Deploying the Virtual Appliance on Microsoft Azure

Instructions on how to deploy a Private Access Connector virtual appliance on Microsoft Azure.

  1. Prepare a VHD file for the deployment.
    1. Decompress the OVA file downloaded from the Trend Micro Vision One console and find the TrendMicroVisionOne-SecureAccessConnector-disk1.vmdk file.
    2. Launch a VMDK-to-VHD converter.

      VirtualBox is used in this deployment procedure.

      If VirtualBox is not installed in your local environment, download the installer from the VirtualBox website and install it first.

    3. Run the cd command to change the current working directory to where VirtualBox is installed.
    4. Run the following command to convert the VMDK file to a VHD file: .\VBoxManage.exe clonehd <vmdk_path> <vhd_path> --format vhd

      A VHD file is generated in the specified directory.

  2. Sign in to the Microsoft Azure portal as an administrator and create an Azure Storage account.
    1. Search for Storage accounts in the Search text box and then click Storage accounts.

      The Storage accounts screen appears.

    2. Click Create.

      The Create a storage account screen appears.

    3. On the Basics tab, specify the following fields:
      • Subscription: Select the subscription in which to create the new storage account.

      • Resource group: Select a new or existing resource group to organize and manage your storage account together with other resources.

      • Storage account name: Specify a uniquely identifiable name for the storage account.

      • Region: Select the region of the app that you want to control access to.

      • Performance: Select Standard.

      • Redundancy: Select Geo-redundant storage (GRS).

    4. Click Review + create.
    5. On the Review + create tab that appears, review and confirm the settings and click Create.

      The storage account is successfully created and displayed on the Storage accounts screen.

    6. Click the storage account and then select Access keys in the left navigation.
    7. Record the storage account name and key for later steps.
      Note: Click Show keys to display the key value.

    8. Click Containers in the left navigation, and then click Container.
    9. On the New container panel that appears, specify a name for the container, select Private (no anonymous access) from the Public access level drop-down list, and then click Create.
  3. Upload the VHD file to the Azure Storage account as a page blob.
    1. Download Go version 1.11 or later from the Go website and install it on your local machine.

      You will need Go to install azure-vhd-utils to upload the local VHD file to Azure Storage. For more information about Azure VHD utilities, see https://github.com/microsoft/azure-vhd-utils.

    2. Run the following command to install azure-vhd-utils: go get github.com/Microsoft/azure-vhd-utils
    3. Launch a command prompt on your local machine and run the following command to upload the VHD file to Azure Storage: azure-vhd-utils upload [command options]

      Command options include:

      • localvhdpath: Specify the path to your source VHD on the local machine.

      • stgaccountname: Use the storage account name you recorded in step 2, substep 7.

      • stgaccountkey: Use the key you recorded in step 2, substep 7.

      • containername: Use the name of the container created in step 2, substep 9.

      • blobname: Specify a uniquely identifiable name for the destination page blob.

      • parallelism: Specify the number of concurrent goroutines to use for the upload.

      This process may take about 15 minutes. Wait until Upload completed appears on the command prompt.

      Once uploaded, you can create an image based on this page blob on the Azure portal and use the image to create an Azure virtual machine.

  4. Create an image.
    1. On the Azure portal, open the storage account created in step 2, click Containers in the left navigation, and then click the container created to hold the VHD file in the right pane.
    2. On the screen that appears, click the VHD file uploaded in step 3.
    3. On the page blob that appears, record the URL on the Overview tab for later steps.
    4. On the top of the screen, search for Images in the Search text box and then click Images.
    5. Click Create, and on the Create an image screen, specify the following fields:
      • Subscription: Select the subscription to manage the image.

      • Resource group: Select a new or existing resource group to organize and manage the image.

      • Name: Specify a uniquely identifiable name for the image.

      • Region: Select the region of the app that you want to control access to.

      • OS type: Select Linux.

      • VM generation: Select Gen 1.

      • Storage blob: Use the URL recorded in step 4, substep 3.

      • Account type: Select Standard SSD.

      • Host caching: Select Read/write.

      • Encryption type: Select (Default) Encryption at-rest with a platform-managed key.

    6. Click Review + create.
    7. On the Review + create tab that appears, review and confirm the settings and click Create.

      The image is successfully created and displayed on the Images screen.

  5. Create a virtual machine for the Private Access Connector.
    1. Open the Overview screen of the newly created image, and then click Create VM in the right pane.
    2. On the Create a virtual machine screen that appears, specify the following fields:
      • Subscription: Select the subscription to manage the VM.

      • Resource group: Select a new or existing resource group to organize and manage the VM.

      • Virtual machine name: Specify a uniquely identifiable name for the VM.

      • Image: This field is automatically filled in.

      • Size: Select Standard_D2s_v3 - 2 vcpus, 8 GiB memory.

      • Authentication type: Select SSH public key.

      • Username: Specify a uniquely identifiable user name for the VM.

      • Key pair name: Specify a uniquely identifiable name for the key pair.

      • Public inbound ports: Select Allow selected ports.

      • Select inbound ports: Select HTTP (80), HTTPS (443), SSH (22).

      • License type: Select Others.

    3. Click Review + create.
    4. On the Review + create tab that appears, review and confirm the settings and click Create.

      The deployment process overview screen appears, indicating the deployment status.

    5. Wait until the Status of the resource whose type is Microsoft.Compute/virtualMachines changes to Created.
  6. Launch the Connector VM and register the Connector to Trend Micro Vision One.
    1. On the Azure portal, search for Virtual machines in the Search text box and then click Virtual machines.
    2. Locate and open the newly created VM, and on the Overview screen that appears, copy the public IPv4 address of the VM.
    3. Open a command prompt and run the following ssh command to log on to the Connector virtual appliance with the default credentials.

      ssh admin@<public_IP_address_of_the_VM>

      Password: saseztna

    4. Run the following command and then press the Enter key to change your password for the enable command: passwd

      The default password is saseztna. Your new password cannot be the same as the default password.

      The admin user, root user, and privileged mode share the same password.

    5. Type enable and then press the Enter key to enter privileged mode. Provide the updated password when asked.

      The command prompt changes from > to #.

    6. (Optional) Run the following command to change the time zone of the Connector: configure timezone <timezone>

      The default time zone is America/Los_Angeles.

    7. Run the following command to register the Connector virtual appliance to Trend Micro Vision One: register <registration_token>

      You can obtain the token from the same screen in Trend Micro Vision One where you downloaded the virtual appliance.

  7. Use the CLI to configure other settings, if required.

    For more information on available commands, see Private Access Connector CLI Commands.

    After successful deployment, the Connector virtual appliance appears under the corresponding connector group on the Private Access Connectors tab.

Add an internal app of your organization and associate it with the corresponding connector group on the Trend Micro Vision One console. For more information, see Adding an Internal Application.
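
The following check is an added example, not part of the Trend Micro documentation. It takes the JSON that `az network nsg rule list` prints for the VM's network security group and reports which of the ports selected in step 5 (22, 80, 443) are reachable from any source address. The sample rules, rule names, priorities and the 203.0.113.10 admin address are constructed assumptions, and protocol and destination address are not evaluated.

```python
import json

# Ports selected under "Select inbound ports" in step 5.
CONNECTOR_PORTS = (22, 80, 443)
ANY_SOURCE = {"*", "internet", "any", "0.0.0.0/0"}

# Constructed sample shaped like the output of:
#   az network nsg rule list --resource-group <rg> --nsg-name <nsg> -o json
AS_DEPLOYED = json.loads("""[
 {"name":"SSH","priority":300,"direction":"Inbound","access":"Allow",
  "sourceAddressPrefix":"*","destinationPortRange":"22"},
 {"name":"HTTP","priority":320,"direction":"Inbound","access":"Allow",
  "sourceAddressPrefix":"*","destinationPortRange":"80"},
 {"name":"HTTPS","priority":340,"direction":"Inbound","access":"Allow",
  "sourceAddressPrefix":"*","destinationPortRange":"443"}]""")
# Same rules with SSH limited to one (constructed) administrator address.
SSH_RESTRICTED = [dict(AS_DEPLOYED[0], sourceAddressPrefix="203.0.113.10/32")] + AS_DEPLOYED[1:]


def _values(rule, single, plural):
    # NSG rules carry either a single value or a plural list; merge both.
    first = rule.get(single)
    return ([first] if first else []) + list(rule.get(plural) or [])


def _covers(expr, port):
    # True if an NSG port expression ('22', '20-25' or '*') includes port.
    if expr == "*":
        return True
    low, _, high = expr.partition("-")
    return int(low) <= port <= int(high or low)


def internet_exposed(rules):
    """Map each connector port reachable from any source to the rule allowing it."""
    decided = {}
    # Walk rules in priority order: the first any-source inbound rule that
    # matches a port decides it, so a higher-priority Deny hides a later Allow.
    for rule in sorted(rules, key=lambda r: r["priority"]):
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if rule["direction"].lower() != "inbound" or not any(
                s.lower() in ANY_SOURCE for s in sources):
            continue
        ranges = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port in CONNECTOR_PORTS:
            if port not in decided and any(_covers(r, port) for r in ranges):
                decided[port] = (rule["access"].lower() == "allow", rule["name"])
    return {port: name for port, (allowed, name) in decided.items() if allowed}
```

Calling `internet_exposed(AS_DEPLOYED)` lists all three ports, while `internet_exposed(SSH_RESTRICTED)` lists only 80 and 443. Because step 6 signs in over SSH with the documented default password, port 22 is the entry to review first.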