Migration I: Silverback Server to Server
Server to Server Migration
This article will guide you through a Server to Server Migration for Silverback. In case of technological breaking changes or the end of support of operating systems this article will help you to ensure a guided path to migrate Silverback e.g. from Microsoft Server 2012 R2 to Microsoft Server 2016 or 2019 or newer. Vendors are continuously evolving their technology to support important business use cases, which makes a migration sometimes necessary.
The Apple Push Notification Network is an important part of the infrastructure behind every iOS and MacOS Device. As of April 1, 2021 a breaking change in the Apple Push Notification Network requires Silverback running on an Microsoft Server 2016 and newer in the minimum Version of Silverback 20.0 Update 3. With this guide we want to ensure you make the transformation seamless to avoid service interruption. Please be sure to take the following steps in your Silverback EMM on-premises infrastructure by March 31, 2021. Otherwise your managed devices will loose irreversible the connection to Silverback and need to be re-enrolled.
What you will need
- A prepared new Windows Server 2016 or above
- Access to our Knowledgebase and access to the Matrix42 Marketplace
- Admin Account and Settings Admin Account for the Silverback Management Console
- Administrative privileges on your current and new Silverback Server
- Domain Administrative privileges in case your current Server is Domain Joined
- A network share or any appropriate way to export and import certificates on your Servers
- Password for the SQL Database service account username
Before you start
At this point, you can start to prepare a new Windows Server 2016 Server and newer meeting the System Requirements for Hardware and the Operating System and Firewall Rules. During this guide, we will ensure that all Roles & Features and required additional Software will be installed. Please be aware that your old and the new server requires to have the same DNS and Hostname. If your current Server is Domain Joined, please note that the point of Domain Join will be after we shutdown the old server during in this guide. Additionally we recommend to read the complete guide before starting with the Migration. In case Silverback is placed in the DMZ and you are utilizing the Cloud Connector, you need to ensure to export additional certificates as well. In case your SQL Database is hosted on the same machine as Silverback, you will need to migrate the DB to the new server as well, which is not covered in this article. Please note that you either can migrate on the new server to the your current Silverback Version or directly to a newer version. In case you are running Silversync hosted on your current Silverback Server, please ensure to save/move all content and personal file management locations to your new Server and install Silversync again on the new Server.
Start your Server Migration
Silverback Management Console
Within the Silverback Management Console, we will first download the current APNS Certificate and review our current connection string. We will need to upload the APNS certificate to the new Server later and our current Connection String will be needed to re-establish the connection between Silverback and the SQL database on the new Server after the installation.
The APNS certificate is only relevant for Apple Device Management. In case you don't manage any Apple devices, start with Review your Connection String.
Export APNS Certificate
- Open your current Silverback Management Console
- Login as Administrator
- Navigate to Admin
- Select Certificates
- Under Apple Push Notification Service note down your current Apple ID
- Click Download Copy
- Note down your Password
- Click Download
- Click OK
- Store the MDMCertificate.pfx, e.g. on an internal share
- Log out as Administrator
Review your Connection String
- On your current Silverback Management Console
- Login as Settings Administrator
- Navigate to Connection String
- Note down your current Connection String information
On your current Silverback Server
Now we need to connect remotely to your current Silverback Server to export all mandatory and optional used certificates. We will import all your current used certificates later on to the new Silverback server. To ensure you catch the right certificates, use the option to review your currently used ones with Match your Thumbprints.
Export Certificates
- Open certlm.msc
- Navigate to Personal > Certificates
- Export the following certificates with the private key, e.g on an internal share:
Export all your certificates step by step
| Purpose | Issued To | Issued By | Certificate Store | Exportable Key |
|---|---|---|---|---|
| SSL Certificate | e.g. *.imagoverum.com | e.g. Alpha SSL CA SHA256 - G2 | Local Computer > Personal | company specific |
| Silverback Root CA | Silverback Root CA | Silverback Root CA | Local Computer > Personal | yes |
| Web Settings Encryption | Silverback Web Settings Certificate | Silverback Web Settings Certificate | Local Computer > Personal | yes |
| Certificate Distribution into AD | Agent Certificate | e.g. imagoverum-CA | Local Computer > Personal | yes |
| Certificate Distribution on Windows 10/11 | SB-CEP | e.g. imagoverum-CA | Local Computer > Personal | yes |
| Certificate Distribution on Windows 10/11 | SB-Enrollment | e.g. imagoverum-CA | Local Computer > Personal | yes |
In case you are not quite sure which certificate is currently used, you can find,review and match your thumbprints below.
