Introduction
This document outlines the official procedure for deploying the Cequence Defender virtual appliance within your VMware ESXi environment. Defender serves as an integral inline component within the comprehensive Cequence Unified API Protection (UAP) platform, safeguarding your critical APIs.
Prerequisites
- Pre-deployed Cequence UAP platform: Ensure your Cequence UAP platform is fully operational. Refer to the Cequence documentation for specific CQAI deployment instructions.
- Enable Traffic Filter on Cequence UAP platform: Make sure all traffic filters are enabled by following the Enable Traffic Filters guide.
- VMware Compatibility: The target environment must be a VMware ESXi 6.7 or later system.
- vCenter Access: You must possess authorized access to the VMware vCenter Management Console.
- OVA Management Capabilities: The ability to upload and launch OVA templates through vCenter is required.
- Hardware Resources: Allocate sufficient resources for optimal performance: 2 vCPUs (x86_64 architecture), 4 GB RAM, and 8 GB SSD or better storage.
Deployment Procedure
Acquire Defender OVA:
Access the Cequence portal and download the latest available version of the Defender OVA (Download Defender OVA).
Launch Defender Instance:
- Utilize your authorized credentials to log in to the vSphere HTML5 Client.
- Navigate to the target host or cluster for deployment within the vSphere interface.
- Select the "Actions" menu and choose "Deploy OVF Template" to initiate the wizard.
- Browse and locate the downloaded Defender OVA file.
- Carefully review and confirm all displayed OVF template details for accuracy.
- Assign a descriptive name and deployment location for the virtual machine.
- Choose the appropriate deployment configuration based on your specific environment's needs.
- Review and finalize any necessary configuration adjustments before proceeding.
- Click "Finish" to begin the deployment process.
Monitor and Power On
- Utilize the vSphere HTML5 Client to track the deployment progress in real-time.
- Once complete, power on the newly deployed virtual machine.
Defender Setup
Generate Traffic Client and Secret
- Log in to the Cequence UAP web UI.
- Navigate to User Management, click "Clients", and then click "Add New Client".
- Provide a "Client Name" (for example, defender-client-0) and select "Traffic Ingestion". Click "Save".
- Click the secret icon.
- A dialog box showing the Client Secret appears.
- Henceforth, "Client Name" and "client-id" are used interchangeably, as are "Client Secret" and "client-secret".
SSH to the Defender Virtual Machine
username: cq-user
password: apiprotection
Setup
- Collect the following values and set them as shell variables; the commands that follow reference them:
- cqai.yourdomain.com: your subdomain used in the DNS for CQAI
- upstream.apiserver.com: your api upstream server
- client-id: "Client Name" created in the previous step
- client-secret: "Client Secret" created in the previous step
UAP_SUBDOMAIN=<cqai.yourdomain.com>
UPSTREAM_SERVER=<upstream.apiserver.com>
CLIENT_ID=<client-id>
CLIENT_SECRET=<client-secret>
- Test connectivity with CQAI: a successful request returns an HTTP 200 OK response.
curl -k -v -o /dev/null \
  --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials"
- Run the setup command with the same parameters:
/opt/cequence/bin/setup.sh \
  "${UAP_SUBDOMAIN}" \
  "${UPSTREAM_SERVER}" \
  "${CLIENT_ID}" \
  "${CLIENT_SECRET}"
Note: For advanced configuration options and detailed troubleshooting procedures, please refer to the in-product Cequence documentation.
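The three setup steps above (set the parameters, test the token endpoint, run setup.sh) can be wrapped in a small pre-flight script that refuses to proceed when a value is still an angle-bracket placeholder or the token request does not return HTTP 200, so a wrong client-id or client-secret is caught before setup.sh runs. This is an added example, not a Cequence script. It assumes curl is available on the VM, that the UAP auth endpoint presents a certificate the VM trusts (the guide's curl passes -k to skip verification; add it to token_status only if your deployment requires it), and the same /opt/cequence/bin/setup.sh path and token endpoint as above.

```shell
#!/bin/sh
# Added example (not Cequence's own tooling): pre-flight checks for the
# Defender setup parameters, followed by the connectivity test and setup.sh.
# Expects UAP_SUBDOMAIN, UPSTREAM_SERVER, CLIENT_ID and CLIENT_SECRET to be set
# in the environment, exactly as the guide describes.

# Returns 0 when a value is set and is not still a "<placeholder>" from the guide.
check_param() {
  name="$1"
  value="$2"
  case "$value" in
    ""|'<'*'>')
      printf 'ERROR: %s is unset or still a placeholder (%s)\n' "$name" "$value" >&2
      return 1
      ;;
  esac
  return 0
}

# Checks all four parameters, reporting every problem; non-zero if any fail.
validate_params() {
  rc=0
  check_param UAP_SUBDOMAIN "$UAP_SUBDOMAIN" || rc=1
  check_param UPSTREAM_SERVER "$UPSTREAM_SERVER" || rc=1
  check_param CLIENT_ID "$CLIENT_ID" || rc=1
  check_param CLIENT_SECRET "$CLIENT_SECRET" || rc=1
  return $rc
}

# Requests a client-credentials token from the UAP auth endpoint (same URL and
# form fields as the guide's curl) and prints only the HTTP status code.
token_status() {
  curl -s -o /dev/null -w '%{http_code}' \
    --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET}" \
    --data-urlencode "grant_type=client_credentials"
}

# Runs the checks in order and invokes setup.sh only when both pass.
run_setup() {
  validate_params || return 1
  status=$(token_status)
  if [ "$status" != "200" ]; then
    printf 'ERROR: token endpoint returned HTTP %s; check client-id/client-secret and DNS for auth.%s\n' \
      "$status" "$UAP_SUBDOMAIN" >&2
    return 1
  fi
  /opt/cequence/bin/setup.sh \
    "$UAP_SUBDOMAIN" \
    "$UPSTREAM_SERVER" \
    "$CLIENT_ID" \
    "$CLIENT_SECRET"
}

# Usage on the Defender VM, after exporting the four variables:
#   . ./defender-preflight.sh && run_setup
```

Sourcing the file and calling run_setup keeps the variables in the current shell, so the same values can be reused for the manual curl from the guide if the token check fails and you want the verbose output.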
Verify Defender on the Cequence UAP Platform Portal
Once the Defender is successfully onboarded, navigate to System Diagnostics on the Cequence UAP portal and scroll to the bottom of the page to list the Defender instances.
The newly added Defender is listed as defender-<machine-id>, where machine-id is the virtual machine's unique identifier stored in /etc/machine-id on the Defender Virtual Machine.