Need cookbook steps to perform remote upgrade of ESM agents to CCS Agents capable of raw based data collection. Steps in this article assume the use of agents inside of the CCS console and that ESM message based data collection has already been used with CCS. Reason to upgrade the agents to CCS Agents is in order to enable run raw based data collection capability.
1. PRE WORK: The first step is to get the pre-version 11 agents into CCS as agents. If you already have the ESM 10 agents into the system (and their corresponding assets are showing under the Manage\Assets screen) then you can skip to step 2 (REMOTE UPGRADE).
a. NOTE: Customers having ESM assets in CCS (this would have been done in a version of CCS prior to version 11) as ESM.AGENT asset types must delete the existing ESM.AGENT assets in the CCS console in order to get the pre-version 11 ESM agents into CCS 11 as true agents. This is necessary or there will be dual entries in the asset system for the same target machines. (The ESM.AGENT asset type was deprecated in CCS 11 and only exists in an upgrade environment.)
b. With no ESM agent based assets in the CCS asset screens, the next step is to get these imported. This requires at least SU 4201 or higher being installed on the ESM manager and all of the agents. If SU 4201 or higher has not been installed on the ESM manager, then first use the ESM console’s liveupdate wizard to download and push the latest SU to the ESM manager (Refer to Enterprise Security Manager User Guide). Once past SU 4201 there should be a new policy in the ESM console’ policy folder named “Asset Information” that contains the ESM module called Agent Information. It is this policy that will be used to obtain the information required to create a corresponding agent and asset entry in CCS 11 for each agent. If the Asset Information policy is not present, it can be created manually and the Agent Information module added to it. When adding the module select all possible checks for all OS platforms listed under that module. NOTE: If the ESM manager is version 11 you will need to also run the Security Update's esmcontenttpk.exe file that corresponds to the Security Update (SU) that was downloaded via the Liveupdate Wizard. In ESM 11, the agents cannot update the ESM manager with the SU information, only the correct package run manually on the manager will synch the manager's files to be at the same SU level as the SU packages downloaded for the agents from the liveupdate site. See Security Update 42 release notes attached to this article for section entitled "About Content Separation"
c. Once the Asset Information policy is available, turn on liveupdate capability for all ESM agents that will need to be brought into the CCS system as assets. If liveupdate is not working on certain agents, that will have to be amended before that agent can be brought into CCS because that agent must have a new Agent Information module pushed to it via liveupdate so that the agent can supply the information needed to create the CCS asset.
d. In the CCS console, ensure that at least one CCS Manager is configured to collect from an the ESM managers needed (see the CCS Planning and Deployment Guide if Message Based Data Collection has not yet been implemented in CCS). Ensure that the policy run settings for the ESM data collector are set to launch a new policy run when collecting data.
e. In the CCS console go to the Manage \Agents screen. In the Agent Management Tasks pull down menu, select import agents below v11.0 job. Configure this job to scope to the Site that contains the CCS Manager configured to collect from the ESM manager. Also select the predefined Reconciliation rules of Add Asset and Update Asset, on the appropriate job dialogue screen. All other screens the default settings can be taken. Once configured, run the job.
i. What should occur: If the job is successfully configured and launched, the CCS Manager with ESM data collector should launch the Asset Information policy inside of the ESM console. Ensure that this policy appears and runs inside the ESM policy runs folder on the All Agents domain. During the policy run, if required, the Agent Information module will be pushed via liveupdate to the ESM agent. This module will then be run and should return to the ESM manager all the data required by CCS to create an agent and it's corresponding CCS asset inside of the CCS console.
f. Once the Import job has been accomplished, all ESM 10 and earlier agents that were registered to the ESM manager(s) should be present in the CCS console’s Manage\Agents view. Ensure that there are no agents inside of the Agents Without Assets folder. If there are agents there, this indicates that there were agents who did not return all the information required to create the asset in CCS. This normally indicates an agent that did not take or receive the liveupdate for the Agent Information module and therefore could not return all the required data. In this situation, check the ESM console job run for these agents and see if there are discernible errors. Ensure liveupdate is working. Review the actual data that was returned for this agent during the Asset Information policy run to determine if it contains the same number of data points that other successful imported agents of that type did. Diagnosis of this issue is a purely ESM based diagnosis. Once the issue has been resolved the import job can be rerun to create the assets in CCS.
