Configuring an On-Premises Gateway

Upon successful registration, an on-premises gateway can work properly to secure users' HTTP service traffic from within your organization. You can modify the existing configurations as necessary under Administration on the web console.

  1. Go to Administration > Network > Interfaces.

    The data interface supports users' Internet traffic to and from the internal network. This screen displays information on all data interfaces available for the on-premises gateway.


    If you need to select another data interface to use by the on-premises gateway, you can configure the required data interface on this screen first, and go to Deployment Wizard > Network to select it and complete the process at a later time.

    1. Select a data interface and click Edit.

      The Edit Interface window appears.

    2. Configure the data interface.
      Select an IP address allocation mode from the Mode drop-down list:
      • Static: Configure the IP settings (IP addresses, gateways, and DNS servers) for the data interface manually.

      • DHCP: Have a DHCP server allocate IP settings to the data interface.

      Select the Web console, Ping, and SSH check boxes as necessary.
      • Web console: Allow access to the web console through this data interface.


        If there is only one data interface, Web console must be selected to ensure connection to the web console.

      • Ping: Allow the connection to be checked with the ping utility.

      • SSH: Allow access to the on-premises gateway via SSH.

      If the IP address changes, the admin user will be automatically logged off the web console and re-log on to the web console using the new IP address.

    3. Click Save.

      The data interface information displays on the Interfaces screen.

    4. To view the latest information of each data interface, click Refresh.
  2. Go to Administration > Network > General.
    1. Configure a primary and optionally secondary DNS server for the on-premises gateway for domain name resolution.
    2. Type the host name of the VM where the on-premises gateway is installed in the Host name text box.
    3. Click Save.

      A window appears, indicating that the system needs reboot to apply the configuration. To reboot the system, click OK. To go back to the General screen, click Cancel.

  3. Go to Administration > Network > Static Routes.

    Static routes allow the TMWS on-premises gateway to overcome problems routing traffic to and from network segments beyond the next router hop to which the TMWS on-premises gateway connects. Static routes allow you to manually control the router connection used to send traffic to the Internet or back to the end users.

    1. Click Add.

      The Add Static Route window appears.

    2. Configure the following:
      • Protocol: IPv4 or IPv6.


        In this version, only IPv4 is supported.

      • Network ID: Network ID.

      • IPv4 netmask: IPv4 netmask that matches the network ID.

      • Router: IP address of the router.

      • Interface: Data interface used by the on-premises gateway.

    3. Click Save.

      The static route displays on the Static Routes screen.

      Make sure that the static route meets the actual network environment of your organization.

    4. To delete a static route, select it and click Delete.
  4. Go to Administration > Time.
    1. View the current date and time of the on-premises gateway in the Time section.
    2. Set the NTP server for time synchronization, and select the system time zone as necessary.

      The system automatically synchronizes time with the NTP server at 06:00 every day. To synchronize time manually, click Sync Now.

    3. Click Save.

      If you have changed the time zone, a window appears, indicating that the system needs reboot to apply the configuration. To reboot the system, click OK. To go back to the Time screen, click Cancel.

  5. Go to Administration > System > Proxy.
    1. Select the Use a proxy server for Trend Micro services check box as necessary. This enables and sets an upstream proxy for the on-premises gateway to communicate with Trend Micro servers. By default, this function is disabled.
    2. Type the host name or IP address of the proxy server in the Proxy server text box, and type the port number of the proxy server in the Port text box.
    3. Type the user ID and password in the User ID and Password text boxes for proxy server authentication, if required.
    4. Click Save.

      A window appears, indicating that the system needs reboot to apply the configuration. To reboot the system, click OK. To go back to the Proxy screen, click Cancel.

      After the system is successfully rebooted, the on-premises gateway works in the upstream proxy mode.

  6. Go to Administration > System > Diagnostics.

    The TMWS on-premises gateway integrates with the Case Diagnostic Tool (CDT) feature to help Trend Micro maintain and troubleshoot your organization's on-premises gateway. CDT collects product and system information, log files, and configuration files, which can be downloaded as an archive file to facilitate system troubleshooting.

    1. Choose categories.
      • Under Enable corresponding to each category, turn on the button to select one or several categories of information to include in the diagnostic file generated by CDT.


        Product information is enabled by default and cannot be disabled.

      • Mouseover the calendar icon next to Access logs and click it to select a time range for access log collection. By default, no time range is selected.


        There is no maximum time range for access logs. But to avoid a huge log file size, select a time range not longer than 6 hours and covering the time when a problem occurred.

        If the Access logs category is enabled and no time range is selected, CDT collects access logs only within the last one hour.

      • To display the updated size of each category in real time under Size, refresh the page.

    2. Click Generate to run CDT and generate a diagnostic file.

      The icon turns to Generating. After the generation process is completed, the icon turns back to Generate and the file displays in the diagnostic file list.

    3. Download diagnostic files.

      Files that are collected by CDT, related to a core dump, or of other types are displayed.

      • Click to download a file as necessary.

      • Click to delete a file no longer needed.

      • View the type of a file. File types include CDT collected files, Core dump, and Others.

      • Sort the files by File Name, Generation Time, Size, or Type.

  7. Go to Administration > Custom Defense.

    You can integrate your on-premises gateway with Deep Discovery™ Analyzer (DDAn) to defend against custom-defense APT attacks from malicious programs through HTTP/HTTPS traffic. For more information, see Configuring Custom Defense.