2016-05-18 06:01 AM
Hi,
I have to deploy a 2nd SA Server for my customer; we have SA version 10.6.0.1. Is there any exact guide on how to deploy this server? I.e. how to create accounts, best practices, etc.
Official documentation (Multiple Security Analytics Server Deployment - RSA Security Analytics Documentation) doesn't contain the needed information.
Regards
Marcin
2016-05-18 06:31 AM
We've been back and forth on this with RSA since we went to 10.4, and keep getting inconsistent information on how to do this.
Would love to see a proper procedure for this.
2016-05-18 09:20 AM
Missing Information
You indicate that the documentation doesn't contain the necessary information on how to deploy a secondary Security Analytics Server.
Can you clarify what questions you have that are not answered? That would help us review the documentation, create a knowledgebase article in the short term and update the online documentation in the long term.
Also, keep in mind, that there is not necessarily only one way to accomplish the deployment of the secondary Security Analytics Server. There is some latitude on your part and discussing this scenario with the account team and Professional Services engineers who helped setup your environment may be helpful.
Basic Steps
The basic steps would be to build and deploy the second SA Server, assign an IP address, add any hosts to the Hosts tab using a name and host name, add services to the Services tab using a username and password, add any services to the Reporting Engine as report sources, set up any dashboard elements, and add any user accounts, including external authentication.
You might want to set default sources for Investigations, and perform some tests on reports and investigations.
Remember that you are NOT going to use the trust model to add any services on the secondary SA Server.
Feedback
If you have any specific questions about these steps, or steps that are not listed, please let me know. If necessary, I can create a support ticket to make sure your questions and answers are noted and made available to other engineers and customers. Also, remember to use the feedback option on the documentation at sadocs.emc.com and knowledgebase articles to note any questions, comments or suggestions to any posted article. Your feedback is highly valued and will result in changes to the documentation.
Hope this helps.
2016-05-18 09:44 AM
We have had multiple support tickets over this since we went to 10.4 and have had conflicting and Just Plain Wrong information from support on several occasions.
Unfortunately, if the second server doesn't participate in the trust model, then you have to create per-user accounts across all the appliances still, and you can't manage your ESAs from the second server.
Licensing gets terminally confused between the two boxes. How is this supposed to be managed?
Where's the process to make the second SA server a primary in the event of a system failure (I was promised this before we bought the system and it's never materialised).
How do you sync report engine content between the two instances for DR purposes? What about other configuration aspects?
You can't create a second SA server as such, all you can create is a limited function GUI server and broker.
Andy
2016-05-18 10:22 AM
It sounds like you may have two or more SA Servers and may be treating each as a primary for some appliances and as a secondary for other appliances. While this can be done, it is not commonly done, and may lead to some of the situations you mentioned.
Configuring Security Analytics Servers in this fashion can be done but note that as I mentioned in my initial reply, there is more than one way to set up a Security Analytics Server. And there are benefits and drawbacks to configuring and deploying a server in different ways.
In situations like this, it will require Support and Professional Services to coordinate closely to make sure everyone understands how the different servers are configured in the Security Analytics eco-system.
Please see Multiple Security Analytics Server Deployment - RSA Security Analytics Documentation for the best explanation of the differences between the two roles as of this release.
The Primary Security Analytics Server has all the functionality, including:
Secondary Security Analytics Servers can be in offline and online mode. You can connect to Security Analytics through a secondary Security Analytics Server even if it is not designated as the Primary Security Analytics Server. Secondary Security Analytics Servers improve performance (for example, Analysts can leverage designated Security Analytics Servers to improve Investigation and Reporting efficiency). A Secondary Security Analytics Server has the following limitations:
I hope this clarifies differences between the primary and secondary Security Analytics Server roles at this point in time.
2016-05-18 10:43 AM
So, we agree then, that it's not possible to have a fully functional secondary SA Server.
2016-05-19 02:36 AM
Hi,
Based on documentation I'm fully aware that not all functions may be moved to 2nd SA Server, and that's ok. If vendor says it's not possible then it's not, very simple 🙂
I started learning SA from 10.4, so I don't have experience and knowledge from previous versions. Currently we're deploying an SA project in the MSSP model (only the SIEM part), and my customer asked me if it's possible to deploy a secondary server for his customers. I managed to deploy a second SA and connect it to the broker service using an account added on the broker, but I'm not sure if it's enough. Should I create accounts on all hosts/services that I want to connect to the 2nd SA?
My customer is checking if they can give his customers the ability to perform investigations and reporting from an SA accessible only to his clients. Because of licensing we'll have one master SA which will manage all hosts/services in the virtual environment.
It would be great to have a guide with examples of what can be done and how, something similar to the Fortinet Cookbook (The Fortinet Cookbook): not only product documentation (it's quite good, BTW) but also real-life examples of how to use the product and its features.
Based on information from Jonathan :
Basic Steps
The basic steps would be to build and deploy the second SA Server, assign an IP address, add any hosts to the Hosts tab using a name and host name, add services to the Services tab using a username and password, add any services to the Reporting Engine as report sources, set up any dashboard elements, and add any user accounts, including external authentication.
You might want to set default sources for Investigations, and perform some tests on reports and investigations.
Remember that you are NOT going to use the trust model to add any services on the secondary SA Server.
I'll try to configure fully working 2nd SA server, hope it will work well to satisfy my customer needs.
Thanks for all your comments.
Marcin
2016-05-19 08:35 AM
It will be best if you open a support ticket with RSA to discuss these questions in-depth.
As far as connecting appliances to the secondary Security Analytics Server, you will need an account on each appliance. Many customers use the "admin" account for this even though we recommend against doing so. Many customers create a "service account" such as "saadmin" and make it a member of the administrator role and push that account to all appliances. But obviously, you will need a username and password to add a service into the Administration | Services tab on the secondary Security Analytics Server.
If you send some use cases, we can possibly review them, test them in the lab and post a series of short videos on some configuration options.
Hope that helps.
2016-05-19 02:54 PM
Hi Marcin,
When you mention secondary SA Server, what exactly are you meaning? A secondary environment that has the ability for testing and performing development functions prior to pushing into a production environment? Then the answer could be a virtual deployment and duplicate the accounts that are present on the SA Server using AD credentials.
Our Professional Services team would be a good first pass in the event that you want to have a Secondary server that is basically a stand by server in the event that the primary has become unusable.
Thank you
David
2016-05-20 02:32 PM
Hi Marcin,
In our guides we actually call out our Professional Services team to build these out. This is because of the configurations that get copied from one server to the other; the secondary SA head will see everything that the Primary server will see, and all investigation can be done on the secondary server for analytic functions.
Example: in SADOC, in the Server Deployment section.
Multiple Security Analytics Server Deployment
Customers must contact Customer Care and arrange for a Professional Services Engagement to Deploy Multiple Security Analytics Servers.