cancel
Showing results for 
Search instead for 
Did you mean: 

Computer Protection Migration

F-Secure

Computer Protection Migration

 This article gives an overview of the migration process from Workstation 12 series client to Computer Protection client.

 

UPDATE:

- All Solution Providers have been migrated, so all the migrated profiles are available

- 31st of March, 2019: End of Life of Workstation Security client. The client will still receive security updates, but it will not anymore be under support. Using Computer Protection is the resolution for any issues. 

 

NEXT STEP: Channel upgrade is now scheduled for the remaining customers who have not yet fully migrated

 

Migration Goals & Benefits

 

The goals of the Computer Protection Migration process are:

  • Provide a controlled process for the Solution Provider to migrate his customers from their Workstation Security clients to the latest and greatest Computer Protection Clients.
  • Ensure that the upgrade is the smooth and non-intrusive way for the end-customers. 
  • Keep the security settings (profiles) intact during the upgrade process, so that you have the same level of security for the clients both before and after the upgrade process.

Migration Process

 

Stage 1 - Profile Migration (DONE)

 

This is stage during which your workstation profiles are migrated to the new Computer Protection ecosystem.

 

What happens in the background

 

  • The default profiles for each account is set based on the following logic at the end of successful migration:
    • If you have already defined some Computer Protection profiles as the default profile, we will keep that decision as it is and won't be over-writing this.
    • If you have defined some default profile for Workstation Security (and haven't defined any on Computer Protection side), the profile migration process will mark the migrated version of the default Workstation Security profile as the default in the Computer Protection world.
    • If you haven't defined any default profile on either side, the default profile of the parent account will be assumed.
  • The profile migration process doesn't impact in any manner the existing PSB Workstation Security computers or their profiles. It will just create the migrated profiles to Computer Protection - profiles tab. 

The outcome of a profile migration is either:

    1. Successful Profile Migration
    2. Successful Profile Migration - Needs Review

 

Successful Profile Migration

 

 

Once the migration is complete, its status will be indicated by a green banner on the homepage. This would be shown until channel upgrade commence.

Note that the administrator of the companies logging in the portal will also be informed by same a green banner indicated as below

 

migration-successful-flyers.png

 

If you end up in this state after profile migration, you then need to set the channel upgrade dates for either per company level or at set it automatically which will start 14 days after successful migration. However, you are strongly encouraged to

  • Check the profiles that have been migrated and familiarize yourself with the new editor and its functionalities.
  • Check the default profile for your account as well as the security characteristics of this default profile.
  • Try assigning Computer Protection profiles to computers running the Computer Protection Client.

See more information about this in the Channel Upgrade section.

 

Successful Profile Migration - Needs Review

 

 

Once the migration is complete, its status will be indicated by a blue banner on the homepage. This would be shown until channel upgrade commence.

Note that the channel upgrade can still be done without resolving the conflicts however the profiles may be inconsistent.

 

Similarly, the administrator of the companies logging in the portal will also be informed by same a blue banner indicated as below

migration-conflict-flyer.png

 

If you end up in this state after profile migration, you have work on your hands. You have to review the profiles with conflicts and resolve these conflicts before Channel Upgrade. This is a rather straightforward process. The next section provides sufficient details about what you need to do.

  

What is a profile of conflicts?

 

If you end up in this state after profile migration, you have to validate if the proposed profiles are suitable or to modify them according to your needs. Profiles can be in this state because of two reasons

 

  • You have firewall rules where both Allow and Deny rules are defined for same protocolport, and direction. Workstation profile firewall rules have priority order to decide which rule gets processed first. Since Computer Protection uses Windows Firewall behind the scenes, this causes apparent conflicts in firewall rules due to the order in which Windows Firewall rules are executed (Refer https://technet.microsoft.com/es-es/library/dd421709(v=ws.10).aspx).

 

Screen Shot 2018-02-08 at 11.38.38.png

  • You have configured for scheduled scanning tasks more than 1 scanning task and/or task with fields which can't be transformed into Computer Protection format. The new format supports only one scanning task, so we will just migrate the 1st scanning task which has the less number of field inconsistencies.

