將配置從舊硬體型號(Cx70)遷移到新硬體型號(Cx95)

簡介

在硬體(HW)生命週期中，客戶可能擁有較舊型號的裝置，稍後將由較新的硬體取代。  隨著AsyncOS版本的更新，支援的版本將達到壽命終止(EoL)和支援終止(EoS)狀態。  EoL/EoS和HW生命週期有時會達到無法升級AsyncOS版本以匹配新硬體上出廠和安裝的AsyncOS版本的地步。（例如，Cisco Email Security Cx70 > Cisco Email Security Cx95。）

本文檔將提供管理員選項來彌合版本之間的差距，以便將其現有配置從舊硬體遷移到新硬體。

概觀

必要條件

1. 審閱思科銷售終止和生命週期終止產品頁面
2. 確定在現有硬體和新硬體上運行的AsyncOS版本：
   • Cx70（或其他硬體型號）[這是現有的生產ESA。]
   • Cx95（或其他硬體型號）[這是ESA REPLACING the production ESA。]
     • 步驟：
       • CLI，運行命令version
       • UI，導航到Monitor > System Info

3. 對思科郵件安全裝置集群的基本瞭解
4. 確定現有硬體是否已在群集中
   • CLI，運行命令clusterconfig
   • UI，導航到Monitor > any
     • 如果看到「模式 — 集群：cluster_name",您的裝置正在集群配置中運行

5. 下載思科電子郵件安全虛擬裝置(vESA):
   • 要匹配Cx70支援的版本，請下載11.0.0-274:
     • https://software.cisco.com/download/home/284900944/type/282975113/release/11.0.0

6. 通過以下兩種方法之一獲取vESA許可證：
   1. 許可證管理器提供的45天臨時金鑰
   2. 從許可證管理器請求現有硬體的XML

將舊硬體(Cx70)升級到最新的AsyncOS

本文檔將使用Cx70作為要更換的基本裝置。  所有Cx70機型都在AsyncOS 11.0.x上具有EoS。  為了彌合AsyncOS版本之間的任何差距，您需要將現有配置遷移到vESA，然後利用該vESA將配置同步到新裝置。

要將現有配置遷移到新硬體，請將裝置升級到裝置的最新AsyncOS常規部署(GD)或維護部署(MD)版本。

 

將現有Cx70/硬體升級到11.0.3-238(MD)

在AsyncOS 11.0 for Cisco Email Security Appliances的發行說明中，使用以下說明升級您的郵件安全裝置：

1. 儲存裝置的XML配置檔案。
2. 如果您使用安全清單/阻止清單功能，請將安全清單/阻止清單資料庫從裝置匯出。
3. 掛起所有偵聽程式。
4. 等待隊列清空。
5. 在「系統管理」頁籤中選擇「系統升級」
6. 按一下Available Upgrades頁面將刷新，顯示可用AsyncOS升級版本的清單。
7. 按一下「Begin Upgrade」按鈕，您的升級將會開始。在問題出現時予以回答。升級完成後，按一下Reboot Now按鈕重新啟動裝置。
8. 恢復所有監聽程式。

重新啟動後，驗證運行的AsyncOS版本：

• CLI，運行命令version
• UI，導航到Monitor > System Info

附註：如果已在群集配置中運行多個裝置，則可以跳過下一部分。

建立群集（在現有的Cx70/HW上）

建立集群允許您共用現有配置。  有關使用群集進行集中管理的資訊，請參閱《使用手冊》。  使用clusterconfig > Create a new cluster 命令，如下所示：

C170.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> migration.local

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.56 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C170.local using IP address 10.10.10.56 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 07:47:59 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster migration.local)

利用vESA將配置橋接至新硬體(Cx95)

本文檔將使用Cx70作為要更換的基本裝置。  所有Cx70機型都在AsyncOS 11.0.x上具有EoS。  為了彌合AsyncOS版本之間的任何差距，您需要將現有配置遷移到vESA，然後利用該vESA將配置同步到新裝置。

