Deploy the Deep Security Virtual Appliance with NSX Advanced or Enterprise

If you want agentless protection for your VMware images when you deploy Deep Security, you must download the Deep Security Virtual Appliance onto Deep Security Manager and then install the appliance as a service on each of your ESXi servers. You can also update the appliance to protect against new OS vulnerabilities.

If you are using NSX Manager 6.3.0 or later and Deep Security Manager 10.0 without any updates, check your failOpen settings before you deploy new appliances. See Configure failOpen. Alternatively, upgrade your Deep Security Manager to version 10.0 Update 1 or later, where the failOpen issue has been resolved.

If you configured guest VMs to have direct access to a network card, install agents on those VMs. In this case there is no opportunity to intercept packets and an in-guest agent is preferable. See Choose agentless vs. combined mode protection for details.

To deploy the appliance with NSX:

  1. Verify your Deep Security Manager version
  2. Import appliance packages into Deep Security Manager
  3. Add a VMware vCenter
  4. Prepare ESXi servers for NSX and appliances
  5. Install the Guest Introspection service on VMware ESXi
  6. Deploy the appliance and NSX services via vSphere
  7. Create an "NSX Security Group Change" event-based task with Automated policy management in NSX environments
  8. Create NSX security groups and policies

The virtual appliances run an image of the CentOS operating system. When you deploy the appliance, a version of Deep Security Agent is deployed on the appliance to protect the CentOS operating system. When updates become available, you can update the appliance software, as well as the agent that protects its operating system. See Update Deep Security software.

Verify your Deep Security Manager version

Make sure you're using Deep Security Manager 10.0 Update 12 or later, which is required for compatibility with Deep Security Virtual Appliance 10.0. To obtain Update 12 or later, go here: https://help.deepsecurity.trendmicro.com/software-10-0.html.

Deep Security Manager 10.1 does not support Deep Security Virtual Appliance 10.0.

Import appliance packages into Deep Security Manager

Download the Deep Security Virtual Appliance and import it into Deep Security Manager.

You can import multiple versions of the appliance. When deploying, the latest version is used.

When you import the appliance, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. When you deploy the appliance, the agent software is also deployed on the operating system of the appliance's virtual machine.

  1. On your management computer, go to the Deep Security software download page (https://help.deepsecurity.trendmicro.com/software.html).
  2. Download the Deep Security Virtual Appliance 10.0 package to your computer.

  3. On Deep Security Manager, go to Administration > Updates > Software > Local.
  4. Click Import and upload the package to Deep Security Manager.

  5. Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray.

Once you've completed the above steps, move on to Add a VMware vCenter.

Deploy the appliance and NSX services via vSphere

  1. Before you begin, make sure you've followed the NSX set-up steps to deploy the appliance with NSX.
  2. In the vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments.
  3. Click the green plus sign.
  4. On the new window that appears, select the Trend Micro Deep Security service and then click Next.
  5. Select the ESXi cluster(s) where you want to deploy the "Trend Micro Deep Security" service and then click Next.
  6. For each cluster, select:

    • a datastore where you want to store the Deep Security Virtual Appliance
    • a distributed virtual port group (dvSwitch) where the appliance will be attached to the vNetwork
    • how you want to assign an IP address to the appliance, such as DHCP or manually.

    Click Next.

    In IP assignment, if you select static IP pools for the Deep Security service or Guest Introspection service, verify that your default gateway and DNS are reachable, and that the prefix length is correct. The Deep Security Virtual Appliance and Guest Introspection service VMs' IP addresses aren't on the same subnet as Deep Security Manager and NSX Manager, so if the gateway is incorrect, the appliances won't be able to activate, and they won't be able to communicate with their managers.
  7. Click Finish.

    When deployment is complete, the Trend Micro Deep Security service will appear in the list of network and security service deployments on the cluster.

    Once you've completed the above steps, move on to Automated policy management in NSX environments.
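
An offline consistency check for the static IP pool values described in step 6, given as an added example (it is not Trend Micro or VMware code). The function name and every address are constructed for illustration; the check covers only whether the pool, prefix length and gateway agree with each other, so actual reachability still has to be tested on the network.

```python
import ipaddress

def check_static_pool(start, end, prefix_len, gateway, targets):
    """Check a static IP pool definition for internal consistency (IPv4).

    Returns (problems, routed): problems is a list of strings (empty means
    consistent); routed lists the targets reachable only through the gateway.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    gw = ipaddress.ip_address(gateway)
    # Subnet implied by the first pool address and the entered prefix length.
    net = ipaddress.ip_network(f"{first}/{prefix_len}", strict=False)
    reserved = (net.network_address, net.broadcast_address)
    problems = []

    if first > last:
        problems.append("pool start is after pool end")
    if last not in net:
        problems.append(f"pool end {last} is outside {net}; check the prefix length")
    if first in reserved or last in reserved:
        problems.append(f"pool includes the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not on {net}; appliances cannot reach it")
    elif gw in reserved:
        problems.append(f"gateway {gw} is not a usable host address in {net}")
    elif first <= gw <= last:
        problems.append(f"gateway {gw} falls inside the pool range")

    # DNS servers and managers on other subnets depend entirely on the gateway.
    routed = [t for t in targets if ipaddress.ip_address(t) not in net]
    return problems, routed

if __name__ == "__main__":
    # Constructed sample values: DNS server, Deep Security Manager, NSX Manager.
    targets = ["10.0.0.53", "10.0.1.10", "10.0.1.20"]
    for prefix in (24, 28):
        problems, routed = check_static_pool(
            "10.20.30.50", "10.20.30.60", prefix, "10.20.30.1", targets)
        print(f"/{prefix}: {problems or 'consistent'}; via gateway: {routed}")
```

With the constructed values, a prefix length of 28 instead of 24 places the gateway outside the appliance's subnet, which is the misconfiguration that prevents activation.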