Requirements and Dependencies

You can install and use Security Manager as a standalone product or in combination with several other Cisco Security Management Suite applications, including optional applications that you can select in the Security Manager installer or download from Cisco.com. Requirements for installation and operation vary in relation to the presence of other software on the server and according to the way that you use Security Manager.


Tip


We recommend that you synchronize the date and time settings on all your management servers and all the managed devices in your network. One method is to use an NTP server. Synchronization is important if you want to correlate and analyze log file information from your network.

The sections in this chapter describe requirements and dependencies for installing server applications such as Security Managerand Security Manager client software:

Required Services and Ports


Note


Security Manager will use predefined and dynamic ports for its internal operation. Port scanners might block those ports and will not let Security Manager to execute those processes. Therefore port scanners such as Qualys should not be enabled. If enabled, it may crash Security Manager process that may require a complete re installation of Security Manager.

You must ensure that required ports are enabled and available for use by Security Manager and its associated applications on your server so that the server can communicate with clients and servers running associated applications.

The ports that need to be open depend on whether you are using CiscoWorks for AAA or an external server (such as ACS), and whether you are configuring Security Manager to interact with certain other applications:

  • Basic Required PortsTable 3-1 lists the basic ports that must be opened, assuming that you have not customized your configuration to use non-default ports. If you are using CiscoWorks for AAA (user authorization) services, and you do not use any of the optional applications, these should be the only ports you need to open.

Table 1. Basic Required Ports to Open on the Security Manager Server

Communication

Service

Protocol

Port

In

Out

Security Manager Client to the Security Manager Server.

HTTP, HTTPS

TCP

1741/443

X

Security Manager Client to device managers included in the product (such as ASDM).

HTTPS

TCP

443

X

Security Manager Server to Devices.

Tip

 
HTTPS and SSH ports are required, but open the Telnet port only if you use Telnet as the transport protocol for one or more devices. Because Telnet transmits passwords in clear text, we recommend that you never use Telnet, and that you do not open the Telnet port.

HTTPS

TCP

443

X

SSH

TCP

22

X

Telnet

TCP

23

X

Security Manager to an e-mail server.

This port is required only if you configure e-mail notification settings for any of the various functions that can provide these notifications.

SMTP

TCP

25

X

Syslog service used by the Security Manager Event Viewer.

Syslog

UDP

514

X

Health and Performance Monitor

HTTP, HTTPS

TCP

2012 and 4444

X

X

Report Manager

HTTP, HTTPS

TCP

4334

X

X

Event Manager

HTTP, HTTPS

TCP

11999

X

X

  • Ports Required By Optional Applications—If you are using Security Manager with other applications, other ports also need to be opened, as shown in Table 3-2. Open only ports required by applications that you are actually using.

Table 2. Ports Required for Optional Server Applications

Communication

Service

Protocol

Port

In

Out

Security Manager Server to and from CS-MARS.

HTTPS

TCP

443

X

X

Security Manager Server to Cisco Secure Access Control Server (ACS).

HTTP, HTTPS

TCP

  • 2002

  • If port restriction is enabled on the ACS server, allow all ports in the range for HTTP/HTTPS communication.

  • If port restriction is disabled, allow all HTTP/HTTPS traffic between the Security Manager server and ACS.

X

Security Manager Server to an External AAA Server (configurable in a non-ACS mode).

RADIUSLDAPKerberos

TCP

1645, 1646, 1812(new), 389, 636 (SSL), 88

X

Security Manager Server to Configuration Engine.

HTTPS

TCP

443

X

Security Manager Server to TMS Server.

FTP

TCP

21

X

Windows Firewall Configuration Script

Beginning with Version 4.4, Security Manager included a Windows Firewall configuration script in the server installer. This script automates the process of opening and closing the ports necessary for Windows Firewall to work correctly and securely; its purpose is to harden your Security Manager server.

At the time of installation, this script is copied to NMSROOT but not executed. You can run this script manually to configure Windows Firewall on your Security Manager server; doing so will secure the server by blocking unnecessary ports. [NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files (x86)\CSCOpx.]

This script opens only those “IN” ports that are needed for Security Manager to perform its tasks. Hence the “Firewall.txt” file has the ports that are the bare minimum for Security Manager. If, later, you discover that you want some other port to be open, you can do that.

To run the Windows Firewall script, follow this procedure:

Procedure


Step 1

Make sure Powershell scripts can run unrestricted:

  1. Open the Powershell Command Line Tool.

  2. Execute the command “Set-ExecutionPolicy Unrestricted”

Step 2

In NMSROOT, open a command prompt and execute firewall.bat:

  1. Output will appear in the folder NMSROOT/log.

  2. Windows.FW_Config.wfw is the backup of the Windows Firewall configuration before executing the script.

  3. initialfirewallsettings.txt lists the ports that were open BEFORE running the script.

