Guidelines on Apex One hybrid deployment with on-premise Deep Discovery Analyzer (DDAN)

    • Updated: 20 Nov 2020
    • Product/Version: Apex One 2019; Apex One as a Service; Deep Discovery Analyzer All
Summary

This article provides a guide in setting up a hybrid deployment for Apex One as a Service with an on-premise DDAN.

Overview of the deployment:

[Figure: deployment overview]

In addition, below is the list of DDAN traffic per interface.

NIC  | Name            | Network  | Description
eth0 | Management Port | Internal | Deep Discovery Analyzer Management
eth1 | System Port     | DMZ      | Receiving sample submissions
eth2 | Sandbox Port    | Internal | Dirty Line for VM Sandbox
eth3 | HA Port         | N/A      | Reserved for High Availability Heartbeat

If you need to restrict your network zones via Access Control Lists, below is the list of required open ports for DDAN:

From                                        | To       | Ports/Service                                                           | Description
Internal                                    | eth0     | 443, SSH, Deep Discovery Director, Apex Central / Control Manager, SNMP | Deep Discovery Analyzer Management
eth0                                        | Internet | NTP                                                                     | Network Time Protocol
eth1                                        | Internet | 443, DNS, Syslog, SMTP                                                  | Software Updates from Trend Micro
Apex One as a Service (Refer to KB 1119967) | eth1     | 443                                                                     | Apex One as a Service sample submissions
Internal                                    | eth1     | 443                                                                     | Internal submissions (e.g. other Trend Micro Products)
eth2                                        | Internet | All Traffic                                                             | Dirty line for VM Sandbox
Details

Follow these steps:

Refer to the Deep Discovery Installation and Deployment Guide.

DDAN can be hardened by separating the Management Port from the System Port. The default Management Port is shown under Administration > System Settings.

[Figure: example DDAN network settings]

Below are the steps to enable separate Management and System Ports:

  1. Enable the System Port of DDAN.
    1. Open the RDQA page, which allows separating the Management Port and System Port, at the following URL:

      https:///pages/rdqa.php

    2. Go to System Settings.
    3. Look for the section Port Binding.
    4. The default setting binds the service to eth0 only.

    5. Under Bind service to: select eth0(management) and eth1(system).
    6. Click Save.

    7. On the Port Binding popup message, click Configure Now.

  2. Configure the System Port IP Address Settings
    1. Under eth1(system) section, populate the required fields (IP address, Subnet mask, Gateway, DNS server).
    2. Click Save.

    3. After clicking Save, wait for the operation to complete; the status reads "Saving…".

    4. Afterwards, you will see at the top corner of the web console the message, "The setting has been saved."

    With both ports configured, the page shows separate entries for the Management Port and the System Port.

Please take note of the following caveat before registering DDAN to Apex Central:

  • In Apex Central, there is only one text box for the FQDN of DDAN.
  • This FQDN is synchronized to the Apex One as a Service server (cloud), which uses it when submitting samples to the on-premise DDAN.
  • The port forward rule in the firewall should therefore point to the System Port IP address of DDAN, not the Management Port IP address.
  • At the same time, Apex Central needs to communicate with the Management Port IP address of DDAN. If it attempts to register using the System Port IP address, registration fails.
  • The workaround is to override the hosts file of Apex Central and map the public FQDN of DDAN to its Management Port IP address.
  • With this hosts entry, the Apex Central server reaches the Management IP of DDAN, while the Apex One as a Service server still resolves the public FQDN through DNS to the public IP, which is port forwarded to the DDAN System Port to receive sample submissions.

Below are the steps:

  1. Go to Apex Central Server.
  2. Open the Command prompt as Administrator, and enter the following command:

    notepad C:\Windows\System32\drivers\etc\hosts

  3. Add the following line:

    <X.X.X.X> <DDAN_PUBLIC_FQDN>

    Below is an example where 172.20.0.36 is the Management IP of Deep Discovery Analyzer and vddan.tekchallenge.com is its public FQDN:

    172.20.0.36 vddan.tekchallenge.com

    For more information on editing the hosts file, refer to How to Edit the HOSTS File in Windows.
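As an added example (not Trend Micro's own tooling), the following Python applies the hosts override idempotently and checks the split view the caveats above depend on: the Apex Central host must resolve the FQDN to the Management IP while public DNS must still return the forwarded perimeter address. It assumes the article's sample values (172.20.0.36, vddan.tekchallenge.com); the public DNS answer is injected as a callable so the check runs offline, and any public address used with it is a constructed placeholder.

```python
# Added example, not Trend Micro tooling: pin the DDAN public FQDN to its
# Management Port IP in a hosts file, then verify the resulting split view.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _names(line):
    """Hostnames on an active (non-comment) hosts line, lower-cased."""
    body = line.split("#", 1)[0].split()
    return [h.lower() for h in body[1:]] if len(body) >= 2 else []

def upsert_hosts_entry(hosts_text, mgmt_ip, fqdn):
    """Return hosts_text with exactly one active line mapping fqdn to mgmt_ip.
    The first existing line for fqdn is replaced and duplicates are dropped."""
    ipaddress.ip_address(mgmt_ip)  # reject a malformed address up front
    kept, replaced = [], False
    for line in hosts_text.splitlines():
        if fqdn.lower() in _names(line):
            if not replaced:
                kept.append(f"{mgmt_ip} {fqdn}")
                replaced = True
            continue
        kept.append(line)
    if not replaced:
        kept.append(f"{mgmt_ip} {fqdn}")
    return "\n".join(kept) + "\n"

def hosts_lookup(hosts_text, fqdn):
    """Address the local resolver will use for fqdn, or None if not pinned."""
    for line in hosts_text.splitlines():
        if fqdn.lower() in _names(line):
            return line.split("#", 1)[0].split()[0]
    return None

def check_split_view(hosts_text, fqdn, mgmt_ip, public_resolve):
    """List problems with the override and the public A record. public_resolve
    (fqdn -> IP string or None) is injected so the check can run offline."""
    problems = []
    local = hosts_lookup(hosts_text, fqdn)
    if local != mgmt_ip:
        problems.append(f"hosts maps {fqdn} to {local}; expected Management IP {mgmt_ip}")
    public = public_resolve(fqdn)
    if public is None:
        problems.append(f"no public A record for {fqdn}; cloud sample submission cannot reach DDAN")
    elif any(ipaddress.ip_address(public) in n for n in RFC1918):
        problems.append(f"public A record {public} is RFC 1918, not the perimeter IP forwarded to the System Port")
    elif public == mgmt_ip:
        problems.append("public A record points at the Management Port instead of the forwarded System Port")
    return problems
```

On the Apex Central server the hosts text would be read from and written back to C:\Windows\System32\drivers\etc\hosts as Administrator; the checks run identically on a copy of the file.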

Below are the requirements:

  • When adding the DDAN (On Premise) to Apex Central (On Premise), use a publicly accessible FQDN of DDAN (DNS A Record), because this FQDN will be synchronized to Apex One (as a Service).
  • Deploy DDAN (On Premise) in DMZ segment (System Port).
  • On your perimeter firewall, create the following:
    • Access rule allowing INBOUND TCP port 443 from Apex One as a Service to the DDAN public IP/FQDN.
    • Port forward of that incoming TCP port 443 traffic to DDAN in the DMZ (System Port).

      Source                       | Destination             | Port | Protocol | Direction
      Apex One as a Service IP/URL | Deep Discovery Analyzer | 443  | TCP      | Inbound

  • IP/Domain/DNS whitelisting. Refer to this KB article for the list of IPs/domains to whitelist.

Below are the steps:

  1. Open Apex Central (on-premise) web console. Navigate to Administration > Managed Servers > Server Registration.
  2. Under the Server Type dropdown list, select Deep Discovery Analyzer, then click Add.

  3. Populate the required fields then click Save.

    Server Information

    Server: <Use Deep Discovery Analyzer's public FQDN>
    Display name:
    Product: Deep Discovery Analyzer

    Authentication

    User name: <Deep Discovery Analyzer Admin account>
    Password: <Deep Discovery Analyzer Admin password>

    Connection

    Proxy Server: <Specify proxy server if you are using proxy server>

Follow these steps:

  1. Open Apex Central (on-premise) web console. Navigate to Administration > Managed Servers > Server Registration.
  2. Under the Server Type dropdown list, select Apex One then click the edit icon on the Actions column.

  3. On Edit Server page, under Virtual Analyzer dropdown list, select your Deep Discovery Analyzer then click Save.

Follow these steps:

  1. Open Apex Central (on-premise) web console, and navigate to Policies > Policy Management.

  2. Under the Product dropdown list, select Apex One Security Agent then click your Policy.

  3. Under Edit Policy, expand Sample Submission then tick the box beside "Enable suspicious file submission to Virtual Analyzer".

  4. Still under Edit Policy page, expand Real-time Scan.

  5. Under Virus/Malware Scan Settings Only, tick the box beside "Enable CVE exploit scanning for files downloaded through web and email channels".

  6. Click Deploy.

Category: Configure; Deploy; Install
Solution Id: 000281914