Deploy the appliance (NSX-T)
If you want agentless protection for your VMware images, you must deploy the Deep Security Virtual Appliance.
To deploy the appliance on NSX-T Data Center, follow the steps below.
To deploy on NSX Data Center for vSphere (NSX-V), see instead Deploy the appliance (NSX-V).
- Before you begin
- Step 1: Import appliance packages into Deep Security Manager
- Step 2: Prepare Fabric settings
- Step 3: Add vCenter to Deep Security Manager
- Step 4: Install the Deep Security Virtual Appliance on NSX-T
- Step 5: Configure Endpoint Protection
- Step 6: Prepare for activation on NSX-T
- Step 7: Trigger an activation and policy assignment
- Step 8: Check that VMs are activated and assigned a policy
- Next steps (how to add new VMs)
You can also Upgrade the Deep Security Virtual Appliance to protect against new OS vulnerabilities.
Before you begin:
- Review this table to see which NSX licenses and versions are supported.
- Review these system requirements.
- If the features you want are not available agentlessly, use 'combined mode'.
- If you configured guest VMs to have direct access to a network card, install agents on those VMs. In this case there is no opportunity to intercept packets and an in-guest agent is preferable. See Choose agentless vs. combined mode protection for details.
Follow the instructions below to download the Deep Security Virtual Appliance and import it into Deep Security Manager.
- On your Deep Security Manager computer, go to the software page at https://help.deepsecurity.trendmicro.com/software.html.
- Download the latest Deep Security Virtual Appliance package to your computer.
- On Deep Security Manager, go to Administration > Updates > Software > Local.
- Click Import and upload the package to Deep Security Manager.
When you import the appliance package, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. This agent software appears under Administration > Updates > Software > Local. When you deploy the appliance, the embedded agent software will be auto-upgraded to the latest compatible version in Local Software by default. You can change the auto-upgrade version by clicking Administration > System Settings > Updates tab > Virtual Appliance Deployment.
It is acceptable to have multiple versions of the Deep Security Virtual Appliance package appear under Local Software. The newest version is always selected when you deploy a new Deep Security Virtual Appliance.
- Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray. For details, see Install the Deep Security Notifier.
First, add your vCenter through NSX-T Manager:
- Make sure the vCenter and ESXi servers have been configured for management.
- In NSX-T Manager, at the top, click System, and then click Fabric > Compute Managers on the left.
- Click +ADD.
- The New Compute Manager dialog box appears.
- Fill in the fields with your vCenter information. For example:
- Click ADD. The vCenter is added.
- Verify that the vCenter's Registration Status is Registered, and its Connection Status is Up.
You have now added your vCenter.
Next, if you have not done so already, configure a Deep Security transport zone:
- Still in NSX-T Manager, click Fabric > Transport Zones, and then click +ADD to create a transport zone for the virtual appliance.
- The New Transport Zone dialog box appears.
- Fill in the fields. You can set Host Membership Criteria and Traffic Type any way you want. In the example above, we chose Standard (For all hosts) and Overlay.
- Click ADD.
A transport zone is created.
Next, if you have not done so already, create a Deep Security transport node profile:
- Still in NSX-T Manager, on the left, click Profiles, and then in the main pane, click Transport Node Profiles.
The Add Transport Node Profile dialog box appears.
- Fill out the fields as shown in the image above. Make sure to move the Deep Security transport zone to the Selected column.
- Click N-VDS at the top of the dialog box, and fill out the fields as follows:
- For the N-VDS Name, select DSVA or whatever name you specified when you created your Deep Security transport zone.
- For the NIOC Profile, select nsx-default-nioc-hostswitch-profile.
- For the Uplink Profile, select nsx-default-uplink-hostswitch-profile.
- For the LLDP Profile, select LLDP [Send Packet Enabled].
- For the IP Assignment, select Use IP Pool or Use DHCP. Use the one you want.
- If IP Pool is visible, click OR Create and Use new a new IP Pool, and create an IP pool with a Name of dsva-ip-pool and then use it as the IP Pool value.
- If Physical NICs is visible, add a physical NIC. For example, use vmnic2 with uplink-1.
- After filling out the General and N-VDS tabs, click ADD.
A transport node profile called Deep Security Transport Node Profile is created.
For details on any of the values, click at the top of the dialog box.
The dialog box now looks similar to the following:
Next, if you have not done so already, apply the Deep Security transport node profile to your clusters:
- Click Fabric > Nodes, and in the main pane click Host Transport Nodes.
- From the Managed by drop-down list, select the vCenter you added previously. In this example, the vCenter is 10.201.111.111.
- Select a cluster that contains the VMs that you want to protect with Deep Security Virtual Appliance. If there is more than one cluster, select all the ones that you want to protect with the Deep Security Virtual Appliance.
- Click CONFIGURE NSX.
- From the Select Deployment Profile drop-down list, select Deep Security Profile or whatever you called your Deep Security transport node profile.
- Click SAVE.
The following occurs:
- The Deep Security transport node profile is applied to the clusters.
- While the profile is being applied, an NSX Install in Progress message may appear.
