Views:
When using the File Security Virtual Appliance (FSVA) deployed as a Service Gateway instance, no additional configuration is required to enable ONTAP agent support. Both the scanner (gRPC) and management (WebSocket) endpoints are built into the appliance and available at port 443 out of the box.

Endpoints

Service
Protocol
Endpoint
Port
Scanner (gRPC) gRPC over TLS <instance IP> 443
Management (WebSocket) WSS <instance IP>/ontap 443
These correspond to the Scanner Service endpoint and Management Service endpoint fields in the ONTAP agent installer.

Network requirements

Ensure the following inbound rule is open on the Service Gateway instance security group (or equivalent firewall):
Type
Protocol
Port
Source
Reason
HTTPS/WSS/gRPC TCP 443 Vscan server IP / CIDR ONTAP agent scanner + management traffic
Note
Note
Port 443 is already required for SDK scan clients per the FSVA Inbound/Outbound Configuration. If you previously opened 443 only to your SDK client CIDRs, expand the source to include the Vscan server IP as well.

Test the endpoints

Before installing the ONTAP agent, verify both endpoints from the Vscan server:
Management Service (expect 401 — confirms connectivity, not authentication):
websocat --exit-on-eof wss://<instance IP>/ontap
Scanner Service:
tmfs scan file:<sample-file> --endpoint=<instance IP>

Generate an onboarding token for the ONTAP agent

  1. Log in to the Service Gateway instance as sgowner
  2. Find the management service container. All FSVA containers run in a single pod under the sg-sfs-scanner namespace. Get the current pod name:
    kubectl get pods -n sg-sfs-scanner
    For further kubectl operations on the Service Gateway instance, refer to KA-0014380.
  3. Exec into the management service container:
    kubectl exec -it <pod-name> -n sg-sfs-scanner -c sg-sfs-scanner-management-service -- bash
    Example:
    kubectl exec -it sg-sfs-scanner-6db74d58c-47g5p -n sg-sfs-scanner -c sg-sfs-scanner-management-service -- bash
  4. Create an agent slot and issue an onboarding token:
    clish agent create --name <agent-name>
    clish agent onboarding-token issue --instance <agent-name>

Install the ONTAP agent

  • Install on the Windows Vscan server.
  • Configure the ONTAP agent with:
    • Generated onboarding token
    • Scanner Service endpoint: <instance IP>
    • Management Service endpoint: <instance IP>/ontap

Configure the ONTAP agent with the Management Service

  1. Exec into the management service container.
  2. Check the agent connection status:
    clish agent show --instance <agent-name>
  3. Configure privileged-user credentials:
    clish agent credential modify --instance <agent-name>

Verification

Run vserver vscan connection-status show-all on the ONTAP management console and verify the agent connection status via clish agent show.