When using the File Security Virtual Appliance (FSVA) deployed as a Service Gateway
instance, no additional configuration is required to enable ONTAP agent support. Both
the scanner (gRPC) and management (WebSocket) endpoints are built into the appliance
and available at port 443 out of the box.
Endpoints
|
Service
|
Protocol
|
Endpoint
|
Port
|
| Scanner (gRPC) | gRPC over TLS | <instance IP> |
443 |
| Management (WebSocket) | WSS | <instance IP>/ontap |
443 |
These correspond to the Scanner Service endpoint and Management Service endpoint fields in the ONTAP agent installer.
Network requirements
Ensure the following inbound rule is open on the Service Gateway instance security
group (or equivalent firewall):
|
Type
|
Protocol
|
Port
|
Source
|
Reason
|
| HTTPS/WSS/gRPC | TCP | 443 | Vscan server IP / CIDR | ONTAP agent scanner + management traffic |
NotePort 443 is already required for SDK scan clients per the FSVA Inbound/Outbound Configuration. If you previously opened 443 only to your SDK client CIDRs, expand the source to
include the Vscan server IP as well.
|
Test the endpoints
Before installing the ONTAP agent, verify both endpoints from the Vscan server:
Management Service (expect 401 — confirms connectivity, not authentication):
websocat --exit-on-eof wss://<instance IP>/ontap
Scanner Service:
tmfs scan file:<sample-file> --endpoint=<instance IP>
Generate an onboarding token for the ONTAP agent
-
Log in to the Service Gateway instance as
sgowner -
Find the management service container. All FSVA containers run in a single pod under the
sg-sfs-scannernamespace. Get the current pod name:kubectl get pods -n sg-sfs-scanner
For furtherkubectloperations on the Service Gateway instance, refer to KA-0014380. -
Exec into the management service container:
kubectl exec -it <pod-name> -n sg-sfs-scanner -c sg-sfs-scanner-management-service -- bash
Example:kubectl exec -it sg-sfs-scanner-6db74d58c-47g5p -n sg-sfs-scanner -c sg-sfs-scanner-management-service -- bash
-
Create an agent slot and issue an onboarding token:
clish agent create --name <agent-name> clish agent onboarding-token issue --instance <agent-name>
Install the ONTAP agent
-
Download the ONTAP agent installer (MSI).
-
Install on the Windows Vscan server.
-
Configure the ONTAP agent with:
-
Generated onboarding token
-
Scanner Service endpoint:
<instance IP> -
Management Service endpoint:
<instance IP>/ontap
-
Configure the ONTAP agent with the Management Service
-
Exec into the management service container.
-
Check the agent connection status:
clish agent show --instance <agent-name>
-
Configure privileged-user credentials:
clish agent credential modify --instance <agent-name>
Verification
Run
vserver vscan connection-status show-all on the ONTAP management console and verify the agent connection status via clish agent show.
