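Introduction
This document provides a comprehensive guide to the steps required to migrate the configuration of Cx90 appliances to a virtual environment using Nutanix. It covers the entire migration process, from initial planning and assessment through execution and validation in the virtual environment. By following the steps described here, organizations can ensure a smooth and efficient transition that minimizes downtime and preserves the integrity of their existing configuration.
For detailed instructions on certain steps, you can also refer to the User Guide or other related articles. These resources provide additional insight and instructions that complement the information in this document.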
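Prerequisites
Before you begin the migration process, ensure that the following prerequisites are met for a smooth and efficient transition:
Software version requirement for Cx90: Ensure that the Cx90 is running version 15.0.3. Note that this version is used only for the configuration migration process in Nutanix and must never be used in a Nutanix production environment.
1. Smart License account: A valid Smart License account is required for this migration. Verify your Smart License status before starting the migration process.
2. Basic understanding of clustering: Be familiar with the clustering concepts of the Cisco Secure Email Gateway (ESA). This basic understanding is essential for a smooth migration.
3. Determine the existing hardware cluster status:
Using the CLI: Run the command clusterconfig.
Using the GUI: Navigate to Monitor > any.
If you see "Mode — Cluster: cluster_name", your appliance is running in a cluster configuration.
5. Download the required software: Download the Cisco Secure Email Gateway (vESA) software, version 15.0.3, model C600v, for KVM.
6. Network resources: Prepare the network resources required for the new machine (IP addresses, firewall rules, DNS, and so on).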
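Upgrade the Hardware (Cx90) to AsyncOS 15.0.3
To perform the migration, version 15.0.3 must be installed on the x90 cluster. This is the initial version that can run on Nutanix for the configuration migration.
Note: Version 15.0.3 on Nutanix appliances can be used only for configuration migration and must never handle production email traffic. Version 15.0.3 is supported in production on other virtual environments and on physical appliances.
Upgrade the Existing Cx90/Hardware to AsyncOS 15.0.3
From the release notes for AsyncOS 15.0 for Cisco Email Security Appliances, use these instructions to upgrade your Email Security appliance:
- Save the appliance's XML configuration file.
- If you use the Safelist/Blocklist feature, export the Safelist/Blocklist database from the appliance.
- Suspend all listeners.
- Wait for the queue to empty.
- On the System Administration tab, select System Upgrade.
- Click Available Upgrades. The page refreshes with a list of available AsyncOS upgrade versions.
- Click the Begin Upgrade button to start the upgrade. Answer the questions as they appear. When the upgrade is complete, click the Reboot Now button to reboot the appliance.
- Resume all listeners.
After the reboot, verify the AsyncOS version that is running:
- CLI: run the command version.
- UI: navigate to Monitor > System Info.
Note: If you already have multiple appliances running in a cluster configuration, you can skip the next section.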
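Deploy the C600v in Nutanix
Per the prerequisites, download the vESA/C600v image and deploy it according to the Cisco Content Security Virtual Appliance Installation Guide.
1. Ensure that your equipment and software meet all system requirements. Because the migration uses version 15.0.3 and model C600v, follow the same requirements specified for version 16.0.
Nutanix AOS: Version 6.5.5.7
Nutanix Prism Central: Version pc.2022.6.0.10
2. Download the virtual appliance image, version 15.0.3, model C600v, for KVM.
3. Determine the amount of RAM and the number of CPU cores to allocate to your virtual appliance model.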
Cisco Secure Email Virtual Gateway
AsyncOS version | Model | Recommended disk size | Memory | Processor cores
 | C600v | 500 GB | 16 GB | 8
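4. Deploy the virtual KVM image appliance C600v (version 15.0.3) on Nutanix Prism. (Installation Guide)
vESA Licensing
This installation requires Smart Licensing. Version 16.0 or later, which runs on the virtualized appliances in Nutanix, requires Smart Licensing rather than the traditional licensing model. Therefore, verify beforehand that the Smart License is installed correctly.
Smart Licensing Creation
These links describe the activation process, definitions, and how to troubleshoot the Smart Licensing service on ESA/SMA/WSA.
Understand Smart Licensing Overview and Best Practices for Email and Web Security
Smart Licensing Deployment Guide for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager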
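Configuration Migration Process
For the configuration migration, we add the new appliance to the existing X90 cluster. Once the new appliance is connected to the cluster, it automatically loads all deployed configuration, ensuring a seamless transition. This process uses the cluster's existing setup to integrate the new virtualized appliance efficiently, preserving all current configurations and settings without manual intervention. This approach minimizes potential disruption and ensures continuity of operations.
Add the vESA to Your ESA Cluster
From the CLI on the vESA, run clusterconfig > Join an existing... to add the vESA to the cluster, similar to the following: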
vESA.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 192.168.100.10
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 192.168.100.10:
Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster cluster.Cx90
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster cluster.Cx90)>
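At this point, the vESA mirrors the configuration of the existing Cx90 hardware. This ensures that all settings, policies, and configurations are consistent across both platforms.
To verify the synchronization and ensure that there are no discrepancies between the existing C600v and the Cx90, run the clustercheck command.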
(Cluster cluster.Cx90)> clustercheck
No inconsistencies found on available machines.
(Cluster cluster.Cx90)>
This command helps you identify any potential inconsistencies that need to be resolved.
(cluster.Cx90)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine
C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine
How do you want to resolve this inconsistency?
1. Force the entire cluster to use the vESA.Nutanix version.
2. Force the entire cluster to use the C690.Machine version.
3. Ignore.
[3]> 2
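A gate you can run over a saved clustercheck transcript before removing the vESA from the cluster. This is an added example, not Cisco tooling; the line formats it parses are assumed from the transcripts shown above, the function name is hypothetical, and the sample text is constructed from those transcripts.

```python
import re
from datetime import datetime

CLEAN_LINE = "No inconsistencies found on available machines."
SECTION = re.compile(r"Checking (.+?)\.\.\.")
# Format assumed from the transcript on this page; the weekday is ignored.
UPDATE = re.compile(
    r"(\S+) was updated \w+ (\w+) (\d+) ([\d:]+) (\d{4}) GMT by '([^']+)' on (\S+)")

# Constructed samples, modelled on the two clustercheck transcripts above.
CLEAN_SAMPLE = "(Cluster cluster.Cx90)> clustercheck\n" + CLEAN_LINE + "\n"
DIRTY_SAMPLE = """\
(cluster.Cx90)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine
C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine
How do you want to resolve this inconsistency?
"""

def parse_clustercheck(text):
    """Return (status, findings): status is clean, inconsistent or unverified."""
    findings, section, flagged = [], None, False
    for line in text.splitlines():
        m = SECTION.search(line)
        if m:
            section, flagged = m.group(1), False
        if "Inconsistency found!" in line:
            flagged = True
            findings.append({"section": section, "copies": []})
        if flagged:
            for host, mon, day, clock, year, user, origin in UPDATE.findall(line):
                when = datetime.strptime(
                    f"{mon[:3]} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
                findings[-1]["copies"].append(
                    {"machine": host, "updated": when, "by": user, "from": origin})
    if findings:
        return "inconsistent", findings
    # A transcript with neither marker (truncated, aborted) proves nothing.
    return ("clean", []) if CLEAN_LINE in text else ("unverified", [])

if __name__ == "__main__":
    status, findings = parse_clustercheck(DIRTY_SAMPLE)
    print(status)
    for f in findings:
        for c in f["copies"]:
            print(f["section"], c["machine"], c["updated"].isoformat(), c["by"])
```

The clean message covers only the machines that were available, so check CONNSTATUS as well before treating the cluster as synchronized.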
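Note: Your vESA is not yet processing mail. Before moving into production, ensure that the vESA is updated to version 16.0. This step is critical for system stability and compatibility. Follow these steps before moving into production.
Remove the vESA from Your ESA Cluster
From the CLI on the vESA, run clusterconfig and use the removemachine operation to remove the appliance from the cluster: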
(Cluster cluster.Cx90)> clusterconfig
Cluster cluster.Cx90
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine
Choose the machine to remove from the cluster.
1. C690.Machine (group Main_Group)
2. vESA.Nutanix (group Main_Group)
[1]> 2
Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y
Please wait, this operation may take a minute...
Machine vESA.Nutanix removed from the cluster.
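Upgrade the vESA
At this stage of the configuration migration, the vESA must be upgraded to version 16.0. This upgrade is required because version 16.0 is the first version officially supported for production environments. Upgrading ensures that the virtual appliance meets the latest feature, security update, and compatibility requirements. By upgrading to version 16.0, you improve the performance and reliability of the vESA so that it can fully support your production environment. This step is critical for seamless integration and optimal operation within your existing infrastructure.
To upgrade the vESA C600v to version 16.0:
- On the System Administration tab, select System Upgrade.
- Click Available Upgrades. The page refreshes with a list of available AsyncOS upgrade versions; select version 16.0.
- Click the Begin Upgrade button to start the upgrade. Answer the questions as they appear. When the upgrade is complete, click the Reboot Now button to reboot the appliance.
- After the reboot, verify the AsyncOS version that is running:
  - CLI: run the command version.
  - UI: navigate to Monitor > System Info.
Create a New Cluster (on the vESA)
If you want to use the same cluster name, create a new cluster with the same name used on the Cx90 cluster. Alternatively, create a new cluster with a new cluster name. This repeats the steps performed earlier, this time on the vESA: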
vESA.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2
Enter the name of the new cluster.
[]> newcluster.Virtual
Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1
What IP address should other machines use to communicate with Machine C170.local?
1. 192.168.101.100 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1
Other machines will communicate with Machine C195.local using IP address 192.168.101.100 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster newcluster.Virtual)>
Join Your Cx00v to Your ESA Cluster
From the CLI on the Cx00v, run clusterconfig > Join an existing... to add your Cx00v into your new cluster configured on your vESA, similar to the following:
C600v.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 192.168.101.100
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 00:61:32:aa:bb:84:ff:ff:22:75:88:ff:77:48:84:eb
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster newcluster.Virtual)>
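Both join transcripts ask you to confirm the remote SSH host key, so the following added example (not from the original document or from Cisco) checks a saved join prompt against a fingerprint obtained out of band and against the IP address you entered. It assumes the 16-byte colon-hex value in the prompt is the MD5 digest of the public key blob; the function names are hypothetical and the sample key is constructed.

```python
import base64
import hashlib
import hmac
import re

PROMPT = re.compile(
    r"Please verify the SSH host key for (\S+):\s*"
    r"Public host key fingerprint:\s*((?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2})")

# Constructed key material (not a real host key): ed25519 blob with dummy bytes.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()

# Prompt lines copied from the first join transcript on this page.
PAGE_PROMPT = (
    "Please verify the SSH host key for 192.168.100.10:\n"
    "Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa\n")

def md5_fingerprint(pubkey_line):
    """Colon-hex MD5 fingerprint of an OpenSSH public key line (assumed format)."""
    blob = base64.b64decode(pubkey_line.split()[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_join_prompt(transcript, expected_host, trusted_fingerprint):
    """Return a list of problems; an empty list means the prompt checks out."""
    m = PROMPT.search(transcript)
    if not m:
        return ["no host key prompt found in transcript"]
    host, shown = m.group(1), m.group(2).lower()
    problems = []
    if host != expected_host:
        problems.append(f"prompt is for {host}, expected {expected_host}")
    # Constant-time comparison of the normalized fingerprints.
    if not hmac.compare_digest(shown, trusted_fingerprint.strip().lower()):
        problems.append("fingerprint does not match the trusted value")
    return problems

if __name__ == "__main__":
    trusted = md5_fingerprint(SAMPLE_KEY)
    for problem in check_join_prompt(PAGE_PROMPT, "192.168.100.10", trusted):
        print("DO NOT ACCEPT:", problem)
```

The trusted value should come from the cluster member itself (logconfig -> hostkeyconfig -> fingerprint, as the prompt says) over a channel other than the join session.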
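Conclusion
By following the steps outlined in this document, you have successfully migrated the configuration of your X90 appliances to a virtual environment using Nutanix. Upgrading the vESA to version 16.0, the first version supported for production, ensures that your virtual appliance is fully capable of handling the demands of a production environment. This upgrade gives you access to the latest features, security enhancements, and compatibility improvements, ensuring optimal performance and reliability.
As a final step, confirm that your DNS records and load-balancing configuration have been updated to include the vESA so that it can process mail effectively. With these configurations in place, your vESA is ready to operate within your existing infrastructure, providing robust email security and seamless integration.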