Upgrading Your Traffic Manager
This section contains details of how to upgrade and, where necessary, revert your Traffic Manager instance when a new version is released.
Before You Start
These instructions describe the upgrade and reversion functionality available in this version. For upgrades from an earlier release, use the Upgrading instructions in the Pulse Secure Virtual Traffic Manager: Installation and Getting Started Guide applicable to the former version. Functionality described here might not be present in earlier releases.
CAUTION
If you are upgrading from Traffic Manager versions earlier than 9.9, you must install a new instance of the Traffic Manager and import your configuration into it. This is due to the underlying operating system on earlier versions missing packages required in version 9.9 and later. For more information on creating and importing configuration backups, see the Pulse Secure Virtual Traffic Manager: User’s Guide.
Before you start, make sure you have enough system resources to perform the upgrade:
• Available memory: The Traffic Manager requires a minimum of 2 GB of RAM to function normally. If the Traffic Manager in question currently has less memory, assign more to the virtual machine before proceeding.
• Free disk space: For an upgrade to succeed, a minimum of 2.7 GB must be free on the /logs partition. To confirm your current disk usage, use the System > Traffic Managers page of the Admin UI.
For instances intended to include Pulse Secure Virtual Web Application Firewall (vWAF), use a minimum allocated memory (RAM) of 4 GB.
Ivanti recommends that you back up your configuration as a precaution before upgrading a Traffic Manager. Use the System > Backup page to create a snapshot of your current configuration that you can restore later if necessary.
For further information on upgrading and space requirements, see the Ivanti Community Web site: https://forums.ivanti.com/s/?language=en_US
Upgrading a Cluster of Traffic Managers
This section is applicable to upgrades from version 17.4 and later only. Versions of the Traffic Manager earlier than 17.4 do not contain the cluster upgrade functionality described here. Instead, you must upgrade each cluster member individually. See the documentation applicable to the version you have for more details.
An upgrade initiated on one cluster member can optionally be rolled out to all other cluster members automatically.
To initiate an upgrade, you must first obtain the software package specific to your appliance platform. For clusters containing two or more Traffic Managers, one of the following scenarios must apply:
• Where a cluster contains Traffic Managers of only one variant (for example, EC2 instances), the uploaded software package is applicable to all Traffic Managers in the cluster. Hence, an upgrade initiated on one Traffic Manager can upgrade all other Traffic Managers in the cluster without further user intervention.
• Where a cluster contains Traffic Managers spanning multiple platforms (for example, a mixed cluster of software instances and EC2 instances), a single uploaded software package applies only to a subset of your cluster. To upgrade all the Traffic Managers in your cluster, obtain software upgrade packages that cover all product variants used. Then, execute an upgrade for each product variant in turn from any cluster member (regardless of that cluster member’s host platform).
In the event an upgrade fails on any Traffic Manager in the cluster, the default behavior is to roll back the upgrade in progress and leave your entire cluster on the previous working software version.
Command line upgrades contain an additional option to not automatically roll back all Traffic Managers in the event of an upgrade failure. You can instead instruct the cluster members that upgraded successfully to remain on the new version, and to roll back only the Traffic Managers that failed. However, you must not make any configuration changes while your cluster is in a mixed-version state.
Performing an Upgrade
This procedure is applicable to versions 11.1 and later. If you are upgrading from a version prior to 11.1, instead use the replace-and-terminate method described in Upgrading Using the Replace-And-Terminate Method.
Traffic Manager version upgrades involve installation of a new operating system image and a full system restart. To achieve this, the Traffic Manager maintains a secondary disk partition into which the new system image is installed. The Traffic Manager then applies a copy of the configuration from the previous version to the new version, marks the partition as primary, and restarts the instance.
The previous partition is not deleted, but instead marked as dormant. This dual-partition mechanism facilitates a roll-back capability, should you need to revert to the previous version (see Reverting to an Earlier Version).
Traffic Manager releases earlier than 18.2 install maintenance releases inside the same partition as the parent release. For example, 17.2r1 and 17.2r2 are installed into the same partition holding feature release 17.2. From version 18.2 onwards, all Traffic Manager upgrades are treated equally, regardless of the type of change being attempted. In other words, each new feature release or maintenance release is installed to the alternate partition.
Only one previous version can be maintained on the instance in addition to the current version. If you have previously upgraded to a new version, upgrading a further time overwrites the oldest version held. Take note that this operation is permanent – the overwritten version cannot be retrieved after the upgrade is applied.
Before you begin, obtain the relevant Traffic Manager appliance installation package. Packages are named according to the following convention:
ZeusTM_<version>_EC2-Appliance-Upgrade-x86_64.tgz
Perform the upgrade through the Admin UI or from the instance command line.
To upgrade using the Admin UI
1. Log in to the Admin UI, and click System > Traffic Managers > Upgrade....
2. Follow the instructions to upload and apply the upgrade package. Where you are upgrading a cluster of Traffic Managers, select which of your other cluster members should receive the upgrade package (subject to the platform rules in Upgrading a Cluster of Traffic Managers).
To upgrade using the command line
1. Copy the package file to the instance using the Linux scp command, or the Windows-based pscp (http://www.chiark.greenend.org.uk/~sgtatham/putty/) or WinSCP (http://winscp.net/eng/index.php).
Ivanti recommends that the package is copied to the /logs partition to avoid any disk space issues during the upgrade process.
2. Connect to the Traffic Manager command line.
3. To upgrade the current Traffic Manager only, run the command:
$ZEUSHOME/zxtm/bin/upgrade <package_filename> [<args>]
To upgrade a cluster of Traffic Managers, run the command:
$ZEUSHOME/zxtm/bin/upgrade-cluster --package <package_filename> --mode <mode> [<args>]
To see the full list of optional arguments available for each command, add the --help argument.
For upgrade-cluster, <mode> is either “info” (just report on the potential upgrade) or “install” (perform the upgrade). Additionally, upgraded cluster members reboot automatically into the new software version by default. To override this behavior, use the option --no-restart.
4. Follow the instructions provided. The upgrade program then copies your configuration data to the new version, but a reboot is required before you can start to use it.
Subsequent configuration changes in the original version are not migrated to the new version.
5. Reboot the Traffic Manager when convenient from the Admin UI or command line (type "reboot").
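The resource limits listed in Before You Start and the package naming convention can be checked from the instance command line before the upgrade program is run. The following shell script is an added example, not part of the vendor documentation; its function names, the reading of GB as GiB, and the 5% allowance for kernel-reserved memory are assumptions.

```shell
#!/bin/sh
# Pre-upgrade check for the limits stated above (added example, not vendor code).
# Assumptions: "GB" is read as GiB, and MemTotal may sit up to 5% below the RAM
# assigned to the virtual machine because the kernel reserves part of it.
MIN_RAM_KB=$((2 * 1024 * 1024))       # 2 GB minimum RAM
MIN_RAM_VWAF_KB=$((4 * 1024 * 1024))  # 4 GB minimum when vWAF is included
MIN_LOGS_KB=2831156                   # 2.7 GB free on /logs, rounded up

# Print MemTotal (kB) from a /proc/meminfo-format file.
meminfo_total_kb() { awk '$1 == "MemTotal:" { print $2 }' "$1"; }

# Read `df -Pk <mount>` output on stdin and print the available kB.
df_avail_kb() { awk 'NR == 2 { print $4 }'; }

# Succeed only if the file name follows the package naming convention.
package_name_ok() {
    case "${1##*/}" in
        ZeusTM_?*_EC2-Appliance-Upgrade-x86_64.tgz) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight <mem_kb> <logs_free_kb> <package> [vwaf]
# Prints one line per failed check; the return status is the failure count.
preflight() {
    fails=0
    need=$MIN_RAM_KB
    [ "${4:-}" = "vwaf" ] && need=$MIN_RAM_VWAF_KB
    if [ "$1" -lt $((need * 95 / 100)) ]; then
        echo "FAIL: RAM is ${1} kB, need about ${need} kB"
        fails=$((fails + 1))
    fi
    if [ "$2" -lt "$MIN_LOGS_KB" ]; then
        echo "FAIL: /logs has ${2} kB free, need ${MIN_LOGS_KB} kB"
        fails=$((fails + 1))
    fi
    if ! package_name_ok "$3"; then
        echo "FAIL: unexpected package name: $3"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Live use on the instance: sh preflight.sh <package_file> [vwaf]
if [ "$#" -ge 1 ]; then
    preflight "$(meminfo_total_kb /proc/meminfo)" \
              "$(df -Pk /logs | df_avail_kb)" "$1" "${2:-}"
fi
```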
Upgrading Using the Replace-And-Terminate Method
This procedure is offered as an alternative to the standard upgrade procedure.
The specific steps for upgrading your Traffic Manager in this way depend on whether you are upgrading a single Traffic Manager instance or a cluster of Traffic Manager instances.
Upgrading a Single Traffic Manager Instance
When an AMI containing a newer version of the Traffic Manager software is made available, create a separate instance of the newer Traffic Manager AMI, migrate the configuration over from the existing instance, and then terminate the earlier version. For more information about creating and importing configuration backups, see the Pulse Secure Virtual Traffic Manager: User’s Guide.
Upgrading a Cluster of Traffic Manager Instances
Using clustering and fault tolerant Traffic IP addresses, you can upgrade a cluster in place, replacing each Traffic Manager with one running the newer version of the software, while continuing to serve application traffic.
In accordance with standard configuration replication rules, when you add a newer version Traffic Manager instance to your existing cluster, it automatically receives a copy of the cluster configuration. The new instance performs an automatic upgrade of the configuration it receives to ensure compatibility.
You can then terminate the older Traffic Manager instance it replaces, repeating the process with each cluster member in turn.
CAUTION
Configuration backup files are specific to the Traffic Manager instance on which they are created, and are not included in the cluster configuration replication mechanism. To avoid losing configuration backups when you terminate a Traffic Manager instance, Ivanti strongly recommends you download all stored configuration backups and then reimport them manually to the new Traffic Manager.
Due to the nature of the replace-and-terminate process described here, there is no direct roll back path should you need to return to the previous version. If you need to return to the previous version, complete a full configuration backup first and then preserve a copy of each existing Traffic Manager instance that you intend to remove.
To upgrade using this method, your cluster must be at least one Traffic Manager instance smaller than the maximum size that your license key permits. This is because you must add a new Traffic Manager running the upgraded version of the software to your cluster before removing one of the older instances. If your total number of instances is already at a maximum, use the alternative method described in Upgrading an EC2 Cluster Using the Backup and Restore Method.
When the cluster is in a mixed state (for example, the Traffic Managers are using different software versions) do not make any configuration changes until all Traffic Managers in the cluster are running the upgraded version.
For configurations using the Pulse Secure Virtual Web Application Firewall (vWAF)
For cluster synchronization to succeed during the following procedure, you must ensure that your cluster members are using the same vWAF version as the new instance you are adding. If the Traffic Manager indicates that there is a vWAF configuration synchronization issue between your cluster members, Ivanti recommends using the Updater tool included with vWAF on all your cluster members (including the newly added instance) before continuing.
For each Traffic Manager in your cluster, perform the following steps:
1. Start an instance of the new AMI.
2. Using the Admin UI, or the userdata preconfiguration parameters, join the new instance to your cluster. You should ensure that join_tips is set according to the rules shown in the parameter list contained in Preconfiguring the Traffic Manager at Launch Time.
For Traffic Manager instances, note that the Traffic Manager hostname mappings (configured using the System > Networking page) are not migrated automatically. You must set these manually on each new instance. Traffic Manager software instances do not manage hostname mappings directly. You must ensure that the host virtual machine is correctly configured with the desired hostname mappings.
3. Terminate one of the existing instances in your cluster.
4. Repeat these steps until all the Traffic Managers in your cluster have been replaced. Replace instances one by one. Do not terminate an existing instance until its replacement has successfully joined the cluster.
Upgrading an EC2 Cluster Using the Backup and Restore Method
You can also upgrade a cluster by taking a backup of its configuration, creating a new cluster using a new AMI, and applying the backup to the new cluster. You might need to use this method if your license does not permit you to add extra instances to your cluster, or if you want to run an upgraded cluster alongside your existing one for testing.
To upgrade using this method, perform the following steps:
1. Log in to the existing cluster and download a configuration backup from the System > Configuration Backups page.
2. Create a new cluster of the same size as the existing one, using the new AMI. Make each new instance join the new cluster, but do not perform any additional configuration procedures.
3. Upload the configuration backup to the new cluster, and navigate to the Restore section on the Backup detail page. The Admin UI allows you to choose which instance in your new cluster takes the place of each instance in the existing one. In most cases, if the new cluster is the same size as the existing one, the software maps existing instances to new ones appropriately.
You should only need to alter the default mapping if your new cluster is larger or smaller than the existing one, or if you need to ensure that an instance in the existing cluster is replaced by a particular instance in the new one.
Reverting to an Earlier Version
The upgrade process preserves the previous Traffic Manager version in a separate disk partition to facilitate a reversion capability. To revert to the previous version, use the Switch Versions feature in the Admin UI or the rollback program from the command line.
This procedure does not retain any configuration you have made since upgrading to the current version. It is strictly a roll-back procedure that reinstates the selected software version and reinstates the previous configuration settings. Therefore, Ivanti strongly recommends that you make a backup copy of your configuration before reverting your Traffic Manager.
To revert the Traffic Manager to a previous version using the Admin UI
Traffic Manager versions earlier than 10.4 do not contain a switch feature in the Admin UI. If you roll back to a version earlier than 10.4 and then want to switch forward again to a later release, or even to return to the newest software version, you must use the command line “rollback” program until you reach version 10.4 or later.
1. Log in to the Admin UI of the Traffic Manager you want to revert.
2. Click System > Traffic Managers and locate the “Switch Versions” section.
The Switch Versions section is hidden if there are no applicable versions to revert to.
3. Select a Traffic Manager version to use from the drop-down list.
4. Tick Confirm and then click Rollback to start the roll back process.
To revert the Traffic Manager to a previous version using the command line
1. Connect to the Traffic Manager command line.
2. Ensure you are the root user.
3. Run the command:
$ZEUSHOME/zxtm/bin/rollback
This starts the rollback program:
Rollback
Copyright (C) 2024, Ivanti, Inc.. All rights reserved.
This program allows you to roll back to a previously installed version of the software. Please note that the older version will not gain any of the configuration changes made since upgrading.
Do you want to continue? Y/N [N]:
4. Type Y and press Enter to continue. The program lists all versions of the Traffic Manager it can restore:
Which version of the Traffic Manager would you like to use?
1) 18.2
2) 18.3 (current version)
Select a version [2]
5. Select the version you want to restore, and press Enter.
6. The Traffic Manager stops the current version and restarts itself with the selected version.
If you need to cancel this process and return to the latest version, repeat the rollback procedure and select the newer version to restore. You do not need to reinstall the latest version of the Traffic Manager to achieve this. The change in version is applied permanently; subsequent appliance reboots continue to use the version you select from the rollback program.
For rollbacks to 18.1 or earlier, be aware that if you subsequently decide to roll forward again to version 18.2 or later, the Admin UI “Switch Versions” feature is not supported. Use only the command line rollback program for this purpose.
Changing Your Traffic Manager Version Manually
If the rollback program is unable to complete a version change, you can perform the operation manually by editing the Traffic Manager "boot menu" from the command line.
Due to boot menu updates implemented in version 18.2, this process applies only if you want to switch between Traffic Manager versions from 18.2 onwards. For version changes between version 18.2 (or later) and version 18.1 (or earlier), use only the rollback program. For more information, contact Technical Support.
To complete a manual version change, perform the following steps:
1. Log in to the instance command line as the "admin" user.
2. Run the command:
grub-set-default <version>
where <version> is a string representing an available Traffic Manager release (for example, the string “zeus183” refers to the Traffic Manager 18.3 release). For the list of applicable releases and their associated version string, run the command:
/opt/zeus/zxtm/bin/rollback-helper --list-versions
3. Type "reboot" at the prompt to reboot your instance.