
Page 1: Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. …docs.trendmicro.com/all/ent/dlp/v5.6/en-us/dlpe_5.6_mg.pdf · 2012-08-31 · fix package LP_56_en_hotfix1_b1071_20120714.zip

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2012 Trend Micro Incorporated. All rights reserved.

Document Part No.: LPEM55495/120717

Release Date: July 2012

Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. 7,747,642.

The user documentation for Trend Micro Data Loss Prevention introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software.

Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Please evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp


Table of Contents

Audience

Migration Overview
    Migration Toolkit Components
    Migrated Data
    Migration Prerequisites
    Migration Toolkit Usage Parameters

Migration Procedures
    Installing the RPM Package on the DLP 5.5 Server
        Checking File Locations
    Migrating the DLP Server
    Upgrading Agents
    Upgrading Remote Crawlers

Post Migration Issues
    Fingerprint Acquisition Performance


Audience

This document is intended for IT administrators involved in migrating from DLP 5.5 to DLP 5.6. IT administrators must have an overall understanding of the Data Loss Prevention system, as well as general familiarity with Linux and Windows™ operating systems.

Migration Overview

The DLP Endpoint 5.6 migration tool enables administrators to move server, agent, and remote crawler configuration settings. For the English version, the server’s version should be 5.5 with Patch 2 (DSC-5.5-1355) or later, while the agent should be DLP Endpoint 5.5 agent.

This migration tool extracts and migrates DLP 5.5 server data, such as data identifiers, templates, policies, logs, forensic data, reports, schedules, and system configurations. The tool also upgrades the server and deploys an upgrade hot fix to agents.

Note

There is no need to prepare two servers for migration. The procedure involves both data migration and server upgrade on the original DLP 5.5 server. More than 10GB free disk space is required.

After migration, the DLP server can manage DLP 5.5 agents and deploy the upgrade hot fix. Consequently, you must upgrade both agents and remote crawlers.

Migration Toolkit Components

The migration toolkit contains the following components:


TABLE 1. Migration Toolkit Components

COMPONENT        DESCRIPTION
Migration tool   Migrates the server from version 5.5 (GM build with Patch 2 (DSC-5.5-1355) or later) to version 5.6 (GM build DSC-5.6-1071):
                 DLP-MigrationTool-55To56-1.0-1.noarch.rpm
Upgrade hot fix  Upgrades the agents from version 5.5 to 5.6:
                 LP_56_en_hotfix1_b1071_20120714.zip

Migrated Data

The following table lists the types of data that are migrated and not migrated to the new version.


DATA MIGRATED DATA NOT MIGRATED

• Data identifiers (expressions, file attributes, fingerprints, keyword lists)
• Templates
• Policies
• Data discovery
• Device control
• Reports
• Logs (policy deployment, security violations, and system events)
• Fingerprint data
• Schedules (fingerprint, data discovery, and report schedules)
• Update configuration (user-defined update server, proxy settings, and update schedule)
• Server configuration (fingerprint settings and application settings)
• Agent configuration (dialog configuration, logging configuration, and global exceptions)
• Remote crawler agent information
• Agent information
• User accounts
• Roles
• LDAP configuration
• Product license code
• Patches/hot fixes
• Add-ons
• Trend Micro ActiveUpdate server
• Server status logs
• UDP Listener information
• Exported file from system data


Note

Old violation logs are migrated, and they can be queried on the “Log Query” page by selecting “Data range = all date; Log type = DLP incidents”. The summary page of the web console also displays the statistics on the dashboard.

Migration Prerequisites

The following items should be ready before migration.

TABLE 2. Server Data Migration Prerequisites

ITEM                          RECOMMENDATION
DLP 5.5 appliance             Ensure that the DLP 5.5 server and agents are running correctly before migration. If there are any problems with the current state, refer to the Administrator’s Guide or contact the Trend Micro DLP Support team.
Migration toolkit             The package “DLP-MigrationTool-55To56-1.0-1.noarch.rpm” contains the migration tool and the server upgrade build. Ensure that the DLP 5.5 server has enough space (more than 10G) to store the backup files during migration.
                              WARNING! This migration toolkit only supports DLP 5.5 servers with Patch 2 (DSC-5.5-1355) and other more recent versions.
Policies                      All enabled policies will be deployed automatically after migration. Modify or delete policies before or after migration.
DLP client 5.6 upgrade patch  LP_56_en_hotfix1_b1071_20120714.zip
                              Deploy this upgrade hot fix to DLP 5.5 agents after server migration.


Migration Toolkit Usage Parameters

The migration toolkit includes the script file (dlpMTool56). Run dlpMTool56 from the DLP server command line interface (CLI).

Usage

dlpMTool56 [-m | -h | -?]

PARAMETER  DESCRIPTION
-h | -?    Displays Help information.
           Note: You can also display Help information by executing dlpMTool56 without any parameters.
-m         Migrate server from DLP v5.5 to DLP v5.6.

Log

If the migration fails, check the following log file: /var/tmp/migration.log

Migration Procedures

Below are the high-level procedures for migrating the DLP server, agents, and remote crawler:

Task

1. Installing the rpm package on the DLP v5.5 server

2. Migrating the DLP 5.5 server

3. Upgrading the DLP 5.5 agents

4. Upgrading the remote crawlers


Important

This sequence must be followed.

Installing the RPM Package on the DLP 5.5 Server

Task

1. Log on to the DLP 5.5 server using the dgate account.

2. Save the DLP-MigrationTool-55To56-1.0-1.noarch.rpm file in the following folder on the DLP server: /home/dgate/.

3. From the RPM package directory, run the following command: sudo rpm -ivh DLP-MigrationTool-55To56-1.0-1.noarch.rpm

Note

To uninstall the migration tool, run the following command: sudo rpm -e DLP-MigrationTool-55To56

Checking File Locations

After installing the rpm package, check the following files:

TABLE 3. Migration Tool Locations

LOCATIONS              FILES
/usr/local/bin/        dlpMTool56
/etc/tmdlp/dlpmtool56  DSC-5.6-1071.tar.gz
                       clish_profile
                       AutoActionsAfterMigration.class
                       dlpMigrate.py
                       applicationContext.xml
                       Compliance Template.xml

Migrating the DLP Server

Task

1. Before migration, disable the DLP server service port for agents. This will prevent agents from interrupting the server during the migration process.

a. Log on to the DLP 5.5 server using the dgate account.

b. Open the following iptables configuration file:

[dgate@localhost ~]$ sudo vi /etc/sysconfig/iptables

c. Add the comment character “#” at the beginning of the following entries:

-A INPUT -p tcp -m tcp --dport 8804 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 8904 -j ACCEPT

d. Save the file.

e. Restart the iptables service:

[dgate@localhost ~]$ sudo service iptables restart

2. On the DLP 5.5 CLI, run the following command:

dlpMTool56 -m


Note

The script may run for several minutes. The confirmation message “migration successful finish...” is displayed on the CLI when the migration process is successfully completed.

The automatic migration process involves the following steps:

a. Stop server services.

b. Back up database settings and files in the /var/tmp/ folder.

c. Pre-update the database and replace files for migration.

d. Start services and update DB.

Note

If migration fails during these steps, contact the Trend Micro DLP Support team.

3. On the DLP Endpoint 5.6 server web console, manually upload the upgrade hot fix package LP_56_en_hotfix1_b1071_20120714.zip in both staging and production environments.

4. Enable the DLP server service port for agents.

a. Log on to DLP Endpoint 5.5 server using the dgate account.

b. Open the iptables configuration file:

[dgate@localhost ~]$ sudo vi /etc/sysconfig/iptables

c. Remove the comment character “#” from the beginning of the following lines and save the iptables configuration file.

#-A INPUT -p tcp -m tcp --dport 8804 -j ACCEPT

#-A INPUT -p tcp -m tcp --dport 8904 -j ACCEPT

d. Restart the iptables service.

[dgate@localhost ~]$ sudo service iptables restart


5. On the DLP Endpoint server web console, review the settings to ensure that the data was migrated successfully.

TABLE 4. DLP Settings

DATA                              LOCATION
Data Identifiers                  Data Protection > Data Identifiers > Expressions
                                  Data Protection > Data Identifiers > File Attributes
                                  Data Protection > Data Identifiers > Fingerprints
                                  Data Protection > Data Identifiers > Keyword Lists
Templates                         Data Protection > Templates
Policies                          Data Protection > Policies
Data Discovery                    Data Protection > Data Discovery
Device Control                    Data Protection > Device Control
Reports                           Reports > Archived Reports > Generate Reports
Logs                              Logs > Query
Update configuration (update      Update > Configuration
source, proxy settings, and
update schedule)
Fingerprint settings              Administration > Server Configuration > Fingerprint Settings
Application settings              Administration > Server Configuration > Application Settings
Agent settings                    Administration > Agent Configuration > Agent Settings
Dialog configuration              Administration > Agent Configuration > Advanced Settings > Dialog Configuration
Logging configuration             Administration > Agent Configuration > Advanced Settings > Logging Configuration
Global exceptions                 Administration > Agent Configuration > Global Exceptions
Exported data setting             Administration > Data Management > Data Management Control
Remote crawler agent information  Administration > Crawler Management
Agent information                 Administration > Agent Management
User accounts                     Administration > Management Console > User Accounts
Roles                             Administration > Management Console > Role Management
LDAP configuration                Administration > LDAP
License Information               Product license
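
The port toggle in steps 1 and 4 of the server migration can be scripted so that exactly the two agent rules are commented out and later restored, with a backup of the original file. This is an added example, not part of the Trend Micro guide or migration toolkit; the function names and the ".pre-migration" backup suffix are assumptions, and the rules file used by dlp_demo is constructed.

```shell
#!/bin/sh
# Added example: comment out / restore the DLP agent service port rules
# (8804, 8904) in an iptables rules file. Function names and the
# ".pre-migration" backup suffix are assumptions, not part of the toolkit.
DLP_AGENT_PORTS="8804 8904"

# dlp_agent_ports disable|enable [RULES_FILE]
dlp_agent_ports() {
    action=$1
    rules=${2:-/etc/sysconfig/iptables}
    case $action in
        disable|enable) ;;
        *) echo "usage: dlp_agent_ports disable|enable [file]" >&2; return 2 ;;
    esac
    [ -f "$rules" ] || { echo "no such file: $rules" >&2; return 2; }
    # Keep one copy of the pre-migration rules; never overwrite it.
    [ -f "$rules.pre-migration" ] || cp -p "$rules" "$rules.pre-migration" || return 2
    for port in $DLP_AGENT_PORTS; do
        rule="-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
        if [ "$action" = disable ]; then
            # Only an active rule matches, so running this twice is harmless.
            script="s|^[[:space:]]*${rule}[[:space:]]*\$|#${rule}|"
        else
            script="s|^[[:space:]]*#[[:space:]]*${rule}[[:space:]]*\$|${rule}|"
        fi
        # Write through cat so the file keeps its owner and mode.
        sed "$script" "$rules" > "$rules.tmp" && cat "$rules.tmp" > "$rules" \
            && rm -f "$rules.tmp" || return 1
    done
}

# Print how many agent-port ACCEPT rules are still active (uncommented).
dlp_agent_ports_open() {
    grep -c -E -e '^[[:space:]]*-A INPUT .*--dport (8804|8904) .*-j ACCEPT' \
        "${1:-/etc/sysconfig/iptables}" || true
}

# Demo on a constructed rules file (not taken from a real server).
# Prints the active-rule count before, during and after the migration window.
dlp_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '*filter' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8804 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8904 -j ACCEPT' 'COMMIT' > "$f"
    before=$(dlp_agent_ports_open "$f")
    dlp_agent_ports disable "$f" || return 1
    during=$(dlp_agent_ports_open "$f")
    dlp_agent_ports enable "$f" || return 1
    after=$(dlp_agent_ports_open "$f")
    rm -f "$f" "$f.pre-migration"
    echo "$before $during $after"
}
```

On the server the edit needs root privileges, and the guide's "sudo service iptables restart" step still has to follow each change before the rules take effect.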

Upgrading Agents

Trend Micro recommends two solutions for upgrading DLP agents. Select the solution that best fits your business environment.

Task

1. Solution 1

a. Uninstall DLP 5.5 agents via uninstall.bat or dtool as described in the DLP Installation Guide.

b. Perform a fresh installation of the DLP Endpoint 5.6 agent via install.bat or dtool.

2. Solution 2


a. Upload the upgrade hot fix to the DLP 5.6 web console.

b. Deploy the hot fix to all DLP Endpoint 5.5 agents.

Note

After hot fix deployment and reboot, agents will register on the DLP 5.6 server with the new version and automatically retrieve configuration settings.

c. On the Agent Management page of the web console, check that the agents are running the new DLP Endpoint 5.6 version.

Note

When offline agents connect to the DLP 5.6 server (containing the activeupdate hot fix), the agents will automatically install the upgrade hot fix.

Upgrading Remote Crawlers

After server migration is completed, “Update Available” will display in the Remote Crawler screen of the web console.

Task

1. Back up the repository settings from the DLP 5.5 remote crawler srcrepo.xml configuration file. The srcrepo.xml configuration file can be found in different locations on different platforms:

PLATFORM              FILE PATH
Windows XP and 2003   ALLUSERSPROFILE\Application Data\Trend Micro\DLP RCA\srcrepo.xml
                      For example, C:\Documents and Settings\All Users\Application Data\Trend Micro\DLP RCA\srcrepo.xml
Windows Vista/2008/7  ALLUSERSPROFILE\Trend Micro\DLP RCA\srcrepo.xml
                      For example, C:\Program Data\Trend Micro\DLP RCA\srcrepo.xml

2. Uninstall the DLP 5.5 remote crawler agent on the control panel.

3. On the DLP 5.6 web console, download the latest remote crawler from Administration > Crawler Management > Download Remote Crawler.

4. Add related repository settings using the backup configuration file.

5. Check remote crawler status and details.

Post Migration Issues

The following issues may arise after migration to DLP Endpoint 5.6.

Fingerprint Acquisition Performance

After migration, fingerprint acquisition may be slow when acquiring initial fingerprints of many documents from an existing repository with the remote crawler. The solution is to re-initialize the acquisition cache after the remote crawler update.

The acquisition cache is the fast-acquisition mechanism that scans specific areas of a source repository. For example, if DLP scans and acquires fingerprints of documents A and B in the repository, and the user subsequently adds document C, the acquisition cache will only scan document C. However, the remote crawler update clears the cache and will scan documents A, B, and C to re-initialize the cache.
