This document describes the IP address(es) and hosts needed to configure your Cisco Content Security appliance for use with a static host for downloads, updates, and upgrades. These configurations are to be used for either hardware or virtual Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), or Security Management Appliance (SMA).
Content Security Appliance Downloads, Updates or Upgrades using a Static Host
Cisco offers static hosts for customers that have strict firewall or proxy requirements. It is important to note that if you configure your appliance to use the static hosts for downloads and updates, same static hosts for downloads and updates must be allowed in the firewall and proxy on network as well.
Here are the hostname(s), IP address(es), and ports that are involved in the download, update, and upgrade processes:
22.214.171.124 on port 80
update-manifests.ironport.com (hardware ESA):
126.96.36.199 on port 443
188.8.131.52 on port 443
update-manifests.sco.cisco.com (virtual ESA):
184.108.40.206 on port 443
220.127.116.11 on port 443
18.104.22.168 on port 80
22.214.171.124 on port 80
Note: The 'update-manifests' URLs and port numbers provided are configured from the CLI only via the command updateconfig. From with-in this command, there is a hidden sub-command that needs to be run in order to validate the update manifest. Run dynamichost from the first configuration prompt once in the configuration options for updateconfig.
Service Update configuration via GUI
Complete these steps in order to change the download, update, or upgrade configuration on AsyncOS from the GUI:
Navigate to the Service Updates tab of the Security Services page.
Click Edit Update Settings....
Select Local Update Servers from the Update Servers (images) field.
For the Host (McAfee Anti-Virus definitions, PXE Engine updates, Sophos Anti-Virus definitions, IronPort Anti-Spam rules, Outbreak Filters rules, DLP updates, Time zone rules and Enrollment Client (used to fetch certificates for URL Filtering) field, enter updates-static.ironport.com. (Port is optional.)
Leave the Update Servers (list) fields all set to Cisco IronPort Update Servers.
Ensure that you have the proper interface selected, if required to communicate over a specific interface. Default configuration will be set to Auto Select.
Verify and update the configured Proxy Servers, if required.
In the upper right corner, click Commit Changes.
Finally, click on Commit Changes again in order to confirm all configuration changes.
Configuration of updateconfig via the CLI
The same changes can be applied via the CLI on the appliance. Complete these steps in order to change the download, update, or upgrade configuration on AsyncOS from the CLI:
Run the CLI command updateconfig
Enter in the command SETUP
For the "Feature Key updates", change the setting to use '2. Use own server'
For the "Service (images)", change the setting to use '2. Use own server'
Leave the "McAfee Anti-Virus definitions, RSA DLP Engine Updates, PXE Engine Updates, Sophos Anti-Virus definitions, IronPort Anti-Spam rules, Outbreak Filters rules, Timezone rules, Enrollment Client Updates (used to fetch certificates for URL Filtering)" and "Cisco IronPort AsyncOS upgrades" set to default, "Use Cisco IronPort update servers"
All other configuration prompts can be left set to default.
Verify and update the configured Proxy Server, if required.
Return out to the main CLI prompt
Run the CLI command COMMIT to save all configuration changes.
Verify Upgrades and Updates
In order to verify that the upgrade communication is successful and completes, navigate to the System Upgrade page and click Available Upgrades. If the list of available versions displays, then your setup is complete.
From the CLI, you can simply run the upgrade command. Choose the download option to view the upgrade manifest, if there are available upgrades.
Choose the operation you want to perform: - DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot). - DOWNLOAD - Downloads the upgrade image. > download
Upgrades available. 1. AsyncOS 9.6.0 build 051 upgrade For Email, 2015-09-02 this release is for General Deployment 2. AsyncOS 9.7.0 build 125 upgrade For Email, 2015-10-15. This release is for General Deployment 3. AsyncOS 9.7.1 build 066 upgrade For Email, 2016-02-16. This release is for General Deployment. 4. cisco-sa-20150625-ironport SSH Keys Vulnerability Fix >
For validation of updates, from the CLI run the command updatenow. This will initate the update process for all services.
Next, in order to verify that the updates function correctly, run the CLI command tail and choose the log number associated to updater_logs for your appliance.
For successful updates, you should see messages similar to these examples in the updater logs:
For Sophos updates, monitor the updater_logs for sophos or monitor the antivirus log:
Wed Jun 25 19:00:24 2014 Info: sophos verifying applied files Wed Jun 25 19:00:24 2014 Info: sophos updating the client manifest Wed Jun 25 19:00:24 2014 Info: sophos update completed Wed Jun 25 19:00:24 2014 Info: sophos waiting for new updates
For McAfee updates, monitor the updater_logs for mcafee or monitor the antivirus log:
Wed Jun 25 19:00:40 2014 Info: mcafee verifying applied files Wed Jun 25 19:00:40 2014 Info: mcafee updating the client manifest Wed Jun 25 19:00:40 2014 Info: mcafee update completed Wed Jun 25 19:00:40 2014 Info: mcafee waiting for new updates
For CASE updates that are used by IPAS and VOF, monitor the updater_logs for case:
Wed Jun 25 18:59:47 2014 Info: case verifying applied files Wed Jun 25 18:59:47 2014 Info: case updating the client manifest Wed Jun 25 18:59:47 2014 Info: case update completed Wed Jun 25 18:59:47 2014 Info: case waiting for new updates
The appliance sends notification alerts when the updates fail. Here is an example of the most commonly received email notification:
The updater has been unable to communicate with the update server for at least 1h.
Last message occurred 4 times between Tue Mar 1 18:02:01 2016 and Tue Mar 1 18:32:03 2016.
Version: 9.7.1-066 Serial Number: 888869DFCCCC-3##CV## Timestamp: 01 Mar 2016 18:52:01 -0500