========================================================================= Symantec Messaging Gateway (formerly Symantec Brightmail Gateway) version 10.0 Software Update Notes ========================================================================= August, 2012 SPECIAL INSTRUCTIONS AND CAUTIONS ================================================ Unsupported platforms 8220, 8240, 8260, and 8320 purchased on or before May 2008 (based on the Optiplex GX745 platform) hardware platforms are unsupported. To determine what hardware version you have, at the command line type the following: show -i Supported platforms You can update to Symantec Messaging Gateway 10.0 on any of the following platforms: --All supported hardware versions For more information about Symantec Messaging Gateway hardware testing support, on the Internet, go to the following URL: http://www.symantec.com/docs/tech186269 To determine what hardware version you have, at the command line type the following: show -i --VMware ESX or ESXi 5.0/4.x --vsphere 5.0/4.x Supported Web browsers You can access the Symantec Messaging Gateway Control Center on any of the following supported Web browsers: --Internet Explorer 9/8 --Firefox 13 or later --Chrome 19 or later Special update instructions for 9.5.0-19 users Symantec strongly recommends that you upgrade your Control Center before you upgrade your Scanners. If you do not upgrade the Control Center first, you must use the command line interface to upgrade remote Scanners. Please thoroughly review the following sections: ================================================
--What's new --Update considerations --Running software update --Known Issues --End User License Agreement (EULA) What's new ========== The new and enhanced features are as follows: --Custom spam rules specifically for your organization based on the missed spam messages and false positive messages that administrators and end users submit. --Integration with Data Loss Prevention Enforce Server that lets you remediate quarantined messages from either Symantec Messaging Gateway Control Center or from the Enforce Server administration console. --Support for IPv6. --Improvements to content filtering: --Negative policy conditions. --Ability to scan HTML tags in the message body. --Ability to specify how you want Symantec Messaging Gateway to address subsequent policy actions. --New variables that let users view or remediate incidents from incident notification messages. --In addition to the ability to approve or reject items in incident folders, you can now create custom actions. --Bypass scanning content filtering policies when Symantec Messaging Gateway detects malware. --Send spam or suspected messages to content incident folders. --Additional information about messages in the message queue and message audit log. --Greater flexibility to customize your backups. --Ability for an administrator to reset a lost password without performing an OS restore. --All of the predefined attachment lists that Symantec provides in Symantec Messaging Gateway are now premium attachment lists. If you upgrade from a previous version, predefined, customizable attachment lists are retained, as well as any modifications that you made to those lists. New versions of the default, non-editable predefined custom attachment lists also appear in the Attachment List table. --Addressed a number of reported vulnerabilities. For more information, see the Symantec Messaging Gateway 10.0 Administration Guide. Update considerations ===================== --IM filtering and network access control functionality has been removed from this release of Symantec Messaging Gateway. Customers who are currently using the IM filtering features should find an alternative solution.
--Please read the Symantec Messaging Gateway 10.0 release notes for a complete list of update considerations. --For customers updating from version 8.0.3 using LDAP directories, there may be a new communications requirement for LDAP connectivity from Scanners. Please read the release notes for details. --Symantec Messaging Gateway 9.5 introduced a restructuring of the data storage for content incidents and Spam Quarantine. If you update to 10.0 from 8.0.3, systems storing large amounts of data with these features will see increased update time for the Control Center. Delete as many content filtering incidents and quarantined spam messages as possible before you run the update. --Symantec Messaging Gateway 10.0 introduces a custom remediation action for content incidents. This action is added to any existing content incident folders with the same settings as the "approve" action. As a best practice, back up your existing data before you run the software update. The software update process may take several hours to complete. Do not reboot while the software update is in process. If you reboot before the process is complete, data corruption is likely. If data corruption occurs the appliance must be re-installed with a factory image. Important information for installing on VMware Symantec Messaging Gateway 10.0 offers two methods for installing on supported VMware platforms. You can load the ISO file into a preconfigured virtual machine, or you can load the OVF which includes the virtual machine configuration. Please note the following: --The ISO file can be used on VMware ESX or ESXi 5.0/4.x or vsphere 5.0/4.x. Refer to Symantec Messaging Gateway 10.0 Installation Guide for instructions. --The OVF can be used for VMware ESX or ESXi 5.0/4.x or for vsphere 5.0/4.x. Refer to Symantec Messaging Gateway 10.0 Installation Guide for instructions. If you use the BusLogic controller when you upgrade to 10.0 with VMware ESX or VMware ESXi 4.1/4.0, you must switch the SCSI Controller Type in your virtual machine settings to "LSI SAS". For more information, on the Internet, go to the following URL: http://www.symantec.com/docs/tech168754 Supported paths to version 10.0 You can update to Symantec Messaging Gateway 10.0 by using any of the following methods: --Software update from version 8.0.3 or later --OSrestore from ISO on supported hardware or in supported virtual environment --VMware installation with OVF file Software update planning --There is not an option to update a Control Center and multiple Scanners simultaneously. Each appliance must be updated individually.