  4. finalfirewallsettings.txt lists the ports that are open AFTER running the script.

Step 3

Enable Windows Firewall and use private network settings: Control Panel > Windows Firewall > Turn Windows Firewall on or off > [General tab] > On.

Step 4

Disable Powershell scripts for security:

  1. Open the Powershell Command Line Tool.

  2. Execute the command “Set-ExecutionPolicy Restricted”

Step 5

[optional] Verify added firewall rules by using Windows Firewall with Advanced Security.


Server Requirements and Recommendations


Note


Customers upgrading their Operating System while migrating to Cisco Security Manager 4.9 or later, must buy the appropriate Windows license.

Note


From CSM 4.28, Microsoft Windows Server 2012 and 2012 R2 will not be supported.


Unless otherwise noted, this section applies to all applications (Security Manager ).

To install Security Manager, you must be an Administrator or a user with local administrator rights; this also applies if you are installing the client only.

We recommend that you install Security Manager on a dedicated server in a controlled environment.

For additional best practices and related guidance, see Preparing a Server for Installation.

Recommended Server

Cisco recommends that you install Security Manager on a server that is equivalent to Cisco UCS C220 M3 server.

Installation Practices to Avoid:

  • Do not install any application on a primary or backup domain controller. Cisco does not support any use of Common Services on a Windows domain controller.

  • Do not install any application in an encrypted directory. Common Services does not support directory encryption.

  • Do not install any application if Terminal Services is enabled in Application mode. In such a case, you must disable Terminal Services, then restart the server before you install. Common Services supports only the Remote Administration mode for Terminal Services.

Table 3. Server Hardware Requirements and Recommendations

Component

Description

Operating System

One of the following:

  • Microsoft Windows Server 2019 Standard— 64-bit

  • Microsoft Windows Server 2019 Datacenter— 64-bit

  • Microsoft Windows Server 2016 Standard— 64-bit

  • Microsoft Windows Server 2016 Datacenter—64-bit

  • Microsoft Windows Server 2012 R2 Standard—64-bit

  • Microsoft Windows Server 2012 Standard—64-bit

  • Microsoft Windows Server 2012 R2 Datacenter—64-bit

  • Microsoft Windows Server 2012 Datacenter—64-bit

English and Japanese are the only supported languages. For complete information, see Understanding Regional and Language Options and Related Settings, page 3-9.

Maria DB Drive Manager is required so that your server can work with Maria database.

System Hardware

  • Processor: Intel Quadcore Xeon 5600 Series or above

  • For best UI experience, you would need a color monitor with 1280 x 1024 resolution and a video card capable of 16-bit colors.

  • DVD-ROM drive.

  • 1 Gbps network adapter.

  • Keyboard.

  • Mouse.

Memory (RAM)

16 GB is the minimum needed to use all features of Security Manager. With less memory, features such as Event Management and Report Management are affected.

Note

 

As per your deployment model RAM will vary. Please refer to the CSM Deployment guide for further details.

In particular, if the amount of RAM available to the operating system is less than 8 GB, Event Management and Report Manager are disabled during installation.

If the memory available to the OS is between 8 and 12 GB, you can turn off Event Management and Report Management, presuming that you do not plan to use them. Configuration Management will be usable in such systems.

Tip

 
To turn off Event Management, follow this path: Configuration Manager > Tools > Security Manager Administration > Event Management > Enable Event Management > [clear checkbox].

Tip

 
To turn off Report Management, simply close the Report Manager application.

Although not recommended, you can enable Event Management and Report Management for low memory systems from the Security Manager client after completing the installation (select Tools > Security Manager Administration > Event Management). Keep in mind that enabling Event Management and Report Management on a system with low memory can severely affect the performance of the entire application.

File system

NTFS.

Disk Optimization

Diskeeper 2010 Server. This is a recommendation, not a requirement. Disk optimization can improve performance if the cause of poor performance is disk fragmentation.

Hard drive space

Use a suitable combination of HDDs in a RAID configuration to achieve the disk space required, which is as follows:

  • 100 GB for the OS partition is recommended by Cisco.

  • 150 GB for the application (Security Manager) partition is recommended by Cisco. The minimum free disk space required for the Security Manager installation alone is 8 GB. If this is not met, then the installation will be aborted.

Note

 
Cisco strongly recommends installing the OS and application on separate partitions.

