ISG 2.

x Administration and Deployment Guide

 ISG 2.x Administration and Deployment Guide

Table of Contents
About Integrated Secure Gateway..................................................................................................... 3
About Licensing ISG Applications................................................................................................................................. 3
About Application Serial Numbers and License IDs....................................................................................................3
About Network Interfaces for Applications and Appliances....................................................................................... 4
First Steps.............................................................................................................................................5
Manage Applications........................................................................................................................... 7
Manage Images...................................................................................................................................10
Manage Licenses................................................................................................................................11
Upgrade Instructions......................................................................................................................... 12
Platform and Performance Reference............................................................................................. 13

2
 ISG 2.x Administration and Deployment Guide

About Integrated Secure Gateway

The Integrated Secure Gateway (ISG) is the software on the Symantec Security Platform (SSP) appliance used to
deploy applications.
Use the ISG command line interface (CLI) to perform the following tasks:
• Connect the SSP appliance to your network
• Connect to the ISG serial console
• Create and run one or more applications
• License applications
The SSP is not a licensed product and only the applications it runs require licenses. For information on licensing, see
About Licensing ISG Applications.

About Licensing ISG Applications

Licensing for applications on SSP is managed by ISG (the host) rather than the application itself.
Licenses for applications are managed solely via the ISG command line interface (CLI). License management from within
the application (such as the ProxySG CLI) is disabled.
IMPORTANT
If you make changes to the license, you must restart the application for the changes to take effect.
Only Secure Web Gateway (SWG)-Edition and Advanced Reverse Proxy (ARP) licenses are available for ProxySG
applications. As Proxy-Edition licenses are not available, ProxySG applications running on ISG cannot be used in
Application Delivery Network (ADN) deployments.
There are two sub-types of licenses:
• Enterprise: A single license ID that can be used for multiple ProxySG applications, appliances, and virtual
appliances. For example, you could simultaneously use the same license ID for a ProxySG application on ISG and a
ProxySG VA running on AWS. Each ProxySG instance or appliance using the license can be a different size. Purchase
this license by the number of cores that you will use across all instances and appliances.
• Node-locked: A single license ID that can be used for single fixed ProxySG applications running on a single ISG.
This license dictates the size, model, and number of ProxySG applications you can have running simultaneously. All
applications must be the same model, such as you could purchase a license for two C2S models, but not one C2S and
one C2M. This type of license is perpetual as opposed to a subscription.

About Application Serial Numbers and License IDs

Serial numbers are a unique value that identify your appliance. License IDs are the same value as the serial number and
are used to identify the license file.
You can view the serial number or license ID by using the ISG CLI command:
> show version

NOTE
If you purchased an Enterprise license and are installing the license, use the license ID associated with the
license. Enterprise licenses arrive separately from your appliance. For Node-locked licenses, the license IDs
are automatically associated with the appliance, meaning you can use the show version command to view
Node-locked license IDs before installing your license. For information on license types, see About Licensing
ISG Applications.

3
 ISG 2.x Administration and Deployment Guide

About Network Interfaces for Applications and Appliances

The virtual network interface for applications running on ISG is mapped 1-to-1 with the physical network interface of the
SSP appliance; for example, if the interface for the application is defined as 0:0, then that interface is mapped to the 0:0
physical interface.

4
 ISG 2.x Administration and Deployment Guide

First Steps
Perform the initial configuration steps.

Set Up the Console

Before you set up and configure the appliance, ensure you have performed all steps in the Symantec Security Platform
Quick Start Guide.
1. Use SSH to connect to the ISG console and when prompted, enter 2 .
Welcome to the Symantec S410 Series Appliance Serial Console
Version: ISG 2.1, Release id: 254280
-------------------------- MENU ---------------------------
1) Command Line Interface
2) Setup console
-----------------------------------------------------------
Enter option: 2
2. Enter the number of the interface you want to configure the ISG IP address for and enter the required network
information when prompted.
Please enter the IP addresses for the S410 Appliance

The following interfaces are available for configuration:

1. 0:0
2. 2:0
3. 2:1
4. 2:2
5. 2:3

Enter interface number to configure 1

IP address: ip_address
IP subnet mask: subnet_mask
IP gateway: ip_gateway
DNS server: dns_server_ip_address

Would you like to change any of them? Y/N N

3. When prompted, enter the password you want to use for accessing the ISG console and enter the password again to
confirm it.
4. When prompted, enter the password you want to use for accessing enable mode in the ISG CLI and enter the
password again to confirm it.
5. (Optional) Enter Y to secure the serial port and create a setup password. If you don't want to secure the serial port,
enter N. For more information, see "Securing the Serial Port" in the SGOS Administration Guide.
6. Verify the appliance has been successfully configured by connecting to the appliance's CLI via SSH. The following
uses an example value for the IP address:
The S410 Appliance has been successfully configured.

You can connect to the command line interface or the Web interface to perform additional management
tasks.