--Symantec strongly recommends that you upgrade your Control Center before you upgrade your Scanners. If you do not upgrade the Control Center first, you must use the command line interface to upgrade remote Scanners. --It is crucial that the update window in which you update your Scanners to 10.0 is as short as practicable. This is critical because if the Control Center and Scanner versions differ, the Control Center is unable to make configuration changes to the Scanner. Configurations in which the Control Center and Scanners run different versions for an extended period are unsupported. Running software update ======================= Before running the software update from 8.0.3, ensure that your appliance is not performing tasks that, if disrupted, could cause problems after updating. --Check for a running LDAP synchronization cycle. --Check for a running Scanner replication cycle. --Minimize the number of messages in any of the queues by setting the Scanner to reject incoming messages and then wait for the queues to drain completely. To prepare for the software update, follow the steps below. The Control Center locations presented below are for version 8.0.3 and may differ for other versions. 1 To check for a running LDAP synchronization cycle or Scanner replication cycle, go to Status - System - LDAP Synchronization. 2 To halt incoming messages, go to Administration - Hosts - Configuration/Edit, click "Do not accept incoming messages", and click Save. 3 To check the queues, go to Status - SMTP - Message Queues. Using the command line interface to update ----------------------------------------- For 9.5.0, Symantec introduced enhanced upgrade Control Center functionality. If you run a release prior to 9.5.0, or if you prefer not to use this new Control Center functionality, you can update through the command line interface, which allows you to divide the update process into discrete steps. This may be more appropriate to use over imperfect Internet connections. To update using the command line interface: 1 Log into an appliance using an SSH client or log in at the console. You must use your administrator credentials to log in. 2 To list available updates, type the following command: update list 3 To download the update, type the following command: update download 4 To install the update, type the following command: update install Follow the steps below to monitor the software update progress. To monitor the software update progress: 1 Using an SSH client or the console, log into the appliance you are updating.
You must use administrator credentials when logging on. 2 Type one of the following commands: for 8.0.3: watch update.log for 9.0.1 or later: tail -f update.log The progress of the software update appears. When the update is complete, the appliance restarts automatically. Do not restart the appliance before the update completes. You will see the following message: sms-appliance-release-version successfully installed. Rebooting appliance... The appliance reboots. If you have logged into the appliance using an SSH client, the connection will be lost. You may receive warnings, which you can ignore. See the release notes for more information. Testing update success ---------------------- To ensure that your appliance is running Symantec Messaging Gateway version 10.0, log into the command line interface on an appliance and type the following command: show --version Known Issues ============ FIPS mode not automatically enabled when you restore a Symantec Messaging Gateway Scanner from a backup. ---------------------- Your FIPS state is not saved as part of a backup. If you perform the restore from a backup on a Symantec Messaging Gateway 9.5.2 or later host with FIPS mode on, manually re-enable the FIPS mode after the restore completes. http://www.symantec.com/docs/tech186248 Unable to load cache data from /data/dds/dds-cache.ser in dds.log during upgrade from 9.x to 10.0. ---------------------- When you upgrade from a version before 9.x, Symantec Messaging Gateway is unable to load the cache data from /data/dds/dds-cache in dds.log. The DDS cache is rebuilt as messages are processed after upgrade. http://www.symantec.com/docs/tech186186 End User License Agreement (EULA) ================================= After you update, you can display the End User License Agreement (EULA) from the command line interface.
To view the EULA 1 Log into the appliance's command line interface and type: show --eula The EULA appears. 2 To page through the EULA, use the space bar. 3 To exit the display of the EULA, type: q The command prompt appears.