This article applies to:
Question:
- What is the best procedure for upgrading Secure Web Gateway from version 9.2.x to 10.1.2?
Procedure:
# General remarks
There are a number of ways to move a Secure Web Gateway environment from 9.2 to 10.1.2. The best option for a specific organization will depend on their topology (whether it is a High Availability setup with two Policy Servers, a single Policy Server with a few Scanners, or an All-In-One) and their requirements for acceptable system downtime.
For smaller environments or All-In-One setups, the migration option might fit better than a clean installation on a second Policy Server (PS).
Once a PS has 10.1.2 up and working, Scanners can be upgraded independently (although they must start with at least version 9.2) by using a command in the Limited Shell (LS). This command ('config_upgrade') is basically a new installation over the network, which preserves each scanner's configuration settings.
A Scanner should not be listed in the devices tree of two or more Policy Servers at the same time. A scanner that is to be 'moved' from one PS to another must be deleted from the devices list of the first PS and added to the devices list of the second.
A Policy Server on 10.1.2 can restore Rollback Backup files from versions 9.2 and 10.0.
# Preparation
Create a bootable USB key with all of the necessary files on it.
- Use a key which is at least 2 GB in size, and make it bootable. Any appropriate tool will do (e.g., under Linux use “UNetbootin”, or under Win7 use the Windows version of this tool (link °4)).
- Unzip the 1.4.1-05 installer files (link °1), and copy all files onto the USB key. DO NOT USE an older version of these files.
- Copy the 10.0-19 ISO (link °2) onto the key.
- Copy the 10.1-12 ISO (link °3) onto the key.
If performing a clean installation, make sure that you have a 10.1 license key. The format of 9.x and 10.1.x keys is different, so a 9.2 key would not be accepted on a cleanly installed 10.1 appliance. For any license issue, please contact your Trustwave Sales representative and request a new license with the same options.
# Upgrade
1) Release Policy Server High Availability (PS HA), if applicable:
- Stop synchronization between the master and backup policy servers
- Release HA
- Access the Backup PS GUI, and remove the scanner devices (select the IP, right click, 'Delete Device')
- Shut down the backup PS (Limited Shell: 'poweroff')
2) On the (to-be-upgraded) Policy Server, delete the scanners from the devices tree (select the IP, right click, 'Delete Device'), to make sure they are still up and untouched until the PS is fully upgraded. All scanners will continue to work and scan traffic.
3) Plug in the USB key. If the local console is not accessible remotely (for example, via an IP KVM), also connect a USB keyboard and VGA monitor.
4) Reboot the appliance (Limited Shell: 'reboot').
5) Perform each of the three phases of the upgrade:
- Boot from the USB key and run the migration to 10.0, as described in the Tech Brief Installation Utility document
- Boot from the hard disk, log in to the PS GUI from a browser, navigate to the Updates section, and install 10.0 Maintenance Fix 01 (listed in 'Available Updates').
- Reboot the appliance from the USB key and run the migration to 10.1. When the upgrade has finished and the appliance is rebooting, unplug the USB stick.
6) After the appliance finishes booting, log in to the PS GUI, and install all recent patches:
- Maintenance Fix 10.1.2 (listed in 'Available Updates')
- recent Management and Runtime Hotfixes (Knowledge Base Article 14562, please contact Support if you do not have access)
7) Check the configuration and policies (AD configuration and import, Upstream Proxy Policies, etc.).
8) Add the scanners back into the devices tree (one by one, or in groups). Make sure that a scanner is not listed under and managed by any other PS.
9) Log in to the Limited Shell via SSH, and run 'config_upgrade' in order to upgrade the scanners. Wait until all of the scanners are updated and stable. (Note: The scanners will go offline during the upgrade. It is possible to upgrade scanners individually or in groups in order to prevent all scanners from being offline at once. The upgrade can take a while, since the Policy Server will copy the ISO to each scanner over the network, and each scanner must then install the ISO. Even so, it will take less time than an installation from USB.)
10) Establish Policy Server HA again, if applicable:
- Perform steps 3 through 6 on the backup PS (migration and updates).
- On the master PS, set up HA again and enable synchronization (do not synchronize unless all updates are installed).
# Alternatively: PS on the side (‘PS clone’) in order to test the process in advance
Advantage: Production environment is not affected (Main difference: this is a clean install, not a migration process)
1) Boot from USB and install 10.1.0 clean (do not choose the migration option)
2) On the Limited Shell, run 'setup', and configure the appliance according to your needs
3) Enter the GUI, install your license (PS must have access to the Update Server, otherwise the license cannot be applied)
4) Install all recent AV / URL / Security Updates
5) Install all recent patches
- Maintenance Fix 10.1.2 (listed in ‘available updates’)
- recent Management and Runtime Hotfixes (Knowledge Base Article 14562, please contact Support if you do not have access)
6) Copy the latest Rollback Backup files (from the source PS) to an FTP or Samba location
- The actual backup file (xxxxx_backup_yyyy_mm_dd_hh_mm_ss.tar.enc)
- index.xml
- date
7) Restore
- Configure the PS’s Rollback settings (with FTP selected, it might be necessary to add a trailing '/' after the server's IP)
- Navigate to Administration > Rollback > Restore
- Start Rollback Restore
NOTE: After this Rollback Restore has been performed, all scanners will be listed under Devices. Remove them immediately on the "new" Policy Server in order to avoid conflicts.
In addition, this Policy Server will have the IP configuration of the PS from which the Backup originates (in the Database and GUI, not in terms of network-settings). This address is probably different from the setting after step [2]. To correct this, follow the steps below:
- Navigate to Administration > System Settings > Devices > select Policy Server IP
- In the pane on the right hand side, click the Edit button, select the correct IP address under 'Device IP', and click the Save button. Commit this change.
8) From here, follow steps 7+ of the migration process as described above in order to transition the 9.2-scanners to 10.1.2.
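A pre-restore check for the three files named in step 6, run on the FTP or Samba host before starting the Rollback Restore. This is an added example, not part of the original article or the product's tooling. The function names, the sample file names and the `ps01` prefix are constructed, and treating everything before `_backup_` as an opaque prefix is an assumption.

```shell
#!/bin/sh
# Added example: check a staged Rollback Backup directory before a restore.
# Assumption: names follow <prefix>_backup_yyyy_mm_dd_hh_mm_ss.tar.enc (step 6).

# Print the newest well-formed, non-empty backup file name found in $1.
latest_backup() {
    for f in "$1"/*_backup_*.tar.enc; do
        [ -s "$f" ] || continue                  # skip empty or unmatched glob
        name=${f##*/}
        # Keep only names whose timestamp has the exact yyyy_mm_dd_hh_mm_ss shape.
        stamp=$(printf '%s\n' "$name" | sed -n \
            's/^.*_backup_\([0-9]\{4\}\(_[0-9]\{2\}\)\{5\}\)\.tar\.enc$/\1/p')
        if [ -n "$stamp" ]; then printf '%s %s\n' "$stamp" "$name"; fi
    done | LC_ALL=C sort | tail -n 1 | cut -d' ' -f2-   # padded stamps sort as text
}

# Succeed and print the backup to restore only when all three files are staged.
check_backup_set() {
    rc=0
    for companion in index.xml date; do
        if [ ! -f "$1/$companion" ]; then
            echo "missing: $companion" >&2
            rc=1
        fi
    done
    backup=$(latest_backup "$1")
    if [ -z "$backup" ]; then
        echo "no usable *_backup_<timestamp>.tar.enc file" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then printf '%s\n' "$backup"; fi
    return "$rc"
}

# Constructed sample: two good backups, one truncated transfer, both companions.
make_sample_set() {
    d=$(mktemp -d)
    echo data > "$d/ps01_backup_2012_04_30_23_59_59.tar.enc"
    echo data > "$d/ps01_backup_2012_05_02_01_00_00.tar.enc"
    : > "$d/ps01_backup_2012_05_03_01_00_00.tar.enc"   # zero bytes, must be skipped
    echo '<index/>' > "$d/index.xml"
    echo placeholder > "$d/date"
    printf '%s\n' "$d"
}

# With a directory argument, check it; without one, run on the sample set.
if [ "$#" -gt 0 ]; then check_backup_set "$1"
else sample=$(make_sample_set); check_backup_set "$sample"; rm -rf "$sample"; fi
```

A zero-byte `.tar.enc` file is treated as a failed transfer and skipped, so the check falls back to the newest backup that actually has content.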
Notes:
Download Links USB installer:
1) ftp://outgoing:Mr8om21r@ftp.finjan.com/support/vsi/1-4-1--5/VSI_1.4.1-05_79592M-2011-11-27_1102.tgz
2) ftp://outgoing:Mr8om21r@ftp.finjan.com/support/images/10.0/1000-b19-04-10-2010--12-26PM.iso
3) ftp://outgoing:Mr8om21r@ftp.finjan.com/support/images/10.1/1010-b12-10-04-2011--10-32AM.iso
4) USB Creator for Win7 (do not select “reboot” at the end of this process; see the howto movie)
Recent Patches (as of May 2012)
Update 10.1.2: Updates > Available Updates
Recent Management and Runtime Hotfixes: Knowledge Base Article 14562
Documentation:
5) Secure Web Gateway 10.1 Upgrade Release Notes
6) Secure Web Gateway 10.1.2 Release Notes