Masaki Yamauchi
Cisco Employee
Introduction

This article describes how to upgrade an SEG (Secure Email Gateway, formerly ESA) running in Cluster Mode. It is written based on the behavior of AsyncOS 14.2.1; the behavior may differ depending on the SEG version.

The procedure shown here is also only one example of an upgrade. Depending on each customer's requirements, it may be possible to perform the upgrade using steps other than those described here.

Backing up the configuration


Back up the SEG configuration file locally.
ESA: How to obtain the configuration file from the GUI

Note: A configuration file intended for restore must be obtained with passphrases encrypted, not masked. A configuration file with masked passphrases cannot be used for a restore.

Also, since the configuration file obtained from one ESA contains the information of the other ESAs participating in the cluster, obtain the configuration file from one ESA only.

If you use the Safelists/Blocklists feature, back those up as well.
ESA Safelists/Blocklists Backup Procedure

Downloading the image

Log in as the admin user and run the upgrade command.

In this article the DOWNLOAD option is selected so that the image is downloaded in advance and the actual upgrade is performed later. If you want to download and install in one go, you can select the DOWNLOADINSTALL option instead.

Note that the upgrade is performed on each appliance in Machine Mode.

(Cluster testcluster)> clustermode

Choose the configuration mode for subsequent changes.
1. Cluster
2. Group
3. Machine
[1]> 3

Choose a machine.
1. seg1.example.com (group Main_Group)
2. seg2.example.com (group Main_Group)
[1]> 1

(Machine seg1.example.com)> upgrade

Are you sure you want to proceed with upgrade? [N]> y


Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
[]> download

Upgrades available.
1. AsyncOS 14.2.1 build 020 upgrade For Email, 2022-11-22,This release is a
Maintenance Deployment Refresh
2. AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This release is a
Maintenance Deployment
[1]> 2

Download of AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This release
is a Maintenance Deployment has started in background.

Checking download progress

The status of the download can be checked with the DOWNLOADSTATUS option.

(Machine seg1.example.com)> upgrade

Are you sure you want to proceed with upgrade? [N]> y

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- DOWNLOADSTATUS - Shows the download status
- CANCELDOWNLOAD - Cancel ongoing download(AsyncOS 14.2.2 build 004 upgrade For
Email, 2023-02-16,This release is a Maintenance Deployment).
[]> downloadstatus

Download of upgrade image (AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment) is in progress (40%
complete).

Once the download has completed, the INSTALL option is displayed.

(Machine seg1.example.com)> upgrade

Are you sure you want to proceed with upgrade? [N]> y

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- INSTALL - AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This
release is a Maintenance Deployment (needs reboot).
- DELETE - Delete downloaded image(AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment).
[]>

Installing the image

Before performing the upgrade, stop receiving mail.

(Machine seg1.example.com)> suspendlistener

Choose the listener(s) you wish to suspend.
Separate multiple entries with commas.
1. All
2. IncomingMail
3. OutgoingMail
[*]> 1

Enter the number of seconds to wait before abruptly closing connections.
[30]> 30

Waiting for listeners to exit...
Receiving suspended for IncomingMail, OutgoingMail.
Commit sent to 1 of 2 machines. Use the "commitdetail" command for more
information.

Confirm that the number of messages in the work queue has reached zero.

(Machine seg1.example.com)> workqueue

Status as of: Tue Jul 11 04:54:51 2023 GMT
Status: Operational
Messages: 0


Select the INSTALL option to start the installation. The prompts shown after running the INSTALL option may differ by version, so proceed while checking what is actually displayed.

Note that when the install option is run on the first ESA, all appliances are disconnected from the cluster; leave them disconnected until the upgrade of all appliances has completed.

(Machine seg1.example.com)> upgrade

Are you sure you want to proceed with upgrade? [N]> y


Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- INSTALL - AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This
release is a Maintenance Deployment (needs reboot).
- DELETE - Delete downloaded image(AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment).
[]> install

You must disconnect all machines in the cluster in order to upgrade them. Do
you wish to disconnect all machines in the cluster now? [Y]> y

Current downloaded version is AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment.
Do you want to install it ? [Y]> y

Would you like to save the current configuration to the configuration directory
before upgrading? [Y]> y

Would you like to email the current configuration before upgrading? [N]> n

Choose the password option:
1. Mask passwords (Files with masked passwords cannot be loaded using
loadconfig command)
2. Encrypt passwords
[1]> 2

From AsyncOS 13.0 onwards, the Next Generation portal of your appliance by
default uses AsyncOS API HTTP/HTTPS ports (6080/6443) and trailblazer HTTPS
port (4431). You can configure the HTTPS (4431) port using the
trailblazerconfig command in the CLI. Make sure that the configured HTTPS port
is opened on the firewall and ensure that your DNS server can resolve the
hostname that you specified for accessing the appliance.
Performing an upgrade may require a reboot of the system after the upgrade is
applied. You can log in to your appliance after the upgrade is done.
Do you want to proceed with the upgrade? [Y]> y

Preserving configuration ...
Finished preserving configuration
Cisco IronPort Email Security Appliance(tm) Upgrade

Note: The custom CA certificates that are expired or have an issue with basic constraints extension and CA setting are deleted after upgrade.

Finding partitions... done.
Setting next boot partition to current partition as a precaution... done.
Erasing new boot partition... done.
Extracting eapp done.
Extracting scanerroot done.
Extracting splunkroot done.
Extracting savroot done.
Extracting ipasroot done.
Extracting ecroot done.
Removing unwanted files in nextroot done.
Extracting distroot done.
Removing unwanted files in nextroot done.
Taking backup of the pre upgrade libs and bins
Configuring AsyncOS disk partitions... done.
Configuring AsyncOS user passwords... done.
Configuring AsyncOS network interfaces... done.
Configuring AsyncOS timezone... done.
Moving new directories across partitions... done.
Syncing... done.
Reinstalling boot blocks... done.
Will now boot off new boot partition... done.

Upgrade complete. It will be in effect after this mandatory reboot.

After you upgrade to AsyncOS 12.0 or later, you can no longer use certificates with a critical extension that:
- The system cannot recognize
- Contains information that the system cannot process or validate.
All certificates that match the above criterion are deleted.
After you upgrade to AsyncOS 13.0, you cannot use the TLS v1.0 version for GUI in FIPS mode. However, you can enable TLS v1.0 on the appliance, if required.
After you upgrade to AsyncOS 13.5.1 and later, TLS v1.1 and v1.2 is enabled by default.
- You cannot use TLS v1.0 in FIPS mode.
- The appliance disables TLS v1.0 in non-FIPS mode after the upgrade but you can re-enable it if required.

Reboot takes about 20 minutes to complete. Do not interrupt power to the
appliance during this time.
Enter the number of seconds to wait before forcibly closing connections.
[30]> 30

System rebooting. Please wait while the queue is being closed....

Closing CLI connection.
Rebooting the system...

Finally the appliance reboots and the upgrade is complete. The reboot can take around 20 minutes.

Verifying that the upgrade completed

After the reboot, confirm that the appliance is running the intended version.

(Machine seg1.example.com) [Disconnected]> version

Current Version
===============
Product: Cisco C100V Secure Email Gateway Virtual
Model: C100V
Version: 14.2.2-004


If there are no problems, resume receiving mail.

(Machine seg1.example.com) [Disconnected]> resumelistener

Choose the listener(s) you wish to resume.
Separate multiple entries with commas.
1. All
2. IncomingMail
3. OutgoingMail
[*]> 1

Receiving resumed for IncomingMail, OutgoingMail.
Commit sent to 1 of 2 machines. Use the "commitdetail" command for more
information.

Reconnecting the cluster

After the upgrade of all appliances has completed, reconnect the cluster.

(Machine seg1.example.com) [Disconnected]> clusterconfig

This command is restricted to "cluster" mode. Would you like to switch to
"cluster" mode? [Y]> y

This machine (seg1.example.com) is currently disconnected from the cluster.
Do you want to reconnect to the cluster? [Y]> y

Commit sent to 1 of 2 machines. Use the "commitdetail" command for more
information.
Cluster testcluster

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> list

Cluster testcluster
===================
Group Main_Group:
Machine seg1.example.com (Serial #: AAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB)
Machine seg2.example.com (Serial #: CCCCCCCCCCCCCCCCCCCC-DDDDDDDDDDDD) -
administratively disconnected

Cluster testcluster

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> reconnect

Choose the machine to reattach to the cluster. Separate multiple machines with
commas or specify a range with a dash.
1. seg2.example.com (group Main_Group)
[1]> 1

Are you sure you want to reconnect seg2.example.com to the cluster? [Y]> y

Commit sent to 1 of 2 machines. Use the "commitdetail" command for more
information.
seg2.example.com reconnected to the cluster.
Cluster testcluster

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> list

Cluster testcluster
===================
Group Main_Group:
Machine seg1.example.com (Serial #: AAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB)
Machine seg2.example.com (Serial #: CCCCCCCCCCCCCCCCCCCC-DDDDDDDDDDDD)

Cluster testcluster
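As an added example (not part of this article or of any Cisco tool), the following Python script checks the conditions this procedure relies on by parsing captured CLI output: the work queue must be empty before INSTALL, every machine must report the target version after its reboot before the cluster is reconnected, and the clusterconfig list output tells you which machines are still administratively disconnected. The sample outputs are constructed from the transcripts above; how you capture the output (for example over SSH) is out of scope.

```python
import re

# Constructed sample outputs, modelled on the transcripts in this article.
WORKQUEUE_OUT = """Status as of: Tue Jul 11 04:54:51 2023 GMT
Status: Operational
Messages: 0
"""
VERSION_OUT = """Current Version
===============
Product: Cisco C100V Secure Email Gateway Virtual
Model: C100V
Version: 14.2.2-004
"""
CLUSTER_LIST_OUT = """Cluster testcluster
===================
Group Main_Group:
Machine seg1.example.com (Serial #: AAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB)
Machine seg2.example.com (Serial #: CCCCCCCCCCCCCCCCCCCC-DDDDDDDDDDDD) -
administratively disconnected
"""

def workqueue_messages(out):
    """Message count from 'workqueue'; it must be 0 before running INSTALL."""
    m = re.search(r"^Messages:\s*(\d+)\s*$", out, re.M)
    if m is None:
        raise ValueError("no 'Messages:' line in workqueue output")
    return int(m.group(1))

def installed_version(out):
    """Version string (e.g. 14.2.2-004) from the 'version' command."""
    m = re.search(r"^Version:\s*(\S+)", out, re.M)
    if m is None:
        raise ValueError("no 'Version:' line in version output")
    return m.group(1)

def disconnected_machines(out):
    """Machines that 'clusterconfig > list' still flags as disconnected.
    The CLI wraps the flag onto the next line, so rejoin wrapped lines first."""
    joined = re.sub(r"\s*-\n\s*", " - ", out)
    return [m.group(1) for m in re.finditer(r"^Machine (\S+)(.*)$", joined, re.M)
            if "administratively disconnected" in m.group(2)]

def safe_to_reconnect(target, version_outputs):
    """Reconnect only after every machine reports the target version.
    version_outputs maps hostname -> that machine's 'version' output."""
    return all(installed_version(v) == target for v in version_outputs.values())
```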

References

End User Guide

Release Notes

Notes on performing an AsyncOS upgrade

Upgrade Email Security Appliance (ESA) with GUI or CLI
