Deploy a Service Gateway virtual appliance and enable the Zero Trust Internet Access On-Premises Gateway service.

The Zero Trust Internet Access On-Premises Gateway service supports the following external connections via a proxy server:
  • Communication with Trend Vision One to get the latest settings and policies
  • Queries to services such as Web Reputation Services and ActiveUpdate
  • Forwarding of both HTTP and HTTPS end-user web traffic to final destinations
Important
The Internet Access On-Premises Gateway requires high levels of system resources. To avoid negative impact on system performance, Trend Micro recommends setting up the on-premises gateway on an appliance with no other installed or enabled services.

Procedure

  1. On the Trend Vision One console, go to Zero Trust Secure Access > Secure Access Configuration > Internet Access and AI Service Access Configuration.
  2. On the Gateways tab, click Deploy New On-Premises Gateway.
  3. Set up an Internet Access On-Premises Gateway by clicking Go to Service Gateway Inventory.
    Important
    Only Service Gateway 2.0 and later supports the Zero Trust Internet Access On-Premises Gateway service.
    1. Select an existing Service Gateway that identifies your corporate location, or deploy a new Service Gateway virtual appliance for the Zero Trust Internet Access On-Premises Gateway service.
      Important
      Disable Cloud Service Extension on the Service Gateway when using the Internet Access On-Premises Gateway service. The cloud service extension might interfere with normal operations of the on-premises gateway. For more information, see Configuring Service Gateway settings.
    2. Install and enable the Zero Trust Internet Access On-Premises Gateway service. For details, see Managing services in Service Gateway.
  4. After the deployment completes, check the service status and other information about the on-premises gateway under On-Premises Gateways in Internet Access and AI Service Access Configuration.
  5. Configure the settings for the on-premises gateway by clicking the edit icon.
    • Configure basic settings such as the corporate location name and time zone, and add an optional description as needed. The default location name is the hostname of the Service Gateway virtual appliance running the on-premises gateway.
    • Choose a service mode for the on-premises gateway and configure the required settings.
    The following outlines the available service modes for the on-premises gateway and the configuration options for each.
    Service mode: Forward proxy
    In forward proxy mode, you may configure the following settings:
    • User Authentication: Require user authentication for endpoints connecting without the Secure Access Module installed
      • If desired, select or create
        • Private IP address groups for connected endpoints without the Secure Access Module that may always bypass user authentication
        • Private IP address groups for connected endpoints that may never bypass user authentication
      • Note
        Disabling user authentication for endpoints connecting without the Secure Access Module installed enforces Internet Access rules on the endpoints when connected.
    • Upstream Proxy Rules: Enable upstream proxy rules to specify the upstream proxy used for data traffic sent to specific IP addresses, domains, or subdomains
    Service mode: ICAP
    Enables the on-premises gateway to act as an Internet Content Adaptation Protocol (ICAP) server to handle threat protection or data loss prevention (DLP) on HTTP requests (default port 1344). Use the supplied REQMOD and RESMOD URLs to configure your ICAP clients.
    • Enable ICAP over SSL to connect your ICAP clients to the on-premises gateway over a secure connection (default port 11344). You may use the default SSL certificate or provide a custom certificate with private key and passphrase.
    • If desired, select specific ICAP response and request headers to use.
    Important
    On-premises gateways in ICAP service mode can only integrate with ICAP v1.0-compliant proxy servers and do not support:
    • HTTPS inspection
    • HTTP/HTTPS traffic filters
    • Botnet detection
    • Tenancy restrictions
    • Device posture-based access control
    • End-user authentication
    • Risk control rules
    • Bandwidth control
    • Rate limiting
    Service mode: Reverse proxy
    Important
    • To use reverse proxy mode, ensure you have updated your Service Gateway and corresponding Internet Access On-Premises Gateway service to the latest version.
    • Rate limiting capabilities enabled by reverse proxy mode only apply to on-premises gateways protecting private generative AI services.
    • On-premises gateways protecting generative AI services must be deployed in front of the server hosting the service in order to receive and manage requests.
    Reverse proxy mode enables the on-premises gateway to apply access control, threat protection, data loss prevention (DLP), or rate limiting on HTTP requests to configured private apps or generative AI services (default port 8088). For more information, see Configuring reverse proxy mode.
    • Enable an HTTPS listening port to handle secure requests (default port 8443). You may use the default SSL certificate or provide a custom certificate with private key and passphrase.
    • Provide the name of the private app you wish to protect and specify whether it is a general app or a private generative AI service.
    • If desired, specify the FQDN or IP address and port used for the private app along with the weight of traffic (from 0 to 100 percent) to be routed through the FQDN/IP. You may provide up to 10 FQDNs or IP addresses.
    • Once reverse proxy mode is configured, you may configure rate limiting rules targeting requests to the on-premises gateway if the protected app is a private generative AI service. For more information, see Managing rate limiting rules.
    Important
    In order to use reverse proxy mode to protect a private generative AI service and apply rate limiting to connecting endpoints, you must configure the server hosting your private generative AI service to add the original endpoint IP addresses to the X-Forwarded-For request header. Otherwise, the on-premises gateway cannot identify the endpoint.
  6. If desired, configure additional settings for the on-premises gateway.
    The following describes the additional settings you may choose to enable when configuring the on-premises gateway.
    Setting: Log Forwarding
    Choose whether to upload detection logs or activity data to Trend Vision One or to send activity data to a separate syslog server in Common Event Format (CEF).
    • To send activity data to a syslog server, specify the server address, port, and protocol used for communication with the server.
    • For more information about content mapping between Internet Access log output and CEF syslog format, see Syslog content mapping - CEF.
    Setting: Deep Discovery Analyzer
    Integrate and configure existing Deep Discovery Analyzer appliances to collect file samples from the on-premises gateway for analysis.
    Tip
    Configuring both a primary and a secondary Deep Discovery Analyzer appliance allows for increased appliance availability.
  7. Click Save.
  8. Configure and apply PAC files to forward HTTP/HTTPS traffic to the on-premises gateway.
    1. Add the FQDN or IP address of the on-premises gateway to one or multiple PAC files that you use for proxy settings.
    2. Apply the PAC files to deployed Secure Access Modules.
  9. Configure bandwidth control to optimize network performance on the on-premises gateway.
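A PAC file of the kind step 8 calls for, written here as an added example (it is not from this documentation or the product): internet-bound HTTP/HTTPS traffic goes to the on-premises gateway, internal destinations go direct. The gateway FQDN and port, the internal domain and the LAN range are placeholder assumptions.

```javascript
// Added example (not from the Trend Micro documentation): a PAC file that
// sends HTTP/HTTPS traffic for internet destinations through the Internet
// Access On-Premises Gateway and lets internal destinations go direct.
// Assumed placeholder values: gateway FQDN onprem-gw.corp.example, listening
// port 8080, internal domain corp.example, private LAN 10.0.0.0/8.
var GATEWAY = "PROXY onprem-gw.corp.example:8080";

// isPlainHostName, dnsDomainIs and isInNet are standard PAC helpers supplied
// by the PAC engine. The shims below only exist so the file also runs under
// Node.js for testing; a real engine already defines the names and skips them.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
  globalThis.isInNet = function (ip, pattern, mask) {
    var toInt = function (a) {
      var p = a.split(".");
      return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0)) >>> 0;
    };
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(pattern) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The gateway forwards HTTP and HTTPS only; other schemes (ftp: etc.) go direct.
  if (url.substring(0, 5) !== "http:" && url.substring(0, 6) !== "https:") {
    return "DIRECT";
  }
  // Unqualified hostnames and the internal domain stay on the corporate network.
  if (isPlainHostName(host) || host === "corp.example" || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Loopback and the private LAN. The IP-literal check keeps the PAC file from
  // triggering a DNS lookup for every external hostname via isInNet.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host, "10.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // Everything else is internet traffic: hand it to the on-premises gateway.
  // Append "; DIRECT" only if bypassing inspection while the gateway is
  // unreachable is an acceptable trade-off for availability.
  return GATEWAY;
}
```

Deploy the file through the PAC settings applied to the Secure Access Modules, as in step 8, and keep the bypass list to the internal ranges that must never be proxied.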