8-11
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Understanding Deployment
Catalyst device interface switchport (interface switchport)
Security Manager uses an intermediate server if you have configured the device to use one. The
following topics describe the required configuration steps when using an intermediate server:
• Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-42
• Deploying Configurations to a Token Management Server, page 8-43
Deployment can be affected if you made out-of-band changes to the device since the last deployment.
For more information, see Understanding How Out-of-Band Changes are Handled, page 8-12.
During deployment, Security Manager sends configuration changes based on the type of server:
• Auto Update Server (standalone or running on Configuration Engine) for PIX and ASA
devices—Security Manager sends the full configuration to Auto Update Server, where the device
retrieves it. The delta configuration is not sent.
• Configuration Engine for IOS devices—Security Manager sends the delta configuration to
Configuration Engine, where the device retrieves it.
• TMS—Security Manager sends the delta configuration to the TMS server, from which it can be
downloaded to an eToken to be loaded onto the device.
Related Topics
Managing Device Communication Settings and Certificates, page 9-4
Device Communication Page, page 11-16
Deploying to a File
If you choose to deploy configurations to configuration files, Security Manager creates two files:
device_name_delta.cfg for the delta configuration, and device_name_full.cfg for the full configuration.
If the files are created by a job that was generated from a deployment schedule, the name includes a time
stamp. Configuration files are in TFTP format so that you can upload them to your devices using TFTP.
Tip: You cannot deploy configurations to file for IPS devices.
If you deploy to file, you are responsible for transferring the configurations to your devices. Security
Manager assumes that you have done this, so the next time you deploy to the same devices, the generated
incremental commands are based on the configurations from the previous deployment. If for some reason
the last change was not applied to the device, the new delta configuration will not bring the device
configuration up to the one reflected in Security Manager.
Caution: Although Security Manager in one sense assumes that you applied the delta configuration, in another
sense, it assumes that it cannot know if the delta was deployed. Thus, Security Manager maintains an
internal view of the configuration based on the last deployment made directly to the device. So, when
you apply the delta, those delta changes will be considered out-of-band changes. On next deployment to
the device, your out-of-band change setting might cancel the deployment. If you mix deployments to file
with deployments to device, you should rediscover policies after applying file deployments to the device.
For more information, see Understanding How Out-of-Band Changes are Handled, page 8-12.
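Because Security Manager assumes a file deployment was applied, it is worth confirming that the device actually matches the generated full configuration before the next deployment. The following is an added example, not part of the Cisco guide or of Security Manager: it assumes the full configuration file is plain-text CLI commands and that the device's running configuration has been exported to text; the function names and both sample configurations are constructed for illustration.

```python
# Added example: drift check between a deploy-to-file full config and the
# configuration exported from the device. Sample data below is constructed.

def config_lines(text):
    """Return a set of (parent, command) pairs from CLI configuration text.

    Indented commands are paired with the most recent unindented line so that
    the same subcommand under two interfaces is not conflated.
    Assumption: '!' lines and blank lines carry no configuration.
    """
    pairs, parent = set(), ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace():
            pairs.add((parent, line.strip()))
        else:
            parent = line.strip()
            pairs.add(("", parent))
    return pairs

def drift(expected_full, device_running):
    """Compare the expected full config with what the device is running."""
    want, have = config_lines(expected_full), config_lines(device_running)
    return {"missing_on_device": sorted(want - have),
            "unexpected_on_device": sorted(have - want)}

# Constructed sample: stands in for device_name_full.cfg
FULL_CFG = """\
hostname edge-fw
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
access-list 101 permit tcp any host 192.0.2.10 eq 443
"""
# Constructed sample: device export where the last delta was never applied
RUNNING = """\
hostname edge-fw
interface GigabitEthernet0/1
 description uplink
 switchport mode access
access-list 101 permit tcp any host 192.0.2.10 eq 443
"""

if __name__ == "__main__":
    for kind, items in drift(FULL_CFG, RUNNING).items():
        for parent, cmd in items:
            print(f"{kind}: {parent + ' / ' if parent else ''}{cmd}")
```

The comparison ignores command order, so it will not flag reordered access-list entries; an empty result in both lists means the exported configuration contains exactly the commands in the full configuration file.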