Multi-tenant settings

Applies to on-premise Deep Security software installations only

The Tenants tab appears only if you have enabled multi-tenant mode.

  • Multi-Tenant License Mode: The multi-tenant license mode can be changed after multi-tenant is setup, however it is important to note that switching from inherited to per-tenant will cause existing tenants to no longer have any licensed module.
  • Allow Tenants to use the "Backup" Scheduled Task: Determines if the Backup Scheduled Task should be available to tenants. In most cases backups should be managed by the database administrator and this option should be selected.
  • Allow Tenants to use the "Run Script" Scheduled Task: Scripts present a potentially dangerous level of access to the system, however the risk can be mitigated because scripts have to be installed on the Manager using file-system access.
  • Allow Tenants to run "Computer Discovery" (directly and as a Scheduled Task): Determines if discovery is exposed. This may not be desirable in service provider environments where network discovery has been prohibited.
  • Allow Tenants to run "Port Scan" (directly and as a Scheduled Task): Determines if port scans can be executed. This may not be desirable in service provider environments where network scan has been prohibited.
  • Allow Tenants to add VMware vCenters: Determines for each tenant if vCenter connectivity should be exposed. If the deployment is intended through a public service (internet), this option should most likely be disabled since there will not be a secured route to the vCenter from a hosted service.
  • Allow Tenants to add Cloud Accounts: Determines if tenants can setup cloud sync. This is generally applicable to any deployment.
  • Allow Tenants to synchronize with LDAP Directories: Determines if tenants can setup both User and Computer sync with Directories (LDAP or Active Directory for Computers, Active Directory only for users). If the deployment is intended to be made through a public service (internet), this option should most likely be disabled since there will not be a secure route to the directory from a hosted service.
  • Allow Tenants to configure SNMP settings: Allow Tenants to forward System Events to a remote computer (via SNMP)
  • Show Introduction to Tenants (Recommended only if all "add" and "synchronize" options are enabled): Automatically displays the introductory slide show to tenants when they first sign in. (The slide show can be accessed by clicking the Support link at the top right of the Deep Security Manager window and selecting Introduction.)
  • Show "Forgot Password?" option: Displays a link on the sign in screen which Users can access to reset their password. (Note that SMTP settings must be properly configured on the Administration > System Settings > SMTP tab for this option to work.)
  • Show "Remember Account Name and Username" option: Deep Security will remember the User's Account Name and Username and populate these fields when the sign in screen loads.
  • Allow Tenants to control access from Primary Tenant: By default, the primary tenant can sign in to a Tenant's account by using the Sign In As Tenant option on the Administration > Tenants page. When the Allow Tenants to control access from Primary Tenant option is selected, tenants are given the option (under Administration > System Settings > Advanced in their ) to allow or prevent access by primary tenant to their Deep Security environment. (When this option is enabled, the default setting in the Tenant's environment is to prevent access by the Primary Tenant.)
    Whenever the Primary Tenant accesses a Tenant's account, the access is recorded in the Tenant's System Events.
  • Allow Tenants to use Primary Tenant's Trend Micro Control Manager and Deep Discovery Analyzer settings: Enables the primary tenant to share their Connected Threat Defense settings with tenants. For details, see Detect emerging threats using Connected Threat Defense.

  • Allow Tenants to use the Relays in my "Default Relay Group" (for unassigned Relays): gives tenants automatic access to relays setup in the primary tenant. This saves tenants from having to setup dedicated Relays for Security Updates.
    Tenants can reject the usage of "shared" relays by going to the Updates tab on the Administration > System Settings page and deselecting the Use the Primary Tenant Relay Group as my Default Relay Group (for unassigned Relays) option. If Tenants deselect this setting they must set up dedicated Relays for themselves.
    When relays are shared, it is the responsibility of the primary tenant to keep the relays up to date. This usually involves creating Download Security Update Scheduled Tasks for all relays at a regular intervals.
  • New Tenants automatically download the latest Security Updates: As soon as you create a new tenant account, it will check for and download the latest available security updates.
  • Lock and hide the following (all Tenants will use the options configured for the primary Tenant):
    • Data Privacy options on the "Agents" Tab: Allows the Primary Tenant to configure data privacy settings. (This setting only applies to "Allow Packet Data Capture on Encrypted Traffic (SSL)" in on the Administration > System Settings > Agents tab.)
    • All options on the "SIEM" Tab (All Tenants use the settings located on the SIEM tab for ALL event types and syslog is relayed via the Manager): Allows the primary Tenant to configure syslog for all Tenants at once. All tenants will inherit the primary tenant's syslog settings. In CEF format the Tenant name is included as TrendMicroDsTenant .
    • All options on the "SMTP" Tab: Locks all settings on the SMTP tab.
    • All options on the "Storage" Tab: Locks all settings on the Storage tab.

Database Servers

By default all Tenants will be created on the same database server Deep Security Manager was installed with. In order to provide additional scalability Deep Security Manager supports adding additional database servers.

For SQL Server the secondary database server requires a hostname, username and password (domain and named instance are optional). The TCP/Named Pipes setting has to be the same as the primary database (TCP is always recommended). The user (the Deep Security Manager) must have the following permissions:

  • Create databases
  • Delete databases
  • Define schema

This account is used not only to create the database but to authenticate to the databases that are created.

Oracle Multi-Tenant uses a different model. The new database definition defines a user that is bound to a tablespace. That user is used to "bootstrap" the creation of additional users on Oracle.

For information on setting up database user accounts for multi-tenancy see Set up a multi-tenant environment.

Database servers (other than the primary) can be deleted provided there are no Tenants located on the server.

If the hostname, username, password or any details change the GUI can be used to change for database servers (other than the primary). To change values for the primary the Deep Security Manager must be shutdown (all nodes) and the file edited with the new details.

New tenant template

The tenant template feature provides a convenient way of creating a customized "out-of-the-box" experience for new tenants.

The process is as follows:

  1. Create a new tenant.
  2. Log in as that tenant.
  3. Customize the example policies (adding/removing/modifying) and the security update version (applying newer versions).
  4. Return to the primary tenant and run the tenant template wizard.
  5. Select the tenant to snapshot.

All future tenants will have the example policies and rule update version included in the snapshot.

This feature may be useful in service provider environments where some of the examples are not applicable, or special examples need to be created.

As always the examples are meant to be a starting point. Tenants are encouraged to create policies based on their unique needs.

Creating a new template will not affect existing tenants.

Protection usage monitoring

Deep Security collects information about protected computers. This information is visible on the dashboard in the Tenants widget and the Tenant Protection Activity widget. The information is also provide in the Tenant Report and is available via the REST API.

In the most basic case, the monitoring can help determine the percentage usage of Deep Security Manager by hours of protection through the report or the API. Commonly called viewback or chargeback this information can be used in a variety of ways. In more advanced cases, this can be used for custom billing based on characteristics like tenant computer operating systems.

Use these options determine which additional tenant computer details are recorded.