簡介

本文檔提供了使用Nutanix將Cx90裝置配置遷移到虛擬環境的必要步驟的全面指南。它涵蓋整個遷移過程，從初始規劃和評估，到虛擬環境的執行和驗證。透過遵循此處所述的步驟，組織可以確保平穩且高效的過渡，最大限度地減少停機時間並保持現有配置的完整性。

有關某些步驟的詳細說明，您還可以參閱使用手冊或其他相關文章。這些資源提供了其他見解和說明，對本文檔中提供的資訊進行了補充。

必要條件

在開始遷移過程之前，請確保滿足以下前提條件，以便順利且高效地完成過渡：

C的軟體版本需求x90：確保Cx90使用的是15.0.3版。請注意，此版本僅適用於Nutanix中的配置遷移過程，絕不能用於Nutanix生產環境。

1.智慧許可證帳戶：此遷移需要有效的智慧許可證帳戶。在開始遷移過程之前，請驗證智慧許可證狀態。

2.對集群的基本瞭解：熟悉思科安全郵件網關(ESA)的集群概念。這種基本的理解對於順利遷移至關重要。

3.確定現有硬體集群狀態：

使用CLI：運行Clusterconfig命令。

使用GUI：導航至Monitor > any。

如果看到「Mode - Cluster： cluster_name」，則您的裝置正在集群配置中運行。

5.下載必需的軟體：下載用於KVM的Cisco Secure Email Gateway (vESA)軟體（15.0.3版C600v）。

6. 網路資源：為新電腦準備所需的網路資源（IP、防火牆規則、DNS等）。

將硬體(Cx90)升級到15.0.3 AsyncOS

若要執行移轉，您必須在x90叢集上安裝15.0.3版。這是我們可以在Nutanix上運行以進行配置遷移的初始版本。

注意：Nutanix裝置中的15.0.3版只能用於配置遷移，不能用於管理生產中的電子郵件流量。15.0.3版支援用於其他虛擬環境和物理裝置的生產環境。

將現有Cx90/硬體升級到15.0.3 AsyncOS

從Cisco郵件安全裝置的AsyncOS 15.0發行版本註釋中，使用以下說明升級郵件安全裝置：

1. 儲存裝置的XML配置檔案。
2. 如果使用安全清單/阻止清單功能，請將安全清單/阻止清單資料庫導出到裝置之外。
3. 暫停所有監聽器。
4. 等待佇列變空。
5. 在System Administration頁籤中，選擇System Upgrade
6. 按一下Available Upgrade。頁面將刷新為可用AsyncOS升級版本的清單。
7. 按一下Begin Upgrade按鈕，升級隨即開始。在問題出現時立即回答。升級完成後，按一下Reboot Now按鈕重新啟動裝置。
8. 恢復所有監聽程式。

重新啟動後，驗證正在運行的AsyncOS的版本：

• CLI，運行命令version。
• UI，導航至Monitor > System Info

注意：如果已在集群配置中運行多個裝置，則可以跳過下一部分。

在Nutanix部署C600v

從前提條件下載vESA/C600v映象，並根據思科內容安全虛擬裝置安裝指南進行部署。

vESA授權

此安裝需要使用智慧許可。16.0版或更高版本將在Nutanix的虛擬化裝置上運行，因此需要智慧許可而不是傳統的許可模式。因此，必須事先驗證智慧許可證是否已正確安裝。

智慧許可建立

這些連結描述啟用過程、定義以及如何對ESA/SMA/WSA上的智慧許可服務進行故障排除。

瞭解智慧許可概述和電郵與網路安全的最佳做法

Cisco Secure Email Gateway和Cisco Secure Email and Web Manager智慧許可部署指南

配置遷移過程

對於配置遷移，我們將在現有X90集群中增加新裝置。新裝置連線到集群後，將自動載入所有已部署的配置，確保無縫過渡。此過程利用集群的現有設定來高效整合新的虛擬化裝置，從而保留所有當前配置和設定，而無需人工干預。此方法可將潛在的中斷降至最低，並確保操作的連續性。

將vESA增加到ESA集群中

從vESA上的CLI運行clusterconfig > Join an existing...將vESA增加到集群中，操作步驟如下：

vESA.Nutanix> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 192.168.100.10

