Migrating to a New ProxySG Appliance — SGOS 5.x to 6.x

This document describes the benefits of upgrading to SGOS 6 and lists the prerequisite information and procedures for migrating to a new ProxySG appliance running SGOS 6. It assumes that the ProxySG appliance is currently running SGOS 5.x and that you are upgrading to the latest version of SGOS 6.2.x or 6.3.x before migrating the configuration to a new appliance running the same SGOS 6.2.x or 6.3.x version. In addition, it assumes that the new appliance uses the same network configuration, such as IP address and default gateway. To use IWA Direct or for SMBv2 support, you must upgrade to SGOS 6.3.x. To review the complete list of features in 6.3.x, refer to the SGOS 6.3.x Release Notes on the BTO download portal; for the upgrade impact, refer to the 6.3.x Feature Change Reference. For assistance with your upgrade, contact Blue Coat Professional Services or your reseller's professional services group.

Why Upgrade to SGOS 6?

The following sections provide the top reasons to migrate to SGOS 6.x.

Performance

SGOS 6 uses a 64-bit OS architecture that offers increased performance, scalability, and connection counts for all 64-bit capable ProxySG platforms. The 64-bit architecture allows you to take advantage of the multi-core processors and larger memory capacity available on these platforms, and with SGOS 6.2.x (or later), all multi-disk systems have an increased object store capacity that enhances the object caching capability on the appliance. For a list of all currently supported ProxySG hardware platforms that can be upgraded to run SGOS 6.2.x see Prerequisite Information.

Support for IPv6

Support for IPv6 was introduced in SGOS 5.5.x for Secure Web Gateway deployments. In SGOS 6, the IPv6 proxy allows you to connect IPv4, IPv6, or combination IPv4/IPv6 addresses in both your Secure Web Gateway and WAN optimization deployments. For more information, see the “Using the ProxySG in an IPv6 Environment” and “Configuring an Application Delivery Network” chapters of the SGOS 6.x Administration Guide.


Web Application Controls

Because of the Web 2.0 proliferation, many organizations want to manage employee access to various Web applications and operations. Facebook is a good example. The application is important for recruiting new employees, and most companies want to allow read access while limiting access to operations like email, playing games, and posting content. They might, however, make an exception for employees in the marketing organization because their role might require them to post, email, and upload content for maintaining the company’s presence on Facebook. SGOS 6 offers granular Web application and operation controls on a per-user, per-group, and site-wide level. You can then use Blue Coat Reporter to generate detailed reports on Web application and operation usage on your network.

Advanced Security / Next Generation Security

SGOS 6 offers advanced security features necessary for enterprise security integration. SGOS 6 will be the platform on which Blue Coat expands and builds on its security solutions, and it will be the release train for new features and technologies. Some of the advanced features included in SGOS 6.3.x are: client certificate support on the ProxySG, certificate information propagation, user- and group-based SSL interception, downloadable CA lists (which are maintained on Blue Touch Online), and on- integrated Windows . For more details on how each of these security features can help your organization become more secure, contact your reseller or local SE.

Extensible and Flexible Solutions

SGOS 6 offers unified integration between Blue Coat’s on-premise ProxySG devices and the Blue Coat service (Security (Saas)). The integrated solution extends the same policy engine architecture and WebPulse negative-day Web defense to protect all users on your network. The ProxySG device, with its wide range of configurations, caters to the on-premise needs of your corporate office and data centers. The cloud SaaS offers an ideal solution for remote and roaming users and is also suited to branch offices that might be too small to support an on-premise solution. The unified security solution from Blue Coat offers the administrator a single view of all activity across the organization, regardless of whether the users are secured by on-premise appliances or cloud SaaS.

Control and Acceleration of Rich Media

SGOS 6 continues the history of the support of rich media applications. While all SGOS releases offer video caching, pre-population and video splitting for RTSP, Quicktime and Windows Media, SGOS 6 adds the support for RTMP, the protocol used in Adobe Flash streaming and video.


Process Overview

The high-level process for migrating your configuration from one appliance to another is listed below.

1. Review the upgrade path and then perform the following tasks:
   – If you use BCAAA, identify and install the latest BCAAA version required for the release(s) to which you are upgrading. You must install the BCAAA version on your authentication server before upgrading the SGOS version on your ProxySG appliance. If you use the same authentication server for ProxySG appliances running other SGOS versions, do not uninstall the earlier version(s) of BCAAA. Even if you have multiple BCAAA versions installed on your server, only one listening port is used; the BCAAA service hands off the connection to the appropriate BCAAA protocol version. See BCAAA Readme on page 30 for more information.
   – On the current (or older) appliance, upgrade to the SGOS 5.x version that supports a direct upgrade to 6.2.x (or later version).
2. Review the policy rules defined in your SGOS 5.x configuration and validate whether they are supported in SGOS 6.x. A policy rule that is no longer supported is referred to as a CPL deprecation.
   Note: You can either resolve the policy deprecations or ignore them. Blue Coat recommends that you examine the deprecations and resolve them to ensure that your security policies are not compromised. For details, refer to the Policy Migration Guide.
3. Complete the upgrade to your chosen version of SGOS 6.x.
4. Before you reboot the appliance, remove any previously saved SGOS 6.x configuration settings, so that your current 5.x configuration is converted to an equivalent version of the SGOS 6.x configuration settings. This task makes sure that the ProxySG appliance upgrade handler migrates your current 5.x configuration to SGOS 6.x upon reboot. On the off chance that your ProxySG appliance shipped with a version of SGOS 6.x, or if you have ever previously installed a version of SGOS 6.x, completing this task ensures that your SGOS 6.x configuration is based on your current 5.x configuration.
5. Reboot the appliance and create a configuration archive with keyrings [1] and save it to a local system.
6. Record the network configuration settings (IP address, gateway, DNS, etc).
7. Power down, unrack, and uncable the current (or older) appliance. For information on recycling your old ProxySG appliance, see: http://bluecoat.com/support/recycling-blue-coat-products

Perform the following tasks on the new appliance:

8. Install and perform initial configuration.
9. If necessary, upgrade the appliance to your preferred SGOS 6.x version.
10. As necessary, edit the configuration archive to reconcile the interface numbering scheme on your old configuration with the interface numbering scheme on the new one. The interface numbering for each port is unique because it references the slot to which the port belongs and the port number. When you replace the hardware model, the interface numbering scheme changes because the order and numbering of the slots, the number of Ethernet ports in a slot, and the bridge pairs available on the interface module vary by platform and model of the ProxySG appliance. The slot number is shown on the rear of the appliance.
11. Restore the archived configuration (created on the old appliance) onto the new appliance. You must reapply some settings that are not included in the archive, such as the license, and initiate the download of the content filter database.

[1] Only keyrings created or imported on the ProxySG appliance as showable can be backed up using this method.


Prerequisite Information

❐ SGOS 6.2.x and 6.3.x support direct upgrade from specific 5.x releases. Refer to the Upgrade Path on page 9 to determine whether you can directly upgrade to your chosen SGOS 6.x version or if you must install interim SGOS versions required to complete the upgrade.

❐ See Features Impacted on Upgrade to 6.2.x on page 26 to understand the upgrade impact and behavior changes that occur from features introduced in SGOS 6.2.x. For information on features impacted on upgrade to 6.3.x, refer to the 6.3.x Feature Change Reference.

❐ To minimize any disruption in your network, or to prevent loss of data in your access logs or event logs, Blue Coat recommends completing this migration during a maintenance window. Doing so allows you to upload the most inclusive copy of your access logs, event logs, and snapshots without any loss of data during the transition time when your old appliance goes offline and the new appliance comes online.

❐ Verify that your ProxySG appliance supports the upgrade to SGOS 6.2.x or 6.3.x. The following ProxySG appliance platforms can be upgraded:
   – Virtual appliances: VA-5, VA-10, VA-15, VA-20
   – 32-bit platforms: SG210 (except for 210-5) and SG510
     Note: The SG210-10 and SG210-25 can run SGOS 6.2 and later, but the SG210-5 is not supported. SGOS 6.2 and later provide new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on SGOS 6.1.x releases. Contact your sales teams for upgrade options.
   – 64-bit platforms: SG300, SG600, SG810, SG900, SG8100, and SG9000.
     Note: The minimum SGOS 6.2.x and 6.3.x releases for the SG900 and SG9000 models are as follows:

Models                        SGOS 6.2.x    SGOS 6.3.x
SG900
  SG900-10B                   6.2.3.3       6.3.1.1
  900-20, 900-30, 900-45      6.2.3.1       6.3.1.1
  900-55                      6.2.7.2       6.3.3.1
SG9000
  9000-5, 9000-10, 9000-20    6.2.1.4       6.3.1.1
    Note: See https://kbint.bluecoat.com/index?page=content&id=TFA72
  9000-20B                    6.2.6.1       6.3.1.1
  9000-30, 9000-40            6.2.3.3       6.3.1.1

❐ When you replace the hardware model, the interface numbering scheme changes. The interface modules (the slot, interface labeling, and bridge pair groups) on the newer ProxySG appliance models are different from those of the older models. You must verify the interface configuration on your older appliance and perform the necessary adjustments to maintain consistency in your network configuration before restoring your configuration archive on to your new appliance. For more information, see Interface Information on page 10.

Upgrade Path

Use the following table to confirm the supported upgrade path for SGOS 6.2.5.1 or the latest 6.3.x version.


Interface Information

Refer to the following information to verify the interface modules (the physical interfaces available, the interfaces that constitute the default bridge pairs, and the bridge group name assigned to the bridge) for your hardware model. If you require additional interfaces, you must purchase supplementary dual-port or quad-port interface modules.

❐ If you are migrating from a SG8100-5 to the SG900-30

The SG8100-5 has the following interfaces:
  (2) integrated (on board) NICs
    0:0
    1:0
  Dual GigE NIC card (non-bridged hardware interfaces)
    2:0
    2:1

The SG900-30 has the following interfaces:
  (2) integrated (on board) NICs
    0:0
    1:0
  (2) integrated 1000Base-T ports with a hardware bridge (also called passthru)
    2:0 (Bridge group: passthru-2)
    2:1 (Bridge group: passthru-2)

Disable the hardware bridge on the SG900

If you used interfaces 2:0 and 2:1 on the SG8100-5 as non-bridged interfaces, you must disable the hardware bridge on the SG900-30 to retain the same functionality.

1. Log into the Management Console of the SG900. Select Configuration > Network > Adapters > Bridges.
2. In the Bridge Name section, select the passthru-2 bridge.
3. Click Edit. The system displays the Edit Bridge dialog.
4. Select Disabled to disable the bridge. For example, when you select the bridge named passthru-2 and click Disable, the interfaces that constituted the bridge pair (2:0 and 2:1) are now unbound and will now function as standalone network interfaces.


❐ If you are migrating from an SG8100-10 to the SG900-45, or from an SG8100-20 or SG8100-30 to the SG900-55

The SG8100-10/-20/-30 each has the following interfaces:
  (2) integrated (on board) NICs
    0:0
    1:0
  Quad GigE module with a hardware bridge (also called passthru)
    2:0 (Bridge group: passthru-2)
    2:1 (Bridge group: passthru-2)
    2:2 (Bridge group: passthru-2:2)
    2:3 (Bridge group: passthru-2:2)

The SG900-45/-55 each has the following interfaces:
  (2) integrated (on board) NICs
    0:0
    1:0
  (2) integrated 1000Base-T ports with a hardware bridge (also called passthru)
    2:0 (Bridge group: passthru-2)
    2:1 (Bridge group: passthru-2)

If you have deployed both pairs of bridges (passthru-2 and passthru-2:2) on the SG8100, you must purchase and install additional interface modules for your hardware model to maintain similar functionality on the appliance.

• If, for example, you have only configured interfaces 2:0 and 2:1 as passthru-2, you do not need to modify the SG900 interface configurations.
• If you have configured interfaces 2:0 and 2:1 as passthru-2 and interfaces 2:2 and 2:3 as passthru-2:2 on the SG8100, you must purchase and install an interface module on the SG900 to match your current configuration.

On the SG900, the additional interface module must be installed in slots 3 or 4. Therefore, before you restore your configuration archive on the SG900, you must edit the interface configuration settings and map them to the slot, interface, and bridge group naming convention on the SG900. If a quad card interface module is installed in slot 3, by default the interface settings are:

• 3:0 and 3:1 as passthru-3
• 3:2 and 3:3 as passthru-3:2

The configuration for interfaces 2:2 and 2:3 as passthru-2:2 on the SG8100 must be edited to map to one of the above interface pairs, and the name of the bridge pair should be passthru-3 or passthru-3:2, to match the pair that you selected for use.


Prepare the Old Appliance

Because you are moving to a new appliance that is running SGOS 6.x, you must upgrade to the same SGOS 6.2.x or 6.3.x version on the old appliance first so that you can create an archive of the system configuration that is compatible with the new appliance. Note: SGOS 6.2.x and 6.3.x support a direct upgrade from specific 5.x releases. Refer to the upgrade path to determine whether you can directly upgrade to SGOS 6.2.x/6.3.x or if you must install interim SGOS versions to complete the upgrade. Perform the following procedure to archive the configuration on the old appliance and record any additional settings you will need when configuring the new appliance.

Removing the Old Appliance

Step 1 Determine your upgrade path.

Refer to the Upgrade Path on page 9. You might have to upgrade to an interim SGOS version before installing SGOS 6.x.

Step 2 If you use BCAAA, identify the BCAAA versions required for the release(s) you are upgrading to.

Every SGOS release requires a specific BCAAA version. To determine the BCAAA version, refer to the BCAAA compatibility table in the BCAAA Readme on page 30.

Step 3 If you use BCAAA, install the required BCAAA versions onto your authentication server before upgrading the SGOS version on your ProxySG appliance.

SGOS 6.x requires BCAAA version 130; however, if you must upgrade to an interim release, you are not required to install the BCAAA version required for that release. Install the required BCAAA 130 version as an addition to the existing BCAAA version. Do not delete any existing BCAAA installations, as this causes authentication failure for any appliances running SGOS versions that require that version.

Determine the BCAAA version running on the authentication server:
  a. Go to the folder where the bcaaa-1xx.exe program resides. For example:
       C:\Program Files\Blue Coat Systems\BCAAA
  b. Right-click bcaaa-1xx.exe, select Properties, and click the Version tab. (In Windows 2008, the Properties and Details tab.)

Download BCAAA:
  a. Navigate to the following page: https://bto.bluecoat.com/download/ProxySG
  b. Enter your BlueTouch Online username and password.
  c. Select the SGOS version to which you are migrating next.

Download and install BCAAA:
  a. Click the BCAAA Windows link for the SGOS release you want to install.
  b. Review the download agreement.
  c. To accept and continue, click I agree and wish to download this software.
  d. Click Download Now and save the file.
  e. Locate the saved BCAAA zip file.
  f. Extract the files.
  g. Double click the BCAAA.exe file. The BCAAA installation wizard displays.
  h. Follow the steps in the installation wizard.

Step 4 Obtain the required release images.

  a. Locate the release you are upgrading to.
  b. Click Please Read to review the release notes.
  c. Click the link for your ProxySG appliance model.
  d. Review the download agreement.
  e. To accept and continue, click I agree and wish to download this software.
  f. Copy the URL provided under the Direct Download Link. The download URL is good for only 24 hours.


Step 5 Install all interim SGOS releases required to upgrade to your chosen 6.x version. If you have a direct upgrade to SGOS 6.2.x or 6.3.x, go to Step 6.

  a. Access the appliance Management Console: https://proxy_IP_address:8082
  b. Enter your login credentials.
  c. Select the Maintenance > Upgrade > Upgrade tab.
  d. Paste the image URL (copied in Step 4f above) into the Download new system software from this URL field.
  e. Click Apply.
  f. Click Download.
  g. When notified, resolve CPL deprecation warnings before you restart the latest image you downloaded. Refer to the Policy Migration Guide for more information.
  h. Click Restart. The reboot requires several minutes; furthermore, the ProxySG appliance logs you off.

  After the restart:
  a. Log in to the appliance.
  b. Click Home (or look at the Management Console banner) to verify that the appliance is running the correct SGOS release.

Step 6 Install SGOS 6.2.x or 6.3.x.

  a. Access the appliance Management Console: https://proxy_IP_address:8082
  b. Enter your login credentials.
  c. Select the Maintenance > Upgrade > Upgrade tab.
  d. Paste the image URL into the Download new system software from this URL field.
  e. Click Apply.
  f. Click Download.
  g. Without clicking Restart, continue with Step 7.


Step 7 Remove the 6.x configuration settings file.

Although the SGOS upgrade handler is designed to convert the existing configuration to current equivalents, if a 6.x configuration exists on the appliance before upgrade, it is used for the conversion instead of your current 5.x settings. Executing this command allows you to ensure that your 6.x settings will be based on your current 5.x configuration.

  a. Access the appliance CLI.
     – Using SSH-capable terminal emulation software (such as PuTTY), launch an SSHv2 session to the ProxySG appliance using the configured IP address (the default port is 22).
     – When prompted, enter your ProxySG appliance administrative user name and password.
  b. Enter the following CLI command:
       SGOS# enable
  c. Enter your enable password.
  d. Delete your 6.x configuration settings:
       SGOS# remove-sgos6-config
     Depending on whether or not you have an existing 6.x configuration file, one of the following messages will display:
       Removing SGOS 6.x configuration will permanently delete existing 6.x configuration from disk. Continue? (y/n)[n]: y
       ok
     Or
       % No SGOS 6.x configuration is available on this system.

Step 8 Reboot the appliance.

  a. In the CLI, enter the following commands:
       SGOS# restart upgrade
     Your appliance should now be on SGOS 6.2.x or 6.3.x.


Step 9 Create a backup of your ProxySG appliance configuration. The archive generated in this step includes the showable keyrings on the appliance.

IMPORTANT:
❐ Keys are exported in clear text with no encryption or obfuscation. Take precautions to secure the archive file appropriately.
❐ The archive does not include keyrings saved with the Do not show keypair option. For keyrings that are not included in the archive, you must manually create a new keyring and import the key and the certificate into the new ProxySG appliance before you are instructed to restore this archive (Installing the New Appliance, Step 7).

  a. In your terminal emulation application, enable session logging. Configure the application to log the session output and save that file on your local system. This example uses PuTTY.
  b. Access the CLI on the appliance and enter the following commands from the CLI command prompt:
       SGOS# enable
       SGOS# config terminal
       SGOS(config) show configuration noprompts with-keyrings
       SGOS(config) exit
  c. Open the session log/output file (ProxySG_archive_08_2012, in this example) and delete all the text/commands before and after the configuration. The content should look similar to the following example.

     Note: This is an excerpt from the output file; the ... indicate sections that have been deleted from the output for this example.

       !- Version: SGOS 6.2.10.1 Proxy Edition
       !- Serial number: 4XXXXXX001
       !- Local time: 2012-07-01 18:17:37-00:00UTC
       !- BEGIN networking
       interface 0:0 ;mode
       ip-address 10.110.10.121 255.255.255.0
       exit
       interface 2:0 ;mode
       label "WAN"
       exit
       interface 2:1 ;mode
       label "LAN"
       exit
       interface 2:2 ;mode
       label "WAN"
       exit
       interface 2:3 ;mode
       label "LAN"
       exit
       ip-default-gateway 10.110.10.1 1 100
       dns-forwarding ;mode
       edit primary
       clear server
       add server 10.110.10.101
       exit
       ...
       !- BEGIN general
       ...
       !- END general
       !- BEGIN proxies
       caching ;mode
       no refresh
       exit
       !- END proxies
       !- BEGIN maintenance
       ...
       !- END maintenance

  d. Save this text file on your local system or hard drive.


Step 10 Record the network configuration information you will need to configure the management interface on the new appliance.

Record the following information from the configuration archive:
  IP address: ______
  Subnet mask: ______
  Default gateway: ______
  Primary DNS server: ______
  Alternate DNS server: ______

For example, for the configuration shown above, you would record the following information:
  IP address: 10.110.10.121
  Subnet mask: 255.255.255.0
  Default gateway: 10.110.10.1
  Primary DNS server: 10.110.10.101
  Alternate DNS server: N/A

Step 11 Power down the appliance, uncable and unrack it.
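Steps 9c and 10 can be scripted so that the clear-text archive is trimmed, checked for key material, and stored with owner-only permissions in one pass. This is an added example, not part of the original guide or Blue Coat code: the function names are hypothetical, and it assumes the configuration runs from the "!- Version:" line to the last "!- END" line as in the excerpt above, that exported keys appear as PEM "PRIVATE KEY" blocks, and a POSIX workstation for the file mode.

```python
import os
import re

# Constructed PuTTY session log. The prompts and configuration lines follow
# Step 9; the key block is a placeholder, and its position is an assumption.
SAMPLE_LOG = """\
SGOS# enable
SGOS# config terminal
SGOS(config) show configuration noprompts with-keyrings
!- Version: SGOS 6.2.10.1 Proxy Edition
!- Serial number: 4XXXXXX001
!- BEGIN networking
interface 0:0 ;mode
ip-address 10.110.10.121 255.255.255.0
exit
ip-default-gateway 10.110.10.1 1 100
dns-forwarding ;mode
edit primary
clear server
add server 10.110.10.101
exit
!- BEGIN general
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
-----END RSA PRIVATE KEY-----
!- END general
!- BEGIN maintenance
!- END maintenance
SGOS(config) exit
"""

# Assumption: clear-text keys are exported as PEM blocks with this header.
KEY_RE = re.compile(r"^-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----$", re.M)


def trim_session_log(log_text):
    """Step 9c: keep only the lines from '!- Version:' to the last '!- END'."""
    lines = log_text.splitlines()
    starts = [i for i, ln in enumerate(lines) if ln.startswith("!- Version:")]
    ends = [i for i, ln in enumerate(lines) if ln.startswith("!- END")]
    if not starts or not ends or ends[-1] < starts[0]:
        raise ValueError("no configuration found in session log")
    return "\n".join(lines[starts[0]:ends[-1] + 1]) + "\n"


def network_settings(config, mgmt_iface="0:0"):
    """Step 10: pull the values to record for the new management interface."""
    norm = "\n".join(ln.strip() for ln in config.splitlines()) + "\n"
    # ip-address must sit inside the management interface stanza (before exit).
    ip = re.search(
        rf"^interface {re.escape(mgmt_iface)} ;mode\n(?:(?!exit$).*\n)*?"
        r"ip-address (\S+) (\S+)$", norm, re.M)
    gw = re.search(r"^ip-default-gateway (\S+)", norm, re.M)
    # DNS servers: 'add server' lines between dns-forwarding and the next '!-'.
    dns = re.search(r"^dns-forwarding ;mode\n((?:(?!!-).*\n)*)", norm, re.M)
    servers = re.findall(r"^add server (\S+)$", dns.group(1), re.M) if dns else []
    return {
        "ip_address": ip.group(1) if ip else None,
        "subnet_mask": ip.group(2) if ip else None,
        "default_gateway": gw.group(1) if gw else None,
        "dns_servers": servers,
    }


def private_key_blocks(config):
    """Count clear-text private key blocks so the file is handled as a secret."""
    return len(KEY_RE.findall(config))


def write_owner_only(path, text):
    """Save the archive readable and writable by its owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # also tightens a file that already existed


if __name__ == "__main__":
    cfg = trim_session_log(SAMPLE_LOG)
    print(network_settings(cfg))
    print("clear-text private key blocks:", private_key_blocks(cfg))
```

The raw PuTTY session log holds the same key material as the trimmed archive, so it needs the same handling until it is deleted in Step 8 of Installing the New Appliance.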


Prepare the New Appliance

Use the following procedure to install and configure the new appliance.

Installing the New Appliance

Step 1 Rack mount and cable the new ProxySG appliance. For rack mounting instructions, refer to the Quick Start Guide for your ProxySG platform.

Cable the appliance the same way that the old appliance was cabled. Typically you would cable it as follows:
  • For in-path deployments, connect the LAN interface to the switch and connect the WAN interface to the router.
  • For virtually in-path deployments (WCCP), connect the LAN interface to a dedicated interface on the router.

Step 2 Activate the serial console on the new appliance.

  a. Connect the serial cable from your laptop to the ProxySG appliance.
  b. Using terminal emulation software on your laptop (such as PuTTY), connect to the ProxySG appliance serial console (9600, 8, N, 1).
  c. Power on the appliance. The appliance bootup process begins.
  d. Press Enter three times to activate the ProxySG appliance serial console. The serial console prompts take you through the initial configuration of the appliance.

  Note: If you have previously configured this appliance, the initial configuration prompt does not display. To launch the initial configuration script, you must restore the appliance to factory defaults. Enter the following command from the CLI:
       restore-defaults factory-defaults


Step 3 Run the initial configuration wizard to configure network access.

  a. Enter M to specify that you want to perform a manual setup.
  b. Enter the number that corresponds to the interface you want to configure.
  c. Specify whether you want to configure a non-native VLAN. If you enter Y, you are prompted for the VLAN ID.
  d. Assign the network addresses (IP address, subnet mask, default gateway, and primary DNS server). Refer to the information that you recorded in Step 10 on page 18.
  e. Set the console username and password.
  f. Set an enable password.
  g. When prompted to secure the console or not, select your preference Y/N.
  h. When prompted to restrict Management Console access to a specific workstation, select your preference Y/N.
  i. If prompted for a license edition, select the appropriate edition.
  j. Close the serial console connection after the configuration complete message displays and you can access the Management Console of the appliance using a Web browser.


Step 4 Upgrade to your chosen SGOS 6.2.x or 6.3.x version. Upgrading to the latest version gives you the most current enhancements and fixes available in the release branch.

Obtain the release image:
  a. Navigate to https://bto.bluecoat.com/download/ProxySG
  b. Enter your BlueTouch Online username and password.
  c. Locate the SGOS 6.x.x.x release you are upgrading to.
  d. Click Please Read to review the release notes.
  e. Click the link for your ProxySG model.
  f. Review the download agreement.
  g. To accept and continue, click I agree and wish to download this software.
  h. Copy the URL provided under the Direct Download Link. The download URL is good for only 24 hours.

Install SGOS:
  a. Access the appliance Management Console: https://proxy_IP_address:8082
  b. Enter your login credentials.
  c. Select the Maintenance > Upgrade > Upgrade tab.
  d. Paste the image URL (copied in step h above) into the Download new system software from this URL field.
  e. Click Apply.
  f. Click Download.
  g. When the image has downloaded, click Restart. The appliance will reboot. This might take several minutes. When the appliance has completed rebooting, you will be logged out of the appliance.

  After the restart:
  a. Log in to the appliance.
  b. Verify the SGOS release that displays on the banner of the Management Console.


Step 5 Edit the configuration archive.

Using a text editing tool, such as Notepad, open the configuration archive you created in Step 9 on page 16 and make the following changes (see the example that follows).

  a. For the management interface, delete the network configuration details, such as IP address, subnet mask, and default gateway. You must remove these settings from the configuration archive because you have already configured the management interface in Step 3 on page 20. Failure to delete these settings will result in an inability to restore the configuration archive.
  b. Reconcile the interface and bridge configuration between the old and the new ProxySG appliance. For details, see Interface Information on page 10.
  c. To prevent errors, delete the configuration settings for interfaces and bridge groups that are no longer valid on the new appliance.

     Note: This is an excerpt from the output file with the previous network information removed; the ... indicate sections that have been deleted from the output for this example.

       !- Version: SGOS 6.2.10.1 Proxy Edition
       !- Serial number: 4XXXXXX001
       !- Local time: 2012-07-01 18:17:37-00:00UTC
       !- BEGIN networking
       interface 0:0 ;mode
       exit
       interface 2:0 ;mode
       exit
       interface 2:0 ;mode
       label "WAN"
       exit
       interface 2:1 ;mode
       label "LAN"
       exit
       interface 2:2 ;mode
       label "LAN"
       exit
       interface 2:3 ;mode
       label "LAN"
       exit
       dns-forwarding ;mode
       edit primary
       exit
       ...
       !- BEGIN general
       ...
       !- END general
       !- BEGIN proxies
       caching ;mode
       no refresh
       exit
       !- END proxies
       !- BEGIN maintenance
       ...
       !- END maintenance

  d. Save this text file on your local system or hard drive.

Step 6 Start the Management Console.

  a. In a browser, go to the following URL: https://proxy_IP_address:8082
     For example: https://10.110.10.221:8082


Step 7 Restore the configuration.

  a. From the Management Console, select Configuration > General > Archive.
  b. In the Install Configuration From drop-down list, select Local File and then click Install. The Open dialog box displays.
  c. Browse to the text file you saved when you archived the configuration from the older appliance (ProxySG_archive_08_2012, in this example) and then click Open. A message displays indicating that the file was successfully installed.
  d. Click OK.

  Note: For all keyrings that were archived with the Do not show keypair option, you must manually create new keyrings and import the keypair one at a time.

Step 8 Delete the previous key files and configuration file so that your keys and other sensitive information are not available to others.

Step 9 Register the new appliance and install the software.

  a. Select Maintenance > Licensing > Install.
  b. Click Retrieve. The Request License Key dialog box is displayed.
  c. Enter your BlueTouch Online User ID and Password and then click Request License.
  d. Click OK to retrieve the license on the confirmation dialog.

Step 10 (Required if you use content filtering policy) Download the content filter database. This example assumes that you use BCWF.

When your configuration is restored, all of the content filtering vendors that were configured and enabled for use are ready after you download the database for each vendor configured on the appliance.

  a. Select Configuration > Content Filtering > Blue Coat WebFilter.
  b. Verify that the default database download location is displayed in the URL field.
  c. Click Download Now.

  Note: Starting with SGOS 5.5.x, you cannot use the Management Console to configure the legacy content filtering vendors, such as Intersafe, I-Filter, Surfcontrol and Webwasher. You must use the CLI to modify those vendor settings. Furthermore, SGOS 6.3.x does not support Websense or SmartFilter.

Congratulations! You have successfully completed migrating your configuration to a new ProxySG appliance.


Next Steps

To explore the features in SGOS 6 use the following links:
• To configure the new features and enjoy the benefits of SGOS 6, access the complete documentation set for:
  – SGOS 6.2.x
  – SGOS 6.3.x
• For information about how specific features are affected by upgrading from SGOS 5.x to SGOS 6.2.x, see Features Impacted on Upgrade to 6.2.x. For information on upgrade impact to SGOS 6.3.x, refer to the SGOS 6.3.x Feature Change Reference.


Features Impacted on Upgrade to 6.2.x

This section provides information about how specific features are affected by upgrading from SGOS 5.x to SGOS 6.2.x and describes the actions that administrators must take, or are recommended to take, as a result of upgrading. If a feature is not listed, no configuration changes occur upon the upgrade. For a list of Content Policy Language (CPL) deprecations, refer to the Policy Migration Guide.

Access Logging

❐ For LDAPv2 users, starting in SGOS 5.4.3.3, the cs-username field of the access log reports firstname%20lastname, instead of firstname.lastname as in previous releases. To revert to the prior behavior (firstname.lastname), enter the following CLI command:
    #(config) security legacy-relative-usernames enable

❐ SGOS 6.2 offers a new access log format for streaming and adds new fields to the existing bcreporterstreaming_v1 format; this format is the default on new systems. The legacy streaming log format, streaming, is used on upgrades to SGOS 6.2. To use the bcreporterstreaming_v1 format after upgrade, perform one of the following:
  • Edit the streaming log and change its format to bcreporterstreaming_v1.
  • Create a new streaming log that specifies the bcreporterstreaming_v1 log format, and then edit the various streaming protocols to use this new log.

Adaptive Compression

Starting in SGOS 5.5, adaptive compression was enabled by default on multi-processor platforms, but disabled on uniprocessor platforms. All ProxySG platforms that are manufactured or remanufactured with the SGOS 6.2 release have adaptive compression enabled by default. After upgrading to SGOS 6.2, the adaptive compression setting matches the configuration before the upgrade. For example, if adaptive compression was disabled in SGOS 6.1, it is disabled after upgrading to SGOS 6.2.

Asynchronous Adaptive Refresh

The ProxySG Asynchronous Adaptive Refresh (AAR) algorithm was designed to maintain the freshness of cached HTTP objects in environments where the Internet was characterized by larger, static pages and relatively low Internet connection speeds. However, with the advent of Web 2.0, the nature of the Internet has changed. With the general adoption of Web 2.0, which is characterized by dynamic content with many small objects coupled with increasing bandwidth to the Internet, the methods for caching are also evolving. In SGOS 6.2 the object cache model was changed to support more objects per disk to allow for better support for Web 2.0 content. With the addition of this object model, the value of the original AAR model has diminished markedly, and in many instances it can actually increase latency due to system load. Therefore, the default setting for this feature has been changed from automatic to disabled.


When upgrading from 5.x to 6.x, the default setting for adaptive refresh will change from automatic to disabled.

Bandwidth Optimization

Pre-SGOS 6.2 versions had a single control for enabling byte caching and compression optimization for a particular service (called adn-optimize in the CLI and Optimize Bandwidth in the Management Console). SGOS 6.2 introduces separate controls for byte caching (adn-byte-cache or Enable byte caching) and compression (adn-compress or Enable compression). The table below indicates how the value of the adn-optimize setting before upgrade affects the values of the adn-byte-cache and adn-compress settings after upgrading to SGOS 6.2.

adn-optimize       adn-byte-cache     adn-compress
(before upgrade)   (after upgrade)    (after upgrade)
Enabled            Enabled            Enabled
Disabled           Disabled           Disabled

Disk Object Capacity

All multi-disk systems that are manufactured with SGOS 6.2 have an increased object capacity; you can get this extra capacity on other multi-disk systems by initiating the disk increase-object-limit command after upgrading to 6.2. The disks are re-initialized in a format that is not compatible with SGOS releases prior to 6.2.

Encrypted MAPI Acceleration

SGOS 6.2 is able to accelerate encrypted MAPI sessions. To accelerate encrypted MAPI, all ADN Peers — Concentrator and Branch appliances — must both be upgraded to SGOS 6.2.x. If a peer is running a pre-6.2 SGOS release, the connection is tunneled but is not accelerated.

IPv6 Support for ADN

SGOS 6.2.4.1 expands the ProxySG support for IPv6 to include ADN. Blue Coat’s WAN optimization solution now works in an IPv4, IPv6, or combination IPv4/IPv6 Application Delivery Network (ADN).
❐ When upgrading managed ADN deployments to a release that supports IPv6 on ADN (SGOS 6.2.4 or higher), the ProxySG that is functioning as the ADN manager must be upgraded before the managed nodes. The manager should continue to be assigned a reachable IPv4 address until all managed nodes have been upgraded. A managed node that has been upgraded to a release that supports IPv6 on ADN (SGOS 6.2.4 or higher) can use either IPv4 or IPv6 to connect to the previously upgraded manager.
❐ In explicit deployments, an IPv6-only Concentrator peer is not advertised as the Internet gateway for a node that is running an older (pre-6.2.4) version of software.
❐ Only IPv4 routes are advertised to managed nodes running pre-6.2.4 versions.

Last Peer Detection

Last Peer Detection is enabled by default for new installations, but not for upgrades. When a ProxySG appliance is upgraded to 6.2, the feature is disabled by default. To use the feature, you must enable Last Peer Detection on intermediate concentrators and, optionally, the last concentrator on the path to the OCS. You do not need to upgrade Branch peers to 6.2 for the feature to operate, but they must be running SGOS 5.5 or higher.

Reflect Client IP for ProxyClient Peers

SGOS 6.2 offers independent controls for configuring how the Concentrator peer handles client IP reflection requests from ProxySG peers versus ProxyClient peers.
❐ If Reflect Client IP (RCIP) on the Concentrator peer was set to deny before the upgrade to SGOS 6.2, RCIP for ProxyClient is set to use-local upon upgrade to 6.2; this is consistent with how RCIP for ProxyClient was previously handled.
❐ If RCIP on the Concentrator peer was set to allow, then the client IP is reflected for ProxyClient peers.

Session Monitor

The session.username substitution, used in the policy substitution realm for username and full username identification, was deprecated in SGOS 5.5. The new policy substitution is $(session-monitor.attribute.Calling-Station-ID).

SMTP Server Configuration

A new top-level configuration mode, smtp, is available for configuring the SMTP server that the ProxySG uses for emailing notifications and sending heartbeats. In addition, the server port is now user-configurable; previously, it was hard-coded to port 25.
    #(config smtp) server domain_name | ip-address [port]
    #(config smtp) from from-address
    #(config smtp) no server
    #(config smtp) view
With the introduction of the smtp subcommands, the event-log CLI commands for configuring the SMTP gateway and sender email address are deprecated.
    #(config event-log) mail smtp-gateway {domain_name | ip_address}
    #(config event-log) mail from from_address
    #(config event-log) mail no smtp-gateway

After upgrading, values defined in the (config event-log) mail commands are mirrored in the (config smtp) subcommands. For example:
❐ Before upgrade:
    #(config event-log) mail smtp-gateway mail.test.com
    #(config event-log) mail from [email protected]
❐ After upgrade:
    #(config smtp) view
    Settings:
    server mail.test.com port 25
    From-address: "[email protected]"

Deprecated CLI Commands

Proxy Processing

The proxy processing feature was deprecated starting with SGOS v5.5, and the Proxy Processing tab was removed from the Management Console in SGOS v6.1.2. Blue Coat recommends that you discontinue using this feature and deploy a separate secure Web gateway to handle proxy processing. The following CLI command is deprecated:
    #(config adn tunnel) proxy-processing http {enable | disable}

Adaptive Refresh

The following caching configuration CLI commands are deprecated starting in SGOS 6.2.6:
    #(config caching) refresh automatic
    #(config caching) refresh bandwidth kbps
    #(config caching) refresh no automatic

They are replaced starting in SGOS 6.2.6 by the following commands, also in caching configuration mode:
    #(config caching) refresh bandwidth {automatic | kbps}
    #(config caching) no refresh
In addition, refresh bandwidth is now disabled by default.
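An added example (not part of the Blue Coat documentation): a Python check that scans a saved configuration archive for the deprecated commands listed in this section and in SMTP Server Configuration before you restore it on the new appliance. The archive layout assumed here (a submode opened by a line ending in ;mode and closed by exit, comment lines starting with !) and the sample text are constructed for illustration.

```python
import re

# (mode, pattern, suggested replacement) for the deprecated commands named on
# this page. None means the page gives no replacement command.
RULES = [
    ("event-log", r"mail smtp-gateway (\S+)$", r"(config smtp) server \1"),
    ("event-log", r"mail from (\S+)$", r"(config smtp) from \1"),
    ("event-log", r"mail no smtp-gateway$", r"(config smtp) no server"),
    ("caching", r"refresh (?:no )?automatic$",
     r"(config caching) refresh bandwidth {automatic | kbps} or no refresh"),
    ("adn tunnel", r"proxy-processing http (?:enable|disable)$", None),
]

# Constructed sample; the ";mode" / "exit" / "!" layout is an assumption.
SAMPLE = """\
!- constructed sample, not a real archive
event-log ;mode
mail smtp-gateway mail.test.com
mail from proxy-alerts@example.com
exit
caching ;mode
refresh automatic
refresh bandwidth 512
exit
adn ;mode
tunnel ;mode
proxy-processing http enable
exit
exit
"""

def audit(archive_text):
    """Return (line_no, mode, command, replacement) for each deprecated command."""
    mode, findings = [], []
    for n, raw in enumerate(archive_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or comment
        if line.endswith(";mode"):
            mode.append(line[:-len(";mode")].strip())   # enter a submode
            continue
        if line == "exit":
            if mode:
                mode.pop()                # leave the current submode
            continue
        current = " ".join(mode)
        for rule_mode, pattern, template in RULES:
            m = re.match(pattern, line)
            if m and current == rule_mode:
                findings.append((n, current, line,
                                 m.expand(template) if template else None))
    return findings

if __name__ == "__main__":
    for n, mode, cmd, new in audit(SAMPLE):
        print(f"line {n}: (config {mode}) {cmd} -> {new or 'no replacement; remove'}")
```

The line refresh bandwidth 512 is not reported because that form is also valid in the replacement syntax.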


BCAAA Readme

This section describes the supported BCAAA protocol versions and the requirements for SGOS versions 6.x.

BCAAA Operating System Requirements

The following list describes the platforms that BCAAA can run on to support the specified authentication method. For a list of supported operating systems for your directory services, see Supported Directory Service Operating Systems.

Supported Authentication Methods (table columns, left to right): Integrated Windows Authentication; Oracle COREid version 6.5 and 7.0; CA eTrust SiteMinder version 5.5 and 6.0; Windows SSO; Novell SSO

Platforms:
Windows® Server 2008 (64-bit)      ✔ ✔ ✔
Windows® Server 2008 (32-bit)      ✔ ✔ ✔
Windows® Server 2008 R2 (64-bit)   ✔ ✔ ✔
Windows® Server 2003 (64-bit)      ✔ ✔ ✔
Windows® Server 2003 (32-bit)      ✔ ✔ ✔ ✔ ✔
Windows® 2000 Server (32-bit)      ✔ ✔ ✔ ✔
Solaris 5.8 or 5.9                 ✔

Important: BCAAA can run on any hardware as long as the BCAAA sizing requirements are met. For virtual machine deployments on Windows, please see the appropriate documentation for your Windows platform and the virtual machine software to ensure compatibility.

The BCAAA service cannot be installed on Windows NT, Windows Vista, or Windows 7.


Supported Directory Service Operating Systems

The only supported directory service operating systems for the authentication methods listed in BCAAA Operating System Requirements are:
❐ Windows Server 2000
❐ Windows Server 2003
❐ Windows Server 2003 R2
❐ Windows Server 2008
❐ Windows Server 2008 R2
❐ Solaris 5.8 and 5.9 (SiteMinder and COREid only)

BCAAA Disk Space Requirements

To install BCAAA, make sure that you have at least 45 MB of disk space on your Windows server. Although some versions of BCAAA might require less than 45 MB of disk space, allocating 45 MB ensures that there is enough space to complete the BCAAA installation process. Additional space might be required, depending on the features that have been enabled.
❐ If using Windows SSO with Domain Controller Query
  Add 256 bytes for each concurrent login. For example, if 1000 users will be concurrently logged in to the Windows domain during peak hours, then this feature requires 256k (256 bytes record * 1000 concurrently logged in users).
❐ If using Novell SSO
  Add 256 to 512 bytes for each user concurrently logged in to Novell eDirectory. You only need to count users that are in containers that are monitored by a Novell SSO realm. For Novell SSO, the record length is dependent on the length of each user’s distinguished name in eDirectory. Users with long distinguished names require extra storage. Because distinguished names have a maximum length of 256 bytes in eDirectory, an individual Novell SSO record will not be larger than 512 bytes.

About the BCAAA Upgrade/Downgrade Process

Before upgrading or downgrading your current SGOS version, you must first install the BCAAA protocol version required for the release you are migrating to. This procedure is described in the Upgrade Guide; refer to the appropriate document for your SGOS version:

SGOS Version   Upgrade Guide Link on BTO
SGOS 5.4.x     https://bto.bluecoat.com/doc/12117
SGOS 5.5.x     https://bto.bluecoat.com/doc/12580
SGOS 6.1.x     https://bto.bluecoat.com/doc/14786
SGOS 6.2.x     https://bto.bluecoat.com/doc/16295
SGOS 6.3.x     https://bto.bluecoat.com/doc/17153

Warning: If you do not install the compatible BCAAA protocol version before upgrading or downgrading, authentication fails and you will not be able to reach the BCAAA server to download a compatible version without bypassing the ProxySG.

Using Multiple Versions of the BCAAA Service

Accessing ProxySG appliances running different versions of SGOS requires multiple versions of the BCAAA service to be installed on your computer. Before installing the SGOS version, always ensure you are running the compatible BCAAA version for that release. You must install the compatible BCAAA service before upgrading or downgrading the SGOS version on your ProxySG appliances. To ensure compatibility between the supported BCAAA protocol version and SGOS version installed on the ProxySG, refer to the following table.

SGOS Version                          Supported BCAAA Protocol Version
SGOS 4.2.2                            110
SGOS 4.2.3                            120
SGOS 4.2.4
SGOS 4.3.x                            120
SGOS 5.1.x                            110
SGOS 5.2.x                            120
SGOS 5.3.x                            120
SGOS 5.4.x, SGOS 5.5.x                130
SGOS 6.1.x, SGOS 6.2.x, SGOS 6.3.x

SGOS 5.4.2 and later included a release of BCAAA 130 that added support for Windows Server 2008. The initial version of BCAAA 130 (which shipped with SGOS 5.4.1.x) did not support Windows Server 2008. You can get the most up-to-date version of BCAAA 130 from the BlueTouch Online download page.

❐ Install the lowest version of the BCAAA service first and the highest version of BCAAA last, allowing each version to uninstall the previous version. This process leaves behind the bcaaa.ini and bcaaa-nn.exe files for the lower version.
❐ Only one listening port is used, no matter how many versions you have installed. The BCAAA service hands off the connection to the appropriate BCAAA protocol version.
❐ Installation instructions for BCAAA are located in the BCAAA chapter of the Blue Coat SGOS Administration Guide for your SGOS version. This document is accessible through your BlueTouch Online account at https://bto.bluecoat.com/documentation/pubs/ProxySG
