
CiscoWorks VPN/Security Management Solution

VPN/Security Management Solution 2.2 (Basic)

Table Of Contents

VPN/Security Management Solution 2.2 (Basic)

SUPPLEMENTAL LICENSE AGREEMENT

VPN/Security Management Solution Overview

VMS Contents

What's New?

Server and Client System Requirements

VMS System Requirements

CSA MC Browser Requirements for Windows

VMS Installation

Important Installation Notes

Securing Windows 2000

Order of Installation

Uninstalling Cisco IDS Host Sensor and Console

Installing VMS Management and Monitoring Center 2.2 Applications from the Startup Disk

Verifying the Integrity of VMMC Files

Installing CiscoWorks Common Services and Service Pack 2

Installing Management Center for Firewalls

Installing Auto Update Server

Installing Management Center for VPN Routers

Installing Management Center for IDS Sensors and Monitoring Center for Security

Installing Management Center for Cisco Security Agents

Update for 99% CPU Utilization (CSCdt73198)

Post-Installation

Related Documentation

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information


Quick Start

VPN/Security Management Solution 2.2 (Basic)


1 SUPPLEMENTAL LICENSE AGREEMENT

SUPPLEMENTAL LICENSE AGREEMENT FOR CISCO SYSTEMS NETWORK MANAGEMENT SOFTWARE: CiscoWorks VPN/SECURITY MANAGEMENT SOLUTION (BASIC-FIVE DEVICE RESTRICTED VERSION)

IMPORTANT - READ CAREFULLY: This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.

By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software. When used below, the term "server" refers to central processor unit.

ADDITIONAL LICENSE RESTRICTIONS

Five Device Restricted Version. Customer may manage up to five (5) devices across all components provided in this bundle with the exception of the Management Center for Cisco Security Agents. The Management Center for Cisco Security Agents can manage unlimited Cisco Security Agent devices that are licensed and purchased separately for deployment in the Customer's network environment. A device is defined as having its own IP address in the Customer's network environment. Please refer to the component installation guide for further device definition. Customers whose requirements exceed the restricted version limit of five (5) devices must purchase the twenty (20) device restricted version or unrestricted version of the Software.

Installation and Use. The Software components are provided to Customer solely to install, update, supplement, or replace existing functionality of the applicable Network Management Software product. Customer may install and use the following Software components:

Management Center for Cisco Security Agents (CSA MC): May be installed on one (1) server in Customer's network management environment.


Note Customers may use CSA MC to manage an unlimited number of purchased Cisco Security Agents that are licensed and purchased separately.


Cisco Security Agents: Includes three (3) server agent licenses specifically for use with the VMS server(s). Agents may not be used with any other non-VMS server. Additional agents must be purchased separately.

CiscoWorks Common Services: Contains shared resources used by other components in this bundle. If some components of this bundle are installed on separate servers, a copy of Common Services may be installed with each component in Customer's network management environment.

Management Center for IDS Sensors: May be installed on one (1) server in Customer's network management environment.

Monitoring Center for Security: License may be installed on one (1) server in Customer's network management environment.

Management Center for Firewalls: May be installed on one (1) server in Customer's network management environment.

Management Center for VPN Routers: May be installed on one (1) server in Customer's network management environment.

Auto Update Server: May be installed on one (1) server in Customer's network management environment.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Please see the Cisco Systems, Inc. Software License Agreement.

2 VPN/Security Management Solution Overview

CiscoWorks VPN/Security Management Solution (VMS), an integral part of the SAFE blueprint for network security, combines web-based tools for configuring, monitoring, and troubleshooting enterprise virtual private networks (VPNs), firewalls, and network and host-based intrusion detection systems (IDS). CiscoWorks VMS delivers the industry's first robust and scalable foundation and feature set that addresses the needs of small and large-scale VPN and security deployments.

This guide introduces network administrators to the basic tasks involved in installing VPN/Security Management Solution. This guide does not present the full scope of tasks and features provided by the software it introduces. For additional guidance on how to effectively deploy VMS, see the supplement to this document, CiscoWorks VPN/Security Management Solution Deployment Guide found on Cisco.com, at http://www.cisco.com/en/US/products/sw/cscowork/ps2330/products_white_paper09186a00801aa80c.shtml.

This section contains a list of package contents and "What's New?" information. Table 1 describes the capability of individual components.

VMS Contents

VMS 2.2 contains the Quick Start Guide for the VPN/Security Management Solution 2.2, and the following sub-box:

VMS Management and Monitoring Centers for Windows (VMMC)—Contains the VMMC Startup Disk and provides the following components:

CiscoWorks Common Services

Management Center for Firewalls

Auto Update Server

Management Center for VPN Routers

Management Center for IDS Sensors

Monitoring Center for Security

Management Center for Cisco Security Agents

What's New?

The VMS 2.2 Basic license offers the same functionality as the VMS 2.2 restricted licensed software, except in the following areas:

The basic license does not provide the use of Resource Manager Essentials (RME) and VPN Monitor components.

The basic license is limited to the management of 5 devices.


Note You may manage an unlimited number of Cisco Security Agents that are licensed and purchased separately.


VMS 2.2 introduces Management Center for Cisco Security Agents 4.0.1 (CSA MC), which provides intrinsic, distributed security to your enterprise by deploying agents that defend against the proliferation of attacks across networks and systems. These agents use a set of rules provided by the Management Center and are selectively assigned to each client node on your network by the network administrator.

VMS 2.2 provides installation of all Windows-based Management Centers (MCs) and Common Services from a single Installation CD-ROM (Startup Disk): VMS Management and Monitoring Centers 2.2 (VMMC). CiscoWorks Common Services (Common Services) was upgraded to include Service Pack 2 (SP2). All Management Centers were updated.

Each functional area of VMS is enhanced: firewall management, router management, IDS management, and security monitoring.

Major enhancements are:

Cisco Catalyst Firewall Service Module (FWSM) and Cisco PIX Security appliance syslog reports feature supported by Security Monitor.

Support for Cisco Catalyst Firewall and VPN service modules.

Extended support for security routers that includes firewall services, high availability VPNs, and multiple hub and spoke environments.

Support for IDS 4.1.

Improved host-based IDS functions that protect servers, and distributed firewall protection for desktops, through replacement of the Cisco IDS Host Sensor with Cisco Security Agents based on Okena technology.

Table 1 VMS Components and Attributes

This component...
Enables you to....

CiscoWorks Common Services 2.2 with Service Pack 2

Provide common software and services for VMS components.

CiscoWorks Common Services 2.2 provides:

Common Services 2.2—A set of shared application services.

CiscoView 5.5—A graphical device management tool.

Integration Utility 1.5—An integration module that supports third-party Network Management Systems (NMS).

Support for Java Plug-in 1.4.1_02.

Management Center for Firewalls 1.2.2 (Firewall MC)

Configure PIX Firewalls and Cisco Catalyst Firewall Services Module (FWSM).

Auto Update Server 1.1 (AUS)

Manage PIX Firewall and IOS dynamically addressed devices.

Management Center for VPN Routers 1.2.1 (Router MC)

Configure security routers, Catalyst 6000 VPN Service Modules, and IOS firewalls.

Management Center for IDS Sensors 1.2.3 for Windows (IDS MC)

Configure network-based IDS Sensors and Catalyst 6000 Intrusion Detection Service Modules (IDSM).

Monitoring Center for Security 1.2.3 for Windows (Security Monitor)

Monitor network-based and host-based IDS events and FWSM and PIX Firewall syslogs.

Management Center for Cisco Security Agents 4.0.1 (CSA MC)

Configure and manage Cisco Security Agents to protect servers and provide distributed firewall protection for desktops.


3 Server and Client System Requirements

You can install all VMS components for Windows systems. This section contains VMS system requirements and CSA MC browser requirements.


Note Although VMS and LAN Management Solution (LMS) can coexist, we recommend that they reside on separate servers for optimal performance. See the CiscoWorks VPN/Security Management Solution Deployment Guide found on Cisco.com, at http://www.cisco.com/en/US/products/sw/cscowork/ps2330/products_white_paper09186a00801aa80c.shtml.


VMS System Requirements

Table 2 shows VMS server requirements and Table 3 shows VMS client hardware and software requirements.


Note To successfully install VMS components, please make sure that Terminal Services is turned off. See your Microsoft documentation.


Do not install any VMS components on a Windows server that is running any of the following services:

Primary domain controller.

Backup domain controller.

Terminal server.

Table 2 VMS Server Requirements 

Component
Minimum Requirement

Hardware

IBM PC-compatible with 1 GHz or faster Pentium processor.

Color monitor with video card capable of 16-bit colors.

CD-ROM drive.

100BaseT or faster connection.

Operating System

You must have one of the following operating systems:

Windows 2000 Professional, Server, and Advanced Server (Service Pack 4).


Note Support for Advanced Server requires turning Terminal Services off. See your Microsoft documentation.


File System

NTFS.

Memory

1 Gigabyte, minimum.

Virtual Memory

2 Gigabytes, minimum.

Hard Drive Space

9 Gigabytes of free hard drive space, minimum.


Note The actual amount of hard drive space required depends upon the number of CiscoWorks Common Services client applications you are installing and the number of devices you are managing with the client applications.



Table 3 VMS Client Hardware and Software Requirements 

Component
Minimum Requirement

Hardware/Software

You must have an IBM PC-compatible computer with 300-MHz or faster Pentium processor running one of the following:

Windows 2000 Server, or Professional Edition with Service Pack 4.

Windows XP Professional with Service Pack 1A.

Hard Drive Space

400 MB virtual memory (for Windows).

Java

Sun Java Plug-in 1.4.1_02.

Memory

256 MB minimum.

Web Browser

You must also install one of the following HTML browsers:

Microsoft Internet Explorer 6.0, Service Pack 1 for Windows operating systems.

Netscape Navigator 4.7.9/7.1 on any of the Windows platforms.


Caution AUS, CSA MC, Firewall MC, and Router MC require Navigator 7.1 on Windows platforms and 7.0 on Solaris platforms.


CSA MC Browser Requirements for Windows

The CSA MC component has the same server requirements as VMS, and some unique browser requirements. See Table 4 below and Installing Management Center for Cisco Security Agents 4.0.


Note When you access the CSA MC user interface from the CiscoWorks Desktop Server, you must have SSL enabled in Common Services to allow the connection. See the "Important Installation Notes" section.


Table 4 CSA MC Browser Requirements for Windows 

Component
Minimum Requirement

Microsoft Internet Explorer

Version 5.5 or later.

Cookies must be enabled (see footnote 1).

JavaScript must be enabled.

Netscape Navigator

Version 7.1 or higher.

Cookies must be enabled (see footnote 2).

JavaScript must be enabled.

1 This means using a maximum setting of "medium" as your Internet security setting. Locate this feature from the following menu, Tools > Internet Options. Click the Security tab.

2 Locate this feature from the following menu, Edit > Preferences > Advanced.


4 VMS Installation

This section describes installation procedures for CiscoWorks VMS Management and Monitoring Centers (VMMC) component applications. It also provides uninstalling procedures for Cisco IDS Host Sensor and Console (Cisco HIDS).


Caution Information in this Quick Start Guide is intended for first time installation of VMS components only. These instructions should not be followed and could cause harm to systems with existing live deployments. Please see your individual component's installation documentation listed in the "Related Documentation" section for upgrade instructions.

Before you begin

Verify all system requirements are met. See the "VMS System Requirements" section.

Close all open or active programs. Do not run other programs during installation.


Note Verify Terminal Services is not running during installation. See your Microsoft documentation.


Important Installation Notes

This section contains important information that you should read before you begin installation:

The CSA MC-recommended deployment is to have only CSA MC and Security Monitor installed as part of your VMS bundle on the CSA MC system. When you install CSA MC, an agent containing the policies necessary to protect CSA MC and other limited CiscoWorks daemons and operations is automatically installed as well. The policies that this agent enforces are fairly restrictive and are appropriate if you are running the recommended deployment.

If you are running non-VMS products or software on the CiscoWorks server, this restrictive policy might impede these other products. If you do install non-VMS products, you might need to remove the restrictive policy from the agent protecting the system, leaving you with a more open policy. Without the restrictive policy, the system remains protected, but the policy allows more products to run on the system and access network resources. Therefore, the system is inherently less secure. If you want to deploy CSA MC on a system running non-VMS software, navigate to the CiscoWorks VMS Systems group and remove the CiscoWorks Restrictive VMS Module from the group.


Note If you feel comfortable doing so, you can edit the CiscoWorks Restrictive VMS Module instead of removing it. Your edits enable the actions your other installed products require. See Using Management Center for Cisco Security Agents 4.0 at http://www.cisco.com/en/US/products/sw/cscowork/ps5212/products_user_guide_book09186a008019b759.html for more information.


Common Services installation will be extended because of the automatic installation of component patches, including SP2, which will follow automatically after you install Common Services.

Only those with administrative privileges can perform the installations.

CiscoWorks applications are installed in the default directory SystemDrive:\Program Files\CSCOpx. If you select another directory during installation, the application is installed in that directory.

If errors occur during installation, check the installation log in the root directory on the drive where the operating system is installed. Each installation creates a new log file. For example, the CiscoWorks Common Services installation creates SystemDrive:\CiscoWorks_setupxxx.log, where xxx is the log file for the last CiscoWorks application installed.

You can click Cancel at any time to end the installation. However, any changes to your system (for example, installation of new files or changes to system files) will not be undone.

If you want to use secure access between the client browser and the management server, you can enable or disable SSL from the CiscoWorks desktop.

If SSL is enabled:

The URL begins with https instead of http to indicate a secure connection.

The port number following the server name is 1742 instead of 1741.

You cannot enable SSL on the CiscoWorks Server if there is an application that is not SSL-compliant installed on the server.


Note We recommend that you have SSL enabled during installation unless you are using other CiscoWorks components that do not support SSL. CSA MC cannot be installed on a server if you have components that do not support SSL. For help with SSL, consult the User Guide for CiscoWorks Common Services 2.2.


The VMMC Startup Disk might not perform optimally when accessed from a remote drive. We recommend that you avoid remote installations. Network inconsistencies might cause installation errors if you are installing from a remote mount point.

Securing Windows 2000

The least secure component of a system defines how secure the system is. Before installing your server software, you should take some basic steps to secure the target server and operating system:

Install the operating system on its own partition. Installing the operating system on one partition, and your software and data on another, protects your data and applications from viruses and attempted security breaches.

Use strong passwords. A strong password has at least eight characters and contains numbers, letters (both uppercase and lowercase), and symbols. You can edit the Local Security Policy to configure Windows 2000 to require strong passwords.

Avoid creating network shares. If you must create a network share, secure the shared resources with strong passwords. However, network shares are strongly discouraged, and you should disable NETBIOS completely.

Disable unnecessary accounts. Remove the default Guest account. Make sure that all remaining accounts are protected with strong passwords. Require a password to log in.

Secure the Registry. Disable or limit remote access to the Registry.

Apply all hotfixes and security patches. Visit the Microsoft website regularly and apply the most recent security patches. Use the Windows Update feature regularly to ensure that the most recent critical updates are installed on the server.

Disable unused and unneeded services. At a minimum, Windows requires the following services to run: DNS Client, Event Log, Plug & Play, Protected Storage, and Security Accounts Manager. Check your software documentation for any additional Windows services required by your software. Do not install IIS.

Disable all network protocols except Internet Protocol (TCP/IP). Other protocols can be used to gain access to your server. Limiting the network protocols used limits the access points to your server. If you are not using network shares on the server, disable NETBIOS.

Monitor the security of your system regularly. Log and review system activity. Use security tools, such as the Microsoft Security Configuration Tool Set (MSCTS) and Fport, to periodically review the security configuration of your system. You can obtain MSCTS from the Microsoft website.

Limit physical access to your server. If your server contains removable media drives, set the server to boot from the hard drive first. Your data can be compromised if someone boots your server from a floppy disk. You can typically set the boot order in the system BIOS. Make sure you protect the BIOS with a strong password.

Do not install remote access or administration tools on the server. These tools provide a point of entry to your server and are considered a security risk.

Run a virus scanning application on the server. Virus scanning software can prevent trojan horse applications from infecting your server. Update the virus signatures regularly.
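The service-related items in the checklist above can be checked mechanically. The following is an added example, not part of the Cisco guide: it parses the text printed by the Windows `net start` command and compares it with the minimum service list and the prohibitions stated in this guide (no IIS, Terminal Services off). The sample output is constructed, and the `PROHIBITED` map and the `approved` parameter are assumptions made for the illustration.

```python
import re

# Minimum services named in "Securing Windows 2000" ("Plug & Play" normalised).
MINIMUM_SERVICES = {
    "dns client", "event log", "plug and play",
    "protected storage", "security accounts manager",
}

# Services the guide tells you not to run on a VMS server (assumed display names).
PROHIBITED = {
    "iis admin service": "IIS must not be installed",
    "world wide web publishing service": "IIS must not be installed",
    "terminal services": "Terminal Services must be turned off",
}


def normalise(name):
    """Lower-case a display name and fold '&' and repeated spaces."""
    return re.sub(r"\s+", " ", name.replace("&", "and")).strip().lower()


def parse_net_start(output):
    """Return the service display names from `net start` output.

    Service names are the indented lines; the header and the
    'command completed' footer start in column 0 and are skipped.
    """
    return [line.strip() for line in output.splitlines()
            if line[:1].isspace() and line.strip()]


def audit(output, approved=()):
    """Classify running services against the guide's checklist.

    approved: extra display names your software documentation requires
    (for example the CiscoWorks daemons); hypothetical parameter.
    """
    running = parse_net_start(output)
    seen = {normalise(s) for s in running}
    allowed = MINIMUM_SERVICES | {normalise(s) for s in approved}
    return {
        # required by Windows but not running
        "missing_minimum": sorted(MINIMUM_SERVICES - seen),
        # explicitly ruled out by the guide
        "prohibited": [s for s in running if normalise(s) in PROHIBITED],
        # everything else: disable it or justify it
        "review": [s for s in running
                   if normalise(s) not in allowed
                   and normalise(s) not in PROHIBITED],
    }


# Constructed sample of `net start` output for the demonstration.
SAMPLE_NET_START = """These Windows 2000 services are started:

   DNS Client
   Event Log
   IIS Admin Service
   Plug and Play
   Protected Storage
   Remote Registry Service
   Security Accounts Manager
   Terminal Services

The command completed successfully.
"""

if __name__ == "__main__":
    report = audit(SAMPLE_NET_START)
    for category, names in report.items():
        print(category, "->", names or "none")
```

Services listed under "review" are not necessarily wrong; they are the ones to disable or to justify from your software documentation before installing VMS.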

Order of Installation

This section presents a high level overview of recommended installation steps. We recommend reading through the order of installation steps suggested here and then referring to the appropriate sections that follow for more detailed instructions.


Step 1 If applicable, uninstall Cisco HIDS and Console. See the "Uninstalling Cisco IDS Host Sensor and Console" section.


Note If the CSA MC or the agent installer detects any Cisco IDS Host Sensor software on the system, the installation stops.


Step 2 Use the vmmc_verify_digest.exe executable file from Cisco.com, or on the VMMC Startup Disk to verify that all media on the CD-ROM is authentic and error free. See the "Verifying the Integrity of VMMC Files" section.

Step 3 Install Common Services from the VMMC Startup Disk. See the "Installing CiscoWorks Common Services and Service Pack 2" section.


Note The installation of SP2 will start automatically once Common Services installation is complete and you reboot your system. It will be necessary to wait while SP2 installation takes place. This will take approximately 7 minutes.


Step 4 Install the desired VMMC applications from the VMMC Startup Disk in any order. See any of the following:

"Uninstalling Cisco IDS Host Sensor and Console" section.

"Installing VMS Management and Monitoring Center 2.2 Applications from the Startup Disk" section.

"Installing CiscoWorks Common Services and Service Pack 2" section.

"Installing Management Center for Firewalls" section.

"Installing Auto Update Server" section.

"Installing Management Center for VPN Routers" section.

"Installing Management Center for IDS Sensors and Monitoring Center for Security" section.

"Installing Management Center for Cisco Security Agents" section.


Note If you chose to install CSA MC first and you try to install another component, the CSA MC agent component might disallow the action or it might display multiple queries to which you must respond. See the "Disabling CSA MC Agent Software to Install Other Components" section for instructions on disabling and re-enabling agent software.


Step 5 See the "Post-Installation" section for important setup information.


Uninstalling Cisco IDS Host Sensor and Console

We recommend that you uninstall the Cisco IDS Host Sensor and Cisco IDS Host Sensor Console software before installing any VMS components. In particular, if CSA MC or the agent installer detects any Cisco IDS Host Sensor software on the system, the installation stops.

Uninstalling Cisco HIDS

Before You Begin

You must change the mode of the Host Sensor (Agent) installed on the Console host before you uninstall the Console. The following procedure provides steps for changing the Agent mode.


Note These uninstallation steps along with any additional information you might need to successfully uninstall Cisco HIDS can also be found on Cisco.com, at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/host/host25/install/.


To uninstall the Console:


Step 1 To change the Agent mode:

a. Log into the Console.

b. To display the Agent Management view, click Agents.

c. Select the Agent that is installed on the Console host.

d. If the Agent is in SecureSelect-Warning mode, close the Console.

e. To change the Agent mode to SecureSelect-Warning mode, right-click the Agent and select Set to SecureSelect-Warning Mode.

f. Close the Console.

Step 2 From the Windows taskbar, select Start > Programs > Cisco HIDS > Cisco HIDS Uninstall.

The Install Shield Wizard appears.

Step 3 Click Yes in the Uninstall Setup window to remove the Cisco IDS Host Console. The publickey and serverkey are copied to the PreserveKeys folder.

Step 4 Click OK to remove the Console.

Step 5 Click Finish to reboot the computer and complete the uninstallation.


Installing VMS Management and Monitoring Center 2.2 Applications from the Startup Disk

You can use the VMMC Startup Disk to install any Management Center component from a single CD-ROM. Follow the steps listed here to locate component documentation included on the Startup Disk, begin the installation, and then go to the VMMC installation steps below for the components you would like to install.


Note We strongly recommend you verify the integrity of your files before beginning VMMC installation. See the "Verifying the Integrity of VMMC Files" section.



Step 1 Insert the VMMC Startup Disk into the CD-ROM drive. At the top level of the directory structure, you will see folders corresponding to each VMMC component. From here, you can double-click any component folder to view and access that component's Documentation directory and a complete listing of all necessary component information and installation files.

Step 2 If autorun is enabled on your system, the CiscoWorks VMS Management and Monitoring Centers Installer window opens automatically.

Step 3 If autorun is not enabled, click Start > Run. In the Run dialog box, enter e:\autorun.exe, where e is your CD-ROM drive.

The CiscoWorks VMS Management and Monitoring Centers 2.2 Setup Program splash screen appears.

Step 4 Click Install.

The CiscoWorks InstallShield wizard appears listing all VMMC components and requesting you to select the check boxes for the components you want to install. There are also options to Select All and to Cancel installation.

Step 5 Select all those components you want to install.


Note Select All will not proceed if any of the items selected require a system reboot. Those components (Common Services and CSA MC) requiring a reboot must be installed before the Select All option will work.


Step 6 Click Next. The InstallShield Wizard prompts you with a screen showing which components you selected and giving you the choice to reconsider your choices, cancel, or proceed.

Step 7 Click Install to continue.

Step 8 The Startup Disk begins running the installation scripts in the order selected from the menu with which you were presented earlier.


Note If you install Common Services, Router MC, and/or IDS MC, you will be prompted to restart the system. We recommend that you restart before continuing with remaining component installation. Repeat steps 2 and 3 to restart the VMMC Install Shield Wizard so that you can install other VMMC tools.



Note CSA MC will automatically restart the system. Repeat steps 2 and 3 to restart the VMMC Install Shield Wizard so that you can install other VMMC tools.


Step 9 Go to the section corresponding to each component below for typical installation instructions.


Verifying the Integrity of VMMC Files

The VMMC Startup Disk provides a vmmc_verify_digest.exe executable file with which you can perform integrity checks for all files on the Startup Disk. This tool is also available on Cisco.com for those who have an account established. We recommend that the tool be downloaded from this location to ensure maximum security.

To verify the authenticity and integrity of your VMMC files:


Step 1 Do one of the following:

Go to http://www.cisco.com/public/sw-center/cw2000/vms-planner.shtml to securely obtain a verify_digests.exe file and enter run vmmc_verify_digest.exe at the DOS command prompt.

or

Insert the VMMC Startup Disk into your CD-ROM drive and enter run vmmc_verify_digest.exe at the DOS command prompt.


Caution When you download the digest file, make sure your browser is in https mode for a secure download.

The vmmc_verify_digest.exe file runs through a list of files that it needs to verify. After this is done, you will be prompted for the directory where the files are located.


Note You can press any key to exit after the verification of the files on the CD or local directory.


Step 2 Highlight the Startup Disk location by browsing the folders on the CD-ROM and pressing Enter. Verify_digests.exe will validate each file.


Note You can enter the CD-ROM drive letter and check the files on the Startup Disk itself or you can copy the files to your system and check them from the directory to which they were copied.


The output displays OK if the files are authentic. If any files are found to be inauthentic (that is, not from Cisco) or corrupt, Failure is displayed.

Step 3 Do one of the following:

If you receive any failure messages, please see your system administrator before proceeding with VMMC installation.

or

Check the location of the files if you receive a File not found message. This means that the digest program cannot locate a file.

Step 4 Proceed with installation if there are no failure messages.
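The check performed in the steps above can be illustrated with a short script. This is an added example, not Cisco's vmmc_verify_digest.exe and not code from this guide: it verifies a directory tree against a digest manifest and reports OK, Failure, or File not found per file, as the procedure describes. The manifest format (`<sha256 hex>  <relative path>`), the use of SHA-256, and all function names are assumptions; the files and manifest in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large installers do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<64 hex chars>  <relative path>' lines (assumed format)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed manifest line %d" % lineno)
        int(parts[0], 16)  # raises ValueError if the digest is not hex
        entries.append((parts[0].lower(), parts[1]))
    return entries


def verify_tree(root, manifest_text):
    """Return {relative path: 'OK' | 'Failure' | 'File not found'}.

    The manifest must come from a trusted channel (the guide recommends
    an https download), not from the media being checked.
    """
    results = {}
    root_real = os.path.realpath(root)
    for digest, rel in parse_manifest(manifest_text):
        target = os.path.realpath(os.path.join(root_real, rel))
        # An entry that resolves outside the chosen directory is a failure.
        if os.path.commonpath([root_real, target]) != root_real:
            results[rel] = "Failure"
        elif not os.path.isfile(target):
            results[rel] = "File not found"
        elif hmac.compare_digest(sha256_of(target), digest):
            results[rel] = "OK"
        else:
            results[rel] = "Failure"
    return results


def safe_to_install(results):
    """Proceed only if every listed file was found and matched."""
    return bool(results) and all(s == "OK" for s in results.values())


def demo():
    """Build a constructed 'Startup Disk' tree: one intact file, one
    altered file, and one file listed in the manifest but absent."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "CommonServices"))
        intact = os.path.join(root, "CommonServices", "setup.exe")
        with open(intact, "wb") as fh:
            fh.write(b"constructed installer bytes")
        with open(os.path.join(root, "autorun.exe"), "wb") as fh:
            fh.write(b"bytes changed after the manifest was made")
        manifest = "\n".join([
            "# constructed manifest for the demonstration",
            sha256_of(intact) + "  CommonServices/setup.exe",
            hashlib.sha256(b"original bytes").hexdigest() + "  autorun.exe",
            hashlib.sha256(b"never copied").hexdigest() + "  FirewallMC/setup.exe",
        ])
        results = verify_tree(root, manifest)
        return results, safe_to_install(results)


if __name__ == "__main__":
    results, ok = demo()
    for rel, status in results.items():
        print("%-28s %s" % (rel, status))
    print("Proceed with installation:", ok)
```

A File not found result is treated the same as Failure when deciding whether to proceed, since a missing file means the media was not fully verified.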


Installing CiscoWorks Common Services and Service Pack 2


Note You must install Common Services and SP2 before any other VMS component.



Step 1 After you select the check box for Common Services on the VMMC Install Shield Wizard, Common Services will always be the first application installed.


Note To run the Common Services installation manually, insert the VMMC Startup Disk into your CD-ROM drive, locate the Common Services top level directory, and double-click the setup.exe file.


Step 2 Follow the prompts, entering all required information. We recommend that you select an Express installation. Select another installation option only if you want to specify a destination directory other than SystemDrive:\Program Files\CSCOpx. For additional assistance, see Installation and Setup Guide for CiscoWorks Common Services (includes CiscoView) for Windows.

Step 3 You must restart your system before installing any more VMS components.

Once reboot is complete, and you initiate installation of one or more VMS components, a screen will appear stating, "Please wait, installer is checking your system...".

You will then receive the following error message: "Common Services SP2 is not installed. Installation of Common Services SP2 will begin now." It is followed by the Installer message: "Installing Common Services SP2. This will take approximately 7 minutes. Please wait....".

When SP2 installation completes, the installation of two Patch updates will begin. No user intervention is required but you will see a splash screen that says Installing Patch CSCec43722-1. A minimized DOS window will be present on your desktop while this installation takes place. Should you maximize the window during the patch installation you will see that the Patch is being installed.

In very quick succession after the installation of Patch update CSCec43722-1, a second Patch Update installation will begin, signified by a splash screen that says Installing Patch CSCed18592-1. There will also be a minimized DOS window on your desktop during this Patch installation.


Note These Patch installations occur very rapidly, in quick succession and require no user intervention.


Step 4 Repeat any necessary steps described in the "Installing VMS Management and Monitoring Center 2.2 Applications from the Startup Disk" section.


Installing Management Center for Firewalls


Note You must install Common Services and SP2 before any other VMS component.



Step 1 After you select the check box for Managing PIX Firewalls, Catalyst Firewall SM on the VMMC Install Shield Wizard, Firewall MC installation will begin immediately after Common Services and SP2 installations are complete.


Note If Common Services 2.2 is installed on your system, you can run Firewall MC installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the Firewall MC top level directory, and double-clicking the setup.exe file.


Step 2 Follow the prompts, entering all required information. For additional assistance, see Installing Management Center for Firewalls 1.2.2 on Windows 2000 and Solaris 2.8.

Step 3 To use the activity approver email notification feature, you must configure the CiscoWorks email server. The email configuration option is provided in the Advanced installation, not the Typical installation of Common Services. If you did not configure the email server during installation, you can do so from the CiscoWorks desktop by selecting VPN/Security Management Solution > Administration > Common Services > Preferences.

Step 4 After Firewall MC and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.

Installing Auto Update Server


Note You must install Common Services and SP2 before any other VMS component.



Step 1 After you select the check box for Auto Update Server on the VMMC Install Shield Wizard, AUS installation will begin, in the order displayed.


Note If Common Services 2.2 is installed on your system, you can run AUS installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the AUS top level directory, and double-clicking the setup.exe file.


Step 2 Follow the prompts, entering all required information. For additional assistance, see Installing Auto Update Server 1.1 on Windows 2000 and Solaris.

After AUS and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.


Installing Management Center for VPN Routers


Note You must install Common Services and SP2 before any other VMS component.



Step 1 After you select the check box for Managing VPN Routers, Catalyst VPN SM, IOS Firewalls on the VMMC Install Shield Wizard, Router MC installation will begin, in the order shown.


Note If Common Services 2.2 is installed on your system, you can also run Router MC installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the Router MC top level directory, and double-clicking the setup.exe file.


Step 2 Follow the prompts, entering all required information. For additional assistance, see Release Notes for Management Center for VPN Routers 1.2.1 on Windows 2000 and Solaris.

Step 3 In both the Password field and the Confirm Password field, enter a password for internal access to the Router MC database. The password you provide is used automatically in the background to allow certain system events (such as backup and restore operations) to occur.

Step 4 To use the activity approver email notification feature, you must configure the CiscoWorks email server. The email configuration option is provided in the Advanced installation of Common Services (not in the Typical installation). If you did not configure the email server during installation, you can do so from the CiscoWorks desktop by selecting VPN/Security Management Solution > Administration > Common Services > Preferences.

Step 5 You must restart your system before installing any more VMS components. You will be returned to the VMMC Install Shield Wizard after the system reboots. Repeat any necessary steps described in the "Installing VMS Management and Monitoring Center 2.2 Applications from the Startup Disk" section.

After Router MC and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.


Installing Management Center for IDS Sensors and Monitoring Center for Security


Note You must install Common Services and SP2 before any other VMS component.


While it is possible to colocate the Security Monitor with other Management Centers, we recommend that you install Security Monitor on a server separate from your management application for a production network. This recommendation is based on the potentially heavy-traffic processing load that might result from monitoring Firewall MC or IDS Sensors or both.


Step 1 After you select the check box for Managing IDS Sensors, Catalyst IDS SM, and Security Monitoring on the VMMC Install Shield Wizard, IDS MC and Security Monitor installation will begin, in the order displayed.


Note If Common Services 2.2 is installed on your system, you can also run IDS MC and Security Monitor installation manually by inserting the VMMC Startup Disk into your CD-ROM drive, locating the IDS MC and Security Monitor top level directory, and double-clicking the setup.exe file.


Step 2 To install both IDS MC and Security Monitor, select the Typical installation radio button.

Step 3 To install either IDS MC or Security Monitor, select the Custom installation radio button. Then, click Next.

a. To install IDS MC, select the IDS MC only radio button and click Next.

b. To install Security Monitor, select the Security Monitor only radio button and click Next.

Step 4 Follow the prompts, entering all required information. You will be prompted to select a database location, enter a database password and specify UDP ports. For additional assistance, see Installing Management Center for IDS Sensors 1.2 and Monitoring Center for Security 1.2.

Step 5 You must restart your system before installing any more VMS components. You will be returned to the VMMC Install Shield Wizard after the system reboots. Repeat any necessary steps described in the "Installing VMS Management and Monitoring Center 2.2 Applications from the Startup Disk" section.

Step 6 After IDS MC, Security Monitor, and any other selected installations are complete, see the "Post-Installation" section for information on setting up the CiscoWorks Desktop Server.


Installing Management Center for Cisco Security Agents

When you install CSA MC, an agent containing the policies necessary to protect CSA MC and other CiscoWorks daemons and operations is automatically installed as well. The policies that are enforced by this agent protect CSA MC, other VMS components, and general CiscoWorks operations.

Uninstalling Cisco HIDS

CSA MC can be installed at any time from the Startup Disk before or after Common Services or any other application. However, because of potential incompatibilities between Cisco IDS Host Sensor software and Management Center for Cisco Security Agents (CSA MC), you must uninstall the Cisco IDS Host Sensor and Cisco IDS Host Sensor Console software before installing CSA MC or agent software. See the "Uninstalling Cisco IDS Host Sensor and Console" section.


Note Any system on which you are installing CSA MC must not have the Cisco IDS Host Sensor Console or the Cisco IDS Host Sensor installed. If the CSA MC or the agent installer detects any Cisco IDS Host Sensor software on the system, the installation stops.


CSA MC Component Registration

CSA MC installation will not run without the appropriate production license. When prompted during CSA MC installation, navigate to the Licenses directory at the top level of the VMMC CD-ROM and select the license file marked CSAMC.lic.

Before You Begin

CSA MC has some unique system requirements. Before installing this component, see the "CSA MC Browser Requirements for Windows" section.

Disabling CSA MC Agent Software to Install Other Components

If you are installing or uninstalling various VMS components and you have a Cisco Security Agent protecting VMS, you should disable the agent service before you begin the installation or uninstallation of any other VMS component. (You do not have to do this when installing or uninstalling CSA MC.)

To disable the agent service:


Step 1 From a command prompt enter net stop "Cisco Security Agent".

Step 2 If you receive a prompt asking if you want to stop the agent service, select Yes.

Step 3 Enter net start "Cisco Security Agent" to enable the service at any time.


Note If you do not disable the agent service and you try to alter a CiscoWorks system configuration, the agent might disallow the action or it might display multiple queries to which you must respond.
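One way to script the stop, install, and start sequence above so that the agent is not left disabled after an installation. This is an added example, not part of the Cisco guide. The script name and the installer path argument are assumptions, and the final check assumes that "Cisco Security Agent" is the service display name listed by net start.

```batch
@echo off
rem Added example, not part of the Cisco guide.
rem Usage: install-with-agent-paused.cmd D:\path\to\setup.exe
rem The script name and the installer path are placeholders.
setlocal
set "AGENT=Cisco Security Agent"

if "%~1"=="" goto usage
if not exist "%~1" goto missing

rem Step 1 of the guide: stop the agent so that it does not block or query
rem the changes the installer makes. If the agent asks for confirmation,
rem answer Yes (Step 2 of the guide).
echo Stopping "%AGENT%" ...
net stop "%AGENT%"
if errorlevel 1 echo net stop reported an error; the service may already be stopped.

rem Run the component installer and wait for it to exit.
echo Running "%~1" ...
start "" /wait "%~1"
set "RC=%ERRORLEVEL%"
echo Installer exit code: %RC%

rem Step 3 of the guide: re-enable the agent regardless of the installer result.
echo Starting "%AGENT%" ...
net start "%AGENT%"

rem Confirm that the agent is running again. "net start" with no arguments
rem lists running services by display name; this assumes the name used in
rem the guide is the display name.
net start | find /i "%AGENT%" >nul
if errorlevel 1 goto notrunning

echo "%AGENT%" is running.
exit /b %RC%

:usage
echo Usage: %~nx0 path\to\setup.exe
exit /b 1

:missing
echo Installer not found: %~1
exit /b 1

:notrunning
echo WARNING: "%AGENT%" is not running. Start it before returning the server to service.
exit /b 2
```

If the installer restarts the system, the script never reaches the restart step. After the reboot, run net start and confirm that the agent appears in the list.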



Installing CSA MC


Note You must install Common Services and SP2 before any other VMS component.



Step 1 After you select the check box for Managing Cisco Security Agents - Servers and Desktops on the VMMC Install Shield Wizard, CSA MC installation will begin, in the order in which you checked the boxes on the wizard.


Note To run the CSA MC installation manually, insert the VMMC Startup Disk into your CD-ROM drive, locate the CSA MC top level directory, and double-click the setup.exe file.


Step 2 Follow the prompts, entering all required information. For additional assistance, see Installing Management Center for Cisco Security Agents.


Note CSA MC installation will not run without the appropriate production license.


Step 3 When prompted during CSA MC installation, you must navigate to the Licenses directory at the top level of the VMMC CD-ROM and select the license file marked CSAMC.lic.

Step 4 If you are installing or uninstalling various VMS components and you have a Cisco Security Agent protecting VMS, see the "Disabling CSA MC Agent Software to Install Other Components" section.

Step 5 When installation is complete, read Chapter 3, "Quick Start Configuration" for setup instructions. See also the "Post-Installation" section of this document for information on setting up the CiscoWorks Desktop Server.


Default Policy Settings for VMS by CSA MC

By default, this release applies a more restrictive policy to the CiscoWorks VMS Systems Group. This policy further locks down the system and provides security-in-depth against the proliferation of current and future network attacks.

Update for 99% CPU Utilization (CSCdt73198)


Caution This update should not be installed if you are running other CiscoWorks solutions on the same server (e.g., LMS or RWAN).

On a system running the VMS server, you might experience high CPU usage under certain conditions. This high CPU utilization might be triggered by any of the following conditions:

Network connection goes down.

Switch to which the server is connected goes down and/or is rebooted.

Ethernet cable becomes unplugged from the server.

The netmask and/or IP address is changed.

An update that addresses this problem is available on the VMMC Startup Disk.


Step 1 Navigate to the Patches directory marked CSCdt73198-1 on the VMMC Installation Startup Disk.

Step 2 Follow the directions in the Readme file included in this directory.


5 Post-Installation

Configuration and setup tasks for all VMS components for Windows are outside the scope of this guide. It is important that you see each component's installation guide to ensure that all setup tasks are complete. See the "Related Documentation" section for your component's documents and locations.

After you install the required components, you must configure and access your CiscoWorks server and client systems by referring to the installation and setup documentation at

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_installation_guides_list.html.

You can uninstall VMS using the instructions in the application installation guides. Uninstall each application in the reverse order of its installation.


Note Do not uninstall CiscoWorks Common Services 2.2 before uninstalling applications dependent on it.


6 Related Documentation

Installation and user documentation can be found in PDF format on the VMMC list in each component's documentation directory. Release notes for each component contain a complete list of each component's documentation, along with ordering information. All VMS documentation can also be found on Cisco.com. Select Products & Services > Network Management CiscoWorks > CiscoWorks VPN/Security Management Solution > Versions and Options > CiscoWorks VPN/Security Management Solution 2.2.


Note Although we make every effort to validate the accuracy of the information in the printed and electronic documentation, you should also review the documentation on Cisco.com for any updates.


Paper Documentation

Quick Start Guide for the VPN/Security Management Solution 2.2

Release Notes and Related Readme Documentation

Readme for Management Center for Cisco Security Agents 4.0.1

Registration and Licensing Notes for CiscoWorks Common Services 2.2

Release Notes for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows 2000

Release Notes for Management Center for Firewalls 1.2.2 on Windows 2000 and Solaris 2.8

Release Notes for Auto Update Server 1.1 on Windows 2000 and Solaris

Release Notes for Management Center for VPN Routers 1.2.1 on Windows 2000 and Solaris

Release Notes for Management Center for IDS Sensors 1.2.3 and Monitoring Center for Security 1.2.3

Release Notes for Management Center for Cisco Security Agents 4.0

Online Help and All Other Documentation

Online help, which can be accessed in two ways:

Select an option from the navigation tree, then click Help.

Click the Help button in the dialog box.

PDF for:

Installation and Setup Guide for CiscoWorks Common Services (includes CiscoView) on Windows

User Guide for CiscoWorks Common Services 2.2

Installing Management Center for Firewalls 1.2.2 on Windows 2000 and Solaris 2.8

Using Management Center for Firewalls 1.2

Supported Devices, OS Versions, and Commands for Management Center for Firewalls 1.2.1

Installing Auto Update Server 1.1 on Windows 2000 and Solaris

Using Auto Update Server 1.1

Supported Devices and Software Versions for AUS 1.1

Installing Management Center for VPN Routers 1.2.1 on Windows 2000 and Solaris

Using Management Center for VPN Routers 1.2.1

Supported Devices Table for Management Center for VPN Routers 1.2

Installing Management Center for IDS Sensors 1.2 and Monitoring Center for Security 1.2

Using Management Center for IDS Sensors 1.2

Supported Devices and Software Versions for Management Center for IDS Sensors 1.2

Using Monitoring Center for Security 1.2

Supported Devices and Software Versions for Monitoring Center for Security 1.2

Installing Management Center for Cisco Security Agents

Using Management Center for Cisco Security Agents


Note Adobe Acrobat Reader 4.0 or later is required.


7 Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

8 Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

9 Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:

http://www.cisco.com/tac

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:

http://www.cisco.com/tac/caseopen

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

10 Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html