Setup, Installation, and Basic Configuration

This chapter contains the following sections:

Solution Deployment Overview

To configure your Cisco Content Security Management appliance to provide service to your Cisco Content Security solution:

On These Appliances

Do This

More Information

Step 1

All appliances

Ensure that your appliances meet the system requirements for the features you will use. If necessary, upgrade your appliances.

Step 2

Email Security appliances

Before you introduce centralized services to your environment, configure all Email Security appliances to provide the security features you want, and verify that all features are working as expected on each appliance.

See the documentation for your Cisco Email Security release.

Step 3

Security Management appliance

Set up the appliance and run the System Setup Wizard.

See the Installation Planning, Preparing for Setup and the Running the System Setup Wizard.

Step 4

All appliances

Configure each centralized service that you want to deploy.

Start with the Configuring Services on the Security Management Appliance.

Installation Planning

Network Planning

The Security Management appliance lets you separate end user applications from the more secure gateway systems residing in your demilitarized zones (DMZs). Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ .

Figure 1. Typical Network Configuration Incorporating the Security Management appliance



The following figure shows a typical network configuration incorporating the Security Management appliance and multiple DMZs. You deploy the Security Management appliance outside your DMZ, in your internal networks. All connections are initiated by the Security Management appliances (M-Series) to the managed Email Security appliances (C-Series).

Corporate data centers can share a Security Management appliance to perform centralized reporting and message tracking for multiple Email Security appliances. The Security Management appliance can also be used as an external spam quarantine.

After you connect the Email Security appliance to a Security Management appliance and properly configure all appliances, AsyncOS gathers and aggregates data from the managed appliances. From the aggregated data, reports can be generated and an overall view of email usage can be determined.

About Integrating a Security Management Appliance with Email Security Appliances

Additional information about integrating the Security Management appliance with your Email Security appliances, see the “Centralizing Services on a Cisco Content Security Management Appliance” chapter in the user documentation or online help for your Email Security appliance.

Deployments with Clustered Email Security Appliances

The Security Management appliance cannot be placed in a cluster of Email Security appliances that are using the email appliances’ centralized management feature. However, clustered Email Security appliances can deliver messages to the Security Management appliance for centralized reporting and tracking and to quarantine messages.

Preparing for Setup

Before you run the System Setup Wizard:

    Step 1   Review the latest release notes for your product. See Network Planning.
    Step 2   Verify that the components of your security solution are compatible. .
    Step 3   Ensure that your network and physical space are ready to support this deployment. See Installation Planning.
    Step 4   Physically set up and connect the Security Management appliance. See Physically Setting Up and Connecting the Appliance.
    Step 5   Determine network and IP address assignments. See Determining Network and IP Address Assignments.
    Step 6   Gather information about your system setup. See Gathering the Setup Information.

    Physically Setting Up and Connecting the Appliance

    Before you follow the procedures in this chapter, complete the steps described in the quick start guide that came with your appliance. In this guide, it is assumed that you have unpacked the appliance, physically installed it in a rack, and turned it on.

    Before you can log in to the GUI, you need to set up a private connection between a PC and the Security Management appliance. For example, you can use the included crossover cable to connect directly from the Management port on the appliance to a laptop. Optionally, you can connect through an Ethernet connection between a PC and the network (for example, an Ethernet hub) and between the network and the Management port on the Security Management appliance.

    Determining Network and IP Address Assignments


    Note
    If you have already cabled your appliance to your network, ensure that the default IP address for the content security appliance does not conflict with other IP addresses on your network. The IP address that is pre-configured on the Management port of each appliance is 192.168.42.42.

    After setup, go to the Management Appliance > Network > IP Interfaces page on the main Security Management appliance to change the interface that the Security Management appliance uses.

    You need the following network information about each Ethernet port that you choose to use:

    • IP address
    • Netmask

    In addition, you need the following information about your overall network:

    • IP address of the default router (gateway) on your network
    • IP address and hostname of your DNS servers (not required if you want to use Internet root servers)
    • Hostname or IP address of your NTP servers (not required if you want to manually set system time)

    For more information, see Assigning Network and IP Addresses.


    Note

    If you are running a firewall on your network between the Internet and the content security appliance, it may be necessary to open specific ports for the appliance to work properly. For more information on firewalls, see Firewall Information

    Always use the same IP address on the Security Management appliance for receiving and sending email messages to the Email Security appliances. For an explanation, see information about Mail Flow in the documentation for your Email Security appliance.

