Skip to main content

 

 

Cisco Defense Orchestrator

Deploy an On-Premises Secure Device Connector Using Defense Orchestrator's VM Image

Cisco Defense Orchestrator (Defense Orchestrator) enables direct communication between supported devices and services to Defense Orchestrator via the Secure Device Connector (SDC). The SDC enables this communication by acting as a proxy between a remote location and Defense Orchestrator cloud services.

This procedure describes how to create an SDC for Defense Orchestrator, installed on-premise, using Defense Orchestrator's VM image. This is the preferred, easiest, and most reliable way to create an SDC.  If you need to create the SDC using a VM that you create, follow Deploy an On-Premise SDC on a Virtual Machine you Create

Prerequisites

  • Defense Orchestrator requires strict certificate checking and does not support a Web/Content Proxy between the SDC and the Internet.
  • We require allowing the SDC full outbound access on TCP port 443.
  • VMware ESXi host installed with vCenter web client.
  • VMware ESXi host needs 2GB of memory and up to 64GB disk space to support the virtual machine depending on your provisioning choice.
  • Gather this information before you begin the installation:
    • Static IP address you want to use for your SDC. 
    • Passwords for the root and cdo users that you create during the installation process.
    • The IP address of the DNS server your organization uses. 
    • The gateway IP address of the network the SDC address is on. 
    • The FQDN or IP address of your time server. 
  • The on-premise SDC virtual machine is configured to install security patches on a regular basis and in order to do this, opening port 80 outbound is required.

Procedure

  1. Log on to the Defense Orchestrator Tenant you are creating the SDC for.
  2. Click the Account menu and select Secure Device Connectors.

sdc menu.png

  1. Click Deploy an On-Premises Secure Device Connector.
  2. In Step 1, click Download the SDC VM image.
  3. Extract all the files from the .zip file. They will look similar to these:
    • CDO-SDC-VM-6c187f3.ovf
    • CDO-SDC-VM-6c187f3.mf
    • CDO-SDC-VM-6c187f3-disk1.vmdk
  4. Log on to your VMware server as an administrator using vsphere web client.
  5. Deploy the on-premise Secure Device Connector virtual machine from the OVF template. 

Notes:

  • In Step 1-Select template of the Deploy OVF Template wizard, when uploading the CDO-SDC-VM files, select all three files you extracted from the .zip file you downloaded. If the version of vSphere Web Client you use only allows you to upload one file, upload the .ovf file.
  • In Step 7-Customize template
    • In step 1 - Save the passwords for the "root" and "cdo" user. 
    • When you reach Step 3, CDO Authentication:

sdc_bootstrap_data_prompt.png
return to the Cisco Defense Orchestrator, Deploy OVF Template dialog box and click Copy bootstrap data:

copy_bootstrap_data.png

Then, return to the vSphere web client and enter the CDO Bootstrap data in the "CDO Bootstrap Data" field. Click OK.

  • Review the entries in Step 8-Ready to complete and click Finish if the entries are correct. 
  1. After deploying the SDC OVF in your vSphere, start the VM.
  2. Return to the Secure Device Connector page. Refresh the screen until you see the status of your new SDC change to Active

Troubleshooting

SDC status does not become active on Defense Orchestrator

  1. If Defense Orchestrator does not indicate that your on-premise SDC is active after about 10 minutes, open a local console and connect to the SDC VM using SSH. Use the cdo user and password you created during setup.
  2. Review the instructions on the terminal.
  • The /opt/cdo/configure.log log shows you the configuration settings you entered for the SDC and if they were applied successfully. 
  • Running sudo sdc-onboard setup guides you through all the configuration steps you took in the setup wizard GUI and gives you an opportunity to make changes.
  1. If after reviewing the log and running sdc-onboard,Defense Orchestrator still does not indicate that the SDC is Active contact Defense Orchestrator support