Cisco Security Manager 4.6 Installation Guide
Deployment Planning Guide for Cisco Security Manager 4.6
OL-31289-01
Factors which Affect Application Performance
Multiple Servers Installation
In some large environments with hundreds or thousands of devices, a single server cannot manage all
devices efficiently. For performance reasons, you may choose to deploy the Security Manager
applications of interest across multiple servers. One possible distribution of the applications is as
follows:
Server A: Firewall Policy & Device Management
• Common Services
• Security Manager
• Event/Log Monitoring
• Report Manager
• Auto Update Server (optional)
• Image Manager
Server B: IPS Policy & Device Management
• Common Services
• Security Manager
• Event/Log Monitoring
• Report Manager
• Health and Performance Monitor
Server C: VPN Policy & Device Management
• Common Services
• Security Manager
• Event/Log Monitoring
• Report Manager
• Health and Performance Monitor
Server A is dedicated to Configuration and Event Management for all ASA/PIX/FWSM firewall
devices. Server B is dedicated to Configuration and Event Management for all IPS devices, while
Server C is dedicated to VPN policy management for ASA/IOS/ISR VPN devices; Server C will also
manage firewall devices because those are the ones that will be part of the VPN topology. With this
deployment method, the need to share policy data between servers is minimized, since each server
mostly uses the same policy data within itself. However, this deployment is not suitable for networks
where Security Manager servers might be deployed a great distance away from managed devices, which
can affect monitoring, configuration discovery, and deployment.
Another method is to divide the devices by region so that each Security Manager server manages only
a smaller number of devices for its region (US-West, US-Central, US-East, Europe, or Asia, as examples).
This provides optimal performance for the management console, event monitoring, and configuration
deployment of managed devices from their local Security Manager server.
In a Multiple Servers deployment, shared policies and objects can be exported and imported between
different servers using the Policy Import/Export feature. Devices can also be migrated (moved) to a
different server using Policy Import/Export. This helps to scale management while still keeping policies
and objects synchronized across a large number of devices on different servers.