search cancel

How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server


Article ID: 154122


Updated On:


Endpoint Encryption Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


In some scenarios, such as virtualizing physical hardware, it is necessary to migrate the Endpoint Encryption Management Server to a new system. Doing so can disrupt the communication between Endpoint Encryption clients and the server, so this article provides assistance on doing this without the need of updating all of the clients.


Before migrating the server, consider the configuration of the server, and current communication settings for your clients:

  • Is the SEEMS database on the server, or is it on an external server?
  • Do clients communicate with the server via TLS\SSL?
  • Do clients communicate with the server via an external load balancer or proxy; or do they use the server's FQDN, hostname, or IP address?
  • What credentials do the clients use to authenticate to the server?
  • What settings are used on the Management Server for AD Sync?

Ideally, if clients use an external load balancer or proxy to reach the Management Server, then a new server can have a different hostname and IP address, and the load balancer/proxy can point to the replacement server seamlessly.

If no Load Balancer etc. is being used, and moving to a new server is necessary, go through the following steps:

  1. Back up the SEEMS Database; if the database is hosted on an external SQL Server, the backup is just in case a problem occurs. If the database is hosted on the Management Server, it will need to be restored during the migration process.
  2. Verify the SSL certificate is backed up, including its private key and trust chain.
  3. Remove the existing Management Server, by shutting it down or disconnecting it from the network.
    Note: If the server is VM, it is handy to keep it available just in case you need to rollback.
  4. Ready the new Management Server, changing its IP address, hostname, and domain membership, if necessary.
  5. Install IIS and other prerequisites for Endpoint Encryption Management Server.
    Tip: Using the SymDiag application will allow you to easily check that prerequisites are met.
  6. Import the SSL certificate into IIS\SEEMS.
  7. Verify the credentials used for client access and server access are configured as they were on the old server.
  8. If SQL Server was running on the old Management Server, and will be running on the new server, install it and import the existing SEEMS Database into the server, setting up access credentials for SEEMS to use.
  9. Install the SEE Server Suite x64 package to the server.
  10. Step through the Endpoint Encryption Configuration Manager, configuring the system as previously set up.

After the installation is complete, log in to the Symantec Endpoint Encryption Manager and verify that existing client data appears. Check the client communication URL to verify it responds, and make sure clients are able to communicate with the new server.

Additional Information

Scenario 1: Moving SEE Client from Old SEE Management Server to New SEE Management Server
163292 - Migrating from one SEE Management Server to another (Completely new SEE Database)

Scenario 2: (Moving from PGP client/sever to SEE client/server)
227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)

Scenario 3: Moving SEE Clients from the same database to another SEE Management Server with the same Database
154122 - How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server

Scenario 4: Moving same SEE database from one DB instance to another
152340 - How to move the SEE-MS SQL database from one server/instance to another

Scenario 5: Update which hostname the SEE Clients use for communications (Keeping same database)
249333 - Changing Web Access for SEE Clients on Symantec Encryption Management Server