Secure Device Connector
Cisco Defense Orchestrator (CDO) enables direct communication between supported devices and services to CDO via the Secure Device Connector (SDC). The SDC enables this communication by acting as a proxy between a remote location and CDO cloud services.
You can use a "Cloud SDC" created by the CDO team, or install an SDC "on-premises." To identify which model is currently associated and active with the account, navigate to the Secure Device Connector page from the User Account details. The account can be configured for either a cloud or on-premises SDC.
- Cloud Secure Device Connector. All cloud SDCs are provisioned automatically and managed by the CDO team. See Connect to Cisco Defense Orchestrator using Secure Device Connector below for establishing communication with the remote device or service.
- On-Premises Secure Device Connector. On-premises SDC is a pre-configured, virtual appliance dedicated to the requested account. The on-premises SDC virtual appliance includes a CentOS operating system and the SDC running on a Docker container. We recommended that you have 2GB memory and 10GB disk space assigned for the SDC virtual appliance.
Both SDC deployment models use secure communication messages signed and encrypted using AES-128-GCM over HTTPS (TLS 1.2) to communicate with CDO. All credentials for onboarded devices and services are encrypted using RSA-2048 directly from the browser to the device connector as well as encrypted at rest using AES-128-GCM. Only the SDC, whether cloud or on-premises, has access to the device credentials. No other CDO service has access to the credentials.
At any time, customers can choose to leverage either the Cisco-managed cloud deployment or the customer-managed on-premises SDC. All requests can be completed by contacting your Cisco account manager, filing a support ticket within the CDO application, or emailing email@example.com.
For desired CDO-managed devices that are non-perimeter based, do not have a public IP address, or an open port to the outside interface, we recommended you use the on-premises SDC which enables onboarding, accessing, reading, and writing to those devices using internal IP addresses.
Connect Cisco Defense Orchestrator to the Cloud Secure Device Connector
CDO communicates with managed devices and services using the SDC. Specifically for ASA and ASA FirePOWER, the SDC uses the same secure communications channel used by ASDM.
By default upon initial account provisioning, a cloud SDC is available and therefore, a publicly accessible outside interface must be configured to allow CDO to communicate with ASA and ASA FirePOWER devices through the SDC.
If you are a customer in Europe, the Middle East, or Africa (EMEA), and you connect to Defense Orchestrator at https://defenseorchestrator.eu, allow inbound access from the following IP addresses:
If you are a customer in the United States, and you connect to Defense Orchestrator at https://defenseorchestrator.com, allow inbound access from the following IP addresses:
If the ASA under management is also configured to accept AnyConnect VPN Client connections, the ASDM HTTP server port must be changed to a value of 1024 or higher. Note that this port number will be the same port number used when onboarding the ASA device into CDO.
Note: If using an on-premises SDC, you must ensure that the virtual appliance has network connectivity to the management interface of the managed device.
The following examples assume that the ASA outside interface is named 'outside' and an AnyConnect client is configured on the ASA so the ASDM HTTP server is listening on port 8443.
To enable the outside interface, enter these commands:
http 18.104.22.168 255.255.255.255 outside
http 22.214.171.124 255.255.255.255 outside
http 126.96.36.199 255.255.255.255 outside
http 188.8.131.52 255.255.255.255 outside
To enable the ASDM HTTP server port, in the case where AnyConnect VPN Client is in use, enter this commands:
http server enable 8443