Upgrade the appliance

After completing the pre-upgrade tasks, you are ready to upgrade the appliance. You have a few upgrade options:

If you are using NSX-T, you can use Option 2 or 3.

If you are using NSX-V, you can use any Option.

See also Upgrade the NSX license for more Deep Security features.

Upgrade an existing appliance SVM automatically

With this upgrade option, your guest VMs lose protection during the upgrade process, which takes five to fifteen minutes depending on the resources of your VMware components and network stability. If you would like to maintain protection of the guest VMs, see instead Upgrade an existing appliance SVM manually.

Any resource adjustments or custom configurations you may have made to the current appliance SVM, such as extending the CPU or memory or changing a password, will not be carried over to the new appliance SVM after the upgrade. You will need to manually re-apply these configurations when the upgrade finishes.

To upgrade the appliance SVM automatically, follow these steps:

Step 1: Upgrade the appliance SVM in the manager

  1. In Deep Security Manager, click Computers at the top.
  2. Find the ESXi host where your existing appliance SVM is located. The ESXi host has its PLATFORM column set to VMware ESXi <version_build> (see image below). (It is not a computer with a PLATFORM of Deep Security Virtual Appliance.)
  3. Right-click the ESXi host and select Actions > Upgrade Appliance (SVM).

    You can use Shift+click to select multiple ESXi hosts, if you want to upgrade several at once.

    The Upgrade Appliance (SVM) option is only available if the latest virtual appliance package in Local Software is newer than the one that's currently in use. To make the option available, try importing the latest appliance package. If that doesn't work, it's likely because you're already using the latest version of the appliance SVM. To check, look at the Appliance (SVM) Version property on the computer details page of the appliance virtual machine.

    The Upgrade Appliance (SVM) page appears with a check box, warnings, and a note.

    During the upgrade, the appliance (SVM) will be shut down for about 3 - 10 minutes depending on your vCenter and ESX resources.

  4. (Optional.) Select Check NSX alarms before upgrade, and cancel the process if any alarms exist if you want the manager to check the service status from NSX Manager before the upgrade begins. Deselect the check box if you want to skip the check and proceed with the upgrade despite possible alarms.
  5. Review the warnings and note on the page.
  6. Click OK.

    The upgrade process begins, including a pre-upgrade service status check, if you enabled it.

  7. (Optional.) Still in the manager, go back to the Computers page, find your ESXi host, and look at its TASK(S) column to view the status of the upgrade.

    If you previously shift+clicked several ESXi hosts on which to perform an upgrade, the ESXi hosts are processed sequentially (one at a time). You can look at the TASK(S) column to find out which server is currently being processed.

    The TASK(S) column displays one of the following:

    • Upgrading Appliance (SVM) (Pending): The manager has received the upgrade request, but has not yet put it into the queue.
    • Upgrading Appliance (SVM) (In Queue): The manager has queued the process, and will start the upgrade soon.
    • Upgrading Appliance (SVM) (In Progress): The manager is processing the upgrade.
  8. (Optional.) Still in the manager, go to the Computer Details page of one of your ESXi hosts and click the System Events tab to verify that the upgrade is proceeding successfully.

    Below is a sample of the system events you'll see when an upgrade is successful. For more events, see this complete list of appliance SVM upgrade events.

If you see the Appliance (SVM) Upgrade Failed system event, see Troubleshooting the 'Appliance (SVM) Upgrade Failed' system event.

Troubleshooting the 'Appliance (SVM) Upgrade Failed' system event

If you see the Appliance (SVM) Upgrade Failed system event, review its detailed description for the reason and possible fix. In the worst case scenario, you can go to the NSX Manager console and click the Resolve button (see the image below). Clicking this button manually resolves any alarms and redeploys the appliance. Guest VMs are activated according to how you set up activation when you deployed your old Deep Security Virtual Appliance. For details on activation set up, see the activation section of Deploy the appliance (NSX-V).

Step 2: Check that the upgrade succeeded

The appliance SVM should be upgraded successfully. Go to the manager's Computers page and double-check that the appliance SVM and all the guest VMs are back in their protected state (green dot).

Upgrade an existing appliance SVM manually

With a manual upgrade, you'll use the vMotion mechanism to preserve the guest VMs' protection while the upgrade occurs.

To upgrade the appliance SVM, follow these steps:

Step 1: Review or restore identified files

  1. Review or restore identified files as necessary because identified files will be lost when you move your VMs or delete the Deep Security Virtual Appliance.

Step 2: Migrate guest VMs to another ESXi host

Skip this section if you are using NSX-T 3.x.

For brevity, this procedure uses these terms:

  • ESXi_A is the ESXi server with the virtual appliance that you want to upgrade.

  • ESXi_B is the ESXi server where guest VMs are migrated to while the appliance SVM upgrade occurs. We assume it is under the same cluster as ESXi_A.

  1. Enable DRS for the cluster and make sure it has an automation level of Fully Automated. See this VMware article for details.
  2. Find ESXi_A and place this ESXi server in maintenance mode.

    When you enter maintenance mode:

    • ESXi_A's guest VMs are migrated automatically (using vMotion) to ESXi_B in your cluster.
    • The Deep Security Virtual Appliance that is protecting ESXi_A is shut down automatically.
    • Your guest VMs can no longer be powered on until ESXi_A is out of maintenance mode.

