Skip to main content

 

 

Cisco Defense Orchestrator

Deploy an On-Premises Secure Device Connector Using CDO's VM Image

Cisco Defense Orchestrator (CDO) enables communication between supported devices and services to CDO using the Secure Device Connector (SDC). The SDC enables this communication by acting as a proxy between a remote location and CDO cloud services.

This procedure describes how to create an SDC for CDO, installed on-premise, using CDO's VM image. This is the preferred, easiest, and most reliable way to create an SDC. If you need to create the SDC using a VM that you create, follow Deploy an On-Premise SDC on a Virtual Machine you Create

If you have a cloud-based SDC and you want to convert it to an on-premises SDC, start with Switch Between Cloud SDC and On-Premises SDC.

Prerequisites

  • CDO requires strict certificate checking and does not support Web/Content Proxy inspection between the SDC and the Internet. If using a proxy server, disable inspection for traffic between the SDC and CDO.
  • The SDC must have full outbound access to the Internet on TCP port 443, or the port you have configured for device management. If the devices managed by CDO must also allow inbound traffic from this port.
  • Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access.
  • CDO supports installing its SDC VM OVF image using the vSphere web client or the ESXi web client.
  • CDO does not support installing the SDC VM OVF image using the vSphere desktop client.
  • ESXi 5.1 hypervisor.
  • Cent OS 7 guest operating system.
  • System requirements for a VM with only an SDC:
    • VMware ESXi host needs 2 CPU.
    • VMware ESXi host needs a minimum of 2 GB of memory.
    • VMware ESXi requires 64GB disk space to support the virtual machine depending on your provisioning choice.
  • System requirements for a VM with an SDC and a single SEC for your tenant. (The SEC is a component used in Cisco Security Analytics and Logging.)
    • VMware ESXi host needs 6 CPU.
    • VMware ESXi host needs a minimum of 10 GB of memory.
    • VMware ESXi requires 64GB disk space to support the virtual machine depending on your provisioning choice.
  • System requirements for a VM with a light-weight SDC and a Secure Event Connector (SEC). Use these requirements if you are installing a second, third, or additional SEC. The SEC is a component used in Cisco Security Analytics and Logging.)
    • CPU: Assign an additional 4 CPUs to accommodate the SEC.
    • Memory: Assign an additional 8 GB of memory for the SEC. 
  • The dockers IP must be in a different subnet than the SDC's IP range and the device IP range.
  • Gather this information before you begin the installation:
    • Static IP address you want to use for your SDC. 
    • Passwords for the root and cdo users that you create during the installation process.
    • The IP address of the DNS server your organization uses. 
    • The gateway IP address of the network the SDC address is on. 
    • The FQDN or IP address of your time server. 
  • The on-premise SDC virtual machine is configured to install security patches on a regular basis and in order to do this, opening port 80 outbound is required.

Procedure

  1. Log on to the CDO Tenant you are creating the SDC for.
  2. Click the Account menu and select Secure Connectors.

account_menu.jpg

  1. Click Deploy an On-Premises Secure Device Connector.
    onprem_2.png
  2. In Step 1, click Download the SDC VM image. This opens in a separate tab.deploy_onprem_1.png
  3. Extract all the files from the .zip file. They will look similar to these:
    • CDO-SDC-VM-ddd50fa.ovf
    • CDO-SDC-VM-ddd50fa.mf
    • CDO-SDC-VM-ddd50fa-disk1.vmdk

6. Log on to your VMware server as an administrator using the vSphere Web Client. 

Note: Do not use the ESXi Web Client use the vSphere Web Client from vCenter.

  1. Deploy the on-premise Secure Device Connector virtual machine from the OVF template by following the prompts. 
  2. When the setup is complete, power on the SDC VM.
  3. Open the console for your new SDC VM.
  4. Login with the username cdo. The default password is adm123.
  5. At the prompt, type sudo sdc-onboard setup.
[cdo@localhost ~]$ sudo sdc-onboard setup
  1. When prompted for the password, enter adm123 .
  2. Follow the prompts to create a new password for user  root. Enter your password for the root user.
  3. Follow the prompts to create a new password for user cdo. Enter your password for the cdo user
  4. When prompted with Please choose the CDO domain you connect to, enter your Cisco Defense Orchestrator domain information.
  5. Enter the following domain information of the SDC VM when prompted:
    1. IP Address/CIDR
    2. Gateway
    3. DNS Server
    4. NTP Server or FQDN
    5. Docker Bridge or press enter if a docker bridge is not applicable.
  6. When prompted with Are these values correct? (y/n), confirm your entries with  y.
  7. Confirm your entries.
  8. When prompted with Would you like to setup the SDC now? (y/n), enter n.
  9. The VM console automatically logs you out. 
  10. Create an SSH connection to the SDC. Login as: cdo and enter your password.
  11. At the prompt, type sudo sdc-onboard bootstrap.
[cdo@localhost ~]$ sudo sdc-onboard bootstrap
  1. When prompted with [sudo] password, enter the cdo password you created in step 14.
  2. When prompted with Please copy the bootstrap data form the Secure Connector Page of CDO, follow this procedure:
    1. Log into CDO.
    2. From the user menu, select Secure Connectors.
    3. In the Actions pane, click Deploy an On-Premises Secure Device Connector.
    4. Click Copy the bootstrap data in step 2 of the dialog box and paste into the SSH window.
       

deploy_onprem_2.png

  1. When prompted with Do you want to update these setting? (y/n)enter n.

  2. Return to the Secure Device Connector page. Refresh the screen until you see the status of your new SDC change to Active

Related Article: