Cisco Defense Orchestrator

Deploy an On-Premise SDC on a Virtual Machine you Create

Overview

CDO uses two different deployment models: a cloud deployment model and an on-premise deployment model. If you choose the cloud deployment model, you must open the relevant management IP addresses and ports on your corporate firewall so that the following IP addresses can reach your devices:

Europe, the Middle East, and Africa (EMEA):

  • 35.157.12.126
  • 35.157.12.15

United States (US):

  • 52.34.234.2
  • 52.36.70.147

In circumstances where you don't want to open these ports, CDO gives you the option to install an on-premises SDC. The SDC acts as a proxy between your devices and CDO's Cloud Services. The on-premises SDC works best with full outbound access on TCP port 443.

Create Your Own VM or use Ours?

You can create your virtual machine environment for your on-premise SDC in one of two ways: 

  • The preferred, easiest, and most reliable way to create the virtual machine (VM) environment for your on-premise SDC is to download our SDC OVA image and install it. See Deploy an On-Premises Secure Device Connector Using CDO's VM Image for those instructions.
  • You can also create your own virtual machine environment and install the SDC on it. This method is described in this procedure.

Prerequisites

  • ESXi host installed with vCenter web client
  • ESXi host needs 2GB of memory and 10GB disk space to support the virtual machine

How to Deploy an On-Premises Secure Device Connector

To deploy your on-premises secure device connector, perform these tasks:

  1. Create the Virtual Machine Environment Yourself
  2. Install the On-Premises SDC in your VM Environment

Create the Virtual Machine Environment Yourself

To create the virtual machine for your SDC follow this outline:

  1. Prepare a docker host, either physical or virtual, with the following components:
     • CentOS v7.2
     • Docker Engine v1.12+ for CentOS
     • AWS CLI v1.10.56+
  2. Make sure NTP is enabled and configured properly.
  3. Enable and start Docker Engine using the following commands:
     sudo systemctl enable docker.service
     sudo systemctl start docker
  4. Prepare an OS user named "sdc" using the following commands:
     sudo adduser -d /usr/local/cdo sdc
     sudo usermod -aG docker sdc
  5. Configure DNS (Domain Name Servers).
  6. Configure NTP (Network Time Protocol).

Install your On-Premises SDC in the VM Environment

  1. Log in to your CDO tenant at https://www.defenseorchestrator.com or https://www.defenseorchestrator.eu, depending on your region.
  2. Click your account in the top right-hand corner, and select the Secure Device Connectors option.
  3. Select the Request On-Prem SDC option. This creates an SDC entry in the Onboarding state. The entry stays in this state until you complete the SDC registration on the VM.
  4. Click the newly created SDC entry.
  5. In the dialog box that opens, go to Step 2 of the procedure and click Copy Command to copy the entire curl command.
  6. Return to the SDC virtual machine, log in as the user you created in Create the Virtual Machine Environment Yourself, and connect to the home directory of the sdc user: /usr/local/cdo.
  7. Set ownership of the entire /usr/local/cdo/ directory to the sdc user.
     [user1@cdo-sdc ~]$ sudo chown -R sdc:sdc /usr/local/cdo/
     [user1@cdo-sdc ~]$
  8. Log in as the sdc user.
     [user1@cdo-sdc ~]$ sudo su sdc
     bash-4.2$
  9. Extract the bootstrap tarball.
     bash-4.2$ cd /usr/local/cdo/
     bash-4.2$ tar xzvf admin1.bootstrap.tar.gz
     bootstrap/environment_settings.sh
     bootstrap/config.json
     bootstrap
     bootstrap/bootstrap.sh
     bootstrap/common.sh
  10. Run the bootstrap.sh script as the sdc user to start the installation.
     bash-4.2$ ./bootstrap/bootstrap.sh
     [2016-10-20 09:11:16] environment properly configured
     download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar
     toolkit.sh
     common.sh
     [2016-10-20 09:11:18] startup new container
     d57ebc48b22a2d0a63a2a11bc3ca0a4c9f9ca2ee3432b52a207668a829c1367e
     no crontab for sdc

At this point your SDC should show as Active in the CDO GUI.

Troubleshooting

If your SDC does not show as Active and you receive the error "IPv4 forwarding is disabled. Networking will not work.", you may need to enable IPv4 forwarding on the VM. Exit the sdc user session and run the sysctl command with sudo, as in the example below:

bash-4.2$ exit
exit
[user1@cdo-sdc ~]$ 
[user1@cdo-sdc ~]$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Go back to step 8 to log in as the sdc user and follow the instructions from that point.
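As an added example (not part of the Cisco page), a POSIX shell preflight script that verifies the host state the procedure above expects before bootstrap.sh is run, and writes the IPv4 forwarding setting from the troubleshooting section to a sysctl.d drop-in so it survives a reboot; the drop-in file name 99-sdc-ip-forward.conf is an assumed name.

```shell
#!/bin/sh
# Preflight checks for the SDC docker host described above: Docker Engine 1.12+,
# "sdc" user in the docker group, /usr/local/cdo owned by sdc, NTP in sync,
# IPv4 forwarding on. Each check takes its input as an argument or on stdin so
# it can be run against captured output; preflight() feeds it live system state.
# Accepts the output of `docker --version`; returns 0 for version 1.12 or newer.
docker_version_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "Docker" && $2 == "version" {
            split($3, v, ".")
            ok = (v[1] + 0 > 1) || (v[1] + 0 == 1 && v[2] + 0 >= 12)
            exit (ok ? 0 : 1)
        }
        { exit 1 }'
}
# Reads /etc/group-format text on stdin; returns 0 if user $2 is listed as a
# supplementary member of group $1 (what `usermod -aG docker sdc` produces).
user_in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }'
}
# Accepts the output of `timedatectl` (CentOS 7 systemd format); returns 0 when
# the clock is NTP-synchronized.
ntp_synced() {
    printf '%s\n' "$1" | grep -q '^ *NTP synchronized: yes$'
}
# `sysctl -w net.ipv4.ip_forward=1` from the troubleshooting section lasts only
# until reboot; this writes the setting to a sysctl.d drop-in (assumed file name)
# so it is reapplied at boot. $1 overrides the directory, e.g. for testing.
persist_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > "${1:-/etc/sysctl.d}/99-sdc-ip-forward.conf"
}
# Runs every check against the live host; prints each failure and returns 1 if any.
preflight() {
    rc=0
    docker_version_ok "$(docker --version 2>/dev/null)" || { echo "FAIL: Docker Engine 1.12+ not found"; rc=1; }
    systemctl is-enabled docker.service >/dev/null 2>&1 || { echo "FAIL: docker.service not enabled"; rc=1; }
    user_in_group docker sdc < /etc/group || { echo "FAIL: user sdc is not in the docker group"; rc=1; }
    [ "$(stat -c %U /usr/local/cdo 2>/dev/null)" = sdc ] || { echo "FAIL: /usr/local/cdo not owned by sdc"; rc=1; }
    ntp_synced "$(timedatectl 2>/dev/null)" || { echo "FAIL: NTP not synchronized"; rc=1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] || { echo "FAIL: IPv4 forwarding disabled"; rc=1; }
    return $rc
}
# Run the live checks only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as the admin user before step 8 (`sh preflight.sh --run`); after applying the sysctl fix, `sudo sh -c '. ./preflight.sh; persist_ip_forward'` keeps forwarding enabled across reboots.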
