Topics on this page
This feature is part of a controlled release and is in preview.
Set up a data center gateway
A data center gateway enables communication between Workload Security and your vCenter, allowing Workload Security to retrieve your virtual machine inventory from the vCenter server. Gateways that are installed in your data center contact the vCenter servers on behalf of Workload Security, as seen in the diagram below.
Data center gateways and Workload Security authenticate each other and communicate via encrypted channels (TLS/443).
Each data center gateway maintains a list of addresses for its accessible vCenter servers. While Workload Security intends to synchronize virtual machine data with a vCenter, a connected data center gateway bridges the request from Workload Security to the designated vCenter server.
For layered protection, deploy a firewall around a data center gateway to limit its destination.
Set up a data center gateway
1. Ensure you have the the correct system requirements.
Data center gateways are supported on the following platforms:
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Ubuntu 18.04
- Ubuntu 20.04
At a minimum, one virtual CPU with 2 GB of memory is required.
2. Enable Full Access rights
Go to Administration > User Management > Roles > Properties > Other Rights and select "Full" for Data Center Gateways.
|Date||Version||RPM Download||DEB Download|
|Nov. 17, 2020||0.0.59|
4. Download the data center gateway credential file.
During the preview stage, you need to have Full Access to download the credential file.
The credential file contains keys and identifiers for authenticating and communicating with Workload Security.
- In the Workload Security console, go to Administration > System Settings > Data Center Gateway and click New.
- Enter a Display Name, and click Next.
- Click Download Credential File.
- You can not change the name of the file, as it is required for installation.
- This credential file contains secrets and need to be protected properly.
- You must download a credential file for each data center gateway installation. Sharing configurations with multiple installations could lead to unexpected behavior.
5. Create a list of vCenter servers.
A list of vCenter servers that the data center gateway connects to is required during the installation process. Ensure the addresses in the list are accessible from the data center gateway server. The list should be in YAML format and named
destination_allow_list.yaml. For example:
destinations: - HostName: "vcenter1.datacenter.internal" Port: 443 - HostName: "192.168.123.45" Port: 443
HostNamelisted in the allow list is the identifier that is used to add vCenter accounts through the Workload Security console or API.
destinationsshould not point to the same vCenter server, either through different IP addresses or hostnames, otherwise unexpected behaviors on managed Deep Security Agents might occur.
- To avoid duplication, if multiple records of
destinationsare resolved to the same IP address, only the first record with a hostname will take effect (IP address is less preferable). In the example below, Workload Security is able to communicate with the vCenter server with the hostname
Both "vc1.dc.internal" and "vc1.dc.example.com" are resolved to 192.168.100.1 destinations: - HostName: "192.168.100.1" # not effective because IP address is less preferable than a hostname resolved to the same address Port: 443 - HostName: "vc1.dc.internal" # effective record Port: 443 - HostName: "vc1.dc.example.com" # not effective because it resolved to the same address with previous record Port: 443
6. Install the data center gateway.
- Enter the following commands (depending on your OS) to install the gateway:
- Red Hat Enterprise Linux:
$ sudo DCGW_CRED_PATH="<Absolute path to credentials.json>" DCGW_ALLOW_LIST_PATH="<Absolute path to destination_allow_list.yaml>" rpm -ivh /path/to/rpm/file
$ sudo DCGW_CRED_PATH="<Absolute path to credentials.json>" DCGW_ALLOW_LIST_PATH="<Absolute path to destination_allow_list.yaml>" apt install /path/to/deb/file
- Either delete
destination_allow_list.yamlor back them up to a secure location. The installer will copy them to
/var/opt/c1ws-dcgateway/conf/destiantion_allow_list.yaml. It will also set the proper permissions for the files.
- Type the following command to check the data center gateway's status:
$ journalctl -u c1ws-dcgateway.service -f
The vCenter hosts added to the destination list are displayed and that the gateway is running:
If any error messages appear, review the table below:
|File path for 'credentials.json' and 'destination_allow_list.yaml' is required, please set variable 'DCGW_CRED_PATH' and 'DCGW_ALLOW_LIST_PATH' to proceed||The parameters "DCGW_CRED_PATH" and "DCGW_ALLOW_LIST_PATH" were not assigned during installation.||Ensure you've entered the installation command as described above.|
|File name should contains credentials/destination_allow_list file extension||The file name for "DCGW_CRED_PATH" or "DCGW_ALLOW_LIST_PATH" is incorrect.||Ensure you've entered the installation command as described above.|
|No such file, please use 'readlink -f' to get absolute path for credentials.json and destination_allow_list.yaml||The given path for "DCGW_CRED_PATH" and "DCGW_ALLOW_LIST_PATH" did not contain the appropriate file.||Ensure you've entered the correct absolute path during installation.|
Once a data center gateway has been set up, you can Add a VMware vCenter to Workload Security.
To check the connection between the data center gateway and vCenter, SSH or use a remote desktop to connect to the data center gateway host, then follow the actions below.
|Check if the data center gateway is active||
||The process is active and running.|
|Check the data center gateway error log||
||The data center gateway is functioning and dc-gateway-error.log is empty.|
|Check the data center gateway log||
||The dc-gateway.log shows that the data center gateway intends to connect to vCenter and Workload Security.|
|Check if the vCenter port is open. By default, it's 443||
||The data center gateway connects to vCenter without issue.|
Upgrade the data center gateway
- Copy the RPM / DEB file to the data center gateway computer.
- If the computer uses the rpm package manager, enter the command:
sudo rpm -U <new data center gateway installer rpm>The "-U" argument instructs the installer to perform an upgrade.
- If the computer uses the apt package manager, enter the command:
sudo apt --upgrade-only install ./<new data center gateway installer deb>
To confirm if the upgrade is complete:
- Check the data center gateway status and connection.
- Run the following command, depending on your environment, to confirm the current package version:
- RPM package manager:
rpm -q --info <data center gateway package name>
- APT package manager:
apt show <data center gateway package name>
Security best practices
Add a firewall to the data center gateway
The data center gateway uses TLS protocol to communicate with Workload Security and vCenter servers. For host address and port requirements to Workload Security, please refer to the data center gateway ports and URLs for more detail. For requirements to vCenter servers, please refer to the allow list,
destination_allow_list.yaml, of the data center gateway.
High availability deployment plan
To protect against potential problems such as software issues, hardware failures, or incorrect change management of a single gateway, we offer an optional high availability (HA) deployment. Please note that data center gateway credentials should not be shared even in an HA scenario.
The diagram below shows a possible deployment of data center gateways.