Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Migrating On-premise OfficeScan XG SP1 or higher to Apex One as a Service

    • Updated:
    • 3 Oct 2019
    • Product/Version:
    • Apex One as a Service
    • OfficeScan XG
    • Platform:
    • Windows 2012
    • Windows 2016
Summary

This article illustrates the On-Premise OfficeScan (XG SP1 or higher) to Apex One as a Service migration procedures.

Details
Public

Check your OfficeScan server configuration and see if the following functions/features were used:

  • Virtual Desktop Support (VDI) for non-persistent VDI environment
    1. Open the ..\Trend Micro\OfficeScan\PCCSRV\Private\ofcserver.ini file.
    2. Check if EnableCheckClientMacAddress exists under [INI_SERVER_SECTION] and is equal to 1.
    3. If EnableCheckClientMacAddress does not exist or is equal to 0, manually change it to "1".
  • VPN client (e.g. Cisco Anyconnect) is used
    1. Open the ..\Trend Micro\OfficeScan\PCCSRV\Private\ofcserver.ini file.
    2. Check if SP_DisableTmLwfRegistryKeyProtection exists under [INI_SERVER_SECTION] and is equal to 1.
    3. If SP_DisableTmLwfRegistryKeyProtection does not exist or is equal to 0, manually change it to "1".
     
    This requires OfficeScan 11.0 Service Pack 1 Hot Fix Build 6447, OfficeScan XG Hot Fix Build 1721, or OfficeScan XG Service Pack 1.

Once the above keys have been checked:

  1. Open the OfficeScan web console and go to Agents > Global Agent Settings screen.
  2. Click Save to deploy the setting to agents.

Phase deployment consideration

By the current design, once agents are reporting to Apex One as a Service, a new program package will be automatically downloaded that initiates an agent upgrade. If you migrate all agents at once without sufficient bandwidth, it could cause a corporate network outage.

Apex One as a Service agent package size may vary with pattern/binary file updates, so it is advised to download an MSI agent installer package directly from Apex One as a Service to get the precise package size.

Estimated network usage after agent migration

Once agents have been migrated to Apex One as a Service, communication of Apex One as a Service Server with the following activities will begin:

  • Component update
  • Policy deployment
  • Query for File/Web reputation services, Predictive Machine Learning, and other tasks

As per in-house testing results, every agent will generate around 22MB traffic on a daily basis, but it may be different for each agent.

 
You can configure an Update Agent to reduce the component update and policy deployment traffic. For detailed instructions, refer to the following article: Configuring OfficeScan/Apex One clients/agents to act as Update Agents.

It is advised to deploy the Apex One as a Service agent within a small scope and monitor network usage before migrating all agents.

 
If Control Manager policies are currently being used to manage multiple OfficeScan servers, you can also export policies from the Control Manager console and import directly to Apex One as a Service.

On your On-Premise OfficeScan server:

  1. Make sure that the OfficeScan XG server is running on Service Pack 1 (SP1) Build 4345 or higher.
  2. Navigate to the Apex One as a Service console > Administration > Managed Servers > Server Registration > Apex One > Click the URL to SSO to Apex One > Administration > Settings > Server Migration.
  3. Download the Apex One Settings Export Tool.

    Server Migration

  4. Extract the resulting .zip file on the server to an easy-to-find path (e.g. C:\temp\PolicyExportTool).
  5. Open a command line prompt and point to the PolicyExportTool directory.
  6. Run the tool as Admin on the OfficeScan server computer.

    Server Migration tool

    The tool generates three (3) files:

    • Server_Settings_Migration.zip. This contains the Global Settings. Importing more than one of these will overwrite the previous settings. It is recommended to only import this from a single server.
    • ApexOne_Agent_Policies.zip. This contains the policies generated from the settings configured on the OfficeScan Server. This can be imported from multiple On-Premise OfficeScan servers, and each will create the new corresponding policies.
    • ApexOne_Agent_DLP_Policies.zip. This contains the policies generated from the DLP settings configured on the OfficeScan Server. This can imported from multiple On-Premise OfficeScan servers, and each will create the new corresponding policies.

    Run the tool

On Apex One as a Service:

  1. Log in to Apex One as a Service.
  2. Import agent settings policy:
    1. Go to Policies > Policy Management.
    2. To import agent policies, choose Apex One Agent as the product and click the Import button, then choose the ApexOne_Agent_Policies.zip (or whatever you've renamed it to) and click Open.

      New corresponding policies will be generated and displayed. These will default to targets of None, so they will not apply to any agents until an administrator has reviewed the policy and configured the desired targets. The policy names will follow the format of CLN_ServerName_DomainName (where ServerName and DomainName are replaced by their values from the source OfficeScan Server).

    3. Repeat this process for policies from any additional On-Premise servers you wish to import.

      Repeat the process for other on-premise servers

  3. Import Agent DLP Policy (if desired):
    1. Go to Policies > Policy Management.
    2. To import agent policies, choose OfficeScan Data Loss Prevention as the product and click the Import button, then choose the ApexOne_Agent_DLP_Policies.zip (or whatever you've renamed it to) and click Open.

      New corresponding policies will be generated and displayed. These will default to targets of None, so they will not apply to any agents until an administrator has reviewed the policy and configured the desired targets. The policy names will follow the format of DLP_ServerName_DomainName (where ServerName and DomainName are replaced by their values from the source OfficeScan Server).

    3. Repeat this process for policies from any additional On-Premise servers you wish to import.

      Repeat the process for policies

  4. Import OfficeScan server settings:
     
    This process only allows for importing the settings of a single OfficeScan Server. Importing multiple will overwrite the previous settings.
     
    1. Go to Administration > Managed Servers.

      Managed Servers

    2. Click the link to open the Apex One console.
    3. Go to Administration > Settings > Server Migration in the console.

      Server Migration settings

    4. Click the Import Settings button to import Server_Settings_Migration.zip.

      Import settings

      Confirm to import

 
Before moving On-Premise OfficeScan agents to Apex One as a Service, you have to make sure agents are communicating with server in HTTPS. If it was previously configured to HTTP (e.g. adopt ASE=0 or so in this KB article), revert it to HTTPS. Otherwise, migration may fail.

To move agents from On-Premise OfficeScan server to Apex One as a Service:

  1. Log into Apex One as a Service.
  2. Click Administration.
  3. Click Managed Servers.
  4. Click Server Registration.
  5. Verify that the Server Type is Apex One. You will see the server name listed there.

    Check the Server Type

  6. Go to Agents > Agent Management on the On-Premise OfficeScan Server.
  7. Select agents from the list.
  8. Click Manage Agent Tree > Move Agent.

    Manage Agent Tree and move agent

  9. Select Move selected agent(s) to another OfficeScan server.
  10. Enter the Server URL that was copied from Apex One as a Service. Use SSL Port 443 and HTTP port 80.

    Enter the server URL

  11. Click the Move button.
 
  • To ensure that the agents can be successfully moved to Apex One as a Service, make sure that the agents can connect to the Internet.
  • Agent proxy can also be configured to "Use Windows Proxy settings" in Administration > Settings > Proxy then apply the new proxy settings to agents, if the endpoint computers can access the Internet.
  • Make sure firewalls are configured to allow for communication with the Apex One as a Service servers: Whitelisting Apex One as a Service DNS Name and IPs.
Premium
Internal
Rating:
Category:
Migrate
Solution Id:
1118375
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.