Upgrade the Deep Security Virtual Appliance

Trend Micro recommends that you upgrade the Deep Security Virtual Appliance with the newest version to take advantage of the latest security patches, updates, and ongoing support. You can upgrade the appliance service virtual machine (SVM), or just the agent embedded in the appliance SVM.

The term 'appliance SVM' refers to the Deep Security Virtual Appliance virtual machine deployed in your VMware infrastructure.

You have a few upgrade options:

• Option 1: Upgrade an existing appliance SVM automatically (recommended if you have no other ESXi hosts and protection loss during the upgrade period is acceptable)
• Option 2: Upgrade an existing appliance SVM manually (recommended if you have another ESXi host to which you can vMotion your VMs and keep protection)
• Option 3: Upgrade the agent embedded on the appliance SVM and apply OS patches (only use this option if upgrading the appliance SVM is not feasible)

See also Upgrade the NSX license to Advanced or Enterprise.

Upgrade an existing appliance SVM automatically

With this upgrade option, your guest VMs lose protection during the upgrade process, which takes five to fifteen minutes depending on the resources of your VMware components and network stability. If you would like to maintain protection of the guest VMs, see instead Upgrade an existing appliance SVM manually.

Any resource adjustments or custom configurations you may have made to the current appliance SVM, such as extending the CPU or memory or changing a password, will not be carried over to the new appliance SVM after the upgrade. You will need to manually re-apply these configurations when the upgrade finishes.

Step 1: Verify permissions

1. Make sure that the vCenter account that you registered in Deep Security Manager has these permissions:
   • VirtualMachine.Interaction.Power Off, and
   • VirtualMachine.Inventory.Remove, and
   • ESX Agent Manager.Modify
2. Make sure that the NSX Manager account that you registered in Deep Security Manager belongs to one of these NSX Manager roles:
   • Security Engineer, or
   • Security Administrator, or
   • Enterprise Administrator

Step 2: Import the new virtual appliance packages into the manager

1. On your Deep Security Manager computer, go to the software page at https://help.deepsecurity.trendmicro.com/software.html.
2. Download the latest Deep Security Virtual Appliance package to your computer.
3. On Deep Security Manager, go to Administration > Updates > Software > Local.
4. Click Import and upload the package to Deep Security Manager.

   When you import the appliance package, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. This agent software appears under Administration > Updates > Software > Local. When you deploy the appliance, the embedded agent software will be auto-upgraded to the latest compatible version in Local Software by default. You can change the auto-upgrade version by clicking Administration > System Settings > Updates tab > Virtual Appliance Deployment.

   It is acceptable to have multiple versions of the Deep Security Virtual Appliance package appear under Local Software. The newest version is always selected when you deploy a new Deep Security Virtual Appliance.
   

5. Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray. For details, see Install the Deep Security Notifier.

Step 3: Upgrade the appliance SVM in the manager

1. In Deep Security Manager, click Computers at the top.
2. Right-click the ESXi host where your existing appliance SVM is located, and select Actions > Upgrade Appliance (SVM).

   You can use Shift+click to select multiple ESXi hosts, if you want to upgrade several at once.

   The Upgrade Appliance (SVM) option is only available if the latest virtual appliance package in Local Software is newer than the one that's currently in use. To make the option available, try importing the latest appliance package. If that doesn't work, it's likely because you're already using the latest version of the appliance SVM. To check, look at the Appliance (SVM) Version property on the computer details page of the appliance virtual machine.

   

   The Upgrade Appliance (SVM) page appears with a check box, warnings, and a note.

   

3. (Optional.) Select Check NSX alarms before upgrade, and cancel the process if any alarms exist if you want the manager to check the service status from NSX Manager before the upgrade begins. Deselect the check box if you want to skip the check and proceed with the upgrade despite possible alarms.
4. Review the warnings and note on the page.
5. Click OK.

   The upgrade process begins, including a pre-upgrade service status check, if you enabled it.

6. (Optional.) Still in the manager, go back to the Computers page, find your ESXi host, and look at its TASK(S) column to view the status of the upgrade.

   If you previously shift+clicked several ESXi hosts on which to perform an upgrade, the ESXi hosts are processed sequentially (one at a time). You can look at the TASK(S) column to find out which server is currently being processed.

   The TASK(S) column displays one of the following:

   • Upgrading Appliance (SVM) (Pending): The manager has received the upgrade request, but has not yet put it into the queue.
   • Upgrading Appliance (SVM) (In Queue): The manager has queued the process, and will start the upgrade soon.
   • Upgrading Appliance (SVM) (In Progress): The manager is processing the upgrade.
7. (Optional.) Still in the manager, go to the Computer Details page of one of your ESXi hosts and click the System Events tab to verify that the upgrade is proceeding successfully.

   Below is a sample of the system events you'll see when an upgrade is successful. For more events, see this complete list of appliance SVM upgrade events.

