update notes
=========================================================================
Symantec Messaging Gateway (formerly Symantec Brightmail Gateway) version
9.5.4 Software Update Notes
=========================================================================
May, 2012
Before you install this software update, copy and paste the URL below
into a Web browser to check for late-breaking issues:
http://www.symantec.com/docs/TECH185792
SPECIAL INSTRUCTIONS AND CAUTIONS
================================================
Unsupported platforms
----------------------------------------------
8220, 8240, 8260, and 8320 purchased on or before May 2008 (based on the
Optiplex GX745 platform) hardware platforms are unsupported.
For more information about supported hardware versions, on the Internet, go to
the following URL:
http://www.symantec.com/docs/TECH186269
To determine what hardware version you have, at the command line type the
following:
show -i
Special update instructions for 9.5.0-19 users
----------------------------------------------
Symantec strongly recommends that you upgrade your Control Center before
you upgrade your Scanners. If you do not upgrade the Control Center first,
you must use the command line interface to upgrade remote Scanners.
Please thoroughly review the following sections:
================================================
--What's New
--Translated software update notes
--Documentation
--Update considerations
--Running software update
--Known Issues
--Note regarding IM filtering and access control features of Symantec Messaging
Gateway
--End User License Agreement (EULA)
What's new
==========
This release addresses changes in supported hardware versions and resolving
known issues.
Translated software update notes
================================
These software update notes have been translated into the following languages:
--Simplified Chinese
--Traditional Chinese
--Japanese
--Korean
To access the translated software update notes, copy and paste the URL
below into a Web browser:
Chinese (Simplified)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN
Chinese (Traditional)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW
Japanese
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP
Korean
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR
Documentation
=============
To access product documentation online, copy and paste the URL below into a
Web browser:
http://www.symantec.com/business/support/index?page=landing&key=53991
Update considerations
=====================
--Please read the Symantec Messaging Gateway 9.5.4 release notes for a
complete list of update considerations.
--For customers who update from version 8.0.3 using LDAP directories, there
may be a new communications requirement for LDAP connectivity from Scanners.
Please read the release notes for details.
--Symantec Messaging Gateway 9.5 introduced a restructuring of the data
storage for content incidents and Spam Quarantine. If you update to 9.5.4
from 8.0.3, systems storing large amounts of data with these features will
see increased update time for the Control Center. Delete as many content
filtering incidents and quarantined spam messages as possible before you
run the update.
--Back up your existing data before you run the software update. The software
update process may take several hours to complete.
--Do not reboot while software update is in process. If you reboot before
the process is complete, data corruption is likely. If data corruption occurs
the appliance must be re-installed with a factory image.
Important information for installing on VMware
----------------------------------------------
Symantec Messaging Gateway 9.5.4 offers two methods for installing on supported
VMware platforms. You can load the ISO file into a preconfigured virtual
machine or you can load the OVF which includes the virtual machine
configuration. Please note the following:
--The ISO file can be used on VMware ESX or ESXi 3.5 - 4.1 or vSphere 4.1/4.0.
--The OVF can be used for VMware ESX or ESXi 3.5 - 4.1 or for vSphere 4.1/4.0.
Refer to Symantec Messaging Gateway 9.5 Installation Guide for instructions.
If you use the BusLogic controller when you upgrade to 9.5.4 with VMware ESX or
VMware ESXi 4.1/4.0/3.5, you must change the SCSI Controller Type in your
virtual machine settings before the upgrade as follows:
--When you upgrade through VMware ESX 3.5, you must switch the SCSI Controller
Type in your virtual machine settings to "LSI controller".
--When you upgrade through VMware ESX 4.1/4.0, you must switch the SCSI
Controller Type in your virtual machine settings to "LSI SAS".
For more information, on the Internet, go to the following URL:
http://www.symantec.com/docs/TECh168754
Supported previous versions
----------------------------------------------
You can only update version 8.0.3 or later to version 9.5.4. Systems that run
versions prior to 8.0.3 must be updated to 8.0.3, including all Scanners
and the Control Center, before proceeding to the version 9.5.4 update.
