Cisco Email Security Appliance

ESA Local Upgrade Server Configuration Example

Document ID: 117806

Updated: Jun 13, 2014

Contributed by Campbell Krueger and Robert Sherwin, Cisco TAC Engineers.

Introduction

This document describes how to configure a local upgrade server for the Cisco Email Security Appliance (ESA).

Prerequisites

Cisco recommends that you have knowledge of these topics:

  • Cisco ESA standard upgrade procedures
  • Microsoft Internet Information Services (IIS) web servers
  • Apache-based web servers

Background Information

As an alternative to the use of standard update or upgrade servers, you also have the option to configure a local (or streaming) upgrade server. With this local upgrade server, the Cisco appliances can retrieve the needed upgrade data from a local source without access to the remote HTTP/HTTPS hosts.

Note: This document references software that is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, contact the software vendor.

Functional Overview and Requirements

A local upgrade server can be configured on any Microsoft IIS or Apache-based web server that is reached via HTTP (or HTTPS) from your appliances. The appliance(s) performs a simple HTTP GET for the upgrade or update manifest file, which provides the available version data and the relevant URLs for the images themselves. Once the manifest is obtained, all of the required data is retrieved for installation.

Configure

Use this section in order to configure the local upgrade server and the associated appliances.

Configure the Web Server

This section describes how to configure the web server for use as a local upgrade server. It is important to note that AsyncOS Versions 6.5.0 and later use a different update or upgrade engine, and changes must be made to your local upgrade server accordingly. If your organization has not yet upgraded to AsyncOS Version 6.5.0 but sees it as a possibility in the future, then you can apply those settings as well.

The Microsoft IIS does not serve unknown file types for security reasons, which ultimately prevents device retrieval of the required update files. In order to circumvent this issue, you must add entries to the MIME Map within the IIS. Complete these steps in order to add the entries:

Note: Site creation within the IIS is not within the scope of this document. For assistance, refer to the How to set up your first IIS Web site Microsoft Support article.

  1. Open the IIS Manager and navigate to the site that is chosen to serve the local updates.

  2. Right-click the web site, and click Properties.

  3. Click the HTTP Headers tab and locate the section labeled MIME Map.

  4. Click the File Types... button.



  5. In the File Types window, click the New Type... button.

  6. Create the file type associations that are required for your version of AsyncOS.

    • The update files that are required for AsyncOS Versions 6.4.0 and earlier use the .ipup extension and should be served with a MIME type of application/octet-stream. In order to configure this association, enter this data:



    • The updates for AsyncOS Versions 6.5.0 and later do not have any extensions at all, which IIS does not serve by default. In order to fix this, you must configure a wildcard MIME type. When prompted, enter these values:



  7. Click OK until all of the configuration dialogs are closed.

Note: The process that is used in order to create a site or virtual host within Apache is not within the scope of this document. For assistance, refer to the Apache HTTP Server Documentation. Apache serves all upgrade files in the default configuration without the addition of custom MIME types.

Obtain the Update Images or Manifests

This section describes how to obtain the update manifests and the associated upgrade data. Refer to the section that is appropriate for your current version of AsyncOS.

AsyncOS Versions 6.4.0 and Earlier

In order to obtain the upgrade data for AsyncOS Versions 6.4.0 and earlier, navigate to http://downloads.ironport.com/asyncos/upgrade/?serial=<SERIAL_NUMBER>, where the <SERIAL_NUMBER> is the serial number of the device that you desire to upgrade.

You should receive a list that contains the available versions for your appliance. Ensure that you enter the entire serial number (12 characters, a dash, then 7 characters). Multiple serial numbers can be entered, separated by commas. An invalid serial number format returns this error:

An error occurred.
An invalid serial was specified.

AsyncOS Versions 6.5.0 and Later

In order to obtain the upgrade data for AsyncOS Versions 6.5.0 and later, navigate to http://updates.ironport.com/fetch_manifest.html. This page prompts you for:

  • Serial number(s) of the appliance(s) that you desire to upgrade
  • Virtual license number (only required for virtual appliances)
  • Model (only required for virtual appliances)
  • Base release tag (the version that currently runs in your environment)

For ESA appliances, all base release tags must include a prefix of phoebe- followed by the appropriate version number in hyphenated form. For example, if your appliances currently run AsyncOS Version 5.5.1-015, enter the string phoebe-5-5-1-015. Links are provided to the ZIP archives for each version of AsyncOS that is available for your appliance(s).

Copy the Data to the Local Upgrade Server

The contents of the ZIP archive that is downloaded in the previous section consist of a base directory named asyncos that contains all of the update files and the manifest itself (both named after the downloaded version):

  • asyncos/phoebe-6-5-2-101
  • asyncos/phoebe-6-5-2-101.xml

The XML file (manifest) references the required files and uses the relative paths, so the asyncos directory must be placed in the root of the web site that serves as the local upgrade server. If you desire to use a different path, then edit the manifest in order to reflect the new paths for the upgrade images (not recommended).
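
The following pre-flight check is an added example, not part of the original Cisco document or any Cisco tool. It validates serial numbers and builds the base release tag as described in the previous section, then checks the asyncos layout under the web root and lists the extensionless files that IIS will not serve without the wildcard MIME type. The function names, the alphanumeric serial pattern, the version pattern, and the treatment of asyncos/<tag> as a directory are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed patterns: the page gives only "12 characters, dash, 7 characters"
# and the example version 5.5.1-015; alphanumerics/digits are assumptions.
SERIAL_RE = re.compile(r"[0-9A-Za-z]{12}-[0-9A-Za-z]{7}")
VERSION_RE = re.compile(r"\d+\.\d+\.\d+-\d+")

def split_serials(text):
    """Split a comma-separated serial list into (valid, invalid)."""
    items = [s.strip() for s in text.split(",") if s.strip()]
    valid = [s for s in items if SERIAL_RE.fullmatch(s)]
    return valid, [s for s in items if s not in valid]

def release_tag(version, prefix="phoebe"):
    """Turn '5.5.1-015' into the base release tag 'phoebe-5-5-1-015'."""
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"unexpected version format: {version!r}")
    return f"{prefix}-{version.replace('.', '-')}"

def check_layout(web_root, tag):
    """Return a list of problems with the asyncos tree under the web root."""
    base = Path(web_root) / "asyncos"
    manifest, data_dir = base / f"{tag}.xml", base / tag
    problems = []
    if not manifest.is_file():
        problems.append(f"missing manifest: {manifest}")
    else:
        try:
            ET.parse(manifest)  # manifest must at least be well-formed XML
        except ET.ParseError as exc:
            problems.append(f"manifest is not well-formed XML: {exc}")
    if not data_dir.is_dir():  # assumption: asyncos/<tag> is a directory
        problems.append(f"missing update directory: {data_dir}")
    return problems

def extensionless_files(web_root, tag):
    """List files with no extension, which IIS refuses without a wildcard MIME map."""
    root = Path(web_root)
    return sorted(p.relative_to(root).as_posix()
                  for p in (root / "asyncos" / tag).rglob("*")
                  if p.is_file() and p.suffix == "")

if __name__ == "__main__":
    print(release_tag("5.5.1-015"))
    print(split_serials("0123456789AB-ABC1234, bad-serial"))  # constructed serials
```

Run check_layout and extensionless_files against the web site root after you extract the ZIP archive; an empty problem list means the manifest and update directory are where the relative paths in the manifest expect them.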

Configure the ESA to Use the Local Upgrade Server

In order for your appliances to use the newly-created upgrade server, you must change your update settings accordingly. Refer to the appropriate section for your current version of AsyncOS.

AsyncOS Versions 6.4.0 and Earlier

Complete these steps in order to configure the ESA to use the local upgrade server:

  1. Navigate to System Administration > Upgrade Settings and click Edit Upgrade Settings.

  2. Click the Local Upgrade Server radio button, and enter the full URL for your local upgrade images (http://local.upgrade.server/asyncos/upgrade/, for example). Ensure that you set the appropriate port number as well, which is typically Port 80 for HTTP and Port 443 for HTTPS.

  3. Once you are finished, submit and commit the changes.

AsyncOS Versions 6.5.0 and Later

Complete these steps in order to configure the ESA to use the local upgrade server:

  1. Navigate to Security Services > Service Updates and click Edit Update Settings.

  2. Beside the Update Servers (images) configuration, click the Local Update Servers radio button. You can leave the first setting as it is, but change the Base URL (IronPort AsyncOS upgrades) setting to your local upgrade server and appropriate port (local.upgrade.server:80, for example).

  3. Select the Local Update Servers option beside the Update Servers (list) configuration and enter the full URL for the manifest file (http://local.upgrade.server/asyncos/phoebe-6-5-2-101.xml, for example).

  4. Once you are finished, submit and commit the changes.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
