Installation Guide for Cisco Security Manager 3.2.2
Requirements and Dependencies
Download this chapter
Requirements and DependenciesRequirements and Dependencies
Download the complete book
Installation Guide for Cisco Security Manager 3.2.2 - Whole Book PDFInstallation Guide for Cisco Security Manager 3.2.2 - Whole Book PDF (PDF - 1 MB)
give_us_feedback

Table Of Contents

Requirements and Dependencies

Required Services and Ports

Server Requirements

Client Requirements


Requirements and Dependencies

You can install and use Security Manager as a standalone product or in combination with several other Cisco security management applications, including optional applications that you can select in the Security Manager installer or download from Cisco.com. Requirements for installation and operation vary in relation to the presence of other software on the server and according to the way that you use Security Manager.

Caution If you are upgrading to Security Manager 3.2.2 from an earlier version, you must make sure that the existing Security Manager database does not contain any pending data, meaning data that has not been committed to the database. If the existing Security Manager database contains pending data, you must commit or discard all uncommitted changes before upgrading. For instructions, see Uninstalling and Reinstalling Server Applications, page 4-6.

CiscoWorks Common Services 3.2 is required for Security Manager 3.2.2 to work. You install Common Services automatically when you install Security Manager server software.

For more information, see Common Services, page 1-2, and see the Common Services documentation on Cisco.com at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/.

Tip We recommend that you synchronize the date and time settings on all of your management servers and all of the managed devices in your network. One method is to use an NTP server. Synchronization is important if you want to correlate and analyze log file information from your network.

The sections in this chapter describe requirements and dependencies for installing Security Manager server and client software:

Required Services and Ports

Server Requirements

Client Requirements

Required Services and Ports

You must ensure that required ICMP (ping), TCP, and UDP ports are enabled and available for use by Security Manager and its associated applications on your server, to support their associated services.

Tip To understand which server processes are associated with the applications that you install from the Security Manager installation DVD, see Verifying That Required Processes Are Running, page 8-2.

In a standalone implementation, Security Manager uses local mode for AAA. You must ensure that the following ports are opened (as shown in Table 2-1) to allow for client-server communication, as well as Security Manager server to supported devices communication.

Table 2-1 Ports and Services Used for AAA in Local Mode

Communication
Service
Protocol
Port

Security Manager Client -> Security Manager Server

HTTP/HTTPS

TCP

1741/443

Security Manager Client -> Cisco IPS Event Viewer

IPS Viewer

TCP

60002/60003

Security Manager Server -> Devices

Note Although Security Manager uses HTTPS to communicate with most devices (and SSH in some cases), other protocols such as Telnet may also be used.

HTTPS
SSH
Telnet

TCP

443
22
23


Table 2-2 sorts the required ports and services numerically, by port.

Table 2-2 Required Services and Ports 

Service
Used For, or Used By
Port Number/
Range of Ports
Protocol
Inbound
Outbound

Ping

RME

ICMP

X

SSH

Common Services

22

TCP

X

RME

22

TCP

X

Telnet

DM 6500/7600

23

TCP

X

RME

23

TCP

X

TACACS+ (for ACS)

Common Services

49

TCP

X

RME

TCP

X

TFTP

Common Services

69

UDP

X

X

HTTP

Common Services

80

TCP

X

DM 6500/7600

TCP

X

SNMP (polling)

Common Services

161

UDP

X

SNMP (traps)

Common Services

162

UDP

X

HTTPs (SSL)

Common Services

4431

TCP

X

Security Manager

TCP

X

AUS

TCP

X

Syslog

Common Services

514

UDP

X

Remote Copy Protocol

Common Services

TCP

X

X

HTTP

Common Services

1741

TCP

X

Security Manager

TCP

X

MySQL2

Security Manager

3306, 5501

MySQL

X

X

Cisco IPS Event Viewer3

Security Manager server

60002, 60003

TCP

X

X

Security Manager client

5001

TCP

X

X

HIPO port for CiscoWorks gatekeeper

Common Services

8088

TCP

X

X

Tomcat shutdown

Common Services

9007

TCP

X

Tomcat Ajp13 connector

Common Services

9009

TCP

X

Database

Security Manager

10033

TCP

X

License Server

Common Services

40401

TCP

X

Daemon Manager

Common Services

42340

TCP

X

X

Osagent

Common Services

42342

UDP

X

X

Database

Common Services

43441

TCP

X

DCR and OGS

Common Services

40050 - 40070

TCP

X

Event Services

Software Service

42350/
44350

UDP

X

X

Software Listening

42351/
44351

TCP

X

X

Software HTTP

42352/
44352

TCP

X

X

Software Routing

42353/
44353

TCP

X

X

Transport Mechanism (CSTM)

