Configuring System Settings

  1. Go to Administration > System > Proxy.
    1. Select the Use a proxy server for Trend Micro services check box as necessary. This enables and sets an upstream proxy for the on-premises gateway to communicate with Trend Micro servers. By default, this function is disabled.
    2. Type the host name or IP address of the proxy server in the Proxy server text box, and type the port number of the proxy server in the Port text box.
    3. Type the user ID and password in the User ID and Password text boxes for proxy server authentication, if required.
    4. Click Save.

      A window appears, indicating that the system needs reboot to apply the configuration. To reboot the system, click OK. To go back to the Proxy screen, click Cancel.

      After the system is successfully rebooted, the on-premises gateway works in the upstream proxy mode.

  2. Go to Administration > System > ICAP.
    1. Enable or disable the ICAP headers as necessary.

      The TMWS on-premises gateway can return three optional headers from the ICAP server whenever a virus is found or returns information about users.

      • X-Virus-ID: Contains one line of US-ASCII text with a name of the virus or risk encountered.

      • X-Infection-Found: Returns a numeric code for the type of infection, the resolution, and the risk description.

      • X-Authenticated-User: If enabled, the TMWS on-premises gateway requests the username sent in the X-Authenticated-User ICAP header. The username obtained from the ICAP header allows TMWS to identify the user issuing the request if you configure the on-premises gateway to use the username method of user authentication. By default, this ICAP header is enabled.

        The on-premises gateway follows the ICAP v1.0 protocol and supports the following three authentication schemes specified in the protocol: WinNT, LDAP, and Local.

      By default, the X-Virus-ID and X-Infection-Found ICAP headers are disabled for performace reasons, because many ICAP clients do not use these headers.

    2. If you have enabled ICAP over SSL in the deployment wizard, perform one of the following based on whether you already have a certificate for your ICAP clients.

      I have no certificate

      Click Download to get the default TMWS root CA certificate, and then add it to your ICAP clients.

      I have a certificate

      1. Select the Import certificate check box.

      2. Select whether the certificate is in PEM or PKCS#7 file format.

      3. Click Choose File to choose a certificate to import.

      4. Click Choose File to choose the private key associated with the certificate.

      5. Enter the passphrase for the private key, and then enter the passphrase again to confirm.

      6. Click Verify Certificate to validate the selected certificate.

      After the certificate is successfully verified, the TMWS on-premises gateway will use this certificate to establish secure ICAP communication with the ICAP clients.

    3. Click Save.

      A window appears, indicating that the system needs reboot to apply the configuration. To reboot the system, click OK. To go back to the ICAP screen, click Cancel.

      After the system is successfully rebooted, the ICAP settings take effect.

  3. Go to Administration > System > Diagnostics.

    The TMWS on-premises gateway integrates with the Case Diagnostic Tool (CDT) feature to help Trend Micro maintain and troubleshoot your organization's on-premises gateway. CDT collects product and system information, log files, and configuration files, which can be downloaded as an archive file to facilitate system troubleshooting.

    1. Choose categories.
      • Under Enable corresponding to each category, turn on the button to select one or several categories of information to include in the diagnostic file generated by CDT.


        Product information is enabled by default and cannot be disabled.

      • Mouseover the calendar icon next to Access logs and click it to select a time range for access log collection. By default, no time range is selected.


        There is no maximum time range for access logs. But to avoid a huge log file size, select a time range not longer than 6 hours and covering the time when a problem occurred.

        If the Access logs category is enabled and no time range is selected, CDT collects access logs only within the last one hour.

      • To display the updated size of each category in real time under Size, refresh the page.

    2. Click Generate to run CDT and generate a diagnostic file.

      The icon turns to Generating. After the generation process is completed, the icon turns back to Generate and the file displays in the diagnostic file list.

    3. Download diagnostic files.

      Files that are collected by CDT, related to a core dump, or of other types are displayed.

      • Click to download a file as necessary.

      • Click to delete a file no longer needed.

      • View the type of a file. File types include CDT collected files, Core dump, and Others.

      • Sort the files by File Name, Generation Time, Size, or Type.