Set up a data center gateway

A data center gateway enables communication between Workload Security and your vCenter, allowing Workload Security to retrieve your virtual machine inventory from the vCenter server. Gateways that are installed in your data center contact the vCenter servers on behalf of Workload Security, as seen in the diagram below.

Diagram of data center gateway communication

Data center gateways and Workload Security authenticate each other and communicate via encrypted channels (TLS/443).

Each data center gateway maintains a list of addresses for the vCenter servers it can reach. When Workload Security needs to synchronize virtual machine data with a vCenter, a connected data center gateway relays the request from Workload Security to the designated vCenter server.

For layered protection, deploy a firewall around a data center gateway to restrict the destinations it can reach.

Configure a data center gateway

1. Ensure you have the correct system requirements

Data center gateways are supported on the following platforms:

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Ubuntu 18.04
  • Ubuntu 20.04

At a minimum, one virtual CPU with 2 GB of memory and 1 GB of disk space is required.

2. Enable Full Access rights on data center gateways

Go to Administration > User Management > Roles > Properties > Other Rights and select "Full" for Data Center Gateways.

Other Rights tab

3. Download the data center gateway software

Date            Version   Release Notes
Aug. 30, 2021   1.0.17    Enhance tunnel logging and dcgw-control helper supports proxy configuration
Jul. 26, 2021   1.0.15    Data center gateway supports proxy to connect to Trend Micro required internet facing services and internal vCenter destinations
May. 28, 2021   1.0.14    Fixed the issue that the service does not start up automatically at boot time.
Mar. 28, 2021   1.0.12    Updated python library dependencies.
Jan. 25, 2021   1.0.7     Improved instructions on what to do if destination_allow_list.yaml fails to load. Fixed service startup issue in RedHat.
Dec. 08, 2020   1.0.2

4. Download the data center gateway credential file

The credential file contains keys and identifiers for authenticating and communicating with Workload Security.

  1. In the Workload Security console, go to Administration > System Settings > Data Center Gateway and click New.
  2. Enter a Display Name, and click Next.
  3. Click Download Credential File.

Note that:

  • You cannot change the name of the file, as it is required for installation.
  • This credential file contains secrets and needs to be protected properly.
  • You must download a separate credential file for each data center gateway installation. Sharing one configuration across multiple installations could lead to unexpected behavior.

5. Create a list of vCenter servers and configure proxy

A list of vCenter servers that the data center gateway connects to is required during the installation process. Ensure the addresses in the list are accessible from the data center gateway server. The list should be in YAML format and named destination_allow_list.yaml.

Optionally, you can configure a proxy for the data center gateway when the network in which it resides has limited connectivity to the internet or to internal vCenter servers. The data center gateway uses gateway_proxy to establish internet connections to gateway.workload.{region}.trendmicro.com and gateway-control.workload.{region}.trendmicro.com on port 443. Each vCenter destination can have its own proxy setting that the data center gateway uses to connect to internal vCenter servers. You can omit the proxy username and password when the proxy requires no authentication.

For example:

gateway_proxy:
  - HostName: "proxy.to.internet"
    Port: 3128
    Username: "internet_proxy_user"
    Password: "internet_proxy_password"
destinations:
  - HostName: "vcenter1.datacenter.internal"
    Port: 443
  - HostName: "192.168.123.45"
    Port: 443
    Proxy:
      HostName: "proxy.vCenter.internal"
      Port: 3128
      Username: "vcenter_proxy_user"
      Password: "vcenter_proxy_password"

Note that:

  • The HostName listed in the allow list is the identifier that is used to add vCenter accounts through the Workload Security console or API.
  • Different destinations should not point to the same vCenter server, either through different IP addresses or hostnames, otherwise unexpected behaviors on managed Deep Security Agents might occur.
  • To avoid duplication, if multiple destination records resolve to the same IP address, only the first record with a hostname takes effect (an IP address is less preferable than a hostname). In the example below, Workload Security communicates with the vCenter server through the hostname vc1.dc.internal.

# Both "vc1.dc.internal" and "vc1.dc.example.com" resolve to 192.168.100.1
destinations:
  - HostName: "192.168.100.1"       # not effective because an IP address is less preferable than a hostname resolved to the same address
    Port: 443
  - HostName: "vc1.dc.internal"     # effective record
    Port: 443
  - HostName: "vc1.dc.example.com"  # not effective because it resolves to the same address as the previous record
    Port: 443
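The following script is an added example and is not part of the Workload Security data center gateway or its documentation. It checks the shape of the destination_allow_list.yaml described in step 5 (destinations with HostName and Port, optional gateway_proxy and per-destination Proxy, optional proxy Username and Password) and then applies the precedence rule from the note above: records that resolve to the same IP address collapse into one, a hostname record outranks a bare IP record, and among hostname records the first one listed wins. The parsed document is constructed inline (assumption: in practice you would load the file with PyYAML's yaml.safe_load), and DNS is replaced by a constructed lookup table so the script runs offline. Function names are my own.

```python
"""Validate destination_allow_list.yaml and work out which records take effect.

Added example, not product code. The allow list is evaluated on the gateway
host, so a real check should run there and resolve names the way the host does.
"""
import ipaddress

# Constructed stand-in for DNS; a real check would call socket.gethostbyname
# on the gateway host instead of reading this table.
FAKE_DNS = {
    "vc1.dc.internal": "192.168.100.1",
    "vc1.dc.example.com": "192.168.100.1",
    "vcenter2.datacenter.internal": "192.168.100.2",
}

# Constructed document mirroring the page's duplicate-resolution example,
# plus one extra destination (with its own proxy) that resolves to a
# separate address. Assumed to be the output of a YAML loader.
SAMPLE_ALLOW_LIST = {
    "gateway_proxy": [{"HostName": "proxy.to.internet", "Port": 3128}],
    "destinations": [
        {"HostName": "192.168.100.1", "Port": 443},
        {"HostName": "vc1.dc.internal", "Port": 443},
        {"HostName": "vc1.dc.example.com", "Port": 443},
        {"HostName": "vcenter2.datacenter.internal", "Port": 443,
         "Proxy": {"HostName": "proxy.vCenter.internal", "Port": 3128}},
    ],
}


def validate_allow_list(doc):
    """Return a list of structural problems; an empty list means the shape is fine."""
    errors = []
    dests = doc.get("destinations")
    if not isinstance(dests, list) or not dests:
        return ["destinations must be a non-empty list"]
    for i, dest in enumerate(dests):
        for key in ("HostName", "Port"):
            if key not in dest:
                errors.append(f"destinations[{i}] is missing {key}")
        proxy = dest.get("Proxy")
        if proxy is not None and not {"HostName", "Port"} <= set(proxy):
            errors.append(f"destinations[{i}].Proxy needs HostName and Port")
    # gateway_proxy is optional; Username/Password inside it are optional too.
    for i, proxy in enumerate(doc.get("gateway_proxy") or []):
        if not {"HostName", "Port"} <= set(proxy):
            errors.append(f"gateway_proxy[{i}] needs HostName and Port")
    return errors


def is_ip(hostname):
    """True if the HostName value is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def resolve(hostname, dns):
    """Resolve a HostName to an address, or None if it does not resolve."""
    return hostname if is_ip(hostname) else dns.get(hostname)


def effective_destinations(destinations, dns=FAKE_DNS):
    """Return (effective_hostnames, ignored) where ignored is a list of (HostName, reason)."""
    winner = {}   # resolved address -> index of the record that currently wins
    ignored = []
    for idx, dest in enumerate(destinations):
        host = dest["HostName"]
        addr = resolve(host, dns)
        if addr is None:
            ignored.append((host, "does not resolve"))
            continue
        if addr not in winner:
            winner[addr] = idx
            continue
        current = destinations[winner[addr]]["HostName"]
        if is_ip(current) and not is_ip(host):
            # A hostname outranks an earlier bare IP record for the same address.
            ignored.append((current, f"IP address outranked by hostname {host}"))
            winner[addr] = idx
        else:
            ignored.append((host, f"resolves to the same address as {current}"))
    effective = [destinations[i]["HostName"] for i in sorted(winner.values())]
    return effective, ignored


if __name__ == "__main__":
    print("structure:", validate_allow_list(SAMPLE_ALLOW_LIST) or "ok")
    eff, skipped = effective_destinations(SAMPLE_ALLOW_LIST["destinations"])
    print("effective:", eff)
    for host, reason in skipped:
        print(f"ignored {host}: {reason}")
```

Running it on the constructed document reports vc1.dc.internal and vcenter2.datacenter.internal as the effective records and explains why the bare IP record and vc1.dc.example.com are ignored. Because the file also carries proxy credentials, treat it with the same care as credentials.json once it is written to the gateway host.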

6. Install the data center gateway

  1. Enter the following command (depending on your OS) to install the gateway:
     Red Hat Enterprise Linux: $ sudo DCGW_CRED_PATH="<Absolute path to credentials.json>" DCGW_ALLOW_LIST_PATH="<Absolute path to destination_allow_list.yaml>" rpm -ivh /path/to/rpm/file
     Ubuntu: $ sudo DCGW_CRED_PATH="<Absolute path to credentials.json>" DCGW_ALLOW_LIST_PATH="<Absolute path to destination_allow_list.yaml>" apt install /path/to/deb/file
  2. Either delete credentials.json and destination_allow_list.yaml or back them up to a secure location. The installer copies them to /var/opt/c1ws-dcgateway/conf/credentials.json and /var/opt/c1ws-dcgateway/conf/destination_allow_list.yaml and sets the proper permissions on the copies.
  3. Type the following command to check the data center gateway's status: $ journalctl -u c1ws-dcgw.service -f

The output lists the vCenter hosts added to the destination list and shows that the gateway is running:

Console showing that gateway is running

If any error messages appear, review the table below:

Error: File path for credentials.json is required, please set the variable DCGW_CRED_PATH to proceed
Possible cause: The parameter DCGW_CRED_PATH was not assigned during installation.
Solution: Set the variable DCGW_CRED_PATH to the full path of the credentials.json file downloaded in the previous step.

Error: File name should contains credentials or destination_allow_list file extension
Possible cause: DCGW_CRED_PATH or DCGW_ALLOW_LIST_PATH does not contain the required file name.
Solution: Ensure the value of DCGW_CRED_PATH ends with the file name credentials.json, or the value of DCGW_ALLOW_LIST_PATH ends with the file name destination_allow_list.yaml. Do not modify these file names.

Error: No such file, please use readlink -f to get absolute path for credentials.json or destination_allow_list.yaml
Possible cause: The given path for DCGW_CRED_PATH or DCGW_ALLOW_LIST_PATH did not contain the appropriate file.
Solution: Use the readlink -f command to retrieve the correct full path of credentials.json or destination_allow_list.yaml.
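The following pre-flight check is an added example and is not part of the Workload Security installer. It applies, before you run rpm or apt, the conditions behind the three installer errors listed above (variable set, expected file name, absolute path to an existing file, with os.path.realpath standing in for readlink -f) and additionally flags a credential file that other local users can read, since the page states the file contains secrets. The function names and the constructed temporary files in demo() are my own assumptions; no real credential is used.

```python
"""Pre-flight check of the DCGW_CRED_PATH / DCGW_ALLOW_LIST_PATH install inputs.

Added example, not installer code. Run it on the gateway host with the same
environment you intend to pass to rpm -ivh or apt install.
"""
import os
import stat
import tempfile

# Variable name -> the file name the installer insists on (from the page).
EXPECTED = {
    "DCGW_CRED_PATH": "credentials.json",
    "DCGW_ALLOW_LIST_PATH": "destination_allow_list.yaml",
}


def check_install_inputs(env):
    """Return a list of problems for the given environment mapping; empty means ready."""
    problems = []
    for var, expected_name in EXPECTED.items():
        value = env.get(var)
        if not value:
            problems.append(f"{var} is not set; it must point to {expected_name}")
            continue
        if os.path.basename(value) != expected_name:
            problems.append(f"{var} must end with the file name {expected_name} (got {value!r})")
            continue
        if not os.path.isabs(value):
            problems.append(f"{var} is not an absolute path; use the output of readlink -f {value}")
            continue
        if not os.path.isfile(os.path.realpath(value)):
            problems.append(f"{var}: no such file {value}")
            continue
        # Both files carry secrets (credentials, proxy passwords): they should
        # not be readable by group or others before the installer copies them.
        mode = stat.S_IMODE(os.stat(value).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{var}: {value} is readable by group/others (mode {mode:o}); chmod 600 it")
    return problems


def demo():
    """Constructed scenario: one correct set of inputs and one with two mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        cred = os.path.join(tmp, "credentials.json")
        allow = os.path.join(tmp, "destination_allow_list.yaml")
        with open(cred, "w") as fh:
            fh.write('{"note": "constructed placeholder, not a real credential"}\n')
        with open(allow, "w") as fh:
            fh.write('destinations:\n  - HostName: "vc1.dc.internal"\n    Port: 443\n')
        os.chmod(cred, 0o600)
        os.chmod(allow, 0o600)
        good = check_install_inputs({"DCGW_CRED_PATH": cred, "DCGW_ALLOW_LIST_PATH": allow})

        os.chmod(cred, 0o644)  # secret left world-readable
        bad = check_install_inputs({
            "DCGW_CRED_PATH": cred,
            "DCGW_ALLOW_LIST_PATH": "destination_allow_list.yaml",  # relative path
        })
    return good, bad


if __name__ == "__main__":
    ok, failing = demo()
    print("correct inputs:", ok or "ready to install")
    for problem in failing:
        print("problem:", problem)
    # Check the real environment of the current shell as well:
    for problem in check_install_inputs(os.environ):
        print("current environment:", problem)
```

The relative-path case is the one the installer reports as "No such file": the check tells you to pass the readlink -f output instead of guessing a path. The permission check has no counterpart in the installer's error table; it exists because the credential file is a secret that should not sit world-readable in a home directory while you type the install command.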

Once a data center gateway has been set up, you can Add a VMware vCenter to Workload Security.

Check the data center gateway status and connection

To check the connection between the data center gateway and vCenter, SSH or use a remote desktop to connect to the data center gateway host, then follow the actions below.

Action: Check if the data center gateway is active
Command: systemctl status c1ws-dcgw
Desired outcome: The process is active and running.

Action: Check the data center gateway error log
Command: less +G c1ws-dcgw-error.log
Desired outcome: The data center gateway is functioning and dc-gateway-error.log is empty.

Action: Check the data center gateway log
Command: less +G c1ws-dcgw.log
Desired outcome: The dc-gateway.log shows that the data center gateway is attempting to connect to vCenter and Workload Security.

Action: Check if the vCenter port is open (443 by default)
Command: nc -v vCenter_HOST_IP 443
Desired outcome: The data center gateway connects to vCenter without issue.

Upgrade the data center gateway

  1. Copy the RPM / DEB file to the data center gateway computer.
  2. If the computer uses the rpm package manager, enter the command: sudo rpm -U <new data center gateway installer rpm>
     The "-U" argument instructs the installer to perform an upgrade.
  3. If the computer uses the apt package manager, enter the command: sudo apt --only-upgrade install ./<new data center gateway installer deb>

To confirm if the upgrade is complete:

  1. Check the data center gateway status and connection.
  2. Run the following command, depending on your environment, to confirm the current package version:
     RPM package manager: rpm -q --info <data center gateway package name>
     APT package manager: apt show <data center gateway package name>

Security best practices

Add a firewall to the data center gateway

The data center gateway uses TLS to communicate with Workload Security and vCenter servers. For the host addresses and ports it needs to reach Workload Security, refer to the data center gateway ports and URLs. For the vCenter servers it needs to reach, refer to the gateway's allow list, destination_allow_list.yaml.

High availability deployment plan

To protect against potential problems such as software issues, hardware failures, or incorrect change management of a single gateway, we offer an optional high availability (HA) deployment. Please note that data center gateway credentials should not be shared even in an HA scenario.

The diagram below shows a possible deployment of data center gateways.

Diagram of high availability deployment