Eric Partington

v11.x - Adding DR Investigation NW Head Server

Blog Post created by Eric Partington Employee on Oct 25, 2018

Background Information:

  • v10.6.x offered a method in the UI to add a standalone NW head server for investigation (and to help with DR scenarios), authenticating with legacy static local credentials.
  • v11.x appeared to have removed that capability, which was blocking some of the larger upgrades; the capability actually still exists, it is just no longer presented in the UI as it was in v10.6.
  • A DR investigation server also gives analysts continuous access to data during the major upgrade from v10.6.x to v11.2, which is incredibly beneficial.


Review the upgrade guide and the "Mixed Mode" notes at the link below for more details on running in mixed mode during the upgrade:

https://community.rsa.com/community/products/netwitness/blog/2018/10/18/running-rsa-netwitness-mixed-mode


If you spin up a DR v11.2 standalone NW server from the ISO/OVA, you can connect it to an existing set of concentrators using local credentials. Note: do NOT expect Live or ESA to function as they do on the actual node0 NW server. This method gives you a window into the meta for Investigation, Reporting and Dashboards only.


Here are the steps to follow once your DR v11.2 NW server is up:


On each concentrator or broker the DR head will connect to, create the local credentials it will authenticate with (a local user holding the aggregation role) under

Admin > Services > <service> > Security


Extend the aggregation role with the additional permissions the Event Analysis view needs; the default aggregation permissions alone are not enough for it to work.

Replicate the role and the user on every other service the DR head will need to authenticate to, so the same credentials work everywhere.


Your 11.2 DR investigation head server can connect to a 10.6.6 Broker or Concentrator as follows:

  • On the DR head, open its Broker service in the Explore view.
  • Select the broker node.
  • Right-click it and choose Properties.
  • Choose add from the command drop-down.
  • Add each concentrator (or broker) that needs to be connected, as they were in 10.6. The ports required for the connection are:
      • 50005 for Concentrators
      • 56005 for SSL to Concentrators
      • 50003 to a Broker
      • 56003 for SSL to a Broker
  • In the parameters field, enter:

    device=<ip>:<port> username=<> password=<>

  • Click Send.

You should get a successful connection, and in the config section you will now see the aggregation connection set up.

Click Start Aggregation and make sure Aggregate Autostart is checked, so aggregation resumes automatically after a service restart.
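As an added example (not code from the original post or from RSA), the following Python script does the pre-flight a practitioner wants before clicking Send: it derives the aggregation port from the service type and the SSL choice using the port table above, checks that the DR head can actually complete a TCP handshake to each target, and builds the exact device=/username=/password= line the add command expects. The submit_add function goes one step further and issues the same add through the DR head broker's REST interface; that the Explore commands are exposed as GET /broker?msg=add&... on the broker REST listener (50103, or 56103 for SSL) with HTTP basic authentication is an assumption not stated in the post, so confirm it against your own Explore view before relying on it. Hostnames, user names and the inventory are constructed placeholders.

```python
"""Pre-flight check and scripted 'add' for attaching 10.6.x concentrators or brokers
to an 11.2 DR investigation head.  Added example, not from the original post."""
import base64
import socket
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Aggregation ports from the post's table; the 56xxx listeners are the SSL ones.
AGGREGATION_PORTS = {
    ("concentrator", False): 50005,
    ("concentrator", True): 56005,
    ("broker", False): 50003,
    ("broker", True): 56003,
}


@dataclass(frozen=True)
class Target:
    """A 10.6.x service the DR head will aggregate from."""
    host: str
    service: str        # "concentrator" or "broker"
    ssl: bool = True    # default to the SSL listener; the 5000x ports are cleartext

    @property
    def port(self) -> int:
        key = (self.service.lower(), self.ssl)
        if key not in AGGREGATION_PORTS:
            raise ValueError(f"unknown service type {self.service!r}")
        return AGGREGATION_PORTS[key]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes; this surfaces firewall or
    routing problems before the 'add' command fails with an opaque error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(targets: List[Target], timeout: float = 3.0) -> List[Tuple[Target, bool]]:
    """Reachability of every target on its derived aggregation port."""
    return [(t, tcp_reachable(t.host, t.port, timeout)) for t in targets]


def add_parameters(target: Target, username: str, password: str) -> Dict[str, str]:
    """The three parameters the Explore 'add' command takes, as shown in the post."""
    return {"device": f"{target.host}:{target.port}",
            "username": username, "password": password}


def add_command_line(target: Target, username: str, password: str) -> str:
    """The same parameters as the single line typed into the Properties panel."""
    return " ".join(f"{k}={v}" for k, v in add_parameters(target, username, password).items())


def submit_add(dr_head: str, dr_user: str, dr_password: str,
               target: Target, agg_user: str, agg_password: str,
               ssl: bool = True,
               opener: Optional[Callable[[urllib.request.Request], bytes]] = None) -> bytes:
    """Issue the same 'add' through the DR head broker's REST interface.

    ASSUMPTION (not stated in the post): Explore commands are reachable as
    GET /<node>?msg=<command>&<params> on the broker REST listener, 50103 plain
    or 56103 SSL, with HTTP basic auth.  Verify against your own Explore view.
    Keep ssl=True: the aggregation password travels in the query string.
    """
    rest_port, scheme = (56103, "https") if ssl else (50103, "http")
    query = urllib.parse.urlencode({"msg": "add", **add_parameters(target, agg_user, agg_password)})
    req = urllib.request.Request(f"{scheme}://{dr_head}:{rest_port}/broker?{query}")
    token = base64.b64encode(f"{dr_user}:{dr_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    send = opener or (lambda r: urllib.request.urlopen(r, timeout=10).read())
    return send(req)


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own hosts and credentials.
    inventory = [Target("10.0.0.5", "concentrator"),
                 Target("10.0.0.6", "concentrator"),
                 Target("10.0.0.9", "broker", ssl=False)]
    for target, ok in preflight(inventory, timeout=1.0):
        state = "reachable" if ok else "BLOCKED"
        print(f"{target.service:12} {target.host}:{target.port}  {state}")
        if not target.ssl:
            print("   warning: cleartext port; prefer the 56xxx SSL listener")
    print(add_command_line(inventory[0], "dr_agg", "<password>"))
```

Run it from the DR head itself, since that is the host whose path to the concentrators matters; a BLOCKED line means a firewall or routing fix is needed before the add will succeed. Prefer the 56xxx SSL ports where the 10.6.6 services have SSL enabled; the 5000x listeners are cleartext.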


With the DR investigation server in place, the upgrade from v10.6.6 to v11.2+ can proceed in the following steps:

Initial state: the 10.6.6 environment before any component is upgraded.

Upgrade the new investigation head: stand up the 11.2 DR head and connect it to the existing 10.6.6 concentrators/brokers as described above. Investigators can now use the 11.2 head to investigate without interruption while the production NW head server is upgraded.

Upgrade the primary (node0) NW head server and ESA.

Upgrade the decoder/concentrator pairs. Note: an outage for investigation will occur here as each stack is upgraded.

You are now running on v11.2 just as you were on 10.6, with the DR investigation head attached, so your Investigation and Events views remain accessible.

Outcomes