Deploy a Service Gateway virtual appliance and enable the Zero Trust Internet Access On-Premises Gateway service.
The Zero Trust Internet Access On-Premises Gateway service supports the following external connections via a proxy server:
- Communication with Trend Vision One to get the latest settings and policies
- Queries to services such as Web Reputation Services and ActiveUpdate
- Forwarding of both HTTP and HTTPS end-user web traffic to final destinations
Important: The Internet Access On-Premises Gateway requires high levels of system resources. To avoid negative impact on system performance, Trend Micro recommends setting up the on-premises gateway on an appliance with no other installed or enabled services.
Procedure
- On the Trend Vision One console, go to .
- On the Gateways tab, click Deploy New On-Premises Gateway.
- Set up an Internet Access On-Premises Gateway by clicking Go to Service Gateway Inventory.
  Important: Only Service Gateway 2.0 and later supports the Zero Trust Internet Access On-Premises Gateway service.
  - Select an existing Service Gateway that identifies your corporate location, or deploy a new Service Gateway virtual appliance for the Zero Trust Internet Access On-Premises Gateway service.
    Important: Disable Cloud Service Extension on the Service Gateway when using the Internet Access On-Premises Gateway service. The cloud service extension might interfere with normal operations of the on-premises gateway. For more information, see Configuring Service Gateway settings.
  - Install and enable the Zero Trust Internet Access On-Premises Gateway service. For details, see Managing services in Service Gateway.
- After the deployment completes, check the service status and other information about the on-premises gateway under On-Premises Gateways in Internet Access and AI Service Access Configuration.
- Configure the settings for the on-premises gateway by clicking the edit icon.
  The following list outlines the available settings for the on-premises gateway and describes the configuration options.
  - Basic Settings: Update the corporate location name and time zone, and add an optional description as needed.
    - The default location name is the hostname of the Service Gateway virtual appliance running the on-premises gateway.
  - User Authentication: Require user authentication for endpoints connecting without the Secure Access Module installed.
    - Disabling user authentication for endpoints connecting without the Secure Access Module installed enforces Internet Access rules on all connected endpoints without requiring them to authenticate.
    - When requiring user authentication for endpoints connecting without the Secure Access Module, you may select or create:
      - Private IP address groups for connected endpoints without the Secure Access Module that may always bypass user authentication
      - Private IP address groups for connected endpoints that may never bypass user authentication
  - Upstream Proxy Rules: Enable upstream proxy rules for data traffic to specific IP addresses, domains, or subdomains.
    - You may set up to 10 rules using different proxy options.
    - For details, see Configuring upstream proxy rules.
  - Log Forwarding: Choose whether to upload detection logs or activity data in Common Event Format (CEF) syslog format to Trend Vision One.
    - To send activity data to a syslog server, specify the server address, port, and protocol used for communication with the server.
    - For more information about content mapping between Internet Access log output and CEF syslog format, see Syslog content mapping - CEF.
  - ICAP Integration:
    - Enable the on-premises gateway as an Internet Content Adaptation Protocol (ICAP) server to handle threat protection or data loss protection (DLP) on HTTP requests (default port 1344).
      - Use the supplied REQMOD and RESMOD URLs to configure your ICAP clients.
    - Enable ICAP over SSL to connect the ICAP clients to the on-premises gateway over a secure connection (default port 11344).
      - You may use the default SSL certificate or provide a custom certificate with private key and passphrase.
    - Select the desired ICAP response and request headers.
    Important: On-premises gateways with ICAP enabled can only integrate with ICAP v1.0-compliant proxy servers and do not support:
      - HTTPS inspection
      - Botnet detection
      - Tenancy restrictions
      - Device posture-based access control
      - End-user authentication
      - Risk control rules
      - Bandwidth control
  - Deep Discovery Analyzer: Integrate and configure existing Deep Discovery Analyzer appliances to collect file samples from the on-premises gateway for analysis.
    Tip: Configuring both a primary and a secondary Deep Discovery Analyzer appliance allows for increased appliance availability.
- Click Save.
- Configure and apply PAC files to forward HTTP/HTTPS traffic to the on-premises gateway.
  - Add the FQDN or IP address of the on-premises gateway to one or multiple PAC files that you use for proxy settings.
  - Apply the PAC files to deployed Secure Access Modules.
- Configure bandwidth control to optimize network performance on the on-premises gateway.
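As an added example of the PAC file step above (not part of the Trend Micro documentation), the following PAC script forwards all HTTP and HTTPS traffic to the on-premises gateway while keeping plain intranet hostnames, the corporate internal domain, and private IP ranges direct. The gateway FQDN `onprem-gw.example.internal`, the proxy port 8080, and the domain `.corp.example.internal` are constructed placeholders; substitute the FQDN or IP address and port of your own gateway.

```javascript
// Constructed placeholders: replace with your gateway's FQDN/IP and proxy port.
var GATEWAY = "PROXY onprem-gw.example.internal:8080";
var DIRECT = "DIRECT";

// PAC helper shims so this file also runs under Node for testing. A browser or
// OS PAC engine already defines these functions, so this block is skipped there.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (h) { return h.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (h, d) {
    return h.length >= d.length && h.slice(-d.length) === d;
  };
  globalThis.isInNet = function (ip, net, mask) {
    var toInt = function (a) {
      return a.split(".").reduce(function (n, o) { return (n << 8) + (+o); }, 0) >>> 0;
    };
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The gateway itself and single-label intranet hostnames are never proxied.
  if (isPlainHostName(host) || host === "onprem-gw.example.internal") {
    return DIRECT;
  }
  // Internal corporate domain stays off the gateway (constructed domain).
  if (dnsDomainIs(host, ".corp.example.internal")) {
    return DIRECT;
  }
  // Private address space stays local. Only literal IPv4 hosts are matched so
  // the PAC never triggers a DNS lookup on every request.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return DIRECT;
  }
  // Everything else, HTTP and HTTPS alike, goes through the on-premises gateway.
  // Returning the gateway alone fails closed: if it is unreachable, the request
  // fails rather than silently bypassing inspection. Appending "; DIRECT" would
  // make the policy fail open.
  return GATEWAY;
}
```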