Secure Remote Access

This document describes the process of obtaining your SonicWALL Aventail E-Class SRA EX-Series update file, verifying it, and installing it on an existing appliance. Updating a clustered pair of SonicWALL Aventail appliances is described at the end of this document. For a complete list of known issues from previous versions that are fixed in this release, see the Release Notes.

Before updating your SonicWALL Aventail appliance, you must follow these steps, which are described in more detail in the Getting Started Guide:

- Create a MySonicWALL account, if you don't already have one. You need an account in order to register your SonicWALL Aventail SSL VPN. MySonicWALL registration information is not sold or shared with any other company.
- Register your device on MySonicWALL. Registration provides access to essential resources, such as your license file, firmware updates, documentation, and technical support information. When you register, you are prompted to enter an authentication code.
- Use your MySonicWALL account to retrieve the update file for your SonicWALL Aventail SSL VPN.
- Upload the update file to your appliance using the Aventail Management Console (AMC) and reboot.

See the following sections for detailed upgrade information:

- Platform Compatibility
- Update Requirements
- Creating a MySonicWALL Account
- Registering Your SonicWALL Aventail E-Class SRA Appliance
- Finding the Authentication Code for Your Appliance
- Obtaining the Update File from MySonicWALL
- Installing the Update
- Verifying the Update
- Updating a Clustered Pair
- Importing Your SonicWALL Aventail License

Platform Compatibility

Version 10.0.3 of the SonicWALL Aventail E-Class SRA EX-Series is supported on the following appliances:

- SonicWALL Aventail E-Class SRA EX7000
- SonicWALL Aventail E-Class SRA EX6000
- SonicWALL Aventail E-Class SRA EX-2500
- SonicWALL Aventail E-Class SRA EX-1600
- SonicWALL Aventail E-Class SRA EX-1500
- SonicWALL Aventail E-Class SRA EX-750

Update Requirements

The EX-Series appliance must be running the latest hotfix version before upgrading from 9.0.0, 9.0.1, or 9.0.2 to 10.0.3. The required hotfix for each version (9.0.x) is clt-hotfix-9_0_x-013. Appliances running versions 8.8.x or 8.9.x must be running the latest hotfixes prior to installing 10.0.3. More information about available hotfixes for 8.8.x or 8.9.x is available on the SonicWALL Knowledge Base.

One of the following SonicWALL Aventail EX-Series platform versions must currently be installed on the appliance in order to install the update. You can import a configuration that you created with any of these releases (including the beta) into v10.0.3:

- v10.x
- v9.0x
- v8.9x
- v8.8.x

A note about licensing requirements: The licensing scheme for the E-Class SRA EX-Series changed in version 9.0.x. If you are upgrading from version 8.8 or 8.9 to a later version, you must obtain a new license.

To verify the current version and hotfixes:

From the main navigation menu in AMC, click System Status. In addition to the version number, the System Status and Maintenance pages display a list of any hotfixes that have been applied.

To install a hotfix:

To apply a hotfix, run the following steps, replacing the examples with the actual file name for the hotfix:

1. Log in to your MySonicWALL account and select Support > Knowledge Portal in the left navigation pane.
2. Locate the hotfix script file, in the format clt-hotfix-9_0_x-0xx.gz, and copy it to the root folder (/) on the appliance.
3. Log in to the appliance, or to the master node of a pair, via SSH or serial connection as root.
4. Change directory to the root folder (/) with the command: cd /
5. Decompress the archive with the command: gzip -d clt-hotfix-9_0_x-0xx.gz
6. Mark the hotfix script as executable with the command: chmod a+x clt-hotfix-9_0_x-0xx
7. Execute the hotfix script: ./clt-hotfix-9_0_4-002 i
8. Reboot the appliance.
9. Repeat steps 1-7 on slave node (if applicable).

The hotfix script will perform certain actions such as the following:

- Backs up existing files.
- Replaces files with updated ones containing the fix.
- Restarts snmp and servicemgr services.

To restore to the previous state:

If you wish to restore the appliance to the state it was in before applying the hotfix, run the following steps, replacing the examples with the actual file name for the hotfix:

1. Log in to the appliance, or to the master node of a pair, via SSH or serial connection as root.
2. Change directory with the command: cd /var/lib/aventail/avp/rollback
3. Uncompress the rollback script with the command: gzip -d clt-hotfix-9_0_x-0xx.0.0.gz
4. Run the rollback script with the command: ./clt-hotfix-9_0_x-0xx-rollback1.0.0 i
5. Reboot the appliance.
6. Repeat steps 1-5 on slave node (if applicable).

Creating a MySonicWALL Account

If you don't already have a MySonicWALL account, create one by completing an online registration:

1. In your Web browser, go to www.mysonicwall.com.
2. In the User Login section, follow the link for users who are not yet registered.
3. Enter your account information, personal information, and preferences, and then click Submit. Be sure to use a valid email address.
4. Follow the prompts to finish creating your account. SonicWALL will send a subscription code to the email address you entered in step 3.
5. When you return to the login screen, log in with your new username and password.
6. Confirm your account by entering the subscription code you received by email.

You have now created and logged into your MySonicWALL account.

Registering Your SonicWALL Aventail E-Class SRA Appliance

To register your appliance, log in to your MySonicWALL account:

1. In your Web browser, go to www.mysonicwall.com and log in with your username and password.
2. Locate your software serial number, which is printed on the back of your SonicWALL Aventail appliance.
3. Enter your serial number, and then click Next. Follow the on-screen instructions.
4. Confirm your serial number.
5. Enter a name for this appliance.
6. If you are upgrading to v10.0.3 from v8.8 or v8.9, you must also enter an authentication code (how to find the code is described in the next section).
7. Click Register to continue. Follow the online prompts to fill out the survey and complete the registration process.

Finding the Authentication Code for Your Appliance

Your authentication code is the hardware identifier for your appliance, and it is displayed in one or two places, depending on your appliance model:

- EX7000 and EX6000: Both your serial number and authentication code are printed on your appliance label; they are also displayed on the General Settings page in AMC. Skip to the next section.
- EX-2500, EX-1600, EX-1500, and EX-750: Your authentication code is the same as the MAC address of the internal (eth0) network port. If you know how to obtain the MAC address for eth0, you can supply it to the MySonicWALL Web site and proceed to get your license before upgrading the appliance software. If you are not comfortable doing this, the simplest way to find the code is to first upgrade your appliance to v10.0.3, and then copy and paste it from AMC.

Follow these steps to get the authentication code/MAC address of your appliance:

1. Install the v10.0.3 upgrade (see the steps in the next section, "Obtaining the Update File from MySonicWALL").
2. Click General Settings in the main navigation menu in AMC. On an appliance running v10.x, the authentication code is shown in the Licensing area of that page: copy this code.
3. Log back in to MySonicWALL to retrieve your license file: select your appliance, and then paste its authentication code into the corresponding text box.

Obtaining the Update File from MySonicWALL

The next step is to obtain the update file and copy it to the file system of your local computer:

1. In your Web browser, go to www.mysonicwall.com and log in with your username and password.
2. In the Downloads area, select your EX-Series software type from the drop-down list.
3. In the Available Software list, select the firmware item that corresponds to your appliance. You'll be prompted to download a file named <part number>_upgrade-<n>_<n>_<n>_<three-digit build number>.bin to your local computer.

Verifying the Downloaded Update File

To make sure that the update was successfully transferred to your local computer, compare its checksum against the MD5 checksum information displayed on MySonicWALL.

To verify the MD5 checksum of the upgrade file on a PC, use a Windows- or Java-based utility. Microsoft, for example, offers an unsupported command-line utility on their site named File Checksum Integrity Verifier (FCIV). Follow these steps to compare checksums using this utility:

1. At the DOS command prompt, type the following, which returns a checksum for the downloaded file: fciv <upgrade_filename>.bin
2. Compare the result against the MD5 checksum displayed on MySonicWALL. If they match, you can safely continue with your update. If they differ, try the download again and compare the resulting checksums. If they still don't match, contact Technical Support.

To verify the MD5 checksum directly on your SonicWALL Aventail appliance, type the following command, which returns a checksum for the downloaded file: md5sum <upgrade_filename>.bin

Installing the Update

This section outlines the process of updating your system.

Note: Starting in v10.0, you can no longer configure CA eTrust SiteMinder as an authentication server on the SonicWALL Aventail appliance. If your current configuration includes a SiteMinder server, remove it from your configuration before you back it up in preparation for installing the v10.0.3 update file; otherwise you will see an "Update failed" error message.

Backing Up Your Current Configuration

Before updating, it's a good idea to back up the current configuration data from your appliance using the export feature in AMC. This step is optional, but recommended:

1. From the main AMC navigation menu, click Maintenance.
2. In the System configuration area, click Import/Export.
3. Click the Export button. A File Download dialog box prompts you to open the .aea file or save it to your hard drive.
   Note: On Windows operating systems, Internet Explorer may block the download of the .aea file. To work around this, click the information bar that appears beneath the Internet Explorer Address box, and then click Download File.
4. Click Save, browse to the correct directory on your hard drive, and then save the .aea file.
5. Click OK on the Export Configuration page to return to the Import/Export page.

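The checksum comparison from "Verifying the Downloaded Update File", scripted around the md5sum command that section names. This is an added example, not SonicWALL code; the function names, return codes, and file-name glob are assumptions of the example. As in that section, a match confirms that the file was transferred intact.

```shell
#!/bin/sh
# Added example: compare an update file's MD5 with the value shown on MySonicWALL.
# Return codes (chosen for this example): 0 match, 1 mismatch, 2 bad input.

# Normalize a pasted checksum: drop whitespace, lowercase, require 32 hex digits.
normalize_md5() {
    sum=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$sum" in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#sum}" -eq 32 ] || return 2
    printf '%s\n' "$sum"
}

# Loose check against the name pattern the page gives:
# <part number>_upgrade-<n>_<n>_<n>_<three-digit build number>.bin
is_update_filename() {
    case "$(basename "$1")" in
        ?*_upgrade-[0-9]*_[0-9]*_[0-9]*_[0-9][0-9][0-9].bin) return 0 ;;
        *) return 1 ;;
    esac
}

verify_update_md5() {
    file=$1
    expected=$(normalize_md5 "$2") || { echo "expected value is not an MD5 checksum" >&2; return 2; }
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # A wrong name is only a warning: the checksum decides the result.
    is_update_filename "$file" || echo "warning: $file does not look like an update file" >&2
    # md5sum prints "<checksum>  <name>"; keep only the checksum field.
    actual=$(md5sum < "$file" | cut -d' ' -f1) || return 2
    if [ "$actual" = "$expected" ]; then
        echo "MD5 matches: $actual"
        return 0
    fi
    echo "MD5 MISMATCH: got $actual, expected $expected; download the file again" >&2
    return 1
}

# Command-line use: sh verify_update.sh <upgrade_filename>.bin <checksum from MySonicWALL>
if [ "$#" -eq 2 ]; then
    verify_update_md5 "$1" "$2"
fi
```

The checksum can be pasted exactly as displayed, in upper case or with embedded spaces, because it is normalized before the comparison.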
Installing the Update File

Next, install the update using AMC:

1. From the main navigation menu in AMC, click Maintenance.
2. In the System software updates area, click Update.
3. If you have not already downloaded the update file (as described in "Obtaining the Update File from mysonicwall.com"), click the mysonicwall.com link and log in to download the appropriate update file to your local file system.
4. Type the path of the update file or click Browse to locate it.
5. Click Install Update. This step may take several minutes, depending on the network connection speed.

After the file upload process is complete, the update is automatically installed on the appliance. You cannot cancel this part of the installation process. The appliance automatically restarts when the installation is complete.

Restoring a Configuration

If the installation of the update file is interrupted or fails, restore a saved configuration (creating a backup, as described in "Backing Up Your Current Configuration", is highly recommended).

To restore a configuration:

1. From the main navigation menu in AMC, click Maintenance.
2. In the System configuration area, click Import/Export.
3. In the File name box, type the path of the appropriate file (<appliance_name>-<date>-<nnn>.aea), or click Browse to locate it.
4. Click Import. To activate the imported configuration, you must apply changes.

Rolling Back to a Previous Version

From AMC, you can undo the most recent update installed on the system. If you experience problems after completing an update, for example, you may want to use this feature to roll back to a known state. Each time you roll back the software image, it removes the most recent system update and restores the version that existed just prior to the update.

CAUTION: If you have made any configuration changes since updating the system, rolling back the software image will erase these changes.

1. From the main navigation menu in AMC, click Maintenance.
2. In the System configuration area, click Rollback.
3. To roll back to the version displayed on the Rollback page, click OK. After the rollback process is complete, the appliance automatically restarts and applies the changes.
4. After the appliance restarts, verify the new version number in the bottom-left corner of the AMC home page.

Note: To roll back the version on a cluster, you must follow the steps above on both nodes, beginning with the master node.

Verifying the Update

After installing the update, follow these steps to verify the current version number in AMC:

1. Log in to AMC.
2. From the main navigation menu, click System Status and make sure that the update succeeded by verifying the Version number: 10.0.3-<three-digit build number>

Updating a Clustered Pair

To update the SonicWALL Aventail software in a cluster environment, you should take both appliances off-line so that no new user sessions are established:

- If you are administering the appliance pair remotely, you can do this by stopping the services on the appliance.
- If you have physical access to the appliances, you can stop communication between them by disconnecting the network crossover cable between the cluster interface adapters.

On each node of the cluster (first on the master node, and then on the slave node) you must install the update file and import the license file. For more information on managing a cluster, see the Installation and Administration Guide.

To update a cluster:

1. Log in to AMC on both nodes in the cluster.
2. On the master node, stop the services:
   a. In the main navigation menu in AMC, click Services.
   b. In the Access services area, click Stop for each of the three services (Network tunnel, Web proxy, and Aventail WorkPlace).
3. In the main navigation menu in AMC, click Maintenance.
4. In the System software updates area, click Update.
5. If you have not already downloaded the update file (as described in "Obtaining the Update file from mysonicwall.com"), click the mysonicwall.com link and log in to download the appropriate update file to your local file system. Be sure to match the serial number and authentication code on mysonicwall.com for each appliance. The information is displayed on the General Settings page in AMC (click General Settings, and then look in the Licensing area).
6. Type the path of the update file or click Browse to locate it.
7. Click Install Update. A file upload status indicator appears. If necessary, you can stop the upload process by clicking Cancel.
8. On the second (slave) node, log in to AMC, and then click Maintenance in the main navigation menu.
9. In the System software updates area, click Update.
10. Type the path of the update file or click Browse to locate it.
11. Click Install Update. A file upload status indicator appears. If necessary, you can stop the upload process by clicking Cancel.
12. The nodes will automatically reboot once the update is installed; services are restored after reboot.
13. Make sure that the update succeeded by verifying on both nodes that the Version number in the lower-left corner in AMC is: 10.0.3-<three-digit build number>

Importing Your SonicWALL Aventail License

If you are upgrading from v9.0.x to a later version of the firmware, your existing license will work automatically; you do not need to re-import it. Here are a few situations in which importing a license is necessary:

- You have bought a new license.
- You are upgrading from a pre-v9.0 version of the SonicWALL Aventail firmware; in this case you must obtain a new license and import it.

The process for importing a license file is described in detail in the online help for the Aventail Management Console (AMC). Briefly, the steps are as follows:

1. From the main navigation menu in AMC, click General Settings, and then click Edit in the Licensing area. The Manage Licenses page appears.
2. Click Import License.
3. In the License file box, type the path for the license file you retrieved from your MySonicWALL account, or click Browse to locate it.
4. Click Upload, and then apply the change by clicking the Pending changes link in the upper-right corner.

Note: When you upload a Spike License, the countdown of the number of days it is valid begins once you activate it and apply the pending change in AMC. Don't click the Activate link until you are ready to start using it.

Last updated: 11/9/2009