Deep Security Manager uses TLS 1.2

As of Deep Security 10.1, Deep Security Manager now requires clients to use the TLS 1.2 protocol to connect on port 4119. The change to use the TLS 1.2 protocol, which offers a higher level of security than the preceding versions of TLS, affects the following client activities that involve downloading agent and Deep Security Virtual Appliance (DSVA) packages from Deep Security Manager:

  • Running a deployment script on a computer to install agent
  • Deploying a DSVA OVF package to VMware vCenter 5.5

Support for TLS 1.2 on Windows computers

The deployment script that installs agent on a computer requires Windows PowerShell 4.0. If your target computer has PowerShell 3.0 or an earlier version installed, you need to install version 4.0 or later.

The following Windows operating systems do not support PowerShell 4.0 or later:

  • Windows XP
  • Windows 2003
  • Windows 2008

Support for TLS 1.2 on Linux computers

The agent deployment scripts for Linux use curl to download agent packages. curl versions 7.3.4 and higher support the TLS 1.2 protocol. Ensure that a version of curl that supports TLS 1.2 is installed on the Linux computer before running the deployment script.

Use agent deployment scripts on older operating systems

You can use agent deployment scripts on operating systems that do not support Windows PowerShell 4.0 or later, or do not have curl 7.3.4 or later. You need to host the agent package on a web server and modify the deployment scripts to download it. Ensure the agent can connect with the web server, and secure the connection according to your business standards.

  1. In your web browser, go to the Deep Security Software page and download the Deep Security agent installation package for your operating system.
  2. Copy the installation package to your web server.
  3. Follow the instructions in Use deployment scripts to add and protect computers, but instead of using the manager to generate the script, use the Windows script or the Linux script that is provided on this page.

Make DSVAs available to VMware vCenter 5.5 servers

VMware vCenter 5.5 cannot connect to Deep Security Manager on port 4119 over TLS 1.2. To enable vCenter 5.5 servers to download DSVA packages, you need to host the packages on a web server instead of the manager computer. Ensure the vCenter server can connect with the web server, and secure the connection according to your business standards.

  1. In your web browser, go to the Deep Security Software page and download Deep Security Virtual Appliance 9.5.
  2. Copy the DSVA OVF package to your web server.
  3. In Deep Security Manager, click Computers.
  4. Right-click the vCenter to configure and click Properties.
  5. On the NSX Configuration tab, select Host the Deep Security Virtual Appliance software package on a local Web Server instead of in the Deep Security Manager database.
  6. Specify the URL of the DSVA OVF package on your web server.
  7. Click OK.

Agent deployment scripts for older operating systems

Windows script

Use the following script on Windows computers.

You must set the baseUrl variable to the URL of your agent package on your web server.

# Log to the per-user AppData folder; -Force lets the script run again if the folder already exists
$env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer"
New-Item -Path $env:LogPath -ItemType Directory -Force | Out-Null
Start-Transcript -Path "$env:LogPath\dsa_deploy.log" -Append
echo "$(Get-Date -format T) - DSA download started"
# Set baseUrl to the URL of the agent package on your web server
$baseUrl = "<server/package>"
$sourceUrl = $baseUrl
echo "$(Get-Date -format T) - Download Deep Security Agent Package" $sourceUrl
(New-Object System.Net.WebClient).DownloadFile($sourceUrl, "$env:temp\agent.msi")
# Stop if the download produced no file or an empty file
if ( -not (Test-Path "$env:temp\agent.msi") -or (Get-Item "$env:temp\agent.msi").length -eq 0 ) {
    echo "Failed to download the Deep Security Agent. Please check if the package is on the server. "
    Stop-Transcript
    exit 1
}
echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length
echo "$(Get-Date -format T) - DSA install started"
# Silent install (/qn) of all features, with a verbose MSI log written next to the transcript
echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode
Stop-Transcript
echo "$(Get-Date -format T) - DSA Deployment Finished"

Linux script

Use the script that is appropriate for your Linux distribution.

Replace <server/package> with the URL of the agent package on your web server.

For Linux distributions that use the RPM Package Manager:

#!/usr/bin/env bash
# --insecure skips TLS certificate verification of your web server; --silent hides progress output
curl <server/package> -o /tmp/agent.rpm --insecure --silent
rpm -ihv /tmp/agent.rpm

For Debian-based Linux distributions:

#!/usr/bin/env bash
# --insecure skips TLS certificate verification of your web server; --silent hides progress output
curl <server/package> -o /tmp/agent.deb --insecure --silent
dpkg -i /tmp/agent.deb
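The two Linux scripts above download with --insecure and hand whatever curl saved straight to rpm or dpkg, so a truncated download or an HTTP error page is installed without complaint. The following is an added example, not Trend Micro's script, that gates the same download behind a non-empty check and a SHA-256 digest you record when you copy the package to your web server; the DSA_PACKAGE_URL and DSA_PACKAGE_SHA256 variable names, the sha256sum/shasum tooling and the URL and digest placeholders are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Trend Micro's script: fetch the agent package from your
# own web server and install it only if the file is non-empty and matches a
# SHA-256 digest you recorded when copying the package to the server. The
# page's curl command uses --insecure (no certificate check); a digest you
# verify yourself is what gives the download integrity either way.
set -eu
# SHA-256 of a file as lowercase hex (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Succeed only if FILE exists, is non-empty and its digest equals EXPECTED.
verify_package() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "download failed or empty: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
}

# --fail turns HTTP errors (404, 500) into a non-zero exit instead of saving
# the error page as the package. Add --insecure only if the older curl on the
# host cannot validate your server's certificate; the digest check still holds.
download_package() {
    curl --fail --silent --show-error --location "$1" -o "$2"
}

# Install by package type, as the page's scripts do: rpm or dpkg.
install_package() {
    case "$1" in
        *.rpm) rpm -ihv "$1" ;;
        *.deb) dpkg -i "$1" ;;
        *) echo "unknown package type: $1" >&2; return 1 ;;
    esac
}

# Runs only when the operator supplies both values (placeholders; yours differ):
#   DSA_PACKAGE_URL=https://<server/package> DSA_PACKAGE_SHA256=<digest> ./deploy.sh
if [ -n "${DSA_PACKAGE_URL:-}" ]; then
    pkg="/tmp/agent.${DSA_PACKAGE_URL##*.}"
    download_package "$DSA_PACKAGE_URL" "$pkg"
    verify_package "$pkg" "${DSA_PACKAGE_SHA256:?set DSA_PACKAGE_SHA256 as well}"
    install_package "$pkg"
fi
```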

Re-enable TLS 1.0 on the Deep Security Manager

If you upgrade your Deep Security Manager to version 10.1 or later, any Deep Security 9.5 or 9.6 relays that are already in your environment will fail to replicate and serve the Deep Security Agent 10.1 or later packages.

To resolve this:

  1. Temporarily enable TLS 1.0, 1.1, and 1.2 by adding this line to the dsm.properties file:

    protocols=TLSv1,TLSv1.1,TLSv1.2

  2. Reboot the Deep Security Manager server.
  3. Ensure that all relays and agents have upgraded successfully.
  4. Remove TLSv1,TLSv1.1 from the line you edited in step 1.
  5. Reboot the Deep Security Manager server.
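Step 1 says to add the protocols line, but if dsm.properties already carries a protocols= key, appending a second one leaves two entries to untangle at step 4. The following added example, not part of the Deep Security documentation, sets or reverts that key in place and then probes port 4119 to confirm TLS 1.0 is no longer accepted after the final reboot; /path/to/dsm.properties and dsm.example.internal are placeholders, and the probe assumes an openssl binary that still has TLS 1.0 compiled in.

```shell
#!/usr/bin/env bash
# Added example, not Trend Micro's: set the protocols= key in dsm.properties for
# step 1 (TLSv1,TLSv1.1,TLSv1.2) and step 4 (back to TLSv1.2) without leaving a
# duplicate key behind, then check whether the manager still accepts TLS 1.0.
# /path/to/dsm.properties is a placeholder for your manager's file.
set -eu

# Print the current protocols= value (empty if the key is absent).
dsm_protocols() {
    sed -n 's/^[[:space:]]*protocols=//p' "$1" | tail -n 1
}

# Replace the existing protocols= line in FILE with VALUE, or append one if the
# key is absent. Every other line is copied unchanged; a .bak copy is kept.
set_dsm_protocols() {
    file="$1" value="$2"
    cp -p "$file" "$file.bak"
    awk -v v="$value" '
        /^[[:space:]]*protocols=/ { if (!done) print "protocols=" v; done = 1; next }
        { print }
        END { if (!done) print "protocols=" v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Exit 0 if HOST accepts a TLS 1.0 handshake on the manager port 4119.
# Run it after step 5: it should now fail. Needs openssl built with TLS 1.0.
tls10_accepted() {
    openssl s_client -tls1 -connect "$1:4119" </dev/null >/dev/null 2>&1
}

# Usage (placeholders; run on the manager host, then reboot as the steps say):
#   set_dsm_protocols /path/to/dsm.properties TLSv1,TLSv1.1,TLSv1.2   # step 1
#   set_dsm_protocols /path/to/dsm.properties TLSv1.2                  # step 4
#   tls10_accepted dsm.example.internal && echo "TLS 1.0 still accepted"
```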