Before Upgrading to Symantec Messaging Gateway version 9.5.x from Symantec Brightmail Gateway version 9.0.x or from version 8.0.3

Article:TECH160604  |  Created: 2011-05-23  |  Updated: 2012-08-20
Article Type
Technical Solution



This article gives guidance and recommendations for upgrading to Symantec Messaging Gateway version 9.5.x from Symantec Brightmail Gateway 9.0.x or from version 8.0.3.

The following sections contain migration information to read before you update to version 9.5.x.


If you are updating from version 9.0.x, only the "best practice" items in the following section apply to your situation.


Note: You must update to Symantec Messaging Gateway 9.5.x from Symantec Brightmail Gateway 8.0.3 or later. If your Control Center and Scanners are not running version 8.0.3 or later you must update them to 8.0.3 before you update to version 9.5.x.

After you update the Control Center and Scanners to version 8.0.3, ensure that the Control Center can communicate with all Scanners. If the communication is successful, proceed to update the Control Center and Scanners to version 9.5.x.


Table 1-1 Symantec Brightmail Gateway Migration Guidance

Item Description
Best practice: Perform a backup

Symantec recommends that you take a full system backup before you run the software update.

Important: Do not reboot

The software update process may take several hours to complete. If you reboot before the process is complete, data corruption is likely. If data corruption occurs, the appliance must be reinstalled with a factory image.

Important: Reduce Spam Quarantine size

Versions prior to 9.0 used a database for Spam Quarantine messages. In 9.x, Spam Quarantine messages are stored in the file system to make the message store more robust and scalable. Migration of Spam Quarantine messages to the file system can take a significant amount of time depending on the number of messages to be migrated. Migration can take several hours if your Spam Quarantine contains a large number of messages. To minimize the migration time, reduce the number of messages in Spam Quarantine before you update the Control Center to version 9.5.x from version 8.0.3. Use the Spam Quarantine Expunger to reduce the number of Spam Quarantine messages. This is not applicable if you are already running 9.0.x.

Important: Reduce content incident folder size

Changes have been made in how content incidents are stored. As a result, migrating content incidents can take a significant amount of time. In particular, the amount of time can be large if your Control Center has a large number of incidents in the folders. To minimize update time, delete unnecessary incidents before you update the Control Center to version 9.5.x from version 8.0.3. This is not applicable if you are already running 9.0.x.

Best practice: Delete log messages

If your site policies let you, delete all Scanner and LDAP log messages.

Best practice: Stop mail flow to Scanners and flush queues before updating

To reduce Scanner update time and complexity you should stop mail flow to Scanners and reduce the size of all queues.

To halt incoming messages, click Administration > Hosts > Configuration, click a Scanner, click Do not accept incoming messages, and click Save. To check the queues, click Status > SMTP > Message Queues. Flush the messages that are left in the queues.

Best practice: Stop mail flow to shared Control Center/Scanner systems if using content incidents

Stop mail flow to all-in-one Control Center and Scanner systems before you update. The new incidents that are created on a combined Control Center and Scanner during the migration process are stored in the default incident folder. This behavior is limited to only the new incidents that are created during the Control Center migration. All previously created incidents are migrated to the correct folders. After you update to version 9.0, new incidents are sent to the correct folder.

Best practice: Update Scanners first

Each appliance must be updated individually. As a best practice, Symantec recommends that you update all Scanners before updating the Control Center. You do not have to update all of your Scanners at the same time. You can update some Scanners to version 9.0 and leave some with the older version. That way some Scanners continue to protect your site while you update others. However, if the Control Center and Scanner versions are different, the Control Center cannot make configuration changes to the Scanner.

Best practice: Perform software update at off-peak hours

When you update the Control Center, the Control Center appliance is offline and unusable. Scanners cannot deliver messages to quarantine on the Control Center during the software update, so messages build up in a queue. Running software update on a Control Center appliance can take quite some time. Plan to update the Control Center appliance during off-peak hours.

When you migrate a Scanner, it goes offline. Scanner resources are unavailable during the migration process. Software update of a Scanner takes less time than the software update of the Control Center.

Directory integration considerations

■ For some installations, you may need to add access to LDAP ports for 9.0.x. The Control Center
and Scanners using any LDAP features must be able to communicate to the LDAP servers. LDAP
features include authentication, routing, recipient validation, and address resolution (previously
known as synchronization). Your Control Center and Scanners may already meet this
requirement. This access change is a new requirement if your environment matches the
following criteria:
■ You have a distributed deployment with at least one separate Scanner AND
■ The deployment uses one or more LDAP sources with the Synchronization usage enabled
If your environment matches these criteria, use the ldapsearch command to check connectivity
on each host before you update to version 9.0.x. For information about how to use ldapsearch,
go to the following URL on the Internet:
■ The new directory data service caches the query results to reduce the load that is placed on
the directory servers and to improve Scanner performance. The cache builds over time. After
you update from version 8.0.3 to version 9.5.x there may be an initial slow down of mail
throughput under heavy load. The slow down can occur in the first few minutes as the cache
■ The LDAP query filter formats in 9.0.x have been standardized to use the %s, %u, and %d
tokens. These tokens were previously used only for the recipient validation and routing query
filters. If authentication, synchronization, or both are enabled in 8.0.3, the query filters are
modified to use the standard tokens after you update to version 9.5.x. If you previously modified
any of the default query filters, confirm the functionality of the authentication and address
resolution functions in 9.5. Use the new Test Query option in the Control Center.
■ In Symantec Brightmail Gateway 8.0.3 and earlier releases, only LDAP groups were displayed
in the Administration > Users > Policy Groups page. In 9.0.x, both LDAP groups and distribution
lists are displayed for a newly added LDAP source. You can view both groups and distribution
lists after you update your deployment.
■ The LDAP "recipient validation" function is now used to check incoming messages for both
Reject invalid recipients and Drop invalid recipients. If you have an 8.0.3 deployment using
LDAP synchronization with Protocols > SMTP > Invalid Recipients set to Drop invalid
recipients, the LDAP source is migrated to a source with both "recipient validation" and "address
resolution" functions enabled after you update to 9.0.x. Additionally, if you have any enabled
"recipient validation" sources in your 8.0.3 deployment, they are used for Drop invalid
recipients upon update to 9.0.x.
■ In versions 9.0.x, any recipient address that includes a domain alias is considered valid if the
following conditions are true:
■ You have one or more domains configured as an alias in Protocols > SMTP > Aliases
■ You have Protocols > SMTP > Invalid Recipients set to either Drop or Reject
If both of the conditions are true, no call is made to the LDAP server to determine whether the
recipient is valid or not.

Domino-specific directory integration considerations

If you are using one or more Domino LDAP Sync sources with one or more "Alias domain" values, add those values as Symantec Messaging Gateway domain aliases before you update to version 9.0.x.

Once you have updated, you can optionally modify the resulting data directory service recipient validation and address resolution query filters to include (mail=%u@<domain>) and (uid=%u@<domain>) clauses as necessary, if you do not want to use domain aliases on the Symantec Messaging Gateway host.
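The %s, %u, and %d query filter tokens and the Domino (mail=%u@<domain>) clauses described above can be previewed for a test address before you run Test Query; the following is an added example, not Symantec code. It assumes %s is the full address, %u the local part, and %d the domain; the function names, filter templates, attribute list, and domains are constructed for illustration.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as data inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, address):
    """Substitute the %s/%u/%d tokens in a filter template for one address.

    Assumed token meanings: %s = full address, %u = local part, %d = domain.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a full email address: %r" % address)
    values = {"%s": address, "%u": local, "%d": domain}
    # The callable's return value is inserted literally, so the escaped
    # backslashes are not reinterpreted by re.sub.
    return re.sub(r"%[sud]",
                  lambda m: escape_filter_value(values[m.group(0)]),
                  template)


def with_alias_clauses(template, attrs, alias_domains):
    """OR a base filter with (attr=%u@<alias domain>) clauses (Domino case)."""
    clauses = ["(%s=%%u@%s)" % (attr, escape_filter_value(dom))
               for dom in alias_domains for attr in attrs]
    if not clauses:
        return template
    return "(|" + template + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample values, not defaults shipped with the product.
    base = "(mail=%s)"
    domino = with_alias_clauses(base, ("mail", "uid"), ["corp.example"])
    print(domino)
    print(expand_filter(domino, "jdoe@alias.example"))
    # Filter metacharacters in the address stay inside the value.
    print(expand_filter(base, "a*)(uid=*@x.example"))
```

The expanded string is the literal filter to compare against what Test Query or ldapsearch returns for the same address.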

New content folders are created

■ After you update a Control Center to version 9.0.x from 8.0.3, the Control Center displays twice
as many content incidents as you previously had configured.
To facilitate the new incident expunger, 9.0.x requires Informational Incidents and Quarantine
Incidents (hold for review) to be stored in separate folders. Folders containing mixed incidents
are separated in the migration process. After migration, new incident folders are created for
the quarantine incidents. All policies are migrated to save quarantine incidents to the new
folders. You do not have to adjust your policy configuration after migration.

■ In 9.0.x the content folders can contain either informational incidents or quarantine incidents
but not both. As a result, new behavior has been introduced. If a message violates multiple
Content Quarantine policies then an incident is created for the higher precedence policy in the
designated folder. Subsequent Content Quarantine violations are recorded as informational
incidents in the default information incidents folder.

This is not applicable if you are already running 9.0.x.

User Preferences Considerations

■ Versions of Brightmail Gateway prior to 9.0 used the LDAP synchronization schedule time to
replicate user preferences to the Scanners. In 9.0.x, LDAP synchronization has been deprecated
and user preferences replication happens on the default schedule of once per day at midnight.
You can change the schedule or replicate user preferences manually on the Users tab of the
Administration > Settings > Control Center page.

■ End user preferences are no longer in effect after you update from version 8.0.3 if all of the
following conditions occur:
■ You have a distributed deployment
■ End user preferences are enabled
■ You update the Scanners before you update the Control Center
To reenable end user preferences, update the Control Center and ensure that user preferences
are replicated.

■ User preferences are not replicated to remote Scanners during the migration process. To ensure
user preferences are applied, you must replicate them manually after you update the Control
Center and all Scanners. Otherwise user preferences are replicated at the default time of
midnight. Navigate to the Users tab of the Administration > Settings > Control Center page
and click Replicate Now once all systems have been upgraded.
■ The user preference replication alert is enabled by default after you update to version 9.0.x.
Symantec Brightmail Gateway sends an alert to administrators configured to receive alerts
when user preferences replication finds an error. You can disable this alert on the DDS tab on
the Administration > Settings > Alerts page.

Change in crash alert mail from

In previous releases, crash alert notifications were sent from process-cleanup@<appliancehostname>. In versions 9.0.x, the envelope sender of a crash alert is the same address as the envelope recipient.

URI reporting disabled after update

This release can detect and record Uniform Resource Identifiers (URI) that occur in email messages to improve URI-based filters. Symantec Messaging Gateway sends Symantec Security Response every URI in the messages that Symantec Messaging Gateway scans for spam (inbound and outbound scanning). Symantec uses this information to develop new URI-based filters. You receive these updated filters through the Conduit. This feature is enabled by default. If you want to change this setting, go to the Email tab of the Spam > Settings > Scan Settings page, check or uncheck the item “Report URIs to Symantec Security Response” then click Save.
