Applies to on-premise Deep Security software installations only

Deploy Deep Security

Prepare your environment

This document is your checklist. Choose your Deep Security 10.0 platform, then follow these steps for a basic, functional deployment. Once finished, you'll be ready to make security policies.

  1. Download software: Get your license activation codes.

    • Download any required vCenter, ESXi, VMware Tools, and NSX Manager software from VMware.
    • Download the latest patch and Deep Security Manager installer (https://help.deepsecurity.trendmicro.com/software.html).
    • Agent and relay installers are not required; they can be downloaded via the manager.
      All Deep Security Relays must be upgraded before upgrading the Deep Security Agent. Failure to do so may cause the relay upgrade to fail.
  2. Verify that the Deep Security installers are authentic (check hashes):

    To verify software authenticity, check the SHA256 hash (also called a fingerprint). Trend Micro publishes its hashes on the Deep Security Software page. You must click the plus sign next to the software to see the hash (see the figure below).

  3. Check compatibility: Start the installer. Before it installs anything, it will check your environment. This will verify system requirements, and that all your deployment components are compatible with the new version of Deep Security Manager. The readiness check will generate a "to do" list of compatibility issues (if any) for your specific environment.

    For example, you may need to free disk space, allocate more vRAM, or upgrade old Deep Security Agents to supported versions. If you're not ready yet, you can cancel the install, and return when ready.

    This is new in Deep Security 10.

    The readiness check also customizes this guide for your environment's needs when you click View My Upgrade Guide. Before you install, all sections under Prepare your environment must be complete.

    Supported Deep Security features vary by platform. See Supported features by platform.
  4. Back up your data: Before you install, make a system restore point or VM snapshot of the server and each protected computer. (Multi-node Deep Security Manager deployments should have a backup for each server node.) Also, if upgrading, stop the service and back up your existing Deep Security Manager database.

    Verify your backups. If you don't have backups, and the installer is interrupted for any reason, you won't be able to revert your deployment. This could require you to re-install your entire deployment.
    If you have an existing multi-tenant deployment, back up all databases.
    • With Microsoft SQL, there's one main database and an additional database for each tenant.
    • With Oracle, all tenant information is in one Deep Security Manager database, but an additional user is created for each tenant. Each user has its own tables.
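
Step 2 above as a script. This is an added example, not part of the Trend Micro documentation: it compares an installer's SHA-256 digest with the value copied from the Deep Security Software page. The function names and the exit-code convention are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Trend Micro code): check a downloaded installer
# against the SHA-256 value published on the Deep Security Software page.

# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE PUBLISHED_HASH   (hypothetical helper name)
# Returns 0 on match, 1 on mismatch, 2 if the file or the hash is unusable.
verify_installer() {
    file=$1
    # Normalise a value pasted from a web page: drop whitespace and
    # colons, fold upper-case hex digits to lower case.
    want=$(printf '%s' "$2" | tr -d ' \t\r\n:' | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }

    # A SHA-256 digest is exactly 64 hex characters. Anything else is a
    # truncated copy or another algorithm (MD5 is 32, SHA-1 is 40), so
    # refuse to compare rather than report a misleading mismatch.
    case $want in
        ''|*[!0-9a-f]*) echo "published value is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "published value is not 64 hex characters" >&2; return 2; }

    got=$(sha256_of "$file") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  published: $want" >&2
    echo "  computed:  $got" >&2
    return 1
}

# Stand-alone use: sh verify.sh <installer-file> <published-sha256>
if [ "$#" -eq 2 ]; then
    verify_installer "$1" "$2"
    exit $?
fi
```

Treat a mismatch as a reason to delete the file and download it again from the Deep Security Software page, not as something to override.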

Hardware requirements

Recommended hardware varies by enabled features, size of your deployment, and future growth. See sizing guidelines.

On the Deep Security Manager server where you are running the installer, the installer's readiness check will verify hardware before it installs. If hardware does not meet minimum system requirements, the installer will either warn you about reduced performance, or block the install.

Only the local server's hardware and some other deployment information that is stored in the database is tested. You must manually verify other servers' hardware, run the readiness check on any other manager nodes, or both.

On Linux, reserved system memory is separate from process memory. Therefore, although the installer's estimate might be similar, it will detect less RAM than the computer actually has. To verify the computer's actual total RAM, log in with a superuser account and enter:

grep MemTotal /proc/meminfo

After you install Deep Security 10.0, you may be able to optimize performance. See Configure Deep Security Manager memory usage, Low disk space alerts, and Performance profiles.

Network requirements

Before you run the installer, verify that the Deep Security Manager server can use its required network services. This includes NTP for reliable time stamps and DNS for name resolution. For a list of protocols, associated features, expected source or destination, and required open network port numbers, see Port numbers, URLs, and IP addresses.

The system clock of the manager operating system must be synchronized with the clock of the database. Both computers should use the same NTP service.

Once Deep Security Manager is installed, when you deploy new agents, appliances, and relays, the manager will automatically apply firewall rules to open their required ports.

If network connectivity is unreliable on required ports, some features may be unreliable or fail.

For some features, Deep Security must be able to resolve host names into IP addresses. If your DNS server does not already have entries so that the manager can resolve each computer or VM's host name to its IP address, then either use their IP address instead, or perform one of the following actions:

  • Add an A record, an AAAA record, or both on your DNS server so that the manager, agents, appliances, and relays can perform DNS lookup queries.
  • Add an entry in the agent or appliance computer's hosts file.
Deep Security Manager's certificate generator for SSL or TLS connections requires that the server have an RFC 1034-compliant FQDN. The server's DNS name cannot start with a number, such as 0000-dsm.example.com. If it does, the install log will have the error message:
java.io.IOException: DNSName components must begin with a letter
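
A pre-flight check for the naming rule above, so the problem is caught before the installer's certificate generator reports it. This is an added example, not part of the Trend Micro documentation; the function name `check_dsm_fqdn` is an assumption, and the rule applied to every label is the RFC 1034 preferred name syntax (begins with a letter, ends with a letter or digit, letters, digits and hyphens in between, at most 63 characters).

```shell
#!/bin/sh
# Added example (not Trend Micro code): check the manager's FQDN against
# the RFC 1034 preferred name syntax before running the installer.
LC_ALL=C; export LC_ALL    # make the A-Z / a-z ranges mean ASCII only

# check_dsm_fqdn NAME   (hypothetical helper name)
# Returns 0 if NAME is usable, 1 otherwise; the reason goes to stderr.
check_dsm_fqdn() {
    name=${1%.}                     # tolerate one trailing root dot
    case $name in
        '')          echo "empty name" >&2; return 1 ;;
        .*|*.|*..*)  echo "$name: empty label" >&2; return 1 ;;
        *.*)         ;;             # has a host part and a domain part
        *)           echo "$name: not fully qualified" >&2; return 1 ;;
    esac
    [ "${#name}" -le 253 ] || { echo "$name: longer than 253 characters" >&2; return 1; }

    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}           # next label, up to the first dot
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
        case $label in
            [!A-Za-z]*)
                # The case behind "DNSName components must begin with a letter".
                echo "$name: label '$label' does not begin with a letter" >&2
                return 1 ;;
            *[!A-Za-z0-9-]*)
                echo "$name: label '$label' has a character other than letter, digit or hyphen" >&2
                return 1 ;;
            *-)
                echo "$name: label '$label' ends with a hyphen" >&2
                return 1 ;;
        esac
        [ "${#label}" -le 63 ] || { echo "$name: label '$label' is longer than 63 characters" >&2; return 1; }
    done
    return 0
}

# Stand-alone use: sh check-fqdn.sh dsm.example.com
if [ "$#" -ge 1 ]; then
    check_dsm_fqdn "$1"
    exit $?
fi
```

The check is deliberately stricter than what most resolvers accept: a label that starts with a digit resolves fine in practice but is rejected here, because that is the case the install log error describes.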

Network topology

If you are deploying multiple server nodes of Deep Security Manager for a large scale deployment, a load balancer can help to ensure even distribution of connections with Deep Security Agents and Virtual Appliances. Load balancers with virtual IPs can also provide a single inbound port number such as TCP 443, instead of the multiple port numbers that Deep Security normally requires.

Database requirements

The Deep Security Manager must be co-located on the same network as its database, with the connection speed of 1 GB LAN or higher. Connections over WAN are discouraged. Deep Security Manager relies on the database to function. Any increase in latency can have a serious negative impact on Deep Security Manager’s performance and availability.

Requirements vary by database type. See Prepare a database for Deep Security Manager.

If you are installing Deep Security for the first time, before you run the installer, create and grant permissions to the database where Deep Security Manager will store its data.

Deep Security 10.0 Update 2 added support for Microsoft SQL Server Express in certain limited deployments. For details, see Microsoft SQL Server Express considerations.

Migrate to a supported database

If the database is not compatible, you must migrate to a supported database before you can install Deep Security Manager 10.0.

If you are upgrading Deep Security, to continue to store new data until you are ready to install Deep Security Manager 10.0, migrate to a database that is compatible with both current and future software. For databases supported by each version, see both the System requirements for this version and the install guide for older versions.

For example, if you were currently using an Oracle 10g database with Deep Security Manager 9.5, you would migrate the database to Oracle 11g or 12c first (since it is supported by both Deep Security Manager 9.5 and 10.0), and then upgrade to Deep Security Manager 10.0.

  1. Stop the Deep Security Manager service.

    Deep Security Agents will continue with their current protection policies while the manager is stopped.

  2. Back up the database(s).
  3. Back up the database connection settings file:

    [Deep Security install directory]/webclient/webapps/ROOT/WEB-INF/dsm.properties

  4. Migrate to a database type that's supported by both your current Deep Security Manager version and Deep Security 10.0.

    To support multiple nodes of Deep Security Manager, you must use either a Microsoft SQL Server or Oracle database. Microsoft SQL Express databases are intended for testing only, and are not supported for multi-node deployments.
  5. If the migration did not preserve existing databases, load the database backup(s) into the new database engine.
  6. If required, edit dsm.properties to use the migrated database.
  7. Restart the Deep Security Manager service.

Change the remote SQL query timeout

If you use Microsoft SQL Server databases, go to SQL management studio > SQL Server properties > Connections > Remote query timeout and select 0 (No Timeout). This setting prevents database connection timeouts that can occur when you upgrade if each database schema migration operation takes a long time to complete.

Choose agent-based vs. agentless protection

If you are installing Deep Security for the first time, and you want to protect VMs, you may be able to provide some protection without installing a Deep Security Agent, using a Deep Security Appliance instead, or by using both together ("combined mode"). See Choose agentless vs. combined mode protection and Deploy agentless protection in a vCloud environment.

Install a supported OS

If your server's operating system (OS) is not supported by Deep Security Manager 10.0, you must install a supported OS before you can install Deep Security Manager.

If you have an existing multi-node deployment, depending on whether you have a load balancer, you might be able to migrate servers to another OS without downtime.

For example, if you already had Deep Security Manager 9.5 on Windows 2003, to migrate the OS you would:

  1. Add another manager node that is running a newer OS supported by both Deep Security Manager 9.5 and 10.0, such as Windows Server 2012 (64-bit).

    For a list of supported operating systems, see the install documentation for your current version of Deep Security Manager.

    To add the new node, on the Windows 2012 server, run the Deep Security Manager 9.5 installer. When the installer wizard reaches the Database screen, enter the same database connection settings that you used for your other Deep Security Manager node(s). The next page will allow you to specify that you want to add a new manager node. Alternatively, you can perform a silent install to add a new node. For instructions, see Silent install of Deep Security Manager.

  2. Verify that everything is working correctly.
  3. In Deep Security Manager, go to Administration > Manager Nodes, right-click the old Windows 2003 node and select Decommission to remove it.
  4. Upgrade the OS of the decommissioned node, then return it to the pool.
  5. Repeat these steps with any other nodes that have an unsupported OS.

Upgrade unsupported Deep Security Managers

If your manager is old and the installer does not support upgrading it, the installer will prevent you from continuing. You must upgrade the manager to a supported version first. After that, you can install Deep Security Manager 10.0.

The installer supports upgrade from:

  • Deep Security Manager 9.6 Service Pack 1 Patch 1
  • Deep Security Manager 9.6 Patch 1
  • Deep Security Manager 9.5 Service Pack 1 Patch 3
  • Deep Security Manager 9.5 critical patch

For instructions on how to upgrade from an unsupported version to a supported version, see the installation documentation for the unsupported version.

Upgrade unsupported relays

If your relays don't meet minimum system requirements, you must upgrade them to be compatible with the new version of the manager before you upgrade the manager itself. Since it would break part of your deployment, the installer will warn you if you have incompatible versions, although it won't stop you if a specific relay isn't compatible. This allows you to continue if a specific relay isn't being used now, or is offline.

Deep Security 10.0 requires 64-bit relays.

For instructions on how to upgrade to a supported version, see those versions' install documentation.

https://docs.trendmicro.com/en-us/enterprise/deep-security.aspx

After you have upgraded the manager, to use new features, you will upgrade the relays again to Deep Security Relay 10.0.

Upgrade VMware and virtual appliances

If you want to use agentless or combined mode protection, follow the steps below to install compatible VMware components before you install the new Deep Security.

If you are upgrading, and your existing appliances are not compatible with the new Deep Security, also follow those steps to install compatible versions.

  • vSphere or ESXi — ESXi 6.0 or later is required.
  • vCNS — vCloud Networking & Security (vCNS) is not supported. If you have legacy vCNS infrastructure for agentless anti-malware and integrity monitoring with Deep Security Virtual Appliances, VMware has discontinued support, so Deep Security Manager 10.0 cannot support it. You must update vCNS to VMware's equivalent new solution: NSX.

    Use either:

    • NSX Advanced or Enterprise license — Full agentless protection. Requires Deep Security Virtual Appliance 10.0 or later and ESXi 6.0 or later.
    • NSX vShield Endpoint or Standard license — Only agentless anti-malware and integrity monitoring. (No network protection: firewall, intrusion prevention, web reputation.) Also requires manual sync of Deep Security Manager with NSX Manager or vCenter to determine NSX security group membership. Requires Deep Security Virtual Appliance 10.0 or later and ESXi 6.0 or later.
      Alternatively, for full protection including network protection features, combine the virtual appliance with a Deep Security Agent on each guest VM (also known as "combined mode").

    During vCNS upgrade, you must also replace the network filter driver with the NetX API on each ESXi server. The VMware Tools driver for EPSec on each guest VM must also be upgraded, and is now called Guest Introspection.

  • NSX — NSX 6.2.4 or later is required.

    If you are using NSX Manager 6.3.0 or later and Deep Security Manager 10.0 without any updates, check your failOpen settings before you deploy new appliances. See Configure failOpen. Alternatively, upgrade your Deep Security Manager to version 10.0 Update 1 or later, where the failOpen issue has been resolved.
  • Deep Security Virtual Appliances — Deep Security Virtual Appliances 10.0 or later are required. See the minimum system requirements.

Since it would break part of your deployment, the installer will warn you if you have incompatible versions of virtual appliances, although the installer will not stop installation if a specific appliance is not compatible. (This allows you to proceed if the virtual appliance isn't used, or is offline.) However, the installer will not allow you to continue if you have incompatible versions of ESXi or vShield Manager or NSX Manager.

VMware dependencies exist. You must select versions that are compatible with each other. To easily choose compatible versions, see Trend Micro Support's VMware compatibility matrix (updated with each release):

https://success.trendmicro.com/solution/1060499

To ensure that you don't lose connectivity by upgrading an infrastructure component to a version that isn't compatible with the others, and to minimize downtime, update in this order.
  1. Back up the vCenter database. Refer to your VMware documentation for instructions. Methods vary by version and storage.
  2. Upgrade vCenter.
  3. If you are upgrading, on Deep Security Manager, go to Computers. Deactivate agentless computers or agents in combined mode.

    Deactivate the Deep Security Virtual Appliances.

    In NSX Manager, also delete the virtual appliances on each ESXi server.

    Alternatively, to ensure continuous protection during the upgrade of NSX, ESXi, or virtual appliances, configure computers to use agents for protection instead. Otherwise, computers won't be protected until you install and activate the appliances and agents again.
  4. If they exist, on protected guest VMs, uninstall the VMware Tools EPSec driver. On ESXi servers, uninstall the VMsafe-net API (network filter driver).

    In Deep Security Manager, disconnect vShield Manager or NSX 6.2.3 or earlier (not vCenter).

    Then upgrade vShield Manager or older NSX versions to NSX 6.2.4.

    If you don't have legacy vShield Manager or its components (such as the filter driver) and you have NSX 6.2.4 or later, skip this step.

    You must replace vShield Manager with NSX. Otherwise any configured agentless protection won't work after you upgrade to Deep Security 10.0. This could compromise the security of your protected computers.
  5. Upgrade ESXi.

    Depending on your architecture, you might also be required to upgrade:

  6. Run the installer for Deep Security Manager.
  7. If you disconnected NSX Manager in step 4, in Deep Security Manager, go to Computers > vCenter. Reconnect NSX Manager. Click Test Connection to verify the connection.

    This will add "Trend Micro Deep Security service" to NSX Manager.

  8. On every protected guest VM, upgrade VMware Tools to install the Guest Introspection driver.

    VMware vShield Endpoint Driver in VMware Tools 5.x will become Guest Introspection in NSX 6.2.4 or later.

    You must install VMware Tools. If you don't, Deep Security Manager won't be able to get the VM's correct hostname and IP address. If the manager forwards incorrect data to Trend Micro Control Manager, Control Manager won't be able to display that endpoint.
  9. On NSX Manager, deploy new Deep Security Virtual Appliances onto each ESXi.

    Do not upgrade the virtual appliance's VMware Tools; it is packaged with a compatible version, and upgrading them can break connectivity.
    If you are using NSX Manager 6.3.0 or later and Deep Security Manager 10.0 without any updates, check your failOpen settings before you deploy new appliances. See Configure failOpen. Alternatively, upgrade your Deep Security Manager to version 10.0 Update 1 or later, where the failOpen issue has been resolved.

    A "VMware Network Fabric" service dependency alert might appear, even if communications succeed. To dismiss the alert, click Failed, then click Resolve.

  10. Verify that ESXi and NSX are integrated and communicating.
  11. Create NSX security groups.

    If using the vShield Endpoint or Standard license, also manually sync Deep Security Manager with vCenter or vShield Endpoint or Standard to retrieve the NSX security group membership and start protection.

  12. Create NSX security policies (guest introspection policies).

    If VMs might change security groups, set up automated NSX security policy management or Synchronize Deep Security Policies with NSX.

  13. Enable agentless protection of vCloud VMs.

    Configure VMware vCloud resources for integration with Deep Security.

  14. Deploy and activate new Deep Security Virtual Appliances.

    If you are using the VMware Distributed Resource Scheduler (DRS) for high availability (HA), use affinity rules to "pin" each virtual appliance to its specific ESXi host.

  15. Install and activate new Deep Security Agents.

    If NSX has the vShield Endpoint or Standard license, network-based protection features (firewall, intrusion prevention, or web reputation) are not supported by the new NSX license. To maintain protection and provide those features, configure agents in combined mode. To verify that security features are working again, you can test each feature's configuration:

    https://success.trendmicro.com/solution/1098449

    Firewall features can now be provided by the NSX Distributed Firewall. You can disable the firewall in Deep Security 10.0. Alternatively, you can exclude VMs from the NSX Distributed Firewall, and use the Deep Security firewall instead (see Exclude Virtual Machines from Firewall Protection).

If you are upgrading, after you have installed Deep Security Manager 10.0, if you want to use the new features, you will upgrade your virtual appliances, agents, and relays again, to Deep Security 10.0.

Conversion of coordinated approach to combined mode

  • Coordinated approach — In Deep Security 9.5, if the agent on a VM was offline, protection features would be provided by the Deep Security Virtual Appliance instead as an alternative. However, it could not be configured separately for each feature.
  • Combined mode — In Deep Security 9.6, each protection feature was configurable to use either the agent or appliance. However, if the preferred protection source was offline, the computer didn't use the other alternative.

In the new Deep Security, its "protection source" settings provide both behaviors:

  • whether each feature is provided by the agent or appliance
  • whether to use the agent or appliance alternative if the preferred protection is not available

So if you need behavior like the old coordinated approach, you might want to upgrade directly from Deep Security 9.5 to 10.0, not from 9.5 to 9.6 and then 10.0.

Pin appliances with VMware HA

If you will use agentless protection, and use VMware Distributed Resource Scheduler (DRS) for high availability (HA), configure it before you install Deep Security. Then deploy Deep Security Virtual Appliance on all ESXi hypervisors (including backup hypervisors), and use affinity settings to "pin" them to each ESXi server. This will ensure that agentless protection is still being applied after HA failover.

If DRS moves a VM from an ESXi that has an appliance to one that doesn't, the VM will become unprotected. If the VM then returns to the original ESXi, it still won't be protected again unless you create an event-based task to re-activate and protect a VM when vMotion moves it to an ESXi with an appliance. For more information, see Create an event-based task.
Don't apply vMotion to the appliance. Keep each appliance on its specific ESXi server: in the DRS settings, select Disabled (recommended) or Manual. (Alternatively, deploy the appliance onto local storage, not shared storage. When the virtual appliance is deployed onto local storage, DRS won't apply vMotion.) For more information, see your VMware documentation.

Upgrade unsupported agents

If your agents don't meet minimum system requirements, you must upgrade them to be compatible with the new version of the manager before you upgrade the manager itself. Since it would break part of your deployment, the installer will warn you if you have incompatible versions, although it won't stop you if a specific agent isn't compatible. This allows you to continue if a specific agent isn't being used now, or is offline.

For instructions on how to upgrade to a supported version, see those versions' install documentation.

After you have upgraded the manager, to use new features, you will upgrade the agents again to Deep Security Agent 10.0.

Run the installer

This is new in Deep Security 10.

Once your environment is ready, install the latest patches (if any), then run the installer as root, superuser, or (on Windows) Administrator. You can use either:

  • Graphical, interactive installer (follow the steps in the wizard)
  • Silent installer

If you are installing Deep Security Manager on Linux with iptables enabled, also configure the iptables to allow agents' heartbeat port numbers and management traffic.

If you are upgrading to the new Deep Security Manager, if you want to use the new features, upgrade your virtual appliances, agents, and relays again to match the new version.

Multi-node manager

For high availability and scalability in larger deployments, use a load balancer, and install the same version of Deep Security Manager on multiple servers ("nodes"). Connect them to the same database storage.

All nodes that use the same database must have the same software version. This ensures data compatibility, and that how they handle protected computers is consistent.

To avoid high load on database servers, don't connect more than 2 Deep Security Manager nodes to each database server.

To verify that high availability and failover are working correctly:

  1. Check both Deep Security consoles to confirm they display the same data from the protected environment.
  2. Shut down or disable the network interface on the operating system of one Deep Security Manager. The second Deep Security console should still function and display data.
  3. Start or enable the first Deep Security Manager again.
  4. Shut down or disable the network interface or the operating system on the second Deep Security Manager. The first Deep Security console should still function and display data.

If you are upgrading a multi-node Deep Security Manager:

  1. Stop all nodes.
  2. Upgrade one server first.

    When upgrade is complete for the first node, its service will start. Until other nodes are also upgraded, it will be the only node whose software is compatible with the database, so initially it will be the only available manager. Because it must perform all jobs, you might notice that performance is reduced during this time. On Administration > System Information, Network Map with Activity Graph will indicate that other nodes are offline, and that they require an upgrade.

  3. Upgrade other nodes.

    As you upgrade them too, other nodes will return online, and begin to share the load again.

Never run the installer on multiple nodes at the same time. Simultaneous upgrades can corrupt the database. If this happens, you must restore the database backup, then start the upgrade again.

Other steps in the install or upgrade process are the same, regardless of whether you have one server or multiple.

Install Deep Security Manager on Linux

You can use the command line to perform a silent install, or, if you have X Windows installed, you can use the graphical installer.

  1. Run the install package. Follow the instructions in the setup wizard.
  2. The installer will detect existing Deep Security Manager installations on that server. Select either:

    • Fresh install (can use existing or new database): Install Deep Security software. Initialize the database.
    • Upgrade: Install new Deep Security software, but keep existing computer details, policies, intrusion prevention rules, firewall rules, etc. Migrate data to new formats if required.
    If you select Fresh install (can use existing or new database), the installer will delete all data from any previous installation.
  3. If iptables is enabled, configure rules to allow incoming connections from agents' heartbeat and management traffic port numbers. See also Port numbers, URLs, and IP addresses.

Install Deep Security Manager on Windows

You can use the command line to perform a silent install, or you can use the graphical installer.

  1. Run the install package. Follow the instructions in the setup wizard.
  2. The installer will detect existing Deep Security Manager installations on that server. Select either:

    • Fresh install (can use existing or new database): Install Deep Security software. Initialize the database.
    • Upgrade: Install new Deep Security software, but keep existing computer details, policies, intrusion prevention rules, firewall rules, etc. Migrate data to new formats if required.
    If you select Fresh install (can use existing or new database), the installer will delete all data from any previous installation.

Install a relay on the Deep Security Manager's server

Deep Security requires at least one Deep Security Relay. Relays distribute security updates to protected computers.

When you run the Deep Security Manager installer, it will search its local directory for a full ZIP package of the agent installer. (Relays are agents whose relay feature is enabled.) If it's not found, then the manager's installer will try to download one from the Trend Micro Download Center on the Internet.

  • If an agent installer is found in either location, the manager's installer will offer to install the newest relay.

    Trend Micro recommends that you install a local relay to:

    • Provide a relay that is local to the manager
    • Ensure that at least one relay is always available, even when you decommission old computers with relays
    When the manager's installer adds an agent to its server, it only enables the relay feature. It does not apply any default security settings. To protect the server, in Deep Security Manager, apply a security policy to its agent.
  • If no agent installer is found, you can download and install an agent or relay later.

Schema updates

Unlike with Deep Security Manager 9.6 and earlier, if you are updating, your database administrator (DBA) doesn't need to manually update the database schema first. The installer will make any required database schema changes. If that is interrupted for any reason, simply restore your database backup, then try again. Many possible causes are temporary, such as unusually high load or network maintenance. If the problem persists, contact your support provider. Errors, if any, are logged in:

<install-directory>/DBUpgrade/SchemaUpdate

where the default <install-directory> is /opt/dsm (Linux) or C:\Program Files\Trend Micro\Deep Security Manager (Windows). Two types of files are created:

  • T-00000-Plan.txt - All data definition language (DDL) SQL statements that the installer will use to update the schema.
  • T-00000-Progress.txt - Schema update progress logs. When finished, the installer changes the file name to either T-00000-Done.txt (successful update) or T-00000-Failed.txt (update failure).

If the schema update fails for t0 (the root tenant), the installer will not continue. You must restore the database backup and then try again.

However, if multi-tenancy is enabled, and if the upgrade fails for any other tenant(s), the installer will continue. For each tenant, the installer will create one of each type of log file, where "00000" is the tenant number, such as "00001" for tenant t1. You can either restore the database backup and try again, or retry the schema update for that specific tenant (see Force a multi-tenant upgrade).
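
A way to read the result of a schema update from the file names described above, without opening each log. This is an added example, not part of the Trend Micro documentation; the function name `schema_update_status` and its return codes are assumptions, and the only inputs are the T-NNNNN-Progress.txt, T-NNNNN-Done.txt and T-NNNNN-Failed.txt names given in this section.

```shell
#!/bin/sh
# Added example (not Trend Micro code): summarise schema-update results
# per tenant from the file names in <install-directory>/DBUpgrade/SchemaUpdate.

# schema_update_status DIR   (hypothetical helper name)
# Prints one "t<N> <state>" line per tenant and returns:
#   0  every tenant is done
#   1  a non-root tenant failed or is still in progress
#   2  t0 (the root tenant) failed: the installer will not continue
#   3  no status files were found in DIR
schema_update_status() {
    dir=$1
    seen=0
    worst=0
    for f in "$dir"/T-*-*.txt; do
        [ -e "$f" ] || continue              # glob matched nothing
        base=${f##*/}; base=${base%.txt}     # e.g. T-00001-Failed
        kind=${base##*-}                     # Plan, Progress, Done or Failed
        id=${base#T-}; id=${id%-*}           # five-digit tenant number
        case $id in ''|*[!0-9]*) continue ;; esac
        n=$(printf '%s' "$id" | sed 's/^0*//'); n=${n:-0}

        case $kind in
            Done)     state=done;        sev=0 ;;
            Progress) state=in-progress; sev=1 ;;
            Failed)   state=failed;      sev=1
                      if [ "$n" = 0 ]; then sev=2; fi ;;
            *)        continue ;;            # Plan files carry no status
        esac
        seen=1
        echo "t$n $state"

        if [ "$state" = failed ]; then
            if [ "$n" = 0 ]; then
                echo "t0 failed: restore the database backup, then run the installer again" >&2
            else
                echo "t$n failed: restore the backup and retry, or retry the update for this tenant" >&2
            fi
        fi
        if [ "$sev" -gt "$worst" ]; then worst=$sev; fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no schema update status files in $dir" >&2
        return 3
    fi
    return "$worst"
}

# Stand-alone use: sh schema-status.sh /opt/dsm/DBUpgrade/SchemaUpdate
if [ "$#" -ge 1 ]; then
    schema_update_status "$1"
    exit $?
fi
```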

Force a multi-tenant database upgrade

If you have a multi-tenant environment, and are upgrading Deep Security Manager:

  1. The installer updates the database schema.
  2. The installer migrates data into the new structures for the primary tenant (t0).

    If t0 migration fails, the installer can't recover. It will not continue. You must restore the database from backup, and then try again.

  3. The installer migrates data for other tenants (five in each batch).

    If any non-primary tenant's migration fails, the installer will continue, but those tenants' state on Administration > Tenants will be Database Upgrade Required (offline). You can either restore from backup and run the installer again, or you can retry migration for that specific tenant.

To retry a tenant's migration, use the tenant's interface. If forcing a retry does not work, please contact your support provider.

After the installer

The "Trend Micro Deep Security Manager" service starts automatically when you finish its installer. To log into Deep Security Manager's GUI, open a web browser and go to:

https://[hostname]:[port]/

where [hostname] is the IP address or domain name of the server where you installed Deep Security Manager, and [port] is the Manager Port you specified during installation. (If you have forgotten it, you can reset the Deep Security administrator password.)

Complete the deployment by installing the:

  1. Relay(s)
  2. Virtual appliance(s), if any
  3. Agent(s), if any
Upgrade to Deep Security Manager 10.0 before you upgrade relays, appliances, and agents to 10.0. They must be of the same version or less than their manager. If they aren't, they may not be able to communicate with the manager until you upgrade it, too.

Self-signed certificate

If you are installing Deep Security for the first time, the installer creates a self-signed server certificate that Deep Security Manager will use to identify itself during secure connections with agents, appliances, relays, and your web browser. It is valid for 10 years. However, because it is not signed by a trusted certificate authority (CA), and therefore the manager's identity can't be automatically authenticated, your web browser will display warnings. To eliminate the error message and improve security, replace Deep Security's server certificate with one signed by a trusted CA. For information on using a certificate from a CA, see Replace the Deep Security Manager TLS certificate.

Upgrades keep the manager's server certificate. You won't need to re-install it each time, unless you perform a fresh install.

Strengthen encryption

If you are upgrading, the manager's server certificate is kept. You won't need to re-install it each time, unless you perform a fresh install. Weak cryptography usually violates compliance requirements, however. Exploits and fast brute-force attacks exist for old authentication methods, encryption methods, and protocols, including SHA-1. You may therefore need to replace your Deep Security certificates anyway. See Upgrade the Deep Security cryptographic algorithm and Replace the Deep Security Manager TLS certificate.
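
One way to check whether the certificate served at https://[hostname]:[port]/ is still the self-signed one, or is signed with a weak digest such as SHA-1. This is an added example using the OpenSSL command-line tool, not part of the product. The function names are hypothetical, and flagging MD5 alongside SHA-1 and detecting self-signing by comparing subject to issuer are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit the manager's TLS certificate for the two conditions
# discussed above (self-signed, weak signature digest). Requires openssl.
# Usage: fetch_cert <hostname> <port> > dsm.pem && cert_findings dsm.pem

# fetch_cert HOST PORT: print the leaf certificate (PEM) the server presents.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_sig_alg FILE: print the certificate's signature algorithm name,
# for example sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_is_self_signed FILE: succeed when subject and issuer are identical.
# This is a heuristic (assumption): it does not verify the signature itself.
cert_is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ]
}

# cert_findings FILE: print the findings on one line, or "ok" if none.
cert_findings() {
    findings=""
    if cert_is_self_signed "$1"; then findings="self-signed"; fi
    case "$(cert_sig_alg "$1" | tr 'A-Z' 'a-z')" in
        *sha1*|*md5*) findings="${findings:+$findings }weak-signature-digest" ;;
    esac
    echo "${findings:-ok}"
}
```

A result other than "ok" means the certificate is a candidate for replacement with one signed by a trusted CA.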

Event data migration

This is new in Deep Security 10.

If you are upgrading, the installer will make any required database schema changes. It then migrates data for protected computers into the new schema.

Part of the database is event data. Event data can be large, depending on how much data you chose to keep during the installer. Event data isn't required for policy and computer management features, however, so the installer won't wait until all event data is migrated.

Instead, when you exit it, the installer will restart the Deep Security Manager service. Then Deep Security Manager will continue to migrate older event data into the new schema. Progress is indicated in the status bar at the bottom of the window, in new events, and (if an error occurs) alerts. Total migration time required varies by the amount of data, disk speed, RAM, and processing power.

New event data will still be recorded, and is available as usual during that time.

Alerts, dashboards, event search, and reports all use event data. Until database upgrade migration is complete, results which include older event data may be incomplete, and counters may be inaccurate.

Upgrade relays on Debian-based Linux

For Linux distributions that use the dpkg package manager, such as Debian and Ubuntu, the command is the same.

  1. Go to Administration > Updates > Software > Download Center. Get Deep Security Agent software.
  2. Go to Computers.
  3. Find the computer that you want to upgrade.
  4. Right-click the computer and select Actions > Upgrade Agent software.

    The new agent software will be sent to the computer and the relay will be upgraded.

    Alternatively, manually copy the agent installer file to the computer and run it.

    1. Copy the agent installer file to the computer.
    2. Enter the command:

      sudo dpkg -i <installer file>

Upgrade relays on Red Hat-based Linux

For Linux distributions that use the rpm package manager, such as Red Hat, CentOS, Amazon Linux, Cloud Linux, and SUSE, the command is the same.

  1. Go to Administration > Updates > Software > Download Center. Get Deep Security Agent software.
  2. Go to Computers.
  3. Find the computer that you want to upgrade.
  4. Right-click the computer and select Actions > Upgrade Agent software.

    The new agent software will be sent to the computer and the relay will be upgraded.

    Alternatively, manually copy the agent installer file to the computer and run it.

    1. Copy the agent installer file to the computer.
    2. Enter the command:

      sudo rpm -U <installer rpm>

      (The "-U" argument instructs the installer to perform an upgrade.)

Upgrade relays on Windows

  1. On Deep Security Manager, go to Settings > General > Agent Self Protection.
  2. Disable agent self-protection so that the agent will allow the upgrade.
  3. Go to Computers.
  4. Find the computer that you want to upgrade.
  5. Right-click the computer and select Actions > Upgrade Agent software.

    The new agent software will be sent to the computer and the relay will be upgraded.

    Alternatively, manually copy the agent installer file to the computer and run it. Follow the wizard's instructions.

Upgrade agents on Windows

  1. On Deep Security Manager, go to Settings > General > Agent Self Protection.
  2. Disable agent self-protection so that the agent will allow the upgrade.
  3. Go to Computers.
  4. Find the computer that you want to upgrade.
  5. Right-click the computer and select Actions > Upgrade Agent software.

    The new agent software will be sent to the computer and the agent will be upgraded.

    Alternatively, manually copy the agent installer file to the computer and run it. Follow the wizard's instructions.

  6. If anti-malware is enabled, and you upgraded the agent on Windows Server 2012 or later (or, for personal computers, Windows 8 or later), reboot the computer.

    The upgrade will not be complete (and protection may not be functional) until you reboot.

Upgrade agents on Linux

  1. Go to Administration > Updates > Software > Download Center. Get Deep Security Agent software.
  2. Go to Computers.
  3. Find the computer that you want to upgrade.
  4. Right-click the computer and select Actions > Upgrade Agent software.

    The new agent software will be sent to the computer and the relay will be upgraded.

    Alternatively, manually copy the agent installer file to the computer and run it.

    1. Copy the agent installer file to the computer.
    2. If the computer uses Red Hat-based Linux (Red Hat, CentOS, Amazon Linux, Cloud Linux, SUSE), enter the command:

      sudo rpm -U <installer file>

      (The "-U" argument instructs the installer to perform an upgrade.)

      If the computer uses Debian or Ubuntu, enter the command:

      sudo dpkg -i <installer file>
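
The manual install path from the Linux relay and agent sections above, as an added example that is not Trend Micro's code: it checks the installer's SHA-256 against the hash published on the Deep Security Software page, and only then runs "rpm -U" or "dpkg -i". The function names and the selection by .rpm or .deb file extension are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: verify an agent installer's SHA-256 before upgrading.
# Usage: upgrade_agent <installer file> <published SHA-256 hash>

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# verify_installer FILE EXPECTED_HASH: succeed only on an exact match.
# Returns 2 for unusable input, 1 for a mismatch.
verify_installer() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 hex characters" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$expected" ]
}

# upgrade_command FILE: print the command this page gives for the package
# type, chosen by file extension (assumption of this example).
upgrade_command() {
    case "$1" in
        *.rpm) echo "rpm -U" ;;
        *.deb) echo "dpkg -i" ;;
        *) echo "unsupported installer type: $1" >&2; return 1 ;;
    esac
}

# upgrade_agent FILE EXPECTED_HASH: install only if verification succeeds.
upgrade_agent() {
    cmd=$(upgrade_command "$1") || return 1
    verify_installer "$1" "$2" || { echo "verification failed, not installing: $1" >&2; return 1; }
    # $cmd is left unquoted on purpose so "rpm -U" splits into command and flag.
    sudo $cmd "$1"
}
```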

Upgrade agents on Solaris

You can upgrade agents via Deep Security Manager. If network connectivity restrictions prevent you from installing the agent software remotely, you can manually install the agent locally.

  1. Go to Administration > Updates > Software > Download Center. Get Deep Security Agent software.
  2. Go to Computers.
  3. Find the computer that you want to upgrade.
  4. Right-click the computer and select Actions > Upgrade Agent software.

    The new agent software will be sent to the computer and the relay will be upgraded.

    Alternatively, manually copy the agent installer file to the computer and run it.

    1. With root permission, copy the agent installer package to the computer.
    2. Unzip the package using gunzip.
    3. If the computer runs Solaris 10, create an installation configuration file named ds_adm.file with the following content, and then save it in the root directory.

      mail=
      instance=overwrite
      partial=nocheck
      runlevel=quit
      idepend=nocheck
      rdepend=quit
      space=quit
      setuid=nocheck
      conflict=quit
      action=nocheck
      proxy=
      basedir=default

    4. Run the command to install the package.

      On Solaris 10:

      pkgadd -G -v -a /root/ds_adm.file -d Agent-Core-Solaris_5.10_U7-10.0.0-1783.x86_64.pkg

      On Solaris 11:

      pkg update -r -g file:///root/Agent-Core-Solaris_5.11-10.0.0-2076.x86_64.p5p pkg:/security/ds-agent

Download security updates for Deep Security Agent 8.0 and 9.0

For a few platforms, Deep Security Manager 10.0 supports older versions.

  • Deep Security Agent 8.0 on Windows 2000
  • Deep Security Agent 9.0 on AIX 5.3, 6.1, or 7.1
  • Deep Security Agent 9.0 on HP-UX 11.31
  • Deep Security Agent 9.0 and 10.0 on Solaris 10 or 11

Security update package formats vary by version. By default, to conserve disk space, Deep Security Relay will not download and distribute these less common packages. To enable it, go to Administration > System Settings > Update. Select Allow supported 8.0 and 9.0 Agents to be updated.

Because they are not Deep Security Agent 10.0, older agents don't support new features.

Choose an agent or appliance for each protection feature

This is new in Deep Security 10.

If a computer could be protected by either an appliance or agent, you can select which will provide each protection feature.

Log inspection and application control do not have this setting. With current VMware integration technologies, Deep Security Virtual Appliance cannot provide those features.

To configure the protection source, import a VMware vCenter into Deep Security Manager, then in the Computer or Policy editor, go to Settings > General.

You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).

For each protection module or group of protection modules, select either:

  • Appliance Only: Only the Deep Security Virtual Appliance will provide protection, even if there is an agent on the VM and the appliance is deactivated or removed.

    Don't use the appliance if you require the scanner (SAP). It requires Deep Security Agent anti-malware.
    When anti-malware is enabled on the agent, the agent downloads the Anti-malware Solution Platform (AMSP) and starts it as a service. If you do not want this, then from Anti-Malware, select Appliance Only. That way, even if the appliance is deactivated, the agent won't start the AMSP service.
  • Appliance Preferred: If there is an activated appliance on the ESXi server, it will provide the protection. But if the appliance is deactivated or removed, then the agent will provide protection instead.
  • Agent Only: Only the agent will provide protection, even if there is an activated appliance available.
  • Agent Preferred: If there is an activated agent on the VM, it will provide the protection. But if there is no activated agent, then the appliance will provide protection instead.

Install a new Deep Security Agent or Relay

To use new features, you must install Deep Security Agent or Relay 10.0.

If you don't require the newest features, or if you need compatibility with legacy systems, however, you can install any supported version. For supported Deep Security Agent versions on each platform, see System requirements.

Most steps are the same, whether you want to install a Deep Security Agent or Relay.

Deep Security deployments require at least one Deep Security Relay to distribute updates. If you did not create one on the same server while installing Deep Security Manager, then you must enable the relay feature on at least one of your agents.

Deep Security Agent is designed to protect servers, not laptops.
To protect AWS WorkSpaces virtual desktop infrastructure (VDI) workstations, add the “Plus” application bundle instead. It includes Trend Micro Worry-Free Business Security.

  1. Go to Administration > Updates > Software > Download Center. Get Deep Security Agent software.
  2. Install the agent software on computers. There are multiple methods:

  3. Activate the agent.
  4. Assign a policy to a computer.
  5. If you want to enable the agent to act as a Deep Security Relay, see Configure relays.
  6. If you require security update packages for Deep Security Agent 8.0 or 9.0 for AIX, HP-UX, or Windows 2000, go to Administration > System Settings > Update and select Allow supported 8.0 and 9.0 Agents to be updated.

Set up alerts

Deep Security Manager can notify you when important system events occur. Go to Alerts and Administration > System Settings > Alerts (see Alert settings).

Alternatively, if you have an external SIEM, you can forward events to it. Go to Policies > Common Objects > Other > Syslog Configurations and Administration > System Settings > Event Forwarding (see Forward events to an external Syslog or SIEM server).

Run a recommendation scan

If you're not sure how to begin configuring your security policies, Deep Security Manager can scan your protected computers, looking for vulnerable software and settings, and provide recommended security settings. Go to Computers and select Actions > Scan for Recommendations (see Manage and run recommendation scans).