Getting started with VIPRE Endpoint Migrator

Written By Marissa Fegan (Super Administrator)

Updated at May 30th, 2024

Table of Contents

Important Frequently Asked Questions Migrator Process Details

To assist in your migration from Endpoint Security Server to VIPRE Cloud, we have developed VIPRE Endpoint Migrator.

This migration tool migrates your existing policies, exclusions, and agents. When running the tool, you can first migrate policies and exclusions, review the migration results, and then move your agents. Or, you can simply choose to move your agents first, and the migrator will automatically rehome the related policy and exclusions used by those agents at the same time.

Continue reading this article to learn more about the migrator's actions and flow. Then, for guidance on actually executing the migration, continue through the migration articles.

Important

VIPRE Endpoint Migrator is currently optimized for Windows-based agents. Agents for Mac OS are not supported by the tool.

Frequently Asked Questions

Do I need to prepare my agents for migration?

No. VIPRE Endpoint Migrator is intelligent enough to convert your existing content (policies, exclusions, and agents) without any changes being made in advance.

Therefore, you do not need to take any preparatory action on your existing VIPRE Server deployment before running the migrator.

Does Endpoint Migrator support Site Manager or EDR?

Yes. Endpoint Migrator supports migration from Endpoint Server (on-prem) sites to:

Individual Endpoint Cloud sites
VIPRE Site Manager (site groups)*
Endpoint Detection & Response

*When migrating to Site Manager, each site is processed individually.

What does the Migrator move?

You can choose to migrate only policies and exclusions or to migrate agents (which also migrates the appropriate policies and exclusions if they have not been handled separately).

Regardless of which path you select within the Migrator, the simplified order of operations is

Policy conversion
Exclusion conversion
Agent conversion

The agent migration path process is a little more in-depth, as it also does a policy migration if needed.

Path

What's Migrated

Steps

Policies

Exclusions

Select the policies to migrate; policies and exclusions are converted from VSS to VIPRE Cloud.

Agents

Policies

Exclusions

Agents

Select agents to migrate. If an entire policy is selected, this includes all their agents.

If an agent's policy already exists in VIPRE Cloud, the agent is migrated from VSS to the existing VIPRE Cloud policy. The migrated agent is then removed from VSS.
If an agent's policy does not yet exist in VIPRE Cloud, the policy and exclusions are migrated from VSS to Endpoint Cloud, the agent is moved from VSS to Endpoint Cloud, and then removed from VSS.
Unprotected Computer Discovery is turned off for VSS

How long does the actual endpoint migration take?

This depends on a few factors but is largely environmental. We recommend you perform a test migration on a few agents and monitor the process.

Factors to consider:

Network throughput could affect how quickly VSS is able to transfer data to each agent and how quickly the agent can communicate with both VSS and Endpoint Cloud
Agent machine performance could affect how quickly the agent is able to process the installation

That being said, it is reasonable to assume that agents on the same network, with similar CPU/RAM resources, and that belong to the same policy will be roughly processed in a similar timeframe.

So, if a single agent takes one minute to migrate, and there are 100 total agents with similar resources on the same network, the total time might be around 100 minutes.

Migrator Process Details

This section takes an in-depth look at what actions Endpoint Migrator performs "behind the scenes."

