
Cisco ESA/WSA | Update Upgrade URL Host

Introduction

This document describes the IP address(es) and hosts needed to configure your Cisco Content Security appliance for use with a static host for downloads, updates, and upgrades.  These configurations are to be used for either hardware or virtual Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), or Security Management Appliance (SMA).

Content Security Appliance Downloads, Updates or Upgrades using a Static Host

Cisco offers static hosts for customers that have strict firewall or proxy requirements. It is important to note that if you configure your appliance to use the static hosts for downloads and updates, the same static hosts must also be allowed through the firewall and proxy on your network.

Here are the hostname(s), IP address(es), and ports that are involved in the download, update, and upgrade processes:

downloads-static.ironport.com:

  • 208.90.58.105 on port 80

update-manifests.ironport.com (hardware ESA):

  • 208.90.58.5 on port 443
  • 184.94.240.102 on port 443

update-manifests.sco.cisco.com (virtual ESA):

  • 208.90.58.6 on port 443
  • 184.94.240.125 on port 443

updates-static.ironport.com:

  • 208.90.58.25 on port 80
  • 184.94.240.106 on port 80

Note: The ‘update-manifests’ URLs and port numbers provided are configured from the CLI only, via the command updateconfig. From within this command, there is a hidden sub-command that needs to be run in order to validate the update manifest. Run dynamichost from the first configuration prompt once in the configuration options for updateconfig.

Service Update configuration via GUI

Complete these steps in order to change the download, update, or upgrade configuration on AsyncOS from the GUI:

  1. Navigate to the Service Updates tab of the Security Services page.
  2. Click Edit Update Settings….
  3. Select Local Update Servers from the Update Servers (images) field.
  4. For the Base URL field, enter http://downloads-static.ironport.com and set the Port to 80.
  5. Leave the Authentication (optional) fields blank.
  6. For the Host (McAfee Anti-Virus definitions, PXE Engine updates, Sophos Anti-Virus definitions, IronPort Anti-Spam rules, Outbreak Filters rules, DLP updates, Time zone rules and Enrollment Client (used to fetch certificates for URL Filtering) field, enter updates-static.ironport.com.  (Port is optional.)
  7. Leave the Update Servers (list) fields all set to Cisco IronPort Update Servers.
  8. Ensure that you have the proper interface selected, if required to communicate over a specific interface.  Default configuration will be set to Auto Select.
  9. Verify and update the configured Proxy Servers, if required.
  10. Click Submit.
  11. In the upper right corner, click Commit Changes.
  12. Finally, click on Commit Changes again in order to confirm all configuration changes.

Configuration of updateconfig via the CLI

The same changes can be applied via the CLI on the appliance.  Complete these steps in order to change the download, update, or upgrade configuration on AsyncOS from the CLI:

  1. Run the CLI command updateconfig
  2. Enter the command SETUP
  3. For the “Feature Key updates”, change the setting to use ‘2. Use own server’
  4. Enter http://downloads-static.ironport.com:80/
  5. For the “Service (images)”, change the setting to use ‘2. Use own server’
  6. Enter updates-static.ironport.com
  7. Leave the “McAfee Anti-Virus definitions, RSA DLP Engine Updates, PXE Engine Updates, Sophos Anti-Virus definitions, IronPort Anti-Spam rules, Outbreak Filters rules, Timezone rules, Enrollment Client Updates (used to fetch certificates for URL Filtering)” and “Cisco IronPort AsyncOS upgrades” set to default, “Use Cisco IronPort update servers”
  8. All other configuration prompts can be left set to default.
  9. Verify and update the configured Proxy Server, if required.
  10. Return out to the main CLI prompt
  11. Run the CLI command COMMIT to save all configuration changes.

Verify Upgrades and Updates

In order to verify that the upgrade communication is successful and completes, navigate to the System Upgrade page and click Available Upgrades. If the list of available versions displays, then your setup is complete.

From the CLI, you can simply run the upgrade command.  Choose the download option to view the upgrade manifest, if there are available upgrades.

8.5.7-043.local> upgrade


Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
[]> download

Upgrades available.
1. AsyncOS 9.6.0 build 051 upgrade For Email, 2015-09-02 this release is for General Deployment
2. AsyncOS 9.7.0 build 125 upgrade For Email, 2015-10-15. This release is for General Deployment
3. AsyncOS 9.7.1 build 066 upgrade For Email, 2016-02-16. This release is for General Deployment.
4. cisco-sa-20150625-ironport SSH Keys Vulnerability Fix
[4]>

For validation of updates, from the CLI run the command updatenow.  This will initiate the update process for all services.

Next, in order to verify that the updates function correctly, run the CLI command tail and choose the log number associated with updater_logs for your appliance.

For successful updates, you should see messages similar to these examples in the updater logs:

  • For Sophos updates, monitor the updater_logs for sophos or monitor the antivirus log:

    Wed Jun 25 19:00:24 2014 Info: sophos verifying applied files
    Wed Jun 25 19:00:24 2014 Info: sophos updating the client manifest
    Wed Jun 25 19:00:24 2014 Info: sophos update completed
    Wed Jun 25 19:00:24 2014 Info: sophos waiting for new updates
  • For McAfee updates, monitor the updater_logs for mcafee or monitor the antivirus log:

    Wed Jun 25 19:00:40 2014 Info: mcafee verifying applied files
    Wed Jun 25 19:00:40 2014 Info: mcafee updating the client manifest
    Wed Jun 25 19:00:40 2014 Info: mcafee update completed
    Wed Jun 25 19:00:40 2014 Info: mcafee waiting for new updates
  • For CASE updates that are used by IPAS and VOF, monitor the updater_logs for case:

    Wed Jun 25 18:59:47 2014 Info: case verifying applied files
    Wed Jun 25 18:59:47 2014 Info: case updating the client manifest
    Wed Jun 25 18:59:47 2014 Info: case update completed
    Wed Jun 25 18:59:47 2014 Info: case waiting for new updates
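Reading updater_logs by eye works for one appliance, but a small parser lets you check exported updater_logs from many appliances and flag any service that has not reported "update completed" recently. The following script is an added example and is not part of this Cisco document or of AsyncOS; it parses the log line shape shown above, and the `demo_engine` lines in the sample are constructed (not real AsyncOS messages) to show how a failing service is surfaced.

```python
import re
from datetime import datetime, timedelta

# Line shape shown in the updater_logs excerpts above, e.g.
#   Wed Jun 25 19:00:24 2014 Info: sophos update completed
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<level>\w+): (?P<service>\S+) (?P<msg>.*)$"
)

# Sample input: the first three are the page's own log lines; the
# demo_engine lines are constructed to simulate a service that never
# completes an update (service name and message are made up).
SAMPLE_LINES = [
    "Wed Jun 25 19:00:24 2014 Info: sophos update completed",
    "Wed Jun 25 19:00:40 2014 Info: mcafee update completed",
    "Wed Jun 25 18:59:47 2014 Info: case update completed",
    "Wed Jun 25 19:05:00 2014 Warning: demo_engine constructed failure line",
    "Wed Jun 25 19:20:00 2014 Warning: demo_engine constructed failure line",
]


def parse_line(line):
    """Return (timestamp, level, service, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("service"), m.group("msg")


def summarize(lines, now, stale_after=timedelta(hours=1)):
    """Per service: last 'update completed' time, count of Warning/Critical lines,
    and a stale flag when no completion falls within stale_after of `now`.
    The one-hour default mirrors the appliance's own 'unable to communicate
    with the update server for at least 1h' alert."""
    state = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not updater entries
        ts, level, service, msg = parsed
        entry = state.setdefault(service, {"last_completed": None, "errors": 0, "stale": False})
        if msg == "update completed":
            entry["last_completed"] = ts
        elif level in ("Warning", "Critical"):
            entry["errors"] += 1
    for entry in state.values():
        last = entry["last_completed"]
        entry["stale"] = last is None or (now - last) > stale_after
    return state


def summarize_sample():
    """Run the check over SAMPLE_LINES with a fixed reference time."""
    return summarize(SAMPLE_LINES, now=datetime(2014, 6, 25, 19, 30, 0))
```

On a real appliance, feed it the lines saved from the tail of updater_logs and pass the current time as `now`; any service reported stale is the one to investigate before the appliance's own update-failure alert arrives.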

Troubleshooting

The appliance sends notification alerts when the updates fail. Here is an example of the most commonly received email notification:

The updater has been unable to communicate with the update server for at least 1h.

Last message occurred 4 times between Tue Mar 1 18:02:01 2016 and Tue Mar 1 18:32:03 2016.

Version: 9.7.1-066
Serial Number: 888869DFCCCC-3##CV##
Timestamp: 01 Mar 2016 18:52:01 -0500

Source: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117854-technote-esa-00.html