Common Services

50000 - 50020

TCP

X

1 To share and exchange information with a Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance, Security Manager uses HTTPS over port 443 by default. You can choose whether to use a different port for this purpose.

2 Do not delete or move the C:\my.cnf file, which the MySQL server requires.

3 The Cisco IPS Event Viewer service depends on MySQL services. If you want to stop retrieving and storing IPS event alerts, you can stop the Cisco IPS Event Viewer service. Later you can restart the Cisco IPS Event Viewer service to resume retrieving and storing alerts.


In the case where applications such as CS-MARS, ACS, and external AAA are being used, other ports also need to be opened, as shown in Table 2-3.

Table 2-3 Services and Ports for CS-MARS, ACS, and external AAA 

Communication
Protocol
Port

Security Manager Server -> CS-MARS

HTTPS

443

Security Manager Server -> ACS

HTTP/HTTPS

2002

If port restriction is enabled on the ACS server, allow all ports in the range for HTTP/HTTPS communication.

If port restriction is disabled, allow all HTTP/HTTPS traffic between the Security Manager server and ACS.

Security Manager Server -> External AAA Server (configurable in a non-ACS mode)

RADIUS
LDAP
Kerberos

1645, 1646, 1812(new) 389, 636 (SSL) 88


In the case where applications such as Configuration Engine, Auto Update Server (AUS), and TMS Server are being used for configuration deployment, other ports also need to be opened, as shown in Table 2-4.

Table 2-4 Services and Ports Used with Config Engine, Auto Update Server (AUS), and TMS Server  

Communication
Service
Protocol
Port

Security Manager Server -> CNS Config Engine

HTTPS

TCP

443

Security Manager Server -> AUS

HTTPS

TCP

443

Security Manager Server -> TMS Server

FTP

TCP

21


Server Requirements

Note See Required Services and Ports, for a complete list of the service ports that you must enable in order to use your Security Manager server.

Tip We recommend that you install Security Manager on a dedicated server in a controlled environment. For additional best practices and related guidance, see Chapter 3, "Preparing a Server for Installation."

You can install Security Manager on a Windows-based server that uses one CPU or multiple CPUs. Table 2-5 describes server requirements and restrictions.

Caution Do not install this product on a primary or backup domain controller. We do not support any use of Common Services on a Windows domain controller.

Do not install this product in an encrypted directory. Common Services does not support directory encryption.

Do not install this product if Terminal Services is enabled in Application mode. In such a case, you must disable Terminal Services, then restart the server before you install. Common Services supports only the Remote Administration mode for Terminal Services.

Table 2-5 Server Requirements and Restrictions 

Component
Requirement

System hardware

Minimum: One CPU >= 2GHz; Recommended: Two CPUs >= 2 GHz or a One dual-core CPU >= 2 GHz

Color monitor with at least 1280 x 1024 resolution and a video card capable of 16-bit colors.

DVD-ROM drive.

100BaseT (100 Mbps) or faster network connection; single interface only.

Keyboard.

Mouse.

System software

Microsoft Windows Server 2003:1 , 2

Enterprise Edition with SP1 and SP2.

Standard Edition with SP1 and SP2.

R2 Enterprise Edition with SP1 and SP2.

R2 Standard Edition with SP1 and SP2.

Security Manager supports only the US-English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows3 , open the panel where you configure region and language settings4 , then set the default locale. (We do not support English as the language in any Japanese version of Windows.)

Microsoft ODBC Driver Manager 3.510 or later is also required, so your server can work with Sybase database files. To confirm the installed ODBC version, find and right-click ODBC32.DLL, then select Properties from the shortcut menu. The file version is listed under the Version tab.5

Memory (RAM)

Minimum: 2 GB; Recommended: 4 GB.

