Table Of Contents
VPN/Security Management Solution 2.2
SUPPLEMENTAL LICENSE AGREEMENT
VPN/Security Management Solution Overview
Server and Client System Requirements
Important Installation Notes for Windows
Uninstalling Cisco IDS Host Sensor and Console
Installing VMS Management and Monitoring Center 2.2 Applications on Windows from the Startup Disk
Verifying the Integrity of VMMC Files
Installing CiscoWorks Common Services and Service Pack 2 on Windows
Installing Management Center for Firewalls on Windows
Installing Auto Update Server on Windows
Installing Management Center for VPN Routers on Windows
Installing Management Center for IDS Sensors and Monitoring Center for Security on Windows
Installing Management Center for Cisco Security Agents
Installing Resource Manager Essentials on Windows
Update for 99% CPU Utilization (CSCdt73198)
Important Installation Notes for Solaris
Order of Installation for Solaris
Installing CiscoWorks Common Services and SP2 on Solaris
Installing VMS Management and Monitoring Center 2.2 Applications on Solaris from the Startup Disk
Installing Management Center for Firewalls on Solaris
Installing Management Center for VPN Routers on Solaris
Installing Auto Update Server on Solaris
Installing Monitoring Center for Performance on Solaris
Installing Management Center for IDS Sensors and Monitoring Center for Security on Solaris
Installing Resource Manager Essentials on Solaris
Component Registration for Windows
Component Registration for Solaris
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Quick Start
VPN/Security Management Solution 2.2
1 SUPPLEMENTAL LICENSE AGREEMENT
SUPPLEMENTAL LICENSE AGREEMENT FOR CISCO SYSTEMS NETWORK MANAGEMENT SOFTWARE: CiscoWorks VPN/SECURITY MANAGEMENT SOLUTION (UNRESTRICTED AND RESTRICTED VERSIONS)
IMPORTANT—READ CAREFULLY: This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.
By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software. When used below, the term "server" refers to central processor unit.
ADDITIONAL LICENSE RESTRICTIONS
•
Twenty Device Restricted Version. Customer may manage up to twenty (20) devices across all components provided in this bundle with the exception of the Management Center for Cisco Security Agents. The Management Center for Cisco Security Agents can manage unlimited Cisco Security Agent devices that are licensed and purchased separately for deployment in the Customer's network environment. A device is defined as having its own IP address in the Customer's network environment. Please refer to the component installation guide for further device definition. Customers whose requirements exceed the restricted version limit of twenty (20) devices must upgrade to the unrestricted version of the Software.
•
Installation and Use. The Software components are provided to Customer solely to install, update, supplement, or replace existing functionality of the applicable Network Management Software product. Customer may install and use following Software components:
–
Common Services: Contains shared resources used by other components in this bundle. If some components of this bundle are installed on separate servers, a copy of Common Services may be installed with each component in Customer's network management environment.
–
Management Center for Cisco Security Agents (CSA MC): May be installed on one (1) server in Customer's network management environment.
Note
Customer may use CSA MC to manage an unlimited number of purchased Cisco Security Agents that are licensed and purchased separately.
–
Cisco Security Agents: Includes three (3) server agent licenses specifically for use with the VMS server(s). Agents may not be used with any other non-VMS server. Additional agents must be purchased separately.
–
Management Center for Performance: May be installed on one (1) server in Customer's network management environment.
–
Management Center for IDS Sensors: May be installed on one (1) server in Customer's network management environment.
–
Monitoring Center for Security: May be installed on one (1) server in Customer's network management environment.
–
Management Center for Firewalls: May be installed on one (1) server in Customer's network management environment.
–
Auto Update Server: May be installed on one (1) server in Customer's network management environment.
–
Management Center for VPN Routers: May be installed on one (1) server in Customer's network management environment.
–
Resource Manager Essentials (RME): May be installed on one (1) server in Customer's network management environment.
–
VPN Monitor: May be installed on one (1) server in Customer's network management environment.
•
Reproduction and Distribution. Customer may not reproduce nor distribute software.
DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.
Please see the Cisco Systems, Inc. Software License Agreement.
2 VPN/Security Management Solution Overview
CiscoWorks VPN/Security Management Solution (VMS), an integral part of the SAFE blueprint for network security, combines web-based tools for configuring, monitoring, and troubleshooting enterprise virtual private networks (VPNs), firewalls, and network and host-based intrusion detection systems (IDS). CiscoWorks VMS delivers the industry's first robust and scalable foundation and feature set that addresses the needs of small and large-scale VPN and security deployments.
This guide introduces network administrators to the basic tasks involved in installing VPN/Security Management Solution. This guide does not present the full scope of tasks and features provided by the software it introduces. For additional guidance on how to effectively deploy VMS, see the supplement to this document, CiscoWorks VPN/Security Management Solution Deployment Guide found on Cisco.com, at http://www.cisco.com/en/US/products/sw/cscowork/ps2330/products_white_paper09186a00801aa80c.shtml.
This section contains a list of package contents and "What's New?" information. Table 1 describes the capability of individual components.
VMS Contents
VMS 2.2 contains the Quick Start Guide for the VPN/Security Management Solution 2.2 and the following four sub-boxes:
•
VMS Management and Monitoring Centers for Windows (VMMC)—Contains the VMMC Startup Disk and provides the following components:
–
CiscoWorks Common Services
–
Management Center for Firewalls
–
Auto Update Server
–
Management Center for VPN Routers
–
Management Center for IDS Sensors
–
Monitoring Center for Security
–
Management Center for Cisco Security Agents
•
CiscoWorks VPN Monitor for Windows—Contains release notes and VPN Monitor CD-ROMs.
•
CiscoWorks Common Services for Solaris
–
CiscoWorks Common Services
•
VMS Management and Monitoring Centers for Solaris (VMMC)—Contains the VMMC Startup Disk and provides the following components:
–
Management Center for Firewalls
–
Auto Update Server
–
Management Center for VPN Routers
–
Management Center for IDS Sensors
–
Monitoring Center for Security
–
Monitoring Center for Performance
•
CiscoWorks Resource Manager Essentials—Contains release notes and the Resource Manager Essentials for Windows and Solaris CD-ROMs.
What's New?
VMS 2.2 introduces two new components. Management Center for Cisco Security Agents 4.0.1 (CSA MC) provides intrinsic, distributed security to your enterprise by deploying agents that defend against the proliferation of attacks across networks and systems. These agents use a set of rules provided by the Management Center and are selectively assigned to each client node on your network by the network administrator.
This version of VMS also introduces the Monitoring Center for Performance 2.0 (Performance Monitor), which monitors and troubleshoots the health and performance of services that contribute to enterprise network security. Performance Monitor enables users, without requiring expertise with IPSec or other security technologies, to increase service availability by isolating and troubleshooting significant events in their network as they occur.
VMS 2.2 provides installation of all Management Centers (MCs) from a single Installation CD-ROM (Startup Disk): VMS Management and Monitoring Centers 2.2 (VMMC). CiscoWorks Common Services (Common Services) was upgraded to include Service Pack 2 (SP2). All Management Centers were updated.
Each functional area of VMS is enhanced: firewall management, router management, IDS management, and security monitoring.
Major enhancements are:
•
Solaris support for IDS management, security monitoring, firewall and router management.
•
Ability to graphically illustrate the correlation between various metrics associated with active VPNs, and on a per device basis, identify all the networks and users connected by VPNs on Solaris systems.
•
Cisco Catalyst Firewall Service Module (FWSM) and Cisco PIX Security appliance syslog reports feature supported by Security Monitor.
•
Support for Cisco Catalyst Firewall and VPN service modules.
•
Extended support for security routers that includes firewall services, high availability VPNs, and multiple hub and spoke environments.
•
Support for IDS 4.1.
•
Improved host-based IDS functions that protect servers, and distributed firewall protection for desktops through replacement of the Cisco IDS Host Sensor with Cisco security agents based on Okena technology.
•
Simplified installation of most CiscoWorks VMS functions from a single CD-ROM.
3 Server and Client System Requirements
You can install all VMS components except Performance Monitor on Windows systems. You can install all components except VPN Monitor and CSA MC on Solaris systems as well. This section contains VMS system requirements and CSA MC browser requirements.
Note
Although VMS and LAN Management Solution (LMS) can coexist, we recommend that they reside on separate servers for optimal performance. See the CiscoWorks VPN/Security Management Solution Deployment Guide found on Cisco.com, at http://www.cisco.com/en/US/products/sw/cscowork/ps2330/products_white_paper09186a00801aa80c.shtml.
VMS System Requirements
Table 2 shows VMS server requirements and Table 3 shows VMS client requirements.
Note
To successfully install VMS components, please make sure that Terminal Services is turned off. See your Microsoft documentation.
Do not install any VMS components on a Windows server that is running any of the following services:
•
Primary domain controller.
•
Backup domain controller.
•
Terminal server.
Browser Requirements
All VMS components support Internet Explorer 6.0 with Service Pack 1 on Windows platforms. CSA MC supports Explorer Version 5.5 or higher. All components must have cookies and JavaScript enabled. This means using a maximum setting of "medium" as your Internet security setting. Locate this feature from the Tools > Internet Options menu. Select the Security tab.
Table 4 identifies Netscape Navigator support by individual components where these requirements differ from VMS as a whole.
Table 4 Netscape Navigator Support
Component | Windows Browser Requirements | Solaris Browser Requirements
CiscoWorks Common Services (Common Services) | Netscape Navigator 4.79; Netscape Navigator 7.1 | Netscape Navigator 4.76; Netscape Navigator 7.0
Management Center for Firewalls (Firewall MC) | Netscape Navigator 7.1 | Netscape Navigator 7.0
Auto Update Server (AUS) | Netscape Navigator 7.1 | Netscape Navigator 7.0
Management Center for IDS Sensors (IDS) and Security Monitor | Netscape Navigator 4.79 | Netscape Navigator 4.76
Management Center for VPN Routers (Router MC) | Netscape Navigator 7.1 | Netscape Navigator 7.0
Management Center for Cisco Security Agents (CSA MC) | Netscape Navigator 7.1 (with cookies and JavaScript enabled) [1] | Netscape Navigator 7.0 (with cookies and JavaScript enabled) [2]
Resource Manager Essentials (RME) | Netscape Navigator 4.79; Netscape Navigator 7.1 | Netscape Navigator 4.76; Netscape Navigator 7.0
VPN Monitor | Netscape Navigator 7.1 | Netscape Navigator 7.0
Monitoring Center for Performance (Performance Monitor) | Netscape Navigator 4.79 | Netscape Navigator 4.76
[1] Locate this feature from the following menu, Edit > Preferences > Advanced.
[2] Locate this feature from the following menu, Edit > Preferences > Advanced.
Note
When you access the CSA MC user interface from the CiscoWorks Desktop Server, access will be through SSL. See the "Important Installation Notes for Windows" section.
4 VMS Installation on Windows
This section describes installation procedures for CiscoWorks VMS Management and Monitoring Centers (VMMC) component applications, VPN Monitor, and RME. It also provides uninstalling procedures for Cisco IDS Host Sensor and Console (Cisco HIDS).
Caution
Information in this Quick Start Guide is intended only for first-time installation of VMS components. Do not follow these instructions on systems with existing live deployments, where they could cause harm. Please see your individual component's installation documentation listed in the "Related Documentation" section for upgrade instructions.
Before you begin
•
Verify all system requirements are met. See the "VMS System Requirements" section.
•
Close all open or active programs. Do not run other programs during installation.
Note
Verify Terminal Services is not running during installation. See your Microsoft documentation.
Important Installation Notes for Windows
This section contains important information that you should read before you begin installation:
•
The CSA MC-recommended deployment is to have only CSA MC and Security Monitor installed as part of your VMS bundle on the CSA MC system. When you install CSA MC, an agent containing the policies necessary to protect CSA MC and other limited CiscoWorks daemons and operations is automatically installed as well. The policies that this agent enforces are fairly restrictive and are appropriate if you are running the recommended deployment.
If you are running non-VMS products or software on the CiscoWorks server, this restrictive policy might impede these other products. If you do install non-VMS products, you might need to remove the restrictive policy from the agent protecting the system, leaving you with a more open policy. Without the restrictive policy, the system remains protected, but the policy allows more products to run on the system and access network resources. Therefore, the system is inherently less secure. If you want to deploy CSA MC on a system running non-VMS software, navigate to the CiscoWorks VMS Systems group and remove the CiscoWorks Restrictive VMS Module from the group.
Note
If you feel comfortable doing so, you can edit the CiscoWorks Restrictive VMS Module instead of removing it. Your edits enable the actions your other installed products require. See Using Management Center for Cisco Security Agents 4.0 at http://www.cisco.com/en/US/products/sw/cscowork/ps5212/products_user_guide_book09186a008019b759.html for more information.
•
Common Services installation takes longer than you might expect because component patches, including SP2, are installed automatically after you install Common Services.
•
Only those with administrative privileges can perform the installations.
•
CiscoWorks applications are installed in the default directory SystemDrive:\Program Files\CSCOpx. If you select another directory during installation, the application is installed in that directory.
•
If errors occur during installation, check the installation log in the root directory on the drive where the operating system is installed. Each installation creates a new log file. For example, the CiscoWorks Common Services installation creates SystemDrive:\CiscoWorks_setupxxx.log, where xxx is the log file for the last CiscoWorks application installed.
•
You can click Cancel at any time to end the installation. However, any changes to your system (for example, installation of new files or changes to system files) will not be undone.
•
If you want to use secure access between the client browser and the management server, you can enable or disable SSL from the CiscoWorks desktop.
•
If SSL is enabled:
–
The URL begins with https instead of http to indicate a secure connection.
–
The port number following the server name is 1742 instead of 1741.
You cannot enable SSL on the CiscoWorks Server if there is an application that is not SSL-compliant installed on the server.
Note
We recommend that you have SSL enabled during installation unless you are using other CiscoWorks components that do not support SSL. CSA MC cannot be installed on a server if you have components that do not support SSL. For help with SSL, consult the User Guide for CiscoWorks Common Services 2.2.
•
The VMMC Startup Disk might not perform optimally when accessed from a remote drive. We recommend that you avoid remote installations. Network inconsistencies might cause installation errors if you are installing from a remote mount point.
Securing Windows 2000
The least secure component of a system defines how secure the system is. Before installing your server software, you should take some basic steps to secure the target server and operating system:
•
Install the operating system on its own partition. Installing the operating system on one partition, and your software and data on another, protects your data and applications from viruses and attempted security breaches.
•
Use strong passwords. A strong password has at least eight characters and contains numbers, letters (both uppercase and lowercase), and symbols. You can edit the Local Security Policy to configure Windows 2000 to require strong passwords.
•
Avoid creating network shares. If you must create a network share, secure the shared resources with strong passwords. However, network shares are strongly discouraged, and you should disable NETBIOS completely.
•
Disable unnecessary accounts. Remove the default Guest account. Make sure that all remaining accounts are protected with strong passwords. Require a password to log in.
•
Secure the Registry. Disable or limit remote access to the Registry.
•
Apply all hotfixes and security patches. Visit the Microsoft website regularly and apply the most recent security patches. Use the Windows Update feature regularly to ensure that the most recent critical updates are installed on the server.
•
Disable unused and unneeded services. At a minimum, Windows requires the following services to run: DNS Client, Event Log, Plug & Play, Protected Storage, and Security Accounts Manager. Check your software documentation for any additional Windows services required by your software. Do not install IIS.
•
Disable all network protocols except Internet Protocol (TCP/IP). Other protocols can be used to gain access to your server. Limiting the network protocols used limits the access points to your server. If you are not using network shares on the server, disable NETBIOS.
•
Monitor the security of your system regularly. Log and review system activity. Use security tools, such as the Microsoft Security Configuration Tool Set (MSCTS) and Fport, to periodically review the security configuration of your system. You can obtain MSCTS from the Microsoft website.
•
Limit physical access to your server. If your server contains removable media drives, set the server to boot from the hard drive first. Your data can be compromised if someone boots your server from a floppy disk. You can typically set the boot order in the system BIOS. Make sure you protect the BIOS with a strong password.
•
Do not install remote access or administration tools on the server. These tools provide a point of entry to your server and are considered a security risk.
•
Run a virus scanning application on the server. Virus scanning software can prevent trojan horse applications from infecting your server. Update the virus signatures regularly.
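One way to audit the "Disable unused and unneeded services" item above, as an added Python example that is not part of the Cisco guide: it parses the text output of net start and compares it with the minimum service list and the services the guide says not to run. The sample output is constructed, "Example Management Daemon" is a placeholder for services your software requires, and the display names of the disallowed services are assumptions.

```python
import re

# Minimum services named in the hardening list above.
MINIMUM = ["DNS Client", "Event Log", "Plug & Play",
           "Protected Storage", "Security Accounts Manager"]

# Services the guide says must not run on the VMS server. The display names
# are assumptions about how Windows lists them in "net start" output.
DISALLOWED = {
    "IIS Admin Service": "Do not install IIS",
    "World Wide Web Publishing Service": "Do not install IIS",
    "Terminal Services": "Terminal Services must be turned off",
}

# Constructed sample of "net start" output (not captured from a real server).
SAMPLE_NET_START = """These Windows 2000 services are started:

   DNS Client
   Event Log
   Example Management Daemon
   Messenger
   Plug and Play
   Protected Storage
   Security Accounts Manager
   Terminal Services
   World Wide Web Publishing Service

The command completed successfully.
"""


def norm(name):
    """Compare names case-insensitively and treat '&' the same as 'and'."""
    return re.sub(r"\s+", " ", name.replace("&", " and ")).strip().lower()


def parse_net_start(output):
    """Service names are the indented, non-empty lines of the output."""
    return [ln.strip() for ln in output.splitlines()
            if ln.strip() and ln[0] in " \t"]


def audit(output, software_services=()):
    """Classify running services against the guide's hardening list.

    software_services: extra services your installed software documents
    as required (hypothetical parameter, supplied by the administrator).
    """
    running = parse_net_start(output)
    running_norm = {norm(s) for s in running}
    allowed = {norm(s) for s in MINIMUM} | {norm(s) for s in software_services}
    disallowed = {norm(k): v for k, v in DISALLOWED.items()}
    report = {
        "missing_minimum": [s for s in MINIMUM if norm(s) not in running_norm],
        "disallowed": [],   # (service, reason from the guide)
        "unexpected": [],   # running, but neither minimum nor documented
    }
    for svc in running:
        key = norm(svc)
        if key in disallowed:
            report["disallowed"].append((svc, disallowed[key]))
        elif key not in allowed:
            report["unexpected"].append(svc)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_NET_START, ["Example Management Daemon"])
    for category, items in result.items():
        print(category, items)
```

Services reported as unexpected are candidates for review, not automatic removal; check them against your software documentation first.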
Order of Installation
This section presents a high level overview of recommended installation steps. We recommend reading through the order of installation steps suggested here and then referring to the appropriate sections that follow for more detailed instructions.
Step 1
If applicable, uninstall Cisco HIDS and Console. See the "Uninstalling Cisco IDS Host Sensor and Console" section.
Note
If the CSA MC or the agent installer detects any Cisco IDS Host Sensor software on the system, the installation stops.
Step 2
Use the vmmc_verify_digest.exe executable file, from Cisco.com or on the VMMC Startup Disk, to verify that all media on the CD-ROM is authentic and error free. See the "Verifying the Integrity of VMMC Files" section.
Step 3
Install Common Services from the VMMC Startup Disk. See the "Installing CiscoWorks Common Services and Service Pack 2 on Windows" section.
Note
The installation of SP2 will start automatically once Common Services installation is complete and you reboot your system. You must wait while the SP2 installation takes place. This will take approximately 7 minutes.
Step 4
Install the desired VMMC applications on the VMMC Startup Disk in any order. See any of the following:
•
"Uninstalling Cisco IDS Host Sensor and Console" section.
•
"Installing CiscoWorks Common Services and Service Pack 2 on Windows" section.
•
"Installing Management Center for Firewalls on Windows" section.
•
"Installing Auto Update Server on Windows" section.
•
"Installing Management Center for VPN Routers on Windows" section.
•
"Installing Management Center for IDS Sensors and Monitoring Center for Security on Windows" section.
•
"Installing Management Center for Cisco Security Agents" section.
Note
If you chose to install CSA MC first and you try to install another component, the CSA MC agent component might disallow the action or it might display multiple queries to which you must respond. See the "Disabling CSA MC Agent Software to Install Other Components" section for instructions on disabling and re-enabling agent software.
Step 5
Install RME. See the "Installing Resource Manager Essentials on Windows" section.
Step 6
Install VPN Monitor. See the "Installing VPN Monitor" section.
Step 7
See the "Post-Installation" section for important registration and setup information.
Uninstalling Cisco IDS Host Sensor and Console
We recommend that you uninstall the Cisco IDS Host Sensor and Cisco IDS Host Sensor Console software before installing any VMS components. In particular, if CSA MC or the agent installer detects any Cisco IDS Host Sensor software on the system, the installation stops.
Uninstalling Cisco HIDS
Before You Begin
You must change the mode of the Host Sensor (Agent) installed on the Console host before you uninstall the Console. The following procedure provides steps for changing the Agent mode.
Note
These uninstallation steps along with any additional information you might need to successfully uninstall Cisco HIDS can also be found on Cisco.com, at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/host/host25/install/.
To uninstall the Console:
Step 1
To change the Agent mode:
a.
Log into the Console.
b.
To display the Agent Management view, click Agents.
c.
Select the Agent that is installed on the Console host.
d.
If the Agent is in SecureSelect-Warning mode, close the Console.
e.
To change the Agent mode to SecureSelect-Warning mode, right-click the Agent and select Set to SecureSelect-Warning Mode.
f.
Close the Console.
Step 2
From the Windows taskbar, select Start > Programs > Cisco HIDS > Cisco HIDS Uninstall.
The Install Shield Wizard appears.
Step 3
Click Yes in the Uninstall Setup window to remove the Cisco IDS Host Console. The publickey and serverkey are copied to the PreserveKeys folder.
Step 4
Click OK to remove the Console.
Step 5
Click Finish to reboot the computer and complete the uninstallation.
Installing VMS Management and Monitoring Center 2.2 Applications on Windows from the Startup Disk
You can use the VMMC Startup Disk to install any Management Center component from a single CD-ROM. Follow the steps listed here to locate component documentation included on the Startup Disk, begin the installation, and then go to the VMMC installation steps below for the components you would like to install.
Note
We strongly recommend you verify the integrity of your files before beginning VMMC installation. See the "Verifying the Integrity of VMMC Files" section.
Step 1
Insert the VMMC Startup Disk into the CD-ROM drive. At the top level of the directory structure, you will see folders corresponding to each VMMC component. From here, you can double-click any component folder to view and access that component's Documentation directory for a complete listing of all necessary component information and installation files.
Step 2
If autorun is enabled on your system, the CiscoWorks VMS Management and Monitoring Centers Installer window opens automatically.
Step 3
If autorun is not enabled, click Start > Run. In the Run dialog box, enter e:\autorun.exe, where e is your CD-ROM drive.
The CiscoWorks VMS Management and Monitoring Centers 2.2 Setup Program splash screen appears.
Step 4
Click Install.
The CiscoWorks InstallShield wizard appears listing all VMMC components and requesting you to select the check boxes for the components you want to install. There are also options to Select All and to Cancel installation.
Step 5
Select all those components you want to install.
Note
Select All will not proceed if any of the items selected require a system reboot. Those components (Common Services and CSA MC) requiring a reboot must be installed before the Select All option will work.
Step 6
Click Next. The InstallShield Wizard prompts you with a screen showing which components you selected and giving you the choice to reconsider your choices, cancel, or proceed.
Step 7
Click Install to continue.
Step 8
The Startup Disk begins running the installation scripts in the order selected from the menu with which you were presented earlier.
Note
If you install Common Services, Router MC, and/or IDS MC, you will be prompted to restart the system. We recommend that you restart before continuing with remaining component installation. Repeat steps 2 and 3 to restart the VMMC Install Shield Wizard so that you can install other VMMC tools.
Note
CSA MC will automatically restart the system. Repeat steps 2 and 3 to restart the VMMC Install Shield Wizard so that you can install other VMMC tools.
Step 9
Go to the section corresponding to each component below for typical installation instructions.
Verifying the Integrity of VMMC Files
The VMMC Startup Disk provides a vmmc_verify_digest.exe executable file with which you can perform integrity checks for all files on the Startup Disk. This tool is also available on Cisco.com for those who have an account established. We recommend that the tool be downloaded from this location to ensure maximum security.
To verify the authenticity and integrity of your VMMC files:
Step 1
Do one of the following:
•
Go to http://www.cisco.com/public/sw-center/cw2000/vms-planner.shtml to securely obtain a verify_digests.exe file and enter run vmmc_verify_digest.exe at the DOS command prompt.
or
•
Insert the VMMC Startup Disk into your CD-ROM drive and enter run vmmc_verify_digest.exe at the DOS command prompt.
Caution
When you download the digest file, make sure your browser is in https mode for a secure download.
The vmmc_verify_digest.exe file runs through a list of files that it needs to verify. After this is done, you will be prompted for the directory where the files are located.
Note
You can press any key to exit after the verification of the files on the CD or local directory.
Step 2
Highlight the Startup Disk location by browsing the folders on the CD-ROM and pressing enter. Verify_digests.exe will validate each file.
Note
You can enter the CD-ROM drive letter and check the files on the Startup Disk itself or you can copy the files to your system and check them from the directory to which they were copied.
The output displays OK if the files are authentic. If any files are found to be inauthentic (that is, not from Cisco) or corrupt, Failure is displayed.
Step 3
Do one of the following:
•
If you receive any failure messages, please see your system administrator before proceeding with VMMC installation.
or
•
Check the location of the files if you receive a File not found message. This means that the digest program cannot locate a file.
Step 4
Proceed with installation if there are no failure messages.
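The kind of check a digest tool performs, as an added Python example; it is not Cisco's vmmc_verify_digest.exe, and the manifest format, the SHA-256 algorithm and the "Not in manifest" status are assumptions, since the guide does not say how the tool stores or computes digests. It reports the OK, Failure and File not found outcomes described above for a constructed sample tree.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large installer images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse '<sha256 hex>  <relative path>' lines (assumed manifest format)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX:
            raise ValueError(f"malformed manifest line {lineno}")
        entries[parts[1].replace("\\", "/")] = parts[0].lower()
    return entries


def _inside(root, path):
    """True if path stays under root (rejects '..' and other-drive entries)."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:
        return False


def verify_tree(root, manifest):
    """Return {relative path: status} for each manifest entry and stray file."""
    root = os.path.realpath(root)
    results = {}
    for rel, expected in sorted(manifest.items()):
        path = os.path.realpath(os.path.join(root, rel))
        if not _inside(root, path):
            results[rel] = "Failure"          # entry points outside the media
        elif not os.path.isfile(path):
            results[rel] = "File not found"   # wrong directory or missing file
        elif hmac.compare_digest(sha256_file(path), expected):
            results[rel] = "OK"
        else:
            results[rel] = "Failure"          # corrupt or altered content
    listed = {os.path.normcase(os.path.normpath(rel)) for rel in manifest}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if os.path.normcase(os.path.normpath(rel)) not in listed:
                results[rel.replace(os.sep, "/")] = "Not in manifest"
    return results


def safe_to_install(results):
    """Stricter than the guide (an assumption): unlisted files also block."""
    return bool(results) and all(s == "OK" for s in results.values())


def demo():
    """Build a constructed sample tree, damage it, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "media")
        files = {"setup.exe": b"installer", "docs/readme.txt": b"readme",
                 "patch/update.bin": b"original patch"}
        lines = []
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
        lines.append(f"{'0' * 64}  missing/cab1.cab")   # listed, not on media
        lines.append(f"{'0' * 64}  ../outside.txt")     # escapes the media root
        # Simulate damage that happens after the manifest was produced.
        with open(os.path.join(root, "patch", "update.bin"), "wb") as fh:
            fh.write(b"altered patch")
        with open(os.path.join(root, "extra.dll"), "wb") as fh:
            fh.write(b"unlisted")
        return verify_tree(root, parse_manifest("\n".join(lines)))


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:16} {rel}")
```

A digest check is only as trustworthy as the source of the digests, which is why the guide recommends obtaining the tool from Cisco.com over https rather than from the media being checked.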
Installing CiscoWorks Common Services and Service Pack 2 on Windows
Note
You must install Common Services and SP2 before any other VMS component.
Step 1
After you select the check box for Common Services on the VMMC Install Shield Wizard, Common Services will always be the first application installed.
Note
To run the Common Services installation manually, insert the VMMC Startup Disk into your CD-ROM drive, locate the Common Services top level directory, and double-click the setup.exe file.
Step 2
Follow the prompts, entering all required information. We recommend that you select an Express installation. Select another installation option only if you want to specify a destination directory other than SystemDrive:\Program Files\CSCOpx. For additional assistance, see Installation and Setup Guide for CiscoWorks Common Services (includes CiscoView) for Windows.
Note
To have the most recent updates for Common Services, you must install CiscoWorks VMS Update 1 at this point.
Step 3
Install CiscoWorks VMS Update 1 by clicking the setup.exe file located in the Patches > VMSUpdate folder.
Step 4
You must restart your system before installing any more VMS components.
Once reboot is complete, and you initiate installation of one or more VMS components, a screen will appear stating, "Please wait, installer is checking your system...".
You will then receive the following error message:
Common Services SP2 is not installed. Installation of Common Services SP2 will begin now.
Followed by the following Installer message:
Installing Common Services SP2. This will take approximately 7 minutes. Please wait....
When SP2 installation completes, the installation of two Patch updates will begin. No user intervention is required but you will see a splash screen that says Installing Patch CSCec43722-1. A minimized DOS window will be present on your desktop while this installation takes place. Should you maximize the window during the patch installation you will see that the Patch is being installed.
In very quick succession after the installation of Patch update CSCec43722-1, a second Patch Update installation will begin, signified by a splash screen that says Installing Patch CSCed18592-1. There will also be a minimized DOS window on your desktop during this Patch installation.
Note
These Patch installations occur very rapidly, in quick succession and require no user intervention.
Step 5
Repeat any necessary steps described in the "Installing VMS Management and Monitoring Center 2.2 Applications on Windows from the Startup Disk" section.
Installing Management Center for Firewalls on Windows
Note
You must install Common Services and SP2 before any other VMS component.
Step 1
After you select the check box for Managing PIX Firewalls, Catalyst Firewall SM on the VMMC Install Shield Wizard, Firewall MC installation will begin immediately after Common Services and SP2 installations are complete.
Note
If Common Services 2.2 is installed on your system, you can run Firewall MC installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the Firewall MC top level directory, and double-clicking the setup.exe file.
Step 2
Follow the prompts, entering all required information. For additional assistance, see Installing Management Center for Firewalls 1.2.2 on Windows 2000 and Solaris 2.8.
Step 3
To use the activity approver email notification feature, you must configure the CiscoWorks email server. The email configuration option is provided in the Advanced installation, not the Typical installation of Common Services. If you did not configure the email server during installation, you can do so from the CiscoWorks desktop by selecting VPN/Security Management Solution > Administration > Common Services > Preferences.
Step 4
After Firewall MC and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.
Installing Auto Update Server on Windows
Note
You must install Common Services and SP2 before any other VMS component.
Step 1
After you select the check box for Auto Update Server on the VMMC Install Shield Wizard, AUS installation will begin, in the order displayed.
Note
If Common Services 2.2 is installed on your system, you can run AUS installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the AUS top level directory, and double-clicking the setup.exe file.
Step 2
Follow the prompts, entering all required information. For additional assistance, see Installing Auto Update Server 1.1 on Windows 2000 and Solaris.
After AUS and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.
Installing Management Center for VPN Routers on Windows
Note
You must install Common Services and SP2 before any other VMS component.
Step 1
After you select the check box for Managing VPN Routers, Catalyst VPN SM, IOS Firewalls on the VMMC Install Shield Wizard, Router MC installation will begin, in the order shown.
Note
If Common Services 2.2 is installed on your system, you can also run Router MC installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the Router MC top level directory, and double-clicking the setup.exe file.
Step 2
Follow the prompts, entering all required information. For additional assistance, see Release Notes for Management Center for VPN Routers 1.2.1 on Windows 2000 and Solaris.
Step 3
In both the Password field and the Confirm Password field, enter a password for internal access to the Router MC database. The password you provide is used automatically in the background to allow certain system events (such as backup and restore operations) to occur.
Step 4
To use the activity approver email notification feature, you must configure the CiscoWorks email server. The email configuration option is provided in the Advanced installation of Common Services (not in the Typical installation). If you did not configure the email server during installation, you can do so from the CiscoWorks desktop by selecting VPN/Security Management Solution > Administration > Common Services > Preferences.
Step 5
You must restart your system before installing any more VMS components. You will be returned to the VMMC Install Shield Wizard after the system reboots. Repeat any necessary steps described in the "Installing VMS Management and Monitoring Center 2.2 Applications on Windows from the Startup Disk" section.
After Router MC and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.
Installing Management Center for IDS Sensors and Monitoring Center for Security on Windows
Note
You must install Common Services and SP2 before any other VMS component.
While it is possible to colocate the Security Monitor with other Management Centers, we recommend that you install Security Monitor on a server separate from your management application for a production network. This recommendation is based on the potentially heavy-traffic processing load that might result from monitoring Firewall MC or IDS Sensors or both.
Step 1
After you select the check box for Managing IDS Sensors, Catalyst IDS SM, and Security Monitoring on the VMMC Install Shield Wizard, IDS MC and Security Monitor installation will begin, in the order displayed.
Note
If Common Services 2.2 is installed on your system, you can also run IDS MC and Security Monitor installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the IDS MC and Security Monitor top level directory, and double-clicking the setup.exe file.
Step 2
To install both IDS MC and Security Monitor, select the Typical installation radio button.
Step 3
To install either IDS MC or Security Monitor, select the Custom installation radio button. Then, click Next.
a.
To install IDS MC, select the IDS MC only radio button and click Next.
b.
To install Security Monitor, select the Security Monitor only radio button and click Next.
Step 4
Follow the prompts, entering all required information. You will be prompted to select a database location, enter a database password and specify UDP ports. For additional assistance, see Installing Management Center for IDS Sensors 1.2 and Monitoring Center for Security 1.2.
Step 5
You must restart your system before installing any more VMS components. You will be returned to the VMMC Install Shield Wizard after the system reboots. Repeat any necessary steps described in the "Installing VMS Management and Monitoring Center 2.2 Applications on Windows from the Startup Disk" section.
Step 6
After IDS MC, Security Monitor, and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.
Installing Management Center for Cisco Security Agents
When you install CSA MC, an agent containing the policies necessary to protect CSA MC and other CiscoWorks daemons and operations is automatically installed as well. The policies that are enforced by this agent protect CSA MC, other VMS components, and general CiscoWorks operations.
Uninstalling Cisco HIDS
CSA MC can be installed at any time from the Startup Disk before or after Common Services or any other application. However, because of potential incompatibilities between Cisco IDS Host Sensor software and Management Center for Cisco Security Agents (CSA MC), you must uninstall the Cisco IDS Host Sensor and Cisco IDS Host Sensor Console software before installing CSA MC or agent software. See the "Uninstalling Cisco IDS Host Sensor and Console" section.
Note
Any system on which you are installing CSA MC must not have the Cisco IDS Host Sensor Console or the Cisco IDS Host Sensor installed. If the CSA MC or the agent installer detects any Cisco IDS Host Sensor software on the system, the installation stops.
CSA MC Component Registration
CSA MC installation will not run without the appropriate production license. If you haven't already done so, you must obtain a production license using the PAK label affixed to the claim certificate for CSA MC located in the separate licensing envelope. See the "Component Registration for Windows" section for details.
Before You Begin
CSA MC has some unique system requirements. Before installing this component, see the "Browser Requirements" section.
Disabling CSA MC Agent Software to Install Other Components
If you are installing or uninstalling various VMS components and you have a Cisco Security Agent protecting VMS, you should disable the agent service before you begin the installation or uninstallation of any other VMS component. (You do not have to do this when installing or uninstalling CSA MC.)
To disable the agent service:
Step 1
From a command prompt enter net stop "Cisco Security Agent".
Step 2
If you receive a prompt asking if you want to stop the agent service, select Yes.
Step 3
Enter net start "Cisco Security Agent" to enable the service at any time.
Note
If you do not disable the agent service and you try to alter a CiscoWorks system configuration, the agent might disallow the action or it might display multiple queries to which you must respond.
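The disable and re-enable steps above can be wrapped in a batch file so that the agent is not left stopped after an installation. This is an added example, not part of the Cisco guide; the script name and the installer path argument are assumptions, and only the two `net` commands come from the procedure.

```bat
@echo off
rem Added example: stop the agent, run one installer, then re-enable and verify.
rem Usage (hypothetical script name): vms-install.cmd D:\path\to\setup.exe
setlocal
set "SVC=Cisco Security Agent"

if "%~1"=="" (
  echo Usage: %~nx0 path\to\setup.exe
  exit /b 2
)
if not exist "%~1" (
  echo Installer not found: %~1
  exit /b 2
)

rem Step 1: stop the agent service. Answer Yes if the agent prompts (Step 2).
net stop "%SVC%"

rem "net start" with no arguments lists running services; confirm the agent is gone.
net start | find /i "%SVC%" >nul
if not errorlevel 1 (
  echo %SVC% is still running. Installer not started.
  exit /b 1
)

rem Run the installer. setup.exe may hand off to a child process and return
rem early, so wait for the operator to confirm before protection is restored.
start /wait "" "%~1"
set "RC=%ERRORLEVEL%"
echo Press a key once the installation wizard has finished.
pause >nul

rem Step 3: re-enable the agent, then verify that it is actually running.
net start "%SVC%"
net start | find /i "%SVC%" >nul
if errorlevel 1 (
  echo WARNING: %SVC% is NOT running. Start it manually before continuing.
  exit /b 1
)
echo %SVC% is running again. Installer exit code: %RC%
exit /b %RC%
```

A non-zero exit with the warning message means the server is currently unprotected by the agent and should not be returned to service until `net start "Cisco Security Agent"` succeeds.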
Installing CSA MC
Note
You must install Common Services and SP2 before any other VMS component.
Step 1
After you select the check box for Managing Cisco Security Agents - Servers and Desktops on the VMMC Install Shield Wizard, CSA MC installation will begin, in the order in which you checked the boxes on the wizard.
Note
To run the CSA MC installation manually, insert the VMMC Startup Disk into your CD-ROM drive, locate the CSA MC top level directory, and double-click the setup.exe file.
Step 2
Follow the prompts, entering all required information. For additional assistance, see Installing Management Center for Cisco Security Agents.
Step 3
If you are installing or uninstalling various VMS components and you have a Cisco Security Agent protecting VMS, see the "Disabling CSA MC Agent Software to Install Other Components" section.
Step 4
Register CSA MC using the PAK label affixed to the claim certificate for CSA MC located in the separate licensing envelope. See the "Component Registration for Windows" section for details.
Caution
CSA MC installation will not run without the appropriate production license.
Step 5
When installation is complete, read Chapter 3, "Quick Start Configuration" for setup instructions. See the "Post-Installation" section of this document for information on setting up the CiscoWorks Desktop Server.
RME Gatekeeper Remote Access Issue
Remote access to the RME Gatekeeper daemon is not required for correct operation of any of the components in VMS. Therefore, remote client access to this daemon is normally disabled in the CiscoWorks VMS module policy. If you have non-VMS products installed on your VMS system that require the RME Gatekeeper daemon to be accessed remotely, modify the CSA MC VMS policy:
Step 1
Locate the rule with description CiscoWorks RME Gatekeeper daemon, server for UDP and TCP services in the CiscoWorks VMS Module policy in CSA MC.
Step 2
Enable this rule and regenerate the rule program.
Note
Refer to Using Management Center for Cisco Security Agents 4.0 for instructions on enabling rules and regenerating rule programs.
Installing Resource Manager Essentials on Windows
Note
RME is located on its own component CD-ROM.
Step 1
Locate the Installation and Setup Guide for Resource Manager Essentials on Windows on the component CD-ROM or on Cisco.com, as described in the "Related Documentation" section for prerequisite and setup information.
Step 2
Follow the steps in the section "Performing a New Installation", in Chapter 1, "Installing RME."
Note
We recommend that you change the RME database password when prompted to do so.
Step 3
After you complete installation, verify that RME was installed correctly as follows:
a.
Access the CiscoWorks desktop after following the installation and setup instructions in the "Post-Installation" section.
b.
Select System Configuration > About the Server > Applications and Versions. The CiscoWorks About the Server page appears.
c.
Check the Applications Installed table. RME should be listed as installed and enabled on your system.
Step 4
Follow the steps in Chapter 2, "Preparing to Use RME" of the Installation and Setup Guide for Resource Manager Essentials on Windows.
Step 5
Reinsert the VMMC Startup Disk in order to apply the necessary patches.
Step 6
Install Incremental Device Update (IDU) 5.0 for Resource Manager Essentials 3.5 by clicking the setup.exe file located in the Patches folder on the VMMC Startup Disk.
Note
You can also download the latest IDU from http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-rme. See Installation and Setup Guide for Resource Manager Essentials on Windows, Software Release 3.5 for details.
Step 7
Install CiscoWorks VMS 2.2 Update 1 by clicking setup.exe from the Patches > VMSUpdate folder.
Step 8
See the "Post-Installation" section of this document for information on setting up the CiscoWorks Desktop Server.
Note
Remote access to the RME Gatekeeper daemon is not required for correct operation of any of the components in VMS. Therefore, remote client access to this daemon is normally disabled through a deny rule in the "CiscoWorks VMS module" policy. See the "RME Gatekeeper Remote Access Issue" section for details.
Installing VPN Monitor
Note
VPN Monitor is located on its own component CD-ROM.
Step 1
Locate Installing VPN Monitor on Windows 2000 and Solaris on the component CD-ROM or on Cisco.com, as described in the "Related Documentation" section for prerequisite and setup information.
Step 2
Follow the steps in the section "Installing VPN Monitor on Windows 2000 and Windows NT", in Chapter 2, "Installing and Uninstalling VPN Monitor on Windows 2000 and Windows NT."
Step 3
Follow the steps in Chapter 2, "Preparing to Use RME" of the Installation and Setup Guide for Resource Manager Essenti


