Introduction
This document outlines the official procedure for deploying the Cequence Defender virtual appliance within your VMware ESXi environment. Defender serves as an integral inline component within the comprehensive Cequence Unified API Protection (UAP) platform, safeguarding your critical APIs.
Prerequisites
- Pre-deployed Cequence UAP platform: Ensure your Cequence UAP platform is fully operational. Refer to the Cequence documentation for specific CQAI deployment instructions.
- VMware Compatibility: The target environment must be a VMware ESXi 6.7 or later system.
- vCenter Access: You must possess authorized access to the VMware vCenter Management Console.
- OVA Management Capabilities: The ability to upload and launch OVA templates through vCenter is required.
- Hardware Resources: Allocate sufficient resources for optimal performance: 2 vCPUs (x86_64 architecture), 4 GB RAM, and 8 GB SSD or better storage.
Deployment Procedure
Acquire Defender OVA:
Access the Cequence portal and download the latest available version of the Defender OVA (Download Defender OVA).
Launch Defender Instance:
- Utilize your authorized credentials to log in to the vSphere HTML5 Client.
- Navigate to the target host or cluster for deployment within the vSphere interface.
- Select the "Actions" menu and choose "Deploy OVF Template" to initiate the wizard.
- Browse and locate the downloaded Defender OVA file.
- Carefully review and confirm all displayed OVF template details for accuracy.
- Assign a descriptive name and deployment location for the virtual machine.
- Choose the appropriate deployment configuration based on your specific environment's needs.
- Review and finalize any necessary configuration adjustments before proceeding.
- Click "Finish" to begin the deployment process.
Monitor and Power On
- Utilize the vSphere HTML5 Client to track the deployment progress in real-time.
- Once complete, power on the newly deployed virtual machine.
Defender Setup
Generate Traffic Client and Secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
- Select General Settings > User Management.
The User Management pane appears.
- Click the Clients tab.
- Click Add New Client.
The new client dialog box appears.
- Type the client name in the Client Name field.
This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close.
The client is now set up. Note the client name for future use. The client list appears.
- Note the value of the client secret for later use. This value will not be shown again in the UI for security reasons.
SSH to the Defender Virtual Machine
username: cq-user
password: apiprotection
Setup
- Collect and note down the following values and set them as environment variables for later use:
  - cqai.yourdomain.com: the subdomain used in DNS for CQAI
  - upstream.apiserver.com: your API upstream server
  - client-id: the "Client Name" created in the previous step
  - client-secret: the "Client Secret" created in the previous step

export UAP_SUBDOMAIN=<cqai.yourdomain.com>
export UPSTREAM_SERVER=<upstream.apiserver.com>
export CLIENT_ID=<client-id>
export CLIENT_SECRET=<client-secret>
- Test connectivity with CQAI. A successful run of the following curl command returns an HTTP 200 OK response:

curl -k -v -o /dev/null \
  --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials"
- Run the setup command with the same parameters:

/opt/cequence/bin/setup.sh \
  ${UAP_SUBDOMAIN} \
  ${UPSTREAM_SERVER} \
  ${CLIENT_ID} \
  ${CLIENT_SECRET}
Note: For advanced configuration options and detailed troubleshooting procedures, please refer to the in-product Cequence documentation.
Verify Defender on the Cequence UAP Platform Portal
Once the Defender is successfully onboarded, on the Cequence UAP portal, navigate to System Diagnostics and scroll to the bottom of the page to list the Defender instances.
The newly added Defender can be identified as defender-<machine-id>, where machine-id is the virtual machine's unique identifier located in /etc/machine-id of the Defender Virtual Machine.
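The following shell helpers are an added example, not part of the Cequence guide or product: they validate the four setup values before setup.sh is run, perform the same token-endpoint connectivity test as the curl command above but with server certificate verification instead of -k, and compute the defender-<machine-id> name to look for in System Diagnostics. The function names and the optional CA bundle argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Cequence's own code). Function names are hypothetical.

# Build the OpenID Connect token URL for a UAP subdomain; this is the
# endpoint the guide's curl connectivity test calls.
uap_token_url() {
    printf 'https://auth.%s/auth/realms/cequence/protocol/openid-connect/token\n' "$1"
}

# Reject a value that is empty or still in the guide's <placeholder> form,
# so setup.sh never receives an unsubstituted angle-bracket value.
check_value() {
    case "$2" in
        ''|'<'*'>') echo "error: $1 is unset or still a placeholder" >&2; return 1 ;;
    esac
    return 0
}

# Check all four values the setup script needs; non-zero if any is bad.
check_setup_env() {
    rc=0
    check_value UAP_SUBDOMAIN "$UAP_SUBDOMAIN" || rc=1
    check_value UPSTREAM_SERVER "$UPSTREAM_SERVER" || rc=1
    check_value CLIENT_ID "$CLIENT_ID" || rc=1
    check_value CLIENT_SECRET "$CLIENT_SECRET" || rc=1
    return $rc
}

# Token connectivity test with certificate verification on. Pass a CA bundle
# path if the UAP platform uses a private CA. Prints the HTTP status code and
# returns 0 only on 200 (requires network access to the UAP platform).
uap_token_check() {
    cacert=${1:-}
    set --
    if [ -n "$cacert" ]; then set -- --cacert "$cacert"; fi
    code=$(curl -s -o /dev/null -w '%{http_code}' "$@" \
        --location "$(uap_token_url "$UAP_SUBDOMAIN")" \
        --header "Content-Type: application/x-www-form-urlencoded" \
        --data-urlencode "client_id=${CLIENT_ID}" \
        --data-urlencode "client_secret=${CLIENT_SECRET}" \
        --data-urlencode "grant_type=client_credentials")
    echo "$code"
    [ "$code" = "200" ]
}

# Name under which this VM appears in System Diagnostics: defender-<machine-id>,
# read from /etc/machine-id unless another file path is given.
defender_instance_name() {
    printf 'defender-%s\n' "$(tr -d '[:space:]' < "${1:-/etc/machine-id}")"
}
```

Run check_setup_env before setup.sh; uap_token_check exits non-zero and prints the status code when the client credentials or the TLS chain are rejected, which is the failure the guide's 200 OK check is meant to surface.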