简介

本文档提供了使用Nutanix将Cx90设备的配置迁移至虚拟环境的必要步骤的全面指南。它涵盖整个迁移过程，从初始规划和评估到虚拟环境的执行和验证。通过遵循此处列出的步骤，组织可以确保平稳高效的过渡，最大限度地减少停机时间并保持现有配置的完整性。

要更详细地了解某些步骤，也可以参阅用户指南或其他相关文章。这些资源提供补充本文档中提供的信息的其他见解和说明。

先决条件

在开始迁移过程之前，请确保满足以下前提条件，以便顺利有效地进行迁移：

C的软件版本要求x90：确保Cx90使用版本15.0.3。请注意，此版本仅适用于Nutanix中的配置迁移过程，切勿在Nutanix生产环境中使用。

1.智能许可证帐户：此迁移需要有效的智能许可证帐户。在开始迁移过程之前，请验证您的智能许可证状态。

2.基本了解集群：熟悉思科安全邮件网关(ESA)的集群概念。这种基本理解对于顺利迁移至关重要。

3.确定现有硬件集群状态：

使用CLI：运行Clusterconfig命令。

使用GUI：导航至Monitor > any。

如果显示“Mode - Cluster： cluster_name”，则表示设备正在集群配置中运行。

5.下载必要的软件：下载适用于KVM的15.0.3版C600v思科安全邮件网关(vESA)软件。

6. 网络资源：为新计算机准备所需的网络资源（IP、防火墙规则、DNS等）。

将硬件(Cx90)升级到15.0.3 AsyncOS

要执行迁移，必须在x90群集中安装版本15.0.3。这是我们可以在Nutanix上运行的初始版本，用于配置迁移。

注意：Nutanix设备中的版本15.0.3只能用于配置迁移，不能管理生产中的邮件流量。生产中支持15.0.3版，以用于其他虚拟环境和物理设备。

将现有Cx90/硬件升级到15.0.3 AsyncOS

从Cisco邮件安全设备AsyncOS 15.0发行版本注释中，使用以下说明升级邮件安全设备：

1. 保存设备的XML配置文件。
2. 如果使用安全列表/阻止列表功能，请将安全列表/阻止列表数据库从设备导出。
3. 挂起所有侦听程序。
4. 等待队列清空。
5. 在“系统管理”选项卡上，选择系统升级
6. 点击可用的升级。页面刷新，显示可用AsyncOS升级版本的列表。
7. 单击Begin Upgrade按钮，随后将开始升级。回答所出现的问题。升级完成后，单击Reboot Now按钮重新启动设备。
8. 恢复所有侦听程序。

重新启动后，验证正在运行的AsyncOS的版本：

• cli，运行命令version。
• UI，导航到监控>系统信息

注意：如果已在集群配置中运行多个设备，则可以跳过下一部分。

在Nutanix中部署C600v

从前提条件中，下载vESA/C600v映像，并根据思科内容安全虚拟设备安装指南进行部署。

vESA许可

此安装需要使用智能许可。版本16.0或更高版本将在Nutanix的虚拟化设备上运行，因此必须使用智能许可，而不是传统的许可模式。因此，必须事先验证是否已正确安装智能许可证。

智能许可创建

这些链接介绍激活过程、定义以及如何对ESA/SMA/WSA上的智能许可服务进行故障排除。

了解智能许可概述和电邮与Web安全的最佳实践

思科安全邮件网关和思科安全邮件和网络管理器的智能许可部署指南

配置迁移流程

对于配置迁移，我们将在现有X90集群中添加新设备。新设备连接到集群后，将自动加载所有已部署的配置，确保实现无缝过渡。此过程利用集群的现有设置有效集成新的虚拟化设备，从而无需人工干预即可保留所有当前配置和设置。此方法可最大程度地减少潜在的中断并确保操作的连续性。

将vESA添加到ESA集群

从vESA上的CLI运行clusterconfig > Join an existing...将vESA添加到集群中，如下所示：

vESA.Nutanix> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 192.168.100.10

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 192.168.100.10:
Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster cluster.Cx90

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster cluster.Cx90)>

此时，您的vESA现在镜像您现有Cx90硬件的配置。这可确保所有设置、策略和配置在两个平台之间保持一致。

要验证同步并确保现有C600v与Cx90之间没有差异，请运行clustercheck命令。 

Cluster cluster.Cx90)> clustercheck

No inconsistencies found on available machines.
(Cluster cluster.Cx90)> 

此命令将帮助您识别可能需要解决的任何潜在不一致问题。

(cluster.Cx90)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine How do you want to resolve this inconsistency?

1. Force the entire cluster to use the vESA.Nutanix version.

2. Force the entire cluster to use the C690.Machine version.

3. Ignore.
[3]> 2

注意：您的vESA尚未处理邮件。在转移到生产之前，请确保vESA更新到版本16.0。此步骤对于系统的稳定性和兼容性至关重要。在进入生产环境之前，请按照以下步骤操作。

从ESA集群中删除vESA

请从vESA上的CLI运行clusterconfig，并使用removememachine 操作从集群中删除设备：

(Cluster cluster.Cx90)> clusterconfig

Cluster cluster.Cx90

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. C690.Machine (group Main_Group)
2. vESA.Nutanix (group Main_Group)
[1]> 2

Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.Nutanix removed from the cluster.

升级vESA

在配置迁移的此阶段，必须将vESA升级到版本16.0。由于版本16.0是生产环境官方支持的第一个版本，因此需要此升级。升级可确保虚拟设备符合最新的功能、安全更新和兼容性要求。通过升级到版本16.0，您可以提高vESA的性能和可靠性，使其完全支持您的生产环境。此步骤对于确保现有基础设施中的无缝集成和最佳操作至关重要。

要将vESA C600v升级到版本16.0：

1. 在“系统管理”选项卡上，选择系统升级
2. 点击可用的升级。页面刷新，显示可用AsyncOS升级版本列表，选择版本16.0。
3. 单击Begin Upgrade按钮，随后将开始升级。回答所出现的问题。升级完成后，单击Reboot Now按钮重新启动设备。
4. 重新启动后，验证正在运行的AsyncOS的版本：

CLI，运行命令version

UI，导航到监控 > 系统信息

创建新集群（在vESA上）

如果要使用相同的群集名称，则需要使用Cx90群集上使用的相同名称创建一个新群集。或者，使用新群集名称创建新群集。此步骤与之前的vESA上的步骤重复：

vESA.Nutanix> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> newcluster.Virtual

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 192.168.101.100 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C195.local using IP address 192.168.101.100 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster newcluster.Virtual

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.Virtual)>
Join Your Cx00v to Your ESA Cluster
From the CLI on the Cx00v, run clusterconfig > Join an exisiting... to add your Cx00v into your new cluster configured on your vESA, similar to the following:

C600v.Nutanix> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 192.168.101.100

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 00:61:32:aa:bb:84:ff:ff:22:75:88:ff:77:48:84:eb
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.Virtual)>

结论

通过执行本文档中概述的步骤，您已使用Nutanix成功将X90设备的配置迁移至虚拟环境。将vESA升级到生产支持的第一个版本16.0可确保虚拟设备完全能够处理生产环境的需求。此次升级提供了对最新功能、安全增强功能和兼容性改进的访问，从而确保了最佳性能和可靠性。

最后一步是确认DNS记录和负载均衡配置已更新以包括vESA，使其能够有效地处理邮件。有了这些配置，您的vESA现在可以在现有基础设施中运行，提供强大的电邮安全和无缝集成。