File system

NTFS.

Browser

One of the following:

Microsoft Internet Explorer 6.0 Service Pack 2.

Internet Explorer 7.0

Firefox 2.0.

Compression software

WinZip 9.0 or compatible.

Hard Drive Space

20 GB or more.

IP Address

One static IP address.

The Security Manager installer displays a warning if it detects any dynamic IP addresses on the target server. Dynamic addresses are not supported.

Note If the server has more than one IP address, you do not need to disable any of the multiple network interface cards before installation.

Swap Size

4096 MB

Virtualization Software

VMWare ESX Server 3.56

1 To confirm the installed Windows version from the Start menu, select Run, then enter either ver or winver.

2 Security Manager is not supported on 64-bit Windows operating systems.

3 To open the Control Panel for Windows from the Start Menu, you follow a path that varies according to your Windows version and configuration.

4 The panel where you specify region and language settings for Windows has a name that varies according to your Windows version and configuration.

5 Alternatively after you install Security Manager, select Server > Admin from the Common Services desktop, click Selftest, then click Create. When the table is refreshed, click the newest entry in the SelfTest Server Information column. When the "Server Info" window opens, scroll to the odbc.pl section to see the installed ODBC version.

6 You should allocate 4 GB of memory to the virtual machine you use with Security Manager. Use of recent generation CPUs with technology designed to improve virtualization performance is recommended (e.g., Intel-VT or AMD-V CPUs).


Client Requirements

Table 2-6 describes Security Manager Client requirements and restrictions.

Table 2-6 Client Requirements and Restrictions 

Component
Requirement

System hardware

One CPU with a minimum size of 2 GHz.

Color monitor with at least 1280 x 1024 resolution and a video card capable of 16-bit colors.

Tip An older video (graphics) card might fail to display the Security Manager GUI correctly until you upgrade its driver software. To test whether this problem might affect your client system, right-click My Computer, select Properties, select Hardware, click Device Manager, then expand the Display adapters entry. Double-click the entry for your adapter to learn what driver version it uses. You can then do one of the following:

If your client system uses an ATI MOBILITY FireGL video card, you might have to obtain a video driver other than the driver that came with your card. The driver that you use must be one that allows you to configure Direct 3D settings manually. Any driver lacking that capability might stop your client system from displaying elements in the Security Manager GUI.

For any video card, go to the web sites of the PC manufacturer and the card manufacturer to check for incompatibilities with the display of modern Java2 graphics libraries. In most cases where a known incompatibility exists, at least one of the two manufacturers provides a method for obtaining and installing a compatible driver.

Keyboard.

Mouse.

System software

One of the following:

Microsoft Windows XP Professional with SP1, SP2, or SP3.1

Microsoft Windows Server 2003:

Standard Edition with SP1 and SP2.

Enterprise Edition with SP1 and SP2.

R2 Enterprise Edition with SP1 and SP2.

R2 Standard Edition with SP1 and SP2.

Microsoft Windows Vista Business Edition with SP1 or Enterprise Edition

Note Security Manager supports only the US-English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows2 , open the panel where you configure region and language settings3 , then set the default locale. (We do not support English as the language in any Japanese version of Windows.)

Memory (RAM)

Minimum: 1 GB; Recommended: 2 GB.

Virtual Memory/
Swap Space

512 MB.

Hard Drive Space

10 GB.

Browser

One of the following:

Microsoft Internet Explorer 6.0 Service Pack 2.

Internet Explorer 7.0.

Firefox 2.0.

Java

Security Manager Client includes an embedded and completely isolated version of Java. This Java version does not interfere with your browser settings or with other Java-based applications.

To verify the installed versions of JVM and the Java plug-in, do one of the following:
 ·  (Internet Explorer) Select Tools > Sun Java Console.
 ·  (Firefox)  Select Tools > Web Development > Java Console.
 ·  (From a prompt) Enter java -version.

1 Security Manager is not supported on 64-bit Windows operating systems.

2 To open the Control Panel for Windows from the Start Menu, you follow a path that varies according to your Windows version and configuration.

3 The panel where you specify region and language settings for Windows has a name that varies according to your Windows version and configuration.