CLI Instructions: connect2ces.sh [Linux/OS X Users]
For Cisco Cloud Email Security (CES) customers...
Instructions for a shell script that uses SSH to reach the command line interface (CLI) of your appliances through the CES SSH proxy.
Pre-requisites
As a CES customer, you should have engaged CES On-Boarding/Ops or Cisco TAC to have your SSH key exchanged and placed.
- Generate Private/Public RSA key(s)
- Provide Cisco with your Public RSA key
- Wait for Cisco to save and notify you that your key(s) have been saved to your CES customer account
- Copy and modify the connect2ces.sh script
How do I create Private/Public RSA key(s)?
Cisco recommends using 'ssh-keygen' on the terminal/CLI for Unix/Linux/OS X:
ssh-keygen -b 2048 -t rsa -f ~/.ssh/<NAME>
For more information: https://www.ssh.com/ssh/keygen/
Note
- Safeguard access to your RSA private key at all times: give it a passphrase when ssh-keygen prompts for one, and keep the file readable only by you (chmod 600).
- Do not send your private key to Cisco, only the public key (the .pub file).
- When submitting your public key to Cisco, identify the email address, first name and last name that the key is for.
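As an added pre-flight check (not part of the original page or of the connect2ces project), the following shell function verifies the points above before you open the support request: the private key is readable only by its owner, the file you are about to attach is the public half and not the private key, and, when ssh-keygen is available, the public key parses and its fingerprint is printed so you can quote it in the request. The key path in the usage line is a placeholder.

```shell
#!/bin/bash
# ces_key_check: sanity-check an RSA key pair before the public half is sent to Cisco.
# Returns 0 when every check passes, otherwise 1, printing one line per failed check.
ces_key_check() {
    key=$1
    pub="$key.pub"
    status=0
    [ -f "$key" ] || { echo "missing private key: $key"; return 1; }
    [ -f "$pub" ] || { echo "missing public key: $pub"; return 1; }
    # The private key must be readable by its owner only; ssh itself refuses
    # group/world-readable keys. GNU stat (Linux) takes -c, BSD stat (OS X) takes -f.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "private key mode is $mode, expected 600 (run: chmod 600 $key)"; status=1 ;;
    esac
    if grep -q 'PRIVATE KEY' "$pub"; then
        # The classic mistake: the file about to be attached is the private key.
        echo "$pub contains a PRIVATE KEY header; never send this file to Cisco"
        status=1
    elif ! head -n1 "$pub" | grep -Eq '^ssh-rsa AAAA[0-9A-Za-z+/]+=*( .*)?$'; then
        # A public key is one line: key type, base64 blob, optional comment.
        echo "$pub does not look like an OpenSSH RSA public key"
        status=1
    fi
    # When ssh-keygen is present, parse the blob properly and print the fingerprint,
    # which you can quote in the support request so Cisco can confirm what they saved.
    if [ "$status" -eq 0 ] && command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -lf "$pub" || { echo "$pub is not a parseable public key"; status=1; }
    fi
    return "$status"
}

# Usage (placeholder path): ces_key_check ~/.ssh/ces_rsa && echo "OK to send ~/.ssh/ces_rsa.pub"
```

The fingerprint line is the one worth pasting into the SR alongside the .pub file: it lets Cisco confirm that the key saved to your account is the one you generated.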
How do I open a Cisco Support Request to provide my public key?
https://mycase.cloudapps.cisco.com/case
Please be sure that you properly identify the SR as "Cisco CES Customer SSH/CLI Setup", etc.
Configuration
To get started, copy the script provided below and set proxy_server to one of the following proxy hosts:
Note
Make sure you choose the correct proxy for your region! (For example, a US CES customer whose appliances are in the F4 data center uses f4-ssh.iphmx.com; an EU CES customer with an appliance in the German DC uses f17-ssh.eu.iphmx.com.)
AP (ap.iphmx.com)
f15-ssh.ap.iphmx.com
f16-ssh.ap.iphmx.com
CA (ca.iphmx.com)
f13-ssh.ca.iphmx.com
f14-ssh.ca.iphmx.com
EU (c3s2.iphmx.com)
f10-ssh.c3s2.iphmx.com
f11-ssh.c3s2.iphmx.com
EU (eu.iphmx.com)(German DC)
f17-ssh.eu.iphmx.com
f18-ssh.eu.iphmx.com
US (iphmx.com)
f4-ssh.iphmx.com
f5-ssh.iphmx.com
What if I want to connect to more than one Email Security Appliance (ESA) or Security Management Appliance (SMA)?
Copy and save a second copy of the connect2ces.sh, such as connect2ces_2.sh.
Note:
- Edit "cloud_host" to be the additional appliance you wish to access.
- Edit "local_port" to be something OTHER than 2222. Each copy of the script must listen on its own local port: if the first copy's forward is still up, the second cannot bind the port, and if it is not, ssh looks up the appliance's host key in known_hosts under [127.0.0.1]:2222, finds the first appliance's key there, and rejects the second appliance with "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!". (Adding -o HostKeyAlias=<appliance hostname> to the appliance ssh command in the script keys the known_hosts entry by appliance name instead and avoids the collision.)
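An alternative to one script and one local port per appliance, added here as an example and not part of the original page or of the connect2ces project: let ssh make the hop itself with ProxyJump. The function below prints the ~/.ssh/config stanzas for the proxy and for any number of appliances. It assumes the proxy permits the same direct-tcpip forwarding that the script's -L option already relies on (ProxyJump runs ssh -W on the proxy, which uses that channel type); the alias, key path, user and appliance names are placeholders, and dh-user is the proxy user from the script.

```shell
#!/bin/bash
# ces_ssh_config: print ~/.ssh/config stanzas that reach CES appliances through the
# regional SSH proxy with ProxyJump, instead of one script and one local port per appliance.
# Usage: ces_ssh_config <proxy_alias> <proxy_host> <private_key> <cloud_user> <appliance>...
ces_ssh_config() {
    proxy_alias=$1
    proxy_host=$2
    key=$3
    user=$4
    shift 4
    [ "$#" -ge 1 ] || { echo "usage: ces_ssh_config alias proxy_host key user appliance..." >&2; return 1; }
    # The proxy hop: the user is always dh-user (see connect2ces.sh), and IdentitiesOnly
    # stops ssh from offering every key in your agent to the proxy before the CES key.
    printf 'Host %s\n' "$proxy_alias"
    printf '    HostName %s\n    User dh-user\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' "$proxy_host" "$key"
    # One stanza per appliance. ProxyJump runs 'ssh -W appliance:22' on the proxy, which opens
    # the same direct-tcpip channel that 'ssh -L' uses, and ssh records each appliance's host key
    # under its own name, so there is no shared [127.0.0.1]:2222 known_hosts entry to collide.
    for appliance in "$@"; do
        printf 'Host %s\n' "$appliance"
        printf '    User %s\n    ProxyJump %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' "$user" "$proxy_alias" "$key"
    done
}

# Example with placeholder names, appended to your config and then used directly:
#   ces_ssh_config ces-us f4-ssh.iphmx.com ~/.ssh/ces_rsa joe.user \
#       esa1.rs1234-01.iphmx.com sma1.rs1234-01.iphmx.com >> ~/.ssh/config
#   ssh esa1.rs1234-01.iphmx.com
```

With this in place there is no background ssh process to find and kill, and the appliance's host key is checked against an entry stored under the appliance's own name on every connection.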
How can I configure my ESA or SMA to log in without prompting for a password?
See "How to configure SSH Public Key Authentication for login to the ESA without a password" (https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118305-technote-esa-00.html). That key is configured on the appliance itself and is separate from the key Cisco placed on the proxy for you.
What should this look like once I have the prerequisites completed?
joe.user@my_local > ~ ./connect2ces
[-] Connecting to your proxy server (f4-ssh.iphmx.com)...
[-] Proxy connection successful. Now connected to f4-ssh.iphmx.com.
[-] proxy running on PID: 31253
[-] Connecting to your CES appliance (esa1.rs1234-01.iphmx.com)...
Last login: Mon Apr 22 11:33:45 2019 from 10.123.123.123
AsyncOS 12.1.0 for Cisco C100V build 071
Welcome to the Cisco C100V Email Security Virtual Appliance
NOTE: This session will expire if left idle for 1440 minutes. Any uncommitted configuration changes will be lost. Commit the configuration changes as soon as they are made.
(Machine esa1.rs1234-01.iphmx.com)>
(Machine esa1.rs1234-01.iphmx.com)> exit
Connection to 127.0.0.1 closed.
[-] Closing proxy connection...
[-] Done.
connect2ces.sh
Note
Make sure you choose the correct proxy for your region! (For example, a US CES customer whose appliances are in the F4 data center uses f4-ssh.iphmx.com; an EU CES customer with an appliance in the German DC uses f17-ssh.eu.iphmx.com.)
#!/bin/bash
#-- EDIT THE BELOW VALUES -----------------------
# The following values should already be established with CES:
# cloud_user="username"
# cloud_host="esaX.CUSTOMER.iphmx.com" or "smaX.CUSTOMER.iphmx.com"
## [ASSURE THAT YOU HAVE THE PROPER REGIONAL CES DATACENTER SET!]
# private_key="LOCAL_PATH_TO_SSH_PRIVATE_RSA_KEY"
# proxy_server="PROXY_SERVER" [SELECT ONLY ONE!]
#
## For 'proxy_server', these are SSH proxies:
##
## AP (ap.iphmx.com)
## f15-ssh.ap.iphmx.com
## f16-ssh.ap.iphmx.com
##
## CA (ca.iphmx.com)
## f13-ssh.ca.iphmx.com
## f14-ssh.ca.iphmx.com
##
## EU (c3s2.iphmx.com)
## f10-ssh.c3s2.iphmx.com
## f11-ssh.c3s2.iphmx.com
##
## EU (eu.iphmx.com)(German DC)
## f17-ssh.eu.iphmx.com
## f18-ssh.eu.iphmx.com
##
## US (iphmx.com)
## f4-ssh.iphmx.com
## f5-ssh.iphmx.com
cloud_user="username"
cloud_host="esaX.CUSTOMER.iphmx.com"
private_key="LOCAL_PATH_TO_SSH_PRIVATE_RSA_KEY"
proxy_server="PROXY_SERVER"
#-- LEAVE THESE VALUES AS-IS --------------------
# 'proxy_user' should not change
# 'remote_port' stays 22 (SSH)
# 'local_port' can be set to a different value, if needed (a second copy of this
# script for another appliance must use a different 'local_port')
proxy_user="dh-user"
remote_port=22
local_port=2222
#-- DO NOT EDIT BELOW THIS LINE -----------------
# Fail early if the private key cannot be read; otherwise the only symptom is a
# "Permission denied (publickey)" from the proxy.
if [ ! -r "$private_key" ]; then
    printf "[-] Private key '%s' not found or not readable. Quitting...\n" "$private_key"
    exit 1
fi
# Refuse to start if something else (another copy of this script?) already listens on
# the local port; otherwise the appliance login below would go to that other forward.
if nc -z 127.0.0.1 "$local_port" >/dev/null 2>&1; then
    printf "[-] Local port %s is already in use. Quitting...\n" "$local_port"
    exit 1
fi
printf "[-] Connecting to your proxy server (%s)...\n" "$proxy_server"
# Open the port forward through the proxy. '-f' backgrounds ssh only once authentication
# and the forward are in place; ExitOnForwardFailure makes ssh exit instead of lingering
# if the forward cannot be set up; IdentitiesOnly offers the CES key alone. ssh's own
# error output is kept so that authentication problems are visible.
ssh -f -N -o ExitOnForwardFailure=yes -o IdentitiesOnly=yes \
    -L "$local_port:$cloud_host:$remote_port" \
    -i "$private_key" "$proxy_user@$proxy_server"
if nc -z 127.0.0.1 "$local_port" >/dev/null 2>&1; then
    printf "[-] Proxy connection successful. Now connected to %s.\n" "$proxy_server"
else
    printf "[-] Proxy connection unsuccessful. Quitting...\n"
    exit 1
fi
# Find the background proxy ssh process. pgrep never matches itself, whereas 'ps | grep'
# can pick up the grep command line that contains the same host names.
proxypid=$(pgrep -f "ssh -f -N .* -L $local_port:$cloud_host:$remote_port " | head -n1)
printf "[-] proxy running on PID: %s\n" "$proxypid"
printf "[-] Connecting to your CES appliance (%s)...\n\n" "$cloud_host"
# HostKeyAlias records the appliance's host key in known_hosts under the appliance name
# instead of [127.0.0.1]:2222, so two appliances reached through the same local port do
# not trigger "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!", while a genuinely
# changed key on one appliance is still caught.
ssh -p "$local_port" -o HostKeyAlias="$cloud_host" "$cloud_user@127.0.0.1"
printf "[-] Closing proxy connection...\n"
if [ -n "$proxypid" ]; then
    kill "$proxypid"
else
    printf "[-] Could not find the proxy process; stop it by hand (pgrep -f %s).\n" "$proxy_server"
fi
printf "[-] Done.\n"
#-- Want to avoid having to type the appliance password each time?
#-- See: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118305-technote-esa-00.html
#-- Need access to more than one ESA or SMA? Copy the same script and rename to connect2ces_2.sh, or similar.
Original doc: https://github.com/robsherw/connect2ces