Configuring an On-Premises Gateway

Upon successful registration, an on-premises gateway can work properly to secure users' HTTP service traffic from within your organization. You can modify the existing configurations as necessary on the web console.

  1. Go to Network > Interfaces.

    The data interface supports users' Internet traffic to and from the internal network. This screen displays information on all available data interfaces, and the TMWS on-premises gateway supports configuring up to two data interfaces for data transmission.


    After the deployment wizard process is completed, the configurations of the data interface not selected will be cleared. You can re-configure it on this screen.

    If the IPv4 gateway address is modified, the last-modified IPv4 gateway address always takes effect.

    1. Select a data interface and click Edit.

      The Edit Interface window appears.

    2. Configure the data interface.
      Select an IP address allocation mode from the Mode drop-down list:
      • Static: Configure the IP settings (IP addresses, gateways, and DNS servers) for the data interface manually.

      • DHCP: Have a DHCP server allocate IP settings to the data interface.

      Select the Web console, Ping, and SSH check boxes as necessary.
      • Web console: Allow access to the web console through this data interface.


        If there is only one data interface, Web console must be selected to ensure connection to the web console.

      • Ping: Allow the connection to be checked with the ping utility.

      • SSH: Allow access to the on-premises gateway via SSH.

      If the IP address changes, the root user will be automatically logged off the web console and re-log on to the web console using the new IP address.

    3. Click Save.

      The data interface displays on the Interfaces screen.

    4. To view the latest information of each data interface, click Refresh.
    5. To search for a specific data interface, type the data interface name or part of the name in the Search text box.
  2. Go to Network > General.
    1. Configure a primary, secondary, and tertiary DNS server for the on-premises gateway for domain name resolution.
    2. Type the host name of the on-premises gateway in the Host name text box.
    3. Click Save.
  3. Go to Network > Static Routes.

    Static routes allow the TMWS on-premises gateway to overcome problems routing traffic to and from network segments beyond the next router hop to which the TMWS on-premises gateway connects. Static routes allow you to manually control the router connection used to send traffic to the Internet or back to the end users.

    1. Click Add.

      The Add Static Route window appears.

    2. Configure the following:
      • Protocol: IPv4 or IPv6.


        In this version, only IPv4 is supported.

      • Network ID: Network ID.

      • IPv4 netmask: IPv4 netmask that matches the network ID.

      • Router: IP address of the router.

      • Interface: Data interface used by the on-premises gateway.

    3. Click Save.

      The static route displays on the Static Routes screen.

    4. To delete a static route, select it and click Delete.
    5. To apply a static route, select it and click Deploy.

      After a static route is added, its Deployment Status is Newly added. After it is deployed, the status changes to Deployed successfully.

  4. Go to Time.
    1. View the current date and time of the on-premises gateway in the Time section.
    2. Set the NTP server for time synchronization, and select the system time zone as necessary.

      The system automatically synchronizes time with the NTP server at 06:00 every day. To synchronize time manually, click Synchronize Now.

    3. Click Save.
  5. Go to System > Proxy.
    1. Select the Use a proxy server for Trend Micro services check box as necessary. This enables and sets an upstream proxy for the on-premises gateway to communicate with Trend Micro servers. By default, this function is disabled.
    2. Type the host name or IP address of the proxy server in the Proxy server text box, and type the port number of the proxy server in the Port text box.
    3. Type the user ID and password in the User ID and Password text boxes for proxy server authentication, if required.
    4. Click Save.

      The on-premises gateway works in upstream proxy mode.

  6. Go to System > Diagnostics.

    The TMWS on-premises gateway integrates with the Case Diagnostic Tool (CDT) feature to help Trend Micro maintain and troubleshoot your organization's on-premises gateway. CDT collects product and system information, log files, and configuration files, which can be downloaded as an archive file to facilitate system troubleshooting.

    1. Choose categories.
      • Under Enable corresponding to each category, click Yes or No to select one or several categories of information to include in the diagnostic file generated by CDT.


        Basic product information is enabled by default and cannot be disabled.

      • Mouseover the calendar icon next to Access logs and click it to select a time range for access log collection. By default, no time range is selected.


        There is no maximum time range for access logs. But to avoid a huge log file size, select a time range not longer than 6 hours and covering the time when a problem occurred.

        If the Access logs category is enabled and no time range is selected, CDT collects access logs only within the last one hour.

      • To display the updated size of each category in real time under Size, refresh the page.

    2. Click Generate to run CDT and generate a diagnostic file.

      The icon turns to Generating. After the generation process is completed, the icon turns back to Generate and the file displays in the diagnostic file list.

    3. Download diagnostic files.

      Files that are collected by CDT, related to a core dump, or of other types are displayed.

      • Click to download a file as necessary.

      • Click to delete a file no longer needed.

      • View the type of a file. File types include CDT collected files, Core dump, and Others.

      • Sort the files by File Name, Generation Time, Size, or Type.

  7. Go to Custom Defense.

    You can integrate your on-premises gateway with Deep Discovery™ Analyzer (DDAn) to defend against custom-defense APT attacks from malicious programs through HTTP/HTTPS traffic. For more information, see Configuring Custom Defense.