Deep Security 10.1 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.
Deep Security Manager uses TLS 1.2
- Running a deployment script on a computer to install agent
- Deploying a DSVA OVF package to VMware vCenter 5.5
Support for TLS 1.2 on Windows computers
The deployment script that installs agent on a computer requires Windows PowerShell 4.0. If your target computer has PowerShell 3.0 or an earlier version installed, you need to install version 4.0 or later.
The following Windows operating systems do not support PowerShell 4.0 or later:
- Windows XP
- Windows 2003
- Windows 2008
Support for TLS 1.2 on Linux computers
The agent deployment scripts for Linux use curl to download agent packages. curl versions 7.3.4 and higher support the TLS 1.2 protocol. Ensure that a version of curl that supports TLS 1.2 is installed on the Linux computer before running the deployment script.
Use agent deployment scripts on older operating systems
You can use agent deployment scripts on operating systems that do not support Windows PowerShell 4.0 or later, or do not have curl 7.3.4 or later. You need to host the agent package on a web server and modify the deployment scripts to download it. Ensure the agent can connect with the web server, and secure the connection according to your business standards.
- In your web browser, open the Deep Security Software page and download the Deep Security agent installation package for your operating system.
- Copy the installation package to your web server.
- Follow the instructions in the Use a deployment script article, but instead of using manager to generate the script, use the Windows script or the Linux script that is provided on this page.
Make DSVAs available to VMware vCenter 5.5 servers
VMware vCenter 5.5 cannot connect to Deep Security Manager on port 4119 over TLS 1.2. To enable vCenter 5.5 servers to download DSVA packages, you need to host the packages on a web server instead of the manager computer. Ensure the vCenter server can connect with the web server, and secure the connection according to your business standards.
- In your web browser, open the Deep Security Software page and download Deep Security Virtual Appliance 9.5.
- Copy the DSVA OVF package to your web server.
- In Deep Security Manager, click Computers.
- Right-click the vCenter to configure and click Properties.
- On the NSX Configuration tab, select Host the Deep Security Virtual Appliance software package on a local Web Server instead of in the Deep Security Manager database.
- Specify the URL of the DSVA OVF package on your web server.
- Click OK.
Agent deployment scripts for older operating systems
Windows script
Use the following script on Windows computers.
You must set the baseUrl variable to the URL of your agent package on your web server.
$env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer"
New-Item -path $env:LogPath -type directory
Start-Transcript -path "$env:LogPath\dsa_deploy.log" -append
echo "$(Get-Date -format T) - DSA download started"
$baseUrl=<server/package>
echo "$(Get-Date -format T) - Download Deep Security Agent Package" $sourceUrl
(New-Object System.Net.WebClient).DownloadFile($sourceUrl, "$env:temp\agent.msi")
if ( (Get-Item "$env:temp\agent.msi").length -eq 0 ) {
echo "Failed to download the Deep Security Agent. Please check if the package is on the server. "
exit 1 }
echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length
echo "$(Get-Date -format T) - DSA install started"
echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode
Stop-Transcript
echo "$(Get-Date -format T) - DSA Deployment Finished"
Linux script
Use the script that is appropriate for your Linux distribution.
Replace <server/package> with the URL of the agent package on your web server.
For Linux distributions that use the RPM Package Manager:
#!/usr/bin/env bash
curl <server/package> -o /tmp/agent.rpm --insecure –silent
rpm -ihv /tmp/agent.rpm
For Debian-based Linux distributions:
#!/usr/bin/env bash
curl <server/package> -o /tmp/agent.deb --insecure –silent
dpkg -i /tmp/agent.deb
Re-enable TLS 1.0 on the Deep Security Manager
If you upgrade your Deep Security Manager to version 10.1 or later, any Deep Security 9.5 or 9.6 relays that are already in your environment will fail to replicate and serve the Deep Security Agent 10.1 or later packages.
To resolve this:
- Temporarily enable TLS 1.0, 1.1, and 1.2 by adding this line to the dsm.properties file:
protocols=TLSv1,TLSv1.1,TLSv1.2
- Reboot the Deep Security Manager server.
- Ensure that all relays and agents have upgraded successfully.
- Remove TLSv1,TLSv1.1 from the line you edited in step 1.
- Reboot the Deep Security Manager server.