    Note that IPv6 is not supported for communication between the Cisco Content Security Management appliance and the appliances it manages.

    Gathering the Setup Information

    Use the following table to gather information about system setup. You will need this information at hand while running the System Setup Wizard.


    Note
    See the Assigning Network and IP Addresses for detailed information about network and IP addresses.

    The following table shows the system setup worksheet

    1

    Notifications

    Email address where system alerts are sent:

    2

    System Time

    NTP Server (IP address or hostname):

    3

    Admin Password

    Choose a new password for the “admin” account:

    4

    AutoSupport

    Enable AutoSupport? ___ Yes ___ No

    5

    Hostname

    Fully qualified hostname of the Security Management appliance:

    6

    Interface / IP Address

    IP address:

    Netmask:

    7

    Network

    Gateway

    Default Gateway (router) IP address:

    DNS

    ___ Use the Internet’s root DNS servers

    ___ Use these DNS servers:

    Accessing the Security Management Appliance

    The Security Management appliance has a standard web-based graphical user interface, a separate web-based interface for managing the spam quarantine, a command-line interface, and special or limited web interfaces for administrative users granted access to specific features and functionality.

    Browser Requirements

    To access the GUI, your browser must support and be enabled to accept JavaScript and cookies, and it must be able to render HTML pages containing Cascading Style Sheets (CSS).

    Table 1 Supported Browsers and Releases

    Browser

    Windows 7

    MacOS 10.6

    Safari

    7.0 and later

    Google Chrome

    Latest Stable Version

    Latest Stable Version

    Microsoft Internet Explorer

    11.0

    Mozilla Firefox

    Latest Stable Version

    Latest Stable Version

    • Internet Explorer 11.0 (Windows 7 only)

    • Safari (7 and later)

    • Firefox (Latest Stable Version)

    • Google Chrome (Latest Stable Version)

    Browsers are supported only for operating systems officially supported by the browser.

    You may need to configure your browser’s pop-up blocking settings in order to use the GUI, because some buttons or links in the interface will cause additional windows to open.


    Note

    The best viewed resolution for the AsyncOS (11.4 and above) web interface is 1366x786, for all the browsers.

    About Accessing the Web Interfaces

    The Security Management appliance has two web interfaces: the standard administrator interface, available by default on port 80, and the spam quarantine end user interface, available by default on port 82. The spam quarantine HTTPS interface defaults to port 83 when enabled.

    Because you can specify HTTP or HTTPS when configuring each of the web interfaces (go to Management Appliance > Network > IP Interfaces on the Security Management appliance), you may be asked to reauthenticate if you switch between the two during your session. For example, if you access the admin web interface through HTTP on port 80 and then, in the same browser, access the spam quarantine end user web interface through HTTPS on port 83, you are asked to reauthenticate if you return to the admin web interface.


    Note

    - When accessing the GUI, do not use multiple browser windows or tabs simultaneously to make changes to the Security Management appliance. Do not use concurrent GUI and CLI sessions either. Doing so will cause unexpected behavior and is not supported.

    - By default, your session times out if you are idle for more than 30 minutes or if you close the browser without logging out. If this happens, you must reenter your user name and password. To change the timeout limit, see Configuring the Web UI Session Timeout.

    Accessing the Web Interface

      Step 1   Open your web browser and type 192.168.42.42 in the IP address text field.
      Step 2   Enter the following default values:
      • User name: admin
      • Password: ironport
      Note    This password is NOT valid after you complete the System Setup Wizard, either using the web interface or the command-line interface.

      Accessing the Command Line Interface

      The command line interface, or CLI, is accessed on the Security Management appliance in the same way that the CLI is accessed on all Cisco Content Security appliances. There are, however, some differences:

      • System setup must be performed through the GUI.
      • Some CLI commands are not available on the Security Management appliance. For a list of which commands are not supported, see the IronPort AsyncOS CLI Reference Guide for Cisco Content Security Appliances.

      For production deployments, you should use SSH to access the CLI. Use a standard SSH client to access the appliance on port 22. For lab deployments, you can also use telnet; however, this protocol is not encrypted.

      Supported Languages

      With the appropriate license key, AsyncOS can display the GUI and CLI in any of the following languages:

      • English
      • French
      • Spanish
      • German
      • Italian
      • Korean
      • Japanese
      • Portuguese (Brazil)
      • Chinese (traditional and simplified)
      • Russian

      To choose the GUI and default reporting language, do one of the following:

      • Set the language preference. See Setting Preferences.
      • Use the Options menu at the top right side of the GUI window to select the language for the session.

