How to Migrate On-Premise Trend Micro OfficeScan to Apex One as a Service

Step 0: Migration Planning

Check your OfficeScan server configuration and see if the following functions/features were used:

  • Virtual Desktop Support (VDI) for non-persistent VDI environment
    1. Open the ..\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini file.
    2. Check if EnableCheckClientMacAddress exists under [INI_SERVER_SECTION] and is equal to 1.
    3. If EnableCheckClientMacAddress does not exist or is equal to 0, manually change it to “1”.
  • VPN client (e.g. Cisco Anyconnect) is used
    1. Open the ..\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini file.
    2. Check if SP_DisableTmLwfRegistryKeyProtection exists under [INI_SERVER_SECTION] and is equal to 1.
    3. If SP_DisableTmLwfRegistryKeyProtection does not exist or is equal to 0, manually change it to “1”.
    This requires OfficeScan XG Hot Fix Build 1721 or OfficeScan XG Service Pack 1.

Once the above keys have been checked:

  1. Open the OfficeScan web console and go to Agents > Global Agent Settings screen.
  2. Click Save to deploy the setting to agents.
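
A read-only way to run the ofcscan.ini check described above, as an added example that is not part of the original article and is not a Trend Micro tool. It parses INI text, looks only at [INI_SERVER_SECTION], and reports whether each of the two keys is missing, set to 1, or set to another value. The sample file content is constructed, and the function names are hypothetical.

```powershell
# Read-only audit of the two Step 0 keys; it never writes to ofcscan.ini.
# $SampleIni is constructed sample content, not taken from a real server.
$SampleIni = @'
[INI_SERVER_SECTION]
EnableCheckClientMacAddress=0
; SP_DisableTmLwfRegistryKeyProtection is absent from this sample
[INI_CLIENT_SECTION]
EnableCheckClientMacAddress=1
'@

# Hypothetical helper: collect key=value pairs from one INI section only.
function Get-IniSectionValues {
    param([string[]]$Lines, [string]$Section)
    $values = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1].Trim(); continue }
        if ($current -eq $Section -and $line -match '^([^=]+)=(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $values
}

# Hypothetical helper: report the state of each key named in Step 0.
function Test-MigrationKeys {
    param([string[]]$Lines)
    $found = Get-IniSectionValues -Lines $Lines -Section 'INI_SERVER_SECTION'
    foreach ($key in 'EnableCheckClientMacAddress', 'SP_DisableTmLwfRegistryKeyProtection') {
        $state = 'Set to 1'
        if (-not $found.ContainsKey($key)) { $state = 'Missing' }
        elseif ($found[$key] -ne '1') { $state = "Set to $($found[$key])" }
        # NeedsEdit only matters if the matching feature (VDI or VPN client) is in use.
        [pscustomobject]@{ Key = $key; State = $state; NeedsEdit = ($state -ne 'Set to 1') }
    }
}

# Audit the sample. On the server, pass (Get-Content <path>\ofcscan.ini) instead.
Test-MigrationKeys -Lines ($SampleIni -split "`r?`n") | Format-Table -AutoSize
```

The sample deliberately sets EnableCheckClientMacAddress=1 in a different section to show that only the value under [INI_SERVER_SECTION] counts.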

Phased deployment consideration

By the current design, once agents are reporting to Apex One as a Service, a new program package will be automatically downloaded that initiates an agent upgrade. If you migrate all agents at once without sufficient bandwidth, it could cause a corporate network outage.

Apex One as a Service agent package size may vary with pattern/binary file updates, so it is advised to download an MSI agent installer package directly from Apex One as a Service to get the precise package size.

You may also download the agent package (MSI) from Apex One as a Service and leverage other 3rd-party applications like Microsoft Endpoint Configuration Manager (SCCM) to deploy it. This could help save bandwidth consumption when downloading the agent package.

Estimated network usage after agent migration

Once agents have been migrated to Apex One as a Service, they begin communicating with the Apex One as a Service server for the following activities:

  • Component update
  • Policy deployment
  • Query for File/Web reputation services, Predictive Machine Learning, and other tasks

According to in-house testing results, every agent generates around 22 MB of traffic per day, but this may differ for each agent.

You can configure an Update Agent to reduce the component update and policy deployment traffic. For detailed instructions, refer to the following article: Configuring OfficeScan/Apex One clients/agents to act as Update Agents.

It is advised to deploy the Apex One as a Service agent within a small scope and monitor network usage before migrating all agents.

Notice Regarding HTTPS Connection on OfficeScan XG SP1 and Apex One

OfficeScan XG SP1 and Apex One have moved communication between agents and server to the HTTPS protocol using TLS. By moving to HTTPS, the communication port on the server will also change from the HTTP port (default: 8080) to the HTTPS port (same as the web console default: 4343).

Some environments may encounter HTTPS communication issues due to various factors (e.g. inconsistent SSL/TLS environments, firewalls blocking the HTTPS port, etc.). This can result in agents showing offline, failing to upgrade, and not uploading logs or quarantined files.

For more details, please refer to the following article: Potential issues with HTTPS communication in OfficeScan XG Service Pack 1 and Apex One.

Agent Proxy Settings

When migrating an OfficeScan XG agent to Apex One as a Service, it is necessary to review the Agent Proxy Settings. This can be located in the web console > Administration > Settings > Proxy.

If the Agent Proxy Setting is disabled in OfficeScan XG, the migration would fail.

Since the Agent Proxy Setting is a global setting, please evaluate whether this setting will impact other agents. You may set up another OfficeScan server with proper Agent Proxy Settings to manage the migration transition, or use the remove-and-install method for the Apex One as a Service agent upgrade.

Step 1: Export settings from On-Premise OfficeScan Server

If Control Manager policies are currently being used to manage multiple OfficeScan servers, you can also export policies from the Control Manager console and import directly to Apex One as a Service.

  1. Get a copy of the Apex One Settings Export Tool from Apex One as a Service.
    1. Log in to your Apex One as a Service console.
    2. Go to Directories > Product Servers, and then click the link to open the Apex One as a Service console.
    3. Go to Administration > Settings > Server Migration in the console.
    4. Click the Download Apex One Settings Export Tool link to obtain the tool.
  2. Export Settings from On-Premise OfficeScan server.
    1. Make sure that the OfficeScan XG server is running on Service Pack 1 (SP1) Build 4345 or higher.
    2. Extract the Apex One Settings Export Tool package downloaded to the On-premise server (e.g. C:\temp\PolicyExportTool).
    3. Open a command line prompt and point to the PolicyExportTool directory.
    4. Run the tool as Admin on the OfficeScan server computer. The tool generates three (3) files:
      • Server_Settings_Migration.zip. This contains the Global Settings. Importing more than one of these will overwrite the previous settings. It is recommended to only import this from a single server.
      • ApexOne_Agent_Policies.zip. This contains the policies generated from the settings configured on the OfficeScan Server. This can be imported from multiple On-Premise OfficeScan servers, and each will create the new corresponding policies.
      • ApexOne_Agent_DLP_Policies.zip. This contains the policies generated from the DLP settings configured on the OfficeScan Server. This can be imported from multiple On-Premise OfficeScan servers, and each will create the new corresponding policies.

Step 2: Import settings to Apex One as a Service

On Apex One as a Service:

  1. Log in to Apex Central.
  2. Import agent settings policy:
    1. Go to Policies > Policy Management.
    2. To import agent policies, choose Apex One Agent as the product and click the Import button, then choose the ApexOne_Agent_Policies.zip (or whatever you’ve renamed it to) and click Open. New corresponding policies will be generated and displayed. These will default to targets of None, so they will not apply to any agents until an administrator has reviewed the policy and configured the desired targets. The policy names will follow the format of CLN_ServerName_DomainName (where ServerName and DomainName are replaced by their values from the source OfficeScan Server).
    3. Repeat this process for policies from any additional On-Premise servers you wish to import.
  3. Import Agent DLP Policy (if desired):
    1. Go to Policies > Policy Management.
    2. To import agent policies, choose OfficeScan Data Loss Prevention as the product and click the Import button, then choose the ApexOne_Agent_DLP_Policies.zip (or whatever you’ve renamed it to) and click Open. New corresponding policies will be generated and displayed. These will default to targets of None, so they will not apply to any agents until an administrator has reviewed the policy and configured the desired targets. The policy names will follow the format of DLP_ServerName_DomainName (where ServerName and DomainName are replaced by their values from the source OfficeScan Server).
    3. Repeat this process for policies from any additional On-Premise servers you wish to import.
  4. Import OfficeScan server settings: This process only allows for importing the settings of a single OfficeScan Server. Importing multiple will overwrite the previous settings.
    1. Go to Directories > Product Servers.
    2. Click the link to open the Apex One as a Service console.
    3. Go to Administration > Settings > Server Migration in the console.
    4. Click the Import Settings button to import Server_Settings_Migration.zip.

Step 3: Move agents from On-Premise OfficeScan server to Apex One as a Service

Before moving On-Premise OfficeScan agents to Apex One as a Service, make sure the agents are communicating with the server over HTTPS. If communication was previously configured to use HTTP (e.g. by adopting ASE=0 or similar, as described in this KB article), revert it to HTTPS. Otherwise, the migration may fail.

To move agents from On-Premise OfficeScan server to Apex One as a Service:

  1. Log in to Apex Central.
  2. Go to Directories > Product Servers.
  3. Verify that the Server Type is Apex One as a Service. You will see the server name listed there.
  4. Go to Agents > Agent Management on the On-Premise OfficeScan Server.
  5. Select agents from the list.
  6. Click Manage Agent Tree > Move Agent.
  7. Select Move selected agent(s) to another OfficeScan server.
  8. Enter the Server URL that was copied from Apex One as a Service. Use SSL Port 443 and HTTP port 80.
  9. Click the Move button.
  • To ensure that the agents can be successfully moved to Apex One as a Service, make sure that the agents can connect to the Internet.
  • Agent proxy can also be configured to “Use Windows Proxy settings” in Administration > Settings > Proxy then apply the new proxy settings to agents, if the endpoint computers can access the Internet.
  • Make sure firewalls are configured to allow for communication with the Apex One as a Service servers: Whitelisting Apex One as a Service DNS Name and IPs.

For more information, refer to the migration guide for Apex One as a Service.

Ref: https://success.trendmicro.com/dcx/s/solution/1118375-migrating-on-premise-officescan-xg-sp1-or-higher-to-apex-one-as-a-service?language=en_US