Migrate from WGCS to SWG Cloud (ePO-Cloud-managed SCP Agent and Policy)
Verification
Update Data Residency and Log Privacy
Review ePO Cloud Data Residence Settings
- Log in to ePO Cloud.
- Click Policy > Web Policy, select Settings, and select Data Residency Settings.
- Note the Data Residency configuration.
- Select Log Privacy Settings.
- Note the fields that are concealed.
Update Skyhigh Data Residency and Log Privacy Settings
- Log in to Skyhigh Security Cloud.
- Go to Settings > Infrastructure > Web Gateway Setup.
- Edit Log Data Residency and configure it in the same way as it was configured in ePO Cloud.
- For Log Privacy Settings, select the same fields to be concealed as in ePO Cloud.
Update SCP and Web Policies Configuration
Transfer SCP Credentials from ePO Cloud to Skyhigh and Trellix ePO
Export SCP Credentials from ePO Cloud
Use these credentials in Skyhigh Security Cloud, so the SCP Clients can use the same credentials to connect to the Cloud Service.
- Log in to ePO On-Prem or ePO Cloud.
- Click Policy Catalog, select the Product as Skyhigh Client Proxy and Category as SCP Policy.
- Select and open any active policy. Under client proxy settings, select Client Configuration.
- Click Export Customer Credentials > OK.
Edit the Credentials XML
Import SCP Credentials into Skyhigh
Import SCP Credentials into Trellix ePO
- Log on to ePO.
- Under Configuration, select SCP Administration.
- In SCP Administration, choose the exported unmodified ePOExportPassword.xml (exported form ePO), and upload that to Trellix ePO.
Transfer SCP Policy from ePO Cloud to Trellix ePO
Export SCP Policy
- Log in to ePO On-Prem or ePO Cloud.
- Click Policy Catalog, select the Product as “Skyhigh Client Proxy” and Category as “SCP Policy”.
- Next to your policy name, click the Export link.
- Right-click the file, and use Save link as ..., then click OK. The policy file is downloaded in a binary format (.XML extension).
Modify and Import SCP Policy to Trellix ePO
- Log in to Trellix ePO. Under Policy select Policy Catalog.
- Select any SCP Policy and Export.
- Open the exported Trellix ePO Policy XML file and the ePO Cloud Policy XML file in a text editor.
- From the Trellix ePO file, fetch the value of featureid & serverid parameters.
For example: featureid=”SCPSRVER1000”, where the SCPSRVER1000 is the value of the parameter featured. - Replace the parameter values in the ePO Cloud file with the values from Trellix ePO file and save the file.
- In Trellix ePO, go to Policy Catalog > Skyhigh Client Proxy.
- Select Import and select the Modified xml file.
- Click OK as prompted (twice) and make sure the imported policy is configured and displayed as expected.
Import List Content for ePO Cloud (Only for SWG Cloud)
Replicate lists from ePO Cloud to Skyhigh Security Cloud. Unfortunately, full policy migration is not possible.
- Log in to ePO Cloud.
- From Menu, under Policy, go to Web Policy.
NOTE: It is only possible to export the list content from Web Policy. Direct policy conversion from ePO Cloud to Skyhigh Security Cloud is not possible.
As an example, we will export the URL Blacklist Content from ePO Cloud, and import it into Skyhigh Security Cloud. - Under Web Policy > Global Settings click the Global URL Blacklist rule.
This opens a window giving you access to all the lists in the catalog. - From Catalog select Global URL Blacklist list. Click the ellipses at the bottom right corner and export the list.
- Open the exported list file in Excel. There are two columns listed, URL and Subdomain (True/False).
- Remove the Subdomain column, and save the file.
- Log in to Skyhigh Security Cloud.
- Go to Policy > Web Policy > Policy.
- Find the corresponding rule. For example: For “Global URL Backlist” (exported from ePO Cloud) import:
- Go to the “Global Block” branch and click “Global Block Lists” Rule Set. Then choose the “Domains Blocklist”.
This opens the lists tab on the right side of the UI. - From Actions select Import – Append with .CSV.
- Browse to select the exported and modified “Global URL Blacklist” CSV file.
- Open and click Save
- Go to the “Global Block” branch and click “Global Block Lists” Rule Set. Then choose the “Domains Blocklist”.
- The list content from ePO Cloud is imported to Skyhigh Security Cloud under the corresponding RuleSet.
NOTE: This was just one example of a list import. All the other lists and policy configurations should be replicated manually the same way in Skyhigh Security Cloud.
SCP Policy - Configure New Proxy Name
IMPORTANT: Do not make SCP Policy changes unless you have replicated the required Web Policy Rules from ePO Cloud to Skyhigh Security Cloud.
To change the Proxy Server name for Trellix ePO SCP Policy:
- Log in to Trellix ePO.
- Select Policy Catalog > Skyhigh Client Proxy.
- Select the active policy and click Edit.
- Under Client Proxy Settings > Proxy Servers, rename the Proxy Address:
- from c(Customer ID).saasprotection.com
- to c(Customer ID).hybrid.skyhigh.cloud OR c(Customer ID).wgcs.skyhigh.cloud
hybrid.skyhigh.cloud is used if you are managing web policy exclusively with an on-prem SWG. wgcs.skyhigh.cloud is used if you are managing the web policy using the cloud UI or using hybrid routing.
- Save the change
NOTE: All Trellix ePO managed endpoints will receive the policy update on the next policy push.