Note

 
The application partition mentioned above and any other event store partitions may not be relevant when using Veritas in HA (high availability) mode. Please refer to the applicable Security Manager high availability documentation (https://www.cisco.com/c/en/us/support/security/security-manager/products-installation-guides-list.html) and Veritas documentation for further details.
  • An additional 1.0 TB for log storage for the Event Viewer on a separate partition: This is a requirement, but ONLY if you plan to use Event Viewer. Cisco recommends creating this separate partition on a directly attached storage device.

  • An additional 1.0 TB or more: This is a requirement, but ONLY if you plan to enable Event Archival. Event Archival functionality creates a secondary storage of events when log storage is required beyond primary storage capacity (for long term preservation etc.). The Secondary Event Store size is required to be bigger than the configured primary storage size, so an additional 1.0 TB or more of disk space is required to use Event Archival. Both primary & secondary event stores can be on a SAN but it is recommended to create the primary store partition on a directly attached storage (DAS) for optimum performance. For more information on SAN storage, see Using SAN Storage, page 3-10

Cisco recommends RAID 10 for better performance. RAID 5 can be used if desired.

Tips

  • A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for event store (primary/secondary) is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management.

IP address

One static IP address. Dynamic addresses are not supported.

Tip

 
Security Manager can have multiple network interface cards but teaming multiple NICs for load balancing is not recommended.

Virtual Memory (Paging File)

1.5 x installed memory. This is a recommendation from Microsoft for Windows platforms. It is not a Cisco requirement. Memory paging is necessitated only if the installed RAM on the system is insufficient to handle the load.

Caution:

A special consideration applies if you are using Windows Server 2012 or 2012 R2 (Standard or Datacenter)—64-bit.

If you choose to automatically manage paging file size, the installation of Security Manager might fail with an error message recommending you to configure the virtual memory before running the installation program.

To successfully install Security Manager, follow these steps:

  1. Deselect (clear) the checkbox “Automatically manage paging file size for all drives”. (The navigation path to this checkbox is Control Panel > System> Advanced System Settings > Performance > Settings > Advanced tab> Virtual Memory > Change.)

  2. Create the paging file with a minimum size of 4 GB. The paging file value is configured based on the swap size. The default values of the paging configuration are 10240 and 16384 respectively.

  3. Start installing Security Manager.

Antivirus

Real-time protection disabled. This is a recommendation, not a requirement. The system can have an anti-virus application installed, but Cisco recommends disabling real-time protection because it causes a performance penalty. The user can choose to run a quick scan which is scheduled to run at times when there is not much load on the server.

Note

 
It is mandatory to exclude the NMSROOT directory and the eventing folder from scanning.

Browser

One of the following:

  • Internet Explorer 8.x, 9.x, 10.x, or 11.x, but only in Compatibility View

Note

 
When using Internet Explorer (any version) to download the client, ensure that the following setting is correct: Internet Explorer > Tools > Internet Options > Advanced > Security > clear the “Do not save encrypted pages to disk” checkbox. If this setting is not correct (i.e., the checkbox is checked), attempts to download the client will fail.

Tip

 
To use Compatibility View in Internet Explorer, navigate to Tools > Compatibility View Settings, and add the Security Manager server as a “website to be displayed in Compatibility View.”
  • Firefox 15.0.1 and above supported and recommended

Java Plug-in

There is no requirement to have JRE installed. It is required to have Java scripts enabled in the web browser. The version supported is Azul JRE 1.8.0 update 322.

Maria DB

Beginning with Version 4.26, Security Manager uses Maria DB 10.5.15 version.

Optional Virtualization Software

You can, optionally, install the application on a system running the following versions of VMware: ESXi versions from 5 update 2 up to ESXi 6.5.

You should allocate at least the same amount of memory to the virtual machine you use with Security Manager as you would for a non-virtualized server. Use of recent generation CPUs with technology designed to improve virtualization performance is recommended (for example, Intel-VT or AMD-V CPUs).

Tip

 
Allocate two or more CPUs to the VM image. Some processes, such as system backup, can take an unreasonably long time to complete if you use one CPU.

High Availability Support (HA Support)

One of the following:

  • Veritas Storage Foundation 6.0.1

  • Veritas Storage Foundation 6.0.2

  • Veritas Storage Foundation 6.1

  • Veritas Storage Foundation 7.0

  • Veritas Storage Foundation 7.2

  • Veritas Storage Foundation 7.4

    • Veritas InfoScale 7.4.2 and above supports Windows Server 2019

    • Windows 2019:

      Veritas Storage Foundation for Windows Version: 7.4.2

    • Windows 2016:

      Veritas Storage Foundation for Windows Version: 7.4

Understanding Regional and Language Options and Related Settings

Security Manager supports only the U.S. English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows, open the panel where you configure region and language settings, then set the default locale. (We do not support English as the language in any Japanese version of Windows.)


