Upgrade the Deep Security Virtual Appliance

Trend Micro recommends that you upgrade the Deep Security Virtual Appliance with the newest version to take advantage of the latest security patches, updates, and ongoing support.

The appliance has two parts, which can be upgraded separately:

  • the appliance service virtual machine (SVM)
  • the Deep Security Agent embedded in the appliance SVM

The term 'appliance SVM' refers to the Deep Security Virtual Appliance virtual machine deployed in your VMware infrastructure.

Appliance support duration and upgrade recommendations

The appliance SVM and the appliance's embedded agent have different release cycles, so you'll need to upgrade them on different schedules. See the table below for details.

| Component | Release schedule | Best practice for upgrades | Support |
|---|---|---|---|
| Appliance SVM | Released with each Long-term support (LTS) release of Deep Security. There are no feature releases (FRs) of the appliance SVM. | Upgrade yearly. | 3 years standard support; 4 years extended support |
| Embedded agent | Released with the appliance SVM with each LTS release, and as a separate download with each FR. | Upgrade at least yearly, or whenever a new compatible agent is available. | Matches the appliance SVM support |

Do the versions of the appliance SVM, embedded agent, and Deep Security Manager need to match?

No, but the manager version must be equal to or greater than the appliance SVM and embedded agent.

Check whether you need to upgrade

If you're not sure which version of the appliance SVM and embedded agent you're running, or whether new versions are available, read this section to find out. Otherwise, skip this section and proceed directly to Upgrade the appliance.

Consult these sections to determine whether you need to upgrade:

Determine which versions of the appliance SVM and embedded agent you're using

  1. In Deep Security Manager, click Computers.
  2. In the search box at the top right, enter Deep Security Virtual Appliance to find the appliance virtual machines.
  3. Right-click the appliance virtual machine, and click Details > General.
    • The Virtual Appliance Version property indicates the version of the embedded Deep Security Agent. This agent is deployed on the appliance SVM. Write down this value.
    • The Appliance (SVM) Version property indicates the version of the Deep Security Virtual Appliance package that is used to deploy this virtual machine. Write down this value.

Determine whether a new appliance SVM is available

  1. In Deep Security Manager, click Administration.
  2. On the left, expand Updates > Software > Download Center.
  3. In the main pane, enter Appliance-ESX in the search box on the top-right and press Enter. All the appliance SVM software appears.
  4. In the main pane, expand the LTS release that matches your Deep Security Manager release.
  5. Look for the version in the VERSION field and see if it's newer than the installed version.
  6. If you find that you need to upgrade, go to the next section, Upgrade the appliance.

Determine whether a new agent is available

  1. In Deep Security Manager, click Administration.
  2. On the left, expand Updates > Software > Download Center.
  3. In the main pane, in the search box on the top-right, enter the name of an agent that is compatible with your installed appliance SVM. Consult the compatibility table for guidance. For example, enter Agent-RedHat_EL7 into the search box. A list of compatible agents appears.
  4. In the main pane, expand the latest release to view the latest agent.
  5. Look for the version in the VERSION field and see if it's newer than the installed version.
  6. If you find that you need to upgrade, go to the next section, Upgrade the appliance.

Upgrade the appliance

After determining that you need to upgrade your appliance, you have a few upgrade options depending on whether you're using NSX Data Center for vSphere (NSX-V) or NSX-T.

If you are using NSX-V, you have three upgrade options:

  • Option 1: Upgrade an existing appliance SVM automatically. Use this option if:
    • A new version of the appliance SVM is available from Trend Micro.
    • Protection loss of your guest VMs during the upgrade period is acceptable. If protection loss is unacceptable, use Option 2.
    • You are using NSX Data Center for vSphere (NSX-V).
  • Option 2: Upgrade an existing appliance SVM manually. Use this option if:
    • A new version of the appliance SVM is available from Trend Micro.
    • Protection loss of your guest VMs during the upgrade is unacceptable.
  • Option 3: Upgrade the agent embedded on the appliance SVM and apply OS patches. Use this option if:
    • A new version of an appliance-compatible agent is available from Trend Micro.
    • You want the latest protection features offered by the newest agent software without having to complete a full appliance SVM upgrade.

If you are using NSX-T, you can use Option 2 or 3.

See also Upgrade the NSX license for more Deep Security features.

Upgrade an existing appliance SVM automatically

With this upgrade option, your guest VMs lose protection during the upgrade process, which takes five to fifteen minutes depending on the resources of your VMware components and network stability. If you would like to maintain protection of the guest VMs, see instead Upgrade an existing appliance SVM manually.

Any resource adjustments or custom configurations you may have made to the current appliance SVM, such as extending the CPU or memory or changing a password, will not be carried over to the new appliance SVM after the upgrade. You will need to manually re-apply these configurations when the upgrade finishes.

Before you begin

  1. Make sure you're using NSX Data Center for vSphere (NSX-V). The automatic upgrade is not supported on NSX-T.
  2. Make sure that the vCenter account that you specified in Deep Security Manager has these permissions:
    • VirtualMachine.Interaction.Power Off, and
    • VirtualMachine.Inventory.Remove, and
    • ESX Agent Manager.Modify
  3. Make sure that the NSX Manager account that you specified in Deep Security Manager belongs to one of these NSX Manager roles:
    • Security Engineer, or
    • Security Administrator, or
    • Enterprise Administrator

Step 1: Import the new virtual appliance packages into the manager

  1. On your Deep Security Manager computer, go to the software page at https://help.deepsecurity.trendmicro.com/software.html.
  2. Download the latest Deep Security Virtual Appliance package to your computer.
  3. On Deep Security Manager, go to Administration > Updates > Software > Local.
  4. Click Import and upload the package to Deep Security Manager.

    When you import the appliance package, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. This agent software appears under Administration > Updates > Software > Local. When you deploy the appliance, the embedded agent software will be auto-upgraded to the latest compatible version in Local Software by default. You can change the auto-upgrade version by clicking Administration > System Settings > Updates tab > Virtual Appliance Deployment.

    It is acceptable to have multiple versions of the Deep Security Virtual Appliance package appear under Local Software. The newest version is always selected when you deploy a new Deep Security Virtual Appliance.

  5. Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray. For details, see Install the Deep Security Notifier.

Step 2: Upgrade the appliance SVM in the manager

  1. In Deep Security Manager, click Computers at the top.
  2. Find the ESXi host where your existing appliance SVM is located. The ESXi host has its PLATFORM column set to VMware ESXi <version_build>. (It is not a computer with a PLATFORM of Deep Security Virtual Appliance.)
  3. Right-click the ESXi host and select Actions > Upgrade Appliance (SVM).

    You can use Shift+click to select multiple ESXi hosts, if you want to upgrade several at once.

    The Upgrade Appliance (SVM) option is only available if the latest virtual appliance package in Local Software is newer than the one that's currently in use. To make the option available, try importing the latest appliance package. If that doesn't work, it's likely because you're already using the latest version of the appliance SVM. To check, look at the Appliance (SVM) Version property on the computer details page of the appliance virtual machine.

    The Upgrade Appliance (SVM) page appears with a check box, warnings, and a note.

    During the upgrade, the appliance (SVM) will be shut down for about 3 - 10 minutes depending on your vCenter and ESX resources.

  4. (Optional.) Select the "Check NSX alarms before upgrade, and cancel the process if any alarms exist" check box if you want the manager to check the service status from NSX Manager before the upgrade begins. Deselect the check box if you want to skip the check and proceed with the upgrade despite possible alarms.
  5. Review the warnings and note on the page.
  6. Click OK.

    The upgrade process begins, including a pre-upgrade service status check, if you enabled it.

  7. (Optional.) Still in the manager, go back to the Computers page, find your ESXi host, and look at its TASK(S) column to view the status of the upgrade.

    If you previously shift+clicked several ESXi hosts on which to perform an upgrade, the ESXi hosts are processed sequentially (one at a time). You can look at the TASK(S) column to find out which server is currently being processed.

    The TASK(S) column displays one of the following:

    • Upgrading Appliance (SVM) (Pending): The manager has received the upgrade request, but has not yet put it into the queue.
    • Upgrading Appliance (SVM) (In Queue): The manager has queued the process, and will start the upgrade soon.
    • Upgrading Appliance (SVM) (In Progress): The manager is processing the upgrade.
  8. (Optional.) Still in the manager, go to the Computer Details page of one of your ESXi hosts and click the System Events tab to verify that the upgrade is proceeding successfully.

    Below is a sample of the system events you'll see when an upgrade is successful. For more events, see this complete list of appliance SVM upgrade events.

If you see the Appliance (SVM) Upgrade Failed system event, see Troubleshooting the 'Appliance (SVM) Upgrade Failed' system event.

Troubleshooting the 'Appliance (SVM) Upgrade Failed' system event

If you see the Appliance (SVM) Upgrade Failed system event, review its detailed description for the reason and possible fix. In the worst case scenario, you can go to the NSX Manager console and click the Resolve button. Clicking this button manually resolves any alarms and redeploys the appliance. Guest VMs are activated according to how you set up activation when you deployed your old Deep Security Virtual Appliance. For details on activation set up, see the activation section of Deploy the appliance (NSX-V).

Step 4: Final step

The appliance SVM should be upgraded successfully. Go to the manager's Computers page and double-check that the appliance SVM and all the guest VMs are back in their protected state (green dot).

Upgrade an existing appliance SVM manually

This upgrade option works for both NSX-V and NSX-T environments.

With a manual upgrade, you'll use the vMotion mechanism to preserve the guest VMs' protection while the upgrade occurs.

To upgrade the appliance SVM, follow these steps:

Step 1: Import the new virtual appliance packages into the manager

  1. On your Deep Security Manager computer, go to the software page at https://help.deepsecurity.trendmicro.com/software.html.
  2. Download the latest Deep Security Virtual Appliance package to your computer.
  3. On Deep Security Manager, go to Administration > Updates > Software > Local.
  4. Click Import and upload the package to Deep Security Manager.

    When you import the appliance package, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. This agent software appears under Administration > Updates > Software > Local. When you deploy the appliance, the embedded agent software will be auto-upgraded to the latest compatible version in Local Software by default. You can change the auto-upgrade version by clicking Administration > System Settings > Updates tab > Virtual Appliance Deployment.

    It is acceptable to have multiple versions of the Deep Security Virtual Appliance package appear under Local Software. The newest version is always selected when you deploy a new Deep Security Virtual Appliance.

  5. Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray. For details, see Install the Deep Security Notifier.

Step 2: Review or restore identified files

  1. Review or restore identified files as necessary because identified files will be lost when you move your VMs or delete the Deep Security Virtual Appliance.
  2. There is no need to shut down the guest VMs while replacing the appliance SVM.

Step 3: Migrate guest VMs to another ESXi host

For brevity, this procedure uses these terms:

  • ESXi_A is the ESXi server with the virtual appliance that you want to upgrade.
  • ESXi_B is the ESXi server where guest VMs are migrated to while the appliance SVM upgrade occurs. We assume it is under the same cluster as ESXi_A.

  1. Enable DRS for the cluster and make sure it has an automation level of Fully Automated. See this VMware article for details.
  2. Find ESXi_A and place this ESXi server in maintenance mode.

    When you enter maintenance mode:

    • ESXi_A's guest VMs are migrated automatically (using vMotion) to ESXi_B in your cluster.
    • The Deep Security Virtual Appliance that is protecting ESXi_A is shut down automatically.
    • Your guest VMs can no longer be powered on until ESXi_A is out of maintenance mode.

Step 4: Upgrade your old appliance SVM

  1. Go to VMware vSphere Web Client > Hosts and Clusters.
  2. Find the Trend Micro Deep Security appliance SVM that is powered off. It's the one without a green arrow. The appliance SVM was automatically powered off when you put the corresponding ESXi server into maintenance mode.
  3. Right-click the Trend Micro Deep Security appliance SVM that is powered off and select Delete from Disk.

  4. If you see a Confirm Delete message, click Yes.

  5. If the deletion fails with this message...

    This operation not allowed in the current state

    Do this:

    1. Right-click the Trend Micro Deep Security appliance SVM again, and this time select Remove from Inventory (which appears just above Delete from Disk). This removes the appliance SVM from vCenter but preserves it in the datastore.
    2. In the navigation pane, select the datastore tab and select the datastore where the old virtual appliance resides.
    3. In the main pane, select the Files tab.
    4. Right-click the old appliance SVM folder and select Delete File.

    5. If you are using NSX-V, skip to The NSX-V instructions.
    6. If you are using NSX-T, skip to The NSX-T instructions.

      The NSX-V instructions

    7.  Open VMware vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments.

      You see the following:

      • The deleted Trend Micro Deep Security appliance SVM Installation Status column shows Failed.
      • If you are in maintenance mode, the Guest Introspection service also shows as Failed.

    8. Click the Resolve button on the Guest Introspection service if its Installation Status is Failed. The Failed status changes to Enabling and then to Succeeded. The Guest Introspection service is powered on and maintenance mode is exited.
    9. Click the Resolve button on the Trend Micro Deep Security service that is Failed. The Failed status changes to Enabling and then to Succeeded. The following occurred:

      • The Trend Micro Deep Security appliance SVM was redeployed with the latest software that you loaded into Deep Security Manager.
      • The appliance SVM was activated.
      • The embedded agent on the appliance SVM was auto-upgraded to the latest compatible version in Local Software by default.

    This ends the NSX-V instructions. You can proceed to Step 5: Check that maintenance mode was turned off.

    The NSX-T instructions

    1. Open the NSX-T Manager and go to System > Service Deployments > DEPLOYMENT.
    2. You see the following:

    3. Click Resolve > RESOLVE ALL > OK. The Status should change from Down, to In Progress, to Up.

    This ends the NSX-T instructions. You can proceed to Step 5: Check that maintenance mode was turned off.

Step 5: Check that maintenance mode was turned off

Step 6: Check that the new appliance SVM is activated

  1. In Deep Security Manager, at the top, click Computers.
  2. Find Trend Micro Deep Security in the list and double-click it. This is the appliance.
  3. Check the following:
    1. Check that the status is set to Managed (Online). This indicates that the agent was successfully activated.
    2. Check that the Virtual Appliance Version is set to the version of the embedded Deep Security Agent. This version should match the version of the newest agent software found under Administration > Updates > Software > Local or a specific version you set in Administration > System Settings > Updates > Virtual Appliance Deployment.
    3. Check that the Appliance (SVM) Version is set to the version of the newest Deep Security Virtual Appliance package under Administration > Updates > Software > Local.

You have now upgraded your appliance SVM.

Step 7: Final step

  1. Repeat all the steps in this section, starting at Step 2: Review or restore identified files and ending at Step 6: Check that the new appliance SVM is activated for each appliance SVM that needs to be upgraded.

Guest VMs are activated according to how you set up activation when you deployed your old Deep Security Virtual Appliance. For details on activation set up, see the activation section of Deploy the appliance (NSX-V) or Deploy the appliance (NSX-T).

Upgrade the agent embedded on the appliance SVM and apply OS patches

You can upgrade just the Deep Security Agent that's embedded on the appliance SVM, and apply OS patches at the same time, without redeploying the appliance SVM.

When you upgrade just the embedded agent, the appliance SVM’s original end-of-support date remains in effect. For details, see Appliance support duration and upgrade recommendations.

Follow these instructions to upgrade the embedded agent on the appliance SVM.

  1. Determine which versions of the appliance SVM and embedded agent you're using. You'll need this information to complete the remaining steps in this procedure.
  2. Import appliance patches, if they exist (failure to do so generates system event 740 to indicate that the patch was not imported):
    1. Log in to Deep Security Manager.
    2. On the left, expand Updates > Software > Download Center.
    3. In the main pane, enter Agent-DSVA in the search bar on the top-right and press Enter.
      One or more patches appear with the name Agent-DSVA-CentOS<version>-<patch-version>-<date>.x86_64.zip.
    4. Select a patch that is compatible with your appliance SVM. Consult the compatibility table that follows for guidance. If you don't see a compatible patch, it's because it doesn't exist for the version of the appliance SVM you're running, and no patch needs to be installed.
    5. Click the button in the Import Now column to import the patch into Deep Security Manager.
    6. On the left, click Local Software to verify that the patch was imported successfully.
    7. Repeat for any additional patches.
  3. Import the compatible agent:
    1. Still in Deep Security Manager, on the left, expand Updates > Software > Download Center.
    2. Select the agent software that is compatible with your appliance SVM. Consult the compatibility table that follows for guidance.
    3. Click the button in the Import Now column to import the agent into Deep Security Manager.
    4. On the left, click Local Software to verify that the agent was imported successfully.

    You have now imported the patches and Deep Security Agent that are compatible with your appliance SVM version. You are ready to upgrade the agent on the appliance SVM and apply the patches.

  4. Upgrade the agent on the appliance SVM and apply the patches:
    1. Click Computers and double-click your appliance computer.
    2. Click Actions > Upgrade Appliance.
    3. Select the agent version to install on the appliance. This is the agent you just imported.
    4. Click OK.
  5. Click Events & Reports and search on 710 to find the report about the installation of the update file.

You have now upgraded the agent on the appliance SVM and installed one or more OS patches (if they existed).

If you upgraded the Deep Security Agent before importing the OS patch for the appliance SVM, you will see system event 740. To fix this problem, use the following procedure.

  1. Import the appliance patches for the version of the appliance SVM that you are upgrading. See above in this section for instructions. The appliance patches appear on the Local Software page in Deep Security Manager.
  2. Go to the Computers page.
  3. Right-click the virtual machine where you want to upgrade the appliance and click Send Policy. The appliance downloads and installs the patches.

If the appliance fails to download the patches, it could be that the relay hasn’t received the patch files yet. Wait until the relay receives the files and then click Send Policy. For information on relays, see Distribute security and software updates with relays.

Compatibility table: appliance, agent, and patch

| Appliance SVM version | Image OS | Compatible agent software | Compatible appliance patch (if it exists) |
|---|---|---|---|
| Appliance-ESX-10.0 or higher | CentOS 7 | Agent-RedHat_EL7-<version>.x86_64.zip, where <version> is the version of the agent software. Select the latest version. This version of the agent will be used as the embedded agent. | Agent-DSVA_CENTOS7.0-<patch-version>-<date-stamp>.x86_64.zip |
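
The version rule (the manager must be equal to or greater than the appliance SVM and embedded agent) and the compatibility table above can be checked before an upgrade is started. The following is an added example, not Trend Micro code: it takes the versions written down from Details > General and the file names listed under Local Software. The version layout (`20.0.0-877`), the release-only comparison against the manager, and all sample values are assumptions.

```python
import re

# Package name patterns from the compatibility table (Appliance-ESX-10.0 or higher).
AGENT_RE = re.compile(
    r"^Agent-RedHat_EL7-(?P<version>\d+(?:\.\d+){0,2}(?:-\d+)?)\.x86_64\.zip$")
PATCH_RE = re.compile(r"^Agent-DSVA_CENTOS7\.0-.+\.x86_64\.zip$")


def parse_version(text):
    """Turn '20.0.0-877' into (20, 0, 0, 877). The dotted-numbers-plus-build
    layout is an assumption; the page only shows <version> placeholders."""
    match = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:-(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(n) for n in match.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))      # '12.0' compares equal to '12.0.0'
    return tuple(numbers) + (int(match.group(2) or 0),)


def release(version):
    """Release part only (no build number); assumed to be what the manager rule compares."""
    return parse_version(version)[:3]


def newest_agent(local_software):
    """Highest Agent-RedHat_EL7 version among the given file names, or None."""
    versions = [m.group("version") for m in map(AGENT_RE.match, local_software) if m]
    return max(versions, key=parse_version, default=None)


def review_upgrade(manager, svm, agent, local_software):
    """Findings for one appliance: rule violations first, then upgrade candidates."""
    findings = []
    for name, installed in (("appliance SVM", svm), ("embedded agent", agent)):
        if release(manager) < release(installed):
            findings.append(f"BLOCK: manager {manager} is older than {name} {installed}")
    if release(svm) < (10, 0, 0):
        findings.append("BLOCK: compatibility table only covers Appliance-ESX-10.0 or higher")
    candidate = newest_agent(local_software)
    if candidate and parse_version(candidate) > parse_version(agent):
        if release(candidate) > release(manager):
            findings.append(f"BLOCK: agent {candidate} is newer than manager {manager}")
        else:
            findings.append(f"UPGRADE: embedded agent {agent} -> {candidate}")
            if not any(PATCH_RE.match(name) for name in local_software):
                findings.append("NOTE: no Agent-DSVA_CENTOS7.0 patch in Local Software; "
                                "import one first if it exists, or expect system event 740")
    return findings


# Constructed sample data; versions and file names are illustrative only.
LOCAL_SOFTWARE = [
    "Agent-RedHat_EL7-12.0.0-563.x86_64.zip",
    "Agent-RedHat_EL7-20.0.0-877.x86_64.zip",
    "Agent-Windows-20.0.0-877.x86_64.msi",
]

if __name__ == "__main__":
    for line in review_upgrade("20.0.0", "12.0.0-682", "12.0.0-563", LOCAL_SOFTWARE):
        print(line)
```

Versions are compared numerically rather than as strings, so a 9.x package is never ranked above a 12.x one.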