Applies to on-premise Deep Security software installations only

Deploy Deep Security

Prepare your environment

This document is your checklist., then follow these steps for a basic, functional deployment. Once finished, you'll be ready to make security policies.

Download software: Get your license activation codes. Download any required vCenter, ESXi, VMware Tools, and NSX Manager software from.
Download the latest patch and Deep Security Manager installer. Agent and relay installers are not required; they can be downloaded via the manager. All Deep Security Relays must be upgraded before upgrading the Deep Security Agent. Failure to do so may cause the relay upgrade to fail.

Verify that the Deep Security installers are authentic (check hashes): To verify software authenticity, check the SHA256 hash (also called a fingerprint). Trend Micro publishes its hashes on the page.
The Deep Security Relay is a server which relays Deep Security Updates from the Trend Micro global update server to the Deep Security system. By using Relays you can improve performance by distributing the task of delivering updates to the Manager, Appliances, and Agents of your Deep Security installation.
You must click the plus sign next to the software to see the hash (see the figure below).

Check compatibility: Start the installer. Before it installs anything, it will check your environment. This will verify, and that all your deployment components are compatible with the new version of Deep Security Manager.

The readiness check will generate a 'to do' list of compatibility issues (if any) for your specific environment. For example, you may need to free disk space, allocate more vRAM, or upgrade old Deep Security Agents to supported versions. If you're not ready yet, you can cancel the install, and return when ready.

This is new in Deep Security 10. The readiness check also customizes this guide for your environment's needs when you click View My Upgrade Guide.

Before you install, all sections under must be complete. If you have an existing multi-tenant deployment, back up all databases. With Microsoft SQL, there's one main database and an additional database for each tenant. With Oracle, all tenant information is in one Deep Security Manager database, but an additional user is created for each tenant. Each user has its own tables.

Hardware requirements

Recommended hardware varies by enabled features, size of your deployment, and future growth. See.

On the Deep Security Manager server where you are running the installer, the installer's readiness check will verify hardware before it installs. If hardware does not meet, the installer will either warn you about reduced performance, or block the install.

Only the local server's hardware and some other deployment information that is stored in the database is tested. You must manually verify other servers' hardware, run the readiness check on any other manager nodes, or both. On Linux, reserved system memory is separate from process memory. Therefore, although the installer's estimate might be similar, it will detect less RAM than the computer actually has. To verify the computer's actual total RAM, log in with a superuser account and enter:

    grep MemTotal /proc/meminfo

After you install Deep Security 10.0, you may be able to optimize performance.

Network requirements

Before you run the installer, verify that the Deep Security Manager server can use its required network services. This includes NTP for reliable time stamps and DNS for name resolution. For a list of protocols, associated features, expected source or destination, and required open network port numbers, see.

The system clock of the manager operating system must be synchronized with the clock of the database. Both computers should use the same NTP service.

Once Deep Security Manager is installed, when you deploy new agents, appliances, and relays, the manager will automatically apply firewall rules to open their required ports. If network connectivity is unreliable on required ports, some features may be unreliable or fail.

For some features, Deep Security must be able to resolve host names into IP addresses.
If your DNS server does not already have entries so that the manager can resolve each computer or VM's host name to its IP address, then either use their IP address instead, or perform one of the following actions:

- Add an A record, an AAAA record, or both on your DNS server so that the manager, agents, appliances, and relays can perform DNS lookup queries.
- Add an entry in the agent or appliance computer's hosts file.

Deep Security Manager's certificate generator for SSL or TLS connections requires that the server have an RFC 1034-compliant FQDN. The server's DNS name cannot start with a number, such as 0000-dsm.example.com. If it does, the install log will have the error message:

    java.io.IOException: DNSName components must begin with a letter

Network topology

If you are deploying multiple server nodes of Deep Security Manager for a large scale deployment, a load balancer can help to ensure even distribution of connections with Deep Security Agents and Virtual Appliances. Load balancers with virtual IPs can also provide a single inbound port number such as TCP 443, instead of the multiple port numbers that Deep Security normally requires.

Database requirements

The Deep Security Manager must be co-located on the same network as its database, with the connection speed of 1 GB LAN or higher. Connections over WAN are discouraged. Deep Security Manager relies on the database to function. Any increase in latency can have a serious negative impact on Deep Security Manager’s performance and availability.

Requirements vary by database type. See.

If you are installing Deep Security for the first time, before you run the installer, create and grant permissions to the database where Deep Security Manager will store its data. Deep Security 10.0 Update 2 added support for Microsoft SQL Server Express in certain limited deployments. For details, see.

Migrate to a supported database

If the database is not compatible, you must migrate to a supported database before you can install Deep Security Manager 10.0.

If you are upgrading Deep Security, to continue to store new data until you are ready to install Deep Security Manager 10.0, migrate to a database that is compatible with both current and future software. To support multiple nodes of Deep Security Manager, you must use either a Microsoft SQL Server or Oracle database. Microsoft SQL Express databases are intended for testing only, and are not supported for multi-node deployments. If the migration did not preserve existing databases, load the database backup(s) into the new database engine.
If required, edit dsm.properties to use the migrated database. Restart the Deep Security Manager service.

Change the remote SQL query timeout

If you use Microsoft SQL Server databases, go to SQL management studio > SQL Server properties > Connections > Remote query timeout and select 0 (No Timeout). This setting prevents database connection timeouts that can occur when you upgrade if each database schema migration operation takes a long time to complete.

Choose agent-based vs. agentless protection

If you are installing Deep Security for the first time, and you want to protect VMs, you may be able to provide some protection without installing a Deep Security Agent, using a Deep Security Appliance instead, or by using both together ('combined mode').

Deep Security 10.0 requires 64-bit relays.

For instructions on how to upgrade to a supported version, see.

After you have upgraded the manager, to use new features, you will upgrade the relays again to Deep Security Relay 10.0.

Upgrade VMware and virtual appliances

If you want to use agentless or combined mode protection, follow the steps below to before you install the new Deep Security.

If you are upgrading, and your existing appliances are not compatible with the new Deep Security, also follow those steps to install compatible versions.

- vSphere or ESXi — ESXi 6.0 or later is required.
- vCNS — vCloud Networking & Security (vCNS) is not supported. If you have legacy vCNS infrastructure for agentless anti-malware and integrity monitoring with Deep Security Virtual Appliances, VMware has discontinued support, so Deep Security Manager 10.0 cannot support it. You must update vCNS to VMware's equivalent new solution: NSX. Use either:
  - NSX Advanced or Enterprise license — Full agentless protection. Requires Deep Security Virtual Appliance 10.0 or later and ESXi 6.0 or later.
  - NSX vShield Endpoint or Standard license — Only agentless anti-malware and integrity monitoring. (No network protection: firewall, intrusion prevention, web reputation.) Also requires manual sync of Deep Security Manager with NSX Manager or vCenter to determine NSX security group membership. Requires Deep Security Virtual Appliance 10.0 or later and ESXi 6.0 or later. Alternatively, for full protection including network protection features, combine the virtual appliance with a Deep Security Agent on each guest VM (also known as 'combined mode').

  During vCNS upgrade, you must also replace the network filter driver with the NetX API on each ESXi server. The VMware Tools driver for EPSec on each guest VM must also be upgraded, and is now called Guest Introspection.
- NSX — NSX 6.2.4 or later is required. If you are using NSX Manager 6.3.0 or later and Deep Security Manager 10.0 without any updates, check your failOpen settings before you deploy new appliances. Alternatively, upgrade your Deep Security Manager to version 10.0 Update 1 or later, where the failOpen issue has been resolved.
- Deep Security Virtual Appliances — Deep Security Virtual Appliances 10.0 or later are required. See the.

Since it would break part of your deployment, the installer will warn you if you have incompatible versions of virtual appliances, although the installer will not stop installation if a specific appliance is not compatible. (This allows you to proceed if the virtual appliance isn't used, or is offline.) However, the installer will not allow you to continue if you have incompatible versions of ESXi or vShield Manager or NSX Manager.

VMware dependencies exist. You must select versions that are compatible with each other. To easily choose compatible versions, see Trend Micro Support's VMware compatibility matrix (updated with each release). To ensure that you don't lose connectivity by upgrading an infrastructure component to a version that isn't compatible with the others, and to minimize downtime, update in this order.
Back up the vCenter database. Refer to your VMware documentation for instructions. Methods vary by version and storage.

If you are upgrading, on Deep Security Manager, go to Computers. Deactivate agentless computers or agents in combined mode. Deactivate the Deep Security Virtual Appliances. In NSX Manager, also delete the virtual appliances on each ESXi server. Alternatively, to ensure continuous protection during the upgrade of NSX, ESXi, or virtual appliances, configure computers to use agents for protection instead. Otherwise, computers won't be protected until you install and activate the appliances and agents again.

If they exist, on protected guest VMs,.

In Deep Security Manager, disconnect vShield Manager or NSX 6.2.3 or earlier (not vCenter). Then. If you don't have legacy vShield Manager or its components (such as the filter driver) and you have NSX 6.2.4 or later, skip this step. You must replace vShield Manager with NSX. Otherwise any configured agentless protection won't work after you upgrade to Deep Security 10.0. This could compromise the security of your protected computers.

Depending on your architecture, you might also be required to upgrade: for Deep Security Manager.

If you disconnected NSX Manager in step 4, in Deep Security Manager, go to Computers > vCenter. Reconnect NSX Manager. Click Test Connection to verify the connection.

This will add 'Trend Micro Deep Security service' to NSX Manager.

On every protected guest VM, upgrade VMware Tools to.

VMware vShield Endpoint Driver in VMware Tools 5.x will become Guest Introspection in NSX 6.2.4 or later. If you are using NSX Manager 6.3.0 or later and Deep Security Manager 10.0 without any updates, check your failOpen settings before you deploy new appliances. Alternatively, upgrade your Deep Security Manager to version 10.0 Update 1 or later, where the failOpen issue has been resolved.

A 'VMware Network Fabric' service dependency alert might appear, even if communications succeed. Firewall features can now be provided by the NSX Distributed Firewall. You can disable the firewall in Deep Security 10.0. Alternatively, you can exclude VMs from the NSX Distributed Firewall, and use the Deep Security firewall instead (see ).

If you are upgrading, after you have installed Deep Security Manager 10.0, if you want to use the new features, you will upgrade your virtual appliances, agents, and relays again, to Deep Security 10.0.

Conversion of coordinated approach to combined mode

- Coordinated approach — In Deep Security 9.5, if the agent on a VM was offline, protection features would be provided by the Deep Security Virtual Appliance instead as an alternative. However, it could not be configured separately for each feature.
- Combined mode — In Deep Security 9.6, each protection feature was configurable to use either the agent or appliance. However, if the preferred protection source was offline, the computer didn't use the other alternative.

In the new Deep Security, its 'protection source' settings provide both behaviors:

- whether each feature is provided by the agent or appliance
- whether to use the agent or appliance alternative if the preferred protection is not available

So if you need behavior like the old coordinated approach, you might want to upgrade directly from Deep Security 9.5 to 10.0 — not from 9.5 to 9.6 and then 10.0.

Pin appliances with VMware HA

If you will use protection, and use VMware Distributed Resource Scheduler (DRS) for high availability (HA), configure it before you install Deep Security. Then deploy Deep Security Virtual Appliance on all ESXi hypervisors (including backup hypervisors), and use affinity settings to 'pin' them to each ESXi server. This will ensure that agentless protection is still being applied after HA failover.

Don't apply vMotion to the appliance. Keep each appliance on its specific ESXi server: in the DRS settings, select Disabled (recommended) or Manual. (Alternatively, deploy the appliance onto local storage, not shared storage. When the virtual appliance is deployed onto local storage, DRS won't apply vMotion.) For more information, see your VMware documentation.

Upgrade unsupported agents

If your agents don't meet, you must upgrade them to be compatible with the new version of the manager before you upgrade the manager itself. Since it would break part of your deployment, the installer will warn you if you have incompatible versions, although it won't stop you if a specific agent isn't compatible. This allows you to continue if a specific agent isn't being used now, or is offline.

For instructions on how to upgrade to a supported version, see.

After you have upgraded the manager, to use new features, you will upgrade the agents again to Deep Security Agent 10.0.

Run the installer

This is new in Deep Security 10.

Once your environment is ready, install the latest patches (if any), then run the installer as root, superuser, or (on Windows) Administrator.
You can use either:

- Graphical, interactive installer (follow the steps in the wizard).

If you are installing Deep Security Manager on Linux with iptables enabled, also configure the iptables to allow and.

If you are upgrading to the new Deep Security Manager, if you want to use the new features, upgrade your virtual appliances, agents, and relays again to match the new version.

Multi-node manager

For high availability and scalability in larger deployments, and install the same version of Deep Security Manager on multiple servers ('nodes'). Connect them to the same database storage.

All nodes that use the same database must have the same software version. This ensures data compatibility, and that how they handle protected computers is consistent. To avoid high load on database servers, don't connect more than 2 Deep Security Manager nodes to each database server.

To verify that high availability and failover are working correctly:

1. Check both Deep Security consoles to confirm they display the same data from the protected environment.
2. Shut down or disable the network interface on the operating system of one Deep Security Manager. The second Deep Security console should still function and display data.
3. Start or enable the first Deep Security Manager again.
4. Shut down or disable the network interface or the operating system on the second Deep Security Manager. The first Deep Security console should still function and display data.

If you are upgrading a multi-node Deep Security Manager:

1. Stop all nodes.
2. Upgrade one server first. When upgrade is complete for the first node, its service will start. Until other nodes are also upgraded, it will be the only node whose software is compatible with the database, so initially it will be the only available manager. Because it must perform all jobs, you might notice that performance is reduced during this time. On Administration > System Information, Network Map with Activity Graph will indicate that other nodes are offline, and that they require an upgrade.
3. Upgrade other nodes. As you upgrade them too, other nodes will return online, and begin to share the load again.

Never run the installer on multiple nodes at the same time. Simultaneous upgrades can corrupt the database. If this happens, you must restore the database backup, then start the upgrade again.

Other steps in the install or upgrade process are the same, regardless of whether you have one server or multiple.

Install Deep Security Manager on Linux

You can use the command line to perform a, or, if you have X Windows installed, you can use the graphical installer. Run the install package. Follow the instructions in the setup wizard.

The installer will detect existing Deep Security Manager installations on that server. Select either:

- Fresh install (can use existing or new database): Install Deep Security software. Initialize the database.
- Upgrade: Install new Deep Security software, but keep existing computer details, policies, intrusion prevention rules, firewall rules, etc. Migrate data to new formats if required.

If you select Fresh install (can use existing or new database), the installer will delete all data from any previous installation. If iptables is enabled, configure rules to allow incoming connections from agents' heartbeat and management traffic port numbers. See also.

Install Deep Security Manager on Windows

You can use the command line to perform a, or you can use the graphical installer. Run the install package. Follow the instructions in the setup wizard.

The installer will detect existing Deep Security Manager installations on that server. Select either:

- Fresh install (can use existing or new database): Install Deep Security software. Initialize the database.
- Upgrade: Install new Deep Security software, but keep existing computer details, policies, intrusion prevention rules, firewall rules, etc. Migrate data to new formats if required.
When the manager's installer adds an agent to its server, it only enables the relay feature. It does not apply any default security settings. To protect the server, in Deep Security Manager, to its agent. If no agent installer is found, you can download and.

Schema updates

Unlike with Deep Security Manager 9.6 and earlier, if you are updating, your database administrator (DBA) doesn't need to manually update the database schema first. The installer will make any required database schema changes. If that is interrupted for any reason, simply restore your database backup, then try again. Many possible causes are temporary, such as unusually high load or network maintenance. If the problem persists, contact your support provider.

Errors, if any, are logged in:

    /DBUpgrade/SchemaUpdate

where the default is /opt/dsm (Linux) or C:\Program Files\Trend Micro\Deep Security Manager (Windows). Two types of files are created:

- T-00000-Plan.txt - All data definition language (DDL) SQL statements that the installer will use to update the schema.
- T-00000-Progress.txt - Schema update progress logs. When finished, the installer changes the file name to either T-00000-Done.txt (successful update) or T-00000-Failed.txt (update failure).

If the schema update fails for t0 (the root tenant), the installer will not continue. You must restore the database backup and then try again.

However, if multi-tenancy is enabled, and if the upgrade fails for any other tenant(s), the installer will continue. For each tenant, the installer will create one of each type of log file, where '00000' is the tenant number, such as '00001' for tenant t1. You can either restore the database backup and try again, or retry the schema update for that specific tenant (see Force a multi-tenant upgrade).

Force a multi-tenant database upgrade

If you have a, and are upgrading Deep Security Manager:

1. The installer updates the database schema.
2. The installer migrates data into the new structures for the primary tenant (t0). If t0 migration fails, the installer can't recover. It will not continue. You must restore the database from backup, and then try again.
3. The installer migrates data for other tenants (five in each batch). If any non-primary tenant's migration fails, the installer will continue, but those tenants' state on Administration > Tenants will be Database Upgrade Required (offline). You can either restore from backup and run the installer again, or you can retry migration for that specific tenant.

To retry a tenant's migration, use the tenant's interface. If forcing a retry does not work, please contact your support provider.
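The per-tenant schema-update log files described above can be triaged with a short script after an upgrade. This is an added example, not Trend Micro's code: the function names, the exit codes and the rule that a Failed file outranks the others are assumptions, and the sample directory is constructed.

```python
"""Triage Deep Security Manager schema-update logs (added example)."""
import re
import sys
import tempfile
from pathlib import Path

# File names as described above: T-<5-digit tenant number>-<stage>.txt
LOG_NAME = re.compile(r"^T-(\d{5})-(Plan|Progress|Done|Failed)\.txt$")


def tenant_stages(schema_dir):
    """Map tenant number -> set of stage files found for that tenant."""
    found = {}
    for entry in Path(schema_dir).iterdir():
        match = LOG_NAME.match(entry.name)
        if match and entry.is_file():
            found.setdefault(int(match.group(1)), set()).add(match.group(2))
    return found


def classify(stages):
    """Reduce one tenant's stage files to a single status."""
    if "Failed" in stages:
        return "failed"      # assumption: a Failed file outranks any other
    if "Progress" in stages:
        # Progress is renamed to Done or Failed when the update finishes, so
        # a leftover Progress file means still running, or interrupted.
        return "incomplete"
    if "Done" in stages:
        return "done"
    return "planned"         # only the DDL plan exists so far


def next_step(tenant, status):
    """Recovery action, taken from the documentation text above."""
    if status == "done":
        return "none"
    if status in ("incomplete", "planned"):
        return ("if the installer is no longer running, "
                "restore the database backup and try again")
    if tenant == 0:
        return "installer stops here: restore the database backup and try again"
    return ("restore the database backup and try again, "
            "or retry this tenant's schema update")


def triage(schema_dir):
    """Return [(tenant label, status, action)] sorted by tenant number."""
    rows = []
    for tenant, stages in sorted(tenant_stages(schema_dir).items()):
        status = classify(stages)
        rows.append((f"t{tenant}", status, next_step(tenant, status)))
    return rows


def exit_code(report):
    """2 = root tenant t0 not done, 1 = another tenant not done, 0 otherwise."""
    pending = [label for label, status, _ in report if status != "done"]
    if "t0" in pending:
        return 2
    return 1 if pending else 0


def build_sample(directory):
    """Constructed sample: t0 succeeded, t1 failed, t2 was interrupted."""
    names = ["T-00000-Plan.txt", "T-00000-Done.txt",
             "T-00001-Plan.txt", "T-00001-Failed.txt",
             "T-00002-Plan.txt", "T-00002-Progress.txt",
             "readme.txt"]   # unrelated file, must be ignored
    for name in names:
        (Path(directory) / name).write_text("constructed sample\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = triage(sys.argv[1])       # path to a real SchemaUpdate directory
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp)
            rows = triage(tmp)
    for label, status, action in rows:
        print(f"{label:>6}  {status:<10}  {action}")
    sys.exit(exit_code(rows))
```

Pass the SchemaUpdate directory as the only argument; with no argument the script runs against the constructed sample.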
After the installer

The 'Trend Micro Deep Security Manager' service starts automatically when you finish its installer. To log into Deep Security Manager's GUI, open a web browser and go to:

hostname is the IP address or domain name of the server where you installed Deep Security Manager, and port is the Manager Port you specified during installation. (If you have forgotten it, you can.)

Complete the deployment by installing the:

- Relay(s)
- Virtual appliance(s), if any
- Agent(s), if any

Upgrade to Deep Security Manager 10.0 before you upgrade relays, appliances, and agents to 10.0. They must be of the same version or less than their manager. If they aren't, they may not be able to communicate with the manager until you upgrade it, too.

Self-signed certificate

If you are installing Deep Security for the first time, the installer creates a self-signed server certificate that Deep Security Manager will use to identify itself during secure connections with agents, appliances, relays, and your web browser. It is valid for 10 years. However, because it is not signed by a trusted certificate authority (CA), and therefore the manager's identity can't be automatically authenticated, your web browser will display warnings. To eliminate the error message and improve security, replace Deep Security's server certificate with one signed by a trusted CA. For information on using a certificate from a CA, see.

Upgrades keep the manager's server certificate. You won't need to re-install it each time, unless you perform a fresh install.

Strengthen encryption

If you are upgrading, the manager's server certificate is kept. You won't need to re-install it each time, unless you perform a fresh install. Weak cryptography usually violates compliance, however. Exploits and fast brute force exist for old authentication, encryption methods, and protocols. This includes SHA-1. So you may need to replace your Deep Security certificates anyway.

Event data migration

This is new in Deep Security 10.

If you are upgrading, the installer will make any required database schema changes. It then migrates data for protected computers into the new schema.

Part of the database is event data. Event data can be large, depending on how much data you chose to keep during the installer. Event data isn't required for policy and computer management features, however, so the installer won't wait until all event data is migrated.

Instead, when you exit it, the installer will restart the Deep Security Manager service. Then Deep Security Manager will continue to migrate older event data into the new schema. Progress is indicated in the status bar at the bottom of the window, in new events, and (if an error occurs) alerts. Total migration time required varies by the amount of data, disk speed, RAM, and processing power.

New event data will still be recorded, and is available as usual during that time. Alerts, dashboards, event search, and reports all use event data. Until database upgrade migration is complete, results which include older event data may be incomplete, and counters may be inaccurate.

Log inspection and application control do not have this setting.
With current VMware integration technologies, Deep Security Virtual Appliance cannot provide those features.

To configure the protection source, import a VMware vCenter into Deep Security Manager, then in the, go to Settings > General.

For each protection module or group of protection modules, select either:

- Appliance Only: Only the Deep Security Virtual Appliance will provide protection, even if there is an agent on the VM and the appliance is deactivated or removed. When anti-malware is enabled on the agent, the agent downloads the Anti-malware Solution Platform (AMSP) and starts it as a service. If you do not want this, then from Anti-Malware, select Appliance Only. That way, even if the appliance is deactivated, the agent won't start the AMSP service.
- Appliance Preferred: If there is an activated appliance on the ESXi server, it will provide the protection. But if the appliance is deactivated or removed, then the agent will provide protection instead.
- Agent Only: Only the agent will provide protection, even if there is an activated appliance available.
- Agent Preferred: If there is an activated agent on the VM, it will provide the protection. But if there is no activated agent, then the appliance will provide protection instead.

Install a new Deep Security Agent or Relay

To use new features, you must install Deep Security Agent or Relay 10.0.

If you don't require the newest features, or if you need compatibility with legacy systems, however, you can install any supported version. For supported Deep Security Agent versions on each platform, see.

Most steps are the same, whether you want to install a Deep Security Agent or Relay. Deep Security deployments require at least one Deep Security Relay to distribute updates. If you did not create one on the same server while installing Deep Security Manager, then you must enable the relay feature on at least one of your agents.

Deep Security Agent is designed to protect servers, not laptops.

To protect AWS WorkSpaces virtual desktop infrastructure (VDI) workstations, instead. It includes Trend Micro Worry-Free Business Security.

Go to Administration > Updates > Software > Download Center.

Install the agent software on computers. There are multiple methods:

- Manual deployment: Run the install package on the computer, then activate it and assign a policy. For instructions, see.
- Deployment scripts: Upload and then run the installer using Linux or Unix shell scripts or Microsoft PowerShell. For instructions, see.
- Ansible: For Ansible recipes, see the on GitHub.
- Chef: For Chef recipes for deployment and management, see the on GitHub.
- Puppet: For Puppet manifests, see the on GitHub.
- SCCM: Microsoft System Center Configuration Manager (SCCM) can install an agent, activate it, and apply a policy. To use SCCM, go to Administration > System Settings > Agents and enable agent-initiated activation.
- Template: Include the agent in your VM template. See.

If you want to enable the agent to act as a Deep Security Relay, see. If you require security update packages for Deep Security Agent 8.0 or 9.0 for AIX, HP-UX, or Windows 2000, go to Administration > System Settings > Update and select Allow supported 8.0 and 9.0 Agents to be updated.

Set up alerts

Deep Security Manager can notify you when important system events occur. Go to Alerts and Administration > System Settings > Alerts (see ).

Alternatively, if you have an external SIEM, you can forward events to it. Go to Policies > Common Objects > Other > Syslog Configurations and Administration > System Settings > Event Forwarding (see ).

Run a recommendation scan

If you're not sure how to begin configuring your security policies, Deep Security Manager can scan your protected computers, looking for vulnerable software and settings, and provide recommended security settings. Go to Computers and select Actions > Scan for Recommendations (see ).
Trend Micro Deep Security Manager 11 Installation

We have already installed Windows Server 2016 in VMware Workstation 15 and installed SQL Server 2016 on the same server. If you create the testing lab in a VMware environment, you need the system requirements listed below:

- 100 GB disk space
- 8 GB RAM
- 2-core CPU

This configuration is only for testing. If you implement in production, check with the customer design and also with the OEM on how many nodes they want to manage with Deep Security Manager: fewer than 100 is fine, but for more than 1000 systems we need a delegated server with database and good hardware or system resources. Those are the base details for now. I have created the YouTube channel techtabinfo.
I have created the video and uploaded it; you can check Trend Micro Deep Security Manager 11 Installation step by step just. Deep Security provides a single platform for server security to protect physical, virtual, and cloud servers as well
as hypervisors and virtual desktops.
Tightly integrated modules easily expand to offer in-depth defences, including
anti-malware, web reputation, intrusion prevention, firewall, integrity monitoring, and log inspection. It is available
in agentless and agent-based options that can all be managed through a single console across physical, virtual,
and cloud server deployments.
There is a combined mode feature in Deep Security 11.0 that allows the Deep Security Virtual Appliance
and Deep Security Agent to work together in providing security.
In combined mode, the features are
distributed so that some protection is supplied by Deep Security Agent and other protection is given by
Deep Security Virtual Appliance. There is no concept of redundancy or standby, so if either of these
agents fails, then the corresponding protection or feature is lost.
I have shared the download link in the video description so you can download Deep Security Manager 11 from the Trend Micro official site.