Tip


For a detailed procedure, refer to How to Set the Locale for the Windows Default User Template to U.S. English.

Note


You must change the default system locale to U.S. English before installing Security Manager; changing the default system locale and rebooting the server does not change the default profile. It is not sufficient for the current user only to have the proper settings; this is because Security Manager creates a new account (“casuser”) that runs all Security Manager server processes.

In addition, the Regional and Language Options in the server operating system must be set correctly. Also, peripheral devices such as keyboards that use other languages can affect the way Security Manager functions.

To successfully install Security Manager, you must adhere to the following Regional and Language Options and related settings:

  • The server locale must be U.S. English or Japanese.

  • You must avoid using peripheral devices such as keyboards that use other languages; these devices must not even be connected to the server.

  • You must take care not to disturb the server settings while using a non-console RDP session to the server; connecting to the server by using a non-console RDP can lead to the locale of the RDP client machine being applied to the server.

  • You must check the Regional and Language Options and verify that the language selected for non-Unicode programs is English (United States); the path to that selection is Control Panel > Regional and Language Options > Advanced > Language for non-Unicode Programs.

  • You must ensure that the system locale in the Windows Registry is in a supported language. In order to change it, follow this procedure:

  • In a command window, execute one of the following commands: regedit.exe or regedt32.exe.

  • Make sure that the localname is supported. The following example is for U.S. English:

\HKEY_USERS\.DEFAULT\Control Panel\International

and change LocaleName to en-US


Note


Paths and file names are restricted to characters in the English alphabet. Japanese characters are not supported for paths or file names. When selecting files on a Windows Japanese OS system, the usual file separator character \ is supported, although you should be aware that it might appear as the Yen symbol (U+00A5).

Using SAN Storage

You can use SAN storage with Security Manager provided that the storage has acceptable I/O rates and capacity. The following are the main items within Security Manager that require storage, and the storage options that you have in addition to using disk storage that is directly installed in the server:

  • Security Manager installation folder (CSCOpx and subfolders)—The application is best installed on a local drive. However, the folder can be direct attached storage (DAS) or block-based SAN storage (FC, FCoE, iSCSI). The high-availability configuration for Security Manager, described in High Availability Installation Guide for Cisco Security Manager, requires a shared cluster volume.

  • Primary storage for the Event Manager service—If you use Event Viewer to monitor events, you must specify a primary storage location. The primary storage can be direct attached storage (DAS) or block storage (SAN protocol: FC, FCoE, iSCSI) mapped as a local drive.

  • Extended storage for the Event Manager service—Any extended storage location is expected to be on SAN storage. The extended storage should be direct attached storage (DAS) or block storage (SAN protocol: FC, FCoE, iSCSI) mapped as a local drive.

Tips

  • CIFS and NFS are not supported.

  • The supported network storage types are also supported in VMware configurations.

Requirement for iSCSI Volumes

iSCSI volumes using a software initiator may not be available when Security Manager services are about to start after a system reboot. It may take some time for them to be properly initialized.

If Security Manager services have not started, then you need to configure dependency and service startup settings for them (the Security Manager services).

To configure dependency and startup settings, follow this procedure:

Procedure

Step 1

Execute the following commands in a Windows command prompt to change the startup type of the Cisco Security Manager Daemon Manager, syslog, and tftp services to “Delayed auto start”:

sc config CRMDmgtd start= delayed-auto

sc config crmlog start= delayed-auto

sc config crmtftp start= delayed-auto

Step 2

Set the dependency of Microsoft iSCSi to the Cisco Security Manager Daemon Manager service by executing the following command:

sc config CRMDmgtd depend= MSiSCSI

Tip

 
In these commands, the option name includes the equals sign. A space is required between the equals sign and the value.

Step 3

Verify the dependency settings of the Cisco Security Manager Daemon Manager service by executing the following command. It should display the iSCSI initiator dependency setting as “DEPENDENCIES : MSiSCSI”

sc qc CRMDmgtd


Client Requirements

Table 3-4 describes Security Manager Client requirements and restrictions.


Note


The date and time formats that you select for the client must be the same as those used by your server machine. If they are not, Device View in Security Manager may not load properly.

