You can install and use Security Manager as a standalone product or in combination with several other Cisco Security Management Suite applications, including optional applications that you can select in the Security Manager installer or download from Cisco.com. Requirements for installation and operation vary in relation to the presence of other software on the server and according to the way that you use Security Manager.
Tip We recommend that you synchronize the date and time settings on all your management servers and all the managed devices in your network. One method is to use an NTP server. Synchronization is important if you want to correlate and analyze log file information from your network.
The sections in this chapter describe requirements and dependencies for installing server applications such as Security Manager, Auto Update Server, and Security Manager client software:
Note Security Manager uses predefined and dynamic ports for its internal operation. Port scanners might block those ports and prevent Security Manager from running those processes. Therefore, port scanners such as Qualys should not be enabled. If they are enabled, a Security Manager process may crash, which in turn may require a complete reinstallation of Security Manager.
You must ensure that required ports are enabled and available for use by Security Manager and its associated applications on your server so that the server can communicate with clients and servers running associated applications.
The ports that need to be open depend on whether you are using CiscoWorks for AAA or an external server (such as ACS), and whether you are configuring Security Manager to interact with certain other applications:
Beginning with Version 4.4, Security Manager includes a Windows Firewall configuration script in the server installer. This script automates opening and closing the ports necessary for Windows Firewall to work correctly and securely; its purpose is to harden your Security Manager server.
At the time of installation, this script is copied to NMSROOT but not executed. You can run this script manually to configure Windows Firewall on your Security Manager server; doing so secures the server by blocking unnecessary ports. (NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files (x86)\CSCOpx.)
This script opens only those “IN” (inbound) ports that Security Manager needs to perform its tasks; the “Firewall.txt” file therefore lists the bare minimum set of ports for Security Manager. If you later find that another port needs to be open, you can open it yourself.
To run the Windows Firewall script, follow this procedure:
Step 1 Make sure PowerShell scripts can run unrestricted:
a. Open the PowerShell command-line tool.
b. Execute the command “Set-ExecutionPolicy Unrestricted”.
Step 2 In NMSROOT, open a command prompt and execute firewall.bat:
a. Output will appear in the folder NMSROOT/log.
b. Windows.FW_Config.wfw is the backup of the Windows Firewall configuration before executing the script.
c. initialfirewallsettings.txt lists the ports that were open BEFORE running the script.
d. finalfirewallsettings.txt lists the ports that are open AFTER running the script.
Step 3 Enable Windows Firewall and use private network settings: Control Panel > Windows Firewall > Turn Windows Firewall on or off > [General tab] > On.
Step 4 Disable PowerShell scripts for security:
a. Open the PowerShell command-line tool.
b. Execute the command “Set-ExecutionPolicy Restricted”.
Step 5 [optional] Verify the added firewall rules by using Windows Firewall with Advanced Security (not available in Windows 2008 Enterprise Server (Service Pack 2)—64-bit).
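The procedure above, driven from one elevated PowerShell session so that the execution policy is always put back and the files that firewall.bat writes are actually checked. This is an added example, not Cisco's script; it assumes the default NMSROOT, the log file names listed in Step 2, Windows Server 2008 or later for netsh advfirewall, and the U.S. English locale this guide requires.

```powershell
#Requires -RunAsAdministrator
# Added example, not Cisco's code: drives firewall.bat and checks what it did.
$NMSROOT = 'C:\Program Files (x86)\CSCOpx'   # default from the guide; adjust if relocated
$logDir  = Join-Path $NMSROOT 'log'

# Steps 1 and 4: relax the execution policy only while firewall.bat runs and restore
# Restricted in a finally block, so a failing script never leaves the policy Unrestricted.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force
try {
    Push-Location $NMSROOT
    & cmd.exe /c firewall.bat                                           # Step 2
    if ($LASTEXITCODE -ne 0) { throw "firewall.bat exited with code $LASTEXITCODE" }
}
finally {
    Pop-Location
    Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
}

# Step 2b: the script saves the pre-change policy; keep a copy outside NMSROOT so it can be
# restored with "netsh advfirewall import" if a port you rely on turns out to be blocked.
$backup = Join-Path $logDir 'Windows.FW_Config.wfw'
if (-not (Test-Path $backup)) { throw "Expected firewall backup not found: $backup" }
Copy-Item -Path $backup -Destination (Join-Path $env:SystemDrive 'firewall-before-csm.wfw')

# Steps 2c and 2d: list exactly which entries the script removed and which it added.
$before  = Get-Content (Join-Path $logDir 'initialfirewallsettings.txt')
$after   = Get-Content (Join-Path $logDir 'finalfirewallsettings.txt')
$diff    = Compare-Object -ReferenceObject $before -DifferenceObject $after
$removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
$added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
"Removed by firewall.bat ($($removed.Count) entries):"; $removed
"Added by firewall.bat ($($added.Count) entries):";     $added

# Step 3: rules do nothing while the firewall is off, so confirm all three profiles are ON.
# Parsing netsh text relies on the U.S. English locale the guide already requires.
$state      = & netsh.exe advfirewall show allprofiles state
$profilesOn = @($state | Select-String -Pattern '^State\s+ON').Count
if ($profilesOn -lt 3) {
    Write-Warning "Only $profilesOn of 3 firewall profiles are ON; turn Windows Firewall on (Step 3)."
}
```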
Note Cisco is only responsible for licensing of the pre-installed operating system that accompanies the Cisco Unified Computing System (UCS) bundle (which has Cisco Security Manager pre-installed). Customers upgrading their operating system while migrating to Cisco Security Manager 4.9 or later must buy the appropriate Windows license.
Unless otherwise noted, this section applies to all applications (Security Manager and Auto Update Server).
To install Security Manager, you must be an Administrator or a user with local administrator rights; this also applies if you are installing the client only.
We recommend that you install Security Manager on a dedicated server in a controlled environment. For additional best practices and related guidance, see Chapter 4, “Preparing a Server for Installation”.
Cisco recommends that you install Security Manager on a Cisco UCS C220 M3 server with the components described in Table 3-3. More information on Cisco UCS (Unified Computing System) is available at http://www.cisco.com/go/ucs.
Installation Practices to Avoid:
English and Japanese are the only supported languages. For complete information, see Understanding Regional and Language Options and Related Settings. Microsoft ODBC Driver Manager 3.510 or later is also required so that your server can work with Sybase database files. To confirm the installed ODBC version, find and right-click ODBC32.DLL, then select Properties from the shortcut menu. The file version is listed under the Version tab.

16 GB is the minimum needed to use all features of Security Manager. With less memory, features such as Event Management and Report Management are affected. In particular, if the amount of RAM available to the operating system is less than 8 GB, Event Management and Report Manager are disabled during installation. If the memory available to the OS is between 8 and 12 GB, you can turn off Event Management and Report Management if you do not plan to use them; Configuration Management remains usable on such systems.
Tip To turn off Event Management, follow this path: Configuration Manager > Tools > Security Manager Administration > Event Management > Enable Event Management > [clear checkbox].
Tip To turn off Report Management, simply close the Report Manager application.
Although not recommended, you can enable Event Management and Report Management on low-memory systems from the Security Manager client after completing the installation (select Tools > Security Manager Administration > Event Management). Keep in mind that enabling Event Management and Report Management on a system with low memory can severely affect the performance of the entire application.
If you install AUS on a separate server, the following minimum applies:

Diskeeper 2010 Server. This is a recommendation, not a requirement. Disk optimization can improve performance if the cause of poor performance is disk fragmentation.

Use a suitable combination of HDDs in a RAID configuration to achieve the disk space required, which is as follows:
Note Cisco strongly recommends installing the OS and application on separate partitions.
Note The application partition mentioned above and any other event store partitions may not be relevant when using Veritas in HA (high availability) mode. Please refer to the applicable Security Manager high availability documentation (http://www.cisco.com/c/en/us/support/security/security-manager/products-installation-guides-list.html) and Veritas documentation for further details.
Cisco recommends RAID 10 for better performance. RAID 5 can be used if desired.

One static IP address. Dynamic addresses are not supported.

1.5 x installed memory. This is a recommendation from Microsoft for Windows platforms, not a Cisco requirement. Memory paging is needed only if the installed RAM on the system is insufficient to handle the load.
A special consideration applies if you are using Windows Server 2012 or 2012 R2 (Standard or Datacenter)—64-bit. If you choose to automatically manage paging file size, the installation of Security Manager might fail with an error message recommending that you configure the virtual memory before running the installation program. To successfully install Security Manager, follow these steps:
1. Deselect (clear) the checkbox “Automatically manage paging file size for all drives”. (The navigation path to this checkbox is Control Panel > System > Advanced System Settings > Performance > Settings > Advanced tab > Virtual Memory > Change.)
2. Create the paging file with a minimum size of 4 GB.

Real-time protection disabled. This is a recommendation, not a requirement. The system can have an anti-virus application installed, but Cisco recommends disabling real-time protection because it causes a performance penalty. You can instead run a quick scan scheduled for times when the server is not under much load.
Note It is mandatory to exclude the NMSROOT directory and the eventing folder from scanning.

Note When using Internet Explorer (any version) to download the client, ensure that the following setting is correct: Internet Explorer > Tools > Internet Options > Advanced > Security > clear the “Do not save encrypted pages to disk” checkbox. If this setting is not correct (that is, the checkbox is checked), attempts to download the client will fail.

There is no requirement to have JRE installed. JavaScript must be enabled in the web browser.

You can, optionally, install the application on a system running the following versions of VMware: ESX 4.1 and ESXi versions up to ESXi 5.5. Allocate at least the same amount of memory to the virtual machine you use with Security Manager as you would for a non-virtualized server. Use of recent-generation CPUs with technology designed to improve virtualization performance is recommended (for example, CPUs with Intel VT or AMD-V).
Security Manager supports only the U.S. English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows, open the panel where you configure region and language settings, then set the default locale. (We do not support English as the language in any Japanese version of Windows.)
Tip For a detailed procedure, refer to How to Set the Locale for the Windows Default User Template to U.S. English.
Note You must change the default system locale to U.S. English before installing Security Manager; changing the default system locale and rebooting the server does not change the default profile. It is not sufficient for the current user only to have the proper settings; this is because Security Manager creates a new account (“casuser”) that runs all Security Manager server processes.
In addition, the Regional and Language Options in the server operating system must be set correctly. Also, peripheral devices such as keyboards that use other languages can affect the way Security Manager functions.
The following list contains the Regional and Language Options and related settings that you must adhere to in order to successfully install Security Manager:
1. In a command window, execute one of the following commands: regedit.exe or regedt32.exe.
2. Make sure that the LocaleName is supported. The following example is for U.S. English: navigate to
HKEY_USERS\.DEFAULT\Control Panel\International
and change LocaleName to en-US.
Note Paths and file names are restricted to characters in the English alphabet. Japanese characters are not supported for paths or file names. When selecting files on a Windows Japanese OS system, the usual file separator character \ is supported, although you should be aware that it might appear as the Yen symbol (U+00A5).
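A pre-installation check for the locale settings described above. This is an added example, not part of the Cisco guide; the registry path and value name are the ones given in the procedure, and the current-user hive is read alongside it only to show why per-user settings are not sufficient (the casuser account is created from the default profile). Get-WinSystemLocale assumes Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not Cisco's code: verify the locale the guide requires before installing.
$required = 'en-US'   # use the Japanese locale name instead on a Japanese Windows installation
$keys = [ordered]@{
    'Default profile (HKU\.DEFAULT)' = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\International'
    'Current user (HKCU)'            = 'Registry::HKEY_CURRENT_USER\Control Panel\International'
}

function Get-LocaleName([string]$Path) {
    # LocaleName may be absent on old profiles; report "not set" instead of failing the check.
    $item = Get-ItemProperty -Path $Path -Name LocaleName -ErrorAction SilentlyContinue
    if ($item) { $item.LocaleName } else { $null }
}

$problems = @()
foreach ($entry in $keys.GetEnumerator()) {
    $value = Get-LocaleName $entry.Value
    $shown = if ($value) { $value } else { '<not set>' }
    '{0,-32} LocaleName = {1}' -f $entry.Key, $shown
    if ($value -ne $required) { $problems += "$($entry.Key) is '$shown', expected $required" }
}

# The guide says the default system locale itself must be changed, not just a user profile.
$sysLocale = (Get-WinSystemLocale).Name
'{0,-32} = {1}' -f 'System locale', $sysLocale
if ($sysLocale -ne $required) { $problems += "System locale is '$sysLocale', expected $required" }

if ($problems.Count -gt 0) {
    Write-Warning ("Fix these before installing Security Manager:`n - " + ($problems -join "`n - "))
    exit 1
}
'Locale settings match the Security Manager requirement.'
```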
You can use SAN storage with Security Manager provided that the storage has acceptable I/O rates and capacity. The following are the main items within Security Manager that require storage, and the storage options that you have in addition to using disk storage that is directly installed in the server:
iSCSI volumes using a software initiator may not be available when Security Manager services are about to start after a system reboot. It may take some time for them to be properly initialized.
If the Security Manager services have not started for this reason, you need to configure their dependency and service startup settings.
To configure dependency and startup settings, follow this procedure:
Step 1 Execute the following commands in a Windows command prompt to change the startup type of the Cisco Security Manager Daemon Manager, syslog, and tftp services to “Delayed auto start”:
sc config CRMDmgtd start= delayed-auto
sc config crmlog start= delayed-auto
sc config crmtftp start= delayed-auto
Step 2 Set the dependency of the Cisco Security Manager Daemon Manager service on the Microsoft iSCSI Initiator service by executing the following command:
sc config CRMDmgtd depend= MSiSCSI
Tip In these commands, the option name includes the equals sign. A space is required between the equals sign and the value.
Step 3 Verify the dependency settings of the Cisco Security Manager Daemon Manager service by executing the following command. The output should show the iSCSI initiator dependency as “DEPENDENCIES : MSiSCSI”.
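The three steps above as one script that applies the settings and then verifies them. This is an added example, not Cisco's code; the service names (CRMDmgtd, crmlog, crmtftp, MSiSCSI) are those the guide uses, and the verification reads the same "sc qc" output that Step 3 refers to. Two points the commands alone do not show: in PowerShell, sc is an alias for Set-Content, so the utility must be called as sc.exe, and "sc config depend=" replaces the whole dependency list, so any dependency CRMDmgtd already has is preserved here rather than overwritten.

```powershell
#Requires -RunAsAdministrator
# Added example, not Cisco's code: apply Steps 1 and 2, then verify them (Step 3).
$csmServices = 'CRMDmgtd', 'crmlog', 'crmtftp'

# "sc config depend=" overwrites the dependency list, so collect what CRMDmgtd already
# depends on and append MSiSCSI to it. sc.exe expects the entries separated by '/'.
$existing = @((Get-Service -Name CRMDmgtd).ServicesDependedOn | ForEach-Object { $_.Name })
$depends  = @(($existing + 'MSiSCSI') | Select-Object -Unique) -join '/'

foreach ($svc in $csmServices) {                          # Step 1: delayed auto start
    & sc.exe config $svc 'start=' 'delayed-auto' | Out-Null
}
& sc.exe config CRMDmgtd 'depend=' $depends | Out-Null     # Step 2: depend on MSiSCSI

function Test-CsmServiceConfig {
    param([string]$Name, [string[]]$RequiredDependencies = @())
    # "sc qc" prints lines such as
    #   START_TYPE         : 2   AUTO_START  (DELAYED)
    #   DEPENDENCIES       : MSiSCSI
    $qc      = & sc.exe qc $Name
    $delayed = (($qc -join "`n") -match 'AUTO_START\s+\(DELAYED\)')
    $deps    = @((Get-Service -Name $Name).ServicesDependedOn | ForEach-Object { $_.Name })
    $missing = @($RequiredDependencies | Where-Object { $deps -notcontains $_ })
    [pscustomobject]@{
        Service      = $Name
        DelayedStart = $delayed
        Dependencies = ($deps -join '/')
        Missing      = ($missing -join '/')
        Ok           = ($delayed -and $missing.Count -eq 0)
    }
}

$results = @(
    Test-CsmServiceConfig -Name 'CRMDmgtd' -RequiredDependencies 'MSiSCSI'
    Test-CsmServiceConfig -Name 'crmlog'
    Test-CsmServiceConfig -Name 'crmtftp'
)
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit so a deployment tool can flag it
```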
Table 3-4 describes Security Manager Client requirements and restrictions.
Note The date and time formats that you select for the client must be the same as those used by your server machine. If they are not, Device View in Security Manager may not load properly.