8-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Understanding Deployment

Deployment Jobs and Multiple Users

Only one user can define or change parameters or devices within an individual deployment job at one
time. However, multiple users can work on the same deployment job in sequence: if a deployment job is
closed, another user can open it and make changes to it. Multiple users can work in parallel on different
deployment jobs.

Including Devices in Deployment Jobs or Schedules

When you create a deployment job or schedule, you select the devices to include in it. The inclusion of
a device influences how the device can be used in other jobs or schedules. When you select a device for
a specific job, it cannot be selected for any other job until the original job is deployed, rejected (in
Workflow mode), discarded, or aborted. This mechanism prevents two or more people from deploying
changes to the same device at the same time and ensures that policies are deployed to devices in the
correct order.

However, a device can be part of a deployment schedule and still be selected for specific deployment
jobs. While a deployment job is running, the device is locked. The device cannot be included in other
jobs while the deployment job is running.

When you create a deployment job, Security Manager displays the devices on which policy changes were
made but were not yet deployed. You can deploy to these devices, and you can select additional devices
for the job. Although you can add as many devices to a deployment job as you desire (there is no
limitation), as a practical matter, you should limit the number of devices per job. The deployment job
might fail if you select a large number of devices or several devices that have large configuration files.
If you encounter deployment failures, resubmit the job with fewer devices selected.

For VPNs, Security Manager must generate commands for devices that are affected by the policies
defined for the devices you select for the job. So, if you select a device that is part of a VPN, Security
Manager adds the other relevant devices to the job. For example, if you define a tunnel policy on a spoke,
and you select the spoke for the job, Security Manager adds the spoke’s assigned hub to the job. During
job generation, Security Manager generates commands for both peers so that the VPN configuration is
complete and the tunnel can be established. If you deselect one of the devices associated with the VPN,
Security Manager warns that removing the device might result in the VPN not functioning properly.

Understanding Deployment Methods

Security Manager lets you deploy configurations to devices using three main methods: deploying
directly to the device, deploying to a configuration file (which you must then manually apply to the
device), and deploying to an intermediate server (which is treated like deploying directly to the device).
The system default deployment method is to deploy directly to the device.

When you add devices to Security Manager, you select the deployment method to be used by that device.
This determines the method used for deploying to the device (instead of a file). When you create a
deployment job, an additional deployment method default applies to the job as a whole, which
determines whether deployment creates configuration files or whether it sends the configuration to the
device using the method selected for the device. You control this default in the administration settings
(select Tools > Security Manager Administration, then select Deployment; see Deployment Page,
page 11-9). When you create a deployment job, you can also change whether the deployment is to a file
or to the device for each device by clicking Edit Deploy Method in the Create Job window. If you are
using non-Workflow mode, see Deploying Configurations in Non-Workflow Mode, page 8-29. If you are
using Workflow mode, see Creating and Editing Deployment Jobs, page 8-36.