Cisco Defense Orchestrator (CDO) enables communication between supported devices and services to CDO via the Secure Device Connector (SDC). The SDC enables this communication by acting as a proxy between a remote location and CDO cloud services.
This procedure describes how to create an SDC for CDO, installed on-premise, using CDO's VM image. This is the preferred, easiest, and most reliable way to create an SDC. If you need to create the SDC using a VM that you create, follow Deploy an On-Premise SDC on a Virtual Machine you Create.
- CDO requires strict certificate checking and does not support a Web/Content Proxy between the SDC and the Internet.
- We require allowing the SDC full outbound access to the Internet on TCP port 443.
- Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access.
- VMware ESXi host installed with vCenter web client.
- VMware ESXi host needs 8GB of memory and up to 64GB disk space to support the virtual machine depending on your provisioning choice.
- Gather this information before you begin the installation:
- Static IP address you want to use for your SDC.
- Passwords for the root and cdo users that you create during the installation process.
- The IP address of the DNS server your organization uses.
- The gateway IP address of the network the SDC address is on.
- The FQDN or IP address of your time server.
- The on-premise SDC virtual machine is configured to install security patches on a regular basis and in order to do this, opening port 80 outbound is required.
- Log on to the CDO Tenant you are creating the SDC for.
- Click the Account menu and select Secure Connectors.
- Click Deploy an On-Premises Secure Device Connector.
- In Step 1, click Download the SDC VM image.
- Extract all the files from the .zip file. They will look similar to these:
- Log on to your VMware server as an administrator using the vSphere Web Client.
Note: Do not use the vSphere Client use the vSphere Web Client.
- Deploy the on-premise Secure Device Connector virtual machine from the OVF template.
Notes about Wizard entries:
- Source page: Select template of the Deploy OVF Template wizard, when uploading the CDO-SDC-VM files, select all three files you extracted from the .zip file you downloaded. If the version of vSphere Web Client you use only allows you to upload one file, upload the .ovf file.
- Properties page:
- Section 1: Credentials - Save the passwords for the "root" and "cdo" user.
- Section 2: Network - Step 4. NTP Server - It is considered a "best practice" to enter an IP address or FQDN of an NTP server. Without an NTP server, you may have trouble onboarding your devices.
On the host server that is running ESXi, there is a time set on the system. If you enable "guest time sync" on your SDC VM, it will get the time from the host machine running ESXi. But if that time is incorrect or the time is not time synced via NTP, it will prevent correct and consistent communication from the SDC. This is why you must define an NTP server.
- Section 3: Authentication - When you reach Step 3, CDO Authentication, return to the Cisco Defense Orchestrator, Deploy OVF Template dialog box and click Copy bootstrap data . Then, return to the vSphere web client and enter the CDO Bootstrap data in the "CDO Bootstrap Data" field. Click OK.
- Review the entries in the Ready to complete section and click Finish if the entries are correct.
- After deploying the SDC OVF in your vSphere, start the VM.
- Return to the Secure Device Connector page. Refresh the screen until you see the status of your new SDC change to Active.
SDC status does not become active on CDO
- If CDO does not indicate that your on-premise SDC is active after about 10 minutes, open a local console and connect to the SDC VM using SSH. Use the cdo user and password you created during setup.
- Review the instructions on the terminal.
- The /opt/cdo/configure.log log shows you the configuration settings you entered for the SDC and if they were applied successfully.
- Running sudo sdc-onboard setup guides you through all the configuration steps you took in the setup wizard GUI and gives you an opportunity to make changes.
- If after reviewing the log and running sdc-onboard,CDO still does not indicate that the SDC is Active contact Defense Orchestrator support.