Re: Guidance? -> LMS v3.1 & CSM v3.2

robv · ‎07-29-2008

hi,

Cross-posting here (it's in the security forum too) to get the LMS perspective. Plus this forum seems to be more heavily trafficked. ;-)

Any folks with both LMS & CSM... what's your experience been like with integration?

Do you prefer to have CSM slave its DCR to LMS? Use LMS's RME vs a separate one, or split it out into separate un-integrated DCRs?

e.g. one-DCR-to-rule-them-all, or just R/S in LMS, PIX/ASA/FWSM/IDSM/MARS in CSM. or not. or something else. or or or ...

Pros? Cons? What is gained/what is lost?

Consider the workload of maintaining two distinct inventories (not to mention two revs of the LMS backend (CS, RME) since CSM isn't up to par with the v3.1 LMS guts), the loss of integrated event repositories, duplication of RSAC, confused user experience with two GUIs, etc.

I'm trying to make a decision as to which way to go. If you've been-there-done-that, could you share your experience.

Thanks,

Rob.

Joe Clarke · ‎07-29-2008

You can slave CSM to LMS, but not the other way around. The server with the highest version of Common Services MUST ALWAYS be the master. We do have a few customers doing this with CSM and CUOM, and it works well for them. If you're going to be managing the same sets of devices in both servers, it pays to keep one device and credentials list.

If it were me, I wouldn't put RME on the CSM server. Just use RME 4.2 from LMS 3.1. Integrate the two servers with DCR and Single Sign On, and register the CSM apps within LMS 3.1. Tell your users to use the LMS 3.1 server as their jumping-off point.

robv · ‎07-29-2008

well, there's one vote in favor for what I had planned to do anyway.

thanks, Joe.

anybody else want to chime in?

best two-out-of-three wins.

cheers,

R.

Mike Bailey · ‎08-12-2008

Was redirected to this post from:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=EmailAFriend&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc18c50%2F1#selected_message

Today I have:

> Ensured CSM and LMS identity accounts and peer accounts setup correctly

> Imported Peer Certs from CMS to LMS and vise-versa

> Setup LMS as DCR and Single Sign-On Master

> Setup CSM as DCR/SSO Slave to LMS

> Registered CSM applications into homepage config of LMS

> Configured CSM Client to use LMS as its RME server

This all seems to work fine, but I still don't have a populated device list in CSM client.

User logs into CSM client and no devices are listed, they only have the option to Add devices from a file etc.

How do I get this nice and slick so that the CSM client automatically shows all the devices from my LMS DCR?

Thanks

Michael

robv · ‎08-12-2008

Could you use the DCR Device Wizard?

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/ivman.html#wp1449656

Mike Bailey · ‎08-12-2008

The DCR Device Wizard says:

You can access the Device Information page from the Add Device from DCR wizard. Click the Add button in the Device selector, select Add Device from DCR, then click Next.

I don't get an "Add Device from DCR" option (see attachment).

THe only option I seem to have related to DCR is the "Add Device From File", which requires doing an export from DCR to a CSV file - not very secure for a security product as the DCR export contains all the device credentials!

Thanks

Michael

Have I missed a step or doing something wrong not to get this option?

Mike Bailey · ‎08-13-2008

Any ideas anyone?

Joe Clarke · ‎08-14-2008

I don't support CSM, so I'm not sure what triggers the ability to import from DCR. You might try this on the security Network Management forum.