Deploy the Deep Security Virtual Appliance with NSX Advanced/Enterprise

Applies to on-premise Deep Security software installations only

See Deploy Deep Security for steps that you must perform before proceeding with the steps in this article.

To provide agentless protection to the virtual machines on your ESXi servers, you must install the Deep Security service (the Deep Security Virtual Appliance) on the cluster that your ESXi servers belong to. Before installing the service, you must import the appliance software into Deep Security Manager.

Import the appliance software into Deep Security Manager

You will need to manually import the Deep Security Virtual Appliance software package from a local directory into the manager. You can also import the Deep Security Notifier, which is an optional component that you can install on your protected Windows VMs. It displays local notifications of system events in the notification area.

Download the software packages from the Trend Micro Download Center ( to the Deep Security Manager host machine.

In Deep Security Manager, go to Administration > Updates > Software > Local, click Import, and import the software packages into Deep Security. (The Deep Security Manager will then automatically download the latest 64-bit Red Hat agent software package which will later be used to upgrade the Virtual Appliance's Protection Modules.)

Install the Deep Security Virtual Appliance

  1. In the vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments and click the green plus sign () to display the Deploy Network & Security Services window:
  2. Select services & schedule: select the Trend Micro Deep Security service and then click Next.
  3. Select clusters: select the cluster(s) that includes the ESXi servers on which to deploy the Deep Security service and then click Next.
  4. Select storage and Management Network: For each cluster, select a datastore on which to store the Deep Security Virtual Appliance, the network (the distributed port group used by the vDS on the data center) and the IP assignment method for the Deep Security service to use. Click Next.
    If you are assigning static IP pools in the "IP Assignment" column to the Deep Security service or Guest Introspection service, make sure your default gateway and DNS is reachable/resolvable and the prefix length is correct. If you do not, the Deep Security and Guest Introspection service VMs will not get activated and they will not be able to talk to NSX manager or Deep Security Manager because their IPs are not on the same network as the Deep Security Manager or the NSX Manager.
  5. Ready to complete: click Finish to complete the deployment of the Deep Security service:
  6. When deployment is complete, you'll see the Trend Micro Deep Security service in the list of Network & Security Service Deployments:

The Deep Security service is now deployed to the cluster.