      (The method that works depends on the method used to authenticate your login credentials.)

      Running the System Setup Wizard

      AsyncOS provides a browser-based System Setup Wizard to guide you through the process of system configuration. Later, you may want to take advantage of custom configuration options not available in the wizard. However, you must use the wizard for the initial setup to ensure a complete configuration.

      The Security Management appliance supports this wizard via the GUI only. It does not support system setup through the command line interface (CLI).

      Before You Begin

      Complete all tasks in the Preparing for Setup.


      Caution

      The System Setup Wizard completely reconfigures the appliance. Only use the wizard when you initially install the appliance, or if you want to completely overwrite the existing configuration.

      Be sure to connect the Security Management appliance to your network through the Management port.


      Caution

      The Security Management appliance ships with a default IP address of 192.168.42.42 on the Management port. Before connecting the Security Management appliance to your network, ensure that no other device’s IP address conflicts with the factory default setting.


      Note
      By default, your session times out if you are idle for more than 30 minutes or if you close the browser without logging out. If this happens, you must reenter your user name and password. If the session times out while you are running the System Setup Wizard, you need to start over from the beginning. To change the timeout limit, see Configuring the Web UI Session Timeout.

      Overview of the System Setup Wizard

        Step 1   Launch the System Setup Wizard
        Step 2   Review the End User License Agreement
        Step 3   Configure the System Settings
        • Notification settings and AutoSupport
        • System time settings
        • Admin password
        Step 4   Configure the Network Settings
        • Hostname of the appliance
        • IP address, network mask, and gateway of the appliance
        • Default router and DNS settings
        Step 5   Review Your Configuration

        Proceed through the wizard pages, and carefully review your configuration at step 4. You can return to a step by clicking Previous. At the end of the process, the wizard prompts you to commit the changes that you have made. Most changes do not take effect until you commit them.

        Step 6   Proceeding to the Next Steps

        Launch the System Setup Wizard

        To launch the wizard, log in to the GUI as described in the Accessing the Web Interface. The first time you log in to the GUI, the initial page of the System Setup Wizard appears by default. You can also access the System Setup Wizard from the System Administration menu (Management Appliance > System Administration > System Setup Wizard).

        Review the End User License Agreement

        Begin by reading the license agreement. After you have read and agreed to the license agreement, select the check box indicating that you agree, and then click Begin Setup to proceed.

        Configure the System Settings

        Entering an Email Address for System alertsAlerts

        AsyncOS sends alert messages through email if there is a system error that requires your intervention. Enter the email address (or addresses) where the alerts are sent.

        You need to add at least one email address for the system alerts. Separate multiple addresses with commas. The email addresses that you enter initially receive all types of alerts at all levels. You can customize the alert configuration later. For more information, see the Managing Alerts.

        Setting the Time

        Set the time zone on the Security Management appliance so that timestamps in reports, message headers and log files are correct. Use the drop-down menus to locate your time zone or to define the time zone by GMT offset.

        You can set the system clock time manually, but Cisco recommends using an Network Time Protocol (NTP) server to synchronize time with other servers on your network or the Internet. By default, the Cisco NTP server (time.sco.cisco.com) is added as an entry to synchronize the time on your content security appliance. Enter the hostname of the NTP server, and click Add Entry to configure an additional NTP server. For more information, see the Configuring the System Time.

        Setting the Password

        You must change the password:adminpassword for the AsyncOS admin account. Keep the password in a secure location. Changes to the password take effect immediately.


        Note
        If you cancel the system setup after resetting the password, your password changes are not undone.
        Enabling AutoSupport

        The AutoSupport feature (enabled by default) notifies Customer Support about issues with the Security Management appliance so that they can provide optimal support. For more information, see the Cisco AutoSupport.

        Configure the Network Settings

        Define the hostname of the machine and then configure the gateway and DNS settings.


        Note
        Verify that you have connected the Security Management appliance to your network through the Management port.
        Network Settings

        Enter the fully qualified hostname for the Security Management appliance. This name should be assigned by the network administrator.

        Enter the IP address of the Security Management appliance.

        Enter the network mask and IP address of the default deerrouter (gateway) on your network.

