Installing Management Center for Cisco Security Agents 5.1 - Installing the Management Center for Cisco Security Agents [Cisco Security Agent]

Table Of Contents

Installing the Management Center for Cisco Security Agents

Overview

Licensing Information

Installation Overview

Installation Configuration Options

Installing CSA MC with a Local Database

Microsoft SQL Server 2000 Local Installation Notes

Installing CSA MC with a Remote Database

Microsoft SQL Server 2000 Remote Setup

Installation Log

Accessing Management Center for Cisco Security Agents

Initiating Secure Communications

Internet Explorer: Importing the Root Certificate

Uninstalling Management Center for Cisco Security Agents

Copying Cisco Trust Agent Installer Files

Installing the Management Center for Cisco Security Agents

Overview

This chapter provides instructions for installing CSA MC. Once you have reviewed the preliminary information outlined in the previous chapter, you are ready to proceed.

It is through CSA MC that you create agent installation kits. The tools for creating agent kits are installed as part of CSA MC.

This section contains the following topics.

•Licensing Information

•Installing CSA MC with a Local Database

•Microsoft SQL Server 2000 Local Installation Notes

•Installing CSA MC with a Remote Database

•Installation Log

•Accessing Management Center for Cisco Security Agents

•Initiating Secure Communications

•Uninstalling Management Center for Cisco Security Agents

•Copying Cisco Trust Agent Installer Files

Licensing Information

The Management Center for Cisco Security Agents product CD and product download contains a license key which is imported automatically during the installation and used to operate the MC itself. If you need further license keys, before deploying Cisco Security Agents, you should obtain a license key from Cisco. To receive your license key, you must use the Product Authorization Key (PAK) label affixed to the claim certificate for CSA MC located in the separate licensing envelope.

The information contained in your CSA MC license includes the number of server-agent licenses that have been allotted to you. When you receive your license from Cisco, you should copy it to the system to which you are installing CSA MC (or to a file share accessible from the CSA MC system). Then you can copy the license to the CSA MC directory in the following manner:

After installing CSA MC, to copy the license to the CSA MC directory, click Maintenance in the menu bar and select License Information. The License Information screen appears. You can browse to the license file by clicking the Browse button. Once the license file is located, click the Upload button to copy the file into the CSA MC directory.

Installation Overview

Caution This Management Center for Cisco Security Agents V5.1 release is intended for new installations. You cannot upgrade to V5.1 from a previous version of the product.

You must have local administrator privileges on the system in question to perform the CSA MC installation. Once you've verified system requirements, you can begin the installation.

Caution After you install CSA MC, you should not change the name of the MC system. Changing the system name after the product installation will cause agent/CSA MC communication problems.

Installation Configuration Options

You have three installation configuration options to consider before launching the CSA MC installation process.

•You can install CSA MC and the database on the same machine. (Select the Local Database radio button during the CSA MC installation.)

For a local database configuration, you have the option of installing CSA MC and the included Microsoft SQL Server Desktop Engine (provided with the product) on the same system if you are planning to deploy no more than 500 agents. In this case, the CSA MC installation also installs its own version of Microsoft SQL Server Desktop Engine on the system.

For a local database configuration, you also have the option of installing Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided. Microsoft SQL Server Desktop Engine has a 2 GB database size limit. In this case, you can have CSA MC and Microsoft SQL Server 2000 on the same system depending on the number of agents you are deploying (see Scalable Deployments, page 2-3). Note that of you are using SQL Server 2000, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation.

Also note that if your plan is to use SQL Server 2000, it is recommended that you choose one of the other installation configuration options rather than the local database configuration.

•You can install CSA MC on one machine and install the database on a remote machine. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.)

Use this configuration option depending on the number of agents you are deploying (see Scalable Deployments, page 2-3). If you are using a separately licensed, managed, and maintained SQL Server 2000 database, SQL Server 2000 must be installed and configured on the remote system before you begin the CSA MC installation.

Caution If you are installing CSA MC and the database to multiple machines, make sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior may occur.

•You can install two CSA MCs on two separate machines and install the database on a remote machine. In this case, both CSA MCs use the same remote database. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.)

This is the recommended configuration if you are deploying more than 5,000 agents and are using a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the MC installations.

Using this configuration, you can deploy up to 100,000 agents. Having two CSA MCs lets you use one MC for host registration and polling and another MC for editing configurations.

Caution If you are installing two CSA MCs with one of the MCs residing on the machine where the database is installed, you must select the Remote Database radio button during the installation of both MCs. Even though one MC is "local" to the database, for the two MCs configuration to work properly, they must both be configured to communication with the database as though it were remote.

Installing CSA MC with a Local Database

If you are installing both CSA MC and the database to the same machine, you will first install Microsoft SQL Server Desktop Engine (as part of the CSA MC installation) and then install CSA MC.

Before beginning, exit any other programs you have running on the system where you are installing CSA MC.

To install the CSA MC, do the following:

Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 2 Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. See Figure 3-1. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.)

