Setting up OfficeScan as a Service Remote Connection to Control Manager (TMCM)

    • Updated: 22 Nov 2017
    • Product/Version: OfficeScan as a Service All.All; OfficeScan XG.All
    • Platform: Windows 2012; Windows 2012 Server R2; Windows 2016
Summary

This article shows you how to create an OfficeScan as a Service Remote Connection to on-premise TMCM.

Details

Prepare a server in the DMZ that can successfully connect to the On-premise Control Manager server.

 
The server in the DMZ must be able to connect to OfficeScan as a Service using port 4433.
  1. Download OfficeScan as a Service remote connection tool and extract it.
  2. Choose one of the following options, depending on your CA, to sign the certificate for the OfficeScan as a Service remote connection tool.

    Option I. For users using the default CA for on-premise Control Manager server, follow the procedure below:

    1. Copy TMCM_SignCert.bat from the "Cert signing script" folder to "\certificate" on the On-premise Control Manager server.
    2. Start a command prompt as an administrator.
    3. Navigate to the <Control Manager installation folder>\certificate folder.
    4. Execute the batch file as administrator from the "<Control Manager installation folder>\certificate" folder by running “<Control Manager installation folder>\certificate\TMCM_SignCert.bat <common name of the host to install OfficeScan as a Service remote connection tool>”.
     
    Choose the common name carefully when signing the certificate. It must be the IP address, host name, or FQDN of the server where the OfficeScan as a Service remote connection tool is installed, and it must be the address that OfficeScan as a Service can connect to.
     
    If you need to run the command more than twice, set “unique_subject = no” in “index.txt.attr” under the folder “<Control Manager installation folder>\certificate\CA”.

    Option II. For users using their own CA for on-premise Control Manager server, please follow the procedure below:

    1. Generate a CSR file for the OfficeScan as a Service Remote Connection Tool by running the following command from the "certificate signing request script" folder.

      cmd: CSRGenerate.bat <common name of the host to install OfficeScan as a Service remote connection tool>

       
      Choose the common name carefully when signing the certificate. It must be the IP address, host name, or FQDN of the server where the OfficeScan as a Service remote connection tool is installed, and it must be the address that OfficeScan as a Service can connect to.
      After the command completes, two (2) files are generated under the SignedCert folder.
      • WebServer_Key.pem
      • WebServer_Req.pem
    2. Generate the certificate with the organization CA: copy the WebServer_Req.pem generated in the previous step to the organization’s CA host and sign the corresponding certificate, for example WebServer_Cert.pem.
    3. Convert the certificate into p12 format: copy WebServer_Cert.pem back to the “certificate signing request script\SignedCert” folder on the OfficeScan as a Service Remote Connection Tool host and execute:

      cmd: CertificateConvert.bat SignedCert\WebServer_Key.pem SignedCert\WebServer_Cert.pem

      After execution, a file SignedCert\WebServer_Cert.p12 will be generated.

  3. Install OfficeScan as a Service remote connection tool on the DMZ host.
    • Put the extracted package files under the "OfficeScan as a Service remote connection tool" folder into "C:\Program Files (x86)\Trend Micro\Smart Relay" (create the folder if needed) on the host and execute install.bat as an administrator to set up Smart Relay as a service.
       
      Do not start the Smart Relay service at this point.
  4. Install the certificate signed by Control Manager on the host where the OfficeScan as a Service remote connection tool is installed.

    1. Copy the certificate “<Control Manager installation Folder>\Certificate\SignedCert\WebServer_Cert.p12” signed from Step 1.2 to the DMZ server.
    2. Open mmc (Microsoft management console) and add Snap-ins by going to File > Add/Remove Snap-in.
    3. Add certificates snap-in and choose Computer account.
    4. Navigate to Personal > Certificates, then right-click on Certificates. Click on All Tasks > Import, and choose WebServer_Cert.p12 we got from Step 1.2. (You do not need to type the password during the certificate import process.)
  5. Configure the OfficeScan as a Service remote connection tool in apricot_config.xml.
    1. Configure the common name of the server where the OfficeScan as a Service remote connection tool is installed.
      <cert_cn>Common_Name_of_Host</cert_cn>
    2. Under the <name>TMCM</name>, configure the address of the Control Manager host.
      <uplink_server>https://Control_Manager_address:port</uplink_server>
  6. Start the Smart Relay service by running “net start smartrelay” command.
  7. Add the IP address and port number of the server where the OfficeScan as a Service remote connection tool is installed to “<Control Manager installation folder>/SystemConfiguration.xml” on the on-premises Control Manager server, using the following elements:
    <m_SaaSReverseProxyAddress> and <m_SaaSReverseProxyPort>
  8. Restart the Trend Micro Control Manager service.
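
A check you can run on the DMZ host after completing the steps above, as an added example that is not part of the original article and is not Trend Micro code. It confirms that <cert_cn> matches a certificate imported into the Local Computer Personal store and that the TMCM uplink is an https address the host can reach. Assumptions: you supply the path to apricot_config.xml (the article does not state it), and <uplink_server> is a sibling of <name>TMCM</name>.

```powershell
# Added example (not Trend Micro code): sanity-check the remote connection tool host.
# Assumption: -ConfigPath points at apricot_config.xml; its location is not given in the article.
param([Parameter(Mandatory)] [string] $ConfigPath)

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
$problems = @()

# <cert_cn>: the common name configured for this host.
$cnNode = Select-Xml -Xml $cfg -XPath '//cert_cn' | Select-Object -First 1
$certCn = if ($cnNode) { $cnNode.Node.InnerText.Trim() } else { '' }
if (-not $certCn) { $problems += 'cert_cn is missing or empty' }

# <uplink_server> for TMCM. Assumption: it shares a parent with <name>TMCM</name>.
$upNode = Select-Xml -Xml $cfg -XPath "//*[name='TMCM']/uplink_server" | Select-Object -First 1
$uplinkRaw = if ($upNode) { $upNode.Node.InnerText } else { '' }
$uri = $null
if (-not ([Uri]::TryCreate($uplinkRaw.Trim(), [UriKind]::Absolute, [ref]$uri)) -or $uri.Scheme -ne 'https') {
    $problems += "uplink_server is not an absolute https URL: '$uplinkRaw'"
} elseif ($uplinkRaw -ne $uplinkRaw.Trim()) {
    $problems += 'uplink_server has leading or trailing whitespace'
}

# Imported certificate: Local Computer > Personal, subject CN equal to cert_cn.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $certCn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $problems += "no certificate with CN '$certCn' in LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey) { $problems += 'certificate was imported without its private key' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }
}

# The DMZ host must be able to reach the on-premise Control Manager server.
if ($uri) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
    } catch {
        $problems += "cannot connect to $($uri.Host):$($uri.Port)"
    } finally {
        $tcp.Close()
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: cert_cn '$certCn' matches an installed certificate and $uri is reachable"
```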
 
OfficeScan as a Service only supports re-registration to on-premise TMCM 7.0 (or later) servers.

If you are registering to an on-premises Control Manager 7.0 (or later) server, you must first run the OfficeScan as a Service Remote Connection Tool on an endpoint in the DMZ to facilitate communication between the cloud-based OfficeScan SaaS console and the local Control Manager server.

    1. Go to Administration > Settings > Control Manager.
    2. Click Register to a Different Control Manager Server.
    3. Specify the Server FQDN or IP address of the new Control Manager server.
       
      You must specify a different on-premise TMCM server than the one OfficeScan SaaS is currently registered to. If you have set up an endpoint to establish a remote connection to an on-premises TMCM server, specify the Server FQDN or IP address of the remote connection endpoint.
    4. Specify the Port (HTTPS) of the TMCM server.
       
      If you have set up an endpoint to establish a remote connection to an on-premises Control Manager server, specify the Port (HTTPS) of the remote connection endpoint.
    5. Beside Control Manager certificate, click Browse... and select the certificate file downloaded from the target Control Manager server. To obtain the Control Manager certificate file, go to the on-premise TMCM server and copy the certificate file to the OfficeScan SaaS server from the following location: <TMCM installation folder>\Certificate\CA\TMCM_CA_Cert.pem.
       
      If your company uses a customized certificate on the Control Manager server, you must upload the Root CA certificate during the Control Manager registration.
    6. If the IIS web server of the on-premises Control Manager server requires authentication, type the user name and password.
    7. Specify the Entity display name that identifies the OfficeScan SaaS server on the Control Manager console. By default, the entity display name includes the server computer's host name and this product's name (for example, Server_OSCE).
    8. Click Connect.
  1. Log on to the OfficeScan as a Service console.
  2. Go to Administration > Managed Servers.
  3. Select Trend Micro Security (for Mac) as server type.
  4. Click the Delete icon on right side of TMSM server hyperlink.
  5. Log on to the on-Premise Control Manager console.
  6. Go to Administration > Managed Servers.
  7. Select OfficeScan as Server Type.
  8. Go to Administration > Account Management > User Accounts.
  9. Add a User Role as built-in Administrator with Username and Password.
  10. Navigate to On-Premise Control Manager console.
  11. Go to Administration > Managed Servers.
  12. Select Trend Micro Security (for Mac) as server type.
  13. Click Add, and provide the SaaS TMSM service information, then click Save (use the account that was created in step 9).
  14. Wait for a minute, then click Refresh.
  15. Click the TMSM service console hyperlink.
Category: Configure; Register
Solution Id: 1118614