部署vESA

根據思科內容安全虛擬裝置安裝指南，從前提條件下載vESA映像並進行部署。

附註：安裝指南提供有關DHCP(interfaceconfig)的資訊，並設定虛擬主機上的預設網關(setgateway)，同時載入虛擬裝置許可證檔案。  請確保您已按照指示閱讀和部署。

升級vESA以與Cx70匹配

部署vESA後，驗證運行AsyncOS的版本：

• CLI，運行命令version
• UI，導航到Monitor > System Info

由於您已將Cx70的AsyncOS版本升級到11.0.3-238，因此您還需要運行相同且匹配的AsyncOS for Email Security版本。(即11.0.3-238 :11.0.3-238，而不是11.0.0-274 :11.0.3-238。)

1. 在「系統管理」頁籤中選擇「系統升級」
2. 按一下Available Upgrades頁面將刷新，顯示可用AsyncOS升級版本的清單。
3. 按一下「Begin Upgrade」按鈕，您的升級將會開始。在問題出現時予以回答。升級完成後，按一下Reboot Now按鈕重新啟動裝置。

重新啟動後，驗證運行的AsyncOS版本：

• CLI，運行命令version

UI，導航到Monitor > System Info

將vESA加入您的ESA集群

從vESA上的CLI運行clusterconfig > Join an existing... 將vESA新增到集群中，與以下內容類似：

vESA.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 10.10.10.56

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:22:44:aa:cc:55:ff:ff:11:66:77:ee:66:77:77:aa
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster migration.local)>

此時，vESA的配置與現有Cx70/HW的運行配置相同。

運行clustercheck命令以驗證同步並驗證現有vESA和Cx95之間是否存在任何不一致。  （請參閱「群集不一致」以瞭解詳細資訊。）

附註：您的vESA沒有處理郵件。  為了消除顧慮，您必須將vESA作為附加MX新增到DNS記錄中，或將其包括在ESA外部的任何負載均衡池中。 

從ESA集群中刪除vESA

在vESA上的CLI中，運行clusterconfig，然後使用removemachine操作將裝置從群集中刪除：

(Cluster migration.local)> clusterconfig

Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. C170.local (group Main_Group)
2. vESA.local (group Main_Group)
[1]> 2

Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.local removed from the cluster.

將vESA和Cx95升級到12.5.x

此時進行配置遷移時，您需要升級vESA以匹配新HW/Cx95的版本。  本文檔假定您使用Cx95作為替換Cx70的裝置。 

Cx95硬體出廠時運行的是AsyncOS 11.5.x。  思科建議從11.5.x升級到12.5.x。

vESA需要運行相同且匹配的AsyncOS for Email Security。(即12.5.0-059 :12.5.0-059，而不是11.0.3-238 :12.5.0-059。)

升級之前，您需要更改vESA上的動態主機設定。  [解釋為什麼需要這樣做：vESA加入Cx70群集時，它假設硬體更新程式的群集配置(update-manifests.ironport.com 443)。  此時，為了升級vESA，需要將其重新指向VM更新程式。]。

要完成此操作，請從CLI運行以下命令：

1. updateconfig
2. dynamichost（*此命令僅在updateconfig的此時處於隱藏狀態）
3. 輸入以下內容：update-manifests.sco.cisco.com 443
4. 按一次Enter返回主CLI提示
5. 運行Commit以儲存配置更改。

要升級vESA和Cx95 :

1. 在「系統管理」頁籤中選擇「系統升級」
2. 按一下Available Upgrades頁面將刷新，顯示可用AsyncOS升級版本的清單。
3. 按一下「Begin Upgrade」按鈕，您的升級將會開始。在問題出現時予以回答。升級完成後，按一下Reboot Now按鈕重新啟動裝置。

重新啟動後，驗證運行的AsyncOS版本：

• CLI，運行命令version
• UI，導航到Monitor > System Info

完成到新硬體/Cx95的配置遷移

對於本文而言，假設您已收到、裝入、供電並完成新硬體（即Cx95）的基本網路配置。  有關Cx95的詳細資訊，請參閱思科電子郵件安全裝置C195、C395、C695和C695F入門指南。