Figure 3-1 CSA MC Installation Welcome Screen

Step 3 After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 3-2.

Figure 3-2 CSA MC EULA License Agreement

Step 5 The install then begins by prompting you to select a database location. In this case, you will keep the default selection of Local Database and click the Next button. See Figure 3-3.

Figure 3-3 Database Setup Type

Step 6 If installing locally, the installation next checks to see if you have Microsoft SQL Server Desktop Engine (MSDE) installed. CSA MC uses MSDE for its local configuration database. If this software is not detected, you are prompted to install it. See Figure 3-4.

Note For installations exceeding 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Refer to Installation Configuration Options for more information. If you are using Microsoft SQL Server 2000, refer to Microsoft SQL Server 2000 Local Installation Notes for details.

Caution On a system where CSA MC has not previously been installed, the setup program first installs MSDE. If the CSA MC installation detects any other database type attached to an existing installation of MSDE or a version of MSDE or SQL Server 2000 that does not have at least Service Pack 4, the installation will abort. This database configuration is not qualified.

Figure 3-4 Install MSDE Prompt

Once you click Yes, you proceed through the Microsoft SQL Server installation. You are prompted to select an MSDE install directory. The MSDE installation only takes a few minutes.

Figure 3-5 MSDE Installation Directory Selection

Note When the Microsoft SQL Server installation finishes, the CSA MC installation automatically begins again. This time the installation detects the Microsoft SQL Server software and proceeds.

Step 7 You are prompted to select a CSA MC directory installation path. If you would like to restore a previously backed up CSA MC database, you are prompted to restore that database at this time. Either accept the default installation path or browse to a different path to restore an database backup.

Figure 3-6 Directory Prompt

Step 8 You are next prompted to enter Administrator Name and Password information. This the user name and password you will use to login in to CSA MC. See Figure 3-7. Enter this information and click Next.

Figure 3-7 Enter Administrator Name and Password

Step 9 You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-8). It is required that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 3-8 Automatic Reboot Option Prompt

You are next prompted to begin the installation (see Figure 3-9). The install then proceeds copying the necessary files to your system (see Figure 3-10).

Figure 3-9 Installation Prompt

Figure 3-10 Copy Files

Once all the files are copied, the installation performs some preliminary system setup tasks (see Figure 3-11).

Figure 3-11 Installation Progress

Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)

If an agent is already installed on a system to which you are installing CSA MC, that agent will automatically be upgraded by the CSA MC agent installation.

When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is required that you manually reboot the system at this time.

Once the system reboots, should login to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. You must manually import all other licenses through the MC Maintenance>License Information window. See the User Guide for license import instructions.

Microsoft SQL Server 2000 Local Installation Notes

Note The following instructions are only intended for administrators choosing to install CSA MC and Microsoft SQL Server 2000 to the same system. These instructions are not for administrators using CSA MC with a remote database. If you are choosing to use Microsoft SQL Server 2000 as a remote database, information is provided in the section titled Installing CSA MC with a Remote Database.

For local database installations exceeding 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Microsoft SQL Server Desktop Engine has a 2 GB limit. SQL Server 2000 must be licensed separately and it must be installed on the local system before you begin the CSA MC installation.

In order for Microsoft SQL Server 2000 to function properly with CSA MC, you must select certain settings during the installation. Those settings are listed here. (Refer to your Microsoft SQL Server 2000 manual for detailed installation information.)

Note You should not change the default instance name of "MSSQLSERVER" for the SQL Server 2000 database. If you change this, the CSA MC installation will not detect the database.

When installing Microsoft SQL Server 2000, choose the default settings except in the following instances:

•In the Setup Type installation window, choose the Typical radio button and in the Destination Folder section, click the various Browse buttons to install SQL Server on the system.

•In the Services Accounts installation window, choose the Use the same account for each service radio button. In the Service Settings section, choose Use a Domain User Account. In the edit fields, enter a Username and Password for the local administrator account.

•In the Choose Licensing Mode installation window, select the Per Seat for radio button and then increment the devices number field to a positive value—at least 1 or 2.

Reboot the system and install the most recent service pack for SQL Server 2000. CSA MC has been qualified with Service Pack 4. When installing the service pack, choose the default settings except in the following instances

•When you install the service pack, in the Installation Folder screen, you should select a drive that has at least 140 MB of free space. For the service pack installation, choose the default settings in all instances.

•In the SA Password Warning installation screen, select the Ignore the security threat warning, leave the password blank radio button.

•In the SQL Server 2000 Service Pack Setup installation screen, select the Upgrade Microsoft Search and apply SQL Server 2000 SP4 (required) checkbox.

Installing CSA MC with a Remote Database

If you are installing one or two CSA MCs and their corresponding database to different machines, you must first install and properly configure Microsoft SQL Server 2000 on the remote system according to Microsoft's instructions. You should restrict access to this database machine as much as possible using any access control systems you already have in place on your network.

