Cisco Defense Orchestrator

Deploy a Secure Device Connector Using CDO's VM Image

When using device credentials to connect CDO to a device, it is a best practice to download and deploy a Secure Device Connector (SDC) in your network to manage the communication between CDO and the device. Typically, these devices are non-perimeter based, do not have a public IP address, or have an open port to the outside interface. Adaptive Security Appliances (ASAs), Firepower Threat Defense devices (FTDs), Firepower Management Centers (FMCs), Secure Firewall Cloud Native devices, and SSH and IOS devices can all be onboarded to CDO using an SDC.

The SDC monitors CDO for commands that need to be executed on your managed devices, and messages that need to be sent to your managed devices. The SDC executes the commands on behalf of CDO, sends messages to CDO on behalf of the managed devices, and returns replies from the managed devices to CDO.   

The number of devices a single SDC can manage depends on the features implemented on those devices and the size of their configuration files. For the purposes of planning your deployment, however, we expect one SDC to support approximately 500 devices. See Using Multiple SDCs on a Single CDO Tenant for more information.

This procedure describes how to install an SDC in your network using CDO's VM image. This is the preferred, easiest, and most reliable way to create an SDC. If you need to create the SDC using a VM that you create, follow Deploy an On-Premise SDC on a Virtual Machine you Create.


  • CDO requires strict certificate checking and does not support Web/Content Proxy inspection between the SDC and the Internet. If using a proxy server, disable inspection for traffic between the SDC and CDO.
  • The SDC must have full outbound access to the Internet on TCP port 443, or the port you have configured for device management. The devices managed by CDO must also allow inbound traffic from this port.
  • Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access.
  • CDO supports installing its SDC VM OVF image using the vSphere web client or the ESXi web client.
  • CDO does not support installing the SDC VM OVF image using the vSphere desktop client.
  • ESXi 5.1 hypervisor.
  • CentOS 7 guest operating system.
  • System requirements for a VM with only an SDC:
    • VMware ESXi host needs 2 CPU.
    • VMware ESXi host needs a minimum of 2 GB of memory.
    • VMware ESXi requires 64GB disk space to support the virtual machine depending on your provisioning choice.
  • System requirements for a VM with an SDC and a single SEC for your tenant. (The SEC is a component used in Cisco Security Analytics and Logging.)
    • VMware ESXi host needs 6 CPU.
    • VMware ESXi host needs a minimum of 10 GB of memory.
    • VMware ESXi requires 64GB disk space to support the virtual machine depending on your provisioning choice.
  • System requirements for a VM with a CDO Connector and a Secure Event Connector (SEC). 
    • CPU: Assign an additional 4 CPUs to accommodate the SEC.
    • Memory: Assign an additional 8 GB of memory for the SEC. 
  • The Docker IP must be in a different subnet than the SDC's IP range and the device IP range.
  • Gather this information before you begin the installation:
    • Static IP address you want to use for your SDC. 
    • Passwords for the root and cdo users that you create during the installation process.
    • The IP address of the DNS server your organization uses. 
    • The gateway IP address of the network the SDC address is on. 
    • The FQDN or IP address of your time server. 
  • The SDC virtual machine is configured to install security patches on a regular basis. This requires port 80 to be open outbound.
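
A pre-flight check for the addressing values gathered above, added here as an example (it is not Cisco's code or part of sdc-onboard). The function name and sample addresses are hypothetical, the Docker bridge is assumed to be given in CIDR form, and "different subnet" is interpreted as "no overlap".

```python
import ipaddress

def preflight(sdc_cidr, gateway, docker_bridge, device_ranges):
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems = []
    sdc_if = ipaddress.ip_interface(sdc_cidr)   # value for the "IP Address/CIDR" prompt
    sdc_net = sdc_if.network
    gw = ipaddress.ip_address(gateway)

    # The static address must be a usable host address (check skipped for /31 and /32).
    if sdc_net.prefixlen < 31 and sdc_if.ip in (sdc_net.network_address,
                                                sdc_net.broadcast_address):
        problems.append(f"{sdc_if.ip} is the network or broadcast address of {sdc_net}")

    # The gateway must be on the SDC's own subnet and must not be the SDC itself.
    if gw not in sdc_net:
        problems.append(f"gateway {gw} is outside {sdc_net}")
    elif gw == sdc_if.ip:
        problems.append(f"gateway {gw} is the same address as the SDC")

    # The Docker bridge, if used, must not overlap the SDC subnet or any device range.
    if docker_bridge:
        docker_net = ipaddress.ip_interface(docker_bridge).network
        if docker_net.overlaps(sdc_net):
            problems.append(f"docker bridge {docker_net} overlaps SDC subnet {sdc_net}")
        for rng in device_ranges:
            dev_net = ipaddress.ip_network(rng, strict=False)
            if docker_net.overlaps(dev_net):
                problems.append(f"docker bridge {docker_net} overlaps device range {dev_net}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from the Cisco page.
    plan = dict(sdc_cidr="192.168.10.20/24", gateway="192.168.10.1",
                docker_bridge="192.168.10.129/25", device_ranges=["10.20.0.0/16"])
    for p in preflight(**plan) or ["no addressing conflicts found"]:
        print(p)
```

Running the check before the sdc-onboard setup prompts catches an overlapping Docker bridge while it is still a planning error rather than a connectivity fault on the deployed VM.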


  1. Log on to the CDO tenant you are creating the SDC for.
  2. Click the User menu and select Secure Connectors.
  3. On the Secure Connectors page, click the blue plus button and select Secure Device Connector.
  4. In Step 1, click Download the SDC VM image. This opens in a separate tab.
  5. Extract all the files from the .zip file. They will look similar to these:
    • CDO-SDC-VM-ddd50fa.ovf
    • CDO-SDC-VM-ddd50fa-disk1.vmdk
  6. Log on to your VMware server as an administrator using the vSphere Web Client from vCenter.

     Note: Do not use the ESXi Web Client.

  7. Deploy the Secure Device Connector virtual machine from the OVF template by following the prompts.
  8. When the setup is complete, power on the SDC VM.
  9. Open the console for your new SDC VM.
  10. Log in with the username cdo. The default password is adm123.
  11. At the prompt, type sudo sdc-onboard setup.

      [cdo@localhost ~]$ sudo sdc-onboard setup

  12. When prompted for the password, enter adm123.
  13. Follow the prompts to create a new password for user root. Enter your password for the root user.
  14. Follow the prompts to create a new password for user cdo. Enter your password for the cdo user.
  15. When prompted with Please choose the CDO domain you connect to, enter your Cisco Defense Orchestrator domain information.
  16. Enter the following domain information of the SDC VM when prompted:
    1. IP Address/CIDR
    2. Gateway
    3. DNS Server
    4. NTP Server or FQDN
    5. Docker Bridge, or press Enter if a docker bridge is not applicable.
  17. When prompted with Are these values correct? (y/n), confirm your entries with y.
  18. Confirm your entries.
  19. When prompted with Would you like to setup the SDC now? (y/n), enter n.
  20. The VM console automatically logs you out.
  21. Create an SSH connection to the SDC. Log in as the cdo user and enter your password.
  22. At the prompt, type sudo sdc-onboard bootstrap.

      [cdo@localhost ~]$ sudo sdc-onboard bootstrap

  23. When prompted with [sudo] password, enter the cdo password you created in step 14.
  24. When prompted with Please copy the bootstrap data form the Secure Connector Page of CDO, follow this procedure:
    1. Log into CDO.
    2. From the user menu, select Secure Connectors.
    3. In the Actions pane, click Deploy an On-Premises Secure Device Connector.
    4. Click Copy the bootstrap data in step 2 of the dialog box and paste into the SSH window.
  25. When prompted with Do you want to update these setting? (y/n), enter n.
  26. Return to the Secure Device Connector page. Refresh the screen until you see the status of your new SDC change to Active.
