Setting up Apex One™ as a Service Remote Connection to Control Manager (TMCM)

1. Prepare a server in the DMZ that can successfully connect to the On-premise Control Manager server.
2. Configure this DMZ server’s firewall settings:

   Direction	Allow Rules
   Inbound	TCP, port: 4433. (Source is the Apex One™ as a Service)
   Outbound	The server address and port for the On-Premise TMCM server.

1. Download Apex One™ as a Service remote connection tool and extract it.
2. Do one of the following options depending on your CA to sign the certificate for the Apex One™ as a Service remote connection tool.

   Option I. For users using the default CA for on-premise Control Manager server, follow the procedure below:

   1. Copy TMCM_SignCert.bat under "Cert signing script" folder to to "\certificate" on the On-premise Control Manager server.
   2. Start a command prompt as an administrator.
   3. Navigate to the <Control Manager installation folder>\certificate folder.
   4. Execute the batch file by running “<Control Manager installation folder>\certificate\TMCM_SignCert.bat <common name of the host to install Apex One™ as a Service remote connection tool>” as administrator under folder "<Control Manager installation folder>\certificate".
   A common name must be chosen carefully when signing the certificate. It must be either the IP address, host name, or FQDN of the server installed Apex One™ as a Service remote connection tool that Apex One™ as a Service can connect to.
   If it is needed to run the command more than twice, set “unique_subject = no” in “index.txt.attr” under folder “<Control Manager installation folder>\certificate\CA”.

   Option II. For users using their own CA for on-premise Control Manager server, please follow the procedure below:

   1. Generate CSR file for the Apex One™ as a Service Remote Connection Tool by executing the command under "certificate signing request script" folder.

      cmd: CSRGenerate.bat <common name of the host to install Apex One™ as a Service remote connection tool>

      A common name must be chosen carefully when signing the certificate. It must be either the IP address, host name, or FQDN of the server installed Apex One™ as a Service remote connection tool that Apex One™ as a Service can connect to.
      ​After doing so, two (2) files will be generated under the SignedCert folder.
      • WebServer_Key.pem
      • WebServer_Req.pem
   2. Generate certificate with the organization CA by copying the WebServer_Req.pem generated at previous step to the organization’s CA host and sign the corresponding certificate, say WebServer_Cert.pem.
   3. Convert the certificate into a p12 format by copying WebServer_Cert.pem back to the Apex One™ as a Service Remote Connection Tool host's “certificate signing request script\SignedCert” folder and execute:

      cmd: CertificateConvert.bat SignedCert\WebServer_Key.pem SignedCert\WebServer_Cert.pem

      After execution, a file SignedCert\WebServer_Cert.p12 will be generated.

3. Install Apex One™ as a Service remote connection tool on the DMZ host.
   • Put the extracted package files under "Apex One™ as a Service remote connection tool" folder into "C:\Program Files (x86)\Trend Micro\Smart Relay" (create the folder if needed) on the host and execute install.bat as an administrator to setup Smart Relay as a service.
     Do not start the Smart Relay service at this point.

4. Install the certificate signed by Control Manager on to the host installed Apex One™ as a Service remote connection tool.

   1. Copy the certificate “<Control Manager installation Folder>\Certificate\SignedCert\WebServer_Cert.p12” signed from Step 1.2 to the DMZ server.
   2. Open mmc (Microsoft management console) and add Snap-ins by going to File > Add/Remove Snap-in.
   3. Add certificates snap-in and choose Computer account.
   4. Navigate to Personal > Certificates, then right-click on Certificates. Click on All Tasks > Import, and choose WebServer_Cert.p12 we got from Step 1.2. (You do not need to type the password during the certificate import process.)
5. Configure the Apex One™ as a Service remote connection tool in apricot_config.xml.
   1. Configure the common name of the server installed Apex One™ as a Service remote connection tool.
      <cert_cn>Common_Name_of_Host</cert_cn>
   2. Under the <name>TMCM</name>, configure the address of the Control Manager host.
      <uplink_server>https://Control_Manager_address:port </uplink_server>.
6. Start the Smart Relay service by running “net start smartrelay” command.
7. Add the IP address and port number of the server installed Apex One™ as a Service remote connection tool to the on-premises Control Manager server “<Control Manager installation folder>/SystemConfiguration.xml""
   <m_SaaSReverseProxyAddress> and <m_SaaSReverseProxyPort>
8. Restart the Trend Micro Control Manager service.

If you are registering to an on-premises Control Manager 7.0 (or later) server, you must first run the Apex One™ as a Service Remote Connection Tool on an endpoint in the DMZ to facilitate communication between the cloud-based OfficeScan SaaS console and the local Control Manager server.

1. Go to Administration > Settings > Control Manager.
2. Click Register to a Different Control Manager Server.
3. Specify the Server FQDN or IP address of the new Control Manager server.
   You must specify a different on-premise TMCM server than the server that OfficeScan SaaS is currently registered. If you have set up an endpoint to establish a remote connection to an on-premises TMCM server, specify the Server FQDN or IP address of the remote connection endpoint.
4. Specify the Port (HTTPS) of the TMCM server.
   If you have set up an endpoint to establish a remote connection to an on-premises Control Manager server, specify the Port (HTTPS) of the remote connection endpoint.
5. Beside Control Manager certificate, click Browse... and select the certificate file downloaded from the target Control Manager server. To obtain the Control Manager certificate file, go to the on-premise TMCM server and copy the certificate file to the OfficeScan SaaS server from the following location: <TMCM installation folder>\Certificate\CA\TMCM_CA_Cert.pem.
   If your company uses a customized certificate on the Control Manager server, you must upload the Root CA certificate during the Control Manager registration.
   If the IIS web server of the onpremises Control Manager server requires authentication, type the user name and password. Specify the Entity display name that identifies the OfficeScan SaaS server on the Control Manager console. By default, entity display name includes the server computer's host name and this product's name (for example, Server_OSCE). Click Connect.

1. Log on to the Apex One™ as a Service console.
2. Go to Administration > Managed Servers.
3. Select "Apex One (Mac)" as the Server Type.
4. Click the Delete icon on right side of the Apex One (Mac) server hyperlink.
   Before deleting the Apex One (Mac) server, please make a copy of the server URL first.
5. Log on to the on-Premise Control Manager console.
6. Go to Administration > Managed Servers.
7. Select "Apex One" as the Server Type.
8. Single Sign-On to Apex One™ as a Service.
9. Go to Administration > Account Management > User Accounts.
10. Add a User Role as built-in Administrator with Username and Password.
11. Navigate to the On-Premise Control Manager console.
12. Go to Administration > Managed Servers.
13. Select "Apex One (Mac)" as the Server Type .
14. Click Add and provide the Apex One (Mac) server URL, then click Save.
    Use the server URL you copied in Step 4 and the account/password created in Step 10.
15. Wait for a minute, then click Refresh.
16. Click the Apex One (Mac) as service console hyperlink.