Caution It is recommended that all installed CSA MCs and remote databases be placed on a private LAN. If you cannot provide a private LAN, then you should follow Microsoft's recommendations for securing communication between database servers and application servers.

Caution It is important that the time on the database server system closely match the time on the CSA MC system. Additionally, make sure both times are set correctly.

Caution You must install a Cisco Security Agent on this remote database. This agent should be in the following groups: Servers-SQL Server 2000, Servers-All types, Systems-Mission Critical, and Systems-Restricted Networking. You should install this agent after the last CSA MC has been installed and rebooted.

Microsoft SQL Server 2000 Remote Setup

Note The following section contains overview information for setting up the Microsoft SQL Server 2000 database to work correctly with CSA MC. More detailed SQL Server configuration information should be obtained from your Microsoft documentation.

In order to enter the requested remote database information during the CSA MC installation, you must first setup the SQL Server database system by doing the following. (Note that these steps may be performed by your database administrators. The procedure is detailed after the bullet list.)

•Create an empty database.

•You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database, including db_ddladmin, db_datareader, and db_datawriter. Note that the login ID and user ID must be identical. (db_owner privileges are not required.)

•Make sure the default language is set to English. Note that you should not change the language default after CSA MC is installed.

•Make sure that the database is configured to accept SQL Server authentication.

•You also need to create a file group for the database called "analysis" and it must have at least one file attached.

More specifically, use the following procedure as a guideline:

Step 1 Right click your SQL Server. Select the Security tab and set "Authentication" to SQL Server and Windows. Then click OK.

Step 2 Stop and start sql server.

Step 3 Create new database "CSAMC51".

Step 4 Inside the DB properties, click Data Files and in the File Name box, type "csamcalanysis", and in the Filegroup field type "ANALYSIS". Then click OK.

Step 5 Expand the "security" + and right-click Logins. Then create a new login. Use SQL Server Authentication. Set Defaults -> Database = csamc51 database.

Note Do not click anything under "server roles".

Step 6 In the "database access" section, permit access to csamc51 and give the role of db_ddladmin. db_datareader and db datawriter permissions must also be provided. Click OK.

Step 7 Restart the server.

Once this is configured, you can begin the CSA MC installation.

Before beginning, exit any other programs you have running on the system where you are installing CSA MC. To install the CSA MC, do the following:

Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 2 Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.)

Step 3 The Management Center for Cisco Security Agents appears. After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 3-12.

Figure 3-12 CSA MC EULA License Agreement

Step 5 The install begins by prompting you to choose a database setup type. In this case, you will select the Remote Database radio button and click the Next button.

When you select the Remote Database radio button, you are next prompted to enter the following information for the remote SQL Server database (see Figure 3-13):

•Name of the server

•Name of the database

•Login ID

•Password

Figure 3-13 Remote Database Information

Step 6 Once you enter the database information and click Next, the installation attempts to locate the database and verify that it is configured appropriately. If the database is not setup correctly, you are prompted with this information and the installation will not continue. Otherwise, the installation proceeds.

Step 7 You are next prompted to select a CSA MC directory installation path. Either accept the default installation path or browse to a different path. See Figure 3-14.

Figure 3-14 Directory Prompt

Step 8 You are next prompted to enter Administrator Name and Password information. This the user name and password you will use to login in to CSA MC. See Figure 3-15. Enter this information and click Next.

Figure 3-15 Enter Administrator Name and Password

You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-16). It is recommended that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 3-16 Automatic Reboot Option Prompt

You are next prompted to begin the installation (see Figure 3-17). The install then proceeds copying the necessary files to your system (see Figure 3-18).

Figure 3-17 Installation Prompt

Figure 3-18 Copy Files

Once all the files are copied, the installation performs some preliminary system setup tasks.

Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system and this is done automatically for you. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)

When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is recommended that you manually reboot the system at this time.

Once the system reboots, should login to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. You must manually import all other licenses through the MC Maintenance>License Information window. See the User Guide for license import instructions.

Note for installing two CSA MCs on two separate machines

If you are installing two CSA MCs using one remote database, repeat the steps detailed in this section, entering the same remote database information for the second MC.

Caution When installing two CSA MCs, the first MC you install automatically becomes the polling and logging MC. The second MC acts as the configuration MC. During the installation process, the CSA MCs know the order in which the MCs were installed and direct polling, logging, and management tasks to the appropriate MC.

Caution In a distributed MC environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs and restarted later.

Installation Log

The installation of CSA MC produces a log file. This log file, called "CSAMC-Install.log" and located in the \CSAMC51\log directory, provides a detailed list of installation tasks that were performed. If there is a problem with the installation, this text file should provide information on what task failed during the install.

Note The installation of the agent produces a similar file called "CSAgent-Install.log" and is located in the Cisco Systems\CSAgent\log directory on agent host systems.

Accessing Management Center for Cisco Security Agents

When the installation has completed and you've rebooted the system, a Management Center for Cisco Security Agents [version number] shortcut icon is placed on your desktop. Double-clicking this icon launches the MC in your default browser.

