Check your OfficeScan server configuration and see if the following functions/features were used:
- Virtual Desktop Support (VDI) for non-persistent VDI environment
  - Open the ..\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini file.
  - Check if EnableCheckClientMacAddress exists under [INI_SERVER_SECTION] and is equal to 1.
  - If EnableCheckClientMacAddress does not exist or is equal to 0, manually change it to "1".
- VPN client (e.g. Cisco Anyconnect) is used:
  - Open the ..\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini file.
  - Under the Global Setting section, manually add the following key and set its value to "1".
    [Global Setting]
    SP_DisableTbimdsaRegistryKeyProtection = 1
    SP_DisableTmLwfRegistryKeyProtection = 1
  - Save the changes and close the file.
  - Open the A1 web console, and go to the Agents > Global Agent Settings screen.
  - Click Save to deploy the setting to agent.
  - The A1 server deploys the command to A1 agents and adds the following registry entry on all A1 agent computers:
    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS
    Key: SP_DisableTmLwfRegistryKeyProtection
    Type: DWORD
    Value: 1
This requires OfficeScan XG Hot Fix Build 1721 or OfficeScan XG Service Pack 1.
Once the above keys have been checked:
- Open the OfficeScan web console and go to Agents > Global Agent Settings screen.
- Click Save to deploy the setting to agents.
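The ofcscan.ini checks above can be done as a read-only audit before anything is edited. The script below is an added example, not part of the original article or of Trend Micro's tooling; the -IniPath parameter is an assumption and must be given the full path to ofcscan.ini on the server. A key reported as missing only matters if the corresponding feature (non-persistent VDI or a VPN client) is in use.

```powershell
# Added example: read-only audit of the ofcscan.ini keys named in the steps above.
# The caller supplies the full path; no install location is assumed here.
param(
    [Parameter(Mandatory = $true)]
    [string]$IniPath
)

# Minimal INI reader: returns a hashtable of sections, each a hashtable of keys.
# PowerShell hashtable literals are case-insensitive, which suits INI lookups.
function Read-IniFile {
    param([string]$Path)
    $ini = @{}
    $section = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('#')) { continue }
        if ($t -match '^\[(.+)\]$') {
            $section = $Matches[1].Trim()
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        $idx = $t.IndexOf('=')
        if ($idx -gt 0 -and $section -ne '') {
            $ini[$section][$t.Substring(0, $idx).Trim()] = $t.Substring($idx + 1).Trim()
        }
    }
    return $ini
}

# Section/key pairs taken from the article; each is expected to equal 1.
$expected = @(
    @{ Section = 'INI_SERVER_SECTION'; Key = 'EnableCheckClientMacAddress' },
    @{ Section = 'Global Setting';     Key = 'SP_DisableTbimdsaRegistryKeyProtection' },
    @{ Section = 'Global Setting';     Key = 'SP_DisableTmLwfRegistryKeyProtection' }
)

$ini = Read-IniFile -Path $IniPath
$results = foreach ($e in $expected) {
    $value = $null
    if ($ini.ContainsKey($e.Section) -and $ini[$e.Section].ContainsKey($e.Key)) {
        $value = $ini[$e.Section][$e.Key]
    }
    $shown = if ($null -eq $value) { '<missing>' } else { $value }
    [pscustomobject]@{ Section = $e.Section; Key = $e.Key; Value = $shown; Ok = ($value -eq '1') }
}
$results | Format-Table -AutoSize
```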
Phase deployment consideration
By the current design, once agents are reporting to Apex One as a Service, a new program package will be automatically downloaded that initiates an agent upgrade. If you migrate all agents at once without sufficient bandwidth, it could cause a corporate network outage.
Apex One as a Service agent package size may vary with pattern/binary file updates, so it is advised to download an MSI agent installer package directly from Apex One as a Service to get the precise package size.
Estimated network usage after agent migration
Once agents have been migrated to Apex One as a Service, they will begin communicating with the Apex One as a Service server for the following activities:
- Component update
- Policy deployment
- Query for File/Web reputation services, Predictive Machine Learning, and other tasks
As per in-house testing results, every agent will generate around 22 MB of traffic on a daily basis, but it may be different for each agent.
It is advised to deploy the Apex One as a Service agent within a small scope and monitor network usage before migrating all agents.
Notice Regarding HTTPS Connection on OfficeScan XG SP1 and Apex One
OfficeScan XG SP1 and Apex One have moved communication between agents and server to the HTTPS protocol using TLS. By moving to HTTPS, the communication port on the server will also change from the HTTP port (default: 8080) to the HTTPS port (same as the web console, default: 4343).
Some environments may encounter HTTPS communication issues due to various factors (e.g. inconsistent SSL/TLS environments, firewalls blocking the HTTPS port, etc.). This can result in agents showing offline, failing to upgrade, and not uploading logs or quarantined files.
For more details, please refer to the following article: Potential issues with HTTPS communication in OfficeScan XG Service Pack 1 and Apex One.
Agent Proxy Settings
When migrating an OfficeScan XG agent to Apex One as a Service, it is necessary to review the Agent Proxy Settings. This can be located in the web console > Administration > Settings > Proxy.
If the Agent Proxy Setting is disabled in OfficeScan XG, the migration would fail.
Since the Agent Proxy Setting is a global setting, please evaluate whether this setting will impact other agents. You may set up another OfficeScan server with proper Agent Proxy Settings to manage the transition of migration, or use the remove-and-install method for the Apex One as a Service agent upgrade.
- Make sure that the OfficeScan XG server is running on Service Pack 1 (SP1) Build 4345 or higher.
- Extract the Apex One Settings Export Tool package downloaded to the On-premise server (e.g. C:\temp\PolicyExportTool).
- Open a command line prompt and point to the PolicyExportTool directory.
- Run the tool as Admin on the OfficeScan server computer.
The tool generates three (3) files:
- Server_Settings_Migration.zip. This contains the Global Settings. Importing more than one of these will overwrite the previous settings. It is recommended to only import this from a single server.
- ApexOne_Agent_Policies.zip. This contains the policies generated from the settings configured on the OfficeScan Server. This can be imported from multiple On-Premise OfficeScan servers, and each will create the new corresponding policies.
- ApexOne_Agent_DLP_Policies.zip. This contains the policies generated from the DLP settings configured on the OfficeScan Server. This can be imported from multiple On-Premise OfficeScan servers, and each will create the new corresponding policies.
On Apex One as a Service:
- Log in to Apex Central.
- Import agent settings policy:
  - Go to Policies > Policy Management.
  - To import agent policies, choose Apex One Agent as the product and click the Import button, then choose the ApexOne_Agent_Policies.zip (or whatever you've renamed it to) and click Open.
    New corresponding policies will be generated and displayed. These will default to targets of None, so they will not apply to any agents until an administrator has reviewed the policy and configured the desired targets. The policy names will follow the format of CLN_ServerName_DomainName (where ServerName and DomainName are replaced by their values from the source OfficeScan Server).
  - Repeat this process for policies from any additional On-Premise servers you wish to import.
- Import Agent DLP Policy (if desired):
  - Go to Policies > Policy Management.
  - To import agent policies, choose OfficeScan Data Loss Prevention as the product and click the Import button, then choose the ApexOne_Agent_DLP_Policies.zip (or whatever you've renamed it to) and click Open.
    New corresponding policies will be generated and displayed. These will default to targets of None, so they will not apply to any agents until an administrator has reviewed the policy and configured the desired targets. The policy names will follow the format of DLP_ServerName_DomainName (where ServerName and DomainName are replaced by their values from the source OfficeScan Server).
  - Repeat this process for policies from any additional On-Premise servers you wish to import.
- Import OfficeScan server settings:
  This process only allows for importing the settings of a single OfficeScan Server. Importing multiple will overwrite the previous settings.
To move agents from On-Premise OfficeScan server to Apex One as a Service:
- Log into Apex Central.
- Go to Directories > Product Servers.
- Verify that the Server Type is Apex One as a Service. You will see the server name listed there.
- Go to Agents > Agent Management on the On-Premise OfficeScan Server.
- Select agents from the list.
- Click Manage Agent Tree > Move Agent.
- Select Move selected agent(s) to another OfficeScan server.
- Enter the Server URL that was copied from Apex One as a Service. Use SSL Port 443 and HTTP port 80.
- Click the Move button.
- To ensure that the agents can be successfully moved to Apex One as a Service, make sure that the agents can connect to the Internet.
- Agent proxy can also be configured to "Use Windows Proxy settings" in Administration > Settings > Proxy then apply the new proxy settings to agents, if the endpoint computers can access the Internet.
- Make sure firewalls are configured to allow for communication with the Apex One as a Service servers: Whitelisting Apex One as a Service DNS Name and IPs.
For more information, refer to the migration guide for Apex One as a Service.