Migrating On-Prem Gateway to Cloud Gateway

This document outlines migrating your on-premises Gateway configuration to the Cisco Cloud Gateway instance.

Preparing your Installation for Upgrade

In preparation for migrating your on-premises Gateway configuration to your Cisco Cloud Gateway instance, there are specific considerations to remember. The configurations cannot be imported directly from an on-premises Gateway to the Cisco Cloud Gateway instance. The following FAQ can help you as you make your decision.

Q. I am running an older version of AsyncOS (e.g., 12.0.X) on my on-premises Gateway. Can I directly upgrade to Cisco Cloud Email Security?
A. Yes, but migrating from older versions takes longer than migrating from a current one. We recommend upgrading your AsyncOS to the current version to expedite the process before migrating.

Q. Does Cisco provide support on performing these upgrades?
A. You can contact Cisco TAC (Technical Assistance Center) in line with your support contract and open a case for any help or support needed to upgrade your on-premises Gateway to the latest or matching version of AsyncOS. Some limitations may apply based on the on-premises Gateway model running in your environment, especially for older hardware models.

Q. Can a configuration file be imported to an allocation processing mail?
A. No. The configuration migration process disrupts mail flow and can change message processing after the migration. Importing a configuration will also overwrite any configuration already existing on the appliance.

Q. Is there a limit to when a customer may submit their configuration migration request?
A. Yes. There are two limits for configuration migration requests. You must request migration within 60 days after purchasing Cisco Cloud Gateway. Please submit your request before any MX records are updated to send mail to the Cisco Cloud Gateway instance.

Getting Started

Cisco recommends the following steps while planning and performing the migration to your Cisco Cloud Gateway:

  1. To start this process, please provide a copy of the configuration file you wish to have imported to the Activation Team Member you are working with. We recommend that you send it in a password-protected ZIP file, with the password sent under a separate cover; specify the name of your company in the subject line of the emails so we can match them up.
  2. The configuration conversion process takes time and has some limitations. The quickest and most accurate imports can be performed with a configuration file from an appliance closely matching the version running in Cisco Cloud Gateway. While Cisco will do its best to incorporate configuration files from older appliances, those migrations take longer. They are more prone to errors resulting in sections not available for import. We will provide a list of sections we are not able to import.
  3. Cisco highly recommends having all the documentation readily available for your current mail gateway or email security service (e.g., MX details, credentials for domain control panel) since these will be required during migration and post-cutover to Cisco Cloud Gateway to ensure completion of the migration.

Scope of Migration/Limitations

  1. Cisco does not migrate configurations from multiple devices or multiple clusters. We will migrate only one device configuration per customer. If you have multiple devices or clusters you would like to integrate into a single Cisco Cloud Gateway instance, please discuss this with your account team. You provide your configuration export; the essential parts that we look to move to the cluster configuration are:
    • HAT/Mail Flow Policies
    • RAT
    • Destination Control
    • SMTP Routes
    • Incoming and Outgoing Mail Policies
    • Content Filters
    • Message Filters
    • Text Resources (Dictionary/Disclaimers)
    • URL List
    • DLP Settings
    • Encryption profiles
  2. Cisco does not migrate LDAP settings, as these commonly result in connectivity issues and generate alarms until they are identified and corrected.
  3. Anything with a private IP address will require you to provide IP addresses routable through the Internet.
  4. Cisco Secure Email and Web Manager configurations are not migrated. If you have an End-User Safelist/Blocklist from the current SMA, we can work with you to import this to your new Cisco Cloud Gateway instance SMA(s).
  5. To complete the migration, sections of the provided configuration file are manually combined with a configuration file from the instance in Cisco Cloud Gateway. Barring any errors identified during import (the configuration will error out on a single issue), we commit the change. Once Cisco issues the commit, we verify that the configuration is valid. We will then inform you that the configuration is complete and ask you to verify the configuration. From this point, you can make necessary changes to your Cisco Cloud Gateway instance.
  6. Please note that Cisco will only provide a configuration migration once. Suppose you change the on-prem systems after providing the configuration file to Cisco Cloud Gateway. In that case, you must record these changes to adjust the configuration after completing the import.