   

If you see the Appliance (SVM) Upgrade Failed system event, see Troubleshooting the 'Appliance (SVM) Upgrade Failed' system event.

Troubleshooting the 'Appliance (SVM) Upgrade Failed' system event

If you see the Appliance (SVM) Upgrade Failed system event, review its detailed description for the reason and possible fix. In the worst case scenario, you can go to the NSX Manager console and click the Resolve button (see the image below). Clicking this button manually resolves any alarms and redeploys the appliance. Guest VMs are activated according to how you set up activation when you deployed your old Deep Security Virtual Appliance.

Step 4: Final step

The appliance SVM should be upgraded successfully. Go to the manager's Computers page and double-check that the appliance SVM and all the guest VMs are back in their protected state (green dot).

Upgrade an existing appliance SVM manually

With this upgrade option, you'll use the vMotion mechanism to preserve the guest VMs' protection while the upgrade occurs.

To upgrade the appliance SVM, follow these steps:

• Step 1: Import the new virtual appliance packages into the manager
• Step 2: Review or restore identified files
• Step 3: Migrate guest VMs to another ESXi host
• Step 4: Upgrade your old appliance SVM
• Step 5: Check that maintenance mode was turned off
• Step 6: Check that the new appliance SVM is activated
• Step 7: Final step

Step 1: Import the new virtual appliance packages into the manager

1. On your Deep Security Manager computer, go to the software page at https://help.deepsecurity.trendmicro.com/software.html.
2. Download the latest Deep Security Virtual Appliance package to your computer.
3. On Deep Security Manager, go to Administration > Updates > Software > Local.
4. Click Import and upload the package to Deep Security Manager.

   When you import the appliance package, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. This agent software appears under Administration > Updates > Software > Local. When you deploy the appliance, the embedded agent software will be auto-upgraded to the latest compatible version in Local Software by default. You can change the auto-upgrade version by clicking Administration > System Settings > Updates tab > Virtual Appliance Deployment.

   It is acceptable to have multiple versions of the Deep Security Virtual Appliance package appear under Local Software. The newest version is always selected when you deploy a new Deep Security Virtual Appliance.
   

5. Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray. For details, see Install the Deep Security Notifier.

Step 2: Review or restore identified files

1. Review or restore identified files as necessary because quarantined files will be lost when you move your VMs or delete the Deep Security Virtual Appliance.
2. There is no need to shut down the guest VMs while replacing the appliance SVM.

Step 3: Migrate guest VMs to another ESXi host

For brevity, this procedure uses these terms:

• ESXi_A is the ESXi server with the virtual appliance that you want to upgrade.

• ESXi_B is the ESXi server where guest VMs are migrated to while the appliance SVM upgrade occurs. We assume it is under the same cluster as ESXi_A.

  

1. Enable DRS for the cluster and make sure it has an automation level of Fully Automated. See this VMware article for details.
2. Find ESXi_A and place this ESXi server in maintenance mode.

   When you enter maintenance mode:

   • ESXi_A's guest VMs are migrated automatically (using vMotion) to ESXi_B in your cluster.
   • The Deep Security Virtual Appliance that is protecting ESXi_A is shut down automatically.
   • Your guest VMs can no longer be powered on until ESXi_A is out of maintenance mode.

Step 4: Upgrade your old appliance SVM

1. Go to VMware vSphere Web Client > Hosts and Clusters.
2. Find the Trend Micro Deep Security appliance SVM that is powered off. It's the one without a green arrow (shown in the following image). The appliance SVM was automatically powered off when you put the corresponding ESXi server into maintenance mode.
3. Right-click the Trend Micro Deep Security appliance SVM that is powered off and select Delete from Disk.

   

4. If you see a Confirm Delete message, click Yes.

   

5. If the deletion fails with this message...

   This operation not allowed in the current state

   Do this:

   1. Right-click the Trend Micro Deep Security appliance SVM again, and this time select Remove from Inventory (which appears just above Delete from Disk). This removes the appliance SVM from vCenter but preserves it in the datastore.
   2. In the navigation pane, select the datastore tab and select the datastore where the old virtual appliance resides.
   3. In the main pane, select the Files tab.
   4. Right-click the old appliance SVM folder and select Delete File.

      

6. In VMware vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments.

   You see the following:

   • The deleted Trend Micro Deep Security appliance SVM Installation Status column shows Failed.
   • If you are in maintenance mode, the Guest Introspection service also shows as Failed.

     

7. Click the Resolve button on the Guest Introspection service if its Installation Status is Failed.

   The Guest Introspection service is powered on and maintenance mode is exited.

   Check that the Failed status changes to Enabling and then to Succeeded.

8. Click the Resolve button on the Trend Micro Deep Security service that is Failed.

   The following occurs:

• The Trend Micro Deep Security appliance SVM is redeployed with the latest software that you loaded into Deep Security Manager.
• The appliance SVM is activated.
• The embedded agent on the appliance SVM is auto-upgraded to the latest compatible version in Local Software by default.