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 192.168.100.10:
Public host key fingerprint: 08:23:46:ab:cd:56:ff:ef:12:89:23:ee:56:12:67:aa
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster cluster.Cx90

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster cluster.Cx90)>

此時，您的vESA現在可映象您現有Cx90硬體的配置。這可確保所有設定、策略和配置在兩個平台上保持一致。

要驗證同步並確保現有C600v和Cx90之間沒有差異，請運行clustercheck命令。 

Cluster cluster.Cx90)> clustercheck

No inconsistencies found on available machines.
(Cluster cluster.Cx90)> 

此命令將幫助您辨識可能需要解決的任何潛在不一致問題。

(cluster.Cx90)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
vESA.Nutanix was updated Wed July 17 12:23:15 2024 GMT by 'admin' on C690.Machine C690.Machine was updated Wed Jun 13 06:34:45 2024 GMT by 'admin' on C690.Machine How do you want to resolve this inconsistency?

1. Force the entire cluster to use the vESA.Nutanix version.

2. Force the entire cluster to use the C690.Machine version.

3. Ignore.
[3]> 2

注意：您的vESA尚未處理郵件。在進入生產環境之前，請確保vESA已更新到16.0版。此步驟對於系統的穩定性和相容性至關重要。在進入生產環境之前，請按照以下步驟操作。

從ESA群集中刪除vESA

請從vESA上的CLI運行clusterconfig，並使用removemachine操作從集群中刪除裝置：

(Cluster cluster.Cx90)> clusterconfig

Cluster cluster.Cx90

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. C690.Machine (group Main_Group)
2. vESA.Nutanix (group Main_Group)
[1]> 2

Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.Nutanix removed from the cluster.

升級vESA

在配置遷移的此階段，必須將vESA升級到版本16.0。由於版本16.0是生產環境正式支援的第一個版本，因此需要進行此升級。升級可確保虛擬裝置符合最新的功能、安全更新和相容性要求。透過升級到版本16.0，您可以增強vESA的效能和可靠性，使其完全支援您的生產環境。此步驟對於確保現有基礎設施中的無縫整合和最佳操作至關重要。

要將vESA C600v升級到版本16.0：

1. 在System Administration頁籤中，選擇System Upgrade
2. 按一下Available Upgrade。頁面將刷新為可用AsyncOS升級版本的清單，選擇版本16.0。
3. 按一下Begin Upgrade按鈕，升級隨即開始。在問題出現時立即回答。升級完成後，按一下Reboot Now按鈕重新啟動裝置。
4. 重新啟動後，驗證正在運行的AsyncOS的版本：

CLI，運行命令version

UI，導航到Monitor > System Info

建立新集群（在vESA上）

如果要使用相同的群集名稱，則需要使用在Cx90群集上使用的相同名稱建立一個新群集。或者，使用新的叢集名稱建立新叢集。這是之前在vESA上重複的步驟：

vESA.Nutanix> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> newcluster.Virtual

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 192.168.101.100 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C195.local using IP address 192.168.101.100 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster newcluster.Virtual

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.Virtual)>
Join Your Cx00v to Your ESA Cluster
From the CLI on the Cx00v, run clusterconfig > Join an exisiting... to add your Cx00v into your new cluster configured on your vESA, similar to the following:

C600v.Nutanix> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 192.168.101.100

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 00:61:32:aa:bb:84:ff:ff:22:75:88:ff:77:48:84:eb
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.Virtual

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.Virtual)>

結論

按照本文檔中概述的步驟，您已使用Nutanix成功將X90裝置的配置遷移到虛擬環境。將vESA升級到版本16.0（第一個支援生產的版本）可確保虛擬裝置完全能夠處理生產環境的需求。此升級可讓您存取最新的功能、安全性增強功能及相容性改進功能，確保達到最佳的效能與可靠性。

最後一步是確認您的DNS記錄和負載平衡配置已更新為包含vESA，使其能有效處理郵件。有了這些配置，您的vESA現在已準備好在現有基礎設施內運行，可提供強大的電子郵件安全和無縫整合。