Reference Sections

The sections in this appendix contain additional information and procedures that you can refer to for guidance in the following areas:

Installing the Cisco Secure Policy Manager Demo

Rather than installing a fully functional system, you can select to install the Cisco Secure Policy Manager Demo, which enables you to explore the graphical user interface.

To install the Demo, perform the following task:


Step 1 Insert the Cisco Secure Policy Manager CD-ROM into the drive on a target host.

Step 2 To begin setup, select Install Demo in the Options box, and then click Next.

Result: The setup program will install the necessary files and place a Cisco Secure Policy Manager Demo folder in the Cisco Systems startup group.


Logging on to Cisco Secure Policy Manager

To log on to Cisco Secure Policy Manager, you must access the Log on to Cisco Secure Policy Manager dialog box and submit the appropriate information. When you log on, you are in essence connecting to the Policy Database on the Policy Server host. On a standalone system, this connection is a local one, but on a distributed or client-server system, this connection is local only if you are logging on using the Policy Server host.

To log on to Cisco Secure Policy Manager, perform the following task:


Step 1 To access the Log on to Cisco Secure Policy Manager dialog box, click Start, point to Programs, then to Cisco Systems, then to Cisco Secure Policy Manager, and click Cisco Secure Policy Manager.

Step 2 To submit the proper administrative account information, type the username and password in the respective boxes under Policy Manager Authorization in the Log on to Cisco Secure Policy Manager dialog box.

Step 3 To connect to the Primary Policy Database when logging on from the Policy Server, click Local under Policy Database Server. To connect to the Primary Policy Database when logging on from a secondary host, click Remote Server, and then type the IP address or DNS name in the box (you do not have to specify the port number unless it is different from the default value of 2567). Then, click Connect.

Result: A connection is made with the Primary Policy Database, and the Cisco Secure Policy Manager GUI opens.


Note If you receive an error message and are unable to log on, refer to Troubleshooting, for possible problems and solutions.


Installing the Getting Started Videos

The Getting Started Videos are included with your Cisco Secure Policy Manager CD-ROM. If you downloaded the software, you will have to run the videoex.exe program, located in the directory where you downloaded Cisco Secure Policy Manager.


Note The Getting Started Videos were created using TechSmith's Camtasia. Camtasia uses a proprietary AVI compression codec called TechSmith Compression Codec (TSCC). Before you can view the videos, you must have TSCC installed on your computer. You have the option of installing TSCC during the Cisco Secure Policy Manager installation process. If you downloaded the software, TSCC is installed when you run the videoex.exe file.

To install the Getting Started Videos, perform the following task:


Step 1 To specify the location of the videos from the Locate Installation CD-ROM Image panel, use the drop-down list to locate the CSPM Tutorials folder in the Cisco Systems folder.

Result: The CSPM Tutorials folder appears in the window.

Step 2 To select the CSPM Tutorials folder, click Open.

Result: The CSPM Tutorials folder is selected in the drop-down list. No files appear in the window.

Step 3 To close the dialog box, click OK.

Result: The Locate Installation CD-ROM Image panel closes and the Getting Started panel appears with a list of videos you can view.

Step 4 To view a video, select that lesson from the drop-down list and click View.

Result: Your default AVI player (commonly, Windows Media Player) will open and play the video.


Preparing the Target Host and Managed Devices

The following sections discuss procedures for meeting the prerequisites outlined in "Planning Your Installation." You should refer to the appropriate section and follow the procedures for any prerequisite lacking on the target host(s) or managed devices prior to installing Cisco Secure Policy Manager.

Preparing the Target Host(s)

The following sections discuss prerequisites for the hosts on which you intend to install Cisco Secure Policy Manager:

Converting Your File Partition from FAT to NTFS

To ensure the integrity and security of the host on which you install Cisco Secure Policy Manager, you must install the product on an NTFS file partition. If the host on which you want to install the product currently runs a FAT file partition, you can convert it to NTFS by performing the following task.

To convert FAT to NTFS, perform the following task:


Step 1 To access a command prompt, click Start, point to Programs, and click Command Prompt on the shortcut menu.

Result: The Command Prompt window appears.

Step 2 To convert the drive, type convert driveletter /FS:NTFS, and then press Enter.


Note You cannot convert the current drive; therefore, driveletter must specify a target drive that is different from the one on which you are typing the convert command.

Result: The volume is converted to NTFS.


Installing the TCP/IP Protocol Stack

You must have the TCP/IP network protocol installed, properly configured, and operational before you begin the setup program. This section defines the task that you must perform to install TCP/IP, if you have not already installed TCP/IP on the target host.

To install TCP/IP on the target host, perform the following task:


Step 1 To access the Network dialog box, right-click Network Neighborhood on the desktop, and then click Properties on the shortcut menu.

You can also access this dialog box by double-clicking the Network icon in Control Panel.

Result: The Network dialog box appears.

Step 2 Click the Protocols tab in the Network dialog box.

Result: The Protocols tab appears at the forefront.

Step 3 To add the TCP/IP protocol stack to the list of installed protocols in the Network Protocols box, click Add, and then select TCP/IP Protocol by clicking it in the Network Protocol list of the Select Network Protocol dialog box. Then, click OK.

Result: You are prompted for the location of the Windows NT CD-ROM.

Step 4 Click Continue on the Windows NT Setup dialog box after you specify the directory path to the Windows NT CD-ROM.

Result: After the appropriate files are copied, you must reboot the computer.


To verify that TCP/IP is functioning properly, perform the following task:


Step 1 To access the command prompt, click Start, point to Programs, and then click Command Prompt on the shortcut menu.

Result: The Command Prompt window appears.

Step 2 To verify that the host on which you installed TCP/IP can communicate using that protocol suite, type ping at the command prompt followed by a space and then a valid IP address of another host on the network.

Result: If TCP/IP is not functioning properly, a request timeout message appears. Otherwise, the host receives a response from the IP address that you pinged.

Step 3 To verify that other hosts can communicate with the host on which you installed TCP/IP, repeat Step 2 on another host by trying to ping the IP address of the host on which you installed TCP/IP.

Result: If TCP/IP is not functioning properly, a request timeout message appears. Otherwise, the host receives a response from the IP address that you pinged.


Installing Cisco Secure VPN Client

Cisco Secure VPN Client enables you to secure the communications channel between the Cisco Secure Policy Manager system and an IPSec-enabled managed device. To use this feature, you must install Cisco Secure VPN Client on any host on which you have installed a standalone Cisco Secure Policy Manager system or the Policy Proxy-Monitor or Policy Proxy feature set.

Cisco Secure VPN Client provides Virtual Private Networking (VPN) capability on a desktop or laptop computer. Based on the latest industry-standard IPSec recommendations, Cisco Secure VPN Client enables secure client-to-gateway communications over TCP/IP networks, including the Internet. Cisco Secure VPN Client gives you the tools you need to use public key encryption for your secure Internet communications. It automatically generates the public/private key pair you need to obtain a digital certificate and lets you import and maintain digital certificates in Certificate Manager.


Note If you are upgrading from a previous version of Cisco Secure VPN Client, uninstall the old version, reboot, and then install the new version. When you uninstall a previous version, you may keep any existing key pairs and certificates.

If you want to install Cisco Secure VPN Client, you must do so before you begin the setup program for Cisco Secure Policy Manager. This section defines the tasks that you must perform to install Cisco Secure VPN Client on the target host(s).

To install Cisco Secure VPN Client, perform the following task:


Step 1 Close all other programs before continuing. Insert the Cisco Secure VPN Client CD-ROM into the drive on the target host.

Result: The Welcome panel appears.

Step 2 To begin setup, click Next.

Result: The License Agreement panel appears.

Step 3 To review all conditions of the license agreement, use the scroll bar on the right side of the window. To accept the license agreement and continue with the installation process, click Yes.

Result: The User Information panel appears.

Step 4 To specify user information, type your name and the name of your company in the corresponding fields. To proceed to the next panel, click Next.

Result: The Choose Destination Location panel appears.

Step 5 To specify where to install Cisco Secure VPN Client, click Browse to find the correct path. To proceed to the next panel, click Next.

Result: The Select Program Folder panel appears.

Step 6 To select the program folder, type in a new folder name, or scroll to locate an existing folder. To proceed to the next panel, click Next.

Result: The Start Copying Files panel appears.

Step 7 To start copying the files to the selected folder, verify the current settings and click Next.

Result: The Setup Complete panel appears.

Step 8 To complete the installation process, select Yes, I want to restart my computer now. Remove the CD-ROM disc and click Finish.

Result: Cisco Secure VPN Client starts automatically each time your computer starts, and runs transparently on your computer.

For more information, refer to the latest version of the Cisco Secure VPN Client release notes at http://www.cisco.com/go/vpnclient.


Installing TAPI and MAPI

To receive e-mail and pager notifications, you must configure TAPI (Telephony Application Programming Interface) and MAPI (Messaging Application Programming Interface) on any host on which you have installed a standalone Cisco Secure Policy Manager system or the Policy Proxy-Monitor or Policy Monitor feature set.

MAPI is a collection of software features built into Windows NT that enables different e-mail clients to distribute mail. MAPI is installed with Windows Messaging. You need to install Windows Messaging and create a user profile if you want Cisco Secure Policy Manager to notify you via e-mail. The following task walks you through the process of checking for Windows Messaging on the computer, installing Windows Messaging, and then creating a user profile.

To set up Windows Messaging, perform the following task:


Step 1 To check for Windows Messaging, double-click the Inbox icon on the Windows NT desktop.

Result: If Windows Messaging is not installed, a dialog box displays a message asking if you want to install it.

Step 2 If you receive this dialog box, click Yes. Otherwise, skip to Step 5.

Result: A dialog box prompts you to insert the Windows NT CD-ROM into the local CD-ROM drive.

Step 3 To install the requisite files, insert the Windows NT CD-ROM, and then ensure that the correct path appears in the Copy File From box. If not, type the correct path to the Windows NT CD-ROM. Then, click Next.

Result: The required files are copied from the Windows NT CD-ROM to the target host.

Step 4 To initiate the Windows Messaging Setup Wizard, double-click the Inbox icon again.

Result: The Windows Messaging Setup Wizard starts and prompts you to choose the type of mail service for your user profile.

Step 5 Click Internet Mail. Then, click Next.

Result: A dialog box prompts you to choose the type of connection for your user profile.

Step 6 Click Network. Then, click Next.

Result: A dialog box prompts you to specify either the name or the IP address of the mail server.

Step 7 Type the name or IP address of the mail server. Then, click Next.

Result: A dialog box prompts you to choose whether to have mail automatically downloaded to the inbox.

Step 8 To have mail automatically downloaded to the inbox, click Automatic. Then, click Next.

Result: A dialog box prompts you to specify the e-mail address from which messages on the system originate.

Step 9 Type the e-mail address from which messages on the system should originate in the E-mail Address box. Also, type the name that should appear on all messages originating from the system in the Full Name box. Then, click Next.

Result: A dialog box prompts you to specify the mailbox name on the mail server.

Step 10 Type the name of the e-mail account on the mail server in the Mailbox Name box. Also, type the password associated with this account in the Password box. Then, click Next.

Result: A dialog box prompts you to choose whether to accept the default personal address book.

Step 11 Accept the default personal address book and default personal folders. Then, click Next.

Result: A message signals that you are done configuring Windows Messaging.

Step 12 Click Finish to complete the process.

Result: The computer is now configured to use MAPI for e-mail notifications.


TAPI is a collection of software features built into Windows NT that gives users access to telephony services. TAPI is automatically configured when you install a modem on a Windows NT-based computer. If you have properly installed and configured your modem, you do not need to do anything else for TAPI functionality.

To configure the modem for alphanumeric paging, perform the following task:


Step 1 To access the Modems Properties applet, click Modems in Control Panel.

Result: The Modems Properties dialog box appears.

Step 2 To specify which modem you want to configure, click that modem in the Modem list, and then click Properties.

Result: The Modem Properties dialog box for the selected modem appears.

Step 3 To access the connection settings, click the Connection tab.

Step 4 Under Connection preferences, verify the following settings:

Step 5 To access the Advanced Connection Settings dialog box, click Advanced.

Result: The Advanced Connection Settings dialog box appears.

Step 6 Under Use flow control, verify that the Software (XON/XOFF) option is selected.

Step 7 To close the Advanced Connection Settings dialog box, click OK.

Step 8 To accept your changes and close the Modem Properties dialog box, click OK.

Step 9 To close the Modems Properties applet, click Close.

Step 10 To close Control Panel, click Close on the File menu.


Disabling DHCP

The Dynamic Host Configuration Protocol (DHCP) enables hosts to receive dynamically assigned IP addresses. Because these IP addresses are not permanently assigned to the hosts, distributing Cisco Secure Policy Manager among a number of hosts with dynamically assigned IP addresses may result in loss of communication between the hosts if one or more IP addresses change. Therefore, we recommend, but do not require, that you disable DHCP or assign a permanent, static lease for all Cisco Secure Policy Manager hosts.

You should make sure that each target host has a permanently assigned IP address before you install Cisco Secure Policy Manager.


Note If you choose to use DHCP, you must define a permanent, static lease for all hosts on which Cisco Secure Policy Manager runs. As long as the lease is permanent, communications between Cisco Secure Policy Manager hosts are performed correctly.

To disable DHCP and assign a permanent IP address, perform the following task:


Step 1 To access the Network dialog box, right-click Network Neighborhood on the desktop, and then click Properties on the shortcut menu.

Result: The Network dialog box appears.

Step 2 Click the Protocols tab on the Network dialog box.

Result: The Protocols tab appears at the forefront.

Step 3 To access TCP/IP properties, click TCP/IP Protocol in the Network Protocols list, and then click Properties.

Result: The Microsoft TCP/IP Properties dialog box appears with the IP Address tab at the forefront.

Step 4 To disable DHCP, click Specify an IP address.

Result: The IP Address, Subnet Mask, and Default Gateway boxes become available.

Step 5 To assign a permanent IP address to the host, type an available IP address in the IP Address box, its corresponding subnet mask in the Subnet Mask box, and the default gateway IP address to which all packets should be sent for routing in the Default Gateway box. Click Apply.

Result: The IP address that you specified becomes permanently associated with the host, unless you change it in the future.


Note You must disable DHCP for each network adapter installed in the host. You can select another adapter by clicking that adapter in the Adapter box in the IP Address panel.

Step 6 To apply your changes to the network settings, click the Bindings tab.

Result: Windows NT recalculates the TCP/IP stack bindings.

Step 7 To exit and reboot your host, click OK.

Result: You are prompted to reboot your computer. You should reboot before you continue verifying the network connectivity.


Changing the Timeout Setting

We strongly recommend that you set the Windows NT startup timeout to zero seconds and that you load Windows NT by default. Setting the timeout to zero prevents someone from gaining access to the host before the operating system takes control. Follow the procedures in this section to change the timeout setting.

To change the Windows NT timeout setting, perform the following task:


Step 1 To access the System Properties dialog box, right-click the icon on the desktop that represents the host, and then click Properties on the shortcut menu.

You can also access this dialog box by double-clicking the System icon in Control Panel.

Result: The System Properties dialog box appears with the General panel at the forefront.

Step 2 Click the Startup/Shutdown tab.

Result: The Startup/Shutdown tab appears at the forefront.

Step 3 Under System Startup, change the value that appears in the Show list for box to zero. Click Apply, and then click OK.

Result: The dialog box closes, and upon the next reboot the operating system takes control of the host without any timeout.


Creating a Windows NT Account for Installation

We recommend that you use the same Windows NT account (with administrative privileges) whenever you install or uninstall Cisco Secure Policy Manager or any of its feature sets. This account can be either a domain account or a local account. Follow the procedures in this section to create a new Windows NT account with administrative privileges.

To create a new Windows NT account with administrative privileges, perform the following task:


Step 1 To open the User Manager, click Start, point to Programs and then Administrative Tools, and click User Manager (or User Manager for Domains) on the shortcut menu.

Result: The User Manager appears.

Step 2 To create a new user, click New User on the User menu.

Result: The New User dialog box appears.

Step 3 To specify account parameters, type the username in the Username box and a corresponding password in the Password box. You must confirm the password by retyping it in the Confirm Password box.

Result: The username and password that you typed become associated with the new account.

You can also provide more information by filling in the Full Name and Description boxes.

Step 4 To assign administrative privileges to the account, click Groups, click Administrators in the Not member of box, and then click Add.

Result: Administrators appears in the Member of box.

Step 5 To close the Group Memberships and New User dialog boxes, click OK.

Result: The Windows NT user account becomes active. You can now use this account to log on to the host.


Preparing the Managed Device(s)

The following sections refer to prerequisites to help you prepare the devices you intend to manage with Cisco Secure Policy Manager:

Bootstrapping the PIX Firewall

To connect to and configure the initial settings for the PIX Firewall, you must use a console terminal, such as the one described in the "Configuring a Console Terminal" section. These bootstrap settings can be discovered automatically by the Topology Wizard provided with Cisco Secure Policy Manager, but you must specify them on the PIX Firewall before Cisco Secure Policy Manager can discover the PIX Firewall on your network. Complete the following worksheet before performing the bootstrapping procedures.

PIX Firewall Worksheet

The worksheet in Table A-1 asks you questions about your PIX Firewall and your network. You should write the answer to each question in the corresponding box. Then, as you are performing the procedures for the PIX Firewall, you should replace any reference letter within a procedure with the answer corresponding to that reference letter.


Table A-1: PIX Firewall Worksheet

Reference (procedures display this)    Question (used to obtain real value)    Answer (this is your real value)

[A]    What is the enable password for this PIX Firewall?    For security purposes, do not record your password in this worksheet.

[B]    What is the outside IP address of your PIX Firewall?    ________

[C]    What netmask is associated with the network connected to the outside of your PIX Firewall?    ________

[D]    What is the inside IP address of your PIX Firewall?    ________

[E]    What netmask is associated with the network connected to the inside of your PIX Firewall?    ________

[F]    What is the default route for your PIX Firewall?    ________

[G]    If you want to set up address hiding, what is the low IP address used for the NAT pool?    ________

[H]    If you want to set up address hiding, what is the high IP address used for the NAT pool?    ________

[I]    What is the IP address of the Policy Proxy host that controls this PIX Firewall?    ________

[J]    If the Policy Proxy host resides on a network other than the inside network, what is the default gateway for the inside network to use when trying to reach that other network?    ________


Note You should also consider the following questions as you perform the bootstrapping procedures:

The following procedures detail the commands entered at the console terminal. The commands use brackets surrounding a capital letter, such as [A], to refer to values that you have written on the worksheet. When you are carrying out a procedure that has a reference to the worksheet, type the value from the field on the worksheet, not the reference letter that we use to point you to the field on the worksheet.

For cases where we cannot use the worksheet to collect the required data, we use the standard command syntax. Do not type the angle brackets (<, >) or square brackets ([, ]) in any command that you enter; they only mark required and optional parameters.


Caution Cisco Secure Policy Manager only detects and imports a small number of configuration commands installed on a PIX Firewall (for support limitations, see Release Notes for Cisco Secure Policy Manager; for a full list of supported commands, see the Configuring Cisco Secure Policy Manager guide). If you have a large number of configuration rules active on the target PIX Firewall(s), you should copy that configuration to a backup location before continuing with this task. If you have rules defining unsupported commands, you can copy those rules directly into the Cisco Secure Policy Manager GUI client after the initial configuration is completed.

To bootstrap a PIX Firewall, perform the following task:


Step 1 Using a console terminal, connect to the PIX Firewall console port.

Step 2 To specify that you want to configure the PIX Firewall using privileged mode, type enable and press Enter.

Step 3 Type the enable password [A] for the PIX Firewall, and then press Enter.

Step 4 To enter terminal configuration mode, type configure terminal and press Enter.

Result: You are in the PIX Firewall terminal configuration mode.

Step 5 To name each interface and specify an interface security level between 0 and 100, type nameif <hardware_id> <if_name> <security_lvl>, and then press Enter.

Use the following parameter guidelines to complete the nameif command:

If you have both Token Ring and Ethernet interfaces, specify three nameif command statements and for each, replace hardware_id starting with ethernet0 or token0 and consecutively number the Ethernet or Token Ring interfaces thereafter. For example, if you have an Ethernet interface on the outside, a Token Ring on the inside, and an Ethernet interface as the third interface, the slots would be named ethernet0, token0, and ethernet1.
You can abbreviate the hardware_id name with any significant letters, such as e0 for ethernet0, or t0 for token0.
For a PIX Firewall that has more than four interfaces installed, you must name all the DMZ-slot:# interfaces, where the "#" is replaced by the slot number in which that interface is installed. Also, you will only modify the slot number itself. If you change the interface to a name that is not listed above, Cisco Secure Policy Manager issues consistency errors.

Step 6 To name each additional interface installed in the PIX Firewall and to specify an interface security level for each interface, repeat Step 5 until all interfaces have been named.

Step 7 To designate the network IP address and network mask for the outside interface, type ip address outside [B] [C], and then press Enter.

Step 8 To designate the network IP address and network mask for the inside interface, type ip address inside [D] [E], and then press Enter.

Step 9 To specify the default gateway for your PIX Firewall, type route outside 0 0 [F] [metric], and then press Enter.

Step 10 To apply the global pool of IP addresses that you just specified to the inside interface, type nat (inside) <nat_id> <local_ip> [<netmask> [<max_conns> [<em_limit>]]] [norandomseq], and then press Enter.

The nat_id value is the same value that you specified in Step 8. The remaining parameters must adhere to the following guidelines:

Step 11 To enable the Policy Proxy to distribute commands to the PIX Firewall, type telnet [I], and then press Enter.

Step 12 To specify the route to reach the Policy Proxy host if it is not located on the network attached to the inside interface, type route inside <network_address> <netmask> [J] [metric], and then press Enter.

See Table 1-2, "Supported PIX and IOS Platforms," for the PIX Firewall versions that require you to connect to the inside interface when distributing commands.

Step 13 To save your configuration changes to the Flash memory of the PIX Firewall, type write memory, and then press Enter.

Step 14 To exit the enable privileged mode and close the terminal console connection, type exit, and then press Enter.

You should be able to Telnet and log in to this managed device from the Policy Proxy host.


Note If this managed device supports IPSec, you will be required to perform additional bootstrapping procedures when you define your network topology in Cisco Secure Policy Manager. These procedures are required after Cisco Secure Policy Manager is installed and are therefore not covered in this installation guide. Refer to the Cisco Secure Policy Manager Administrator's Guide: Policy Development and Enforcement for more information.
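The bootstrapping procedure above substitutes worksheet values for the bracketed letters and includes two conditional steps (address hiding in Step 10, the inside route in Step 12). The following Python script is an added example, not Cisco's code or part of the original guide: it holds a constructed sample worksheet (all addresses are made up; the enable password [A] is deliberately not stored), checks that the values fit together before anyone touches the console, and renders the Step 4 to Step 13 commands with the letters replaced. The global (outside) command it emits for address hiding is standard PIX syntax that the guide's own steps do not show, and the proxy_network parameter is an assumption standing in for the <network_address> <netmask> of Step 12, which the worksheet does not collect.

```python
"""Substitute Table A-1 worksheet values into the PIX bootstrap commands.

Added example for this guide, not Cisco's code. Worksheet letters follow
Table A-1; every address below is a constructed sample value.
"""
import ipaddress

# Constructed sample worksheet. Leave G and H empty to skip address hiding;
# leave J empty when the Policy Proxy host already sits on the inside network.
WORKSHEET = {
    "B": "203.0.113.2",     # outside IP address
    "C": "255.255.255.0",   # outside netmask
    "D": "192.168.10.1",    # inside IP address
    "E": "255.255.255.0",   # inside netmask
    "F": "203.0.113.1",     # default route (next hop on the outside)
    "G": "203.0.113.10",    # low end of the NAT pool
    "H": "203.0.113.20",    # high end of the NAT pool
    "I": "192.168.20.5",    # Policy Proxy host
    "J": "192.168.10.254",  # inside gateway toward the Policy Proxy network
}


def _iface(ws, addr_key, mask_key):
    """Build an interface object from an address letter and a netmask letter."""
    return ipaddress.ip_interface(f"{ws[addr_key]}/{ws[mask_key]}")


def proxy_on_inside(ws):
    """True when the Policy Proxy host [I] is on the inside network [D]/[E]."""
    return ipaddress.ip_address(ws["I"]) in _iface(ws, "D", "E").network


def check_worksheet(ws):
    """Return a list of inconsistencies; an empty list means the values fit together."""
    problems = []
    outside, inside = _iface(ws, "B", "C"), _iface(ws, "D", "E")
    if outside.network.overlaps(inside.network):
        problems.append("outside [B]/[C] and inside [D]/[E] networks overlap")
    if ipaddress.ip_address(ws["F"]) not in outside.network:
        problems.append("default route [F] is not on the outside network")
    low, high = ws.get("G"), ws.get("H")
    if bool(low) != bool(high):
        problems.append("address hiding needs both [G] and [H]")
    elif low and ipaddress.ip_address(low) > ipaddress.ip_address(high):
        problems.append("NAT pool low address [G] is above high address [H]")
    if not proxy_on_inside(ws) and not ws.get("J"):
        problems.append("Policy Proxy [I] is off the inside network but [J] is blank")
    return problems


def bootstrap_commands(ws, proxy_network=None, nat_id=1, metric=1,
                       interfaces=(("ethernet0", "outside", 0),
                                   ("ethernet1", "inside", 100))):
    """Render Steps 4-13 with worksheet values in place of the bracketed letters.

    proxy_network (assumed parameter, e.g. "192.168.20.0/24") is the network of
    the Policy Proxy host; it is only needed for the Step 12 route inside command.
    """
    cmds = ["configure terminal"]                               # Step 4
    for hw_id, if_name, level in interfaces:                    # Steps 5 and 6
        cmds.append(f"nameif {hw_id} {if_name} {level}")
    cmds.append(f"ip address outside {ws['B']} {ws['C']}")      # Step 7
    cmds.append(f"ip address inside {ws['D']} {ws['E']}")       # Step 8
    cmds.append(f"route outside 0 0 {ws['F']} {metric}")        # Step 9
    if ws.get("G") and ws.get("H"):                             # Step 10 (address hiding)
        # The global pool is PIX syntax the guide's steps assume but do not show.
        inside_net = _iface(ws, "D", "E").network
        cmds.append(f"global (outside) {nat_id} {ws['G']}-{ws['H']}")
        cmds.append(f"nat (inside) {nat_id} {inside_net.network_address} {ws['E']}")
    cmds.append(f"telnet {ws['I']}")                            # Step 11
    if not proxy_on_inside(ws):                                 # Step 12
        if proxy_network is None:
            raise ValueError("proxy_network is required when [I] is not on the inside network")
        net = ipaddress.ip_network(proxy_network)
        cmds.append(f"route inside {net.network_address} {net.netmask} {ws['J']} {metric}")
    cmds.append("write memory")                                 # Step 13
    return cmds


if __name__ == "__main__":
    for problem in check_worksheet(WORKSHEET):
        print("worksheet problem:", problem)
    print("\n".join(bootstrap_commands(WORKSHEET, proxy_network="192.168.20.0/24")))
```

Run the script as-is to see the rendered command list for the sample worksheet; blank out G and H, or move [I] onto the inside network, to watch the conditional steps drop out. The checks are deliberately conservative: they catch the mistakes that leave the Policy Proxy unable to reach the firewall (a default route off the outside network, a missing inside gateway), not every possible misconfiguration.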


Bootstrapping a Cisco Router

To connect to and configure the initial settings for a Cisco router/firewall or Cisco VPN Gateway, you must use a console terminal, such as the one described in Configuring a Console Terminal. These bootstrap settings can be discovered automatically by the Topology Wizard provided with Policy Manager, but you must specify them before Policy Manager can discover the managed device on your network.

Cisco Router Worksheet

The worksheet in Table A-2 asks you questions about your Cisco router and your network. You should write the answer to each question in the corresponding box. Then, as you are performing the procedures for the Cisco IOS software setup command, you should replace any reference letter within a procedure with the answer corresponding to that reference letter.


Table A-2: Cisco Router Worksheet

Reference (procedures display this)    Question (used to obtain real value)    Answer (this is your real value)

--    What version of Cisco IOS software is running on this Cisco router?    ________

--    Does this Cisco router have the firewall feature set?    ________

--    Does this Cisco router support IPSec?    ________

[A]    What is the enable password for this Cisco router?    For security purposes, do not record your password in this worksheet.

[B]    What is the default route for your Cisco router?    ________

[C]    If the Policy Proxy host resides on a network other than the inside network, what is the default gateway for the inside network to use when trying to reach that other network?    ________

[D]    For dynamic NAT, what is the starting IP address used for the NAT pool?    ________

[E]    What is the ending IP address used for the NAT pool?    ________

[F]    For static NAT, what is the alias IP address of the Policy Proxy host?    ________

[G]    What is the actual IP address of the Policy Proxy host?    ________

--    How many interfaces are on your Cisco router?    ________

For each interface on your Cisco router:

[H]    What is the interface name?    ________

--    Is this interface enabled?    ________

[I]    What is the IP address of this interface?    ________

[J]    What is the netmask?    ________


Note You should also consider the following questions as you perform the bootstrapping procedures:

  • For the devices between a managed device and the Policy Proxy host for that managed device, what routes need to be set up on each device to ensure connectivity between the managed device and the Policy Proxy host?

  • For this managed device, what interface does the Policy Proxy host connect to?

  • For any managed device protecting the network where the Policy Proxy host resides, is the managed device performing NAT?

    • You must assign a static IP address to the Policy Proxy host protected by the managed device that is performing NAT.

    • Always keep in mind the final translated address for the Policy Proxy host, as this is the address the managed device will expect during command distribution.

  • For any managed device, what routes need to be set up to ensure connectivity between all Cisco Secure Policy Manager hosts for TCP traffic on port 2567?

The following procedures detail the commands entered at the console terminal. The commands use brackets surrounding a capital letter, such as [A], to refer to values that you have written on the worksheet. When you are carrying out a procedure that has a reference to the worksheet, type the value from the field on the worksheet, not the reference letter that we use to point you to the field on the worksheet.

For cases where we cannot use the worksheet to collect the required data, we use the standard command syntax. Do not type the angle brackets (<, >) or square brackets ([, ]) in any command that you enter; they only mark required and optional parameters.


Caution Cisco Secure Policy Manager only detects and imports a small number of configuration commands installed on a managed device (for support limitations, see Release Notes for Cisco Secure Policy Manager; for a full list of supported commands, see the Configuring Cisco Secure Policy Manager guide). If you have a large number of configuration rules active on the target managed device(s), you should copy that configuration to a backup location before continuing with this task. If you have rules defining unsupported commands, you can copy those rules into Cisco Secure Policy Manager after the initial configuration is completed.

To bootstrap the Cisco router, perform the following task:


Step 1 Using a console terminal, connect to the router console port.

Step 2 Turn ON power to the router.

--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Refer to the 'Getting Started' Guide for additional help.
Default settings are in square brackets '[]'. Continue with
configuration dialog? [yes]:

You have the option of proceeding with the setup command facility to configure the interfaces, or exit from setup and use configuration commands to configure global (system-wide) and interface-specific parameters. You do not have to configure the interfaces immediately; however, you cannot enable the interfaces or connect them to any networks until you have configured them.

Step 3 To specify that you want to configure this router using privileged mode, type enable and press Enter.

Step 4 Type the enable password [A] for this router, and then press Enter.

Step 5 To enter terminal configuration mode, type configure terminal and press Enter.

Result: You are in Cisco IOS terminal configuration mode.

Step 6 To specify the static default gateway for your router, type ip route 0.0.0.0 0.0.0.0 [B] [metric], and then press Enter.

Use the following parameter guidelines to complete the ip route 0.0.0.0 0.0.0.0 command:

If the managed device is not on the same network, you will need to add a route to enable Cisco Secure Policy Manager to distribute its generated command sets. You can confirm this need by pinging the managed device from the Policy Proxy host. If you cannot ping the managed device, you need a route from the managed device back to the network where the Policy Proxy host resides.

Step 7 To specify a route to reach the Policy Proxy host if it is not located on the network attached to the inside interface, type ip route <network_address> <netmask> [C] [metric], and then press Enter.

Use the following parameter guidelines to complete the ip route command:

Step 8 If you do not want to perform address hiding, skip to Step 12.

Step 9 To define a global pool of IP addresses to use for address hiding (NAT), type ip nat pool <pool_name> [D] [E] netmask <netmask>, and then press Enter.

Use the following parameter guidelines to complete the ip nat pool command:

Step 10 To apply the global pool of IP addresses that you just specified to the inside interface, type ip nat inside source list <list_name> pool <pool_name> overload, and then press Enter.

Use the following parameter guidelines to complete the ip nat inside source list command:

Step 11 If you do not want to perform static NAT, skip to Step 13.

Step 12 To enable static NAT of the inside source address, type ip nat inside source static [F] [G], and then press Enter.

Step 13 To select an interface to assign an IP address to, type interface [H], and then press Enter.

Step 14 To assign an IP address to the interface you selected, type ip address [I] [J], and then press Enter.

Step 15 If you want to perform NAT on this interface, type ip nat inside, and press Enter.

Step 16 Repeat Step 13 through Step 15 for each interface.

Step 17 Type exit, and press Enter.

Step 18 To exit from the configuration mode, type end.

Step 19 To save your configuration changes to the Flash memory of the router, type write memory, and then press Enter.

Step 20 To exit the enable privileged mode and close the terminal console connection, type exit, and then press Enter.

You should be able to Telnet and log in to this router from the Policy Proxy host.
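The bootstrap procedure above is typed one command at a time from worksheet values, which makes it easy to mistype an address or to forget the static translation that the planning questions require for a Policy Proxy host behind NAT. The following added example (not part of the Cisco guide) renders the complete command set of Steps 5 through 19 from a worksheet object, validates each address before it is emitted, and answers the planning question of which address the managed device will actually see for the Policy Proxy host. The worksheet fields [B] through [J] are modelled as named attributes; the pool name, access-list name and interface names in the sample are assumptions, and the optional [metric] arguments are omitted. The rendered text can be pasted into the console session, for instance from HyperTerminal, as the guide describes.

```python
"""Render the router bootstrap command set (Steps 5-19) from worksheet values.

Added example, not Cisco's code. Worksheet fields [B]..[J] are modelled as
named attributes; pool name, access-list name and interface names are assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    name: str                 # worksheet [H], e.g. "Ethernet0"
    address: str              # worksheet [I]
    netmask: str              # worksheet [J]
    nat_inside: bool = False  # Step 15: interface faces the hidden (inside) network


@dataclass
class Worksheet:
    default_gateway: str                    # [B]
    interfaces: List[Interface] = field(default_factory=list)
    proxy_network: Optional[str] = None     # Step 7: network where the Policy Proxy host lives
    proxy_netmask: Optional[str] = None
    proxy_next_hop: Optional[str] = None    # [C]
    pool_name: Optional[str] = None         # Step 9 pool name (assumed)
    pool_start: Optional[str] = None        # [D]
    pool_end: Optional[str] = None          # [E]
    pool_netmask: Optional[str] = None
    acl_name: Optional[str] = None          # Step 10 access-list name (assumed)
    static_local: Optional[str] = None      # [F]: inside local address (e.g. Policy Proxy host)
    static_global: Optional[str] = None     # [G]: translated address the device will expect


def render_bootstrap(w: Worksheet) -> List[str]:
    """Return the commands in the order the procedure types them (Step 5 to Step 19)."""
    addr = ipaddress.IPv4Address  # raises ValueError on a mistyped worksheet value
    lines = ["configure terminal",                                          # Step 5
             f"ip route 0.0.0.0 0.0.0.0 {addr(w.default_gateway)}"]        # Step 6
    if w.proxy_network:                                                     # Step 7
        net = ipaddress.IPv4Network(f"{w.proxy_network}/{w.proxy_netmask}")
        lines.append(f"ip route {net.network_address} {net.netmask} {addr(w.proxy_next_hop)}")
    if w.pool_name:                                                         # Steps 9-10
        if addr(w.pool_start) > addr(w.pool_end):
            raise ValueError("NAT pool start [D] must not exceed end [E]")
        lines.append(f"ip nat pool {w.pool_name} {w.pool_start} {w.pool_end} netmask {w.pool_netmask}")
        lines.append(f"ip nat inside source list {w.acl_name} pool {w.pool_name} overload")
    if w.static_local:                                                      # Step 12
        lines.append(f"ip nat inside source static {addr(w.static_local)} {addr(w.static_global)}")
    for i in w.interfaces:                                                  # Steps 13-16
        ipaddress.IPv4Interface(f"{i.address}/{i.netmask}")  # validates [I] and [J]
        lines.append(f"interface {i.name}")
        lines.append(f" ip address {i.address} {i.netmask}")
        if i.nat_inside:
            lines.append(" ip nat inside")
        lines.append(" exit")                                               # Step 17
    lines += ["end", "write memory"]                                        # Steps 18-19
    return lines


def expected_proxy_address(w: Worksheet, proxy_host: str) -> str:
    """Address the managed device will see for the Policy Proxy host after translation.

    The planning notes require a static translation for a Policy Proxy host that sits
    behind an interface performing NAT; a dynamic pool address is not stable.
    """
    host = ipaddress.IPv4Address(proxy_host)
    behind_nat = any(
        i.nat_inside and host in ipaddress.IPv4Interface(f"{i.address}/{i.netmask}").network
        for i in w.interfaces)
    if not behind_nat:
        return proxy_host
    if w.static_local and ipaddress.IPv4Address(w.static_local) == host:
        return w.static_global
    raise ValueError("Policy Proxy host behind NAT needs a static translation ([F]/[G])")


def sample_worksheet() -> Worksheet:
    """Constructed values from documentation address ranges, not a real deployment."""
    return Worksheet(
        default_gateway="198.51.100.1",
        interfaces=[Interface("Ethernet0", "10.1.1.1", "255.255.255.0", nat_inside=True),
                    Interface("Serial0", "198.51.100.2", "255.255.255.252")],
        proxy_network="10.2.0.0", proxy_netmask="255.255.0.0", proxy_next_hop="10.1.1.254",
        pool_name="cspm-pool", pool_start="198.51.100.10", pool_end="198.51.100.20",
        pool_netmask="255.255.255.0", acl_name="1",
        static_local="10.1.1.50", static_global="198.51.100.50",
    )


if __name__ == "__main__":
    print("\n".join(render_bootstrap(sample_worksheet())))
```

Run the file to print the command set for the sample worksheet; `expected_proxy_address` raises when a Policy Proxy host on the inside network has no static translation, which is exactly the case the planning questions tell you to avoid.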


Note If this router supports IPSec, you will be required to perform additional bootstrapping procedures when you define your network topology in Cisco Secure Policy Manager. These procedures are required after Cisco Secure Policy Manager is installed and are therefore not covered in this installation guide. Refer to the Cisco Secure Policy Manager Administrator's Guide: Policy Development and Enforcement for more information.


Configuring a Console Terminal

If the computer you are connecting to runs either Windows 95 or Windows NT, the Windows HyperTerminal accessory provides easy-to-use software for communicating with the managed device. If you are using UNIX, refer to your system documentation for a terminal program.

HyperTerminal also lets you cut and paste configuration information from your computer to the managed device console. This ability is crucial for pasting IPSec bootstrap commands to the managed device console.

To configure HyperTerminal for use as the managed device console, perform the following task:


Step 1 Connect the serial port of your PC to the console port of the managed device with the serial cable supplied in the managed device accessory kit.

Step 2 To start HyperTerminal, click Start, point to Programs, and then point to Accessories, then point to HyperTerminal, and click HyperTerminal.

Result: The HyperTerminal window opens, and the Connection Description dialog box appears.

Step 3 To specify that this connection description is for a specific managed device console, type a unique name in the Name box and click OK.

Result: The Connect To panel appears.

Step 4 To designate the COM port to which the managed device serial cable is attached, click that port number in the Connect using box, and then click OK.

Step 5 To specify the required connection settings in the COM Properties dialog box, select the following values, and then click OK:

Result: The HyperTerminal window is now ready to receive information from the managed device console. If the serial cable is connected to the managed device, turn on the managed device and you should be able to view the console startup display.


Note If the connection does not appear to be established, wait for at least 60 seconds. The managed device does not send information for about 30 seconds after a connection is established. If messages do not appear after 60 seconds, press Enter. If nothing appears, ensure that the serial cable is attached securely to the COM port you specified and to the serial port on the managed device. If garbage characters appear, verify that the bits per second value is 9600.

Step 6 To save your terminal configuration settings, click Save on the File menu.

Step 7 To exit HyperTerminal, click Exit on the File menu.

Result: HyperTerminal prompts you to be sure you want to disconnect.

Step 8 To disconnect and close the HyperTerminal window, click Yes.

Result: HyperTerminal saves a log of your console session that you can access the next time you use it.


Tips To restart HyperTerminal, click the connection description name that you specified in the HyperTerminal folder on the Accessories submenu. When HyperTerminal starts, drag the scroll bar up to view the previous session.


Upgrading and Licensing Your System

As long as you have a valid, licensed source disc that contains a newer version of Cisco Secure Policy Manager, you can upgrade any part of your system to the newer version. All configuration data is preserved when you perform a valid upgrade.


Note When you are upgrading a distributed system, you must first upgrade the Policy Server host before you upgrade the other distributed feature sets.

To upgrade using the local maintenance method, perform the following task:


Step 1 To initiate the Autostart sequence, insert the CD-ROM disc containing the newer version of Cisco Secure Policy Manager into the drive.

Result: The Autostart panel appears, and the What Do I Need To Do? box explains the results of the system check.

Step 2 To continue with the upgrade process, select Install Product in the Options box. To proceed to the next panel, click Next.

Result: The License Disk panel appears when you upgrade between major versions.

Step 3 To specify the location of the Cisco Secure Policy Manager license disk, type the directory path in the Location box, or click Browse to find the correct path. Then type the corresponding password in the Password box. To proceed to the next panel, click Next.


Note If you are upgrading from the evaluation version of this software to the standard product license, refer to the readme.txt file located with the license.

Result: The Backup Folder panel appears.

Step 4 To specify the location in which to store the backup file of your current system, type a valid directory path in the Backup Folder box. To proceed to the next panel, click Next.

Result: A file containing your current system data is stored in the location that you specify. You can use this backup file to restore the system to the exact configuration at the time the backup was created. After you click Next, the Verify Settings panel appears.

Step 5 To verify the settings that you chose before copying files, use the scroll bar on the right side of the window. Review all settings carefully before clicking Copy Files.

Result: The system or feature set on the local host is upgraded to the newer version.

Repeat this procedure for any remaining Cisco Secure Policy Manager hosts on your network.


Troubleshooting

The discussions in this section outline potential problems and solutions that you may encounter while attempting to install Cisco Secure Policy Manager.

You should refer to the Release Notes for Cisco Secure Policy Manager for caveats and other known issues.

Troubleshooting Managed Device Issues

The questions in this section represent issues that will help you troubleshoot the preparation of a managed device. This section provides answers to the following questions:

How do I know if I should bootstrap a managed device?

Test connectivity between the managed device and the target host. If you can Telnet to the device and enter the enable password, you do not need to bootstrap.

To Telnet from the Policy Proxy host to the managed device, perform the following task:


Step 1 Click Run on the Windows Start menu.

Step 2 To run Telnet, type telnet [M] in the Open box, where [M] represents the interface the Policy Proxy host is connecting to, and press Enter.

Result: The system attempts to Telnet to the interface you specified.

Result: Connectivity between the Policy Proxy host and managed device is confirmed when the password is accepted.

How do I test the connectivity for a managed device?

The following task outlines the procedures for testing the connectivity for a managed device.

To test the connectivity for this managed device, perform the following task:


Step 1 To access the command prompt, click Start, point to Programs, and then click Command Prompt on the shortcut menu.

Result: The Command Prompt window appears.

Step 2 To verify that the Policy Proxy host can ping the managed device, type ping at the command prompt followed by a space and then the IP address of the managed device interface the Policy Proxy host connects to for command distribution.

Result: If the ping attempt was successful, the host receives a response from the IP address that you pinged. If the ping was unsuccessful, a request timeout message appears.

If you cannot confirm the connectivity for command distribution, you must bootstrap the managed device to ensure that it has a basic configuration that enables it to receive commands from the Policy Proxy host.
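The two checks above (Telnet to the managed device interface [M], and ping between hosts) are done by hand from the Policy Proxy host. The following added example (not Cisco's code) performs the same reachability test programmatically with a TCP connect, which needs no raw-socket privilege: it tries the Telnet port on the managed device interface and the default port 2567 on each Cisco Secure Policy Manager host, then reports whether the device needs bootstrapping and which hosts still lack a route. Host addresses are parameters; the port arguments exist so the check can be pointed at a local listener for testing.

```python
"""TCP reachability checks for a managed device and Cisco Secure Policy Manager hosts.

Added example, not Cisco's code. A TCP connect replaces the manual ping/Telnet test.
"""
import socket
from typing import Dict, List

TELNET_PORT = 23
POLICY_DB_PORT = 2567  # default port between Cisco Secure Policy Manager hosts


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name resolution failed
        return False


def connectivity_report(device_interface: str, cspm_hosts: List[str],
                        timeout: float = 3.0, telnet_port: int = TELNET_PORT,
                        db_port: int = POLICY_DB_PORT) -> Dict[str, Dict[str, bool]]:
    """Test the device interface [M] on the Telnet port and every CSPM host on port 2567."""
    return {
        "telnet": {device_interface: tcp_reachable(device_interface, telnet_port, timeout)},
        "policy_db": {h: tcp_reachable(h, db_port, timeout) for h in cspm_hosts},
    }


def needs_bootstrap(report: Dict[str, Dict[str, bool]]) -> bool:
    """Per the guide: if the Policy Proxy host cannot reach the device, bootstrap it."""
    return not all(report["telnet"].values())


def hosts_missing_route(report: Dict[str, Dict[str, bool]]) -> List[str]:
    """CSPM hosts that could not be reached on port 2567 and need a route."""
    return sorted(h for h, ok in report["policy_db"].items() if not ok)


if __name__ == "__main__":
    # Constructed sample targets (documentation addresses), not a real network.
    rep = connectivity_report("192.0.2.1", ["192.0.2.10", "192.0.2.11"], timeout=2.0)
    print("bootstrap needed:", needs_bootstrap(rep))
    print("hosts without route:", hosts_missing_route(rep))
```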


How do I change the login behavior for a managed device?

Cisco Secure Policy Manager currently supports basic password authentication. If you Telnet to the managed device and do not receive a password prompt, you should add a password for better security. However, if you receive a username and password prompt, you will need to change the login behavior so that the managed device only prompts you for a password, and not a username. Procedures for each of these tasks follow.

To add a password and/or change login behavior, perform the following task:


Step 1 To enter terminal configuration mode, type configure terminal and press Enter.

Result: You are in Cisco IOS terminal configuration mode.

Step 2 To go to Line VTY, type line vty 0 4, and press Enter.

Step 3 If Line VTY is set to login local, change it by typing login and press Enter. Otherwise, skip to Step 8.

Result: You will no longer be prompted for a username at login.

Step 4 If you do not have AAA (RADIUS or TACACS+) turned on for Telnet sessions, skip to Step 8.

Step 5 To turn off AAA for Telnet sessions, create a custom list for Line VTY by typing aaa authentication login vty line, and then press Enter.

Step 6 To go to Line VTY, type line vty 0 4, and then press Enter.

Step 7 To assign the custom list, type login authentication vty, and then press Enter.

Step 8 To add a password, type password [A], and then press Enter.

Step 9 To exit from the configuration mode, type end.
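Whether the VTY lines will ask for a username depends on three things visible in the running configuration: `login local` on the VTY lines, `aaa new-model` with an authentication list whose methods are not `line`, and whether a line password is set at all. The following added example (not Cisco's code) parses a `show running-config` text for those settings, classifies the prompt a Telnet session will receive as username, password or none, and derives the commands of Steps 2 through 9 needed to reach the password-only login that Cisco Secure Policy Manager supports. The sample configurations are constructed, and `[A]` stands for the worksheet password as in the guide.

```python
"""Audit VTY login behaviour in an IOS running-config and derive the fix of Steps 2-9.

Added example, not Cisco's code. Sample configurations below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VtyState:
    aaa_new_model: bool = False
    aaa_lists: Dict[str, List[str]] = field(default_factory=dict)  # list name -> methods
    login: Optional[str] = None                 # None, "none", "password" (login), "local"
    login_authentication: Optional[str] = None  # named AAA list applied to the VTY lines
    has_password: bool = False


def parse_vty(config: str) -> VtyState:
    """Collect the login-related settings from the 'line vty' sections and AAA lines."""
    st = VtyState()
    st.aaa_new_model = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    for m in re.finditer(r"^aaa authentication login (\S+) (.+?)\s*$", config, re.M):
        st.aaa_lists[m.group(1)] = m.group(2).split()
    in_vty = False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            in_vty = True
            continue
        if not raw.startswith(" "):  # any other top-level line ends the vty section
            in_vty = False
            continue
        if not in_vty:
            continue
        cmd = raw.strip()
        if cmd == "login":
            st.login = "password"
        elif cmd == "login local":
            st.login = "local"
        elif cmd == "no login":
            st.login = "none"
        elif cmd.startswith("login authentication "):
            st.login_authentication = cmd.split()[2]
        elif cmd.startswith("password "):
            st.has_password = True
    return st


def prompt_kind(st: VtyState) -> str:
    """What a Telnet session will ask for: 'username', 'password' or 'none'."""
    if st.aaa_new_model:
        methods = st.aaa_lists.get(st.login_authentication or "default")
        if methods is None:  # no default list defined: IOS falls back to local users
            return "username"
        if methods[0] == "line":
            return "password" if st.has_password else "none"
        if methods[0] == "none":
            return "none"
        return "username"  # local, group radius, group tacacs+ all ask for a username
    if st.login == "local":
        return "username"
    if st.login == "password" and st.has_password:
        return "password"
    return "none"  # no login, or login with no password set (IOS refuses the session)


def fix_commands(st: VtyState, password_ref: str = "[A]") -> List[str]:
    """IOS commands, in the order of Steps 2 to 9, that yield a password-only prompt."""
    cmds = ["configure terminal", "line vty 0 4"]                    # Steps 1-2
    if not st.aaa_new_model and st.login != "password":
        cmds.append("login")                                          # Step 3
    if st.aaa_new_model:                                              # Steps 4-7
        methods = st.aaa_lists.get(st.login_authentication or "default", [])
        if methods[:1] != ["line"]:
            cmds += ["aaa authentication login vty line", "line vty 0 4",
                     "login authentication vty"]
    cmds += [f"password {password_ref}", "end"]                       # Steps 8-9
    return cmds


# Constructed sample configurations (placeholder secrets, not real devices).
SAMPLE_LOGIN_LOCAL = """\
!
hostname edge-rtr
username admin password 7 0000
!
line con 0
 login
line vty 0 4
 login local
 password 7 0000
!
"""

SAMPLE_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ local
!
line vty 0 4
 password 7 0000
 login authentication default
!
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_LOGIN_LOCAL, SAMPLE_AAA):
        st = parse_vty(cfg)
        print(prompt_kind(st), fix_commands(st))
```

The parser only reads the `line vty` sections, so a password under `line con 0` does not count as a VTY password; `fix_commands` omits the `login` command when AAA is on, because with `aaa new-model` the VTY lines use `login authentication` instead.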


Troubleshooting Target Host Issues

The questions in this section represent issues that will help you troubleshoot the preparation of a target host and installation of Cisco Secure Policy Manager. This section provides answers to the following questions:

Why am I unable to access the download site for the requisite software?

The Autostart utility will launch your web browser to access the download site for the requisite software. If you are using Microsoft Internet Explorer version 2.0, you will have to perform a manual upgrade to Internet Explorer 3.0 or later before you can access the download site.

Why am I unable to install Cisco Secure Policy Manager on a particular drive?

You must review the Space Required and Space Available fields on the Installation Options panel to ensure that the drive specified in the directory path has enough free space for the installation that you selected. If it does not, you must select another hard drive on which to install, or you must exit the setup program and free up enough hard drive space.

Why am I unable to log on to Cisco Secure Policy Manager after installation?

There are two error messages you might see regarding logon failure that relate to the NT username/password used to log on to the target host. This section includes a brief description of these messages and the suggested workaround for each.

Wrong Administrative Account Information Entered

If you type the wrong username or password at login, you will see the following error message when you attempt to log on to the GUI.

The connection attempt to the Policy Database failed. The specified username and/or password was incorrect.

To create a temporary Administrative Account, use the Accounts panel of the Troubleshooting Tool Kit to perform the following task:


Step 1 To specify the username associated with the temporary account, type that username in the New Username box under New CSPM Account.

Step 2 To specify the password that corresponds to the username you just entered, type that password in the Password box.

Step 3 Confirm the password you just entered by retyping it in the Confirm Password box.

Step 4 To specify the location of the license.dsk file that was used to install Cisco Secure Policy Manager on this host, type that path in the License Path box, or click Browse to search directories and locate the file.

Step 5 Submit the password associated with this license.dsk file by typing it into the Password box.

Step 6 To submit the specifications and create a new temporary Administrative Account, click Create.

Result: Tool Kit attempts to create a temporary administrative account that can be used for a one-time logon to the Cisco Secure Policy Manager GUI client. The Status field displays the results of the create command.

Step 7 To close the Troubleshooting Tool Kit, click OK.


Warning Once you have logged on to the GUI client, you must create a new permanent full-access account and perform a Save and Update operation. The temporary account does not appear in the Administrative Accounts tree and will be deleted upon a Save and Update operation.


Wrong NT Password Entered During Installation

If you type the wrong NT password during installation, you will see the following error messages. The first message appears after you click Finish during the installation process. The second message appears when you attempt to log on to the GUI client.

Failed to start Cisco Controlled Host Component

The connection attempt to the policy database failed. This application was unable to establish a connection to the Policy Database using the specified server and port. Make sure the server is started, correct erroneous target machine or port information, and then retry Connect.

To correct the password, perform the following task:


Step 1 To open the Services applet, click Start, point to Settings and then Control Panel, and double-click Services.

Result: The Services panel appears.

Step 2 To access the Cisco Controlled Host Component, select Cisco Controlled Host Component in the Service list, and then click Startup.

Result: The Cisco Controlled Host Component Service panel appears.

Step 3 To submit the correct password, click This Account in the Log On As dialog box, and then type the correct user name and password.

Result: The system replaces the existing password with the new password you just specified.

Step 4 To accept your changes and close the panel, click OK.


How do I reinstall Cisco Secure Policy Manager?

As long as you have a valid, licensed source disc that contains a version of Cisco Secure Policy Manager identical to the one you are currently running, you can reinstall any part of your system. When you are reinstalling, all configuration data is preserved, unless you recover an older version of the local database during reinstallation.

Using Local Maintenance or Installation Manager to Reinstall Your System

You can use the local maintenance method or Installation Manager to reinstall your system. However, there are distinct differences between the methods that make one method more practical, depending on what feature set you are reinstalling and on which host. Installation Manager enables you to remotely reinstall any feature set, except the Policy Server. The local maintenance method enables you to locally reinstall any feature set. When using the local maintenance method to reinstall a secondary host, you have the option of keeping the existing data stored in the secondary database or synchronizing it with the data stored in the primary database on the Policy Server host. When using Installation Manager to reinstall a secondary host, the binary files are reinstalled, but the database is not.

To reinstall using the local maintenance method, perform the following task:


Step 1 To initiate the Autostart sequence, insert the CD-ROM disc containing the identical version of Cisco Secure Policy Manager into the drive.

Result: The Autostart panel appears, and the What Do I Need To Do? box explains the results of the system check.

Step 2 To continue with the reinstallation process, select Install Product in the Options box. To proceed to the next panel, click Next.

Result: The Policy Database panel appears.

Step 3 To specify that you want to use the Policy Database data currently used by this Cisco Secure Policy Manager host, click Keep old Database, click Next, and skip to Step 6. Otherwise, continue with Step 4.

Step 4 To specify that you want to use a backed up database stored in the primary database on the Policy Server host, click Recover Database from backup folder.


Note When you recover a database from the backup folder, you access a backup stored on the primary host. If you have not created a backup of your current database, no backups will be present for you to select.

Step 5 To specify the backup folder on the primary host that you want to use to recover/reinstall the database, type that folder name in the Backup Folder box. To proceed to the next panel, click Next.

Step 6 To verify the settings that you chose before copying files, use the scroll bar on the right side of the window. Review all settings carefully before clicking Copy Files.

Step 7 To complete the reinstallation, click Finish.

Result: The database on the local host is reinstalled from a backup.


Installation Manager enables you to remotely reinstall any feature set, except the Policy Server. When you use Installation Manager to reinstall a secondary host, the binary files are reinstalled, but the database is not.

To reinstall using Installation Manager, perform the following task:


Step 1 After starting Installation Manager, select Reinstall in the Options box of the Advanced Options panel. To proceed to the next panel, click Next.

Result: The Connect to Policy Database dialog box appears.

Step 2 To submit the proper administrative account information, type the username and password in the respective boxes in the Connect to Policy Database dialog box. If you are logged on to the Policy Server, select Local; otherwise, select Remote Server, and then type the IP address or DNS name in the box (you do not have to specify the port number unless it is different from the default 2567). Then, click Connect.

Result: Installation Manager connects to the Primary Policy Database (either locally or remotely, depending on what you specified) and retrieves data about all secondary servers with installed feature sets. Then, the Remote Hosts panel appears.

Step 3 To designate which feature set to reinstall, select the name of the secondary server on which it is installed in the Name box under Include these hosts. Then, click Next.

Result: A dialog box displays a message asking if you really want to reinstall the specified feature set. After you click Yes, the Open dialog box appears.

Step 4 To specify the setup.exe file that contains the version of Cisco Secure Policy Manager identical to the one currently installed on the host, select that file in the Open dialog box, and then click Open.

You must select the setup.exe file in the root directory on the Cisco Secure Policy Manager CD-ROM disc. If you downloaded the zip file, the setup.exe file is located in the directory where you extracted the zip file.

Result: The reinstallation process begins. The % column indicates the completion rate for the reinstallation process.


How do I uninstall Cisco Secure Policy Manager?

At any time, you can uninstall any secondary host or the entire Cisco Secure Policy Manager product. To uninstall a single secondary host, you only need to uninstall the product on that host. If you need to remove the entire product and you have a distributed system, you must uninstall the Policy Server last. Remember that you must use the local maintenance method for uninstalling the Policy Server, but you can use either method for the other distributed feature sets.


Note You can uninstall a secondary host at any time and later install that secondary host again without having to uninstall/reinstall the entire product.

To uninstall using the local maintenance method, perform the following task:


Step 1 Click Start on the taskbar, and then point to Programs, Cisco Systems, and Cisco Secure Policy Manager.

Result: The shortcut menu for the Cisco Secure Policy Manager program group appears.

Step 2 Click Remove Cisco Secure Policy Manager on the displayed program group.

Result: A dialog box prompts you to confirm the uninstallation before all files, directories, and Registry entries are removed from the local host.

You must reboot to complete the uninstallation.


You can use Installation Manager to uninstall the Policy Proxy, Policy Proxy-Monitor, Policy Monitor, or Policy Administrator feature sets of a distributed system.

To uninstall using Installation Manager, perform the following task:


Step 1 After starting Installation Manager, select Uninstall in the Options box of the Advanced Options panel. To proceed to the next panel, click Next.

Result: The Connect to Policy Database dialog box appears.

Step 2 To submit the proper administrative account information, type the username and password in the respective boxes in the Connect to Policy Database dialog box. If you are logged on to the Policy Server, select Local; otherwise, select Remote Server, and then type the IP address or DNS name in the box (you do not have to specify the port number unless it is different from the default 2567). Then, click Connect.

Result: Installation Manager connects to the primary database on the Policy Server host (either locally or remotely, depending on what you specified) and retrieves data about all secondary hosts with installed feature sets. Then, the Remote Hosts panel appears.

Step 3 To designate which feature set to uninstall, select the name of the secondary host on which it is installed in the Name box under Include these hosts. Then, click Next.

Result: A dialog box displays a message asking if you really want to uninstall the specified feature set. After clicking Yes, the uninstallation process begins. The % column indicates the completion rate for the uninstallation process.

The secondary host will automatically reboot to complete the uninstallation.



Posted: Tue Jun 20 13:57:30 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.