Blue Coat Systems ProxySG Appliance

Upgrade/Downgrade Guide

SGOS Version 6.3.x

Blue Coat SGOS 6.3.x Upgrade/Downgrade Guide

Contact Information
Americas: Blue Coat Systems Inc., 420 North Mary Ave, Sunnyvale, CA 94085-4121
Rest of the World: Blue Coat Systems International SARL, 3a Route des Arsenaux, 1700 Fribourg, Switzerland
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com

Copyright 1999-2012 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, ProxyOne, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY BLUE COAT) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Americas: Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA 94085

Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland

Document Number: N/A
Document Revision: Version 6.3.1, 11/2011

SGOS 6.3 Upgrade/Downgrade Guide

This document describes how to upgrade to SGOS 6.3 and contains notes about downgrading.

Upgrading or Downgrading Between SGOS 6.x Versions


Policy features introduced in a minor release can cause compilation errors if you downgrade to a previous version of the same major release in which those features were unsupported. To prevent accidental downgrades, remove unused system images using the following commands:
#(config) installed-systems
#(config installed-systems) delete system_number

You cannot remove unused system images through the Management Console.

Upgrade to or Downgrade From this Release


Important:

- Schedule your upgrade/downgrade during off-peak hours.
- If you have ADN configured, upgrade/downgrade the ADN Managers before the other ADN nodes.

To upgrade to or downgrade from SGOS 6.3, perform the following steps:

1. Determine your upgrade/downgrade path. See "Step 1: Determine Your SGOS Upgrade/Downgrade Path" on page 5 for more information.
   WARNING: If your disk's object capacity has been increased, you must use the disk decrease-object-limit command before downgrading to a pre-6.2.x release. If you fail to do this, all data and settings will be lost after the downgrade.
2. Resolve CPL deprecations. See "Step 2: Resolve CPL Deprecations" on page 6.
3. Archive the current configuration so you can restore it if you encounter a problem. See "Step 3: Archive Your Configuration" on page 6.
4. If you had downgraded from 6.x to 5.5, and are now upgrading back to 6.x, you need to decide which configuration file you want the ProxySG to use after the upgrade. The default behavior is that it uses the original 6.x configuration file (which does not have your most recent configuration settings). If you want it to use the 5.5 configuration file (which does have recent configuration changes), you need to issue a special CLI command. See "Step 4: Converting SGOS Configuration Settings" on page 7.
5. If specific requirements are met, the ProxySG might have already downloaded the SGOS 6.x license (not verifiable until SGOS 6.x is installed). Otherwise, click Update to retrieve the license or manually install it after upgrading (Step 6). See "Step 5: Download the SGOS 6.x License (Pre-software Installation)" on page 9.
6. If you use BCAAA, install the BCAAA version that is compatible with the release you are migrating to. See "Step 6: Upgrade the BCAAA Service" on page 9.
   Note: BCAAA 130 for SGOS 6.x contains a security vulnerability fix, so be sure to upgrade BCAAA even if you are already running version 130.
7. Install SGOS. Read the instructions in "Step 7: Install the SGOS Software Release" on page 13.
   Repeat steps 6 and 7 until the desired release is installed (this step is applicable only if you must upgrade through one or more interim releases before installing SGOS 6.3).
8. If you did not pre-install the SGOS 6.x license (in Step 5), the ProxySG is running in Trial Mode. You must manually update and install the license. See "Step 8: Manually Upgrade The License (Not Required if Step 5 Was Completed)" on page 15.
9. Confirm the new license was installed. See "Step 9: Verify the Valid License" on page 16.
10. To prevent Java exception errors, clear the browser cache as described in "Step 10: Clear the Browser Cache" on page 16.

Step 1: Determine Your SGOS Upgrade/Downgrade Path


After determining your upgrade/downgrade path, perform the following:

- Determine if your hardware is supported on the target release.
- Learn about additional upgrade or downgrade procedures and caveats by reading the release notes of the releases to which you are upgrading or downgrading.

Figure 1-1: SGOS 6.3 Supported Upgrade/Downgrade Paths

ProxySG VA Upgrade Path

Existing ProxySG VA customers can directly upgrade from SGOS 5.5 to SGOS 6.3. New ProxySG VA customers must download and install the SGOS 6.3 Virtual Appliance Package (VAP). For details, refer to the ProxySG VA Initial Configuration Guide: https://bto.bluecoat.com/doc/17311

Determine Hardware Support


The following ProxySG models can be upgraded to SGOS 6.3:

- 32-bit platforms: SG210 (except for 210-5) and SG510
- 64-bit platforms: SG300, SG600, SG810, SG900, SG8100, and SG9000
- Virtual appliances: VA-5, VA-10, VA-15, VA-20

Note: The SG210-5 is not supported on SGOS 6.2 or higher because this release provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.

Return to "Upgrade to or Downgrade From this Release" or proceed to the next step.

Step 2: Resolve CPL Deprecations


Note: This procedure only applies when upgrading from SGOS 5.x.

You must resolve all deprecated CPL before upgrading. In the CLI, run the following command to view the deprecations:
SGOS#(config) show policy listing

Step 3: Archive Your Configuration


To archive your configuration, complete the following steps:

1. Access the Management Console of the ProxySG you want to back up:
   https://ProxySG_IP:8082/mgmt
2. Select Configuration > General > Archive.
3. In the View Current Configuration area, select Configuration - expanded from the View File drop-down list.
4. In the Install Configuration area, clear the Enforce installation of signed archives option.
5. Click View. A browser window opens and displays the configuration.
6. You can also view the file by selecting Text Editor in the Install Configuration panel and clicking Install.
7. Copy the configuration to a text file and save it in a secure location.

Note: If you need to restore an archived configuration file, see "Restoring a Configuration Archive" on page 96 in the Blue Coat Systems SGOS 6.3 Administration Guide. Configuration files should only be restored on appliances running the same SGOS release version. For example, configuration files from SGOS 5.5.6.x should only be restored to appliances running SGOS 5.5.6.x.

Step 4: Converting SGOS Configuration Settings


This information is applicable to you only if you are upgrading to SGOS 6.x from an SGOS 5.x release, and one of the following conditions is true:

- Your ProxySG shipped with SGOS 6.x (as the default OS) and you downgraded to 5.x.
- You upgraded to 6.x and then downgraded back to 5.x and your latest configuration settings are in SGOS 5.x.

How Configurations are Applied During Upgrade


The SGOS software includes upgrade handlers designed to convert configuration settings between major release upgrades; for example, upgrades from 4.x to 5.x, or 5.x to 6.x. The SGOS upgrade handler is designed to convert the existing configuration to current equivalents. However, if a 5.x configuration exists on the appliance, it will be used for the conversion even if you are upgrading from 4.x. This section describes this issue and how to correct it.

Every time you upgrade or downgrade SGOS, the most recent configuration is saved. Configuration files are automatically upgraded the first time the upgraded SGOS software is run. When you upgrade from 5.x to 6.x, a new 6.x configuration is created, the 5.x version is saved, and the 5.x configuration is converted to 6.x configuration. If you then downgrade to 5.x and subsequently upgrade back to 6.x, the previously saved 6.x configuration is used. The 5.x configuration is saved but it is not converted to the 6.x configuration.

For example:

1. You upgrade from 5.5.6.x to 6.3.1, and the most recent 5.5.6.x configuration is preserved. The 5.5.6 configuration file is converted to 6.3.1.
2. You downgrade to 5.5.6.x again, and the current 6.3.1 configuration is preserved. (The 5.5.6 and 6.3.1 configurations are both preserved; they do not overwrite one another.)
3. You then upgrade to 6.4.1, and the saved 6.3.1 configuration will be used. A 5.5.6 configuration file cannot be converted to 6.4.1.

Therefore, if you are running SGOS 5.x and a 6.x configuration is present, the 6.x configuration will be applied during upgrade (your 5.x configuration settings are not applied).

Specifying an SGOS 5.x Configuration File Before Upgrading


If you are upgrading to 6.x from 5.x and want to use the 5.x configuration instead of the 6.x configuration, you must run the restart upgrade keep-sgos5-config CLI command before upgrading. If you don't specify a configuration file to use, the restart upgrade command reboots the system to start running the 6.x image.

1. Using an SSH client, access the appliance CLI.
2. When prompted, enter your user name and password.
3. Enter the following command:
   SGOS# enable
4. Enter your enable password.
5. Specify that 5.x configuration settings should be kept after reboot:
   SGOS# restart upgrade keep-sgos5-config

The restart upgrade keep-sgos5-config command checks for SGOS 6.x settings on the ProxySG; if it doesn't find any, a warning message displays and the appliance exits the operation. If SGOS 6.x settings exist, the ProxySG displays a message that the 6.x configuration will be removed and that a restart will be initiated. After the system restarts, the 5.x configuration is used.
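
The selection rules from "How Configurations are Applied During Upgrade" and the effect of restart upgrade keep-sgos5-config, modeled as an added example (not Blue Coat code and not part of the original guide). The Appliance class, its method names and the setting strings are hypothetical, and starting from defaults when nothing can be converted is an assumption. It shows how a policy change made on 5.x is silently absent after a default upgrade back to 6.x.

```python
# Added example: toy model of the configuration-selection rules in this section.
# Not Blue Coat code; class, methods and setting strings are hypothetical.

class Appliance:
    def __init__(self, version, settings=()):
        self.version = version        # running release, e.g. (5, 5, 6)
        self.live = set(settings)     # settings in the running configuration
        self.saved = {}               # major version -> configuration preserved for it

    def restart_into(self, target):
        """Boot `target`; return a description of the configuration applied."""
        # Every upgrade or downgrade preserves the most recent configuration.
        self.saved[self.version[0]] = set(self.live)
        major = target[0]
        if major in self.saved:
            # A configuration for the target major release already exists:
            # it is used, and nothing from the release being left is converted.
            self.live = set(self.saved[major])
            source = "saved %d.x configuration" % major
        else:
            older = [m for m in self.saved if m < major]
            if older:
                # The upgrade handler converts the newest older configuration,
                # e.g. a saved 5.x one even when upgrading from 4.x.
                src = max(older)
                self.live = set(self.saved[src])
                source = "converted from %d.x" % src
            else:
                # Assumption: with nothing to convert, start from defaults.
                self.live = set()
                source = "defaults"
        self.version = target
        return source

    def restart_upgrade_keep_sgos5_config(self, target):
        """Model of `restart upgrade keep-sgos5-config`, run while on 5.x."""
        if 6 not in self.saved:
            return "warning: no 6.x settings found, operation aborted"
        del self.saved[6]             # the old 6.x configuration is removed
        return self.restart_into(target)


def settings_lost_by_upgrade(keep_5x_config):
    """Replay the guide's 5.5.6 -> 6.3.1 -> 5.5.6 -> 6.4.1 sequence.

    Returns the settings present on 5.x just before the final upgrade that
    are missing afterwards. Setting strings are constructed sample values.
    """
    sg = Appliance((5, 5, 6), {"policy: baseline"})
    sg.restart_into((6, 3, 1))        # first upgrade: 5.x converted to 6.x
    sg.restart_into((5, 5, 6))        # downgrade: 6.3.1 configuration preserved
    sg.live.add("policy: deny new-threat-category")   # change made on 5.x
    before = set(sg.live)
    if keep_5x_config:
        sg.restart_upgrade_keep_sgos5_config((6, 4, 1))
    else:
        sg.restart_into((6, 4, 1))    # default: saved 6.x configuration wins
    return before - sg.live


if __name__ == "__main__":
    print("lost by default upgrade:", settings_lost_by_upgrade(False))
    print("lost with keep-sgos5-config:", settings_lost_by_upgrade(True))
```

Comparing the archived 5.x configuration from Step 3 against the running configuration after the upgrade is the practical check for the same condition on a real appliance.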

Restoring an SGOS 5.4.x Configuration File


When upgrading from 5.4.x to 6.x, to restore your 5.4.x configuration settings and convert them for use on 6.x versions, you must run the restore-sgos5-config CLI command after upgrading.

1. Using an SSH client, access the appliance CLI.
2. When prompted, enter your user name and password.
3. Enter the following command:
   SGOS# enable
4. Enter your enable password.
5. Convert the 5.4.x configuration settings:
   SGOS# restore-sgos5-config

The restore-sgos5-config command checks for saved SGOS 5.4.x settings on the ProxySG; if it doesn't find any, a warning message displays and the appliance exits the operation. If saved SGOS 5.4.x settings exist, the ProxySG warns that all current SGOS 6.x settings will be lost and that a restart will be initiated. The restart triggers the upgrade handler, which copies the SGOS 5.4.x settings and converts them to the SGOS 6.x settings.

Restoring an SGOS 5.5.4.x Configuration File


If you had downgraded from 6.x to 5.5.4.x, and are now upgrading back to 6.x, you need to decide before upgrading which configuration file you want the ProxySG to use after the upgrade.

- To use the original 6.x configuration file after upgrading to SGOS 6.x, you don't need to do anything; this is the default. However, be aware that any configuration changes you performed in SGOS 5.5.x will not be in effect after the upgrade to 6.x.
- To use the 5.5.4.x configuration settings after upgrading to SGOS 6.x, you need to issue the following CLI command before you upgrade: remove-sgos6-config. This command deletes the old 6.x configuration file and will upgrade the configuration settings to 6.x based on the current 5.5.4.x configuration.

Step 5: Download the SGOS 6.x License (Pre-software Installation)


By default, automatic license check is enabled, which means that the ProxySG automatically checks for license updates upon reboot or once daily for a month before the currently installed license expires. If all four of the following conditions are met, the ProxySG retrieves and installs the SGOS 6.x license:

- The ProxySG appliance running the previous version also supports SGOS 6.x (see "Determine Hardware Support" on page 6).
- Your enterprise has a valid entitlement/service contract from Blue Coat.
- Use Auto-Update is enabled. (The Use Auto-Update option is selected on the Maintenance > Licensing > Install tab; a current, valid license is required to configure the option.)
- The ProxySG can connect to the Internet.

If the first two conditions are met, but the Use Auto-Update option is not enabled or the ProxySG cannot connect to the Internet, click the Update button to install the license.

Note: The Maintenance > Licensing > View tab > Licensed Components area does not contain the new SGOS 6.x license and does not display the line until the SGOS 6.x software is installed.

IMPORTANT: If you have already downloaded and installed SGOS 6.3, you cannot use the Retrieve or Update buttons to generate a new license at this point in the process. Manual licensing is described in the step following the software installation step, or you can downgrade to the previous release and retrieve the license as described above.

Step 6: Upgrade the BCAAA Service


If you use the BCAAA service, read this section. Every SGOS release is compatible only with a specific BCAAA version. SGOS 6.3 requires BCAAA version 130. Before installing SGOS, always ensure you are running the compatible BCAAA version for that release. You must install the compatible BCAAA service before upgrading or downgrading SGOS.

Note: BCAAA 130 for SGOS 6.x contains a security vulnerability fix, so be sure to upgrade BCAAA even if you are already running version 130. You can get the most up-to-date version of BCAAA 130 from (located on the 6.3.x BlueTouch Online download page).

WARNING: If you do not install the compatible BCAAA version before upgrading or downgrading, authentication will fail and you may not be able to reach any internal or external servers to download a compatible version. Do not delete any existing BCAAA installations, as this will cause authentication failure for any appliances running SGOS versions that require that version.

BCAAA Service Compatibility


To ensure compatibility between the supported BCAAA version and SGOS version installed on the ProxySG, refer to the following table.
SGOS Version                                        Supported BCAAA Version
--------------------------------------------------  -----------------------
SGOS 4.2.1                                          100
SGOS 4.2.2                                          110
SGOS 4.2.3, SGOS 4.2.4                              120
SGOS 4.3.x                                          120
SGOS 5.1.1.x, SGOS 5.1.2, SGOS 5.1.3, SGOS 5.1.4    110
SGOS 5.2.1, 5.2.2, 5.2.3                            120
SGOS 5.3.x                                          120
SGOS 5.4.x                                          130 (see note)
SGOS 5.5.x                                          130
SGOS 6.1.x                                          130
SGOS 6.2.x                                          130
SGOS 6.3.x                                          130

Note for SGOS 5.4.x: SGOS 5.4.x includes a new release of BCAAA 130 which adds support for Windows Server 2008. The initial version of BCAAA 130 (which shipped with SGOS 5.4.1.x) does not support Windows Server 2008.

Download and Install the BCAAA Service


Perform one of the following:

- If the ProxySG already has BCAAA 130, go to "Direct BCAAA Upgrade to Version 130" to obtain the latest version.
- If the ProxySG is running BCAAA version 120 or previous, go to "BCAAA Installation: Indirect Upgrade or Downgrade".

Direct BCAAA Upgrade to Version 130


Complete the following steps.

1. Navigate to the following location to get the latest version of BCAAA 130: http://appliance.bluecoat.com/sgos/bcaaa/v130/bcaaa_windows32.zip
2. When prompted, save the bcaaa_windows32.zip file to the server where you plan to install BCAAA (or save it to a location that is accessible by that server).
3. Follow the installation instructions described in "Download and install the BCAAA Service:".
4. Install SGOS.

BCAAA Installation: Indirect Upgrade or Downgrade


Complete the following steps.

1. Determine the BCAAA version running on the authentication server:
   a. Go to the folder where the bcaaa-1xx.exe resides. For example:
      C:\Program Files\Blue Coat Systems\BCAAA
   b. Right click the bcaaa-1xx.exe file, select Properties, and click the Version tab. (In Windows 2008: the Properties and Details tab.)
2. Identify the required BCAAA services.
   a. Identify all BCAAA versions required for your upgrade or downgrade. Examine your upgrade or downgrade path ("Step 1: Determine Your SGOS Upgrade/Downgrade Path") and record the BCAAA versions required for all interim releases.
3. Access the BCAAA download page.
   a. Navigate to the following page: https://bto.bluecoat.com/download/ProxySG
   b. Enter your BlueTouch Online username and password.
   c. Select the SGOS version to which you are migrating next.
4. Download and install the BCAAA Service:
   a. Click the BCAAA link for the SGOS release you want to install.
   b. Review the download agreement.
   c. To accept and continue, click I agree and wish to download this software.
   d. Click Download Now and save the file.
   e. Locate the saved BCAAA zip file.
   f. Extract the files.
   g. Double click the BCAAA .exe file. The BCAAA installation wizard displays.
   h. Follow the steps in the installation wizard.
5. Install SGOS, as described in "Step 7: Install the SGOS Software Release".
6. Repeat steps 1-5 until you reach SGOS 5.4.6.1 or SGOS 4.3.3.1.

The BCAAA upgrade/downgrade process does not disable the BCAAA version required for the current SGOS release. For example, if you are running SGOS 6.1 with BCAAA version 130 and then install BCAAA version 120 so that you can downgrade to SGOS 4.2.10.1, SGOS 6.1.x continues to use BCAAA version 130 until you have downgraded. This BCAAA installation process leaves behind the bcaaa.ini and bcaaa-nn.exe files for the version currently running.

Comprehensive installation instructions for BCAAA are located in the BCAAA chapter of the Blue Coat Systems SGOS 6.3 Administration Guide (https://bto.bluecoat.com/doc/17321).

Return to "Upgrade to or Downgrade From this Release" or proceed to the next step.

Step 7: Install the SGOS Software Release


To install the SGOS software release, you must obtain the image, and then install it on your appliance.

Important: If you use BCAAA, download and install the compatible BCAAA version before installing SGOS.

Prerequisite: Components in Trial Mode


Read the following and proceed accordingly:

- If the ProxySG automatically downloaded an SGOS 6.x license or you retrieved one by clicking Update (both described in "Step 5: Download the SGOS 6.x License (Pre-software Installation)" on page 9), you can proceed to "To obtain the release image and upgrade SGOS:" on page 14. After upgrading to SGOS 6.3, the ProxySG will continue to intercept traffic as configured.
- If you elected to perform manual license installation post-upgrade or you want the ProxySG to run in trial mode (all features are available for evaluation purposes), navigate to the Maintenance > Licensing > View tab; in the Licensed Components area, select Trial Components are Enabled.

To obtain the release image and upgrade SGOS:

1. Obtain the release image.
   a. Navigate to https://bto.bluecoat.com/download/ProxySG.
   b. Enter your BlueTouch Online username and password.
   c. Locate the release you are upgrading to.
   d. Click Please Read to review the release notes.
   e. Click the link for your ProxySG model.
   f. Review the download agreement.
   g. To accept and continue, click I agree and wish to download this software.
   h. Copy the URL provided under the Direct Download Link. The download URL is good for only 24 hours.
2. Install SGOS.
   a. Access the appliance Management Console:
      https://ProxySG_IP:8082/mgmt
   b. Enter your login credentials.
   c. Select the Maintenance > Upgrade > Upgrade tab.
   d. Paste the image URL (copied in step 1h above) into the Download new system software from this URL field.
   e. Click Apply.
   f. Click Download.
   g. When the image has downloaded, click Restart. The ProxySG reboots. This might take several minutes. When the appliance completes the reboot, the ProxySG logs you out.

Perform these steps to verify the installation:

1. Log in to the ProxySG.
2. Click the Home link (upper-right corner) and verify that the appliance is running the correct SGOS release (blue header bar near the top).

If the ProxySG is not running the correct release, perform the following steps:

1. Select Maintenance > Upgrade > Systems.
2. Identify the correct system release and select Default.
3. Click Apply.
4. Select the Upgrade tab and click Restart.
5. Return to "Upgrade to or Downgrade From this Release" or proceed to the next step.

Step 8: Manually Upgrade The License (Not Required if Step 5 Was Completed)
If you completed "Step 5: Download the SGOS 6.x License (Pre-software Installation)" on page 9, skip to "Step 9: Verify the Valid License" on page 16. If you upgraded the SGOS software to version 6.3 before installing the SGOS 6.x license, the ProxySG runs in Trial Mode and you must manually update and install the new license.
To upgrade the license:

1. In the Management Console, select the Maintenance > Licensing > Install tab.
2. In the License Administration area, click Register/Manage. In a new tab, the Blue Coat License Configuration and Management System page displays.
3. Enter your BlueTouch Online (BTO) credentials and enter the site.
   a. In the Currently Registered Appliances list, click the serial number link for the appropriate ProxySG. A menu displays.
   b. Click Manage Software Serial Numbers. Your self-service license page displays.
   c. In the Cust Info area (upper-right corner), click Update License Key. The system might take up to several minutes to complete the license key update and returns you to the self-service page when complete.
4. Return to the Management Console Maintenance > Licensing > Install tab and click Update.

No Internet Connection
If you cannot directly access the Internet, contact Blue Coat Support Services for assistance. You are asked to provide the hardware serial numbers of the appliances to be upgraded and account details, such as contact name, e-mail address, and BlueTouch Online account name. If you do not have a BlueTouch Online account or if you have lost the password, contact Blue Coat Customer Care. Return to "Upgrade to or Downgrade From this Release" or proceed to the next step.

Step 9: Verify the Valid License


Select the Maintenance > Licensing > View tab; the Licensed Components area displays the SGOS 6.x license information. If you click View Details, the Component Name line confirms the SGOS 6 license.

Note: Because you upgraded from a previous version, the Product Description field displays the version that was shipped on the ProxySG hardware platform. This is correct information. If you received a new appliance that shipped with SGOS 6.x installed, the Product Description field displays SGOS 6.x information.

Return to "Upgrade to or Downgrade From this Release" or proceed to the next step.

Step 10: Clear the Browser Cache


After you install the image on the ProxySG, Blue Coat recommends clearing your Web browser cache. Clearing the browser cache triggers a reload of the Java Archive (JAR) files. This reloading prevents Java exception errors on the Web browser when you access the ProxySG Management Console.
To reload the JAR files:

1. Close all Web browser windows.
2. Clear your Web browser cache. The instructions for clearing the cache vary by browser.
   - For Internet Explorer 7, go to Tools > Internet Options > Delete. Click Delete Files.
   - For Firefox 3, go to Tools > Clear Private Data > Clear Private Data Now. Ensure that Cache and Offline Website Data are selected.
3. Clear the Java cache on your desktop. To clear the Java cache:
   a. Go to Start > Control Panel.
   b. Double click Java. This launches the Java Control Panel window.
   c. In the General tab, click Settings under Temporary Internet Files.
   d. Click Delete Files...
   e. Launch the ProxySG Management Console.
