Deploy the appliance (NSX-T 2.x)

After completing the tasks in Before deploying the appliance, you are ready to deploy the appliance on NSX-T 2.x Data Center. Follow the steps below.

You can also Upgrade the appliance to protect against new OS vulnerabilities.

Step 1: Import the appliance package into Deep Security Manager

After completing the tasks in Before deploying the appliance, you are ready to import the appliance ZIP into Deep Security Manager.

As an alternative to importing the appliance ZIP, you can place the OVF file at a URL location to make it faster for NSX to download. For details, see Configure the appliance OVF location.

  1. Go to:

    https://help.deepsecurity.trendmicro.com/software.html

  2. Download the Deep Security Virtual Appliance package. Check the version requirements in system requirements.

    You can import multiple versions of the appliance. The manager will choose the newest package.

  3. On Deep Security Manager, go to Administration > Updates > Software > Local.
  4. Click Import and upload the package to Deep Security Manager.

    On import, Deep Security Manager also automatically downloads and imports an agent that is compatible with the operating system of the virtual appliance VM. This agent has the same protection modules as Deep Security Agent for 64-bit Red Hat Enterprise Linux.

  5. If you want to specify a different embedded agent, go to Administration > System Settings > Updates and look for Virtual Appliance Deployment. By default, the Virtual Appliance Deployment option is set to Latest Available (Recommended). This indicates to the manager to upgrade the virtual appliance to use the newest imported, embedded agent. Change this setting, as required.

Step 2: Prepare Fabric settings

First, add your vCenter through NSX-T Manager:

  1. Make sure the vCenter and ESXi servers have been configured for management.
  2. In NSX-T Manager, at the top, click System, and then click Fabric > Compute Managers on the left.
  3. Click +ADD.
  4. The New Compute Manager dialog box appears.
  5. Fill in the fields with your vCenter information. For example:

  6. Click ADD. The vCenter is added.

  7. Verify that the vCenter's Registration Status is Registered, and its Connection Status is Up.

    You have now added your vCenter.

Next, make sure an overlay transport zone exists, and if not create one:

  1. Still in NSX-T Manager, go to System > Fabric > Transport Zones.
  2. Check whether a transport zone with a Traffic Type of Overlay already exists.
  3. If an overlay transport zone does not exist, click +ADD to create one.

    The New Transport Zone dialog box appears.

  4. Fill in the fields. Set Traffic Type to Overlay. Other fields can be set according to your needs.
  5. Click ADD.

    An overlay transport zone is created.

Next, create a Deep Security transport node profile:

  1. Still in NSX-T Manager, on the left, click Fabric > Profiles, and then in the main pane, click Transport Node Profiles.
  2. Click + ADD to create a transport node profile.

    The Add Transport Node Profile dialog box appears.

  3. Fill out the fields as shown in the image above. Make sure to move the Deep Security transport zone to the Selected column.
  4. Click N-VDS at the top of the dialog box, and fill out the fields as follows:
    • For the N-VDS Name, select DSVA or whatever name you specified when you created your Deep Security transport zone.
    • For the NIOC Profile, select nsx-default-nioc-hostswitch-profile.
    • For the Uplink Profile, select nsx-default-uplink-hostswitch-profile.
    • For the LLDP Profile, select LLDP [Send Packet Enabled].
    • For the IP Assignment, select Use IP Pool or Use DHCP. Use the one you want.
    • If IP Pool is visible, click OR Create and Use a new IP Pool, and create an IP pool with a Name of dsva-ip-pool and then use it as the IP Pool value.
    • If Physical NICs is visible, add a physical NIC. For example, use vmnic2 with uplink-1.

      The assigned NIC(s) must be available on the ESXi servers. In the example, our ESXi hosts have vmnic2 which can be used for the N-VDS n-vds-overlay.

  5. For details on any of the values, click at the top of the dialog box.

    The dialog box now looks similar to the following:

  6. After filling out the General and N-VDS tabs, click ADD.

    A transport node profile called Deep Security Transport Node Profile is created.

Next, apply the Deep Security transport node profile to your clusters:

  1. Click Fabric > Nodes, and in the main pane click Host Transport Nodes.
  2. From the Managed by drop-down list, select the vCenter you added previously. In this example, the vCenter is 10.201.111.111.

  3. Select a cluster that contains the VMs that you want to protect with Deep Security Virtual Appliance. If there is more than one cluster, select all the ones that you want to protect with the Deep Security Virtual Appliance.
  4. Click CONFIGURE NSX.
  5. From the Select Deployment Profile drop-down list, select Deep Security Profile or whatever you called your Deep Security transport node profile.

  6. Click SAVE.

    The following occurs:

    • The Deep Security transport node profile is applied to the clusters.
    • While the profile is being applied, an NSX Install in Progress message may appear.
    • When the operation finishes, each node's Configuration Status changes to Success and its Node Status changes to Up. If you have multiple ESXi servers, they should all be marked with Success and Up.

You have now prepared the Fabric settings in NSX-T Manager.

Step 3: Add vCenter to Deep Security Manager

Follow the instructions in Add a VMware vCenter.

After you have finished:

  • your guest VMs are displayed in Deep Security Manager.
  • the Trend Micro Deep Security service is registered with NSX-T.

Step 4: Install the Deep Security Virtual Appliance on NSX-T

You must install the Deep Security Virtual Appliance to each of your clusters.

  1. In NSX-T Manager, click System, and then select Service Deployments.

  2. From the Partner Service drop-down list, select Trend Micro Deep Security. This Trend Micro Deep Security service was registered when you added your vCenter in Deep Security Manager previously.
  3. Click DEPLOY SERVICE.
  4. Fill out the fields as follows:
    • For the Service Deployment Name, enter a name. If you have multiple clusters, consider using a name that includes the name of the cluster to which you're deploying. The cluster is listed under the Cluster heading on the same page. Example: DSVA Cluster 1.
    • For the Compute Manager, select the vCenter you added previously. In our example, vCenter is 10.201.111.111.
    • For the Cluster, select a cluster you configured previously. The Trend Micro Deep Security service will be installed to all the ESXi servers in this cluster. If you have multiple clusters, pick one now. You can come back later to pick another cluster.
    • For the Data Store, select the option that is appropriate for your environment. In our example, we selected Specified on Host.
    • For Networks, click Set or Edit Details, whichever is available, and then configure ens0 - MANAGEMENT. Set Network to Specified on Host or DVPG, and Network Type to DHCP or Static IP Pool. Click SAVE.

      If Specified on Host or DVPG are not visible or selectable, refer to this knowledge base page for a workaround.

    • For Deployment Specification, select Deep Security - Medium.
    • For Deployment Template, select EPP_Attributes_For_OVF_Env_Vars.

      Your service deployment details should look similar to the following:

  5. Click SAVE.

    The service deployment begins.

    The Status column in NSX-T Manager indicates In Progress.

  6. Wait. When the deployment is finished, the Status changes to Up.

    If you have multiple ESXi servers in the assigned cluster, then a Trend Micro Deep Security service is deployed onto each ESXi server. The services will be labeled as follows to differentiate them:

    • Trend Micro_Deep Security (1) (for the first ESXi server)
    • Trend Micro_Deep Security (2) (for the second ESXi server)

      ...and so on.

  7. (Optional) Check the status of the deployment by accessing vCenter through the vSphere Client. The vSphere Client shows the progress in more detail. Wait until the Status changes to Complete.

    In the image below, you see two Trend Micro Deep Security services listed on the left. Two services were deployed because there were two ESXi servers in the cluster.

  8. Verify the deployment in Deep Security Manager by clicking Computers at the top and then on the left, expanding the vCenter where the Trend Micro Deep Security service was deployed.

    Trend Micro_Deep Security (1) appears under Virtual Machines > Datacenter > ESX Agents with a Platform of Deep Security Virtual Appliance. You see one virtual appliance per ESXi server in your cluster.

  9. Repeat all the steps in Step 4: Install the Deep Security Virtual Appliance on NSX-T for each cluster.

    Although your VMs appear in Deep Security Manager, they are not yet protected.

Step 5: Configure Endpoint Protection

To start, create a group that will contain the VMs you want to protect with the Deep Security Virtual Appliance:

  1. Still in NSX-T Manager, at the top, click Inventory and then on the left, click Groups.
  2. Click ADD GROUP to create a group which will contain the VMs protected by Deep Security Virtual Appliance. Fill out the fields as follows:
    • For the Name, enter a name for your group. Example: DSVA-Protection-Group.
    • For the Domain, select default, or create a new domain under Inventory > Domains.
    • For the Compute Members, click Set Members to select which VMs will go in the group.

    The following instructions demonstrate the simplest way to add members. For more complex ways, such as the use of Membership Criteria, see the NSX-T documentation.

  3. Click Members (0) at the top, and then select VirtualMachine (selected: 0).
  4. Click Refresh at the bottom if your VMs are not visible.
  5. Select the guest VMs you want to add to the group. These VMs will become protected by the Deep Security Virtual Appliance.

    Your Select Members dialog box now looks similar to the following, with guest VMs selected, and Trend Micro_Deep Security deselected because the virtual appliance does not need to be protected:

  6. Verify the VM count in the Members tab near the top. In the example above, the count is 1.
  7. Click APPLY.

    The ADD GROUP page now shows an updated count.

  8. Click SAVE.

    You have now added a group with some members.

Next, configure a service profile for the Deep Security Virtual Appliance:

  1. Still in NSX-T Manager, click Security at the top, and then on the left, click Endpoint Protection.
  2. In the main pane, click SERVICE PROFILES.
  3. From the Partner Service drop-down list, select Trend Micro Deep Security if it is not already selected.
  4. Click ADD SERVICE PROFILE and fill out the fields as follows:
    • For the Service Profile Name field, specify a name. Example: DSVA-Service-Profile
    • For the Service Profile Description, enter a description. Example: Deep Security Service Profile
    • For the Vendor Template, select Default (EBT). This template was loaded at the same time as the Trend Micro Deep Security service.

      The ADD SERVICE PROFILE page should now look similar to the following:

  5. Click SAVE.

Next, map the service profile to the group:

  1. Switch to RULES and click + ADD POLICY.
  2. In the Name column, click within the New Policy cell and change the name. For example, use: DSVA-Policy
  3. Select the check box next to DSVA-Policy and click + ADD RULE. A rule appears under DSVA-Policy.
  4. Name the rule and select the corresponding groups and service profiles. For example, name the rule DSVA-Rule, and select DSVA-Protection-Group and DSVA-Service-Profile. There is now a mapping between the VMs in the DSVA-Protection-Group and the Default (EBT) template specified in the DSVA-Service-Profile.

    The policy should now look similar to the following: 

  5. Click PUBLISH to finish the policy and rule creation.

    You have now configured Endpoint Protection in NSX-T. Your VMs are not yet protected.

Step 6: Prepare for activation on NSX-T

To prepare for activation, you can use Method 1, 2, or 3:

Method 1: Create a 'Computer Created' event-based task

Method 2: Create an 'NSX Security Group Change' event-based task

Method 3: Synchronize your Deep Security policies to NSX-T

Step 7: Trigger an activation and policy assignment

If you chose Method 1, you can trigger an activation and policy assignment manually. For instructions, see below.

If you chose Method 2 or 3, all VMs should be activated and assigned policy automatically now. They are protected.

To activate and assign a policy through the Actions button:

  1. Go to Deep Security Manager, click Computers at the top, and click your vCenter on the left. Your guest VMs appear on the right.
  2. Shift+click a set of VMs, right-click them and then select Actions > Assign Policy. Select a policy and click OK. A Deep Security policy is assigned to your VMs.
  3. Shift+click the same set of VMs, right-click them and then select Actions > Activate/Reactivate. Your VMs are activated in Deep Security Manager. They are now protected.
  4. If you have additional, existing VMs you want to protect, repeat the procedure in this section to assign a policy and activate them.

Step 8: Check that VMs are activated and assigned a policy

To check:

  1. In Deep Security Manager, click Computers at the top.
  2. On the left, expand Computers > <your_vCenter> > Virtual Machines.
  3. Check the TASK(S) and STATUS columns. (Click Columns at the top to add them if they are not visible.) The TASK(S) column should indicate Activating, and your VMs should move from the Unmanaged (Unknown) status, to the Unmanaged (No Agent) status, to the Managed (Online) status. You may see the VMs move into the VMware Tools Not Installed status, but this is temporary.
  4. Check the POLICY column to make sure the correct Deep Security policy was assigned.

You have now deployed Deep Security Virtual Appliance and protected your VMs with it.
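When a cluster holds many guest VMs, scrolling the Computers page for the check in Step 8 does not scale. The following added example (not Trend Micro's code) pulls the computer list from the Deep Security Manager REST API and reports every guest VM that is not yet Managed (Online) with a policy assigned. The endpoint path, the api-secret-key and api-version headers, and the policyID, platform and computerStatus.agentStatusMessages fields are assumptions to verify against your manager's API reference; the sample payload at the bottom is constructed.

```python
"""Bulk check for Step 8: which guest VMs are activated and have a policy?
Added example, not Trend Micro code. Assumed: GET /api/computers, headers
api-secret-key / api-version, and the response fields used below."""
import json
import ssl
import urllib.request

MANAGED_OK = "Managed (Online)"          # status text the manager shows
APPLIANCE_PLATFORM = "Deep Security Virtual Appliance"


def fetch_computers(manager_url, api_key, cafile=None):
    """Call the (assumed) GET /api/computers endpoint over verified TLS.
    Pass cafile with the manager's CA when it is not in the system store."""
    req = urllib.request.Request(
        f"{manager_url}/api/computers?expand=computerStatus",
        headers={"api-secret-key": api_key, "api-version": "v1",
                 "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["computers"]


def classify(computers, expected_policy_id=None):
    """Split guest VMs into protected / unprotected by hostName.
    Protected means status Managed (Online) AND a policy is assigned
    (the expected one, if given). The appliance VMs themselves are skipped
    because, as the page notes, they do not need protection."""
    out = {"protected": [], "unprotected": []}
    for c in computers:
        if c.get("platform") == APPLIANCE_PLATFORM:
            continue
        msgs = c.get("computerStatus", {}).get("agentStatusMessages", [])
        pol = c.get("policyID")
        policy_ok = pol is not None and (
            expected_policy_id is None or pol == expected_policy_id)
        key = "protected" if MANAGED_OK in msgs and policy_ok else "unprotected"
        out[key].append((c.get("hostName"), list(msgs), pol))
    return out


# Constructed sample in the assumed response shape (not real data).
SAMPLE = [
    {"hostName": "web-01", "platform": "Red Hat Enterprise Linux 8 (64 bit)",
     "policyID": 5, "computerStatus": {"agentStatusMessages": [MANAGED_OK]}},
    {"hostName": "db-01", "platform": "Windows Server 2019 (64 bit)",
     "policyID": 5,  # still activating: status not yet Managed (Online)
     "computerStatus": {"agentStatusMessages": ["Unmanaged (No Agent)"]}},
    {"hostName": "app-01", "platform": "Red Hat Enterprise Linux 8 (64 bit)",
     "policyID": None, "computerStatus": {"agentStatusMessages": [MANAGED_OK]}},
    {"hostName": "Trend Micro_Deep Security (1)", "platform": APPLIANCE_PLATFORM,
     "policyID": None, "computerStatus": {"agentStatusMessages": [MANAGED_OK]}},
]

if __name__ == "__main__":
    for name, msgs, pol in classify(SAMPLE)["unprotected"]:
        print(f"NOT PROTECTED: {name}: status={msgs} policyID={pol}")
```

Replace SAMPLE with fetch_computers(manager_url, api_key) to run it against a real manager; db-01 is the case from Step 8 where a VM is mid-activation and should be rechecked rather than flagged as a failure.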

Next steps (how to add new VMs)

Follow the instructions below to learn how to add new VMs to your system and protect them with Deep Security.

To add a new VM if you chose Method 1 (create a 'Computer Created' event-based task):

  • Create a new VM in vCenter. This triggers the Computer Created (by System) event-based task, which activates and assigns policy to the new VM.

To add a new VM if you chose Method 2 (create an 'NSX Security Group Change' event-based task):

  • Create or move the VM into one of the NSX security groups. This triggers the NSX Security Group Change event-based task, which activates and assigns policy to the new VM.

To add a new VM if you chose Method 3 (synchronize Deep Security policies to NSX):

  • Create or move the VM into one of the NSX security groups. This activates and assigns policy to the new VM.