Introduction
This document describes the IP address(es) and hosts needed to configure your Cisco Content Security appliance for use with a static host for downloads, updates, and upgrades. These configurations are to be used for either hardware or virtual Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), or Security Management Appliance (SMA).
Content Security Appliance Downloads, Updates or Upgrades using a Static Host
Cisco offers static hosts for customers that have strict firewall or proxy requirements. Note that if you configure your appliance to use the static hosts for downloads and updates, those same static hosts must also be allowed through the firewall and proxy on your network.
Here are the static hostname(s), IP address(es), and ports that are involved in the download, update, and upgrade processes:
- downloads-static.ironport.com
- updates-static.ironport.com
- 208.90.58.25 (port 80)
- 184.94.240.106 (port 80)
Service Update configuration via GUI
Complete these steps in order to change the download, update, or upgrade configuration on AsyncOS from the GUI:
- Navigate to the update settings configuration page:
  - WSA: System Administration > Upgrade and Update Settings
  - ESA: Security Services > Service Updates
  - SMA: System Administration > Update Settings
- Click Edit Update Settings...
- In the Update Servers (images) section, select "Local Update Servers (location of update image files)".
- In the Base URL field, enter http://downloads-static.ironport.com, and in the Port field, enter 80.
- Leave the Authentication (optional) fields empty.
- (*) ESA only - In the Host field (McAfee Anti-Virus definitions, PXE Engine updates, Sophos Anti-Virus definitions, IronPort Anti-Spam rules, Outbreak Filters rules, DLP updates, Time zone rules, and Enrollment Client (used to fetch certificates for URL Filtering)), enter updates-static.ironport.com. (Port 80 is optional.)
- Leave the Update Servers (list) section and fields all set to the default Cisco IronPort Update Servers.
- Ensure that the Interface is selected as needed for external communication, if the appliance must communicate over a specific interface. The default setting is Auto Select.
- Verify and update the configured Proxy Servers, if required.
- Click Submit.
- In the upper right corner, click Commit Changes.
- Finally, click Commit Changes again to confirm all configuration changes.
Proceed to the Verification section of this document.
Configuration of updateconfig via the CLI
The same changes can be applied via the CLI on the appliance. Complete these steps in order to change the download, update, or upgrade configuration on AsyncOS from the CLI:
- Run the CLI command updateconfig.
- Enter the command SETUP.
- The first section presented to configure is "Feature Key updates". Choose '2. Use own server' and enter http://downloads-static.ironport.com:80/.
- (*) ESA only - The second section presented to configure is "Service (images)". Choose '2. Use own server' and enter updates-static.ironport.com.
- All other configuration prompts can be left set to default.
- Ensure that the Interface is selected as needed for external communication, if the appliance must communicate over a specific interface. The default setting is Auto.
- Verify and update the configured Proxy Server, if required.
- Press Return to go back to the main CLI prompt.
- Run the CLI command COMMIT to save all configuration changes.
Proceed to the Verification section of this document.
Verification
Updates
Updates on the appliance are best verified from the CLI.
From the CLI:
- Run updatenow.
- (*) ESA only - you can run updatenow force to make all services and rule sets update.
- Run tail updater_logs.
Pay close attention to lines that contain "http://updates-static.ironport.com/...". These lines signal communication with, and downloads from, the static updater server.
Example from an ESA updating the Cisco Antispam Engine (CASE) and its associated rules:
Wed Aug 2 09:22:05 2017 Info: case was signalled to start a new update
Wed Aug 2 09:22:05 2017 Info: case processing files from the server manifest
Wed Aug 2 09:22:05 2017 Info: case started downloading files
Wed Aug 2 09:22:05 2017 Info: case waiting on download lock
Wed Aug 2 09:22:05 2017 Info: case acquired download lock
Wed Aug 2 09:22:05 2017 Info: case beginning download of remote file "http://updates-static.ironport.com/case/2.0/case/default/1480513074538790"
Wed Aug 2 09:22:07 2017 Info: case released download lock
Wed Aug 2 09:22:07 2017 Info: case successfully downloaded file "case/2.0/case/default/1480513074538790"
Wed Aug 2 09:22:07 2017 Info: case waiting on download lock
Wed Aug 2 09:22:07 2017 Info: case acquired download lock
Wed Aug 2 09:22:07 2017 Info: case beginning download of remote file "http://updates-static.ironport.com/case/2.0/case_rules/default/1501673364679194"
Wed Aug 2 09:22:10 2017 Info: case released download lock
<<<SNIP FOR BREVITY>>>
As long as the service communicates, downloads, and then successfully applies the update, you are set.
Once the service update is completed, the updater_logs will show:
Wed Aug 2 09:22:50 2017 Info: case started applying files
Wed Aug 2 09:23:04 2017 Info: case cleaning up base dir [bindir]
Wed Aug 2 09:23:04 2017 Info: case verifying applied files
Wed Aug 2 09:23:04 2017 Info: case updating the client manifest
Wed Aug 2 09:23:04 2017 Info: case update completed
Wed Aug 2 09:23:04 2017 Info: case waiting for new updates
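As an added example (not from the Cisco document or from AsyncOS itself), the following Python script parses updater_logs lines in the format shown above and reports, per service, whether every download came from the expected static host and whether "update completed" was logged. The log sample is constructed; the sophos lines use the constructed host updates.example.invalid to show how a download that bypasses the static host would be flagged.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the updater_logs format shown on this page.
# The sophos lines deliberately use a non-static (constructed) host.
SAMPLE_LOG = """\
Wed Aug 2 09:22:05 2017 Info: case was signalled to start a new update
Wed Aug 2 09:22:05 2017 Info: case beginning download of remote file "http://updates-static.ironport.com/case/2.0/case/default/1480513074538790"
Wed Aug 2 09:22:07 2017 Info: case successfully downloaded file "case/2.0/case/default/1480513074538790"
Wed Aug 2 09:22:09 2017 Info: sophos beginning download of remote file "http://updates.example.invalid/sophos/1.0/rules/default/1"
Wed Aug 2 09:22:11 2017 Info: sophos successfully downloaded file "sophos/1.0/rules/default/1"
Wed Aug 2 09:23:04 2017 Info: case update completed
"""

# "<Day> <Mon> <d> <HH:MM:SS> <YYYY> <Level>: <service> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<level>\w+): (?P<service>\S+) (?P<msg>.*)$"
)
DOWNLOAD_RE = re.compile(r'beginning download of remote file "(?P<url>[^"]+)"')


def parse_updater_logs(text):
    """Yield (timestamp, level, service, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["level"], m["service"], m["msg"]


def audit_static_host(text, expected_host="updates-static.ironport.com"):
    """Per service: hosts downloaded from, whether all of them are the
    expected static host, and whether the update was reported completed."""
    report = {}
    for _ts, _level, service, msg in parse_updater_logs(text):
        entry = report.setdefault(service, {"hosts": set(), "completed": False})
        dl = DOWNLOAD_RE.search(msg)
        if dl:
            entry["hosts"].add(urlparse(dl["url"]).hostname)
        if msg == "update completed":
            entry["completed"] = True
    for entry in report.values():
        # True only if at least one download was seen and none left the static host
        entry["static_only"] = bool(entry["hosts"]) and entry["hosts"] <= {expected_host}
    return report


if __name__ == "__main__":
    for svc, e in audit_static_host(SAMPLE_LOG).items():
        print(f"{svc}: hosts={sorted(e['hosts'])} static_only={e['static_only']} "
              f"completed={e['completed']}")
```

On a real appliance, feed it the output of tail updater_logs; any service with static_only False is still reaching a host other than the one configured in the steps above.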
Upgrades
In order to verify that the upgrade communication is successful and completes, navigate to the System Upgrade page and click Available Upgrades. If the list of available versions displays, then your setup is complete.
From the CLI, you can simply run the upgrade command. Choose the download option to view the upgrade manifest, if there are available upgrades.
myesa.local> upgrade
Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
[]> download
Upgrades available.
1. AsyncOS 9.6.0 build 051 upgrade For Email, 2015-09-02 this release is for General Deployment
2. AsyncOS 9.7.0 build 125 upgrade For Email, 2015-10-15. This release is for General Deployment
3. AsyncOS 9.7.1 build 066 upgrade For Email, 2016-02-16. This release is for General Deployment.
4. cisco-sa-20150625-ironport SSH Keys Vulnerability Fix
[4]>
Troubleshooting
Updates
The appliance sends notification alerts when the updates fail. Here is an example of the most commonly received email notification:
The updater has been unable to communicate with the update server for at least 1h.
Last message occurred 4 times between Tue Mar 1 18:02:01 2016 and Tue Mar 1 18:32:03 2016.
Version: 9.7.1-066
Serial Number: 888869DFCCCC-3##CV##
Timestamp: 01 Mar 2016 18:52:01 -0500
Test communication from the appliance to the specified updater server. In this instance, the host of concern is downloads-static.ironport.com. Using telnet, the appliance should be able to open a connection over port 80:
myesa.local> telnet downloads-static.ironport.com 80
Trying 208.90.58.105...
Connected to downloads-static.ironport.com.
Escape character is '^]'.
Likewise, the same should be seen for updates-static.ironport.com:
> telnet updates-static.ironport.com 80
Trying 208.90.58.25...
Connected to origin-updates.ironport.com.
Escape character is '^]'.
If your appliance has multiple interfaces, run telnet from the CLI and specify the interface, in order to validate that the proper interface is selected:
> telnet
Please select which interface you want to telnet from.
1. Auto
2. Management (172.18.249.120/24: myesa.local)
[1]>
Enter the remote hostname or IP address.
[]> downloads-static.ironport.com
Enter the remote port.
[25]> 80
Trying 208.90.58.105...
Connected to downloads-static.ironport.com.
Escape character is '^]'.
Upgrades
When trying to upgrade, you may see the following response:
No available upgrades. If the image has already been downloaded it has been de-provisioned from the upgrade server. Delete the downloaded image, if any and run upgrade.
Review the version of AsyncOS that is running on the appliance and the Release Notes of the version you are upgrading to. It is possible that there is no upgrade path from the version you are running to the version you are trying to upgrade to.
If you are upgrading to a Hot Patch (HP), Early Deployment (ED), or Limited Deployment (LD) AsyncOS version, you may need to open a support case to request that the proper provisioning be completed, so that your appliance can see the required upgrade path.