ESA团星需求和设置

简介

本文描述集群的基础，需求和如何设置在思科电子邮件安全工具(ESA)的一集群。

  

问题

通常，有需要集中在ESAs的一大组的之间配置和保持他们所有同步的避免任务必须更改配置一每个设备，每次一较小或主要修改被做。

什么是在ESA的集群？

ESA集中管理功能允许您同时管理和配置多个设备，提供增强的可靠性、灵活性和可扩展性在您的网络内，允许您管理全局，当符合本地策略时。 

集群包括一套有常见配置信息的机器。 在每集群内，设备可以进一步分开成计算机组，单个计算机只可以每次是一组成员。 

集群在对等体系结构里实现-没有主从的关系。 您可以登录所有计算机控制和管理整个集群或组。 这允许管理员独自地配置系统的不同的元素根据一个簇范围，组或者每计算机基本类型的，与基于逻辑分组

要求

是能开始，能力加入设备到团星(集中管理)您将需要保证以下满足：

• 所有ESAs必须有同样AsyncOS版本(下来对版本)。

Note:在版本8.5+中集中管理密钥不再要求和也不再可视，当已添加，虽然它在AsyncOS内的一个合并的功能。

• 如果创建集群使用端口22 (更加容易配置)保证没有防火墙或路由问题在伊莱克斯之间端口22流量的。
• 如果创建集群使用端口2222 (团星通信服务)保证防火墙规则做允许在此端口的流量是可用的，不用检查或中断。
• 集群配置选项在GUI必须通过在ESA的CLI完成，并且不可能创建或加入。
• 如果选择使用主机名通信，请保证在设备设置的DNS服务器能解决在您的网络的所有其他设备。
• 保证在您的设备的接口，所需端口和服务启用(SSH或CCS)。

创建团星

要开始与进程，一旦所有需求符合创建集群您在第一个设备的line命令将需要开始。

提示： 在配置您的集群之前备份您的在您的设备的当前配置。 从GUI，系统管理>配置文件。 非选定被屏蔽的密码框并且保存配置本地到您的PC。

创建在SSH的团星

C370.lab> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> NameOfCluster

Should all machines in the cluster communicate with each other by hostname or
by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C370.lab?
1. 1.1.1.1 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C370.lab using IP address
1.1.1.1 port 22. You can change this by using the COMMUNICATION subcommand
of the clusterconfig command.
New cluster committed: DATE
Creating a cluster takes effect immediately, there is no need to commit.

Cluster NameOfCluster

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.

创建在CCS的团星

C370.lab> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> Test

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C370.lab?
1. 1.1.1.1 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 2

Enter the IP address for Machine C370.lab.
[]> 1.1.1.1

Enter the port (on 10.66.71.120) for Machine C370.lab.
[22]> 2222

一旦此步骤被实行，您将有一集群，并且所有您的配置从计算机移动集群级别。 这将是其他机器将继承在加入的配置。 

加入现有的集群通过SSH或CCS

此部分将包括添加中的任一新建的设备的到您创建或预先创建的您的现有的集群。 加入一个现有的集群用任一个方法将是类似的在方法，差异唯一的关键点是CCS要求额外步骤确定它允许集群接受更新的设备。

加入通过SSH

Note: 在步骤的粗体指示的部分在需要正确地被跟随之下，因为我们使用SSH，您不应该对CCS启用说“Y”。

C370.lab> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig
-> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig
settings)
Exception:  Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on C370.lab? [N]>

Enter the IP address of a machine in the cluster.
[]> 10.66.71.120

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Enter the name of an administrator present on the remote machine
[admin]>

Enter password:
Please verify the SSH host key for 10.66.71.120:
Public host key fingerprint: d2:6e:36:9b:1d:87:c6:1f:46:ea:59:40:61:cc:3e:ef
Is this a valid key for this host? [Y]>

一旦此检查进行，设备将顺利地当前参加集群。

加入通过CCS

这将是类似的在方法，唯一的差异是，在您决定允许新的设备到现有的集群前，您需要登录是活跃的在集群的设备。

在集群的活动设备上：

(Cluster test)> clusterconfig

Cluster test

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> prepjoin

Prepare Cluster Join Over CCS

No host entries waiting to be added to the cluster.

Choose the operation you want to perform:
- NEW - Add a new host that will join the cluster.
[]> new

Enter the hostname of the system you want to add.
[]> ESA.lab

Enter the serial number of the host ESA.lab.
[]> XXXXXXXXXXXXXX-XXXXXA

Enter the user key of the host ESA2.lab.  This can be obtained by typing "clusterconfig prepjoin print" in the CLI on ESA.lab.
Press enter on a blank line to finish.

一旦进入通过登录尝试参加您的集群和使用命令“clusterconfig prepjoin打印”)的设备获取的SSH指纹(在上面并且输入空行，将完成预习功课加入。

然后您能开始在尝试的设备的加入的进程加入，供此参考，我们将称它"ESA2.lab"匹配那上述步骤。

Note:在下面示例的SSH-DSS密钥

ESA2.lab> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 4

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig
-> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig
settings)
Exception:  Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.
In order to join a cluster over CCS, you must first log in to the cluster and tell it that this system is being added.  On a machine in the cluster, run "clusterconfig -> prepjoin -> new" with the following information and commit.
Host: ESA2.lab
Serial Number: XXXXXXXXXXXX-XXXXXA
User Key:
ssh-dss AAAAB3NzaC1kc3.......BrccM=

Choose the interface on which to enable the Cluster Communication Service:
1. ClusterInterface (1.1.1.2/24: ESA2.lab)
[1]> 1

Enter the port on which to enable the Cluster Communication Service:
[2222]

Enter the IP address of a machine in the cluster.
[]> 1.1.1.1

Enter the remote port to connect to.  This must be the CCS port on the machine "1.1.1.1", not the normal admin ssh port.
[2222]>

一旦这被确认，您显示SSH-DSS密钥，如果配比您接受条件，并且集群将顺利地加入。

什么在集群配置里被移植

集群将带来所有已配置的策略设置、内容过滤器、文本资源、内容字典、LDAP设置、反垃圾邮件和抗病毒全局设置，监听程序设置， SMTP路由设置， DNS设置。

什么没有在集群配置里被移植

• 设备本地主机名。
• 配置的IP接口。
• 已配置的路由表。
• 本地垃圾邮件检疫配置。
• 本地策略、病毒和爆发检疫配置
• 在“websecurityadvancedconfig” in命令下的设置Line命令(版本8.5和以上)。 

Note: 如果有参考检疫不现存的内容过滤器，他们将无效，直到被参考的策略检疫在计算机配置。