Deploy the appliance (NSX-V)

After completing the tasks in Before deploying the appliance, you are ready to deploy the appliance on NSX Data Center for vSphere (NSX-V). Follow the steps below.

You can also Upgrade the appliance to protect against new OS vulnerabilities.

Step 1: Import the appliance package into Deep Security Manager

After completing the tasks in Before deploying the appliance, you are ready to import the appliance ZIP into Deep Security Manager.

As an alternative to importing the appliance ZIP, you can place the OVF file at a URL location to make it faster for NSX to download. For details, see Configure the appliance OVF location.

  1. Go to:

    https://help.deepsecurity.trendmicro.com/software.html

  2. Download the Deep Security Virtual Appliance package. Check the version requirements in system requirements.

    You can import multiple versions of the appliance. The manager will choose the newest package.

  3. On Deep Security Manager, go to Administration > Updates > Software > Local.

  4. Click Import and upload the package to Deep Security Manager.

    On import, Deep Security Manager also automatically downloads and imports an agent that is compatible with the operating system of the virtual appliance VM. This agent has the same protection modules as Deep Security Agent for 64-bit Red Hat Enterprise Linux.

  5. If you want to specify a different embedded agent, go to Administration > System Settings > Updates and look for Virtual Appliance Deployment. By default, the Virtual Appliance Deployment option is set to Latest Available (Recommended). This indicates to the manager to upgrade the virtual appliance to use the newest imported, embedded agent. Change this setting, as required.

Step 2: Add vCenter to Deep Security Manager

Follow the instructions in Add a VMware vCenter.

After you have finished:

  • your guest VMs are displayed in Deep Security Manager.
  • the Trend Micro Deep Security service is registered with NSX-T.

Step 3: Prepare ESXi servers

If you are using NSX Advanced Edition or NSX Enterprise Edition, you must prepare your ESXi servers by installing the drivers necessary for network traffic inspection. This operation is performed on the cluster.

If you are using another NSX edition, skip this section.

  1. In your vSphere Web Client, go to Home > Networking & Security > Installation > Host Preparation:

  2. Locate the NSX cluster you are going to protect with Deep Security in the Clusters & Hosts list and click Install in the Installation Status column. The installation will complete and the driver version will be displayed in the Installation Status column:

    ESXi host preparation is now complete. For more complete instructions on host preparation, see VMware documentation.

Step 4: Install Guest Introspection

If you want file-based protection such as Anti-Malware or Intrusion Prevention for your VMs, you must install the Guest Introspection service on your ESXi servers.

The Guest Introspection service consists of a couple of drivers: the File Introspection (vsepflt) driver and Network Introspection (vnetflt) driver.

If you do not install Guest Introspection, the Anti-Malware and Intrusion Prevention features will not work.

  1. In vSphere Web Client, go to Home > Networking & Security > Installation, then click the Service Deployments tab.

    VMware service deployments

  2. Click the green plus icon ().

    The Deploy Network & Security Services window appears.

  3. Select Guest Introspection, then click Next.

  4. Select the cluster that contains the ESXi servers and VMs that you want to protect, then click Next.

  5. Select the datastore, the distributed port group used by your NSX cluster, and IP assignment method, then click Next.

  6. Review your settings, then click Finish.

    vSphere may take a few minutes to install the guest introspection service on your ESXi servers. When it is finished, Installation Status will display "Succeeded". To update the status, you may need to refresh the vSphere Web Client.

    vSphere Client refresh

Step 5: Install the Deep Security Virtual Appliance on NSX-V

  1. In the vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments.
  2. Click the green plus sign ().

  3. In the new window that appears, select the Trend Micro Deep Security service and then click Next. If you do not see this service, it might be because you have not yet added your vCenter to Deep Security Manager. For details, see Step 2: Add vCenter to Deep Security Manager.

  4. Click Finish.

    When deployment is complete, the Trend Micro Deep Security service appears in the list of network and security service deployments in the cluster.

Step 6: Create an NSX security group and policy

To start, create an NSX security group that will contain the VMs you want to protect with the Deep Security Virtual Appliance:

  1. In vSphere Web Client, go to Home > Networking & Security > Service Composer > Security Groups.

  2. Click New Security Group():

  3. Define Dynamic Membership: If you want to restrict membership in this group based on filtering criteria, enter those criteria here.

