Migrate agents to Trend Vision One Endpoint Security - Server & Workload Protection

Upgrade to Trend Vision One Endpoint Security - Server & Workload Protection is a multi-step process.

Prerequisites

• Ensure that you are using Deep Security Manager 20.0.321 (20 LTS 2021-01-26) or later for upgrading via APIs, or Deep Security Manager 20.0.513 (20 LTS Update 2021-10-14) or later for upgrading using the Deep Security Manager update tool.
• Ensure that you are using Deep Security Agent 20.0.0-3445 (20 LTS Update 2021-11-24) or later. Then, in the Trend Vision One Endpoint Security - Server & Workload Protection console, go to Administration > Updates > Software > Local and make sure your account has the corresponding Deep Security Agent package.
• Ensure that your agents are running on platforms that support migration:
  • The Deep Security Agent platform support table lists agent platforms supported by Deep Security Manager 20.
  • Migrating agents is currently fully validated only on Windows and Linux platforms on Intel architecture.
  • Migrating agents is not supported on Windows 2008 32-bit.
• Due to feature differences between Deep Security Manager and Trend Vision One Endpoint Security - Server & Workload Protection, disable the following before migrating agents:
  • FIPS 140: Deep Security Manager cannot be updated if FIPS 140 is enabled.
  • Virtual Appliance: Computers protected by Virtual Appliance (agent-less or combined-mode) cannot be updated.
• If you have not done so already, complete the earlier steps described in Upgrade to Trend Vision One Endpoint Security - Server & Workload Protection, including configuring the Trend Vision One Endpoint Security - Server & Workload Protection account, creating an API key, and preparing a link to Trend Vision One Endpoint Security - Server & Workload Protection.

Migrate agents using the migration tool

1. In the upper-right corner of the Deep Security Manager console, select Support > Upgrade to Trend Vision One Endpoint Security.
2. On the Upgrade to Trend Vision One Endpoint Security dialog that appears, select the Agents tab.
3. Select Migrate using Computers to have the Deep Security Computers page displayed.
4. Select one or more computers that you want to migrate.
5. Select Actions > Upgrade to Trend Vision One Endpoint Security.
6. In the dialog that appears, specify the settings that you want applied to the agents when moved, and then click Migrate:
• Security Policy: If you have migrated your Deep Security policies to Trend Vision One Endpoint Security - Server & Workload Protection and want to keep the same policy applied to the migrated agent, select Assign migrated policy. If you want to assign a different policy, choose Select a policy from Trend Vision One Endpoint Security - Server & Workload Protection, and then select the new policy.
• Computer Group: The computer group where the agents will be located in Trend Vision One Endpoint Security - Server & Workload Protection.
• Relay Group: All agents are assigned to the Primary Relay Group in Trend Vision One Endpoint Security - Server & Workload Protection.
• Proxy to contact Server & Workload Protection Manager: Select a proxy if agents need one to contact Trend Vision One Endpoint Security - Server & Workload Protection.
• Proxy to contact Relay(s): Select a proxy if agents need one to contact relays on Trend Vision One Endpoint Security - Server & Workload Protection.
• Migrate with existing hostname, display name, and description: Select this option to use the existing hostname, display name, and description for the migrated agent.
• Migrate with settings override at computer level: Select this option to migrate any settings that have an override at the computer level. This does not include rule assignments.
7. Check the move status.
8. If you run into problems, check Troubleshooting

Check the move status

The status of move tasks is available from the API response, Computers page, and system events. The move status is also a search criteria in smart folders.

The original state of a move task is that the agent is managed by an on-premises Deep Security Manager.

