SGOS on KVM Deployment Guide

Guide Revision: 8/18/2017

Legal Notice

Copyright 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
www.symantec.com

8/18/2017

Table of Contents

- About Deploying SGOS on KVM
- System Requirements
- Installing Required Packages on CentOS
- Installing Required Packages on RHEL
- Installing Required Packages on Ubuntu
- VAP File Contents
- Topics in this Guide
- Complete Prerequisite Tasks
- Retrieve Appliance Serial Numbers
- Create the Libvirt VM Configuration File
- Boot Up the SWG VA
- Configure the Virtual Appliance
- Prepare for Initial Configuration
- Complete Initial Configuration
- Deploying the SWG VA in a Proxy Chain
- Verify Your Configuration
- Retrieve and Install the SWG License
- Prevent Licensing Issues
- Appendix A: Platform and Performance Reference
- Throughput Requirements Per Virtual Disk
- Requirements Per Model
- Guidelines for Optimal Performance
- Appendix B: Frequently Asked Questions

About Deploying SGOS on KVM

This deployment guide is intended to help administrators set up and run the high-performance model Secure Web Gateway virtual appliance (SWG VA) in a Kernel-based Virtual Machine (KVM) environment. It provides information on the requirements and instructions for creating and configuring a virtual ProxySG appliance.

Because KVM is outside of the Symantec network, you must upload a QCOW2 image to KVM, where you can configure and manage virtual SGOS services. You can access the ProxySG serial console via telnet or the VNC console, or both; refer to the documentation for your environment for specific steps to use VNC. You can also manage the ProxySG Management Console in a web browser.

System Requirements

SGOS on KVM supports the following Linux-based operating systems:

- CentOS 7.3
- Red Hat Linux Enterprise (RHEL) 7.3
- Ubuntu 14.04 and 16.04

The operating system must be running kernel version 3.10 or later. Refer to the documentation for your operating system as needed:

- CentOS 7.3 and RHEL 7.3: https://access.redhat.com/documentation/en/red-hat-enterprise-linux/
- Ubuntu 14.04 and 16.04: https://help.ubuntu.com/

In addition, confirm access to the following in your virtualization environment:

- KVM
- QEMU 2.0 or later
- Libvirt API
- Virsh tool
- VNC client*

*Not required if you intend to access the serial console via telnet only.

Installing Required Packages on CentOS

SGOS on KVM for CentOS requires the qemu-kvm-ev stack from the CentOS Virtualization Special Interest Group. To install this version of qemu-kvm, use the following commands:

    # yum install centos-release-qemu-ev
    # yum install qemu-kvm-ev

Installing Required Packages on RHEL

Symantec recommends that you review the Virtualization Deployment and Administration Guide:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_Administration_Guide/

To ensure that your machine is capable of running KVM, refer to the "System Requirements". To install the required packages, refer to "Installing the Virtualization Packages".

Installing Required Packages on Ubuntu

Symantec recommends that you review installation documentation to ensure your machine is capable of running KVM:

https://help.ubuntu.com/community/kvm/installation

To install the required packages, use the following command:

    # apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils qemu-utils

VAP File Contents

The virtual appliance package (VAP) is available at MySymantec (https://support.symantec.com) and includes the following files:

- The QCOW2 image, such as ProxySG_SWG_KVM_205205.qcow2
- The SG VA Generator tool (sgvagen), which you use to create a libvirt VM configuration file
- A README file, which guides you through generating the libvirt VM configuration file and specifying settings
- The SGOS on KVM Deployment Guide

MySymantec has the most up-to-date version of this deployment guide.

Topics in this Guide

Refer to the following topics for deployment steps and reference information.

Deployment step or reference information, followed by its reference:

- All required information and preparing the environment for installation: "Complete Prerequisite Tasks"
- Creating the libvirt VM configuration file: "Create the Libvirt VM Configuration File"
- Booting up the SWG VA: "Boot Up the SWG VA"
- Configuring the VA for the first time and licensing the VA: "Configure the Virtual Appliance"
- Supported platforms and performance specifications: "Appendix A: Platform and Performance Reference"
- Frequently-asked questions about the SWG VA: "Appendix B: Frequently Asked Questions"
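The host requirements listed under "System Requirements" (kernel 3.10 or later, QEMU 2.0 or later, the virsh tool, KVM) can be checked on the host before deployment. The script below is an added example, not part of the Symantec guide; the QEMU binary names it probes and the use of /dev/kvm as the sign that KVM is available are assumptions, and the sample strings are constructed.

```python
import os
import platform
import re
import shutil
import subprocess

MIN_KERNEL = (3, 10)  # guide: "kernel version 3.10 or later"
MIN_QEMU = (2, 0)     # guide: "QEMU 2.0 or later"
# Assumption: QEMU is installed under one of these names (qemu-kvm on
# CentOS/RHEL, qemu-system-x86_64 on Ubuntu).
QEMU_CANDIDATES = ("/usr/libexec/qemu-kvm", "qemu-kvm", "qemu-system-x86_64")


def major_minor(text):
    """Return (major, minor) of the first dotted version in text, or None."""
    match = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(match.group(1)), int(match.group(2))) if match else None


def evaluate(kernel_release, qemu_banner, has_virsh, has_dev_kvm):
    """Return the list of unmet requirements; an empty list means ready."""
    problems = []
    kernel = major_minor(kernel_release)
    if kernel is None or kernel < MIN_KERNEL:
        problems.append("kernel %r is not 3.10 or later" % kernel_release)
    qemu = major_minor(qemu_banner)
    if qemu is None:
        problems.append("QEMU not found or version not recognised")
    elif qemu < MIN_QEMU:
        problems.append("QEMU %d.%d is older than 2.0" % qemu)
    if not has_virsh:
        problems.append("virsh is not on PATH (libvirt client missing)")
    if not has_dev_kvm:
        problems.append("/dev/kvm is absent (KVM not available on this host)")
    return problems


def gather():
    """Collect the four facts evaluate() needs from the local host."""
    banner = ""
    for candidate in QEMU_CANDIDATES:
        path = shutil.which(candidate)
        if path:
            result = subprocess.run([path, "--version"],
                                    capture_output=True, text=True)
            banner = result.stdout
            break
    return (platform.release(), banner,
            shutil.which("virsh") is not None, os.path.exists("/dev/kvm"))


# Constructed sample inputs (not captured from a real host).
SAMPLE_OK = ("3.10.0-514.el7.x86_64",
             "QEMU emulator version 2.6.0 (qemu-kvm-ev)", True, True)
SAMPLE_OLD = ("3.10.0-514.el7.x86_64",
              "QEMU emulator version 1.5.3 (qemu-kvm)", True, False)

if __name__ == "__main__":
    for line in evaluate(*gather()) or ["host meets the listed requirements"]:
        print(line)
```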

Complete Prerequisite Tasks

Before deploying the SWG VA, complete the following tasks:

1. Verify "System Requirements".

2. Make sure that the following Symantec servers are accessible from the SWG VA:

   - https://download.bluecoat.com
   - https://services.bluecoat.com

   You require access to these servers in order to retrieve and install the SWG VA license.

3. Obtain or confirm your MySymantec credentials. In addition to retrieving appliance serial numbers, these credentials are required for obtaining the QCOW2 image. If you do not have a MySymantec account, go to https://support.symantec.com/en_us/contact-support.html.

4. Download the VAP file from MySymantec:

   a. Go to MySymantec: https://support.symantec.com
   b. Select Downloads > Network Protection (Blue Coat) Downloads.
   c. When prompted, log in with your MySymantec credentials.
   d. Select ProxySG.
   e. Select SG-VA.
   f. Select a software version.
   g. Accept the License Agreement.
   h. Select the file(s) to download and click Download Selected Files. The first time you download files, you are prompted to install the Download Manager. Follow the onscreen prompts to download and run the installer. For more information, refer to https://www.symantec.com/support-center/getting-started.
   i. The Download Manager window opens. Select the download location.

   Complete instructions are also available online at: https://www.symantec.com/support-center/getting-started
   Bookmark this page for future reference.

5. Obtain or confirm the following ProxySG information:

   - The username for the administrator account
   - The virtual appliance serial number (see "Retrieve Appliance Serial Numbers")
   - The intended password for the administrator account
   - The intended enable password for the appliance
   - Network settings: IP address, subnet mask, gateway, and DNS

   Make sure that the passwords are strong.

6. Download the VAP.

Retrieve Appliance Serial Numbers

Before proceeding, have your MySymantec username and password ready.

1. Locate the e-mail you received from Symantec. This e-mail contains the software activation codes as well as a link to the licensing portal.

2. Log in to the licensing portal.

   a. Click the link embedded in the e-mail (https://services.bluecoat.com/eservice_enu/licensing/register.cgi). The web browser displays the licensing portal.
   b. On the login screen, enter your MySymantec username and password, and then click Sign In. MySymantec displays a Home page.

3. In the Enter Activation Code field, enter any activation code that is listed in your e-mail; the system retrieves all serial numbers from the same purchase order.

   a. Type the code as it appears in the e-mail, or copy and paste it into the Enter Activation Code field.
   b. Click Next. MySymantec displays the License Agreement page.

4. Read and accept the License Agreement, and then click Next. MySymantec displays a serial numbers page.

5. Record the appliance serial number(s). You will refer to the serial number when you configure the appliance for the first time.

Create the Libvirt VM Configuration File

The first step in creating the SWG VA consists of generating a libvirt VM configuration file. The VAP file you downloaded from MySymantec includes an SG VA Generator, which you use to generate the configuration file. Refer to the README included in the VAP for instructions.

The default name of the SWG VA is the model name, such as "C1M" or "C8L". The SG VA Generator also creates the necessary virtual disks and puts all of the files in the current directory by default. To specify a different file name or deployment directory, refer to the README.

After you have created the configuration file, proceed to "Boot Up the SWG VA".

Boot Up the SWG VA

To boot up the SWG VA, create the VA using virsh.

1. In the KVM CLI, type the following command:

       virsh create sgos.xml

   This command creates a SWG VA using configuration information in the specified XML file; the XML file name (in this example, "SGOS") will be the name of the VM. To launch multiple instances of SGOS, repeat this step for each guest VM.

2. Display a list of currently running VMs:

       virsh list

   The CLI returns a list as follows:

        Id    Name                           State
       ----------------------------------------------------
        7     SGOS                           running

3. Delete the specified KVM guest:

       virsh destroy <name>

   For example, to delete the guest displayed in the output in step 2, type the following command:

       virsh destroy SGOS

Configure the Virtual Appliance

Initial configuration and configuration of the SWG VA consists of the following steps:

- "Prepare for Initial Configuration"
- "Complete Initial Configuration"
- "Verify Your Configuration"
- "Retrieve and Install the SWG License"

Prepare for Initial Configuration

To perform initial configuration, access the ProxySG CLI. The initial configuration wizard guides you through basic network settings, including adding an interface IP address and setting up administrative credentials for console access.

The following table summarizes the prompts in the wizard. Before you launch the wizard, obtain and record the information specific to your deployment in this table. After you have recorded your settings in the table, see "Complete Initial Configuration".

Description: Appliance Serial Number
Value: Refer to the appliance serial number that you recorded in "Retrieve Appliance Serial Numbers".
My Values:

Description: Manual setup or use Director
Value: If using Director, you must configure a registration password or shared secret on the Director. The same password must be entered while performing the initial configuration. The shared secret is required because the SWG VA does not have an appliance certificate at this point.
Note: When you install a license from MySymantec, an appliance certificate is also installed. After you install the license, you can change your configuration to use Director subjugation. The appliance certificate is used instead of the shared secret when subjugating with Director.
My Values:

Description: Interface configuration
Value: Identify the IP addresses and subnet masks for the interfaces. You also have an option to assign a VLAN ID to each interface. If you use VLANs for segregating traffic, you must enable VLAN trunking on all interconnecting devices such as switches or routers. This guide does not include information on VLAN configurations.
My Values:

Description: Default gateway
Value: Provide the IP address for the default gateway.
My Values:

Description: Primary DNS server
Value: Provide the IP address for the primary DNS server.
My Values:

Description: Administrator username (ID) and password
Value: The password you assign here will also be used for accessing enable mode in the CLI. Enable mode allows you to make configuration changes. The default enable username is admin.
My Values:

Complete Initial Configuration

Complete initial configuration of the SWG VA.

1. Verify that your SWG VA is powered on.

2. Access the SWG VA serial console.

3. Follow the prompts and enter the details in the setup script.

4. Press Enter three times to activate the serial console.

5. Enter the entire appliance serial number, including the leading zeros, at the "Please enter the serial number:" prompt. Then, press Enter. The appliance serial number is unique for each appliance; use one serial number per SWG VA. See "Retrieve Appliance Serial Numbers".

6. At the "How do you plan to configure this appliance?" prompt, specify your preference for either configuring the SWG VA manually or using Director.

   a. If you are using Director, assign a registration password on Director and enter the password in the setup console when prompted. For information on setting up a registration password, refer to the Director Configuration and Management Guide at MySymantec (https://support.symantec.com).
   b. At the "Enter interface number to configure" prompt, specify an interface.
   c. At the "Is the IP address to be configured on a non-native VLAN?" prompt, type Y or N. If you use VLANs for segregating traffic, you must enable VLAN trunking on all interconnecting devices such as switches or routers. This guide does not include information on VLAN configurations.
   d. Specify the IP address and subnet mask for the selected interface.
   e. Specify the IP address for the default gateway.
   f. Specify the IP address for the DNS server.
   g. Change the username for administrative access on the SWG VA. The default username is admin.
   h. Add a password for allowing administrative access privilege.
   i. When prompted, enter your enable password.
   j. At the "Do you want to secure the serial port?" prompt, type Y or N.
   k. At the "Restrict access to authorized workstations?" prompt, type Y or N to indicate whether you allow non-authorized workstations to access the ProxySG Management Console. The Management Console is a graphical web interface that allows you to manage, configure and monitor the SWG VA.

7. Press Enter three times to activate the serial console.

8. (If necessary) Repeat the previous steps to configure more interfaces.

9. Exit the serial console.

Deploying the SWG VA in a Proxy Chain

If you have a forward proxy deployment where the SWG VA is installed as the downstream proxy and cannot connect directly to the following Symantec servers, you must configure the SWG VA to forward this traffic to an upstream proxy that has access to the Symantec servers:

- https://download.bluecoat.com
- https://services.bluecoat.com
- https://validation.es.bluecoat.com
- https://subscription.es.bluecoat.com

To allow the SWG VA to communicate with Symantec servers, create an HTTP forwarding host on the SWG VA and ensure that download-via-forwarding is enabled (it is enabled by default). You can add the host to the default forwarding sequence, but if you do not want to forward all traffic through the default sequence, you must install policy to allow forwarding to Symantec servers.

If you have this type of deployment and do not perform these steps, the SWG VA will be unable to connect to the server and the license may be suspended.

Configure the SWG VA for proxy chaining.

1. Access the SWG VA serial console.

2. Press Enter three times to activate the serial console.

3. Select the CLI option and enter your credentials.

4. Enter enable to go into enable mode, and then enter your enable password when prompted.

5. Enter the following commands.

   If you do not want to forward all client HTTP requests to the hosts specified in the sequence, do not enter the default-sequence add <host_alias> command shown below. Instead, you will configure policy to use the forwarding host. For more information on forwarding and proxy chaining, refer to the SGOS Administration Guide.

       #conf t
       Enter configuration commands, one per line. End with CTRL-Z.
       #(config)forwarding
       #(config forwarding)create host <host_alias> <host_name> http proxy
       ok
       #(config forwarding)default-sequence add <host_alias>
       ok
       #(config forwarding)download-via-forwarding enable
       ok

   In the commands above:

   - <host_alias> is a name that you specify for this host
   - <host_name> is the name of the host domain, such as www.mysite.com, or its IP address

6. Exit the serial console.

7. (If necessary) If you did not add the host to the default forwarding sequence, install the following policy:

       <Forward>
           condition=bluecoat_services forward(<host_alias>)

       define url.domain condition bluecoat_services
           validation.es.bluecoat.com
           services.bluecoat.com
           download.bluecoat.com
           subscription.es.bluecoat.com
       end

   In the policy above, <host_alias> is the forwarding host you configured in the CLI.

Verify Your Configuration

Verify that you can connect to the SWG VA through the CLI and through the web browser.

Verify Network Connectivity

To verify that the traffic in your network is being intercepted as required, use the ping, traceroute, or test CLI command. Refer to the Command Line Interface Reference at MySymantec (https://support.symantec.com) for details on using these commands.

Verify Management Console Access

The Management Console is a graphical web interface that allows you to manage, configure and monitor the SWG VA. The Management Console requires a supported browser and version of Java Runtime Environment (JRE). To identify the browsers and JRE version supported for your operating system, refer to the following article:

http://www.symantec.com/docs/tech245893

To log in to the Management Console:

1. In a web browser, go to the following URL:

       https://<ip_address>:8082

   where:

   - the default management port is 8082
   - <ip_address> is the IP address you configured in "Complete Initial Configuration"

   When you enter the URL for the Management Console, the browser may display an error about an untrusted connection or security certificate. Depending on the browser you use, you must proceed with the connection to access the Management Console or add an exception to allow access to the web site. For specific instructions, refer to the documentation for the browser.

2. In the prompt that appears, enter the user name and password that you created in "Complete Initial Configuration". The browser displays the Management Console.

Retrieve and Install the SWG License

To retrieve and install the SWG VA license for the first time, the SWG VA appliance must be allowed access to the following Symantec servers:

- https://download.bluecoat.com
- https://services.bluecoat.com

The SWG VA license contains data that is used to uniquely identify the SWG VA as a Blue Coat appliance. If you power on the appliance and a license is not installed, the Management Console banner displays a No license message and a Critical health status.

Before you begin:

- Set up DNS; see Configuring DNS in the SGOS Administration Guide.
- Confirm NTP is working, or add local NTP servers if you have blocked the Symantec NTP servers. Then, verify the system time is correct; see Accessing the Appliance, in the SGOS Administration Guide.

Refer to the SGOS Administration Guide at MySymantec (https://support.symantec.com).

Retrieve and install the license:

1. In the Management Console, select Maintenance > Licensing > Install.

2. Click Retrieve.

3. In the dialog that opens:

   a. Enter your MySymantec credentials.
   b. Click Request License. License installation begins.
   c. When the license is installed successfully, the Management Console displays an Installation Successful dialog. Click OK to close the dialog.

4. Click Close.

After you complete the license installation, you do not have to reboot or shut down the appliance.

The Symantec WebFilter (formerly BCWF) license is not included with the high-performance models of SWG VA and must be purchased separately.

Prevent Licensing Issues

To prevent licensing issues, ensure the SWG VA is allowed network access to the license validation server at https://validation.es.bluecoat.com. If communication with the server fails, the license might be suspended; thus, a constant Internet connection is required for the SWG VA to communicate regularly with the license validation server to confirm that the serial number is not being used on another SWG VA.

If the license validation server detects duplicate serial numbers, your license is invalidated. See "How can I prevent duplicate serial numbers?" for more information.

If the SWG VA license expires, network traffic is subject only to the default policy (Allow or Deny).

If the configured CPU count exceeds the limit in your license, the license is suspended. See "Can I configure more CPUs than my license allows?" for more information.

Appendix A: Platform and Performance Reference

Refer to the following information on supported VA models and recommendations.

Throughput Requirements Per Virtual Disk

Although Symantec recommends that you size each virtual disk at 100GB, ProxySG virtual appliance models with higher storage requirements can have larger virtual drives. Be aware that throughput per virtual disk is inversely proportional to the number of drives. With fewer drives, more throughput is required per disk.

Note that the throughput requirements are values for peak network throughput.

Throughput per 100GB Drive

Model       Number of Drives  Drive Size (GB)  Disk Read Throughput (Mbps)  Disk Write Throughput (Mbps)  Read Request Rate (IOPS)  Write Request Rate (IOPS)
SG-VA-C1    1                 100              2.00                         16.00                         85.00                     65.00
SG-VA-C2    1                 100              5.00                         30.00                         135.00                    125.00
SG-VA-C4    2                 100              3.00                         32.50                         122.50                    127.50
SG-VA-C8    4                 100              2.75                         31.25                         117.50                    122.50

Throughput per 200GB Drive

Model       Number of Drives  Drive Size (GB)  Disk Read Throughput (Mbps)  Disk Write Throughput (Mbps)  Read Request Rate (IOPS)  Write Request Rate (IOPS)
SG-VA-C8    2                 200              5.50                         62.50                         235.00                    245.00
SG-VA-C16   4                 200              4.50                         51.25                         201.25                    208.75

Throughput per 400GB Drive

Model       Number of Drives  Drive Size (GB)  Disk Read Throughput (Mbps)  Disk Write Throughput (Mbps)  Read Request Rate (IOPS)  Write Request Rate (IOPS)
SG-VA-C16   2                 400              9.00                         102.50                        402.50                    417.50

Requirements Per Model

The table below lists requirements for each model, including recommended and alternate virtual drive configurations. Symantec recommends creating 100GB virtual drives, although models with higher storage requirements can have larger drives.

Model       Virtual CPUs  Virtual Memory (GB)  Total Storage (GB)  Recommended Virtual Drive Configuration  Alternate Drive Configurations
SG-VA-C1XS  1             4                    100                 1x100GB                                  n/a
SG-VA-C1S   1             4                    100                 1x100GB                                  n/a
SG-VA-C1M   1             6                    100                 1x100GB                                  n/a
SG-VA-C1L   1             8                    100                 1x100GB                                  n/a
SG-VA-C2S   2             8                    100                 1x100GB                                  n/a
SG-VA-C2M   2             12                   100                 1x100GB                                  n/a
SG-VA-C2L   2             16                   100                 1x100GB                                  n/a
SG-VA-C4S   4             24                   200                 2x100GB                                  n/a
SG-VA-C4M   4             24                   200                 2x100GB                                  n/a
SG-VA-C4L   4             32                   200                 2x100GB                                  n/a
SG-VA-C8S   8             32                   400                 4x100GB                                  2x200GB
SG-VA-C8M   8             48                   400                 4x100GB                                  2x200GB
SG-VA-C8L   8             64                   400                 4x100GB                                  2x200GB
SG-VA-C16S  16            64                   800                 8x100GB                                  4x200GB, 2x400GB
SG-VA-C16M  16            96                   800                 8x100GB                                  4x200GB, 2x400GB
SG-VA-C16L  16            128                  800                 8x100GB                                  4x200GB, 2x400GB

Guidelines for Optimal Performance

Symantec recommends the following settings for optimal performance. The SG VA Generator includes optional parameters for specifying these settings; refer to the README for details.

Disable Hyperthreaded Core Sharing

If the VM has multiple virtual CPUs, set the virtual CPUs to use non-hyperthreaded physical processors.

Use a Single Processor Socket

If the VM has multiple virtual CPUs and the host has multiple physical processor sockets, schedule the virtual CPUs on a single physical processor socket. Make sure that the physical processor socket has sufficient physical (non-hyperthreaded) processors to match the number of virtual CPUs for the VM. Symantec recommends using multiple sockets rather than relying on hyperthreaded processors to fit multiple virtual CPUs on a single socket.

Use a Single NUMA Node

If a single NUMA node has sufficient availability for the VM's memory, specify that the memory should come from that NUMA node. This NUMA node should be associated with the processor socket on which the virtual CPUs are scheduled.
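A check to run on the libvirt VM configuration file before booting it, covering both "Requirements Per Model" and the guidelines above: it compares the configured vCPUs and memory with the model table and flags missing CPU pinning or NUMA placement. This is an added example, not part of the Symantec guide or the SG VA Generator. It assumes the file uses libvirt's standard <vcpu>, <memory>, <cputune>/<vcpupin> and <numatune> elements and that the licensed CPU limit equals the model's Virtual CPUs value; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# (virtual CPUs, virtual memory in GB) per model, from "Requirements Per Model".
# Assumption: the table's GB figures are compared as GiB.
MODELS = {
    "SG-VA-C1XS": (1, 4), "SG-VA-C1S": (1, 4), "SG-VA-C1M": (1, 6),
    "SG-VA-C1L": (1, 8), "SG-VA-C2S": (2, 8), "SG-VA-C2M": (2, 12),
    "SG-VA-C2L": (2, 16), "SG-VA-C4S": (4, 24), "SG-VA-C4M": (4, 24),
    "SG-VA-C4L": (4, 32), "SG-VA-C8S": (8, 32), "SG-VA-C8M": (8, 48),
    "SG-VA-C8L": (8, 64), "SG-VA-C16S": (16, 64), "SG-VA-C16M": (16, 96),
    "SG-VA-C16L": (16, 128),
}

# libvirt <memory unit="..."> values in bytes; libvirt assumes KiB if absent.
UNITS = {"b": 1, "bytes": 1, "KB": 10**3, "k": 2**10, "KiB": 2**10,
         "MB": 10**6, "M": 2**20, "MiB": 2**20,
         "GB": 10**9, "G": 2**30, "GiB": 2**30}


def check_domain(xml_text, model=None):
    """Return (errors, warnings) for one libvirt domain definition.

    If model is None it is derived from <name>, because the guide says the
    default VM name is the model name (for example "C1M").
    """
    root = ET.fromstring(xml_text)
    errors, warnings = [], []

    model = model or "SG-VA-" + (root.findtext("name") or "").strip()
    if model not in MODELS:
        return ["unknown model %r: pass model= explicitly" % model], warnings
    want_cpus, want_gb = MODELS[model]

    vcpu_text = (root.findtext("vcpu") or "").strip()
    vcpus = int(vcpu_text) if vcpu_text.isdigit() else 0
    if vcpus == 0:
        errors.append("<vcpu> is missing or not a positive integer")
    elif vcpus > want_cpus:
        # Assumption: the licensed CPU limit equals the table value.
        errors.append("%d vCPUs exceeds the %d listed for %s "
                      "(license suspension risk)" % (vcpus, want_cpus, model))
    elif vcpus < want_cpus:
        warnings.append("%d vCPUs is below the %d listed for %s"
                        % (vcpus, want_cpus, model))

    mem = root.find("memory")
    unit = mem.get("unit", "KiB") if mem is not None else None
    mem_text = (mem.text or "").strip() if mem is not None else ""
    if mem is None or unit not in UNITS or not mem_text.isdigit():
        errors.append("<memory> is missing or uses an unrecognised unit")
    else:
        have_gb = int(mem_text) * UNITS[unit] / 2**30
        if have_gb < want_gb:
            errors.append("%.1f GB memory is below the %d GB listed for %s"
                          % (have_gb, want_gb, model))

    # Guidelines: pin each vCPU and take memory from a single NUMA node.
    pinned = {pin.get("vcpu") for pin in root.findall("cputune/vcpupin")}
    if vcpus > 1 and len(pinned) < vcpus:
        warnings.append("not every vCPU is pinned (<cputune>/<vcpupin>)")
    if root.find("numatune/memory") is None:
        warnings.append("no NUMA memory placement (<numatune>)")
    return errors, warnings


# Constructed sample: a C4M definition given 8 vCPUs and no pinning.
SAMPLE_XML = """
<domain type="kvm">
  <name>C4M</name>
  <memory unit="KiB">25165824</memory>
  <vcpu>8</vcpu>
</domain>
"""

if __name__ == "__main__":
    errs, warns = check_domain(SAMPLE_XML)
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARN:", msg)
```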

Appendix B: Frequently Asked Questions

When should I power off the SWG VA?

Some tasks that you perform on the SWG VA require a shutdown. When you do any of the following, save all of your configuration changes and then power off the SWG VA:

- Backing up the SGOS configuration
- Upgrading the server software
- Taking the server offline for maintenance
- Migrating the SWG VA to a different server

To power off the SWG VA:

1. Access the SWG VA serial console.
2. Log in to the CLI.
3. Type the enable password to go into privileged mode.
4. Issue the shutdown command.

How can I prevent duplicate serial numbers?

Do not reuse serial numbers. The SWG VA periodically connects to the license validation server to confirm that the license is still valid. If the license validation server detects a duplicate serial number, SGOS displays a warning beside License Validation Status on the Health Monitoring tab (Maintenance > Health Monitoring).

When the license is in this state, you have a specified number of days to determine which VA has duplicate serial numbers and then delete the duplicates (the default time window is 30 days). If you do not delete the duplicates within the specified time window, the license is suspended. License suspension disables proxy functionality and the Management Console displays the "Duplicate serial number detected" error message. If you receive this error message, refer to http://www.symantec.com/docs/tech241266, and follow the steps in the article to resolve the issue.

Can I configure more CPUs than my license allows?

Your license specifies the maximum number of CPUs for your virtual appliance. If you have configured more than the maximum, your license will be suspended. The ProxySG event log shows an error, and the Health Monitoring alerts and the Health status show Critical.

Why is my license suspended?

First, verify that you do not have duplicate serial numbers (see "How can I prevent duplicate serial numbers?" above) and that you have not exceeded the number of CPUs that your license allows (see "Can I configure more CPUs than my license allows?" above). To determine the number of CPUs that your license allows, issue the show license CLI command.

If the license validation status still has a warning, the SWG VA might be unable to connect to the Internet. If the appliance has not been able to contact the license validation server, the license will not be reactivated until connectivity to the Internet is restored. To fix this problem, troubleshoot network connection problems within your deployment.

If the appliance is a downstream proxy in a forward proxy deployment and cannot access Symantec websites directly, make sure that you have created and configured an HTTP forwarding host. Refer to the SGOS Administration Guide for details.

How do I update the license key?

Install the license key file through the ProxySG Management Console.

1. Launch the ProxySG Management Console.
2. Select Maintenance > Licensing > Install.
3. In the License Key Automatic Installation section, click Update. A Confirm License Install dialog opens.
4. Click OK.

How do I upgrade the connection limit for the SWG VA?

To increase the connection limit for your SWG VA, go to https://support.symantec.com/en_us/contact-support.html. After your order is processed, you will receive a Symantec efulfillment email with the upgrade activation code. Then, log in to the Symantec Network Protection Licensing Portal to upgrade.

You will need the following information to upgrade:

- the serial number of the VA that you want to upgrade
- the upgrade activation code that you received in your Symantec efulfillment email

To upgrade the connection limit for the VA:

1. Go to the Symantec Network Protection Licensing Portal: https://support.bluecoat.com/eservice_enu/licensing/register.cgi
2. Log in with your MySymantec credentials.
3. Select ProxySG > SG Upgrades.
4. In the Appliance Serial Number field, enter the serial number for the SWG VA that you want to upgrade.
5. In the Activation Code field, enter the upgrade activation code that you received in your Symantec efulfillment email.
6. Click Submit.
7. Update the license file.
8. Reboot the appliance to reset the connection limits.
9. To verify that the connection limit for the VA has been upgraded, click the View tab and confirm that the number of concurrent users has increased.

You cannot request a connection limit upgrade and renew a subscription on a single order; the upgrade and renewal must be on separate orders.

How do I renew my subscription for the SWG VA?

Your original Symantec efulfillment email contains details about the subscription, including the Start Date and End Date for the subscription.

To renew your subscription for the SWG VA:

1. Go to https://support.symantec.com/en_us/contact-support.html.
2. After Customer Care renews your subscription, update the license key through the Management Console.
3. To verify that the subscription has been updated, click the View tab and confirm that the licensed components have new expiration dates.

You cannot request a user limit upgrade and renew a subscription on a single order; the upgrade and renewal must be on separate orders.