CLI Instructions: connect2ces.sh [Linux/OS X Users]

For Cisco Cloud Email Security (CES) customers...
Instructions for a shell script that uses SSH, via the CES proxy, to reach the command line interface (CLI) of your CES appliance.

Pre-requisites

As a CES customer, you should have engaged CES On-Boarding/Ops, or Cisco TAC to have SSH Keys exchanged and placed.

  1. Generate Private/Public RSA key(s)
  2. Provide Cisco with your Public RSA key
  3. Wait for Cisco to save and notify you that your key(s) have been saved to your CES customer account
  4. Copy and modify the connect2ces.sh script

How do I create Private/Public RSA key(s)?

Cisco recommends using 'ssh-keygen' on the terminal/CLI for Unix/Linux/OS X:

ssh-keygen -b 2048 -t rsa -f ~/.ssh/<NAME>

For more information: https://www.ssh.com/ssh/keygen/

Note

  • Please make sure that you safeguard access to your RSA private keys at all times.
  • Please do not send your private key to Cisco, only the public key (.pub).
  • When submitting your public key to Cisco, please identify the email address/first name/last name that the key is for.

How do I open a Cisco Support Request to provide my public key?

https://mycase.cloudapps.cisco.com/case

Please be sure that you properly identify the SR as "Cisco CES Customer SSH/CLI Setup", etc.

Configuration

To get started, copy the script provided below and use one of the following proxy hosts as the Host Name:

Note

Make sure you choose the correct proxy for your region! For example, a US CES customer reaching the F4 data center and its appliances uses f4-ssh.iphmx.com; an EU CES customer with an appliance in the German DC uses f17-ssh.eu.iphmx.com.

AP (ap.iphmx.com)
f15-ssh.ap.iphmx.com
f16-ssh.ap.iphmx.com

CA (ca.iphmx.com)
f13-ssh.ca.iphmx.com
f14-ssh.ca.iphmx.com

EU (c3s2.iphmx.com)
f10-ssh.c3s2.iphmx.com
f11-ssh.c3s2.iphmx.com

EU (eu.iphmx.com)(German DC)
f17-ssh.eu.iphmx.com
f18-ssh.eu.iphmx.com

US (iphmx.com)
f4-ssh.iphmx.com
f5-ssh.iphmx.com

What if I want to connect to more than one Email Security Appliance (ESA) or Security Management Appliance (SMA)?

Copy and save a second copy of the connect2ces.sh, such as connect2ces_2.sh.

Note:

  • You will want to edit the "cloud_host" to be the additional appliance you wish to access.
  • You will want to edit the "local_port" to be something OTHER than 2222. If both scripts use 2222, ssh sees a different appliance host key behind the same [127.0.0.1]:2222 entry in known_hosts and reports the error "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"
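The following added example (not part of connect2ces.sh or Cisco's documentation) shows one way to avoid the known_hosts collision described above: it checks the proxy and region choice, then builds the tunnel and login commands with the standard OpenSSH HostKeyAlias option so each appliance's host key is tracked under its own name rather than under 127.0.0.1:port. The function names and the regional-domain convention for appliance names are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original connect2ces.sh. Assumes only the
# standard OpenSSH client options -f, -N, -L, -p and -o HostKeyAlias, plus the
# proxy names and the "dh-user" proxy account given on this page.

# ces_check_proxy PROXY_SERVER: 0 if PROXY_SERVER is a published CES SSH proxy.
ces_check_proxy() {
    case "$1" in
        f15-ssh.ap.iphmx.com|f16-ssh.ap.iphmx.com|\
        f13-ssh.ca.iphmx.com|f14-ssh.ca.iphmx.com|\
        f10-ssh.c3s2.iphmx.com|f11-ssh.c3s2.iphmx.com|\
        f17-ssh.eu.iphmx.com|f18-ssh.eu.iphmx.com|\
        f4-ssh.iphmx.com|f5-ssh.iphmx.com) return 0 ;;
    esac
    return 1
}

# ces_check_region PROXY_SERVER CLOUD_HOST: 0 if CLOUD_HOST is under the proxy's
# regional domain (everything after "fN-ssh."). Assumption: appliance names carry
# that regional domain, e.g. esaX.CUSTOMER.eu.iphmx.com behind f17-ssh.eu.iphmx.com.
ces_check_region() {
    local region="${1#*-ssh.}"
    case "$2" in
        *".$region") return 0 ;;
    esac
    return 1
}

# ces_tunnel_cmd PROXY_SERVER CLOUD_HOST LOCAL_PORT PRIVATE_KEY: prints the
# background tunnel command (127.0.0.1:LOCAL_PORT -> CLOUD_HOST:22 via the proxy).
ces_tunnel_cmd() {
    printf 'ssh -f -N -L %s:%s:22 -i %s dh-user@%s\n' "$3" "$2" "$4" "$1"
}

# ces_login_cmd CLOUD_USER CLOUD_HOST LOCAL_PORT: prints the interactive login.
# HostKeyAlias makes ssh store and verify the appliance's host key under
# CLOUD_HOST instead of [127.0.0.1]:LOCAL_PORT, so two scripts that both use
# port 2222 for different appliances no longer trigger "REMOTE HOST
# IDENTIFICATION HAS CHANGED", while a real key change on an appliance is still reported.
ces_login_cmd() {
    printf 'ssh -p %s -o HostKeyAlias=%s %s@127.0.0.1\n' "$3" "$2" "$1"
}

# Demo with the constructed values from the page's sample session
ces_check_proxy f4-ssh.iphmx.com && ces_check_region f4-ssh.iphmx.com esa1.rs1234-01.iphmx.com &&
    ces_tunnel_cmd f4-ssh.iphmx.com esa1.rs1234-01.iphmx.com 2222 "$HOME/.ssh/ces_rsa" &&
    ces_login_cmd joe.user esa1.rs1234-01.iphmx.com 2222
```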

How can I configure my ESA or SMA to log in without prompting for a password?

How to configure SSH Public Key Authentication for login to the ESA without a password

What should this look like once I have the prerequisites completed?

joe.user@my_local > ~ ./connect2ces  
[-] Connecting to your proxy server (f4-ssh.iphmx.com)...  
[-] Proxy connection successful.  Now connected to f4-ssh.iphmx.com.  
[-] proxy running on PID: 31253  
[-] Connecting to your CES appliance (esa1.rs1234-01.iphmx.com)...  


Last login: Mon Apr 22 11:33:45 2019 from 10.123.123.123  
AsyncOS 12.1.0 for Cisco C100V build 071  

Welcome to the Cisco C100V Email Security Virtual Appliance  

NOTE: This session will expire if left idle for 1440 minutes. Any uncommitted configuration changes will be lost. Commit the configuration changes as soon as they are made.  

(Machine esa1.rs1234-01.iphmx.com)>  
(Machine esa1.rs1234-01.iphmx.com)> exit

Connection to 127.0.0.1 closed.
[-] Closing proxy connection...
[-] Done.

connect2ces.sh

#!/bin/bash

#-- EDIT THE BELOW VALUES -----------------------
# The following values should already be established with CES:
# cloud_user="username"
# cloud_host="esaX.CUSTOMER.iphmx.com" or "smaX.CUSTOMER.iphmx.com"
## [ASSURE THAT YOU HAVE THE PROPER REGIONAL CES DATACENTER SET!]
# private_key="LOCAL_PATH_TO_SSH_PRIVATE_RSA_KEY"
# proxy_server="PROXY_SERVER" [SELECT ONLY ONE!]
#
## For 'proxy_server', these are SSH proxies:
## 
## AP (ap.iphmx.com)
## f15-ssh.ap.iphmx.com
## f16-ssh.ap.iphmx.com
## 
## CA (ca.iphmx.com)
## f13-ssh.ca.iphmx.com
## f14-ssh.ca.iphmx.com
## 
## EU (c3s2.iphmx.com)
## f10-ssh.c3s2.iphmx.com
## f11-ssh.c3s2.iphmx.com
## 
## EU (eu.iphmx.com)(German DC)
## f17-ssh.eu.iphmx.com
## f18-ssh.eu.iphmx.com
## 
## US (iphmx.com)
## f4-ssh.iphmx.com
## f5-ssh.iphmx.com

cloud_user="username"
cloud_host="esaX.CUSTOMER.iphmx.com"
private_key="LOCAL_PATH_TO_SSH_PRIVATE_RSA_KEY"
proxy_server="PROXY_SERVER"

#-- LEAVE THESE VALUES AS-IS --------------------
# 'proxy_user' should not change
# 'remote_port' stays 22 (SSH)
# 'local_port' can be set to a different value, if needed

proxy_user="dh-user"
remote_port=22
local_port=2222

#-- DO NOT EDIT BELOW THIS LINE -----------------

# Tunnel 127.0.0.1:$local_port -> $cloud_host:$remote_port through the proxy.
# -f backgrounds ssh once authenticated; -N opens no shell on the proxy.
proxycmd=(ssh -f -L "$local_port:$cloud_host:$remote_port" -i "$private_key" -N "$proxy_user@$proxy_server")

printf '[-] Connecting to your proxy server (%s)...\n' "$proxy_server"
"${proxycmd[@]}" >/dev/null 2>&1
# The forwarded port is only listening once the proxy login succeeded
if nc -z 127.0.0.1 "$local_port" >/dev/null 2>&1; then
    printf '[-] Proxy connection successful.  Now connected to %s.\n' "$proxy_server"
else
    printf '[-] Proxy connection unsuccessful. Quitting...\n'
    exit 1
fi

# Find the backgrounded proxy ssh process so it can be closed on exit
proxypid=$(ps -xo pid,command | grep "$cloud_host" | grep "$proxy_server" | head -n1 | sed "s/^[ \t]*//" | cut -d " " -f1)
printf '[-] proxy running on PID: %s\n' "$proxypid"

printf '[-] Connecting to your CES appliance (%s)...\n\n' "$cloud_host"
# The appliance is reached through the local end of the tunnel
ssh -p "$local_port" "$cloud_user@127.0.0.1"

printf '[-] Closing proxy connection...\n'
kill "$proxypid"

printf '[-] Done.\n'

#-- Want to avoid having to type password each time?
#-- See: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118305-technote-esa-00.html
#-- Need access to more than one ESA or SMA?  Copy the same script and rename to connect2ces_2.sh, or similar.

Original doc: https://github.com/robsherw/connect2ces