ESM System upgrade best practices
- While running, both the ESM Console and the ESM Core services commit changes to the shared database.
- During an upgrade of the ESM core, the installer checks the database version and commits changes to it according to the versions’ need. If an ESM core is installed and connected to an existing database of the same version, no changes are made.
- The system supports multiple ESM servers connected to the same database. This feature brings with it a limitation when upgrading the environment as database scheme changes can’t be supported by both the previous and updated ESMs.
Note: The upgrade process requires downtime of each ESM server until it is upgraded.
- Upgrade product components in this order:
- ESM core
- ESM console
- Additional cores/consoles
- Before starting the upgrade process, make sure you have:
- The new version installers including the agent upgrade package
- Admin guide and specific version release notes from the TechDocs
- If using windows authentication for ESM connection to the database – the domain user credentials of the application user.
- ESM server local admin user.
- Privileged database user able to create a full backup of the database.
- Disabled “service protection” on all server-side agents installed on ESM Servers and ESM Console servers.
- The agent uninstall password for agent upgrade done using the agent upgrade action.
If using virtual ESM servers, it is recommended to create machine snapshots prior to starting the upgrade procedure. Once the upgrade process completes successfully, these snapshots can be deleted. Make sure there is no 3rd part “watchdog” in charge of keeping services running and might attempt to restart the Endpoint Security Manager service when stopped. Once the upgrade process has started, “Older” version ESMs shouldn’t be connected to the new database until upgraded. We recommend prioritizing ESM downtime according to the environment and agents connected to them.
Critical ESMs should be stopped last and upgraded first.
- Advanced Endpoint Protection (Traps)
- ESM Console
- ESM Core