Deploying the Virtual Appliance on Amazon AWS

Instructions on how to deploy a Private Access Connector virtual appliance on Amazon AWS.

  1. Download and install the AWS Command Line Interface (CLI) on your local machine.

    For more information about how to install and update the AWS CLI on the supported operating systems, see Installing the AWS CLI.

  2. Sign in to the AWS Management Console as a super administrator and add a user that will be granted permission to access AWS and configure settings from the AWS CLI.
    1. Go to the Identity and Access Management (IAM) service screen, click Users in the left navigation, and then click Add user in the right pane.

      The Add user screen appears.

    2. Specify a unique user name, select Programmatic access as the access type, and then click Next: Permissions.
    3. On the Set permissions screen that appears, click Attach existing policies directly and use the search text box to find and select the following four AWS managed policies: AmazonEC2FullAccess, AmazonS3FullAccess, IAMFullAccess, VMImportExportRoleForAWSConnector.
    4. Click Next: Tags.
    5. Keep the default settings and click Next: Review.
    6. Review and confirm the settings and click Create user.

      The user is created successfully.

    7. Record the access key ID and secret access key for later steps.

      You can also click Download .csv to download the file containing the access key ID and secret access key to your local machine.

  3. Create an Amazon S3 bucket and upload the downloaded OVA file to the bucket.
    1. On the AWS Management console, go to the Amazon S3 service screen and click Create bucket.

      The Create bucket screen appears.

    2. In the General configuration section, specify a unique bucket name and select an AWS region.

      Trend Micro recommends you select the region of the app that you want to control access to.

    3. In the Default encryption section, select Disable, and then click Create bucket.

      The bucket is created successfully.

    4. On the Buckets screen, click the bucket you just created.
    5. On the Objects tab, click Upload.
    6. On the Upload screen that appears, click Add files, locate and select the OVA file, keep default values for the other settings, and then click Upload.

      The OVA file is stored in Amazon S3 successfully after the upload process is completed.

  4. Build an Amazon Machine Image (AMI) using the AWS CLI.
    1. Open a command prompt window on your local machine, and run the following command to configure the AWS CLI: aws configure
    2. Paste the access key ID you recorded in step 2 (sub-step 7) and press Enter.
    3. Paste the secret access key you recorded in step 2 (sub-step 7) and press Enter.
    4. Specify the region that you selected when creating an Amazon S3 bucket to store the OVA file, and then press Enter.
    5. Specify json as the default output format and press Enter.
    6. Create the following three .json files and save them to your local machine.

      Trend Micro recommends you save the files to the same path.

      • File name: trust-policy.json

        {
            "Version":"2012-10-17",
            "Statement":[
               {
                  "Sid":"",
                  "Effect":"Allow",
                  "Principal":{
                     "Service":"vmie.amazonaws.com"
                  },
                  "Action":"sts:AssumeRole",
                  "Condition":{
                     "StringEquals":{
                        "sts:ExternalId":"vmimport"
                     }
                  }
               }
            ]
        }
      • File name: role-policy.json

        Replace <S3-BUCKET-NAME> with the name of the bucket you have created.

        {
            "Version":"2012-10-17",
            "Statement":[
               {
                  "Effect":"Allow",
                  "Action":[
                     "s3:ListBucket",
                     "s3:GetBucketLocation"
                  ],
                  "Resource":[
                     "arn:aws:s3:::<S3-BUCKET-NAME>"
                  ]
               },
               {
                  "Effect":"Allow",
                  "Action":[
                     "s3:GetObject"
                  ],
                  "Resource":[
                     "arn:aws:s3:::<S3-BUCKET-NAME>/*"
                  ]
               },
               {
                  "Effect":"Allow",
                  "Action":[
                     "ec2:ModifySnapshotAttribute",
                     "ec2:CopySnapshot",
                     "ec2:RegisterImage",
                     "ec2:Describe*"
                  ],
                  "Resource":"*"
               }
            ]
        }
      • File name: container.json

        Replace <S3-BUCKET-NAME> with the name of the bucket you have created, and <OVA-FILE-NAME> with the name of the OVA file, which is TrendMicroVisionOne-SecureAccessConnector.ova by default.

        [
            {
               "Description":"My Server OVA",
               "Format":"ova",
               "UserBucket":{
                  "S3Bucket":"<S3-BUCKET-NAME>",
                  "S3Key":"<OVA-FILE-NAME>"
               }
            }
        ]
    7. On the AWS CLI, run the cd command to change the current working directory to where the files are saved.
    8. Run the following command to create the vmimport role, using the trust policy that allows the VM Import/Export service to assume it: aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json
    9. Run the following command to attach the permissions policy (S3 read access to the bucket and the EC2 import actions) to the role: aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
    10. Run the following command to build an AMI: aws ec2 import-image --description "ZTNA VM" --disk-containers file://container.json
    11. Wait until the process is completed. This may take a few minutes.

      Run the following command to view the status:

      aws ec2 describe-import-image-tasks --import-task-id "<ImportTaskId>" --output=json

      When the process is done, "Status" changes to "completed".

      Record the ImportTaskId returned by the import-image command; it identifies the AMI in later steps.
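      As an added example (not part of Trend Micro's documentation), the following Python helper generates the three files from sub-step 6 with the bucket and OVA placeholders already substituted, so the permissions policy stays scoped to your bucket, and parses the status output from sub-step 11. The bucket-name check, file layout and sample output are assumptions; the AWS CLI commands themselves are still run separately.

```python
import json
import re
from pathlib import Path
# Added helper (not Trend Micro code): writes the three step 4f files with the
# <S3-BUCKET-NAME>/<OVA-FILE-NAME> placeholders filled in, and parses task status.
OVA_DEFAULT = "TrendMicroVisionOne-SecureAccessConnector.ova"
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")  # basic S3 naming rules
SAMPLE_DESCRIBE = json.dumps({"ImportImageTasks": [  # constructed sample; id is a placeholder
    {"ImportTaskId": "import-ami-0123456789abcdef0", "Status": "completed"}]})

def trust_policy():
    # trust-policy.json: only the VM Import/Export service may assume the role
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "vmimport"}}}]}

def role_policy(bucket):
    # role-policy.json: S3 read scoped to the OVA bucket, plus the EC2 import actions
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                                       "ec2:RegisterImage", "ec2:Describe*"],
         "Resource": "*"}]}

def container(bucket, ova_key=OVA_DEFAULT):
    # container.json: the disk container handed to 'aws ec2 import-image'
    return [{"Description": "My Server OVA", "Format": "ova",
             "UserBucket": {"S3Bucket": bucket, "S3Key": ova_key}}]

def write_import_files(out_dir, bucket, ova_key=OVA_DEFAULT):
    # Write all three files into out_dir; refuse names S3 would not accept
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    files = {"trust-policy.json": trust_policy(), "role-policy.json": role_policy(bucket),
             "container.json": container(bucket, ova_key)}
    for name, doc in files.items():
        (out / name).write_text(json.dumps(doc, indent=4))
    return sorted(files)

def import_status(describe_output):
    # Parse 'aws ec2 describe-import-image-tasks' JSON into (ImportTaskId, Status)
    task = json.loads(describe_output)["ImportImageTasks"][0]
    return task["ImportTaskId"], task["Status"]
```

      After write_import_files has produced the directory, run the create-role, put-role-policy and import-image commands from sub-steps 8 to 10 in that directory.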

  5. Launch an AWS EC2 instance.
    1. On the AWS Management console, go to the New EC2 Experience service screen and click Instances in the left navigation.

      The Instances screen appears.

    2. In the right pane, confirm the current region and click Launch instances.
    3. On the Step 1: Choose an Amazon Machine Image (AMI) screen that appears, locate the AMI you just created using the ImportTaskId, and click Select.
    4. On the Step 2: Choose an Instance Type screen that appears, keep the default setting and click Next: Configure Instance Details.
    5. Keep the default settings on the Configure Instance, Add Storage, and Add Tags screen, and then click Next.
    6. On the Step 6: Configure Security Group screen that appears, set Assign a security group to Create a new security group, and click Add Rule to set Type to SSH, Protocol to TCP, Port Range to 22, and Source to My IP, and then click Review and Launch.
    7. On the Step 7: Review Instance Launch screen that appears, review and confirm the settings and click Launch.
    8. On the Select an existing key pair or create a new key pair screen that appears, select Proceed without a key pair from the drop-down list and click Launch Instances.

      The Launch Status screen appears. Click View Instances to monitor your instance's status. When it is in the running state, you can connect to the instance from the Instances screen.

  6. Register the Connector virtual appliance to Trend Micro Vision One.
    1. On the Instances screen of the AWS Management Console, select the instance you just launched and copy the public IPv4 address of the instance.
    2. Open a command prompt and run the following ssh command to log on to the Connector virtual appliance with the default credentials.

      ssh admin@<public_IP_address_of_the_instance>

      Password: saseztna

    3. Run the following command and then press the Enter key to change the password that is also used for the enable command: passwd

      The default password is saseztna. Your new password cannot be the same as the default password.

      The admin user, root user, and privileged mode share the same password.

    4. Type enable and then press the Enter key to enter privileged mode. Provide the updated password when asked.

      The command prompt changes from > to #.

    5. (Optional) Run the following command to change the time zone of the Connector: configure timezone <timezone>

      The default time zone is America/Los_Angeles.

    6. Run the following command to register the Connector virtual appliance to Trend Micro Vision One: register <registration_token>

      You can obtain the token from the same screen you downloaded the virtual appliance on Trend Micro Vision One.

  7. Use the CLI to configure other settings, if required.

    For more information on available commands, see Private Access Connector CLI Commands.

    After successful deployment, the Connector virtual appliance appears under the corresponding connector group on the Private Access Connectors tab.

Add an internal app of your organization and associate it with the corresponding connector group on the Trend Micro Vision One console. For more information, see Adding an Internal Application.