This document provides a comprehensive guide on the necessary steps to migrate the configuration of Cx90 equipment to a virtual environment using Nutanix. It covers the entire migration process, from initial planning and assessment through to the execution and validation of the virtual environment. By following the procedures outlined here, organizations can ensure a smooth and efficient transition, minimizing downtime and preserving the integrity of their existing configurations.
For a more detailed understanding of certain steps, you may also refer to the user guide or other relevant articles. These resources offer additional insights and instructions that complement the information provided in this document.
Before beginning the migration process, ensure that these prerequisites are met to facilitate a smooth and efficient transition:
1. Software Version Requirement for Cx90: Ensure that the Cx90 is running version 15.0.3. Note that this version is required solely for the configuration migration process in Nutanix and should never be used in Nutanix production environments.
2. Smart License Account: A valid Smart License Account is required for this migration. Please verify your Smart License status before starting the migration process.
3. Basic Understanding of Clustering: Familiarize yourself with the clustering concepts for Cisco Secure Email Gateway (ESA). This basic understanding is crucial for a smooth migration.
4. Determine Existing HW Cluster Status:
Using CLI: Run the command clusterconfig.
Using GUI: Navigate to Monitor > any.
If you see “Mode – Cluster: cluster_name”, your appliances are running in a clustered configuration.
5. Download Necessary Software: Download the Cisco Secure Email Gateway (vESA) software, version 15.0.3 model C600v for KVM.
6. Network resources: Prepare the required network resources for the new machine (IPs, Firewall rules, DNS, etc).
To perform the migration, you must have version 15.0.3 installed on the x90 cluster. This is the initial version that we can run on Nutanix for configuration migration.
Note: Version 15.0.3 in a Nutanix appliance can only be used for the configuration migration, never for managing email traffic in production. Version 15.0.3 is supported in production for other virtual environments and physical appliances.
From the Release Notes for AsyncOS 15.0 for Cisco Email Security Appliances, use these instructions to upgrade your Email Security appliance:
Post-reboot, validate the version of AsyncOS running:
Note: If you have multiple appliances already running in a cluster configuration you can skip the next section.
From the prerequisites, download the vESA/C600v image and deploy per the Cisco Content Security Virtual Appliance Installation Guide.
1. Ensure that your equipment and software meet all system requirements. Since the migration will utilize version 15.0.3 and model C600v, adhere to the same requirements specified for version 16.0.
Nutanix AOS: Version 6.5.5.7
Nutanix Prism Central: Version pc.2022.6.0.10
2. Download the virtual appliance image, model C600v version 15.0.3 for KVM.
3. Determine the amount of RAM and the number of CPU cores to allocate to your virtual appliance model.
Cisco Secure Email Virtual Gateway
AsyncOS Release | Model | Recommended Disk Size | Memory | Processor Cores |
---|---|---|---|---|
AsyncOS 15.0 and later | C600v | 500 GB | 16 GB | 8 |
4. Deploy the virtual KVM image appliance C600v (version 15.0.3) on your Nutanix Prism. (Installation guide)
This installation requires the use of Smart Licensing. Version 16.0 or higher, which will be run on the virtualized equipment in Nutanix, necessitates Smart Licensing instead of the traditional license model. Therefore, it is essential to verify that the Smart Licenses are properly installed in advance.
These links describe the activation process, definitions, and how to troubleshoot the Smart Licensing Service on ESA/SMA/WSA.
Understand Smart Licensing Overview and Best Practices for Email and Web Security
For the configuration migration, we will add the new equipment to the existing X90 cluster. Once the new equipment is connected to the cluster, it will automatically load all the deployed configurations, ensuring a seamless transition. This process leverages the cluster's existing setup to integrate the new virtualized equipment efficiently, thereby preserving all current configurations and settings without manual intervention. This approach minimizes potential disruptions and ensures continuity of operations.
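From the CLI on the vESA, run clusterconfig > Join an existing... to add your vESA into your cluster. When the session asks you to verify the SSH host key, compare the displayed fingerprint with the one obtained on the existing cluster member (logconfig -> hostkeyconfig -> fingerprint) before you answer Y. The session is similar to the following: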
vESA.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception: Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 192.168.100.10
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 192.168.100.10:
Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster cluster.Cx90
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster cluster.Cx90)>
At this point, your vESA now mirrors the configuration of your existing Cx90 hardware. This ensures that all settings, policies, and configurations are consistent across both platforms.
To validate the synchronization and ensure there are no discrepancies between the existing C600v and your Cx90, run the clustercheck command.
(Cluster cluster.Cx90)> clustercheck
No inconsistencies found on available machines.
(Cluster cluster.Cx90)>
This command identifies any inconsistencies that need to be addressed and prompts you to resolve each one, for example:
(cluster.Cx90)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine
C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine
How do you want to resolve this inconsistency?
1. Force the entire cluster to use the vESA.Nutanix version.
2. Force the entire cluster to use the C690.Machine version.
3. Ignore.
[3]> 2
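Before choosing a "force" option, it helps to see which copy will be overwritten and whether it is the newer one; in the sample above, option 2 discards the more recently updated vESA.Nutanix copy. The parser below is an added example, not part of the original document or the product: it assumes clustercheck output in the layout of that sample, and its function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed clustercheck output, following the sample on this page.
SAMPLE_OUTPUT = """\
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine
C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine
How do you want to resolve this inconsistency?
"""

HEAD = re.compile(r"(?P<area>.+) at (?P<level>.+):")
COPY = re.compile(
    r"(?P<machine>\S+) was updated \w+ (?P<mon>[A-Za-z]{3})[a-z]* (?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4}) GMT by '(?P<user>[^']*)' on \S+")

def parse_clustercheck(text):
    """Return one report per inconsistent settings area in clustercheck output."""
    reports = []
    for line in (l.strip() for l in text.splitlines()):
        head, copy = HEAD.fullmatch(line), COPY.fullmatch(line)
        if copy and reports:
            # The weekday is ignored and the month cut to three letters,
            # because the sample mixes "July" and "Jun".
            stamp = "{mon} {day} {year} {time}".format(**copy.groupdict())
            reports[-1]["copies"].append({
                "machine": copy["machine"], "user": copy["user"],
                "updated": datetime.strptime(stamp, "%b %d %Y %H:%M:%S")})
        elif head:
            reports.append({"area": head["area"], "level": head["level"],
                            "copies": []})
    return reports

def discarded_by_forcing(report, keep_machine):
    """List (machine, user, is_newer) for every copy that forcing the cluster
    to keep_machine's version would overwrite."""
    kept = next(c for c in report["copies"] if c["machine"] == keep_machine)
    return [(c["machine"], c["user"], c["updated"] > kept["updated"])
            for c in report["copies"] if c["machine"] != keep_machine]
```

A result with is_newer set to True means the forced version replaces a later change, which is worth reviewing on the Cx90 before answering the prompt.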
Note: Your vESA is not yet processing mail. Before moving to production, ensure that the vESA is updated to version 16.0. This step is crucial for the system's stability and compatibility. Follow the next steps before you move to production.
From the CLI on the vESA, please run clusterconfig and remove the appliance from the cluster using the removemachine operation:
(Cluster cluster.Cx90)> clusterconfig
Cluster cluster.Cx90
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine
Choose the machine to remove from the cluster.
1. C690.Machine (group Main_Group)
2. vESA.Nutanix (group Main_Group)
[1]> 2
Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y
Please wait, this operation may take a minute...
Machine vESA.Nutanix removed from the cluster.
At this stage of your configuration migration, it is mandatory to upgrade the vESA to version 16.0. This upgrade is required because version 16.0 is the first version officially supported for production environments. Upgrading ensures that the virtual appliance aligns with the latest features, security updates, and compatibility requirements. By upgrading to version 16.0, you will enhance the performance and reliability of your vESA, enabling it to fully support your production environment. This step is crucial to ensure seamless integration and optimal operation within your existing infrastructure.
To upgrade the vESA C600v to version 16.0:
CLI: Run the command version.
UI: Navigate to Monitor > System Info.
If you wish to use the same cluster name, create a new cluster using the same name used on the Cx90 cluster. Otherwise, create a new cluster with a new cluster name. This is a repeat of the steps from earlier, just now on the vESA:
vESA.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2
Enter the name of the new cluster.
[]> newcluster.Virtual
Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1
What IP address should other machines use to communicate with Machine C170.local?
1. 192.168.101.100 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1
Other machines will communicate with Machine C195.local using IP address 192.168.101.100 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster newcluster.Virtual)>
Join Your Cx00v to Your ESA Cluster
From the CLI on the Cx00v, run clusterconfig > Join an existing... to add your Cx00v into your new cluster configured on your vESA, similar to the following:
C600v.Nutanix> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception: Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 192.168.101.100
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 00:61:32:aa:bb:84:ff:ff:22:75:88:ff:77:48:84:eb
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster newcluster.Virtual)>
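A check for the host key step in both join sessions above (the vESA joining the Cx90 cluster, and the Cx00v joining the new cluster), as an added example that is not part of the original document or Cisco tooling: it audits a captured session against a fingerprint recorded beforehand on the remote machine with logconfig -> hostkeyconfig -> fingerprint. The function names and the transcript are this example's own, and it assumes both fingerprints use the 16-byte colon-separated form shown on this page.

```python
import re

# Constructed transcript in the format of the join sessions on this page;
# the address and fingerprint are sample values.
SAMPLE_SESSION = """\
Enter the IP address of a machine in the cluster.
[]> 192.168.100.10
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Please verify the SSH host key for 192.168.100.10:
Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa
Is this a valid key for this host? [Y]> y
"""

FP_RE = re.compile(r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}")

def normalize_fp(fp):
    """Lower-case the fingerprint and require 16 colon-separated hex bytes
    (assumed format, as displayed on this page)."""
    fp = fp.strip().lower()
    if not FP_RE.fullmatch(fp):
        raise ValueError("unexpected fingerprint format: %r" % fp)
    return fp

def audit_join(session, pinned_fp):
    """Return a list of findings for one captured join session (empty = clean).
    pinned_fp is the fingerprint recorded out of band on the remote machine."""
    entered = re.search(r"machine in the cluster\.\s*\[\]>[ \t]*(\S+)", session)
    prompt = re.search(r"Please verify the SSH host key for (\S+):", session)
    shown = re.search(r"Public host key fingerprint:[ \t]*(\S+)", session)
    answer = re.search(r"Is this a valid key for this host\? \[Y\]>[ \t]*(\S*)", session)
    if not (entered and prompt and shown and answer):
        return ["join prompts not found in session"]
    findings = []
    # The key prompt should name the address the operator typed.
    if entered.group(1) != prompt.group(1):
        findings.append("key prompt is for %s, but %s was entered"
                        % (prompt.group(1), entered.group(1)))
    # An empty answer takes the default [Y], so it counts as acceptance.
    accepted = answer.group(1).lower() in ("", "y", "yes")
    if normalize_fp(shown.group(1)) != normalize_fp(pinned_fp):
        findings.append("fingerprint differs from pinned value"
                        + (" and was accepted" if accepted else ""))
    return findings
```

Any finding means the join should be treated as unverified: remove the machine from the cluster and repeat the join after confirming the fingerprint on the remote appliance.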
By following the steps outlined in this document, you have successfully migrated the configuration of your X90 equipment to a virtual environment using Nutanix. Upgrading the vESA to version 16.0, the first version supported for production, ensures that your virtual appliance is fully capable of handling the demands of your production environment. This upgrade provides access to the latest features, security enhancements, and compatibility improvements, ensuring optimal performance and reliability.
As a final step, confirm that your DNS records and load balancing configurations are updated to include the vESA, enabling it to process mail effectively. With these configurations in place, your vESA is now ready to operate within your existing infrastructure, providing robust email security and seamless integration.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 16-Oct-2024 | Initial Release |