ProxySG & Advanced Secure Gateway

 View Only
  • 1.  Upgrading proxysg from 6.7.x to 7.3.x with external CAS

    Posted Sep 28, 2023 09:03 AM

    We have 2 proxy appliances running SGOS and are migrating to 2 virtual proxies running SGOS We also have 2 CAS units that the existing proxies send Content Analysis streams to. In order to migrate the existing appliance configs/polices to the new units we are planning to upgrade the appliances to BEFORE we migrate the config/policies as we have been told this is the best approach (please correct me if I am wrong).

    The 7.3.x admin guide says:

    In previous versions of SGOS, you could configure the appliance to work in conjunction with an external content scanning service-either Symantec Content Analysis or another ICAP service-to implement a built-in Malware Scanning policy. Starting with SGOS 7.x, that functionality is replaced by the Content Security Policy.

    What will happen to our CAS config? According to the docs the new Content and Access policy layers are disabled by default and you need to use the VPM to enable. We don't use the VPM (prefer the legacy java console). 

    I have read the upgrade/downgrade and release notes for 7.3 and did not see any other 'gotchas'. Is there anything else we should be conscious of prior to and after the upgrade? We usually push policy via the Legacy java console after a SGOS upgrade. If the NEW Access and Content Security policy layers are disabled by default should we not expect to see any errors?

    Lastly, is rollback fairly straight forward? ie: tell the Proxy to use the old OS and reboot? Or is there something done to the old policy where the previous version won't recognize it?

  • 2.  RE: Upgrading proxysg from 6.7.x to 7.3.x with external CAS

    Posted Sep 29, 2023 02:25 AM

    Hi, based on my own experience:

    1. Existing CAS Policy on ProxySG will not migrated to new ProxySG. So You should enable it after upgrade.
    2. VPM is a must. Java console is deprected in 7.3 and in 7.4 will be disabled.
    3. If you upgrade your Proxy to 7.3 configuration will be converted to 7.3 version. If you downgrade to 6.7 config will not work as should - you should have a copy of 6.7 config and apply it after downgrade.