Install CAN

Deploy a sovereign, end-to-end encrypted Cloud Area Network on your own infrastructure — on any hyperscaler or on-premises hypervisor.

Self-hosted

End-to-end encrypted

Azure · AWS · GCP · VMware · vCenter · Proxmox

~30 min setup

Install the Core

The Core is the control plane of your Cloud Area Network — it manages identity, certificates, policy, and connectivity for all nodes and users.

Get Image

The CanMe Core appliance is available in the Azure Marketplace image gallery. Contact CanMe to receive your gallery access link.

Request Azure Image Access

Minimum: 4 vCPUs

RAM: 16 GB

Disk: 80 GB

Deploy in Azure

1
In the Azure Portal, navigate to Virtual Machines → Create → Azure virtual machine. Under Image, select the CanMe Core image from the shared gallery or Marketplace.
2
Choose a VM size with at least 4 vCPUs and 16 GB RAM. Standard_D4s_v3 or Standard_D4as_v4 are suitable starting points.
3
Under Networking, create or assign a Network Security Group (NSG) with the inbound and outbound rules listed in the port table below.
4
Assign a Static Public IP address. Note this IP — you will use it when creating the DNS A record in the Core Rollout steps below.
5
Review and create the VM. Once booted, the Rollout Page is reachable at https://:8443 after approximately 30 seconds.

Get Image

The CanMe Core appliance is available as an Amazon Machine Image (AMI) in AWS Marketplace. Contact CanMe to receive your AMI ID or Marketplace link.

Request AWS AMI Access

Minimum: 4 vCPUs

RAM: 16 GB

Disk: 80 GB

Deploy in AWS

1
In the AWS Console, navigate to EC2 → Launch Instance. Under Application and OS Images, search for the CanMe Core AMI by ID or via Marketplace.
2
Choose an instance type with at least 4 vCPUs and 16 GB RAM. t3.xlarge, m5.xlarge, or c5.xlarge are all suitable.
3
Under Network Settings, create or select a Security Group with the inbound and outbound rules from the port table below. Ensure the instance is in a public subnet.
4
Assign an Elastic IP for a stable address. Note this IP — you will use it when creating the DNS A record in the Core Rollout steps below.
5
Verify the root EBS volume is 80 GB (gp3) and launch the instance.

Note: AWS Security Groups are stateful — inbound rules automatically permit the corresponding outbound reply traffic. Explicit outbound rules are still recommended for clarity.

Get Image

The CanMe Core appliance is available in the Google Cloud Marketplace. Contact CanMe to receive your Marketplace listing link.

Request GCP Image Access

Minimum: 4 vCPUs

RAM: 16 GB

Disk: 80 GB

Deploy in Google Cloud

1
In Google Cloud Console, go to Compute Engine → VM Instances → Create Instance. Under Boot disk, select the CanMe Core image from Marketplace.
2
Choose a machine type with at least 4 vCPUs and 16 GB RAM. n2-standard-4 or c2-standard-4 are recommended.
3
Under Networking, reserve a Static External IP and configure VPC Firewall Rules for all required ports. Apply rules via the instance’s network tag.
4
Note the static external IP — you will use it when creating the DNS A record in the Core Rollout steps below.
5
Create the instance and wait for it to reach running state.

Download ISO

Download the CanMe Core ISO image directly. The ISO is a bootable appliance installer — no additional OS installation is required.

Download Core ISO (VMware)

Minimum: 4 vCPUs

RAM: 16 GB

Disk: 80 GB

Deploy in VMware vSphere / ESXi

1
Upload the ISO to a vSphere datastore via the vSphere Client (Storage → Upload Files) or via the ESXi host datastore browser.
2
Create a new VM: right-click the host or cluster and select New Virtual Machine. Set 4+ vCPUs, 16 GB+ RAM, and add an 80 GB disk. Choose Other Linux (64-bit) as the guest OS if prompted.
3
Under CD/DVD Drive, select Datastore ISO file and point to the uploaded ISO. Ensure Connect at power on is checked.
4
Assign the VM to a port group with outbound internet access. Ensure your upstream firewall permits the required ports listed below.
5
Power on the VM. The appliance boots from the ISO and self-installs. Once complete, note the IP address shown in the console. Ensure port-forwarding or a public IP is configured upstream so the appliance is reachable externally.

Firewall and port-forwarding rules are the responsibility of the administrator in on-premises environments. Verify all required ports are open at both the VM firewall level and any upstream firewall or router.

Download ISO

Download the CanMe Core ISO image. This image is compatible with vCenter-managed clusters and standalone ESXi hosts equally.

