Skip to main content
Skyhigh Security

Migrate from WPS to WPS2 (ePO Managed MCP Agent and Policy)


Check Accounts

Make sure that your Skyhigh Security accounts are working as expected and check that your ePO Cloud accounts were successfully migrated to Skyhigh Security Cloud. 

  1. Log in to Skyhigh Security Cloud (
    Use your email ID and password (the same account credentials as the administrator for ePO Cloud).
  2. Confirm if the login was successful or if you receive an error message for a failed login attempt.

If any needed account is not working, contact Skyhigh Support.

Check the Customer ID

Verify that the Customer ID remains the same:

  1. Log in to ePO Cloud.
  2. Go to MenuWeb ProtectionGetting Started.
  3. Make a note of the Customer ID.
  4. Log in to Skyhigh Security Cloud.
  5. Go to Settings > Infrastructure > Client Proxy Management.
  6. Click Global ConfigurationTenant Authentication.
  7. Compare if the displayed Customer ID matches the one in ePO Cloud. If not, contact Skyhigh Support.

Verify Data

Verify that data from ePO Cloud is available in Skyhigh Security Cloud:

  1. Log in to Skyhigh Security Cloud.
  2. Go to Dashboards > Web Dashboard
    The predefined Dashboard Cards usually show data from the past seven days. For details, see About the Web Dashboard. If the data is missing or the displayed data is incorrect, open a Service Request.
    NOTE: You'll need to recreate custom reports using the reporting and analytics features within Skyhigh Security Cloud.
  3. Check all the web traffic logs at Analytics > Web > Web Traffic. 
    If the data is missing or the displayed data is incorrect, contact Skyhigh Support.

Update Data Residency and Log Privacy

Review ePO Cloud Settings

  1. Log in to ePO Cloud.
  2. Click Policy > Web Policy, select Settings, and select Data Residency Settings.
  3. Note the Data Residency configuration.
  4. Select Log Privacy Settings.
  5. Note the fields that are concealed.

Update Skyhigh Security Cloud Settings

  1. Log in to Skyhigh Security Cloud.
  2. Go to Infrastructure > Web Gateway Setup.
  3. Edit Log Data Residency and configure it in the same way as it was configured in Trellix ePO Cloud.
  4.  For Log Privacy Settings, select the same fields to be concealed as in Trellix ePO Cloud.

Update MCP Configuration

Transfer MCP Credentials from ePO Cloud to Skyhigh

Export MCP credentials from Trellix ePO Cloud to Skyhigh Security Cloud, so the MCP Clients can use the same credentials to connect to the cloud service. 

  1. Log in to ePO Cloud.
  2. Go to Policy Catalog > Select the Product as "McAfee Client Proxy" and Category as "MCP Policy".
  3. Select and open any active policy. Under client proxy settings, select Client Configuration.
  4. Click Export Customer Credentials > OK.

Edit the Credentials XML

  1. Download the file ePOExportPassword.xml and open it in a text editor.
  2. Scroll towards the end (Extreme Right) before closing the </MCP Credentials> tag
  3. Place (paste) the following information just before the </MCPCredentials> tag:


Place the line between the </CustomerID> and </MCPCredentials> tags. This is an additional option that is required that ePO Cloud did not support.

  1. Save the ePOExportPassword.xml file

Import MCP Credentials into Skyhigh

  1. Log in to Skyhigh Security Cloud.
  2. Click the Settings > Infrastructure > Client Proxy Management.
  3. Go to Global Configuration > Tenant Authentication.
  4. Click the Actions > Import Credentials, then browse to the modified ePO ExportPassword.xml file. Click Import and Save the configuration.
  5. Publish the configuration by clicking the yellow badge at the top right corner, Publish.

MCP Policy - Configure New Proxy Name

Change the name of the proxy server in the ePO On-Prem MCP policy.

  1. Log in to Trellix ePO On-Prem.
  2. Select Policy Catalog > McAfee Client Proxy.
  3. Select the active policy > Edit the Policy
  4. Under Client Proxy Settings > Proxy Servers, Rename the Proxy Address:
    • from c(Customer ID)
    • to c(Customer ID)
      IMPORTANT: c(Customer ID) will direct traffic directly to a hybrid proxy which will process the hybrid policy uploaded from the on-prem appliance. This DNS name is only used with MCP policy and may not be used by customers who are using a SKU other than WPS2. All other SKUs must point to SSE proxies first to utilize SSE policy configured within the Skyhigh Security Cloud UI.
  5. Save the change

NOTE: All ePO Managed endpoints will receive the policy update on the next policy push.


Edit and Review the Hybrid Policy Sync Status on MWG

Review the SWG Hybrid Policy Sync Status. No changes are required as the accounts are not changed. 

  1. Log in to the MWG appliance.
  2. Go to Configuration > Cluster > Web Hybrid.
  3. In Cloud Access, replace with
  4. Click Save

Now verify the snyc:

  1. Go to Troubleshooting > Synchronization.
  2. Click Synchronize and wait for the message to appear.

NOTE: If the “Policy Synchronization successfully performed!” message appears, then the Web Gateway is working as expected.

Review the Web Hybrid Policy Sync Status on Skyhigh

  1. Log on to (
  2. Go to Dashboards > Web Dashboard.
  3. If the Policy Synchronization is successful, then the Web Hybrid Policy Sync Status is indicated by a green dot at the top of the Dashboards > Web Dashboards page.

NOTE: If the status of Hybrid Sync is anything otherwise than green, contact Skyhigh Support.

  • Was this article helpful?