Local Access

To access CSA MC locally on the system hosting the CSA MC software:

•Double-click the shortcut icon added to your desktop during the installation. This launches the management console login screen in your default browser.

Note See Initiating Secure Communications if you cannot connect to CSA MC.

Remote Access

To access CSA MC from a remote location,

•Launch a browser application on the remote host and enter the following:
      http://<management center system hostname>.<domain>
in the Address or Location field (depending on the browser you're using) to access the Login view.

For example, enter http://<management center system hostname>.<domain>

Note In this example, CSA MC is installed on a host system with the name stormcenter.

Figure 3-19 CSA MC Login Window

Initiating Secure Communications

CSA MC uses SSL to secure all communications between the CSA MC user interface (locally and remotely) and the Management Center for Cisco Security Agents server system itself. This way, all configuration data travels over secure channels irrespective of the location of the CSA MC host system.

During installation, CSA MC generates private and public keys to be used for secure communications between any system accessing the CSA MC user interface and the CSA MC itself.

When your browser connects to the server, it receives the server's certificate. You are then prompted to accept this certificate. It is recommended that you import it into your local certificate database so that you are not prompted to accept the certificate each time you login. The following sections show the process of importing certificates into Internet Explorer and Netscape Web browsers.

Internet Explorer: Importing the Root Certificate

Step 1 You import the certificate from the CSA MC login window. Click the Get root certificate link. See Figure 3-19.

Step 2 Select the Open (this file from its current location) button and click OK.

Step 3 The certificate information box appears (see Figure 3-20). It contains information on the system the certificate is issued to and it displays expiration dates. Click the Install Certificate button to start the Certificate Manager Import Wizard.

Figure 3-20 Certificate Information

Step 4 The first Certificate Manager Import page contains an overview of certificate information. Click Next to continue.

Step 5 From the Select a Certificate Store page, make sure the Automatically select the certificate store based on the type of certificate radio button is selected. Click Next.

Figure 3-21 Certificate Wizard

Step 6 You've now imported your certificate for the server. Click the Finish button (Figure 3-22) to continue.

Figure 3-22 Certificate Wizard Finish Page

Step 7 Now, you must save the certificate. Click the Yes button in the Root Certificate Store box (see Figure 3-23).

Figure 3-23 Root Certificate Store Box

Step 8 You are next prompted with a confirmation box informing you that your certificate was created successfully. Lastly, the View Certificate box remains on the screen (see Figure 3-20). Since your certificate has been generated, you can click the Yes button here.

Note You must perform this certificate import process the first time you login to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page directly for all management sessions. To access the login page remotely, enter the URL in the following format.

http://stormcenter.cisco.com
For example, enter http://<management center system hostname>.<domain>

Caution If you have not obtained a valid license from Cisco, when you login to CSA MC, you'll receive a warning informing you that your license is not valid. Refer back to page 2 for further licensing information.

Uninstalling Management Center for Cisco Security Agents

Uninstall the CSA MC software as follows:

Step 1 Click the uninstall CSA MC option on the system from Start>All Programs>Cisco Systems>Uninstall Management Center for Cisco Security Agents. This launches the uninstall program.

You must respond to uninstall confirmation and database back-up prompts during the uninstall process. The CSA MC uninstall also removes the Cisco Security Agent on the MC system.

Note Uninstalling CSA MC does not uninstall the Microsoft SQL Server Desktop Engine (database). You must uninstall this separately from the Control Panel>Add/Remove Programs window if you are completely removing the product from your system.

Caution If you are upgrading to a new version of CSA MC, or if you are reinstalling the product on the same system, and you want to preserve your current configuration, you should select to Backup the Database during the uninstall when you are prompted to do so. If you do not backup the database, the uninstall removes all program files and configurations. (Note that this only applies to local database installations. CSA MC does not provide a backup mechanism for remote databases.)

Copying Cisco Trust Agent Installer Files

Cisco Trust Agent (CTA) is an optional application you may install as part of an agent kit. The goal of bundling CTA in an agent kit is to facilitate the distribution of CTA. CTA is a separate application from CSA and has its own security objectives.

If you intend to distribute CTA through an agent kit, copy your CTA installer files to the system running CSA MC.

To copy the CTA installer files, follow this procedure:

Step 1 Obtain the desired CTA installer files from Cisco Systems.

Note It is the user's responsibility to verify that they have obtained the correct CTA installer files.

Step 2 Copy the CTA installer files to the
%Program Files%\CSAMC51\bin\webserver\htdocs\cta_kits directory.

The default Cisco Security Agent policies protect this directory. When you copy the files into the directory, CSA prompts you to determine if you want to allow the action. Select the Yes radio button and click Apply. Repeat this step for every file you copy into this directory.

Note Refer to the Agent Kits section of the User Guide for information on installing the CTA files you have just copied.