Status	Description	How to recover to original state
Move Requested	A move task to Trend Vision One Endpoint Security - Server & Workload Protection has been requested. The move task has been accepted by Deep Security Manager, but not yet sent to the agent.	N/A
Moving	Computer is being moved to Trend Vision One Endpoint Security - Server & Workload Protection. The agent has accepted the move task, and is moving to Trend Vision One Endpoint Security - Server & Workload Protection.	N/A
Move Complete	Computer has been moved successfully to Trend Vision One Endpoint Security - Server & Workload Protection. Deep Security Manager is able to identify that the moved agent is activated on Trend Vision One Endpoint Security - Server & Workload Protection.	Manually reactivate the agent back to Deep Security Manager. Note that the agent has already trusted the Trend Vision One Endpoint Security - Server & Workload Protection public certificate. You must remove the ds_agent_dsm_public_ca.crt file manually before activating the agent back to Deep Security Manager.
Move Failed	Computer was not moved to Workload Security due to a connectivity issue from the agent to Trend Vision One Endpoint Security - Server & Workload Protection. The agent has rejected the move task while performing its precheck. Before trying the move again: Ensure that all parameters specified for the move are correct, including the account information, activation token, public CA certificate, and proxy settings. Ensure that there are no networking or firewall settings preventing the agent from reaching Trend Vision One Endpoint Security - Server & Workload Protection. Use the CLI to create an agent diagnostic package, which will include a ds_agent.log file containing information about the failed move. For instructions on creating diagnostic packages, see Create a diagnostic package and logs.	Clear warnings on the console. The agent is still managed by Deep Security Manager.
Move Failed (No response)	Computer was not moved to Trend Vision One Endpoint Security - Server & Workload Protection because the agent did not respond to the move task in a timely manner. Before trying the move again: Ensure that the agent is up and running. Ensure that the agent can communicate properly with Deep Security Manager.	Clear warnings on the console. The agent is still managed by Deep Security Manager.
Move Failed (Failed to activate)	The move to Trend Vision One Endpoint Security - Server & Workload Protection failed due to an activation issue and was rolled back. The precheck passed, but the agent was unable to activate to Trend Vision One Endpoint Security - Server & Workload Protection. Before trying the move again: Ensure that the Trend Vision One Endpoint Security - Server & Workload Protection Link is up to date. Ensure that all parameters specified for the move are correct, including the account information, activation token, public CA certificate, and proxy settings. Use the CLI to create an agent diagnostic package, which will include dsa_move.log and dsa_control.log files containing information about the failed move. For instructions on creating diagnostic packages, see Create a diagnostic package and logs.	Clear warnings on the console. The agent is still managed by Deep Security Manager.
Move Failed (Unmanaged)	The move to Trend Vision One Endpoint Security - Server & Workload Protection failed due to an activation issue, and the move could not be rolled back automatically. The computer is in an unmanaged state. The precheck is passed, but the agent was unable to activate to Trend Vision One Endpoint Security - Server & Workload Protection. An agent in this state may have encountered unknown issues during roll back, and the agent needs manual intervention. To troubleshoot this issue: Examine the dsa_move.log file which contains information about the failed move. Manually restore the agent or reactivate the agent. See Troubleshooting for details. Before trying the move again: Ensure that the Trend Vision One Endpoint Security - Server & Workload Protection Link is up to date. Ensure that all parameters specified for the move are correct including the account information, activation token, public CA certificate, and proxy settings.	Manually restore the agent back to Deep Security Manager. The agent is still protecting the host computer but is not being managed by Deep Security Manager. See Troubleshooting for more details.

Use Smart Folder to view move status

1. From the Smart Folder Editor, expand Search Criteria.
2. In the first list, select the property Status: Move Status.
3. In the second list, select a value such as Move Complete or Move Failed.

Troubleshooting

Restore an unmanaged agent manually

Examine the dsa_move.log file to identify the root cause of the move failure. The agent restore may have failed because the agent failed to stop or failed to start.

Agent failed to stop

If the agent failed to stop during the restore process, the following error message appears in the logs:

Unable to stop the agent. Agent restore failed.

To restore the agent:

1. Stop the agent service.
2. Restore the agent backup.
   1. Locate the agent work directory.
   • The agent work directory in Windows: %ProgramData%\Trend Micro\Deep Security Agent\
   • The agent work directory in Linux/Unix: /var/opt/ds_agent/
   2. Within that directory, the backup name starts with backup_ and ends with the date. For example: backup_2021-05-11_20.11.45
   3. Remove everything from the agent work directory except the diag and backup_* directories.
   4. Copy everything from the backup_* directory to the agent work directory.
3. Start the agent service.
4. Send a heartbeat to Deep Security Manager using dsa_control -m
5. Remove the backup_* directory if the agent was restored successfully (activated successfully with Deep Security Manager).

Agent failed to start

If the agent failed to start during the restore process, the following error message appears in the logs:

Unable to start the agent. Agent restore failed.

To restore the agent:

1. Start the agent service.
2. Send a heartbeat to Deep Security Manager using dsa_control -m

Other methods for migrating agents

If your environment contains sufficient automation tools, you can reactivate agents by extracting the activation command from deployment scripts within the Trend Vision One Endpoint Security - Server & Workload Protection console. New hosts that do not have an agent should run the entire script. Hosts with existing up-to-date agents can run the dsa_control command located in a comment at the end of the deployment script. If proxies are in use, note the several lines preceding this command and execute them with the correct values prior to running the activation command. Reactivation does not require a reboot or cause loss of protection during the process.

Environments without sufficient automation infrastructure can use the Deep Security MoveAgent API. This reactivates agents automatically, using the Trend Vision One Endpoint Security - Server & Workload Protection Link configured for the target Trend Vision One Endpoint Security - Server & Workload Protection account. This method requires Deep Security Manager 20.0.321 (20 LTS 2021-01-26) or later and Deep Security Agent 20.0.0-3445 (20 LTS Update 2021-11-24) or later. For instructions, see Upgrade using the Deep Security and Trend Vision One Endpoint Security - Server & Workload Protection APIs.

You should enable the option in Trend Vision One Endpoint Security - Server & Workload Protection to automatically upgrade agents on activation to get the full security control provided with the latest agent. The minimum agent version available in each Trend Vision One Endpoint Security region is different. Trend Micro recommends using the latest agent version whenever possible, but if you require an older agent version that is not available in your account, contact Trend Micro support.