Configuration and Requirements
Security and Vulnerability Testing
Security is something that is taken seriously by Extreme Networks. Our commitment to achieving and maintaining a strong security stance for our products enables our customers to have confidence in networking, software, and management infrastructure provided by the company.
The Software Quality Assurance team at Extreme Networks scans every ExtremeCloud IQ Site Engine release using the current versions of multiple anti-virus solutions, updated to include the latest virus signatures.
Additionally, all Extreme Networks products undergo rigorous security testing with best-of-breed industry standard scanners. Further, all product binary images are scanned with sophisticated anti-virus solutions for evidence of viruses and malware before the images are uploaded to customer-facing portals. Whenever issues are discovered by these scanners and anti-virus solutions, a well-defined triage process is engaged for remediation or mitigation of such findings. This enables Extreme Networks to engineer solutions that heighten the security of our products, and new releases are made available as necessary in order to address any discovered security vulnerabilities. This has several additional benefits in terms of helping customers maintain networks that are compliant under various regulatory or industry standards such as HIPAA, SoX, and PCI.
Extreme Networks also monitors industry security information data sources, such as CERT, the full-disclosure mailing list, and various authoritative CVE announcements for vulnerabilities that could potentially apply to our products. When such a vulnerability is found, we follow a process by which high severity vulnerabilities (such as the ShellShock bug in the bash shell from late 2014) are prioritized over lower severity vulnerabilities. The severity itself is derived from the Common Vulnerability Scoring System (CVSS) score which provides the most widely accepted measure for vulnerability severity. For applicable vulnerabilities, we provide feedback to CERT to keep them updated on the status of our findings.
Further, for many of our products that are based on a Linux engine image – ExtremeCloud IQ Site Engine and ExtremeControl, for example – we harden the engines by ensuring that we do not start unnecessary services and we do not install unnecessary software. In addition, we apply security updates from the upstream Linux distribution.
Taken together, the security of Extreme Networks products is maintained and verified. For all inquiries about our security processes, contact Global Technical Assistance Center (GTAC).
Installation Information
For complete installation instructions, refer to ExtremeCloud IQ - Site Engine Suite Installation.
| IMPORTANT: | The Compliance tab is available and supported by Extreme on an ExtremeCloud IQ Site Engine engine running the Linux operating system supplied by Extreme. Other Linux operating systems can support Compliance functionality, but python version 2.7 or higher must be installed. Additionally Compliance functionality requires the git, python2, python mysql module, python setup tools module, and python "pygtail" module packages be installed and related dependencies managed by the customer for their server’s unique operating system and version. |
Important Installation Considerations
Custom FlexViews
When reinstalling ExtremeCloud IQ Site Engine Console, the installation program saves copies of any FlexViews you created or modified in the <install directory>\.installer\backup\current\appdata\System\FlexViews folder.
If you are deploying FlexViews via the ExtremeCloud IQ Site Engine server, save them in the appdata\VendorProfiles\Stage\MyVendorProfile\FlexViews\My FlexViews folder.
Custom MIBs and Images
If you are deploying MIBs via the ExtremeCloud IQ Site Engine server, they are saved in the appdata\VendorProfiles\Stage\MyVendorProfile\MIBs\ folder.
If you are deploying device images (pictures) via the ExtremeCloud IQ Site Engine server, they are saved in the appdata\VendorProfiles\Stage\MyVendorProfile\Images\ folder.
ExtremeCloud IQ Site Engine version 24.02.12 supports upgrades from Extreme Management Center 8.5.7 or ExtremeCloud IQ Site Engine 23.4.12 only. The following table details the upgrade path supported for each NetSight, Extreme Management Center or ExtremeCloud IQ Site Engine version.
| NOTE: |
ExtremeCloud IQ Site Engine Version 24.02.12 contains an OS upgrade. Internet connectivity is required to download custom packages. The installer prompts "Do you want to use the Internet to perform the OS upgrade?". The offline upgrade path is supported when no custom packages are installed (answer N). The online upgrade is required when custom packages are manually installed (answer Y). An online upgrade is recommended when an online upgrade was used previously, however there is a risk of session timeout due to 15 minutes of screen inactivity. To upgrade Access Control Engines and Application Analytics Engines you can use the directive --keepalive to decrease the chance of a session expiry timeout from 15 minutes of no screen activity. |
| From Version (currently running) | To Version (next step in upgrade path) |
|---|---|
| ExtremeCloud IQ Site Engine 23.4.12, 23.7.x, 23.11.x | ExtremeCloud IQ Site Engine 24.02 |
| ExtremeCloud IQ Site Engine 21.x, 22.x, 23.2.x 23.4.10, 23.4.11 | ExtremeCloud IQ Site Engine 23.4.12 |
| Extreme Management Center version 8.5.7 | ExtremeCloud IQ Site Engine 24.02 |
| Extreme Management Center version 8.2.x to 8.5.6 | Extreme Management Center 8.5.7 |
| Extreme Management Center version 8.0.x to 8.1.x | Extreme Management Center 8.3.3.11 |
| NetSight version 7.1.4.1 | Extreme Management Center 8.3.3.11 |
| NetSight version 7.x | NetSight 7.1.4.1 |
| NetSight version 6.3.0.186 | NetSight 7.1.4.1 |
| NetSight version 6.x | NetSight 6.3.0.186 |
| IMPORTANT: | A backup (Administration > Backup/Restore) of the database must be performed prior to the upgrade and saved to a safe location. |
|---|
If you use LDAPS with a Fully Qualified Domain Name (FQDN) in the URL to authorize a user to the OneView, then ExtremeCloud IQ Site Engine presents the Server Certificate (located in Administration > Certificates > Server Certificate Information) to the LDAPS server. If the LDAPS server presents a certificate that does not match the LDAPS URL, then the certificate is rejected with the error “Certificate Unknown”.
