- Initiate the instance launch.
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation bar at the top of the screen, select a Region for the instance that meets your requirements.
- From the Amazon EC2 console dashboard, select Launch instance.
- Choose the AMI for Service Gateway.
- Choose an Instance Type.
On the Choose an Instance Type screen, select an instance type that meets the minimum specifications for your service installation. c5.2xlarge is recommended; Service Gateway needs at least 4 vCPUs and 8 GB of memory. For details, see the Online Help Center article on system requirements.
- Configure the Instance basic settings.
- On the Configure Instance Details screen, change the following settings:
- Network: Select the VPC.
- Subnet: Select the subnet into which to launch your instance. Select a subnet that is planned for the data port subnet.
- Auto-assign Public IP: Select Disable. Trend Micro recommends deploying the Service Gateway Virtual Appliance behind an AWS NAT gateway, so that it has no public IP address but can still make outbound connections.
- Add Storage to specify the root volume size of your instance. The default disk size is 200 GB. If you need more storage, add a new disk.
- Add Tags if you want custom tags. On the Add Tags screen, specify tags as required.
- Configure Security Group.
- On the Configure Security Group screen, use a security group to define firewall rules for the Service Gateway Virtual Appliance instance.
- To use an existing security group, select Select an existing security group, then choose your security group.
- To create a new security group, select Create a new security group.
- Verify that your selected security group contains the following rules:
Type | Protocol | Port Range | Source | Reason |
---|---|---|---|---|
SSH | TCP | 22 | CIDR that can reach your instance | Access to the Service Gateway Virtual Appliance CLISH command line |
HTTPS | TCP | 443 | CIDR that can reach your instance | Service queries, Predictive Machine Learning, File Reputation Services, or Third-Party Integration queries |
HTTP | TCP | 80 | CIDR that can reach your instance | Service queries, Predictive Machine Learning, File Reputation Services, or Third-Party Integration queries |
Custom TCP | TCP | 5274 | CIDR that can reach your instance | Web Reputation Services or Web Inspection Service queries |
Custom TCP | TCP | 5275 | CIDR that can reach your instance | Web Reputation Services or Web Inspection Service queries |
Custom TCP | TCP | 8080 | CIDR that can reach your instance | Forward Proxy Service listening port |
Custom TCP | TCP | 8088 | CIDR that can reach your instance | Zero Trust Secure Access On-Premises Gateway listening port |
Use the narrowest source CIDR that covers the clients and administrators that need each port; in particular, open port 22 only to your management network rather than to 0.0.0.0/0.
Outbound rules: the default security group allows all outbound traffic, and the Service Gateway Virtual Appliance works with the default outbound rules.
- Click Review and Launch.
- Review Instance Launch and select a key pair.
- On the Review Instance Launch screen, check the details of your instance, and make any necessary changes by choosing the appropriate Edit link.
- Click Launch.
- In the Select an existing key pair or create a new key pair dialog box, choose an existing key pair or create a new one. You need the private key to log in to the appliance.
- To launch your instance, select the acknowledgment check box, then click Launch Instances.
- Wait for the Service Gateway Virtual Appliance to become ready.
View the Service Gateway installation progress by using the following steps:
- In the left navigation pane, click Instances.
- Select the Service Gateway Virtual Appliance instance.
- Check the instance state.
When the Service Gateway Virtual Appliance instance state becomes "running", it is ready.
- Connect to instance.
After the instance starts, log in with your key pair as user admin:
- The key pair sometimes takes a few minutes to propagate to EC2. If you cannot connect with the key you created, wait about five (5) minutes for the key to sync and try again.
- After the Service Gateway Virtual Appliance is updated, the trusted host entry on your client is not updated automatically, so the SSH client rejects the connection. Remove the appliance's entry from ~/.ssh/known_hosts, then connect again.
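The following script is an added example for the "verify that your selected security group contains the following rules" step above; it is not Trend Micro or AWS code. It audits a security group in the JSON shape returned by `aws ec2 describe-security-groups` (one element of the "SecurityGroups" array) against the inbound rule table, reporting required ports that no rule allows, required ports exposed to 0.0.0.0/0 or ::/0 (a finding, since the page recommends no public IP and a NAT gateway), and rules that allow more than the table needs. The SAMPLE_SG payload and its group ID are constructed for the example.

```python
"""Audit an EC2 security group against the Service Gateway inbound rule table.

Added example, not Trend Micro or AWS code. Reads the JSON shape that
`aws ec2 describe-security-groups` returns, so a saved response can be
checked offline. SAMPLE_SG below is constructed; the group ID is a placeholder.
"""
import ipaddress
import json
import sys

# Inbound TCP ports from the rule table on this page, with their purpose.
REQUIRED_INBOUND = {
    22: "SSH to the CLISH command line",
    80: "Service / Predictive Machine Learning / File Reputation / third-party queries (HTTP)",
    443: "Service / Predictive Machine Learning / File Reputation / third-party queries (HTTPS)",
    5274: "Web Reputation Services / Web Inspection Service queries",
    5275: "Web Reputation Services / Web Inspection Service queries",
    8080: "Forward Proxy Service listener",
    8088: "Zero Trust Secure Access On-Premises Gateway listener",
}

# Constructed sample: 22 open to the world, 80-443 as one over-broad range,
# 8088 missing entirely.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "service-gateway",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5274, "ToPort": 5275,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}


def _covers(perm, port):
    """True if an IpPermission entry allows TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":          # "All traffic" rule, no port keys
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def _sources(perm):
    """CIDR sources of a rule (IPv4 and IPv6); security-group sources are ignored."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def audit_security_group(sg):
    """Compare one security group against REQUIRED_INBOUND.

    Returns a dict: missing (required ports with no rule), open_to_world
    (required ports reachable from a /0), overbroad (rules allowing more than
    the required ports), sources (required port -> source CIDRs).
    """
    perms = sg["IpPermissions"]
    result = {"missing": [], "open_to_world": [], "overbroad": [], "sources": {}}
    for port in REQUIRED_INBOUND:
        matching = [p for p in perms if _covers(p, port)]
        if not matching:
            result["missing"].append(port)
            continue
        cidrs = [c for p in matching for c in _sources(p)]
        result["sources"][port] = cidrs
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            result["open_to_world"].append(port)
    for p in perms:
        if p["IpProtocol"] == "-1":
            result["overbroad"].append("all traffic")
        elif p["IpProtocol"] == "tcp":
            span = set(range(p["FromPort"], p["ToPort"] + 1))
            if span - set(REQUIRED_INBOUND):
                result["overbroad"].append(f"tcp {p['FromPort']}-{p['ToPort']}")
    return result


def main(argv):
    # Pass a saved describe-security-groups response file, or audit the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            groups = json.load(fh)["SecurityGroups"]
    else:
        groups = [SAMPLE_SG]
    for sg in groups:
        r = audit_security_group(sg)
        print(f"{sg['GroupId']} ({sg.get('GroupName', '')})")
        for port in r["missing"]:
            print(f"  MISSING  tcp/{port}: {REQUIRED_INBOUND[port]}")
        for port in r["open_to_world"]:
            print(f"  WORLD    tcp/{port} reachable from anywhere; narrow the source CIDR")
        for rule in r["overbroad"]:
            print(f"  BROAD    {rule} allows more than the table requires")
        if not (r["missing"] or r["open_to_world"] or r["overbroad"]):
            print("  OK")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the three findings on the constructed sample, or pass the path of a file saved with `aws ec2 describe-security-groups --group-ids <id>` to audit a real group. A rule whose source is another security group rather than a CIDR is deliberately not counted as a source here, so such a port shows an empty source list and should be reviewed by hand.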
Register to Trend Micro Vision One
- Type enable and press the ENTER key to enable administrative commands. Provide your password when prompted.
The command prompt changes from > to #.
- Use the configure command to configure the required network settings, such as the IP address and DNS settings.
- Type the following command to register the Service Gateway virtual appliance to Trend Micro Vision One.
register <registration_token>
You can obtain the token from the same Trend Micro Vision One screen from which you downloaded the virtual appliance.
Trend Micro recommends using an SSH client to easily copy and paste the registration token.
Cipher Requirements
Service Gateway accepts only a restricted set of TLS cipher suites in order to maintain a high security level.
The table below lists the cipher suites accepted by SG 2.0.9, by IANA name and two-byte code:
Cipher Suite | Code |
---|---|
TLS_RSA_WITH_AES_256_GCM_SHA384 | 0x009d |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 0x003d |
TLS_RSA_WITH_AES_256_CBC_SHA | 0x0035 |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 0x009c |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 0x003c |
TLS_RSA_WITH_AES_128_CBC_SHA | 0x002f |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 0xc028 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xc014 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 0xc027 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xc013 |
If you cannot connect with your SSH tool, a cipher suite mismatch may be the cause. Check which cipher suites the tool offers and make sure at least one of the suites above is among them.
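As an added example (not Trend Micro's code), the script below encodes the table above and, for a set of cipher suite codes that a client offers, reports which ones SG 2.0.9 accepts and which accepted suites the client does not offer. It can also enumerate the TLS 1.2 suites the local OpenSSL build can offer and emit an OpenSSL cipher string limited to the table. The OpenSSL names beside the IANA names are the standard equivalents; the client_offer set in main is constructed for illustration.

```python
"""Check a client's TLS cipher suites against the Service Gateway 2.0.9 table.

Added example, not Trend Micro code. The table is the one from this page
(IANA names and two-byte codes); the OpenSSL names beside them are the
standard equivalents. No network access is needed.
"""
import ssl

# IANA name -> (two-byte code, OpenSSL cipher name)
SG_CIPHER_SUITES = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384":       (0x009D, "AES256-GCM-SHA384"),
    "TLS_RSA_WITH_AES_256_CBC_SHA256":       (0x003D, "AES256-SHA256"),
    "TLS_RSA_WITH_AES_256_CBC_SHA":          (0x0035, "AES256-SHA"),
    "TLS_RSA_WITH_AES_128_GCM_SHA256":       (0x009C, "AES128-GCM-SHA256"),
    "TLS_RSA_WITH_AES_128_CBC_SHA256":       (0x003C, "AES128-SHA256"),
    "TLS_RSA_WITH_AES_128_CBC_SHA":          (0x002F, "AES128-SHA"),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": (0xC028, "ECDHE-RSA-AES256-SHA384"),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":    (0xC014, "ECDHE-RSA-AES256-SHA"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": (0xC027, "ECDHE-RSA-AES128-SHA256"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":    (0xC013, "ECDHE-RSA-AES128-SHA"),
}


def suites_by_code():
    """code -> IANA name for the suites SG accepts."""
    return {code: name for name, (code, _) in SG_CIPHER_SUITES.items()}


def sg_cipher_string():
    """OpenSSL cipher string that limits a client to exactly the suites SG accepts."""
    return ":".join(openssl for _, openssl in SG_CIPHER_SUITES.values())


def classify_offered(offered_codes):
    """Split offered suite codes into (accepted by SG, accepted suites not offered).

    If the first list is empty the TLS handshake with SG cannot succeed.
    """
    table = suites_by_code()
    accepted = sorted(c for c in offered_codes if c in table)
    not_offered = sorted(c for c in table if c not in offered_codes)
    return accepted, not_offered


def local_openssl_offer(cipher_string="ALL"):
    """Codes of the TLS 1.2 (and earlier) suites the local OpenSSL build can
    offer for cipher_string. TLS 1.3 suites are excluded: the table has none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    # get_ciphers() ids look like 0x0300C028; the low 16 bits are the IANA code.
    return {c["id"] & 0xFFFF
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def main():
    table = suites_by_code()
    # Constructed client offer: two suites from the table plus two TLS 1.3
    # suites (0x1301, 0x1302) that SG does not list.
    client_offer = {0x1301, 0x1302, 0x009D, 0xC028}
    accepted, not_offered = classify_offered(client_offer)
    print("accepted by SG:", [table[c] for c in accepted])
    print("accepted suites the client lacks:", [table[c] for c in not_offered])

    local = local_openssl_offer()
    overlap, _ = classify_offered(local)
    print(f"local OpenSSL can offer {len(overlap)} of {len(table)} SG suites")
    print("cipher string for an OpenSSL-based client:", sg_cipher_string())


if __name__ == "__main__":
    main()
```

Note what the table implies: every entry is a TLS 1.2 suite using either RSA key exchange or ECDHE with a CBC mode; there are no ECDHE-GCM and no TLS 1.3 suites. A client hardened to TLS 1.3 only, or to ECDHE-GCM only, therefore offers nothing in common with SG 2.0.9, which is the mismatch the paragraph above describes. If the client's TLS stack is OpenSSL, the string from sg_cipher_string() can be passed to its cipher-list setting.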
(Optional) Configure Other Settings
Use the CLI to configure other settings, if required. For more information on available commands, see Service Gateway 2.0 CLI Commands.