  4. Select the objects that will be included.

    There are many ways to include or exclude objects in a NSX security group. For this example, we will include the NSX cluster that contains the ESXi hosts and VMs that we want to protect. In the Select objects to include options, select Cluster from the Object Type menu, and move the NSX cluster that contains the VMs to protect to the Selected Objects column.

    If a VM is included in more than one security group, then when you go to Computers in Deep Security Manager and search for the VM's name, it will appear more than once in search results. For more information, please see Duplicate host records appear in Computer page when the host is located in more than one NSX security group.

  5. Click Finish to create the new security group and return to the Security Groups tab to see the newly listed security group.

Next, create an NSX security policy:

  1. In vSphere Web Client, go to Home > Networking and Security > Service Composer > Security Policies.
  2. Click New Security Policy.

  3. Guest Introspection Services: Configure Guest Introspection Services if you are using the Anti-Malware or Intrusion Prevention modules.

    If you do not install Guest Introspection, the Anti-Malware and Intrusion Prevention features will not work.

    Click the green plus sign () to add an Endpoint Service. Provide a name for the Endpoint Service and select the following settings:
    • Action: Apply
    • Service Name: Trend Micro Deep Security
    • Service Profile: Select Default (EBT). This is a profile configuration that is configured to trigger event-based task(s) in Deep Security Manager.
    • State: Enabled
    • Enforce: Yes

    Click OK, then click Next.

  4. Firewall Rules: do not make any changes. Click Next.
  5. Network Introspection Services: Network Introspection Services are only available with NSX Advanced and Enterprise, and only need to be configured if you are using the Web Reputation, Firewall, or Intrusion Prevention modules. You will be adding two Network Introspection Services to the NSX Security Policy: a first one for outbound traffic, and a second one for inbound traffic.
    1. For the first, outbound, service, in the Network Introspection Services options, click the green plus sign to create a new service. In the Add Network Introspection Service window, provide a name for the service (preferably one that includes the word "Outbound") and select the following settings:
      • Action: Redirect to service
      • Service Name: Trend Micro Deep Security
      • Service Profile: Select Default (EBT)
      • Source: Policy's Security Groups
      • Destination: Any
      • Service: Any
      • State: Enabled
      • Log: Do not log

    2. For the second, inbound, service, in the Network Introspection Services options, click the green plus sign to create a new service. In the Add Network Introspection Service window, provide a name for the service (preferably one that includes the word "Inbound") and select the following settings:
      • Redirect to service: Yes
      • Service Name: Trend Micro Deep Security
      • Service Profile: Select Default (EBT)
      • Source: Any
      • Destination: Policy's Security Groups
      • Service: Any
      • State: Enabled
      • Log: Do not log

    3. Click OK in the Add Network Inspection Service window, and then click Finish to complete and close the New Security Policy window.

    You have now created an NSX security policy for Deep Security.

Finally, associate the NSX security policy you just created with the NSX security group you also just created:

  1. Stay on the Security Policies tab of the Home > Networking & Security > Service Composer page in your vSphere Web Client.
  2. With the new security policy selected, click the Apply Security Policy icon ().
  3. In the Apply Policy to Security Groups window, select the security group that contains the VMs you want to protect and click OK.

    The NSX security policy is now applied to the VMs in the NSX security group.

You have now created NSX security groups and policies. Any VMs that are added to these NSX security groups will be activated in Deep Security Manager, and assigned a Deep Security policy.

Step 7: Prepare for activation on NSX-V

To prepare for activation, you can use Method 1, 2, or 3:

  • Some methods aren't supported with some NSX versions. Consult the table below for details.
  • Method 1: With this method, any VMs that you newly create in your system are automatically activated and assigned a policy.
  • Method 2: With this method, new and existing VMs are automatically activated and assigned a policy when they are moved into a designated NSX security group.
  • Method 3: With this method, new and existing VMs are activated and assigned a policy when they are moved into a designated NSX security group. This is similar to method 2. However, unlike method 2, Deep Security policies are assigned through the VMware UI instead of through a Deep Security event-based task.
    Deep Security Virtual Appliance deployment
   NSX for vSphere (NSX-V) 6.4.x NSX-T 2.5.x NSX-T 3.x
Method