Silverback Root CA certificate is also present in the Trusted Root Certification Authorities and needs to imported there later as well
Export Cloud Connector Certificates
If you are utilizing a Cloud Connector, please ensure to export the following certificates with the private key (for Tunnel Certificate and Root Authority) as well.
| Issued to | Issued By | Certificate Store | Exportable Key |
|---|---|---|---|
| Cloud Connector Client | Silverback Root Authority | Local Computer > Personal | No |
| Silverback Tunnel Certificate | Silverback Root Authority | Local Computer > Personal | Yes |
| Silverback Root Authority | Silverback Root Authority | Local Computer > Personal | Yes |
Match your Thumbprints
You can review your current used certificates under the following sections:
- SSL Certificate: Login as Settings Admin > Payload > Profile Signing Certificate
- Silverback Root CA Certificate: Login as Settings Admin > Certificates > Silverback Root Certification Authority
- Silverback Web Settings Certificate: Login as Settings Admin > Connection String
- Agent Certificate: Login as Admin > Tags > In any Tag you configured your Corporate Wi-Fi Profile(s) with Active Directory Certificate Distribution.
- CEP Encryption Agent Certificate > Login as Settings Admin > Certificates > Windows 10 Certificate Settings
- Exchange Enrollment Agent Certificate > Login as Settings Admin > Certificates > Windows 10 Certificate Settings
- Cloud Connector Client > Login as Settings Admin > Cloud Connector > Client Certificate Thumbprint
- Silverback Tunnel Certificate > Login as Settings Admin > Cloud Connector > Silverback Server Tunnel certificate
Shutdown Server
- After exporting all relevant certificates, please shut down your current Silverback Server
In your Domain
- If your Silverback Server is Domain Joined, perform a Domain Join on your new Server with the same hostname
- Ensure that all your current DNS entry targets now the new Silverback Server
On your new Silverback Server
Please switch to your new Silverback Server and install Roles & Features and Additional Software and ensure that TLS 1.1 and 1.2 is enabled. After that we will import our previously exported certificates and install Silverback on the new Server. After the setup we need to adjust our IIS Binding and re-enter the Connection String for the database. As the last step we will import our APNS Certificiate in case your are managing Apple devices.
Meet the System Requirements
- Install all necessary Roles & Features
- Install Additional Software
- Download and Execute the Protocols & Cipher Suites Script (Installation Guide V: Server Hardening)
It is important that the new Silverback Server will have the same DNS name as before.
Import your Certificates
- Import your previously exported certificates
- Open certlm.msc
- Navigate to Personal > Certificates
- Perform a right click in the right section
- Select All Tasks
- Choose Import
- Click Browse
- Select your certificate
Ensure that All Files is selected to see exported *.pfx files
- Proceed with Next, enter your Export Password
- Decide if you want to mark the key for the SSL Certificate as exportable
- Ensure that for all other certificates the private key is marked as exportable as previously
- Ensure to place the Certificate in the right certificate store and click next and finish
- Repeat the steps for all available certificates and review the certificate stores:
- SSL Certificate to Personal > Certificates
- Silverback Root CA Certificate to Personal > Certificates and in Trusted Root Certification Authorities
- Silverback Web Settings Certificate to Personal > Certificates
- Agent Certificate (if available) to Personal > Certificates
- CEP Encryption Agent Certificate (if available) to Personal > Certificates
- Exchange Enrollment Agent Certificate (if available) to Personal > Certificates
- Cloud Connector Client (if available) to Personal > Certificates
- Silverback Tunnel Certificate (if available) to Personal > Certificates
- Silverback Root Authority (if available) to Personal > Certificates
- Add Network Service read permissions to the certificate private keys
- Perform a right click on each certificate
- Select All Tasks
- Choose Manage Private Keys
- Click Add
- Enter Network Service
- Press Check Names
- Click OK
- Ensure that only Read Access is granted
- Click OK
Silverback Installation
- Download Silverback from the Matrix42 Marketplace
- Run the executable and perform with the Silverback Installation
- After successful installation, before you Launch Silverback Admin Console
- Edit the SSL Binding in IIS to your SSL Certificate
- Open Internet Information Services (IIS) Manager
- Expand your Server and Sites
- Select Silverback
- Select in the right pane Bindings
- Select the https type and click edit
- Select your SSL Certificate and confirm with OK
- Confirm the warning if presented
- Click Close and Restart the IIS
- Edit the SSL Binding in IIS to your SSL Certificate
- Navigate back to the Silverback Installation
- Click Finish and Launch the Silverback Admin Console
- Wait until the Database wizard will appear
- Enter your old connection string information
- Click Pick and select your (old) Silverback Web Settings Certificate
- Click Save
- Click OK
- Proceed and Finish Setup
If your newly installed Silverback is higher then the current one, a database upgrade screen will appear.
Start Services
- Run PowerShell as an Adminmistrator
- Run restart-service w3svc,silv*,epic*,mat*
Import APNS Certificate
- Open your Silverback Management Console
- Login as Administrator
- Navigate to Certificates
- In the Apple Push Notification Service sections click Upload Existing Certificate
- Click Choose File and select your previously exported APNS Certificate
- Enter your previously noted password
- Re-enter your used Apple ID
- Click OK
Check health status
- Try to open Silverback Management Console and login
- Try to open Self Service Portal and login
- Try to refresh a device as an Administrator
- Try to enroll a device as a User
If something went wrong, please contact us.