Topics on this page
Set up a data center gateway
If you want Workload Security to get an inventory of your computers from your VMware vCenter and/or Active Directory servers, then you must put a data center gateway between them, as shown in the diagram below. The data center gateway proxies the connections between them.
For high availability (HA) in case of network interruptions or component failures, you can also deploy multiple data center gateways as shown in the diagram below.
Basic steps include:
- Verify system requirements
- Grant permissions
- Download the data center gateway software
- Download the credential files
- Configure the vCenter/Active Directory servers and proxies (if any)
- Install the data center gateway
Verify system requirements
Data center gateways are supported on:
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Ubuntu Linux 18.04
- Ubuntu Linux 20.04
Minimum hardware requirements:
- 1 CPU or virtual CPU (vCPU)
- 2 GB memory (RAM)
- 1 GB free disk space
Firewalls and proxies must also allow network connections with required port numbers, host names, and IP addresses
During installation, you will be required to configure the data center gateway with its authentication credentials. Because these credentials do not belong to your own user account, an administrator must grant special permissions to access them.
- On Workload Security, go to Administration > User Management > Roles.
- Edit the role of the user who will download credentials for the data center gateways.
- Select Properties > Other Rights. For Data Center Gateways, select Full.
Download the data center gateway software
Download an RPM file for Red Hat Enterprise Linux, and a DEB file for Ubuntu.
Download the credential files
Each credential file contains keys and identifiers that its data center gateway will use to authenticate and communicate with Workload Security.
- On Workload Security, go to Administration > System Settings > Data Center Gateway.
- Click New.
- Enter a Display Name. Click Next.
- Click Download Credential File. Don't change the name of the file. It is required by the installer.
- Repeat the previous steps to download one credential file for each data center gateway that you will install.
Only use a credential file with its own data center gateway. Even data center gateways that are deployed as high availability (HA) pairs have unique credential files. Copying the same file to multiple installations could lead to unexpected behavior.
Keep the credential files in a secure place and use permissions to restrict access. Keys are secrets, similar to passwords. Unauthorized access can result in security compromise.
Configure the vCenter/Active Directory servers and proxies (if any)
During installation, you will need to provide a list of VMware vCenter and/or Microsoft Active Directory servers that the data center gateway connects to. Use a plaintext editor to write the list. The list must be in YAML format and named
Use a linter to verify that the list is in valid YAML format. Invalid files cannot be used by the installer.
Verify that the data center gateway can reach all network addresses in the list. If data center gateways must connect through a proxy to the Internet, or to the internal network's vCenter and/or Active Directory servers, then also configure the data center gateway to use the proxies.
destination_allow_list.yaml could contain:
gateway_proxy: - HostName: "internet.proxy.example.com" Port: 3128 Username: "intenet_proxy_user" Password: "internet_proxy_password" destinations: - HostName: "vcenter1.datacenter.internal" Port: 443 - HostName: "192.168.123.45" Port: 443 - HostName: "adserver1.datacenter.internal" Port: 389 - HostName: "192.168.123.46" Port: 389 Proxy: HostName: "proxy.vCenter.internal" Port: 3128 Username: "vcenter_proxy_user" Password: "vcenter_proxy_password"
gateway_proxysection defines the proxy that the data center gateway will use to connect to Workload Security.
destinationssection defines the vCenter and/or Active Directory servers and the proxies used to connect to them (if any).
HostNameis the identifier that is used to add vCenter/Active Directory servers in the Workload Security console or API.
Passwordare the login that the data center gateway uses to connect to a proxy. Omit them if no authentication is required.
destination_allow_list.yaml in a secure place and use permissions to restrict access. It contains passwords. Unauthorized access can result in security compromise.
HostName must be unique. If the domain name or IP address point to the same vCenter/Active Directory server as another
HostName, it can cause unexpected behaviors on managed agents.
To avoid duplication if multiple
HostName entries resolve to the same IP address, only the first domain name will take effect. Domain names take precedence over IP addresses. For example, given the configuration below, the data center gateway will communicate with a vCenter server at the hostname
# Both "vc1.dc.internal" and "vc1.dc.example.com" resolve to 192.168.100.1 destinations: - HostName: "192.168.100.1" # Does not take effect because hostnames take precedence over IP addresses Port: 443 - HostName: "vc1.dc.internal" # Takes effect Port: 443 - HostName: "vc1.dc.example.com" # Does not take effect because it resolves to the same IP address as previous hostname Port: 443
Install the data center gateway
On the server where you want to install the data center gateway, upload the installer, authentication credentials, and configuration file, and then enter the installer command:
- Red Hat Enterprise Linux:
sudo DCGW_CRED_PATH="</absolute/path/to/credentials.json>" DCGW_ALLOW_LIST_PATH="</absolute/path/to/destination_allow_list.yaml>" rpm -ivh /path/to/rpm/file
sudo DCGW_CRED_PATH="</absolute/path/to/credentials.json>" DCGW_ALLOW_LIST_PATH="</absolute/path/to/destination_allow_list.yaml>" apt install /path/to/deb/file
If any of the following error messages appear, then correct the problem and try again.
|Error Message||Possible Cause||Solution|
|File path for
||Set the variable
|File name should contains credentials or destination_allow_list file extension||
||Verify that the value of
Do not modify these file names.
|No such file, please use
||The given path for
||Use the command
When the installation has succeeded, either delete
destination_allow_list.yaml or back them up to a secure location. (The installer copies them to
/var/opt/c1ws-dcgateway/conf/destiantion_allow_list.yaml with correct permissions. You don't need to keep the original files.)
Verify the status of the data center gateway
To determine if the data center gateway is active (its process is running), use SSH or Remote Desktop to connect to its server and then enter the command:
journalctl -u c1ws-dcgw.service -f
or the command:
systemctl status c1ws-dcgw
It should display the status, and which vCenter and/or Active Directory servers have been added:
Status only shows which servers have been added to the list of destinations. It does not test the network connections with vCenter or Active Directory, which must be done separately.
Also enter this command to verify that the error log is empty:
less +G c1ws-dcgw-error.log
Verify the network connections for a data center gateway
To verify that vCenter or Active Directory server's port is open and that it is reachable from the data center gateway, log into the data center gateway server and enter the command:
nc -v SERVER_HOST_IP SERVER_HOST_PORT
SERVER_HOST_IPis the hostname or IP address of the vCenter or Active Directory server.
SERVER_HOST_PORTis the listening port number. By default, it's 443 for vCenter, and 389(StarTLS)/636(LDAPS) for Active Directory.
The connection test should succeed.
If it does not succeed, then verify that the port number is open. Also verify DNS settings and any routers, firewalls, and proxies between them. (If there is a proxy, the connection must succeed to the proxy, not directly to the vCenter or Active Directory server.)
If the connection test shows that the servers are reachable, but Workload Security is still not receiving data, then examine the data center gateway error log and logs that show connection attempts:
less +G c1ws-dcgw.log
It should show connection attempts to both vCenter or Active Directory servers (
destination) and Workload Security FQDNs. Verify the configured host names and port numbers.
Upgrade the data center gateway
On the server where you want to upgrade the data center gateway, upload the RPM or DEB file and then enter the upgrade command:
- Red Hat Enterprise Linux:
sudo rpm -U <new data center gateway installer rpm>
- Ubuntu Linux:
sudo apt --only-upgrade install ./<new data center gateway installer deb>
To verify that the upgrade is complete: