Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 15 System Administration
keeping the directory structure intact. To use the upgrade image, configure the
appliance to use the local server on the Edit Update Settings page (or use
updateconfig in the CLI).
The local server also hosts an XML file that limits the available AsyncOS
upgrades for the Cisco IronPort appliances on your network to the downloaded
upgrade image. This file is called the “manifest.” The manifest is located in the
asyncos directory of the upgrade image ZIP file. After unzipping the ZIP file in
the root directory of the local server, enter the full URL for the XML file,
including the filename, on the Edit Update Settings page (or use updateconfig in
the CLI).
For more information about remote upgrades, please see the Cisco IronPort
Knowledge Base or contact your Cisco IronPort Support provider.
Note
Only use a local update server for AsyncOS upgrade images, not security update
images. When you specify a local update server, the local server does not
automatically receive updated security updates from IronPort, so the appliances
in your network eventually become out of date. Use a local update server for
upgrading AsyncOS, and then change the update and upgrade settings back to use
the Cisco IronPort update servers so the security services update automatically
again.
Configuring Upgrade Settings from the GUI
Update settings include the source for the AsyncOS upgrade (remote or
streaming), the interface to use to download the upgrade, and proxy server
settings. In addition to AsyncOS upgrades, you can also edit settings for various
Cisco IronPort services such as anti-spam, anti-virus, and Outbreak Filter services.
For information about updating services, see Service Updates, page 15-15.
To edit the AsyncOS upgrade settings:
Step 1
Click Edit Update Settings on the Security Services > Service Updates page.
The Edit Update Settings page is displayed.
Step 2
Choose whether to download the AsyncOS upgrade image from the Cisco
IronPort update servers or a local server.
If you choose a local server, enter the base URL for the local server hosting
the AsyncOS upgrade image. If the server requires authentication, you can
also enter a valid user name and password.
Note
When you specify a local server for AsyncOS upgrades, the local server
does not automatically receive updated McAfee Anti-Virus definitions, so
the appliances in your network eventually become out of date. Change the
settings back to use the Cisco IronPort update servers after the upgrade so
the McAfee Anti-Virus definitions update automatically again.
Step 3
If you choose to download the AsyncOS upgrade image from a local server, select
the local server as the source for the list of available updates (the manifest XML
file). Enter the full URL for the manifest, including the file name, and the HTTP
port number. If the server requires authentication, you can also enter a valid user
name and password.
Step 4
Select the interface to use for the upgrade.
Step 5
Enter HTTP proxy server or HTTPS proxy server information if desired.
Step 6
Submit and commit changes.
Configuring Upgrade Settings from the CLI
To tell your appliances where to retrieve the AsyncOS upgrade (local or from
Cisco IronPort’s servers), run the updateconfig command. To install an upgrade,
run the upgrade command.
The updateconfig Command
The updateconfig command is used to tell your Cisco IronPort appliance where
to look for service updates, including AsyncOS upgrades. By default, when you
type the upgrade command, the appliance will contact Cisco IronPort’s upgrade
servers for the latest update. For remote upgrades, issue the updateconfig
command and configure the appliance to use a local update server (the local server
configured above).
Note
You can use the ping command to ensure that the appliance can contact the local
server. You can also use the telnet command to telnet to port 80 of the local
server to ensure the local server is listening on that port.
AsyncOS Reversion
AsyncOS includes the ability to revert the AsyncOS operating system to a
previous qualified build for emergency uses.
Note
After upgrading to AsyncOS 7.0, you cannot revert to a version of AsyncOS
earlier than 6.5.
Available Versions
Because upgrades cause one-way transformation of key subsystems, the reversion
process is complex and requires qualification by Cisco IronPort Quality
Assurance teams. IronPort certifies specific versions of CASE, Sophos, Outbreak
Filters, and McAfee to AsyncOS versions. Not all prior versions of the AsyncOS
operating system are available for reversion. The earliest AsyncOS version
supported for this functionality is AsyncOS 5.5.0; prior versions of AsyncOS are
not supported.
Important Note About Reversion Impact
Using the revert command on a Cisco IronPort appliance is a very destructive
action. This command destroys all configuration logs and databases. Only the
network information for the management interface is preserved; all other network
configuration is deleted. In addition, reversion disrupts mail handling until the
appliance is reconfigured. Because this command destroys network configuration,
you may need physical local access to the Cisco IronPort appliance when you
want to issue the revert command.
Warning
You must have a configuration file for the version you wish to revert to.
Configuration files are not backwards-compatible.
Performing AsyncOS Reversion
To run the revert command, complete the following steps:
Step 1
Ensure that you have the configuration file for the version you wish to revert to.
Configuration files are not backwards-compatible. To do this, you can email the
file to yourself or FTP the file. A simple way to do this is to run the mailconfig
CLI command.
Step 2
Save a backup copy of the current configuration of your appliance (with
passwords unmasked) on another machine.
Note
This is not the configuration file you will load after reverting.
Step 3
If you use the Safelist/Blocklist feature, export the Safelist/Blocklist database to
another machine.
Step 4
Wait for the mail queue to empty.
Step 5
Log into the CLI of the appliance you want to revert.
When you run the revert command, several warning prompts are issued. After
these warning prompts are accepted, the revert action takes place immediately.
Therefore, do not begin the reversion process until after you have completed the
pre-reversion steps.
Step 6
From the CLI, issue the revert command.
Note
The reversion process is time-consuming. It may take fifteen to twenty
minutes before reversion is complete and console access to the Cisco
IronPort appliance is available again.
The following example shows the revert command:
mail.mydomain.com> revert
This command will revert the appliance to a previous version of
AsyncOS.
WARNING: Reverting the appliance is extremely destructive.
The following data will be destroyed in the process:
- all configuration settings (including listeners)
- all log files
- all databases (including messages in Virus Outbreak and Policy
quarantines)
- all reporting data (including saved scheduled reports)
- all message tracking data
- all IronPort Spam Quarantine message and end-user safelist/blocklist
data
Only the network settings will be preserved.
Before running this command, be sure you have:
- saved the configuration file of this appliance (with passwords
unmasked)
- exported the IronPort Spam Quarantine safelist/blocklist database
to another machine (if applicable)
- waited for the mail queue to empty
Reverting the device causes an immediate reboot to take place.
After rebooting, the appliance reinitializes itself and reboots again
to the desired version.
Do you want to continue?
Are you *really* sure you want to continue? yes
Available version Install date
================= ============
Available version Install date
1. 5.5.0-236 Tue Aug 28 11:03:44 PDT 2007
2. 5.5.0-330 Tue Aug 28 13:06:05 PDT 2007
3. 5.5.0-418 Wed Sep 5 11:17:08 PDT 2007
Please select an AsyncOS version: 2
You have selected "5.5.0-330".
The system will now reboot to perform the revert operation.
Step 7
The appliance will reboot twice.
Step 8
After the machine reboots twice, use the serial console to configure an interface
with an accessible IP address using the interfaceconfig command.
Step 9
Enable FTP or HTTP on one of the configured interfaces.
Step 10
Either FTP the XML configuration file you created, or paste it into the GUI
interface.
Step 11
Load the XML configuration file of the version you are reverting to.
Step 12
If you use the Safelist/Blocklist feature, import and restore the Safelist/Blocklist
database.
Step 13
Commit your changes.
The reverted Cisco IronPort appliance should now run using the selected
AsyncOS version.
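Added example (not part of the Cisco guide): a pre-flight check, run on an administrator workstation before answering the revert prompts, that parses the version menu in the layout shown in the transcript above and lists reasons not to proceed, based on the limits this chapter states. The names parse_menu, revert_blockers and saved_configs are hypothetical, the sample menu is constructed from the transcript, and matching saved configuration files on the full version string (build number included) is this example's own choice.

```python
import re

# Constructed sample: the version menu in the layout the transcript above shows.
SAMPLE_MENU = """\
Available version  Install date
=================  ============
1. 5.5.0-236       Tue Aug 28 11:03:44 PDT 2007
2. 5.5.0-330       Tue Aug 28 13:06:05 PDT 2007
3. 5.5.0-418       Wed Sep 5 11:17:08 PDT 2007
"""

ENTRY = re.compile(r"^\s*(\d+)\.\s+((\d+)\.(\d+)\.(\d+)-(\d+))\s+(.+?)\s*$")


def parse_menu(text):
    """Map menu number -> (version string, (major, minor, patch), install date)."""
    menu = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            release = tuple(int(m.group(i)) for i in (3, 4, 5))
            menu[int(m.group(1))] = (m.group(2), release, m.group(7))
    return menu


def revert_blockers(choice, menu, running, saved_configs):
    """Return the reasons not to revert to menu entry `choice` (empty = none found).

    running: (major, minor, patch) of the AsyncOS release currently installed.
    saved_configs: version strings for which the operator holds a saved
    configuration file (hypothetical input; this code does not read the files).
    """
    if choice not in menu:
        return ["selection is not in the menu"]
    version, release, _ = menu[choice]
    reasons = []
    if release < (5, 5, 0):
        reasons.append("versions before 5.5.0 are not supported for reversion")
    # Assumption: "after upgrading to 7.0" is read as "running 7.0 or later".
    if running >= (7, 0, 0) and release < (6, 5, 0):
        reasons.append("after upgrading to 7.0, versions before 6.5 are unavailable")
    # Configuration files are not backwards-compatible, so require an exact match.
    if version not in saved_configs:
        reasons.append("no saved configuration file for " + version)
    return reasons
```

An empty list only means these three checks passed; the remaining pre-reversion steps (unmasked backup, Safelist/Blocklist export, empty mail queue) still have to be confirmed by the operator.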
Service Updates
Many of the settings used to configure how the Cisco IronPort appliance updates
various services (such as the anti-spam, anti-virus, and Outbreak Filter services)
are accessible via the Service Updates page from the Security Services menu or
via the updateconfig command in the CLI.
The Service Updates Page
The Service Updates page (available via the Security Services menu in the GUI)
displays the current settings for updating various services for your Cisco IronPort
appliance. The update settings include: Update Server (images), Update Server
(list), Update URLs for various components, Enable Automatic Updates,
Automatic Update interval, and the HTTP and HTTPS Proxy Servers.
Note
The Cisco IronPort update servers use dynamic IP addresses. If you have strict
firewall policies, you may need to configure a static location for security
component updates and AsyncOS upgrades. If you determine that your firewall
settings require a static IP address for updates and upgrades, follow instructions
below for editing the update settings and contact Cisco IronPort Customer support
to obtain the required URL addresses.
Editing Update Settings
To edit the update settings for your Cisco IronPort appliance, click the Edit
Update Settings button. You can configure the following types of settings:
Update Servers (images), Update Servers (list), Automatic Updates, Interface,
and Proxy Servers. See Table 15-1 on page 15-18 for more details on the update
settings.
Figure 15-5 shows the settings available for Update Servers.
Figure 15-5 Update Servers Settings for Images and Lists