Set up a data center gateway

A data center gateway enables communication between Workload Security and your vCenter, allowing Workload Security to retrieve your virtual machine inventory from the vCenter server. Gateways that are installed in your data center contact the vCenter servers on behalf of Workload Security, as seen in the diagram below.

Data center gateways and Workload Security authenticate each other and communicate via encrypted channels (TLS/443).

Each data center gateway maintains a list of addresses for its accessible vCenter servers. While Workload Security intends to synchronize virtual machine data with a vCenter, a connected data center gateway bridges the request from Workload Security to the designated vCenter server.

For layered protection, deploy a firewall around a data center gateway to limit its destination.

Set up a data center gateway

1. Ensure you have the the correct system requirements.

Data center gateways are supported on the following platforms:

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Ubuntu 18.04
  • Ubuntu 20.04

At a minimum, one virtual CPU with 2 GB of memory and 1 GB of disk space is required.

2. Enable Full Access rights on data center gateways.

Go to Administration > User Management > Roles > Properties > Other Rights and select "Full" for Data Center Gateways.

3. Download the data center gateway software.

Date Version RPM Download DEB Download Release Notes
May. 28, 2021 1.0.14 Fixed the issue that the service does not start up automatically at boot time.
Mar. 28, 2021 1.0.12 Updated python library dependencies.
Jan. 25, 2021 1.0.7

Improved instructions on what to do if destination_allow_list.yaml fails to load.

Fixed service startup issue in RedHat.

Dec. 08, 2020 1.0.2

4. Download the data center gateway credential file.

The credential file contains keys and identifiers for authenticating and communicating with Workload Security.

  1. In the Workload Security console, go to Administration > System Settings > Data Center Gateway and click New.
  2. Enter a Display Name, and click Next.
  3. Click Download Credential File.

Note that:

  • You can not change the name of the file, as it is required for installation.
  • This credential file contains secrets and need to be protected properly.
  • You must download a credential file for each data center gateway installation. Sharing configurations with multiple installations could lead to unexpected behavior.

5. Create a list of vCenter servers.

A list of vCenter servers that the data center gateway connects to is required during the installation process. Ensure the addresses in the list are accessible from the data center gateway server. The list should be in YAML format and named destination_allow_list.yaml. For example:

- HostName: "vcenter1.datacenter.internal"
  Port: 443
- HostName: ""
  Port: 443

Note that:

  • The HostName listed in the allow list is the identifier that is used to add vCenter accounts through the Workload Security console or API.
  • Different destinations should not point to the same vCenter server, either through different IP addresses or hostnames, otherwise unexpected behaviors on managed Deep Security Agents might occur.
  • To avoid duplication, if multiple records of destinations are resolved to the same IP address, only the first record with a hostname will take effect (IP address is less preferable). In the example below, Workload Security is able to communicate with the vCenter server with the hostname vc1.dc.internal.
 # Both "vc1.dc.internal" and "" are resolved to
- HostName: ""       # not effective because IP address is less preferable than a hostname resolved to the same address
  Port: 443
- HostName: "vc1.dc.internal"     # effective record
  Port: 443
- HostName: ""  # not effective because it resolved to the same address with previous record
  Port: 443

6. Install the data center gateway.

  1. Enter the following commands (depending on your OS) to install the gateway:
  2. Red Hat Enterprise Linux: $ sudo DCGW_CRED_PATH="<Absolute path to credentials.json>" DCGW_ALLOW_LIST_PATH="<Absolute path to destination_allow_list.yaml>" rpm -ivh /path/to/rpm/file
  3. Ubuntu: $ sudo DCGW_CRED_PATH="<Absolute path to credentials.json>" DCGW_ALLOW_LIST_PATH="<Absolute path to destination_allow_list.yaml>" apt install /path/to/deb/file
  4. Either delete credentials.json and destination_allow_list.yaml or back them up to a secure location. The installer will copy them to /var/opt/c1ws-dcgateway/conf/credentials.json and /var/opt/c1ws-dcgateway/conf/destiantion_allow_list.yaml. It will also set the proper permissions for the files.
  5. Type the following command to check the data center gateway's status: $ journalctl -u c1ws-dcgw.service -f

The vCenter hosts added to the destination list are displayed and that the gateway is running:

If any error messages appear, review the table below:

Error Possible Cause Solution
File path for 'credentials.json' and 'destination_allow_list.yaml' is required, please set variable 'DCGW_CRED_PATH' and 'DCGW_ALLOW_LIST_PATH' to proceed The parameters "DCGW_CRED_PATH" and "DCGW_ALLOW_LIST_PATH" were not assigned during installation. Ensure you've entered the installation command as described above.
File name should contains credentials/destination_allow_list file extension The file name for "DCGW_CRED_PATH" or "DCGW_ALLOW_LIST_PATH" is incorrect. Ensure you've entered the installation command as described above.
No such file, please use 'readlink -f' to get absolute path for credentials.json and destination_allow_list.yaml The given path for "DCGW_CRED_PATH" and "DCGW_ALLOW_LIST_PATH" did not contain the appropriate file. Ensure you've entered the correct absolute path during installation.

Once a data center gateway has been set up, you can Add a VMware vCenter to Workload Security.

Check the data center gateway status and connection

To check the connection between the data center gateway and vCenter, SSH or use a remote desktop to connect to the data center gateway host, then follow the actions below.

Action Command Desired Outcome
Check if the data center gateway is active systemctl status c1ws-dcgw The process is active and running.
Check the data center gateway error log less +G c1ws-dcgw-error.log The data center gateway is functioning and dc-gateway-error.log is empty.
Check the data center gateway log less +G c1ws-dcgw.log The dc-gateway.log shows that the data center gateway intends to connect to vCenter and Workload Security.
Check if the vCenter port is open. By default, it's 443 nc -v vCenter_HOST_IP 443 The data center gateway connects to vCenter without issue.

Upgrade the data center gateway

  1. Copy the RPM / DEB file to the data center gateway computer.
  2. If the computer uses the rpm package manager, enter the command: sudo rpm -U <new data center gateway installer rpm> The "-U" argument instructs the installer to perform an upgrade.
  3. If the computer uses the apt package manager, enter the command: sudo apt --only-upgrade install ./<new data center gateway installer deb>

To confirm if the upgrade is complete:

  1. Check the data center gateway status and connection.
  2. Run the following command, depending on your environment, to confirm the current package version:
  3. RPM package manager: rpm -q --info <data center gateway package name>
  4. APT package manager: apt show <data center gateway package name>

Security best practices

Add a firewall to the data center gateway

The data center gateway uses TLS protocol to communicate with Workload Security and vCenter servers. For host address and port requirements to Workload Security, please refer to the data center gateway ports and URLs for more detail. For requirements to vCenter servers, please refer to the allow list, destination_allow_list.yaml, of the data center gateway.

High availability deployment plan

To protect against potential problems such as software issues, hardware failures, or incorrect change management of a single gateway, we offer an optional high availability (HA) deployment. Please note that data center gateway credentials should not be shared even in an HA scenario.

The diagram below shows a possible deployment of data center gateways.