Back up and restore the configuration of Edge SWG (ProxySG) or Advanced Secure Gateway appliances
Article ID: 165985

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS ASG-S200 ASG-S400 ASG-S500 ISG Proxy SG-S400 SG-S500 SG-S500-RP SG-VA SGVA

Issue/Introduction

Learn how to back up the configuration of Edge Secure Web Gateway (formerly ProxySG) or Advanced Secure Gateway (ASG) appliances, and restore it to the same or different appliance.

Resolution

To back up the configuration, follow the steps under Back up the source appliance below.

To restore the configuration, follow the steps under Restore the configuration on the destination appliance below.

Notes:

  • Restore a configuration only to an appliance running the same edition. For example, both the source and destination appliances must be Proxy Edition, or both must be MACH5 Edition.
  • Both the source and destination appliances must run the same SGOS software version.
  • When restoring a configuration from a physical appliance to a virtual appliance, elements that Edge SWG virtual appliances do not support can cause the restore to fail. If the restore fails, manually edit the archive to remove those elements.
  • Pay special attention to interface configurations when moving between hardware platforms. For example, SSP-S400-xx and SSP-S400-xxB have different interface configurations, so the interface sections of the archive must be omitted or edited before the install is attempted.

Back up the source appliance

Step 1 (Required): Save a backup of the configuration

  1. (If applicable) Locate and record your Symantec Webfilter (SWF) account information. In the Management Console, navigate to Configuration > Content Filtering > Blue Coat. If using Symantec Intelligence Services, you must attach that to the destination device serial number through the Licensing portal using the Symantec Intelligence Services Activation Code.
  2. Navigate to Configuration > General > Archive.
  3. Next to View File, click Configuration - post setup.

    Note: This archive does not include information that was entered during initial configuration, such as the interface IP address, default gateway, and DNS servers. To include this information, choose the expanded archive.

  4. Click View. The browser displays the configuration archive in text file format.
  5. Save the configuration file to disk.
  6. Depending on the archive chosen in step 3, and on whether you are restoring to the same appliance or a different one, you might have to manually update the IP address, default gateway, DNS servers, and other networking configuration.

Step 2 (Required): Save the appliance's configuration-passwords-key keyring

The appliance secures passwords in the configuration with the configuration-passwords-key keyring (such passwords appear as encrypted-password in the configuration file). Use the CLI to display the private key, encrypted with a password of your choosing.

Note: The default account password and the enable password are stored differently and are not included in the post-setup configuration. Restoring this key later does not affect your access to the appliance with those credentials.

  1. Log in to the appliance's command line interface (CLI).
  2. Enter enable mode (enable), and then enter configuration mode (config t).
  3. Display the private key encrypted with a password of your choosing. The CLI prompts you to enter and confirm the password:
    #show ssl keypair aes256-cbc configuration-passwords-key
      Encryption password: ***********
      Confirm encryption password: ***********
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,2C152FB9BCE5A3509D7975F3B729FC41

    U7Nez8/lJpZ/VT0ayWN7zbROJnr0Vwg3gNOTfZwQrtMDXdE…

    -----END RSA PRIVATE KEY-----

  4. After you have copied the private key to the clipboard, paste it into a text editor such as Notepad++.

Step 3 (Required): Save custom SSL certificates

Save custom SSL certificates used for decryption, Management Console, etc.

  1. In the Management Console, navigate to Configuration > SSL > Keyrings.
  2. Click Edit/View.
  3. Copy the CSR (if applicable) and certificate and paste it into a text editor. Make sure that there are no spaces or extra characters.
  4. Log in to the CLI.
  5. Enter enable mode (enable), and then enter configuration mode (config t).
  6. Enter the following commands, and then copy the private key:

    # conf t
    #(config) ssl
    #(config ssl) view keypair keyring_name

  7. After you have copied the private key to the clipboard, paste it into a text editor such as Notepad++.

Notes:

  • If the CLI does not display the keyring, the Show keypair option was not selected when the keyring was created.
  • If any certificate needed is in a Hidden status, it must be recreated manually.


Step 4 (Required): Other data to restore

If applicable, record the following data for restoring later.

  • The proxy's default policy. In the Management Console, select Configuration > Policy > Policy Options.
  • The hostname used when joining the domain. In the Management Console, select Configuration > Authentication > Windows Domain.


Restore the configuration on the destination appliance

Step 1 (Required): Reset the appliance to factory defaults and perform initial configuration

  1. Reset the Edge SWG (ProxySG) appliance to factory defaults. If this is a new appliance, skip this step.
  2. Connect to the appliance via the serial console, press Enter three times, and proceed through the initial configuration wizard.
    Important: See Additional Information below if you are restoring the configuration to an appliance that uses a different IP address or scheme for the management service listener.
  3. For Proxy Edition, select other. Refer to your appliance's Quick Start Guide for more information.
  4. (Optional) Define a management ACL (do not restrict access to the serial console).


Step 2 (Required): Restore SSL keyrings

  1. Log in to the destination appliance's CLI.
  2. Enter enable mode (enable) and then enter ssl mode (ssl).
  3. Enter the following command to import the configuration-passwords-key:
    #(config ssl)inline keyring show configuration-passwords-key eof
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,2C152FB9BCE5A3509D7975F3B729FC41

    U7Nez8/lJpZ/VT0ayWN7zbROJnr0Vwg3gNOTfZwQrtMDXdE…

    -----END RSA PRIVATE KEY-----eof
      Decryption password: ***********
      ok

    After you type the end-of-file characters, the CLI prompts you for the password you used to encrypt the key on the source appliance. Enter that password to import the key.

    Note: The proxy installation creates a configuration-passwords-key keyring by default. Delete the existing configuration-passwords-key keyring before importing the saved key. See step 3 of the documentation at: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/6-7/restoring-an-archived-key-ring-and-certificate.html
  4. (If applicable) Create keyrings for the custom SSL keyrings backed up in Step 3: Save custom SSL certificates under Back up the source appliance, as follows.
  5. In a browser, log in to the appliance Management Console (for example, https://<IP_address>:8082).
  6. Navigate to Configuration > SSL > Keyrings.
  7. Click Create and create a new keyring with EXACTLY the same name as the keyring on the source appliance, so that policy referencing it installs correctly.
  8. Select the option to Show keypair and paste the key saved in Step 3: Save custom SSL certificates under Back up the source appliance.
  9. Click Apply.
  10. Edit the keyring and paste in the CSR (if applicable) and Certificate from Step 3: Save custom SSL certificates under Back up the source appliance.
  11. Click Apply.

Step 3 (Required): Download the SWF or BCIS database

If the archive contains policy references to content filter categories, you must configure the SWF or BCIS service and install the SWF/BCIS database.

  1. In a browser, log in to the appliance Management Console (for example, https://<IP_address>:8082).
  2. Navigate to Configuration > Content Filtering > Blue Coat.
  3. Select the Data Source for your Subscription Type: Web Filter for SWF, or Intelligence Services. (SGOS 7.x and later does not offer this selection: Intelligence Services is the data source unless the unit was upgraded from 6.x to 7.x with BCWF as its data source.)
    If using SWF, specify the account details you recorded earlier. You must do this before you can restore the archive.
  4. Download the database. It could take up to 30 minutes or more for the initial download to complete. Without the database, related policies will not work.
    You do not have to wait for the database to finish downloading to continue.

Step 4 (Optional): Configure RADIUS authentication

If RADIUS authentication is required, configure it manually.


Step 5 (Required): Restore the configuration

  1. If you use Direct Domain Join, perform the following steps:
    1. Specify a custom hostname if the default will not be used.
      Note: The hostname must be set before the restore in step 7 below; otherwise the default hostname is used.
    2. Create the Domain Name exactly as the Source device.
    3. Click Apply.
    4. Join Domain.
  2. If the archive includes the following section, remove it:

    create ccl bluecoat-appliance
    edit ccl bluecoat-appliance ;mode
    add BC_Engineering_CA
    add ABRCA_root
    exit

  3. Search for 'ccl bluecoat'. If found, remove every CCL whose name starts with 'bluecoat' (including the bluecoat-appliance CCL shown above), from the first line that references it through its 'exit', as shown in step 2. Any CCL whose name starts with 'bluecoat' produces an error on install.
  4. Search for 'Begin Services' and 'End Services'. Cut everything in between and save it to a new file for reference. Then modify this section so that it only adds the enabled listeners; discard all other settings.
    Note: Skipping this step can cause the Configuration > Services > Proxy Services tab to not load; a restore to factory defaults is required to fix this issue.
  5. In the Management Console, navigate to Configuration > General > Archive.
  6. Beside Install configuration from, select Local File, and click Install.
  7. Browse to the archive you backed up in Step 1: Save a backup of the configuration under Back up the source appliance, and click Install. Wait for the appliance to indicate that the process is complete.
  8. Navigate to Maintenance > System and Disks > Tasks.
  9. Select Hardware and software, and click Apply.
  10. Click Restart now. The appliance restarts.
    After the appliance restarts, all configuration elements should be restored. Examine them and make note of anything missing. 

Note: The Default Proxy Policy (Configuration > Policy > Policy Options) is often not included in the archive. Set it to Allow if your source configuration specified Allow.
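The archive edits in items 2 to 4 of Step 5 done with a script instead of by hand, as an added example that is not from the article or Broadcom; it assumes the archive is plain text with one directive per line and that the services block is delimited by lines containing 'Begin Services' and 'End Services' (the sample archive is constructed from fragments shown above):

```python
# Added example (not Broadcom tooling): the archive edits from Step 5, items 2
# to 4, as a script: drop every CCL whose name starts with 'bluecoat' and cut
# the services section out for review. The sample archive is constructed.
import re

SAMPLE_ARCHIVE = """\
create ccl bluecoat-appliance
edit ccl bluecoat-appliance ;mode
add BC_Engineering_CA
exit
create ccl corp-ccl
edit ccl corp-ccl ;mode
add Corp_Root_CA
exit
;Begin Services
proxy-services ;mode
edit "FTP" ;mode
remove all 21
exit
exit
;End Services
policy order local central vpm
"""
CCL_START = re.compile(r"^\s*create\s+ccl\s+(bluecoat\S*)", re.IGNORECASE)

def strip_bluecoat_ccls(text):
    """Drop each 'create ccl bluecoat*' block through its closing 'exit'. Returns (text, names)."""
    out, names, skipping = [], [], False
    for line in text.splitlines():
        m = CCL_START.match(line)
        if m and not skipping:
            names.append(m.group(1))
            skipping = True                      # this line is dropped too
        elif skipping:
            skipping = line.strip() != "exit"    # consume through the 'exit'
        else:
            out.append(line)
    return "\n".join(out) + "\n", names

def split_services(text):
    """Cut the 'Begin Services' ... 'End Services' block (markers included) out
    of the archive. Returns (archive_without_services, services_block)."""
    kept, cut, inside = [], [], False
    for line in text.splitlines():
        inside = inside or "Begin Services" in line
        (cut if inside else kept).append(line)
        inside = inside and "End Services" not in line
    return "\n".join(kept) + "\n", "\n".join(cut) + "\n"
```

Review the returned services block by hand and re-add only the enabled listeners, as item 4 describes; the script only separates it from the rest of the archive.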

Step 6 (Required): Install software licenses

Because the appliance has been reset to, or is already in, a default state, you must retrieve the license key.

  1. In the Management Console, navigate to Maintenance > Licensing > Install.
  2. Click Retrieve and enter your Symantec account credentials.
  3. Click Request License.  The appliance connects to the licensing server and retrieves the license key for the appliance.

Additional Information

If you are restoring the configuration to an appliance that uses a different IP address or scheme for the management service listener, you must modify the configuration archive before restoring it to prevent a lockout. A lockout occurs if the management services were restricted to a specific IP address instead of all proxy IP addresses, as in the following example from a configuration archive:

management-services ;mode
edit "HTTPS-Console" ;mode
remove all 8082
exit
exit
proxy-services ;mode
edit "FTP" ;mode
remove all 21
exit
delete "Double Take"
delete "iSCSI"
delete "CommVault"
delete "FCIP"
delete "SRDF"
exit
management-services ;mode
edit "HTTPS-Console" ;mode
add 10.10.10.10/32 8082 enable
exit

In this case, the archive first removes the HTTPS-Console listener on all addresses (port 8082) and then adds a listener restricted to the IP address that was configured on the source appliance, in this example 10.10.10.10. If that IP address was not configured on the destination appliance before the post-setup configuration was installed, you will likely lose Management Console access to the appliance. You can then only connect via SSH and correct the Management Console IP address via the CLI. The rest of the configuration will likely be intact.

To prevent this issue, change the IP address in the configuration archive to the IP address that you will use on the destination appliance.
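A pre-restore check for the lockout case described above, as an added example that is not from the article or Broadcom: it walks the archive's ';mode' / 'exit' nesting, reports every management-services listener bound to a single IP rather than 'all', and rewrites those lines to the destination address (the sample archive is constructed from the fragment above; the listener line format 'add <ip>/<prefix> <port> enable' is taken from it):

```python
# Added example (not Broadcom tooling): before restoring, rebind management
# service listeners in an SGOS archive from the source appliance's IP to the
# destination address, so a restricted HTTPS-Console listener cannot lock you
# out. The sample archive below is constructed from the fragment above.
import re

SAMPLE_ARCHIVE = """\
proxy-services ;mode
edit "FTP" ;mode
remove all 21
exit
exit
management-services ;mode
edit "HTTPS-Console" ;mode
add 10.10.10.10/32 8082 enable
exit
exit
"""
# add <ip-or-all>[/prefix] <port> <enable|disable>
ADD_LINE = re.compile(r"^(\s*add\s+)(\S+?)(/\d+)?(\s+(\d+)\s+\w+\s*)$")

def walk(text):
    """Yield (line, section, service); ';mode' opens a level, 'exit' closes one."""
    depth, section, service = 0, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(";mode"):
            if depth == 0:
                section = s.split()[0]      # top level, e.g. management-services
            elif s.startswith("edit "):     # edit "HTTPS-Console" ;mode
                service = s.split('"')[1] if '"' in s else s.split()[1]
            depth += 1
        elif s == "exit":
            depth = max(depth - 1, 0)
            if depth == 0:
                section = service = None
        yield line, section, service

def rebind_management(text, new_ip):
    """Rewrite every management listener bound to one IP (not 'all') to new_ip;
    proxy-services lines are untouched. Returns (archive, [(service, old_ip, port)])."""
    out, changes = [], []
    for line, section, service in walk(text):
        m = ADD_LINE.match(line)
        if section == "management-services" and m and m.group(2) != "all":
            changes.append((service, m.group(2), int(m.group(5))))
            line = f"{m.group(1)}{new_ip}{m.group(3) or ''}{m.group(4)}"
        out.append(line)
    return "\n".join(out) + "\n", changes
```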