Deep Security 10.1 has reached end of support.
Agent-Manager communication
Deep Security Manager and the agent communicate using the latest mutually-supported version of TLS.
During a heartbeat, the Manager collects this information:
- the status of the drivers (on- or off-line)
- the status of the Agent/Appliance (including clock time)
- Agent/Appliance logs since the last heartbeat
- data to update counters
- a fingerprint of the Agent/Appliance security configuration (used to determine if it is up to date)
You can change which computer initiates a heartbeat, how often heartbeats occur, and how many missed heartbeats can elapse before an alert is triggered.
Who initiates communication?
By default, both the agent/appliance and the Deep Security Manager connect to each other on their required port numbers. They connect to send a heartbeat (indicating that the service is available), and for updates to the configuration. (In other words, connectivity is Bidirectional.)
If you select the Manager Initiated option, only Deep Security Manager will initiate connections. The Manager will connect to agents when it is time for a heartbeat, when it performs scheduled updates, and when you click Activate/Reactivate or Send Policy.
If you need to harden security on the agents by closing all listening port numbers, you can instead select Agent/Appliance Initiated so that only the agent initiates heartbeat and configuration communications.
Unlike the other types of communication between them, port scans are always one-directional regardless of this setting: only the Deep Security Manager performs port scans of the agents.
Configure communication directionality
The heartbeat can be configured at multiple levels: on a base or parent policy, on a sub-policy, or on an individual computer.
To configure the communication direction in a policy:
- Open the Policy editor for the policy whose communication settings you want to configure. (To open the Policy editor, go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details.)
- Go to Settings > General > Communication Direction.
- In the "Direction of Deep Security Manager to Agent/Appliance communication" menu, select one of the three options ("Manager Initiated", "Agent/Appliance Initiated", or "Bidirectional"), or choose "Inherited". If you select "Inherited", the policy will inherit the setting from its parent policy in the policy hierarchy. Selecting one of the other options will override the inherited setting.
- Click Save to apply the changes.
To configure the communication direction on a specific computer:
- Open the Computer editor for the computer whose communication settings you want to configure. (To open the Computer editor, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details.)
- Go to Settings > General > Communication Direction.
- In the "Direction of Deep Security Manager to Agent/Appliance communication" menu, select one of the three options ("Manager Initiated", "Agent/Appliance Initiated", or "Bidirectional"), or choose "Inherited". If you select "Inherited", the computer will inherit its setting from the policy that has been applied to it. Selecting one of the other options will override the inherited setting.
- Click Save to apply the changes.
Supported cipher suites for agent-manager communication
Deep Security Manager and the agent communicate using the latest mutually-supported version of TLS.
The Deep Security Agent supports the following ciphers for communication with the manager. If you need to know the ciphers supported by the Deep Security Manager, contact Trend Micro.
Each cipher suite name identifies three components: an asymmetric key exchange (and authentication) algorithm, a symmetric algorithm for encrypting the data, and a hash function used for integrity.
Deep Security Agent 9.5 supports these TLSv1.0 ciphers:
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Deep Security Agent 9.6 supports these TLSv1.0 ciphers:
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Deep Security Agent 10.0 supports these TLSv1.2 ciphers:
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
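To make that three-part breakdown concrete, the following is an added Python example (not code from this page or from Trend Micro) that parses IANA-style cipher suite names into their key exchange, bulk cipher and hash components and lists, for each agent version on this page, the properties a hardening review would note. The table of suites is copied from this page; the review criteria are general TLS guidance, not Deep Security documentation.

```python
import re
from dataclasses import dataclass

# Cipher suites and TLS versions exactly as listed on this page, keyed by agent version.
AGENT_CIPHERS = {
    "9.5": ("TLSv1.0", ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]),
    "9.6": ("TLSv1.0", ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]),
    "10.0": ("TLSv1.2", ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"]),
}

# IANA naming pattern: TLS_<key exchange>_WITH_<cipher>_<bits>_<mode>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<enc>[A-Z0-9]+)_(?P<bits>\d+)_(?P<mode>[A-Z]+)_(?P<hash>SHA\d*|MD5)$"
)

@dataclass(frozen=True)
class CipherSuite:
    key_exchange: str  # asymmetric key exchange / authentication, e.g. RSA or ECDHE_RSA
    encryption: str    # symmetric bulk cipher, e.g. AES
    key_bits: int      # symmetric key length
    mode: str          # cipher mode, e.g. CBC or GCM
    hash_alg: str      # hash behind the HMAC / PRF, e.g. SHA (SHA-1) or SHA256

def parse_suite(name: str) -> CipherSuite:
    """Split an IANA cipher suite name into its components; raise on unknown shapes."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return CipherSuite(m["kx"], m["enc"], int(m["bits"]), m["mode"], m["hash"])

def review(name: str, tls_version: str) -> list[str]:
    """Properties of a suite/version pair that a hardening review would flag."""
    s = parse_suite(name)
    findings = []
    if tls_version in ("TLSv1.0", "TLSv1.1"):
        findings.append(f"{tls_version} is deprecated by RFC 8996")
    if s.key_exchange == "RSA":
        findings.append("static RSA key exchange: no forward secrecy")
    if s.mode == "CBC":
        findings.append("CBC (MAC-then-encrypt) rather than an AEAD mode such as GCM")
    if s.hash_alg == "SHA":
        findings.append("HMAC-SHA1 record integrity")
    return findings

def agent_review(version: str) -> dict[str, list[str]]:
    """Findings for every suite an agent version is listed on this page as supporting."""
    tls_version, suites = AGENT_CIPHERS[version]
    return {name: review(name, tls_version) for name in suites}
```

Running `agent_review("10.0")` shows that moving from agent 9.x to 10.0 removes the TLS 1.0 and SHA-1 findings but keeps the static-RSA and CBC ones, which is the kind of gap to record when inventorying agent-manager links.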