 

Screen Shot 2018-02-08 at 18.49.50.png

 

For more information about how to handle these conflicts, check Workstation Profile to Computer Protection Profiles (Handling Conflicts).

 

After you have resolved the conflicts in your profiles, you are strongly encouraged to

  • Check the profiles that have been migrated and familiarize yourself with the new editor and its functionalities.
  • Check the default profile for your account as well as the security characteristics of this default profile.
  • Try assigning Computer Protection profiles to computers running the Computer Protection Client.
  • Set the channel upgrade date (see next section).

 Note: With Computer Protection, the number of computers using a certain profile is explicitly indicated. Just after a migration that number will always be 0 as no computers are using the profile yet. 

 

Stage 2 - Channel Upgrade

 

This is the stage during which your computers that have Workstation Client are upgraded silently  to Computer Protection Client.

- There are no banner or pop up and no reboot is needed

- The computer automatically takes the new migrated profile in use, or if this one has been deleted he default profile

 

Overall Process

 

After the profile migration, the Solution Provider administrator is informed that Channel upgrade schedule has not been set and that they can select a starting date from account view.

 

There are 2 options to set the channel upgrade schedule.

  1. Manual Channel Upgrade: From the account view, the Solution Provider adminstrator can select the new channel upgrade page tab. The Solution Provider administrator must first (as a Solution Provider in the scope selector) set a date. After that, he should select a Company or SEP view from the scope selector in the top left corner. Then he can click set schedule to define the starting date for this SEP or company in the view below. The SEP or Company administrator can also modify the date  (only when the manual channel upgrade was selected by the Solution Provider and a date selected).channel_upgrade_tab.PNG

channel_configuration.PNG

 

When different  starting dates are configured for a SEP and/or a company, the company will start the channel upgrade at the date indicated for the company. The rest of SEP will start the channel upgrade at the date set for the SEP. The rest of the SoP will start the upgrade at the date defined for the SoP.

 

2. Automatic Channel upgrade: As the process is silent and does not require a reboot, the Solution Provider may not want to set a date for each company individually, but rather use the automatic channel upgrade. The channel upgrade is started 2 weeks after the migration was triggered. If the migration was triggered over 2 weeks ago, the channel upgrade will start immediately.

 

After the automatic channel upgrade is selected, the manual channel upgrade will be disabled. It will be indicated in the channel upgrade tab as below

channel_upgrade_tab_disabled.PNG

Known Issues

Security Impacts of the Channel Upgrade

 

  • If Windows firewall is disabled via Windows group policy due to using PSB Workstation's own firewall, the upgrade to Computer Protection cannot enable Windows firewall and devices are left without a firewall. The recommended action is: Prior to the channel upgrade, enable Windows firewall via Windows group policy and configure the rules to pass all traffic.
  • After the channel upgrade,
    • check the firewall status from device view by selecting category “Firewall” or filtering by the firewall value “disabled by GPO”
    • If your clients are experiencing problems with firewall blocking connections because of that, you can follow these next steps: 
      - A. If experiencing problems with outbound connections :  Add needed outbound rules for blocked protocol. You can also set “Allow unknown outbound connections” to “ON”
       - B. If experiencing problems with blocked inbound connections: Add needed inbound rules for blocked protocol. You can also set “Allow unknown inbound connections” to “ON” to test inbound connections but be aware that this will result in the computer being exposed to inbound traffic, so a better solution is to only open necessary ports and if possible only for necessary applications.

Bandwith Impacts of the Channel Upgrade

  • During the channel upgrade, the new Computer Protection client has to be downloaded. As it is a bit less than 150 MB, if many computers are upgrading and are behind a slow link, it may slow down the network. To resolve the problem, the F-Secure End Point Proxy and a normal http caching proxy should be deployed. By caching the Computer Protection client and related database, they will drastically reduce the bandwith usage.

Computer not upgrading

There are a few actions that you can take to facilitate the upgrade:

  • Install missing software updates: We noticed that computers with old version of their operating system displaying a lot of missing critical security update are sometimes not updating. This is typically resolved by installing the missing security update by for example selecting the computers in the device list and using the remote action "install software updates".
  • Free disc space: Your computer needs to have at least 600MB of free disc space to properly upgrade
  • Free seats: In rare cases the lack of free seats can block or slow the upgrade. If you have unused computers, it is recommended to use "Remove Computers" in the portal.
  • Reboot: In some cases, the new client will only be installed after re-boot (as it does not trigger the re-boot). 
  • Wait: We are regularly triggering the old client to retry the channel upgrade. The client will try to upgrade three times and wait for the next trigger. 

