Microsoft Azure Deployment Guide

This deployment guide contains the information for deploying, interacting with, and configuring the Centralized Appliance Management Service (CAMS) QGS Appliance on Microsoft Azure Cloud.

Pre-requisites

  • To set up the CAMS QGS appliance on Azure Cloud Platform, you need a Microsoft Azure account.
  • You must have the Azure CLI installed on your machine to launch and execute the commands.
  • To get the CAMS/QGS Azure VHD image, submit a service request to Qualys support.

How to Deploy VM From the Image

  1. Go to the Azure marketplace. Search for Qualys Gateway Service Appliance. Click Qualys Gateway Service Appliance to launch the instance.
  2. Under Instance Details, select the image you want to use from the list.
  3. Ensure that a VM size meeting the minimum requirements mentioned in the QGS User Guide is selected.
  4. Under Administrator account, select any of the available options for Authentication type. As QGS is a hardened appliance, neither authentication method is implemented on the virtual machine.
  5. For Public inbound ports, strictly select None.
  6. From the disk tab, make sure to click the Delete with VM checkbox so as not to flood Azure with redundant disks.
    1. If required, you can also attach a secondary disk (required minimum disk size 250 GB) and then click the Delete with VM checkbox.
  7. In the Networking tab, select None as the public IP and Basic as the NIC network security group.
  8. Select Delete public IP and Delete NIC when VM is deleted so you do not run out of NICs.
  9. Do not select any options on the Management and Monitoring tab.
  10. Add relevant tags as required and create a VM.
  11. On the Review + create tab, check for "Validation passed" and, after reviewing the details, perform the create operation.

How to add an Inbound Port on the CAMS/QGS Azure Appliance

To use the tunnel, cache, or patch port on the appliance, you must add an inbound port rule on the CAMS/QGS Azure appliance, as described in the following steps.

  1. Click the Networking tab of the appliance to which the inbound port rules need to be added.

  2. Add the inbound port rule as per your network standards. Make sure to use the correct port; in this example, the cache port is 8080 and the selected protocol is TCP. Save the rule so that it is added to the VM.

How to Access the CAMS/QGS Azure Appliance Using the Text UI

Follow these steps to access the CAMS/QGS Azure appliance using the text UI.

  1. Click the CAMS/QGS Azure VM.
  2. Go to Serial console under Help in the left panel.
  3. The appliance Text UI is displayed.

  1. Click System to access the System Settings configuration.

  2. On System Configuration, click POD Suffix.

    An input field is displayed to provide the Platform URL Suffix (POD Suffix).

  3. Enter the Qualys Platform URL Suffix corresponding to the platform where your subscription is hosted. To identify the Platform URL Suffix for your subscription, refer to Qualys Platform Identification.

  4. Once the POD Suffix is successfully updated and network settings are configured, the appliance should display as below. Verify that the QAG Status shows Connected to ensure your appliance runs successfully.

  5. We recommend running a connectivity test to ensure all Qualys backend services are reachable.

    To run a connectivity test, follow these steps.

    If the VM Instance is configured on a private IP network, configure your upstream proxy network before appliance registration. Refer to the Proxy Servers section of the Qualys User Guide to learn more.

    1. Navigate back to the Configuration screen.

    2. Click Diagnostics > Connectivity Test

  6. Click Registration to register the appliance.

Follow the steps in the Registration section of the QGS User Guide to complete the appliance registration.

How to add a Secondary Hard Disk on the CAMS/QGS Azure Appliance

Follow these steps to add a secondary hard disk while deploying the Azure VM.

  1. Go to the Disks tab and select Create and attach a new disk.
  2. Enter the required size (more than 250 GB in case of patch mode) and Name, select the Source type, and so on, and click OK.
    • Another method for adding the secondary disk to the appliance is to use the Disks option on the left-hand pane of a deployed Azure VM.
  3. Click the Create and attach a new disk option.
  4. Click the Edit icon, add the secondary disk details, and click Save.

How to Collect the Diagnostics Reports on the Azure Appliance

To collect the diagnostics report, you must add an inbound port rule on port 22. Otherwise, you cannot use SCP over that port to collect the diagnostics report.

Note: Disable the rule after collecting the report if the rule is no longer in use.
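
One way to check that the temporary port 22 rule has been removed and that the tunnel, cache, or patch port rules are not open to any source. This is an added example, not part of the original guide or of Qualys tooling; it assumes the rules were exported with `az network nsg rule list -o json`, and the rule names and addresses in the sample are constructed.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -o json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "qgs-cache", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "8080"},
 {"name": "diag-scp", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "mgmt-range", "direction": "Inbound", "access": "Allow", "protocol": "*",
  "sourceAddressPrefix": "10.20.5.4", "destinationPortRanges": ["20-25", "8443"]},
 {"name": "deny-ssh", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationPortRange": "22"}
]""")

OPEN_SOURCES = {"*", "0.0.0.0/0", "internet", "any"}

def _values(rule, single, plural):
    """Azure stores either one value or a list; merge both fields."""
    merged = list(rule.get(plural) or [])
    if rule.get(single):
        merged.append(rule[single])
    return merged

def _covers(port_range, port):
    """True if an NSG port expression ('*', '22', '20-25') includes port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def audit_inbound(rules, port=22):
    """Return (rule name, exposure) for every inbound Allow rule reaching port."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if rule.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(_covers(p, port) for p in ports):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        is_open = any(s.lower() in OPEN_SOURCES for s in sources)
        findings.append((rule["name"], "open-to-any" if is_open else "restricted"))
    return findings

if __name__ == "__main__":
    for name, exposure in audit_inbound(SAMPLE_RULES):
        print(f"port 22 reachable via rule {name}: {exposure}")
```

An empty result for port 22 after the report has been collected confirms that the diagnostics rule is no longer active.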

How to Create Public IP Address Prefixes

To create public IP address prefixes, you need to visit the Azure portal. Follow all the steps mentioned in the Azure portal.

How to Create a Public IP Address and a VM Association

Note the NIC of your VM using the following steps:

  1. Log in to the Azure portal.
  2. Navigate to Public IP Prefixes.
  3. Under the Public IP Prefix section, click Add IP Address to add a new IP address.
    Note: The prefixes should contain an IP range that is allowed on the customer network.
  4. Now, go to the Public IP addresses tab and click on the IP you created.
  5. Associate this IP with the NIC of your VM.
  6. Next, select the Virtual machines option and select the appropriate virtual machine.
  7. Go to the CAMS/QGS Azure VM under the Virtual machines tab.
  8. Go to the Networking option under the Setting tab. You can view the associated public IP address.

Create VM Instance Using User Data

You can also configure an Azure VM Instance using the User Data setting. We recommend using the User Data option only when the VM Instance is launched using scripts.

Follow the steps below to create a VM using User Data.

  1. Navigate to the Advanced options on the VM deployment page during the Azure VM Instance creation.

  2. In the Advanced tab, select Enable user data and add the following details as user data.

#cloud-config
write_files:
- owner: root:root
  path: /opt/qualys/cloud.env
  permissions: '0644'
  content: |
    POD_SUFFIX="Add your corresponding POD suffix here"

To identify the Platform URL Suffix for your subscription, refer to the Platform URL Suffix section of the Qualys Platform Identification.

Important:

While copying the user data, avoid spaces or blank lines after the last line of the user data.

Use any online YAML validator to ensure the indentation in the user data is correct. Every dot represents one space.

To ensure a valid YAML configuration, follow the steps laid out in the Important section on page 8 of the Qualys Gateway Service AWS Deployment Guide.
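
For scripted launches, the user data can be generated and checked before it is passed to Azure. The following is an added example, not part of the original guide or of Qualys tooling: it renders the cloud-config shown above and checks the points from the Important section (no trailing spaces or blank lines, consistent space indentation). The indentation widths, the allowed character set for the POD suffix, and the function names are assumptions.

```python
import re

# Structure from the guide; the indentation widths are an assumed reconstruction.
TEMPLATE = "\n".join([
    "#cloud-config",
    "write_files:",
    "- owner: root:root",
    "  path: /opt/qualys/cloud.env",
    "  permissions: '0644'",
    "  content: |",
    '    POD_SUFFIX="{suffix}"',
])

ITEM_KEYS = ("owner", "path", "permissions", "content")

def render_user_data(suffix):
    """Fill in the POD suffix; the allowed character set is an assumption."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", suffix):
        raise ValueError("POD suffix contains unexpected characters")
    return TEMPLATE.format(suffix=suffix)

def check_user_data(text):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    lines = text.split("\n")
    if lines[0] != "#cloud-config":
        problems.append("first line must be exactly #cloud-config")
    if text != text.rstrip():
        problems.append("spaces or blank lines after the last line")
    if "\t" in text:
        problems.append("tab character found; YAML indentation uses spaces")
    indent = {}
    for line in lines:
        m = re.match(r"( *)(- )?([A-Za-z_]+)[:=]", line)
        if m:  # record the column at which each key starts
            indent[m.group(3)] = len(m.group(1)) + len(m.group(2) or "")
    missing = [k for k in ("write_files", "POD_SUFFIX") + ITEM_KEYS if k not in indent]
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
        return problems
    if indent["write_files"] != 0:
        problems.append("write_files must start in column 0")
    if len({indent[k] for k in ITEM_KEYS}) != 1:
        problems.append("owner/path/permissions/content must be aligned")
    if indent["POD_SUFFIX"] <= indent["content"]:
        problems.append("POD_SUFFIX must be indented deeper than content")
    return problems
```

Rejecting quotes, spaces, and shell metacharacters in the suffix keeps a malformed value from being written into /opt/qualys/cloud.env.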