	Installing Management Center for Cisco Security Agents 5.1
	Installing the Management Center for Cisco Security Agents
Installing Management Center for Cisco Security Agents 5.1 Title Preface Preparing to Install Deployment Planning Installing the Management Center for Cisco Security Agents Quick Start Configuration Cisco Security Agent Installation and Overview Open Source License Acknowledgements and Third Party Copyright Notices	Download this chapter Installing the Management Center for Cisco Security Agents Download the complete book Installing Management Center for Cisco Security Agents 5.1 (PDF) (PDF - 3 MB) Table Of Contents Installing the Management Center for Cisco Security Agents Overview Licensing Information Installation Overview Installation Configuration Options Installing CSA MC with a Local Database Microsoft SQL Server 2000 Local Installation Notes Installing CSA MC with a Remote Database Microsoft SQL Server 2000 Remote Setup Installation Log Accessing Management Center for Cisco Security Agents Initiating Secure Communications Internet Explorer: Importing the Root Certificate Uninstalling Management Center for Cisco Security Agents Copying Cisco Trust Agent Installer Files Installing the Management Center for Cisco Security Agents Overview This chapter provides instructions for installing CSA MC. Once you have reviewed the preliminary information outlined in the previous chapter, you are ready to proceed. It is through CSA MC that you create agent installation kits. The tools for creating agent kits are installed as part of CSA MC. This section contains the following topics. •Licensing Information •Installing CSA MC with a Local Database •Microsoft SQL Server 2000 Local Installation Notes •Installing CSA MC with a Remote Database •Installation Log •Accessing Management Center for Cisco Security Agents •Initiating Secure Communications •Uninstalling Management Center for Cisco Security Agents •Copying Cisco Trust Agent Installer Files Licensing Information The Management Center for Cisco Security Agents product CD and product download contains a license key which is imported automatically during the installation and used to operate the MC itself. If you need further license keys, before deploying Cisco Security Agents, you should obtain a license key from Cisco. To receive your license key, you must use the Product Authorization Key (PAK) label affixed to the claim certificate for CSA MC located in the separate licensing envelope. The information contained in your CSA MC license includes the number of server-agent licenses that have been allotted to you. When you receive your license from Cisco, you should copy it to the system to which you are installing CSA MC (or to a file share accessible from the CSA MC system). Then you can copy the license to the CSA MC directory in the following manner: After installing CSA MC, to copy the license to the CSA MC directory, click Maintenance in the menu bar and select License Information. The License Information screen appears. You can browse to the license file by clicking the Browse button. Once the license file is located, click the Upload button to copy the file into the CSA MC directory. Installation Overview Caution This Management Center for Cisco Security Agents V5.1 release is intended for new installations. You cannot upgrade to V5.1 from a previous version of the product. You must have local administrator privileges on the system in question to perform the CSA MC installation. Once you've verified system requirements, you can begin the installation. Caution After you install CSA MC, you should not change the name of the MC system. Changing the system name after the product installation will cause agent/CSA MC communication problems. Installation Configuration Options You have three installation configuration options to consider before launching the CSA MC installation process. •You can install CSA MC and the database on the same machine. (Select the Local Database radio button during the CSA MC installation.) For a local database configuration, you have the option of installing CSA MC and the included Microsoft SQL Server Desktop Engine (provided with the product) on the same system if you are planning to deploy no more than 500 agents. In this case, the CSA MC installation also installs its own version of Microsoft SQL Server Desktop Engine on the system. For a local database configuration, you also have the option of installing Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided. Microsoft SQL Server Desktop Engine has a 2 GB database size limit. In this case, you can have CSA MC and Microsoft SQL Server 2000 on the same system depending on the number of agents you are deploying (see Scalable Deployments, page 2-3). Note that of you are using SQL Server 2000, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation. Also note that if your plan is to use SQL Server 2000, it is recommended that you choose one of the other installation configuration options rather than the local database configuration. •You can install CSA MC on one machine and install the database on a remote machine. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.) Use this configuration option depending on the number of agents you are deploying (see Scalable Deployments, page 2-3). If you are using a separately licensed, managed, and maintained SQL Server 2000 database, SQL Server 2000 must be installed and configured on the remote system before you begin the CSA MC installation. Caution If you are installing CSA MC and the database to multiple machines, make sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior may occur. •You can install two CSA MCs on two separate machines and install the database on a remote machine. In this case, both CSA MCs use the same remote database. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.) This is the recommended configuration if you are deploying more than 5,000 agents and are using a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the MC installations. Using this configuration, you can deploy up to 100,000 agents. Having two CSA MCs lets you use one MC for host registration and polling and another MC for editing configurations. Caution If you are installing two CSA MCs with one of the MCs residing on the machine where the database is installed, you must select the Remote Database radio button during the installation of both MCs. Even though one MC is "local" to the database, for the two MCs configuration to work properly, they must both be configured to communication with the database as though it were remote. Installing CSA MC with a Local Database If you are installing both CSA MC and the database to the same machine, you will first install Microsoft SQL Server Desktop Engine (as part of the CSA MC installation) and then install CSA MC. Before beginning, exit any other programs you have running on the system where you are installing CSA MC. To install the CSA MC, do the following: Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system. Step 2 Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. See Figure 3-1. