Security Management Appliance - Multiple SSL Cert support.

Does anyone know if the SMA supports multiple SSL certs?  We would like to create a cert for our users that access the Spam Quarantine that uses a different FQDN from what we have now for admin access.
I noticed in the instructions for importing certs into the SMA that it does ask if you want to use that cert for everything, but I haven't found anything that elaborates on what options you have if you say NO.  I'm guessing from that question that it allows for a different cert for a different function, but I'd like confirmation and maybe direction on how to implement.
Thanks in advance.

You can install a different cert for different processes:
http://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/118460-technote-sma-00.html
Certificates can be used for four different services:
Inbound TLS
Outbound TLS
HTTPS
LDAPS
When you say No, you'll just need to be prepared to enter in the separate certs as needed for each process.  And, SMA is still CLI only for cert management.
-Robert
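To see why answering "No" matters for the quarantine case in the question, here is an added example (not from the thread and not Cisco code) that checks which certificate covers each service FQDN, using the usual wildcard and subjectAltName rules. The service names, hostnames and certificate contents are constructed; it also shows that one cert listing both names in its SANs would satisfy both HTTPS services.

```python
"""Per-service certificate coverage check for an SMA-style deployment.
Added example; the hostnames and cert contents below are constructed."""
from dataclasses import dataclass, field

@dataclass
class Cert:
    label: str
    subject_cn: str
    sans: list = field(default_factory=list)  # DNS names from subjectAltName

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' is only accepted as the
    whole leftmost label and never spans a dot, so *.example.com covers
    neither example.com nor a.b.example.com, and *.com covers nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers(cert: Cert, hostname: str) -> bool:
    """SANs take precedence; the subject CN only counts when no SAN exists."""
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(name_matches(n, hostname) for n in names)

def check_services(services: dict, certs: list) -> dict:
    """Map each service to the label of the first cert covering its FQDN,
    or None when no installed cert matches the name clients will use."""
    return {svc: next((c.label for c in certs if cert_covers(c, host)), None)
            for svc, host in services.items()}

# Constructed layout: admin GUI and spam quarantine on different FQDNs
SERVICES = {
    "HTTPS (admin)": "sma.example.com",
    "HTTPS (spam quarantine)": "quarantine.example.com",
    "Inbound TLS": "sma.example.com",
}
# Answering "No" to "use for everything": one cert per name, as the reply says
CERTS = [
    Cert("admin-cert", "sma.example.com", ["sma.example.com"]),
    Cert("quarantine-cert", "quarantine.example.com",
         ["quarantine.example.com"]),
]

if __name__ == "__main__":
    for svc, label in check_services(SERVICES, CERTS).items():
        print(f"{svc:26s} -> {label or 'NO MATCHING CERT'}")
```

Running it with only the admin cert installed (the "use for everything" answer) reports NO MATCHING CERT for the quarantine FQDN, which is exactly the browser warning the original poster wants to avoid.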

Similar Messages

  • Updating Security Management Appliance

    Hello Support Community!
    I would like to upgrade a Cisco Security Management Appliance (SMA) M160, former Ironport M-Series.
    Current Version: 7.9.1-039
    My Goal: 8.0.0-402
    The 8.0.0-402 was released on March 28, 2013. The problem is, when I search for available upgrades,
    I get: "Error - No available upgrades"
    There is no error with my firewall, because I can successfully check for new feature keys.
    Any idea what went wrong?
    greets
    Christian


  • IronPort WSA management through Security Management Appliance

    Hi,
    I have two identically configured (policies) IronPort WSA S670 appliances running 7.5.0-833 and both added in SMA M670 management appliance running 7.9.1-102. Appliance A has McAfee license expired. Newly installed appliance B has Mcafee running for 28 more days. "Sophos" is enabled on both and working good. Config Master 7.5 was built based on the config from appliance A.
    Now, when I want to push the Config Master to both of the associated WSAs, it fails on appliance B as "McAfee" is disabled in the Config Master but enabled on it. The setting "Security Services Display" in the M670 was changed to enable "McAfee", but now appliance A fails, giving a mismatch error on publishing.
    How to work around this? Can the McAfee license/feature key on appliance B be expired / disabled now without waiting 28 days to let it expire?
    Thanks,
    Rick.

    Hello Rick,
    You can disable McAfee globally on the SMA by going to:
    GUI -> Web -> Utilities -> Security Services Display -> Edit Display Settings -> Under Configuration Master 7.5 ->
    Do your Web Appliances have McAfee Anti-Malware enabled? -> Uncheck the box and submit.
    Also, disable McAfee on the appliance that has 28 days of the license left. This way McAfee will be disabled on all your boxes.
    I hope this helps.
    Regards,
    -Puja

  • Multiple SSL Certs in one SSL Proxy/VIP

    Guys
    I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP.  I've created a lot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
    However, I'm not sure how to take two different SSL certs and bind them to the same SSL Proxy, in order for me to add them to the same VIP.  The customer wants to use only port 443.  I had thought about using a secondary port, something like 8443, and adding another class under the multi-match policy.
    Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
    Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL. And thus because I have another L4 policy I can assign a new SSL Proxy?
    Thanks

    Cathy
    Thanks for the reply, that's what I was thinking. We use wildcard certificates for several of the other domains; now we need to provide certificates for www.website.com and ww2.website.com due to cost.
    Is it possible to replace the L4 policy map with a straight L7, so that we are load balancing directly on URL as opposed to verifying L4 matches first?  Or would this not be advisable / possible?  I always thought it was the L4 policy that made the VIP proxy?
    Can SAN certs not be used in this example?
    Thanks

  • IronPort Security Management Appliance - Directory Search Results Size

    I'm creating an access policy for a web security appliance that is applied to an authorized group within an identity.  My question is in regards to the number of returned results when using the Directory search function to find and add the group.  Only the first 500 matching entries are shown and attempting to search for the group fails if it isn't part of that first 500.  How do I increase the number of results returned when searching for groups?

    Hello Alex,
    By default, Active Directory does not respond to LDAP based queries which return more than 1000 results. If you have more than 1000 groups configured in Active Directory, it is necessary to increase the maximum page size (MaxPageSize) using the Ntdsutil.exe tool.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech
    MaxPageSize - This value controls the maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client must specify the paged search control. This is to group the returned results in groups that are no larger than the MaxPageSize value. To summarize, MaxPageSize controls the number of objects that are returned in a single search result.
    Default value: 1,000
    You can also simply input the group name and then click "Add" to manually add it as a workaround.
    Hope it helps.

  • Cisco Security Manager Appliance bundle

    I have a customer subscribed to the Security ELA, so all security related licenses and subscriptions are free.  Is it possible to order this product as an appliance without the bundled licenses?

    Yes, if we do get a UCS, it will be sized to accommodate more than just CSM due to the other stuff we could load it with, although now that Cisco VMs run under Hyper-V....?  We are also getting FS (their VM is not big enough, shame) in hope that appliance/product will absorb CSM in a future release.
    Thanks,

  • Publish to a WSA from Management appliance Fails

    I am trying to publish a configuration from my new M170 to an S160 and I get this error:  "Failure: The Anti-malware settings must match to successfully publish."  I checked and the settings are good. Any ideas?

    Bob.
    In the MSA, which security settings are turned on (Is Sophos on? Is McAfee on? etc) has to match what is actually enabled on the WSA you're pushing to.
    Taken from page 8-10 of the user guide:
    To verify enabled features for a Web Security appliance:
    Step 1 On the Security Management appliance, choose Web > Utilities > Web Appliance Status.
    Step 2 Click the name of a Web Security appliance to which you will publish a Configuration Master.
    Step 3 Scroll to the Security Services table.
    Step 4 Verify that the Feature Keys for all enabled features are active and not expired.
    Step 5 Compare the settings in the Services columns:
    The Web Appliance Service column and the Is Service Displayed on Management Appliance? column should be consistent.
    Enabled = Yes
    Disabled and Not Configured = No or Disabled.
    N/A means Not Applicable. For example, the option may not be configurable using a Configuration Master, but is listed so that you can see the Feature Key status.
    Configuration mismatches will appear in red text.
    Step 6 If the enabled/disabled settings for a feature do not match, do one of the following:
    • Change the relevant setting for the Configuration Master. See Enabling Features to Publish, page 8-10.
    • Enable or disable the feature on the Web Security Appliance. Some changes may impact multiple features. See the information about the relevant feature in the Cisco IronPort AsyncOS for Web Security User Guide.
    I have put in an enhancement request for this to be manageable by the MSA, because I think it's pretty dumb that you can't push this config from the MSA.
    Hope that helps,
    Ken

  • Catalyst 3750x and 4510R and Cisco Security Manager

    Hi,
    I just downloaded and installed the trial (evaluation) version of Cisco Security Manager 4.3. In the supported devices list I saw Cisco Catalyst 3750 and 4510R, but when I try to add them I get for the 3750:
    Invalid device: Device is a switch and cannot be mapped to a Generic Router model.
    Please verify the selected device type, OS version and device configuration
    For 4510R:
    Invalid device: Version 03.03.00.SG (N/A) is not supported for the device type of Cisco Catalyst 4510R Switch Please verify the selected device type, OS version and device configuration
    We need to make a purchase decision but for it we need to import all of our devices and perform some tests.
    Thanks in advance for your replies!
    BR, Vasily.

    I figured this out on my own -- change Compatibility mode of the installer to be Windows 8 (which is same OS version as Windows 2012) and it installs just fine.

  • "<plug-in name> does not support the highest level of security for Safari plug-ins" appears for some plugins in Safari Security "Manage Website Settings"?

    Hi,
    Wondering why "<plug-in name> does not support the highest level of security for Safari plug-ins" appears for some plugins in Safari > Security > "Manage Website Settings"?
    I have been trying to get to the root cause of the problem but did not find much on this. I am trying to figure out what can get the warning to go away completely, rather than using the Allow/Always Allow options for the plug-in.
    Thanks,
    Shyam

    Hi Linc,
    Thank you for your response. Here is the screenshot of the warning that I am talking about.
    Here is what I do:
    1. Launch Safari and open its Preferences. I have Safari 7.1 installed on my machine.
    2. Click Security Tab and click Manage WebSite Settings
    3. A window opens showing me all the Plug-ins that I have (listed on the left hand side).
    4. One of them is the Adobe Reader plug-in. When I click Adobe Reader, the following details about the plug-in show up on the right
    I was referring to the highlighted section that warns me about this plug-in not using the highest level of security for Safari Plug-ins.
    Note: I do not see this for all my plug-ins (QuickTime, Adobe Flash Player don't give me this warning) which tells me that there is a way to make the warning go away.
    Thanks again,
    Shyam

  • Application Networking Manager - SSL Certs

    Hi,
    We have an ANM 4.1 installation and today I was asked why an ACE context with many certs installed for the SSL proxy service didn't show any of the certs or keys in ANM. I can see some chain group parameters and SSL proxy service config.
    I have double checked and there are lots of certs installed via CLI and have run a resync, but absolutely nothing in the SSL --> Cert pages or SSL --> Keys. Is it because all the config importing the certs was done via the ACE CLI rather than the ANM?
    What do I have to do to import these, as we plan to use ANM to manage the cert expiry dates?

    Adrian,
    In order to install the license you must have a license file on the ANM server and install it through the command line:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.1/installation/guide/IG_config.html#wpmkr1120937
    No other way to do it.
    License file can either be copied to the ANM file system, or you can create a new empty license file on it and copy paste the license file content.
    If you have no access to the ANM server through CLI, then a workaround might be:
         - install a new VMWARE machine where you have CLI access.
         - install ANM on it
         - copy the license (either you copy the file through any means, or you create a file and edit it by copy-pasting the license file content)
         - install the license with the command  /opt/CSCOanm/bin/anm-license install /path/ANMxxxxxxxxxxxxxxxxx.lic as described in the link above
         - save the VMware image
         - deploy the same VMware image to the ESX where it has to be installed and where you have no access to the CLI, nor can you copy a file.
    Hope this helps,
    Domenico.

  • Deleting multiple devices in Cisco Security Manager

    I imported 200 devices from configuration files in cisco security manager which I need to remove again due to updates in the predeployed configurations...
    Does anyone know how to remove devices without selecting every single one and clicking "delete" or restoring the database? :)
    Thanks!

    Maybe from the common services webpage you could select multiple devices at a time ?

  • Yesterday, since I downloaded the latest version 3.6.6, every time Firefox opens and when I click on something, I get multiple error windows that say "ERROR: Security Manager Vetoed Action". I can't hardly use it anymore because of all the window pop-ups

    Yesterday, since I downloaded the latest version 3.6.6, every time Firefox opens and when I click on something, I get multiple error windows that say "ERROR: Security Manager Vetoed Action". I can't hardly use it anymore because of all the window pop-ups. What can I do? Can I go back to an older version?
    == This happened ==
    Every time Firefox opened
    == I downloaded version 3.6.6 yesterday

    Hello, when this is happening after you've already updated Firefox with your admin account, try to delete the ''updates'' folder and ''active-update.xml & updates.xml'' within the %localappdata% folder of your restricted account, as described in http://kb.mozillazine.org/Software_Update#Software_Update_not_working_properly

  • Remote Desktop Services Single SSL Cert with multiple hosts

    I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployment, all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployment is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers, so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying to avoid buying an expensive wildcard cert to cover all of them.

    Hi,
    Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy the text between the ' marks.  Next paste this into the escape text box on the below page:
    http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
    Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
    Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
    Thanks.
    -TP

  • Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

    Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
    Obviously an expired/self signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
    The Untrusted Connection dialog is a usability nuisance, particularly for those of us who understand HTTPS.

    Check out:
    http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
    You will need to turn on Client Auth as described above. Hope it helps.

  • HP Protect Tools Security Manager - not supported on this system

    Hi, I am trying to install the HP Protect Tools Security Manager software, but the installation is blocked.
    The fingerprint driver is OK.
    Have you any suggestion? Can I use another software to control the password through the fingerprint reader?
    thanks
    Maurizio

    I reinstalled Windows Frameworks 4.0 and I resolved the problem.