Step 3: Upgrade your old appliance SVM

  1. Go to VMware vSphere Web Client > Hosts and Clusters.
  2. Find the Trend Micro Deep Security appliance SVM that is powered off. It's the one without a green arrow (shown in the following image). The appliance SVM was automatically powered off when you put the corresponding ESXi server into maintenance mode.
  3. Right-click the Trend Micro Deep Security appliance SVM that is powered off and select Delete from Disk.

  4. If you see a Confirm Delete message, click Yes.

  5. If the deletion fails with this message...

    This operation not allowed in the current state

    Do this:

    1. Right-click the Trend Micro Deep Security appliance SVM again, and this time select Remove from Inventory (which appears just above Delete from Disk). This removes the appliance SVM from vCenter but preserves it in the datastore.
    2. In the navigation pane, select the datastore tab and select the datastore where the old virtual appliance resides.
    3. In the main pane, select the Files tab.
    4. Right-click the old appliance SVM folder and select Delete File.

    5.  Open VMware vSphere Web Client, and go to Home > Networking and Security > Installation > Service Deployments.

      You see the following:

      • The deleted Trend Micro Deep Security appliance SVM Installation Status column shows Failed.
      • If you are in maintenance mode, the Guest Introspection service also shows as Failed.

    6. Click the Resolve button on the Guest Introspection service if its Installation Status is Failed. The Failed status changes to Enabling and then to Succeeded. The Guest Introspection service is powered on and maintenance mode is exited.

    7. Click the Resolve button on the Trend Micro Deep Security service that is Failed.The Failed status changes to Enabling and then to Succeeded. The following occurred:

      • The Trend Micro Deep Security appliance SVM was redeployed with the latest software that you loaded into Deep Security Manager.
      • The appliance SVM was activated.
      • The embedded agent on the appliance SVM was auto-upgraded to the latest compatible version in Local Software by default.

    This ends the NSX-V instructions. You can proceed to Step 4: Check that maintenance mode was turned off.

In NSX-T Manager, go to System > Service Deployments > DEPLOYMENT.

Click the menu icon (three dots) > Change Appliance.

c. Select the appliance that you want to update and click the UPDATE button.

Wait for the upgrade process to complete.

Step 4: Check that maintenance mode was turned off

Skip this section if you are using NSX-T 3.x.

Step 5: Check that the new appliance SVM is activated

  1. In Deep Security Manager, at the top, click Computers.
  2. Find Trend Micro Deep Security in the list and double-click it. This is the appliance.
  3. Check the following:
    1. Check that the status is set to Managed (Online). This indicates that the agent was successfully activated.
    2. Check that the Virtual Appliance Version is set to the version of the embedded Deep Security Agent. This version should match the version of the newest agent software found under Administration > Updates > Software > Local or a specific version you set in Administration > System Settings > Updates > Virtual Appliance Deployment.
    3. Check that the Appliance (SVM) Version is set to the version of the newest Deep Security Virtual Appliance package under Administration > Updates > Software > Local.

You have now upgraded your appliance SVM.

Step 6: Final step

  1. Repeat all the steps in this section, starting at Step 1: Review or restore identified files and ending at Step 5: Check that the new appliance SVM is activated for each appliance SVM that needs to be upgraded.

Guest VMs are activated according to how you set up activation when you deployed your old Deep Security Virtual Appliance. For details on activation setup, see the activation section in Deploy the appliance (NSX-T 3.x), or Deploy the appliance (NSX-V).

Upgrade the agent embedded on the appliance SVM

You can upgrade just the Deep Security Agent that's embedded on the appliance SVM without redeploying the appliance SVM.

When you upgrade just the embedded agent, the appliance SVM’s original end-of-support date remains in effect. For details, see Deep Security LTS life cycle dates

Follow these instructions to upgrade the embedded agent on the appliance SVM.

  1. Determine which versions of the appliance SVM and embedded agent you're using. You'll need this information to complete the remaining steps in this procedure.
  2. Import the compatible agent:
    1. Still in Deep Security Manager, on the left, expand Updates > Software > Download Center.
    2. Select the agent software that is compatible with your appliance SVM. Consult the compatibility table that follows for guidance.
    3. Click the button in the Import Now column to import the agent into Deep Security Manager.
    4. On the left, click Local Software to verify that the agent was imported successfully.

    You have now imported the Deep Security Agent that is compatible with your appliance SVM version. You are ready to upgrade the agent on the appliance SVM.

  3. Upgrade the agent on the appliance SVM:
    1. Click Computers and double-click your appliance computer.
    2. Click Actions > Upgrade Appliance.
    3. Select the agent version to install on the appliance. This is the agent you just imported.
    4. Click OK.
  4. Click Events & Reports and search on 710 to find the report about the installation of the update file.

You have now upgraded the agent on the appliance SVM.

Compatibility table: appliance, agent

Appliance SVM version Image OS Compatible agent software
Appliance-ESX-11.0 or higher CentOS 7

Agent-RedHat_EL7-<version>.x86_64.zip

where <version> is the version of the agent software. Select the latest version. This version of the agent will be used as the embedded agent.