About upgrading from ATP 2.3 or earlier to ATP 3.x with Endpoint Data Recorder
Last Updated September 20, 2018
Important: The requirements in this Upgrade Guide are only pertinent if you upgrade from ATP 2.3 or earlier to ATP 3.x. If you upgrade from 3.0 to 3.0.5 or later, no special upgrade requirements are necessary.
If you upgrade from ATP 2.3 or earlier, you can upgrade the software of ATP 8840 appliance to ATP 3.x. However, the hardware of 8840 does not support ATP's new endpoint data recorder and Endpoint Detection and Response (EDR) 2.0 features. The hardware of ATP 8880v1 and 8880v2 appliances can be upgraded to support the endpoint data recorder feature. The ATP 8880-30 requires no hardware upgrade or software upgrade to make use of the endpoint data recorder and EDR 2.0 features.
In the case of appliances, the upgrade involves increased storage (hard drive) capacity and increased memory (RAM). Virtual installations require that additional storage, RAM, and CPU cores are provisioned in the ATP VM. This document provides information and workflow instructions to upgrade existing appliance hardware and VMs to meet ATP 3.x with Endpoint Data Recorder platform requirements.
Port and protocol changes
When you upgrade from ATP 2.3 or earlier, you must change the network port. You might also need to change the protocol, depending on whether you want to use EDR 1.0 or EDR 2.0. To take advantage of EDR 2.0 functionality, such as the endpoint data recorder, this change in protocol and port is required. See the following table for port and protocol requirements.
When EDR 2.0 is enabled, HTTP 80 is no longer available, and thus, HTTP 8080 must be used for HTTP configurations. In the case that HTTPS 8443 was previously configured, the option to use this port and protocol is still available upon upgrade.
Table: Port and protocol changes
HTTPS 8443 or HTTP 8080
Important: Enrolled endpoints are disconnected when you re-configure these ports. However, the endpoint enrollment status does not appear changed in ATP Manager. If you reconfigure the Symantec Endpoint Protection Manager ports, you must re-enroll your Symantec Endpoint Protection endpoints with ATP. You can do so by deleting your SEPM Controller configuration and then re-adding it.
Certificate requirements for upgrade
Immediately upon upgrading to ATP 3.x, EDR 2.0 is disabled (Private Insight Server settings are not affected). If you're running SEP 14.0 RU1 or later, when you enable EDR 2.0, ATP automatically pushes Private Insight Server settings to the SEPM. ATP also automatically pushes the appropriate built-in SSL certificate to the SEP endpoints running SEP 14.0 RU1 or later. (The third-party certificates that have already been installed and pushed to the endpoints are also installed.) The certificate ensures secure communications with ATP on HTTPS. If your SEPM is not on 14.0 RU1 or later, you must manually modify the Private Insight Server settings in the SEPM console. If you have endpoints that run versions before SEP 14.0 RU1, you must install the ATP certificate on those clients to ensure secure communication with ATP.
See the following sections of this guide for instructions to upgrade your type of installation: