Re: CSA MC (Server)

jameswestley · ‎03-02-2005

We currently have a CSA MC on site, We have another site in the US that will be running another CSA MC, Is it possible to replicate or save the running policies on our current MC and to install then onto the CSA MC in the US ? Or is the only way to create a policy from scratch.

Also is it possible to cluster these servers so replication occurs ?

tsteger1 · ‎03-02-2005

#1 Yes. Export the rules, policies and groups and import them to the new MC. Go to Maintenance>Export and create an export set.

#2 Not that I'm aware of.

Question: Why two servers instead of one (unless the reasons are political)?

Our hosts can talk to the MC from anywhere as long as they are connected to the Internet and in my opinion it's far easier to manage.

jameswestley · ‎03-03-2005

Well the exsisting server is in the UK and we have another site in the US, If the our connection goes does between us and the US what will happen to the US users running the client.

Also applying a second server in the US We feel will cut down replication between users in the US and out UK server thus freeing up the bandwidth between the connection of UK and US

tsteger1 · ‎03-03-2005

The US clients will continue with the same rule set they had when the connection went down. The hosts will store any messages until they contact the MC again and then send them. The MC is mainly for reporting and rule changes.

We have the MC in our DMZ so internal and external hosts can talk to it no matter where they are.

From what I've seen, the bandwidth usage is minimal. We have about 1700 hosts now and one MC and hosts talked to it just fine with dial up connections (when we used to have those).

Hope this helps...

fkhan6_wb · ‎02-07-2007

Tom,

Do external hosts who VPN to your network talk straight to the MC in DMZ or they tunnel through the firewall to the intranet then access the MC?

Another question, can we have multiple polling MCs? One internal and in the DMZ?

Thanks

tsteger1 · ‎02-07-2007

Internal and external hosts talk straight to the MC in the DMZ. We have our VPN configured for only internal servers.

You can have only one MC for polling as the agent can only have one MC to report to.

Tom

owensgl · ‎02-07-2007

you can export all your policies and groups to any CSA MC

Greg Owens

owensgl · ‎02-07-2007

Step 1 From the menu bar Maintenance drop-down list, move the mouse over Export/Import. A cascading menu with further selections appears. Select Export from the drop-down list that appears. Any previously exported files are shown.

Step 2 Click the New button to create a new exported file. This takes you to a checkbox list of all configuration items.

Step 3 Check the box beside the configurations you want to export.

Step 4 At the top of the page, enter a File Name for the exported file you are creating. CSA MC will append an ".export" extension to the file name you enter.

Step 5 Click the Export button. The files are exported under the file name you create. Now you must save the file to the system.

Step 6 Once the export has completed, a link is displayed that allows you to save the exported file. The link reads "Click here to download this file." Click on the "here" link to save the file to a directory you specify

Once you save the file, you can import it to any server

Greg Owens

TradeSecrets · ‎02-07-2007

Hi James,

I have already asked this question to cisco architects.

You can't have two MC's making policy changes.

You export polices and import them into the other system.

If you made this part of the process, the files are fairly small XML 1.0 files. starting at around 189kb. Depending on how many policies you have.

TradeSecrets · ‎03-08-2007

Hi James,

The best thing to do it export all of your polices and import them on the other DMZ.

It's a pain, but the only way I have found. It is still much easier than re-creating all the rules and groups.