5
 ISG 2.x Administration and Deployment Guide

To connect to the command line interface, open the following location from your SSH appliance: 192.0.2.0

To connect to the Web management interface, go to the following location with your web browser:
https://192.0.2.0:8082/

Install the Application License

Before installing your license, ensure you have your license ID available. For information on locating your license ID, see
About Application Serial Numbers and License IDs.
1. Connect to the ISG via SSH.
2. To access the CLI, enter 1.
3. Enter enable mode:
enable
Password:
#
4. Type the command:
# licensing load id license_id username username password password
If the license loaded successfully, the CLI displays the message License update was successful for
license id license_id .

Install an Application Image

Before you create and start an application, load the application image onto the ISG. ISG is the platform on which
an application runs.
1. From the appliance serial console, enter configuration mode
# config
2. Load the application image:

(config)# images
(config-images)# load application_location_URL

Create a ProxySG Application

To run the ProxySG application you must first create it.
1. From the ISG CLI, in configuration mode, create the ProxySG application:
(config)# applications
(config-applications)# create sg sg_name model model_name license-id license_id image-id image_id
ok
For information on the different license types available for your appliance, see Platform and Performance Reference.
2. Start your application:
(config-applications)# start application_name
ok

6
 ISG 2.x Administration and Deployment Guide

Manage Applications
View application information, attach the serial console to running applications, and edit existing applications.

Create Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Create the application:
(config)# applications
(config-applications)# create sg sg_name model model_name license-id license_id image-id image_id
ok
For information on the different license types available for your appliance, see Platform and Performance Reference.

Edit Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Stop the application that you want to edit:
(config-applications)# stop application_name
NOTE
To edit an existing application, your application must be in a Created or Stopped state.
4. Edit the application:
(config-applications)# edit application_name model_type | image-id image_id

The following example shows how to view the application configuration, stop the application, and change the model from a
C2L to a C2S:
(config-applications) view SG1

NAME TYPE VCPU MEMORY MODEL STATUS LICENSE ID IMAGE ID

-------------------------------------------------------------------------
SG1 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532

(config-applications)# stop SG1

ok
(config-applications)# edit SG1 model C2S
ok

Start and Stop Applications

1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Do one of the following:
– Start an application:
(config-applications)# start application_name
– Stop an application:
(config-applications)# stop application_name

7
 ISG 2.x Administration and Deployment Guide

Remove Applications
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Remove the application:
(config-applications)# delete application_name

View Application Information

To view application information, such as license IDs, image IDs, and other properties that are associated with your
applications, use the applications view command (in either enable or configuration mode). For example:
(config-applications)# view
NAME TYPE VCPU MEMORY MODEL STATUS LICENSE ID IMAGE ID
-------------------------------------------------------------------------
SG1 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532
SG2 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532
SG3 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532
(config-applications)# view SG1
NAME TYPE VCPU MEMORY MODEL STATUS LICENSE ID IMAGE ID
-------------------------------------------------------------------------
SG1 SG 2 20 GB C2L Running 000090007 sg-6.7.5.6-252532

Connect to the Application Serial Console

From an application serial console, you can access the application's command line to perform tasks, such as initial
configuration.
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Access the application's serial console:
(config-applications)# attach-console application_name
The following is an example output of the command:
(config-applications)# attach-console SG1
Connected to domain sgos
Escape character is ^]
System starting up...

In MP mode; two processors active

Executing image: Version: SGOS 6.7.5.3, Release id: 249936 64-bit, gdb, optimized
Manufacturing MBR on directory-3 - Slot 3 (KVM VirtIO Disk N/A N/A)
This is a new system.

Press "enter" three times to activate the serial console

******************* CONFIGURATION ALERT *******************

System entering configuration wizard for the following reasons:
- Cannot find a network adapter configured with an IP address and subnet.
- The console password or 'enable' password is not set.
******************* CONFIGURATION ALERT *******************

--------------- CONFIGURATION START ------------------

Welcome to the Blue Coat SG-VA Series configuration wizard.

8
 ISG 2.x Administration and Deployment Guide

This appliance's serial number: 0000990007

---------------------------------------------------------------------
You can get field help by entering a question mark ? in the fields.
You can move backwards through the steps by pressing the UP arrow.
You can exit the wizard without saving your entries by pressing ESC.
---------------------------------------------------------------------
Step 1: How do you plan to configure this appliance?
a) Through a manual setup
b) Through a Director-managed setup
Your choice: []

9
 ISG 2.x Administration and Deployment Guide

Manage Images

Install Images
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Install the image:
(config-images)# load image_url

View Image Information

1. Connect to the ISG via SSH.
2. Access the CLI and enter either enable or configuration mode.
3. Do one of the following:
– View all downloaded images:
(config-images)# view
– View a specific image:
(config-images)# view image_id
– View all ProxySG images:
(config-images)# view sg

Remove Images
1. Connect to the ISG via SSH.
2. Access the CLI and enter configuration mode.
3. Remove the image:
(config-images)# delete image_id

10
 ISG 2.x Administration and Deployment Guide

Manage Licenses
Perform administrative tasks for your application licenses.

