Migrating / Moving SEE Clients from one SEE Management Server to another (Moving SEE Client from old SEEMS Database to a *net-new* SEEMS Database)
Article ID: 163292

Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

This article describes how to move SEE clients from one SEE Management Server to another SEE Management Server that uses a completely different (net-new) database than the original.

 

Cause

Help Desk Recovery against the new server fails with "Incorrect Authentication. Try Again" because the client still holds recovery key data tied to the old SEE Management Server database.

Resolution

Each Symantec Endpoint Encryption client is tied to a specific SEE Management Server database, because unique encryption keys are configured for that environment at the time the client is created and installed.
When moving from one SEE database to another, a migration process must be followed so that these unique keys are re-established against the new database and Connected and Connectionless Recovery for Drive Encryption continue to work.

This guide is divided into the scenarios listed below so that you can follow the steps that apply to your environment.
Once finished, the SEE clients will have been moved from one SEE database to another and will still be able to perform recovery where needed.

It also covers migrating RME-only clients (Removable Media Encryption with no Drive Encryption) from one SEE Management Server to another.

 

Prerequisites and Considerations:

In order to go through this migration, the following conditions must be met:
* You create a new SEE Client package from the new SEE Management Server (new database).
* The move is performed as an upgrade from an older version of the SEE client to a newer version of the SEE client.
  Example: upgrading the SEE client from version 12.0.0 to version 12.5.0.
* Migration of Symantec Endpoint Encryption clients may be done while the drive is still encrypted; decryption is not required.
* For Drive Encryption, a "decoupling" process must be performed so that recovery keys for the new database are established.
* RME-only clients do not need the decoupling process, but Workgroup Keys or Recovery Certificates still need to be migrated over.

 


Scenario 1: SEE Clients with Drive Encryption and Removable Media Encryption

Step 1. Create a new SEE Client for the new SEE Management Server (New Database).

Important Note: Switching from one SEE Management Server to another requires an "upgrade", that is, going from an older version of the SEE client to a newer version of the SEE client.
It is not possible to migrate between SEE Management Servers using the same client version and build, so a planned upgrade is the right opportunity to move to a new database.

Step 2. Deploy the new SEE client with the usual MSIEXEC command for upgrading from the older version to the newer version, for example:

msiexec /i SEEClientInstall.msi

For more specific information on deploying the SEE Client, see the following article:

252118 - Installing and Upgrading the Symantec Endpoint Encryption Client (Deployment of SEE Client)

Step 3. After the upgraded client has been installed, reboot the client machine.

The client machine should now be checking in with the new Symantec Endpoint Encryption Management Server.

Step 4: Because these are Drive Encryption clients with recovery keys, recovery keys for the new SEE Management Server and its database must be established.
To do this, the SEE clients must go through a "decoupling" process.

Decoupling (from old database) and Initialization (to new database) Process

Decoupling and initialization entail disabling and then re-enabling the following two settings through policy (either through SEE Native Policies or through GPO):

Policy setting 1: Enable Help Desk Recovery

Policy setting 2: Help Desk Recovery Communication Unlock

Once the new SEE client from the new SEE database has been installed over the top of the old SEE client from the old SEE database, the clients start to check in with the new SEE Management Server.

In whichever policy the SEE clients receive, disable the two settings above. This clears the old recovery key data set from the old SEE database.

Once all of the new SEE clients have received this policy and successfully checked in, re-enable the two settings. The next time the clients check in, new recovery keys for the new database are initialized.

 

Step 5: Once the new SEE client from the new database/environment is installed, uncheck the two settings in the policy on the new server and save the policy. The layout of the policy page differs by server version (the original article shows a screenshot for each), but in both cases the two checkboxes are "Enable Help Desk Recovery" and "Help Desk Recovery Communication Unlock":

SEE 11.4 and above: (screenshot not reproduced)

Before SEE 11.4: (screenshot not reproduced)

Step 6: Once the two settings have been unchecked, have all of your SEE clients check in to the new SEE Management Server.

Note: SEE clients can check in using any of the following three methods:

1. Manually via the SEE Management Agent

2. Automatically as per the check-in interval (Default value is every 60 minutes).

3. You can also force the client to check in via the command line with the following command:

C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent>SEEMAUIApp.exe --check-in
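As an added example (not from the original article), the following PowerShell script confirms that an endpoint is already running the upgraded client before forcing the check-in with the command above, so that the decoupling policy is never applied to a machine that is still bound to the old database. Only the "SEEMAUIApp.exe --check-in" command comes from the article; the registry lookup by DisplayName, the expected-version comparison and the default agent directory are assumptions made for this example.

```powershell
# Added example, not part of the original article or the SEE product.
# Verifies the upgraded SEE client is installed, then forces a check-in to the
# new SEE Management Server with the documented "--check-in" switch.
# Assumptions (not stated in the article): the installer registers an uninstall
# entry whose DisplayName starts with "Symantec Endpoint Encryption", and the
# Management Agent lives in the default directory quoted in the article.

param(
    [Parameter(Mandatory)][version]$ExpectedVersion,   # e.g. 12.5.0 (the new client)
    [string]$AgentDir = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent'
)

function Get-SeeClientVersion {
    # Search both the 64-bit and 32-bit uninstall hives; the MSI registers in one of them.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Symantec Endpoint Encryption*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Invoke-SeeCheckIn {
    param([string]$Dir)
    $exe = Join-Path $Dir 'SEEMAUIApp.exe'
    if (-not (Test-Path $exe)) { throw "Management Agent not found at $exe" }
    # Run the forced check-in and wait for it so the exit code can be recorded.
    $p = Start-Process -FilePath $exe -ArgumentList '--check-in' -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

$installed = Get-SeeClientVersion
if (-not $installed) {
    throw 'No SEE client installation found in the uninstall registry.'
}
if ([version]$installed -lt $ExpectedVersion) {
    # Still the old client, therefore still bound to the old database: do not proceed
    # with the decoupling policy until the upgrade has completed and the host rebooted.
    throw "SEE client $installed is older than expected $ExpectedVersion; upgrade not complete."
}

$code = Invoke-SeeCheckIn -Dir $AgentDir

# The article does not document the agent's exit codes, so the value is recorded as-is
# and success is confirmed server-side in the Computer Status Report (Step 7).
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Version         = $installed
    CheckInExitCode = $code
    Timestamp       = (Get-Date).ToString('s')
}
```

Run it on each endpoint (for example with Invoke-Command against the list of migrated hosts) and reconcile the returned objects against the Computer Status Report before re-enabling the two Help Desk Recovery settings in Step 8.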

 

Step 7: Check the Computer Status Report to validate that all clients have checked in *after* this policy update went into effect.

Step 8: Once you have validated that all SEE clients have checked in after this policy update, re-enable the two settings on the SEE Management Server by checking the two boxes again, and save the policy.

Step 9: Have the SEE clients check in again.

Step 10: Once you validate all the SEE Clients have checked in after this decoupling and initialization process, the new recovery keys from the new database can now be used. 

 

The above steps will reset Help Desk settings properly on the endpoint so that it can successfully complete a Help Desk recovery procedure in conjunction with the server-side Help Desk console through the new SEE Environment.

Alternatively, you can decouple and initialize with the following steps:

  1. Create a new group with a new policy.  The new policy must not have the "Help Desk Recovery" option selected. 

  2. Move the machines into this new group so they can go through the decoupling process.

  3. Allow the SEE Clients to check in and receive the updated policy.

  4. After confirmation, move the clients back to their original group where the policy has Helpdesk Recovery enabled.

  5. Once the clients check in and are part of the original policy again, test by going through the recovery process.

    The following articles will allow you to test both recovery methods to ensure the decoupling process worked for you:

    258513 - Symantec Endpoint Encryption Help Desk Recovery (Connected Recovery - SEE Client connected to the SEE Management Server)

    162352 - Challenge Key Recovery for Symantec Endpoint Encryption Help Desk Recovery (Connectionless Recovery) 

 

Step 11: There is no decoupling process for Workgroup Keys and Recovery Certificates. Instead, copy them manually from the old environment to the new one.
For more information on Workgroup Keys and Recovery Certificates for SEE Removable Media Encryption, refer to the following articles:

171224 - Creating a Recovery certificate for Endpoint Encryption Removable Media Encryption

252268 - Workgroup Key for Symantec Endpoint Encryption Removable Media Encryption

Workgroup Keys are known only at the time they are created. If you did not copy the Workgroup Key and store it safely, you may need to start with a new Workgroup Key, and removable media encrypted under the old key will not be readable with the new one.

Once the applicable Workgroup Keys and Recovery keys are entered into the new policy, when the new SEE Clients check in, these will then be part of their encryption policy going forward.

 

 

Scenario 2: SEE Clients with Drive Encryption without Removable Media Encryption

For Scenario 2, the decoupling process still needs to be followed for Drive Encryption, but because Removable Media Encryption is not in use, no Workgroup Keys or Recovery Certificates need to be migrated.
Follow all the steps in Scenario 1, but skip Step 11 for Workgroup Keys and Recovery Certificates.

 

 

Scenario 3: SEE Clients with ONLY Removable Media Encryption (No Drive Encryption being used)

For Scenario 3, create the new SEE client from the new SEE Management Server (new database) as described in Scenario 1, but because Drive Encryption is not in use, there is no decoupling process.

You still need to re-establish the Workgroup Keys and Recovery Certificates for Removable Media Encryption; these are copied manually from the old environment to the new one.

For more information on Workgroup Keys and Recovery Certificates for SEE Removable Media Encryption, refer to the following articles:

171224 - Creating a Recovery certificate for Endpoint Encryption Removable Media Encryption

252268 - Workgroup Key for Symantec Endpoint Encryption Removable Media Encryption

Once the applicable Workgroup Keys and Recovery keys are entered into the new policies for the new SEE Management Server, when the new SEE Clients check in, these will then be part of their encryption policy going forward.

 

 

Scenario 4: Symantec Endpoint Encryption for FileVault Clients:

 

1. From the new Symantec Endpoint Encryption Management Server, create a new Mac FileVault Client with the new communication settings.

2. Double-click the newly created Mac FileVault Client and follow the prompts to update the client machine. A reboot is not necessary.

The client machine should now be checking in with the new Symantec Endpoint Encryption Management Server.

Note: If you are using an Institutional Recovery Key, it must be configured manually for the new environment. For more information, see the following articles:

213002 - Installing and using the SEE for FileVault client to enable encryption and manage Recovery Keys with the Symantec Endpoint Encryption (SEE) Management Server

213010 - Creating a SEE Client and Institutional Recovery Key for Symantec Endpoint Encryption FileVault Recovery (client creation)


Additional Information

Scenario 1: Moving SEE Client from Old SEE Management Server to New SEE Management Server
163292 - Migrating from one SEE Management Server to another (Completely new SEE Database)

Scenario 2: Moving from PGP client/server to SEE client/server
227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)

Scenario 3: Moving SEE Clients from the same database to another SEE Management Server with the same Database
154122 - How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server

Scenario 4: Moving same SEE database from one DB instance to another
152340 - How to move the SEE-MS SQL database from one server/instance to another

Scenario 5: Update which hostname the SEE Clients use for communications (Keeping same database)
249333 - Changing Web Access for SEE Clients on Symantec Encryption Management Server

Scenario 6: Moving the SEE Database from one domain (original.example.com) to a completely new domain (new.example.net)
266993 - Migrating from one Domain to a New Domain with Symantec Endpoint Encryption Management Server (From Old Domain to a new Domain)