Install Deep Security Manager


You can find the supported deployment models for Deep Security Manager in section 3.3 of the Deep Security Best Practice Guide (PDF). Please note that auto-scaling of manager nodes is not supported.

Before you begin

Make sure you have completed these pre-installation tasks:

  1. Check system requirements for the manager: See System requirements.
  2. Prepare a database: See Database requirements, Install a database server, and Configure the database.
  3. Open ports: Make sure you allow inbound and outbound communication to and from the manager on the appropriate port numbers. See Deep Security port numbers.
  4. Allow URLs: If you are planning on restricting the URLs to or from the manager server, make sure you allow the URLs described in Deep Security URLs.
  5. Synchronize clocks: Synchronize the OS clock of the manager's server with the clock of the database. Both computers should use the same NTP service.
  6. Configure DNS:  Configure DNS with the appropriate records so that the manager, agents, appliances, and relays can perform DNS lookup queries. Alternatively, use IP addresses, or add entries to the manager's hosts file. The server's DNS name cannot start with a number, such as If it does, the install log shows: DNSName components must begin with a letter
  7. Download the manager software: It's available at
  8. Check the digital signature on the manager's installer file: See Check the signature on installer files (EXE, MSI, RPM or DEB files).
  9. Run the readiness check: See Run a readiness check.

Install the manager

After completing the tasks in Before you begin, you are ready to install the manager. You can use either:

To run the graphical, interactive installer:

  1. If you're installing on Linux, make sure X Windows System is installed so you can see the GUI.
  2. Run the installer as root, superuser, or (on Windows) Administrator.
  3. For details about how to fill out specific sections of the installer, read the sections below.

Test the installation (log in to the manager)

The "Trend Micro Deep Security Manager" service starts automatically when you finish its installer. To log into Deep Security Manager's GUI, open a web browser and go to:


where [host_name] is the IP address or domain name of the server where you installed Deep Security Manager, and [port] is the Manager Port you specified during installation.


Replace the self-signed certificate

When installing Deep Security for the first time, the installer creates a self-signed server certificate that Deep Security Manager uses to identify itself during secure connections with agents, appliances, relays, and your web browser. It is valid for 824 days. However, because it is not signed by a trusted Certificate Authority (CA), your web browser will display warnings. To eliminate these warnings and improve security, consider replacing Deep Security's server certificate with one signed by a trusted CA. For details, see Replace the Deep Security Manager TLS certificate.