Deploying the Private Access Connector on Microsoft Azure

Connect your Azure Marketplace applications with Zero Trust Secure Access Private Access and prevent unauthorized intrusions.

Private Access Connectors connect your internal applications with Zero Trust Secure Access Private Access, which allows you to control access to sensitive corporate resources. To ensure high availability (HA) and facilitate load balancing on high-traffic apps, install and group together at least 2 connectors in each environment. Before attempting to deploy the Private Access Connector, ensure that your environment meets the minimum system requirements.

  1. In the Trend Micro Vision One console, go to Zero Trust Secure Access > Secure Access Configuration > Private Access Configuration.
  2. If you need to create a new connector group, click Add Private Access Connector Group.
    1. Provide a unique name and description for the group.
    2. Click Save.
  3. Locate your Connector group name in the list and click the New connector icon.

    The Private Access Connector Virtual Appliance panel appears.

  4. Select Microsoft Azure from the Platform list.
  5. Copy the Registration token for later use.
  6. Sign in to the Azure Marketplace and locate the Trend Micro Vision One - Zero Trust Secure Access app.
    Important:

    The steps contained in these instructions were valid as of July 2022.

  7. On the Trend Micro Vision One - Zero Trust Secure Access Azure application screen, click Get It Now.
  8. Sign in to Azure Marketplace as a super administrator when prompted.
  9. On the Create this app in Azure screen, click Continue.

    The app deployment screen appears.

  10. Create multiple virtual machine (VM) instances for the Private Access Connector virtual appliances.
    1. On the app deployment screen, click Create.
    2. On the Basics tab that appears, specify the following fields.

      Subscription: Select the subscription to manage the VM instances.

      Resource group: Select a new or existing resource group to organize and manage the VM instances.

      Region: Select an Azure region.

        Trend Micro recommends you select the same region as where the resource group is located.

      Scale set instance name: Specify a uniquely identifiable name for the scale set.

      Scale set instance count: Use drag-and-drop to select the number of VM instances to deploy.

        You can modify the instance count on the Microsoft Azure portal after the deployment.

      Appliance VM size: Select the system resources as necessary.

      Registration token: Paste the registration token that you obtained on the Trend Micro Vision One console.

        The system automatically registers all the Connector virtual appliances in the scale set to Trend Micro Vision One during the deployment.

      SSH public key source: Select the SSH public key source.

        Important:

        Trend Micro Vision One does not support logon to a VM using a password.

        • Select Generate new key pair and specify a uniquely identifiable name for the key pair.

          You will need to download the private key at a later step.

        • Select Use existing key stored in Azure and select a stored key from the drop-down list.

        • Select Use existing public key and paste your public key to the text box.

    3. Click the Networking tab and specify the following fields.

      Virtual network: Select a virtual network from the drop-down list or click Create new to add a virtual network for the scale set.

        Make sure that the virtual network can connect to the internal applications that you want to protect.

      Management subnet: Select a subnet of the virtual network from the drop-down list.

        For a newly created virtual network, the subnet of the virtual network is automatically filled in.

    4. Click the Advanced tab and configure Boot diagnostics as necessary.
    5. Click Review + create.
    6. On the Review + create tab that appears, review and confirm the settings and click Create.

      If you selected Generate new key pair at an earlier step, the Generate new key pair screen appears.

    7. (Optional) Click Download private key and create resource and save the private key file to your local machine.
      Important:

      Make sure your private key file is secure and accessible. You will need to use the private key to log on to the VM.

      The deployment process overview screen appears, indicating the deployment status.

    8. Wait until the deployment is complete, and then click Go to resource.

      The Overview screen of the newly created virtual machine scale set appears. The number of successfully deployed VM instances displays next to Status.

  11. (Optional) Launch and configure a Private Access Connector VM.
    1. In the left navigation, click Instances.
    2. From the VM instances under this scale set, click the name of a VM.
    3. On the Overview screen that appears, copy the public IPv4 address of the VM.
    4. Open a command prompt and run the following ssh command to log on to the Private Access Connector virtual appliance with the default credentials.

      ssh -i <path_of_the_private_key_file> admin@<public_IP_address_of_the_VM>

    5. Run the following command and then press the Enter key to set your password for the enable command:

      passwd

      The admin user and privileged mode share the same password.

    6. Type enable and then press the Enter key to enter privileged mode. Provide the updated password when asked.

      The command prompt changes from > to #.

    7. Run the following command to change the time zone of the Private Access Connector:

      configure timezone <timezone>

      The default time zone is America/Los_Angeles.

    8. Check whether the Private Access Connector can connect to the NTP server 0.pool.ntp.org.

      The Private Access Connector requires connectivity to an NTP server to synchronize its clock. By default, Trend Micro Vision One uses the public NTP server 0.pool.ntp.org. You can also configure the Private Access Connector to connect to another public NTP server or a local NTP server within your organization.

      Run the following command to configure the NTP server:

      configure ntp server <address>

      Note:

      To use public NTP servers, make sure that your firewall configuration allows outbound UDP traffic on port 123.

  12. Use the CLI to configure other settings, if required.

    For more information on available commands, see Private Access Connector CLI Commands.

    After successful deployment, the Private Access Connector virtual appliances appear under the corresponding connector group on the Private Access Connectors tab.

  13. (Optional) On the Microsoft Azure portal, perform the following tasks as necessary to configure the VM scale set that you created.

    Modify the scale set instance count:

      1. Search for Virtual machine scale sets in the Search text box and then click Virtual machine scale sets.

      2. Locate and open the VM scale set that you want to configure.

      3. In the left navigation, click Scaling.

      4. On the Scaling screen that appears, select Manual scale and use drag-and-drop to change the number of VM instances to deploy.

      5. Click Save.

        If you chose to decrease the number of VM instances, the system randomly deletes the corresponding number of instances from the scale set.

      6. In the left navigation, click Instances.

        All the VM instances in this scale set are displayed.

    Delete a specific VM instance:

      1. In the left navigation, click Instances.

      2. On the Instances screen that appears, select one or multiple VM instances and click Delete.

    Update the registration token:

      1. In the left navigation, click Operating system.

      2. On the Operating system screen that appears, select Modify user data in the User data section, and then paste the updated registration token in the User data text box.

      3. Click Save.

      4. In the left navigation, click Instances.

      5. On the Instances screen that appears, select all VM instances and click Upgrade.

        The update process takes about one minute. During the process, the system does not restart the instances and automatically registers the instances to Trend Micro Vision One again.
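
One way to confirm the outbound UDP 123 requirement from step 11.8 before relying on a public NTP server, as an added example that is not Trend Micro code: a minimal SNTP probe that distinguishes "no reply" (traffic likely filtered) from a refused or malformed reply. It assumes it is run from a host in the same management subnet as the connector; the function names are hypothetical.

```python
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def build_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([0x23]) + bytes(47)


def parse_response(data, now=None):
    """Validate a server reply; return stratum, server time and clock offset."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    mode = data[0] & 0x07
    stratum = data[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        # Kiss-o'-Death: the reference ID carries an ASCII code such as RATE or DENY.
        raise ValueError("kiss-o'-death: " + data[12:16].decode("ascii", "replace"))
    seconds, fraction = struct.unpack("!II", data[40:48])  # transmit timestamp
    server_time = seconds - NTP_EPOCH_OFFSET + fraction / 2**32
    now = time.time() if now is None else now
    return {"stratum": stratum, "server_time": server_time,
            "offset": server_time - now}


def probe(server="0.pool.ntp.org", timeout=3.0):
    """Return the parsed reply, or None when nothing comes back (UDP 123 likely filtered)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_request(), (server, NTP_PORT))
            data, _ = sock.recvfrom(512)
    except OSError:  # covers timeouts and DNS resolution failures
        return None
    return parse_response(data)


if __name__ == "__main__":
    result = probe()
    print("no reply: check outbound UDP 123" if result is None else result)
```

A `None` result points at the firewall or DNS rather than the NTP server itself; a large `offset` on a reachable server is worth resolving before troubleshooting connector registration.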