Cisco Content Security Virtual Appliance Installation Guide

Cisco Systems, Inc.
www.cisco.com

Last Updated: October 6, 2016

Contents
• About Cisco Content Security Virtual Appliances
• System Requirements
• Prepare the Content Security Image and Files
• Deploy on KVM
• Deploy on VMWare ESXi
• Managing Your Cisco Content Security Virtual Appliance
• Troubleshooting and Support
• Additional Information

About Cisco Content Security Virtual Appliances

Cisco content security virtual appliances function the same as physical email security, web security, or content security management hardware appliances, with only a few minor differences, which are documented in Managing Your Cisco Content Security Virtual Appliance.

System Requirements
• KVM Deployments
• VMWare ESXi Deployments

Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments

Product                               AsyncOS Release        Model  Disk Space  RAM      Processor Cores
Cisco Web Security Virtual Appliance  AsyncOS 8.6 and later  S000V  250 GB      4096 MB  1
                                                             S100V  250 GB      6144 MB  2
                                                             S300V  1024 GB     8192 MB  4

Virtual Appliance Models for VMWare ESXi Deployments

Note: Except as explicitly stated in the AsyncOS documentation, modifications to the ESXi configurations defined in the OVF are not supported.

Cisco Content Security virtual appliance OVF images have been pre-configured with the values in the following table. AsyncOS version requirements are described in Supported VMWare ESXi Hypervisors.

Product                                              Model   Disk Space  Memory  Processor Cores
Cisco Email Security Virtual Appliance               C000V*  200 GB      4 GB    1
                                                     C100V   200 GB      6 GB    2
                                                     C300V   500 GB      8 GB    4
                                                     C600V   500 GB      8 GB    8
Cisco Web Security Virtual Appliance                 S000V   250 GB      4 GB    1
                                                     S100V   250 GB      6 GB    2
                                                     S300V   1024 GB     8 GB    4
Cisco Content Security Management Virtual Appliance  M000V   250 GB      4 GB    1
                                                     M100V   250 GB      6 GB    2
                                                     M300V   1024 GB     8 GB    4
                                                     M600V   2032 GB     8 GB    8
* For evaluation and demonstration only

KVM Deployments

The following are the qualified environments for KVM deployments. All deployments use thin provisioning for disk storage.

Red Hat Enterprise Linux Server

Host OS:
• Red Hat Enterprise Linux Server 7.0 (Red Hat Enterprise Virtualization and Red Hat OpenStack platform are NOT supported.)
Version Info:
• Linux: 3.10.0-123.13.2.el7.x86_64
• libvirt/QEMU:
    Compiled against library: libvirt 1.1.1
    Using library: libvirt 1.1.1
    Using API: QEMU 1.1.1
    Running hypervisor: QEMU 1.5.3

Hardware:
• Qualified on: UCS B200 M3
• Redhat 7.0 certified UCS Platforms: https://access.redhat.com/search/browse/certified-hardware/#?&col=portal_certified_hardware&language=All&portal_certification_version=Red+Hat+Enterprise+Linux+7&portal_vendor=Cisco

Ubuntu Server

Host OS:
• Ubuntu Server 14.04.1 LTS (latest update)

Version Info:
• Linux: 3.13.0-43-generic
• Virsh/QEMU:
    Compiled against library: libvirt 1.2.2
    Using library: libvirt 1.2.2
    Using API: QEMU 1.2.2
    Running hypervisor: QEMU 2.0.0

Hardware:
• Qualified on: UCS B200 M3
• Ubuntu 14.04 Certified UCS Platform: http://www.ubuntu.com/certification/server/make/Cisco%20UCS/?query=&level=Certified&release=14.04+LTS

KVM Drivers

Supported KVM drivers:
• CDROM: IDE CDROM
• Network: E1000, Virtio
• Disk: VirtIO

KVM Packages

Required/related KVM packages to be installed on the host:
• qemu-kvm
• qemu-img
• libvirt
• libvirt-python
• libvirt-client
• virt-manager (requires X-windows)
• virt-install

VMWare ESXi Deployments

Supported VMWare ESXi Hypervisors

AsyncOS Version                                                               VMWare ESXi Version
AsyncOS 10.x (Email); AsyncOS 10.x (Management); AsyncOS 9.x and later (Web)  6.0
AsyncOS 9.x (Email); AsyncOS 9.x (Management); AsyncOS 8.7 and later (Web)    5.0, 5.1, and 5.5
AsyncOS 8.5 (Web); AsyncOS 8.4 (Management)                                   5.0 and 5.1
AsyncOS 8.5.x (Email); AsyncOS 8.0.x (Web)                                    4.x, 5.0, and 5.1
AsyncOS 8.0 (Email); AsyncOS 7.7.5 (Web)                                      4.x and 5.0

Other VMware hypervisors are supported on a “Best Effort” basis: Cisco will try to help you, but it may not be possible to reproduce all problems, and Cisco cannot guarantee a solution.
Hardware Requirements for VMWare ESXi Deployments

Cisco UCS servers (blade or rack-mounted) are the only supported hardware platform. Minimum requirements for the server hosting your virtual appliances:
• Two 64-bit x86 processors of at least 1.5 GHz each
• 8 GB of physical RAM
• A 10k RPM SAS hard drive disk

Other hardware platforms are supported on a “Best Effort” basis: we will try to help you, but it may not be possible to reproduce all problems, and we cannot guarantee a solution.

Note: Except as explicitly stated in the documentation, Cisco does not support the alteration of the Cisco Content Security virtual appliance’s hardware configuration, such as removing IP interfaces or changing the appliance’s CPU cores or RAM size. The appliance may send alerts if such changes are made.

(Hosted Email Security Only) Deployment in FlexPod Solutions

For AsyncOS for Email release 8.5 and later: For more information about deploying a virtual Email Security appliance as part of a FlexPod solution, see http://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/white-paper-c11-731731.pdf. Your CCO login determines whether you have access to this document.

For general information about FlexPod, see http://www.cisco.com/en/US/netsol/ns1137/index.html. FlexPod does not apply to virtual Web Security appliance or virtual Content Security Management appliance deployments.

(For Deployments On VMware ESXi 4.x Only) Create a New Datastore

VMware ESXi version 4.x comes with a file system that has a default block-size of 4 MB, which supports a virtual disk image of up to 1 TB. However, the larger Cisco virtual security appliances (e.g., S300V, C600V) require more than 1 TB of disk space. In order to run these models, you will need to create a new datastore and format it with an 8 MB or larger block size.
For information on block size and instructions on how to create a new datastore, see VMware’s technical documentation at http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003565.

Prepare the Content Security Image and Files

Determine the Best-Sized Virtual Appliance Image for Your Deployment

Determine the best-sized virtual appliance image for your needs. See the data sheet for your products, available from the following locations:
• ESA: Look for the "Cisco Email Security Appliance Data Sheet" link on this page: http://www.cisco.com/c/en/us/products/security/email-security-appliance/datasheet-listing.html. In the data sheet, look for the table titled "Email Security Virtual Appliance Specifications."
• WSA: Look for the "Cisco Web Security Appliance Data Sheet" link on this page: http://www.cisco.com/c/en/us/products/security/web-security-appliance/datasheet-listing.html. In the data sheet, look for the table titled "Cisco WSAV."
• SMA: Look for the "Cisco Content Security Management Appliance Data Sheet" link on this page: http://www.cisco.com/c/en/us/products/security/content-security-management-appliance/datasheet-listing.html. In the data sheet, look for the table titled "Cisco SMAV."

Download the Cisco Content Security Virtual Appliance Image

Before You Begin
• Obtain a license from Cisco for your virtual appliance.
• See Determine the Best-Sized Virtual Appliance Image for Your Deployment.

Step 1 Go to the Cisco Download Software page for your virtual appliance:
• For email security: https://software.cisco.com/download/release.html?mdfid=284900944&flowid=41782&softwareid=282975113&release=9.1.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest
• For web security: https://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid=282975114&release=8.6.0&relind=AVAILABLE&rellifecycle=&reltype=latest
• For content security management: https://software.cisco.com/download/release.html?mdfid=286283259&flowid=72402&softwareid=286283388&release=9.0&relind=AVAILABLE&rellifecycle=GD&reltype=latest
Step 2 In the left navigation pane, select an AsyncOS version.
Step 3 Click Download for the virtual appliance model image you want to download.
Step 4 Save the image to your local machine.

Related Topics
• Deploy on KVM
• Deploy on VMWare ESXi

Prepare the License and Configuration Files to Load at Startup (KVM Deployments)

This feature was introduced in AsyncOS 8.6 for Cisco Web Security Appliances. It is not available for other content security appliances or in other AsyncOS releases.

You can automatically load the Cisco Content Security Virtual Appliance license and configuration files the first time the Cisco appliance starts. (These files will not load after the first startup.)

Step 1 Obtain and name your license and/or configuration files:
• Configuration file: config.xml
• License file: license.xml
Step 2 Create an ISO image that contains one or both of these files.

What To Do Next

When you deploy the AsyncOS.QCOW image, you will attach the ISO as a virtual CD-ROM drive to the virtual machine instance. After startup, you can check the Status log on your Cisco virtual appliance. Error messages related to this functionality include the keyword “ZERO”.

Related Topics
• Deploy on KVM

Deploy on KVM

Each step below gives the action, followed by where to find more information.

Step 1 Ensure that your equipment and software meet all system requirements. See System Requirements and the documentation for the products and tools that you will use.
Step 2 Review the Release Notes for your AsyncOS release.
Release Notes are available from the locations in Additional Information.
Step 3 Set up the UCS server, host OS, and KVM. See the documentation for the products and tools you will use.
Step 4 Download the virtual content security appliance image. See Download the Cisco Content Security Virtual Appliance Image.
Step 5 Ensure that the Cisco image is compatible with your deployment. See Ensure Virtual Appliance Image Compatibility With Your KVM Deployment.
Step 6 (Optional) Prepare an ISO file that includes the license and configuration files to automatically load at startup. See Prepare the License and Configuration Files to Load at Startup (KVM Deployments).
Step 7 Determine the amount of RAM and the number of CPU cores to allocate to your virtual appliance model. See Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments.
Step 8 Deploy the virtual content security appliance image. Use one of the following methods:
• Deploy the Virtual Appliance Using Virtual Machine Manager
• Deploy the Virtual Appliance Using virt-install: Example
Step 9 If you will deploy the High Availability feature introduced in AsyncOS 8.5 for Cisco Web Security Appliances, configure the host to support this feature. See (Optional) Configure the Virtual Interface to Support High Availability.
Step 10 If you did not configure the system to load license and configuration files at first startup:
• Install the virtual appliance license file
• Install feature licenses
• Configure your Cisco content security virtual appliance.
More information:
• To install the virtual appliance license file, see Install the Virtual Appliance License File.
• To install feature licenses and configure the appliance, see the User Guide or online help for your AsyncOS release.
Step 11 Configure the appliance to send alerts when license expiration nears. See the online help or user guide for your AsyncOS release.

Ensure Virtual Appliance Image Compatibility With Your KVM Deployment

The qcow version of our image is not compatible with QEMU versions lower than 1.1. If your QEMU version is lower than 1.1, you must convert the image to make it compatible with your deployment.

Deploy the Virtual Appliance Using Virtual Machine Manager

Step 1 Launch the virt-manager application.
Step 2 Select New.
Step 3 Enter a unique name for your virtual appliance.
Step 4 Select Import existing image.
Step 5 Select Forward.
Step 6 Enter options:
• OS Type: UNIX.
• Version: FreeBSD 8.X
Step 7 Browse to and select the virtual appliance image that you downloaded.
Step 8 Select Forward.
Step 9 Enter RAM and CPU values for the virtual appliance model you are deploying. See Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments.
Step 10 Select Forward.
Step 11 Select the Customize check box.
Step 12 Select Finish.
Step 13 Configure the disk drive:
a. In the left pane, select the drive.
b. Under Advanced options, select options:
• Disk bus: Virtio.
• Storage format: qcow2
c. Select Apply.
Step 14 Configure the network device for the management interface:
a. In the left pane, select a NIC.
b. Select options:
• Source Device: Your management vlan
• Device model: virtIO
• Source mode: VEPA.
c. Select Apply.
Step 15 Configure network devices for four additional interfaces (WSA only): Repeat the previous set of substeps for each interface you will use.
Step 16 If you prepared an ISO image with the license and configuration files to be loaded at startup: Attach the ISO as a virtual CD-ROM drive to the Virtual Machine instance.
Step 17 Select Begin Installation.
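Steps 5 and 6 of the Deploy on KVM task list (image compatibility and the startup ISO), sketched as a host-side pre-flight. This is an added example, not part of the Cisco guide: the function names, the use of genisoimage or mkisofs, and the Joliet/Rock Ridge options are assumptions, and because the guide gives no conversion command the version check only reports whether conversion is needed.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-flight for a KVM deployment.
# Function names, ISO tool choice and ISO options are assumptions.

# Print the version reported by the host's qemu-img, e.g. "1.5.3".
installed_qemu_version() {
    qemu-img --version 2>/dev/null |
        sed -n 's/^qemu-img version \([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if VERSION is lower than 1.1 (image must be converted first),
# 1 if it is 1.1 or later, 2 if VERSION cannot be parsed.
qemu_needs_conversion() {
    ver=${1%%[!0-9.]*}                  # cut at the first non-version character
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0      # no minor component given
    minor=${rest%%.*}
    for part in "$major" "$minor"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 1 ]; }
}

# Build OUT_ISO from SRC_DIR, copying only config.xml and license.xml, the
# two names the guide specifies. Returns 1 if neither file exists, 3 if no
# ISO tool is installed, otherwise the tool's exit status.
build_startup_iso() {
    src=$1
    out=$2
    stage=$(mktemp -d) || return 1
    found=0
    for f in config.xml license.xml; do
        if [ -f "$src/$f" ]; then
            cp "$src/$f" "$stage/" && found=1
        fi
    done
    rc=3
    [ "$found" -eq 1 ] || rc=1
    if [ "$rc" -eq 3 ]; then
        for tool in genisoimage mkisofs; do
            if command -v "$tool" >/dev/null 2>&1; then
                # umask 077: the ISO carries the appliance configuration
                ( umask 077; "$tool" -quiet -J -r -o "$out" "$stage" ) &&
                    rc=0 || rc=$?
                break
            fi
        done
    fi
    rm -rf "$stage"
    return "$rc"
}
```

Source the file on the KVM host, run `qemu_needs_conversion "$(installed_qemu_version)"`, then `build_startup_iso /path/to/files wsa.iso` to produce the ISO that is attached as the virtual CD-ROM.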
Related Topics
• Deploy on KVM

Deploy the Virtual Appliance Using virt-install: Example

Before You Begin

Determine the amount of RAM and number of CPU cores needed for your appliance. See Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments.

Procedure

Step 1 Create the storage pool where your virtual appliance will reside:

    virsh pool-define-as --name vm-pool --type dir --target /home/username/vm-pool
    virsh pool-start vm-pool

Step 2 Copy the virtual appliance image to your storage pool:

    cd /home/username/vm-pool
    tar xvf ~/asyncos-8-6-0-007-S100V.qcow2.tar.gz

Step 3 Install the virtual appliance:

    virt-install \
      --virt-type kvm \
      --os-type=unix \
      --os-variant=freebsd8 \
      --name wsa-example \
      --ram 6144 \
      --vcpus 2 \
      --noreboot \
      --import \
      --disk path=/home/username/vm-pool/asyncos-8-6-0-007-S100V.qcow2,format=qcow2,bus=virtio \
      --disk path=/home/username/vm-pool/wsa.iso,bus=ide,device=cdrom \
      --network type=direct,source=enp6s0.483,source_mode=vepa,model=virtio \
      --network type=direct,source=enp6s0.484,source_mode=vepa,model=virtio \
      --network type=direct,source=enp6s0.485,source_mode=vepa,model=virtio \
      --network type=direct,source=enp6s0.486,source_mode=vepa,model=virtio \
      --network type=direct,source=enp6s0.487,source_mode=vepa,model=virtio

Notes on the options:
• --name: This name should be unique.
• --ram and --vcpus: Use the value appropriate to your virtual appliance model.
• --disk path=/home/username/vm-pool/wsa.iso,bus=ide,device=cdrom: Include this line if you created an ISO with the license and configuration file to load at startup.

Step 4 Start the virtual appliance:

    virsh start wsa-example

Related Topics
• Deploy on KVM

(Optional) Configure the Virtual Interface to Support High Availability

The high availability feature was introduced in AsyncOS 8.5 for Cisco Web Security Appliances and is described in detail in the user guide and online help.
If your Web Security appliance will be added to a failover group for high availability, configure the virtual interface to use promiscuous mode, in order to enable the appliances in the failover group to communicate with each other using multicasting. You can make this change at any time.

Step 1 On the host OS, find the macvtap interface associated with the interface with which the multicast traffic will be associated.
Step 2 Set the macvtap interface to use promiscuous mode. Enter on the host:

    ifconfig macvtapX promisc

Related Topics
• Deploy on KVM

Deploy on VMWare ESXi

Each item below gives the action, followed by where to find more information.

1. Review the Release Notes for your AsyncOS release. Release Notes are available from the locations in Additional Information.
2. Download the virtual appliance image and MD5 hash from Cisco. You will need the MD5 hash to check the data integrity of the appliance image. See Prepare the Content Security Image and Files.
3. Deploy the virtual appliance on your ESXi host or cluster. See Deploy the Virtual Appliance.
4. (Optional) Clone the image if you want to run multiple virtual appliances on your network. See (Optional) Clone the Virtual Appliance.
5. Prevent intermittent connectivity issues. Disable unused network interface cards (NICs) on the virtual machine.
6. Configure synchronization on the virtual machine to avoid random failures on your Cisco Content Security virtual appliance. See Important! Prevent Random Failures.
7. If DHCP is disabled, set up the appliance on your network. See If DHCP Is Disabled, Set Up the Appliance on the Network.
8. Install the license file. See Install the Virtual Appliance License File.
9. Log into the web UI of your appliance and configure the appliance software as you would do for a physical appliance. For example, you can:
• Run the System Setup Wizard
• Upload a configuration file
• Manually configure features and functionality.
More information:
• For instructions on accessing and configuring the appliance, including gathering required information, see the online help or user guide for your AsyncOS r

(Optional) Clone the Virtual Appliance

If you will run multiple virtual security appliances in your environment:
• Cisco recommends that you clone the virtual security appliance before you run it the first time.
• Cloning a virtual security appliance after the license for the virtual appliance has been installed forcefully expires the license. You will have to install the license again.
• You must shut down the virtual appliance before cloning it.
• If you want to clone a virtual appliance that is already in use, see Clone a Virtual Appliance Already in Use for more information.

For instructions on cloning a virtual machine, see VMWare’s technical documentation at http://www.vmware.com/support/ws55/doc/ws_clone.html.

Related Topics
• Deploy on KVM
• Deploy on VMWare ESXi

Deploy the Virtual Appliance

Before You Begin
• Set up the ESXi host or cluster on which you will deploy the virtual appliance. See System Requirements for more information.
• Install the VMware vSphere Client on your local machine.
• Download the image as described in Prepare the Content Security Image and Files.

Step 1 Unzip the .zip file for the virtual appliance in its own directory; e.g., C:\vESA\C100V or :\vWSA\S300V.
Step 2 Open the VMware vSphere Client on your local machine.
Step 3 Select the ESXi host or cluster to which you want to deploy the virtual appliance.
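Item 2 of the Deploy on VMWare ESXi task list has you download an MD5 hash to check the data integrity of the appliance image. One way to run that check before unzipping the image, as an added example that is not part of the Cisco guide; the function names and return codes are assumptions, and the expected digest is whatever Cisco publishes beside the download.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): verify a downloaded appliance
# image against its published MD5 before deploying it.

# Print the lowercase MD5 digest of a file using whichever tool the host has.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                      # BSD / macOS
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_image_md5 FILE EXPECTED
# EXPECTED may be a bare digest or a "digest  filename" line; case is ignored.
# Returns 0 on match, 1 on mismatch, 2 on unreadable file or malformed digest.
verify_image_md5() {
    image=$1
    expected=$(printf '%s\n' "$2" | awk '{print tolower($1)}')
    [ -r "$image" ] || return 2
    case $expected in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 32 ] || return 2
    actual=$(file_md5 "$image") || return 2
    [ "$actual" = "$expected" ]
}
```

A return of 1 means the file on disk is not the file the digest was computed for, so download it again rather than deploying it.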