Chapter 17 Configuring System Operations

Understanding Distributed Deployment

You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server and all the other servers are secondary servers.

In general, you make configuration changes on the primary server only, and the changes are propagated to all secondary servers, which can then view the configuration data as read-only data. A small number of configuration changes can be performed on a secondary server, including configuration of the server certificate, and these changes remain local to the server.

There is no communication between the secondary servers. Communication happens only between the primary server and the secondary servers. The secondary servers do not know the status of the other secondaries in their deployment.

ACS allows you to deploy an ACS instance behind a firewall. Table 17-1 lists the ports that must be open on the firewall for you to access ACS through the various management interfaces.

Note You cannot use Network Address Translation (NAT) between the nodes in a distributed deployment.

Table 17-1    Ports to Open in Firewalls

Service                            Port
---------------------------------  -------------------------------------------------------------
ACS Web Interface/Web Service      443
Database replication               TCP 2638
RADIUS server                      1812 and 1645 (RADIUS authentication and authorization)
                                   1813 and 1646 (RADIUS accounting)
                                   If your RADIUS server uses port 1812, ensure that your PIX
                                   firewall software is version 6.0 or later. Then, run the
                                   following command to use port 1812:
                                   aaa-server radius-authport 1812
Replication over the Message Bus   TCP 61616
RMI                                TCP 2020 (for RMI registry service)
                                   TCP 2030 (for incoming calls)
SNMP (for request)                 UDP 161
SNMP (for notifications)           UDP 162
SSH                                22
TACACS+ server                     TCP 49
View Collector                     UDP 20514
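Because a secondary cannot reach the primary through NAT and every port in Table 17-1 must be passed by the firewall, a quick way to confirm the rule set is to probe the TCP listeners from the secondary's side. The script below is an added example, not code from the Cisco ACS user guide; it assumes it runs on a secondary node or an admin host and is given the primary's address, and it only reports UDP services rather than probing them (a UDP connect proves nothing).

```python
"""Check that the firewall passes the TCP ports ACS needs (Table 17-1).
Added example, not part of the Cisco ACS user guide."""
import socket

# Services and ports from Table 17-1. The table states no protocol for RADIUS
# and SSH; RADIUS is UDP (RFC 2865/2866) and SSH is TCP, supplied here.
ACS_PORTS = [
    ("ACS Web Interface/Web Service", "tcp", 443),
    ("Database replication", "tcp", 2638),
    ("RADIUS authentication/authorization", "udp", 1812),
    ("RADIUS authentication/authorization (legacy)", "udp", 1645),
    ("RADIUS accounting", "udp", 1813),
    ("RADIUS accounting (legacy)", "udp", 1646),
    ("Replication over the Message Bus", "tcp", 61616),
    ("RMI registry service", "tcp", 2020),
    ("RMI incoming calls", "tcp", 2030),
    ("SNMP (for request)", "udp", 161),
    ("SNMP (for notifications)", "udp", 162),
    ("SSH", "tcp", 22),
    ("TACACS+ server", "tcp", 49),
    ("View Collector", "udp", 20514),
]

def probe_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

def check_acs_ports(host, ports=ACS_PORTS, timeout=2.0):
    """Map each service to 'open', 'blocked' or 'udp-not-probed'."""
    return {
        service: ("udp-not-probed" if proto != "tcp"
                  else "open" if probe_tcp(host, port, timeout) else "blocked")
        for service, proto, port in ports
    }

def blocked_services(results):
    """Sorted names of services whose TCP port did not accept a connection."""
    return sorted(s for s, state in results.items() if state == "blocked")

def loopback_listener():
    """TCP listener on 127.0.0.1 (ephemeral port) for a local self-test."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv
```

Run `check_acs_ports("<primary-address>")` from the secondary and any service listed by `blocked_services()` needs a firewall rule before that node can join the deployment.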

The Distributed System Management page can be used to monitor the status of the servers in a deployment and perform operations on the servers.

 

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01
