Replacing a failed Cisco Ironport Web Security Appliance Proxy

Recently we had a Cisco Web Security Appliance (WSA) Proxy fail. When I say fail, I mean a single stick of RAM failed after a reboot. Cisco said RAM isn't replaceable so we had to RMA the whole box (odd for a device that is basically a rebadged server...maybe I have a money saving idea for you Cisco!)

There were a few steps to getting it going, so I thought I'd share.

Firstly, we wanted to build the replacement in our isolated build room, totally off the network. To get it to the right version of code, this meant downloading the files onto a laptop and installing them to the WSA from there. To do this, you need to go to: http://updates.ironport.com/fetch_manifest.html

This is not particularly intuitive. You need to find the version number that you want to download and enter it in the base release tag, in this format:

coeus-7-0-1-140 (this would be for 7.0.1 build 140)

If it's an ESA, then use the word phoebe instead of coeus.

You then extract that file onto a web server (I just used IIS on my laptop - just make sure you have a MIME type that will allow it to serve files with no extension).

After that, it's pretty well described in this document: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117804-technote-wsa-00.pdf

That will get it to the right code level.

After that, it's just a case of copying the config. We got this advice from TAC about copying the config, which pretty much explains it:

Please find below the steps to edit the configuration of an old device and upload it to a new device -

1.      Assuming your old WSA being replaced is WSA X and the newly shipped WSA is WSA Y.

2.      Ensure that your WSA X and WSA Y are on the same Async OS Version.

3.      Save the configuration of WSA X by making sure the passwords are unmasked.

4.      Next, go to the WSA GUI of your WSA Y and ensure to complete all the settings under the Network Tab.

5.      Next, save the configuration of WSA Y by making sure the passwords are unmasked.

6.      Open both the configuration files in a tool such as Notepad++ so that your configuration file text formatting is preserved.

7.      Next, copy the entire configuration from WSA X starting with the following banner to the end of the file -

******************************************************************************

*                            System Configuration                            *

******************************************************************************

8.      Next, navigate to the configuration of WSA Y and delete its configuration text starting with the following banner to the end of the file -

******************************************************************************

*                            System Configuration                            *

******************************************************************************

9.      Next, paste the text copied from the configuration of WSA X in Step 7 to the configuration of WSA Y.

10.   Save this edited configuration Y.

11.   Upload this saved configuration in Step 10 to the new WSA Y.

12.   Once this is done, you have effectively copied the entire configuration from old WSA X to the new WSA Y and at the same time you have retained the Network settings of the WSA Y.

General Instructions -

To save configuration:

*        System Administration > Configuration File

*        In the "Current Configuration" section click on the radio button next to "Download file to local computer to view or save".

*        Take out the check mark on "Mask passwords in the Configuration Files".

*        Save the file to a safe place or your desktop for later use.

To load configuration:

*        Go to WSA GUI > System Administration > Configuration File

*        In the "Load Configuration" section

*        Click on the radio button next to "Load a configuration file from local computer:" and then click on the browse button.

*        Locate the file you saved from the above instructions and click "open"

*        Finally click on "Load" button.

And that's about it. It's pretty straightforward, once you figure out the word "coeus"! Most things I found were more centered around the ESA than the WSA (although the procedure is the same, just that word change).
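The copy and paste in steps 7 to 9 can also be scripted so the splice point is checked rather than eyeballed. This is an added example, not part of the original post or the TAC advice; the function names are hypothetical and the sample file contents are constructed placeholders, not real WSA configuration syntax.

```python
import re

# Title line of the banner quoted in steps 7 and 8.
TITLE = re.compile(r"^\*\s+System Configuration\s+\*\s*$")


def banner_start(lines, label):
    """Index of the first line of the 'System Configuration' banner."""
    hits = [i for i, line in enumerate(lines) if TITLE.match(line)]
    if len(hits) != 1:
        # Refuse to guess: a missing or repeated banner means a bad export.
        raise ValueError(f"{label}: expected 1 banner, found {len(hits)}")
    start = hits[0]
    # Include the row of asterisks above the title, skipping blank lines.
    j = start - 1
    while j >= 0 and not lines[j].strip():
        j -= 1
    if j >= 0 and set(lines[j].strip()) == {"*"}:
        start = j
    return start


def splice_config(old_x, new_y):
    """Y's text before the banner, then X's text from the banner to the end."""
    x_lines = old_x.splitlines(keepends=True)  # keepends preserves CRLF/LF
    y_lines = new_y.splitlines(keepends=True)
    head = y_lines[:banner_start(y_lines, "WSA Y")]
    tail = x_lines[banner_start(x_lines, "WSA X"):]
    return "".join(head + tail)


# Constructed sample files (placeholders only).
STARS = "*" * 78
BANNER = f"{STARS}\n*{'System Configuration':^76}*\n{STARS}\n"
OLD_X = "network settings of X\n" + BANNER + "policies and passwords of X\n"
NEW_Y = "network settings of Y\n" + BANNER + "factory defaults of Y\n"

if __name__ == "__main__":
    print(splice_config(OLD_X, NEW_Y), end="")
```

Both exports are saved with passwords unmasked, so keep the input and output files on the build laptop only and delete them once the load on WSA Y has succeeded.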
