1.1. SMS and Federal Information Processing Standard (FIPS)

Migrating the SMS while in FIPS mode is not supported. You must disable FIPS mode on the SMS before you begin the upgrade; otherwise, the update will fail. After you complete the migration, you can enable FIPS mode.

1.2. SMS Client

The SMS client will automatically prompt you to upgrade when the SMS server is upgraded.

1.3. Backup and Restore

The SMS server maintains essential data in its database and configuration files. The database holds data about the current and historical operations of the SMS server and the devices it manages. The configuration files contain SMTP server information, NAT configuration information, and user information. This data is critical to the operation of the SMS Server and should be backed up periodically to assist in recovery from an unexpected failure.

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You can free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

1.3.1 Backup

The backup process backs up both the database and the configuration files. By default, event-related and statistics-related database tables are not backed up due to their size, but you can choose to include them and other optional configuration files. Backing up the SMS database is resource-intensive, particularly if the server is under heavy load and the database is extensive. Consider this when scheduling a regular backup or initiating an immediate backup.

The number of Digital Vaccines - In addition to backing up the SMS Server database, you can specify up to six of the most recent Digital Vaccines (DV) to include in the backup. You are required to back up the most recent DV.

The number of Device TOS packages - You can optionally specify up to six of the most recent device TOS packages to be included in the backup.

The number of custom packages - If you have custom packages installed, you can specify up to six of the most recent custom packages to be included in the backup. The backup always includes the latest, active package. It does not automatically back up more than one package and does not automatically back up inactive packages. For example, your installation might include a custom scriptwriter (CSW) package.

1.3.2 Restore

When restoring an SMS Server database, SMS validates the integrity of the file from which backed-up data is being restored. If the file is invalid, the SMS console displays an error message. To ensure database integrity, the system automatically reboots after the restore operation. SMS supports restoring a backup taken with a previous version of SMS. For example, you can restore an SMS 5.0 backup to an SMS 5.2 server. When you restore a previous-version backup, SMS not only restores the database but also migrates data and data structures to match the version of SMS running on your SMS server.

1.4. SMS Backup and storage

The backup and restore processes require access to a storage location, either to back up data to it or to restore data from it. The SMS backup and restore processes can perform their tasks using any of the following storage access protocols:

  • Network File System (NFS) Protocol
  • Server Message Block (SMB) Protocol, a Microsoft-based shared-access file system
  • Secure File Transfer Protocol (sFTP)
  • Secure Copy Protocol (SCP)
  • Hypertext Transfer Protocol (HTTP) and Secure Hypertext Transfer Protocol (HTTPS)
 
NOTE: The HTTPS and SMB backup options copy the file to the /mgmt/client/tmp partition. The operation will fail if there is not enough space in that partition to hold the backup.

1.5. RADIUS Authentication

SMS uses the Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users with RADIUS authentication type can no longer log in. As a workaround, temporarily change the RADIUS server configuration to remove any requirement that the AUTH-REQUEST include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.
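
The following is an added example, not code from the SMS or from Trend Micro: it builds a PAP Access-Request that carries only the three attributes named above, encoded per RFC 2865 and RFC 3579, and reports which attributes a RADIUS policy requires that such a request lacks. The shared secret, user name, and the policy that demands NAS-IP-Address are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Attribute type codes (RFC 2865, RFC 3579)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password hiding, RFC 2865 section 5.2 (MD5 keystream, 16-byte blocks)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user: str, password: str, secret: bytes, authenticator: bytes = None) -> bytes:
    """Access-Request with only User-Name, User-Password and Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    attrs = (tlv(USER_NAME, user.encode())
             + tlv(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + tlv(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator  # code 1 = Access-Request
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_attributes(packet: bytes) -> dict:
    """Map attribute type -> (value offset, value), rejecting malformed lengths."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        size = packet[pos + 1]
        attrs[packet[pos]] = (pos + 2, packet[pos + 2:pos + size])
        pos += size
    return attrs

def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    offset, mac = parse_attributes(packet)[MESSAGE_AUTHENTICATOR]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)

def missing_for_policy(packet: bytes, required: set) -> list:
    """Attribute types a server policy demands that the request does not carry."""
    return sorted(required - set(parse_attributes(packet)))
```

Calling `missing_for_policy(packet, {USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS})` on such a request returns `[4]`, which identifies the policy condition that would have to be relaxed for the workaround.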

1.6. SMS High Availability (HA)

Before an SMS upgrade, you must disable High Availability (HA). The process for upgrading an HA cluster is to break down the cluster, upgrade each SMS individually, and then re-establish the cluster. This is because one of the nodes is always passive; therefore, the SMS software is not fully operational and cannot be upgraded.

Requirements

  • Both SMS devices must have the same disk capacity.
  • It is recommended that you have the same SMS models.

1.7. Preparation to Upgrade

When connected to the TMC, the SMS Server monitors the TMC for newer versions of the SMS Software. When the SMS Server detects a newer version than the one currently installed, it activates the Download button in the SMS Software section of the Admin (General) screen. Additionally, it updates the Available for Download field to show the software version number. Before you download and install a new version of SMS software, make a note of the following:

  • Back up the SMS database. If you are replacing the SMS server with a new device (physical or virtual), restoring it from a previous backup is the only way to get the SMS data across to the new appliance. In addition, best practice dictates that any system should be backed up before major changes (e.g., software updates).
  • Export profiles separately. Even if you back up the entire database, sometimes the restore process causes the profiles to become corrupted (e.g., old profiles). As such, it is recommended that the profiles be exported separately. This will ensure that a clean copy is available for restoration.
  • Installing a new SMS version causes the server to close all client connections and reboot.
  • When the SMS Server is unavailable during the reboot process, the availability and operations of Trend Micro TippingPoint devices managed by SMS are unaffected. IPS and other devices continue to operate as usual and without interruption.
  • When upgrading the SMS server, you cannot connect to the server through the SMS client until you have upgraded the software. However, you can view the detailed upgrade status from the local VGA console.
  • Before upgrading from an older to a newer version, ensure that the latest patch has been installed.

1.8. Upgrade time estimates

On average, the SMS upgrade takes around 25 minutes. However, depending on your database size, it can take considerably longer. Further steps for updating the Digital Vaccine take varying times. Before any upgrade, be sure to back up your SMS. The SMS automatically reboots twice during the upgrade. During this upgrade, the SMS is only accessible during the first step of the upgrade process. During the remainder of the upgrade, the SMS is NOT accessible.

 
NOTE: It is not unheard of for an upgrade to take 24 hours or longer if large databases are involved.

The steps in the Time Estimates table describe each operation and duration for a typical SMS upgrade using a software package downloaded from TMC. These times are general estimates based on average system hardware configuration and data. Depending on your system and the data it contains, times may be slightly faster or slower than documented.

The following table provides estimates only. The time estimates for your system may vary based on multiple factors, including your database size. Do NOT reboot or power cycle the system until the upgrade completes.

The following table provides a summary of the process with estimated times:

| Step | Task | Manual or Automatic | Estimated Time | SMS Status |
|---|---|---|---|---|
| 1 | Download software package | Manual | Varies (1) | Available |
| 2 | Install upgrade package | Manual | 2-10 minutes | Unavailable |
| 3 | Migrate data | Automatic | Varies (2) | Unavailable |

(1) Network speed determines the time to download a 1.8 GB file.
(2) Depends on the amount of data to migrate. The SMS automatically reboots after step 2 and is unavailable for logins until step 3 is completed. Do not reboot the SMS during this time.

1.9. Software Upgrade Path

The following table provides the upgrade path for the various versions of SMS.

SMS TOS Upgrade Path

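Device: SMS (see Notes 1 and 2), vSMS (see Note 3)

| Current TOS | Intermediate TOS | Final TOS |
|---|---|---|
| 4.3.0 | 4.4.0, 5.0.1, 5.3.0, 5.4.1, 6.2.0 | 6.4.0 |

Remaining Current TOS rows: 4.4.0, 4.5.0, 4.6.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.5.2, 5.5.3, 5.5.4, 6.0.0, 6.1.0, 6.2.0, 6.3.0
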
Note 1: SMS v6.4.0 upgrades are only supported from an SMS installed with SMS v6.2.0 or later. Attempts to upgrade from an older release will return an error.

Note 2: SMS v6.2.0 upgrades are only supported from an SMS installed with SMS v5.4.1 or later. Attempts to upgrade from an older release will return an error.

Note 3: The VMware vCenter server is not required to deploy the vSMS .ovf file. You can deploy the .ovf file directly through ESX/ESXi utilities.
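
The following is an added example, not part of the vendor documentation: a pre-upgrade gate that applies the version limits in Notes 1 and 2 together with the FIPS, HA, free-space and backup requirements stated earlier on this page. The `SmsState` record and its field names are hypothetical; the operator fills it in from values read in the SMS client.

```python
from dataclasses import dataclass

def parse_version(text: str) -> tuple:
    """'v5.5.4.1' -> (5, 5, 4, 1), padded to four parts so '6.2' equals '6.2.0'."""
    parts = [int(p) for p in text.lstrip("vV").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

MIN_FREE_DB_GB = 20  # free space the page requires in the database partition
# target release -> oldest release it can be installed over (Notes 1 and 2 on the page)
MINIMUM_SOURCE = {parse_version("6.4.0"): parse_version("6.2.0"),
                  parse_version("6.2.0"): parse_version("5.4.1")}

def plan_hops(current: str, target: str = "6.4.0"):
    """Ordered upgrade hops, or None when Notes 1 and 2 do not cover the starting version."""
    cur, goal, hops = parse_version(current), parse_version(target), []
    while goal > cur:
        if goal not in MINIMUM_SOURCE:
            return None  # older starting points need the vendor's full path table
        hops.insert(0, ".".join(map(str, goal[:3])))
        if cur >= MINIMUM_SOURCE[goal]:
            return hops
        goal = MINIMUM_SOURCE[goal]
    return hops

@dataclass
class SmsState:  # hypothetical record of values the operator reads from the SMS client
    version: str
    fips_enabled: bool
    ha_enabled: bool
    free_db_gb: float
    backup_done: bool

def preflight(state: SmsState) -> list:
    """Return the blockers that must be cleared before starting the upgrade."""
    blockers = []
    if state.fips_enabled:
        blockers.append("disable FIPS mode")
    if state.ha_enabled:
        blockers.append("disable HA and upgrade each SMS individually")
    if state.free_db_gb < MIN_FREE_DB_GB:
        blockers.append(f"free {MIN_FREE_DB_GB - state.free_db_gb:g} GB in the database partition")
    if not state.backup_done:
        blockers.append("back up the SMS database")
    if plan_hops(state.version) is None:
        blockers.append("starting version not covered by Notes 1 and 2")
    return blockers
```

Versions are compared as integer tuples, so a four-part release such as 5.5.4.1 sorts correctly against 5.4.1, which a plain string comparison would not guarantee.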

1.10. Software Compatibility

Product Version Compatibility

| Product | SMS v6.4.0 | SMS v6.3.0 | SMS v6.2.0 | SMS v6.1.0 | SMS v6.0.0 | SMS v5.5.4.1 | SMS v5.5.4 |
|---|---|---|---|---|---|---|---|
| Support Status | | | | | | | |
| TPS TXE | v6.4.0 and earlier | v6.3.0 and earlier | v6.2.0 and earlier | v6.1.0 and earlier | v6.0.0 | N/A | N/A |
| TPS TX | v6.4.0 and earlier | v6.3.0 and earlier | v6.2.0 and earlier | v6.1.0 and earlier | v5.5.5 and earlier | v5.5.5 and earlier | v5.5.4 and earlier |
| TPS T | v5.5.6 and earlier | v5.5.6 and earlier | v5.5.6 and earlier | v5.5.6 and earlier | v5.5.6 and earlier | v5.5.6 and earlier | v5.5.4 and earlier |
| vTPS | v6.4.0 and earlier | v6.3.0 and earlier | v6.2.0 and earlier | v5.5.5 and earlier | v5.5.5 and earlier | v5.5.5 and earlier | v5.5.4 and earlier |


2. SMS Migration Scenarios

The following sections present some of the most common migration/updating scenarios that might be encountered.

  • Upgrade the SMS software on the same SMS device (physical)
  • Upgrade the vSMS software on the same vSMS device (virtual)
  • Migrate from an old SMS device to a new SMS device
  • Migrate from a physical SMS to a virtual SMS (vSMS)
  • Changing the SMS server IP address.


2.1. Upgrade the SMS software on the same SMS device (physical)

  1. Back up the SMS database. This should be done as a matter of best practice.
  2. Download or import the SMS software from the TMC
  3. Install the SMS software
  4. Allow the system to perform the upgrade process
  5. Install the Client Software


2.2. Upgrade the vSMS software on the same vSMS device (virtual)

  1. Back up the SMS database. This should be done as a matter of best practice.
  2. Download or import the incremental vSMS software from the TMC
  3. Install the incremental vSMS software
  4. Allow the system to perform the upgrade process
  5. Install the new Client software


2.3. Migrate from an old SMS server to a new SMS server

  1. Back up the old SMS database. This should be done as a matter of best practice.
  2. Export profiles separately.
  3. Shut down the old SMS server
  4. Power up the new SMS server

NOTE: As the SMS starts, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the SMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and periodically input information.

  5. Configure the SMS server

NOTE: The SMS server will reboot after the configuration is complete.

  6. Allow the SMS server to complete the reboot and configuration
  7. Install the new Client software
  8. Restore the database from the old SMS
  9. Restore the profiles (if required)
 
IMPORTANT: If you change the IP address of the SMS server, read Section: 2.6 Changing the SMS server IP address.


2.4. Migrate from a physical SMS to a virtual SMS (vSMS)

  1. Back up the old SMS database. This should be done as a matter of best practice.
  2. Export profiles separately.
  3. Shut down the old SMS server
  4. Validate the VMware Environment
  5. Obtain the vSMS software from the TMC
  6. Obtain the vSMS Certification String
  7. Deploy the vSMS software
  8. Start the vSMS software

NOTE: As the SMS starts, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the SMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and periodically input information.

  9. Configure the SMS server

NOTE: The SMS server will reboot after the configuration is complete.

  10. Allow the SMS server to complete the reboot and configuration
  11. Install the new Client Software
  12. Restore the database from the old SMS
 
IMPORTANT: If you change the IP address of the SMS server, read Section: 2.6 Changing the SMS server IP address.


2.5. Migrate from a DEMO vSMS to a purchased vSMS

  1. Back up the DEMO vSMS database.
  2. Export profiles separately.
  3. Unmanage devices from the vSMS.
  4. Obtain the vSMS software from the TMC.
  5. Obtain the vSMS Certification String.
  6. Deploy the vSMS software.
  7. Start the vSMS software.

NOTE: As the vSMS starts up, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the vSMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and periodically input information.

  8. Configure the vSMS server.

NOTE: The vSMS server will reboot after the configuration is complete.

  9. Allow the SMS server to complete the reboot and configuration.
  10. Install the new Client Software.
  11. Restore the database from the DEMO vSMS.
  12. If the IP address you gave the vSMS server differs from the old SMS, you must delete and re-manage all the IPS devices. If the IP address is the same as the old server, then the IPS devices should be OK.
  13. Redistribute your profiles to all devices and segments from the new vSMS.
 
IMPORTANT: If you change the IP address of the SMS server, read Section: 2.6 Changing the SMS server IP address.


2.6. Changing the SMS server IP address

Changing the SMS server IP address has a major impact on the managed devices, because the devices will still believe they are being managed by the old SMS. There are two options for the proper management of devices. Both involve unmanaging and re-managing the devices.

Option 1 (Before IP address change)

  1. Before you upgrade the SMS, unmanage all devices from the SMS. This can be done from the SMS, IPS CLI or IPS LSM.
  2. After the restore is complete and the IP address has been changed, re-manage all devices from the SMS.

Option 2 (After IP address change)

  1. Un-manage the device from the IPS CLI or the IPS LSM.
  2. Re-manage all devices from the SMS
 
IMPORTANT: Please ensure you know the administrative credentials for managing the IPS devices.


3. Additional Resources

  • Security Management System (SMS) User Guide
  • Virtual Security Management System (vSMS) Getting Started Guide

These documents can be found in the Trend Micro Document Center (https://docs.trendmicro.com/en-us/documentation/security-management-system/)