Cisco Defense Orchestrator

Deploy an On-Premises Secure Device Connector Using CDO's VM Image

Cisco Defense Orchestrator (CDO) communicates with supported devices and services through the Secure Device Connector (SDC). The SDC enables this communication by acting as a proxy between a remote location and the CDO cloud services.

This procedure describes how to create an SDC for CDO, installed on-premises, using CDO's VM image. This is the preferred, easiest, and most reliable way to create an SDC. If you need to create the SDC on a VM that you build yourself, follow Deploy an On-Premise SDC on a Virtual Machine you Create.

If you have a cloud-based SDC and you want to convert it to an on-premises SDC, start with Switch Between Cloud SDC and On-Premises SDC.

Prerequisites

  • CDO requires strict certificate checking and does not support Web/Content Proxy inspection between the SDC and the Internet. If using a proxy server, disable inspection for traffic between the SDC and CDO.
  • The SDC must have full outbound access to the Internet on TCP port 443.
  • Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access.
  • CDO supports installing its SDC VM OVF image using the vSphere web client or the ESXi web client.
  • CDO does not support installing the SDC VM OVF image using the vSphere desktop client.
  • ESXi 5.1 hypervisor.
  • CentOS 7 guest operating system.
  • System requirements for a VM with only an SDC:
    • VMware ESXi host needs 2 CPUs.
    • VMware ESXi host needs a minimum of 2 GB of memory.
    • VMware ESXi requires 64 GB of disk space to support the virtual machine, depending on your provisioning choice.
  • System requirements for a VM with an SDC and a single SEC for your tenant. (The SEC is a component used in Cisco Security Analytics and Logging.)
    • VMware ESXi host needs 6 CPUs.
    • VMware ESXi host needs a minimum of 10 GB of memory.
    • VMware ESXi requires 64 GB of disk space to support the virtual machine, depending on your provisioning choice.
  • System requirements for a VM with a light-weight SDC and a Secure Event Connector (SEC). Use these requirements if you are installing a second, third, or additional SEC. (The SEC is a component used in Cisco Security Analytics and Logging.)
    • CPU: Assign an additional 4 CPUs to accommodate the SEC.
    • Memory: Assign an additional 8 GB of memory for the SEC.
  • Gather this information before you begin the installation:
    • Static IP address you want to use for your SDC.
    • Passwords for the root and cdo users that you create during the installation process.
    • The IP address of the DNS server your organization uses.
    • The gateway IP address of the network the SDC address is on.
    • The FQDN or IP address of your time server.
  • The on-premises SDC virtual machine is configured to install security patches on a regular basis; to allow this, outbound access on port 80 is required.
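A pre-flight check for the values the list above asks you to gather (static IP, gateway, DNS server) and for the two network requirements (outbound TCP 443 and no TLS inspection in the path). This is an added example, not part of CDO or the sdc-onboard tool; the prefix length and the CDO host name are assumptions you supply, and reach_cdo needs network access.

```shell
#!/bin/sh
# Added pre-flight helper for an on-premises SDC VM. Example code, not part of
# CDO or sdc-onboard. Written for the CentOS 7 /bin/sh used by the SDC image.

# valid_ipv4 ADDR: succeed only for a dotted quad of four decimal octets 0-255
valid_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac   # empty, non-digit, leading zero
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# ip_to_int ADDR: print the address as a 32-bit unsigned integer
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B PREFIXLEN: succeed if A and B are on the same /PREFIXLEN network
same_subnet() {
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# preflight SDC_IP GATEWAY PREFIXLEN DNS_IP: validate the gathered values before
# typing them into "sudo sdc-onboard setup"; prints the first problem found
preflight() {
  for a in "$1" "$2" "$4"; do
    valid_ipv4 "$a" || { echo "not a valid IPv4 address: $a"; return 1; }
  done
  case $3 in ''|*[!0-9]*) echo "bad prefix length: $3"; return 1 ;; esac
  [ "$3" -le 32 ] || { echo "bad prefix length: $3"; return 1; }
  [ "$1" != "$2" ] || { echo "SDC address equals the gateway"; return 1; }
  same_subnet "$1" "$2" "$3" || { echo "gateway $2 is not on $1/$3"; return 1; }
  echo "ok"
}

# reach_cdo HOST: curl validates the server certificate, so this fails both when
# outbound TCP 443 is blocked and when a proxy re-signs the certificate for
# inspection, the two conditions the prerequisites rule out. HOST is a
# placeholder for your tenant's CDO domain (assumption, not from the page).
reach_cdo() {
  curl --silent --show-error --max-time 10 --output /dev/null "https://$1/" \
    && echo "TLS to $1:443 OK, certificate validated"
}

if [ $# -ge 4 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh <sdc-ip> <gateway> <prefix-length> <dns-ip>` from the SDC console before step 5 of the setup prompts.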

Procedure

  1. Log on to the CDO Tenant you are creating the SDC for.
  2. Click the Account menu and select Secure Connectors.

  3. Click Deploy an On-Premises Secure Device Connector.
  4. In Step 1, click Download the SDC VM image.
  5. Extract all the files from the .zip file. They will look similar to these:
    • CDO-SDC-VM-ddd50fa.ovf
    • CDO-SDC-VM-ddd50fa.mf
    • CDO-SDC-VM-ddd50fa-disk1.vmdk

  6. Log on to your VMware server as an administrator using the vSphere Web Client.

Note: Do not use the ESXi Web Client; use the vSphere Web Client from vCenter.

  7. Deploy the on-premises Secure Device Connector virtual machine from the OVF template by following the prompts.
  8. When the setup is complete, power on the SDC VM.
  9. Open the console for your new SDC VM.
  10. Log in as the cdo user. The default password is adm123.
  11. At the prompt, type sudo sdc-onboard setup:
     [cdo@localhost ~]$ sudo sdc-onboard setup
  12. When prompted, enter the default password for the cdo user: adm123
  13. Follow the prompts to create a new password for the root user.
  14. Follow the prompts to create a new password for the cdo user.
  15. Follow the prompts to enter your Cisco Defense Orchestrator domain information.
  16. Enter the static IP address you want to use for the SDC VM.
  17. Enter the gateway IP address for the network on which the SDC VM is installed.
  18. Enter the NTP server address or FQDN for the SDC VM.
  19. When prompted, enter the information for the Docker bridge, or leave it blank if it is not applicable, and press <Enter>.
  20. Confirm your entries.
  21. Log out of the VM console session by typing n when prompted, "Would you like to setup the SDC now?"
  22. Create an SSH connection to the SDC by logging in as the cdo user.
  23. At the prompt, type sudo sdc-onboard bootstrap:
     [cdo@localhost ~]$ sudo sdc-onboard bootstrap


  24. When prompted, enter the cdo password you created in step 11.
  25. When prompted, return to CDO and copy the bootstrap data, then paste it into your SSH session.

To copy the bootstrap data:

  1. Log into CDO.
  2. From the user menu, select Secure Connectors.
  3. In the Actions pane, click Deploy an On-Premises Secure Device Connector.
  4. Copy the bootstrap data in step 2 of the dialog box.


  26. When you are satisfied with the bootstrap settings, enter n when asked whether you want to update the settings.
  27. Return to the Secure Device Connector page. Refresh the screen until you see the status of your new SDC change to Active.