Deploying an On-Premises Gateway

Upon successful installation, you can log on to the web console to deploy the on-premises gateway by using the Deployment Wizard. The Deployment Wizard is a web console-based wizard that contains all basic settings to deploy an on-premises gateway. It provides a step-by-step method to facilitate the deployment process. You can also use the Deployment Wizard to modify deployment-related settings.

This task requires the following resources:



Administrator account

The user name is fixed to admin and the password is the same as that for the root user.

Web console URL

The web console URL is https://<your-on-premises-gateway-ip-address-or-FQDN>.


Open the web console from one of the following supported browsers:

  • Apple Safari 8.x or later

  • Google Chrome 55.x or later

  • Microsoft Internet Explorer 11

  • Mozilla Firefox 50.0.1 or later

  • Microsoft Edge 83.x or later

  1. Open a browser and type the web console URL in the address bar.
  2. Type your user name and password in the User name and Password text boxes on the logon page, and then click Log On.

    The main page of the web console appears.


    You can click Change password to change the logon password for admin, but the root user password will not change. You need to log in to the VM where the on-premises gateway is installed if you want to change the password for the root user.

  3. Go to Deployment Wizard, view the brief description of the deployment wizard in the Welcome section, select the deployment mode, and then click Next.

    • Forward Proxy Mode: The TMWS on-premises gateway acts as an intermediary for requests from clients accessing the Internet. After a client connects to the gateway and requests a URL available on a different server, the gateway evaluates the request according to its policies. If the request is valid, it scans and forwards the specified URL request by connecting to the destination server and requesting the web page on behalf of the client. This is the most common configuration, and the TMWS on-premises gateway and the devices that it protects are typically in the same LAN.

    • ICAP Mode: The TMWS on-premises gateway acts as an Internet Content Adapatation Protocol (ICAP) server and accepts ICAP connections from an ICAP v1.0 compliant cache server (acting as a client to the gateway).

      Choose this mode if you have an ICAP client on the network and you want it to pass web traffic to TMWS for scanning. For details, see About the ICAP Mode.


      ICAP Mode is supported only on version 3.5.1 and later.

  4. Configure the Working Mode Settings section.
    Table 1. Forward Proxy Mode



    HTTP listening port

    Specify a listening port number of a given HTTP handler so the traffic will go through. The default value is 8080.

    Enable upstream proxy

    (Optional) Select the Enable upstream proxy check box if you want to configure an upstream proxy for the on-premises gateway. Users' web traffic from the on-premises gateway will be transmitted to the Internet through the upstream proxy server.

    Proxy server

    Specify an IP address or host name that can identify the proxy server.

    Port number

    Specify the port number of the proxy server.


    The proxy server configured here will also act as the proxy server for communication between the on-premises gateway and Trend Micro servers. To use a different proxy server for Trend Micro services, go to Administration > System > Proxy.

    Anonymous FTP over HTTP email address

    Type an email address for anonymous FTP over HTTP traffic forwarding, for example,

    FTP over HTTP enables users to access hyperlinks to ftp:// URLs in web pages and enter a URL starting with ftp:// in the address bar of their browser. If the user omits the user name when accessing this type of URL, anonymous login is used, and the user's email address is conventionally used as a password string that is passed to the FTP server.

    Table 2. ICAP Mode



    ICAP listening port

    Specify a port that the on-premises gateway listens on to receive connections for ICAP.

    The default value is 1344.

    Enable ICAP over SSL

    (Optional) Select the Enable ICAP over SSL check box if you want to use secure ICAP communication.

    When ICAP over SSL is enabled,

    • The default ICAP listening port number is 11344.

    • TMWS will automatically import a default root CA certificate. You can choose to use this certificate or import your own CA certificate under Administration > System > ICAP. For details, see Configuring System Settings.

  5. Click Next, and then configure the Network section.



    Host name

    Specify the host name of the on-premises gateway.

    Do not start the host name with ScannerDy- or ScannerDy4v20-. It may conflict with an TMWS cloud proxy server name, which will cause user authentication failure.

    Data interface

    Select a network interface card (NIC) from the drop-down list to use as the interface for data transmission. All installed and available NICs for the on-premises gateway are listed.

    By default, the data interface configured during gateway installation is selected here.

    If you want to re-configure the NIC after the deployment wizard process, go to Administration > Network > Interfaces, select the NIC, and then click Edit.


    Select an IP address allocation mode for the data interface from the drop-down list. Options include:

    • Static

    • DHCP

    If DHCP is selected, the IP addresses, gateways, and DNS servers will be allocated automatically through DHCP without any user intervention.

    IPv4 address

    Specify an IPv4 address for the data interface.

    By default, the IPv4 address configured during gateway installation is displayed here.

    IPv4 netmask

    Specify an IPv4 netmask for the data interface.

    By default, the IPv4 netmask configured during gateway installation is displayed here.

    Default IPv4 gateway

    (Optional) Specify a default IPv4 gateway for the data interface.

    IPv6 address/prefix length

    (Optional) Specify an IPv6 address and prefix length for the data interface.


    In this version, only IPv4 is supported.

    Default IPv6 gateway

    (Optional) Specify a default IPv6 gateway for the data interface.


    In this version, only IPv4 is supported.

    Primary DNS server

    Specify the IP address of the primary DNS server for the data interface.

    Secondary DNS server

    (Optional) Specify the IP address of the secondary DNS server for the data interface.

  6. Click Next, and then configure the Time section.



    NTP server

    Specify a time server for time synchronization.


    Make sure that the NTP server is reachable by your on-premises gateway and the server time is accurate, which otherwise would cause certain features, such as logging and reporting, not to work properly.

    System time zone

    Select the time zone for the on-premises gateway.

  7. Click Next.

    The configuration summary appears, showing the settings configured in each section of the Deployment Wizard.

    In the ICAP deployment mode, the system automatically generates the service URIs for the ICAP Request Modification Mode and ICAP Response Modification Mode based on the ICAP listening port, Enable ICAP over SSL, and IPv4 address settings.

    Get the Request modification mode service and Response modification mode service URIs on the summary screen and configure them to your ICAP clients.


    The on-premises gateway can work in ICAP mode through one or more data interfaces. To add and configure another data interface, go to Administration > Network > Interfaces.

  8. Click Finish.

    A window appears, indicating that the system needs reboot to apply the configuration. To reboot the system, click OK. To go back to the Deployment Wizard screen, click Cancel.