

Abstract
This document describes the process of deploying the Trend Micro Vision One Service Gateway Appliance on a Proxmox VE system.
Officially, Trend Micro only supports (as of this writing) the following virtualization platforms and cloud service providers:
- VMware ESXi (OVA)
- Microsoft Hyper-V (VHDX)
- Nutanix AHV (QCOW2)
- Amazon Web Services (AWS)
- Microsoft Azure
Notice that beautiful qcow2 support hiding behind the Nutanix brand. That’s because Nutanix uses KVM for AHV and CentOS for Acropolis OS (AOS) – just with a slight cost markup. That makes our little project much, much easier.
That being said, the Trend Micro Service Gateway itself is a stripped-down version of Rocky Linux.
Download Service Gateway Virtual Appliance
You can fetch the appliance from your Vision One console under the Workflow and Automation section in the Service Gateway Management subgroup. Click the big blue “Download Virtual Appliance” button to begin the process.

From here, select the “Nutanix AHV (QCOW2)” platform. I’m using the Standard image, but for a smaller setup, you can select Minimal.
Appliance Sizing Reference
- Standard: 12 cores CPU, 16 GB memory, 500 GB storage
- Minimal: 8 cores CPU, 12 GB memory, 200 GB storage

Copy the registration token and save it somewhere – we will need it later.
Upload to PVE
Your downloaded package will be a qcow2 image file (ex: “sg-va-3.0.20.10447.qcow2”).
Log in to your Proxmox web interface. Navigate to Datacenter > Node > local (Node) – or wherever you set up VM storage. My node is named “rizzo”, and the storage for it is a directory on a local RAID array (thinpools are too restrictive for uploads) called “rizzo-raid5”:

For storage options, you should have available a type called “Import.” If it isn’t there, edit your storage entry under Datacenter and make sure it is selected (it isn’t by default). It should look something like this (after uploading the qcow2 file – I’m jumping ahead with this screenshot):

Click Upload, find your qcow2 file, then upload it.
Create a New Virtual Machine
Now go back to your node and right-click on it. Select “Create VM”.
Virtual Appliance Specifications
- General
  - VM ID: your choice
  - Name: your choice
  - Start at boot: Checked
- OS
  - Do not use any media
- System (Note: This is not a UEFI w/ EFI image)
  - Machine: q35
  - BIOS: Default (SeaBIOS)
  - SCSI Controller: VirtIO SCSI Single
  - Add TPM: Unchecked
- Disk
  - Bus/Device: VirtIO Block
  - Storage: same as VM
  - Disk size (GiB): 500 GB (or 200 GB for the Minimal image)
- CPU
  - Sockets: 1
  - Cores: 12 (or 8 for the Minimal image)
  - Type: host
- Memory
  - Memory (MiB): 16384 (or 12288 for the Minimal image)
- Network
  - Bridge: vmbr1 (or whatever your network is)
  - Firewall: Unchecked
- Confirm
  - Double check everything, then click Finish without checking the “Start after created” option

Move and Attach Service Gateway qcow2 Image to VM
- SSH into the Proxmox node (or use the console shell access)
- Navigate to the storage directory (VMID is the one you set at creation):
    # cd /mnt/pve/<STORAGE>/images/<VMID>
  - On my system, it is:
    /mnt/pve/rizzo-raid5/images/401
- Move your uploaded qcow2 file to this directory and rename it to follow standard convention:
    # mv /mnt/pve/<STORAGE>/import/sg-va-<version>.qcow2 vm-<VMID>-disk-0.qcow2
  - On my system, it is:
    mv /mnt/pve/rizzo-raid5/import/sg-va-3.0.20.10447-standard.qcow2 vm-401-disk-0.qcow2
- Attach the image disk to VM as a virtio-block device:
    # qm set <VMID> --virtio0 <STORAGE>:<VMID>/vm-<VMID>-disk-0.qcow2
  - On my system, it is:
    qm set 401 --virtio0 rizzo-raid5:401/vm-401-disk-0.qcow2
- Set this as the default (and only) boot device:
    # qm set <VMID> --boot order=virtio0
  - On my system, it is:
    qm set 401 --boot order=virtio0
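A pre-flight check worth running before the move and attach steps above, as an added example that is not part of the original post: it confirms from the file header that the download really is a qcow2 image and that it does not reference a backing file (which would make QEMU open a second path on the host), then prints the commands for review instead of running them. The function names are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check a downloaded qcow2 before
# attaching it. Function names are assumptions made for this sketch.

# Print N bytes at OFFSET of FILE as one lowercase hex string.
hex_at() {  # hex_at FILE OFFSET N
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Succeed only for a standalone qcow2 image.
#   bytes 0-3   magic "QFI\xfb"
#   bytes 8-15  backing_file_offset (0 means no backing file)
qcow2_preflight() {  # qcow2_preflight IMAGE
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    [ "$(hex_at "$1" 0 4)" = "514649fb" ] ||
        { echo "not a qcow2 image: $1" >&2; return 3; }
    [ "$(hex_at "$1" 8 8)" = "0000000000000000" ] ||
        { echo "image references a backing file: $1" >&2; return 4; }
}

# Virtual disk size in GiB, from header bytes 24-31 (big-endian u64).
qcow2_virtual_gib() {  # qcow2_virtual_gib IMAGE
    echo $(( 0x$(hex_at "$1" 24 8) / 1024 / 1024 / 1024 ))
}

# Print (do not run) the move/attach/boot commands for review.
attach_plan() {  # attach_plan STORAGE VMID IMAGE
    case $2 in ''|*[!0-9]*) echo "VMID must be numeric: $2" >&2; return 1 ;; esac
    qcow2_preflight "$3" || return $?
    echo "mv $3 /mnt/pve/$1/images/$2/vm-$2-disk-0.qcow2"
    echo "qm set $2 --virtio0 $1:$2/vm-$2-disk-0.qcow2"
    echo "qm set $2 --boot order=virtio0"
}
```

Source the file on the Proxmox node and call attach_plan with your storage name, VMID and the path of the uploaded image; compare the output of qcow2_virtual_gib with the disk size you expect for the image you downloaded.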
Start and Configure Virtual Appliance
Go back to the node in Proxmox and click on the VM to select it. Navigate to the “>_ Console” and click “Start Now” – you will soon be presented with a login prompt (probably full of crap messages you can ignore).
Within the Service Gateway virtual appliance, log on to the Command Line Interface (CLI) with the default credentials:
- User name: admin
- Password: V1SG@2021
Change your password, and then type enable and press enter to enable the administrative commands. The command prompt changes from > to #.
- Configure the required network settings using the following CLI arguments:
    configure network primary ipv4.static <interface> <ip_cidr> <gateway> <dns1> [dns2] [cni]
- Configure the host name of the Service Gateway. This is important – if the host name doesn’t resolve itself, Vision One will show this connection as “Unhealthy”:
    configure endpoint tm-sg-va-1.example.com
Example:
Trend Micro Vision One - Service Gateway
To access the Command Line Interface (CLI), log on with your administrator account credentials:
localhost login: [ 21.470557] Warning: Unmaintained driver is detected: ip_tables
[ 21.953125] Warning: Unmaintained driver is detected: nft_compat
[ 85.8031815] Warning: Unmaintained driver is detected: ip6_tables
[ 163.785878] Warning: Unmaintained driver is detected: ip_set
admin
Password:
You must change your password to continue.
New password:
Retype new password:
Changing password for user admin.
New password: Retype new password: passwd: all authentication tokens updated successfully.
********************************************************************************
* Trend Micro Vision One - Service Gateway *
* *
* WARNING: Authorized Access Only *
* *
* Version: 3.0.20.10447 *
* Status: Unregistered *
* Trend Micro Vision One console: - *
********************************************************************************
Welcome admin - Sun Jun 15 05:43:59 UTC 2025
Available commands:
enable Enable administrative commands
exit Exit the CLI
help Display the CLI syntax
history Display the session's command history
log Process debugging data
show Display Service Gateway settings
> enable
Administrative commands:
configure Configure Service Gateway settings
connect Test connection to Trend Micro Vision One
exit Exit administrative commands
help Display the CLI syntax
history Display the session's command history
ping Ping a specific address
reboot Restart the Service Gateway after a specified delay or immediately
register Register the Service Gateway to Trend Micro Vision One
rollback Rollback the Service Gateway to the last version
shutdown Shut down the Service Gateway after a specified delay or immediately
# configure network primary ipv4.static eth0 192.168.2.2/26 192.168.2.1 192.168.6.9
Please wait... This might take a few minutes. Do not shut down the Service Gateway.
IPv4 address configured successfully.
# configure endpoint tm-sg-va-1.example.com
Hostname configured successfully.
# exit
Register Service Gateway Virtual Appliance with Vision One
To register the SG to Trend Micro Vision One, use an SSH client to access the appliance (the Proxmox noVNC console doesn’t support pasting text), and type the following command (after enable):
# register <registration_token>
Example:
$ ssh admin@192.168.2.2
The authenticity of host '192.168.2.2 (192.168.2.2)' can't be established.
ED25519 key fingerprint is SHA256:ofsAiaxFs7XbrxAUxQM0IWyuMzGSE7IynW+tgD5M6dI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.2' (ED25519) to the list of known hosts.
admin@192.168.2.2's password:
Last login: Sun Jun 15 05:43:46 2025
********************************************************************************
* Trend Micro Vision One - Service Gateway *
* *
* WARNING: Authorized Access Only *
* *
* Version: 3.0.20.10447 *
* Status: Unregistered *
* Trend Micro Vision One console: - *
********************************************************************************
Welcome admin - Sun Jun 15 05:54:12 UTC 2025
Available commands:
enable Enable administrative commands
exit Exit the CLI
help Display the CLI syntax
history Display the session's command history
log Process debugging data
show Display Service Gateway settings
> enable
Administrative commands:
configure Configure Service Gateway settings
connect Test connection to Trend Micro Vision One
exit Exit administrative commands
help Display the CLI syntax
history Display the session's command history
ping Ping a specific address
reboot Restart the Service Gateway after a specified delay or immediately
register Register the Service Gateway to Trend Micro Vision One
rollback Rollback the Service Gateway to the last version
shutdown Shut down the Service Gateway after a specified delay or immediately
# register xxxxxxxxxSOOOPERLONGTOKENfromV1SGMConsolexxxxxxxxxxx
Please wait... This might take a few minutes. Do not shut down the Service Gateway.
Service Gateway registered to Trend Micro Vision One successfully.
#
You can obtain the token from the same Trend Vision One page where you download the virtual appliance (although you saved it somewhere safe, right?).
Check the Vision One Service Gateway page for appliance status. Enjoy your new toy.