To use Apex One SaaS in hybrid mode, the environment must fulfill the following prerequisites:

  • Certificate Backup

    Back up the certificate for Apex Central On-Premise: TMCM_CA_Cert.pem, which can be found in %directory%\Trend Micro\Control Manager\Certificate\CA

  • Licenses
    List, or take a screenshot of, the Apex One as a Service licenses that you have obtained. You can take the screenshot from the following pages of the Apex One as a Service console:
    • Go to Administration > License Management > Managed Products.

      License of Managed Products

    • Go to Administration > License Management > Apex Central.

      License of Apex Product

  • Patch Level
    Product                   Required Patch
    Apex Central on-premise   Hotfix build 4604 or later
    Apex One on-premise       Critical Patch 2146 or later
     
    • If the customer is using Apex One On-Premise with the Endpoint Sensor feature, Critical Patch 2146 is required for investigation tasks to work in a hybrid environment.
    • The Endpoint Sensor license must be deployed to your Apex One SaaS before switching to Hybrid Mode. If you are already in Hybrid Mode, contact Trend Micro Support to enable Endpoint Sensor. Note that the Endpoint Sensor license is purchased separately.
     
  • Network Configuration
    • Firewall Exception
      Direction   Allow rule
      Inbound     TCP, port 443 (source is Apex One as a Service)
      Outbound    The server address and port of the on-premise TMCM or Apex Central server
    • IP/Domain/DNS whitelisting:
      Refer to this KB article for the list of IP addresses, domains, and DNS names to whitelist: https://success.trendmicro.com/solution/KA-0012233
  1. Download the Apex One as a Service Remote Connection Tool and extract it.

    Extract the tool

    Extracted folder contents

  2. Sign the certificate for the Apex One as a Service remote connection tool using one of the following options, depending on your CA:
    • For Users using the default CA for On-Premise Control Manager or Apex Central Server:
      1. From the extracted Apex One as a Service Remote Connection Tool_03072019\RemoteConnectionTool\Cert signing script folder, copy TMCM_SignCert.bat to "<Control Manager or Apex Central installation folder>\Certificate" on the On-Premise TMCM or Apex Central server.
      2. Open a command prompt as an administrator.
      3. Navigate to the <Control Manager or Apex Central installation folder>\certificate folder.
      4. From that folder, run the batch file as administrator: “<Control Manager or Apex Central installation folder>\certificate\TMCM_SignCert.bat <common name of the host to install Apex One as a Service remote connection tool>”.
       
      Choose the common name carefully when signing the certificate. It must be either the host name or the FQDN of the server on which the Apex One as a Service remote connection tool is installed, and it must be a name that Apex One as a Service can connect to.
       
    • For users using their own CA for the On-Premise Control Manager or Apex Central server:
      1. Generate a CSR file for the Apex One as a Service Remote Connection Tool by running the following command in the "certificate signing request script" folder of the extracted OfficeScan as a Service remote connection tool_112217.zip:
        CSRGenerate.bat <common name of the host to install Apex One as a Service remote connection tool>
        After running the command, two (2) files are generated in the SignedCert folder:
        • WebServer_Key.pem
        • WebServer_Req.pem
      2. Generate the certificate with your organization's CA: copy the WebServer_Req.pem generated in the previous step to the organization's CA host and sign it. The resulting certificate is referred to here as WebServer_Cert.pem.
      3. Convert the certificate to p12 format: copy WebServer_Cert.pem back to the “certificate signing request script\SignedCert” folder on the Apex One as a Service Remote Connection Tool host and run:
        CertificateConvert.bat SignedCert\WebServer_Key.pem SignedCert\WebServer_Cert.pem
        After running the command, the file SignedCert\WebServer_Cert.p12 is generated.
  3. Install the Apex One as a Service remote connection tool on the DMZ host.
    Copy the extracted package files under the "RemoteConnectionTool\RemoteConnectionTool" folder to "C:\Program Files (x86)\Trend Micro\Smart Relay" on the host (create the folder if needed), then run install.bat as administrator to set up Smart Relay as a service.
     
    Do not start the Smart Relay service at this point.
     
  4. Install the certificate signed by Control Manager or Apex Central on the host where the Apex One as a Service remote connection tool is installed.
    1. Copy the certificate “<Control Manager or Apex Central installation Folder>\Certificate\SignedCert\WebServer_Cert.p12” signed in Step 1.2 to the DMZ server.
    2. Open mmc (Microsoft management console) and add Snap-ins by going to File > Add/Remove Snap-in.
    3. Add certificates snap-in and choose Computer account.
    4. Navigate to Personal > Certificates, then right-click Certificates. Click All Tasks > Import, and choose the WebServer_Cert.p12 obtained in Step 1.2. (You do not need to type a password during the certificate import process.)
  5. Configure the Apex One as a Service remote connection tool in apricot_config.xml
    1. Configure the common name of the server on which the Apex One as a Service remote connection tool is installed:
      <cert_cn>Common_Name_of_Host</cert_cn>
    2. Under the <name>TMCM</name>, configure the address of the Control Manager or Apex Central host.
      <uplink_server>https://[Control Manager or Apex Central_address]:[port]</uplink_server>
  6. Start the Smart Relay service by running “net start smartrelay” command.
  7. In Windows Services, set the Startup type of the Smart Relay service to Automatic after the entire configuration is completed.
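As an added example that is not part of this article and is not Trend Micro's CSRGenerate.bat or CertificateConvert.bat, the following POSIX shell script performs the same CSR, CA-signing and PKCS#12 steps as option II of Step 2 with plain OpenSSL, and then runs the checks a practitioner would want before copying the .p12 to the DMZ host: the issued certificate's CN (and SAN) is the host name that was requested, the certificate chains to the signing CA, and the .p12 opens with the empty password the import step expects. The organization CA is a throwaway one created by the script, and the host name relay.example.internal, the WORK directory and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Trend Micro's CSRGenerate.bat / CertificateConvert.bat):
# a plain-OpenSSL version of the CSR -> CA signing -> PKCS#12 flow.
# The "organization CA" is a throwaway one generated here for demonstration.
set -eu

# Working directory for all generated files (assumption: any writable directory).
WORK="${WORK:-$(mktemp -d)}"

# Step 1 equivalent: private key + CSR for the remote connection tool host.
# The CN must be the host name or FQDN that Apex One as a Service will use
# to reach this host; a CN that does not match breaks the TLS connection.
make_csr() {
    cn="$1"
    mkdir -p "$WORK/SignedCert"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" \
        -keyout "$WORK/SignedCert/WebServer_Key.pem" \
        -out "$WORK/SignedCert/WebServer_Req.pem" 2>/dev/null
}

# Step 2 equivalent: the organization CA signs the request. A SAN carrying the
# same name is added because modern TLS clients match the SAN, not the CN.
sign_with_org_ca() {
    cn="$1"
    if [ ! -f "$WORK/OrgCA_Cert.pem" ]; then
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Example Org CA" \
            -keyout "$WORK/OrgCA_Key.pem" -out "$WORK/OrgCA_Cert.pem" 2>/dev/null
    fi
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" > "$WORK/server_ext.cnf"
    openssl x509 -req -days 365 \
        -in "$WORK/SignedCert/WebServer_Req.pem" \
        -CA "$WORK/OrgCA_Cert.pem" -CAkey "$WORK/OrgCA_Key.pem" -CAcreateserial \
        -extfile "$WORK/server_ext.cnf" \
        -out "$WORK/SignedCert/WebServer_Cert.pem" 2>/dev/null
}

# Step 3 equivalent: bundle key, certificate and issuing CA into a .p12.
# The empty export password matches the note that no password is typed
# when importing the file into the computer certificate store.
convert_to_p12() {
    openssl pkcs12 -export \
        -inkey "$WORK/SignedCert/WebServer_Key.pem" \
        -in "$WORK/SignedCert/WebServer_Cert.pem" \
        -certfile "$WORK/OrgCA_Cert.pem" \
        -passout pass: \
        -out "$WORK/SignedCert/WebServer_Cert.p12"
}

# Checks to run before copying the .p12 to the DMZ host.
issued_cn() {            # prints the CN of the issued certificate
    openssl x509 -in "$WORK/SignedCert/WebServer_Cert.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/^CN=//'
}
issued_san() {           # prints the DNS names in the SAN, one per line
    openssl x509 -in "$WORK/SignedCert/WebServer_Cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true
}
chain_ok() {             # "ok" if the certificate verifies against the CA
    if openssl verify -CAfile "$WORK/OrgCA_Cert.pem" "$WORK/SignedCert/WebServer_Cert.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
p12_ok() {               # "ok" if the .p12 opens with the empty password
    if openssl pkcs12 -in "$WORK/SignedCert/WebServer_Cert.p12" -passin pass: -nokeys >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Usage: sh sign_relay_cert.sh relay.example.internal   (constructed host name)
if [ "${1:-}" ]; then
    make_csr "$1"; sign_with_org_ca "$1"; convert_to_p12
    echo "CN: $(issued_cn)  SAN: $(issued_san | tr '\n' ' ') chain: $(chain_ok)  p12: $(p12_ok)"
fi
```

With a real organization CA, replace sign_with_org_ca with your CA's own signing procedure and keep the rest; the CN and SAN checks are the ones that catch the mismatch the note under option I warns about.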
  1. Add the FQDN or host name and the port number of the server on which the Apex One as a Service remote connection tool is installed to the on-premise Control Manager or Apex Central server's “<Control Manager or Apex Central installation folder>/SystemConfiguration.xml":
    <m_SaaSReverseProxyAddress> and <m_SaaSReverseProxyPort>
     
    If Apex Central was installed with an internet connection, the remote connection tool is not required, but you still need to specify the public-facing IP (or FQDN) and port here.
     
  2. Restart the "Trend Micro Control Manager" or "Trend Micro Apex Central" service.
 
  • Apex One as a Service only supports re-registration to an On-Premise TMCM 7.0 (or later) or Apex Central server.
  • If you are registering to an on-premise Control Manager 7.0 (or later) or Apex Central server, you must first run the Apex One as a Service Remote Connection Tool on an endpoint in the DMZ to facilitate communication between the cloud-based Apex One as a Service console and the local Control Manager or Apex Central server.
 
  1. Log in to Apex Central SaaS and SSO to the Apex One SaaS web console.

    Apex Central Console

  2. Go to Administration > Settings > Apex Central.

    Apex Central Settings

  3. Click Register to a Different Apex Central Server.

    Register to a Different Server

  4. Under the Apex Central Connection window, specify the following:
    • The Server FQDN or IP address of the machine on which the Apex One as a Service Remote Connection Tool is installed (from Step 1).
       
      It is recommended to specify an On-Premise TMCM or Apex Central server that is different from the server to which Apex One as a Service is currently registered. If you have set up an endpoint to establish a remote connection to an on-premise TMCM or Apex Central server, specify the Server FQDN or IP address of the remote connection endpoint.
       
    • The port (HTTPS) of the machine on which the Apex One as a Service Remote Connection Tool is installed (from Step 1).
       
      If you have set up an endpoint to establish a remote connection to an on-premise Control Manager or Apex Central server, specify the Port (HTTPS) of the remote connection endpoint.
       
    • The Apex Central Certificate to use. Beside the Control Manager or Apex Central certificate, click Browse... and select the certificate file downloaded from the target Control Manager or Apex Central server.
      To obtain the Control Manager or Apex Central certificate file, go to the On-Premise TMCM or Apex Central server and copy the certificate file to the Apex One as a Service server from the following location: <TMCM or Apex Central installation folder>\Certificate\CA\TMCM_CA_Cert.pem.
       
      If your company uses a customized certificate on the Control Manager or Apex Central server, use the same WebServer_Cert.pem signed by your CA from Option II in Step 1.
       
    • (Optional) If the IIS web server of the on-premise Control Manager or Apex Central server requires authentication, type the user name and password.
    • Specify the Entity display name that identifies the Apex One as a Service server on the Control Manager or Apex Central console. By default, the entity display name includes the server computer's host name and this product's name (for example, Server_OSCE). Click Connect.

      Apex Central Connection

  1. Log on to the Apex Central as a Service console.
  2. Go to Administration > Managed Servers > Server Registration, and then select Apex One (Mac) as the Server Type.

    Server Registration

  3. Click the Delete icon on the right side of the Apex One (Mac) server hyperlink.

    Delete Server

     
    Before deleting the Apex One (Mac) server, make a copy of the server URL first.
     
  4. Log on to the On-Premise Control Manager or Apex Central console.
  5. Go to Administration > Managed Servers > Server Registration > select Apex One as the Server Type > Single Sign-On to Apex One as a Service.

    Server Registration

  6. On the Apex One as a Service console, go to Administration > Account Management > User Accounts.

    User Account Management

  7. Add a user account with the built-in Administrator role, specifying a username and password.
  8. Go back to the On-premise Apex Central console or On-premise Control Manager console.
  9. Go to Administration > Managed Servers, select Apex One (Mac) as the Server Type and click Add.

    Add Server

  10. Provide the Apex One (Mac) SaaS server URL, then click Save.
     
    Use the server URL you copied in Step 4 and the account/password created in Step 7.
     
  11. Wait for a minute, then click Refresh.
  12. Click the Apex One (Mac) as a Service console hyperlink and check that you can SSO to the Apex One (Mac) as a Service console.
  • Certificate Backup

    Back up the certificate for Apex Central On-Premise: TMCM_CA_Cert.pem, which can be found in %directory%\Trend Micro\Control Manager\Certificate\CA

  • Licenses
    List, or take a screenshot of, the Apex One SaaS licenses that you have obtained. You can take the screenshot from the following pages of the Apex One SaaS console:
    • Go to Administration > License Management > Managed Products.
    • Go to Administration > License Management > Apex Central.
  • Patch Level
    Product                   Required Patch
    Apex Central on-premise   Hotfix build 4604 or later
    Apex One on-premise       Critical Patch 2146 or later
     
    • If the customer is using Apex One On-Premise with the Endpoint Sensor feature, Critical Patch 2146 is required for investigation tasks to work in a hybrid environment.
    • The Endpoint Sensor license must be deployed to your Apex One SaaS before switching to Hybrid Mode. If you are already in Hybrid Mode, contact Trend Micro Support to enable Endpoint Sensor. Note that the Endpoint Sensor license is purchased separately.
     
  • Network Configuration
    • Firewall Exception
      Source                       Destination                  Port      Protocol
      Apex One as a Service URL    Apex Central On-Premise      443, 80   TCP
      Apex Central On-Premise      Apex One as a Service URL    443, 80   TCP
    • IP/Domain/DNS whitelisting:
      Refer to this KB article for the list of IP addresses, domains, and DNS names to whitelist: https://success.trendmicro.com/solution/KA-0012233
  • Certificate
    1. The Common Name (CN) in the subject of the Apex Central On-Premise certificate must be the FQDN of the Apex Central web console.

      Apex Central Common Name

    2. The FQDN in the Apex Central On-Premise certificate must resolve to the public-facing IP address from the internet (e.g. from the Apex One SaaS side).
    3. The FQDN in the Apex Central On-Premise certificate must resolve to the internal-facing IP address from the intranet (e.g. from Apex One On-Premise or other managed On-Premise Trend Micro products).
    4. (Optional) If the customer uses a commercial CA to issue the certificate, both the CN in the subject and the DNS Name in the Subject Alternative Name of the Apex Central On-Premise certificate must be the same FQDN.

      Subject Alternative Name
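To check items 1 and 4 of the certificate requirements before registering, here is an added example in POSIX shell that is not part of this article and not a Trend Micro tool: it reads the CN and the SAN DNS names out of a PEM certificate with OpenSSL and reports whether they equal the console FQDN. The certificates it checks are constructed by the script itself (apexcentral.example.com and the other names are placeholders); in practice point cert_requirements_ok at the exported Apex Central certificate. Items 2 and 3 depend on which resolver answers, so resolved_addresses only reports what this host sees and is meant to be run once from the intranet and once from an internet-connected host. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article: checks the certificate-side
# requirements for an Apex Central On-Premise certificate with OpenSSL.
set -eu

# Common Name from the subject of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS names from the Subject Alternative Name, one per line (empty if none).
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true
}

# Item 1: CN must equal the console FQDN. Item 4: if a SAN is present it must
# carry that same FQDN (TLS clients match the SAN, not the CN, so a certificate
# whose SAN names something else fails even with a correct CN).
# Prints "OK" or a line starting with "FAIL:".
cert_requirements_ok() {
    cert="$1"; fqdn="$2"
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: subject CN '$cn' is not the console FQDN '$fqdn'"; return 0
    fi
    case "$fqdn" in
        *.*) ;;
        *) echo "FAIL: '$fqdn' is a bare host name, not an FQDN"; return 0 ;;
    esac
    sans=$(cert_san_dns "$cert")
    if [ -n "$sans" ] && ! printf '%s\n' "$sans" | grep -qx "$fqdn"; then
        echo "FAIL: SAN DNS names [$(printf '%s' "$sans" | tr '\n' ' ')] do not include '$fqdn'"; return 0
    fi
    echo "OK"
}

# Items 2 and 3: what the FQDN resolves to from *this* host. Run it from
# inside the intranet and from an internet-connected host and compare.
resolved_addresses() {
    getent hosts "$1" 2>/dev/null | awk '{print $1}' || true
}

# Constructed, self-signed throwaway certificates used to exercise the checks.
make_test_cert() {   # arguments: output file, CN, SAN DNS name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$3" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

# Usage: sh check_apex_central_cert.sh <certificate.pem> <console FQDN>
if [ $# -eq 2 ]; then
    cert_requirements_ok "$1" "$2"
    echo "Resolves here to: $(resolved_addresses "$2" | tr '\n' ' ')"
fi
```

A certificate whose CN is the console FQDN but whose SAN lists an internal-only name is the case item 4 is about; the check reports it as a FAIL even though the CN alone looks right.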

  1. Add the IP address and port number of the server on which the Apex One as a Service remote connection tool is installed to the on-premise Control Manager or Apex Central server's “<Control Manager or Apex Central installation folder>/SystemConfiguration.xml":
    <m_SaaSReverseProxyAddress> and <m_SaaSReverseProxyPort>
     
    If Apex Central was installed with an internet connection, the remote connection tool is not required, but you still need to specify the public-facing IP (or FQDN) and port here.
     
  2. Restart the "Trend Micro Control Manager" or "Trend Micro Apex Central" service.
 
  • Apex One as a Service only supports re-registration to an On-Premise TMCM 7.0 (or later) or Apex Central server.
  • If you are registering to an on-premise Control Manager 7.0 (or later) or Apex Central server, you must first run the Apex One as a Service Remote Connection Tool on an endpoint in the DMZ to facilitate communication between the cloud-based Apex One as a Service console and the local Control Manager or Apex Central server.
 
  1. Log in to Apex Central SaaS and SSO to the Apex One SaaS web console.

    Apex Central Console

  2. Go to Administration > Settings > Apex Central.

    Apex Central Settings

  3. Click Register to a Different Apex Central Server.

    Register to a Different Server

  4. Under the Apex Central Connection window, specify the following:
    • The Server FQDN or IP address: use the published FQDN of your Apex Central.
    • The port (HTTPS): 443
    • The Apex Central Certificate to be used. Beside the Control Manager or Apex Central certificate, click Browse... and select the certificate file downloaded from the target Control Manager or Apex Central server.
      To obtain the Control Manager or Apex Central certificate file, go to the On-Premise TMCM or Apex Central server and copy the certificate file to the Apex One as a Service server from the following location: <TMCM or Apex Central installation folder>\Certificate\CA\TMCM_CA_Cert.pem.
       
      If your company uses a customized certificate on the Apex Central server, you must upload the Root CA certificate during the Apex Central registration.
       
    • (Optional) If the IIS web server of the on-premise Control Manager or Apex Central server requires authentication, type the user name and password.
    • Specify the Entity display name that identifies the Apex One as a Service server on the Control Manager or Apex Central console. By default, the entity display name includes the server computer's host name and this product's name (for example, Server_OSCE). Click Connect.

      Apex Central Connection
