Back up and restore the configuration of ProxySG or Advanced Secure Gateway appliances

Article ID: 165985

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS ASG-S200 ASG-S400 ASG-S500 ISG Proxy SG-300 SG-510 SG-S400 SG-600 SG-810 SG-900 SG-9000 SG-S200 SG-S200-RP SG-S400-RP SG-S500 SG-S500-RP SG-VA SGVA

Issue/Introduction

Learn how to back up the configuration of ProxySG or Advanced Secure Gateway (ASG) appliances, and restore it to the same or different appliance.

Resolution

Notes:

  • Restore a configuration only to an appliance using the same edition. For example, both the source and destination appliances must be Proxy Edition or MACH5 Edition.
  • Both ProxySG and ASG need to run the same SGOS software version.
  • When restoring a configuration taken from a physical appliance onto a virtual appliance, the restore may fail because the archive contains elements that virtual versions of ProxySG do not support. If the restore fails, manually edit the archive to remove those elements.

Back up the source appliance

Step 1 (Required): Save a backup of the configuration

  1. (If applicable) Locate and record your Symantec Webfilter (SWF) account information. In the Management Console, navigate to Configuration > Content Filtering > Blue Coat. If you use Symantec Intelligence Services, you need to attach the subscription to the destination appliance's serial number in the Licensing portal, using the Symantec Intelligence Services Activation Code.
  2. Navigate to Configuration > General > Archive.
  3. Next to View File, click Configuration - post setup.

    Note: This archive does not include information entered during the initial setup wizard, such as the interface IP address, default gateway, and DNS servers. If you want to include that information, choose the expanded archive instead.
  4. Click View. The browser displays the configuration archive in text file format.
  5. Save the configuration file to disk.
  6. Depending on the archive chosen in step 3, and on whether you are restoring to the same appliance or to a different one, you may need to manually change the IP address, default gateway, DNS servers, and similar settings in the archive.

Step 2 (Required): Save the appliance's configuration-passwords-key keyring

Note 1: This step is required because the appliance encrypts the passwords in the configuration with this keyring (they appear as encrypted-password entries in the configuration file).
Note 2: The default account password and the enable password are stored differently and are not included in the post-setup configuration. Restoring this key later does not affect your access to the appliance with those credentials.

  1. Log in to the appliance's command line interface (CLI).
  2. Enter enable mode (enable), and then enter configuration mode (config t).
  3. Enter the following commands, and then copy the private key:

    #(config)ssl
    #(config ssl)view keypair configuration-passwords-key

  4. After you have copied the private key to the clipboard, paste it into a text editor such as Notepad++.

Step 3 (Required): Save the custom SSL certificates installed on the source appliance (used for decryption, the Management Console, and so on)

  1. In the Management Console, navigate to Configuration > SSL > Keyrings.
  2. Click Edit/View.
  3. Copy the CSR (if applicable) and the certificate and paste them into a text editor. Make sure that there are no leading or trailing spaces or extra characters.
  4. Log in to the CLI.
  5. Enter enable mode (enable), and then enter configuration mode (config t).
  6. Enter the following commands (replace keyring_name with the name of the keyring), and then copy the private key:

    # conf t
    #(config) ssl
    #(config ssl) view keypair keyring_name

  7. After you have copied the private key to the clipboard, paste it into a text editor such as Notepad++.

Notes:

  • If the CLI does not display the keyring, the Show keypair option was not selected when the keyring was created, so the private key cannot be displayed.
  • If any required keyring or certificate is in Hidden status, it must be re-created manually on the destination appliance.
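A quick local sanity check for the text you copied into the editor in Steps 2 and 3, added here as an example (it is not part of the article and not an appliance feature): it normalises the pasted PEM block (CRLF line endings, indentation, blank lines), confirms that the BEGIN/END markers match and that only one block was pasted, that the body is valid base64, and that the decoded bytes form a single DER SEQUENCE, which is the outer structure of every certificate, CSR and key. The sample block is a constructed five-byte DER structure, not a real key or certificate; run the same check on your own copied text before pasting it into the destination keyring.

```python
import base64
import re
import sys

# Constructed sample: a five-byte DER SEQUENCE { INTEGER 5 } wrapped in PEM
# markers so the check runs offline. It is not a real certificate or key.
_SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

# One PEM block: matching BEGIN/END labels, body in between.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def normalize_pem(text):
    """Remove whitespace that copy/paste introduced: CRLF endings, indentation,
    trailing spaces and blank lines. The line wrapping of the body is kept."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    return "\n".join(ln for ln in lines if ln) + "\n"


def _is_single_der_sequence(der):
    """True when the outer DER header is a SEQUENCE whose length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text):
    """Return (True, "ok") when the pasted text is one clean PEM block,
    otherwise (False, reason)."""
    cleaned = normalize_pem(text).strip()
    m = _PEM_RE.fullmatch(cleaned)
    if not m:
        return False, "missing or mismatched BEGIN/END markers"
    body = m.group(2)
    if "-----" in body:
        return False, "more than one PEM block was pasted"
    try:
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False, "body is not valid base64 (stray or missing characters)"
    if not _is_single_der_sequence(der):
        return False, "decoded data is not a single DER SEQUENCE"
    return True, "ok"


if __name__ == "__main__":
    # Usage: python check_pem.py copied.txt   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    ok, reason = check_pem(text)
    print(("OK" if ok else "PROBLEM") + ": " + reason)
    if ok:
        print(normalize_pem(text), end="")   # the cleaned block, safe to paste
```

The check deliberately does not parse the certificate or key beyond the outer SEQUENCE, so it needs no third-party library and never interprets private key material; it only tells you whether the paste is structurally intact.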

Step 4 (Required): Other Potential Data Needed for restore

  • The default policy in use on the proxy: in the ProxySG Management Console, Configuration > Policy > Policy Options.
  • The hostname used to join the domain: in the ProxySG Management Console, Configuration > Authentication > Windows Domain.

Restore on the destination appliance

Step 1 (Required): Reset the appliance to factory defaults and perform initial configuration

  1. Reset the ProxySG appliance to factory defaults. If this is a new appliance, skip this step.
  2. Connect to the appliance via the serial console, press Enter three times, and proceed through the initial configuration wizard. For Proxy Edition, select other. Refer to your appliance's Quick Start Guide for more information. Symantec recommends that you do not secure the serial console or restrict access to it, because doing so requires an additional password for serial console connections.
  3. (Optional) Define a management ACL (restricting access to the serial console is not recommended).

Step 2 (Required): Restore SSL keyrings

  1. In a browser, log in to the appliance Management Console (for example, https://<IP_address>:8082).
  2. Navigate to Configuration > SSL > Keyrings.
  3. Delete the existing configuration-passwords-key keyring and click Apply.
  4. Click Create and create a new keyring called configuration-passwords-key.
  5. Select the option to Show keypair and paste the key saved in "Step 2: Save the appliance's configuration-passwords-key keyring" under Back up the source appliance.
  6. Click Apply.

(If applicable) Repeat the previous steps to create the custom SSL keyrings (for decryption, the management service, and so on) that you backed up in "Step 3: Save custom SSL certificates installed on the source appliance..." under Back up the source appliance:

  1. In a browser, log in to the appliance Management Console (for example, https://<IP_address>:8082).
  2. Navigate to Configuration > SSL > Keyrings.
  3. Click Create and create a new keyring with EXACTLY the same name as on the source device, so that policy referencing the keyring installs correctly.
  4. Select the option to Show keypair and paste the key saved in "Step 3: Save custom SSL certificates installed on the source appliance..." under Back up the source appliance.
  5. Click Apply.
  6. Edit the keyring and paste in the CSR (if applicable) and the certificate from "Step 3: Save custom SSL certificates installed on the source appliance..." under Back up the source appliance.
  7. Click Apply.

Step 3 (Required): Download the SWF or BCIS database

If the archive contains policy references to content filter categories, you must configure the SWF or BCIS service and install the SWF/BCIS database.

  1. In a browser, log in to the appliance Management Console (for example, https://<IP_address>:8082).
  2. Navigate to Configuration > Content Filtering > Blue Coat.
  3. Select Data Source for your Subscription Type: Web Filter for SWF or Intelligence Services.
  4. If using SWF, specify your BCWF details. You must do this before you can restore the archive.
  5. Download the database. The initial download can take 30 minutes or more. Policy that references content-filter categories does not work until the database is installed, but you do not need to wait for the download to finish before continuing with the following steps.

Step 4 (Optional): Configure RADIUS authentication

If RADIUS authentication is required, configure it manually.

Step 5 (Required): Restore the configuration

  1. If you use Direct Domain Join, perform the following steps:
    1. Create the domain name exactly as on the source device.
    2. Click Apply.
    3. Join the domain.
  2. If present, remove the following section from the archive file:

    create ccl bluecoat-appliance
    edit ccl bluecoat-appliance ;mode
    add BC_Engineering_CA
    add ABRCA_root
    exit

  3. Search for ccl bluecoat. If found, remove every CCL whose name starts with 'bluecoat' (including the bluecoat-appliance block above), from the first line that references it through its closing 'exit', as shown in step 2. Every CCL whose name starts with bluecoat will cause an error during install.
  4. Search for 'Begin Services' and 'End Services'. Cut everything between them and save it to a new file for reference. Modify this section so that it only adds the enabled listeners; discard all other settings. Skipping this step can prevent the Configuration > Services > Proxy Services tab from loading, and recovering from that requires a factory reset.
  5. In the Management Console, navigate to Configuration > General > Archive.
  6. Beside Install configuration from, select Local File, and click Install.
  7. Browse to the archive you backed up in "Step 1: Save a backup of the configuration"  under Back up the source appliance, and click Install. Wait for the appliance to indicate that the process is complete.
  8. Navigate to Maintenance > System and Disks > Tasks.
  9. Select Hardware and software, and click Apply.
  10. Click Restart now. The appliance restarts.
  11. After the appliance restarts, all configuration elements should be restored. Examine them and note anything that is missing.

Note: The Default Proxy Policy (Configuration > Policy > Policy Options) is often not included in the archive. Set it to Allow if that is specified in your configuration. 
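The two archive edits in steps 2 to 4 above (removing every CCL whose name starts with bluecoat, and cutting the Services section out for separate review) can be done by hand, but on a large archive it is easy to miss a block or cut one line too many. The script below is an added example, not a tool from the article or from Symantec. It runs on a constructed archive excerpt and assumes that a CCL block opens with `create ccl NAME` followed by `edit ccl NAME ;mode` and closes with the matching `exit`, and that the Services section is bounded by lines containing `Begin Services` and `End Services`. It sets the Services section aside but does not rewrite it; deciding which listeners to add back still needs an administrator who knows which ones are enabled.

```python
import re
import sys

# Constructed archive excerpt (not output from a real appliance). It contains
# two bluecoat* CCLs, one custom CCL that must survive, and a Services section.
SAMPLE_ARCHIVE = """\
create ccl bluecoat-appliance
edit ccl bluecoat-appliance ;mode
add BC_Engineering_CA
add ABRCA_root
exit
create ccl bluecoat-other
edit ccl bluecoat-other ;mode
add Some_CA
exit
create ccl my-custom-ccl
edit ccl my-custom-ccl ;mode
add Corp_Root_CA
exit
Begin Services
proxy-services ;mode
edit "HTTP" ;mode
add all 80
exit
exit
End Services
"""

# 'create ccl bluecoat-x' or 'edit ccl bluecoat-x ;mode' (assumed block syntax)
_CCL_RE = re.compile(r"(create|edit) ccl (bluecoat\S*)(\s+;mode)?$")


def strip_bluecoat_ccls(text):
    """Drop every 'create ccl bluecoat*' line and every 'edit ccl bluecoat* ;mode'
    block through its closing 'exit'. Returns (cleaned_text, removed_names)."""
    out, removed, depth = [], [], 0
    for line in text.splitlines():
        s = line.strip()
        if depth:                          # inside a block being removed
            if s.endswith(";mode"):
                depth += 1                 # nested ;mode block, keep skipping
            elif s == "exit":
                depth -= 1
            continue
        m = _CCL_RE.match(s)
        if m:
            if m.group(2) not in removed:
                removed.append(m.group(2))
            if m.group(3):                 # 'edit ... ;mode' opens a block
                depth = 1
            continue
        out.append(line)
    return "\n".join(out) + "\n", removed


def cut_services(text):
    """Cut the lines between the 'Begin Services' and 'End Services' markers out
    of the archive, leaving the markers. Returns (archive_text, cut_lines)."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if "Begin Services" in l), None)
    end = next((i for i, l in enumerate(lines) if "End Services" in l), None)
    if start is None or end is None or end <= start:
        return text, []
    kept = lines[:start + 1] + lines[end:]
    return "\n".join(kept) + "\n", lines[start + 1:end]


def prepare_archive(text):
    """Apply both edits; return the archive to install, the cut Services lines
    for manual review, and the names of the CCLs that were removed."""
    cleaned, removed = strip_bluecoat_ccls(text)
    archive, services = cut_services(cleaned)
    return {"archive": archive, "services": services, "removed_ccls": removed}


if __name__ == "__main__":
    # Usage: python prepare_archive.py archive.txt
    #   writes archive.txt.prepared.txt and archive.txt.services.txt
    src = sys.argv[1] if len(sys.argv) > 1 else None
    result = prepare_archive(open(src).read() if src else SAMPLE_ARCHIVE)
    if src:
        open(src + ".prepared.txt", "w").write(result["archive"])
        open(src + ".services.txt", "w").write("\n".join(result["services"]) + "\n")
    print("removed CCLs:", result["removed_ccls"])
    print("services lines set aside:", len(result["services"]))
```

Review the `.services.txt` file, add only the enabled listeners back into the prepared archive between the two markers, and keep the list of removed CCL names with your restore notes so that any policy referencing them can be checked after the install.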

Step 6 (Required): Install software licenses

Because the appliance has been reset to (or is already in) a default state, you must retrieve the license key.

  1. In the Management Console, navigate to Maintenance > Licensing > Install.
  2. Click Retrieve and enter your Symantec account credentials.
  3. Click Request License. The appliance connects to the licensing server and retrieves the license key for the appliance.

If you are restoring the configuration to an appliance that will use a different IP address or scheme for the management service listener, you must modify the configuration archive before restoring it to prevent a lockout. A lockout occurs if the management services were restricted to a specific IP address instead of all proxy IP addresses, as in the following example from a configuration archive:

management-services ;mode
edit "HTTPS-Console" ;mode
remove all 8082
exit
exit
proxy-services ;mode
edit "FTP" ;mode
remove all all 21
exit
delete "Double Take"
delete "iSCSI"
delete "CommVault"
delete "FCIP"
delete "SRDF"
exit
management-services ;mode
edit "HTTPS-Console" ;mode
add 10.10.10.10/32 8082 enable
exit

In this case, the archive first removes the HTTPS-Console listener on all IP addresses for port 8082 and then adds a listener only on the address the management service was restricted to, 10.10.10.10 in this example. If that IP address was not configured on the destination appliance before the post-setup configuration was installed, you will most likely lose Management Console access. You can then only connect via SSH and correct the Management Console listener address via the CLI. The rest of the configuration will most likely be intact.

To prevent this issue, change the IP address in the configuration archive to the IP address that you will use on the destination appliance.
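A pre-install check for the lockout described above, added here as an example (it is not a Symantec tool and is not from the article): it parses the `add` lines inside every `management-services ;mode` block of the archive, reports any listener bound to a specific address that the destination appliance does not own, and can rewrite those lines to the destination address. The archive excerpt is constructed from the example above; the destination addresses are assumed values that you pass in.

```python
import ipaddress
import re
import sys

# Constructed archive excerpt modelled on the lockout example (not captured
# from an appliance): the console listener is moved from 'all' to one address.
SAMPLE_ARCHIVE = """\
management-services ;mode
edit "HTTPS-Console" ;mode
remove all 8082
exit
exit
management-services ;mode
edit "HTTPS-Console" ;mode
add 10.10.10.10/32 8082 enable
exit
exit
"""

# 'add <address-or-all> <port> <state>' as it appears in the archive example
_ADD_RE = re.compile(r"add\s+(\S+)\s+(\d+)\s+(\w+)$")


def management_listeners(text):
    """Return (line_no, address, port, state) for every 'add' line that sits
    inside a 'management-services ;mode' block, at any nesting depth."""
    found, depth, in_mgmt = [], 0, False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s == "management-services ;mode" and not in_mgmt:
            in_mgmt, depth = True, 1
            continue
        if not in_mgmt:
            continue                       # proxy-services etc. are ignored
        if s.endswith(";mode"):
            depth += 1
        elif s == "exit":
            depth -= 1
            if depth == 0:
                in_mgmt = False
        else:
            m = _ADD_RE.match(s)
            if m:
                found.append((n, m.group(1), int(m.group(2)), m.group(3)))
    return found


def lockout_risk(text, destination_ips):
    """Listeners bound to an address (or network) that none of the destination
    appliance's addresses fall into. Returns [(line_no, address, port), ...]."""
    dest = [ipaddress.ip_address(ip) for ip in destination_ips]
    risky = []
    for n, addr, port, _state in management_listeners(text):
        if addr == "all":
            continue                       # bound to every proxy IP: safe
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            risky.append((n, addr, port))  # unparseable: flag it for review
            continue
        if not any(ip in net for ip in dest):
            risky.append((n, addr, port))
    return risky


def rebind_listener(text, old_addr, new_addr):
    """Rewrite management-service 'add' lines bound to old_addr so that they
    bind new_addr instead; other occurrences of old_addr are left alone."""
    targets = {n for n, addr, _, _ in management_listeners(text) if addr == old_addr}
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        out.append(line.replace(old_addr, new_addr, 1) if n in targets else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python lockout_check.py archive.txt 192.0.2.20 [more destination IPs]
    # (defaults to the constructed sample and an assumed destination address)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    dest = sys.argv[2:] or ["192.0.2.20"]
    for n, addr, port in lockout_risk(text, dest):
        print(f"line {n}: management listener {addr}:{port} is not on {dest}")
```

Run it against the archive before Step 5 of the restore. For every line it reports, either add that address to the destination appliance first or rebind the listener with `rebind_listener` (or by hand) to an address the destination will actually have; a listener on `all` is never reported because it follows the appliance's own interface addresses.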