        Next, configure the Domain Name Service (DNS) settings. AsyncOS contains a high-performance internal DNS resolver/cache that can query the Internet’s root servers directly, or the system can use DNS servers that you specify. If you use your own servers, you need to supply the IP address of each DNS server. You can enter up to four DNS servers when you are using the System Setup Wizard.


        Note
        The DNS servers you specify have an initial priority of 0. For more information, see the Configuring Domain Name System Settings.

        Note
        The appliance requires access to a working DNS server to perform DNS lookups for incoming connections. If you cannot specify a working DNS server that is reachable by the appliance while you are setting up the appliance, you can select Use Internet Root DNS Servers, or else temporarily specify the IP address of the Management interface so that you can complete the System Setup Wizard.

        Review Your Configuration

        Now, the System Setup Wizard displays a summary of the setup information that you have entered. If you need to make any changes, click Previous at the bottom of the page and edit the information.

        After you have reviewed the information, click Install This Configuration. Then click Install in the confirmation dialog box that appears.

        If the page appears not to respond when you click Install This Configuration, this is because the appliance is now using the the new IP address that you specified in the wizard. To continue using the appliance, use the new IP address. If you followed the instructions in the Quick Start Guide to temporarily change the IP address of the computer you used to access your new hardware appliance, revert your computer’s IP address to its original settings first.

        Proceeding to the Next Steps

        After you install the Security Management appliance and run the System Setup Wizard, you can modify other settings on the appliance and configure the monitoring services.

        Depending on the process you used to access the appliance in order to run the system setup wizard, the System Setup Next Steps page appears. If this page dos not appear automatically, you can access it by choosing Management Appliance > System Administration > Next Steps.

        Click on any of the links on the System Setup Next Steps page to proceed with the configuration of your Cisco Content Security appliances.

        About Adding Managed Appliances

        You will add managed Email appliances to the Security Management appliance when you configure the first centralized service for each appliance.

        When you add a remote appliance, the Security Management appliance compares the product name of the remote appliance with the type of appliance you are adding. The Security Management appliance will also check the monitoring services on the remote appliances to make sure that they are correctly configured and compatible.

        The Security Appliances page shows the managed appliances that you have added. The Connection Established? column shows whether or not the connection for monitoring services is properly configured.

        Instructions for adding managed appliances are included in the following procedures:

        Editing Managed Appliance Configurations

          Step 1   [New Web Interface Only] On the Cloud Email Security Management Console, click on the gear icon to load the legacy web interface.
          Step 2   Choose Management Appliance > Centralized Services > Security Appliances.
          Step 3   In the Security Appliance section, click on the name of the appliance you want to edit.
          Step 4   Make the necessary changes to the appliance configuration.

          For example, select or clear check boxes for monitoring services, reconfigure file transfer access, or change the IP address.

          Note    Changing the IP address of a managed appliance can cause several issues to occur. If you change the IP address of an Email Security appliance, the tracking availability data for the appliance will be lost.
          Step 5   Click Submit to submit your changes on the page, then click Commit Changes to commit your changes.

          Removing an Appliance from the List of Managed Appliances

          Before You Begin

          You may need to disable any enabled centralized services on the remote appliance before you can remove that appliance from the Security Management appliance. For example, if the Centralized Policy, Virus, and Outbreak Quarantine service is enabled, you must disable that service first on the Email Security appliance. See the documentation for your email appliance.

            Step 1   [New Web Interface Only] On the Cloud Email Security Management Console, click on the gear icon to load the legacy web interface.
            Step 2   Choose Management Appliance > Centralized Services > Security Appliances.
            Step 3   In the Security Appliances section, and click the trash can icon in the row for the managed appliance that you want to delete.
            Step 4   In the confirmation dialog box, click Delete.
            Step 5   Submit and commit your changes.

            Configuring Services on the Security Management Appliance

            Email security services:

            Committing and Abandoning Configuration Changes

            After you make most configuration changes in the Cisco Content Security appliance GUI, you must explicitly commit the changes.

            Figure 2. The Commit Changes Button



            To

            Do This

            Commit all pending changes

            Click the orange Commit Changes button at the top right side of the window. Add a description of the changes and then click commit. If you have not made any changes that require a commit, then a gray No Changes Pending button appears instead of Commit Changes.

            Abandon all pending changes

            Click the orange Commit Changes button at the top right side of the window, then click Abandon Changes.


            Note

            The configuration changes made on the old web interface is updated on the new web interface, after you logout and login to the new Cisco Content Security Management web interface.