Upgrading the DPS Management Server
Before upgrading the Management Server always backup the following folders and files:
- SQL database
- System backup: Management Console > Tools > Administration > Maintenance
- Server snapshot if it is a VM
- DBInfo.xml: %Program Files% > Safend > Safend Protector > Management Server >Bin
Note: before backing up or upgrading the management server, read the System Requirements document for the version you are upgrading to.
Management Server Version Upgrade
The server is upgraded in an incremental process. For example, to upgrade to DPS 3.3 SP1-SP71 do the following:
- Upgrade to DPS 3.3 SP7.2
- Upgrade to DPS 3.4.6 SP1
- Upgrade to DPS 3.4.6
- Upgrade to DPS 3.4.9
- Upgrade to DPS 3.4.9 SP2
Upgrading 3.4.4 Agents
To upgrade 3.4.4 agents, run the following Safend hotfix which is available as part of the DPS installation tools: SafendSupport_HotFix_3.4SP4_KB00000482.exe
Upgrading 3.4.5 Agents and Higher
To upgrade 3.4.5 agents and higher, use the last agent generated by the management console.
For more information see the Safend Installation Guide in the DPS installation kit.
DATA PROTECTION AGENT REQUIRES THE KB3033929 TO BE INSTALLED ON YOUR WINDOWS 7 PLATFORM. PLEASE INSTALL IT AND TRY AGAIN
This error message is displayed if the KB3033929 or KB3125574 security updates for SHA-2 code signing support are not previously installed when installing the DPS agent 3.4.9 SP1/SP2 on a Windows 7 / Windows Server 2008 R2.
- To check if the KB3033929 or KB3125574 security update is installed open: Control Panel > Uninstall or Change a Program > View Installed Update.
- When the security update is installed, run the following command: Msiexec /i [path to MSI file] DISABLE_KB3033929_VALIDATION =1
- When the security update is not installed, download KB3033929 and save locally.
- Extract and run the Windows 6.1-KB3033929-x64.msu file and follow the installation instructions.
- Restart the machine and install the DPS Agent.
Requests for help can be made either directly from the Contact Support form on the Support page or by emailing the Support Desk.
When describing an issue give as much information as possible. The following information will be of significant help to the Safend Support Team:
- Information about the system’s environment, for example: server and machine OS, server and agent build and whether the server has been upgraded recently.
- Safend server logs. For instructions on exporting server logs see below.
- Safend agent logs, if the issue is related to a specific client machine. For instructions on exporting agent logs see below.
- Screenshots of the reported issue taken from the server and the agent.
- Any other relevant information.
Exporting Safend Server and Agent Logs
Program Files > Safend > Safend Data Protection > Management Server > bin
- Run SDTInit.
- Replicate the issue (if possible).
- Run SDTCollect.
A ZIP file is generated and saved in ProgramData > Safend > SDT > Results > [date created]–Agent > ServerResults-[date created]-[time created].ZIP
The following recommended AV exclusions are required for the Safend Agent to function:
- File Formats: .SES and .SLG
- Folders: \Program Files\Safend and \Program Files\Wave
- Files in \SystemRoot\System32: Sinadin.dll (for 3.3 clients) and Sesami.dll
- Files in C:\Program Files\Safend\Data Protection Agent: AgentPolicyFormatter.dll, SProtectorWMI.dll, SProtectorWMI.dll and SimonPro.exe
- Files in \SystemRoot\system32\drivers: diego.sys , santa.sys, scarlet.sys, sidney.sys, salvador.sys, sofy.sys, sahara.sys, shandy.sys, shlos.sys , sphinx.sys, spfdbus.sys, spfdbusi.sys and Spfdi.sys
- Processes: Hderecoveryutility.exe, Sami.exe, Secret.exe, Simba.exe, Simonpro.exe, Splinter.exe, sdpagent.exe (for 3.4 clients) and SDPExtractor.exe (for 3.4 clients)
To remove the Safend Data Protection Agent before emergency cleanup, uninstall it via Add/Remove Programs or manually. If Safend Encryptor is installed on a device, the Recovery process must be implemented after manually removing the Safend Data Protection Agent.
SAFEND 3.3 AND LOWER
Before manually uninstalling the agent: If the computer does not boot up, run the SPEC on the PE option from a matching version and then do the following:
- Run the SPEC command from the command line or directly from Windows\System32.
- Send the token to firstname.lastname@example.org to receive the cleanup key.
- In the Operating System page select Clean Current Operating System.
- Enter the cleanup key and click Cleanup Now.
- Complete the process and reboot the computer.
SAFEND 3.4 AND HIGHER
Do not run the SPEC command from the command line. Do the following to run the Support Assisted Uninstall (SAU) option:
- Use either of the following commands to receive the client uninstall token:
msiexec/i [Safend Agent MSI path and file] SAU=1 (for example: msiexec /i C:\safendinstall\DataProtectionAgent.en-US.msi SAU=1)
Msiexec /i “[SAFEND CLIENT GUID]” SAU=1 /l*v c:\1.txt
- Send the token you receive to email@example.com. Safend will send a cleanup key.
- Run either of the following commands to remove the client installation:
msiexec /x [Safend Agent MSI path and file] SAU=1 SAU_KEY=[Cleanup_Key] /l*v c:\uninstallSafend.txt
msiexec /x “[SAFEND CLIENT GUID]” SAU=1 SAU_KEY=[Cleanup_Key] /l*v c:\uninstallSafend.txt
- If the process fails, send the MSI log (c:\uninstallSafend.txt) to firstname.lastname@example.org for analysis.
A new SHA2 certificate is required for Windows Server 2008 (IIS 7 and above) after the Safend server name is modified and when an organization needs their own trusted certificate.
- Download the Makecert.zip and copy the makecert.exe to Windows / System32.
- Run the following command:
MakeCert -r -pe -n “CN=FQDN” -b mm/dd/yyyy -e 07/07/2036 -eku 184.108.40.206.220.127.116.11.1 -ss my -sr localMachine -sky Exchange -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 -a SHA256 -len 2048
- Replace the MM/DD/YYYY with today’s date in the same format.
- Right click My computer and select Manage > Roles > Web Server (IIS) > Internet Information Service (IIS) Manager.
- In IIS Snap-In in the Safend Data Protection Suite Web Site field right click and select:
Edit Bindings > Site Bindings > https port 4443 > Edit > SSL Certificate field > New Certificate Name > View > Cancel and Close.
- Return to IIS Snap-In in the ServerName field and remove the Safend Data Protection Suite Web Site’s old certificate.
- Return to In the IIS Snap-In in Sites > Safend Data Protection Suite WS, right click and select Edit Bindings > Site Bindings > https port 443 > Edit > new server name certificate > OK.
- Return to IIS Snap-In > Web Sites > Safend Protector Web Site WS, and repeat the above.
- Do the following:
- Safend Protector Server Version 3.2 – restart the Safend Broadcast Service.
- Safend Protector Server Version 3.3 or above – restart the Safend Local Service and wait for the Domain Service to start. Run the command: iisreset > Login to the Console and then republish your policies.
Note: Both websites now share the same certificate unlike during initialization where two certificates are used.