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.) Figure 3-1 CSA MC Installation Welcome Screen Step 3 After you click Next in the welcome screen, various system checks are performed before the system installation continues. Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 3-2. Figure 3-2 CSA MC EULA License Agreement Step 5 The install then begins by prompting you to select a database location. In this case, you will keep the default selection of Local Database and click the Next button. See Figure 3-3. Figure 3-3 Database Setup Type Step 6 If installing locally, the installation next checks to see if you have Microsoft SQL Server Desktop Engine (MSDE) installed. CSA MC uses MSDE for its local configuration database. If this software is not detected, you are prompted to install it. See Figure 3-4. Note For installations exceeding 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Refer to Installation Configuration Options for more information. If you are using Microsoft SQL Server 2000, refer to Microsoft SQL Server 2000 Local Installation Notes for details. Caution On a system where CSA MC has not previously been installed, the setup program first installs MSDE. If the CSA MC installation detects any other database type attached to an existing installation of MSDE or a version of MSDE or SQL Server 2000 that does not have at least Service Pack 4, the installation will abort. This database configuration is not qualified. Figure 3-4 Install MSDE Prompt Once you click Yes, you proceed through the Microsoft SQL Server installation. You are prompted to select an MSDE install directory. The MSDE installation only takes a few minutes. Figure 3-5 MSDE Installation Directory Selection Note When the Microsoft SQL Server installation finishes, the CSA MC installation automatically begins again. This time the installation detects the Microsoft SQL Server software and proceeds. Step 7 You are prompted to select a CSA MC directory installation path. If you would like to restore a previously backed up CSA MC database, you are prompted to restore that database at this time. Either accept the default installation path or browse to a different path to restore an database backup. Figure 3-6 Directory Prompt Step 8 You are next prompted to enter Administrator Name and Password information. This the user name and password you will use to login in to CSA MC. See Figure 3-7. Enter this information and click Next. Figure 3-7 Enter Administrator Name and Password Step 9 You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-8). It is required that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end. Figure 3-8 Automatic Reboot Option Prompt You are next prompted to begin the installation (see Figure 3-9). The install then proceeds copying the necessary files to your system (see Figure 3-10). Figure 3-9 Installation Prompt Figure 3-10 Copy Files Once all the files are copied, the installation performs some preliminary system setup tasks (see Figure 3-11). Figure 3-11 Installation Progress Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.) If an agent is already installed on a system to which you are installing CSA MC, that agent will automatically be upgraded by the CSA MC agent installation. When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is required that you manually reboot the system at this time. Once the system reboots, should login to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. You must manually import all other licenses through the MC Maintenance>License Information window. See the User Guide for license import instructions. Microsoft SQL Server 2000 Local Installation Notes Note The following instructions are only intended for administrators choosing to install CSA MC and Microsoft SQL Server 2000 to the same system. These instructions are not for administrators using CSA MC with a remote database. If you are choosing to use Microsoft SQL Server 2000 as a remote database, information is provided in the section titled Installing CSA MC with a Remote Database. For local database installations exceeding 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Microsoft SQL Server Desktop Engine has a 2 GB limit. SQL Server 2000 must be licensed separately and it must be installed on the local system before you begin the CSA MC installation. In order for Microsoft SQL Server 2000 to function properly with CSA MC, you must select certain settings during the installation. Those settings are listed here. (Refer to your Microsoft SQL Server 2000 manual for detailed installation information.) Note You should not change the default instance name of "MSSQLSERVER" for the SQL Server 2000 database. If you change this, the CSA MC installation will not detect the database. When installing Microsoft SQL Server 2000, choose the default settings except in the following instances: •In the Setup Type installation window, choose the Typical radio button and in the Destination Folder section, click the various Browse buttons to install SQL Server on the system. •In the Services Accounts installation window, choose the Use the same account for each service radio button. In the Service Settings section, choose Use a Domain User Account. In the edit fields, enter a Username and Password for the local administrator account. •In the Choose Licensing Mode installation window, select the Per Seat for radio button and then increment the devices number field to a positive value—at least 1 or 2. Reboot the system and install the most recent service pack for SQL Server 2000. CSA MC has been qualified with Service Pack 4. When installing the service pack, choose the default settings except in the following instances •When you install the service pack, in the Installation Folder screen, you should select a drive that has at least 140 MB of free space. For the service pack installation, choose the default settings in all instances. •In the SA Password Warning installation screen, select the Ignore the security threat warning, leave the password blank radio button. •In the SQL Server 2000 Service Pack Setup installation screen, select the Upgrade Microsoft Search and apply SQL Server 2000 SP4 (required) checkbox. Installing CSA MC with a Remote Database If you are installing one or two