
SMS Migration Guide

Updated: 24 Aug 2017
Product/Version: TippingPoint SMS All; TippingPoint Virtual SMS

1. Overview

This article provides the information and steps needed to make the SMS migration process as painless as possible. There are multiple upgrade paths for the SMS, and each path has its own areas of concern:

  • Upgrade the SMS software on the same SMS device (physical)
  • Upgrade the vSMS software on the same vSMS device (virtual)
  • Migrate from an old SMS device to new SMS device
  • Migrate from a physical SMS to a virtual SMS (vSMS)

Regardless of your migration path as mentioned above, at the most basic level, the SMS migration process consists of the following areas:

  1. Back up the SMS database
  2. Upgrade the SMS to the new version or replace the SMS
  3. Restore the SMS database from the backup (if required)
  4. Unmanage and remanage all IPS devices (if required)

1.1. SMS and Federal Information Processing Standard (FIPS)

Migrating the SMS while in FIPS mode is not supported. You must disable FIPS mode on the SMS before you begin the upgrade; otherwise the upgrade will fail. After you complete the migration, you can enable FIPS mode again.

1.2. SMS Client

The SMS client will automatically prompt you to upgrade when the SMS server is upgraded.

1.3. Backup and Restore

The SMS server maintains important data in both its database and in configuration files. The database holds data about the current and historical operations of the SMS server as well as the devices it manages. The configuration files contain data such as SMTP server information, NAT configuration information, and user information. This data is critical to the operation of the SMS Server and should be backed up periodically to assist recovery from an unexpected failure.

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You may be able to free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

1.3.1 Backup

The backup process backs up both the database and the configuration files. By default, event-related and statistics-related database tables are not backed up due to their size, but you can choose to include them and some other optional configuration files. The process of backing up the SMS database is resource intensive, particularly if the server is under heavy load and the database is large. Take this into consideration when scheduling a regular backup or initiating an immediate backup.

Number of Digital Vaccines - In addition to backing up the SMS Server database, you can specify up to six of the most recent Digital Vaccines (DV) to include in the backup. You are required to back up the most recent DV.

Number of Device TOS packages - You can optionally specify up to six of the most recent Device TOS packages to be included in the backup.

Number of custom packages - If you have custom packages installed, you can specify up to six of the most recent custom packages to be included in the backup. The backup always includes the latest, active package. It does not automatically back up more than one package and does not automatically back up inactive packages. For example, your installation might include a custom script writer (CSW) package.

1.3.2 Restore

When restoring an SMS Server database, SMS validates the integrity of the file from which backed up data is being restored. If the file is invalid, the SMS console displays an error message. To ensure database integrity, the system automatically reboots after the restore operation. SMS supports restoring a backup taken with a previous version of SMS. For example, you can take a backup with SMS 4.0 and restore it to an SMS 4.4 server. When you restore a previous-version backup, SMS not only restores the database but also migrates data and data structures to match the version of SMS running on your SMS server.

1.4. SMS Backup and storage

The backup and restore processes require access to a storage location, to either back up data to the storage or restore data from the storage. The SMS backup and restore processes can perform their tasks using any of the following storage access protocols:

  • Network File System (NFS) Protocol
  • Server Message Block (SMB) Protocol, a Microsoft-based shared-access file system
  • Secure File Transfer Protocol (sFTP)
  • Secure Copy Protocol (SCP)
  • Hypertext Transfer Protocol (HTTP) and Secure Hypertext Transfer Protocol (HTTPS)

NOTE: The HTTPS and SMB backup options copy the file to the /mgmt/client/tmp partition. If there is not enough space in that partition to hold the backup, the operation will fail.

1.5. RADIUS Authentication

SMS uses Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by the SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users with the RADIUS authentication type can no longer log in. As a workaround, make temporary changes on the RADIUS server to remove any requirement that the AUTH-REQUEST include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.
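
The three-attribute request described above, as an added example (not TippingPoint code): a Python sketch that builds an RFC 2865 Access-Request carrying only User-Name, User-Password (PAP-hidden) and Message-Authenticator, then reports which attributes a RADIUS server policy requires but the request lacks. It assumes the article's AUTH-REQUEST is a standard Access-Request; the shared secret, user name, password and required-attribute sets are constructed sample values.

```python
import hashlib
import hmac
import struct

NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         32: "NAS-Identifier", 80: "Message-Authenticator"}  # RFC 2865/3579 types

def hide_password(password, secret, authenticator):
    """PAP hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, authenticator, ident=1):
    def attr(kind, value):
        return bytes([kind, len(value) + 2]) + value
    body = (attr(1, user) + attr(2, hide_password(password, secret, authenticator))
            + attr(80, bytes(16)))  # Message-Authenticator is zero while the HMAC is computed
    head = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    return head + body[:-16] + mac

def parse_attributes(packet):
    """Return {type: (value_offset, value)}, rejecting malformed lengths."""
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        size = packet[pos + 1] if pos + 2 <= length else 0
        if size < 2 or pos + size > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = (pos + 2, packet[pos + 2:pos + size])
        pos += size
    return attrs

def message_authenticator_ok(packet, secret):
    entry = parse_attributes(packet).get(80)
    if entry is None or len(entry[1]) != 16:
        return False
    zeroed = packet[:entry[0]] + bytes(16) + packet[entry[0] + 16:]
    return hmac.compare_digest(entry[1], hmac.new(secret, zeroed, hashlib.md5).digest())

def missing_required(packet, required_types):
    """Names of attributes a server policy requires but the request does not carry."""
    present = parse_attributes(packet)
    return [NAMES.get(t, str(t)) for t in sorted(required_types) if t not in present]

SECRET, AUTH = b"example-shared-secret", bytes(range(16))  # constructed sample values
REQUEST = build_access_request(b"smsadmin", b"example-password", SECRET, AUTH)
```

A non-empty result from `missing_required` for the attribute set your RADIUS policy enforces identifies the restriction to relax before the upgrade.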

1.6. SMS High Availability (HA)

Before doing an SMS upgrade, you must disable High Availability (HA). The process for upgrading an HA cluster is to break down the cluster, upgrade each SMS individually, and then re-establish the cluster. The reason for this is that one of the nodes is always passive and therefore the SMS software is not fully operational and cannot be upgraded.

Requirements

  • Both SMS devices must have the same disk capacity.
  • It is recommended that you have the same SMS models.

1.7. Preparation to Upgrade

The SMS Server, when connected to the TMC, monitors the TMC for newer versions of the SMS Software. When the SMS Server detects a newer version than the one currently installed, it activates the Download button in the SMS Software section of the Admin (General) screen. Additionally, it updates the Available for Download field to show the software version number. Before you download and install a new version of SMS software, make note of the following:

  • Back up the SMS database. If you are replacing the SMS server with a new device (physical or virtual), the only way to get the SMS data across to the new appliance is to restore from a previous backup. In addition, best practice dictates that any system should be backed up prior to any major changes (e.g. software updates).
  • Export profiles separately. Even if you back up the entire database, sometimes the restore process causes the profiles to become corrupted (e.g. old profiles). As such it is recommended that the profiles be exported separately. This will ensure that a clean copy is available for restoration.
  • Installing a new version of SMS causes the SMS server to reboot and close all client connections.
  • When the SMS Server is unavailable during the reboot process, the availability and operations of Trend Micro TippingPoint devices managed by SMS are unaffected. IPS and other devices continue to operate as usual and without interruption.
  • When you upgrade the SMS server, you will be unable to connect to the server through the SMS client until you have upgraded the SMS client software. However, you can view detailed upgrade status from the local VGA console.
  • Before upgrading from an older to a newer version, ensure that the latest patch has been installed.

1.8. Upgrade time estimates

On average, the SMS upgrade takes around 25 minutes. However, depending on how large your database is, it can take considerably longer. Further steps for updating the Digital Vaccine take varying times. Prior to any upgrade, be sure to back up your SMS. The SMS automatically reboots twice during the upgrade. The SMS is only accessible during the first step of the upgrade process. During the remainder of the upgrade, the SMS is NOT accessible.

NOTE: It is not unheard of for an upgrade to take 24 hours or longer if large databases are involved.

The steps in the Time Estimates table describe each operation and duration for a typical SMS upgrade using a software package downloaded from TMC. These times are general estimates based on average system hardware configuration and data. Depending on your system and the data it contains, times may be slightly faster or slower than documented.

The following table provides estimates only. The time estimates for your system may vary based on multiple factors including the size of your database. Do NOT reboot or power cycle the system until the upgrade completes.

Depending on your download speed, the update process takes approximately 90 minutes. The following table provides a summary of the process with estimated times:

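| Step | Task | Manual or Automatic | Estimated Time | Link Status |
|------|------|---------------------|----------------|-------------|
| 1 | Download the package | Manual | Varies | Up |
| 2 | Install the package | Manual | 5-25 minutes | Up |
| 3 | Reboot. Update the system | Automatic | 15-25 minutes | Down |
| 4 | Reboot. Migrate database | Automatic | 10-30 minutes | Down |
| 5 | Migrate Event Data** | Automatic | Varies | Up |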


1.9. Software Upgrade Path

The following table provides the upgrade path for the various versions of SMS.

SMS TOS Upgrade Path

| Device | Current TOS | Intermediate TOS | Final TOS |
|--------|-------------|------------------|-----------|
| SMS, vSMS (Note 1) | 4.3.0 | 4.4.0 | SMS/vSMS 5.1.0 |
| SMS, vSMS (Note 1) | 4.4.0, 4.5.0, 4.6.0, 5.0.0, 5.0.1 | - | SMS/vSMS 5.1.0 |

Note 1: You must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported.


1.10. Software Compatibility

Product Version Compatibility

| Product | SMS v5.1.0 | SMS v5.0.x | SMS v4.6 | SMS v4.5 | SMS v4.4 | SMS v4.3 |
|---------|------------|------------|----------|----------|----------|----------|
| Support Status | Supported | Supported | Supported | Supported | EOS DEC/31/2018 | EOS JUN/30/2018 |
| Direct migration to SMS v5.0.1? | N/A | Supported | Supported | Supported | Supported | Not supported |
| vTPS | TOS v5.1.0 and earlier | TOS v5.0.0 and earlier | TOS v4.2.x and earlier | TOS v4.2.x and earlier | TOS v4.0.2 and earlier | Not supported |
| TPS | TOS v5.1.0 and earlier | TOS v5.0.0 and earlier | TOS v4.2.x and earlier | TOS v4.2.x and earlier | TOS v4.1.0 and earlier | TOS v4.0.0 |
| IPS | TOS v3.9.x and earlier | TOS v3.9.x and earlier | TOS v3.9.x and earlier | TOS v3.9.x and earlier | TOS v3.8.x and earlier | TOS v3.8.x and earlier |
| NGFW | Not supported | TOS v1.2.3 and earlier | TOS v1.2.3 and earlier | TOS v1.2.3 and earlier | TOS v1.2.3 and earlier | TOS v1.2.0 and earlier |
| Identity Agent | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 |


2. SMS Migration Scenarios

The following sections present some of the most common migration/updating scenarios that might be encountered.

  • Upgrade the SMS software on the same SMS device (physical)
  • Upgrade the vSMS software on the same vSMS device (virtual)
  • Migrate from an old SMS device to a new SMS device
  • Migrate from a physical SMS to a virtual SMS (vSMS)
  • Changing the SMS server IP address.


2.1. Upgrade the SMS software on the same SMS device (physical)

  1. Back up the SMS database. This should be done as a matter of best practice.
  2. Download or import the SMS software from the TMC
  3. Install the SMS software
  4. Allow the system to perform the upgrade process
  5. Install the Client software


2.2. Upgrade the vSMS software on the same vSMS device (virtual)

  1. Back up the SMS database. This should be done as a matter of best practice.
  2. Download or import the incremental vSMS software from the TMC
  3. Install the incremental vSMS software
  4. Allow the system to perform the upgrade process
  5. Install the new Client software


2.3. Migrate from an old SMS server to a new SMS server

  1. Back up the old SMS database. This should be done as a matter of best practice.
  2. Export profiles separately.
  3. Shut down the old SMS server
  4. Power up the new SMS server

NOTE: As the SMS starts up, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the SMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and to periodically input information.

  5. Configure the SMS server

NOTE: The SMS server will reboot after the configuration is complete.

  6. Allow the SMS server to complete the reboot and configuration
  7. Install the new Client software
  8. Restore the database from the old SMS
  9. Restore the profiles (if required)

IMPORTANT: If you change the IP address of the SMS server, read Section 2.6, Changing the SMS server IP address.


2.4. Migrate from a physical SMS to a virtual SMS (vSMS)

  1. Back up the old SMS database. This should be done as a matter of best practice.
  2. Export profiles separately.
  3. Shut down the old SMS server
  4. Validate the VMware Environment
  5. Obtain the vSMS Software from the TMC
  6. Obtain the vSMS Certification String
  7. Deploy the vSMS Software
  8. Start the vSMS Software

NOTE: As the SMS starts up, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the SMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and to periodically input information.

  9. Configure the SMS server

NOTE: The SMS server will reboot after the configuration is complete.

  10. Allow the SMS server to complete the reboot and configuration
  11. Install the new Client Software
  12. Restore the database from the old SMS

IMPORTANT: If you change the IP address of the SMS server, read Section 2.6, Changing the SMS server IP address.


2.5. Migrate from a DEMO vSMS to a purchased vSMS

  1. Back up the DEMO vSMS database.
  2. Export profiles separately.
  3. Unmanage devices from the vSMS.
  4. Obtain the vSMS Software from the TMC.
  5. Obtain the vSMS Certification String.
  6. Deploy the vSMS Software.
  7. Start the vSMS Software.

NOTE: As the vSMS starts up, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the vSMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and to periodically input information.

  8. Configure the vSMS server.

NOTE: The vSMS server will reboot after the configuration is complete.

  9. Allow the SMS server to complete the reboot and configuration.
  10. Install the new Client Software.
  11. Restore the database from the DEMO vSMS.
  12. If the IP address you gave the vSMS server is different than the old SMS, then you must delete all the IPS devices and re-manage them. If the IP address is the same as the old server then the IPSs should be ok.
  13. Redistribute your profiles to all devices and segments from the new vSMS.

IMPORTANT: If you change the IP address of the SMS server, read Section 2.6, Changing the SMS server IP address.


2.6. Changing the SMS server IP address

Changing the SMS server IP address has a major impact on the managed devices, as the devices will still believe that they are being managed by the old SMS. There are two options for proper management of devices; both involve un-managing and re-managing.

Option 1 (Before IP address change)

  1. Before you upgrade the SMS, un-manage all devices from the SMS. This can be done from the SMS, IPS CLI or IPS LSM.
  2. After the restore is complete and the IP address has been changed, re-manage all devices from the SMS.

Option 2 (After IP address change)

  1. Un-manage the device from the IPS CLI or the IPS LSM.
  2. Re-manage all devices from the SMS

IMPORTANT: Please ensure that you know the administrative credentials for managing the IPS devices.


3. Additional Resources

  • Security Management System (SMS) User Guide
  • Virtual Security Management System (vSMS) Getting Started Guide

These documents can be found in the Trend Micro Document Center (http://docs.trendmicro.com/en-us/tippingpoint/security-management-system.aspx)

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000087690