Cisco Defense Orchestrator

Connect to Cisco Defense Orchestrator using Secure Device Connector

Secure Device Connector

Cisco Defense Orchestrator (CDO) enables direct communication between CDO and supported devices and services. This communication is enabled by the CDO Secure Device Connector (SDC), which acts as a proxy between a remote location and CDO cloud services. CDO provides two SDC deployment models: cloud and on-premises. To identify which model is currently associated and active with the account, navigate to the Secure Device Connector page from the User Account details. The account can be configured for either a cloud or an on-premises SDC.

  • Cloud Secure Device Connector. All cloud SDCs are provisioned automatically and managed by the CDO team. See the prerequisites below for establishing communication with the remote device or service.
  • On-Premises Secure Device Connector. The on-premises SDC is a pre-configured virtual appliance dedicated to the requested account. The on-premises SDC virtual appliance includes a CentOS operating system and the SDC running in a Docker container. We recommend that you assign 2GB memory and 10GB disk space to the SDC virtual appliance.

Both SDC deployment models use secure communication messages signed and encrypted using AES-128-GCM over HTTPS (TLS 1.2) to communicate with CDO. All credentials for onboarded devices and services are encrypted using RSA-2048 directly from the browser to the device connector as well as encrypted at rest using AES-128-GCM. Only the SDC, whether cloud or on-premises, has access to the device credentials. No other CDO service has access to the credentials.

At any time, customers can choose to leverage either the Cisco-managed cloud deployment or the customer-managed on-premises SDC. All requests can be completed by contacting your Cisco account manager, filing a support ticket within the CDO application, or emailing cdo.support@cisco.com.

For devices that you want CDO to manage that are not perimeter-based, or that do not have a public IP address or an open port on the outside interface, we recommend that you use the on-premises SDC, which enables onboarding, accessing, reading, and writing to those devices using internal IP addresses.

Connect to Cisco Defense Orchestrator using the Secure Device Connector 

CDO communicates with managed devices and services using the SDC (cloud or on-premises deployment models). Specifically for ASA and ASA with FirePOWER Services, the SDC uses the same secure communications channel as is used by ASDM. As a result, an ASDM image must be present and enabled on the ASA.

By default, a cloud SDC is available upon initial account provisioning. A publicly accessible outside interface must therefore be configured to allow CDO to communicate with ASA and FirePOWER Services devices through the SDC. To enable this access, allow connections to the following IP addresses:

Europe, the Middle East, and Africa (EMEA):

  • 35.157.12.126
  • 35.157.12.15

United States (US):

  • 52.34.234.2
  • 52.36.70.147

If the ASA under management is also configured to accept AnyConnect VPN Client connections, the ASDM HTTP server port must be changed to a value of 1024 or higher. Note that this port number will be the same port number used when onboarding the ASA device into CDO.

Note: If using an on-premises SDC, you must ensure that the virtual appliance has network connectivity to the management port of the managed device.

Example Commands

The following examples assume that the ASA outside interface is named 'outside' and an AnyConnect client is configured on the ASA so the ASDM HTTP server is listening on port 8443.

To enable access on the outside interface, enter the commands for your region:

EMEA:

http 35.157.12.126 255.255.255.255 outside

http 35.157.12.15 255.255.255.255 outside

United States:

http 52.34.234.2 255.255.255.255 outside

http 52.36.70.147 255.255.255.255 outside

To enable the ASDM HTTP server port when the AnyConnect VPN Client is in use, enter this command:

http server enable 8443
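
The following is an added example, not part of the original Cisco documentation: a small audit that reads an ASA running-config and checks the ASDM HTTP settings against the requirements above (cloud SDC host rules present, port 1024 or higher when AnyConnect is enabled). It assumes AnyConnect shows up as an `anyconnect enable` line, and treating any other `http` rule on the outside interface as a finding is this example's own policy, not a CDO requirement. The function name and sample config are constructed for illustration.

```python
import ipaddress

# Cloud SDC addresses listed on this page, by region.
SDC_IPS = {"EMEA": {"35.157.12.126", "35.157.12.15"},
           "US": {"52.34.234.2", "52.36.70.147"}}

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
http server enable
http 35.157.12.126 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
webvpn
 enable outside
 anyconnect enable
"""

def audit_asa_http(config: str, region: str, interface: str = "outside") -> list[str]:
    """Return findings for the ASDM HTTP settings in an ASA running-config."""
    expected = SDC_IPS[region]
    allowed, port, anyconnect, findings = set(), None, False, []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["http", "server", "enable"]:
            port = int(tok[3]) if len(tok) > 3 else 443  # ASA default port is 443
        elif len(tok) == 4 and tok[0] == "http" and tok[3] == interface:
            try:
                net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
            except ValueError:
                findings.append(f"unparseable http rule: {raw.strip()}")
                continue
            if net.prefixlen == 32 and str(net.network_address) in expected:
                allowed.add(str(net.network_address))
            else:  # example policy: only the cloud SDC hosts belong on this interface
                findings.append(f"http access on {interface} beyond cloud SDC: {net}")
        elif tok[:2] == ["anyconnect", "enable"]:  # assumption: marks AnyConnect in use
            anyconnect = True
    if port is None:
        findings.append("ASDM HTTP server is not enabled")
    elif anyconnect and port < 1024:
        findings.append(f"AnyConnect enabled but ASDM port is {port}; use 1024 or higher")
    for ip in sorted(expected - allowed):
        findings.append(f"missing http rule for cloud SDC {ip}")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_http(SAMPLE_CONFIG, "EMEA"):
        print(finding)
```
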