Download Core ISO (vCenter)

Minimum: 4 vCPUs

RAM: 16 GB

Disk: 80 GB

Deploy via vCenter

1
Log in to the vSphere Web Client connected to your vCenter Server. Navigate to the target cluster or host in the inventory.
2
Upload the ISO to a shared datastore accessible from the target host (Datastore → Upload Files).
3
Right-click the target host and select New Virtual Machine. Set 4+ vCPUs, 16 GB+ RAM, and add an 80 GB disk. Select Other Linux (64-bit) as the guest OS type.
4
Add a CD/DVD Drive backed by the uploaded ISO. Ensure Connect at power on is enabled.
5
Assign the VM to a distributed port group (or standard port group) with outbound internet access and the required firewall rules in place.
6
Power on the VM. The appliance boots and self-installs. Note the IP address from the console once complete. Ensure public reachability via port-forwarding or a public IP upstream.

vCenter does not manage external network access or firewall rules — those must be configured on your physical switches, NSX-T, or upstream router.

Download ISO

Download the CanMe Core ISO image. Upload it to Proxmox storage and boot a new VM from it directly.

Download Core ISO (Proxmox)

Minimum: 4 vCPUs

RAM: 16 GB

Disk: 80 GB

Deploy in Proxmox VE

1
Upload the ISO to Proxmox storage via Datacenter → Storage → ISO Images → Upload, or via the CLI: scp canme-core.iso root@proxmox:/var/lib/vz/template/iso/
2
Create a new VM in the Proxmox UI: click Create VM. Set 4+ vCPUs, 16 GB+ RAM, and add an 80 GB disk (virtio-scsi recommended).
3
Under CD/DVD, select the uploaded ISO as the boot media. Ensure Boot Order has the CD drive first.
4
Set the network bridge (e.g. vmbr0) with outbound internet access. Configure port-forwarding or assign a public IP upstream for external reachability.
5
Start the VM. The appliance boots from the ISO and self-installs. Note the IP address shown in the Proxmox console once the appliance is running.

Port-forwarding and firewall rules must be configured at the Proxmox host level or on the upstream router. Verify all required ports are reachable from the internet before proceeding.

Required Firewall Ports — Core

Configure these rules in your cloud provider’s security group, NSG, or firewall before booting the appliance.

Inbound (to appliance)

Port	Purpose
80/TCP	HTTP redirect and certificate provisioning
443/TCP	Management UI (Cansole), API, authentication, overlay network
8440/TCP	Overlay network control plane — edge node connections
9000/TCP	Overlay network inter-node links
8443/TCP	Rollout page — temporary, only during initial setup

Outbound (from appliance)

Port	Destination	Purpose
53/TCP	1.1.1.1, 8.8.8.8	DNS
443/TCP	support.canme.network	Support access
443/TCP	license.canme.network	License server
443/TCP	acrcanme.azurecr.io	System updates
443/TCP	acme-v02.api.letsencrypt.org	TLS certificate provisioning

Core Rollout Same for all platforms

The Rollout Page is a one-time setup wizard served by the appliance at https://:8443. Once the Core is installed, Cansole will be available at the FQDN you configure below.

1

Open the Rollout Page

Navigate to https://:8443 in your browser and accept the self-signed certificate warning.
2

Click “Install Core”

On the choice screen, select Install Core to begin the Core installation process.

Fill in the installation form

Field	Description
License Key	Your CanMe license key (from your CanMe account)
Core Address	The network-wide FQDN for your Core and Cansole, e.g. canme.example.com. This address becomes the entry point for the entire Cloud Area Network — choose it carefully.
Customer Name	Used to derive the internal domain name

4

Create a DNS A record

In your DNS provider, create an A record pointing your chosen Core Address (e.g. canme.example.com) to the appliance’s public IP address. This record must resolve before you click Install, as the Core uses it to provision a TLS certificate from Let’s Encrypt.
5

Click “Install” and wait

The progress bar updates in real time. Installation typically takes 3–8 minutes. Wait until the status shows Completed.
6

Retrieve your credentials

Enter your License Key in the verification field and click Retrieve Credentials. Credentials are displayed once only — copy or save them before closing the page.
7

Access Cansole

The rollout service disables itself automatically. Cansole is now reachable at your configured Core Address (e.g. https://canme.example.com). You will be prompted to set your password on first login.

Troubleshooting: If the installation fails, a Download Logs button appears on the error screen. Download the log bundle and send it to support@canme.cloud.

