Secure Device Connector
When onboarding a device to CDO using device credentials, CDO considers it a best practice to download and deploy a Secure Device Connector (SDC) in your network to proxy communications between the devices and CDO. However, if you prefer, you can enable a device to receive direct communications through its outside interface from CDO. The Adaptive Security Appliances (ASAs), Firepower Threat Defense devices (FTDs), Firepower Management Centers (FMCs), Secure Firewall Cloud Native devices, and SSH and IOS devices, can all be onboarded to CDO using an SDC.
The SDC monitors CDO for commands that need to be executed on your managed devices, and messages that need to be sent to your managed devices. The SDC executes the commands on behalf of CDO, sends messages to CDO on behalf of the managed devices, and returns replies from the managed devices to CDO.
The SDC uses secure communication messages signed and encrypted using AES-128-GCM over HTTPS (TLS 1.2) to communicate with CDO. All credentials for onboarded devices and services are encrypted directly from the browser to the SDC as well as encrypted at rest using AES-128-GCM. Only the SDC has access to the device credentials. No other CDO service has access to the credentials. See Connect to Cisco Defense Orchestrator using Secure Device Connector for information explaining how to allow communication between between an SDC and CDO.
The SDC may be installed on an appliance, as a virtual machine on a hypervisor, or in a cloud environment like AWS or Azure. You can install an SDC by using a combined virtual machine and SDC image provided by CDO, or you can create your own virtual machine and install the SDC on it. The SDC virtual appliance includes a CentOS operating system and runs within a Docker container.
Each CDO tenant can have a maximum of 5 SDCs. These SDCs are not shared between tenants, they are dedicated to a single tenant. The number of devices a single SDC can manage depends on the features implemented on those devices and the size of their configuration files. For the purposes of planning your deployment, however, expect one SDC to support approximately 500 devices.
Deploying more than one SDC for your tenant also provides these benefits:
- You can manage more devices with your CDO tenant without experiencing performance degradation.
- You can deploy an SDC to an isolated network segment within your network and still manage the devices in that segment with the same CDO tenant. Without multiple SDCs, you would need to manage the devices in those isolated network segments with different CDO tenants.
The procedure for deploying a second or subsequent SDC is the same for deploying your first SDC. The initial SDC on your tenant incorporates the name of your tenant and the number 1 and is displayed on the Secure Connectors page of CDO. Each additional SDC is numbered in order. See Deploy an On-Premises Secure Device Connector Using CDO's VM Image and Deploy an On-Premises Secure Device Connector on your own VM.
- Connect Cisco Defense Orchestrator to the Secure Device Connector
- Deploy a Secure Device Connector Using CDO's VM Image
- Deploy a Secure Device Connector on your own VM
- Troubleshoot an On-Premise Secure Device Connector
- Update your On-Premises Secure Device Connector
- Cisco Security Analytics and Logging for ASA Devices
- Cisco Security Analytics and Logging for FTD Devices
- Remove a Secure Device Connector
- Install the Secure Event Connector on an On-Premises SDC Virtual Machine
- Install Multiple SECs for Your Tenant Using a VM Image you Create
- Remove the Secure Event Connector
- Deprovisioning Cisco Security Analytics and Logging (SaaS)