upgrading Symantec Client Security

The last time we responded to one of these alerts, we rushed
it and 
it ended up taking much more time, so I'd like to ask more
questions. 
I've been digging through Symantec's site, and I'm not
finding the answers.
We are currently using the 10.1.5 version of the SCS
Server.
Can we upgrade the Server to 10.1.6 and then push the update
out to 
the clients?
Do we have to uninstall version 10.1.5 first?
Do we have to save the pki or some other files so that the
clients 
can still recognize the server?





Roger Emond
Programmer / Analyst
School of Social Welfare
120 Haviland Hall, MC 7400
University of California
Berkeley, CA 94720-7400
phone (510) 643-6666
fax (510) 643-6126


------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Messages you send to this mailing list are public and
world-viewable,
and the list's archives can be browsed and searched on the
Internet.
This means these messages can be viewed by (among others)
your bosses,
prospective employers, and people who have known you in the
past.

Roger,
  I can not speak to upgrading the entire SCS package. We
just use the 
Symantec AV portion and not the client firewall. I have
found that the 
SCS server does not upgrade the clients from 10.1.5 to
10.1.6 . I push 
out the Symantec AntiVirus msi file via a machine group
policy. Version 
10.1.6 can be installed over 10.1.5 with no problems. It
does take about 
7-10 minutes on reboot, but thats it. Let me know if you
have any more 
questions.

Gabriel Gonzalez
-- 
Information Architect
UC Berkeley School of Law
367 Boalt Hall
ggonzalezlaw.berkeley.edu

Roger Emond wrote:
> The last time we responded to one of these alerts, we
rushed it and it 
> ended up taking much more time, so I'd like to ask more
questions. I've 
> been digging through Symantec's site, and I'm not
finding the answers.
> We are currently using the 10.1.5 version of the SCS
Server.
> Can we upgrade the Server to 10.1.6 and then push the
update out to the 
> clients?
> Do we have to uninstall version 10.1.5 first?
> Do we have to save the pki or some other files so that
the clients can 
> still recognize the server?
> 
> 
> 
> 
> 
> Roger Emond
> Programmer / Analyst
> School of Social Welfare
> 120 Haviland Hall, MC 7400
> University of California
> Berkeley, CA 94720-7400
> phone (510) 643-6666
> fax (510) 643-6126
> 
> 
>
------------------------------------------------------------
------------
> The following was automatically added to this message
by the list server:
> 
> To learn more about Micronet, including how to
subscribe to
> or unsubscribe from its mailing list and how to find
out
> about upcoming meetings, please visit the Micronet Web
site:
> 
> http://micronet.berkele
y.edu/
> 
> Messages you send to this mailing list are public and
world-viewable,
> and the list's archives can be browsed and searched on
the Internet.
> This means these messages can be viewed by (among
others) your bosses,
> prospective employers, and people who have known you in
the past.



------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Messages you send to this mailing list are public and
world-viewable,
and the list's archives can be browsed and searched on the
Internet.
This means these messages can be viewed by (among others)
your bosses,
prospective employers, and people who have known you in the
past.

Roger,

I believe that Gabriel is correct in saying that updating
SCS Server does not update the client install files used to
push installs on to client machines. I noticed this on the
last required upgrade and found out that in order to achieve
a central push of the new client files using the new SCS
Server version, the files located in your server's VPHOME
shared directory have to be updated manuall. 

I can't find the article where I got this, but if memory
servers me correctly, all you have to do is grab the client
install files from the new SCS admin pack ( CD4SCS 3.1.6
MR6RolloutAVServerCLIENTSWIN32 ), and replace the ones
in \SERVERVPHOMECLT-INSTWIN32 ( C:Program
FilesSymantecSymantec System CenterDeploymentServer
RolloutCLIENTSWIN32 ), then go back to your SCS Console
and push out the updates.

Hope this helps. Also, wait a little bit in case someone
here finds an error in my explination, but its as best as I
can remember and its what I'm planning on doing soon.

