Many devices managed by CDO, though not all, connect to CDO through a Secure Device Connector (SDC). In these cases, CDO and the devices it manages do not communicate directly. Meraki MX, Firepower Threat Defense (FTD) when onboarded using a serial number or registration token, and AWS devices do not require an SDC to connect to CDO.
SDCs can be deployed in the cloud or in your network using the following methods:
- On-Premises Secure Device Connector. The on-premises SDC is a virtual appliance installed in your network. You can create your on-premises SDC by using an image provided by CDO, or you can create your own VM and install the SDC on it. The on-premises SDC virtual appliance includes a CentOS operating system and runs on a Docker container. For CDO-managed devices that are non-perimeter based, do not have a public IP address, or do not have an open port to the outside interface, we recommend that you use the on-premises SDC, which enables onboarding, accessing, reading, and writing to those devices using internal IP addresses.
- Cloud Secure Device Connector. If you request it, the CDO support team can deploy a cloud-based SDC for your tenant when it is created. Only the CDO support team can deploy and service a cloud-based SDC.
Both SDC deployment models communicate with CDO using messages that are signed and encrypted using AES-128-GCM and sent over HTTPS (TLS 1.2). All credentials for onboarded devices and services are encrypted directly from the browser to the SDC and are also encrypted at rest using AES-128-GCM. Only the SDC, whether cloud or on-premises, has access to the device credentials. No other CDO service has access to the credentials. See Connect to Cisco Defense Orchestrator using Secure Device Connector for information on how to allow communication between an SDC and CDO.
Deploying more than one SDC for your tenant allows you to manage more devices with your CDO tenant without experiencing performance degradation. The number of devices a single SDC can manage depends on the features implemented on those devices and the size of their configuration files. For the purposes of planning your deployment, however, we expect one SDC to support approximately 500 devices. See Using Multiple SDCs on a Single CDO Tenant for more information.
- Connect Cisco Defense Orchestrator to the Secure Device Connector
- Deploy an On-Premises Secure Device Connector Using CDO's VM Image
- Deploy an On-Premises Secure Device Connector on your own VM
- Remove an On-Premises Secure Device Connector
- Secure Device Connector Open Source and 3rd Party License Attribution
- How the SDC Virtual Machine Receives Software Packages and Updates
- Troubleshoot an On-Premise Secure Device Connector
- Update your On-Premises Secure Device Connector