Deploy a Service Gateway virtual appliance and enable the Zero Trust Internet Access On-Premises Gateway service.

The Zero Trust Internet Access On-Premises Gateway service supports the following external connections via a proxy server:
  • Communication with Trend Vision One to get the latest settings and policies
  • Queries to services such as Web Reputation Services and ActiveUpdate
  • Forwarding of both HTTP and HTTPS end-user web traffic to final destinations
Important
The Internet Access On-Premises Gateway requires high levels of system resources. To avoid negative impact on system performance, Trend Micro recommends setting up the on-premises gateway on an appliance with no other installed or enabled services.

Procedure

  1. On the Trend Vision One console, go to Zero Trust Secure Access > Secure Access Configuration > Internet Access and AI Service Access Configuration.
  2. On the Gateways tab, click Deploy New On-Premises Gateway.
  3. Set up an Internet Access On-Premises Gateway by clicking Go to Service Gateway Inventory.
    Important
    Only Service Gateway 2.0 and later supports the Zero Trust Internet Access On-Premises Gateway service.
    1. Select an existing Service Gateway that identifies your corporate location, or deploy a new Service Gateway virtual appliance for the Zero Trust Internet Access On-Premises Gateway service.
      Important
      Disable Cloud Service Extension on the Service Gateway when using the Internet Access On-Premises Gateway service. The cloud service extension might interfere with normal operations of the on-premises gateway. For more information, see Configuring Service Gateway settings.
    2. Install and enable the Zero Trust Internet Access On-Premises Gateway service. For details, see Managing services in Service Gateway.
  4. After the deployment completes, check the service status and other information about the on-premises gateway under On-Premises Gateways in Internet Access and AI Service Access Configuration.
  5. Configure the settings for the on-premises gateway by clicking the edit icon.
    The following settings are available for the on-premises gateway, with the configuration options for each.

    Basic Settings
    Update the corporate location name and time zone, and add an optional description as needed.
    • The default location name is the hostname of the Service Gateway virtual appliance running the on-premises gateway.

    User Authentication
    • Require user authentication for endpoints connecting without the Secure Access Module installed.
      • If user authentication is disabled for these endpoints, Internet Access rules are still enforced on all connected endpoints, but those endpoints are not required to authenticate.
      • When requiring user authentication for endpoints connecting without the Secure Access Module, you may select or create:
        • Private IP address groups for connected endpoints without the Secure Access Module that may always bypass user authentication
        • Private IP address groups for connected endpoints that may never bypass user authentication

    Upstream Proxy Rules
    Enable upstream proxy rules for data traffic to specific IP addresses, domains, or subdomains.

    Log Forwarding
    Choose whether to upload detection logs or activity data to Trend Vision One, and whether to send activity data to a syslog server in Common Event Format (CEF).
    • To send activity data to a syslog server, specify the server address, port, and protocol used for communication with the server. Syslog over UDP is neither authenticated nor encrypted; if the server supports it, choose TLS so that activity data cannot be read or spoofed in transit.
    • For more information about content mapping between Internet Access log output and CEF syslog format, see Syslog content mapping - CEF.

    ICAP Integration
    • Enable the on-premises gateway as an Internet Content Adaptation Protocol (ICAP) server to apply threat protection or data loss prevention (DLP) to HTTP requests and responses (default port 1344).
      • Use the supplied REQMOD and RESMOD URLs to configure your ICAP clients.
    • Enable ICAP over SSL to connect the ICAP clients to the on-premises gateway over a secure connection (default port 11344).
      • You may use the default SSL certificate or provide a custom certificate with private key and passphrase. Whichever certificate you use, configure the ICAP clients to verify it rather than disabling certificate checks; otherwise ICAP over SSL gives no protection against an interposed server.
    • Select the desired ICAP response and request headers.
    Important
    On-premises gateways with ICAP enabled can only integrate with ICAP v1.0-compliant proxy servers and do not support:
    • HTTPS inspection
    • Botnet detection
    • Tenancy restrictions
    • Device posture-based access control
    • End-user authentication
    • Risk control rules
    • Bandwidth control

    Deep Discovery Analyzer
    Integrate and configure existing Deep Discovery Analyzer appliances to collect file samples from the on-premises gateway for analysis.
    Tip
    Configuring both a primary and a secondary Deep Discovery Analyzer appliance allows for increased appliance availability.
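    The ICAP integration above only tells you which endpoints exist (REQMOD and RESMOD, port 1344, or 11344 over SSL). The following Node.js script is an added example, not Trend Micro code, showing what an ICAP client actually sends to the REQMOD endpoint and how it should interpret the reply. The ICAP URL, client IP, HTTP request and the two sample replies are constructed placeholders; use the REQMOD URL the console supplies for your gateway.

```javascript
// Added example (not Trend Micro code): build an ICAP/1.0 REQMOD request for the
// gateway and turn its reply into a verdict. ASSUMED placeholders, not from the
// page: the ICAP URL, the client IP and the HTTP request being checked.
var ICAP_REQMOD_URL = "icap://onprem-gw.corp.example.com:1344/reqmod"; // assumed; use the URL from the console

// Join header lines with CRLF and terminate the block with an empty line.
function httpHead(lines) {
  return lines.join("\r\n") + "\r\n\r\n";
}

// ICAP encapsulated bodies use HTTP chunked framing; a zero-length chunk ends them.
function chunked(body) {
  if (body.length === 0) return "0\r\n\r\n";
  return body.length.toString(16) + "\r\n" + body + "\r\n0\r\n\r\n";
}

// Build a complete REQMOD request. Encapsulated offsets are byte counts into the
// payload that follows the ICAP headers; counting characters instead of bytes
// (non-ASCII header values) makes the server reject or mis-parse the request.
function buildReqmod(icapUrl, requestHeadLines, body, clientIp) {
  var head = httpHead(requestHeadLines);
  var headLen = Buffer.byteLength(head, "utf8");
  var encapsulated = body === null
    ? "req-hdr=0, null-body=" + headLen
    : "req-hdr=0, req-body=" + headLen;
  var authority = icapUrl.replace(/^icap:\/\//, "").split("/")[0];
  var icapHead = [
    "REQMOD " + icapUrl + " ICAP/1.0",
    "Host: " + authority,
    "X-Client-IP: " + clientIp, // lets the gateway attribute the request to the real endpoint
    "Allow: 204",               // permit "204 No Content" so clean requests are not echoed back
    "Encapsulated: " + encapsulated
  ].join("\r\n") + "\r\n\r\n";
  return icapHead + head + (body === null ? "" : chunked(body));
}

// Parse the ICAP status line and headers and derive what the client must do next.
function parseIcapResponse(text) {
  var sep = text.indexOf("\r\n\r\n");
  var headBlock = sep === -1 ? text : text.slice(0, sep);
  var lines = headBlock.split("\r\n");
  var m = /^ICAP\/1\.0 (\d{3}) (.*)$/.exec(lines[0]);
  if (!m) throw new Error("not an ICAP/1.0 response: " + lines[0]);
  var headers = {};
  for (var i = 1; i < lines.length; i++) {
    var idx = lines[i].indexOf(":");
    if (idx > 0) headers[lines[i].slice(0, idx).trim().toLowerCase()] = lines[i].slice(idx + 1).trim();
  }
  var status = parseInt(m[1], 10);
  var encapsulated = headers["encapsulated"] || "";
  var verdict;
  if (status === 204) {
    verdict = "allow-unmodified";   // forward the original request to the origin
  } else if (status === 200 && encapsulated.indexOf("res-hdr") !== -1) {
    verdict = "gateway-response";   // gateway answered in place of the origin (typically a block page)
  } else if (status === 200) {
    verdict = "modified-request";   // forward the encapsulated (rewritten) request instead
  } else {
    verdict = "error";              // 4xx/5xx: decide fail-open vs fail-closed explicitly, never by accident
  }
  return { status: status, reason: m[2], headers: headers, verdict: verdict,
           payload: sep === -1 ? "" : text.slice(sep + 4) };
}

// Constructed sample replies (not captured from a real gateway).
var SAMPLE_CLEAN = "ICAP/1.0 204 No Content\r\nISTag: \"sample\"\r\nEncapsulated: null-body=0\r\n\r\n";
var blockHead = httpHead(["HTTP/1.1 403 Forbidden", "Content-Type: text/html"]);
var SAMPLE_BLOCK = "ICAP/1.0 200 OK\r\nISTag: \"sample\"\r\n" +
  "Encapsulated: res-hdr=0, res-body=" + Buffer.byteLength(blockHead, "utf8") + "\r\n\r\n" +
  blockHead + chunked("<html>Blocked by policy</html>");

var request = buildReqmod(ICAP_REQMOD_URL,
  ["GET http://www.example.net/ HTTP/1.1", "Host: www.example.net"], null, "10.0.0.5");
console.log(request);
console.log(parseIcapResponse(SAMPLE_CLEAN).verdict, parseIcapResponse(SAMPLE_BLOCK).verdict);
```

    The "error" branch is the one to get right operationally: because the gateway with ICAP enabled does not perform end-user authentication or HTTPS inspection for ICAP clients, the proxy in front of it is the only enforcement point, and whether it lets a request through when the ICAP server is unreachable should be a deliberate configuration choice on that proxy.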
  6. Click Save.
  7. Configure and apply PAC files to forward HTTP/HTTPS traffic to the on-premises gateway.
    1. Add the FQDN or IP address of the on-premises gateway to one or more PAC files that you use for proxy settings.
    2. Apply the PAC files to deployed Secure Access Modules.
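    A PAC file that does what steps 7.1 and 7.2 describe, as an added example (not a file shipped with the product): HTTP and HTTPS go to the on-premises gateway, while unqualified names, private and loopback addresses, the gateway itself and the internal DNS zone go DIRECT so they never leave the network. The gateway FQDN, its port and the internal suffix are assumed placeholders to replace with your own.

```javascript
// Added example PAC file (not Trend Micro's own): forward HTTP and HTTPS to the
// on-premises gateway, go DIRECT for anything that must not leave the network.
// ASSUMED placeholders, not values from the page: gateway FQDN, its proxy port
// and the internal DNS suffix.
var GATEWAY_HOST = "onprem-gw.corp.example.com"; // assumed FQDN of the on-premises gateway
var GATEWAY_PORT = 8080;                          // assumed listening port
var INTERNAL_SUFFIXES = [".corp.example.com"];    // assumed internal DNS zone(s)

var PROXY = "PROXY " + GATEWAY_HOST + ":" + GATEWAY_PORT;

// True for IPv4 literals in RFC 1918, loopback and link-local ranges. Done by
// string parsing rather than isInNet()/dnsResolve() so evaluating the PAC never
// triggers a DNS lookup, which slows every request and leaks names to the resolver.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10), c = parseInt(m[3], 10), d = parseInt(m[4], 10);
  if (a > 255 || b > 255 || c > 255 || d > 255) return false;
  return a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         a === 127 ||
         (a === 169 && b === 254);
}

// String.prototype.endsWith is missing from older PAC engines, so spell it out.
function hasSuffix(s, suffix) {
  return s.length >= suffix.length && s.lastIndexOf(suffix) === s.length - suffix.length;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.split(":")[0].toLowerCase();

  // Only HTTP and HTTPS are forwarded to the gateway; other schemes go direct.
  if (scheme !== "http" && scheme !== "https") return "DIRECT";

  // Unqualified intranet names, loopback and the gateway itself never loop through the proxy.
  if (host.indexOf(".") === -1 || host === "localhost" || host === GATEWAY_HOST) return "DIRECT";
  if (host === "[::1]" || host === "::1") return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";

  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hasSuffix(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }

  // Deliberately no "; DIRECT" fallback: if the gateway is unreachable the
  // browser fails closed instead of silently bypassing Internet Access rules.
  return PROXY;
}
```

    Two design choices matter here. Appending "; DIRECT" to the proxy string would keep users browsing during a gateway outage but would also let every endpoint bypass the rules the gateway enforces; leaving it out fails closed. The file also sticks to ES3/ES5 syntax (var, no arrow functions, no String.prototype.endsWith) because some PAC engines, such as WinHTTP's JScript, reject newer constructs and then fall back to no proxy at all.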
  8. Configure bandwidth control to optimize network performance on the on-premises gateway.