


Cisco Defense Orchestrator

Deploy an On-Premise SDC on a Virtual Machine you Create


Cisco Defense Orchestrator (CDO) uses two deployment models: a cloud deployment model and an on-premise deployment model. The cloud deployment model requires you to open the relevant management IP addresses and ports on your corporate firewall for communication from the following IP addresses to your devices:

Europe, the Middle East, and Africa (EMEA):


United States (US):


If you don't want to open these ports, CDO gives you the option to install an on-premises Secure Device Connector (SDC). The SDC acts as a proxy between your devices and CDO's Cloud Services. The on-premises SDC works best with full outbound access on TCP port 443.

Create Your Own VM or use Ours?

You can create your virtual machine environment for your on-premise SDC in one of two ways: 

  • The preferred, easiest, and most reliable way to create the virtual machine (VM) environment for your on-premise SDC is to download our SDC OVA image and install it. See Deploy an On-Premises Secure Device Connector Using CDO's VM Image for those instructions.
  • You can also create your own virtual machine environment and install the SDC on it. This method is described in this procedure.


  • ESXi host installed with vCenter web client
  • ESXi host needs 2GB of memory and 10GB disk space to support the virtual machine

How to Deploy an On-Premises Secure Device Connector

To deploy your on-premises secure device connector, perform these tasks:

  1. Create the Virtual Machine Environment Yourself
  2. Install the On-Premises SDC in your VM Environment

Create the Virtual Machine Environment Yourself

To create the virtual machine for your SDC follow this outline:

  1. Prepare a docker host, either physical or virtual, with the following components:
       • CentOS v7.2
       • Docker Engine v1.12+ for CentOS
       • AWS CLI v1.10.56+
  2. Make sure NTP is enabled and configured properly.
  3. Enable and start Docker Engine using the following commands:
       sudo systemctl enable docker.service
       sudo systemctl start docker
  4. Prepare an OS user named "sdc" using the following commands:
       sudo adduser -d /usr/local/cdo sdc
       sudo usermod -aG docker sdc
  5. Configure DNS (Domain Name Servers).
  6. Configure NTP (Network Time Protocol).

Install your On-Premises SDC in the VM Environment

  1. Log into your on-premises tenant at or depending on your region. 
  2. Click your account in the top right-hand corner, and select the Secure Device Connectors option.


  3. Select the Request On-Prem SDC option. This creates an SDC entry in the Onboarding state. This state remains until you complete the SDC registration on the VM.


  4. Click the newly created SDC entry.
  5. In the dialog box that opens, go to Step 2 of the procedure and click Copy Command to copy the entire curl command.
  6. Return to the SDC virtual machine, log in as the user you created in Create the Virtual Machine Environment for your On-Premises SDC, and change to the home directory of the sdc user: /usr/local/cdo.
  7. Set ownership to sdc user for the entire /usr/local/cdo/ directory.
       [user1@cdo-sdc ~]$ sudo chown -R sdc:sdc /usr/local/cdo/
       [user1@cdo-sdc ~]$
  8. Log in to the sdc user.
       [user1@cdo-sdc ~]$ sudo su sdc
  9. Extract the bootstrap tarball.
       bash-4.2$ cd /usr/local/cdo/
       bash-4.2$ tar xzvf admin1.bootstrap.tar.gz
  10. Run the script as the sdc user to start the installation.
       bash-4.2$ ./bootstrap/
       [2016-10-20 09:11:16] environment properly configured
       download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar
       [2016-10-20 09:11:18] startup new container
       no crontab for sdc

At this point your SDC should show as Active in the CDO GUI. 



If your SDC does not show as Active and you receive the error "IPv4 forwarding is disabled. Networking will not work.", you may need to enable IPv4 forwarding on the VM. Exit the sdc user session and run the sysctl command with sudo, as in the example below:

bash-4.2$ exit
[user1@cdo-sdc ~]$ 
[user1@cdo-sdc ~]$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Go back to step 8 to log in as the sdc user, and follow the instructions from that point.
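
The host prerequisites listed in Create the Virtual Machine Environment Yourself and the IPv4 forwarding setting above can be checked in one pass before the bootstrap script is run. The preflight script below is an added example, not part of Cisco's documentation or tooling; its function names and sample banners are constructed, and it assumes a systemd host with awk and a grep that supports -o.

```shell
#!/bin/sh
# Added example: preflight for the SDC docker host. Minimums, the sdc user, its home
# and ip_forward come from the page; function names and banners are constructed.

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++)
      if (x[i] + 0 != y[i] + 0) exit (x[i] + 0 < y[i] + 0)
    exit 0 }'
}

# first_version TEXT: first dotted number in a --version banner.
first_version() { printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1; }

# check_tool NAME BANNER MIN: print PASS/FAIL; non-zero when absent or below MIN.
check_tool() {
  v=$(first_version "$2")
  if [ -n "$v" ] && version_ge "$v" "$3"; then echo "PASS $1 $v >= $3"
  else echo "FAIL $1 ${v:-not-found} (need $3+)"; return 1; fi
}

# check_sdc_user PASSWD_LINE GROUPS: home is /usr/local/cdo and docker is listed.
# docker group membership is root-equivalent on the host, so keep sdc dedicated.
check_sdc_user() {
  [ "$(printf '%s\n' "$1" | cut -d: -f6)" = /usr/local/cdo ] || return 1
  case " $2 " in *" docker "*) return 0 ;; *) return 1 ;; esac
}

fail() { echo "FAIL $*"; rc=1; }
preflight() {
  rc=0
  check_tool docker "$(docker --version 2>&1)" 1.12 || rc=1
  check_tool aws-cli "$(aws --version 2>&1)" 1.10.56 || rc=1
  check_sdc_user "$(getent passwd sdc)" "$(id -nG sdc 2>/dev/null)" || fail "sdc user/home/docker group"
  { systemctl -q is-enabled docker && systemctl -q is-active docker; } 2>/dev/null ||
    fail "docker.service not enabled and running"
  [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = 1 ] || fail "net.ipv4.ip_forward is not 1"
  # sysctl -w changes the running kernel only; flag a missing persistent entry.
  grep -qsE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' \
    /etc/sysctl.conf /etc/sysctl.d/*.conf || echo "WARN ip_forward not persisted"
  return "$rc"
}

# On the host run "sh preflight.sh --check"; otherwise parse two constructed banners.
if [ "${1:-}" = "--check" ]; then preflight; else
  check_tool docker "Docker version 1.12.6, build 78d1802" 1.12
  check_tool aws-cli "aws-cli/1.10.47 Python/2.7.5 Linux/3.10.0 botocore/1.4.37" 1.10.56 || true
fi
```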
