8-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Understanding Deployment
Related Topics
Managing Device Communication Settings and Certificates, page 9-4
Handling Device OS Version Mismatches, page 8-13
Deploying to a Device through an Intermediate Server
Deploying configurations through an intermediate server, such as an Auto Update Server (AUS), Cisco
Networking Services (CNS) Configuration Engine, or Token Management Server (TMS), is a version of
deploying directly to a device. When selecting the deployment method, select Device. Security Manager
sends the configuration updates to the intermediate server, where the device retrieves them (for AUS and
CNS), or where you can download them to an eToken (for TMS).
You must use an intermediate server if you are using dynamic IP addresses for your device interfaces
(that is, the IP addresses are provided by a DHCP server). You can also use intermediate servers with
static IP addresses. However, you cannot use Configuration Engine to manage IOS devices with dynamic
IP addresses if you configure features that use interactive CLI commands. The following features are affected:
• Certificate Enrollment:
  – crypto pki trustpoint
  – crypto isakmp client configuration group
  – crypto key generate rsa
• IPS signature configuration (ip ips signature-category)
• IP Authproxy Banner (ip auth-proxy-banner)
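The restriction above can be run as a pre-deployment check over a candidate configuration. This is an added example, not Cisco code: the function names, the "ios"/"dynamic"/"cns" labels and the sample configuration are assumptions made here, and the command prefixes are copied as this page prints them.

```python
import re

# Interactive-CLI features the page lists as affected, with command
# prefixes copied verbatim from the page.
AFFECTED = {
    "Certificate Enrollment": (
        "crypto pki trustpoint",
        "crypto isakmp client configuration group",
        "crypto key generate rsa",
    ),
    "IPS signature configuration": ("ip ips signature-category",),
    "IP Authproxy Banner": ("ip auth-proxy-banner",),
}

def interactive_commands(config_text):
    """Return (line_no, feature, command) for each affected command found."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        # Normalise case and whitespace so indented or oddly spaced lines match.
        line = re.sub(r"\s+", " ", raw.strip()).lower()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment/separator
        for feature, prefixes in AFFECTED.items():
            for p in prefixes:
                if line == p or line.startswith(p + " "):
                    hits.append((no, feature, p))
    return hits

def blocked_by_config_engine(device_os, addressing, server, config_text):
    """Apply the page's rule: IOS device + dynamic IP + Configuration Engine."""
    if (device_os, addressing, server) != ("ios", "dynamic", "cns"):
        return []  # rule does not apply (labels are assumptions of this example)
    return interactive_commands(config_text)

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
hostname branch-rtr-01
!
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca.example.invalid
!
crypto isakmp client configuration group EXAMPLE-GROUP
ip ips signature-category
interface FastEthernet0/0
 ip address dhcp
"""

if __name__ == "__main__":
    for no, feature, cmd in blocked_by_config_engine("ios", "dynamic", "cns", SAMPLE):
        print(f"line {no}: {feature}: {cmd}")
```

An empty result means none of the listed commands were found or the rule does not apply to that device; negated (`no ...`) forms are not flagged.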
Table 8-4 Default Deployment Transport Protocols

| Device Type | Transport Protocol | Description |
|---|---|---|
| ASA, IOS 12.3 and higher routers, FWSM, PIX Firewall, IPS sensors | SSL (HTTPS) (Default) | Security Manager deploys the configuration to the device using the Secure Socket Layer (SSL) protocol, otherwise known as HTTPS. With this protocol, Security Manager encrypts the configuration file and sends it to the device. Note: DES encryption is not supported on Common Services 3.0 and later. Ensure that all PIX Firewalls and Adaptive Security Appliances that you intend to manage with Cisco Security Manager have a 3DES/AES license. |
| Catalyst 6500/7600 and other Catalyst switches | SSH | Security Manager deploys the configuration to the device using Secure Shell (SSH). This provides strong authentication and secure communications over insecure channels. Security Manager supports both SSHv1.5 and SSHv2. Once connected to the device, Security Manager determines which version to use and downloads using that version. |
| IOS 12.2 and 12.1 routers | Telnet | Security Manager deploys the configuration to the device using the Telnet protocol. |