Setting up Apex One as a Service Remote Connection to Control Manager (TMCM) or Apex Central

    • Updated:
    • 25 Mar 2019
    • Product/Version:
    • Apex Central All.All
    • Apex One as a Service All.All
    • OfficeScan XG.All
    • Platform:
    • Windows 2012
    • Windows 2012 Server R2
    • Windows 2016
Summary

This article shows you how to create an Apex One™ as a Service Remote Connection to on-premise TMCM/Apex Central.

Details
  1. Prepare a server in the DMZ that can successfully connect to the On-Premise TMCM/Apex Central server.
  2. Configure this DMZ server’s firewall settings:
    Direction   Allow Rules
    Inbound     TCP, port: 4433. (Source is the Apex One as a Service)
    Outbound    The server address and port for the On-Premise TMCM/Apex Central server.
  1. Download Apex One as a Service remote connection tool and extract it.
  2. Do one of the following options depending on your CA to sign the certificate for the Apex One as a Service remote connection tool.

    Option I. For users using the default CA for On-Premise TMCM/Apex Central server, follow the procedure below:

    1. Copy TMCM_SignCert.bat from the "Cert signing script" folder to "\certificate" on the On-Premise TMCM/Apex Central server.
    2. Start a command prompt as an administrator.
    3. Navigate to the <Control Manager installation folder>\certificate folder.
    4. As administrator, from the "<Control Manager installation folder>\certificate" folder, execute the batch file by running “<Control Manager installation folder>\certificate\TMCM_SignCert.bat <common name of the host to install Apex One as a Service remote connection tool>”.
     
    A common name must be chosen carefully when signing the certificate. It must be either the IP address, host name, or FQDN of the server on which the Apex One as a Service remote connection tool is installed and that Apex One as a Service can connect to.
     
    If you need to run the command more than twice, set “unique_subject = no” in “index.txt.attr” under the folder “<Control Manager/Apex Central installation folder>\certificate\CA”.

    Option II. For users using their own CA for On-Premise TMCM/Apex Central server, please follow the procedure below:

    1. Generate a CSR file for the Apex One as a Service Remote Connection Tool by executing the following command in the "certificate signing request script" folder.

      cmd: CSRGenerate.bat <common name of the host to install Apex One as a Service remote connection tool>

       
      A common name must be chosen carefully when signing the certificate. It must be either the IP address, host name, or FQDN of the server on which the Apex One as a Service remote connection tool is installed and that Apex One as a Service can connect to.

      After doing so, two (2) files will be generated under the SignedCert folder.

      • WebServer_Key.pem
      • WebServer_Req.pem
    2. Generate the certificate with the organization CA: copy the WebServer_Req.pem generated in the previous step to the organization’s CA host and sign the corresponding certificate, say WebServer_Cert.pem.
    3. Convert the certificate into a p12 format by copying WebServer_Cert.pem back to the Apex One as a Service Remote Connection Tool host's “certificate signing request script\SignedCert” folder and execute:

      cmd: CertificateConvert.bat SignedCert\WebServer_Key.pem SignedCert\WebServer_Cert.pem

      After execution, a file SignedCert\WebServer_Cert.p12 will be generated.

  3. Install Apex One as a Service remote connection tool on the DMZ host.
    • Put the extracted package files from the "Apex One as a Service remote connection tool" folder into "C:\Program Files (x86)\Trend Micro\Smart Relay" (create the folder if needed) on the host and execute install.bat as an administrator to set up Smart Relay as a service.
       
      Do not start the Smart Relay service at this point.
  4. Install the certificate signed by Control Manager on the host where the Apex One as a Service remote connection tool is installed.

    1. Copy the certificate “<Control Manager/Apex Central installation Folder>\Certificate\SignedCert\WebServer_Cert.p12” signed from Step 1.2 to the DMZ server.
    2. Open mmc (Microsoft management console) and add Snap-ins by going to File > Add/Remove Snap-in.
    3. Add certificates snap-in and choose Computer account.
    4. Navigate to Personal > Certificates, then right-click on Certificates. Click on All Tasks > Import, and choose WebServer_Cert.p12 we got from Step 1.2. (You do not need to type the password during the certificate import process.)
  5. Configure the Apex One as a Service remote connection tool in apricot_config.xml.
    1. Configure the common name of the server on which the Apex One as a Service remote connection tool is installed.
      <cert_cn>Common_Name_of_Host</cert_cn>
    2. Under the <name>TMCM</name>, configure the address of the Control Manager or Apex Central host.
      <uplink_server>https://Control_Manager_address:port</uplink_server>
  6. Start the Smart Relay service by running “net start smartrelay” command.
  7. Add the IP address and port number of the server on which the Apex One as a Service remote connection tool is installed to “<Control Manager installation/Apex Central folder>/SystemConfiguration.xml” on the on-premise Control Manager/Apex Central server, in the following elements:
    <m_SaaSReverseProxyAddress> and <m_SaaSReverseProxyPort>
  8. Restart the Trend Micro Control Manager/Apex Central service.
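
A pre-start check for the DMZ host, meant to be run before step 6 starts the Smart Relay service. It is an added example, not part of the original article or of Trend Micro's tooling. It assumes apricot_config.xml sits in the Smart Relay install folder and that the first <cert_cn> and <uplink_server> elements in the file are the ones configured in step 5.

```powershell
# Added example: pre-start checks on the DMZ host. Run in an elevated PowerShell.
# Assumption: apricot_config.xml is in the Smart Relay install folder.
$configPath = 'C:\Program Files (x86)\Trend Micro\Smart Relay\apricot_config.xml'
$listenPort = 4433   # inbound port from the firewall step

# Read the two values set in step 5 (assumed XPath: first matching element).
[xml]$config = Get-Content -LiteralPath $configPath -Raw
$certCn = $config.SelectSingleNode('//cert_cn').InnerText.Trim()
$uplink = [uri]$config.SelectSingleNode('//uplink_server').InnerText.Trim()

# Certificates imported into the computer's Personal store whose CN equals <cert_cn>.
$now   = Get-Date
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $certCn })
# Usable = private key present and currently inside the validity period.
$usable = @($certs | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })

# Outbound rule: can this host open a TCP connection to the uplink server?
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($uplink.Host, $uplink.Port); $reachable = $tcp.Connected }
catch   { $reachable = $false }
finally { $tcp.Close() }

# Inbound rule: enabled allow rules on the listening port that accept any source,
# instead of being limited to Apex One as a Service.
$openToAny = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$listenPort" } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })

[pscustomobject]@{
    CertCn             = $certCn
    MatchingCerts      = $certs.Count
    UsableCerts        = $usable.Count
    UplinkIsHttps      = ($uplink.Scheme -eq 'https')
    UplinkReachable    = $reachable
    RulesOpenToAnyHost = ($openToAny | ForEach-Object { $_.DisplayName }) -join '; '
}
```

A healthy host reports at least one usable certificate, an HTTPS uplink that is reachable, and an empty RulesOpenToAnyHost. The firewall check only matches rules that name port 4433 exactly, so rules using port ranges need a manual look.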
 
Apex One as a Service only supports re-registration to an On-Premise TMCM 7.0 (or later) or Apex Central server.

If you are registering to an on-premise Control Manager 7.0 (or later) or Apex Central server, you must first run the Apex One as a Service Remote Connection Tool on an endpoint in the DMZ to facilitate communication between the cloud-based Apex One as a Service console and the local Control Manager server.

    1. Go to Administration > Settings > Control Manager.
    2. Click Register to a Different Control Manager Server.
    3. Specify the Server FQDN or IP address of the new Control Manager/Apex Central server.
       
      It is recommended to specify an On-Premise TMCM/Apex Central server that is different from the server that Apex One as a Service is currently registered to. If you have set up an endpoint to establish a remote connection to an on-premise TMCM/Apex Central server, specify the Server FQDN or IP address of the remote connection endpoint.
    4. Specify the Port (HTTPS) of the TMCM/Apex Central server.
       
      If you have set up an endpoint to establish a remote connection to an on-premise Control Manager/Apex Central server, specify the Port (HTTPS) of the remote connection endpoint.
    5. Beside Control Manager certificate, click Browse... and select the certificate file downloaded from the target Control Manager server. To obtain the Control Manager or Apex Central certificate file, go to the On-Premise TMCM/Apex Central server and copy the certificate file to the Apex One as a Service server from the following location: <TMCM/Apex Central installation folder>\Certificate\CA\TMCM_CA_Cert.pem.
       
      If your company uses a customized certificate on the Control Manager or Apex Central server, you must upload the Root CA certificate during the Control Manager/Apex Central registration.
      If the IIS web server of the on-premise TMCM/Apex Central server requires authentication, type the user name and password.
      Specify the Entity display name that identifies the Apex One as a Service server on the Control Manager console. By default, the entity display name includes the server computer's host name and this product's name (for example, Server_OSCE).
      Click Connect.
  1. Log on to the Apex One as a Service console.
  2. Go to Administration > Managed Servers.
  3. Select "Apex One (Mac)" as the Server Type.
  4. Click the Delete icon on the right side of the Apex One (Mac) server hyperlink.
     
    Before deleting the Apex One (Mac) server, make a copy of the server URL first.
  5. Log on to the On-Premise TMCM/Apex Central console.
  6. Go to Administration > Managed Servers.
  7. Select "Apex One" as the Server Type.
  8. Single Sign-On to Apex One as a Service.
  9. Go to Administration > Account Management > User Accounts.
  10. Add a User Role as built-in Administrator with Username and Password.
  11. Navigate to the On-Premise TMCM/Apex Central console.
  12. Go to Administration > Managed Servers.
  13. Select "Apex One (Mac)" as the Server Type.
  14. Click Add and provide the Apex One (Mac) server URL, then click Save.
     
    Use the server URL you copied in Step 4 and the account/password created in Step 10.
  15. Wait for a minute, then click Refresh.
  16. Click the Apex One (Mac) as service console hyperlink.
Category:
Configure; Register
Solution Id:
1118614