Introduction
This document describes the process that Beta customers, and pre-provisioned appliances used for testing, follow to upgrade AsyncOS versions and to receive updates for an ESA or SMA that runs Beta and pre-release software. It pertains directly to the Cisco Email Security Appliance (ESA) and the Cisco Security Management Appliance (SMA). Keep in mind that the staging servers are not to be used by standard production customers for a production ESA or SMA: staging OS releases, service rules, and service engines differ from production.
Before you begin, also keep in mind that production licenses cannot upgrade to Stage releases, because they cannot pass verification and authentication of the license. A production VLN has a signature value written during license generation that matches the production license service. Stage licenses have a separate signature written only for the staging license service.
Prerequisites
Requirements
- The administrator has received prior communication regarding beta (pre-release OS) installation or upgrades.
- Customers participating in Beta and pre-release testing have completed a beta application and they have read and agreed to a non-disclosure agreement prior to the start of beta.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure Cisco Email Security and Security Management for Staging Updates
Note: Customers should only use the staging update server URLs if they have gained access to pre-provisioning through Cisco for Beta (pre-release OS) usage only. If you do not have a valid license applied for Beta use, your appliance will not receive updates from the staging update servers. These instructions should only be used for Beta customers or by administrators that participate in Beta testing.
In order to receive staging updates and upgrades:
Log in to the GUI:
- Choose Security Services > Services Updates > Edit Update Settings...
- Confirm that all services are configured to use Cisco IronPort Update Servers
Log in to the CLI:
- Run the command updateconfig
- Run the hidden subcommand dynamichost
- Enter one of these values:
  - For hardware ESA/SMA: stage-update-manifests.ironport.com:443
  - For virtual ESA/SMA: stage-stg-updates.ironport.com:443
- Press Enter until you are returned to the main prompt
- Enter Commit in order to save all changes
Verify
Verification can be seen in the updater_logs, where downloads succeed from the appropriate stage URL. From the CLI on the appliance, force an update with updatenow force and then enter grep stage updater_logs:
esa.local> updatenow force
Success - Force update for all components requested
esa.local > grep stage updater_logs
Wed Mar 16 18:16:17 2016 Info: internal_cert beginning download of remote file "http://stage-updates.ironport.com/internal_cert/1.0.0/internal_ca.pem/default/100101"
Wed Mar 16 18:16:17 2016 Info: content_scanner beginning download of remote file "http://stage-updates.ironport.com/content_scanner/1.1/content_scanner/default/1132001"
Wed Mar 16 18:16:17 2016 Info: enrollment_client beginning download of remote file "http://stage-updates.ironport.com/enrollment_client/1.0/enrollment_client/default/102057"
Wed Mar 16 18:16:18 2016 Info: support_request beginning download of remote file "http://stage-updates.ironport.com/support_request/1.0/support_request/default/100002"
Wed Mar 16 18:16:18 2016 Info: timezones beginning download of remote file "http://stage-updates.ironport.com/timezones/2.0/zoneinfo/default/2015100"
Wed Mar 16 18:26:19 2016 Info: repeng beginning download of remote file "http://stage-updates.ironport.com/repeng/1.2/repeng_tools/default/1392120079"
If there are any unexpected communication errors, enter dig <stage URL> in order to verify that DNS resolves the stage hostname.
Example:
esa.local > dig stage-updates.ironport.com
; <<>> DiG 9.8.4-P2 <<>> stage-updates.ironport.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52577
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;stage-updates.ironport.com. IN A
;; ANSWER SECTION:
stage-updates.ironport.com. 275 IN A 208.90.58.21
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 22 14:31:10 2016
;; MSG SIZE rcvd: 60
Verify that the appliance can open a connection to the stage server over port 80: run the command telnet <stage URL> 80.
Example:
esa.local > telnet stage-updates.ironport.com 80
Trying 208.90.58.21...
Connected to origin-stage-updates.ironport.com.
Escape character is '^]'.
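As an added check that is not part of the original document, this Python script parses updater_logs download lines of the format shown above and reports, per component, whether the download came from a stage host, flagging a mix of stage and non-stage sources. It assumes that every stage host carries a "stage-" prefix (true of all stage hosts named in this document); the log lines are constructed samples.

```python
import re
from urllib.parse import urlparse

# Matches the download lines shown in the Verify section of this document
DOWNLOAD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: '
    r'(?P<component>\S+) beginning download of remote file "(?P<url>[^"]+)"$'
)

def classify_host(host):
    """Assumption: every stage host in this document (stage-updates,
    stage-update-manifests, stage-stg-updates) carries a 'stage-' prefix,
    so anything without it is treated as a non-stage (production) source."""
    return "stage" if host.lower().startswith("stage-") else "non-stage"

def audit_updater_logs(lines):
    """Map each updater component to the class of host it downloaded from.
    Returns (per_component, mixed, unparsed). 'mixed' is True when components
    pulled from both stage and non-stage hosts, which after a dynamichost change
    usually means the change was not committed or a service still points
    elsewhere. 'unparsed' holds lines that are not download records."""
    per_component, unparsed = {}, []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = DOWNLOAD_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        host = urlparse(m.group("url")).hostname or ""
        per_component[m.group("component")] = classify_host(host)
    mixed = len(set(per_component.values())) > 1
    return per_component, mixed, unparsed

# Constructed sample (not a real appliance log): two stage downloads, one
# component still fetching from the production manifest host, one other line.
SAMPLE_LOG = """\
Wed Mar 16 18:16:17 2016 Info: internal_cert beginning download of remote file "http://stage-updates.ironport.com/internal_cert/1.0.0/internal_ca.pem/default/100101"
Wed Mar 16 18:16:17 2016 Info: content_scanner beginning download of remote file "http://stage-updates.ironport.com/content_scanner/1.1/content_scanner/default/1132001"
Wed Mar 16 18:16:18 2016 Info: timezones beginning download of remote file "http://update-manifests.ironport.com/timezones/2.0/zoneinfo/default/2015100"
Wed Mar 16 18:16:19 2016 Info: Some other updater message
"""

if __name__ == "__main__":
    comps, mixed, bad = audit_updater_logs(SAMPLE_LOG.splitlines())
    for name, cls in sorted(comps.items()):
        print(f"{name:20s} {cls}")
    print("WARNING: mixed stage/non-stage sources" if mixed else "single source class")
```

On a real appliance, paste the output of grep stage updater_logs (or the whole updater_logs) into the function instead of SAMPLE_LOG.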
Revert
In order to revert back to the standard production update servers, complete these steps:
- Enter the command updateconfig
- Enter the hidden subcommand dynamichost
- Enter one of these values:
  - For hardware ESA/SMA: update-manifests.ironport.com:443
  - For virtual ESA/SMA: update-manifests.sco.cisco.com:443
- Press Enter until you are returned to the main prompt
- Run the command Commit in order to save all changes
Note: Hardware appliances (C1x0, C3x0, C6x0, and X10x0) should ONLY use the dynamic host URLs of stage-update-manifests.ironport.com:443 or update-manifests.ironport.com:443. If there is a cluster configuration with both ESA and vESA, updateconfig must be configured at the machine level and confirm that dynamichost is then set accordingly.
URL Filtering
AsyncOS 13.0 and Older
If URL Filtering is configured and in use on the appliance, then once the appliance has been redirected to use the stage URL for updates, it must also be configured to use the staging server for URL Filtering:
- Access the appliance via the CLI
- Enter the command websecurityadvancedconfig
- Step through the configuration and change the value for the option Enter the Web security service hostname to v2.beta.sds.cisco.com
- Change the value for the option Enter the threshold value for outstanding requests from the default of 50 to 5
- Accept defaults for all other options
- Press Enter until you are returned to the main prompt
- Run the command Commit in order to save all changes
Revert
In order to revert back to the production Web security service, complete these steps:
- Access the appliance via CLI
- Enter the command websecurityadvancedconfig
- Step through the configuration and change the value for the option Enter the Web security service hostname to v2.sds.cisco.com
- Accept defaults for all other options
- Press Enter until you are returned to the main prompt
- Run the command Commit in order to save all changes
AsyncOS 13.5 and Newer (utilizing Cisco Talos Services)
Starting in AsyncOS 13.5 for Email Security, Cloud URL Analysis (CUA) was introduced, which changed the websecurityadvancedconfig options. Because URL analysis is now performed in the Talos cloud, the Web security service hostname is no longer required; it has been replaced by the talosconfig command, which is available only on the command line of the ESA.
esa.local> talosconfig
Choose the operation you want to perform:
- SETUP - Configure beaker streamline configuration settings
[]> setup
Configured server is: stage_server
Choose the server for streamline service configuration:
1. Stage Server
2. Production Server
[]> 1
If you are running a Stage license, you should be pointed to the Stage Server for Talos services.
You may run talosupdate and talosstatus to request an update and current status of all Talos driven services.
Example:
For more information, see the User Guide for AsyncOS 13.5 for Cisco Email Security Appliances.
Firewall Settings to Access Cisco Talos Services
To connect your email gateway to Cisco Talos services, you need to open outbound HTTPS (port 443) on the firewall to the following hostnames or IP address ranges (refer to the table below).
Hostname                                  | IPv4             | IPv6
grpc.talos.cisco.com                      | 146.112.62.0/24  | 2a04:e4c7:ffff::/48
email-sender-ip-rep-grpc.talos.cisco.com  | 146.112.63.0/24  | 2a04:e4c7:fffe::/48
serviceconfig.talos.cisco.com             | 146.112.255.0/24 | -
                                          | 146.112.59.0/24  | -
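As an added example that is not part of the original document, this Python script checks outbound flow records from the email gateway against the Talos prefixes in the table above, so a firewall administrator can confirm that the port 443 rule covers every published range and spot a Talos hostname being reached at an address outside its published prefix. The flow records are constructed; the prefix 146.112.59.0/24 that the table lists without a hostname is keyed by an empty hostname.

```python
import ipaddress

# Talos prefixes from the firewall table above, keyed by hostname. The table
# lists 146.112.59.0/24 without a hostname, so it is keyed by "" here.
TALOS_PREFIXES = {
    "grpc.talos.cisco.com": ["146.112.62.0/24", "2a04:e4c7:ffff::/48"],
    "email-sender-ip-rep-grpc.talos.cisco.com": ["146.112.63.0/24", "2a04:e4c7:fffe::/48"],
    "serviceconfig.talos.cisco.com": ["146.112.255.0/24"],
    "": ["146.112.59.0/24"],
}
NETWORKS = {h: [ipaddress.ip_network(p) for p in ps] for h, ps in TALOS_PREFIXES.items()}

def verdict(host, ip, port):
    """Judge one outbound flow from the email gateway to Talos.
    'ok' means port 443 to an address inside the prefix published for that
    hostname (or the unnamed prefix when no hostname is known); anything else
    points at a firewall rule gap, a stale table, or an unexpected DNS answer."""
    if port != 443:
        return "wrong-port"
    addr = ipaddress.ip_address(ip)       # accepts IPv4 and IPv6 literals
    nets = NETWORKS.get(host)
    if nets is None:
        return "host-not-in-table"
    return "ok" if any(addr in n for n in nets) else "ip-outside-published-range"

def check_egress(flows):
    """flows: iterable of (hostname, destination_ip, destination_port)."""
    return [(h, ip, port, verdict(h, ip, port)) for h, ip, port in flows]

# Constructed flow records (hypothetical firewall export, not real traffic).
SAMPLE_FLOWS = [
    ("grpc.talos.cisco.com", "146.112.62.10", 443),
    ("grpc.talos.cisco.com", "2a04:e4c7:ffff::1", 443),
    ("grpc.talos.cisco.com", "146.112.63.10", 443),     # prefix of a different host
    ("serviceconfig.talos.cisco.com", "146.112.255.7", 80),
    ("", "146.112.59.3", 443),                           # unnamed prefix
    ("grpc.talos.cisco.com", "203.0.113.5", 443),        # outside every Talos range
]

if __name__ == "__main__":
    for h, ip, port, v in check_egress(SAMPLE_FLOWS):
        print(f"{h or '(no hostname)':42s} {ip:22s} {port:5d} {v}")
```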
Web Interaction Tracking
The web interaction tracking feature provides information about the end-users who clicked on rewritten URLs and the action (allowed, blocked, or unknown) associated with each user click.
Depending on your requirements, you can enable web interaction tracking on one of the global settings pages:
- Outbreak Filters. Track end-users who clicked URLs rewritten by Outbreak Filters
- URL Filtering. Track end-users who clicked URLs rewritten by policies (using content and message filters)
If web interaction tracking is configured and in use, then once the appliance has been redirected to use the stage URL for updates, it must also be configured to use the staging Aggregator server:
- Access the appliance via the CLI
- Enter the command aggregatorconfig
- Use the EDIT command and enter this value: stage.aggregator.sco.cisco.com
- Press Enter until you are returned to the main prompt
- Run Commit in order to save all changes
If the Aggregator is not configured for staging, alerts similar to the following are sent every 30 minutes via Admin email alerts:
Unable to retrieve Web Interaction Tracking information from the Cisco Aggregator Server. Details: Internal Server Error.
Or, by running the displayalerts command on the CLI:
20 Apr 2020 08:52:52 -0600 Unable to connect to the Cisco Aggregator Server.
Details: No valid SSL certificate was sent.
Revert
In order to revert back to the standard production Aggregator server, complete these steps:
- Access the appliance via CLI
- Enter the command aggregatorconfig
- Use the EDIT command and enter this value: aggregator.cisco.com
- Press Enter until you are returned to the main prompt
- Run the command Commit in order to save all changes
Troubleshoot
Troubleshooting commands are listed in the "Verify" section of this document.
If you see the following when you run the upgrade command:
Failure downloading upgrade list.
verify that you have changed the dynamic host. If the failure continues, confirm with Cisco that your ESA or SMA has been provisioned correctly for Beta or pre-release testing.
Related Information