Cisco Defense Orchestrator (CDO) supports two deployment models for its Secure Device Connector (SDC): cloud and on-premises. With the cloud model, your corporate firewall must allow CDO's management IP addresses and ports through so that CDO can reach your devices. Allow the following CDO IP addresses to reach your devices:
Europe, the Middle East, and Africa (EMEA):
United States (US):
If you prefer not to open these ports, CDO gives you the option to install an on-premises SDC. The SDC acts as a proxy between your devices and CDO's cloud services, so the only inbound opening it replaces is the one toward your devices; the on-premises SDC itself needs unrestricted outbound access on TCP port 443.
- An ESXi host managed through the vCenter web client
- The ESXi host needs 2 GB of memory and 10 GB of disk space for the SDC virtual machine
How to Deploy an On-Premises Secure Device Connector
To deploy your on-premises secure device connector, perform these two tasks:
- Create the Virtual Machine Environment for your On-Premises SDC
- Install your On-Premises SDC in the Virtual Machine Environment
Create the Virtual Machine Environment for your On-Premises SDC
- Download the SDC OVA image (CDO-SDC-VM-rev3.ova) from one of these two sites:
- Connect to your VMWare ESXi server and create the SDC virtual machine (VM) from the SDC OVA image.
Tip: For best results, use the vCenter Web Client to create the SDC VM.
- After creating the SDC VM, launch the console for the SDC and log in using these credentials:
Username: root
Password: adm123
- Once logged in, change the root password to something you will remember. Your new password must include:
- 15 characters
- 1 uppercase letter
- 1 number
- 1 non alpha-numeric character
[root@cdo-sdc ~]# passwd
Changing password for user root.
New password: <enter new password>
Retype new password: <enter new password>
passwd: all authentication tokens updated successfully.
- Create a new user that you can use to SSH to the VM. The password characteristics are the same as for the root user.
[root@cdo-sdc ~]# useradd user1
[root@cdo-sdc ~]# passwd user1
Changing password for user user1.
New password: <enter new password>
Retype new password: <enter new password>
passwd: all authentication tokens updated successfully.
- Add the new user to the wheel group so you can run operations as root.
[root@cdo-sdc ~]# usermod -aG wheel user1
- Change to the /etc/sysconfig/network-scripts directory.
[root@cdo-sdc ~]# cd /etc/sysconfig/network-scripts
[root@cdo-sdc network-scripts]#
- Use the rm command to remove the default wired interface file ifcfg-Wired_connection_1.
[root@cdo-sdc network-scripts]# rm ifcfg-Wired_connection_1
rm: remove regular file 'ifcfg-Wired_connection_1'? yes
[root@cdo-sdc network-scripts]#
- Create a new interface file and name it ifcfg-ens192. You can use vi or install nano to make the edits. The examples in this procedure use vi.
[root@cdo-sdc network-scripts]# vi ifcfg-ens192
- Add the following lines to the ifcfg-ens192 file.
Note: Include the quotes with the value of the variable. For example, the BOOTPROTO value in the ifcfg-ens192 file is "none" including the quotes.
BOOTPROTO="none"
NAME="ens192"
DEVICE="ens192"
ONBOOT="yes"
IPADDR="<VM_IP_ADDRESS>"
PREFIX="24"
GATEWAY="<VM_GATEWAY_IP_ADDRESS>"
DNS1="<DNS_IP_ADDRESS>"
- After you have added the correct values, save the ifcfg-ens192 file and restart the network service as shown below:
[root@cdo-sdc network-scripts]# service network restart
Restarting network (via systemctl): [ OK ]
- Close the VM console session and open an SSH session to the VM as the user you created earlier, using the IP address you set in ifcfg-ens192.
- Set the NTP client by editing the /etc/ntp.conf file. Set the NTP client to use only your company's NTP server. Once the change is made, restart the ntpd service and check to see that the VM has synced against the defined NTP server.
Note: While acting as your new user, elevate your privileges with sudo to edit the ntp.conf file, as shown in the example below. Comment out the public pool entries so that only your company's server remains:
[user1@cdo-sdc ~]$ sudo vi /etc/ntp.conf
.....
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 198.51.100.5
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
[user1@cdo-sdc ~]$ sudo service ntpd restart
Redirecting to /bin/systemctl restart ntpd.service
[user1@cdo-sdc ~]$ ntpstat
synchronised to NTP server (198.51.100.5) at stratum 2
   time correct to within 7942 ms
   polling server every 64 s
Note: If you do not see the time synchronized after restarting the ntpd process, restart the process a second time, and run ntpstat again.
- (If necessary) If the NTP sync is taking too long and you want to continue with the SDC deployment, log in as the root user and force a one-off sync against your NTP server by stopping ntpd, running ntpd -gq, and starting ntpd again, as in the example below:
[root@cdo-sdc ~]# service ntpd stop
Redirecting to /bin/systemctl stop ntpd.service
[root@cdo-sdc ~]# ntpd -gq
ntpd: time slew +0.011142s
[root@cdo-sdc ~]# service ntpd start
Redirecting to /bin/systemctl start ntpd.service
[root@cdo-sdc ~]#
- Update the installed packages with yum. Run it as root, or as the user you created earlier with sudo to elevate your privileges.
[root@cdo-sdc ~]# yum update
[user1@cdo-sdc ~]$ sudo yum update
- After the update completes, reboot the SDC.
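The steps above are typed interactively, which makes a typo in a password or an ifcfg value easy to miss until the VM drops off the network. The following script is an added example, not Cisco's code, that renders and validates the same settings before anything is applied. It assumes the password rules are minimums, that /etc/ntp.conf can be replaced wholesale with a minimal file pointing only at the corporate server, and that the IP addresses and the user name in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not Cisco's code: pre-validates and renders the settings the
# "Create the Virtual Machine Environment" steps ask for, so typos in the
# password, ifcfg-ens192 or ntp.conf are caught before the VM is touched.
# Assumptions: password rules are minimums; /etc/ntp.conf is replaced with a
# minimal file that lists only the corporate server; values are placeholders.
set -eu

# Password policy from the procedure: 15 characters (treated as a minimum),
# one uppercase letter, one digit, one non-alphanumeric character.
check_sdc_password() {
  local pw; pw=$1
  [ "${#pw}" -ge 15 ] || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
}

# Dotted-quad check for the IPADDR, GATEWAY and DNS1 placeholders.
valid_ipv4() {
  local octet
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Render ifcfg-ens192 exactly as the procedure lays it out, quotes included.
# Arguments: IP address, gateway, DNS server, optional prefix (default 24).
render_ifcfg() {
  local prefix; prefix=${4:-24}
  valid_ipv4 "$1" && valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
  cat <<EOF
BOOTPROTO="none"
NAME="ens192"
DEVICE="ens192"
ONBOOT="yes"
IPADDR="$1"
PREFIX="$prefix"
GATEWAY="$2"
DNS1="$3"
EOF
}

# Render an ntp.conf that points only at the corporate NTP server (hostname
# or IPv4) instead of the public pool entries the stock file ships with.
render_ntp_conf() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+$' || return 1
  cat <<EOF
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server $1 iburst
EOF
}

# Apply on the VM as root. The interactive passwd steps stay manual; the
# render functions above can be run anywhere. Files are only written once
# rendering has succeeded, so a bad value never truncates a live config.
# Arguments: SSH user, IP address, gateway, DNS server, NTP server.
apply_sdc_config() {
  local ifcfg ntp
  [ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; return 1; }
  ifcfg=$(render_ifcfg "$2" "$3" "$4") || { echo 'bad IP value' >&2; return 1; }
  ntp=$(render_ntp_conf "$5") || { echo 'bad NTP server' >&2; return 1; }
  id "$1" >/dev/null 2>&1 || useradd "$1"
  usermod -aG wheel "$1"
  rm -f /etc/sysconfig/network-scripts/ifcfg-Wired_connection_1
  printf '%s\n' "$ifcfg" > /etc/sysconfig/network-scripts/ifcfg-ens192
  printf '%s\n' "$ntp" > /etc/ntp.conf
  service network restart
  service ntpd restart
}
# Example invocation on the VM (placeholder values):
#   apply_sdc_config user1 192.0.2.10 192.0.2.1 192.0.2.53 198.51.100.5
```

The render functions are kept separate from apply_sdc_config so the generated ifcfg-ens192 and ntp.conf can be reviewed (or diffed against the running VM) before the network service is restarted, which is the point at which a wrong gateway locks you out of SSH.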
Install your On-Premises SDC in the Virtual Machine Environment
- Log in to your CDO tenant at https://www.defenseorchestrator.com.
- Click your account in the top right-hand corner, and select the Secure Device Connectors option.
- Select the Request On-Prem SDC option. This creates an SDC entry in the Onboarding state. This state remains until you complete the SDC registration on the VM.
- Click the newly created SDC entry.
- In the dialog box that opens, go to Step 2 of the procedure and click Copy Command to copy the entire curl command.
- Return to the SDC virtual machine, log in over SSH as the user you created in Create the Virtual Machine Environment for your On-Premises SDC, and change to the home directory of the sdc user: /usr/local/cdo.
- Give the sdc user ownership of the entire /usr/local/cdo/ directory.
[user1@cdo-sdc ~]$ sudo chown -R sdc:sdc /usr/local/cdo/
[user1@cdo-sdc ~]$
- Switch to the sdc user, then paste and run the curl command you copied from the CDO dialog. It downloads the bootstrap tarball into /usr/local/cdo.
[user1@cdo-sdc ~]$ sudo su sdc
bash-4.2$
- Extract the bootstrap tarball.
bash-4.2$ cd /usr/local/cdo/
bash-4.2$ tar xzvf admin1.bootstrap.tar.gz
bootstrap/environment_settings.sh
bootstrap/config.json
bootstrap
bootstrap/bootstrap.sh
bootstrap/common.sh
- Run the bootstrap.sh script as the sdc user to start the installation.
bash-4.2$ ./bootstrap/bootstrap.sh
[2016-10-20 09:11:16] environment properly configured
download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar
toolkit.sh
common.sh
[2016-10-20 09:11:18] startup new container
d57ebc48b22a2d0a63a2a11bc3ca0a4c9f9ca2ee3432b52a207668a829c1367e
no crontab for sdc
At this point your SDC should show as Active in the CDO GUI.
If your SDC does not show as Active and you receive the error "IPv4 forwarding is disabled. Networking will not work.", you need to enable IPv4 forwarding on the VM. Exit the sdc user session and run the sysctl command with sudo as in the example below:
bash-4.2$ exit
exit
[user1@cdo-sdc ~]$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
Note: sysctl -w changes only the running kernel and is lost at the next reboot. To make the setting persistent, add the same net.ipv4.ip_forward = 1 line to a file under /etc/sysctl.d/ and apply it with sudo sysctl --system.
Then switch back to the sdc user with sudo su sdc, change to /usr/local/cdo, and run bootstrap.sh again.
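The bootstrap step extracts an archive fetched from the internet, as the sdc user, inside /usr/local/cdo, and the forwarding problem only surfaces after the container has been started. The following script is an added example, not Cisco's code, that wraps the same steps with two checks a practitioner would want first: that the tarball contains the expected bootstrap/bootstrap.sh and no member that would extract outside the current directory, and that IPv4 forwarding is already on, with a persistent fix alongside the runtime one. It assumes the tarball was downloaded by the copied curl command (its name is tenant-specific; admin1.bootstrap.tar.gz is the one from the page) and uses /etc/sysctl.d/99-cdo-sdc.conf as a file name chosen here.

```shell
#!/bin/sh
# Added example, not Cisco's code: guard rails around the SDC bootstrap step.
# Assumptions: the tarball sits in /usr/local/cdo, downloaded by the copied
# curl command (tenant-specific name, e.g. admin1.bootstrap.tar.gz);
# /etc/sysctl.d/99-cdo-sdc.conf is a file name chosen for this example.
set -eu

# Return 0 only if the archive is the expected bootstrap bundle and every
# member extracts beneath the current directory: no absolute paths and no ".."
# components, so "tar xzvf" in /usr/local/cdo cannot write anywhere else.
# -P makes tar list member names exactly as stored, without sanitising them.
tar_members_safe() {
  tar -P -tzf "$1" | grep -qx 'bootstrap/bootstrap.sh' || return 1
  if tar -P -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    return 1
  fi
}

# IPv4 forwarding check. The sysctl file is a parameter so the function can be
# exercised against a sample file; the live kernel value is the default.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# The runtime fix from the troubleshooting note plus a persistent copy,
# because sysctl -w alone is lost at the next reboot. Run as root (sudo).
enable_ip_forward() {
  sysctl -w net.ipv4.ip_forward=1
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-cdo-sdc.conf
}

# Bootstrap flow, run as the sdc user. Argument: tarball name.
run_bootstrap() {
  cd /usr/local/cdo
  ip_forward_enabled || {
    echo 'IPv4 forwarding is off; run enable_ip_forward as root, then retry' >&2
    return 2
  }
  tar_members_safe "$1" || { echo "refusing to extract $1" >&2; return 1; }
  tar xzf "$1"
  ./bootstrap/bootstrap.sh
}
# On the VM, as the sdc user:
#   run_bootstrap admin1.bootstrap.tar.gz
```

Checking forwarding before running bootstrap.sh avoids the half-started state the troubleshooting note describes, and listing the archive before extracting it costs nothing while ruling out a member path such as /etc/cron.d/... or ../../.ssh/authorized_keys landing outside /usr/local/cdo.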