Introduction
This document describes best practices for virtual licenses for Virtual Email Security Appliance (vESA), Virtual Web Security Appliance (vWSA) or vSMA.
Prerequisites
- You have a Cisco.com account tied to an active Cisco contract.
- You have a fully licensed Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), or Cisco Security Management Appliance (SMA) covered on an active Cisco contract.
- You have read and acknowledged the Cisco Content Security Virtual Appliance Installation Guide.
- The vESA/vWSA/Virtual Security Managment Appliance (vSMA) has been installed into your virtual environment, the System Setup Wizard is completed, and you have issued the saveconfig command from the CLI on the virtual appliance.
- At any time, if you have issues in regards to licensing, you can select Help from the License Registration Portal.
Background Information
Various references can list the virtual ESA as VESA, vESA, or ESAV, and the virtual WSA as VWSA, vWSA, or WSAV, or virtual SMA as VSMA, vSMA, and SMAV. Be sure to use these acronyms interchangeably, as needed.
If you have not downloaded the virtual appliance, you can do so from the following:
Best Practices for Cisco Secure Email Virtual Gateway, Secure Web Appliance Virtual, or Secure Email and Web Manager Virtual Licenses
Before you complete the configuration for your vESA/vWSA/vSMA, you are required to request and install a virtual appliance license.
Obtain a Virtual License (VLN)
A Virtual License Number (VLN) must be created from Cisco Global License Operations (GLO). You need to have your activation keys from your ESA, WSA or SMA, and your Cisco.com account in order to complete this process. If you do not already have a Cisco.com account, register for an account at Register for Account
If you share a current license, you need to have your email address used for the current device registration. If not, you cannot request the Activation Code listed in the steps below. Any assistance with licensing must be handled through GLO. (Phone: 1-800-553-2447, option 3, and request to have a case opened for GLO/Licensing, or contact via email: licensing@cisco.com)
Create a Demo License for a Virtual Appliance
- Go to the Cisco License Registration Portal (LRP): Cisco Go License
- Log in with your Cisco account ID.
- Click Licenses.
- From the Get Licenses drop-down, choose Demo and evaluation...
- From the pop-up, choose the Product Family: Security Products and Product: Cisco Email/Web/Content Security Virtual Demo License.
- You then select the Product for one of the following:
- Cisco Email Security Appliance (ESA) Virtual Appliance 45-Day Demo License
- Cisco Web Security Appliance (WSA) Virtual Appliance 45-Day Demo License
- Cisco Content Security Management Appliance (SMA) Virtual Appliance 45-Day Demo License
- Click Next.
- If you have set up Virtual Account for Smart Account, you can select your account from the drop-down. If not, please continue.
- For Demo license for... Virtual Appliance and validity date, please leave these at the default choice.
- For SN / Virtual Device Identifier, you can enter the serial of your current, fully licensed appliance, or leave it blank and click Next.
- Finally, review the Send To, End User fields and click the check box for the End-User-License-Agreement (EULA); click Add... to include additional recipients.
- Click Submit to complete the demo license request.
- Check the email address as entered in earlier steps, as the demo license is sent to that email address.
Note: Your virtual license file can be sent and received within three hours to the email address as you have specified.
Note: The virtual license file is sent in XML format.
Share a Permanent Hardware License to a Virtual License
- Go to the Cisco LRP: Cisco Go License
- Log in with your Cisco account ID.
- Click Licenses.
- From the Move Licenses drop-down, choose Share License...
- Choose the Get Activation Codes option.
- You are presented with a pop-up window. Choose IronPort Product - SW Bundles (if you have a current software bundle) or IronPort Product - TC (if you have individual products).
- Enter a current ESA/WSA/SMA serial number in the Source Serial Number/Virtual Device Identifier field. If you have multiple ESAs, WSAs, or SMAs, choose one that has the same licenses that you want to be enabled on your virtual appliance.
- For the Select Destination Appliance Type option, choose the Virtual button.
- Leave the Target Serial Number/Virtual Device Identifier field BLANK.
- In the Send to field, enter the email address to which the activation code can be sent.
- If you have previously stepped through the license request, you are presented with a current VLN(s), choose as needed.
- Click Request Code.
- Check the email address as entered in earlier steps. An activation code is sent. Once you receive the activation code, repeat steps #3 and #4 (listed above). Once you reach step #5, choose the Use Activation Codes option.
- Paste in the provided activation code and click Next.
- Choose the Cisco ESA/WSA software SKUs that can be embedded on the Cisco virtual ESA/virtual WSA/virtual SMA license. Click Next.
- Enter the email address to which the license can be sent.
- Finally, click Get License.
Note: Your virtual license file can be sent and received within three hours to the email address you have specified.
