Deploying an Internet Access On-Premises Gateway

Deploy a Service Gateway virtual appliance and enable the Zero Trust Internet Access On-Premises Gateway service.

The Zero Trust Internet Access On-Premises Gateway service supports the following external connections via proxy server.
  • Communication with Trend Vision One to get the latest settings, such as policies, and queries to services including Web Reputation Services and ActiveUpdate.

  • Forwarding both HTTP and HTTPS end-user web traffic to final destinations.


The Internet Access On-Premises Gateway requires high levels of system resources. To avoid negative impact on system performance, Trend Micro recommends setting up the on-premises gateway on an appliance with no other installed or enabled services.

  1. On the Trend Vision One console, go to Zero Trust Secure Access > Secure Access Configuration > Internet Access Configuration.
  2. On the Gateways tab, click Deploy New On-Premises Gateway.
  3. Set up an Internet Access On-Premises Gateway by clicking Go to Service Gateway Inventory.

    Only Service Gateway 2.0 supports the Zero Trust Internet Access On-Premises Gateway service.

    1. Select an existing Service Gateway that identifies your corporate location, or deploy a new Service Gateway virtual appliance for the Zero Trust Internet Access On-Premises Gateway service.
    2. Install and enable the Zero Trust Internet Access On-Premises Gateway service. For details, see Managing Services in Service Gateway.
  4. Allow some time for the deployment to complete, and then check the service status and other information about the on-premises gateway on the Gateways tab.
  5. Configure the basic and advanced settings, for example, time zone, user authentication, and log forwarding, for the on-premises gateway by clicking the edit icon ().
    • Update the location name and time zone, and add a description as needed.

      By default, Location shows the hostname of the Service Gateway virtual appliance that the on-premises gateway is running on. You can better identify the corporate location managed by the on-premises gateway by changing the location Name or adding a Description.

    • On the Advanced Settings tab, configure the user authentication and upstream proxy settings.

      • To enforce internet access rules on certain types of devices directly connected to the gateway that do not require user authentication (including shared devices or devices without specific users such as cameras or servers), click and disable user authentication for Traffic forwarding.

      • If the on-premises gateway is unable to access the internet directly, configure your third-party proxy server via Service Gateway CLI Commands and then enable upstream proxy for your deployed on-premises gateway by clicking () and enabling Upstream Proxy.

    • On the Log Forwarding tab, configure whether to send detection logs or activity data on the on-premises gateway to Trend Vision One or to a syslog server.

      To send activity data to a syslog server, specify the server address, port, and protocol used for data transmission with the server.


      The Internet Access On-Premises Gateway currently supports sending activity data in Common Event Format (CEF) syslog format only. For more information about the content mapping between Internet Access log output and CEF syslog format, see Syslog Content Mapping - CEF.

  6. Click Save.
  7. Configure and apply PAC files to forward HTTP/HTTPS traffic to the on-premises gateway.
    1. Add the FQDN or IP address of the on-premises gateway to one or multiple PAC files that you use for proxy settings.
    2. Apply the PAC files to the protected devices.