Deploying a Service Gateway Virtual Appliance with Microsoft Azure

Launch a Service Gateway virtual appliance from Microsoft Azure using an Azure Virtual Machine image.

If you do not have VMware or Microsoft Hyper-V in your environment, you can deploy the Service Gateway virtual appliance from Microsoft Azure using Azure Virtual Machine (VM) images. Before you begin, review the Service Gateway Appliance System Requirements to ensure your virtual appliance has the settings needed to deploy the services you want to use.

Note:

The steps contained in these instructions are valid as of April 2023.

  1. Obtain the Service Gateway registration token.
    1. On the Trend Vision One console, go to Workflow and Automation > Service Gateway Management.
    2. Click Download Virtual Appliance.
    3. Copy the Registration Token.
      Note:

      The registration token is used to register the Service Gateway virtual appliance to Service Gateway Inventory after installation and setup are complete. The registration token expires after 24 hours if not used.

  2. To initiate the instance launch, sign in to the Microsoft Azure portal.
  3. In the Azure portal, click Virtual machines in the Azure services widget.
    Tip:

    If you don't see the virtual machines service, click More services and use the filter to search for the service.

  4. In the Virtual machines screen, click Create and choose Azure Virtual Machine.
  5. Specify the Project details.

    • Select the Subscription to assign the instance to.

    • Select an existing Resource group or click Create new to assign the instance to a new group.

  6. Specify the Instance details.
    1. Specify the Virtual machine name.
    2. Select the Region for your network needs.
    3. (Optional) Select the Availability options.
    4. Select the Availability zone.
      Note:

      The region can be set to any region you require the Service Gateway to be deployed. If you are unsure which region to select, use the default region for your Azure subscription.

      For more information on Availability options and Availability zone, and what settings are best for your organization, refer to the Microsoft Azure help documentation.

    5. For Security type, select Standard.
      Important:

      Selecting a higher level of security may interfere with the ability of Service Gateway virtual appliance to connect with Trend Vision One.

    6. Under the Image drop-down, click the See all images link.
    7. Search for Trend Micro Service Gateway.
    8. Find Trend Vision One Service Gateway, and click Select.
    9. Select Trend Vision One Service Gateway - x64 Gen 1.
      Note:

      Service Gateway does not support Arm64 VM architecture.

      For reliable connectivity, do not enable Run with Azure Spot discount.

    10. Click the Size drop-down and select Standard_F8s_v2.
      Tip:

      The instance size should appear in the Size drop-down under Recommended by image publisher. If you do not see the size, click See all sizes and search for F8s. Select F8s_v2 and click Select.

  7. Configure the settings under the Administrator account section.
    Note:

    Trend Micro recommends accessing the Service Gateway virtual machine using an SSH client. Follow these steps to configure a key pair for SSH access.

    1. For Authentication type, select SSH public key.
    2. For Username, type azureuser.
    3. For SSH public key source, generate a new key pair or select an existing key pair.
    4. If you choose to generate a new key pair, specify the Key pair name.
  8. Under the Inbound port rules section, select None for Public inbound ports.
  9. Click Next: Disks.
  10. Select Premium SSD (locally-redundant storage) for the OS disk type.
    Note:

    Trend Micro recommends using the default configuration for all other settings.

  11. Click Next: Networking.
  12. Configure the settings under the Network interface section.
    1. Select the Virtual network for the instance to connect to.
    2. Select the Subnet.
      Note:

      Refer to the Microsoft Azure documentation on how to set up a virtual network and subnet.

    3. For Public IP, select None.
    4. For NIC network security group, select None.
  13. Under the Load balancing section, select None for Load balancing options.
  14. Click Next: Management.

    Use default settings for the screens listed below. Click Next to navigate to the next screen.

    • Management

    • Monitoring

    • Advanced

  15. On the Tags screen, set your desired tags, then click Next: Review + Create.
    Tip:

    Assigning tags helps locate and categorize resources for easier management. For more information, see the Microsoft Azure documentation.

