Deploy the Deep Security Manager VM for Azure Marketplace

To start protecting your Azure virtual machines (VM) with Deep Security Manager VM for Azure Marketplace, basic steps include:

  1. Buy Deep Security from the Azure Marketplace.
  2. Add a Microsoft Azure account to Deep Security.
  3. Create a policy.
  4. Deploy Deep Security Agents.

If you are upgrading an existing Deep Security Manager VM for Azure Marketplace, see Upgrade Deep Security Manager VM for Azure Marketplace

Buy Deep Security from the Azure Marketplace

You can buy Deep Security from the Azure Marketplace as Deep Security Manager (BYOL).

To buy Deep Security Manager (BYOL) , you need to have already obtained a license for Deep Security. If you need a license, contact for help with obtaining one.

  1. Log in to your Azure portal and click the Marketplace blade.
  2. Click the Security + Identity blade and search for "Deep Security".
  3. In the search results, click Deep Security (BYOL).
  4. Review the information provided and click Create.
  5. Follow the seven steps of the Create Deep Security Manager journey to create a Deep Security virtual machine.
    1. Specify the name of the Deep Security Manager VM and configure other general settings on the Basics blade and then click OK.
      • The credentials you specify in this blade are what you will use to log on to the Deep Security Manager virtual machine.
      • Depending on the type of authentication you select, you have to enter a strong password or an SSH public key.
      • Type in a name into Resource group to create a new Resource group.

      Azure does not allow Deep Security Manager VM to be deployed on existing Resource groups. A new Resource group must be created.

    2. Select a virtual machine size, configure the Deep Security Manager URL and port numbers on the Deep Security Manager VM blade, and then click OK.
      • Use the DNS name you enter in Deep Security Manager URL (for example, azurevmdemo01).
      • Specify the port number for the Deep Security Manager console port to access and log into Deep Security Manager (for example,
      • Specify the heartbeat port number used by the Deep Security Agents to communicate with Deep Security Manager.
    3. Create a new database or enter the name of an existing one on the Database Settings blade and then click OK.
      • Do not type anything into Database Hostname if you create a new database. However, if you click Use Existing then the database host name is required.
      • You can view the names of existing Azure SQL databases by going to the SQL databases blade and viewing the properties of a database (Settings blade > Properties blade > Server name).
    4. Enter the name of the administrator account you will use to sign in to Deep Security Manager on the Deep Security Credentials blade and enter and confirm the password for that account and click OK.
    5. Click the arrows to review the settings for the new virtual network and the subnet for the Deep Security Manager VM on the Network Settings blade and click OK twice.
    6. Review the information on the Summary blade and click OK when Validation passed appears at the top of the summary to finish creating the virtual machine.

      Validation passed message

    1. Click Terms of use, privacy policy, and Azure Marketplace Terms on the Buy blade to review them and then click Create.

    It will take approximately 30-40 minutes before your new virtual machine is running.

  6. When installation is complete, open a browser and go to:

    https://<DNS name>:8443

    where the DNS name is the name you specified on the Deep Security Manager blade (for example, To view the DNS name for your Deep Security virtual machine, select the virtual machine in the Public IP address blade, and then click Overview. It will be in the DNS name field.

  7. Enter the Subscription ID for the virtual machine and click Sign in.

    If the installation succeeded, you will be redirected to Deep Security Manager. If the installation failed you will see an error message. If this happens, click Install Deep Security Manager again and verify all settings as you step through the installation again.

Add a Microsoft Azure account to Deep Security

Once you've installed Deep Security Manager, you can add and protect Microsoft Azure virtual machines by connecting a Microsoft Azure account to the Deep Security Manager. For instructions, see Add a Microsoft Azure account to Deep Security.

Create a policy

After you have added Microsoft Azure virtual machines to Deep Security, you need to create a policy that specifies how Deep Security should protect them.

You have two options for creating a policy:

  • You can make a duplicate copy of one of the server policies that comes with Deep Security and modify it as required.
  • You can build your own policy using the Base Policy as your starting point.

For more information on how to create a policy, see Create policies to protect your computers and other resources.

For more information on how policies work in Deep Security, see Policies, inheritance, and overrides.

Deploy Deep Security Agents

To start Deep Security protecting your Microsoft Azure virtual machines, you need to deploy Deep Security Agents to them. You can do this in multiple ways:

Generate and run a deployment script

You can generate Deep Security deployment scripts for automatically deploying agents using deployment tools such as RightScale, Chef, Puppet, and SSH.

For more information on how to do so, see Use deployment scripts to add and protect computers.

Add a custom script extension to an existing virtual machine

You can also add a custom script extension to an existing virtual machine to deploy and activate the Deep Security Agent. To do this, navigate to your existing virtual machine in the Azure management portal and follow the steps below to upload and execute the deployment script on your Azure VM.

  1. Log in to the Azure portal.
  2. Switch to the preview portal, and then click the virtual machine that you want to add the custom script to.
  3. In the Settings blade, click Extensions, in the Extensions blade, click Add extension, in the New Resource blade, select Custom Script, and then click Create.
  4. In the Add Extension blade under Script File (required), click upload, select the saved .ps1 deployment script, and then click OK.

Upload custom script to Azure