Unsupported Operating Systems

  • Old Operating Systems not supported by Computer Protection such as Windows XP or Vista will obviously not be migrated and still use WorkStation Security. Supported OS are listed in our Help Center.
  • After 31st of March, Workstation Security is End of Life and not supported anymore, so we cannot guarantee that it will still work on old Operating Systems. We cannot either guarantee that it will run properly on latest version of Windows as these will not be tested. Note that security updates will still be delivered to Workstation Security clients for a few months.

Migration of Firewall rules with 0.0.0.0/0 

These rules were not converted properly. More information in: 

https://community.f-secure.com/t5/Protection/Computer-Protection-Firewall/td-p/116463

1 ACCEPTED SOLUTION

Accepted Solutions
F-Secure

Re: Computer Protection Migration

Hello Tamas,

 

Thank you for your feedback.

18.5 does not support cloned computers - that's true. But 18.14 will support it. We have cloned computers support ready and under testing currently and we are going to release it in next client release.

If you would like, we could inform you when it's available and give you a chance to test it right away. Will that work for you?

 

33 REPLIES 33
Scholar

Re: Computer Protection Migration - Piloting

Hi,

 

When will this option be available?

F-Secure Product Manager

Re: Computer Protection Migration - Piloting

Hello Cédric,

We have developed the migration tool and we are now starting the piloting phase. I expect that the tool will be available for all our partners in May.

 

I am planning to invite more partners (including Iliad) to pilot next week.  

 

Regards,

Serge

Scholar

Re: Computer Protection Migration - Piloting

Ok thanks for you reply

we are available for pilot

Regards

Scholar

Re: Computer Protection Migration - Piloting

Hi, any updates when profile migration tool will be available?

Highlighted
F-Secure Product Manager

Re: Computer Protection Migration - Piloting

Hello,

We have now completed the initial piloting phase for the computer protection migration. 

We are gradually deploying the migration tool to production.

 

If you want to migrate before we have launched the migration in your region, let us know (e.g. through the PSB portal feedback).

 

Regards,

Serge

Scholar

Re: Computer Protection Migration

How can I use my existing Log Analytics workspace?

F-Secure

Re: Computer Protection Migration

Hi All,

 

We have now enabled the Workstation to Computer Protection migration for emea and emea2 today (12 Sept 2018). Partners can do the migration for them and companies managed by them as per their convenience.

 

Migration was also enabled for amer portal on 15 August 2018.

 

And, we will enable migration for apac in October.

 

PSB Byte Team

Superuser

Re: Computer Protection Migration

Dear Sirs,

 

I wish to complain that F-Secure's plan for mass migration to FSAV PSB CP18 and the forced phase-out of FSAV PSB WKS 12.01 is not workable and unrealistic as of now!

 

That's because FSAV PSB CP 18.5 is unable to properly support cloned computers, which are a major part of many business and educational (school) desktop fleets. The supposedly unique F-Secure computer identifiers are confused and endpoints start to kind of "rotate" in the PSB web portal display. Please see F-Secure support case no. xxxxxx for details.

 

The above described problem does NOT affect FSAV PSB WKS 12.01 software, which thus remains an essential tool to maintain anti-virus protection in cloned endpoint business and academic environments.

 

Therefore migration plans should be put on hold until the unique computer ID in PSB CP 18 can be made just as robust and truly unique as it was in PSB WKS 12.01.

 

Thanks for your kind attention, Sincerely: Tamas Feher, Hungary.

 

EDIT: Removed Case number details

F-Secure

Re: Computer Protection Migration

Hello Tamas,

 

Thank you for your feedback.

18.5 does not support cloned computers - that's true. But 18.14 will support it. We have cloned computers support ready and under testing currently and we are going to release it in next client release.

If you would like, we could inform you when it's available and give you a chance to test it right away. Will that work for you?