__________________________________________
Edgar Ortega
Computer Resource Specialist
Office of Student Life Administration - U. C. Berkeley
2515 Channing Way #12
510-643-0305
sastechberkeley.edu

-----Original Message-----
From: owner-micronet-listlists.berkeley.edu
[mailto:owner-micronet-listlists.berkeley.edu] On
Behalf Of Gabriel Gonzalez
Sent: Friday, July 13, 2007 2:48 PM
To: Roger Emond
Cc: micronet-listlists.berkeley.edu
Subject: Re: [Micronet] upgrading Symantec Client Security

Roger,
  I can not speak to upgrading the entire SCS package. We
just use the Symantec AV portion and not the client
firewall. I have found that the SCS server does not upgrade
the clients from 10.1.5 to 10.1.6 . I push out the Symantec
AntiVirus msi file via a machine group policy. Version
10.1.6 can be installed over 10.1.5 with no problems. It
does take about 7-10 minutes on reboot, but thats it. Let me
know if you have any more questions.

Gabriel Gonzalez
--
Information Architect
UC Berkeley School of Law
367 Boalt Hall
ggonzalezlaw.berkeley.edu

Roger Emond wrote:
> The last time we responded to one of these alerts, we
rushed it and it 
> ended up taking much more time, so I'd like to ask more
questions. 
> I've been digging through Symantec's site, and I'm not
finding the answers.
> We are currently using the 10.1.5 version of the SCS
Server.
> Can we upgrade the Server to 10.1.6 and then push the
update out to 
> the clients?
> Do we have to uninstall version 10.1.5 first?
> Do we have to save the pki or some other files so that
the clients can 
> still recognize the server?
>
>
>
>
>
> Roger Emond
> Programmer / Analyst
> School of Social Welfare
> 120 Haviland Hall, MC 7400
> University of California
> Berkeley, CA 94720-7400
> phone (510) 643-6666
> fax (510) 643-6126
>
>
>
------------------------------------------------------------
----------
> -- The following was automatically added to this
message by the list 
> server:
>
> To learn more about Micronet, including how to
subscribe to or 
> unsubscribe from its mailing list and how to find out
about upcoming 
> meetings, please visit the Micronet Web site:
>
> http://micronet.berkele
y.edu/
>
> Messages you send to this mailing list are public and
world-viewable, 
> and the list's archives can be browsed and searched on
the Internet.
> This means these messages can be viewed by (among
others) your bosses, 
> prospective employers, and people who have known you in
the past.



------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Messages you send to this mailing list are public and
world-viewable, and the list's archives can be browsed and
searched on the Internet.
This means these messages can be viewed by (among others)
your bosses, prospective employers, and people who have
known you in the past.



------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Messages you send to this mailing list are public and
world-viewable,
and the list's archives can be browsed and searched on the
Internet.
This means these messages can be viewed by (among others)
your bosses,
prospective employers, and people who have known you in the
past.

I was able to do a successful upgrade from 10.1.5 to 10.1.6
on our
Symantec server without uninstalling or breaking the pki
with the
clients. Also I upgraded several clients to 10.1.6 before
upgrading the
server and they were able to communicate with the 10.1.5
server just
fine. Still I strongly recommend backing up those pki certs
as described
in the Symantec administrator guide -- if you don't and you
lose them
you will need to manually update the cert on each client in
order to reestablish communication.

Now to push out the latest version to clients you need to
update the
installation files in the cli-inst directory in the VPHOME
network
share. These files should be updated automatically when you
update your
server, but you can also update these installation files and
push them
out to clients without updating the server, or make an
different share
with the updated installation files and push them out from
there.
Personally I haven't tried this as I don't use the Client
rollout
feature but it's an option if you want to get the clients
updated before
the server.

I would recommend testing all this on a secondary manager
(perhaps
running in a VM?) with a handful of test clients just to
make sure
everything goes smoothly. If you run into any specific
issues just let
me know and I will open a case with Symantec.

Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley
.edu


Roger Emond wrote:
> The last time we responded to one of these alerts, we
rushed it and it
> ended up taking much more time, so I'd like to ask more
questions. I've
> been digging through Symantec's site, and I'm not
finding the answers.
> We are currently using the 10.1.5 version of the SCS
Server.
> Can we upgrade the Server to 10.1.6 and then push the
update out to the
> clients?
> Do we have to uninstall version 10.1.5 first?
> Do we have to save the pki or some other files so that
the clients can
> still recognize the server?
> 
> 
> 
> 
> 
> Roger Emond
> Programmer / Analyst
> School of Social Welfare
> 120 Haviland Hall, MC 7400
> University of California
> Berkeley, CA 94720-7400
> phone (510) 643-6666
> fax (510) 643-6126
> 
> 
>
------------------------------------------------------------
------------
> The following was automatically added to this message
by the list server:
> 
> To learn more about Micronet, including how to
subscribe to
> or unsubscribe from its mailing list and how to find
out
> about upcoming meetings, please visit the Micronet Web
site:
> 
> http://micronet.berkele
y.edu/
> 
> Messages you send to this mailing list are public and
world-viewable,
> and the list's archives can be browsed and searched on
the Internet.
> This means these messages can be viewed by (among
others) your bosses,
> prospective employers, and people who have known you in
the past.



