
HOWTO: How to migrate SWG Policy Servers from physical to virtual



This article applies to:

  • SWG 10.1
  • SWG 10.2
  • SWG 11.0

Question:

  • What is the best practice to migrate Policy Servers from physical to virtual?

Procedure:

As of SWG 10.1, if SWG is licensed to use virtual functionality, the SWG OS image can be loaded onto a virtual platform.

Note: The following scenarios apply to dedicated Policy Server device(s) only, since an HA Policy Server cannot be set on a Policy Server that is part of an All-In-One role.

To migrate from a single Physical Policy Server to a single Virtual Policy Server: 

1. Create a new virtual instance of SWG Policy Server. 

2. If running 10.1, apply the current license key and upgrade it with the latest Maintenance Release.

3. If running 10.1, apply all the latest patches on top of the latest Maintenance Release.

4. Add it as a Passive Policy Server to the physical Policy Server: from the Device tree, go to Policy Server > High Availability.

5. Wait until both Policy Servers are synchronized (this will take time as there is a full replication process running).

6. If Synchronization does not occur (10.1 only), run it manually by right-clicking the Passive Policy Server and selecting Synchronize Now.

7. Switch Policy Server roles so that the virtual Policy Server becomes the Active Policy Server:

   1. In 10.1, from the GUI, right-click the Passive Policy Server and select Switch Now.

   2. From 10.2, from the Limited Shell, run the failover command.

8. Wait until both Policy Servers are synchronized (this will take time).

9. If you are not using VIP (10.2 and later), open the GUI by browsing to the new Policy Server’s IP.

10. Disable the HA feature on the Active Policy Server which is running as a VM instance at this point.

11. Shut down the physical Policy Server. 

Do not use this Policy Server again, since it may cause device conflicts with scanners managed by the VM Policy Server.

  

To migrate from HA Physical Policy Servers to HA Virtual Policy Servers: 

1. Create a new virtual instance of SWG Policy Server. 

2. If running 10.1, apply the current license key and upgrade it with the latest Maintenance Release.

3. If running 10.1, apply all the latest patches on top of the latest Maintenance Release.

4. Remove the Passive physical Policy Server from the GUI and wait for the other Policy Server to synchronize.

5. Add the new virtual Policy Server as Passive to the physical Policy Server. 


At this point the SWG HA pair consists of Active Physical and Passive Virtual Policy Servers.

6. Wait until both Policy Servers are synchronized (this will take time as there is a full replication process running).

7. If Synchronization does not occur (10.1 only), run it manually by right-clicking the Passive Policy Server and selecting Synchronize Now.

8. Switch Policy Server roles so that the virtual Policy Server becomes the Active Policy Server:

   1. In 10.1, from the GUI, right-click the Passive Policy Server and select Switch Now.

   2. From 10.2, from the Limited Shell, run the failover command.

9. Wait until both Policy Servers are synchronized (this will take time).

10. If you are not using VIP (10.2 and later), open the GUI by browsing to the new Policy Server’s IP.

11. Create another new virtual instance of SWG Policy Server. 

12. If running 10.1, apply the current license key and upgrade it with the 10.1.2 Maintenance Release.

13. If running 10.1, apply all the latest patches on top of the 10.1.2 Maintenance Release.

14. Add it as a Passive Policy Server to the existing Policy Server.

15. Wait until both Policy Servers are synchronized (this will take time as there is a full replication process running).

16. Shut down the physical Policy Server. 


At this point the SWG Policy Servers consist of Active Virtual and Passive Virtual Policy Servers.


Do not use the physical Policy Server again, since it may cause device conflicts with scanners managed by the VM Policy Servers.

