Both licenses are available as 1, 2 and 5 (not 3 as listed on the Cisco website) year subscriptions, or you can buy Plus licenses with a perpetual license option.
Note: For Plus licences look at SKUs starting L-AC-PLS, for Apex licences look at SKUs starting L-AC-APX.
Note: If you have a Plus Perpetual license you still need to purchase a software applications support plus upgrades (SASU) contract.
Regardless of which you buy, the SASU for AnyConnect is NOT included in the support contract for the parent device e.g. the SmartNet on your Cisco ASA Firewall.
To purchase support you order the parent license (SKU: L-AC-PLS-P-G) which has no cost, then you add in the relevant license for the amount of clients you have e.g. AC-PLS-P-500-S for 500 users, AC-PLS-P-2000-S for 2000 users etc.
BE AWARE: AnyConnect 4 licenses will display as AnyConnect Premium licenses when you issue a ‘show version’ command. Adding an AnyConnect 4 license (regardless of the quantity of licenses added) will license the ASA to the maximum permitted AnyConnect Premium license count for the ASA hardware platform, those being;
New AnyConnect VPN Only Licences (Perpetual)
You can now purchase VPN Only perpetual licences, they are sold by ‘Concurrent VPN Connection‘. You order them like so;
L-AC-VPNO-25 (for 25 concurrent VPN connections); you can also buy 50, 100, 250, 500, 1K, 2500, 5K, and 10K versions, depending on what your device will physically support (see below).
I had a load of Cisco Catalyst 3560 switches that needed ‘ipbase’ licenses adding to them today. I’ve messed about with plenty of ASA license upgrades before, but not switches.
Solution
1. First thing you need is a Cisco PAK, this may be in an email or turn up in a cardboard envelope.
2. Go to http://www.cisco.com/go/license and log in (if you don’t already have a Cisco CCO account you can create one for free). Enter your PAK and select ‘fulfil’.
3. Select ‘All Quantities’ > Next.
4. Enter your product ID and serial number (see below).
To locate your Product ID (PID), and serial number (SN), on the switch issue a ‘show license udi’ command.
5. Accept the agreement > ensure your email address is correct > Submit.
6. Select ‘Download’ to get the license straight away (it will get emailed to you shortly).
Note: If it does not turn up in your email, check your junk email folder, I’m sure Microsoft Outlook does this on purpose!
7. You will have a file with a big long name and a .lic extension. If you want you can copy this onto the switch via TFTP, but let’s keep things simple and use a FAT32 formatted USB drive.
8. Before we start let’s check the license on the switch. I’m running my ipbase license on an evaluation, this is what we are going to add a permanent license for.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: 7 weeks 5 days
License Type: Evaluation
License State: Active, In Use
License Priority: Low
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
[/box]
10. Then copy the .lic file to the switch's flash memory.
[box]
Mar 30 04:13:18.466: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
Petes-Switch#copy usbflash0: flash:
Source filename []? FDO1818X123_201410200338212345.lic
Destination filename [FDO1818X123_201410200338212345.lic]? {Enter}
Copy in progress...C
1152 bytes copied in 0.041 secs (28098 bytes/sec)
Petes-Switch#
[/box]
11. Install the new license.
[box]
Petes-Switch#license install flash:/FDO1818X123_2014102003382212345.lic
Installing licenses from "flash:/FDO1818X123_2014102003382212345.lic"
Installing...Feature:ipbase...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install
Petes-Switch#
Mar 30 04:19:35.643: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560x
Next reboot level = ipbase and
License = ipbase
Mar 30 04:19:36.146: %LICENSE-6-INSTALL: Feature ipbase 1.0 was installed in this device.
UDI=WS-C3560X-24T-L:FDO1818X123;
StoreIndex=1:Primary License Storage
Petes-Switch#
[/box]
12. The license won't take effect until you reload the switch.
[box]
Petes-Switch#write mem
Building configuration...
[OK]
Petes-Switch#reload
Proceed with reload? [confirm]{Enter}
Mar 30 04:20:43.104: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
[/box]
13. Post reboot, check the license; it should now be permanent.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
[/box]
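The before/after comparison in steps 8 and 13 can be automated when you have more than a handful of switches to check. The following is an added example, not part of the original article: it parses ‘show license’ output in the format shown above and reports any feature that is in use on a time-limited license. The function names and the 60 day threshold are assumptions made for illustration.

```python
import re

# Constructed sample: 'show license' output in the format shown in step 8.
SAMPLE_BEFORE = """\
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: 7 weeks 5 days
License Type: Evaluation
License State: Active, In Use
License Priority: Low
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
"""

INDEX_RE = re.compile(r"^Index\s+(\d+)\s+Feature:\s*(\S+)")
PERIOD_RE = re.compile(r"(?:(\d+)\s+weeks?)?\s*(?:(\d+)\s+days?)?")

def parse_show_license(text):
    """Return one dict per 'Index N Feature: X' stanza, keys lower-cased."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = INDEX_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "feature": m.group(2)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return entries

def days_left(period):
    """Convert 'N weeks M days' to days; None means 'Life time' (permanent)."""
    if period.lower().startswith("life"):
        return None
    m = PERIOD_RE.fullmatch(period.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised period: {period!r}")
    return int(m.group(1) or 0) * 7 + int(m.group(2) or 0)

def in_use(entry):
    # 'Not in Use' must not match, so compare whole comma-separated states.
    states = [s.strip().lower() for s in entry.get("license state", "").split(",")]
    return "in use" in states

def expiring_in_use(entries, warn_days=60):
    """(feature, days) for features running on a license ending within warn_days."""
    timed = [(e["feature"], days_left(e["period left"])) for e in entries if in_use(e)]
    return [(f, d) for f, d in timed if d is not None and d <= warn_days]
```

Run against the step 8 output, expiring_in_use() reports ipbase with 54 days left; against the step 13 output it returns an empty list.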
Related Articles, References, Credits, or External Links
To complete a migration from Exchange 2010 (or 2007) to Exchange 2016/2013, you need to introduce Exchange 2016 into your existing Exchange environment, then migrate your content onto the new server(s), and finally remove Exchange 2010.
Solution
Assumptions:
In this example I’ve got an existing Exchange 2010 environment running on Windows Server 2008 R2. I’m putting in Exchange 2016 onto a new server running Server 2012. Post install the NEW server will hold client access, and mailbox roles.
Exchange 2013/2016 Role Placement
Unlike with previous versions of Exchange, the 2016/2013 approach is NOT to split up roles to different servers, it’s considered good practice to deploy all roles on all Exchange servers.
Exchange 2013/2016 Licensing
Unless you have Microsoft “Software Assurance” you cannot simply upgrade to Exchange 2016 for free. You will need to buy the Exchange 2016 Base product. You may wish to look at an “Open Value Agreement”, which lets you pay the cost over a three year term.
The Exchange 2016 (on-premises) software itself comes in two flavours, Standard and Enterprise.
Standard: For small Exchange deployments (1-5 Mailbox Databases) and for non mailbox role servers in larger Exchange deployments.
Enterprise: For large Exchange deployments (1-50 Mailbox Databases).
Exchange 2013/2016 Client Access Licenses
As before there are two types of CAL for Exchange 2016 access. These are also ‘confusingly’ called Standard and Enterprise.
Note: An Enterprise CAL is NOT just for Exchange Enterprise 2016 and a Standard CAL is NOT just for Exchange Standard, this is a common mistake. Though you can mix and match, i.e. a standard CAL is required for all mailbox users or devices, adding an Enterprise CAL is only required for those existing users or devices requiring additional functionality.
Standard CAL: Required for all users (or devices) that require access to an Exchange mailbox. For most people these will be the CALS you need to purchase.
Enterprise CAL: Is an additional license that’s added to the Standard license, this enables the user to use archiving/journaling and unified messaging (Requires Outlook 2013). It also gives access to more advanced ActiveSync management policies and custom retention policies.
Exchange 2016/2013 Migration Step 1 “Planning / Pre Site Visit”
1. Media and Licenses: Before you start you will need to have the Exchange 2016 or 2013 CU2 (CU1 = Minimum) version of the install media (.iso or DVD). DO NOT attempt to perform the migration with a version of Exchange 2013 media that IS NOT at least CU1. Warning, this will be a DVD image (over 3.5 GB), you may wish to get this downloaded from a site with a decent Internet connection!
2. Make sure any third party Exchange software you are currently running is also supported on Exchange 2016, e.g. Anti Virus, Backup Solutions, Archiving, Mail Management, Mobile Device Software, etc, check with the software vendor.
3. DO NOT CONSIDER migrating anything until you know you have a good backup of your current Exchange environment. If you are lucky enough to have VMware ESX, Hyper-V or another virtualisation platform, consider doing a P2V conversion on your Exchange 2010 server then simply turning the 2010 Server off, then if it all goes to hell in a hand cart simply turn the original server back on again.
4. Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.
I would suggest you run through the Microsoft Exchange Server Deployment Assistant, as a “belt and braces” approach to the migration.
1. Before you do anything, it’s time for a common sense check, make sure your existing Exchange 2010 Organisation is happy and running cleanly, and has good communication with both the domain and your DNS. Get in the event logs and make sure it’s a happy server.
Time spent on reconnaissance is seldom wasted!
2. Run a full Windows update on your existing Exchange server(s), this will install any Exchange roll-ups that are outstanding.
3. If you are planning to utilise DAG, then you should install the following hot-fix on your Exchange 2010 servers before deploying SP3.
4. For coexistence of Exchange 2010 and Exchange 2016/2013, your Exchange 2010 servers must have Service Pack 3 installed. If you are upgrading from Service Pack 1 you may see the following error.
1. The server that will run Exchange 2016, will need to be a domain member*, and I would run all the current updates before you start.
Once that is complete there are a number of server roles that will need adding. (Note: in Exchange 2013 these roles are the SAME for both CAS and Mailbox Servers, in 2016 there is only mailbox and edge servers anyway).
*Note: As with previous versions of Exchange it is recommended that you DO NOT run Exchange 2016 on a domain controller.
To add the Exchange 2013/2016 Server roles via PowerShell
Note: Here on my ‘Test Network’ the server in question is also a domain controller. In your production environment this will probably NOT be the case. If so, you will need to install the Remote Server Administration Tools for Active Directory.
6. I tend to disable feedback, but the choice is yours > Next.
7. Select the server roles that you wish to install.
8. Select the folder that you wish to install the Exchange program into.
Note: Remember if deploying multiple Exchange 2013/2016 servers, it’s considered good practice to keep the folder paths contiguous across all the servers.
9. If you plan to deploy third party malware protection (post Install), then you might wish to disable this, but in most cases you will want it enabled > Next.
Note: This is built on technology that was called ‘Forefront’ in previous versions of Exchange.
10. Pre deployment readiness checks will be carried out > when complete > Next.
11. Setup will take quite some time.
12. When complete, tick the box to launch the admin console > Finish.
13. After a few seconds the Exchange Admin Center will open.
Note: If you log in and get a blank screen, ensure your user has ‘inheritable permissions’ enabled (on the security tab of their user object in AD).
14. At this point I would move the new Exchange Database from its default location to its own volume/folder, (again keep this path contiguous across all the new servers). The following PowerShell command will do this for you;
STOP! Before you proceed you need to think about OWA access. For internal access this will not be a problem BUT if you have users that access OWA externally (e.g. via https://mail.yourpublicdomain.com/owa) Then you will have to DO SOME PLANNING. Unless you have two free public IP addresses, your router/firewall can only point to one CAS server at a time.
STOP AGAIN! OK I’ve had more than one email about this so, here’s a warning. Moving mailboxes creates logs, the more you move, the more logs it creates. The only way to clear these logs properly is to do an Exchange Aware/VSS Level backup. If you just start moving mailboxes without keeping an eye on this you can fill up a volume with logs, and if you are daft enough to have this on your system volume you can take the server down, you have been warned! Or see the following article.
1. First make sure that the new server can see the existing Exchange infrastructure. From within the Exchange Admin Center > Servers. You should see both your Exchange 2010 Servers and the new Exchange 2016 Server.
Note: You can see the same with the following PowerShell command;
[box]Get-ExchangeServer | select Name, ServerRole, AdminDisplayVersion | ft -auto[/box]
2. Test move one mailbox from Exchange 2010 to 2016, Recipients > Mailboxes > Locate our Test User > Move Mailbox.
3. Give the test migration a name, and browse to the new datastore (Note: If the move fails you can increase both the BadItem limit and the LargeItem limit here as well) > Next.
4. New.
5. You will be asked if you want to go to the ‘Migration Dashboard’.
6. Here you can watch progress (remember to keep hitting ‘refresh’).
7. If you prefer to use PowerShell you can migrate all mailboxes from one database to another with the following command;
Depending on the amount of mailboxes this can take a while!
8. Then test mail flow to/from this mailbox to internal recipients in the Exchange 2010 infrastructure, and then test mail flow to/from an external mailbox.
Note: At this point you might struggle to connect to the Exchange 2016 Admin Center as ‘Administrator’, because that user’s mailbox is still on the Exchange 2010 Server. If that happens to you and you are ‘Locked Out‘ of the Exchange Admin Center, simply add the user you migrated already, to the Exchange Organization Management group, and log in as that user to https://{Exchange-2016-Server-Name}/ecp
9. You can now migrate the remainder of your mailboxes.
Note: Depending on mailbox size this can take a VERY LONG time, I would suggest staging this migration gradually. To view progress;
Exchange 2013/2016 Migration Step 6 “Change Mail flow”
At this point you need to change the SMTP feed from the old Exchange 2010 box to the new Exchange 2016 Server, how you do this depends on your network setup, some examples of how you might do this are,
i. Change the SMTP (TCP Port 25) Port redirect on your router/firewall.
ii. Swap IP addresses from the old to the new server.
iii. Change the translation from public to private IP address to point to the new IP.
Note: If you have any mail scanning servers, anti spam hardware devices etc, then they will also need changing to point to the new server.
1. You will need to add the new server to your Exchange ‘Send Connector’ and remove the Exchange 2010 Server. (Note: I’m assuming you only have one send connector, if you have more than one i.e. for particular domains, or for secure TLS mail you will need to do these as well). From Exchange Admin Center > Mail flow > Send connectors > Select the send connector > Edit > Scoping > Add the 2016 server > Remove the 2010 server > Save.
2. You will not need to create receive connectors on the Exchange 2016 Server, if you navigate to mail flow > receive connectors > Change the drop down to point to the Exchange 2013 Server. You will see there is a ‘Default Frontend’ Connector already configured for Exchange 2016.
3. At this point, it would be sensible to once again check mail flow, to and from an external mail account.
Related Articles, References, Credits, or External Links
Thanks to Simcha Kope for the feedback (Adding RSAT-ADDS)
Thanks to Austin Weber for spotting my PowerShell typo.
Thanks to Tony Blunt for the log file PowerShell syntax omission.
The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).
If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.
It is a hardware device that plugs into the back of the ASA, and comes in two flavours.
1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.
2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.
In addition to licensing the amount of users, you can also buy a Plus License, this enables anti-spam, anti-phish, URL filtering, and blocking control. (Note: This license expires and must be renewed annually).
Solution
Some licenses on the CSC are time specific, I would consider setting the ASA’s internal clock before you start.
1. Connect to the ASA via command line, go to enable mode and issue the following command;
From the output you should be able to get the serial number of the CSC module (write it down).
2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.
3. Go to the Cisco license portal here. Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.
Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.
4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.
5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.
6. Scroll down and accept, then select DOWNLOAD (that way you won't have to wait for it to be emailed to you).
7. Open the license file (will have a .lic extension) with notepad and you should see two keys.
Step 2: Setup the CSC Module
Note: Here I’m going to simply set up inspection of everything on all interfaces, this might not be what you want, i.e. if there's no mail server in the DMZ why would you want to inspect all DMZ traffic for SMTP?
9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.
10. Enter the network settings you require for the CSC (it requires its own network connection). It has a single RJ45 network socket on the CSC module's back plane, connect that to your LAN > Next.
11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.
12. Select what traffic you want to inspect, here I’ve selected all traffic on all interfaces > I've set the CSC to fail open (if there's a problem it simply passes traffic, if you have it on fail close and the CSC encounters a problem all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.
13. Review the settings > Finish.
Note: You may get a warning if you set ‘fail open’ above that’s OK.
Connecting to and Managing the Cisco CSC Module
Although you can access the CSC settings via the ASDM, the easiest way is via its web interface, you set the IP address in step 2 number 10 above, navigate to
https://{ip-address}:8443
Note: You should now set the CSC module so that it DOES NOT scan its own update traffic, see the following article.
If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC serial number into the licensing portal and have it sent to you).
1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.
2. Paste in the new code > Activate.
3. It may look like it has hung, wait a minute or so, and check the licensing tab again.
Related Articles, References, Credits, or External Links