Introduction
This document provides a comprehensive guide to the steps required to migrate the configuration of a Cx90 appliance to a virtual environment with Nutanix. It covers the entire migration process, from initial planning and assessment to execution and validation in the virtual environment. By following the steps outlined here, organizations can ensure a smooth and efficient transition, minimize downtime, and preserve the integrity of their existing configuration.
For more detail on certain steps, you can also refer to the user guide or other related articles. These resources provide additional insight and instructions that complement the information in this document.
Prerequisites
Before starting the migration process, make sure the following prerequisites are met so that the migration can be completed smoothly and efficiently:
1. Cx90 software version requirement: make sure the Cx90 is running version 15.0.3. Note that this version is used only for the configuration migration process in Nutanix and must not be used in a Nutanix production environment.
2. Smart License account: this migration requires a valid Smart License account. Verify your Smart License status before starting the migration process.
3. Basic understanding of clusters: be familiar with the cluster concepts of the Cisco Secure Email Gateway (ESA). This basic understanding is essential for a smooth migration.
4. Determine the existing hardware cluster status:
- Using the CLI: run the command clusterconfig.
- Using the GUI: navigate to Monitor > any.
If you see "Mode — Cluster: cluster_name", your appliance is running in a cluster configuration.
5. Download the necessary software: download the Cisco Secure Email Gateway (vESA) C600v software, version 15.0.3, for KVM.
6. Network resources: prepare the network resources the new machine needs (IP, firewall rules, DNS, and so on).
Upgrade the Hardware (Cx90) to AsyncOS 15.0.3
To perform the migration, version 15.0.3 must be installed in the x90 cluster. This is the initial version that can run on Nutanix for the configuration migration.
Note: Version 15.0.3 on a Nutanix appliance can be used only for the configuration migration; it cannot handle production email traffic. Version 15.0.3 is supported in production on other virtual environments and on physical appliances.
Upgrade the existing Cx90/hardware to AsyncOS 15.0.3
Following the release notes for AsyncOS 15.0 for Cisco Email Security Appliances, upgrade your Email Security Appliance with these instructions:
- Save the XML configuration file of the appliance.
- If you use the Safelist/Blocklist feature, export the Safelist/Blocklist database from the appliance.
- Suspend all listeners.
- Wait for the queue to empty.
- From the System Administration tab, select System Upgrade.
- Click Available Upgrades. The page refreshes and shows the list of available AsyncOS upgrade versions.
- Click the Begin Upgrade button; your upgrade starts. Answer the questions as they appear. When the upgrade is complete, click the Reboot Now button to restart the appliance.
- Resume all listeners.
After the reboot, verify the running AsyncOS version:
- CLI: run the command version.
- UI: navigate to Monitor > System Information.
Note: If you already run multiple appliances in a cluster configuration, you can skip the next section.
Deploy Your C600v in Nutanix
Download the vESA/C600v image listed in the prerequisites and deploy it according to the Cisco Content Security Virtual Appliance Installation Guide.
1. Make sure your appliance and software meet all system requirements. Because the migration uses version 15.0.3 and model C600v, follow the same requirements specified for version 16.0.
Nutanix AOS: version 6.5.5.7
Nutanix Prism Central: version pc.2022.6.0.10
2. Download the virtual appliance image for model C600v, version 15.0.3, for KVM.
3. Determine the amount of RAM and the number of CPU cores to allocate to the virtual appliance model.
Cisco Secure Email Virtual Gateway
| AsyncOS version | Model | Recommended disk size | Memory | Processor cores |
| | C600v | 500 GB | 16 GB | 8 |
4. Deploy the virtual KVM image appliance C600v (version 15.0.3) on Nutanix Prism. (Installation Guide)
vESA Licensing
This installation requires Smart Licensing. Version 16.0 or later, which will run on the virtualized appliance in Nutanix, requires Smart Licensing rather than the classic licensing model. Therefore, verify beforehand that the Smart License is correctly installed.
Smart License Creation
These links describe the activation process, definitions, and how to troubleshoot the Smart Licensing service on ESA/SMA/WSA.
Understand Smart Licensing Overview and Best Practices for Email and Web Security
Smart Licensing Deployment Guide for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager
Configuration Migration Process
For the configuration migration, we add the new appliance to the existing X90 cluster. Once the new appliance joins the cluster, it automatically loads all deployed configuration, ensuring a seamless transition. This process uses the cluster's existing settings to integrate the new virtualized appliance efficiently, preserving all current configuration and settings without manual intervention. This approach minimizes potential disruption and ensures operational continuity.
Add the vESA to the ESA Cluster
From the CLI on the vESA, run clusterconfig > Join an existing... to add the vESA to the cluster, similar to the following:
vESA.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 192.168.100.10
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 192.168.100.10:
Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster cluster.Cx90
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster cluster.Cx90)>
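The join dialog above asks you to accept the remote SSH host key by eye, which is where a cluster join can be pointed at the wrong machine. As an added example, not part of the Cisco document, this Python helper compares the fingerprint presented in the join dialog against one recorded beforehand from the cluster member itself (logconfig -> hostkeyconfig -> fingerprint, as the dialog suggests); the dialog text, the known-fingerprint table and all function names are constructed for illustration.

```python
import re

# Constructed sample: the tail of the clusterconfig join dialog as shown in this document.
JOIN_DIALOG = """\
Please verify the SSH host key for 192.168.100.10:
Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa
Is this a valid key for this host? [Y]>
"""

# Constructed: fingerprints recorded out of band (from the console of each cluster
# member via logconfig -> hostkeyconfig -> fingerprint), keyed by the IP you join to.
KNOWN_FINGERPRINTS = {
    "192.168.100.10": "08:23:46:AB:CD:56:FF:EF:12:89:23:EE:56:12:67:AA",
}

_HOST_RE = re.compile(r"SSH host key for (\S+?):\s*$", re.M)
_FP_RE = re.compile(r"Public host key fingerprint:\s*([0-9A-Fa-f:]+)", re.M)


def normalize_fingerprint(fp: str) -> str:
    """Lower-case the hex and drop separators so 'AB:CD' and 'ab cd' compare equal."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fp).lower()
    if len(hexdigits) != 32:  # the dialog shows an MD5 fingerprint: 16 bytes
        raise ValueError(f"unexpected fingerprint length: {fp!r}")
    return hexdigits


def parse_join_dialog(text: str) -> tuple[str, str]:
    """Return (host, fingerprint) exactly as presented by the join dialog."""
    host = _HOST_RE.search(text)
    fp = _FP_RE.search(text)
    if not host or not fp:
        raise ValueError("host or fingerprint line not found in dialog")
    return host.group(1), fp.group(1)


def host_key_matches(text: str, known: dict[str, str]) -> bool:
    """True only if the presented fingerprint equals the one recorded for that host."""
    host, presented = parse_join_dialog(text)
    expected = known.get(host)
    if expected is None:
        return False  # a host with no recorded fingerprint is never accepted by default
    return normalize_fingerprint(presented) == normalize_fingerprint(expected)


if __name__ == "__main__":
    verdict = host_key_matches(JOIN_DIALOG, KNOWN_FINGERPRINTS)
    print("fingerprint matches, answer y" if verdict else "fingerprint MISMATCH, answer n")
```

Paste the dialog text into the script before answering the "Is this a valid key" prompt; only a match justifies answering y.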
At this point, your vESA mirrors the configuration of the existing Cx90 hardware. This ensures that all settings, policies, and configuration remain consistent across both platforms.
To verify synchronization and make sure there are no differences between the existing C600v and the Cx90, run the clustercheck command.
(Cluster cluster.Cx90)> clustercheck
No inconsistencies found on available machines.
(Cluster cluster.Cx90)>
This command helps you identify any potential inconsistencies that may need to be resolved.
(cluster.Cx90)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine
C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine
How do you want to resolve this inconsistency?
1. Force the entire cluster to use the vESA.Nutanix version.
2. Force the entire cluster to use the C690.Machine version.
3. Ignore.
[3]> 2
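When clustercheck reports an inconsistency, the decision in the prompt above rests on which machine's copy was changed, when and by whom. As an added example, not from the Cisco document, this Python parser turns the clustercheck output into a summary (settings that differ, each machine's copy, and the most recently modified copy); the sample output is constructed from the lines shown in this document, and the function names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample: clustercheck output with one inconsistency, modelled on the
# dialog shown in this document (machine names and timestamps as on the page).
CLUSTERCHECK_OUTPUT = """\
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine
C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine
How do you want to resolve this inconsistency?
"""

_UPDATE_RE = re.compile(
    r"^(?P<machine>\S+) was updated (?P<when>\w{3} \w+ \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT"
    r" by '(?P<user>[^']+)' on (?P<origin>\S+)$",
    re.M,
)
_SETTING_RE = re.compile(r"^(?P<setting>.+?) at Cluster \S+:$", re.M)


def parse_timestamp(text: str) -> datetime:
    """The output mixes abbreviated and full month names (Jun, July); accept either."""
    for fmt in ("%a %b %d %H:%M:%S %Y", "%a %B %d %H:%M:%S %Y"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {text!r}")


def parse_clustercheck(output: str) -> dict:
    """Summarize a clustercheck run: which settings differ, each machine's copy, and
    which copy was modified last (the administrator still decides which one to keep)."""
    versions = [
        {"machine": m["machine"], "when": parse_timestamp(m["when"]),
         "user": m["user"], "origin": m["origin"]}
        for m in _UPDATE_RE.finditer(output)
    ]
    newest = max(versions, key=lambda v: v["when"])["machine"] if versions else None
    return {
        "consistent": "Inconsistency found!" not in output,
        "settings": _SETTING_RE.findall(output),
        "versions": versions,
        "newest": newest,
    }


if __name__ == "__main__":
    summary = parse_clustercheck(CLUSTERCHECK_OUTPUT)
    for v in summary["versions"]:
        print(f"{v['machine']}: updated {v['when']:%Y-%m-%d %H:%M} by {v['user']} on {v['origin']}")
    print("most recently modified copy:", summary["newest"])
```

Note that "newest" only tells you which copy was modified last; in the dialog above the administrator kept the C690.Machine version, which is a valid choice when the vESA has not yet been validated.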
Note: Your vESA is not yet processing mail. Before going into production, make sure the vESA is updated to version 16.0. This step is critical for the stability and compatibility of the system. Follow the steps below before going into production.
Remove the vESA from the ESA Cluster
In the CLI of the vESA, run clusterconfig and then use the removemachine operation to remove the appliance from the cluster:
(Cluster cluster.Cx90)> clusterconfig
Cluster cluster.Cx90
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine
Choose the machine to remove from the cluster.
1. C690.Machine (group Main_Group)
2. vESA.Nutanix (group Main_Group)
[1]> 2
Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y
Please wait, this operation may take a minute...
Machine vESA.Nutanix removed from the cluster.
Upgrade the vESA
At this stage of the configuration migration, the vESA must be upgraded to version 16.0. This upgrade is required because version 16.0 is the first version officially supported for production environments. The upgrade ensures that the virtual appliance meets the latest feature, security update, and compatibility requirements. By upgrading to version 16.0, you improve the performance and reliability of the vESA so that it fully supports your production environment. This step is essential for seamless integration and optimal operation within your existing infrastructure.
To upgrade the vESA C600v to version 16.0:
- From the System Administration tab, select System Upgrade.
- Click Available Upgrades. The page refreshes and shows the list of available AsyncOS upgrade versions; select version 16.0.
- Click the Begin Upgrade button; your upgrade starts. Answer the questions as they appear. When the upgrade is complete, click the Reboot Now button to restart the appliance.
- After the reboot, verify the running AsyncOS version:
  - CLI: run the command version.
  - UI: navigate to Monitor > System Information.
Create a New Cluster (on the vESA)
If you want to keep the same cluster name, create a new cluster with the same name that was used on the Cx90 cluster. Alternatively, create a new cluster with a new cluster name. This step repeats the steps performed earlier on the vESA:
vESA.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2
Enter the name of the new cluster.
[]> newcluster.Virtual
Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1
What IP address should other machines use to communicate with Machine C170.local?
1. 192.168.101.100 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1
Other machines will communicate with Machine C195.local using IP address 192.168.101.100 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster newcluster.Virtual)>
Join Your Cx00v to Your ESA Cluster
From the CLI on the Cx00v, run clusterconfig > Join an existing... to add your Cx00v into your new cluster configured on your vESA, similar to the following:
C600v.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 192.168.101.100
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 00:61:32:aa:bb:84:ff:ff:22:75:88:ff:77:48:84:eb
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster newcluster.Virtual)>
Conclusion
By completing the steps outlined in this document, you have successfully migrated the configuration of your X90 appliance to a virtual environment with Nutanix. Upgrading the vESA to version 16.0, the first version supported for production, ensures that the virtual appliance is fully capable of handling the demands of a production environment. With this upgrade you gain access to the latest features, security enhancements, and compatibility improvements, ensuring optimal performance and reliability.
Finally, confirm that your DNS records and load-balancer configuration have been updated to include the vESA so that it can process mail effectively. With these configurations in place, your vESA is now ready to operate within your existing infrastructure, providing robust email security and seamless integration.