Overview
The following steps provided as over view for upgrading from existing production 8e6 R3000 filter appliance to new R3000 (ie. replacement).
Important Caveat and Assumptions
- R3000 Backup files are VERSION-specific. You should only restore R3000 backup file to same software version.
The migration procedure involved restoring CONFIG+LIBRARY backup file from OLD to NEW R3000 appliance.
The restoration of LIBRARY backup file to new R3000 deletes existing "core" library on appliance. This means new R3000 filter will be unable to enforce any web filter policy until Manual Full URL Update is 100% completed.
The Full URL Update may take upwards of TWO HOURS to complete.
The box can't enforce web filter policy until complete.
- If you have authentication enabled on 8e6 R3000, this includes the use of "virtual authentication IP address". This address does NOT respond to PING. The 8e6 R3000 virtual authentication IP is included in the R3000 backup CONFIG. When restored to new appliance, the authentication service on NEW appliance will attempt to use virtual IP. This will cause IP over-lap with current production 8e6 R3000 (ie. the old unit). Thus, after restore of CONFIG+LIBRARY file to new 8e6 R3000, the next immediate step is to disable the authentication service on new appliance. 8e6 R3000 GUI // System tab // Authentication // Authentication Enable_Disable ==> Disable.
Procedure
setup new
R3000 with same hostname as old R3000, but DIFFERENT IP address.
If you change hostname, please reboot appliance via GUI (a reboot is required to incorporate the new hostname for Operating System).
do not connect SNIFF interface on NEW R3000 --
typically LAN1. This is to avoid the old and new R3000 filters both filtering traffic simultaneously (could lead to expected results).
check R3000
software rev: R3000 GUI // home tab.
verify new
R30000 is running v2.1.x software:
If yes,
proceed
to R3000 GUI // system tab // backup_restore, if not -- let's talk.
upload the
'updated' backup file.
restore the
'update' backup file. (note: this will delete current library).
disable Authentication on NEW appliance //
system tab / authentication
initiate
manual
"Full URL update": // Library tab // Updates // Manual update. Note: this will likely take upwards of TWO hours.
verify no
download failures in // Libary tab // Updates // Library update log
verify //
system
tab // operational mode settings are same between boxes
verify //
Group
tab // range to detect settings are same between boxes
verify //
system
tab // alerts settings to insure new box has email alerts prefs.
verify //
Group
tab // Global Group // Rules to insure everything present on new
R3000-IR.
verify //
Group
tab // IP // IPgroups and check a few members to insure everything as
expected on new R3000
verify //
Group
Tab // LDAP // <domain object>. check that object doesn't say
"INACTIVE". check domain details and default rule, validate group
profiles are present as expected.
once URL
update
complete (watch the 'library update log'), execute a manual Software
Patch Update. This is same location under // Library tab.
verify patch
download progress under // System tab // Patches // Patch Update Log.
If not running
latest R3000 v2.1.10.5, you'll have some patches to apply under //
System tab / Patches / Local Patch. (applying patches is a slow
process -- BE VERY PATIENT -- software is being installed and services
restarted. Box may not be responsive for upwards of 1-2minutes. Be
sure to kill browser to point where Java cup disappears from taskbar
tray before reconnect to R3000. This should be done after EACH
patch apply). Note: pop-up blocker MUST allow pop-ups from IP of new
(and old) R3000.
Note: The Full URL Update may take upwards of TWO HOURS to complete.
The box can't enforce web filter policy until complete.
I put all this on paper to lay out all the steps - we can review
individual steps over phone.