Connect with Cannector

Cannector is the client application for Windows and macOS that connects users and devices to your Cloud Area Network.

Prerequisites

1. Network Address ▾

You need the network address of the Core controller — the fully qualified domain name you configured during Step 1 (e.g. canme.example.com), shown in the credentials displayed at the end of the Core Rollout. Cannector uses this to reach the enrollment and management endpoints.

2. Identity ▾

You need one of the following, depending on how access was provisioned:

Identity Type	What You Need
CAN-User (local or Entra ID)	A user account in the network — either locally created or synced from Microsoft Entra ID (Azure AD). Your administrator will confirm which applies.
Device PSK	A pre-shared key issued by your network administrator for device-level enrollment.

3. Outbound Network Access ▾

Only a single outbound port is required from the machine running Cannector:

Direction	Port	Protocol	Destination
Outbound	443	HTTPS/TLS	Network controller and meshes

If your environment uses a web proxy or firewall with SSL inspection, the controller’s TLS certificate chain must be trusted by the machine running Cannector.

4. No Conflicting VPN Software ▾

Cannector installs its own network tunnel. Any other VPN client must be disconnected (not uninstalled) before starting Cannector. Running two tunnel clients simultaneously causes routing conflicts.

This includes: Cisco AnyConnect, GlobalProtect, Pulse Secure, WireGuard, OpenVPN, and similar tools.

5. Local Administrator Rights ▾

Windows: The installer requires administrator rights to install the Ziti Edge Tunnel service and configure the network adapter.

macOS: The VPN network extension must be authorized during first launch. macOS will prompt for this; without it the tunnel cannot function.

Download Cannector

Windows (.exe) macOS (.pkg)

Join Your Network

Use the credentials from Step 1 to enroll Cannector into your new Core. The Join Guide walks you through the enrollment process step by step.

Open Join Guide →

Add a Mesh Node

Mesh nodes (and Gate nodes) are edge appliances that route encrypted traffic between users and resources within your Cloud Area Network. You can add as many as needed.

Minimum: 2 vCPUs (4 recommended)

RAM: 8 GB

Disk: 60 GB

The Core’s FQDN must be resolvable and reachable on all required ports from the Mesh node. The Mesh FQDN must be resolvable by the Core, all other Meshes and Gates, and all Cannector clients. Only Cores and Meshes require public DNS A records — Cannector clients do not.

Get Image

The CanMe Mesh/Gate appliance is available in the Azure Marketplace image gallery. Contact CanMe to receive your gallery access link.

Request Azure Image Access

Deploy in Azure

1
In the Azure Portal, create a new VM from the CanMe Mesh/Gate gallery image. Choose a size with at least 2 vCPUs and 8 GB RAM (Standard_D2s_v3 or larger; use 4 vCPUs for higher load).
2
Assign a Static Public IP and configure an NSG with the inbound and outbound rules from the port table below.
3
Note the public IP address — you will create a DNS A record for the Mesh FQDN in the Gate/Mesh Rollout steps below.
4
Boot the VM and proceed to Gate/Mesh Rollout.

Get Image

The CanMe Mesh/Gate appliance is available as an Amazon Machine Image (AMI) in AWS Marketplace. Contact CanMe to receive your AMI ID or Marketplace link.

Request AWS AMI Access

Deploy in AWS

1
Launch a new EC2 instance from the CanMe Mesh/Gate AMI. Choose t3.large (2 vCPU, 8 GB) or larger (t3.xlarge for higher load).
2
Assign an Elastic IP and configure a Security Group with the inbound and outbound rules from the port table below.
3
Note the Elastic IP — you will create a DNS A record for the Mesh FQDN in the Gate/Mesh Rollout steps below.
4
Boot and proceed to Gate/Mesh Rollout.

Get Image

The CanMe Mesh/Gate appliance is available in Google Cloud Marketplace. Contact CanMe to receive your Marketplace listing link.

Request GCP Image Access

Deploy in Google Cloud

1
Create a Compute Engine instance from the CanMe Mesh/Gate Marketplace image. Choose n2-standard-2 (2 vCPU, 8 GB) or larger (n2-standard-4 for higher load).
2
Reserve a Static External IP and configure VPC Firewall Rules for all required ports.
3
Note the external IP — you will create a DNS A record for the Mesh FQDN in the Gate/Mesh Rollout steps below.
4
Boot and proceed to Gate/Mesh Rollout.

Download ISO

Download the CanMe Mesh/Gate bootable ISO and use it to create a new VM in vSphere / ESXi.

