Skip to content
Supported migration paths

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/support/migration/en-us/index.html?contextId=access-points-migration

Access point migration

Sophos has announced that the APX series will reach End-of-Life (EoL) on December 31, 2027. For more information, see Retirement calendar for Sophos access points. Start planning your migration to Sophos AP6 access points to ensure a seamless transition and address compatibility considerations.

The specific details of the migration plan may vary depending on the size and complexity of your existing wireless network, as well as your specific requirements and constraints. We recommended working closely with Sophos or a qualified wireless network specialist to ensure a smooth and successful migration.

Migration planning

Whether migrating from Sophos AP and APX series access points or third-party devices, it's important to plan your migration by assessing your current infrastructure, selecting the appropriate replacement AP6 models, familiarizing yourself with Sophos Central, and training staff and users on the new hardware changes.

Assess current infrastructure

To start planning your migration to AP6, evaluate your network requirements to determine coverage areas, user density, and performance needs. This will help you select appropriate AP6 replacements. Review the current network requirements and traffic patterns, as they may have changed since the original wireless deployment.

This assessment must include the cabling and network hardware in your environment. Some AP6 models have 2.5 Gbps Ethernet ports, and only specific cables can achieve those speeds. These models require high-quality Ethernet cables to support the increased speed, with a minimum of Cat 5E for short distances and Cat 6 suggested for long distances. See Network cable design and component planning.

You must also review the PoE capabilities of the hardware and cabling to make sure they can provide enough power to AP6 access points. Power sourcing equipment and cables must be capable of PoE+ (802.3at) for all AP6 models except the AP6 840E model, which requires the new PoE++ (802.3bt) standard. See AP6 power requirements.

We strongly recommend conducting a site survey as part of your assessment. This survey helps you visualize the current wireless coverage, identify coverage gaps and dead zones, and adjust the placement of AP6 access points for optimal coverage. See Site survey.

Tip

If you manage your APX access points in Sophos Central, you can identify the busiest ones by looking at their workload and connected devices. If some APX access points experience heavier traffic than others, consider a model upgrade or multiple access points in the same area for load balancing.

Use this assessment to create a placement map of the existing access points. Make sure the map includes IP address, SSID, channel, transmit power, mesh, cabling, and any other requirements that must be transferred to the AP6 access points. Use this map as a baseline to create a new map for the AP6 access points.

Select AP6 models

When you've assessed your current deployment, inventory your existing access points. Document all existing models, their specifications, locations, and configurations. If you're migrating from Sophos APX access points, use the following table to identify the AP6 replacement suggestions for each model:

APX model AP6 replacement

APX 120 or

APX 320

 AP6 420
APX 530

AP6 420E or

AP6 840
APX 740

AP6 840 or

AP6 840E
APX 320X AP6 420X

While these recommendations align with Sophos's suggested migration paths, you may select different AP6 models depending on your needs. Some other considerations for selecting AP6 access points are as follows:

  • 6 GHz: The AP6 420E and AP6 840E models support Wi-Fi 6E and the 6 GHz frequency band. Consider the availability of the 6 GHz band in your region and the need for Wi-Fi 6E support. See Countries supporting the new 6 GHz band of our AP6 series.
  • Antennas: If you're migrating from third-party hardware or Sophos legacy models with external antennas, such as the AP 100, consider that AP6 indoor models are optimized for ceiling mounting, and they might require a different location or orientation for optimal performance. See the mounting guidelines included in the AP6 hardware for additional information.
  • PoE: Check the PoE requirements for the selected models and evaluate if power injectors, like the Sophos PoE++ power injector, are required. See AP6 power requirements.
  • Region: Sophos AP6 access points have different stock-keeping units (SKUs) for different regions. When selecting an AP6 model, make sure you also select the SKU for the region where it will be deployed. See AP6 SKU country mapping.

Sophos Central management

You can only manage AP6 access points in Sophos Central. If you're replacing third-party hardware or managing APX access points in Sophos Firewall or UTM, you must set up Sophos Central as part of your migration plan. Make sure you have access to Sophos Central and are familiar with its interface. See Getting started.

AP6 access points have specific network requirements for communicating with Sophos Central. You must make sure your network allows communication with the required domains and ports. See Domain requirements.

You must also have a support and services subscription for each AP6 access point you want to manage. This license entitles you to Sophos Central management, firmware updates, advanced RMA, and 24×7 support. See AP6 support and services licensing.

Mixed deployment

When migrating to Sophos AP6 access points, you may have AP6 and APX access points deployed simultaneously in a mixed deployment. A mixed wireless deployment is a wireless network consisting of AP6 and APX access points deployed in the same location, managed by Sophos Central, where wireless clients can roam between the access points.

Operating APX and AP6 access points simultaneously requires thorough planning. Many features, such as fast roaming, mesh, and captive portal, don't synchronize between them. Even when using the same SSID and security settings, devices may experience delays or brief disconnections when roaming between different series of access points. We strongly recommend reading the AP6 and APX mixed deployment guide if your migration plan includes a mixed deployment. See AP6 and APX mixed deployment guide.