------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Messages you send to this mailing list are public and
world-viewable,
and the list's archives can be browsed and searched on the
Internet.
This means these messages can be viewed by (among others)
your bosses,
prospective employers, and people who have known you in the
past.

I would like to add that I was able to remotely update 700
of 750 clients
using the built in Client rollout feature.  We use the SAV
only install and
we do not run the SCS firewall.  In most cases the machines
did not even
require a reboot.  The server updated without incident and
all the clients
both old and new are still talking to the server reporting
their status.
This is the first time that I have ever experienced a near
seamless upgrade
of the Symantec/Norton Anti-Virus product line.

Kevin D. Burney, PMP
IT Director
COIS Mailcode-1516
2105 Bancroft Way – 2nd floor
Berkeley, CA  94720-1516
(510) 827-8476
kburneyberkeley.edu

-----Original Message-----
From: owner-micronet-listlists.berkeley.edu
[mailto:owner-micronet-listlists.berkeley.edu] On
Behalf Of Allison Henry
Sent: Monday, July 16, 2007 11:04 AM
To: Roger Emond
Cc: micronet-listlists.berkeley.edu
Subject: Re: [Micronet] upgrading Symantec Client Security


I was able to do a successful upgrade from 10.1.5 to 10.1.6
on our
Symantec server without uninstalling or breaking the pki
with the
clients. Also I upgraded several clients to 10.1.6 before
upgrading the
server and they were able to communicate with the 10.1.5
server just
fine. Still I strongly recommend backing up those pki certs
as described
in the Symantec administrator guide -- if you don't and you
lose them
you will need to manually update the cert on each client in
order to reestablish communication.

Now to push out the latest version to clients you need to
update the
installation files in the cli-inst directory in the VPHOME
network
share. These files should be updated automatically when you
update your
server, but you can also update these installation files and
push them
out to clients without updating the server, or make an
different share
with the updated installation files and push them out from
there.
Personally I haven't tried this as I don't use the Client
rollout
feature but it's an option if you want to get the clients
updated before
the server.

I would recommend testing all this on a secondary manager
(perhaps
running in a VM?) with a handful of test clients just to
make sure
everything goes smoothly. If you run into any specific
issues just let
me know and I will open a case with Symantec.

Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley
.edu


Roger Emond wrote:
> The last time we responded to one of these alerts, we
rushed it and it
> ended up taking much more time, so I'd like to ask more
questions. I've
> been digging through Symantec's site, and I'm not
finding the answers.
> We are currently using the 10.1.5 version of the SCS
Server.
> Can we upgrade the Server to 10.1.6 and then push the
update out to the
> clients?
> Do we have to uninstall version 10.1.5 first?
> Do we have to save the pki or some other files so that
the clients can
> still recognize the server?
> 
> 
> 
> 
> 
> Roger Emond
> Programmer / Analyst
> School of Social Welfare
> 120 Haviland Hall, MC 7400
> University of California
> Berkeley, CA 94720-7400
> phone (510) 643-6666
> fax (510) 643-6126
> 
> 
>
------------------------------------------------------------
------------
> The following was automatically added to this message
by the list server:
> 
> To learn more about Micronet, including how to
subscribe to
> or unsubscribe from its mailing list and how to find
out
> about upcoming meetings, please visit the Micronet Web
site:
> 
> http://micronet.berkele
y.edu/
> 
> Messages you send to this mailing list are public and
world-viewable,
> and the list's archives can be browsed and searched on
the Internet.
> This means these messages can be viewed by (among
others) your bosses,
> prospective employers, and people who have known you in
the past.



------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Messages you send to this mailing list are public and
world-viewable,
and the list's archives can be browsed and searched on the
Internet.
This means these messages can be viewed by (among others)
your bosses,
prospective employers, and people who have known you in the
past.



------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Messages you send to this mailing list are public and
world-viewable,
and the list's archives can be browsed and searched on the
Internet.
This means these messages can be viewed by (among others)
your bosses,
prospective employers, and people who have known you in the
past.