Deploy a VM for Running the Secure Device Connector and Secure Event Connector
When using device credentials to connect Security Cloud Control to a device, it is a best practice to download and deploy an SDC in your network to manage the communication between Security Cloud Control and the device. Typically, these devices are non-perimeter based and do not have a public IP address or an open port to the outside interface.
The SDC monitors Security Cloud Control for commands that need to be executed on your managed devices, and messages that need to be sent to your managed devices. The SDC executes the commands on behalf of Security Cloud Control, sends messages to Security Cloud Control on behalf of the managed devices, and returns replies from the managed devices to Security Cloud Control.
The number of devices a single SDC can manage depends on the features that are implemented on those devices and the size of their configuration files. To plan your deployment, however, we expect one SDC to support approximately 500 devices. For more information, see Using Multiple SDCs on a Single Security Cloud Control Tenant.
This procedure describes how to install an SDC in your network, using Security Cloud Control's VM image. This is the recommended and most reliable way to create an SDC.
Before you begin
- Security Cloud Control requires strict certificate checking and does not support Web or Content Proxy inspection between the Secure Device Connector (SDC) and the internet. If using a proxy server, disable inspection for traffic between the SDC and Security Cloud Control.
- The SDC must have full outbound access to the internet on TCP port 443, or the port you have configured for device management.
- The devices that are managed by Security Cloud Control must allow inbound traffic from the SDC VM’s IP address.
- Review Connect Security Cloud Control to your Managed Devices to the Secure Device Connector to ensure proper network access.
- If you are using a proxy on your network, ensure that you have all the required details before running the host setup command. Most of the issues are related to incorrect proxy configurations. Important details are:
  - The IP/hostname of your proxy.
  - Whether or not your proxy intercepts traffic and re-encrypts it using its own certificate. This detail is the cause of most of the complications with the SDC VM setup.
  - If your proxy does intercept traffic, have the root certificate ready when configuring the VM. You can paste it in when prompted so that the host and the SDC know to trust the certificates generated by your proxy.
  - If your proxy does _not_ intercept traffic, then nothing else is required here.
- The following items are most likely the same for proxied HTTP _and_ HTTPS connections. However, if you use a different proxy for each protocol, you would need all of the following for each:
  - The IP address of your proxy
  - The port your proxy uses
  - Whether your proxy requires that the connection to the proxy itself be over HTTPS (typically not the case). For example, if the address of your proxy is listed as _https://proxy.corp.com:80_ then you would answer yes. If the listed address is _http://proxy.corp.com:80_ then you would answer no. Note that both URLs use port 80, but the protocol is different.
  - The authentication details of your proxy including:
    - Whether your proxy requires auth (most do not)
    - If yes, then you’ll need the username and password available when you configure the host.
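The proxy question above (does the proxy re-sign TLS with its own certificate?) can be answered before running the host setup. The following is an added example, not part of Cisco's documentation or tooling: it reads `openssl s_client` output and reports the verification result and the issuer the host actually sees. The function names, the Example Corp issuer strings, and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cisco's tooling): tell whether the path to the internet
# re-signs TLS, by reading `openssl s_client` output.

# tls_report: reads s_client output on stdin, prints "<verdict>|<issuer>".
#   trusted        chain verified against this host's trust store (code 0)
#   untrusted-root chain ends in a CA this host does not trust (codes 18-21),
#                  which is what an intercepting proxy's private root looks like
#   unknown        no verification result, e.g. the handshake never completed
tls_report() {
  out=$(cat)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
  code=$(printf '%s\n' "$out" |
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    0)           verdict=trusted ;;
    18|19|20|21) verdict=untrusted-root ;;
    *)           verdict=unknown ;;
  esac
  printf '%s|%s\n' "$verdict" "${issuer:-none}"
}

# probe_via_proxy PROXY_HOST:PORT TARGET_HOST: live handshake through the proxy.
probe_via_proxy() {
  openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" \
    </dev/null 2>/dev/null
}

# Constructed sample outputs (trimmed to the lines the parser reads).
SAMPLE_INTERCEPTED='subject=CN = www.example.com
issuer=O = Example Corp, CN = Example Corp Proxy Root CA
    Verify return code: 19 (self-signed certificate in certificate chain)'
SAMPLE_PASSTHROUGH='subject=CN = www.example.com
issuer=C = US, O = Example Public CA, CN = Example Public CA R1
    Verify return code: 0 (ok)'

# Live use: sh check.sh proxy.corp.com:80 <allow-listed host>
if [ "$#" -eq 2 ]; then
  probe_via_proxy "$1" "$2" | tls_report
fi
```

A `trusted` verdict whose issuer is your own proxy CA means the proxy intercepts and its root is already installed on the host; either way, interception on the SDC path has to be disabled as stated above.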
Supported Installations
- Security Cloud Control supports installing its SDC VM OVF image using the vSphere web client or the ESXi web client.
- Security Cloud Control does not support installing the SDC VM OVF image using the vSphere desktop client.
- Security Cloud Control supports installing the SDC on your own Ubuntu instance. Versions 20LTS - 24LTS are currently supported.
- ESXi 5.1 hypervisor.
System Requirements
- System requirements for a VM with one SDC:
  - 2 vCPUs
  - 2 GB of memory
  - 64 GB of disk space
- Each SDC you add to your host requires an additional 1 vCPU and 1 GB of RAM.
- System requirements for a VM with one SEC (a component that is used in Cisco Security Analytics and Logging):
  - 4 vCPUs minimum
  - 8 GB of memory
- Each SEC you add to the host requires doubling its resources; therefore, these are the requirements for a VMware ESXi host with one SDC and one SEC:
  - 6 vCPUs
  - 10 GB memory
  - 64 GB of disk space
- The container’s IP must be in a different subnet than the SDC's IP range and the device's IP range.
Prepare for Installation
- To configure networking manually on the host, gather the following information:
  - The static IP address that you want to use for your VM
  - The passwords to use for the `cdo` user (or whichever user has sudo access) and the `sdc` user (the user under which Docker runs)
  - The IP address of the DNS server your organization uses
  - The gateway IP address of the network the SDC address is on
  - The FQDN or IP address of your time/NTP server
- The SDC virtual machine is configured to install security patches regularly, and this requires port 80 to be open outbound.
  If your network is using allow/deny lists for outbound connections, you need to allow connections to ubuntu.com so those security updates can be applied.
  Note: Ubuntu secures its updates with checksums and only uses HTTP, not HTTPS. To pull security updates, you must allow HTTP connections to ubuntu.com.
Deploy the VM
There are two options for deploying the VM used to run the SDC and SEC.
- Follow the steps below to download the VMware image provided by Security Cloud Control.
- Deploy Ubuntu 20, 22, or 24 yourself. If deploying your own Ubuntu instance, you may skip the following section and proceed to the Configure the VM section.
Procedure
1. Log in to the Security Cloud Control tenant for which you are creating the SDC or SEC.
2. In the left pane, click .
3. Select the Secure Connectors tab on the Services page, click the blue plus button, and select Secure Device Connector.
4. Click Download the SDC VM image. This opens in a new tab.
5. Extract all the files from the .zip file. They look similar to these:
   - CDO-SDC-VM-ddd50fa.ovf
   - CDO-SDC-VM-ddd50fa.mf
   - CDO-SDC-VM-ddd50fa-disk1.vmdk
6. Log in to your VMware server as an administrator using the vSphere Web Client.
   Note: Do not use the ESXi Web Client.
7. Deploy the Secure Device Connector virtual machine from the OVF template by following the prompts.
8. When the setup is complete, power on the SDC VM.
9. Open the console for your new SDC VM.
10. Log in with the `CDO` username. The default password is `adm123`.
Configure the VM
Now that you are able to bring up the console for the VM image you deployed (or SSH into it if you rolled your own and enabled SSH), run the configuration script to get your host ready to run the SDC or SEC Docker container(s).
1. If you downloaded the Security Cloud Control-provided VM, the CLI is already installed, and you can proceed to step 2. If you have deployed your own VM, SSH into it and run the command to install the CLI:
   curl -O https://s3.us-west-2.amazonaws.com/download.defenseorchestrator.com/sdc-cli/sdc-cli-package-latest.tgz && tar -xvf sdc-cli-package-latest.tgz && chmod +x ./install.sh && ./install.sh
2. Start the host configuration by running the command:
   sudo sdc host configure
3. When prompted for the password, enter `adm123` for the Security Cloud Control-provided VM or whatever admin password you chose for your own VM.
4. Follow the prompts to configure the `sdc` user.
5. When prompted for the networking configuration, choose one of the following:
   - Manually configure this host with a static IP: If you want to specify the IP, gateway, DNS server, and so on, for this host and write it to the system config on the VM.
   - DHCP: If you have a DHCP server assigning static IPs to your VMs.
   - Static IP is already configured and I don't want to change my networking now.
6. When prompted, answer the questions about your proxy configuration. Review the detailed list at the top of this topic for all the prerequisites and potential proxy configuration options.
7. If you have configured a proxy, you will be prompted to reboot the VM for all the proxy settings to take effect. If you did not, you will not be prompted to reboot and you can move on to step 8.
8. Set a custom internet access test URL. You only need to do this if you deny all outbound connections by default. If you do, then specify a publicly accessible web URL such as https://google.com that is on your allow list.
9. Install the latest security patches, some required OS tools, and the Docker server.
10. When prompted, indicate whether you want to have the script harden your SSH configuration.
    If using our VM, proceed. If you are using your own VM and configuring SSH yourself, you may want to skip this step to avoid changing your current configuration.
11. When prompted to enable automatic updates for the SDC or SEC and the CLI itself, it is recommended that you do this to stay up to date with bug fixes, patches, and new features. If your policies prevent you from allowing automatic updates, see Update your Secure Device Connector.