Software update planning
----------------------------------------------
--Ensure that you are running on a supported hardware platform.
--There is not an option to update a Control Center and multiple Scanners
simultaneously. Each appliance must be updated individually.
--It is crucial that the update window in which you update your Scanners
to 9.5.4 is as short as practicable. This is critical because if the Control
Center and Scanner versions differ, the Control Center is unable to make
configuration changes to the Scanner. Configurations in which the Control
Center and Scanners run different versions for an extended period are
unsupported.
Running software update
=======================
Before running the software update from 8.0.3, ensure that your appliance is
not performing tasks that, if disrupted, could cause problems after updating.
--Check for a running LDAP synchronization cycle.
--Check for a running Scanner replication cycle.
--Minimize the number of messages in any of the queues by setting the Scanner
to reject incoming messages and then wait for the queues to drain completely.
To prepare for the software update, follow the steps below. The Control
Center locations presented below are for version 8.0.3 and may differ for
other versions.
1 To check for a running LDAP synchronization cycle or Scanner replication
cycle, go to Status - System - LDAP Synchronization.
2 To halt incoming messages, go to Administration - Hosts -
Configuration/Edit, click "Do not accept incoming messages", and click Save.
3 To check the queues, go to Status - SMTP - Message Queues.
Using the command line interface to update from releases
prior to 9.5.0
-----------------------------------------
For 9.5.0, Symantec introduced enhanced upgrade Control Center functionality.
If you run a release prior to 9.5.0, or if you prefer not to use this new
Control Center functionality, you can update through the command line interface,
which allows you to divide the update process into discrete steps. This may be
more appropriate to use over imperfect Internet connections.
To update using the command line interface:
1 Log into an appliance using an SSH client or log in at the console. You must
use your administrator credentials to log in.
2 To list available updates, type the following command:
update list
3 To download the update, type the following command:
update download
4 To install the update, type the following command:
update install
You can monitor the software update progress using the steps below.
To monitor the software update progress:
1 Using an SSH client or the console, log into the appliance you are updating.
You must use administrator credentials when logging on.
2 Type one of the following commands:
for 8.0.3: watch update.log
for 9.0.1 or later: tail -f update.log
The progress of the software update appears. When the update is complete, the
appliance restarts automatically. Do not restart the appliance before the
update completes. You will see the following message:
sms-appliance-release-version successfully installed.
Rebooting appliance...
The appliance reboots. If you've logged into the appliance using an SSH client,
the connection will be lost.
You may receive warnings, which you can ignore. See the release notes for more
information.
Testing update success
----------------------
To ensure that your appliance is running Symantec Messaging Gateway version
9.5.4, log into the command line interface on an appliance and type the
following command:
show --version
Known Issues
============
Error messages are generated when you upgrade
----------------------
When you upgrade from a release before 9.5.3, you may observe a number of
benign error messages during the upgrade process. See the following knowledge
base article for more information:
http://www.symantec.com/docs/TECH173852
Error messages are generated when you configure your NTP server information
----------------------
When you configure your NTP server information during installation or when
you modify it post-installation, you may observe an error message in your
message log. The message indicates that the requested IPv6 address cannot be
assigned. You can ignore this message.
http://www.symantec.com/docs/TECH186256
SSLv3 connections are not supported when FIPS mode is enabled
----------------------
The Require TLS encryption option for SMTP authorization does not work as
expected when FIPS mode is enabled. When you run in normal, non-FIPS mode,
Symantec Messaging Gateway accepts both TLS and SSLv3.0 connections. When FIPS
mode is enabled, even if the Require TLS encryption option is disabled, the
connections that use SSLv3.0 and earlier are not supported. For more
information, see the Symantec Messaging Gateway FIPS 140-2 level 1 Deployment
Guide.
http://www.symantec.com/docs/TECH186251
Error message appears when update check command is issued
----------------------
When you upgrade from a release before 9.5.2 and run the update check command,
you may receive a message that some packages cannot be installed. You can
ignore this message.
http://www.symantec.com/docs/TECH169454
Errors in logs during update
----------------------
During an update, errors may appear despite a successful upgrade as follows:
--Errors appear in the mysql error log for a successful update. You can
disregard these errors.
