Deploying the Private Access Connector on Microsoft Azure

Connect your Azure Marketplace applications with Zero Trust Secure Access Private Access and prevent unauthorized intrusions.

Private Access Connectors connect your internal applications with Zero Trust Secure Access Private Access, which allows you to control access to sensitive corporate resources. To ensure high availability (HA) and facilitate load-balancing on high traffic apps, install and group together at least 2 connectors in each environment. Before attempting to deploy the Private Access Connector, ensure that your environment meets the minimum system requirements.

In the Trend Vision One console, go to Zero Trust Secure Access > Secure Access Configuration > Private Access Configuration.
For customers that need to create a new connector group, click Add Private Access Connector Group.
1. Provide a unique name and description for the group.
2. Click Save.
Locate your Connector group name in the list and click the New connector () icon.
The Private Access Connector Virtual Appliance panel appears.
Select Microsoft Azure from the Platform list.
Copy the Registration token for later use.
Sign in to the Azure Marketplace and locate the Trend Micro Vision One - Zero Trust Secure Access app.
Important:
The steps contained in these instructions were valid as of October 2022.
On the Trend Micro Vision One - Zero Trust Secure Access Azure application screen, click Get It Now.
Sign in to Azure Marketplace as a super administrator when prompted.
On the Create this app in Azure screen, click Continue.
The app deployment screen appears.

Create multiple virtual machine (VM) instances for the Private Access Connector virtual appliances.

On the app deployment screen, click Create.

On the Basics tab that appears, specify the following fields.

Field	Description
Subscription	Select the subscription to manage the VM instances.
Resource group	Select a new or existing resource group to organize and manage the VM instances.
Region	Select an Azure region. Trend Micro recommends you select the same region as where the resource group is located.
Scale set instance name	Specify a uniquely identifiable name for the scale set.
Scale set instance count	Use drag-and-drop to select the number of VM instances to deploy. You can modify the instance count on the Microsoft Azure portal after the deployment.
Appliance VM size	Select the system resources as necessary.
Registration token	Paste the registration token that you obtained on the Trend Vision One console. The system automatically registers all the Connector virtual appliances in the scale set to Trend Vision One during the deployment.
SSH public key source	Select the SSH public key source. Important: Trend Vision One does not support logon to a VM using a password. Select Generate new key pair and specify a uniquely identifiable name for the key pair. You will need to download the private key at a later step. Select Use existing key stored in Azure and select a stored key from the drop-down list. Select Use existing public key and paste your public key to the text box.

Click the Networking tab and specify the following fields.

Field	Description
Virtual network	Select a virtual network from the drop-down list or click Create new to add a virtual network for the scale set. Make sure that the virtual network can connect to the internal applications that you want to protect.
Management subnet	Select a subnet of the virtual network from the drop-down list. For a newly created virtual network, the subnet of the virtual network is automatically filled in.

Field

Description

Virtual network

Select a virtual network from the drop-down list or click Create new to add a virtual network for the scale set.

Make sure that the virtual network can connect to the internal applications that you want to protect.

Management subnet

Select a subnet of the virtual network from the drop-down list.

For a newly created virtual network, the subnet of the virtual network is automatically filled in.

Click the Advanced tab and configure Boot diagnostics as necessary.
Click Review + create.
On the Review + create tab that appears, review and confirm the settings and click Create.
If you selected Generate new key pair at an earlier step, the Generate new key pair screen appears.
(Optional) Click Download private key and create resource. and save the private key file to your local machine.
Important:
Make sure your private key file is secure and accessible. You will need to use the private key to log on to the VM.

The deployment process overview screen appears, indicating the deployment status.
Wait until the deployment is complete, and then click Go to resource.
The Overview screen of the newly created virtual machine scale set appears. The number of successfully deployed VM instances displays next to Status.

(Optional) Scale the VM instances either by manually choosing a specific instance count or via a custom autoscale policy.
(Optional) Launch and configure a Private Access Connector VM.
1. In the left navigation, click Instances.
2. From the VM instances under this scale set, click the name of a VM.
3. On the Overview screen that appears, copy the public IPv4 address of the VM.
4. Open a command prompt and run the following ssh command to log on to the Private Access Connector virtual appliance with the default credentials.
  ssh -i <path_of_the_private_key_file> admin@<public_IP_address_of_the_VM>
5. Run the following command and then press the Enter key to set your password for the enable command:
  passwd
  
  The admin user and privileged mode share the same password.
6. Type enable and then press the Enter key to enter privileged mode. Provide the updated password when asked.
  The command prompt changes from > to #.
7. Run the following command to change the time zone of the Private Access Connector:
  configure timezone <timezone>
  
  The default time zone is America/Los_Angeles.
8. Check whether the Private Access Connector can connect to the NTP server 0.pool.ntp.org.
  The Private Access Connector requires connectivity to an NTP server to synchronize its clock. By default, Trend Vision One uses the public NTP server 0.pool.ntp.org. You can also configure the Private Access Connector to connect to another public NTP server or a local NTP server within your organization.
  
  Run the following command to configure the NTP server: configure ntp server <address>
  
  Note:
  To use public NTP servers, make sure that your firewall configuration allows outbound UDP traffic on port 123.
Use the CLI to configure other settings, if required.
For more information on available commands, see Private Access Connector CLI Commands.

After successful deployment, the Private Access Connector virtual appliances appear under the corresponding connector group on the Private Access Connectors tab.

(Optional) On the Microsoft Azure portal, perform the following tasks to configure the VM scale set you have created when necessary.

Task	Description
Delete a specific VM instance	In the left navigation, click Instances. On the Instances screen that appears, select one or multiple VM instances and click Delete.
Update the registration token	In the left navigation, click Operating system. On the Operating system screen that appears, select Modify user data in the User data section, and then paste the updated registration token in the User data text box. Click Save. In the left navigation, click Instances. On the Instances screen that appears, select all VM instances and click Upgrade. The update process takes about one minute. During the process, the system does not restart the instances and automatically registers the instances to Trend Vision One again.

Task

Description

Delete a specific VM instance

In the left navigation, click Instances.
On the Instances screen that appears, select one or multiple VM instances and click Delete.

Update the registration token

In the left navigation, click Operating system.
On the Operating system screen that appears, select Modify user data in the User data section, and then paste the updated registration token in the User data text box.
Click Save.
In the left navigation, click Instances.
On the Instances screen that appears, select all VM instances and click Upgrade.

The update process takes about one minute. During the process, the system does not restart the instances and automatically registers the instances to Trend Vision One again.