CSA on DMZ servers

Hi,

I am going to install the CSA agent on servers in the DMZ zone. In the DMZ there is no access to the Management Center: access is forbidden from the DMZ to internal, and only the MC (internal) can access the servers. I know that CSA can store some events on the machine; will the MC be able to retrieve them?

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: CSA on DMZ servers

Except for sending a polling hint, the MC doesn't initiate the connection to the Agents for updating policies and uploading events. The Agents are configured with a polling interval (default is 10 minutes), and the Agent initiates the connection back to the MC over port 5401, and if that's not available then tries 443.

For your Agents to function properly with the MC, your DMZ will have to allow your dmz server(s) to connect to your internal MC over port 5401 and/or 443 (I prefer 443).

Just add an ACL on your firewall so only those dmz servers can connect to only that MC server. Then you could create a Network Access Control rule so only the Cisco Security Agent can access the IP address of the MC on port 443.

That way even if the attacker got past all the other csa rules and used the dmz server as a staging point for further attack, they'd have to kill the agent first before they could get to the MC. And if that's not enough, you could create a Data Access Control rule for the Agent installed on the MC itself, that will send you an email if the root of the https:// is accessed.

5 REPLIES
Community Member

Re: CSA on DMZ servers

Thank for the great answer! Just what I needed.

Community Member

Re: CSA on DMZ servers

I am having troubles registering these clients in the MC server. The ACL are there and I can reach the MC server, but they are not registered in the MC...

What can I do?

Community Member

Re: CSA on DMZ servers

OK, found the problem: the DMZ systems were not able to query DNS and the MC was not resolved.

Community Member

Re: CSA on DMZ servers

So you don't have to open DNS between your DMZ and internal network, which can be a potential vector of attack, you can just add the MC's host name and IP address manually to the Windows HOSTS file (or if you have a dedicated DNS server for the DMZ, you could add a static record).
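The firewall ACL from the accepted answer (DMZ servers may reach only the MC, only on 5401/443) combined with the "no DNS from the DMZ" advice in this last reply, as an added example that is not part of the thread; it is an IOS-style extended ACL and all addresses are assumed placeholders (DMZ servers 192.0.2.10 and 192.0.2.11, MC at 10.0.0.5, internal network 10.0.0.0/8).

```cisco
! Added example (not from the thread). Placeholder addresses:
!   DMZ servers: 192.0.2.10, 192.0.2.11   MC: 10.0.0.5   internal: 10.0.0.0/8
ip access-list extended DMZ-TO-INTERNAL
 remark Agents poll the MC, so only DMZ server -> MC on 5401 and 443 is needed
 permit tcp host 192.0.2.10 host 10.0.0.5 eq 5401
 permit tcp host 192.0.2.10 host 10.0.0.5 eq 443
 permit tcp host 192.0.2.11 host 10.0.0.5 eq 5401
 permit tcp host 192.0.2.11 host 10.0.0.5 eq 443
 remark No udp/53 toward internal: the MC name is resolved via a HOSTS entry instead
 remark Anything else from the DMZ toward internal is dropped and logged, which also
 remark surfaces a DMZ host that is not one of the two servers trying to reach the MC
 deny ip any 10.0.0.0 0.255.255.255 log
 remark Traffic to non-internal destinations is left to the existing egress policy
 permit ip any any
!
interface GigabitEthernet0/1
 description DMZ segment
 ip access-group DMZ-TO-INTERNAL in
```

The trailing `permit ip any any` assumes the DMZ still needs to reach non-internal destinations; replace it with `deny ip any any log` if the segment should only ever talk to the MC.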
