Deploy the appliance (NSX-V)

You can watch Deep Security 12 - Agentless Deployment on YouTube to review the setup of agentless protection for a VMware environment with an NSX-V Manager. The video shows you how to import the Deep Security Virtual Appliance, synchronize vCenter and NSX Manager with your Deep Security Manager, deploy Guest Introspection and the appliance, and test the Anti-Malware protection with an EICAR file.

If you want agentless protection for your VMware images, you must deploy the Deep Security Virtual Appliance.

To deploy the appliance on NSX Data Center for vSphere (NSX-V), follow the steps below.

To deploy on NSX-T Data Center, see instead Deploy the appliance (NSX-T).

You can also Upgrade the Deep Security Virtual Appliance to protect against new OS vulnerabilities.

Before you begin

  • Review this table to see which NSX licenses and versions are supported.
  • Review these system requirements.
  • If the features you want are not available agentlessly, use 'combined mode'.
  • If you configured guest VMs to have direct access to a network card, install agents on those VMs. In this case there is no opportunity to intercept packets and an in-guest agent is preferable. See Choose agentless vs. combined mode protection for details.

Step 1: Import appliance packages into Deep Security Manager

Follow the instructions below to download the Deep Security Virtual Appliance and import it into Deep Security Manager.

  1. On your Deep Security Manager computer, go to the software page at https://help.deepsecurity.trendmicro.com/software.html.
  2. Download the latest Deep Security Virtual Appliance package to your computer.
  3. On Deep Security Manager, go to Administration > Updates > Software > Local.
  4. Click Import and upload the package to Deep Security Manager.

    When you import the appliance package, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. This agent software appears under Administration > Updates > Software > Local. When you deploy the appliance, the embedded agent software will be auto-upgraded to the latest compatible version in Local Software by default. You can change the auto-upgrade version by clicking Administration > System Settings > Updates tab > Virtual Appliance Deployment.

    It is acceptable to have multiple versions of the Deep Security Virtual Appliance package appear under Local Software. The newest version is always selected when you deploy a new Deep Security Virtual Appliance.

  5. Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray. For details, see Install the Deep Security Notifier.

Step 2: Add vCenter to Deep Security Manager

Add vCenter to Deep Security Manager following the instructions in Add a VMware vCenter.

After you have finished:

  • your guest VMs are displayed in Deep Security Manager.
  • the Trend Micro Deep Security service is registered with NSX-V.

Step 3: Prepare ESXi servers

If you are using NSX Advanced Edition or NSX Enterprise Edition, you must prepare your ESXi servers by installing the drivers necessary for network traffic inspection. This operation is performed on the cluster.

If you are using another NSX edition, skip this section.

  1. In your vSphere Web Client, go to Home > Networking & Security > Installation > Host Preparation.

  2. Locate the NSX cluster you are going to protect with Deep Security in the Clusters & Hosts list and click Install in the Installation Status column. The installation will complete and the driver version will be displayed in the Installation Status column.

    ESXi host preparation is now complete. For more complete instructions on host preparation, see VMware documentation.

Step 4: Install Guest Introspection

If you want file-based protection such as Anti-Malware or Intrusion Prevention for your VMs, you must install the Guest Introspection service on your ESXi servers.

If you do not install Guest Introspection, the Anti-Malware and Intrusion Prevention features will not work.

  1. In vSphere Web Client, go to Home > Networking & Security > Installation, then click the Service Deployments tab.

  2. Click the green plus icon.

    The Deploy Network & Security Services window appears.

  3. Select Guest Introspection, then click Next.

  4. Select the cluster that contains the ESXi servers and VMs that you want to protect, then click Next.

  5. Select the datastore, the distributed port group used by your NSX cluster, and IP assignment method, then click Next.

  6. Review your settings, then click Finish.

    vSphere may take a few minutes to install the guest introspection service on your ESXi servers. When it is finished, Installation Status will display "Succeeded". To update the status, you may need to refresh the vSphere Web Client.


Step 5: Install the Deep Security Virtual Appliance on NSX-V

  1. In the vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments.
  2. Click the green plus sign.

  3. In the new window that appears, select the Trend Micro Deep Security service and then click Next. If you do not see this service, it might be because you have not yet added your vCenter to Deep Security Manager. For details, see Step 2: Add vCenter to Deep Security Manager.

  4. Click Finish.

    When deployment is complete, the Trend Micro Deep Security service appears in the list of network and security service deployments in the cluster.

Step 6: Prepare for activation on NSX-V

In an upcoming step, you will be activating your VMs in Deep Security. To prepare for this activation, you can use Method 1, 2, or 3. Consult the table to learn more. Look below the table to find the associated procedures.

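    Deep Security Virtual Appliance deployment

    Method 1: Create a 'Computer Created' event-based task.

    Method 2: Create an 'NSX Security Group Change' event-based task.

      • NSX for vSphere (NSX-V) 6.3.x - 6.4.x:
        Standard OR NSX for vShield Endpoint (free): X
        Advanced: 1
        Enterprise: 1
      • NSX for vSphere (NSX-V) 6.4.1+:
        NSX Data Center Standard: X
        NSX Data Center Professional: X
        NSX Data Center Advanced: 1
        NSX Data Center Enterprise Plus: 1
        NSX Data Center for Remote Office Branch Office: 1
      • NSX-T 2.4+:
        NSX Data Center Standard: X
        NSX Data Center Professional: X
        NSX Data Center Advanced: X
        NSX Data Center Enterprise Plus: X
        NSX Data Center for Remote Office Branch Office: X

    Method 3: Synchronize your Deep Security policies to NSX.

      • NSX for vSphere (NSX-V) 6.3.x - 6.4.x:
        Standard OR NSX for vShield Endpoint (free): X
        Advanced: 1
        Enterprise: 1
      • NSX for vSphere (NSX-V) 6.4.1+:
        NSX Data Center Standard: X
        NSX Data Center Professional: X
        NSX Data Center Advanced: 1
        NSX Data Center Enterprise Plus: 1
        NSX Data Center for Remote Office Branch Office: 1
      • NSX-T 2.4+:
        NSX Data Center Standard: X
        NSX Data Center Professional: X
        NSX Data Center Advanced: X
        NSX Data Center Enterprise Plus: X
        NSX Data Center for Remote Office Branch Office: X

    1 Requires VMware's Network Introspection Service.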

Method 1: Create a 'Computer Created' event-based task.

Method 2: Create an 'NSX Security Group Change' event-based task

Method 3: Synchronize your Deep Security policies to NSX

Step 7: Create NSX security groups and policies

First, create NSX security group(s):

  1. In vSphere Web Client, go to Home > Networking & Security > Service Composer > Security Groups.
  2. Click New Security Group.

  3. Define Dynamic Membership: If you want to restrict membership in this group based on filtering criteria, enter those criteria here.

  4. Select the objects that will be included. Follow this guidance:

    • If you decided to use event-based tasks, you can add all your VMs to the security group if you want.
    • If you decided to use policy synchronization, only add those VMs that correspond to the Deep Security policy you want to assign. For example, if you want to assign the Windows Server 2016 policy, only include Windows Server 2016 VMs.
    • There are many ways to include or exclude objects in an NSX security group. For this example, we will include the NSX cluster that contains the ESXi hosts and VMs that we want to protect. In the Select objects to include options, select Cluster from the Object Type menu, and move the NSX cluster that contains the VMs to protect to the Selected Objects column.

    If a VM is included in more than one security group, then when you go to Computers in Deep Security Manager and search for the VM's name, it will appear more than once in search results. For more information, please see Duplicate host records appear in Computer page when the host is located in more than one NSX security group.
  5. Click Finish to create the new security group and return to the Security Groups tab to see the newly listed security group.

Next, create an NSX security policy:

  1. In vSphere Web Client, go to Home > Networking and Security > Service Composer > Security Policies.
  2. Click New Security Policy.

  3. Guest Introspection Services: Configure Guest Introspection Services if you are using the Anti-Malware or Intrusion Prevention modules.

    If you do not install Guest Introspection, the Anti-Malware and Intrusion Prevention features will not work.

    Click the green plus sign to add an Endpoint Service. Provide a name for the Endpoint Service and select the following settings:
    • Action: Apply
    • Service Name: Trend Micro Deep Security
    • Service Profile: Select one of the following:
      • If you decided to use event-based tasks, select Default (EBT). This is a profile configuration that is configured to trigger event-based task(s) in Deep Security Manager.
      • If you decided to use policy synchronization, select the profile configuration that matches the Deep Security policy that you want to apply.
    • State: Enabled
    • Enforce: Yes

    Click OK, then click Next.

  4. Firewall Rules: do not make any changes. Click Next.
  5. Network Introspection Services: Network Introspection Services are only available with NSX Advanced and Enterprise, and only need to be configured if you are using the Web Reputation, Firewall, or Intrusion Prevention modules. You will be adding two Network Introspection Services to the NSX Security Policy: a first one for outbound traffic, and a second one for inbound traffic.
    1. For the first, outbound, service, in the Network Introspection Services options, click the green plus sign to create a new service. In the Add Network Introspection Service window, provide a name for the service (preferably one that includes the word "Outbound") and select the following settings:
      • Action: Redirect to service
      • Service Name: Trend Micro Deep Security
      • Service Profile: Select the same NSX profile configuration as you did in step 4.
      • Source: Policy's Security Groups
      • Destination: Any
      • Service: Any
      • State: Enabled
      • Log: Do not log

    2. For the second, inbound, service, in the Network Introspection Services options, click the green plus sign to create a new service. In the Add Network Introspection Service window, provide a name for the service (preferably one that includes the word "Inbound") and select the following settings:
      • (NSX 6.3) Action: Redirect to service

        OR

      • (NSX 6.4.1 or higher) Redirect to service: Yes
      • Service Name: Trend Micro Deep Security
      • Service Profile: Select the same NSX profile configuration as you did in step 4.
      • Source: Any
      • Destination: Policy's Security Groups
      • Service: Any
      • State: Enabled
      • Log: Do not log

    3. Click OK in the Add Network Introspection Service window, and then click Finish to complete and close the New Security Policy window.

    You have now created an NSX security policy for Deep Security.

Next, associate the NSX security policy you just created with the NSX security group you also just created:

  1. Stay on the Security Policies tab of the Home > Networking & Security > Service Composer page in your vSphere Web Client.
  2. With the new security policy selected, click the Apply Security Policy icon.
  3. In the Apply Policy to Security Groups window, select the security group that contains the VMs you want to protect and click OK.

    The NSX security policy is now applied to the VMs in the NSX security group.

As a final step, if you decided to use policy synchronization, create additional NSX security policies and groups:

This step is not required if you decided to use event-based tasks.

  1. For each Deep Security policy that you want to assign, create:
    1. an NSX security group with a name that reflects the Deep Security policy you plan to assign. For example, Linux Server Security Group.
    2. an NSX security policy (for example, Linux Server Security Policy) that has its Service Profile set to the Deep Security policy you want to assign.

    You should now have multiple NSX security policies and groups. For example:

    Linux Server Security Group
    Linux Server Security Policy

    Windows 10 Desktop Security Group
    Windows 10 Desktop Security Policy

    ...and so on.

  2. Associate each policy with the corresponding security group. For example, associate the Linux Server Security Policy with the Linux Server Security Group.

You have now created NSX security groups and policies. Any VMs that are added to these NSX security groups will be activated in Deep Security Manager, and assigned a Deep Security policy.

Step 8: Trigger an activation and policy assignment

Your VMs are now ready to be activated and assigned a policy.

If you chose Method 1: Create a 'Computer Created' event-based task, you'll need to manually synchronize the vCenter. Go to Deep Security Manager, right-click the vCenter on the left, and select Synchronize Now. Your existing VMs should now be protected.

If you chose Method 2: Create an 'NSX Security Group Change' event-based task, all VMs should be activated and assigned policy automatically now. To check, see the next step.

If you chose Method 3: Synchronize your Deep Security policies to NSX, all VMs should be activated and assigned policy automatically now. To check, see the next step.

Step 9: Check that VMs are activated and assigned a policy

Make sure your VMs in Deep Security Manager become activated, and are assigned a policy.

  1. In Deep Security Manager, click Computers at the top.
  2. On the left, expand Computers > <your_vCenter> > Virtual Machines.
  3. Check the TASK(S) and STATUS columns. (Click Columns at the top to add them if they are not visible.) The TASK(S) column should indicate Activating, and your VMs should move from the Unmanaged (Unknown) status, to the Unmanaged (No Agent) status, to the Managed (Online) status. You may see the VMs move into the VMware Tools Not Installed status, but this is temporary.
  4. Check the POLICY column to make sure the correct Deep Security policy was assigned.
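
One way to automate this check across many VMs, as an added example (not Trend Micro's code): it reads a CSV listing of the Computers page columns and reports VMs that have not reached Managed (Online), have no policy or an unexpected one, or are listed more than once. The CSV layout, the NAME column, the `audit_computers` helper and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Statuses Step 9 describes as part of a normal activation that is still running.
IN_PROGRESS = {"Unmanaged (Unknown)", "Unmanaged (No Agent)", "VMware Tools Not Installed"}
PROTECTED = "Managed (Online)"

# Constructed sample listing; column names and layout are assumptions.
SAMPLE_EXPORT = """NAME,TASK(S),STATUS,POLICY
web-01,,Managed (Online),Linux Server
web-02,Activating,Unmanaged (No Agent),
db-01,,Managed (Online),
win-07,,Managed (Online),Windows 10 Desktop
win-07,,Managed (Online),Windows 10 Desktop
app-03,,Managed (Offline),Linux Server
"""

def audit_computers(csv_text, expected_policy=None):
    """Return {vm_name: [findings]} for VMs that are not verifiably protected."""
    expected_policy = expected_policy or {}
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    seen = Counter(r["NAME"] for r in rows)
    findings = {}
    for r in rows:
        name, status, policy = r["NAME"], r["STATUS"].strip(), r["POLICY"].strip()
        issues = []
        if status in IN_PROGRESS:
            issues.append(f"activation not finished: {status}")
        elif status != PROTECTED:
            issues.append(f"unexpected status: {status}")
        elif not policy:
            issues.append("no policy assigned")
        want = expected_policy.get(name)
        if want and policy and policy != want:
            issues.append(f"policy is {policy!r}, expected {want!r}")
        if seen[name] > 1:
            # Step 7 notes that a VM in several NSX security groups appears more than once.
            issues.append(f"listed {seen[name]} times (more than one NSX security group?)")
        if issues:
            # Merge findings from repeated rows without duplicating messages.
            findings[name] = list(dict.fromkeys(findings.get(name, []) + issues))
    return findings

if __name__ == "__main__":
    for vm, issues in audit_computers(SAMPLE_EXPORT, {"web-01": "Windows 10 Desktop"}).items():
        print(f"{vm}: {'; '.join(issues)}")
```

A VM reported as "activation not finished" may simply need more time; one that stays in that state, or any VM with another finding, is running without the protection this deployment is meant to provide.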

You have now deployed Deep Security Virtual Appliance and protected your VMs with it.

Next steps (how to add new VMs)

Follow the instructions below to learn how to add new VMs to your system and protect them with Deep Security.

To add a new VM if you chose Method 1: Create a 'Computer Created' event-based task:

  • Create a new VM in vCenter. This triggers the Computer Created (by System) event-based task, which activates and assigns policy to the new VM.

To add a new VM if you chose Method 2: Create an 'NSX Security Group Change' event-based task:

  • Create or move the VM into one of the NSX security groups. This triggers the NSX Security Group Change event-based task, which activates and assigns policy to the new VM.

To add a new VM if you chose Method 3: Synchronize your Deep Security policies to NSX:

  • Create or move the VM into one of the NSX security groups. This activates and assigns policy to the new VM.