Training

Before beginning your migration, we recommend providing IT personnel with technical training on Sophos Central management and AP6 access point features. We also recommend making sure they have at least a basic understanding of Wi-Fi technologies and fundamentals. Educating the teams that oversee the migration and manage the deployment will minimize downtime and maximize performance. The following video is an excellent place to start:

You should also inform users of the migration. Any change in hardware can introduce downtime, changes to network access and procedures, and potential compatibility issues. By educating users beforehand, you can mitigate any issues that arise from these changes.

AP6 deployment

A phased deployment strategy will help make sure that any issues you encounter in your deployment are minimized and easily fixed with the minimum impact on the user experience.

Pilot test

We recommend starting the phased deployment with a pilot test of two AP6 access points in a controlled environment to test compatibility, performance, and management features. When you deploy the access points, test them thoroughly. Make sure to include the following items in your tests:

  • Make sure the SSID is broadcasting and check the coverage area.
  • Check VLAN tagging and make sure network devices are routing traffic correctly.
  • Check roaming performance with computers and mobile devices. Include all OS types in your environment, such as Windows, Mac, iOS, Android, and so on. If handheld devices can connect to the network, test them thoroughly due to their less sensitive antennas.
  • Test authentication, especially when using enterprise authentication.
  • Test the captive portal for guests and when roaming between access points.

Prepare for installation

When you're confident the pilot deployment is working as expected, the next step is to pre-configure your AP6 access points in Sophos Central. Register the access points, assign them names and sites, and update them to the latest firmware. It's important to add AP6 access points to sites. Doing this sets the country code on the access point which maintains regulatory compliance by limiting the frequency bands available based on the access point's location.

Review the placement map created during the planning stage to assign SSIDs and Wi-Fi channels according to the location each access point will operate. Verify you've addressed any cabling needs, PoE requirements, and mounting changes.

Make sure you have all the mounting hardware needed for the access points you've selected and their locations and orientations. All Sophos AP6 access point models come with a mounting bracket that you can use to mount them to walls, flat ceilings, and drop ceilings. The AP6 420X also includes mounting straps to attach it to a pole. Optional flat mounts without the drop ceiling clips and hanging mounts are available separately to provide more mounting options. Carefully review the AP6 mounting guidelines included in your hardware for proper installation and orientation.

Review network settings to make sure IP addresses and other configurations are correct. Check that VLAN traffic is properly tagged and segregated for guest networks and SSIDs. This review must extend to all connected network devices to confirm they pass traffic correctly through all connected switches and firewalls.

Be prepared to roll back. Create a rollback plan in case an unforeseen issue prevents the deployment from being completed. Keep the old access points available and in working order in case you need to reinstall them.

Gradual rollout

When it's time to deploy the AP6 access points, it's best to do it gradually to minimize disruptions. Schedule maintenance windows outside of business hours or during low-use periods. Make sure you notify IT, users, and vendors of the changes as appropriate. Start with a single area and ensure all access points function as expected before moving on to another. Check the following items:

  • Are the devices properly powered up?
  • Are the devices connecting to Sophos Central?
  • Is the signal covering the expected area with good performance?
  • Can wireless devices connect to the access points, appropriate network resources, and the internet?

When you've replaced all existing access points with AP6 access points, you can turn on features unique to the AP6 access points. When you turn them on, you can fully evaluate any new feature that may not have been compatible with the replaced devices.

Monitor and optimize

Throughout the migration, continuously monitor network performance and user feedback and make adjustments as necessary. Move between access points and coverage areas to ensure roaming between access points works as expected. Test the network by performing VoIP calls, media streaming, and simulating bandwidth-intensive activities to help identify potential problem areas where unexpected dropouts and packet loss might occur.

Tip

The Sophos roaming best practices guide details how to configure and optimize roaming in your wireless environment. See Roaming best practices.

Use Sophos Central to monitor the access points' health and functionality. You can identify access points with heavy loads and make sure devices are balanced across them. You can also adjust transmitting power and channel use to address coverage overlaps and co-channel interference.

Tip

The AP6 channel selection guide has information to help you select the best channels for your environment and understand co-channel interference. See AP6 channel selection guide.

Conduct a post-deployment site survey at the end of your migration to confirm all access points are functioning as expected, identify coverage areas, overlaps, and gaps, and scan for any new sources of internal or external interference. Make any adjustments necessary, up to and including moving the access points, to optimize performance and reliability.

Document the migration process

Throughout your migration, keep detailed records of configurations, deployment steps, and any issues encountered to assist with future troubleshooting and serve as a reference for similar projects. It's also important to document any ongoing changes to the deployment after migration to make sure your inventory and records are always up to date.

Make sure the documentation includes the unique password for each access point. This password is printed on a sticker inside the AP6 packaging. While AP6 access points are managed exclusively from Sophos Central, it may be necessary to connect to the local UI or CLI of an access point for troubleshooting. You'll need the unique password for these connections. If you lose the password or want to change it later, you can use the Recover password option in Sophos Central to change it. See Access point details.