Activate and protect agents using agent-initiated activation and communication
When you enable agent-initiated activation (AIA), instead of the Deep Security Manager contacting the agents directly, the agents initiate communication with the manager and establish an encrypted TCP connection over the manager heartbeat port (4120 by default).
Enabling AIA can prevent communication issues between the manager and agents, and simplify agent deployment when used with deployment scripts. Trend Micro recommends that you use AIA if:
- Your network environment prevents the manager from initiating connections to agents.
- You need to deploy many agents at once.
- You are protecting computers in cloud accounts.
Before enabling AIA, ensure that agents can reach the manager URL and heartbeat port. You can find the manager URL(s) and heartbeat port under Administration > System Information > System Details > Manager Node.
Enable agent-initiated activation and communication
Proceed with the following steps:
- Create or modify policies with agent-initiated communication enabled.
- Enable agent-initiated activation.
- Assign the policy to agents.
- Use a deployment script to activate the agents.
For your agents to continue initiating communication with the manager after activation, you'll need to enable agent-initiated communication on any policies the agents will use. You can do this by either modifying an existing policy or by creating a new one, which you'll assign to the agents.
You can quickly create a new policy from an existing policy by right-clicking it and selecting Duplicate.
- On the Policies page, double-click the policy.
- Go to Settings > General.
- Under Communication Direction, select Agent/Appliance Initiated.
- Click Save.
- Go to Administration > System Settings > Agents.
- Select Allow Agent-Initiated Activation.
- Select Allow Agent to specify hostname.
- From the If a computer with the same name exists list, select Re-activate the existing computer.
- Click Save.
You can either assign the policy to the agents during the deployment script configuration, or by using an event-based task after the deployment script has been run.
If all the agents will use the same policy, you can assign the policy in the deployment script as part of the next step. If groups of agents need to use different policies, create an event-based task to assign the policies before proceeding with the next step.
See the Generate a deployment section of Generate a deployment script to learn how to use a deployment script to activate the agents. If you are assigning a policy during deployment script configuration, you'll select it from the Security Policy list.