
Abstract
This document describes the process of deploying the Trend Micro Vision One Service Gateway Appliance on a Virtual Private Server (VPS). You don’t need AWS, Azure, or GCP… or their associated high prices. There are so many viable cloud service providers (CSP) that offer much better value, without the vendor lock-in and overly complex architecture.
Most, if not all, VPS hosts only provide boot/installation ISOs for a select group of Linux distributions. If you’re lucky, you have one that lets you upload your own ISO to use. But even that doesn’t help us when all we have is a virtual machine image (like qcow2) to work with.
Officially, Trend Micro only supports (as of this writing) the following virtualization platforms and cloud service providers:
- VMware ESXi (OVA)
- Microsoft Hyper-V (VHDX)
- Nutanix AHV (QCOW2)
- Amazon Web Services (AWS)
- Microsoft Azure
Notice that beautiful qcow2 support hiding behind the Nutanix brand. That’s because Nutanix uses KVM for AHV and CentOS for Acropolis OS (AOS) – just with a slight cost markup. That makes our little project much, much easier. The Trend Micro Service Gateway itself is a stripped down version of Rocky Linux.
One trick for deploying our own VM image is to write the image's raw bits (converted from the qcow2 file) straight to the storage device (e.g. /dev/sda). It’s a little weird, but with some effort, it works great.
Download Service Gateway Virtual Appliance
You can fetch the appliance from your Vision One console under the Workflow and Automation section in the Service Gateway Management subgroup. Click the big blue “Download Virtual Appliance” button to begin the process.

From here, select the “Nutanix AHV (QCOW2)” platform. I’m using the Standard image, but for a smaller setup, you can select Minimal.
Appliance Sizing Reference
- Standard: 12 cores CPU, 16 GB memory, 500 GB storage
- Minimal: 8 cores CPU, 12 GB memory, 200 GB storage

Copy the registration token and save it somewhere – we will need it later.
Boot into GParted or Other Live Linux Environment
Most VPS providers have a “boot to rescue” option. Ideally this would be something as simple as GParted, but may be any of the live Linux distributions.
In a CLI console, install the QEMU utilities that will help us work with the qcow2 image. GParted is a Debian-based distribution, so I’m using APT. If you are in a different environment, find the equivalent for that platform.
If you are the root user, the following commands will work as is. If not, add sudo when necessary.
# apt update
# apt install qemu-utils
Transfer QCOW2 Image to VPS
Fetch via wget or sftp the Service Gateway Virtual Appliance downloaded from the Vision One Service Gateway Management page. I have my own SFTP server for storage, so it’s easy to move files around. If your VPS remote console allows copy/paste, then just use the direct link from the Vision One console.
Identify the System Disk
Find the target disk (the one to overwrite). Remember, if you use the Minimal image, the storage device must be at least 200G. If it is the Standard image, then at least 500G:
root@debian:~# lsblk
Let’s say your system disk is /dev/sda.
Write the QCOW2 Image to /dev/sda
root@debian:~# qemu-img convert -p -f qcow2 -O raw sg-va-3.0.20.10447-standard.qcow2 /dev/sda
This process may take a while depending on your system. Mine hung around (99.34/100%) for maybe 25 minutes.
NOTE: The -p (progress) flag in qemu-img convert is not real-time disk I/O-aware. Instead, it’s based on how much of the input file has been read, not how much has actually been flushed or written to the output.
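A preflight check for the two steps above (identify the disk, then write the image), as an added example that is not from the original post or from Trend Micro. It compares the image's virtual size, read from `qemu-img info --output=json`, against the target size from `blockdev --getsize64`, and refuses a target that is mounted; the function names are hypothetical and the sample JSON is constructed.

```shell
#!/bin/sh
# Added example: preflight checks before overwriting a disk with a qcow2 image.
# Function names are hypothetical; SAMPLE_INFO is constructed, not real output.

# Constructed sample of `qemu-img info --output=json` for a 500 GiB image.
SAMPLE_INFO='{
    "virtual-size": 536870912000,
    "filename": "sg-va-3.0.20.10447-standard.qcow2",
    "format": "qcow2"
}'

# Read qemu-img JSON on stdin, print the image's virtual size in bytes.
virtual_size_from_info() {
    sed -n 's/.*"virtual-size"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed only if an image of $1 bytes fits on a device of $2 bytes.
image_fits() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -le "$2" ]
}

# Succeed if device $1 or any of its partitions is listed in mounts file $2.
is_mounted() {
    awk -v dev="$1" 'index($1, dev) == 1 { hit = 1 } END { exit !hit }' \
        "${2:-/proc/mounts}"
}

# Run all checks against a real image ($1) and target block device ($2).
preflight() {
    need=$(qemu-img info --output=json "$1" | virtual_size_from_info)
    have=$(blockdev --getsize64 "$2")
    if is_mounted "$2"; then
        echo "refusing: $2 or one of its partitions is mounted" >&2; return 1
    fi
    if ! image_fits "$need" "$have"; then
        echo "refusing: image needs ${need:-?} bytes, $2 has ${have:-?}" >&2
        return 1
    fi
    echo "ok: $1 ($need bytes) fits on $2 ($have bytes)"
}

# Usage: sh preflight.sh IMAGE.qcow2 /dev/sdX   (checks only, writes nothing)
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

The script only reads metadata, so it is safe to run against the disk you are about to overwrite; run the qemu-img convert command yourself once it prints "ok".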
Reboot
Once writing is complete:
root@debian:~# sync
root@debian:~# reboot
Remove or detach the rescue environment (ISO or PXE), so the system boots from the newly written disk.
Configure Virtual Appliance
If all went well, it should boot into the CLI for the SG appliance. If not, have fun troubleshooting! I mean that. It’s fun. Usually. Unless you’re in a hurry. But we love this stuff, right?
Within the Service Gateway virtual appliance, log on to the Command Line Interface (CLI) with the default credentials:
- User name: admin
- Password: V1SG@2021
Change your password, and then type enable and press Enter to enable the administrative commands. The command prompt changes from > to #.
- Configure the required network settings using the following CLI arguments:
configure network primary ipv4.static <interface> <ip_cidr> <gateway> <dns1> [dns2] [cni]
- Configure the host name of the Service Gateway. This is important – if the host name doesn’t resolve itself, Vision One will show this connection as “Unhealthy”:
configure endpoint tm-sg-va-1.example.com
Example:
Trend Micro Vision One - Service Gateway
To access the Command Line Interface (CLI), log on with your administrator account credentials:
localhost login: [ 21.470557] Warning: Unmaintained driver is detected: ip_tables
[ 21.953125] Warning: Unmaintained driver is detected: nft_compat
[ 85.8031815] Warning: Unmaintained driver is detected: ip6_tables
[ 163.785878] Warning: Unmaintained driver is detected: ip_set
admin
Password:
You must change your password to continue.
New password:
Retype new password:
Changing password for user admin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
********************************************************************************
* Trend Micro Vision One - Service Gateway *
* *
* WARNING: Authorized Access Only *
* *
* Version: 3.0.20.10447 *
* Status: Unregistered *
* Trend Micro Vision One console: - *
********************************************************************************
Welcome admin - Fri Jul 4 17:27:22 UTC 2025
Available commands:
enable Enable administrative commands
exit Exit the CLI
help Display the CLI syntax
history Display the session's command history
log Process debugging data
show Display Service Gateway settings
> enable
Administrative commands:
configure Configure Service Gateway settings
connect Test connection to Trend Micro Vision One
exit Exit administrative commands
help Display the CLI syntax
history Display the session's command history
ping Ping a specific address
reboot Restart the Service Gateway after a specified delay or immediately
register Register the Service Gateway to Trend Micro Vision One
rollback Rollback the Service Gateway to the last version
shutdown Shut down the Service Gateway after a specified delay or immediately
# configure network primary ipv4.static eth0 101.101.101.101/25 101.101.101.1 4.4.4.4
Please wait... This might take a few minutes. Do not shut down the Service Gateway.
IPv4 address configured successfully.
# configure endpoint tm-sg-va-1.example.com
Hostname configured successfully.
# exit
Register Service Gateway Virtual Appliance with Vision One
To register the SG to Trend Micro Vision One, use an SSH client to access the appliance (remember that the VPS remote console doesn’t support pasting text – at least on mine), and type the following command (after enable):
# register <registration_token>
Example:
$ ssh admin@101.101.101.101
The authenticity of host '101.101.101.101 (101.101.101.101)' can't be established.
ED25519 key fingerprint is SHA256:ofsAiaxFs7XbrxAUxQM0IWyuMzGSE7IynW+tgD5M6dI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '101.101.101.101' (ED25519) to the list of known hosts.
admin@101.101.101.101's password:
Last login: Fri Jul 4 17:27:22 UTC 2025
********************************************************************************
* Trend Micro Vision One - Service Gateway *
* *
* WARNING: Authorized Access Only *
* *
* Version: 3.0.20.10447 *
* Status: Unregistered *
* Trend Micro Vision One console: - *
********************************************************************************
Welcome admin - Fri Jul 4 17:35:25 UTC 2025
Available commands:
enable Enable administrative commands
exit Exit the CLI
help Display the CLI syntax
history Display the session's command history
log Process debugging data
show Display Service Gateway settings
> enable
Administrative commands:
configure Configure Service Gateway settings
connect Test connection to Trend Micro Vision One
exit Exit administrative commands
help Display the CLI syntax
history Display the session's command history
ping Ping a specific address
reboot Restart the Service Gateway after a specified delay or immediately
register Register the Service Gateway to Trend Micro Vision One
rollback Rollback the Service Gateway to the last version
shutdown Shut down the Service Gateway after a specified delay or immediately
# register xxxxxxxxxSOOOPERLONGTOKENfromV1SGMConsolexxxxxxxxxxx
Please wait... This might take a few minutes. Do not shut down the Service Gateway.
Service Gateway registered to Trend Micro Vision One successfully.
#
You can obtain the token from the same Trend Vision One page where you downloaded the virtual appliance (although you saved it somewhere safe, right?).
Check the Vision One Service Gateway page for appliance status. Enjoy your new toy.