--You may find some unexpected messages that are related to module-loading
failure in the conduit log. You can ignore these messages.
9.5.2 included changes to the appliance platform, which includes the operating
system and database versions.
http://www.symantec.com/docs/TECH169981
Possible errors during bootstrap process
----------------------
/data/logs/boot.log may not appear upon fresh install. As a result, you may
see some related errors during the bootstrap process, including a red [FAILED]
status from "Adjusting Symantec Messaging Gateway services". You can ignore
these errors.
http://www.symantec.com/docs/TECH186249
FIPS mode not automatically enabled upon OS restore
----------------------
Your FIPS state is not saved as part of a backup. If you perform an OS restore
on a Symantec Messaging Gateway 9.5.2 or later host with FIPS mode on, manually
turn on the FIPS mode after the restore completes.
http://www.symantec.com/docs/TECH186248
Download may take longer than for past updates
----------------------
When you upgrade from versions prior to 9.5.2, the download portion of the
update process can take substantially longer than past updates. This situation
is due to the large size of the download package.
http://www.symantec.com/docs/TECH186191
MTA takes several minutes to start on a FIPS-enabled appliance that is
configured with SMTP authentication and Accept TLS
----------------------
The following actions take significantly longer with FIPS mode turned on than
they do with FIPS mode turned off:
--Restarting the Message Transfer Agent (MTA) service
--Any configuration change that implicitly restarts the MTA service
The host may appear to be hung for several minutes, but it is not. As a best
practice, enable FIPS mode as the final step in your setup process before you
deploy the host in a production environment.
http://www.symantec.com/docs/TECH186189
delete ddsconfig does not remove directory data sources from Control Center
----------------------
If you use the delete ddsconfig command to remove the ddsconfig.xml file from
the disk, the DDS configuration remains in the database. The DDS configurations
on the Control Center remain unchanged.
To delete data sources in the Control Center, perform the following tasks:
1. In the Control Center, click Administration - Directory Integration.
2. On the Directory Integration Settings page, select the data source or sources
you want to remove, and click Delete.
http://www.symantec.com/docs/TECH186188
Unable to load cache data from /data/dds/dds-cache.ser in dds.log during
upgrade from 9.0 to 9.5.4
----------------------
When you upgrade from a version before 9.5.2, Symantec Messaging Gateway is
unable to load the cache data from /data/dds/dds-cache in dds.log. The DDS cache
is rebuilt as messages are processed after upgrade.
http://www.symantec.com/docs/TECH186186
Virtual machine kernel panics after update to 9.5.2
----------------------
After you update the Symantec Messaging Gateway virtual appliance to 9.5.2,
the virtual machine (VM) fails to restart. The VMware console indicates that
VMware is unable to restart due to a kernel panic.
http://www.symantec.com/docs/TECh168754
The Russia time zone is incorrect.
----------------------
Russia no longer changes for Daylight Savings Time. The correct time should be
GMT +4 rather than GMT +3.
http://www.symantec.com/docs/TECH173452
Note regarding IM filtering and access control features of Symantec
Messaging Gateway
===================================================================
Symantec is removing IM filtering and network access control in the 10.0
release of Symantec Messaging Gateway. Customers who are currently
using the IM filtering features should plan for an alternative solution.
Symantec recommends that customers do not enable IM filtering for new
installations or existing installations that are not currently using IM
filtering.
End User License Agreement (EULA)
=================================
After the update completes, you can display the End User License Agreement
(EULA) from the command line interface.
To view the EULA
1 Log into the appliance's command line interface and type:
show --eula
The EULA appears.
2 To page through the EULA, use the space bar.
3 To exit the display of the EULA, type:
q
The command prompt appears.