SMS Migration Guide

    • Updated: 24 Aug 2017
    • Product/Version: TippingPoint SMS All; TippingPoint Virtual SMS

Summary
1. Overview

The purpose of this article is to give customers the information and steps needed to make the SMS migration process as painless as possible. There are multiple upgrade paths for the SMS, and each path has its own areas of concern:

  • Upgrade the SMS software on the same SMS device (physical)
  • Upgrade the vSMS software on the same vSMS device (virtual)
  • Migrate from an old SMS device to new SMS device
  • Migrate from a physical SMS to a virtual SMS (vSMS)

Regardless of your migration path as mentioned above, at the most basic level, the SMS migration process consists of the following areas:

  1. Back up the SMS database
  2. Upgrade the SMS to the new version or replace the SMS
  3. Restore the SMS database from the backup (if required)
  4. Unmanage and remanage all IPS devices (if required)
1.1. Backup and Restore

The SMS server maintains important data in both its database and in configuration files. The database holds data about the current and historical operations of the SMS server as well as the devices it manages. The configuration files contain data such as SMTP server information, NAT configuration information, and user information. This data is critical to the operation of the SMS Server and should be backed up periodically to assist recovery from an unexpected failure.

1.1.1 Backup

The backup process backs up both the database and the configuration files. By default, event-related and statistics-related database tables are not backed up due to their size, but you can choose to include them and some other optional configuration files. The process of backing up the SMS database is resource intensive, particularly if the server is under heavy load and the database is large. Take this into consideration when scheduling a regular backup or initiating an immediate backup.

Number of Digital Vaccines - In addition to backing up the SMS Server database, you can specify up to six of the most recent Digital Vaccines (DV) to include in the backup. You are required to back up the most recent DV.

Number of Device TOS packages - You can optionally specify up to six of the most recent Device TOS packages to be included in the backup.

Number of custom packages - If you have custom packages installed, you can specify up to six of the most recent custom packages to be included in the backup. The backup always includes the latest, active package. It does not automatically back up more than one package and does not automatically back up inactive packages. For example, your installation might include a custom script writer (CSW) package.

1.1.2 Restore

When restoring an SMS Server database, SMS validates the integrity of the file from which backed up data is being restored. If the file is invalid, the SMS console displays an error message. To ensure database integrity, the system automatically reboots after the restore operation. SMS supports restoring a backup taken with a previous version of SMS. For example, you can take a backup with SMS 4.0 and restore it to an SMS 4.4 server. When you restore a previous-version backup, SMS not only restores the database but also migrates data and data structures to match the version of SMS running on your SMS server.

1.2. SMS Backup and storage

The backup and restore processes require access to a storage location, to either back up data to the storage or restore data from the storage. The SMS backup and restore processes can perform their tasks using any of the following storage access protocols:

  • Network File System (NFS) Protocol
  • Server Message Block (SMB) Protocol, a Microsoft-based shared-access file system
  • Secure File Transfer Protocol (sFTP)
  • Secure Copy Protocol (SCP)
  • Hypertext Transfer Protocol (HTTP) and Secure Hypertext Transfer Protocol (HTTPS)

NOTE: The HTTPS and SMB backup options copy the file to the /mgmt/client/tmp partition. If there is not enough space in that partition to hold the backup, the operation will fail.

1.3. SMS High Availability (HA):

Before doing an SMS upgrade, you must disable High Availability (HA). The process for upgrading an HA cluster is to break down the cluster, upgrade each SMS individually, and then re-establish the cluster. The reason for this is that one of the nodes is always passive and therefore the SMS software is not fully operational and cannot be upgraded.

Requirements

  • Both SMS devices must have the same disk capacity.
  • It is recommended that you have the same SMS models.
1.4. Preparation to Upgrade

The SMS Server, when connected to the TMC, monitors the TMC for newer versions of the SMS Software. When the SMS Server detects a newer version than the one currently installed, it activates the Download button in the SMS Software section of the Admin (General) screen. Additionally, it updates the Available for Download field to show the software version number. Before you download and install a new version of SMS software, make note of the following:

  • Back up the SMS database. If you are replacing the SMS server with a new device (physical or virtual), the only way to get the SMS data across to the new appliance is to restore from a previous backup. In addition, best practice dictates that any system should be backed up prior to any major changes (e.g. software updates).
  • Export profiles separately. Even if you back up the entire database, sometimes the restore process causes the profiles to become corrupted (e.g. old profiles). As such it is recommended that the profiles be exported separately. This will ensure that a clean copy is available for restoration.
  • Installing a new version of SMS causes the SMS server to reboot and close all client connections.
  • When the SMS Server is unavailable during the reboot process, the availability and operations of Trend Micro TippingPoint devices managed by SMS are unaffected. IPS and other devices continue to operate as usual and without interruption.
  • When you upgrade the SMS server, you will be unable to connect to the server through the SMS client until you have upgraded the SMS client software. However, you can view detailed upgrade status from the local VGA console.
  • Before upgrading from an older to a newer version, ensure that the latest patch has been installed prior to upgrading the software.
1.5. Upgrade time estimates

On average, the SMS upgrade takes around 25 minutes. However, depending on how large your database is, it can take considerably longer. Further steps for updating the Digital Vaccine take varying amounts of time. Prior to any upgrade, be sure to back up your SMS. The SMS automatically reboots twice during the upgrade. The SMS is accessible only during the first step of the upgrade process. During the remainder of the upgrade, the SMS is NOT accessible.

NOTE: It is not unheard of for an upgrade to take 24 hours or longer if large databases are involved.

The steps in the Time Estimates table describe each operation and duration for a typical SMS upgrade using a software package downloaded from TMC. These times are general estimates based on average system hardware configuration and data. Depending on your system and the data it contains, times may be slightly faster or slower than documented.

The following table provides estimates only. The time estimates for your system may vary based on multiple factors including the size of your database. Do NOT reboot or power cycle the system until the upgrade completes.

Depending on your download speed, the update process takes approximately 90 minutes. The following table provides a summary of the process with estimated times.

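| Step | Task | Manual or Automatic | Estimated Time | Link Status |
|------|------|---------------------|----------------|-------------|
| 1 | Download the package | Manual | Varies | Up |
| 2 | Install the package | Manual | 5-25 minutes | Up |
| 3 | Reboot. Update the system | Automatic | 15-25 minutes | Down |
| 4 | Reboot. Migrate database | Automatic | 10-30 minutes | Down |
| 5 | Migrate Event Data** | Automatic | Varies | Up |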

1.6. Software Upgrade Path

The following table provides the upgrade path for the various versions of SMS.

SMS TOS Upgrade Path

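| Device | Current TOS | Intermediate TOS | Final TOS |
|--------|-------------|------------------|-----------|
| SMS | 4.0.0 (Note 1) | 4.1.0 | SMS 4.6.0 |
| SMS | 4.1.0 | | SMS 4.6.0 |
| SMS | 4.2.0 | | SMS 4.6.0 |
| SMS | 4.2.1 (Note 2) | | SMS 4.6.0 |
| SMS | 4.3.0 | | SMS 4.6.0 |
| SMS | 4.4.0 | | SMS 4.6.0 |
| SMS | 4.5.0 | | SMS 4.6.0 |
| vSMS (Note 4) | 4.0.0 (Note 1) | 4.1.0 | vSMS 4.6.0 |
| vSMS (Note 4) | 4.1.0 (Note 3) | | vSMS 4.6.0 |
| vSMS (Note 4) | 4.2.0 (Note 3) | | vSMS 4.6.0 |
| vSMS (Note 4) | 4.3.0 (Note 3) | | vSMS 4.6.0 |
| vSMS (Note 4) | 4.4.0 (Note 3) | | vSMS 4.6.0 |
| vSMS (Note 4) | 4.5.0 (Note 3) | | vSMS 4.6.0 |

Note 1: End-Of-Life
Note 2: Operating System for SMS G9 Server (HP-DL360-G9, HP-DL380-G9).
Note 3: The vSMS platform can be upgraded to 4.6.0 with the incremental upgrade package.
Note 4: You must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported.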

1.7. Software Compatibility

Product Version Compatibility

| Product | SMS v4.6 | SMS v4.5 | SMS v4.4 | SMS v4.3 | SMS v4.2.1 (Note 1) | SMS v4.2 | SMS v4.1 | SMS v4.0 |
|---------|----------|----------|----------|----------|---------------------|----------|----------|----------|
| Support Status | Supported | Supported | Supported | EOS JUN/30/2018 | EOS AUG/30/2017 | EOS AUG/30/2017 | EOS AUG/30/2017 | Not supported |
| Direct migration to SMS v4.6? | N/A | Supported | Supported | Supported | Supported | Supported | Supported | Not supported |
| vTPS | TOS v4.2.x and earlier | TOS v4.2.x and earlier | TOS v4.0.2 and earlier | Not supported | Not supported | Not supported | Not supported | Not supported |
| TPS | TOS v4.2.x and earlier | TOS v4.2.x and earlier | TOS v4.1.0 (Note 2) and earlier | TOS v4.0.0 | Not supported | Not supported | Not supported | Not supported |
| IPS | TOS v3.9.x and earlier | TOS v3.9.x and earlier | TOS v3.8.x and earlier | TOS v3.8.x and earlier | TOS v3.8.x and earlier (Note 3) | TOS v3.8.x and earlier (Note 3) | TOS v3.7.x and earlier | TOS v3.6.x and earlier |
| NGFW | TOS v1.2.3 and earlier | TOS v1.2.3 and earlier | TOS v1.2.3 and earlier | TOS v1.2.0 and earlier | TOS v1.1.1 and earlier | TOS v1.1.1 and earlier | TOS v1.1.0 and earlier | TOS v1.0.0 |
| Identity Agent | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 | TOS v1.0.0 | Not supported | Not supported |

Note 1: SMS v4.2.1 is factory installed on new Gen9 hardware.
Note 2: SSL Inspection is only supported in 2200T device.
Note 3: All features except for TACACS+ which is supported in SMS v4.2.1 and earlier.

2. Migration Considerations

This section contains important migration information. Trend Micro TippingPoint recommends that you read through the entire section before attempting to migrate.

2.1. SMS v4.1.0

Software Updates and Migration

SMS/vSMS upgrades are supported from versions 3.5, 3.6 and 4.0. It is recommended that you are running at least SMS version 3.5 prior to upgrade; for details on a migration path, refer to the SMS v4.1 Release Notes. You must allow background processes to complete before you begin migration to SMS v4.1.0.

Top Reports:

Although "Top" reports allow you to specify the Number of Top results to be included (1-100), the chart in the report reflects only the top ten results. This constraint is intended to improve chart readability.

Database Migration:

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You may be able to free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

vSMS Requirements

The vSMS must meet the following minimum system requirements:

  • 300 GB virtual disk size for new installation, 73 GB virtual disk size for migration from a previous version
  • 2 virtual CPUs
  • 6 GB memory
  • 2 virtual network adapters
  • VMware vSphere 5.0 or later
  • VMware vCenter 5.0 or later
  • VMware ESX/ESXi 5.0 or later

vSMS Deployment

For a new vSMS server, you must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported. Virtual NIC (vNIC) devices configured during deployment of the vSMS are required for the vSMS to operate successfully. For best results, do not change the vNIC settings.

vSMS Migration

Automatic migration from vSMS v3.2 or earlier is not supported. You must redeploy the vSMS to migrate. For vSMS v3.3 or later, you can perform an incremental upgrade to a later version without redeploying the vSMS.

RADIUS Authentication

SMS uses Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by the SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users with RADIUS authentication type can no longer log in. As a workaround, temporarily change the RADIUS server configuration to remove any requirement that the AUTH-REQUEST include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.

NOTE: As a general best practice, a local user should always be enabled and added on the SMS.

2.2. SMS v4.2.0

Software Updates and Migration

SMS and vSMS upgrades are supported from versions 3.5, 3.6 and 4.1. It is recommended that you are running at least SMS version 3.5 prior to upgrade; for details on a migration path, refer to the SMS v4.2.0 Release Notes. You must allow background processes to complete before you begin migration to SMS v4.2.0.

Top Reports:

Although "Top" reports allow you to specify the Number of Top results to be included (1-100), the chart in the report reflects only the top ten results. This constraint is intended to improve chart readability.

Database Migration:

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You may be able to free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

vSMS Requirements

The vSMS must meet the following minimum system requirements:

  • 300 GB virtual disk size for new installation, 73 GB virtual disk size for migration from a previous version
  • 2 virtual CPUs
  • 6 GB memory
  • 2 virtual network adapters
  • VMware vSphere 5.0 or later
  • VMware vCenter 5.0 or later
  • VMware ESX/ESXi 5.0 or later

vSMS Deployment

For a new vSMS server, you must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported. Virtual NIC (vNIC) devices configured during deployment of the vSMS are required for the vSMS to operate successfully. For best results, do not change the vNIC settings.

vSMS Migration

Automatic migration from vSMS v3.2 or earlier is not supported. You must redeploy the vSMS to migrate. For vSMS v3.3 or later, you can perform an incremental upgrade to a later version without redeploying the vSMS.

RADIUS Authentication

SMS uses Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by the SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users with RADIUS authentication type can no longer log in. As a workaround, temporarily change the RADIUS server configuration to remove any requirement that the AUTH-REQUEST include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.

NOTE: As a general best practice, a local user should always be enabled and added on the SMS.

Issue with TLS/SSL support when calling the SMS web API

The SSLv3 POODLE vulnerability (CVE-2014-3566) causes SMS v4.2 to disable SSLv2 and SSLv3 on secure web interfaces. Some HTTPS clients and older web browsers, particularly Java based tools, use SSLv2 to handshake the initial connection, and then potentially negotiate up to TLS. Because SSLv2 and SSLv3 are now disabled on the SMS server, any client that uses SSLv2 or SSLv3 is rejected. This impacts older web browsers, which may see a protocol not supported error when connecting to the SMS web server, and ArcSight Connectors, which currently require SSLv2 handshake support to initiate a secure connection.

Contact Trend Micro TippingPoint TAC if this affects you. TAC can provide instructions to adjust the SMS to relax the SSLv2 handshake restriction and allow SSLv2 handshakes. This change does not expose the SMS to the SSLv3 POODLE issues. When SSLv2 successfully handshakes, TLS is potentially negotiated and used, but any attempt to use or negotiate to SSLv3 communications is rejected.

Note: The ArcSight Connectors rely on SSLv2 to handshake HTTPS communications. Their interactions with SMS v4.2 or later, including PCAP retrieval, traffic management, and filter creation, will stop working unless the changes advised by TAC are made.

2.3. SMS v4.3.0

Software Updates and Migration

SMS and vSMS upgrades are supported from version 3.6. We recommend that you are running at least SMS version 3.6 before you upgrade to SMS version 4.3.0. For details on the migration path, refer to the SMS version 3.6 Release Notes.

SMS and Federal Information Processing Standard (FIPS)

Migrating to SMS v4.3.0 while in FIPS mode is not supported. You must disable FIPS mode on the SMS before you begin the upgrade, otherwise the upgrade will fail. After you complete the migration to SMS 4.3.0, you can enable FIPS mode.

SMS client

The SMS client will not connect or automatically prompt you to upgrade when the SMS server is upgraded to version 4.3.0. You must use a web browser to connect to the upgraded SMS, then download and install the new client.

Top Reports:

Although "Top" reports allow you to specify the Number of Top results to be included (1-100), the chart in the report reflects only the top ten results. This constraint is intended to improve chart readability.

Database Migration:

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You may be able to free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

vSMS Requirements

The vSMS must meet the following minimum system requirements:

  • 300 GB virtual disk size for new installation, 146 GB virtual disk size for migration from a previous version
  • 2 virtual CPUs
  • 6 GB memory
  • 2 virtual network adapters
  • VMware vSphere 5.0 or later
  • VMware vCenter 5.0 or later
  • VMware ESX/ESXi 5.0 or later

vSMS Deployment

You must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported. Virtual NIC (vNIC) devices configured during deployment of the vSMS are required for the vSMS to operate successfully. For best results, do not change the vNIC settings.

vSMS Migration

Automatic migration from vSMS v3.2 or earlier is not supported. You must redeploy the vSMS to migrate. For vSMS v3.3 or later, you can perform an incremental upgrade to a later version without redeploying the vSMS.

Saved Reports

When a system is migrated from SMS 3.5 to 3.6, results from saved reports are written to an archive file, "3.5SavedReport.tar.gz", and will no longer be available from the SMS Client. This archive file is saved for 60 days; after 60 days, the tar file is deleted automatically during a file cleanup process.

RADIUS Authentication

SMS uses Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by the SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users with RADIUS authentication type can no longer log in. As a workaround, temporarily change the RADIUS server configuration to remove any requirement that the AUTH-REQUEST include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.

NOTE: As a general best practice, a local user should always be enabled and added on the SMS.

Issue with TLS/SSL support when calling the SMS web API

The SSLv3 POODLE vulnerability (CVE-2014-3566) causes SMS v4.3 to disable SSLv2 and SSLv3 on secure web interfaces. Some HTTPS clients and older web browsers, particularly Java based tools, use SSLv2 to handshake the initial connection, and then potentially negotiate up to TLS. Because SSLv2 and SSLv3 are now disabled on the SMS server, any client that uses SSLv2 or SSLv3 is rejected. This impacts older web browsers, which may see a protocol not supported error when connecting to the SMS web server, and ArcSight Connectors, which currently require SSLv2 handshake support to initiate a secure connection.

Contact Trend Micro TippingPoint TAC if this affects you. TAC can provide instructions to adjust the SMS to relax the SSLv2 handshake restriction and allow SSLv2 handshakes. This change does not expose the SMS to the SSLv3 POODLE issues. When SSLv2 successfully handshakes, TLS is potentially negotiated and used, but any attempt to use or negotiate to SSLv3 communications is rejected.

Note: The ArcSight Connectors rely on SSLv2 to handshake HTTPS communications. Their interactions with SMS v4.2 or later, including PCAP retrieval, traffic management, and filter creation, will stop working unless the changes advised by TAC are made.

2.4. SMS v4.4.0

Software Updates and Migration

SMS and vSMS upgrades are supported from version 4.1 and later. We recommend that you are running at least SMS version 4.1 before you upgrade to SMS version 4.4.0. For details on the migration path, refer to the SMS version 4.4.0 Release Notes.

SMS and Federal Information Processing Standard (FIPS)

Migrating to SMS v4.4.0 while in FIPS mode is not supported. You must disable FIPS mode on the SMS before you begin the upgrade, otherwise the upgrade will fail. After you complete the migration to SMS 4.4.0, you can enable FIPS mode.

SMS client

The SMS client will automatically prompt you to upgrade when the SMS server is upgraded to version 4.4.0.

Top Reports:

Although "Top" reports allow you to specify the Number of Top results to be included (1-100), the chart in the report reflects only the top ten results. This constraint is intended to improve chart readability.

Database Migration:

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You may be able to free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

vSMS Requirements

The vSMS must meet the following minimum system requirements:

  • 300 GB virtual disk size for new installation, 146 GB virtual disk size for migration from a previous version
  • 2 virtual CPUs
  • 12 GB memory
  • 2 virtual network adapters

VMware vSphere environment

A supported VMware vSphere environment must already be set up before you can install and use either vSMS solution. The vSMS platform uses a VMware Open Virtualization Format (OVF) file to operate. OVF is a packaging and distribution format for virtual machines.

  • VMware vSphere Client version 5.5 or 6.0
  • VMware ESX/ESXi version 5.5 or 6.0

You must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported. Virtual NIC (vNIC) devices configured during deployment of the vSMS are required for the vSMS to operate successfully. For best results, do not change the vNIC settings.

Kernel-Based Virtual Machine (KVM)

A supported KVM environment must already be set up before you can install and use either vSMS solution. KVM deployment of the vSMS has been successfully tested using the following specifications:

  • RHEL version 6 (for three cores); libvirt version 0.10.2; QEMU version 0.12.0.
  • RHEL version 7 with the KVM hypervisor (for four cores); libvirt version 1.1.0; Quick Emulator (QEMU) version 1.5.3.

The KVM environment must have the following tar packages installed:

  • qemu-kvm
  • virt-install
  • virt-viewer

vSMS Migration

For vSMS v4.1 or later, you can perform an incremental upgrade to a later version without redeploying the vSMS.

RADIUS Authentication

SMS uses Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by the SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users with RADIUS authentication type can no longer log in. As a workaround, temporarily change the RADIUS server configuration to remove any requirement that the AUTH-REQUEST include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.

NOTE: As a general best practice, a local user should always be enabled and added on the SMS.

Issue with TLS/SSL support when calling the SMS web API

The SSLv3 POODLE vulnerability (CVE-2014-3566) causes SMS v4.4 to disable SSLv2 and SSLv3 on secure web interfaces. Some HTTPS clients and older web browsers, particularly Java based tools, use SSLv2 to handshake the initial connection, and then potentially negotiate up to TLS. Because SSLv2 and SSLv3 are now disabled on the SMS server, any client that uses SSLv2 or SSLv3 is rejected. This impacts older web browsers, which may see a protocol not supported error when connecting to the SMS web server, and ArcSight Connectors, which currently require SSLv2 handshake support to initiate a secure connection.

Contact Trend Micro TippingPoint TAC if this affects you. TAC can provide instructions to adjust the SMS to relax the SSLv2 handshake restriction and allow SSLv2 handshakes. This change does not expose the SMS to the SSLv3 POODLE issues. When SSLv2 successfully handshakes, TLS is potentially negotiated and used, but any attempt to use or negotiate to SSLv3 communications is rejected.

Note: The ArcSight Connectors rely on SSLv2 to handshake HTTPS communications. Their interactions with SMS v4.2 or later, including PCAP retrieval, traffic management, and filter creation, will stop working unless the changes advised by TAC are made.

2.5. SMS v4.5.0

Software Updates and Migration

SMS/vSMS upgrades are supported from SMS v4.1 and later. We recommend that you are running at least SMS version 4.1 before you upgrade to SMS version 4.5.0. For details on the migration path, refer to the SMS version 4.5.0 Release Notes.

SMS and Federal Information Processing Standard (FIPS)

Migrating to SMS v4.5.0 while in FIPS mode is not supported. You must disable FIPS mode on the SMS before you begin the upgrade, otherwise the upgrade will fail. After you complete the migration to SMS 4.5.0, you can enable FIPS mode.

SMS client

The SMS client will automatically prompt you to upgrade when the SMS server is upgraded to version 4.5.0.

Top Reports:

Although "Top" reports allow you to specify the Number of Top results to be included (1-100), the chart in the report reflects only the top ten results. This constraint is intended to improve chart readability.

Database Migration:

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You may be able to free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

vSMS Requirements

The vSMS must meet the following minimum system requirements:

  • 300 GB virtual disk size for new installation, 146 GB virtual disk size for migration from a previous version
  • 2 virtual CPUs
  • 12 GB memory
  • 2 virtual network adapters

VMware vSphere environment

A supported VMware vSphere environment must already be set up before you can install and use either vSMS solution. The vSMS platform uses a VMware Open Virtualization Format (OVF) file to operate. OVF is a packaging and distribution format for virtual machines.

  • VMware vSphere Client version 5.5 or 6.0
  • VMware ESX/ESXi version 5.5 or 6.0

You must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported.

Virtual NIC (vNIC) devices configured during deployment of the vSMS are required for the vSMS to operate successfully. For best results, do not change the vNIC settings.

Kernel-Based Virtual Machine (KVM)

A supported KVM environment must already be set up before you can install and use either vSMS solution. KVM deployment of the vSMS has been successfully tested using the following specifications:

  • RHEL version 6 (for three cores); libvirt version 0.10.2; QEMU version 0.12.0.
  • RHEL version 7 with the KVM hypervisor (for four cores); libvirt version 1.1.0; Quick Emulator (QEMU) version 1.5.3.

The KVM environment must have the following tar packages installed:

  • qemu-kvm
  • virt-install
  • virt-viewer

vSMS Migration

For vSMS v4.1 or later, you can perform an incremental upgrade to a later version without redeploying the vSMS.

RADIUS Authentication

SMS uses Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by the SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users with RADIUS authentication type can no longer log in. As a workaround, temporarily change the RADIUS server configuration to remove any requirement that the AUTH-REQUEST include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.

NOTE: As a general best practice, a local user should always be enabled and added on the SMS.
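
The Access-Request described in the RADIUS Authentication notes (repeated for each SMS version above), rebuilt as an added example that is not Trend Micro code: it encodes a PAP request carrying only User-Name, User-Password and Message-Authenticator per RFC 2865 and RFC 2869, then reports which attributes a RADIUS server policy would find missing. The user name, password, shared secret and the lists of required attributes are constructed values.

```python
import hashlib
import hmac
import struct

# Attribute type numbers from RFC 2865 / RFC 2869.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              32: "NAS-Identifier", 80: "Message-Authenticator"}


def _attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """PAP User-Password hiding (RFC 2865, section 5.2)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def build_access_request(user, password, secret, identifier, authenticator):
    """Access-Request with only the three attributes the page lists."""
    attrs = (_attr(1, user)
             + _attr(2, hide_password(password, secret, authenticator))
             + _attr(80, bytes(16)))           # zero placeholder, filled below
    header = struct.pack(">BBH", 1, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                  # Message-Authenticator is last


def parse_attributes(packet):
    """Return [(type, value_offset, value), ...] for an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def message_authenticator_ok(packet, secret):
    """Recompute HMAC-MD5 over the packet with the attribute zeroed."""
    for attr_type, offset, value in parse_attributes(packet):
        if attr_type == 80 and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def missing_required(packet, required_types):
    """Names of attributes a server policy requires but the request lacks."""
    present = {t for t, _, _ in parse_attributes(packet)}
    absent = sorted(set(required_types) - present)
    return [ATTR_NAMES.get(t, str(t)) for t in absent]


# Constructed sample request; none of these values come from a real SMS.
SECRET = b"constructed-shared-secret"
SAMPLE = build_access_request(b"smsadmin", b"constructed-password",
                              SECRET, 7, bytes(range(16)))

if __name__ == "__main__":
    print([ATTR_NAMES[t] for t, _, _ in parse_attributes(SAMPLE)])
    print("Message-Authenticator valid:", message_authenticator_ok(SAMPLE, SECRET))
    # Hypothetical server policy that also demands NAS attributes.
    print("missing:", missing_required(SAMPLE, [1, 2, 4, 32]))
```
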

Issue with TLS/SSL support when calling the SMS web API

The SSLv3 POODLE vulnerability (CVE-2014-3566) causes SMS v4.5 to disable SSLv2 and SSLv3 on secure web interfaces. Some HTTPS clients and older web browsers, particularly Java based tools, use SSLv2 to handshake the initial connection, and then potentially negotiate up to TLS. Because SSLv2 and SSLv3 are now disabled on the SMS server, any client that uses SSLv2 or SSLv3 is rejected. This impacts older web browsers, which may see a protocol not supported error when connecting to the SMS web server, and ArcSight Connectors, which currently require SSLv2 handshake support to initiate a secure connection.

Contact Trend Micro TippingPoint TAC if this affects you. TAC can provide instructions to adjust the SMS to relax the SSLv2 handshake restriction and allow SSLv2 handshakes. This change does not expose the SMS to the SSLv3 POODLE issues. When SSLv2 successfully handshakes, TLS is potentially negotiated and used, but any attempt to use or negotiate to SSLv3 communications is rejected.

Note: The ArcSight Connectors rely on SSLv2 to handshake HTTPS communications. Their interactions with SMS v4.2 or later, including PCAP retrieval, traffic management, and filter creation, will be disabled unless the changes advised by TAC are made.

2.6. SMS v4.6.0

Software Updates and Migration

SMS/vSMS upgrades are supported from SMS v4.1 and later. We recommend that you run at least SMS version 4.1 before you upgrade to SMS version 4.6.0. For details on the migration path, refer to the SMS version 4.6.0 Release Notes.

SMS and Federal Information Processing Standard (FIPS)

Migrating to SMS v4.6.0 while in FIPS mode is not supported. You must disable FIPS mode on the SMS before you begin the upgrade, otherwise the upgrade will fail. After you complete the migration to SMS 4.6.0, you can enable FIPS mode.

SMS client

The SMS client will automatically prompt you to upgrade when the SMS server is upgraded to version 4.6.0.

Top Reports:

Although "Top" reports allow you to specify the Number of Top results to be included (1-100), the chart in the report reflects only the top ten results. This constraint is intended to improve chart readability.

Database Migration:

To migrate historical event data for an SMS upgrade, you must have at least 20 GB of free space in the database partition. If space is unavailable, the upgrade process ends, and a message warns you that cleanup is required. You may be able to free space by deleting old device snapshots, saved reports, profiles, or DV and TOS packages. Otherwise, contact Trend Micro TippingPoint Support for detailed cleanup instructions. The SMS client shows the current state of the partition (File system: Database) on the System Health screen of the Admin workspace.

vSMS Requirements

The vSMS must meet the following minimum system requirements:

  • 300 GB virtual disk size for new installation, 146 GB virtual disk size for migration from a previous version
  • 2 virtual CPUs
  • 12 GB memory
  • 2 virtual network adapters

VMware vSphere environment

A supported VMware vSphere environment must already be set up before you can install and use either vSMS solution. The vSMS platform uses a VMware Open Virtualization Format (OVF) file to operate. OVF is a packaging and distribution format for virtual machines.

  • VMware vSphere Client version 5.5 or 6.0
  • VMware ESX/ESXi version 5.5 or 6.0

You must deploy the vSMS Open Virtualization Format (OVF) file using VMware vCenter Server. Deploying the OVF file directly through ESX/ESXi utilities is not supported.

Virtual NIC (vNIC) devices configured during deployment of the vSMS are required for the vSMS to operate successfully. For best results, do not change the vNIC settings.

Kernel-Based Virtual Machine (KVM)

A supported KVM environment must already be set up before you can install and use either vSMS solution. KVM deployment of the vSMS has been successfully tested using the following specifications:

  • RHEL version 6 (for three cores); libvirt version 0.10.2; QEMU version 0.12.0.
  • RHEL version 7 with the KVM hypervisor (for four cores); libvirt version 1.1.0; Quick Emulator (QEMU) version 1.5.3.

The KVM environment must have the following tar packages installed:

  • qemu-kvm
  • virt-install
  • virt-viewer

vSMS Migration

For vSMS v4.1 or later, you can perform an incremental upgrade to a later version without redeploying the vSMS.

RADIUS Authentication

SMS uses Password Authentication Protocol (PAP) by default. While using PAP, the AUTH-REQUEST sent by the SMS to the RADIUS server includes three attributes: User-Name, User-Password, and Message-Authenticator. If the RADIUS server requires attributes that the SMS does not provide, SMS users whose authentication type is RADIUS can no longer log in. As a workaround, temporarily change the RADIUS server configuration so that it no longer requires the AUTH-REQUEST to include other attributes. Authentication protocol options for RADIUS include PAP, MD5, and PEAP/EAP-MSCHAPv2.

NOTE: As a general best practice, a local user should always be enabled and added on the SMS.
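To check ahead of an upgrade whether a RADIUS server policy would reject the PAP request described in the RADIUS Authentication passages (v4.5 and v4.6 alike), the following added example, which is not from this article or from SMS, parses an Access-Request, verifies its Message-Authenticator, and lists the required attributes it lacks. The packet, the shared secret, and the required-attribute list used with it are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Attribute type numbers from RFC 2865 / RFC 2869.
ATTR = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
        32: "NAS-Identifier", 80: "Message-Authenticator"}

def parse_access_request(pkt: bytes):
    """Return [(type, offset, value)] for each attribute in an Access-Request."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, off = [], 20                      # attributes follow the 20-byte header
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("bad attribute length at offset %d" % off)
        a_len = pkt[off + 1]
        attrs.append((pkt[off], off, pkt[off + 2:off + a_len]))
        off += a_len
    return attrs

def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """HMAC-MD5 over the packet with the attribute value zeroed (RFC 2869)."""
    for a_type, off, value in parse_access_request(pkt):
        if a_type == 80 and len(value) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
    return False

def missing_attributes(pkt: bytes, required) -> list:
    """Names in `required` that the request does not carry."""
    present = {ATTR.get(t, str(t)) for t, _, _ in parse_access_request(pkt)}
    return sorted(set(required) - present)

def build_sample(secret: bytes) -> bytes:
    """Constructed PAP request with the three attributes the article lists."""
    ra = bytes(range(16))                    # constructed Request Authenticator
    pad = hashlib.md5(secret + ra).digest()  # PAP hiding for one 16-byte block
    hidden = bytes(a ^ b for a, b in zip(b"example-pass".ljust(16, b"\0"), pad))
    body = b"\x01\x07alice" + b"\x02\x12" + hidden + b"\x50\x12" + bytes(16)
    pkt = struct.pack("!BBH", 1, 42, 20 + len(body)) + ra + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

SECRET = b"constructed-secret"               # sample value, not a real secret
SAMPLE = build_sample(SECRET)
```

Calling `missing_attributes(SAMPLE, [...])` with the attribute names your RADIUS policy enforces shows which restrictions would have to be relaxed for SMS logins to keep working.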

Issue with TLS/SSL support when calling the SMS web API

Because of the SSLv3 POODLE vulnerability (CVE-2014-3566), SMS v4.6 disables SSLv2 and SSLv3 on secure web interfaces. Some HTTPS clients and older web browsers, particularly Java-based tools, use SSLv2 to handshake the initial connection, and then potentially negotiate up to TLS. Because SSLv2 and SSLv3 are now disabled on the SMS server, any client that uses SSLv2 or SSLv3 is rejected. This impacts older web browsers, which may see a "protocol not supported" error when connecting to the SMS web server, and ArcSight Connectors, which currently require SSLv2 handshake support to initiate a secure connection.

Contact Trend Micro TippingPoint TAC if this affects you. TAC can provide instructions for adjusting the SMS to relax the restriction and allow SSLv2 handshakes. This change does not expose the SMS to the SSLv3 POODLE issues. When an SSLv2 handshake succeeds, TLS is potentially negotiated and used, but any attempt to use or negotiate SSLv3 communications is rejected.

Note: The ArcSight Connectors rely on SSLv2 to handshake HTTPS communications. Their interactions with SMS v4.2 or later, including PCAP retrieval, traffic management, and filter creation, will be disabled unless the changes advised by TAC are made.
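The hello-format distinction described in the TLS/SSL passages (v4.5 and v4.6 alike) can be checked against the first bytes a client sends, for example from a packet capture taken before the upgrade. The following added example, which is not SMS or TAC code, classifies a ClientHello as SSLv2-format or TLS-record and models the accept/reject behaviour the article describes; the `accepted` model and the sample bytes are assumptions constructed for illustration.

```python
# Wire values (major, minor) of the protocol versions named in the article.
NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
         (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def classify_client_hello(data: bytes):
    """Return (record_format, highest_offered_version) for a ClientHello."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-format record: 2-byte length with the high bit set,
        # message type 1 (CLIENT-HELLO), then the version offered.
        return "sslv2", (data[3], data[4])
    if data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS record: type 22 (handshake), record version, length,
        # then handshake type 1, a 3-byte length and client_version.
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        return "tls", (data[9], data[10])
    raise ValueError("not an SSL/TLS ClientHello")

def accepted(data: bytes, sslv2_hello_allowed: bool = False) -> bool:
    """Model of the behaviour the article describes (assumption, not SMS code).

    Default: SSLv2-format hellos and SSLv2/SSLv3 offers are rejected.
    sslv2_hello_allowed=True models the TAC adjustment: an SSLv2-format
    hello is tolerated only when it offers TLS 1.0 or later.
    """
    fmt, offered = classify_client_hello(data)
    if offered < (3, 1):            # best the client offers is SSLv2 or SSLv3
        return False
    return fmt == "tls" or sslv2_hello_allowed

def describe(data: bytes) -> str:
    fmt, offered = classify_client_hello(data)
    return "%s-format hello offering %s" % (fmt, NAMES.get(offered, "unknown"))

def tls_record_hello(minor: int) -> bytes:
    """Constructed TLS-record ClientHello offering version 3.<minor>."""
    body = bytes([3, minor]) + bytes(32) + bytes.fromhex("000002002f0100")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples, not captured traffic.
LEGACY_HELLO = bytes.fromhex("801c01030100030000001000002f") + bytes(16)
MODERN_HELLO = tls_record_hello(3)   # offers TLS 1.2
SSLV3_HELLO = tls_record_hello(0)    # offers SSLv3 at best
```

A client whose hello classifies as `sslv2` while offering TLS 1.0 is the case that fails against the default configuration and works only after the TAC adjustment.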

3. SMS Migration Scenarios

The following sections present some of the most common migration/updating scenarios that might be encountered.

  • Upgrade the SMS software on the same SMS device (physical)
  • Upgrade the vSMS software on the same vSMS device (virtual)
  • Migrate from an old SMS device to a new SMS device
  • Migrate from a physical SMS to a virtual SMS (vSMS)
  • Changing the SMS server IP address

3.1. Upgrade the SMS software on the same SMS device (physical)

  1. Back up the SMS database. This should be done as a matter of best practice.
  2. Download or import the SMS software from the TMC.
  3. Install the SMS software.
  4. Allow the system to perform the upgrade process.
  5. Install the Client software.

3.2. Upgrade the vSMS software on the same vSMS device (virtual)

For step-by-step instructions, please access the Trend Micro TippingPoint Virtual SMS Quick Start Guide at https://tmc.tippingpoint.com.

vSMS
  1. Back up the SMS database. This should be done as a matter of best practice. NOTE: For added assurance, use vSphere to take a snapshot of the SMS virtual appliance.
  2. Download or import the incremental vSMS software from the TMC.
  3. Install the incremental vSMS software.
  4. Allow the system to perform the upgrade process.
  5. Install the new Client software.

3.3. Migrate from an old SMS server to a new SMS server

For step-by-step instructions, please access the Trend Micro TippingPoint SMS Quick Start Guide at https://tmc.tippingpoint.com.

  1. Back up the old SMS database. This should be done as a matter of best practice.
  2. Export profiles separately.
  3. Shut down the old SMS server.
  4. Power up the new SMS server.

NOTE: As the SMS starts up, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the SMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and to periodically input information.

  5. Configure the SMS server.

NOTE: The SMS server will reboot after the configuration is complete.

  6. Allow the SMS server to complete the reboot and configuration.
  7. Install the new Client software.
  8. Restore the database from the old SMS.
  9. Restore the profiles (if required).

IMPORTANT: If you change the IP address of the SMS server, read Section 3.6, Changing the SMS server IP address.

3.4. Migrate from a physical SMS to a virtual SMS (vSMS)

For step-by-step instructions, please access the Trend Micro TippingPoint Virtual SMS Quick Start Guide at https://tmc.tippingpoint.com.

  1. Back up the old SMS database. This should be done as a matter of best practice.
  2. Export profiles separately.
  3. Shut down the old SMS server.
  4. Validate the VMware environment.
  5. Obtain the vSMS software from the TMC.
  6. Obtain the vSMS Certification String.
  7. Deploy the vSMS software.
  8. Start the vSMS software.

NOTE: As the SMS starts up, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the SMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and to periodically input information.

  9. Configure the SMS server.

NOTE: The SMS server will reboot after the configuration is complete.

  10. Allow the SMS server to complete the reboot and configuration.
  11. Install the new Client software.
  12. Restore the database from the old SMS.

IMPORTANT: If you change the IP address of the SMS server, read Section 3.6, Changing the SMS server IP address.

3.5. Migrate from a DEMO vSMS to a purchased vSMS

  1. Back up the DEMO vSMS database.
  2. Export profiles separately.
  3. Unmanage devices from the vSMS.
  4. Obtain the vSMS software from the TMC.
  5. Obtain the vSMS Certification String.
  6. Deploy the vSMS software.
  7. Start the vSMS software.

NOTE: As the vSMS starts up, the Trend Micro TippingPoint splash screen is displayed for up to 90 seconds. System status messages are written to the serial port and then displayed on the monitor. After powering up the server, the vSMS Hardware Out-of-Box (OBE) Setup Wizard prompts you to perform basic configuration tasks and to periodically input information.

  8. Configure the vSMS server.

NOTE: The vSMS server will reboot after the configuration is complete.

  9. Allow the SMS server to complete the reboot and configuration.
  10. Install the new Client software.
  11. Restore the database from the DEMO vSMS.
  12. If the IP address you gave the vSMS server is different from that of the old SMS, you must delete all the IPS devices and re-manage them. If the IP address is the same as that of the old server, the IPS devices should be OK.
  13. Redistribute your profiles to all devices and segments from the new vSMS.

IMPORTANT: If you change the IP address of the SMS server, read Section 3.6, Changing the SMS server IP address.

3.6. Changing the SMS server IP address

Changing the SMS server IP address has a major impact on the managed devices, because the devices will still believe that they are being managed by the old SMS. There are two options for proper management of devices; both involve un-managing and re-managing the devices.

Option 1 (Before IP address change)

  1. Before you upgrade the SMS, un-manage all devices from the SMS. This can be done from the SMS, IPS CLI or IPS LSM.
  2. After the restore is complete and the IP address has been changed, re-manage all devices from the SMS.

Option 2 (After IP address change)

  1. Un-manage the device from the IPS CLI or the IPS LSM.
  2. Re-manage all devices from the SMS.

IMPORTANT: Please ensure that you know the administrative credentials for managing the IPS devices.
 
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000087690