Deploy the Deep Security Manager VM for Azure Marketplace

To start protecting your Azure virtual machines (VMs) with Deep Security Manager VM for Azure Marketplace, follow these basic steps:

  1. Buy Deep Security from the Azure Marketplace.
  2. Add a Microsoft Azure account to Deep Security.
  3. Create a policy.
  4. Deploy Deep Security Agents.

If you are upgrading an existing Deep Security Manager VM for Azure Marketplace, see Upgrade Deep Security Manager VM for Azure Marketplace.

Buy Deep Security from the Azure Marketplace

You can buy Deep Security from the Azure Marketplace as Deep Security Manager (BYOL).

To buy Deep Security Manager (BYOL), you need to have already obtained a license for Deep Security. If you need a license, contact azure@trendmicro.com for help with obtaining one.

  1. Log in to your Azure portal and click the Marketplace blade.
  2. Click the Security + Identity blade and search for "Deep Security".
  3. In the search results, click Deep Security (BYOL).
  4. Review the information provided and click Create.
  5. Follow the seven steps of the Create Deep Security Manager journey to create a Deep Security virtual machine.
    1. Specify the name of the Deep Security Manager VM and configure other general settings on the Basics blade and then click OK.
      • The credentials you specify in this blade are what you will use to log on to the Deep Security Manager virtual machine.
      • Depending on the type of authentication you select, you have to enter a strong password or an SSH public key.
      • Type a name into Resource group to create a new Resource group.

      Azure does not allow Deep Security Manager VM to be deployed on existing Resource groups. A new Resource group must be created.

    2. Select a virtual machine size, configure the Deep Security Manager URL and port numbers on the Deep Security Manager VM blade, and then click OK.
      • Use the DNS name you enter in Deep Security Manager URL (for example, azurevmdemo01).
      • Specify the port number for the Deep Security Manager console port to access and log into Deep Security Manager (for example, https://azurevmdemo01.eastus.cloudapp.azure.com:443).
      • Specify the heartbeat port number used by the Deep Security Agents to communicate with Deep Security Manager.
    3. Create a new database or enter the name of an existing one on the Database Settings blade and then click OK.
      • Do not type anything into Database Hostname if you create a new database. However, if you click Use Existing then the database host name is required.
      • You can view the names of existing Azure SQL databases by going to the SQL databases blade and viewing the properties of a database (Settings blade > Properties blade > Server name).
    4. On the Deep Security Credentials blade, enter the name of the administrator account you will use to sign in to Deep Security Manager, enter and confirm the password for that account, and then click OK.
    5. Click the arrows to review the settings for the new virtual network and the subnet for the Deep Security Manager VM on the Network Settings blade and click OK twice.
    6. Review the information on the Summary blade and click OK when Validation passed appears at the top of the summary to finish creating the virtual machine.

    7. Click Terms of use, privacy policy, and Azure Marketplace Terms on the Buy blade to review them and then click Create.

    It will take approximately 30-40 minutes before your new virtual machine is running.

  6. When installation is complete, open a browser and go to:

    https://<DNS name>:8443

    where the DNS name is the name you specified on the Deep Security Manager blade (for example, azurevmdemo01.eastus.cloudapp.azure.com). To view the DNS name for your Deep Security virtual machine, select the virtual machine in the Public IP address blade, and then click Overview. It will be in the DNS name field.

  7. Enter the Subscription ID for the virtual machine and click Sign in.

    If the installation succeeded, you will be redirected to Deep Security Manager. If the installation failed, you will see an error message. If this happens, click Install Deep Security Manager again and verify all settings as you step through the installation again.

Add a Microsoft Azure account to Deep Security

Once you've installed Deep Security Manager, you can add and protect Microsoft Azure virtual machines by connecting a Microsoft Azure account to the Deep Security Manager. For instructions on how to do so, see Add a Microsoft Azure account to Deep Security.

Create a policy

After you have added Microsoft Azure virtual machines to Deep Security, you need to create a policy that specifies how Deep Security should protect them.

You have two options for creating a policy:

  • You can make a duplicate copy of one of the server policies that comes with Deep Security and modify it as required.
  • You can build your own policy using the Base Policy as your starting point.

For more information on how to create a policy, see Create policies to protect your computers and other resources.

For more information on how policies work in Deep Security, see Policies, inheritance, and overrides.

Deploy Deep Security Agents

To have Deep Security start protecting your Microsoft Azure virtual machines, you need to deploy Deep Security Agents to them. You can do this in multiple ways:

Generate and run a deployment script

You can generate Deep Security deployment scripts for automatically deploying agents using deployment tools such as RightScale, Chef, Puppet, and SSH.

For more information on how to do so, see Use deployment scripts to add and protect computers.

Add a custom script extension to an existing virtual machine

You can also add a custom script extension to an existing virtual machine to deploy and activate the Deep Security Agent. To do this, navigate to your existing virtual machine in the Azure management portal and follow the steps below to upload and execute the deployment script on your Azure VM.

  1. Log in to the Azure portal.
  2. Switch to the preview portal, and then click the virtual machine that you want to add the custom script to.
  3. In the Settings blade, click Extensions. In the Extensions blade, click Add extension. In the New Resource blade, select Custom Script, and then click Create.
  4. In the Add Extension blade under Script File (required), click upload, select the saved .ps1 deployment script, and then click OK.

Add the Deep Security Agent extension on Microsoft Azure management portal

You can add the Deep Security Agent to a new or existing virtual machine. This installs the Deep Security Agent software and also registers the Deep Security Agent with the Deep Security Manager.

  1. Log in to the Azure portal.
  2. If creating a new virtual machine, in the Create virtual machine blade, enter the information required by Azure for the Basics and Size steps.
  3. In the virtual machine Settings blade, click Extensions. In the Extensions blade, click Add extension. In the New Resource blade, select Deep Security Agent, and then click Create.
  4. In the Install extension blade, enter the following information for the extension and then click OK:

    Manager Address

    The DNS name of the Azure Marketplace Deep Security Manager. This will be the Deep Security Manager URL you entered during configuration of the Deep Security Manager virtual machine.

    Activation Port

    The discovery and heartbeat port number of the Azure Marketplace Deep Security Manager. This will be the Deep Security Manager console port you entered during configuration of the Deep Security Manager virtual machine.

    Tenant Identifier

    The tenant ID of your Deep Security Manager.

    For the Deep Security Manager virtual machine, enter "NA".

    Tenant Activation Password

    The tenant password of your Deep Security Manager.

    If your Deep Security Agents are configured to use an "Agent activation secret" when communicating with the Deep Security Manager virtual machine, enter the secret. Otherwise enter "NA".

    Security Policy Identifier (optional)

    The policy ID in your Deep Security Manager that you want to assign to this Azure VM. It is displayed in the deployment script generated by Deep Security Manager.

Use a PowerShell script to install the Deep Security Agent extension

The instructions and PowerShell scripts for installing the Deep Security extension are available on our GitHub repository: https://github.com/deep-security/azure-vm-extensions