- When the operation finishes, each node's Configuration Status changes to Success and its Node Status changes to Up. If you have multiple ESXi servers, they should all be marked with Success and Up.
You have now prepared the Fabric settings in NSX-T Manager.
Add vCenter to Deep Security Manager following the instructions in Add a VMware vCenter.
After you have finished:
- your guest VMs are displayed in Deep Security Manager.
- the Trend Micro Deep Security service is registered with NSX-T.
You must install the Deep Security Virtual Appliance to each of your clusters.
- In NSX-T Manager, click System, and then select Service Deployments.
- From the Partner Service drop-down list, select Trend Micro Deep Security. This Trend Micro Deep Security service was registered when you added your vCenter in Deep Security Manager previously.
- Click DEPLOY SERVICE.
- Fill out the fields as follows:
- For the Service Deployment Name, enter a name. If you have multiple clusters, consider using a name that includes the name of the cluster to which you're deploying. The cluster is listed under the Cluster heading on the same page. Example: DSVA Cluster 1.
- For the Compute Manager, select the vCenter you added previously. In our example, vCenter is 10.201.111.111.
- For the Cluster, select a cluster you configured previously. The Trend Micro Deep Security service will be installed to all the ESXi servers in this cluster. If you have multiple clusters, pick one now. You can come back later to pick another cluster.
- For the Data Store, select the option that is appropriate for your environment. In our example, we selected Specified on Host.
- For Networks, click Set or Edit Details, whichever is available, and then configure ens0 - MANAGEMENT. Choose the Network and Network Type you want to use. Click SAVE.
- For Deployment Specification, select Deep Security - Medium.
- For Deployment Template, select EPP_Attributes_For_OVF_Env_Vars.
Your service deployment details should look similar to the following:
- Click SAVE.
The service deployment begins.
The Status column in NSX-T Manager indicates In Progress.
- Wait. When the deployment is finished, the Status changes to Up.
If you have multiple ESXi servers in the assigned cluster, then a Trend Micro Deep Security service is deployed onto each ESXi server. The services will be labeled as follows to differentiate them:
- Trend Micro_Deep Security (1) (for the first ESXi server)
- Trend Micro_Deep Security (2) (for the second ESXi server)
...and so on.
- (Optional) Check the status of the deployment by accessing vCenter through the vSphere Client. The vSphere Client shows the progress in more detail. Wait until the Status changes to Complete.
In the image below, you see two Trend Micro Deep Security services listed on the left. Two services were deployed because there were two ESXi servers in the cluster.
- Verify the deployment in Deep Security Manager by clicking Computers at the top and then on the left, expanding the vCenter where the Trend Micro Deep Security service was deployed.
Trend Micro_Deep Security (1) appears under Virtual Machines > Datacenter > ESX Agents with a Platform of Deep Security Virtual Appliance. You see one virtual appliance per ESXi server in your cluster.
- Repeat all the steps in Step 4: Install the Deep Security Virtual Appliance on NSX-T for each cluster.
Although your VMs appear in Deep Security Manager, they are not yet protected.
Configuring Endpoint Protection is required in order to protect existing VMs with Deep Security Virtual Appliance.
First, create a group that will contain the VMs you want to protect with the Deep Security Virtual Appliance:
- Still in NSX-T Manager, at the top, click Inventory and then on the left, click Groups.
- Click ADD GROUP to create a group which will contain the VMs protected by Deep Security Virtual Appliance. Fill out the fields as follows:
- For the Name, enter a name for your group. Example: DSVA-Protection-Group.
- For the Domain, select default, or create a new domain under Inventory > Domains.
- For the Compute Members, click Set Members to select which VMs will go in the group.
The following instructions demonstrate the simplest way to add members. For more complex ways, such as the use of Membership Criteria, see the NSX-T documentation.
- Click Members (0) at the top, and then select VirtualMachine (selected: 0).
- Click Refresh at this bottom if your VMs are not visible.
- Select the guest VMs you want to add to the group. These VMs will become protected by the Deep Security Virtual Appliance.
Your Select Members dialog box now looks similar to the following, with guest VMs selected, and Trend Micro_Deep Security deselected because the virtual appliance does not need to be protected:
- Verify the VM count in the Members tab near the top. In the example above, the count is 1.
- Click APPLY.
The ADD GROUP page now shows an updated count.
- Click SAVE.
You have now added a group with some members.
Next, configure a service profile for the Deep Security Virtual Appliance:
- Still in NSX-T Manager, click Security at the top, and then on the left, click Endpoint Protection.
- In the main pane, click SERVICE PROFILES.
- From the Partner Service drop-down list, select Trend Micro Deep Security if it is not already selected.
- Click ADD SERVICE PROFILE and fill out the fields as follows:
- For the Service Profile Name field, specify a name. Example: DSVA-Service-Profile
- For the Service Profile Description, enter a description. Example: Deep Security Service Profile
- For the Vendor Template, select Default (EBT). This template was loaded at the same time as the Trend Micro Deep Security service.
The ADD SERVICE PROFILE page should now look similar to the following:
- Click SAVE.
