This article shows you how to create an OfficeScan as a Service Remote Connection to on-premise TMCM.
Prepare a server in the DMZ that can successfully connect to the On-premise Control Manager server.
- Download OfficeScan as a Service remote connection tool and extract it.
- Do one of the following options depending on your CA to sign the certificate for the OfficeScan as a Service remote connection tool.
Option I. For users using the default CA for on-premise Control Manager server, follow the procedure below:
- Copy TMCM_SignCert.bat from the "Cert signing script" folder to "\certificate" on the On-premise Control Manager server.
- Start a command prompt as an administrator.
- Navigate to the <Control Manager installation folder>\certificate folder.
- Execute the batch file by running “<Control Manager installation folder>\certificate\TMCM_SignCert.bat <common name of the host to install OfficeScan as a Service remote connection tool>” as administrator under folder "<Control Manager installation folder>\certificate".
A common name must be chosen carefully when signing the certificate. It must be the IP address, host name, or FQDN of the server where the OfficeScan as a Service remote connection tool is installed, one that OfficeScan as a Service can connect to.
If you need to run the command more than twice, set “unique_subject = no” in “index.txt.attr” under folder “<Control Manager installation folder>\certificate\CA”.
Option II. For users using their own CA for the on-premise Control Manager server, follow the procedure below:
- Generate CSR file for the OfficeScan as a Service Remote Connection Tool by executing the command under "certificate signing request script" folder.
cmd: CSRGenerate.bat <common name of the host to install OfficeScan as a Service remote connection tool>
A common name must be chosen carefully when signing the certificate. It must be the IP address, host name, or FQDN of the server where the OfficeScan as a Service remote connection tool is installed, one that OfficeScan as a Service can connect to.
- WebServer_Key.pem
- WebServer_Req.pem
- Generate the certificate with the organization CA: copy the WebServer_Req.pem generated in the previous step to the organization’s CA host and sign the corresponding certificate, say WebServer_Cert.pem.
- Convert the certificate into a p12 format by copying WebServer_Cert.pem back to the OfficeScan as a Service Remote Connection Tool host's “certificate signing request script\SignedCert” folder and execute:
cmd: CertificateConvert.bat SignedCert\WebServer_Key.pem SignedCert\WebServer_Cert.pem
After execution, a file SignedCert\WebServer_Cert.p12 will be generated.
- Install OfficeScan as a Service remote connection tool on the DMZ host.
- Put the extracted package files under the "OfficeScan as a Service remote connection tool" folder into "C:\Program Files (x86)\Trend Micro\Smart Relay" (create the folder if needed) on the host and execute install.bat as an administrator to set up Smart Relay as a service. Do not start the Smart Relay service at this point.
- Install the certificate signed by Control Manager on the host where the OfficeScan as a Service remote connection tool is installed.
- Copy the certificate “<Control Manager installation Folder>\Certificate\SignedCert\WebServer_Cert.p12” signed from Step 1.2 to the DMZ server.
- Open mmc (Microsoft management console) and add Snap-ins by going to File > Add/Remove Snap-in.
- Add certificates snap-in and choose Computer account.
- Navigate to Personal > Certificates, then right-click on Certificates. Click on All Tasks > Import, and choose WebServer_Cert.p12 we got from Step 1.2. (You do not need to type the password during the certificate import process.)
- Configure the OfficeScan as a Service remote connection tool in apricot_config.xml.
- Configure the common name of the server where the OfficeScan as a Service remote connection tool is installed.
<cert_cn>Common_Name_of_Host</cert_cn>
- Under the <name>TMCM</name>, configure the address of the Control Manager host.
<uplink_server>https://Control_Manager_address:port</uplink_server>
- Start the Smart Relay service by running “net start smartrelay” command.
- Add the IP address and port number of the server where the OfficeScan as a Service remote connection tool is installed to “<Control Manager installation folder>/SystemConfiguration.xml” on the on-premises Control Manager server.
<m_SaaSReverseProxyAddress> and <m_SaaSReverseProxyPort>
- Restart the Trend Micro Control Manager service.
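The certificate import and the apricot_config.xml settings above can be cross-checked on the DMZ host before the Smart Relay service is relied on. The PowerShell script below is an added example, not part of the Trend Micro package: it assumes apricot_config.xml sits in the Smart Relay install folder and that uplink_server appears inside the element that holds <name>TMCM</name>.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell on the DMZ host.
# Assumption: apricot_config.xml is in the install folder named in the article.
$configPath = 'C:\Program Files (x86)\Trend Micro\Smart Relay\apricot_config.xml'
[xml]$cfg = Get-Content -LiteralPath $configPath -Raw
$problems = New-Object 'System.Collections.Generic.List[string]'

# Element names come from the article; their position in the file is assumed.
$cnNode     = $cfg.SelectSingleNode('//cert_cn')
$uplinkNode = $cfg.SelectSingleNode("//*[normalize-space(name)='TMCM']//uplink_server")

if ($null -eq $cnNode -or -not $cnNode.InnerText.Trim()) {
    $problems.Add('cert_cn is missing or empty')
} else {
    $cn  = $cnNode.InnerText.Trim()
    $now = Get-Date
    # MMC "Computer account > Personal > Certificates" is Cert:\LocalMachine\My
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $cn })
    if ($found.Count -eq 0) {
        $problems.Add("no certificate with CN '$cn' in LocalMachine\My")
    }
    foreach ($c in $found) {
        if (-not $c.HasPrivateKey) {
            $problems.Add("$($c.Thumbprint): no private key, re-import the .p12")
        }
        if ($c.NotBefore -gt $now -or $c.NotAfter -lt $now) {
            $problems.Add("$($c.Thumbprint): outside its validity period")
        }
    }
}

$uri = $null
if ($null -eq $uplinkNode) {
    $problems.Add('no uplink_server found under <name>TMCM</name>')
} elseif (-not [uri]::TryCreate($uplinkNode.InnerText.Trim(), [System.UriKind]::Absolute, [ref]$uri)) {
    $problems.Add('uplink_server is not a valid absolute URL')
} elseif ($uri.Scheme -ne 'https') {
    $problems.Add("uplink_server is not https: $uri")
} elseif (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
    $problems.Add("cannot reach $($uri.Host):$($uri.Port) from this host")
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Smart Relay pre-start checks passed'
}
```

Because the .p12 imports without a password, any copy of it or of WebServer_Key.pem left on disk exposes the private key; remove those copies once the import is confirmed.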
If you are registering to an on-premises Control Manager 7.0 (or later) server, you must first run the OfficeScan as a Service Remote Connection Tool on an endpoint in the DMZ to facilitate communication between the cloud-based OfficeScan SaaS console and the local Control Manager server.
- Go to Administration > Settings > Control Manager.
- Click Register to a Different Control Manager Server.
- Specify the Server FQDN or IP address of the new Control Manager server. You must specify a different on-premise TMCM server than the server that OfficeScan SaaS is currently registered to. If you have set up an endpoint to establish a remote connection to an on-premises TMCM server, specify the Server FQDN or IP address of the remote connection endpoint.
- Specify the Port (HTTPS) of the TMCM server. If you have set up an endpoint to establish a remote connection to an on-premises Control Manager server, specify the Port (HTTPS) of the remote connection endpoint.
- Beside Control Manager certificate, click Browse... and select the certificate file downloaded from the target Control Manager server. To obtain the Control Manager certificate file, go to the on-premise TMCM server and copy the certificate file to the OfficeScan SaaS server from the following location: <TMCM installation folder>\Certificate\CA\TMCM_CA_Cert.pem. If your company uses a customized certificate on the Control Manager server, you must upload the Root CA certificate during the Control Manager registration.
- Log on to the OfficeScan as a Service console.
- Go to Administration > Managed Servers.
- Select "Trend Micro Security (for Mac)" as the Server Type.
- Click the Delete icon on the right side of the Trend Micro Security (for Mac) server hyperlink. Before deleting the Trend Micro Security (for Mac) server, make a copy of the server URL first.
- Log on to the On-premise Control Manager console.
- Go to Administration > Managed Servers.
- Select "OfficeScan" as the Server Type.
- Single Sign-On to OfficeScan as a Service.
- Go to Administration > Account Management > User Accounts.
- Add a User Role as built-in Administrator with Username and Password.
- Navigate to the On-Premise Control Manager console.
- Go to Administration > Managed Servers.
- Select "Trend Micro Security (for Mac)" as the Server Type.
- Click Add and provide the Trend Micro Security (for Mac) server URL, then click Save. Use the server URL you copied in Step 4 and the account/password created in Step 10.
- Wait for a minute, then click Refresh.
- Click the Trend Micro Security (for Mac) as service console hyperlink.