Deploy a Connector in VMware

Secure Access provides an OVA virtual appliance image for resource connectors running on VMware ESXi.

You can deploy this template using VMware vSphere or vCenter.

Prerequisites

  • Gather required information, and understand and meet the Requirements and Prerequisites for Resource Connectors and Connector Groups.
  • Add a connector group in the region nearest to the geographical location in which you will deploy these connectors, and choose VMware ESXi connectors.
    All connectors in a group must use the same virtual environment (for example, AWS or VMware); otherwise, registration will fail.
  • Obtain the connector image.
    • You can download the image once and use it for any number of connectors in any connector group.
    • If you use a previously downloaded image, ensure that the image you deploy is the latest version.
    • For more details, see Obtain the Connector Image.
  • Copy the provisioning key for the specific connector group for which you will deploy connectors.
    See Provisioning Keys for Resource Connectors.
  • Disk encryption is recommended for your connectors. You configure this during connector deployment, but you should complete any prerequisites before deploying the image. See the VMware documentation for information.
  • (Recommended) If you might need to troubleshoot a connector or request technical support from Cisco, you must generate an SSH key pair using a standard tool such as ssh-keygen, and provide the public key when you configure the connector. YOU CANNOT SET UP SSH ACCESS AFTER DEPLOYING A CONNECTOR.
    Requirements:
    • Supported SSH public key types are ssh-rsa and ssh-ed25519.
    • For keys of type ssh-rsa, key length of 2048 bits or 4096 bits is recommended.

Procedure Overview

Extract the downloaded .tar file

This tar file includes: 

  • an .ova template containing the virtual hard disks that need to be deployed on VMware 
  • a signature file 
  • a Cisco public key to validate the signature 
  • a readme file 

To extract the contents of the tar file, use the command tar -xvf.

Verify the Integrity of the Image

Validate the signature and verify the checksum of the signing key:

Validate the Signature

To verify the authenticity of the image's signature and ensure that the image hasn't been tampered with, use the openssl dgst command with SHA-512 hash.

Example command string:

openssl dgst -sha512 -verify resource-connector-v0.2.10-240116.pubkey -signature resource-connector-v0.2.10-240116.sign resource-connector-v0.2.10-240116.ova

On successful signature validation, you should see a message saying "Verified OK."

Verify the Checksum of the Signing Key

The image download includes a .pubkey file. To enhance security and ensure the authenticity of this signing key, you can verify its checksum using the shasum command.

Example command string:

shasum -a 256 resource-connector-v0.2.10-240116.pubkey

The hash generated by this command should match this string:
148e2dffa6aa12a4dc6c7cd66d4726ac2c8ef372f28597056ad4e86614da6201.
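
The two checks above can be chained so that the signing key is pinned before the signature result is trusted; the key arrives in the same archive as the image, so the published checksum is what anchors it. This is an added Python example, not Cisco's code: the function names are assumptions, and it runs the same openssl command shown above.

```python
import hashlib
import subprocess
from pathlib import Path

# SHA-256 of the signing key, as published on this page.
PINNED_PUBKEY_SHA256 = "148e2dffa6aa12a4dc6c7cd66d4726ac2c8ef372f28597056ad4e86614da6201"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large file is never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_connector_image(ova, sig, pubkey, pinned=PINNED_PUBKEY_SHA256):
    """Return (ok, reason); any error counts as a failed verification.
    The key is checked against the pinned hash first: a signature that
    verifies under an unpinned key says nothing about who signed it."""
    for p in (ova, sig, pubkey):
        if not Path(p).is_file():
            return False, f"missing file: {p}"
    if sha256_file(pubkey) != pinned.lower():
        return False, "signing key checksum does not match the published value"
    try:
        # Argument list (no shell) so unusual file names cannot alter the command.
        result = subprocess.run(
            ["openssl", "dgst", "-sha512", "-verify", str(pubkey),
             "-signature", str(sig), str(ova)],
            capture_output=True, text=True)
    except FileNotFoundError:
        return False, "openssl not found"
    if result.returncode != 0 or "Verified OK" not in result.stdout:
        return False, "signature verification failed"
    return True, "Verified OK"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: verify_image.py IMAGE.ova IMAGE.sign IMAGE.pubkey")
    ok, reason = verify_connector_image(*sys.argv[1:4])
    print(reason)
    sys.exit(0 if ok else 1)
```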

Deploy the OVF Template

These instructions are for vSphere, but you can also use vCenter.

  1. Sign in to your VMware vSphere client.

  2. Click the File tab.

  3. Click Deploy OVF Template and choose the extracted .ova template.
    You can use a local copy of the file or a copy of the file stored in your library.

  4. Complete the deployment wizard as needed for your environment.
    Keep the following in mind:

    1. You will not be able to make changes later; if necessary, deploy a new connector.

    2. On the Select Networks page: Select only a single network.

    3. (Recommended) Enable disk encryption.

    4. On the Customize Template page:

      • The provisioning key is required.
      • SSH access is required in order to troubleshoot some issues, including with Cisco technical support.
        The username is acadmin.
        • If you don't add the SSH key now, you will not be able to do so later.
        • Requirements for this key are described in the prerequisites on this page.
        • The key must be entered as a single line, without spaces, returns, or new lines.
        • Include only the key on the "SSH public key" line; do not include the key type.
        • Provide the key type on the following line. Key type is case-sensitive.
      • For NTP server, we recommend using an NTP server on your own network.
        If you use an internet NTP server, be sure to allow traffic through your firewall to that address on UDP port 123.
      • All other settings on the Customize Template page are as needed for your environment.
      • Important: Information you provide on the Customize Template page is not validated during configuration. Verify your entries carefully. If there are errors, your only option will be to delete and redeploy the connector.
    5. On the Ready to Complete page, ensure that your configurations are correct.
      If you entered an SSH key on the Customize Template page, verify that the entire key, and only the key, appears on the line and meets the formatting requirements noted above.

  5. Repeat this procedure to deploy additional connectors as needed.
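
Because entries on the Customize Template page are not validated, it helps to derive the two SSH fields from the .pub file and check them against the key requirements in the prerequisites before pasting. This is an added Python example, not part of the original page or Cisco tooling; the function names and the sample key (constructed, all-zero key material) are assumptions.

```python
import base64
import binascii
import struct

SUPPORTED = ("ssh-rsa", "ssh-ed25519")  # case-sensitive, per the prerequisites


def read_string(blob, off):
    """Read one length-prefixed field of the SSH wire format (RFC 4253)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    end = off + 4 + struct.unpack(">I", blob[off:off + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def template_fields(pub_line):
    """Split one OpenSSH public-key line into the two template entries.
    Returns (key_type, key_body, rsa_bits); rsa_bits is None for ed25519."""
    parts = pub_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]  # the trailing comment is dropped
    if key_type not in SUPPORTED:
        raise ValueError(f"unsupported key type: {key_type!r}")
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    inner, off = read_string(blob, 0)
    if inner != key_type.encode():
        raise ValueError("key type does not match the type encoded in the key")
    bits = None
    if key_type == "ssh-rsa":
        _exponent, off = read_string(blob, off)
        modulus, _ = read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    return key_type, body, bits


if __name__ == "__main__":
    # Constructed sample key (all-zero key material), not a real credential.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode() + " admin@example"
    key_type, body, bits = template_fields(line)
    print("SSH public key:", body)
    print("Key type:", key_type)
```

For ssh-rsa keys, compare the returned bit length with the recommended 2048 or 4096 before deploying.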

Power on connector instances

After deploying, power on each connector instance. Connectors will automatically connect to Secure Access.

Confirm connectors

To complete the connector configuration, you must confirm each connector instance. See the Confirm Connectors section in Add Connectors to a Connector Group.

If you do not see connectors in the Confirm Connectors list, see Troubleshoot Resource Connectors and Connector Groups.