Install Licenses
Before installing your license, ensure you have your license ID available. For information on locating your license ID, see
About Application Serial Numbers and License IDs.
1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Install the license:
# licensing load id license_id username username password password
If the license loaded successfully, the CLI displays the message License update was successful for
license id license_id .

Remove Licenses from ISG

1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Remove the license:
# licensing delete id license_id

View Installed Licenses

1. Connect to the ISG via SSH.
2. Access the CLI and enter enable mode.
3. Do one of the following:
– View all licenses:
# licensing view
– View a specific license:
# licensing view [id license_id]
– View the node-locked license:
# licensing view-node-locked

11
 ISG 2.x Administration and Deployment Guide

Upgrade Instructions
Perform the following steps to upgrade the ISG via the ISG command line.
IMPORTANT
Downgrading to ISG 1.67.5.3 is not supported.
1. Stop all existing applications by running the following command for each application:
(config-applications)# stop application_name

2. Load the ISG image that you want to upgrade to:

# installed-systems load image_location_URL

3. Restart the ISG:

# restart

4. (Only if upgrading from ISG 1.67.5.3) Previously existing applications are put into the Created state and do not have
an associated default image. To associate a default image with the applications, do the following:
a) Load an application image onto the ISG:
(config-images)# load application_location_URL
b) Retrieve and record the image ID:
(config-images)# view Image ID Type Version Release ID In Use sg-6.7.5.3-250069 SG
6.7.5.3 250069 0
c) Assign the image ID to each of the existing applications:
(config-applications)# edit application_name image-id image_ID

5. Start each application and verify that each starts properly and contains all previously existing data.
6. (Only if upgrading from ISG 1.67.5.3) Delete the previous ISG 1.67.5.3 image:
a) Locate the ISG 1.67.5.3 image:
# installed-systems view
1. Version : 2.2.1.1, Release ID : 253965, Locked : false, Booted : true
BuildType : CreationTime : 2020-08-17T13:38:42+0000, BootTime : 2020-08-26T02:00:03.348+0000
DisplayName : ISG 2.2.1.1, Release ID: 253965
2. Version : 1.67.5.3, Release ID : 251920, Locked : false, Booted : true
BuildType : CreationTime : 2020-06-16T13:03:11+0000, BootTime : 2020-08-25T22:53:20.352+0000
DisplayName : ISG 1.67.5.3, Release ID: 251920
Default system to run on next hardware restart: 1
Current running system: 1
System to replace next: None
b) Delete the ISG 1.67.5.3 image (in this example, the image is labeled 2):
# installed-systems delete 2

12
 ISG 2.x Administration and Deployment Guide

Platform and Performance Reference

Table 1: Total Physical Resources for the Appliance and Virtual Resources Available for Applications

The following table lists the total resources available on the SSP appliance model and the resources from that total that
are available for virtual applications.
Resources Available for Applications Total Resources on the SSP Platform

SSP Model vCPUs RAM (GB) Disk vCPUs RAM (GB) Disk

S410-10 16 32 400 GB 20 48 2x480 GB

S410-20 32 80 800 GB 40 96 2x960 GB
S410-30 48 160 800 GB 64 192 2x960 GB
S410-40 64 320 1.6 TB 80 384 2x1.9 TB

Table 2: ProxySG Models and Fit Per Appliance Model

The following table lists the resources required for each ProxySG model and the number of instances of that ProxySG
model that can fit on the various SSP appliance models.
Number of Model Instances
Resource Requirements Per ProxySG Model
Supported Per SSP Appliance
ProxySG Connection
vCPU RAM (GB) Disk (GB) S410-10 S410-20 S410-30 S410-40
Model Count
C2S 2 12 1x200 15,000 2 4 4 8
C2M 2 16 1x200 20,000 2 4 4 8
C2L 2 20 1x200 25,000 1 4 4 8
C4S 4 20 1x200 25,000 1 4 4 8
C4M 4 24 1x200 37,500 1 3 4 8
C4L 4 32 1x200 50,000 1 2 4 8
C8S 8 32 2x200 50,000 1 2 2 4
C8M 8 64 2x200 87,500 0 1 2 4
C8L 8 80 2x200 125,000 0 1 2 4
C16XS 16 32 2x200 50,000 1 2 2 4
C16S 16 80 2x200 125,000 0 1 2 4
C16M 16 128 4x200 200,000 0 0 1 2
C16L 16 160 4x200 250,000 0 0 1 2
C24S 24 80 2x200 125,000 0 1 2 2
C24M 24 160 4x200 250,000 0 0 1 2
C24L 24 256 8x200 375,000 0 0 0 1

13
 ISG 2.x Administration and Deployment Guide

Table 3: Max Performance Deployment

The following table lists the recommended configurations for maximum performance per SSP appliance model.
Total
SSP Model ProxySG Model Instance Count Total vCPU Total RAM (GB) Total Disk (GB)
Connections
S410-10 C16XS 1 16 32 400 50,000
S410-20 C16XS 2 32 64 800 100,000
S410-30 C24S 2 48 160 800 250,000
S410-40 C16S 4 64 320 1,600 500,000

14