Follow these steps:

Refer to the Deep Discovery Installation and Deployment Guide.

DDAN hardening can be performed by separating the Management Port and the System Port. The current Management Port settings can be seen under Administration > System Settings in the DDAN network settings.

Below are the steps to separate the Management Port and the System Port:

  1. Enable the System Port of DDAN.
    1. Open the RDQA page, which is used to separate the Management Port and the System Port, at the following URL:

      https://<DDAN IP>/pages/rdqa.php

    2. Go to System Settings.
    3. Look for the section Port Binding.
    4. The default setting binds services to eth0 only.
    5. Under Bind service to: select eth0(management) and eth1(system).
    6. Click Save.
    7. On the Port Binding popup message, click Configure Now.
  2. Configure the System Port IP address settings.
    1. Under the eth1(system) section, populate the required fields (IP address, Subnet mask, Gateway, DNS server).
    2. Click Save.
    3. After clicking Save, wait for the operation to complete; a "Saving…" status is displayed in the meantime.
    4. Afterwards, the message "The setting has been saved." appears at the top corner of the web console.

    Once both ports are configured, the network settings show separate addresses for the Management Port and the System Port.

Please take note of the caveats below before registering DDAN with Apex Central:

  • In Apex Central, there is only one text box to enter the FQDN of DDAN.
  • This FQDN is synchronized to the Apex One as a Service server (cloud), which uses it when submitting samples to DDAN (on premise).
  • The port forwarding rule on the firewall must point to the System Port IP address of DDAN, not to the Management Port IP address.
  • At the same time, Apex Central needs to communicate with the Management Port IP address of DDAN. If it attempts to register using the System Port IP address of DDAN, registration fails.
  • The workaround is to override the hosts file of Apex Central and map the Management Port IP address of DDAN to its public FQDN.
  • Edit the hosts file by adding a line that maps the Management Port IP address of DDAN to the public FQDN. This way the Apex Central server knows how to reach the Management IP of DDAN, while the Apex One as a Service server still uses the public FQDN and DNS to resolve the public IP, which is port forwarded to the DDAN System Port to receive sample submissions.

Below are the steps:

  1. Go to Apex Central Server.
  2. Open the Command prompt as Administrator, and enter the following command:

    notepad C:\Windows\System32\drivers\etc\hosts

  3. Add the following line:

    <X.X.X.X> <DDAN_PUBLIC_FQDN>

    Below is an example where 172.20.0.36 is the Management IP of Deep Discovery Analyzer and vddan.tekchallenge.com is its public FQDN:

    172.20.0.36 vddan.tekchallenge.com

    For more information on editing the hosts file, refer to the page How to Edit the HOSTS File in Windows.
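
Added example (not Trend Micro's code) that checks a hosts file the way the workaround above requires: the DDAN public FQDN must be pinned to the Management Port IP, while a mapping to the System Port IP, or no mapping at all, is the failure case described in the caveats. It uses the article's example values; the System Port address 192.0.2.36 and the hosts-file contents are constructed.

```python
"""Check the hosts-file workaround for DDAN registration (added example, not
Trend Micro code): the public FQDN is pinned to the Management Port IP."""
import ipaddress

# Values from the article's example; the System Port address is constructed.
FQDN = "vddan.tekchallenge.com"
MGMT_IP = "172.20.0.36"
SYSTEM_IP = "192.0.2.36"   # constructed DMZ address, not from the article

# Constructed hosts files: the correct mapping and the mis-mapped one.
HOSTS_OK = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
172.20.0.36     vddan.tekchallenge.com   # DDAN Management Port IP
"""
HOSTS_WRONG = """127.0.0.1       localhost
192.0.2.36      vddan.tekchallenge.com   # System Port IP: registration fails
"""

def parse_hosts(text):
    """Yield (ip, [hostnames]) per valid line; comments and blanks are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue            # first field is not an address: skip the line
        yield ip, [h.lower().rstrip(".") for h in fields[1:]]

def resolve_via_hosts(text, fqdn):
    """Return the first hosts-file address for fqdn (first match wins), or None."""
    name = fqdn.lower().rstrip(".")
    return next((ip for ip, names in parse_hosts(text) if name in names), None)

def check_workaround(text, fqdn=FQDN, mgmt_ip=MGMT_IP, system_ip=SYSTEM_IP):
    """Classify how Apex Central would reach the DDAN FQDN with this hosts file."""
    ip = resolve_via_hosts(text, fqdn)
    if ip is None:
        return "missing"       # public DNS -> public IP -> System Port -> fails
    if ip == system_ip:
        return "system-port"   # pinned to the wrong interface -> fails
    if ip == mgmt_ip:
        return "ok"            # Management Port reachable; Apex One unaffected
    return "unexpected"        # points somewhere else entirely: investigate

if __name__ == "__main__":
    for label, hosts in (("correct", HOSTS_OK), ("wrong", HOSTS_WRONG)):
        print(f"{label}: {check_workaround(hosts)}")
```

Run it on the Apex Central server against the contents of C:\Windows\System32\drivers\etc\hosts; any result other than "ok" means the registration path still ends at the System Port or somewhere unexpected.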

Below are the requirements:

  • When adding the DDAN (on premise) to Apex Central (on premise), use a publicly accessible FQDN of DDAN (DNS A record), because this FQDN is synchronized to Apex One (as a Service).
  • Deploy DDAN (on premise) in a DMZ segment (System Port).
  • On your perimeter firewall, create the following:
    • An access rule allowing inbound TCP port 443 from Apex One as a Service to the DDAN public IP/FQDN.
    • A port forward of the above incoming TCP port 443 traffic to DDAN in the DMZ (System Port).

      Source                        | Destination             | Port | Protocol | Direction
      Apex One as a Service IP/URL  | Deep Discovery Analyzer | 443  | TCP      | Inbound

  • IP/domain/DNS whitelisting. Please refer to the referenced KB article for the list of IP addresses and domains to whitelist.

Below are the steps:

  1. Open Apex Central (on-premise) web console. Navigate to Administration > Managed Servers > Server Registration.
  2. Under the Server Type dropdown list, select Deep Discovery Analyzer, then click Add.
  3. Populate the required fields then click Save.

    Server Information

    Server: <Use Deep Discovery Analyzer's public FQDN>
    Display name:
    Product: Deep Discovery Analyzer

    Authentication

    User name: <Deep Discovery Analyzer Admin account>
    Password: <Deep Discovery Analyzer Admin password>

    Connection

    Proxy Server: <Specify proxy server if you are using proxy server>

Follow these steps:

  1. Open Apex Central (on-premise) web console. Navigate to Administration > Managed Servers > Server Registration.
  2. Under the Server Type dropdown list, select Apex One, then click the edit icon in the Actions column.
  3. On the Edit Server page, under the Virtual Analyzer dropdown list, select your Deep Discovery Analyzer, then click Save.

Follow these steps:

  1. Open Apex Central (on-premise) web console, and navigate to Policies > Policy Management.
  2. Under the Product dropdown list, select Apex One Security Agent then click your Policy.
  3. Under Edit Policy, expand Sample Submission then tick the box beside "Enable suspicious file submission to Virtual Analyzer".
  4. Still on the Edit Policy page, expand Real-time Scan.
  5. Under Virus/Malware Scan Settings Only, tick the box beside "Enable CVE exploit scanning for files downloaded through web and email channels".
  6. Click Deploy.