When onboarding a device to CDO using device credentials, CDO considers it a best practice to download and deploy a Secure Device Connector (SDC) in your network to proxy communications between the devices and CDO. However, if you prefer, you can enable a device to receive communications directly from CDO through its outside interface. Adaptive Security Appliances (ASAs), Firepower Threat Defense devices (FTDs), Firepower Management Centers (FMCs), Secure Firewall Cloud Native devices, and SSH and IOS devices can all be onboarded to CDO using an SDC.
The SDC monitors CDO for commands that need to be executed on your managed devices, and messages that need to be sent to your managed devices. The SDC executes the commands on behalf of CDO, sends messages to CDO on behalf of the managed devices, and returns replies from the managed devices to CDO.
The SDC communicates with CDO using messages that are signed and encrypted with AES-128-GCM and carried over HTTPS (TLS 1.2). All credentials for onboarded devices and services are encrypted from the browser directly to the SDC and are also encrypted at rest using AES-128-GCM. Only the SDC has access to the device credentials; no other CDO service can read them. See Connect to Cisco Defense Orchestrator using Secure Device Connector for information on how to allow communication between an SDC and CDO.
The SDC may be installed on an appliance, as a virtual machine on a hypervisor, or in a cloud environment like AWS or Azure. You can install an SDC by using a combined virtual machine and SDC image provided by CDO, or you can create your own virtual machine and install the SDC on it. The SDC virtual appliance includes a CentOS operating system and runs within a Docker container.
Each CDO tenant can have an unlimited number of SDCs. These SDCs are not shared between tenants; each is dedicated to a single tenant. The number of devices a single SDC can manage depends on the features implemented on those devices and the size of their configuration files. For the purposes of planning your deployment, however, expect one SDC to support approximately 500 devices.
Deploying more than one SDC for your tenant also provides these benefits:
- You can manage more devices with your CDO tenant without experiencing performance degradation.
- You can deploy an SDC to an isolated network segment within your network and still manage the devices in that segment with the same CDO tenant. Without multiple SDCs, you would need to manage the devices in those isolated network segments with different CDO tenants.
The procedure for deploying a second or subsequent SDC is the same as for deploying your first SDC. The initial SDC on your tenant incorporates the name of your tenant and the number 1, and is displayed on the Secure Connectors page of CDO. Each additional SDC is numbered in order. See Deploy an On-Premises Secure Device Connector Using CDO's VM Image and Deploy an On-Premises Secure Device Connector on your own VM.
- Connect Cisco Defense Orchestrator to the Secure Device Connector
- Deploy an On-Premises Secure Device Connector Using CDO's VM Image
- Deploy an On-Premises Secure Device Connector on your own VM
- Remove an On-Premises Secure Device Connector
- Secure Device Connector Open Source and 3rd Party License Attribution
- How the SDC Virtual Machine Receives Software Packages and Updates
- Troubleshoot an On-Premise Secure Device Connector
- Update your On-Premises Secure Device Connector