Deploy on VMWare ESXi


1. Review the Release Notes for your AsyncOS release.

   More information: Release Notes are available from the locations in Additional Information.

2. Download the virtual appliance image and MD5 hash from Cisco.

   More information: You will need the MD5 hash to check the data integrity of the appliance image. See Prepare the Content Secure Image and Files.

3. Deploy the virtual appliance on your ESXi host or cluster.

   More information: See Deploy the Virtual Appliance.

4. (Optional) Clone the image if you want to run multiple virtual appliances on your network.

   More information: If you will deploy the High Availability feature introduced in AsyncOS 8.5 for Cisco Web Security Appliances, configure the host to support this feature. For more information, see (Optional) Configure the Virtual Interface to Support High Availability for ESXi.

5. Prevent intermittent connectivity issues.

   More information: Disable unused network interface cards (NICs) on the virtual machine.

6. Configure synchronization on the virtual machine to avoid random failures on your Cisco Content Security virtual appliance.

   More information: See Important! Prevent Random Failures.

7. If DHCP is disabled, set up the appliance on your network.

   More information: See If DHCP Is Disabled, Set Up the Appliance on the Network (VMware vSphere).

8. Install the license file.

   More information: See Install the Virtual Appliance License File.

9. Log in to the web UI of your appliance and configure the appliance software as you would for a physical appliance. For example, you can:

  • Run the System Setup Wizard

  • Upload a configuration file

  • Manually configure features and functionality

   More information:

  • For instructions on accessing and configuring the appliance, including gathering required information, see the online help or user guide for your AsyncOS release, available from the relevant location in Additional Information.

  • To migrate settings from a physical appliance, see the release notes for your AsyncOS release.

   Feature keys are not activated until you enable the respective features.

10. Configure the appliance to send alerts when license expiration nears.

   More information: See the online help or user guide for your AsyncOS release, available from the relevant location in Additional Information.


(Optional) Configure the Virtual Interface to Support High Availability for ESXi

The high availability feature was introduced in AsyncOS 8.5 for Cisco Web Security Appliances and is described in detail in the user guide and online help.

If your Cisco Secure Web Appliance will be added to a failover group for high availability, configure the virtual interface to use promiscuous mode, in order to enable the appliances in the failover group to communicate with each other using multicasting.

You can make this change at any time.

Set Promiscuous mode to Accept for the VLAN Port Group/Distributed Port Group associated with the virtual interface of the appliance.

(Optional) Clone the Virtual Appliance

If you will run multiple virtual security appliances in your environment:

  • Cisco recommends that you clone the virtual security appliance before you run it the first time.

  • Cloning a virtual security appliance after the license for the virtual appliance has been installed forcibly expires the license. You will have to install the license again.

  • You must shut down the virtual appliance before cloning it.

  • If you want to clone a virtual appliance that is already in use, see Clone a Virtual Appliance Already in Use for more information.

For instructions on cloning a virtual machine, see VMware’s technical documentation at http://www.vmware.com/support/ws55/doc/ws_clone.html.

Deploy the Virtual Appliance

Before you begin

Procedure


Step 1

Unzip the .zip file for the virtual appliance in its own directory.

Example: C:\vESA\C100V or :\vWSA\S300V.

Step 2

Open the VMware vSphere Client on your local machine.

Step 3

Select the ESXi host or cluster to which you want to deploy the virtual appliance.

Step 4

Choose File > Deploy OVF template.

Step 5

Enter the path to the OVF file in the directory you created.

Step 6

Click Next.

Step 7

Complete the wizard.

  • Thin provisioning for disk storage is supported at the hypervisor layer. Disk space and performance may be reduced if you select this option.

Note

Except as explicitly stated in the AsyncOS documentation, modifications to the ESXi configurations defined in the OVF are not supported.

Note

Do not take a backup (snapshot) of the virtual appliance using VMware or any other third-party tools, and do not restore a virtual appliance from a snapshot. Instead, you can back up the configuration using the System Administration > Configuration File menu in the user interface or the saveconfig CLI command. You can then load it on another spawned virtual appliance.


Important! Prevent Random Failures


Caution


It is important that you do not shut down or restart the virtual appliances using the vSphere client or web client unless advised to do so by Cisco Technical Support. Cisco recommends that you use the shutdown or reboot command from the CLI, or the Shutdown/Reboot option that is listed in the system administration tab of the appliance GUI. If you power cycle the appliance (or experience a power outage to the virtual infrastructure), it may lead to lost messages, database corruption, or lost logging data. Failure to unmount the file system cleanly damages the file system, leaving the system in a broken state.


Virtual machines have inherent timing quirks that you must address in order to avoid random failures on your Cisco Content Security virtual appliance. To prevent these issues, enable exact time stamp counter synchronization on your virtual machine.

Before you begin

  • For more information on timekeeping basics, virtual time stamp counters, and exact synchronization, see VMware’s Timekeeping in Virtual Machines PDF at http://www.vmware.com/files/pdf/techpaper/Timekeeping-In-VirtualMachines.pdf.

  • Instructions for your version of the vSphere client may vary from the procedure below. Use this as a general guide and see the documentation for your client as needed.

Procedure


Step 1

In the vSphere Client, select a virtual appliance from the list of machines.

Step 2

Log in to the CLI, and type the command shutdown to power off the virtual appliance.

Step 3

Right-click the appliance and select Edit Settings.

Step 4

Click the Options tab and select Advanced > General.

Step 5

Click Configuration Parameters.

Step 6

Edit or add the following parameters:

monitor_control.disable_tsc_offsetting=TRUE

monitor_control.disable_rdtscopt_bt=TRUE

timeTracker.forceMonotonicTTAT=TRUE

Step 7

Close the settings window and run the appliance.
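A check for the three parameters in Step 6, added here as an example and not Cisco or VMware code: it reads the text of a virtual machine's .vmx file and reports each setting that is missing, has the wrong value, appears with conflicting values, or is spelled with different letter case. The function names, the one `name = "value"` pair per line layout, the case-insensitive reading of TRUE, and the sample file are assumptions made for illustration.

```python
import re

# Settings from Step 6 above, with the documented spelling.
REQUIRED = {
    "monitor_control.disable_tsc_offsetting": "TRUE",
    "monitor_control.disable_rdtscopt_bt": "TRUE",
    "timeTracker.forceMonotonicTTAT": "TRUE",
}

# Assumed .vmx layout: one `name = "value"` pair per line.
_LINE = re.compile(r'^\s*([^\s=#]+)\s*=\s*"([^"]*)"\s*$')

def parse_vmx(text):
    """Return {name: [values]} so that repeated names stay visible."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params.setdefault(m.group(1), []).append(m.group(2))
    return params

def audit_tsc_settings(text):
    """Return {name: problem} for each Step 6 setting that is not in effect."""
    params = parse_vmx(text)
    by_lower = {name.lower(): name for name in params}
    findings = {}
    for name, want in REQUIRED.items():
        values = params.get(name)
        if values is None:
            near = by_lower.get(name.lower())
            # A case-variant name is reported rather than trusted.
            findings[name] = ("present as %r (letter case differs)" % near
                              if near else "missing")
        elif len(set(values)) > 1:
            findings[name] = "conflicting values %r" % values
        elif values[0].strip().upper() != want:
            findings[name] = "set to %r, expected %s" % (values[0], want)
    return findings

# Constructed sample, not taken from a real appliance.
SAMPLE_VMX = """\
displayName = "example-appliance"
monitor_control.disable_tsc_offsetting = "TRUE"
monitor_control.disable_rdtscopt_bt = "FALSE"
timetracker.forcemonotonicttat = "TRUE"
"""

if __name__ == "__main__":
    for name, problem in audit_tsc_settings(SAMPLE_VMX).items():
        print("%s: %s" % (name, problem))
```

An empty result means all three settings are present with the value TRUE; run it against a copy of the .vmx file while the appliance is shut down, as in Step 2.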


If DHCP Is Disabled, Set Up the Appliance on the Network (VMware vSphere)


Note


If you cloned the virtual security appliance image, perform the following steps for each image.


Procedure


Step 1

From the vSphere client console, run interfaceconfig.

Step 2

Write down the IP address of the virtual appliance’s Management port.

The Management port obtains its IP address from your DHCP server. If the appliance cannot reach a DHCP server, it will use 192.168.42.42 by default.

Step 3

Configure the default gateway using the setgateway command.

Step 4

Commit the changes.

Note

The hostname does not update until after you have completed the setup wizard.