Field Notice: FN - 64177 - Change in IP Addresses Used for Static Updates by Email and Web Security Appliances and Content Security Management Appliance - Workaround Provided

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	02-Aug-16	Initial Release
10.0	19-Oct-17	Migration to new field notice system

Products Affected

Affected OS Type	Affected Release	Affected Release Number	Comments
NON-IOS	10.0	10.0.0
NON-IOS	9	9.1.1,9.5.0
NON-IOS	9.6	9.6.0,9.6.1
NON-IOS	9.0	9
NON-IOS	9.5	9.5.1
NON-IOS	10.1	10.1.0
NON-IOS	8.4	8.4
NON-IOS	10	10.0.1
NON-IOS	8	8.0.0,8.0.1,8.5.5,8.5.6,8.5.7
NON-IOS	9	9.0.0,9.1.0,9.6.0,9.7.0,9.7.1,9.8.0,9.8.1
NON-IOS	7	7.7.5
NON-IOS	11	11.0.0
NON-IOS	10	10.0.0,10.1.0,10.1.1
NON-IOS	9	9.0.0,9.0.1,9.1.1,9.1.2,9.2.0

Defect Information

Defect ID	Headline
CSCvf34445	There were no defects filed with this field notice at the time of publication.

Problem Description

There is a change to update the IPv4 addresses for the Cisco Content Security Appliances Update Server scheduled for August 15th, 2016. This affects all models and versions of the Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Content Security Management Appliance (SMA).

Background

By default, Cisco security appliances use forward and reverse Domain Name System (DNS) in order to connect to the Update Server platform. Cisco offers static hosts for customers that have strict firewall or proxy requirements. It is important to note that if you configure your appliance to use the static hosts for downloads and updates, the same static hosts for downloads and updates must be allowed in the firewall and/or proxy on customer networks as well. Previously, Cisco's offering of the static updater host/IP consisted of the service being offered from one of our data centers that provides the updater service. This is being updated for resiliency and redundancy to now provide the updater service from our two primary data centers.

Problem Symptom

If static IP addresses are configured for the updater server and the addresses are not included in the outbound HTTP/HTTPS Access Control List (ACL) filters, the Content Security Appliances might not receive security updates after August 15th, 2016.

Workaround/Solution

Customers that have configured static IP addresses for their appliances' updater servers, and/or perform outbound HTTP/HTTPS ACL filtering, will need to allow NEW/additional connectivity to these IP addresses:

update-manifests.ironport.com (hardware appliances):

208.90.58.5 on port 443 (Current)

184.94.240.102 on port 443 <--- NEW/additional

update-manifests.sco.cisco.com (virtual appliances):

208.90.58.6 on port 443 (Current)

184.94.240.125 on port 443 <--- NEW/additional

updates-static.ironport.com:

208.90.58.25 on port 80 (Current)

184.94.240.106 on port 80 <--- NEW/additional

Note: It is highly recommended to add these hostnames along with the IP addresses since any future additions will have DNS to do the lookup for the IP address information.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email
• By telephone

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.