Launch a Service Gateway virtual appliance from Microsoft Azure using an Azure Virtual Machine image.
If you do not have VMware or Microsoft Hyper-V in your environment, you can deploy
the Service Gateway virtual appliance from Microsoft Azure using Azure Virtual
Machine (VM) images. Before you begin, review the Service Gateway appliance system
requirements
to ensure your virtual appliance has the settings needed to deploy the services you
want to use.
NoteThe steps contained in these instructions are valid as of April 2023.
|
Procedure
- Obtain the Service Gateway registration token.
- On the Trend Vision One console, go to .
- Click Download Virtual Appliance.
- Copy the Registration Token.
Note
The registration token is used to register the Service Gateway virtual appliance to Service Gateway Inventory after installation and setup are complete. The registration token expires after 24 hours if not used.
- To initiate the instance launch, sign in to the Microsoft Azure portal.
- In the Azure portal, click Virtual machines in the
Azure services widget.
Tip
If you don't see the virtual machines service, click More services and use the filter to search for the service. - In the Virtual machines screen, click Create and choose Azure Virtual Machine.
- Specify the Project details.
-
Select the Subscription to assign the instance to.
-
Select an existing Resource group or click Create new to assign the instance to a new group.
-
- Specify the Instance details.
- Specify the Virtual machine name.
- Select the Region for your network needs.
- (Optional) Select the Availability options.
- Select the Availability zone.
Note
The region can be set to any region you require the Service Gateway to be deployed. If you are unsure which region to select, use the default region for your Azure subscription.For more information on Availability options and Availability zone, and what settings are best for your organization, refer to the Microsoft Azure help documentation. - For Security type, select
Standard.
Important
Selecting a higher level of security may interfere with the ability of Service Gateway virtual appliance to connect with Trend Vision One. - Under the Image drop-down, click the
See all images link.
- Search for Trend Micro Service Gateway.
- Find Trend Vision One Service Gateway, and click Select.
- Select Trend Vision One Service Gateway - x64 Gen
1.
Note
Service Gateway does not support Arm64 VM architecture.For reliable connectivity, do not enable Run with Azure Spot discount. - Click the Size drop-down and select
Standard_F8s_v2.
Tip
The instance size should appear in the Size drop-down under Recommended by image publisher. If you do not see the size, click See all sizes and search for F8s. Select F8s_v2 and click Select.
- Configure the settings under the Administrator
account section.Trend Micro recommends accessing the Service Gateway virtual machine using an SSH client. Follow these steps to configure a key pair for SSH access.
- For Authentication type, select SSH public key.
- For Username, type azureuser.
- For SSH public key source, generate a new key
pair or select an existing key pair.
Note
If you choose to use an existing key pair, make sure that the key is at least 2,048 bits in length. - If you choose to generate a new key pair, specify the Key pair name.
- Under the Inbound port rules section, select None for Public inbound ports.
- Click Next: Disks.
- Select Premium SSD (locally-redundant storage) for the
OS disk type.
Note
Trend Micro recommends using the default configuration for all other settings. - Click Next: Networking.
- Configure the settings under the Network interface
section.
- Select the Virtual network for the instance to connect to.
- Select the Subnet.
Note
Refer to the Microsoft Azure documentation on how to set up a virtual network and subnet. - For Public IP, select None.
- For NIC network security group, select None.
- Under the Load balancing section, select None for Load balancing options.
- Click Next: Management.Use default settings for the screens listed below. Click Next to navigate to the next screen.
-
Management
-
Monitoring
-
Advanced
-
- On the Tags screen, set your desired tags, then click
Next: Review + Create.
Tip
Assigning tags helps locate and categorize resources for easier management. For more information, see the Microsoft Azure documentation. - Review the virtual machine settings, then click
Create.
Note
If you chose to create a new key pair, the Generate new key pair prompt appears. Click Download private key and create resource to download the key pair and start the instance creation.Once you create the instance, the Service Gateway virtual appliance begins installation. Installation may take a few minutes to complete. You can view the status of the instance in the Virtual machines screen.The Service Gateway virtual appliance is ready to connect and configure when the Status is Running. - After installation is completed, go to the Virtual machines screen and click on the name of the Service Gateway virtual appliance instance.
- In the virtual machine panel, go to .
- Click Add inbound port rule.
- Configure the inbound port rules.
- Specify the Source.
Note
Trend Micro recommends setting Source to IP Addresses and specifying Source IP addresses/CIDR ranges that are within your network. - For Source port ranges, type * to allow any source port.
- For Destination, select Any.
- Specify Service, Destination port
ranges, Protocol, and
Action according to the following
table.ServiceDestination port rangesProtocolActionDescriptionSSH22TCPAllowFor accessing Service Gateway virtual appliance CLISH commandHTTP80TCPAllowService enabled queries for on-premises Active Directory servers, connected Trend Micro products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party IntegrationHTTPS443TCPAllowService enabled queries for on-premises Active Directory servers, connected Trend Micro products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party IntegrationCustom TCP5274TCPAllowWeb Reputation Services or Web Inspection Service queriesCustom TCP5275TCPAllowWeb Reputation Services or Web Inspection Service queriesCustom TCP8080TCPAllowForward Proxy Service listening port for connectionCustom TCP8088TCPAllowZero Trust Secure Access On-Premises Gateway listening port for connection
- Specify the Priority of the rule.
Note
For more information on priority, refer to Microsoft Azure documentation. - Specify the rule Name.
Note
Trend Micro recommends using default settings for outbound port rules. Setting additional outbound rules may affect the ability of Service Gateway to connect to Service Gateway Inventory. - Specify the Source.
- Connect to the instance.
Note
Trend Micro recommends using an SSH client to connect to the Service Gateway virtual appliance to make copying the registration token easier. The following steps outline how to connect with an SSH client.- In the Virtual machines screen, click the name of the Service Gateway virtual appliance instance.
- In the Virtual machine panel, click Connect and select SSH.
- Review the steps and copy the IP address in the example command.
- Open an SSH client.
- Type the following command to connect to the Service Gateway virtual
appliance:ssh -i "keypair.pem" admin@<IPaddress>
Note
Use the full file name of your key pair including the file extension.The user name isadmin
.For example, if your key pair file is namedmy_key_pair.pem
and the Service Gateway virtual appliance IP address is 127.0.0.1, type the command:ssh -i "my_key_pair.pem" admin@127.0.0.1Important
If you are unable to immediately connect to the appliance, follow these steps to resolve the issue:-
The trusted hosts file cannot be automatically updated from EC2. In your SSH client, type the command ~/.ssh/known_hosts to remove the known hosts in the trusted file, then try connecting again.
-
You cannot configure a Network Time Protocol server on the Service Gateway virtual appliance. Because the appliance is deployed to the cloud, time settings are automatically synchronized.
-
- Configure and register the Service Gateway.
- After connecting to the instance and signing on, the Command Line Interface (CLI) appears.
- Type enable and press the
ENTER key to enable administrative
commands.The command prompt changes from > to #.
- Use the
configure
command to configure the required network settings, such as the IP address and DNS settings. - Type the following command to register the Service Gateway
virtual appliance to Trend Vision One.register <registration_token>Use the registration token you obtained from Service Gateway Inventory.
- Use the CLI to configure other settings, if required.For more information on available commands, see Service Gateway CLI commands.