The best practice is to use a trusted certificate if the LDAPS URL is defined with FQDN, otherwise the LDAPS server might not accept the LDAPs connection. The alternative option is to use an IP address in the LDAPS URL instead of FQDN.
Important Upgrade Considerations
- If your network is using ExtremeAnalytics or ExtremeControl engines, or another add-on feature, you must first perform the ExtremeCloud IQ Site Engine upgrade to version 24.02.12 and then upgrade the feature.
- To upgrade Traffic Sensor from version 21.x, a fresh installation is recommended. If the fresh installation cannot be used, then please check Knowledge Base for a special procedure.
- If the online upgrade fails due to an Internet connectivity issue, fix the connectivity issue and rerun the upgrade.
| IMPORTANT: | When performing an upgrade, be sure to back up the database prior to performing the upgrade, and save it to a safe location. Use the Administration > Backup/Restore tab to perform the backup. |
- When upgrading the ExtremeCloud IQ Site Engine server, ExtremeAnalyticsengine, or ExtremeControlengine to version 24.02.12, ensure the DNS server IP address is correctly configured.
-
When upgrading to ExtremeCloud IQ Site Engine version 24.02.12, if you adjusted the ExtremeCloud IQ Site Engine memory settings and want them to be saved on upgrade, a flag (
-DcustomMemory) needs to be added to the/usr/local/Extreme_Networks/NetSight/services/nsserver.cfgfile.
For example:-Xms12g -Xmx24g -XX:HeapDumpPath=../../nsdump.hprof -XX:+HeapDumpOnOutOfMemoryError -XX:MetaspaceSize=128m -DcustomMemory
License Renewal
Upgrading to ExtremeCloud IQ Site Engine version 24.02.12 requires you to transition from perpetual to subscription-based license model. Existing NMS licenses do not provide access to ExtremeCloud IQ Site Engine. If your perpetual licenses were not transitioned to subscription-based licenses, contact your Extreme Networks Representative for assistance.
Free Space Consideration
When upgrading to ExtremeCloud IQ Site Engine version 24.02.12, a minimum of 15 GB of free disk space is required on the ExtremeCloud IQ Site Engine server
To increase the amount of free disk space on the ExtremeCloud IQ Site Engine server, perform the following:
- Decrease the number of ExtremeCloud IQ Site Engine backups (by default, saved in the
/usr/local/Extreme_Networks/NetSight/backupdirectory). - Decrease the Data Persistence settings (Administration > Options > Access Control > Data Persistence).
- Remove unnecessary archives (Network > Archives).
-
Delete the files in the
<installation directory>/NetSight/.installerdirectory.
Site Discover Consideration
Discovering devices via the Site tab using a Range, Subnet, or Seed discover might not successfully add all expected devices. To correct the issue, increase the Length of SNMP Timeout value on the Administration > Options > Site tab in the Discover First SNMP Request section.
ExtremeAnalytics Upgrade Information
Enabling or disabling the disk flow export feature might cause enforce operations to time out. Enforcing again resolves the issue.
When you delete an ExtremeXOS/Switch Engine device that is configured as a flow source via the Flow Sources table of the
Analytics > Configuration > Engines > Configuration tab from the Devices list on the Network > Devices tab, an error message is generated in the server.log. The message does not warn you that the device is in use as a flow source. Adding the device back in the Devices list on the Network > Devices tab or removing the device from the Flow Source table fixes the issue.
The Flow Sources table on the Analytics > Configuration > engine > Configuration tab may take a few minutes to load.
ExtremeControl Version 8.0 and later
Beginning in version 8.0, ExtremeControl may fail to join Active Directory when accessing as a Standard Domain User with Descendant Computer Objects ("Reset password" permissions only) group member.
To allow this functionality, add the following permissions:
- Reset Password
- Validated write to DNS host name
- Validated write to service principal
- Read and write account restrictions
- Read and write DNS host name attributes
- Write servicePrincipalName
Other Upgrade Information
Immediately after you install version 24.02.12 on the ExtremeControlengine, the date and time does not properly synchronize and the following error message displays:
WARNING: Unable to synchronize to a NTP server. The time might not be correctly set on this device.
Ignore the error message and the date and time automatically synchronize after a short delay.
Additionally, the following message might display during the ExtremeControl upgrade to version 24.02.12:
No domain specified
To stop domain-specific winbindd process, run /etc/init.d/winbindd stop {example-domain.com}
Access Control Version 8.0 and newer
Beginning in version 8.0, ExtremeControl can fail to join Active Directory when accessing as a Standard Domain User with Descendant Computer Objects ("Reset password" permissions only) group member.
To enable this functionality, add the following permissions:
- Reset Password
- Validated write to DNS host name
- Validated write to service principal
- Read and write account restrictions
- Read and write DNS host name attributes
- Write servicePrincipalName
Firewall Considerations
To configure your firewall, see Ports List.
Supported MIBs
The following directory contains the IETF and Private Enterprise MIBs supported by ExtremeCloud IQ Site Engine applications:
<install directory>\appdata\System\mibs directory
Navigate to the directory and open the .index file to view an index of the supported MIBs.
Additional MIB Support information is available at www.extremenetworks.com/support/policies.