Standard

OR

NSX for vShield Endpoint (free)

Advanced Enterprise NSX Data Center
Standard		 NSX Data Center
Professional		 NSX Data Center
Advanced		 NSX Data Center
Enterprise Plus		 NSX Data Center for
Remote Office
Branch Office		 All license types All license types

Method 1

Method 2

 X 1 1 X X 1 1 1

Method 3

 X 1 1 X X 1 1 1

1 Requires VMware's Network Introspection Service.

Requires the following software combination: Deep Security Manager FR 2019-12-12 (build 12.5.494) or newer with Deep Security Agent Linux FR 2020-04-02 (build 12.5.0-814) or newer.

Method 1: Create a 'Computer Created' event-based task

The instructions below are task-based. For more explanatory information on event-based tasks, see Automated policy management in NSX environments.

  1. In Deep Security Manager, click Administration at the top.
  2. On the left, click Event-Based Tasks.
  3. In the main pane, click New.
  4. From the Event drop-down list, select Computer Created (by System). Click Next.
  5. Select Activate Computer and set it to 5 minutes.
  6. Select Assign Policy and select a policy from the drop-down list, for example, Windows Server 2016.You can click the arrows to view child policies. Click Next.
  7. Specify the conditions that restrict when the event-based task is triggered. Add this condition:

    vCenter Name matches <your_vCenter_name>

  8. Add more conditions to further restrict when the event-based task is triggered. For example, if you have a naming convention for your VMs that includes a 'Windows' prefix on all Windows VMs, you would set:

    Computer Name matches Windows*

    Click Next.

  9. In the Name field, enter a name for the task that reflects the policy you assigned, for example, Activate Windows Server 2016.
  10. Select Task Enabled and then click Finish.
  11. Create additional event-based tasks, one per Deep Security policy you plan on assigning. The event-based task must have an event type of Computer Created (by System) and must be configured to activate the computer and assign a policy.

    You have now set up your event-based tasks to activate and assign policies to newly-created VMs. As soon as a VM is created, all the Computer Created (by System) event-based tasks are reviewed. If the conditions in a task are met, the task is triggered, and the VM is activated and assigned the associated policy.

Method 2: Create an 'NSX Security Group Change' event-based task

The instructions below are task-based. For more explanatory information on event-based tasks, see Automated policy management in NSX environments.

To start, create or modify the Activate event-based task:

  1. In Deep Security Manager, click Administration at the top.
  2. On the left, click Event-Based Tasks.
  3. In the main pane, look for the event-based task called Activate <your_vCenter_name>. It may or may not exist.
  4. If the Activate event-based task exists, double-click it and review the table below make sure it is configured properly. If it doesn't exist, click New and run through the wizard, making sure to conform to the table below.
  5. Create additional Activate event-based tasks if you added multiple vCenter servers to the manager.

Settings in the table below may appear in a different order from shown.

To configure the 'Activate' event-based task, set... To...
Name A name for the task that reflects the action and vCenter assigned under Conditions, for example, Activate your_vCenter_name>.
Event NSX Security Group Change

The NSX Security Group Change event is triggered when the manager receives a notification from the data plane (the Deep Security Virtual Appliance).
Task Enabled Enabled.
Activate Computer 5 minutes.
Assign Policy A policy, for example, Windows Desktop.You can click the arrows to view child policies.
Conditions

Mandatory condition to restrict when the event-based task is triggered:

  • vCenter Name matches <your_vCenter_name>

Examples of optional conditions to further restrict triggering:

  • Appliance Protection Available matches True.
  • Appliance Protection Activated matches False.
  • NSX Security Group Name matches .+ (which means any)

Next, create or modify the Deactivate event-based task:

  1. Still in Deep Security Manager, in the main pane, look for the event-based task called Deactivate <your_vCenter_name>. It may or may not exist.
  2. If the Deactivate event-based task exists, double-click it and review the table below make sure it is configured properly. If it doesn't exist, click New and run through the wizard, making sure to conform to the table below.
  3. Create additional Deactivate event-based tasks if you added multiple vCenter servers to the manager.

Settings in the table below may appear in a different order from shown.