建立新群集（在vESA上）

如果您希望重複使用相同的群集名稱，請從Cx70群集使用相同的群集名稱建立。  或者，使用新的群集名稱建立新群集。  這重複了之前在vESA上執行的步驟：

vESA.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> newcluster.local

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.58 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C195.local using IP address 10.10.10.58 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster newcluster.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.local)>

將Cx95加入您的ESA群集

在Cx95的CLI上，運行clusterconfig > Join an existing... 將Cx95新增到在vESA上配置的新群集中，類似於以下內容：

C195.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 10.10.10.58

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:11:33:aa:bb:44:ee:ee:22:77:88:ff:77:88:88:bb
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.local)>

重複該過程，將其他Cx95加入您的群集。 

此時，您的Cx95的配置與您的現有Cx70/HW和vESA的運行配置相同。

運行clustercheck命令以驗證同步並驗證現有vESA和Cx95之間是否存在任何不一致。  （請參閱「群集不一致」以瞭解詳細資訊。）

類似於第二部分中針對vESA的步驟，您需要將updateconfig設定為指向HW更新程式。  要完成此操作，請從CLI運行以下命令：

1. updateconfig
2. dynamichost（*此命令僅在updateconfig的此時處於隱藏狀態）
3. 輸入以下內容：update-manifests.ironport.com 443
4. 按一次Enter返回主CLI提示
5. 運行Commit以儲存配置更改。

配置遷移已完成！

遷移後清理和選項

Cx70 > Cx95

此時，您需要做出關閉Cx70裝置的電源和將現有IP地址和相關主機名遷移到Cx95的決策。  在此過程中要複查的專案包括：

• UI:
  • Network > IP Interface [逐步檢查每個活動介面以及分配給每個介面的任何關聯的主機名]
• CLI:
  • setgateway
  • sethostname

Cx00V

您還需要決定如何繼續使用虛擬ESA。  要通過運行clusterconfig > removemachine從現有群集中刪除此裝置，並選擇要從群集中刪除的虛擬裝置的編號：

(Cluster newcluster.local)> clusterconfig

Cluster cluster

Choose the operation you want to perform:

- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. vESA.local (group Main_Group)
2. C195.local (group Main_Group)
[1]> 1

Warning:
- This is the last machine in the cluster.  Removing it from the cluster will destroy the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.local removed from the cluster.

虛擬裝置的遷移後使用思路：

• 已使用實驗室或測試裝置
• 用於在生產環境的任何部署之前演示未來的AsyncOS版本/版本
• 備用ESA以實現冗餘或未來增長

vESA許可

建立演示許可證

1. 轉到思科許可證註冊門戶(LRP):cisco.com/go/license
2. 使用您的思科帳戶ID登入
3. 點選許可證(Licenses)
4. 從Get Licenses下拉選單中選擇Demo and evaluation...
5. 在彈出視窗中，選擇產品系列：安全產品和產品：思科電子郵件/Web/內容安全虛擬演示許可證
6. 然後，您將選擇以下產品之一：

• ESA虛擬裝置45天演示許可證
• WSA虛擬裝置45天演示許可證
• SMA虛擬裝置45天演示許可證

7. 按一下下一步
8. 對於SN/虛擬裝置識別符號，您可以在現有完全許可裝置的序列中輸入該裝置，或留空並按一下下一步。
9. 最後，檢視傳送至、終端使用者欄位；按一下..以包含其他收件人
10. 按一下Submit完成演示許可證請求
11. 檢查從前面步驟輸入的電子郵件地址，因為演示許可證將傳送到該電子郵件地址

