Move DLP Detection server from one Enforce server to another


Article ID: 159655


Data Loss Prevention Enforce


Learn how to move a Symantec Data Loss Prevention (DLP) Detection server from one Enforce server to a different server.


Consider the following before performing these steps:

  • If you are using the default certificates for communication, these steps will let you move a Detection server from one Enforce server to another server.
  • If you are using self-signed certificates generated with the sslkeytool utility, make sure that the right certificate is stored on both the Detection server and the Enforce server; otherwise communication will fail and the Detection server will display an "Unknown" state.
  • If you are changing Detection server types (e.g. Network Prevent for Web to Network Monitor or Network Monitor to Discover), you should consider reinstalling the Detection server. This clears out any custom settings.


WARNING: Do not follow these steps if the Detection server is an Endpoint server. In DLP 12.5 and later, moving an Endpoint Detection server in this way breaks the certificate chain for all connected Endpoint agents, which then requires reinstalling the Agent on those computers.
If the Detection server is an Endpoint server, contact Support for additional assistance.


  1. Log in to the original DLP Enforce console where the Detection server is already registered.
  2. Navigate to System > Server Overview.
  3. Delete the Detection Server by clicking "X".
  4. Reboot the DLP Detection server. This removes from memory the crypto key associated with the original DLP Enforce server.
  5. Log in to the new DLP Enforce console where you want to register the DLP Detection server.
  6. Navigate to System > Server Overview > Add Server.
  7. Click Add Detection Server.

Note: If the Detection server status in the DLP Enforce console still shows as "Unknown", restart the VontuMonitorController service.