Download Mesh ISO (VMware)

Deploy in VMware

1
Upload the ISO to a vSphere/ESXi datastore. Create a new VM with at least 2 vCPU, 8 GB RAM, and a 60 GB virtual disk. Attach the ISO as the boot media.
2
Connect the VM to a port group with outbound internet access and connectivity to the Core on all required ports.
3
Power on the VM. The appliance boots from the ISO and self-installs. Note the IP from the console once complete.
4
Ensure the IP is reachable on all required inbound ports (configure upstream firewall or NAT as needed) and proceed to Gate/Mesh Rollout.

Download ISO

Download the CanMe Mesh/Gate bootable ISO and deploy it as a new VM through vCenter.

Download Mesh ISO (vCenter)

Deploy via vCenter

1
Upload the ISO to a shared datastore accessible by your ESXi hosts. In vCenter, create a new VM via New Virtual Machine, set at least 2 vCPU, 8 GB RAM, and 60 GB disk, and attach the ISO to the CD/DVD drive.
2
Assign the VM to a port group (standard or distributed) that has outbound internet access and connectivity to the Core.
3
Power on the VM. The appliance boots from the ISO and self-installs. Note the IP from the console once complete.
4
Ensure all required inbound ports are reachable (configure NSX rules or upstream firewall as needed) and proceed to Gate/Mesh Rollout.

Download ISO

Download the CanMe Mesh/Gate bootable ISO and use it to create a new VM in Proxmox VE.

Download Mesh ISO (Proxmox)

Deploy in Proxmox

1
Upload the ISO to a Proxmox storage. Create a new VM with at least 2 vCPU, 8 GB RAM, and a 60 GB virtual disk. Set the ISO as the boot media under the CD/DVD Drive.
2
Attach the VM to a network bridge with internet access. Configure port-forwarding at the host or upstream router for the required inbound ports.
3
Start the VM. The appliance boots from the ISO and self-installs. Note the IP from the console once complete.
4
Verify reachability on all required ports and proceed to Gate/Mesh Rollout.

Required Firewall Ports — Mesh / Gate

Outbound (from Mesh to external)

Port	Destination	Purpose
443/TCP	Core and Meshes	Management and overlay
8440/TCP	Core	Overlay control plane
9000/TCP	Core and Meshes	Inter-node links
53/TCP	1.1.1.1, 8.8.8.8	DNS
443/TCP	support.canme.network	Support access

Inbound (public / WAN)

Port	Purpose
443/TCP	Overlay network and client connections
9000/TCP	Inter-node overlay links
8443/TCP	Rollout page — temporary, initial setup only

Gate / Mesh Rollout Same for all platforms

The rollout has two parts: generating a token in Cansole, then entering it on the device’s Rollout Page.

Part 1 — Generate a Rollout Token in Cansole

1

Create a DNS A record for the Mesh FQDN

In your DNS provider, create an A record pointing the Mesh FQDN (e.g. mesh-01.canme.example.com) to the public IP of the Mesh appliance. This record must resolve before the Core can reach the node. Only Cores and Meshes require public DNS A records — Gate nodes do not require a public FQDN.
2

Open Infrastructure → Management in Cansole

Log in to Cansole at your Core Address and navigate to Infrastructure → Management.
3

Create a new Mesh or Gate

Click the + button and select Mesh or Gate.

Fill in the creation form

Field	Description
Name	Unique identifier for the node
Hostname	Hostname of the device
FQDN (Mesh only)	e.g. mesh-01.canme.example.com — the A record you created in step 1

5

Copy the rollout token

Click Create. The rollout token is displayed once — copy or download it before closing the dialog.

Part 2 — Enroll the Device

1

Open the Rollout Page on the device

Navigate to https://:8443 and accept the self-signed certificate warning.
2

Click “Gate/Mesh Enrollment”

On the choice screen, select Gate/Mesh Enrollment.
3

Paste the rollout token and start

Paste the token from Part 1 into the input field and click Start Gate/Mesh Rollout. The progress bar updates in real time.
4

Wait for “Completed”

The rollout service disables itself automatically once the status shows Completed. The device is now connected to the Core.

Troubleshooting: If the rollout fails, a Download Logs button appears. Download the bundle and send it to support@canme.cloud.

Your CAN is live

You have deployed a sovereign, end-to-end encrypted, microsegmented Cloud Area Network.

Core Control plane, certificate authority, and identity provider

Mesh Edge node routing encrypted traffic across your network

Users Connect via Cannector through a fully encrypted overlay

Onboard Users → My CanMe Dashboard