NSX Bytes: Trend Deep Security 9.6 DSVA Deployment Gotchya

This week I’ve been working with Trend Deep Security 9.6 to get a Proof of Concept up and running to protect some internal management virtual machines with Trend’s agentless protection feature. Trend now integrates with NSX, and in an NSX-enabled environment the Deep Security Virtual Appliance (DSVA) provides Anti-Malware, Integrity Monitoring, Web Reputation Service, Firewall, and Intrusion Prevention for your virtual machines, without requiring an Agent.

After following the Install Guide, installing the Deep Security Manager and connecting the vCenter and NSX Managers through the DSM Web Console, I installed the NSX Guest Introspection ESX Agents under Service Deployments. When I got to the part where you deploy the Trend Micro Deep Security Service from the same location in the Web Client, I got the following error.

Checking the Service Definitions menu under Trend Micro, I saw that the Deployment settings looked correct as per the install guide. Heading to the URL provided, I got an error from the DSM saying that there was a database error and the file was not found, matching the error above.

After a little digging I checked to see what was listed in the DSM Local Software repository and couldn’t see the ESX Agent in the list. This needs to be imported first before you can use the Service Deployment section to deploy the Trend Micro DSVAs (Download Link). Go to the Updates > Software > Local page and click Import. Once imported you should see the following.

Once that has been done you can click on the Resolve Button in the System Alarm window of the NSX Service Deployment section and the appliances will be deployed as version 9.5 as shown below.

Important Note:
EDIT: Trend has responded in the comments:

As mentioned on the download page:

If you are implementing Agentless protection, install the 9.5 version of the DSVA and import the Agent Software for Red Hat Enterprise Linux 6 64-bit package. Afterward, the DSVA will be able to upgrade to the version 9.6…but DON’T!

Upgrade Notice: Version 9.6 of the DSVA is limited to providing Anti-Malware and Integrity Monitoring protection for your virtual machines. If you need pure Agentless protection with Anti-Malware, Firewall, Intrusion Prevention and Integrity Monitoring, do not activate the Deep Security Agent on the VMs and do not upgrade your DSVA to 9.6.

So if you want that agentless protection for all Trend Deep Security features as listed above do not upgrade to the 9.6 version of the DSVA. I’m not sure why this is the case, but I will chase this up and update this post when I know more.

References:

http://docs.trendmicro.com/all/ent/ds/v9.6/en-us/Deep_Security_96_Install_Guide_nsx_EN.pdf

http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4856&lang_loc=1

3 comments

  • Hi, Martin from Trend Micro here.

    If you are using NSX, you can safely upgrade the DSVA 9.5 to 9.6 and agentless Antimalware and Firewall/IPS will continue to work.

    The warning is intended for users of ESXi 5.5/5.1 with vSphere 5.5/5.1 without NSX.

    Should you run a vSphere 5.5/5.1 with ESXi 5.5/5.1 environment using agentless Firewall/IPS, upgrading the DSVA to 9.6 will stop the network component from working agentlessly.

    Agentless network protection has never worked on ESXi 6.0 without NSX; however, agentless Antimalware continues to work as before.

    For further information, the best practice guide is available here http://docs.trendmicro.com/all/ent/ds/v9.6_sp1/en-us/Deep_Security_96_SP1_Best_Practice_Guide.pdf

    Thanks.

    • Thanks for the clarification … Though in the 9.6 with ESXi 5.5 antimalware isn’t working agentless?

      • ESXi 5.1/5.5 with DSVA 9.5 has agentless antimalware and agentless network protection.
        ESXi 5.1/5.5 with DSVA 9.6 has agentless antimalware but does not have agentless network protection. (unless you deploy NSX)
        ESXi 6 must use DSVA 9.6. Without NSX, only the antimalware can be agentless. With NSX the antimalware and Network protection can be agentless.

        I hope this clears things up.

        If you want to have network protection on ESXi 6.0, you can deploy agentless antimalware and also deploy the agent. The antimalware component will be agentless as the agent will let the DSVA do the antimalware work whilst the agent does the network protection. We call this combined mode. In this mode, the agent is tiny – it uses around 36 MB of disk space and a similar amount of RAM (although this is OS and installed application dependent).

        No special configuration is required. If the Guest has the Guest Introspection driver installed and resides on a host with a DSVA protecting it, simply install the agent, apply the relevant policy and you’re done.
