Moving your AppGate (classic) Server configuration to a new appliance
This checklist covers moving an AppGate Security Server configuration from an old appliance to a new one. It has three parts: (1) gather all files and information on the old appliance, (2) prepare the new appliance and restore the files onto it, and (3) work out a strategy for testing, deploying the new appliance and rolling out the clients. The strategy always depends on how much downtime you can afford.
Moving to a new appliance often also means moving to a newer version of AppGate (classic) at the same time. Configuration can be moved from AGSS version 9 upwards. The AGSS supports older AppGate clients, which makes the transition easier: the server can go live first and the clients can be rolled out to the current version afterwards. Upgrading the clients to the current version is recommended.
Note that remote SP/iDRAC access alone will not be enough, since the interfaces (patching) and console connectivity need to be tested physically on the new appliance.
- On current appliance
- From the AppGate console, capture the network configuration tabs as screenshots into a document. This is most useful for troubleshooting or testing while the old appliance and its configuration are not accessible during the migration.
- Label the patch cables, and create a table showing which label connects to which NIC port and the corresponding interface name.
- Check crontab for any entries that need to be moved, and bring along the scripts they call.
- Check if there are any ip filter rules and NAT setups:
- Check if ipf_raw_early is used:
ag_cfggetset -g netcfg.ipf_raw_early. If it is, make sure you bring along the script that creates the entries (if one exists), and dump the currently loaded ip filter rules for comparison later:
ipfstat -in > /tmp/ipf_in_old and
ipfstat -on > /tmp/ipf_on_old. Copy them to your local computer.
- Check if there is NAT configured in the file /etc/ipf/nat.conf, and bring along the file manually; it is not part of the backup.
- Cryptzone OTP:
- If Cryptzone OTP is used, back up the database directory:
tar -pcvf otp.tar /var/opt/appgate/hotp. Transfer it to your computer with the file transfer.
- Check the OTP settings (the number of look-aheads) so that the counter window covers the time between backup and restore; otherwise users whose tokens have moved on in the meantime might not be able to log in after the migration.
- Nordic Edge / McAfee:
- If you have Nordic Edge installed, transfer the files licenses/* and *.properties.
- Verify the installed version. You may need to upgrade if the current NE version is newer than your installation.
- Configure the backup list and distribution list, and check if there are any files or directories that need to be moved manually:
- Are there any files or directories "added manually" to the server which are not covered by the backup/restore functionality? To see what is in the backup, run
ag_cfggetset -g ag_backup.filelist and ag_cfggetset -g ag_distd.distributions. Add any that are missing.
- Check if there is a server script with
ag_cfggetset -g agsh.client_attributes_script, and make sure it is part of the backup list.
- Local modifications such as scripts are recommended to be kept under the directory /var/opt/appgate/local; make sure that directory is in the backup list.
- If you have modifications that are not located in that directory, move them to that location on the new system; otherwise you will lose the content when upgrading in the future.
- If you have webstart customizations: make sure they are made in the directory /var/opt/appgate/webroot.local, or put them there on the new appliance. This directory is not overwritten during an upgrade, so the customizations are preserved.
- If no local admin account with password-only authentication exists, create a temporary local admin account with the full admin role. This can be a life saver when you cannot log in because of problems with the account source or with authentication methods other than password on the new appliance.
- Make sure you have the root password for the AppGate Security Server.
- Make sure you have all the needed directory service access, e.g. LDAP/AD bind user/password, and client access in case of problems.
- Make sure the new appliance will be accepted as a client by any servers such as RADIUS/Kerberos/SecurID (for example, its address registered as a RADIUS client). Check with their administrators beforehand.
- Create a backup and save it on disk.
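The gathering steps above can be run as one script on the old appliance. The following is an added example written for this page, not AppGate's own tooling. It assumes that the commands named on the checklist (ag_cfggetset, ipfstat, crontab, ifconfig, tar) are available on the PATH as root, that the paths quoted above are the defaults, and that the bundle directory /tmp/migration is an arbitrary choice; the OTP look-ahead check and the backup/distribution list additions still have to be done by hand.

```shell
#!/bin/sh
# Added example (not AppGate's own tooling): gather the "on current appliance"
# items from the checklist into one directory, ready for the console file transfer.
# Assumptions: ag_cfggetset, ipfstat, crontab, ifconfig and tar are on PATH as root
# on the old appliance; the path variables can be overridden for a dry run.

# record_setting KEY DEST: save the value of one configuration key as DEST/KEY.txt
record_setting() {
    if ! ag_cfggetset -g "$1" > "$2/$1.txt" 2>&1; then
        echo "(lookup failed or key not set)" >> "$2/$1.txt"
    fi
}

# collect_migration_bundle DEST: returns 0 when the bundle was written
collect_migration_bundle() {
    dest=$1
    hotp_dir=${HOTP_DIR:-/var/opt/appgate/hotp}
    nat_conf=${NAT_CONF:-/etc/ipf/nat.conf}
    appgate_conf=${APPGATE_CONF:-/var/opt/appgate/conf/appgate.conf}

    mkdir -p "$dest" || return 1

    # Settings the checklist asks about: raw ipf rules, backup and distribution
    # lists, and the client attributes script.
    for key in netcfg.ipf_raw_early ag_backup.filelist ag_distd.distributions \
               agsh.client_attributes_script; do
        record_setting "$key" "$dest"
    done

    # Loaded ip filter rules, kept for a diff against the new appliance.
    ipfstat -in > "$dest/ipf_in_old" 2>/dev/null || :
    ipfstat -on > "$dest/ipf_on_old" 2>/dev/null || :

    # NAT rules and the network configuration are not restored by the backup.
    [ -f "$nat_conf" ] && cp -p "$nat_conf" "$dest/nat.conf"
    [ -f "$appgate_conf" ] && cp -p "$appgate_conf" "$dest/appgate.conf"

    # Root crontab and OS interface names (for the patch cable table).
    crontab -l > "$dest/crontab_root" 2>/dev/null || :
    ifconfig -a > "$dest/ifconfig_a" 2>/dev/null || :

    # Cryptzone OTP counters, only when the feature is installed.
    if [ -d "$hotp_dir" ]; then
        tar -cf "$dest/otp.tar" "$hotp_dir" 2>/dev/null || return 1
    fi
    return 0
}

# Run as: sh gather.sh run /tmp/migration, then copy /tmp/migration off with the file transfer.
[ "${1:-}" = run ] && collect_migration_bundle "${2:-/tmp/migration}"
```

Every output file is written next to the others so that one directory can be transferred; nothing on the appliance is modified, and a missing NAT file or OTP directory is simply skipped rather than treated as an error.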
- On the new appliance
- Log in to the AppGate console and restore the backup file. In the case of a cluster backup, restore the node of your choice from the list when prompted. You can choose which network configurations to restore, since these are particular to a node; all other settings are identical across the nodes in a cluster.
- If you are using NAT:
- Copy the file /etc/ipf/nat.conf saved in the previous steps and make sure it uses the correct (new) interface names. Reload the rules if necessary with
- Check the network configuration in appgate.conf: if the old interfaces are named differently from the new ones, change the settings to map to the new names:
- Usually, when moving from one hardware model to another, the interface names change (for example from nge0 to bge0). Check the interface names provided by the operating system in the terminal with
ifconfig -a. Use nano on the file /var/opt/appgate/conf/appgate.conf to change/map the interface names with search and replace: ^\ (Ctrl+\). Use ag_netcfg to test the configuration. Write down which interface name belongs to which NIC port for the patching. Reboot the appliance and check the network configuration in the AppGate console.
- If interfaces do not come up (all NIC ports need to be patched), look at what
dladm show-phys tells you; if they are down you might run:
ifconfig -a plumb to plumb TCP/IP on all available interfaces.
- Adjust any scripts or features using the old interface names to the new interface names.
- Identify which interface maps to which physical NIC port. Add them to the table created in the previous step, and mark the NIC ports according to interface name.
- If ipf_raw_early was used, test the rules:
- Create a dump with
ipfstat -in > /tmp/ipf_in_new and
ipfstat -on > /tmp/ipf_on_new on the new appliance, matching the dumps taken earlier on the old one.
- Compare the new files with the old ones using diff. They should differ only in expected ways, such as the interface names; any missing or extra rule needs to be explained before the appliance goes live.
- Transfer the files which need manual moving.
- Cryptzone OTP: put the file otp.tar on the appliance with the file transfer and extract it so that the files end up in /var/opt/appgate/hotp. Check that OTP is working with a user login.
- Install Nordic Edge according to the guide here: upgrade or install NE.
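The interface-name mapping for appgate.conf and the ip filter comparison described in the steps above can be done with the same small tool, so that the diff only shows real rule differences and not the renamed interfaces. This is an added example written for this page, not AppGate code. It assumes the mapping is passed as comma-separated old=new pairs (the names nge0/bge0 are taken from the text, nge1/bge1 are made up), that awk and diff are available on the appliance, and that the rule lines in the usage note are constructed samples; it writes a remapped copy rather than editing in place and does not reload NAT or restart anything.

```shell
#!/bin/sh
# Added example (not AppGate's own tooling): map old interface names to new ones in
# a copy of appgate.conf, and diff the old and new ipfstat dumps after the same
# mapping so that only real rule differences remain.
# Assumptions: the mapping is given as "old=new,old=new"; awk and diff are available.

# remap_ifaces MAP < input > output
# Replaces whole tokens only, so nge0 is rewritten but nge01 or mynge0 is left alone.
remap_ifaces() {
    awk -v map="$1" '
    BEGIN {
        n = split(map, pairs, ",")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            oldname[i] = kv[1]; newname[i] = kv[2]
        }
    }
    {
        rest = $0; out = ""
        # Walk token by token; tokens are runs of [A-Za-z0-9_], anything else is a boundary.
        while (match(rest, /[A-Za-z0-9_]+/)) {
            tok = substr(rest, RSTART, RLENGTH)
            for (i = 1; i <= n; i++) if (tok == oldname[i]) { tok = newname[i]; break }
            out = out substr(rest, 1, RSTART - 1) tok
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}

# remap_conf MAP SRC DST: write a rewritten copy of appgate.conf; SRC is never touched.
remap_conf() {
    [ -f "$2" ] || return 1
    remap_ifaces "$1" < "$2" > "$3"
}

# compare_ipf_dumps MAP OLD_DUMP NEW_DUMP
# Prints the differences that remain once the old dump is mapped to the new names;
# returns 0 when the rule sets match, 1 when they do not.
compare_ipf_dumps() {
    tmp=${TMPDIR:-/tmp}/ipf_mapped.$$
    remap_ifaces "$1" < "$2" > "$tmp"
    if diff "$tmp" "$3"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage on the new appliance, with the old dumps copied to /tmp beforehand
# (interface names and paths are examples):
#   remap_conf "nge0=bge0,nge1=bge1" /var/opt/appgate/conf/appgate.conf /tmp/appgate.conf.new
#   diff /var/opt/appgate/conf/appgate.conf /tmp/appgate.conf.new   # review before copying back
#   compare_ipf_dumps "nge0=bge0,nge1=bge1" /tmp/ipf_in_old /tmp/ipf_in_new
#   compare_ipf_dumps "nge0=bge0,nge1=bge1" /tmp/ipf_on_old /tmp/ipf_on_new
```

Whole-token matching matters here: a plain search and replace of nge0 would also hit a logical interface such as nge01 or a host name containing the string, while the tokenizer above leaves those alone and still rewrites nge0:1. A non-zero exit from compare_ipf_dumps means a rule is missing or extra on the new appliance, which is exactly what the checklist asks you to explain before going live.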
If you have questions or need assistance in migration please contact us at Cryptzone.