2. REMOTE UPGRADE: Once Pre-Version 11 agents (ESM 9 and 10) agents are in the CCS console’s Manage\Agent view and the corresponding assets are all visible in the Manage\Assets view, then the remote upgrade process can be staged and run. The overall process of remote upgrading requires staging two packages of files onto the ESM manager using the ESM console’s Liveupdate wizard. Once these packages are staged on the ESM manager, the remote upgrade process is actually launched from the CCS console (DO NOT LAUNCH THE REMOTE UPGRADE PROCESS FROM THE ESM MANAGER AS THIS WILL THEN REQUIRE THAT EACH AGENT BE RE-REGISTERED TO THE CCS MANAGER).
a. Copy the contents (not the folder itself) of the CCS 11 Media’s ESM Components\PrepRU folder into the ESM Console’s granularlu folder . The ESM console’s granularlu folder is found at: <install path>\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Console\liveupdate\granularlu
b. Using the LiveUpdate Wizard in the ESM console, launch the wizard and select the Directory radial button. It should default to point to the console’s liveupdate folder in the path given above. Continue in the wizard and select the ESM manager to push the files to. Run the push and confirm that the files are copied into the ESM managers’ own granularlu folder (....esm\granularlu). During this push to the ESM manager a new policy should appear in the ESM console named “Prepare RU” for Prepare Remote Upgrade. The Prepare RU policy is used by CCS to change the certificates on the current agents so they can accept the new CCS Agent remote upgrade packages.
c. Once the Prepare RU policy has appeared in the ESM console (may have to click update on the policy folder for this policy to appear) the actual remote upgrade packages can be staged.
i. First drill into the ESM manager’s ….<install path>…esm\update folder and rename any folder called “Agent” to “Agent.old”. A new agent folder will be created by the liveupdate wizard in the next step.
ii. Again using the liveupdate wizard select the Directory radial button but this time use the Browse button to have the path point to the CCS 11 Media’s CCS_Agent\RemoteUpgrade folder. Once pointed to this folder, continue and select to push these files to the ESM manager. The Agent folder mentioned in (i) above will be created and will contain the CCS Agent upgrade files.
d. In the CCS console to test if remote upgrade is now working for an agent, go to the Manage\Agents screen, select a pre-version 11 agent, right click the agent and select the Agent Product Update job (NOTE: Job names may change after various PU version updates to CCS 11). Configure the job to Upgrade the Agent and enter any necessary information. Run the job.
i. During the job run, if everything is configured properly, in the ESM console the Prepare RU policy should launch and run on the one agent machine. Once that job completes, a remote upgrade job should auto-launch on that agent. To view the status of the remote upgrade job, right click on the ESM manager in the ESM console and select “Check Remote Upgrade Status” to see if there are any errors reported during the upgrade and whether it is successful. This status information should be sent to the CCS Console for that agent and will appear on the “Last Upgrade Details” tab for the agent in the Manage\Agents view.
ii. Once the remote upgrade job is finished, on the Manage\Agents view screen in the CCS Console refresh the view and see if the agent is listed as version 11 now. If not, on the same screen go to the Agent Management Tasks pull down menu and run the Import Registered Agents job. On completion of this job the agent should show as version 11. If agent does not show as version 11, contact Symantec Support for further steps to correct.
iii. After the agent shows version 11 in the Manage\Agents view, right click on the agent and select the Agent Content Update job. This job should push out the most current SCU information to the registered agent and install it, thus allowing raw based data collection. While configuring the job it is possible to select to update either the OS collection capabilities or the database collection capabilities but NOT both at the same time. It is recommended to first update the OS then in a later update job to update the database capability.
iv. Once the agent content update has been accomplished, if PU and SCU 2014-1 have been applied to the CCS install, then a further Agent Product Update is available. This update contains file changes to the agent that fix many issues reported since the base CCS 11 agent was released. To update the agent, right click and select the “Agent Product Update” job and while configuring, select the Patch Agent radial button.
v. Once the agent is completely updated, run a test raw based data standard on the agent with a Collect\Evaluate\Report job. Confirm that data is returning and that evaluations and reporting for the agent checks are available in the CCS console.
e. Repeat step 2d for all remaining pre-version 11 agents in the CCS console. Multi-select can be used to remote upgrade the agents in higher quantities. Note: It has been seen that, in minimal deployments, remote upgrading agents in batches of 25 agents or less at a time can help to avoid overloading the CCS Manager.
Control Compliance Suite version 11 with ESM manager doing data collection.