Sophos Cloud Migration Tool Help

Product version: 1.0
Document date: June 2015


Contents

1 About the Sophos Cloud Migration Tool, page 4
2 How does Sophos Cloud differ from on-premise management?, page 5
3 How does the migration tool work?, page 6
    3.1 Evaluation, page 6
    3.2 Migration, page 7
4 Planning migration, page 9
5 Important considerations, page 10
    5.1 Policy settings, page 10
    5.2 Interruption of protection, page 10
    5.3 Reboot required, page 10
    5.4 Update caching, page 11
6 Migration prerequisites, page 12
    6.1 Sophos Cloud license, page 12
    6.2 Operating systems, page 12
    6.3 Supported features, page 13
    6.4 Endpoint software, page 13
    6.5 Server components, page 13
    6.6 Active Directory synchronization, page 14
    6.7 Update locations, page 14
7 Installing the Sophos Cloud Migration Tool, page 15
8 Check which computers can be migrated, page 16
9 Sophos Cloud readiness and migration states, page 18
    9.1 Migration states displayed in the on-premise console, page 19
10 Change which columns are displayed, page 20
11 View the computer Cloud readiness report, page 21
    11.1 View the computer Cloud readiness report in Excel, page 21
12 Migration exclusions, page 22
13 Migrate computers, page 23
14 View migrated computers in Sophos Cloud, page 25
15 Rolling back to on-premise management, page 26
16 Uninstall the Sophos Cloud Migration Tool, page 27
17 Migrate the on-premise management server, page 28
18 Where do I find the log?, page 29
19 Troubleshooting, page 30
    19.1 Migration error, page 30
    19.2 Sophos Cloud installer error, page 30
    19.3 Migration timed out, page 30
    19.4 Missing component, page 31
    19.5 Post-migration installation error, page 31
20 Technical support, page 33
21 Legal notices, page 34

1 About the Sophos Cloud Migration Tool

The Sophos Cloud Migration Tool helps administrators to move management of protected computers from Sophos Enterprise Console 4.5 and later or Sophos Control Center 4.x to Sophos Cloud.

The tool cannot migrate computers managed by Sophos Enterprise Manager.

The tool can migrate protected computers that:

■ Are running a supported operating system.

■ Have features or policy settings that are supported by Sophos Cloud.

■ Meet the other migration prerequisites described in Migration prerequisites (page 12).


2 How does Sophos Cloud differ from on-premise management?

Sophos Cloud differs from on-premise management in three ways.

Management in the cloud

The Sophos Cloud console is hosted in the cloud by Sophos. You don’t require a management server and you don’t have to install and update the management console.

User-based policies

On-premise management manages and applies security policies to computers. Sophos Cloud, on the other hand, manages users. User-based security policies follow the user across different devices, platforms and locations.

Dedicated protection for servers

On-premise management manages computers running client operating systems and the ones running server operating systems the same way. Sophos Cloud, on the other hand, manages Windows servers separately from users’ computers. Server security policies are applied to a particular server or servers, no matter who logs on. Server protection automatically recognizes certain common server applications, so you don’t need to set complicated scanning exclusions.

To read answers to frequently asked questions (FAQ) about Sophos Cloud, see knowledgebase article 119598. For information about the Sophos Cloud console and policies, see the Sophos Cloud Help.


3 How does the migration tool work?

The migration tool must be installed and run by the Administrator, on the server where Sophos Enterprise Console (management server and database) or Sophos Control Center is installed.

Note: Only one instance of the tool can run on the same computer at the same time. For example, if the tool is already running on a computer, another user who connects to the computer using Remote Desktop Connection will not be able to open the tool.

The tool can be used for assessing computers to see whether or not they can be migrated to Cloud, and for migrating the computers to Cloud.

3.1 Evaluation

When you run the tool, it retrieves the list of managed computers from the Enterprise Console or Control Center database and checks them for Cloud readiness against the latest Cloud readiness assessment data retrieved from Sophos. The Cloud readiness assessment data includes:

■ Cloud readiness rules, which include operating systems and features supported for migration. The Cloud readiness rules are updated automatically, for example when a new operating system or feature becomes available in Cloud.

■ Information about the features licensed to a Cloud account.

The tool can run in one of the two evaluation modes: full evaluation mode, which requires a Cloud account, or basic computer assessment mode.

During basic computer assessment, the tool checks that a computer:

■ Is running an operating system supported in Cloud.

■ Has only those features enabled or installed that are supported in Cloud.

■ Has no unsupported server software or component installed.

■ Has an Endpoint Security and Control version that can be migrated.

■ Downloads updates from a supported update location.

■ If synchronized with Active Directory, does not have automatic protection enabled in synchronization properties.

If you log in to your Cloud account when running the tool, then along with performing a basic computer assessment, the tool will also compare all features active on the computers against your Cloud license. It will then alert you if there are any features enabled that you are not licensed to use in Cloud.


The tool then displays evaluation results, showing whether the computers are Cloud ready and, if they are not, the reason(s) why the computers cannot be migrated.

For more information about migration prerequisites, see Migration prerequisites (page 12).

For more information about computer Cloud readiness evaluation, see Check which computers can be migrated (page 16).

3.2 Migration

When you choose to migrate computers, the Sophos Cloud Migration Tool downloads the Cloud agent software and places it in the update share (bootstrap location). The computers that are on the migration list and meet the migration prerequisites will get the Cloud software during their next scheduled update (specified in the Updating policy, on the Schedule tab). The Remote Management System (RMS), used for communications between the computer and the on-premise console, is then uninstalled and the Cloud agent software is installed. The Cloud agent software includes Sophos Management Communications System (MCS), used for communications between the computer and Sophos Cloud.


Note: The migration process may take up to a couple of hours, depending on the computers’ updating interval and network connection.

When a computer is migrated to Cloud, it is treated either as a user’s workstation, if it is running a Windows client operating system, or as a server, if it is running a Windows server operating system.

When a workstation is migrated:

■ A Cloud user account is created based on the last known user of the computer at the time of migration, and is added to the Cloud users list.

■ A user policy is applied to the user (by default, this is the Base Policy).

■ The computer is added to the Devices list in Cloud.

When a server is migrated:

■ The server is added to the Servers list in Cloud.

■ A server policy is applied to the server (by default, this is the Base Policy).

For more information about the migration process, see Migrate computers (page 23).


4 Planning migration

You can migrate your computers to Sophos Cloud by following these key steps:

1. Review Important considerations (page 10) and plan the migration accordingly.
2. Check migration prerequisites. See Migration prerequisites (page 12).
3. Install the Sophos Cloud Migration Tool. See Installing the Sophos Cloud Migration Tool (page 15).
4. Assess computers for Cloud readiness. See Check which computers can be migrated (page 16).
5. Migrate computers to Sophos Cloud. See Migrate computers (page 23).
6. If you have migrated all endpoint computers and none are managed by the on-premise management console, you can manually migrate the on-premise management server to Sophos Cloud. See Migrate the on-premise management server (page 28).


5 Important considerations

5.1 Policy settings

Policy settings are not migrated to Cloud, and the respective Cloud policy will be applied to migrated computers. By default, the base user policy will be applied to a user and the user’s workstation, and the base server policy will be applied to a server (as described in Migration (page 7)). This means that some of the settings on the computers may change as a result of the migration.

You may want to review the Cloud policies and check how the policy settings will change after the migration, especially if you have modified the default on-premise policies. For more information about Cloud policies, see the Sophos Cloud Help, Policies.

5.2 Interruption of protection

During the migration, the endpoint software is replaced. This means that your computers remain unprotected for the period of time after the on-premise endpoint software has been uninstalled and before the Cloud agent software has been installed.

Therefore, we recommend that you consider migrating the computers when they are not being used, and advise your users to save all their work prior to the migration and leave their computers turned on. We also recommend that, once the computers have been migrated, you run a full system scan of the computers to ensure that they haven’t been compromised.

5.3 Reboot required

Computers running Windows XP or Windows Server 2003 that are being migrated must be restarted as part of the migration, to migrate successfully and be fully protected again. By default, the logged on users will be prompted to restart their computers during the migration.

If a computer is not restarted, you will then see:

■ In the Sophos Cloud Migration Tool, the icon and “In Cloud (error)” status next to the computer.

Note: If the error remains unresolved for longer than a predefined time interval, the status changes to “In Cloud (critical error)”.

■ In Sophos Cloud, the following event for the computer: “Failed to install savxp: a reboot is required before the installation can succeed.”

For more information about the error, see Post-migration installation error (page 31).

Important: Until the computers are restarted, they remain unprotected. You must ensure that they are restarted as soon as possible after the reboot is requested.


You can choose to restart the computers automatically during the migration, as follows:

1. On the File menu, click Options.
2. Select Automatically restart Windows Server 2003 computers and/or Automatically restart Windows XP computers.

Important: Once you select the automatic restart option, the computers will restart automatically during the migration, without giving the logged on user any warning. You may want to consider migrating the computers when they are not being used, and to advise your users to save all their work prior to the migration and leave their computers turned on.

If you do not enable these options, the logged on users will be prompted to restart their computers.

5.4 Update caching

Sophos Cloud's Update Cache feature lets you set up update caches. This enables you to store endpoint updates on a server on your network from which computers can download them.

You should consider setting up caches. If you don't, migrated computers will download their updates directly from Sophos, which may increase your bandwidth usage.


6 Migration prerequisites

To be migrated to Sophos Cloud, computers must run a supported operating system and not have any features that are not supported in Cloud enabled or installed. See the full list of prerequisites and actions you can take in the following subsections.

Note: The list of Cloud readiness conditions against which the migration tool checks computers is updated automatically, for example, when a new operating system or feature becomes available in Cloud.

6.1 Sophos Cloud license

You must have a valid Sophos Cloud account to be able to migrate computers to Sophos Cloud.

Note: You do not need to have a Sophos Cloud account if you want to run the tool in the basic computer assessment mode, without logging in to your Sophos Cloud account.

When you log in to your Sophos Cloud account when running the Sophos Cloud Migration Tool, then along with performing a basic computer assessment, the tool also compares all features active on the computers against your Sophos Cloud license. It then alerts you if there are any features enabled that you are not licensed to use in Sophos Cloud.

If the tool has detected an active feature that you are not licensed to use in Sophos Cloud, you can either:

■ Change your Sophos Cloud license to include the feature. For more information about available licenses, see www.sophos.com/en-us/products/enduser-protection-suites/how-to-buy.aspx and www.sophos.com/en-us/products/server-security/how-to-buy.aspx.

■ Disable or uninstall the feature.

To review the details of your Sophos Cloud license or licenses, go to Sophos Cloud, Account > Administration.

6.2 Operating systems

Computers running the following operating systems can be migrated to Sophos Cloud using the Sophos Cloud Migration Tool, provided that all the other conditions are met.

■ Windows XP

■ Windows 2003

■ Windows Vista

■ Windows 7

■ Windows 2008 Server

■ Windows 2008 Server R2

■ Windows 8


■ Windows 8.1

■ Windows Server 2012

■ Windows Server 2012 R2

■ Windows Small Business Server 2011

At the time of this release, Sophos Cloud Migration Tool does not support other operating systems that are supported by Sophos Cloud. Computers running other operating systems supported by Sophos Cloud can be migrated manually, by uninstalling the on-premise endpoint software and installing the Cloud agent software.

For a full list of operating systems supported by Sophos Cloud, see knowledgebase article 121027.

For information about how to uninstall Sophos products, see knowledgebase article 118849.

For information about how to install Sophos Cloud software, see knowledgebase article 119265 and knowledgebase article 120611.

6.3 Supported features

Sophos Cloud may not yet support all the features you manage with Enterprise Console. You must disable or uninstall any unsupported features before migration.

For information about unsupported features and details of how to disable or uninstall them, see knowledgebase article 121751.

6.4 Endpoint software

To be migrated, computers must be running Sophos Endpoint Security and Control 10.0 or later. If an earlier version is installed on a computer, upgrade it before migrating the computer.

6.5 Server components

You cannot use Sophos Cloud Migration Tool to migrate a computer that:

■ Has Sophos Enterprise Console management server or Sophos Control Center installed.

■ Has Sophos Update Manager installed.

■ Acts as a message relay between endpoint computers (running Endpoint Security and Control) and the Enterprise Console management server.

■ Has one of the following installed: PureMessage for Microsoft Exchange, Sophos for Microsoft SharePoint, or PureMessage for Lotus Domino.

Note: You may be able to migrate your on-premise management server to Sophos Cloud manually, after you have migrated all endpoint computers and none are managed by the on-premise management console. See Migrate the on-premise management server (page 28).


6.6 Active Directory synchronization

If a computer is part of a group tree that is automatically synchronized with an Active Directory container, and for which automatic protection is enabled, you should disable automatic protection in the Active Directory synchronization settings before migrating the computer.

To disable automatic protection during synchronization with Active Directory, right-click the group that is synchronized with an Active Directory container (synchronization point) and select Synchronization Properties. In the Synchronization Properties dialog box, clear the Install Sophos security software automatically check box.

Note: If you migrate a computer that is part of a synchronized group tree for which automatic protection is enabled, or move an already migrated computer in Active Directory so that it ends up in such a group tree, the computer will be automatically re-protected by Enterprise Console during the next scheduled synchronization and revert back to on-premise management.

6.7 Update locations

A primary update location that is not the default update location is not supported. The default update location is a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where Sophos Update Manager and Sophos Management Server are installed.

The computer can still be migrated to Sophos Cloud without using the Sophos Cloud Migration Tool, by running the Sophos Cloud agent installer on that computer. For more information about deploying Sophos Cloud software, see knowledgebase article 119265 and knowledgebase article 120611.

Alternatively, you can change the computer’s group updating policy so that it updates from the default update location, and then migrate it using the Sophos Cloud Migration Tool.


7 Installing the Sophos Cloud Migration Tool

The Sophos Cloud Migration Tool must be installed by the Administrator on the computer where the Sophos Enterprise Console management server or Sophos Control Center is installed.

The Sophos Enterprise Console or Sophos Control Center database must be installed on the same computer. (Remote databases are not currently supported.)

If User Account Control (UAC) is enabled on the server, turn it off before installing the Sophos Cloud Migration Tool and restart the server, if prompted.

Note: You can turn UAC on again after you have completed the installation. If, later, you want to uninstall the tool, again ensure that UAC is turned off before you uninstall the tool.

Besides this, the following prerequisites must be met:

■ Microsoft .NET Framework 4.0

The tool requires Microsoft .NET Framework 4.0. If you don’t have it installed, you can choose to install it during the tool’s installation. You may need to restart the computer afterwards.

■ Windows Installer Framework 4.5 or later

The tool requires Windows Installer Framework 4.5 or later. If you don’t have it installed, install it before installing the tool.

■ Recommended Windows updates and a root certificate update for Windows Server 2003

If you are installing the Sophos Cloud Migration Tool on Windows Server 2003, make sure that all recommended Windows updates and the required root certificate update are installed. See knowledgebase article 122286.


8 Check which computers can be migrated

To check whether your computers can be migrated to Cloud:

1. Open the Sophos Cloud Migration Tool.

Note: Only one instance of the tool can run on the same computer at the same time. For example, if the tool is already running on a computer, another user who connects to the computer using Remote Desktop Connection will not be able to open the tool.

2. In the Connect to Sophos Cloud dialog box, choose whether you want to log in to Sophos Cloud or perform a basic computer assessment, without taking into account any of your Sophos Cloud license details.

During basic computer assessment, the tool checks the computers’ operating systems, enabled features, etc. If you log in to your Cloud account, along with performing a basic computer assessment, the tool will also compare all features active on the computers against your Cloud license. It will then alert you if there are any features enabled that you are not licensed to use in Cloud.

Click OK.

The Sophos Cloud Migration Tool retrieves the list of computers from the on-premise management database, checks them for Cloud readiness, and displays the list of results.

3. Review the list and see which computers are ready to be migrated to Cloud and which computers can’t be migrated, and for what reason.

There are three main Cloud readiness states:

■ Ready. The computer can be migrated to Cloud.

■ Not ready - can be remediated. The computer cannot be migrated to Cloud in its present state, but certain remediation actions can be taken that will enable migration. For example, you can disable features that are not supported in Cloud.

■ Not ready - cannot be migrated. The computer cannot be migrated to Cloud and no remediation actions are available. For example, the computer is running an operating system that is not supported in Cloud.

For more information about computer Cloud readiness and migration states, see Sophos Cloud readiness and migration states (page 18).

Note: Even though Tamper Protection is supported in Cloud, you must disable it to allow the migration tool to uninstall the on-premise endpoint software and install the Cloud agent software.


The results of computer assessment for Cloud readiness may look like this:

4. Optionally, you can generate a more detailed report for selected computers. See View the computer Cloud readiness report (page 21).

If you are ready to migrate your computers to Cloud, see Migrate computers (page 23).


9 Sophos Cloud readiness and migration states

After being assessed by the migration tool, computers may end up in or go through the following states.

Note: For more information about the status and remediation actions, if any (for example, for computers that are not ready for migration or have encountered an error), highlight the computer entry by clicking on it and view the details displayed in the right pane.

| Status | Description |
|---|---|
| Ready | The computer can be migrated to Sophos Cloud. |
| Not ready (fixable) | The computer cannot be migrated to Sophos Cloud in its present state, but certain remediation actions can be taken that will enable migration. For example, you can disable features that are not supported in Sophos Cloud. |
| Not ready | The computer cannot be migrated to Sophos Cloud. |
| Not ready (excluded) | The computer has been excluded from migration by the administrator. See Migration exclusions (page 22). |
| Pending | The administrator has chosen to migrate the computer, but the migration process has not started yet. |
| Migrating | The computer is being migrated. |
| In Cloud | The computer has been migrated successfully and has been found in the list of computers managed by Sophos Cloud. |
| Error | An error has occurred during migration. The computer is not yet managed by Sophos Cloud. See Troubleshooting (page 30). |
| In Cloud (error) | The computer has been migrated and is managed by Sophos Cloud, but an installation error has occurred that has most likely left the computer unprotected. See Post-migration installation error (page 31). |
| In Cloud (critical error) | The computer has been migrated and is managed by Sophos Cloud, but an installation error hasn’t been resolved, and the computer has remained unprotected for more than a predefined time interval (by default, 24 hours). See Post-migration installation error (page 31). |


9.1 Migration states displayed in the on-premise console

Once a computer has started the migration process, its migration state is displayed in the on-premise management console, in the Computer description column, for example:

The following table shows the correspondence between the migration state shown in the migration tool and the computer description in the on-premise console.

| Migration state | Computer description / Status in on-premise console | Description |
|---|---|---|
| Pending | {SC:Pending:<jobid>} | The computer has been added to the migration list and is awaiting migration. <jobid> is a unique integer associated with the migration request, here and below. |
| Migrating | {SC:Migrating:<jobid>} | The computer is being migrated. |
| In Cloud | {SC:InCloud:<jobid>} | The computer has been found in the list of computers managed by Sophos Cloud and has successfully updated at least once since then. |
| Error | {SC:Error:<jobid>;<error code>} | An error has occurred during migration. |
| Timed out | {SC:Timeout:<jobid>} | The computer has been in the “Pending” or “Migrating” state for longer than a predefined timeout interval. For more information, see Migration timed out (page 30). |
| In Cloud (error) | {SC:FailedInstallation:<jobid>} | The computer has been found in the list of computers managed by Sophos Cloud, but the installation of the Cloud agent software has failed. |
| In Cloud (critical error) | {SC:NotProtected:<jobid>} | The Cloud agent software installation error hasn’t been resolved for longer than a predefined time interval (by default, 24 hours). |

For more information about these states and what actions to take, if necessary, see the details in the Sophos Cloud Migration Tool, log (page 29), or Sophos Cloud.

For information about resolving errors, see Troubleshooting (page 30).
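The marker strings in the table above are regular enough to parse, which helps when reviewing exported computer descriptions for machines that were left unprotected. The following Python code is an added example, not Sophos code; the function names, the sample inventory, the error code value, and the assumption that other description text may surround the marker are all constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# State token in the on-premise "Computer description" column -> status shown
# in the migration tool, as listed in the table in section 9.1.
TOOL_STATE = {
    "Pending": "Pending",
    "Migrating": "Migrating",
    "InCloud": "In Cloud",
    "Error": "Error",
    "Timeout": "Timed out",
    "FailedInstallation": "In Cloud (error)",
    "NotProtected": "In Cloud (critical error)",
}

# Tokens that call for follow-up, most urgent first. The first two mean the
# computer is managed by Cloud but has most likely been left unprotected.
FOLLOW_UP = ["NotProtected", "FailedInstallation", "Error", "Timeout"]

# {SC:<state>:<jobid>} with an optional ;<error code>. The error code is kept
# as an opaque string because the page does not define its format.
MARKER = re.compile(
    r"\{SC:(?P<token>[A-Za-z]+):(?P<jobid>\d+)(?:;(?P<code>[^{}]*))?\}"
)


class Marker(NamedTuple):
    token: str
    tool_state: str
    job_id: int
    error_code: Optional[str]


def parse_description(text: Optional[str]) -> Optional[Marker]:
    """Return the migration marker found in a description, or None."""
    match = MARKER.search(text or "")
    if match is None or match["token"] not in TOOL_STATE:
        return None  # no marker, or a token the table does not list
    token, code = match["token"], match["code"] or None
    if code is not None and token != "Error":
        return None  # only the Error state carries an error code
    return Marker(token, TOOL_STATE[token], int(match["jobid"]), code)


def triage(inventory: dict) -> list:
    """List (computer, marker) pairs needing follow-up, most urgent first."""
    hits = []
    for name, description in inventory.items():
        marker = parse_description(description)
        if marker and marker.token in FOLLOW_UP:
            hits.append((FOLLOW_UP.index(marker.token), name, marker))
    hits.sort(key=lambda hit: (hit[0], hit[1]))
    return [(name, marker) for _, name, marker in hits]


# Constructed sample: computer name -> Computer description column value.
SAMPLE = {
    "WS-001": "{SC:InCloud:101}",
    "WS-002": "Reception PC {SC:FailedInstallation:102}",
    "WS-003": "{SC:Error:103;17}",
    "WS-004": "{SC:NotProtected:104}",
    "WS-005": "{SC:Pending:105}",
    "WS-006": "Print server, no marker",
    "WS-007": "{SC:Timeout:106}",
}

if __name__ == "__main__":
    for name, marker in triage(SAMPLE):
        detail = f" code={marker.error_code}" if marker.error_code else ""
        print(f"{name}: {marker.tool_state} (job {marker.job_id}){detail}")
```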


10 Change which columns are displayed

You can add columns to the tool’s computer list view to display more information about the computers, such as computer description, its operating system, active features, and so on. The Name, Domain/workgroup, Status, and Group columns are always displayed by default. You cannot hide them.

To change which columns are displayed:

1. On the View menu, click Columns (or right-click anywhere in the table header) and then click on the name of the column you want to display or hide. The columns that are displayed in the view have check marks next to their names.

2. After you have added the columns to the view, you can:

■ Drag and drop the column headings to rearrange the order in which the columns are displayed.

■ Change the width of a column by dragging the boundary on the right side of the column heading until the column is the width that you want.

■ Sort the list of computers by any column by clicking on its heading.

Consider also generating a report to see more information (see View the computer Cloud readiness report (page 21)). In the report, all information about computers and their status is displayed, irrespective of the columns displayed in the tool’s computer list view when the report is generated.


11 View the computer Cloud readiness report

To generate a Cloud readiness report:

1. In the migration tool, select the computers for which you want to generate a report. For example, to generate a report listing all computers that are not ready for migration, click Not Ready at the top of the screen, right-click anywhere in the computer list, and then click Select all.

2. Click the Report button.

An HTML report is displayed, containing details of the selected computers, their Cloud readiness state, and required remediation actions, if any.

If you want to view the Cloud readiness report in Excel, see View the computer Cloud readiness report in Excel (page 21).

11.1 View the computer Cloud readiness report in Excel

Every time you click the Report button in the migration tool, besides an HTML report that is displayed to you, the migration tool also generates an XML copy of the report, report.xml, in the following location.

■ For Windows Vista or later/Windows Server 2008 or later:

C:\ProgramData\Sophos\Cloud Migration Tool\

■ For Windows XP or Windows Server 2003:

C:\Documents and Settings\All Users\Application Data\Sophos\Cloud Migration Tool\

The file report.xml is updated every time you click Report.

If you want to view the computer Cloud readiness report as an Excel spreadsheet, follow these steps:

1. Open Excel.

2. In Excel, on the File menu, click Open. Browse to C:\ProgramData\Sophos\Cloud Migration Tool\ or C:\Documents and Settings\All Users\Application Data\Sophos\Cloud Migration Tool\ and open the file report.xml.

Note: ProgramData or Application Data is a hidden folder. Therefore, you have to either type in the full path when browsing for the file or disable hidden folders in Windows Explorer.

3. When prompted, choose to open the file without applying the stylesheet. Click OK.

4. When prompted, choose to open the file as an XML table. Click OK.

5. In the message saying that no schema is present, click OK or Cancel.

This will produce an Excel table with the computers you selected before you clicked Report and their Cloud readiness status. You can sort and group the entries in the table.


12 Migration exclusions

If you don’t want to migrate a computer to Cloud, you can add it to the migration exclusion list. That way, it won’t be accidentally selected for migration and migrated to Cloud.

Note: Computers that are already managed by Cloud cannot be excluded from migration. Any Cloud-managed computers that have been selected will not be added to the exclusion list.

To exclude computers from migration:

1. Select the computer or computers in the computer list, right-click and click Add to Exclusion List.

2. In the Exclude computers from migration dialog box, type in the reason for the exclusion, if you wish, to serve as a reminder. Click OK.

Excluded computers’ status will change to “Not Ready” with a padlock icon.

If you later change your mind and decide to migrate the computers to Cloud, you can similarly remove them from the exclusion list. After you have re-included computers in the migration process, they may appear as either “Ready” or “Not Ready”, depending on their Cloud readiness evaluation results.


13 Migrate computers

Important: During the migration, the endpoint software is replaced. This means that your computers will remain unprotected for the period of time after the on-premise endpoint software has been uninstalled and before the Cloud agent software has been installed.

To migrate your computers to Cloud:

1. Open the Sophos Cloud Migration Tool and check which computers can be migrated, as described in Check which computers can be migrated (page 16).

2. If you haven’t entered your Sophos Cloud credentials when you opened the migration tool, click the Login button and enter the credentials.

3. Perform remediation actions required for computers that cannot be migrated to Cloud in their present state, but for which migration is possible. For example, disable features that are not supported in Cloud.

If you have tamper protection enabled, disable it. See Tamper protection.

4. Select the computers that are ready to be migrated. To view only the computers that are ready, click Ready at the top of the screen. Click Migrate, and then click Yes in the confirmation message.

The computers go into the Pending state and await their next scheduled update to begin the migration. When the migration starts, the computers change their state to Migrating. (For more information about migration states, see Sophos Cloud readiness and migration states (page 18).)

The migration process may take up to a couple of hours, depending on the computers’ updating interval and network connection.

You can see the computers that are being migrated in the Migrating view.

Note: Some computers may display a Windows Action Center alert in the notification area, saying that the computers are unprotected. The alert will disappear once the computers have been migrated successfully.

Once a computer has been migrated to Cloud, it’s moved to the In Cloud view of the tool. You can also see it in Sophos Cloud, on the Devices page or Servers page, depending on the operating system the computer is running.

In the on-premise console, a migrated computer is displayed as follows:

For more information about migration states displayed in the on-premise console, see Migration states displayed in the on-premise console (page 19).


If an error has occurred during migration and a computer hasn’t been migrated, it’s moved to the Error view of the tool, where you can find out about the error.

Note: If you close the tool during the migration, you must enter your Sophos Cloud credentials every time you reopen the tool. Otherwise, the migration data from Sophos Cloud will not be retrieved and you may not see the actual, latest migration status.

Sometimes computers that have been migrated may need to be restarted. The tool doesn’t display this information for migrated computers, so check in Sophos Cloud to see if any of the migrated computers need to be restarted.

Important: We recommend that you run a full system scan of the computers to ensure that they were not compromised during the period when they remain unprotected during the migration.


14 View migrated computers in Sophos Cloud

Once a computer has been migrated to Sophos Cloud, its details in the migration tool are not updated anymore. For the latest, up-to-date information about the computer, including any protection alerts, go to Sophos Cloud.

1. In Sophos Cloud:

■ To view the details for a migrated workstation, go to the Computers page.

■ To view the details for a migrated server, go to the Servers page.

2. In the list of computers or servers, click on the name of the computer to view its full details.

For more information, see the Sophos Cloud Help.


15 Rolling back to on-premise management

This version of the Sophos Cloud Migration Tool doesn’t support automatic rollback. That is, after you have migrated to Cloud, you cannot roll back to the on-premise endpoint software (Endpoint Security and Control 10.x for Windows) automatically, using the tool.

To roll back, use a script as described in knowledgebase article 122211.


16 Uninstall the Sophos Cloud Migration Tool

1. If User Account Control (UAC) is enabled on the server where the Sophos Cloud Migration Tool is installed, turn it off before uninstalling the tool and restart the server, if prompted.

2. In Control Panel, depending on your operating system, double-click Add/Remove Programs or click Programs and Features.

3. Uninstall Sophos Cloud Migration Tool.

After you have uninstalled the tool, you can turn UAC on again.


17 Migrate the on-premise management server

If you have migrated all endpoint computers and none are managed by the on-premise management console, you can migrate the on-premise management server to Sophos Cloud.

1. If User Account Control (UAC) is enabled on the server, turn it off. Restart the server, if prompted.

2. Uninstall the Sophos Cloud Migration Tool.

3. Uninstall the on-premise management software.

■ Uninstall Sophos Enterprise Console in this order:

Sophos Management Console
Sophos Management Database
Sophos Management Server
Sophos Update Manager

Note: Uninstalling the Sophos Management Database component will not remove the databases attached to the SQL Server instance. For a list of databases associated with each console, see knowledgebase article 17323. If you are planning to leave the SQL Server instance, the databases will remain attached.

See also knowledgebase article 116912.

■ Uninstall Sophos Control Center.

For information about uninstalling Sophos Control Center, see knowledgebase article 11019.

Note: After you have uninstalled the software, you can turn UAC on again.

4. Run the Sophos Cloud agent installer to migrate the server.


18 Where do I find the log?

You can find the Sophos Cloud Migration Tool log file in the following location.

■ For Windows Vista or later/Windows Server 2008 or later:

C:\ProgramData\Sophos\Cloud Migration Tool\Logs\CloudMigration.log

■ For Windows XP or Windows Server 2003:

C:\Documents and Settings\All Users\Application Data\Sophos\Cloud Migration Tool\Logs\CloudMigration.log

Note: ProgramData or Application Data is a hidden folder. Therefore, you have to either type in the full path when browsing for the file or disable hidden folders in Windows Explorer.

The logs created during installation or uninstallation of the tool can be found under C:\Windows\Temp. The logs are:

■ mtc-dbinstall.log

■ mtc-dbuninstall.log

■ mtc-install.log

■ mtc-setup.log


19 Troubleshooting

19.1 Migration error

If an error has occurred before a computer has been migrated to Sophos Cloud, you will see a yellow warning triangle and the word "Error" in the Status column next to the computer. See computer details for more information about the error.

For more information about the “timed out” error, see also Migration timed out (page 30).

19.2 Sophos Cloud installer error

In rare circumstances, the Sophos Cloud agent installer may report an error during the migration.

In this case, in the Sophos Cloud Migration Tool, you will see an “Error” in the Status column next to the computer.

In Sophos Enterprise Console, you will see the following status in the Computer description column: {SC:Error:<jobid>;<error code>}, where <jobid> is a unique integer associated with the migration request and <error code> is an error code returned by the Sophos Cloud agent installer.

You can look up the error by its error code and read about remediation steps in knowledgebase article 122157.

19.3 Migration timed out

If a migration action has timed out on a computer before the computer could be migrated to Sophos Cloud, you will see a yellow warning triangle and the words "Error (Timed out)" in the Status column next to the computer.

This error appears when:

■ The computer has been in the “Pending” state for more than a predefined timeout interval. The timeout occurs in two hours (by default) if the computer is connected to the network and communicating with the on-premise management console. If the computer is offline, the timeout will occur in 15 days.

■ The computer has been in the “Migrating” state and has not been found in the list of computers managed by Sophos Cloud for more than a predefined timeout interval (by default, one hour).

There may be several possible reasons for the timeout error. For example, there may be a connection problem between Sophos Cloud and the server on which the Sophos Cloud Migration Tool is running. Check in Sophos Cloud to see if the computer has been migrated and appears in Sophos Cloud.


Note: A computer appears in Sophos Cloud as soon as it has registered with Sophos Cloud, but it doesn’t appear in the Sophos Cloud Migration Tool until it has successfully updated at least once after that and is protected.

If the computer appears in Sophos Cloud, wait several minutes and check the computer entry in the Sophos Cloud Migration Tool again. If it still shows the error, try restarting the tool and logging in to your Sophos Cloud account again.

If the computer hasn’t appeared in Sophos Cloud, go to that computer and check the Sophos Endpoint Security and Control installation status. Try running the Sophos Cloud agent installer manually on the computer.

19.4 Missing component

The Sophos Cloud Migration Tool requires that Sophos Anti-Virus and Sophos AutoUpdate be installed and running on the migrated computer. If a working installation of either cannot be detected, you will see the error “The migration requires that Sophos AutoUpdate be installed” or “The migration requires that Sophos Anti-Virus be installed”.

To resolve the error, re-protect the endpoint computer.

1. In Sophos Enterprise Console, select the computers you want to re-protect, right-click, and then click Protect Computers.

2. Follow the steps in the Protect Computers Wizard.

Remember not to select any of the features that are not supported in Sophos Cloud, such as Encryption software, Firewall or Patch.

For more information about protecting computers, see the Sophos Enterprise Console Help, Protect computers automatically.

19.5 Post-migration installation error

If an installation error has occurred after a computer has been migrated to Sophos Cloud, and the computer hasn’t been protected successfully, you will see one of the following icons next to the computer, depending on how long the error has remained unresolved:

| Status | Description |
|---|---|
| In Cloud (error) | The computer has been migrated and is managed by Cloud, but an installation error has occurred that has most likely left the computer unprotected. This error will appear for computers that must be restarted to become protected. To resolve the error, restart the computers as soon as possible. |
| In Cloud (critical error) | The computer has been migrated and is managed by Cloud, but an installation error hasn’t been resolved, and the computer has remained unprotected for more than a predefined time interval (by default, 24 hours). To resolve the error, restart the computer as soon as possible. |


Important: In Sophos Cloud, this error event may not be escalated to a warning and displayed in the Action Center right away. To check the Cloud events for a computer, do one of the following:

■ For a workstation, go to Computers, click on the computer name and go to the Events tab.

■ For a server, go to Servers, click on the server name and go to the Events tab.

■ To view events for all computers, go to Logs & Reports > Events, and filter the events by the type Protection > Failed to protect computer or server.

If you see an event “Failed to install savxp: a reboot is required before the installation can succeed”, you must restart the computer to ensure it is protected successfully following the migration.

For more information about events and alerts in Sophos Cloud, see the Sophos Cloud Help, Event Types or Alerts.


20 Technical support

You can find technical support for Sophos products in any of these ways:

■ Visit the Sophos Community at community.sophos.com/ and search for other users who are experiencing the same problem.

■ Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.

■ Download the product documentation at www.sophos.com/en-us/support/documentation.aspx.

■ Open a ticket with our support team at https://secure2.sophos.com/support/contact-support/support-query.aspx.


21 Legal notices

Copyright © 2016 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