CSA MCs and their corresponding database to different machines, you must first install and properly configure Microsoft SQL Server 2000 on the remote system according to Microsoft's instructions. You should restrict access to this database machine as much as possible using any access control systems you already have in place on your network. Caution It is recommended that all installed CSA MCs and remote databases be placed on a private LAN. If you cannot provide a private LAN, then you should follow Microsoft's recommendations for securing communication between database servers and application servers. Caution It is important that the time on the database server system closely match the time on the CSA MC system. Additionally, make sure both times are set correctly. Caution You must install a Cisco Security Agent on this remote database. This agent should be in the following groups: Servers-SQL Server 2000, Servers-All types, Systems-Mission Critical, and Systems-Restricted Networking. You should install this agent after the last CSA MC has been installed and rebooted. Microsoft SQL Server 2000 Remote Setup Note The following section contains overview information for setting up the Microsoft SQL Server 2000 database to work correctly with CSA MC. More detailed SQL Server configuration information should be obtained from your Microsoft documentation. In order to enter the requested remote database information during the CSA MC installation, you must first setup the SQL Server database system by doing the following. (Note that these steps may be performed by your database administrators. The procedure is detailed after the bullet list.) •Create an empty database. •You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database, including db_ddladmin, db_datareader, and db_datawriter. Note that the login ID and user ID must be identical. (db_owner privileges are not required.) •Make sure the default language is set to English. Note that you should not change the language default after CSA MC is installed. •Make sure that the database is configured to accept SQL Server authentication. •You also need to create a file group for the database called "analysis" and it must have at least one file attached. More specifically, use the following procedure as a guideline: Step 1 Right click your SQL Server. Select the Security tab and set "Authentication" to SQL Server and Windows. Then click OK. Step 2 Stop and start sql server. Step 3 Create new database "CSAMC51". Step 4 Inside the DB properties, click Data Files and in the File Name box, type "csamcalanysis", and in the Filegroup field type "ANALYSIS". Then click OK. Step 5 Expand the "security" + and right-click Logins. Then create a new login. Use SQL Server Authentication. Set Defaults -> Database = csamc51 database. Note Do not click anything under "server roles". Step 6 In the "database access" section, permit access to csamc51 and give the role of db_ddladmin. db_datareader and db datawriter permissions must also be provided. Click OK. Step 7 Restart the server. Once this is configured, you can begin the CSA MC installation. Before beginning, exit any other programs you have running on the system where you are installing CSA MC. To install the CSA MC, do the following: Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system. Step 2 Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.) Step 3 The Management Center for Cisco Security Agents appears. After you click Next in the welcome screen, various system checks are performed before the system installation continues. Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 3-12. Figure 3-12 CSA MC EULA License Agreement Step 5 The install begins by prompting you to choose a database setup type. In this case, you will select the Remote Database radio button and click the Next button. When you select the Remote Database radio button, you are next prompted to enter the following information for the remote SQL Server database (see Figure 3-13): •Name of the server •Name of the database •Login ID •Password Figure 3-13 Remote Database Information Step 6 Once you enter the database information and click Next, the installation attempts to locate the database and verify that it is configured appropriately. If the database is not setup correctly, you are prompted with this information and the installation will not continue. Otherwise, the installation proceeds. Step 7 You are next prompted to select a CSA MC directory installation path. Either accept the default installation path or browse to a different path. See Figure 3-14. Figure 3-14 Directory Prompt Step 8 You are next prompted to enter Administrator Name and Password information. This the user name and password you will use to login in to CSA MC. See Figure 3-15. Enter this information and click Next. Figure 3-15 Enter Administrator Name and Password You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-16). It is recommended that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end. Figure 3-16 Automatic Reboot Option Prompt You are next prompted to begin the installation (see Figure 3-17). The install then proceeds copying the necessary files to your system (see Figure 3-18). Figure 3-17 Installation Prompt Figure 3-18 Copy Files Once all the files are copied, the installation performs some preliminary system setup tasks. Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system and this is done automatically for you. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.) When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is recommended that you manually reboot the system at this time. Once the system reboots, should login to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. You must manually import all other licenses through the MC Maintenance>License Information window. See the User Guide for license import instructions. Note for installing two CSA MCs on two separate machines If you are installing two CSA MCs using one remote database, repeat the steps detailed in this section, entering the same remote database information for the second MC. Caution When installing two CSA MCs, the first MC you install automatically becomes the polling and logging MC. The second MC acts as the configuration MC. During the installation process, the CSA MCs know the order in which the MCs were installed and direct polling, logging, and management tasks to the appropriate MC. Caution In a distributed MC environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs and restarted later. Installation Log The installation of CSA MC produces a log file. This log file, called "CSAMC-Install.log" and located in the \CSAMC51\log directory, provides a detailed