This document describes how to upgrade or update your Cisco Content Security appliance with the use of a static server.
Cisco recommends that you have knowledge of these topics:
- Cisco Email Security Appliance (ESA)
- Cisco Web Security Appliance (WSA)
- Cisco Security Management Appliance (SMA)
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Upgrade or Update the Appliance
Cisco offers static servers for sites that have strict firewall requirements. It is important to note that if you configure the update and upgrade settings on your appliance with the use of this static method, all of this information must be configured in the firewalls as well.
Here are the hostnames, IP addresses, and ports that are involved in the upgrade and update process:
- downloads-static.ironport.com: 220.127.116.11 on port 80
- update-manifests.ironport.com: 18.104.22.168 on port 443
- updates-static.ironport.com: 22.214.171.124 on port 80
Complete these steps in order to change the upgrade and update settings in AsyncOS:
- Navigate to the Service Updates tab of the Security Services page.
- Click Edit Update Settings....
- Select Local Update Servers from the Update Servers (images) field.
- Enter http://downloads-static.ironport.com in the Base URL (all services except McAfee Anti-Virus definitions and IronPort AsyncOS upgrades) field and set the Port to 80. Leave the Authentication Settings field blank.
- Enter updates-static.ironport.com in the Host (McAfee Anti-Virus definitions, PXE Engine updates, IronPort AsyncOS upgrades) field.
- Ensure that the Update Servers (list) field is set to IronPort Update Servers.
- Update the Proxy Servers settings if required.
- Click Submit.
- Click Commit Changes.
- Click Commit Changes again in order to confirm.
Verify Upgrades and Updates
In order to verify that the upgrades are complete, navigate to the System Upgrade page and click Available Upgrades. If the list of available versions displays, then your setup is complete.
In order to verify that the updates function correctly, enter the tail command into the CLI and view the updater_logs for errors.
- For Sophos updates, monitor the updater_logs for sophos, or monitor the antivirus log:
Wed Jun 25 19:00:24 2014 Info: sophos verifying applied files
Wed Jun 25 19:00:24 2014 Info: sophos updating the client manifest
Wed Jun 25 19:00:24 2014 Info: sophos update completed
Wed Jun 25 19:00:24 2014 Info: sophos waiting for new updates
- For McAfee updates, monitor the updater_logs for mcafee, or monitor the antivirus log:
Wed Jun 25 19:00:40 2014 Info: mcafee verifying applied files
Wed Jun 25 19:00:40 2014 Info: mcafee updating the client manifest
Wed Jun 25 19:00:40 2014 Info: mcafee update completed
Wed Jun 25 19:00:40 2014 Info: mcafee waiting for new updates
- For CASE updates that are used by IPAS and VOF, monitor the updater_logs for case:
Wed Jun 25 18:59:47 2014 Info: case verifying applied files
Wed Jun 25 18:59:47 2014 Info: case updating the client manifest
Wed Jun 25 18:59:47 2014 Info: case update completed
Wed Jun 25 18:59:47 2014 Info: case waiting for new updates
The appliance will send notification alerts when the updates fail. Here is an example of the most commonly received alert:
The Warning message is:
The updater has been unable to communicate with the update server for at least 1h.
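The updater_logs check described above can be automated once the log text has been copied off the appliance. The following is an added example, not Cisco code: it parses lines in the format shown on this page and reports each service with no "update completed" entry inside a time window. The function names, the sample log, and the use of one hour as the window (taken from the alert text) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the updater_logs excerpts on this page.
# The mcafee run never reaches "update completed"; sophos completed long ago.
SAMPLE_LOG = """\
Wed Jun 25 16:30:02 2014 Info: sophos update completed
Wed Jun 25 18:59:47 2014 Info: case verifying applied files
Wed Jun 25 18:59:47 2014 Info: case updating the client manifest
Wed Jun 25 18:59:47 2014 Info: case update completed
Wed Jun 25 18:59:47 2014 Info: case waiting for new updates
Wed Jun 25 19:00:40 2014 Info: mcafee verifying applied files
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<level>\w+): (?P<service>\w+) (?P<msg>.+)$"
)

def last_completed(log_text):
    """Map each service to the time of its latest 'update completed' line."""
    done = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["msg"] != "update completed":
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        done[m["service"]] = max(ts, done.get(m["service"], ts))
    return done

def stale_services(log_text, expected, now, max_age=timedelta(hours=1)):
    """Expected services with no completed update within max_age of now."""
    done = last_completed(log_text)
    return sorted(s for s in expected
                  if s not in done or now - done[s] > max_age)

if __name__ == "__main__":
    now = datetime(2014, 6, 25, 19, 5, 0)  # constructed "current time"
    for name in stale_services(SAMPLE_LOG, ["sophos", "mcafee", "case"], now):
        print(f"no completed {name} update in the last hour")
```

Pass only the services that are licensed and enabled on the appliance as `expected`, otherwise a disabled engine is reported as stale.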