
Launch a Service Gateway virtual appliance from Google Cloud Platform (GCP) using a deployment package.

If you do not have VMware, Microsoft Hyper-V, or Nutanix AHV in your environment, you can deploy the Service Gateway virtual appliance from GCP using a deployment package. Before you begin, review the Service Gateway appliance system requirements to ensure your virtual appliance has the settings needed to deploy the services you want to use.
Note: The steps contained in these instructions are valid as of June 2025.
Note: This feature is not available in all regions.

Procedure

  1. Obtain the Service Gateway registration token.
    1. On the Trend Vision One console, go to Workflow and Automation > Service Gateway Management.
    2. Click Download Virtual Appliance.
    3. Copy the Registration Token.
      Note: The registration token is used to register the Service Gateway virtual appliance to Service Gateway Inventory after installation and setup are complete. The registration token expires after 24 hours if not used.
  2. To initiate the instance launch, sign in to the Google Cloud portal.
  3. Create a firewall policy for the Service Gateway virtual appliance you want to deploy.
    1. In the Google Cloud portal, open the navigation menu at the upper left of the screen. Go to VPC Network > Firewall.
      Note: If you don't see the service, use the search bar at the top of the screen to search for Firewall. Find Firewall under Search results.
    2. Click Create firewall policy.
    3. In the 1 Configure policy step, specify a Policy name, select the deployment scope of the firewall policy, and click Continue.
    4. In the 2 Add rules step, click Create firewall rule to create a new firewall rule for the Service Gateway virtual appliance.
    5. On the Create a firewall rule panel on the right, configure the firewall rule settings.
      1. For Priority, specify a positive integer.
        For more information on priority, refer to the Google Cloud documentation.
      2. For Direction of traffic, select Ingress.
      3. For Action on match, select Allow.
      4. For Target, select the instance where you would like to apply this firewall rule.
      5. For Source network type, select the network type that matches the source the ingress traffic comes from.
      6. For Source filters, specify the IP type and IP ranges of the source.
        Note: Trend Micro recommends specifying the source IP addresses/CIDR ranges that are within your network.
      7. For Protocols and ports, select Specified protocols and ports, select TCP, and add the ports according to the following table.
        | Service | Destination port ranges | Protocol | Action | Description |
        |---|---|---|---|---|
        | SSH | 22 | TCP | Allow | For accessing Service Gateway virtual appliance CLISH command |
        | HTTP | 80 | TCP | Allow | Service enabled queries for on-premises Active Directory servers, connected Trend Micro products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party Integration |
        | HTTPS | 443 | TCP | Allow | Service enabled queries for on-premises Active Directory servers, connected Trend Micro products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party Integration |
        | Custom TCP | 5274 | TCP | Allow | Web Reputation Services or Web Inspection Service queries |
        | Custom TCP | 5275 | TCP | Allow | Web Reputation Services or Web Inspection Service queries |
        | Custom TCP | 8080 | TCP | Allow | Forward Proxy Service listening port for connection |
        | Custom TCP | 8088 | TCP | Allow | Zero Trust Secure Access On-Premises Gateway listening port for connection |
      8. For Enforcement, select Enabled.
      9. Review the configuration of this firewall rule, then click Create.
      10. Select the firewall just created, and click Continue.
    6. In the 3 Associate policy with VPC networks (optional) step, click Associate to associate this firewall policy with existing VPC networks.
      Note: If you do not have any VPC network, refer to Google Cloud documentation to create one.
    7. Review the configuration of this firewall policy, then click Create.
  4. Create a VM instance.
    1. Go to Compute Engine > VM instances.
    2. In the Virtual instances screen, click Create instance.
    3. In the Create an instance screen, choose Create VM from…Marketplace.
    4. In the Marketplace screen, select Trend Vision One™ Service Gateway to deploy.
      1. In the Marketplace screen, search for the product Trend Vision One™ Service Gateway.
      2. Select Trend Vision One™ Service Gateway in the results.
      3. Click Get Started and agree to the terms and agreements before the deployment.
      4. A dialog for successfully agreeing to terms will pop up. Click Deploy to proceed.
      5. Click Launch to proceed with the deployment.
      6. Choose one of the following ways to deploy Trend Vision One™ Service Gateway.
        Deployment method: Terraform
        1. Specify a Deployment name.
        2. In the Deployment Service Account section:
          1. Select an Existing account which has the roles/config.agent, roles/compute.admin, and roles/iam.serviceAccountUser roles, or create a new account for the deployment.
          2. Select a Zone for the location where Trend Vision One™ Service Gateway will be deployed.
        3. In the Machine type section, select a machine type that meets the specifications for your deployment.
          Note: The default machine type is e2-highcpu-16 with 16 vCPU and 16 GB memory. For more information, see Service Gateway appliance system requirements.
        4. In the Boot Disk section:
          • Select the disk type that meets the specifications for your deployment in Boot disk type.
          • Specify a disk size for Boot disk size in GB.
          Note: The default disk size and disk type are 500 GB and Balanced Persistent Disk, respectively. For more information, see Service Gateway appliance system requirements.
        5. In the Network interfaces section, edit the following settings of the network interface:
          • Select the VPC where the firewall policy created in previous steps is applied for Network.
          • Select the desired subnetwork for Subnetwork.
            Note: Refer to the Google Cloud documentation on how to set up a VPC network and subnets.
          • Select None for External IP.
        6. Review the VM instance settings, and click Deploy to deploy Trend Vision One™ Service Gateway.
        Deployment method: Command-line deployment
        1. Agree to the terms of service and click Next.
        2. In the Configure a service account (Optional) section, click Configure to select an existing account which has the roles/compute.admin and roles/iam.serviceAccountUser roles, or create a new account for the deployment.
        3. In the Configure gcloud section, run all the mentioned commands to configure the gcloud environment.
          Note: Install gcloud before running these commands.
        4. In the Review VM images section, click Download to download the zipped file, which includes the Terraform scripts for deploying Trend Vision One™ Service Gateway, to your local environment.
        5. Unzip the downloaded file.
        6. Click SHOW COMMAND to display all the required Terraform commands for the deployment.
        7. Open a terminal, change the current directory to the unzipped folder, and run all the Terraform commands mentioned in step 6 for deploying a Trend Vision One™ Service Gateway VM instance to the specified Google Cloud project.
          
          # Configure the current gcloud environment for Terraform
          gcloud config set project <project_name>
          gcloud auth application-default login
          
          # Deploy Trend Vision One™ Service Gateway VM instance on Google Cloud Platform
          cd path/to/unzipped/folder
          terraform init
          terraform apply
          
          # There are two parameters to be input during the deployment:
          # var.goog_cm_deployment_name
          #   The name of the deployment and VM instance.
          
          # var.project_id
          #   The ID of the project in which to provision resources.
          # After providing values for these parameters, type `yes` to proceed.
          Note: Install Terraform before running these commands.
    5. After the deployment is completed, go to the Compute Engine > VM instances screen.
      Trend Vision One™ Service Gateway is ready to connect and configure when Status shows a green check.
  5. Connect to the VM instance.
    1. In the Virtual instances screen, click the icon next to SSH of the Service Gateway virtual appliance instance, and select Open in browser window.
    2. In the SSH-in-browser that pops up, click Authorize to authorize this SSH connection via your Google account.
      Now you are connected to the Service Gateway virtual appliance instance.
  6. Configure and register the Service Gateway.
    1. Type the following command to switch the user to admin: su admin
    2. Input the default password: V1SG@2021.
    3. Change your password.
    4. After the new password is applied, the Command Line Interface (CLI) appears.
    5. Type enable and press the ENTER key to enable administrative commands.
      The command prompt changes from > to #.
    6. Use the configure command to configure the required network settings, such as the IP address and DNS settings.
    7. Type the following command to register the Service Gateway virtual appliance to Trend Vision One: register <registration_token>
      Use the registration token you obtained from Service Gateway Inventory.
  7. Use the CLI to configure other settings, if required.
    For more information on available commands, see Service Gateway CLI commands.
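
The firewall rule created in step 3 can be checked against the port table and the source-range recommendation once it exists. The following is an added example, not Trend Micro or Google code: it audits a rule held as a dictionary whose field names are assumed to follow the Compute Engine firewall policy rule representation. The sample rules are constructed, and treating RFC 1918 space as "your network" is an assumption to replace with your own ranges.

```python
import ipaddress

EXPECTED_TCP_PORTS = {22, 80, 443, 5274, 5275, 8080, 8088}  # table in step 3
# Assumption: "within your network" means RFC 1918 space; use your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def expand_ports(spec):
    """Expand "443" or "5274-5275" into a set of port numbers."""
    low, _, high = spec.partition("-")
    return set(range(int(low), int(high or low) + 1))


def audit_rule(rule):
    """Return a list of findings; an empty list means the rule matches the page."""
    findings = []
    if rule.get("direction") != "INGRESS" or rule.get("action") != "allow":
        findings.append("not an ingress allow rule")
    if rule.get("disabled"):
        findings.append("enforcement is disabled")
    match = rule.get("match", {})
    opened = set()
    for cfg in match.get("layer4Configs", []):
        if cfg.get("ipProtocol") != "tcp":
            findings.append(f"non-TCP protocol allowed: {cfg.get('ipProtocol')}")
        elif not cfg.get("ports"):
            findings.append("all TCP ports allowed")
        else:
            for spec in cfg["ports"]:
                opened |= expand_ports(spec)
    if opened - EXPECTED_TCP_PORTS:
        findings.append(f"unexpected ports: {sorted(opened - EXPECTED_TCP_PORTS)}")
    if EXPECTED_TCP_PORTS - opened:
        findings.append(f"missing ports: {sorted(EXPECTED_TCP_PORTS - opened)}")
    for cidr in match.get("srcIpRanges", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == 4 and net.subnet_of(i) for i in INTERNAL_NETS):
            findings.append(f"source range not internal: {cidr}")
    return findings


# Constructed sample rules (not real exports).
GOOD_RULE = {"direction": "INGRESS", "action": "allow", "match": {
    "srcIpRanges": ["10.20.0.0/16"], "layer4Configs": [{"ipProtocol": "tcp",
        "ports": ["22", "80", "443", "5274-5275", "8080", "8088"]}]}}
BAD_RULE = {"direction": "INGRESS", "action": "allow", "match": {
    "srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "tcp",
        "ports": ["22", "443", "3389", "8080-8088"]}]}}
```

Missing ports only matter for the services you enable, so treat that finding as informational and the unexpected-port and source-range findings as the ones to fix.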