- Switch to RULES and click + ADD POLICY.
- In the Name column, click within the New Policy cell and change the name. For example, use: DSVA-Policy
- Select the check box next to DSVA-Policy and click + ADD RULE. A rule appears under DSVA-Policy.
Name the rule and select the corresponding groups and service profiles. For example, name the rule DSVA-Rule, and select DSVA-Protection-Group and DSVA-Service-Profile. There is now a mapping between the VMs in the DSVA-Protection-Group and the Default (EBT) template specified in the DSVA-Service-Profile.
The policy should now look similar to the following:
- Click PUBLISH to finish the policy and rule creation.
You have now configured Endpoint Protection in NSX-T. Your VMs are not yet protected.
In an upcoming step, you will be activating your existing VMs in Deep Security. Consult the following table to learn more about the activation methods. Look below the table to find the procedure for Method 1 (which is the only method supported with the NSX-T deployment).
|Deep Security Virtual Appliance deployment|
|NSX for vSphere (NSX-V) 6.3.x - 6.4.x||NSX for vSphere (NSX-V) 6.4.1+||NSX-T 2.4+|
NSX for vShield Endpoint (free)
|Advanced||Enterprise||NSX Data Center Standard||NSX Data Center Professional||NSX Data Center Advanced||NSX Data Center Enterprise Plus||NSX Data Center for Remote Office Branch Office||NSX Data Center Standard||NSX Data Center Professional||NSX Data Center Advanced||NSX Data Center Enterprise Plus||NSX Data Center for Remote Office Branch Office|
Method 1: Create a 'Computer Created' event-based task.
With this method, any VMs that you create in your system are automatically activated and assigned a policy. This method, and method 2, require the least amount of setup work.
Method 2: Create an 'NSX Security Group Change' event-based task.
With this method, new and existing VMs are automatically activated and assigned a policy when they are moved into a designated NSX security group. (Conversely, when they are moved out of the NSX security group, they are deactivated.) This method, and method 1, require the least amount of setup work.
Method 3: Synchronize your Deep Security policies to NSX.
With this method, new and existing VMs are activated and assigned a policy with they are moved into a designated NSX security group. This is similar to method 2. However, unlike method 2, Deep Security policies are assigned through the VMware UI.
1 Requires VMware's Network Introspection Service.
Method 1: Create a 'Computer Created' event-based task
- In Deep Security Manager, click Administration at the top.
- On the left, click Event-Based Tasks.
- In the main pane, click New.
- From the Event drop-down list, select Computer Created (by System). The Computer Created (by System) event type is triggered when a new VM is created.
- Select Activate Computer and set it to 5 minutes.
- Select Assign Policy and select a policy from the drop-down list, for example, Windows Server 2016.You can click the arrows to view child policies. Click Next.
- Specify the conditions that restrict when the event-based task is triggered. Add this condition:
vCenter Name matches <your_vCenter_name>
- Add more conditions to further restrict when the event-based task is triggered. For example, if you have a naming convention for your VMs that includes a 'Windows' prefix on all Windows VMs, you would set:
Computer Name matches Windows*
- In the Name field, enter a name for the task that reflects the policy you assigned, for example, Activate Windows Server 2016.
- Select Task Enabled and then click Finish.
- Create additional event-based tasks, one per Deep Security policy you plan on assigning. The event-based task must have an event type of Computer Created (by System) and must be configured to activate the computer and assign a policy.
You have now set up your event-based tasks to activate and assign policies to newly-created VMs. As soon as a VM is created, all the Computer Created (by System) event-based tasks are reviewed. If the conditions in a task are met, the task is triggered, and the VM is activated and assigned the associated policy.
You must now manually activate and assign a policy to your existing VMs:
- Go to Deep Security Manager, click Computers at the top, and click your vCenter on the left. Your guest VMs appear on the right.
- Shift+click a set of VMs, right-click them and then select Actions > Assign Policy. Select a policy and click OK. A Deep Security policy is assigned to your VMs.
- Shift+click the same set of VMs, right-click them and then select Actions > Activate/Reactivate.Your VMs are activated in Deep Security Manager. They are now protected.
- If you have additional, existing VMs you want to protect, repeat the procedure in this section to assign a policy and activate them.
Make sure your VMs in Deep Security Manager become activated, and are assigned a policy.
- In Deep Security Manager, click Computers at the top.
- On the left, expand Computers > <your_vCenter> > Virtual Machines.
- Check the TASK(S) and STATUS and columns. (Click Columns at the top to add them if they are not visible.) The TASK(S) column should indicate Activating, and your VMs should move from the Unmanaged (Unknown) status, to the Unmanaged (No Agent) status, to the Managed (Online) status. You may see the VMs move into the VMware Tools Not Installed status, but this is temporary.
- Check the POLICY column to make sure the correct Deep Security policy was assigned.
You have now deployed Deep Security Virtual Appliance and protected your VMs with it.
To add new VMs to your system and protect them with Deep Security, create a new VM in vCenter. This triggers the Computer Created (by System) event-based task, which activates and assigns policy to the new VM. Your new VM is now protected by Deep Security.