Requirements and Dependencies
You can install and use Security Manager as a standalone product or in combination with several other Cisco Security Management Suite applications, including optional applications that you can select in the Security Manager installer or download from Cisco.com. Requirements for installation and operation vary in relation to the presence of other software on the server and according to the way that you use Security Manager.
Tip  We recommend that you synchronize the date and time settings on all your management servers and all the managed devices in your network. One method is to use an NTP server. Synchronization is important if you want to correlate and analyze log file information from your network.
The sections in this chapter describe requirements and dependencies for installing server applications such as Security Manager, Auto Update Server, Performance Monitor, and RME, and Security Manager client software:
• Required Services and Ports
• Server Requirements
• Client Requirements
Required Services and Ports
You must ensure that required ports are enabled and available for use by Security Manager and its associated applications on your server so that the server can communicate with clients and servers running associated applications.
The ports that need to be open depend on whether you are using CiscoWorks for AAA or an external server (such as ACS), and whether you are configuring Security Manager to interact with certain other applications:
• Basic Required Ports—Table 2-1 lists the basic ports that must be opened, assuming that you have not customized your configuration to use non-default ports. If you are using CiscoWorks for AAA (user authorization) services, and you do not use any of the optional applications, these should be the only ports you need to open.
Table 2-1 Basic Required Ports to Open on the Security Manager Server
| Communication | Service | Protocol | Port | In | Out |
| --- | --- | --- | --- | --- | --- |
| Security Manager Client to the Security Manager Server. | HTTP, HTTPS | TCP | 1741/443 | X | — |
| Security Manager Client to device managers included in the product (such as ASDM). | HTTPS | TCP | 443 | X | — |
| Security Manager to Cisco.com for IPS signature and engine update downloads. | HTTP | TCP | 80 | — | X |
| | HTTPS | TCP | 443 | — | X |
| Security Manager Server to Devices. Tip  HTTPS and SSH ports are required, but open the Telnet port only if you use Telnet as the transport protocol for one or more devices. Because Telnet transmits passwords in clear text, we recommend that you never use Telnet, and that you do not open the Telnet port. | HTTPS | TCP | 443 | — | X |
| | SSH | TCP | 22 | — | X |
| | Telnet | TCP | 23 | — | X |
| Security Manager Server to Device for configuration rollback operations on IOS devices. | TFTP | UDP | 69 | X | X |
| Security Manager to an e-mail server. This port is required only if you configure e-mail notification settings for any of the various functions that can provide these notifications. | SMTP | TCP | 25 | — | X |
| Syslog service used by the Security Manager Event Viewer. | Syslog | UDP | 514 | X | — |
• Ports Required By Optional Applications—If you are using Security Manager with other applications, other ports also need to be opened, as shown in Table 2-2. Open only ports required by applications that you are actually using.
Table 2-2 Ports Required for Optional Server Applications
| Communication | Service | Protocol | Port | In | Out |
| --- | --- | --- | --- | --- | --- |
| Security Manager Server to and from CS-MARS. | HTTPS | TCP | 443 | X | X |
| Security Manager Server to Cisco Secure Access Control Server (ACS). | HTTP, HTTPS | TCP | 2002. If port restriction is enabled on the ACS server, allow all ports in the range for HTTP/HTTPS communication. If port restriction is disabled, allow all HTTP/HTTPS traffic between the Security Manager server and ACS. | — | X |
| Security Manager Server to an External AAA Server (configurable in a non-ACS mode). | RADIUS, LDAP, Kerberos | TCP | 1645, 1646, 1812 (new), 389, 636 (SSL), 88 | — | X |
| Security Manager Server to Configuration Engine. | HTTPS | TCP | 443 | — | X |
| Security Manager Server to AUS. | HTTPS | TCP | 443 | — | X |
| Device to AUS. Used to retrieve images and configurations. | HTTP | TCP | 1751 | X | — |
| Security Manager Server to TMS Server. | FTP | TCP | 21 | — | X |
| Internet browser running on a client system to the browser interface on the Security Manager, AUS, RME, or Performance Monitor server. | HTTP, HTTPS | TCP | 1741/443 | X | — |
| Performance Monitor to device for polling. | HTTPS | TCP | 443. Tip  You can configure this port when importing devices. If you use a non-default port, you must open the port you use. You must use a non-default port if WebVPN is configured on the interface. | — | X |
| Performance Monitor to device for SNMP polling. | SNMP | TCP | 161 | — | X |
| Device to Performance Monitor for SNMP traps. | SNMP | TCP | 162 | X | — |
| Syslog service if you use Performance Monitor or RME for syslog, and you install these applications on a separate server than Security Manager. | Syslog | UDP | 514 | X | — |
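The port tables above can be turned into a least-privilege check. The following added example (not part of the Cisco documentation) compares a firewall rule list against the default ports in Tables 2-1 and 2-2 and reports missing rules, rules the tables do not call for, and an open Telnet port. The rule-line format, the feature names, and the sample rule set are assumptions made for illustration.

```python
# Added example: the rule-line format and feature names are assumptions.
# Ports are the defaults from Tables 2-1 and 2-2: (direction, protocol, port).
BASIC = {
    ("in", "tcp", 1741), ("in", "tcp", 443),   # clients and browsers to the server
    ("out", "tcp", 80), ("out", "tcp", 443),   # Cisco.com downloads, HTTPS to devices
    ("out", "tcp", 22),                        # SSH to devices
    ("in", "udp", 69), ("out", "udp", 69),     # TFTP for IOS configuration rollback
    ("in", "udp", 514),                        # syslog for Event Viewer
}
OPTIONAL = {  # subset of the optional rows; open only for features in use
    "smtp": {("out", "tcp", 25)},
    "telnet": {("out", "tcp", 23)},
    "cs-mars": {("in", "tcp", 443), ("out", "tcp", 443)},
    "acs": {("out", "tcp", 2002)},
}

def parse_rules(text):
    """Parse 'in|out tcp|udp <port>' lines; '#' starts a comment."""
    rules = set()
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("#", 1)[0].lower().split()
        if not parts:
            continue
        if (len(parts) != 3 or parts[0] not in ("in", "out")
                or parts[1] not in ("tcp", "udp") or not parts[2].isdigit()):
            raise ValueError(f"line {n}: expected 'in|out tcp|udp <port>'")
        rules.add((parts[0], parts[1], int(parts[2])))
    return rules

def audit(rules_text, features=()):
    """Return (missing, excess, warnings) for the selected features."""
    required = set(BASIC).union(*(OPTIONAL[f] for f in features))
    rules = parse_rules(rules_text)
    warnings = []
    if ("out", "tcp", 23) in rules:  # the page advises never opening Telnet
        warnings.append("tcp/23 open: Telnet sends passwords in clear text")
    return sorted(required - rules), sorted(rules - required), warnings

# Constructed sample rule set, not taken from a real server.
SAMPLE = """\
in tcp 1741
in tcp 443
out tcp 80
out tcp 443
out tcp 22
out tcp 23    # left over from an old device
in tcp 3389
"""
if __name__ == "__main__":
    print(audit(SAMPLE, ["smtp"]))
```

With the sample rule set and e-mail notification selected, the audit reports the TFTP, syslog, and SMTP rules as missing and flags the Telnet and port 3389 rules as not required by the tables.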
Server Requirements
Tip  We recommend that you install Security Manager on a dedicated server in a controlled environment. For additional best practices and related guidance, see Chapter 3, "Preparing a Server for Installation."
To install Security Manager, you must be an Administrator or a user with local administrator rights; this also applies if you are installing the client only. Table 2-3 describes the minimum and recommended server configuration. These requirements vary based on whether you are using Security Manager for device configuration only, or for both device configuration and event management. Typically, if you use event management, you must use a more powerful server.
Unless otherwise noted, the requirements apply to all applications. For example, if you install Performance Monitor on a separate server than Security Manager, the Performance Monitor server needs to meet the configuration-only requirements.
Recommended Server
Cisco recommends that you install the application on a Cisco UCS C200 server with an Intel Quadcore Xeon 5500 Series CPU, 16 GB RAM, two 1 TB (minimum) hard drives, and a 1 Gbps network adapter. Use RAID 0 and partition the drives so that Windows and the Security Manager application have a 500 GB partition, and event management storage has a 1.5 TB partition.
Do not install any application:
• On a primary or backup domain controller. We do not support any use of Common Services on a Windows domain controller.
• In an encrypted directory. Common Services does not support directory encryption.
• If Terminal Services is enabled in Application mode. In such a case, you must disable Terminal Services, then restart the server before you install. Common Services supports only the Remote Administration mode for Terminal Services.
The following table explains the minimum and recommended server configurations.
Table 2-3 Minimum and Recommended Server Requirements
Operating System:
Strongly Recommended: Windows 2008 Enterprise Server (Service Pack 2)—64 bit.
Alternate operating systems that also are supported:
• Windows 2003 R2 Enterprise Server (Service Pack 2)—32 bit.
• Windows 2008 Enterprise Server (Service Pack 2)—32 bit.
English and Japanese are the only supported languages. For complete information, see Understanding Regional and Language Options and Related Settings.
Microsoft ODBC Driver Manager 3.510 or later is also required so that your server can work with Sybase database files. To confirm the installed ODBC version, find and right-click ODBC32.DLL, then select Properties from the shortcut menu. The file version is listed under the Version tab.

System Hardware:
• Processor requirements differ based on whether you are using Security Manager for device configuration only or for configuration and event management:
  – Configuration only (or AUS, RME, or Performance Monitor only)—A dual-core processor is the minimum requirement. A quad-core or higher processor is recommended. Higher cores typically result in improved performance.
  – Configuration and Event Management—A quad-core processor is the minimum requirement. Higher cores typically result in improved performance.
• Color monitor with at least 1280 x 1024 resolution and a video card capable of 16-bit colors. For AUS-, Performance Monitor-, and RME-only servers, you can get by with 1024 x 768 resolution.
• (Optional) RAID 0 or RAID 10.
• DVD-ROM drive.
• 100BaseT (100 Mbps) or faster network connection; single interface only. Recommended: 1 Gbps.
• Keyboard.
• Mouse.

Memory (RAM):
The minimum memory requirements differ based on operating system and whether you are using Security Manager for device configuration only or for configuration and event management. If you install AUS, RME, or Performance Monitor on the same system with Security Manager, the same minimums apply.
• Configuration only:
  – 32-bit OS (Windows Server 2003 or 2008)—Minimum: 4 GB. Recommended: 8 GB.
  – 64-bit OS (Windows Server 2008)—Minimum: 8 GB. Recommended: 12 GB.
• Configuration and Event Management:
  – 32-bit OS (Windows Server 2003 or 2008)—Minimum: 8 GB. Recommended: 8 GB.
  – 64-bit OS (Windows Server 2008)—Minimum: 12 GB. Recommended: 16 GB.
If the amount of RAM available to the operating system is less than or equal to 4 GB, Event Management is disabled during installation. Although not recommended, you can enable Event Management for low memory systems from the Security Manager client after completing the installation (select Tools > Security Manager Administration > Event Management). Keep in mind that enabling Event Management on a system with low memory can severely affect the performance of the entire application.
If you install AUS, RME, or Performance Monitor on separate servers, the following minimums apply:
• AUS- or Performance Monitor-only server—4 GB. We recommend more than 4 GB if you are using a 64-bit server.
• RME-only server—3 GB.

File system:
NTFS.

Disk Optimization:
Diskeeper 2010 Server.

Hard drive space:
The minimum hard drive space requirements differ based on whether you are using Security Manager for device configuration only or for configuration and event management. Note that you cannot install the application if there is less than 5 GB of available disk space.
• Configuration only—40 GB.
• Configuration and Event Management—1 TB.
Tip  A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for events is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management.

IP address:
One static IP address. Dynamic addresses are not supported.
Tip  If the server has more than one IP address, you do not need to disable any of the multiple network interface cards before installation.

Swap Size:
4096 MB.

Antivirus:
Real-time protection disabled.

Browser:
One of the following:
• Microsoft Internet Explorer 6.0 Service Pack 2 (when running on Windows Server 2003).
• Internet Explorer 7.0 (when running on Windows Server 2003, Windows Server 2008 32-bit, or Windows Server 2008 64-bit).
• Internet Explorer 8.0 (when running on Windows Server 2003, Windows Server 2008 32-bit, or Windows Server 2008 64-bit).
Internet Explorer 8 is supported only in Compatibility View. To use Compatibility View, open Internet Explorer 8, go to Tools > Compatibility View Settings, and add the Security Manager server as a "website to be displayed in Compatibility View."
• Firefox 3.0.x (when running on Windows Server 2003, Windows Server 2008 32-bit, or Windows Server 2008 64-bit).
  – Exception: Firefox 3.0.8 is not supported on Windows Server 2008.

Optional Virtualization Software:
You can optionally install the application on a system running VMware ESX 3.5 (update 2). You should allocate at least the same amount of memory to the virtual machine you use with Security Manager as you would for a non-virtualized server. Use of recent generation CPUs with technology designed to improve virtualization performance is recommended (for example, Intel-VT or AMD-V CPUs).
Tip  Allocate two or more CPUs to the VM image. Some processes, such as system backup, can take an unreasonably long time to complete if you use one CPU.

Understanding Regional and Language Options and Related Settings
Security Manager supports only the U.S. English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows, open the panel where you configure region and language settings, then set the default locale. (We do not support English as the language in any Japanese version of Windows.)
In addition, the Regional and Language Options in the server operating system (Windows Server 2003 or Windows Server 2008) must be set correctly. Also, peripheral devices such as keyboards that use other languages can affect the way Security Manager functions.
The following list contains the Regional and Language Options and related settings that you must adhere to in order to successfully install Security Manager:
• The server locale must be U.S. English or Japanese.
• You must avoid using peripheral devices such as keyboards that use other languages; these devices must not even be connected to the server.
• You must take care not to disturb the server settings while using a non-console RDP session to the server; as documented in http://support.microsoft.com/kb/924852, connecting to the server by using a non-console RDP can lead to the locale of the RDP client machine being applied to the server.
• You must check the Regional and Language Options and verify that the language selected for non-Unicode programs is English (United States); the path to that selection is Control Panel > Regional and Language Options > Advanced > Language for non-Unicode Programs.
Client Requirements
Table 2-4 describes Security Manager Client requirements and restrictions.
Table 2-4 Client Requirements and Restrictions
System hardware:
• One CPU with a minimum speed of 2 GHz.
• Color monitor with at least 1280 x 1024 resolution and a video card capable of 16-bit colors.
• Keyboard.
• Mouse.

System software:
One of the following:
• Windows XP (Service Pack 3).
• Windows Vista (Service Pack 2).
• Windows 2003 Enterprise R2 Server (Service Pack 2).
• Windows 2008 Enterprise Server (Service Pack 2)—32-bit and 64-bit.
Note  Security Manager supports only the U.S. English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows, open the panel where you configure region and language settings, then set the default locale. (We do not support English as the language in any Japanese version of Windows.)

Memory (RAM):
Minimum: 1 GB; Recommended: 2 GB.

Virtual Memory/Swap Space:
512 MB.

Hard Drive Space:
10 GB free disk space.

Browser:
One of the following:
• Microsoft Internet Explorer 6.0 Service Pack 2 (when running on Windows XP or Windows Server 2003).
• Internet Explorer 7.0 (when running on Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 32-bit, or Windows Server 2008 64-bit).
• Internet Explorer 8.0 (when running on Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 32-bit, or Windows Server 2008 64-bit).
Internet Explorer 8 is supported only in Compatibility View. To use Compatibility View, open Internet Explorer 8, go to Tools > Compatibility View Settings, and add the Security Manager server as a "website to be displayed in Compatibility View."
• Firefox 2.0.x (when running on Windows XP or Windows Server 2003).
• Firefox 3.0.x (when running on Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 32-bit, or Windows Server 2008 64-bit).
  – Exception: Firefox 3.0.8 is not supported on Windows Server 2008.

Java:
JRE 1.6 Update 14. This is used for applications that are hosted in a browser window.
The Security Manager client includes an embedded and completely isolated version of Java. This Java version does not interfere with your browser settings or with other Java-based applications.
To verify the installed versions of Java, do one of the following:
• Internet Explorer—Select Tools > Sun Java Console.
• Firefox—Select Tools > Web Development > Java Console.
• From a prompt—Enter java -version.

Windows user account:
You must log into the workstation with a Windows user account that has Administrator privileges to use the Security Manager client.
Although some features of the client might work with lesser privileges, only Administrator users are fully supported.