Note: The virtual license file is sent in XML format.
Load the Virtual License onto Your Appliance
- The virtual license file once received can only be loaded from the CLI of the appliance that uses the command loadlicense, and then either Paste from CLI or Load from file.
- You need to enter CTRL-D once the license has been entered.
- After the successful load of the license file, you are prompted to accept a EULA. You need to enter Y in order to accept the EULA and complete the upload of the license onto the virtual appliance.
Note: It is recommended to load the XML file in Notepad++, or another similar text editor that is capable of XML rendering. If a web browser is used to open the XML file, extraneous dashes or blank spaces can be added which results in this error – "Malformed license: Invalid XML, could not parse". If you see this error, please try again to upload the XML in an appropriate text editor.
Example output of Paste via CLI:
virtual_esa.local> loadlicense
1. Paste via CLI
2. Load from file
How would you like to load a license file?
[1]> 1
Paste the license file now.
Press CTRL-D on a blank line when done.
<?xml version="1.0"?>
<Envelope xmlns="urn:envelope">
<data>
<License>
<info>
<company>
Cisco SWIFT
</company>
<vln>
VLNESAXXYYZZ
</vln>
<issue>
XXYYZZ79f15642c686424515c4XXYYZZ
</issue>
<license_version>
1.0
</license_version>
<begin_date>
Wed Jul 10 23:09:50 2013 GMT
</begin_date>
<end_date>
Thu Jul 10 23:12:02 2014 GMT
</end_date>
<email>
average_user@cisco.com
</email>
<<<SNIP FOR BREVITY>>>
</Envelope>
^D
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS
VERY IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR
EQUIPMENT FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU
REPRESENT (COLLECTIVELY, THE "CUSTOMER") HAVE BEEN REGISTERED AS THE END
USER FOR THE PURPOSES OF THIS CISCO END USER LICENSE AGREEMENT. IF YOU
ARE NOT REGISTERED AS THE END USER YOU HAVE NO LICENSE TO USE THE SOFTWARE
AND THE LIMITED WARRANTY IN THIS END USER LICENSE AGREEMENT DOES NOT
APPLY. ASSUMING YOU HAVE PURCHASED FROM AN APPROVED SOURCE, DOWNLOADING,
INSTALLING OR Use CISCO OR CISCO-SUPPLIED SOFTWARE CONSTITUTES
ACCEPTANCE OF THIS AGREEMENT.
<<<SNIP FOR BREVITY>>>
Please refer to the Cisco Systems, Inc. End User License Agreement,
Privacy Statement and Service Description of Software Subscription Support
Services.
Do you accept the above license agreement? []> Y
Example output of Load from file:
virtual_esa.local> loadlicense
1. Paste via CLI
2. Load from file
How would you like to load a license file?
[1]> 2
Enter the name of the file in /configuration to import:
[license.xml]> license.xml
Note: If you choose to Load from file, you need to use File Transfer Protocol (FTP) in order to place the license file onto the virtual appliance. This can require configuration of the interface either from CLI with the interfaceconfig command, or the GUI, Network > IP Interfaces. Ensure that FTP is enabled on the interface required, and submit/commit all changes.
An example FTP from your localhost, with standard FTP commands, is shown here:
$ftp 172.16.6.165
Connected to 172.16.6.165.
220 ironport.example.com Cisco IronPort FTP server (V8.0.0) ready
Name (172.16.6.165:user): admin
331 Password required.
Password: <password>
230 Login successful.
Remote system type is UNIX.
Use binary mode to transfer files.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> bin
200 Type set to Binary.
ftp> cd /configuration
250 CWD command successful.
ftp> put license.xml
local: license.xml remote: license.xml
227 Entering Passive Mode (172,16,6,165,67,52)
150 Opening Binary connection for license.xml
######
226 Transfer Complete
6244 bytes sent in 00:00 (90.08 KiB/s)
ftp> quit
221 Goodbye.
Verification
At this point, the license file can be loaded onto your virtual appliance. You can use the featurekey command in order to get the full display of the feature keys that were tied to the license and that are now active.
Note: Feature keys are included as part of the license. The feature keys expire at the same time as the license, even if the feature has not been activated. Purchasing new feature keys requires you to download and install a new virtual appliance license file. This is specified in the Cisco Content Security Virtual Appliance Installation Guide.
You can also use the showlicense command and see the VLN number and license validity dates:
)> showlicense
Virtual License
===============
vln VLNESA123456
begin_date Mon Jan 01 18:20:50 2014 GMT
end_date Wed Dec 31 18:20:49 2014 GMT
company CISCO
seats 25
serial EF7
email average_user@cisco.com
issue 4a0cf2fe83bb47cbbd84e0f359123456
license_version 1.1
Related Information