  16. Review the virtual machine settings, then click Create.
    Note:

    If you chose to create a new key pair, the Generate new key pair prompt appears. Click Download private key and create resource to download the key pair and start the instance creation.

    Once you create the instance, the Service Gateway virtual appliance begins installation. Installation may take a few minutes to complete. You can view the status of the instance in the Virtual machines screen.

    The Service Gateway virtual appliance is ready to connect and configure when the Status is Running.

  17. After installation is completed, go to the Virtual machines screen and click on the name of the Service Gateway virtual appliance instance.
  18. In the virtual machine panel, go to Settings > Networking.
  19. Click Add inbound port rule.
  20. Configure the inbound port rules.
    1. Specify the Source.
      Note:

      Trend Micro recommends setting Source to IP Addresses and specifying Source IP addresses/CIDR ranges that are within your network.

    2. For Source port ranges, type * to allow any source port.
    3. For Destination, select Any.
    4. Specify Service, Destination port ranges, Protocol, and Action according to the following table.

      Service

      Destination port ranges

      Protocol

      Action

      Description

      SSH

      22

      TCP

      Allow

      For accessing Service Gateway virtual appliance CLISH command

      HTTP

      80

      TCP

      Allow

      Service enabled queries for on-premises Active Directory servers, connected Trend Micro products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party Integration

      HTTPS

      443

      TCP

      Allow

      Service enabled queries for on-premises Active Directory servers, connected Trend Micro products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party Integration

      Custom TCP

      5274

      TCP

      Allow

      Web Reputation Services or Web Inspection Service queries

      Custom TCP

      5275

      TCP

      Allow

      Web Reputation Services or Web Inspection Service queries

      Custom TCP

      8080

      TCP

      Allow

      Forward Proxy Service listening port for connection

      Custom TCP

      8088

      TCP

      Allow

      Zero Trust Secure Access On-Premises Gateway listening port for connection
    5. Specify the Priority of the rule.
      Note:

      For more information on priority, refer to Microsoft Azure documentation.

    6. Specify the rule Name.
    Note:

    Trend Micro recommends using default settings for outbound port rules. Setting additional outbound rules may affect the ability of Service Gateway to connect to Service Gateway Inventory.

  21. Connect to the instance.
    Note:

    Trend Micro recommends using an SSH client to connect to the Service Gateway virtual appliance to make copying the registration token easier. The following steps outline how to connect with an SSH client.

    1. In the Virtual machines screen, click the name of the Service Gateway virtual appliance instance.
    2. In the Virtual machine panel, click Connect and select SSH.
    3. Review the steps and copy the IP address in the example command.
    4. Open an SSH client.
    5. Type the following command to connect to the Service Gateway virtual appliance:

      ssh -i "keypair.pem" admin@<IPaddress>

      Note:

      Use the full file name of your key pair including the file extension.

      The user name is admin.

      For example, if your key pair file is named my_key_pair.pem and the Service Gateway virtual appliance IP address is 127.0.0.1, type the command:

      ssh -i "my_key_pair.pem" admin@127.0.0.1

      Important:

      If you are unable to immediately connect to the appliance, you may need to reset the trusted hosts file.

      The trusted hosts file cannot be automatically updated from EC2. In your SSH client, type the command ~/.ssh/known_hosts to remove the known hosts in the trusted file, then try connecting again.

  22. Configure and register the Service Gateway.
    1. After connecting to the instance and signing on, the Command Line Interface (CLI) appears.
    2. Type enable and press the ENTER key to enable administrative commands.

      The command prompt changes from > to #.

    3. Use the configure command to configure the required network settings, such as the IP address and DNS settings.
    4. Type the following command to register the Service Gateway virtual appliance to Trend Vision One.

      register <registration_token>

      Use the registration token you obtained from Service Gateway Inventory.

  23. Use the CLI to configure other settings, if required.

    For more information on available commands, see Service Gateway CLI Commands.

Parent topic: Deployment Guides