Onboard an On-Prem Management Center

CDO provides two ways of onboarding an on-prem management center:

  • Discover From SecureX Account: This procedure automatically initiates the onboarding process for all on-prem management centers that are running Version 7.2 or later and are linked to your SecureX tenant or registered to the Cisco Security Cloud. This is the recommended method for onboarding the on-prem management center to CDO.

    Note

    The Discover From SecureX Account method for onboarding an on-prem management center to CDO is not supported in the Australia region. You must use the Use Credentials method to onboard the management center in this region instead.

  • Use Credentials: This procedure onboards the on-prem management center using only its credentials and the management IP address.

Review Connect Cisco Defense Orchestrator to your Managed Devices for more information.

Limitations and Guidelines

These are the limitations applicable to onboarding an on-prem management center:

  • Onboarding an on-prem management center also onboards all of the devices registered to it. If a managed device is disabled or unreachable, CDO may still list the device on the Inventory page, but it cannot successfully send requests to it or display its device information.

  • We recommend creating a dedicated user with administrator-level permissions on the on-prem management center for CDO communication, and using it only for CDO. If you onboard the on-prem management center and at the same time log into it interactively with the same credentials, onboarding fails.

  • If you create a new user on the on-prem management center for CDO communication, set Maximum Number of Failed Logins to "0" in that user's configuration. A value of 0 disables account lockout for this user, so CDO cannot be locked out by failed attempts; because the account then never locks, give it a strong, unique password and do not reuse it for interactive logins.

Network Requirements

Before you onboard the management center, make sure the ports listed below are reachable in the direction stated. If a firewall blocks any of these ports, onboarding may fail. Of the three 443/tcp rows tied to an onboarding method, only the one for the method you use applies.

Port                Protocol/Feature          Platforms          Direction  Details
7/udp               UDP/audit logging         Management Center  Outbound   Verify connectivity with the syslog server when configuring audit logging.
53/tcp, 53/udp      DNS                                          Outbound   DNS resolution.
67/udp, 68/udp      DHCP                                         Outbound   DHCP.
123/udp             NTP                                          Outbound   Synchronize time.
162/udp             SNMP                                         Outbound   Send SNMP alerts to a remote trap server.
389/tcp, 636/tcp    LDAP                                         Outbound   Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (Management Center only). Configurable.
443/tcp             HTTPS                     Management Center  Inbound    Allow inbound connections to port 443 if you are onboarding the management center with an on-premises Secure Device Connector.
443/tcp             HTTPS                     Management Center  Outbound   Allow outbound traffic on port 443 if you are onboarding the management center to CDO using the cloud connector.
443/tcp             HTTPS                     Management Center  Outbound   Allow outbound connections on port 443 if you are onboarding the management center using the Discover From SecureX Account method.
443/tcp             HTTPS                                        Outbound   Send and receive data from the internet.
514/udp             Syslog (alerts)                              Outbound   Send alerts to a remote syslog server.
1812/udp, 1813/udp  RADIUS                                       Outbound   Communicate with a RADIUS server for external authentication and accounting. Configurable.
8305/tcp            Appliance communications                     Both       Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
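The table above is easy to misread under pressure, and the three 443/tcp rows depend on which onboarding method you chose. The following pre-flight script is an added example and not Cisco's own tooling: it transcribes the table, selects the rows that apply to a given onboarding method ("sdc", "cloud" or "securex"; these method names are this script's own labels), and attempts a TCP connect for each TCP row against a host you supply. UDP rows (DNS, NTP, syslog, RADIUS, SNMP, DHCP, audit logging) cannot be confirmed with a plain connect and are reported as MANUAL. The hostnames in the usage block are placeholders; none of them are real CDO endpoints, and the inbound 443/tcp probe must be run from the Secure Device Connector host toward the management center.

```python
"""Pre-onboarding port check for an on-prem management center.

Added example (not Cisco's code). Transcribes the Network Requirements table
from this page and probes the TCP rows with a plain TCP connect. All hostnames
are placeholders supplied by the caller.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PortRow:
    port: int
    proto: str                    # "tcp" or "udp"
    feature: str                  # key used to look up the probe target
    direction: str                # "outbound", "inbound" or "both"
    method: Optional[str] = None  # "sdc", "cloud" or "securex"; None = every method

    @property
    def label(self) -> str:
        return f"{self.port}/{self.proto} {self.feature}"


# Rows transcribed from the table above. Rows with "method" set are only
# required for that onboarding path (on-prem SDC, cloud connector, SecureX).
TABLE: List[PortRow] = [
    PortRow(7, "udp", "audit logging", "outbound"),
    PortRow(53, "tcp", "DNS", "outbound"),
    PortRow(53, "udp", "DNS", "outbound"),
    PortRow(67, "udp", "DHCP", "outbound"),
    PortRow(68, "udp", "DHCP", "outbound"),
    PortRow(123, "udp", "NTP", "outbound"),
    PortRow(162, "udp", "SNMP", "outbound"),
    PortRow(389, "tcp", "LDAP", "outbound"),
    PortRow(636, "tcp", "LDAP", "outbound"),
    PortRow(443, "tcp", "HTTPS from SDC", "inbound", "sdc"),     # probe from the SDC host
    PortRow(443, "tcp", "HTTPS to CDO", "outbound", "cloud"),
    PortRow(443, "tcp", "HTTPS to SecureX", "outbound", "securex"),
    PortRow(443, "tcp", "HTTPS to internet", "outbound"),
    PortRow(514, "udp", "syslog", "outbound"),
    PortRow(1812, "udp", "RADIUS auth", "outbound"),
    PortRow(1813, "udp", "RADIUS accounting", "outbound"),
    PortRow(8305, "tcp", "appliance communications", "both"),     # probe each managed device
]

VALID_METHODS = {"sdc", "cloud", "securex"}


def rows_for(method: str) -> List[PortRow]:
    """Rows that apply when onboarding with the given method."""
    if method not in VALID_METHODS:
        raise ValueError(f"unknown onboarding method: {method!r}")
    return [r for r in TABLE if r.method in (None, method)]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, timed out, unresolvable, unreachable
        return False


def run_preflight(method: str, targets: Dict[str, str],
                  probe: Callable[[str, int], bool] = check_tcp) -> Dict[str, str]:
    """Map each applicable row's label to PASS, FAIL, MANUAL or SKIPPED.

    targets maps a row's feature name to the host to probe. UDP rows are
    MANUAL (a connect proves nothing); TCP rows without a target are SKIPPED.
    """
    results: Dict[str, str] = {}
    for row in rows_for(method):
        if row.proto == "udp":
            results[row.label] = "MANUAL"
        elif row.feature not in targets:
            results[row.label] = "SKIPPED"
        else:
            ok = probe(targets[row.feature], row.port)
            results[row.label] = "PASS" if ok else "FAIL"
    return results


def open_local_listener():
    """Constructed test fixture: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder hosts (assumed, not real CDO endpoints); replace before use.
    placeholders = {
        "HTTPS to CDO": "cdo-gateway.example.invalid",
        "HTTPS to internet": "www.example.invalid",
        "appliance communications": "ftd-1.example.invalid",
    }
    for label, state in run_preflight("cloud", placeholders).items():
        print(f"{state:8} {label}")
```

The injectable `probe` parameter lets you swap the live connect for a stub when exercising the row selection, and it keeps the script honest about what it can verify: a PASS only means a TCP handshake completed, not that TLS or authentication to the far end will succeed.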