SGOS for AWS Marketplace Deployment Guide ProxySG on AWS Marketplace BYOL Deployment Guide Version 6.7.x Guide Revision: 10/7/2019


Symantec SGOS on AWS Deployment Guide 6.7.x

Legal Notice

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

www.symantec.com

10/7/2019


Table of Contents

About the ProxySG on AWS
    Important Details about the ProxySG on AWS

Step 1: Complete Prerequisite Tasks

Step 2: Deploy the Instance

Step 3: Verify the Instance

Step 4: Install the License

Step 5: (Optional) Configure Elastic Load Balancing
    Configure a Listener
    Configure Health Checks

Back Up and Restore an Instance of the ProxySG
    Create a Snapshot to Back Up Your ProxySG Instance
    Restore an Instance of the ProxySG from a Snapshot
    Create an AMI from a Snapshot of a ProxySG Instance
    Deploy the Newly Registered AMI

Troubleshoot the ProxySG on AWS
    General Troubleshooting Steps
    Troubleshoot Licensing Errors

Appendix A: Supported Configurations
    Supported Instance Types
    Storage and Network Settings

Appendix B: Metadata Reference
    AWS Metadata

Appendix C: Additional Steps for Generating User Data
    Generate User Data Files for Automatic Deployment of Instances
    Supply User Data File While Deploying the Instance
    About AWS User Data
    AWS User Data Security


About the ProxySG on AWS

This guide provides instructions for deploying a ProxySG virtual appliance (Secure Web Gateway edition, SGOS version 6.7.x) running in Amazon Web Services (AWS) Marketplace. A ProxySG on AWS permits the same features and functionality as the Secure Web Gateway Virtual Appliance (SWG VA).

This document guides you through the process of setting up a ProxySG on AWS. Deployment consists of the following steps:

| Deployment Step | Document Reference |
|---|---|
| Make sure you have the required resources and files to deploy a ProxySG on AWS. | "Step 1: Complete Prerequisite Tasks" on page 5 |
| Launch the Amazon Machine Image (AMI) from the Marketplace, and configure it. | "Step 2: Deploy the Instance" on page 6 |
| Verify that you can access the instance through SSH and the ProxySG Management Console. | "Step 3: Verify the Instance" on page 9 |
| Install the ProxySG license through the ProxySG Management Console. | "Step 4: Install the License" on page 11 |
| Configure an AWS Elastic Load Balancer (ELB) for multiple ProxySG instances. This is an optional step. | "Step 5: (Optional) Configure Elastic Load Balancing" on page 12 |
| Create snapshots in AWS to capture the contents of an Elastic Block Store (EBS) volume at specific points in time. This is a recommended step. | "Back Up and Restore an Instance of the ProxySG" on page 14 |
| Review the known issues in this release. | SGOS Release Notes at MySymantec |

If you encounter any issues while the ProxySG on AWS instance is running, refer to "Troubleshoot the ProxySG on AWS" on page 17 in this guide for assistance.

Note: For details beyond the scope of ProxySG documentation, refer to AWS documentation: https://aws.amazon.com/documentation/

Important Details about the ProxySG on AWS

For the ProxySG on AWS, you can manage ProxySG instances through:

- SSH to the CLI

- Management Console

You cannot access or manage a serial or VGA console to a virtual machine.


Step 1: Complete Prerequisite Tasks

Before deploying the ProxySG on AWS, complete the following tasks:

1. Prepare and verify your environment, including firewall configuration, Amazon Virtual Private Cloud (VPC) configuration, and security groups for the VPC. Refer to the Amazon documentation for details:

https://aws.amazon.com/documentation/vpc/

2. Allow the ProxySG instances access to the following Symantec servers:

- https://download.bluecoat.com

- https://services.bluecoat.com

You need to allow these servers through any firewalls and security controls, such as Security Groups and Network Access Control Lists (NACLs). You require access to these servers in order to retrieve and install the ProxySG license.

3. Verify system requirements for the virtual appliance. See "Appendix A: Supported Configurations" on page 21.

4. (Optional) Confirm that you are able to access the SSH private key (PEM file) that matches the public key you want AWS to register with the EC2 instance.

5. (If you intend to use load balancing) Understand how ELBs are deployed in AWS. Refer to AWS documentation for details:

https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html


Step 2: Deploy the Instance

Deploy the instance through the AWS Management Console.

1. Log in to the AWS Management Console:

a. Open a web browser window/tab.

b. Go to the following URL: https://console.aws.amazon.com.

The browser displays the AWS Management Console.

2. In the AWS Management Console, select Services > EC2.

The browser displays the EC2 Dashboard.

3. In the Create Instance section, click Launch Instance.

The browser opens a wizard to guide you through the launch process.

4. On the left menu on the EC2 dashboard, select AWS Marketplace.

a. Step 1: Search for the AMI you want to launch and click Select.

b. Step 2: Choose a supported instance type based on the license type you plan to deploy. Refer to "Appendix A: Supported Configurations" on page 21. The following are supported instance types:

- m4.large

- m4.xlarge

- m4.2xlarge

- m4.4xlarge

- m4.10xlarge

Click Next: Configure Instance Details.

c. Step 3: Select the appropriate VPC and subnet, and (if required by your license) specify CPU options.

- The default number of CPUs for the instance type might be greater than the number of CPUs your ProxySG license allows, which can cause your license to be suspended when launching your ProxySG on AWS.

To avoid your license being suspended, specify the number of CPUs your license requires. To specify the number of CPUs, select Specify CPU options. In Core count, enter the number of cores your license allows (the number of cores your license allows is the number that follows the "C" in your license type; for example, SG-VA-C1S has one core and SG-VA-C16L has 16 cores). In Threads per core, enter 1.

Click Next: Add Storage.

d. Step 4: Verify the storage settings are correct for your instance. For all supported instance types, the following storage settings are correct:

- For the Root volume, 8 GB of General Purpose SSD

- For each Data disk EBS volume, 100 GB of General Purpose SSD with 300 IOPS configured

For the Data disk EBS volumes, ensure the correct number of virtual disks exist for your instance type. For more information, see "Appendix A: Supported Configurations" on page 21.

Click Next: Add Tags.

e. Step 5: (Optional) Create one or more tags for your instance by defining key-value pairs. Symantec recommends at least assigning your instance a name (Key type is Name) so that you can easily identify it in the console.

Click Next: Configure Security Group.

f. Step 6: Create a new security group or select an existing one. Security groups allow you to control the inbound connections to and outbound connections from your EC2 instance.

Click Review and Launch.

g. Step 7: Review the instance settings. Make corrections as needed.

5. Launch the instance:

a. In the AWS Management Console, click Launch.

b. Either choose an existing keypair, create a new keypair, or proceed without a keypair.

c. Accept the acknowledgment, and click Launch Instances.

The browser displays the Launch Status page.

6. In the "Your instances are now launching" message box, click the link to the instance.

The browser displays the Instances page.

7. Under Instance State, look for a status icon and an indication of the number of checks passed. If the instance launched successfully, you should see a green icon and "2/2 checks passed".

If fewer than two checks passed (as follows), refer to the tabs at the bottom of the page.

Click Status Checks to determine which check(s) failed and troubleshoot the problem(s). In the following example, the Instance Status Checks report a failure and provide a link for troubleshooting.

8. Connect to your instance and complete the initial connection wizard:

a. Open your preferred SSH client and connect to your instance with either the private or public IP address associated with the instance.

b. Log in with the username config and one of the following:

- The private SSH key file that you associated with the instance during the launch process

- The initial password, which is the instance ID (under the Description tab, you can copy and paste the Instance ID)

c. Enter the serial number of the appliance.

d. Enter the console username.

e. Enter the console password and enter it again to verify it.

f. Enter the enable password and enter it again to verify it.

The appliance restarts to apply the new settings. The next time you access either the serial console or Management Console, use the console username and password you entered to log in.

9. Repeat the previous steps as needed to set up additional instances.

Note: For multiple instances, you might want to set up a load balancer. If you do set up a load balancer, do so after you have verified the connectivity and license validity for all instances. For ELB setup instructions, see "Step 5: (Optional) Configure Elastic Load Balancing" on page 12.


Step 3: Verify the Instance

After you create the instance, verify that you can access it through SSH and the ProxySG Management Console.

Note: To complete this step, you need the private key (PEM file) and/or the login credentials that you used to generate the user data file.

1. Under Instances, select Instances. Locate the instance.

2. Make sure that the Instance State says "running" and that Status Checks says "2/2 checks passed".

If fewer than two checks passed, refer to the Status Checks tab to determine which checks failed, and troubleshoot the problems as suggested.

3. Select the instance, right-click, and click Connect.

Connect to the instance using a standalone SSH client, such as PuTTY. Follow the instructions on the dialog:

Note: When connecting to your instance, use the console username you created and not the ec2-user username.


4. Access the ProxySG Management Console using the instance's AWS-assigned private IP or public IP address (depending on your security group settings) and your login credentials. With the instance selected, click the Description tab to determine the AWS-assigned network settings. To access the ProxySG Management Console, in a browser, enter the address for your instance in the following format:

https://private_or_public_IP_address:8082

Ensure that the port for the ProxySG Management Console (8082) is defined in the Security Group associated with your instance. If not, select Network & Security > Security Groups and add the port.
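The security group requirement above can be checked offline against the JSON that `aws ec2 describe-security-groups` returns. The following Python is an added example, not part of the Symantec guide; the sample group data is constructed, and the SSH port (22), the HTTPS port (443) for the license servers, and the flagging of rules open to any address are assumptions of this example.

```python
import json

MGMT_PORT = 8082   # ProxySG Management Console port named in this guide
SSH_PORT = 22      # assumption: default SSH port (the guide says only "SSH")
HTTPS_PORT = 443   # assumption: the Symantec servers are listed as https:// URLs
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "proxysg-open",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 8082, "ToPort": 8082,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0bbb", "GroupName": "proxysg-traffic-only",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
   "IpPermissionsEgress": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")


def covers(rule, port):
    """True if a security group rule permits TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def cidrs(rule):
    """IPv4 and IPv6 CIDR blocks a rule applies to."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def audit_group(group):
    """Return findings for one security group attached to a ProxySG instance."""
    findings = []
    for port, label in ((MGMT_PORT, "Management Console"), (SSH_PORT, "SSH")):
        rules = [r for r in group.get("IpPermissions", []) if covers(r, port)]
        if not rules:
            findings.append(f"MISSING inbound tcp/{port} ({label})")
        for rule in rules:
            for cidr in cidrs(rule):
                if cidr in ANYWHERE:
                    findings.append(
                        f"OPEN inbound tcp/{port} ({label}) from {cidr}")
    # Security groups match addresses, not host names, so this only confirms
    # that some outbound HTTPS rule exists for reaching the license servers.
    egress = group.get("IpPermissionsEgress", [])
    if not any(covers(r, HTTPS_PORT) for r in egress):
        findings.append(f"MISSING outbound tcp/{HTTPS_PORT} (license retrieval)")
    return findings


def audit(document):
    """Map each GroupId in a describe-security-groups document to its findings."""
    return {g["GroupId"]: audit_group(g) for g in document["SecurityGroups"]}


if __name__ == "__main__":
    for group_id, findings in audit(SAMPLE).items():
        print(group_id, findings or ["ok"])
```
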


Step 4: Install the License

After you verify that you can access the instance, install and verify your license. The ProxySG on AWS license contains data that is used to uniquely identify the virtual appliance.

1. In the ProxySG Management Console, select Maintenance > Licensing > Install.

2. Click Retrieve. The console displays a dialog.

3. In the dialog:

a. Enter your MySymantec credentials.

b. Click Request License. The console displays a Confirm License Install dialog.

c. Click OK to begin license retrieval.

4. (Optional) Click Show results to verify a successful retrieval. If any errors occur, verify that you are connected to the Internet.

5. Click Close. Verify that there are no license errors.

If the license is invalid, select the instance in the EC2 Dashboard and look at the Description tab. If the selected instance type is not one that the ProxySG on AWS supports, perform step 5 of "Make sure that a supported instance type is selected." on page 19. See "Appendix A: Supported Configurations" on page 21 to determine the supported instance types.

If the license is suspended, check that the number of CPUs specified is supported by your ProxySG license. See "Appendix A: Supported Configurations" on page 21 to determine the number of CPUs your license supports and see the "Troubleshoot License Errors" table in "Troubleshoot the ProxySG on AWS" on page 17.

After you validate the license installation, you do not have to reboot or shut down the appliance.


Step 5: (Optional) Configure Elastic Load Balancing

This section assumes an understanding of AWS Elastic Load Balancers (ELBs). Refer to AWS documentation for details:

https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html

To deploy a load balancer in front of multiple ProxySG instances:

1. In the AWS Management Console, under Load Balancing, select Load Balancers.

2. Click Create Load Balancer.

3. Under Classic Load Balancer, click Create.

4. The console displays a setup wizard. Specify the following:

- Step 1: Define Load Balancer - Enter the appropriate details. For listener configuration, see "Configure a Listener" below.

- Step 2: Assign Security Groups - This is an optional step; specify groups as required for your deployment.

- Step 3: Configure Security Settings - Skip this step; it is not applicable in this release.

- Step 4: Configure Health Check - Enter the appropriate details. See "Configure Health Checks" on the next page.

- Step 5: Add EC2 Instances - Select the instances for the load balancer.

- Step 6: Add Tags - This is an optional step; add tags as needed for your deployment.

- Step 7: Review - Review the load balancer settings. Make any required changes, and then click Create to create the load balancer.

Configure a Listener

You can configure a load balancer to perform layer 4 load balancing and pass traffic through to the ProxySG instances. Specify the protocol and port on which the instances are configured to intercept traffic. For example, if you enabled explicit interception on port 80, use the following settings:

- Load Balancer Protocol: TCP

- Load Balancer Port: 80 (same as instance port)

- Instance Protocol: TCP; this is automatically selected when you specify TCP for the load balancer protocol

- Instance Port: 80


Configure Health Checks

For the load balancer to monitor the health of the ProxySG instances, configure it to TCP ping a socket to which the instances respond. The Instance Port that is configured for the load balancer listener can serve as this listening socket. The example in "Configure a Listener" on the previous page uses TCP port 8080 for the load balancing listener; thus, in this case, use the following settings:

- Ping Protocol: TCP

- Ping Port: 80

You do not have to change the default settings under Advanced Details.


Back Up and Restore an Instance of the ProxySG

In case you need to revert or restore your ProxySG instance to an earlier state, you should create a snapshot of your ProxySG instance. When you create a snapshot in an AWS environment, the AWS environment saves the snapshot to S3, which backs up the contents of your Amazon Elastic Block Store (EBS) volume.

Caution: Snapshots are incremental; that is, subsequent snapshots include only contents that differ from previous snapshots.

Create a Snapshot to Back Up Your ProxySG Instance

This section provides steps for creating a snapshot of your ProxySG instance using your AWS console or preferred remote login tool for accessing the ProxySG CLI.

To create a snapshot of your ProxySG instance from your AWS console:

1. Under Elastic Block Store, select Snapshots.

2. Click Create Snapshot.

3. In the Create Snapshot dialog:

a. Select the volume for which you want to create the snapshot.

b. Enter a name and description for the snapshot.

c. Click Create Snapshot.

To create a snapshot using your preferred remote login tool:

- In the EC2 CLI: ec2-create-snapshot

For details, refer to https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ec2-clt.pdf.

- In the AWS CLI: create-snapshot

For details, refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html.

- Using AWS Tools for Windows PowerShell: New-EC2Snapshot

For details, refer to https://docs.aws.amazon.com/powershell/latest/reference/items/Amazon_Elastic_Compute_Cloud_cmdlets.html.


Restore an Instance of the ProxySG from a Snapshot

This section provides the steps for reverting or restoring an instance from a snapshot using your AWS console or preferred remote login tool.

To revert or restore an instance:

1. Create an AMI from a snapshot of a ProxySG instance.

2. Deploy the newly registered AMI.

Create an AMI from a Snapshot of a ProxySG Instance

This section provides steps for creating an AMI from a snapshot using your AWS console or preferred remote login tool.

To create an AMI from a snapshot from your AWS console:

1. Under Elastic Block Store, click Snapshots.

2. In the list of snapshots, select the snapshot you want to create an AMI from.

3. Click Actions > Create Image.

4. In the Create Image from EBS Snapshot dialog, enter information in the following fields:

a. Architecture: Select x86_64 for 64-bit.

b. Root device name: Enter the name for the root volume.

c. RAM disk ID: Use the default.

d. Virtualization type: Select Hardware-assisted virtualization.

e. Kernel ID: Use the default.

f. (Optional) Block Device Mappings: You can add new volumes or expand the size of the root volume for your AMI.


5. Click Create.

To create an AMI from a snapshot using your preferred remote login tool:

- In the EC2 CLI: ec2-create-image

For details, refer to https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ec2-clt.pdf.

- In the AWS CLI: create-image

For details, refer to https://docs.aws.amazon.com/cli/latest/reference/ec2/create-image.html.

- Using AWS Tools for Windows PowerShell: New-EC2Image

For details, refer to https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2Image.html.

Deploy the Newly Registered AMI

You deploy snapshots the same way that you deploy new instances. For the full steps on deploying an instance, see "Step 2: Deploy the Instance" on page 6.


Troubleshoot the ProxySG on AWS

If you experience errors or issues using a ProxySG on AWS, and have already checked the SGOS Release Notes, refer to the following troubleshooting steps.

General Troubleshooting Steps

Possible Troubleshooting Step: Monitor instance health checks.

Details: Look for problems under Status Checks:

1. In the EC2 Dashboard, under Instances, select Instances. The page displays all instances.

2. For the instance you are troubleshooting, under Instance State, look for a status icon and an indication of the number of checks passed. If there are no issues, you should see a green icon and "2/2 checks passed".

3. If fewer than two checks passed, refer to the tabs at the bottom of the Instances page for details. Click Status Checks to determine which checks failed, and troubleshoot the problem as suggested.

Possible Troubleshooting Step: Take screenshots of the instance console.

Details: AWS does not provide serial or VGA access to instances, but it allows you to generate console screenshots. To help diagnose issues, you can take these screenshots at any time while the instance is running.

1. In the EC2 Dashboard, under Instances, select Instances. The page displays all instances.

2. Right click the instance.

3. In the menu, select Instance Settings > Get Instance Screenshot. The browser opens a new page with a static image of the console.

4. While troubleshooting, you can:

- Click Refresh to generate newer console screenshots.

- Right click and save screenshot images to save the information.


Possible Troubleshooting Step: Check the AWS security group settings and group membership for the affected instance.

Details: Security group settings should allow communication with Symantec servers, including the licensing server. Refer to AWS documentation for details on security groups.

Change security group membership:

1. In the EC2 Dashboard, under Instances, select Instances. The page displays all instances.

2. Right click the instance.

3. On the menu, select Networking > Change Security Groups.

4. On the dialog that appears, select or clear security groups as needed.

5. Click Assign Security Groups.

Edit security group settings:

1. In the EC2 Dashboard, under Network & Security, select Security Groups.

2. Right click the security group and select Edit inbound rules or Edit outbound rules.

3. On the dialog that appears, add, remove, or configure rules as needed.

4. Click Save.


Troubleshoot Licensing Errors

Possible Troubleshooting Step: Make sure that a supported instance type is selected.

Details: See "Appendix A: Supported Configurations" on page 21 to determine supported instance types. Then, verify that a supported instance type is selected:

1. In the EC2 Dashboard, under Instances, select Instances. The page displays all instances.

2. Right click the instance.

3. On the menu, select Instance Settings > Change Instance Type.

4. On the dialog that appears, make sure that a supported instance type is selected.

5. If the selected instance type is not one that the ProxySG on AWS supports:

a. Stop the instance. In the Instances list, select an instance and right click. On the menu, select Instance State > Stop.

b. Verify the instance state. In the Instance State column, look for a red icon and the status "stopped".

c. Right click the instance and select Settings > Change Instance Type.

d. On the dialog, select a supported type.

e. Click Apply to save your changes.

f. Restart the instance. Right click the instance again and select Instance State > Start.


Possible Troubleshooting Step: Check the AWS security group settings and group membership for the affected instance.

Details: Security group settings should allow communication with Symantec servers, including the licensing server. Refer to AWS documentation for details on security groups.

Change security group membership:

1. In the EC2 Dashboard, under Instances, select Instances. The page displays all instances.

2. Select the instance and right click.

3. On the menu, select Networking > Change Security Groups.

4. On the dialog that appears, select or clear security groups as needed.

5. Click Assign Security Groups.

Edit security group settings:

1. In the EC2 Dashboard, under Network & Security, select Security Groups.

2. Select the security group, right click, and select Edit inbound rules or Edit outbound rules.

3. On the dialog that appears, add, remove, or configure rules as needed.

4. Click Save.

Possible Troubleshooting Step: Specify the correct number of CPUs for your ProxySG.

Details: If during the license installation you received the error message "The SG appliance license is suspended. The system configured CPU count exceeds limit in license file", then the number of CPUs specified for the instance type is greater than the number of CPUs your ProxySG license allows.

The number of cores your license allows is the number that follows the "C" in your license type; for example, SG-VA-C1S allows for one core and SG-VA-C16L allows for 16 cores.

To specify the correct number of CPUs, redeploy your instance. During Step 3: Configure Instance Details of the AWS wizard, do the following:

1. Select Specify CPU options.

2. In Core count, enter the number of cores your license allows.

3. In Threads per core, enter 1.

Continue deploying your instance.


Appendix A: Supported Configurations

The ProxySG on AWS supports the following instance types and configurations.

Supported Instance Types

Note: If you purchased a small license (such as SG-VA-C2S or SG-VA-C16S), you might have the option of two AWS instance types; for example, SG-VA-C2S can use either an m4.large or m4.xlarge instance.

| License Type | AWS Instance Type | Allowed Number of CPUs* | EC2 CPU Options | Virtual Memory (GB) | Boot Disk** | Number of Virtual Disks | Storage Space Per Disk (GB) |
|---|---|---|---|---|---|---|---|
| SG-VA-C1XS, SG-VA-C1S, SG-VA-C1M, SG-VA-C1L | m4.large | 1 | 1 core, 1 thread per core | 8 | 1 (8 GB) | 1 | 100 |
| SG-VA-C2S | m4.large | 2 | default values | 8 | 1 (8 GB) | 1 | 100 |
| SG-VA-C2S, SG-VA-C2M, SG-VA-C2L | m4.xlarge | 2 | 2 cores, 1 thread per core | 16 | 1 (8 GB) | 1 | 100 |
| SG-VA-C4S | m4.xlarge | 4 | default values | 16 | 1 (8 GB) | 2 | 100 |
| SG-VA-C4S, SG-VA-C4M, SG-VA-C4L | m4.2xlarge | 4 | 4 cores, 1 thread per core | 32 | 1 (8 GB) | 2 | 100 |
| SG-VA-C8S | m4.2xlarge | 8 | default values | 32 | 1 (8 GB) | 4 | 100 |
| SG-VA-C8S, SG-VA-C8M, SG-VA-C8L | m4.4xlarge | 8 | 8 cores, 1 thread per core | 64 | 1 (8 GB) | 4 | 100 |
| SG-VA-C16S | m4.4xlarge | 16 | default values | 64 | 1 (8 GB) | 8 | 100 |
| SG-VA-C16S, SG-VA-C16M, SG-VA-C16L | m4.10xlarge | 16 | 16 cores, 1 thread per core | 160 | 1 (8 GB) | 8 | 100 |

*The number of allowed CPUs is determined by the type of ProxySG license you have and not by the number of CPUs theAWS instance type allows for; for example, anm4.large instance has 2 CPUs, but an SG-VA-C1XS license allows for only 1CPU. In this example, the number of CPUs must be restricted to 1.

**The boot disk is created automatically during deployment.

Refer to AWS documentation for more information on instance types: https://aws.amazon.com/ec2/instance-types/

Storage and Network Settings

Storage Settings (supported values)

For all supported instance types, the following storage settings are correct:

- For the Root volume, 8 GB of General Purpose SSD

- For each Data disk EBS volume, 100 GB of General Purpose SSD with 300 IOPS configured

For the Data disk EBS volumes, ensure the correct number of virtual disks exists for your instance type. For more information, see "Appendix A: Supported Configurations".

Refer to AWS documentation for more information on volume types: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

Network Settings (supported values)

You can specify multiple network interfaces if needed; however, at least one interface must have a route to the public internet.

By default, the ProxySG on AWS provides a single network interface for both management and traffic.


Appendix B: Metadata Reference

This section describes metadata in AWS.

AWS Metadata

In AWS, each instance has access to metadata provided by the AWS infrastructure. Instance metadata is used to configure the running instance, such as some network settings. Because there is no serial console or VGA console access available for you to manually complete the initial configuration (as you would for a SWG VA, for example), the ProxySG on AWS instance uses the metadata fields described in this section to configure itself.

For details, see AWS documentation at:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html.

| Data | Description |
|---|---|
| instance-id | The ID of this instance. |
| instance-type | The type of instance. Currently, the supported instance types are m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, and m4.10xlarge. For a complete list of instance types, see the AWS documentation at https://aws.amazon.com/ec2/instance-types/ |
| public-keys/0/openssh-key | Public key. Only available if supplied at instance launch time. Used to install as an authorized key for the default console username. |
| network/interfaces/macs/mac/subnet-id | The ID of the subnet in which the interface resides. Returned only for instances launched into a Virtual Private Cloud (VPC). The subnet ID is used as a label applied to the network device. |
| network/interfaces/macs/mac/vpc-ipv4-cidr-block | The CIDR block of the subnet in which the interface resides. Returned only for instances launched into a VPC. Used to calculate the primary DNS server of the instance. |
| network/interfaces/macs/mac/subnet-ipv4-cidr-block | The CIDR block of the subnet in which the interface resides. Returned only for instances launched into a VPC. Used to calculate the default gateway of the instance. |
| network/interfaces/macs/mac/local-ipv4s | The private IP addresses associated with the interface. Used to apply all IP addresses associated to the instance. |

This metadata is reapplied to the virtual appliance at every restart; thus, avoid making changes using the following CLI commands because any changes you make are not permanent:

| CLI Command | Do not use this command because... |
|---|---|
| #(config) ip-default-gateway | Default gateway for the proxy has already been configured by instance metadata. If required, configure additional static routes. |
| #(config) interface adapter_number:interface_number | Default settings for the network adapters have already been configured by instance metadata. |


Appendix C: Additional Steps for Generating User Data

The following steps detail how to deploy the instance by generating user data (administrator account information and ProxySG appliance serial numbers) and supplying it during the launch, instead of supplying it after the initial launch. This method of supplying user data originally was required for deploying a ProxySG on AWS; currently, the recommended method is to supply the user data after the initial launch, as detailed in the previous chapters of this guide.

You might want to supply generated user data files during the launch if you are launching multiple instances that have the same administrator account information, as you will not need to make configuration changes to each instance after they have been launched. In most cases, Symantec recommends using the initial connection wizard after the initial launch.

Note: For each instance, you must generate a new user data file with a unique appliance serial number. All other information required to generate a user data file can be reused.

In this method, you generate the user data file(s) from Symantec’s Support site before initiating the launch. During Step 3: Configure Instance Details of the AWS Launch Instance Wizard (see step 4c. of "Step 2: Deploy the Instance" on page 6), you supply the user data file.

Generate User Data Files for Automatic Deployment of Instances

Before deploying your ProxySG on AWS, generate a user data file for each instance you want to automatically deploy.

To generate a user data file:

1. Obtain or confirm your MySymantec credentials.

You must supply these credentials when generating the instance user data file and retrieving the ProxySG on AWS license.

2. Obtain or confirm the following information:

- The username for the administrator account

- The virtual appliance serial number (which you retrieved when you downloaded the VHD from MySymantec)

- The intended password for the administrator account

- The intended enable password for the appliance

Make sure that the passwords are strong.

You need these details to generate the user data file.


3. Generate the user data file:

a. Go to the following URL:

https://support.symantec.com/us/en/user-data-key-generator.html

b. When prompted to log in, enter your MySymantec username and password.

c. Enter the following:

- Console Username: The administrative username for accessing the ProxySG Management Console

- Serial Number: The appliance serial number

- Console Password: The administrative password

- Enable Password: The enable password

Be sure to create strong passwords.

d. Click Generate User Data. The browser displays the user data.

e. Click Download File to download the user data file.

f. Click Finish.

Supply User Data File While Deploying the Instance

When deploying your instance (see "Step 2: Deploy the Instance" on page 6), you supply the user data file. In Step 3: Configure Instance Details of the AWS deployment wizard, do the following:

1. Expand the Advanced Details section.

2. Beside User data, select As file.

3. Click Choose File and browse to the location where you saved the user data file.

4. Do not select Input is already base64 encoded.

Continue deploying your instance.

About AWS User Data

User data is a JSON blob that allows the instance to self-configure parameters required to initialize the instance.


Generate the user data at the MySymantec website:

https://support.symantec.com/us/en/user-data-key-generator.html

The following is an example of the output:

{"ICW_Params":{"BC_SerialNumber":"9999999999","BC_AdminUsername":"admin","BC_ConsolePassword":"$2a$12$UjBY3DkcED02Nn96w3l0qupscB81gyLorl8NnJWL84mhRVdmkd2r6","BC_EnablePassword":"$2a$12$8l4GTA2N59F3NM52EmGc1uPhtZEORvXjJJXqu9XS.yw2Eka0FFnLu"}}

Refer to the following descriptions of the user data fields:

| Field | Description |
|---|---|
| BC_SerialNumber | The serial number associated with the VM. |
| BC_AdminUsername | The user name of the console user. |
| BC_ConsolePassword | A hash of the console user's password. |
| BC_EnablePassword | A hash of the enable password. |
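The following pre-launch check is an added example, not part of the Symantec guide or its tooling. It lints user data files for the structure shown above, flags password fields that do not hold a bcrypt hash (for example, a cleartext value pasted by hand), and enforces the rule that each instance gets a unique serial number. The function names, the accepted bcrypt prefixes and the minimum cost of 12 (taken from the sample output) are assumptions.

```python
import json
import re

REQUIRED = ("BC_SerialNumber", "BC_AdminUsername",
            "BC_ConsolePassword", "BC_EnablePassword")
# bcrypt string: $2a$/$2b$/$2y$ (assumed set), two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}")
MIN_COST = 12  # assumption: the cost used in the guide's sample output


def load_params(raw):
    """Return the ICW_Params dict from user data bytes, or None if malformed."""
    try:
        params = json.loads(raw.decode("utf-8"))["ICW_Params"]
    except (ValueError, KeyError, TypeError):  # bad UTF-8/JSON (e.g. base64), wrong shape
        return None
    return params if isinstance(params, dict) else None


def lint_user_data(raw):
    """Return a list of findings for one file; an empty list means none."""
    params = load_params(raw)
    if params is None:
        return ["not plain JSON with an ICW_Params object"]
    findings = []
    for key in REQUIRED:
        value = params.get(key)
        if not isinstance(value, str) or not value:
            findings.append(key + ": missing or empty")
        elif key.endswith("Password"):
            match = BCRYPT_RE.fullmatch(value)
            if match is None:
                findings.append(key + ": not a bcrypt hash (cleartext?)")
            elif int(match.group(1)) < MIN_COST:
                findings.append(key + ": bcrypt cost below %d" % MIN_COST)
    return findings


def lint_batch(files):
    """files maps name -> bytes; also flags a serial number reused by a later file."""
    report, owner = {}, {}
    for name, raw in files.items():
        report[name] = lint_user_data(raw)
        serial = (load_params(raw) or {}).get("BC_SerialNumber")
        if isinstance(serial, str) and serial:
            first = owner.setdefault(serial, name)
            if first != name:
                report[name].append("BC_SerialNumber already used by " + first)
    return report
```

Call lint_batch with a mapping of file names to the bytes of each downloaded user data file before launching; a file that was base64 encoded fails the first check, which matches the instruction not to select Input is already base64 encoded.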

This user data is reapplied to the virtual appliance at every restart. If user data is associated with the instance, avoid making changes using the following CLI commands because any changes you make are not permanent:

- #(config) security enable-password password

- #(config) security hashed-enable-password hashed_password

- #(config) security password password

- #(config) security password hashed-password hashed_password

- #(config) security username name

AWS User Data Security

Instance user data can contain sensitive information and should not be shared. To prevent accidental exposure of the data, the ProxySG automatically installs the following policy when it detects that it is running in AWS:

<Proxy>
url.address=169.254.169.254 FORCE_DENY

This policy is designed to prevent accidental exposure of instance user data and cannot be disabled.