Check that the Failed status changes to Enabling and then to Succeeded.

Step 5: Check that maintenance mode was turned off

• Check that maintenance mode was turned off if you enabled it previously. If it is still on, turn it off now.

Step 6: Check that the new appliance SVM is activated

1. In Deep Security Manager, at the top, click Computers.
2. Find Trend Micro Deep Security in the list and double-click it. This is the appliance.
3. Check the following:
   1. Check that the status is set to Managed (Online). This indicates that the agent was successfully activated.
   2. Check that the Virtual Appliance Version is set to the version of the embedded Deep Security Agent. This version should match the version of the newest agent software found under Administration > Updates > Software > Local or a specific version you set in Administration > System Settings > Updates > Virtual Appliance Deployment.
   3. Check that the Appliance (SVM) Version is set to the version of the newest Deep Security Virtual Appliance package under Administration > Updates > Software > Local.

      

You have now upgraded your appliance SVM.

Step 7: Final step

1. Repeat all the steps in this section, starting at Step 2: Review or restore identified files and ending at Step 6: Check that the new appliance SVM is activated for each appliance SVM that needs to be upgraded.

Guest VMs are activated according to how you set up activation when you deployed your old Deep Security Virtual Appliance.

Upgrade the agent embedded on the appliance SVM and apply OS patches

Although Trend Micro recommends that you upgrade your appliance SVM with the latest version, we understand that this might not be possible. In such a case, you can upgrade just the Deep Security Agent that's embedded on the appliance SVM, and apply OS patches at the same time, without redeploying the appliance SVM.

Follow these instructions to complete the upgrade.

1. Determine the installed appliance version. You'll need this information to complete the remaining steps in this procedure.
2. Import appliance patches, if they exist (failure to do so generates system event 740 to indicate that the patch was not imported):
   1. Log in to Deep Security Manager.
   2. On the left, expand Updates > Software > Download Center.
   3. In the main pane, enter Agent-DSVA in the search bar on the top-right and press Enter.
      
      One or more patches appear with the name Agent-DSVA-CentOS<version>-<patch-version>-<date>.x86_64.zip.
   4. Select a patch that is compatible with your appliance SVM. Consult the compatibility table that follows for guidance. If you don't see a compatible patch, it's because it doesn't exist, and no patch needs to be installed.
   5. Click the button in the Import Now column to import the patch into Deep Security Manager.
   6. On the left, click Local Software to verify that the patch was imported successfully.
   7. Repeat for any additional patches.
3. Import the compatible agent:
   1. Still in Deep Security Manager, on the left, expand Updates > Software > Download Center.
   2. Select the agent software that is compatible with your appliance SVM. Consult the compatibility table that follows for guidance.
   3. Click the button in the Import Now column to import the agent into Deep Security Manager.
   4. On the left, click Local Software to verify that the agent was imported successfully.

   You have now imported the patches and Deep Security Agent that are compatible with your appliance SVM version. You are ready to upgrade the agent on the appliance SVM and apply the patches.

4. Upgrade the agent on the appliance SVM and apply the patches:
   1. Click Computers and double-click your appliance computer.
   2. Click Actions > Upgrade Appliance.
   3. Select the agent version to install on the appliance. This is the agent you just imported.
   4. Click OK.
5. Click Events & Reports and search on 710 to find the report about the installation of the update file.

You have now upgraded the agent on the appliance SVM and installed one or more OS patches (if they existed).

If you upgraded the Deep Security Agent before importing the OS patch for the appliance SVM, you will see system event 740. To fix this problem, use the following procedure.

1. Import the appliance patches for the version of the appliance SVM that you are upgrading. See above in this section for instructions. The appliance patches appear on the Local Software page in Deep Security Manager.
2. Go to the Computers page.
3. Right-click the virtual machine where you want to upgrade the appliance and click Send Policy. The appliance downloads and installs the patches.

If the appliance fails to download the patches, it could be that the relay hasn’t received the patch files yet. Wait until the relay receives the files and then click Send Policy. For information on relays, see Distribute security and software updates with relays.

Compatibility table: appliance, agent, and patch

Appliance SVM version	Image OS	Compatible agent software	Compatible appliance patch (if it exists)
Appliance-ESX-10.0 or higher	CentOS 7	Agent-RedHat_EL7-<version>.x86_64.zip	Agent-DSVA_CENTOS7.0-<patch-version>-<date-stamp>.x86_64.zip

Determine the installed appliance version

Click Computers, select the appliance virtual machine, and click Details > General.

• The Virtual Appliance Version property indicates the version of the Deep Security Agent that is deployed on the appliance SVM.
• The Appliance (SVM) Version property indicates the version of the Deep Security Virtual Appliance package that is used to deploy this virtual machine.