Skip to main content

 

 

Cisco Defense Orchestrator

Deploy an On-Premises Secure Device Connector Using CDO's VM Image

Overview

This procedure describes how to create a Secure Device Connector (SDC) for Cisco Defense Orchestrator (CDO) using CDO's VM image.

CDO uses two different deployment models: cloud deployment and on-premise deployment. Choosing the cloud deployment model requires allowing the relevant management IP addresses and ports to be opened on your corporate firewall for communication from the following IP addresses to your devices:

Europe, the Middle East, and Africa (EMEA):

  • 35.157.12.126
  • 35.157.12.15

United States (US):

  • 52.34.234.2
  • 52.36.70.147

In circumstances where you don't want to open the relevant ports and IP addresses, CDO gives you the option to install an on-premise Secure Device Connector (SDC). The SDC acts as a proxy between your devices and CDO's Cloud Services. The on-premises SDC works best with full outbound access on TCP port 443.  

Use CDO's Prepared VM Image

This procedure describes installing an SDC using CDO's VM image. This is the preferred, easiest, and most reliable way to create an SDC.  If you need to create the SDC using a VM that you create, follow Deploy an On-Premise SDC on a Virtual Machine you Create

Prerequisites

  • VMware ESXi host installed with vCenter web client
  • VMware ESXi host needs 2GB of memory and up to 64GB disk space to support the virtual machine depending on your provisioning choice.
  • Gather this information before you begin the installation:
    • Static IP address you want to use for your SDC. 
    • Passwords for the root and cdo users that you create during the installation process.
    • The IP address of the DNS server your organization uses. 
    • The gateway IP address of the network the SDC address is on. 
    • The FQDN or IP address of your time server. 

Procedure

  1. Log on to the CDO Tenant you are creating the SDC for.
  2. Click the Account menu and select Secure Device Connectors.

sdc menu.png

  1. Click Deploy an On-Premises Secure Device Connector.
  2. In Step 1, click Download the SDC VM image.
  3. Extract all the files from the .zip file. They will look similar to these:
    • CDO-SDC-VM-6c187f3.ovf
    • CDO-SDC-VM-6c187f3.mf
    • CDO-SDC-VM-6c187f3-disk1.vmdk
  4. Log on to your VMware server as an administrator using vsphere web client.
  5. Deploy the on-premise Secure Device Connector virtual machine from the OVF template. 

Notes:

  • In Step 1-Select template of the Deploy OVF Template wizard, when uploading the CDO-SDC-VM files, select all three files you extracted from the .zip file you downloaded. If the version of vSphere Web Client you use only allows you to upload one file, upload the .ovf file.
  • In Step 7-Customize template
    • In step 1 - Save the passwords for the "root" and "cdo" user. 
    • When you reach Step 3, CDO Authentication:

sdc_bootstrap_data_prompt.png
return to the Cisco Defense Orchestrator, Deploy OVF Template dialog box and click Copy bootstrap data:

copy_bootstrap_data.png

Then, return to the vSphere web client and enter the CDO Bootstrap data in the "CDO Bootstrap Data" field. Click OK.

  • Review the entries in Step 8-Ready to complete and click Finish if the entries are correct. 
  1. After deploying the SDC OVF in your vSphere, start the VM.
  2. Return to the Secure Device Connector page. Refresh the screen until you see the status of your new SDC change to Active

Troubleshooting

SDC status does not become active on CDO

  1. If CDO does not indicate that your on-premise SDC is active after about 10 minutes, open a local console and connect to the SDC VM using SSH. Use the cdo user and password you created during setup.
  2. Review the instructions on the terminal.
  • The /opt/cdo/configure.log log shows you the configuration settings you entered for the SDC and if they were applied successfully. 
  • Running sudo sdc-onboard setup guides you through all the configuration steps you took in the setup wizard GUI and gives you an opportunity to make changes.
  1. If after reviewing the log and running sdc-onboard,CDO still does not indicate that the SDC is Active contact CDO support