list of installation tasks that were performed. If there is a problem with the installation, this text file should provide information on what task failed during the install. Note The installation of the agent produces a similar file called "CSAgent-Install.log" and is located in the Cisco Systems\CSAgent\log directory on agent host systems. Accessing Management Center for Cisco Security Agents When the installation has completed and you've rebooted the system, a Management Center for Cisco Security Agents [version number] shortcut icon is placed on your desktop. Double-clicking this icon launches the MC in your default browser. Local Access To access CSA MC locally on the system hosting the CSA MC software: •Double-click the shortcut icon added to your desktop during the installation. This launches the management console login screen in your default browser. Note See Initiating Secure Communications if you cannot connect to CSA MC. Remote Access To access CSA MC from a remote location, •Launch a browser application on the remote host and enter the following: `http://<management center system hostname>.<domain>` in the Address or Location field (depending on the browser you're using) to access the Login view. For example, enter `http://<management center system hostname>.<domain>` Note In this example, CSA MC is installed on a host system with the name stormcenter. Figure 3-19 CSA MC Login Window Initiating Secure Communications CSA MC uses SSL to secure all communications between the CSA MC user interface (locally and remotely) and the Management Center for Cisco Security Agents server system itself. This way, all configuration data travels over secure channels irrespective of the location of the CSA MC host system. During installation, CSA MC generates private and public keys to be used for secure communications between any system accessing the CSA MC user interface and the CSA MC itself. When your browser connects to the server, it receives the server's certificate. You are then prompted to accept this certificate. It is recommended that you import it into your local certificate database so that you are not prompted to accept the certificate each time you login. The following sections show the process of importing certificates into Internet Explorer and Netscape Web browsers. Internet Explorer: Importing the Root Certificate Step 1 You import the certificate from the CSA MC login window. Click the Get root certificate link. See Figure 3-19. Step 2 Select the Open (this file from its current location) button and click OK. Step 3 The certificate information box appears (see Figure 3-20). It contains information on the system the certificate is issued to and it displays expiration dates. Click the Install Certificate button to start the Certificate Manager Import Wizard. Figure 3-20 Certificate Information Step 4 The first Certificate Manager Import page contains an overview of certificate information. Click Next to continue. Step 5 From the Select a Certificate Store page, make sure the Automatically select the certificate store based on the type of certificate radio button is selected. Click Next. Figure 3-21 Certificate Wizard Step 6 You've now imported your certificate for the server. Click the Finish button (Figure 3-22) to continue. Figure 3-22 Certificate Wizard Finish Page Step 7 Now, you must save the certificate. Click the Yes button in the Root Certificate Store box (see Figure 3-23). Figure 3-23 Root Certificate Store Box Step 8 You are next prompted with a confirmation box informing you that your certificate was created successfully. Lastly, the View Certificate box remains on the screen (see Figure 3-20). Since your certificate has been generated, you can click the Yes button here. Note You must perform this certificate import process the first time you login to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page directly for all management sessions. To access the login page remotely, enter the URL in the following format. `http://stormcenter.cisco.com` For example, enter `http://<management center system hostname>.<domain>` Caution If you have not obtained a valid license from Cisco, when you login to CSA MC, you'll receive a warning informing you that your license is not valid. Refer back to page 2 for further licensing information. Uninstalling Management Center for Cisco Security Agents Uninstall the CSA MC software as follows: Step 1 Click the uninstall CSA MC option on the system from Start>All Programs>Cisco Systems>Uninstall Management Center for Cisco Security Agents. This launches the uninstall program. You must respond to uninstall confirmation and database back-up prompts during the uninstall process. The CSA MC uninstall also removes the Cisco Security Agent on the MC system. Note Uninstalling CSA MC does not uninstall the Microsoft SQL Server Desktop Engine (database). You must uninstall this separately from the Control Panel>Add/Remove Programs window if you are completely removing the product from your system. Caution If you are upgrading to a new version of CSA MC, or if you are reinstalling the product on the same system, and you want to preserve your current configuration, you should select to Backup the Database during the uninstall when you are prompted to do so. If you do not backup the database, the uninstall removes all program files and configurations. (Note that this only applies to local database installations. CSA MC does not provide a backup mechanism for remote databases.) Copying Cisco Trust Agent Installer Files Cisco Trust Agent (CTA) is an optional application you may install as part of an agent kit. The goal of bundling CTA in an agent kit is to facilitate the distribution of CTA. CTA is a separate application from CSA and has its own security objectives. If you intend to distribute CTA through an agent kit, copy your CTA installer files to the system running CSA MC. To copy the CTA installer files, follow this procedure: Step 1 Obtain the desired CTA installer files from Cisco Systems. Note It is the user's responsibility to verify that they have obtained the correct CTA installer files. Step 2 Copy the CTA installer files to the %Program Files%\CSAMC51\bin\webserver\htdocs\cta_kits directory. The default Cisco Security Agent policies protect this directory. When you copy the files into the directory, CSA prompts you to determine if you want to allow the action. Select the Yes radio button and click Apply. Repeat this step for every file you copy into this directory. Note Refer to the Agent Kits section of the User Guide for information on installing the CTA files you have just copied.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks