Qualys Gateway Service Deployment Guide

This document outlines the steps to deploy and configure a Centralized Appliance Management Service (CAMS) Qualys Gateway Service (QGS) appliance on AWS cloud using the old user interface, including launching an EC2 instance using the QGS AMI, configuring networking and user data settings, and validating the YAML configuration for the POD suffix.

Uploaded by

mracrawford

Qualys Gateway Service AWS VM

Deployment Guide
Version 1.2

August 10, 2023


Copyright 2022-23 by Qualys, Inc. All Rights Reserved.
Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
are the property of their respective owners.

Qualys, Inc.
919 E Hillsdale Blvd
4th Floor
Foster City, CA 94404
1 (650) 801 6100

Table of Contents
About this Deployment Guide
  About Qualys
  Qualys Support

Overview
  Pre-requisites
  Deploy and Configure CAMS QGS Appliance on AWS Cloud Using old User Interface
  How to Interact with the Appliance
  How to Launch QGS Instances Using AWS CLI
  Deploy and Configure CAMS QGS Appliance on AWS Cloud Using new User Interface
  POD Suffixes

About this Deployment Guide


This deployment guide contains the information for deploying, interacting with, and
configuring the Centralized Appliance Management Service (CAMS) QGS Appliance on AWS
Cloud. It also outlines the details of launching QGS instances using the AWS Command
Line Interface (CLI).

About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses
simplify security operations and lower the cost of compliance by delivering critical
security intelligence on demand and automating the full spectrum of auditing,
compliance and protection for IT systems and web applications.
Founded in 1999, Qualys has established strategic partnerships with leading managed
service providers and consulting organizations including Accenture, BT, Cognizant
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT,
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com.

Qualys Support
Qualys is committed to providing you with the most thorough support. Through online
documentation, telephone help, and direct email support, Qualys ensures that your
questions will be answered in the fastest time possible. We support you 7 days a week,
24 hours a day. Access online support information at www.qualys.com/support/.

Overview
Qualys Gateway Service (QGS) is a packaged virtual appliance developed by Qualys that
provides proxy services for Qualys Cloud Agent deployments requiring proxy connectivity
to connect with the Qualys Cloud Platform.
This document outlines the steps required to set up a Centralized Appliance Management
Service (CAMS) Qualys Gateway Service (QGS) appliance on the AWS cloud.

Pre-requisites
- To set up the CAMS QGS appliance on AWS Cloud, you need an AWS account.
- You must have the AWS CLI installed on your machine to launch and execute the
command from the command line.
- To get the QGS AMI, submit a service request to Qualys support with your AWS account
ID and AWS Region. Qualys support will share the QGS AMI in your AWS account.

Deploy and Configure CAMS QGS Appliance on AWS Cloud Using old User Interface
Follow these steps to deploy and configure a CAMS QGS appliance on the AWS Cloud using
old user interface:
1. Log in to your AWS account.
2. Go to Launch a virtual machine with EC2.

3. On the EC2 experience page, go to Images > AMIs (Amazon Machine Images).

4. Select the QGS AMI and click Launch Instances to launch an EC2 instance.

5. Select the latest AMI image shared by Qualys support and SRE. Contact Qualys support
to get the latest AMI image.
Note: You need not deploy a new instance if you already have one with an old AMI image
that can be auto-upgraded.
- An AMI is a template that contains the software configuration required to launch your
instance. You can select an AMI provided by AWS Marketplace, Community or your
available AMIs.

6. Select a t3.xlarge size of the instance and click Next: Configure Instance Details.

7. If you want to assign a public IP to the QGS appliances, then configure the instance
details by selecting the network and set the Auto-assign Public IP field to Enable.
- If you want to assign a private IP to the QGS appliances, then do not enable the Auto-
assign Public IP option.

IMPORTANT: If you configure the instance using the latest image version 2.1.0-48, you can
configure the POD suffix directly in the TextUI by selecting System Settings > POD Suffix,
without using the User Data option. For detailed steps to configure the POD suffix
without the User Data option, refer to the Appendix section of the Qualys Gateway
Service User Guide.
However, we recommend using the User Data option only when the instance is launched
using the scripts while creating the instance.
8. On the same Instance Detail Configuration screen, scroll down to the User data section
and add the following user data and click Next: Add Storage.
#cloud-config
write_files:
  - owner: root:root
    path: /opt/qualys/cloud.env
    permissions: '0644'
    content: |
      POD_SUFFIX=Add your QGS Platform URL here

Note: If the instance does not accept pod suffix without double quotes, then add the pod
suffix between the double quotes, e.g., POD_SUFFIX="Add your QGS Platform URL here"

IMPORTANT:
Perform the following steps precisely to ensure a valid YAML configuration:
• 'MS Word' is used here as an example of a popular word-processing application.
If you use it, make sure you enable 'show formatting marks'.
• Use any web 'Browser' or 'PDF Viewer' to view/open the Qualys AWS Deployment Guide.
1. Open MS Word and your Browser, side-by-side


2. In MS Word, enable Paragraph markers and choose font 'Courier New' (a monospaced
font).
3. In your Browser, open the QGS AWS Deployment Guide to page 8, step 8.
4. Select the text that begins '#cloud-config' and ends 'Add your corresponding POD suffix
here.'
5. Paste this into MS Word; you should see the YAML config file, monospaced, with space
and paragraph markers clearly visible.

6. Now in your Browser, scroll to the last page of the QGS AWS Deployment Guide and the
table, 'POD Suffixes'.
7. Find your POD suffix from the 'Platform URL' column; paste this into MS Word, after
the entry 'POD_SUFFIX=', do not use any quotation marks.
8. Scroll back to page 10, 'Example.' Verify that the YAML file configuration you have in
MS Word matches exactly, including all the space marks '·' and paragraph markers '¶'.
Your POD_SUFFIX Platform URL value needs to match where your subscription is located.

9. Go to your Browser, open the website, 'www.yamllint.com'.

10. In MS Word, select all text and copy it with Ctrl-C or Command-C.
11. In your Browser, paste the text into the blank YAML window and click 'go'. You should
see a green bar saying 'Valid YAML!'. Refer to the following screenshot.

12. It is now possible to copy that validated YAML from yamllint.com into your AWS
Console.
Example:

Refer to the POD Suffixes section at the end of this guide to find the POD suffix for
your POD. For example, for platform US2, you can use the platform URL
qg2.apps.qualys.com to add your corresponding POD suffix. Similarly, for platform IN1,
you can use the platform URL qg1.apps.qualys.in.

9. On the Add Storage page, you can attach additional EBS volumes and instance store
volumes to your instance.
Note: If you want to use your appliance for Patch caching purposes, then you need to add
another storage volume of at least 256 GB.
After adding the volumes to your instance, click Next: Add Tags.

10. On the Add Tags page, you can add Owner and Name tag details, then click Next:
Configure Security Groups.

11. On the Configure Security Group page, you can select an appropriate Security Group
and click Review and Launch.

Note: A security group is a set of firewall rules that control the traffic for your instance.
You can add rules to allow specific traffic to reach your instance.

12. Verify that all the settings are matching with the selected values and click Launch.

13. Choose 'Proceed without a key pair' from the dropdown, acknowledge the
check-box, and click Launch Instances.

The following is the sample screenshot that shows the instance launch status.

How to Interact with the Appliance


To communicate with the QGS appliance, use the AWS EC2 Connect feature. This is a
secure and straightforward method of connecting to your instances. It shortens the time
required to boot and obtain new instances.
1. Go to your AWS account, select the running instance and click Connect.

2. Go to EC2 Instance Connect and change the User name to core and click Connect.
Note: Use the EC2 Instance Connect option to connect your instance if you've enabled the
Auto-assign public IP while configuring the instance details to assign the public IP to your
appliances.

Note: If you want to assign a private IP to your QGS appliances then use the EC2 Serial
Console option to connect your instance.

3. Once you connect your instance, you are redirected to the appliance console.

Note: We recommend that you keep trying to connect if it takes a long time to
connect to your instance.
4. After you have launched your EC2 instance, verify from the Info tab that the QAG
Status is shown as Connected.

5. Register the appliance with Qualys. For detailed steps on registration of the appliance,
refer to Qualys Gateway Service User Guide.

How to Launch QGS Instances Using AWS CLI


The following command can be used to launch one or more QGS instances in the AWS cloud.
Run it with the AWS CLI.
Note: You must have the AWS CLI installed on your machine to launch and execute
the command below.

Command to Launch QGS Instances in the AWS Cloud


# Replace the masked security group and subnet IDs with your own values.
# Each option line ends with a backslash; the quoted values stay on one line.
aws ec2 run-instances \
  --image-id ami-046a1afb413842c91 \
  --instance-type t3.large \
  --security-group-ids sg-0********** sg-0********** \
  --subnet-id subnet-0*************** \
  --user-data file://ec2-userdata.yml \
  --associate-public-ip-address \
  --count 1 \
  --block-device-mappings 'DeviceName=/dev/sdb,Ebs={DeleteOnTermination=True,VolumeSize=256,Encrypted=False}' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value="QGS Appliance"}]'

Content of the ec2-userdata.yml file used in the previous command:


#cloud-config
write_files:
  - owner: root:root
    path: /opt/qualys/cloud.env
    permissions: '0644'
    content: |
      POD_SUFFIX=Refer last page to know which POD suffix to use
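
Added example, not part of the Qualys guide: rather than hand-copying the YAML through a word processor and a web linter as in the IMPORTANT steps under step 8, the functions below generate ec2-userdata.yml with fixed indentation and check it locally before it is passed to aws ec2 run-instances. The function names write_userdata and check_userdata are hypothetical, and the 2/4/6-space indentation is this example's choice.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical; the file path, keys and
# POD_SUFFIX variable are the ones this guide puts in ec2-userdata.yml.

# write_userdata POD_SUFFIX OUTFILE: emit the cloud-config with fixed indentation.
write_userdata() {
  suffix=$1; out=$2
  # Accept only a bare DNS name: no scheme, spaces, quotes or placeholder text.
  printf '%s\n' "$suffix" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' || {
    echo "invalid POD suffix: $suffix" >&2; return 1; }
  printf '%s\n' \
    '#cloud-config' \
    'write_files:' \
    '  - owner: root:root' \
    '    path: /opt/qualys/cloud.env' \
    "    permissions: '0644'" \
    '    content: |' \
    "      POD_SUFFIX=$suffix" > "$out"
}

# check_userdata FILE: succeed only if FILE has the layout above. This is a
# stricter, guide-specific check, not a general YAML parser.
check_userdata() {
  f=$1
  [ "$(head -n 1 "$f")" = '#cloud-config' ] || {
    echo "$f: first line must be exactly #cloud-config" >&2; return 1; }
  # Tabs, CRs, non-breaking spaces and smart quotes are what copy/paste from a
  # PDF or word processor introduces; all fall outside printable ASCII.
  if LC_ALL=C grep -q '[^ -~]' "$f"; then
    echo "$f: contains tabs, CRs or non-ASCII characters" >&2; return 1
  fi
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^write_files:$/                       { wf = 1 }
    /^ +path: \/opt\/qualys\/cloud\.env$/  { p = 1 }
    /^ +content: \|$/                      { c = indent($0); next }
    # The value line must be indented deeper than "content: |" to stay in the block.
    c && /^ +POD_SUFFIX="?[A-Za-z0-9.-]+"?$/ && indent($0) > c { ok = 1 }
    END { exit !(wf && p && ok) }
  ' "$f" || { echo "$f: write_files structure or POD_SUFFIX value is wrong" >&2; return 1; }
}

# Usage (US2 platform URL taken from this guide):
#   write_userdata qg2.apps.qualys.com ec2-userdata.yml && check_userdata ec2-userdata.yml
```

A file that still contains the placeholder text, or whose indentation was flattened or replaced by tabs during copy and paste, fails the check before any instance is launched.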

Deploy and Configure CAMS QGS Appliance on AWS Cloud Using new User Interface
Follow these steps to deploy and configure a CAMS QGS appliance on the AWS Cloud using
new user interface:
1. Log in to the AWS account (aws-qualys-dev-qgsint) from qualys.okta.com.
2. Go to the EC2 service AMI section.

3. Launch an EC2 instance using the QGS AMI by selecting the image and clicking the
Launch button.
4. Select a t3.xlarge size of the instance.

5. Click the Edit button on the Network setting and use the VPC as per the pod preference,
and the subnet will be selected automatically based on your VPC settings. Refer to the
following screenshot.

6. Select the static IP assignment according to your static IP requirement.

7. Select "Select Existing security Group" as per the requirement.

8. Add a secondary disk to the appliance, select the Advanced option, and add the required
disk size.

Also, make sure to delete the disk on termination of your instance.

9. Select the Advanced Details option to add the user-data. The user data should be in
proper JSON format. Always use a tool to ensure the user-data is in the right format;
otherwise, the appliance would show "Not connected" with incorrect/incomplete
Qagpublic and camspublic URL.
Note: To ensure a valid YAML configuration, refer to the Important section on page 8 and
perform the steps precisely.

10. Verify the summary and click Launch Instance.

11. To interact with the appliance, use the AWS EC2 Connect feature.
i) Select the running instance and click Connect.

ii) On the next window, change the user name to core and click Connect.

POD Suffixes
To identify the Platform URL Suffix for your subscription, refer to the Platform URL Suffix
section of the Qualys Platform Identification.
