# Gateway/Virtual Machine

## Platforms

CloudGuard WAF can be deployed as a virtual machine on several platforms. The VM contains a fully managed reverse proxy gateway protected by a CloudGuard WAF Agent. Select your platform below to see the corresponding deployment instructions:

{% content-ref url="gateway-virtual-machine/aws" %}
[aws](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws)
{% endcontent-ref %}

{% content-ref url="gateway-virtual-machine/azure" %}
[azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure)
{% endcontent-ref %}

{% content-ref url="gateway-virtual-machine/vmware" %}
[vmware](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/vmware)
{% endcontent-ref %}

{% hint style="info" %}
A fully managed reverse proxy protected by a CloudGuard WAF Agent is also available as a [Docker container](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker).
{% endhint %}

## Certificates and Private Keys

CloudGuard WAF's Gateways implement a reverse proxy that can serve pages to users over HTTPS. To use this capability, you need to provide a certificate and the matching private key for the site name(s) that users will access (e.g. <https://www.acme.com>, <https://api.acme.com>). The certificate (its Subject Alternative Names, or a wildcard entry) must cover every hostname that users connect to.

### Storage options

There are two methods for storing certificates and private keys when deploying on AWS or Azure. When deploying on VMware, only the first method is available:

* [On the WAF Gateway itself](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway) - a simple procedure lets you upload the certificates and private keys directly to your gateway(s) over Secure Copy Protocol (SCP/SSH). No further configuration is required: CloudGuard WAF locates the local files automatically.
  * **Advantage**: you keep full control of your secrets
  * **Disadvantage**: does not support automatic scaling (files copied to one gateway are not present on instances that scaling launches later)
* If you are using CloudGuard WAF on [AWS](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/aws/store-certificates-in-aws) or [Azure](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-in-azure), you can store the secrets in the secured vaults of these platforms and CloudGuard WAF's Gateway fetches them from there.

{% hint style="info" %}
The certificates are fetched when CloudGuard WAF's Gateway first loads, and checked again for updates every time you Enforce policy.
{% endhint %}

When deploying on Azure/AWS, you select the storage method in the asset configuration wizard when a new profile is created. The selection is also available via **Cloud->Profiles** for CloudGuard WAF's Gateway profiles that enforce assets with HTTPS URLs.

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FEob3711p1x4P0sWd09jv%2Fappsec-profiles-ssl-certificates-aws.PNG?alt=media\&token=dcb0361b-0ddf-4201-9ddf-9e0bfa4bf828) ![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FCJUOrmoaEURE7Fn7XLJO%2Fappsec-profiles-ssl-certificates-azure.PNG?alt=media\&token=16446833-a490-4881-9869-f234c65ff7dd)

For all other deployment options, the same location contains "**Setup Instructions**" for the method used to deploy certificates for HTTPS traffic.

### Multiple certificates

When there are multiple Web Applications/APIs, CloudGuard WAF's Gateway automatically fetches the relevant certificates and private keys and uses the right one for each site name.

**Example**: you have two applications and one API end-point to protect:

* [www.acme.com](http://www.acme.com)
* [www.acme.com/sales](http://www.acme.com/sales)
* products.acme.com/catalog

Consider two possible cases:

1. You have one wildcard certificate for \*.acme.com
   * Place the certificate on your gateway by following the instructions in the Storage options section above. CloudGuard WAF will use it for all three Applications/APIs, since all of their hostnames are covered by the wildcard.
2. You have two certificates: (1) for [www.acme.com](http://www.acme.com) and (2) for products.acme.com
   * Place both certificates on your gateway by following the instructions in the Storage options section above. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs (both on the host www.acme.com) and certificate 2 for the API endpoint on products.acme.com.
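The selection in both cases is driven by the hostname of each asset (the path, such as /sales or /catalog, plays no role) and by which certificate names cover that host. The following is an added example, not CloudGuard WAF's own code and not a description of its internal logic: it models the selection a reverse proxy performs at TLS handshake time, using the assets and certificate names from the cases above as constructed data, and applies the usual wildcard rule (RFC 6125 style) that `*.acme.com` covers exactly one leftmost label. The certificate file names are assumptions.

```python
"""Hostname-to-certificate selection for the two cases on this page.

Added example, not CloudGuard WAF code. Matching rules are assumptions:
exact SAN match wins, otherwise a wildcard that covers exactly one leftmost
DNS label. The file names wildcard.pem, www.pem and products.pem are
constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Certificate:
    """Minimal stand-in for a parsed certificate: its file name and the DNS
    names from its Subject Alternative Name extension."""
    name: str
    dns_names: list[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Lowercase host of an asset URL such as www.acme.com/sales.
    Only the host matters for certificate selection, never the path."""
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).hostname.lower()


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one leftmost label:
    '*.acme.com' covers www.acme.com but neither acme.com nor a.b.acme.com,
    and a '*' anywhere but the leftmost label is not honoured."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                 # ".acme.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def select_certificate(certs: list[Certificate], host: str) -> Certificate | None:
    """Certificate whose SAN covers the host; an exact name is preferred over
    a wildcard. None means the gateway has nothing to serve this site with."""
    wildcard_hit = None
    for cert in certs:
        for dns in cert.dns_names:
            if dns.lower() == host.lower():
                return cert
            if wildcard_hit is None and name_matches(dns, host):
                wildcard_hit = cert
    return wildcard_hit


# The three assets from the page.
ASSETS = ["www.acme.com", "www.acme.com/sales", "products.acme.com/catalog"]

# Case 1: one wildcard certificate (constructed).
WILDCARD_ONLY = [Certificate("wildcard.pem", ["*.acme.com"])]
# Case 2: two host-specific certificates (constructed).
TWO_CERTS = [
    Certificate("www.pem", ["www.acme.com"]),
    Certificate("products.pem", ["products.acme.com"]),
]


def plan(certs: list[Certificate], assets: list[str] = ASSETS) -> dict[str, str | None]:
    """Map every asset to the certificate file that will serve it."""
    result = {}
    for asset in assets:
        cert = select_certificate(certs, host_of(asset))
        result[asset] = cert.name if cert else None
    return result


if __name__ == "__main__":
    print("case 1:", plan(WILDCARD_ONLY))
    print("case 2:", plan(TWO_CERTS))
    # Hosts the wildcard does NOT cover: the apex domain and a nested label.
    print("uncovered:", plan(WILDCARD_ONLY, ["acme.com", "a.b.acme.com"]))
```

The last call is the caveat worth checking before relying on a wildcard: `*.acme.com` does not cover `acme.com` itself or any host with two labels under it, so an asset on either of those needs its own certificate or a SAN entry.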

### Validating the certificate of the internal server

The reverse proxy takes incoming HTTP/S requests and forwards them to an internal server.

When the connection to the internal server uses HTTPS, the internal server presents its certificate during the TLS handshake. Best practice is to validate that certificate against a CA you trust rather than accept whatever is presented; otherwise the connection is encrypted but the backend is not authenticated.

[Advanced Reverse Proxy settings](https://waf-doc.inext.checkpoint.com/how-to/edit-reverse-proxy-advanced-settings-for-a-web-asset) include the configuration option "**Trusted CA chain for protected server SSL verification**". Use this option to configure the trusted CA chain against which the gateway validates the certificate presented by the internal server, so that a backend presenting a certificate not issued by that chain is rejected instead of served.
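To make the difference between the two settings concrete, here is an added example written with Python's standard `ssl` module. It is not CloudGuard WAF code and does not show how the gateway implements the option; it shows what a reverse proxy's client-side TLS context looks like with no upstream verification, beside the hardened form that trusts only a configured CA chain and checks the backend's hostname. The path `chain.pem`, the host `app-backend.internal` and port `8443` are assumptions.

```python
"""Upstream (protected-server) TLS verification in a reverse proxy.

Added example, not CloudGuard WAF code. Contrasts the weak setting (accept
whatever certificate the internal server presents) with the hardened one:
verify the server's chain against a specific trusted CA chain and check its
hostname. chain.pem, app-backend.internal and port 8443 are assumptions.
"""
import ssl
from typing import Optional


def upstream_context(trusted_ca_chain: Optional[str]) -> ssl.SSLContext:
    """Context the proxy uses as a TLS *client* towards the internal server.

    trusted_ca_chain: PEM file holding the CA chain that issued the internal
    server's certificate. None reproduces the weak setting: the connection
    is encrypted but the peer is not authenticated, so anything on the path
    to the backend that can terminate TLS can impersonate the backend.
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname checking
    # and, unlike create_default_context(), does not load the system CA
    # store, so only the chain configured below is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if trusted_ca_chain is None:
        # Weak setting: no chain validation, no hostname check. Order
        # matters: ssl refuses CERT_NONE while check_hostname is still True.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Hardened setting.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Fail closed: a missing or unparsable chain raises (FileNotFoundError or
    # ssl.SSLError, both OSError subclasses) instead of silently trusting
    # nothing and then failing every handshake in a confusing way.
    ctx.load_verify_locations(cafile=trusted_ca_chain)
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the
    hostname; either one alone still lets a wrong backend be served."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe_backend(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Open one TLS connection to the internal server and report what the
    proxy learned. With a verifying context a chain it cannot build, or a
    name mismatch, raises ssl.SSLError; with the weak context the handshake
    succeeds and getpeercert() is an empty dict because nothing was
    validated."""
    import socket
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "peer": tls.getpeercert()}


if __name__ == "__main__":
    weak = upstream_context(None)
    print("weak context verifies peer:", verifies_peer(weak))          # False
    hardened = upstream_context("chain.pem")                           # assumed file
    print("hardened context verifies peer:", verifies_peer(hardened))  # True
    print(probe_backend("app-backend.internal", 8443, hardened))
```

The point of `probe_backend` is the operational check: run it with the hardened context against each protected server before enforcing, and a backend whose certificate was not issued by the configured chain, or whose name does not match the host you forward to, fails the handshake here rather than in production traffic.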
