Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here

Skyhigh Security

Migrate from WGCS to SWG Cloud (ePO-Cloud-managed SCP Agent and Policy)

Verification

Check Accounts

Make sure that your Skyhigh Security accounts are working as expected and check that your ePO Cloud accounts were successfully migrated to Skyhigh Security Cloud. 

  1. Log on to Skyhigh Security Cloud (https://auth.ui.trellix.com)
    Use your email ID and password (the same account credentials as the administrator for ePO Cloud).
  2. Confirm if the logon was successful or if you receive an error message for a failed logon attempt.

If any needed account is not working, contact Skyhigh Security Support

Check the Customer ID

Verify that the Customer ID remains the same:

  1. Log on to ePO Cloud.
  2. Go to MenuWeb ProtectionGetting Started.
  3. Make a note of the Customer ID.
  4. Log on to Skyhigh Security Cloud.
  5. Go to Settings > Infrastructure > Client Proxy Management.
  6. Click Global ConfigurationTenant Authentication.
  7. Compare if the displayed Customer ID matches the one in ePO Cloud. If not, contact Skyhigh Security Support.

Verify Data

Verify that data from ePO Cloud is available in Skyhigh Security Cloud:

  1. Log on to Skyhigh Security Cloud.
  2. Go to Dashboards > Web Dashboard
    The predefined Dashboard Cards usually show data from the past seven days. For details, see About the Web Dashboard. If the data is missing or the displayed data is incorrect, open a Service Request.
    NOTE: You'll need to recreate custom reports using the reporting and analytics features within Skyhigh Security Cloud.
  3. Check all the web traffic logs at Analytics > Web > Web Traffic. 
    If the data is missing or the displayed data is incorrect, contact Skyhigh Security Support.

Update Data Residency and Log Privacy 

Review ePO Cloud Data Residence Settings

  1. Log in to ePO Cloud.
  2. Click Policy > Web Policy, select Settings, and select Data Residency Settings.
  3. Note the Data Residency configuration.
  4. Select Log Privacy Settings.
  5. Note the fields that are concealed.

Update Skyhigh Data Residency and Log Privacy Settings

  1. Log in to Skyhigh Security Cloud.
  2. Go to Settings > Infrastructure > Web Gateway Setup.
  3. Edit Log Data Residency and configure it in the same way as it was configured in ePO Cloud.
  4. For Log Privacy Settings, select the same fields to be concealed as in ePO Cloud.

Update SCP and Web Policies Configuration

Transfer SCP Credentials from ePO Cloud to Skyhigh and Trellix ePO

Export SCP Credentials from ePO Cloud

Use these credentials in Skyhigh Security Cloud, so the SCP Clients can use the same credentials to connect to the Cloud Service. 

  1. Log in to ePO On-Prem or ePO Cloud.
  2. Click Policy Catalog, select the Product as Skyhigh Client Proxy and Category as SCP Policy.
  3. Select and open any active policy. Under client proxy settings, select Client Configuration.
  4. Click Export Customer Credentials > OK.
Edit the Credentials XML
  1. Download the file ePOExportPassword.xml and open it in a text editor.
  2. Scroll towards the end (Extreme Right) before closing the </SCPCredentials> tag
  3. Place (paste) the following information just before the </SCPCredentials> tag:

<KeepDomainName>true</KeepDomainName>

Place the line between the </CustomerID> and </SCPCredentials> tags. This is an additional option that is required that ePO Cloud did not support.

  1. Save the ePOExportPassword.xml file
Import SCP Credentials into Skyhigh
Import SCP Credentials into Trellix ePO
  1. Log on to ePO.
  2. Under Configuration, select SCP Administration.
  3. In SCP Administration, choose the exported unmodified ePOExportPassword.xml (exported form ePO), and upload that to Trellix ePO.

Transfer SCP Policy from ePO Cloud to Trellix ePO

Export SCP Policy
  1. Log in to ePO On-Prem or ePO Cloud.
  2. Click Policy Catalog, select the Product as “Skyhigh Client Proxy” and Category as “SCP Policy”.
  3. Next to your policy name, click the Export link.
  4. Right-click the file, and use Save link  as ..., then click OK.  The policy file is downloaded in a binary format (.XML extension).
Modify and Import SCP Policy to Trellix ePO
  1. Log in to Trellix ePO. Under Policy select Policy Catalog.
  2. Select any SCP Policy and Export.
  3. Open the exported Trellix ePO Policy XML file and the ePO Cloud Policy XML file in a text editor.
  4. From the Trellix ePO file, fetch the value of featureid & serverid parameters.
    For example: featureid=”SCPSRVER1000”, where the SCPSRVER1000 is the value of the parameter featured.
  5. Replace the parameter values in the ePO Cloud file with the values from Trellix ePO file and save the file.
  6. In Trellix ePO, go to Policy Catalog > Skyhigh Client Proxy.
  7. Select Import and select the Modified xml file.
  8. Click OK as prompted (twice) and make sure the imported policy is configured and displayed as expected.

Import List Content for ePO Cloud (Only for SWG Cloud)

Replicate lists from ePO Cloud to Skyhigh Security Cloud. Unfortunately, full policy migration is not possible. 

  1. Log in to ePO Cloud.
  2. From Menu, under Policy, go to Web Policy.

    NOTE: It is only possible to export the list content from Web Policy. Direct policy conversion from ePO Cloud to Skyhigh Security Cloud is not possible.

    As an example, we will export the URL Blacklist Content from ePO Cloud, and import it into Skyhigh Security Cloud.
  3.  Under Web Policy > Global Settings click the Global URL Blacklist rule.
    This opens a window giving you access to all the lists in the catalog.
  4. From Catalog select Global URL Blacklist list. Click the ellipses at the bottom right corner and export the list.
  5. Open the exported list file in Excel. There are two columns listed, URL and Subdomain (True/False). 
  6. Remove the Subdomain column, and save the file.
  7. Log in to Skyhigh Security Cloud.
  8. Go to Policy > Web Policy > Policy.
  9. Find the corresponding rule. For example: For “Global URL Backlist” (exported from ePO Cloud) import:
    • Go to the “Global Block” branch and click “Global Block ListsRule Set. Then choose the “Domains Blocklist”.
      This opens the lists tab on the right side of the UI.
    • From Actions select Import – Append with .CSV.
    • Browse to select the exported and modified “Global URL Blacklist” CSV file. 
    • Open and click Save
  10. The list content from ePO Cloud is imported to Skyhigh Security Cloud under the corresponding RuleSet.

NOTE: This was just one example of a list import. All the other lists and policy configurations should be replicated manually the same way in Skyhigh Security Cloud.

SCP Policy - Configure New Proxy Name

IMPORTANT: Do not make SCP Policy changes unless you have replicated the required Web Policy Rules from ePO Cloud to Skyhigh Security Cloud. 

To change the Proxy Server name for Trellix ePO SCP Policy:

  1. Log in to Trellix ePO.
  2. Select Policy Catalog > Skyhigh Client Proxy.
  3. Select the active policy and click Edit.
  4. Under Client Proxy Settings > Proxy Servers, rename the Proxy Address:
    • from c(Customer ID).saasprotection.com
    • to c(Customer ID).hybrid.skyhigh.cloud OR c(Customer ID).wgcs.skyhigh.cloud

hybrid.skyhigh.cloud is used if you are managing web policy exclusively with an on-prem SWG. wcgs.skyhigh.cloud is used if you are managing the web policy using the cloud UI or using hybrid routing.
 

  1. Save the change

NOTE: All Trellix ePO managed endpoints will receive the policy update on the next policy push.

  • Was this article helpful?