Caution


Conflict detection uses a significant memory size on the CSM client. The memory usage varies based on the number of rules in the policy or the device that is used. Enable the conflict detection functionality on the client UI, only if required. Ensure that the CSM client LAX file is configured with adequate memory, based on the system RAM size. By default, it is 2 GB. For example, try configuring the LAX file with 4 GB if the machine's RAM size is 8 GB or with 8 GB if the machine's RAM is 16 GB. However, it is strongly recommended that the client LAX file is configured, matching the requirements of the environment.

Use the following parameters based on number of rules and devices requirements:


#   LAX.NL.JAVA.OPTION.JAVA.HEAP.SIZE.MAX
#   -------------------------------------
#   2420m

lax.nl.java.option.java.heap.size.max=2420m

Table 4. Client Requirements and Restrictions

Component

Requirement

System hardware

  • One CPU with a minimum speed of 2 GHz.

  • Color monitor with at least 1280 x 1024 resolution and a video card capable of 16-bit colors.

  • Keyboard.

  • Mouse.

Operating System

One of the following:

  • Microsoft Windows Server 2019 Standard— 64-bit

  • Microsoft Windows Server 2019 Datacenter— 64-bit

  • Microsoft Windows Server 2016 Standard— 64-bit

  • Microsoft Windows Server 2016 Datacenter— 64-bit

  • Microsoft Windows 8—64-bit and 32-bit

  • Microsoft Windows 8.1 Enterprise Edition—64-bit and 32-bit

  • Microsoft Windows 10 —64-bit and 32-bit

  • Microsoft Windows Server 2012 R2 Standard—64-bit

  • Microsoft Windows Server 2012 Standard—64-bit

  • Microsoft Windows Server 2012 R2 Datacenter—64-bit

  • Microsoft Windows Server 2012 Datacenter—64-bit

Note

 
Security Manager supports only the U.S. English and Japanese versions of Windows. From the Start Menu, open the Control Panel for Windows, open the panel where you configure region and language settings, then set the default locale. (We do not support English as the language in any Japanese version of Windows.)

Memory (RAM)

For 32 bit systems:

  • Minimum: 2 GB

  • Recommended: > 2 GB

For 64 bit systems:

  • Minimum: 4 GB

  • Recommended: > 4 GB

Note

 
The minimum memory requirement would increase if you enable conflict detection. In such a case, in the client lax file, increase the memory space to the required value.

Note

 
As per your deployment model, RAM size needs to be increased. Refer to the CSM Deployment Guide for further details

Virtual Memory (Paging File)

512 MB.

Caution:

You must deselect (clear) the checkbox “Automatically manage paging file size for all drives”. (The navigation path to this checkbox is Control Panel > System > Advanced System Settings > Performance > Settings > Advanced tab> Virtual Memory > Change.) The paging file value is configured based on the swap size. The default values of the paging configuration are 10240 and 16384 respectively

Caution:

A special consideration applies if you are using Windows Server 2012 or 2012 R2 (Standard or Datacenter)—64-bit. You need to be aware of this consideration if your server has two independent partitions (e.g., C: and F:).

If you follow these steps, the installation will fail :

  1. Uncheck (clear the checkbox for) “Automatically manage paging file size for all drives.”

  2. On your non-system partition (e.g., F:), create the paging file.

  3. On your system partition (e.g., C:), retain the option to automatically manage paging file size.

  4. Start installing Security Manager.

The installer quits with an error message stating not to use a system-managed paging file size.

Hard Drive Space

10 GB free disk space.

Browser

One of the following:

  • Internet Explorer 8.x, 9.x, 10.x, or 11.x, but only in Compatibility View

Note

 
When using Internet Explorer (any version) to download the client, ensure that the following setting is correct: Internet Explorer > Tools > Internet Options > Advanced > Security > clear the “Do not save encrypted pages to disk” checkbox. If this setting is not correct (i.e., the checkbox is checked), attempts to download the client will fail.

Tip

 
To use Compatibility View in Internet Explorer, navigate to Tools > Compatibility View Settings, and add the Security Manager server as a “website to be displayed in Compatibility View.”
  • Firefox 15.0.1 and above supported and recommended

Java Plug-in

There is no requirement to have JRE installed. It is required to have Java scripts enabled in the web browser. The version supported is Azul JRE 1.8.0 update 322.

The Security Manager client includes an embedded and completely isolated version of Java (Azul JRE 1.8.x). This Java version does not interfere with your browser settings or with other Java-based applications.

Windows user account

You must log into the workstation with a Windows user account that has Administrator privileges to use the Security Manager client.

Although some features of the client might work with lesser privileges, only Administrator users are fully supported.