Deploy a Smart Protection Server in AWS

If you have Deep Security Agents in AWS, and you want them to be able to access Trend Micro's Smart Protection Network, then you must allow them to connect to the Internet on port 80 (HTTP) or 443 (HTTPS). (See Port numbers, URLs, and IP addresses.) If this is not possible, you can deploy your own Smart Protection Server (SPS) within your Virtual Private Network (VPC) in AWS, or another VPC. The Smart Protection Server connects outbound to the Smart Protection Network to retrieve the latest anti-malware, file reputation, and web reputation information and then passes this information along to your agents.

To deploy a Smart Protection Server in AWS, you can either:

  • use an AWS CloudFormation template created by Trend Micro . This is the easiest way to deploy the server because the configuration is automated.
  • install it manually. See the Smart Protection Server documentation for details.

The instructions below describe how to deploy the Smart Protection Server using the CloudFormation template.

  1. In AWS, at the top, click Services and search for the CloudFormation service.
  2. On the CloudFormation service page, click Create Stack.

    The Select Template page appears.

  3. Select Specify an Amazon S3 template URL and enter this URL into the underlying field:

  4. Click Next.

    Finish entering settings in the template. Choose the AWS key pairs you would like to use to authenticate to the server, the VPC and subnet where the Smart Protection Server will reside, and an administrator password. The password cannot contain special characters such as: !@#$%^&*()

    Do not enter a password that contains dictionary words. It should be at least 8 characters in length. Failure to do this will result in a weak password that is vulnerable to guessing and brute force attacks, and could compromise the security of your network.

  5. Click Next.
  6. Optionally, create any tags that you would like to associate with this server, then click Next.

  7. Review your settings, and then click Create.

    While your server is being installed, the screen will indicate progress. To verify that the process has completed, you may need to click Refresh at the top of the screen.

  8. After it is done creating, click the Outputs tab at the bottom of the screen. You see three URLS. In the Deep Security Manager's GUI, you must configure your computers to use the Smart Protection Server.
  9. Log in to Deep Security Manager.
  10. At either the policy level (recommended method) or at the computer level, go to the anti-malware section.
  11. Click the Smart Protection tab at the top. Toward the bottom of the screen, deselect Inherited under Smart Protection Server for File Reputation Service.
  12. Select Use locally installed Smart Protection Server.
  13. Enter in the URL from the Outputs screen in your AWS console labeled "FRSurl" and click Add.
  14. Click Save.
  15. Open the web reputation section of the policy or computer and click the Smart Protection tab at the top.
  16. Deselect Inherited under Smart Protection Server for Web Reputation Service.
  17. Select Use locally installed Smart Protection Server.
  18. Add the URL from the Outputs screen in your AWS console labeled "WRSurl" or "WRSHTTPSurl" and click Add. You can use the HTTP or HTTPS URL, but HTTPS is only supported with 11.0 Deep Security Agents and up.
  19. Click Save.
  20. If you don’t have your system set up to automatically send policies, you will need to manually send the policy from your Deep Security Manager.