Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 2 Preparing Devices for Management
Understanding Device Communication Requirements
• SSL (HTTPS)—Secure Socket Layer, which is an HTTPS connection, is the only transport protocol
  used with PIX Firewalls, Adaptive Security Appliances (ASA), and Firewall Services Modules
  (FWSM). It is also the default protocol for IPS devices and for routers running Cisco IOS Software
  release 12.3 or higher.
  If you use SSL as the transport protocol on Cisco IOS routers, you must also configure SSH on the
  routers. Security Manager uses SSH connections to handle interactive command deployments
  during SSL deployments.
  Note: DES encryption is not supported on Common Services 3.0 and later. Ensure that all PIX
  Firewalls and Adaptive Security Appliances that you intend to manage with Security
  Manager have a 3DES/AES license. You will get SSL handshake failures otherwise.
  For information on configuring SSL, see Setting Up SSL (HTTPS), page 2-3.
• SSH—Secure Shell is the default transport protocol for Catalyst switches and Catalyst 6500/7600
  devices. You can also use it with Cisco IOS routers.
  For information on configuring SSH, see Setting Up SSH, page 2-5.
• Telnet—Telnet is the default protocol for routers running Cisco IOS software releases 12.1 and 12.2.
  You can also use it with Catalyst switches, Catalyst 6500/7600 devices, and routers running Cisco
  IOS Software release 12.3 and higher. See the Cisco IOS software documentation for configuring
  Telnet.
• HTTP—You can use HTTP instead of HTTPS (SSL) with IPS devices. HTTP is not the default
  protocol for any device type.
• TMS—Token Management Server is treated like a transport protocol in Security Manager, but it is
  not a real transport protocol. Instead, by configuring TMS as the transport protocol of a router, you
  are telling Security Manager to deploy configurations to a TMS. From the TMS, you can download
  the configuration to an eToken, plug the eToken into the router’s USB bus, and update the
  configuration. TMS is available only for certain routers running Cisco IOS Software 12.3 or higher.
  For information on deploying configurations to a TMS and downloading them to a router, see
  Deploying Configurations to a Token Management Server, page 8-43.
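The transport rules above can be checked against a device inventory before the devices are added. The following Python check is an added example, not part of the Cisco guide or of Security Manager; the record fields (type, transport, ios, ssh_enabled, license_3des_aes) and the sample inventory are assumptions constructed for illustration.

```python
import re

# Added example, not Cisco code. Record fields and the inventory are assumed.
SSL_ONLY = {"pix", "asa", "fwsm"}      # SSL is the only transport for these
CLEARTEXT = {"telnet", "http"}         # unencrypted on the wire

def ios_release(version):
    """Parse the leading major.minor of an IOS release such as '12.2(33)'."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised IOS release: {version!r}")
    return int(m.group(1)), int(m.group(2))

def check_device(dev):
    """Return the findings for one inventory record (empty list = consistent)."""
    kind, proto, out = dev["type"], dev["transport"], []
    if kind in SSL_ONLY and proto != "ssl":
        out.append("SSL is the only transport for PIX, ASA and FWSM")
    if kind in {"pix", "asa"} and not dev.get("license_3des_aes", False):
        out.append("no 3DES/AES license: SSL handshake will fail")
    if kind == "ios_router" and proto == "ssl" and not dev.get("ssh_enabled", False):
        out.append("SSL on an IOS router also requires SSH to be configured")
    if proto == "tms" and (kind != "ios_router" or ios_release(dev["ios"]) < (12, 3)):
        out.append("TMS needs a router running IOS 12.3 or higher")
    if proto == "http" and kind != "ips":
        out.append("HTTP transport is described for IPS devices only")
    if proto in CLEARTEXT:
        out.append("cleartext transport: use SSL or SSH where the device supports it")
    return out

# Constructed sample inventory.
INVENTORY = [
    {"name": "fw-edge", "type": "asa", "transport": "ssl", "license_3des_aes": False},
    {"name": "rtr-branch", "type": "ios_router", "ios": "12.4(15)", "transport": "ssl"},
    {"name": "rtr-old", "type": "ios_router", "ios": "12.2", "transport": "tms"},
    {"name": "sw-core", "type": "catalyst", "transport": "telnet"},
    {"name": "ips-dc", "type": "ips", "transport": "ssl"},
]

def audit(inventory):
    """Map each device name to its list of findings."""
    return {dev["name"]: check_device(dev) for dev in inventory}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        for finding in findings or ["ok"]:
            print(f"{name}: {finding}")
```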
Security Manager can also use indirect methods to deploy configurations to devices, staging the
configuration on a server that manages the deployment to the devices. These indirect methods also allow
you to use dynamic IP addresses on your devices. The methods are not treated as transport protocols, but
as adjuncts to the transport protocol for the device. You can use these indirect methods:
• AUS (Auto Update Server)—When you add a device to Security Manager, you can select the AUS
  server that is managing it. You can use AUS with PIX Firewalls and ASA devices.
  For information on configuring a device to use an AUS server, see Setting Up AUS or Configuration
  Engine, page 2-7.
• Configuration Engine—When you add a router to Security Manager, you can select the
  Configuration Engine that is managing it.
  For more information on configuring a router to use a Configuration Engine server, see Setting Up
  AUS or Configuration Engine, page 2-7.
For information on adding devices that use AUS or Configuration Engine servers to Security Manager,
and how to add the servers, see these topics:
• Adding Devices to the Device Inventory, page 3-6
• Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-35