附註：您的虛擬許可證檔案將以XML格式傳送，並在三小時內收到您指定的電子郵件地址。

共用現有許可證

1. 轉到思科許可證註冊門戶(LRP):cisco.com/go/license
2. 使用您的思科帳戶ID登入
3. 點選許可證(Licenses)
4. 在「Move Licenses」下拉選單中選擇「Share License...」。
5. 選擇Get Activation Codes選項
6. 系統將顯示一個彈出視窗。選擇IronPort Product - SW Bundles（如果您有現有的軟體捆綁包）或IronPort Product - TC（如果您有單獨的產品）
7. 在Source Serial Number/Virtual Device Identifier欄位中輸入現有的ESA/WSA/SMA序列號。如果您有多個ESA、WSA或SMA，請選擇一個具有要在虛擬裝置上啟用的相同許可證的ESA、WSA或SMA
8. 對於Select Destination Appliance Type選項，請選擇Virtual按鈕
9. 將Target Serial Number/Virtual Device Identifier欄位留空
10. 在「Send To」欄位中，輸入應將啟用碼傳送至的電子郵件地址
11. 如果您之前已經完成了許可請求，可能會向您顯示現有的VLAN，請根據需要選擇
12. 按一下請求代碼
13. 收到啟用碼後，重複上述步驟#3和#4（上面列出）。 到達步驟#5後，選擇Use Activation Codes選項
14. 貼上提供的啟用代碼並按一下「下一步」
15. 選擇應嵌入思科虛擬ESA/虛擬WSA/虛擬SMA許可證的思科ESA/WSA軟體SKU。按一下下一步
16. 輸入許可證應傳送到的電子郵件地址
17. 最後，按一下Get License

附註：您的虛擬許可證檔案將以XML格式傳送，並在三小時內收到您指定的電子郵件地址。

合格升級路徑

11.0.3-238 (發佈通知)	11.5.0-066 (發佈通知)	12.5.0-059 (發佈通知)
用於Cx70的AsyncOS的EoS版本	為Cx95提供的製造版本	推薦的Cx80/Cx90/Cx95正式發行版
phoebe-11-0-1-027 -> phoebe-11-0-3-238 phoebe-11-0-1-301 -> phoebe-11-0-3-238 phoebe-11-0-1-602 -> phoebe-11-0-3-238 phoebe-11-0-2-037 -> phoebe-11-0-3-238 phoebe-11-0-2-038 -> phoebe-11-0-3-238 phoebe-11-0-2-044 -> phoebe-11-0-3-238 phoebe-9-1-2-053 -> phoebe-11-0-3-238 phoebe-9-7-2-145 -> phoebe-11-0-3-238 phoebe-9-8-1-015 -> phoebe-11-0-3-238 phoebe-9-8-1-021 -> phoebe-11-0-3-238	升級路徑不可用，因為這是x95平台的製造版本。	phoebe-11-0-1-027 -> phoebe-12-5-0-059 phoebe-11-0-2-044 -> phoebe-12-5-0-059 phoebe-11-0-3-238 -> phoebe-12-5-0-059 phoebe-11-0-3-242 -> phoebe-12-5-0-059 phoebe-11-1-1-042 -> phoebe-12-5-0-059 phoebe-11-1-2-023 -> phoebe-12-5-0-059 phoebe-11-5-0-058 -> phoebe-12-5-0-059 phoebe-11-5-0-077 -> phoebe-12-5-0-059 phoebe-12-0-0-419 -> phoebe-12-5-0-059 phoebe-12-1-0-089 -> phoebe-12-5-0-059 phoebe-12-5-0-051 -> phoebe-12-5-0-059

群集不一致

升級到AsyncOS 12.x後，如果裝置處於群集模式且配置了DLP，則使用CLI運行clustercheck命令時，會發現DLP設定不一致。

要解決這種不一致問題，請強制整個群集使用群集中任何其他電腦的DLP配置。使用以下提示「您希望如何解決此不一致問題？」 在clustercheck命令中，如下例所示：

(Cluster)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
mail1.example.com was updated Wed Jan 04 05:52:57 2017 GMT by 'admin' on mail2.example.com mail2.example.com was updated Wed Jan 04 05:52:57 2017 GMT by 'admin' on mail2.example.com How do you want to resolve this inconsistency?

1. Force the entire cluster to use the mail1.example.com version.

2. Force the entire cluster to use the mail2.example.com version.

3. Ignore.
[3]>

請確保閱讀ESA上運行的AsyncOS版本的發行說明。

其他參考：ESA集群要求和設定