Action	Description
Establish a connection	The Migrator begins by connecting to VSS and VIPRE Cloud (EDR, Endpoint Cloud, or Site Manager)
Convert policies and exclusions	Once connected, policy and agent information is retrieved from both VSS and VIPRE Cloud. The migrator compares policies between VSS and VIPRE Cloud to determine if there is a policy overlap. The Migrator checks if a selected policy exists in VIPRE Cloud. If so, it skips policy and exclusion conversion – and moves on to the agent conversion process. If the policy does not exist in VIPRE Cloud, the Migrator: Converts VSS policies to VIPRE Cloud format Retrieves exclusion groups from VIPRE Cloud Applies those exclusion groups to the selected policies Creates additional exclusion groups in VIPRE Cloud as needed Copies updated VSS policies to VIPRE Cloud Assigns exclusion groups to policies If a failure occurs during any step, the corresponding policy is marked as failed in the Migrator and skipped in the steps that follow. The Finish screen provides a list of failed policies if any exist.
Policy Mapping	For each policy, settings are mapped one-to-one between the VSS version and the VIPRE Cloud version. Due to differences between environments, some policy settings may not exist on either side. The bullets below describe the actions taken in these situations. VSS policy only: If a setting exists only in the VSS policy, it is ignored for migration to VIPRE Cloud. VIPRE Cloud policy only: If a setting exists only in VIPRE Cloud, it is defaulted to disabled/allowed. This can occur when migrating from older VSS versions which can lack some policy settings related to features introduced in newer releases. Both VSS and VIPRE Cloud: If a setting exists in both VSS and VIPRE Cloud, but is not exposed in the VIPRE Cloud UI, or is overwritten by VIPRE Cloud when being distributed to agents, that setting is given a default value that matches the normal VIPRE Cloud default.
Exclusion Conversion	Exclusions are converted by considering all exclusions associated with selected policies. The conversion is a multiple-pass operation intended to keep groups simple while minimizing the number of groups created in VIPRE Cloud. The process is outlined below. Check for matching exclusions: Every exclusion in every selected policy is compared with the current VIPRE Cloud site scope exclusions. Matches are noted. Every existing VIPRE Cloud policy scope exclusion group is compared with each policy. If there is a complete match of the group, it is applied to the corresponding exclusions in that policy. Create temporary groups: A new exclusion group is created in memory for each policy that contains at least one exclusion without an existing VIPRE Cloud group associated with it. The new group is named the same as the policy, with an additional suffix as necessary to ensure it is unique in VIPRE Cloud. If a congruent group was already created (with the same collection of exclusions), it is used in favor of creating a copy. The new groups created in memory are compared with the selected policies and applied to those that match. Check for redundancy: Starting with the largest first, each new group is checked to see if it is redundant. If all the exclusions the group covers are already covered by other groups, the group is unassigned and discarded. Discarded groups are not added to VIPRE Cloud. This ensures we don't add more groups than necessary. A final pass is made, this time smallest to largest, to remove any redundant assignments. This ensures each policy has as few groups as possible assigned to it. Add and link new groups: Once the new groups have been created and assigned in memory, they are added to VIPRE Cloud. Policies are then copied to VIPRE Cloud if all the exclusion groups assigned to that policy were successfully added to VIPRE Cloud. Finally, the links between exclusion groups and policies are persisted in VIPRE Cloud. Note: Exclusions are set up differently in VIPRE Cloud from VSS. If you are not yet familiar with how VIPRE Cloud differs, read these articles to learn about exclusions: ESC - Exclusions \| EDR - Exclusions
Agent Conversion	The agent selection screen displays VSS policies and the agents that belong to those policies. Because of this, it only shows policies that have agents currently assigned to them. Policies with no active agents will not be listed; these 'empty' policies must be migrated using the policies migration function of the Migrator if you plan to use these policies in VIPRE Cloud. When agents are moved from VSS to VIPRE Cloud, they will no longer show as protected in the VSS console. Therefore, by choosing to migrate agents from your VSS, you are, in effect indicating that you have no intention of deploying any new agents from that VSS. On an agent-by-agent basis, the Migrator checks if the agent's policy exists in VIPRE Cloud. If it does not, it migrates the policy first. Once the policy and exclusions are in place, the Migrator proceeds to the agent migration. Connect to agent - The Migrator connects to the VSS agent. It attempts to connect using both the credentials provided by the user and any pre-configured deployment credentials previously stored in the VSS Cloud agent MSI transferred to agent - The Migrator pushes the VIPRE Cloud agent MSI to the agent Installation / Upgrade - Instead of performing a VSS agent update, the installer tells the agent to upgrade to VIPRE Cloud, making it a Cloud agent Configuration - The Migrator updates the new Cloud agent configuration so it can connect to the VIPRE Cloud console Removal of VSS agent - The agent is removed from the catalog in VSS, and Unprotected Computer Discovery is turned off for the site. This avoids a situation where VSS could attempt to deploy VIPRE Server agents to Endpoint Cloud agents if it doesn't recognize them as protected Once all agents are processed, the Migrator displays a summary screen with the successfully copied agents. If any agents did not succeed, they will also be listed here with details as to why.

VIPRE Security Knowledge