To configure the 'Deactivate' event-based task, set... To...
Name

A name for the task that reflects the action and vCenter assigned under Conditions, for example, Deactivate your_vCenter_name>.
Event NSX Security Group Change

The NSX Security Group Change event is triggered when the manager receives a notification from the data plane (the Deep Security Virtual Appliance).
Task Enabled Enabled.
Deactivate Computer Enabled.
Conditions
  • Appliance Protection Activated matches True.
  • NSX Security Group Name matches ^$ (which means none)
  • vCenter Name matches <your_vCenter_name>

You have now set up your event-based tasks to activate your VMs. If the conditions in a task are met, the task is triggered, and the VM is activated (and assigned the associated policy).

Method 3: Synchronize your Deep Security policies to NSX-V

The instructions below are task-based. For more explanatory information on synchronizing policies, see Synchronize Deep Security policies with NSX.

To start, configure Deep Security Manager:

  1. Log in to Deep Security Manager.
  2. Make sure that all of the policies in Deep Security Manager have a unique name before they are synchronized with NSX. All the default ones have unique names.
  3. At the top, click Computers.
  4. On the left, right-click the vCenter where you want to enable synchronization and select Properties.
  5. On the NSX Configuration tab, select Synchronize Deep Security Policies with NSX Service Profiles. Click OK.

Next, check that your policies are loading into vSphere:

  1. In the vSphere Web Client Home page, click the Networking & Security button. NSX Home appears.
  2. On the left, click Service Definitions.
  3. In the main pane, under the Services tab, right-click Trend Micro Deep Security and select Edit settings.
  4. In the main pane, select the Manage tab, and under that, select Profile Configurations.
  5. Make sure the Deep Security policies are loading. They appear as individual NSX profile configurations of the same name. Each profile configuration has an ID that starts with a 'P', for example, P1, P2, P3, and so on. The 'P' indicates they are based on Deep Security policies.

    You have now added your Deep Security policies as profile configurations in NSX.

Finally, reconfigure your security groups and policies:

  1. Go back to Step 6: Create an NSX security group and policy and run through the steps again, but this time making the adjustments described in the remaining steps.
  2. Create multiple NSX security groups.
  3. Create multiple NSX security policies. For each policy, set the Guest Introspection Services and Network Introspection Services (both inbound and outbound) Service Profile to one of the Deep Security policies that you just loaded.
  4. Associate the NSX security policies with the NSX security groups.

Step 8: Trigger an activation and policy assignment

Your VMs are now ready to be activated and assigned a policy.

  • If you chose Method 1, you'll need to manually synchronize the vCenter. Go to Deep Security Manager, right-click the vCenter on the left, and select Synchronize Now. Your existing VMs should now be protected.
  • If you chose Method 2 or 3, all VMs should be activated and assigned policy automatically now. To check, see the next step.

Step 9: Check that VMs are activated and assigned a policy

To check:

  1. In Deep Security Manager, click Computers at the top.
  2. On the left, expand Computers > <your_vCenter> > Virtual Machines.
  3. Check the TASK(S) and STATUS and columns. (Click Columns at the top to add them if they are not visible.) The TASK(S) column should indicate Activating, and your VMs should move from the Unmanaged (Unknown) status, to the Unmanaged (No Agent) status, to the Managed (Online) status. You may see the VMs move into the VMware Tools Not Installed status, but this is temporary.
  4. Check the POLICY column to make sure the correct Deep Security policy was assigned.

You have now deployed Deep Security Virtual Appliance and protected your VMs with it.

Next steps (how to add new VMs)

Follow the instructions below to learn how to add new VMs to your system and protect them with Deep Security.

To add a new VM if you chose Method 1 (create a 'Computer Created' event-based task):

  • Create a new VM in vCenter. This triggers the Computer Created (by System) event-based task, which activates and assigns policy to the new VM.

To add a new VM if you chose Method 2 (create an 'NSX Security Group Change' event-based task):

  • Create or move the VM into one of the NSX security groups. This triggers the NSX Security Group Change event-based task, which activates and assigns policy to the new VM.

To add a new VM if you chose Method 3 (synchronize Deep Security policies to NSX):

  • Create or move the VM into one of the NSX security groups. This activates and assigns policy to the new VM.