Multi-tenant settings

The Tenants tab appears only if you have enabled multi-tenant mode.

  • Multi-Tenant License Mode: The multi-tenant license mode can be changed after multi-tenant is setup, however it is important to note that switching from inherited to per-tenant will cause existing tenants to no longer have any licensed module.
  • Allow Tenants to use the "Run Script" Scheduled Task: Scripts present a potentially dangerous level of access to the system, however the risk can be mitigated because scripts have to be installed on the Manager using file-system access.
  • Allow Tenants to run "Computer Discovery" (directly and as a Scheduled Task): Determines if discovery is allowed. This may not be desirable in service provider environments where network discovery has been prohibited.
  • Allow Tenants to run "Port Scan" (directly and as a Scheduled Task): Determines if port scans can be executed. This may not be desirable in service provider environments where network scan has been prohibited.
  • Allow Tenants to add VMware vCenters: Determines for each tenant if vCenter connectivity should be allowed. If the deployment occurs via an unsecured or public network such as the Internet, usually this option should be disabled.
  • Allow Tenants to add with Cloud Accounts: Determines if tenants can setup cloud sync. This is generally applicable to any deployment.
  • Allow Tenants to synchronize with LDAP Directories: Determines if tenants can setup both User and Computer sync with Directories (LDAP or Active Directory for Computers, Active Directory only for users). If deployment occurs via an unsecured or public network such as the Internet, usually this option should be disabled.
  • Allow Tenants to configure independent Event Forwarding SIEM settings: Displays the SIEM settings on the Event Forwarding tab.
  • Allow Tenants to configure SNS settings: Displays the SNS settings on the Event Forwarding tab.
  • Allow Tenants to configure SNMP settings: Allow tenants to forward System Events to a remote computer (via SNMP). If this option is not selected, all tenants use the settings located on the Event Forwarding tab for all event types and syslogs are relayed via the Deep Security Manager.
  • Show the "Forgot Password?" option: Displays a link on the sign in screen which Users can access to reset their password. SMTP settings must be properly configured on the Administration > System Settings > SMTP tab for this option to work.
  • Show the "Remember Account Name and Username" option: Deep Security will remember the User's Account Name and Username and populate these fields when the sign in screen loads.
  • Allow Tenants to control access from the Primary Tenant: By default, the primary tenant can sign in to a tenant's account by using the Sign In As Tenant option on the Administration > Tenants page. When the Allow Tenants to control access from Primary Tenant option is selected, tenants are given the option (under Administration > System Settings > Advanced in their ) to allow or prevent access by primary tenant to their Deep Security environment. (When this option is enabled, the default setting in the tenant's environment is to prevent access by the primary tenant.)
    Whenever the primary tenant accesses a tenant's account, the access is recorded in the tenant's System Events.
  • Allow Tenants to use Primary Tenant's Trend Micro Apex Central and Deep Discovery Analyzer Server settings: Enables the primary tenant to share their Connected Threat Defense settings with tenants. For details, see Detect emerging threats using Connected Threat Defense.
  • Allow Tenants to use the Relays in my "Default Relay Group": gives tenants automatic access to relays setup in the primary tenant. This saves tenants from having to setup dedicated Relays for Security Updates.
    Tenants can reject the usage of "shared" relays by going to the Updates tab on the Administration > System Settings and deselecting Use the Primary Tenant Relay Group as my Default Relay Group (for unassigned Relays). Then they must set up relays for themselves.
    When relays are shared, the primary tenant must keep the relays up-to-date. To ensure this, you can create Download Security Update scheduled tasks for all relays at a regular intervals.
  • Enable the automatic download of Security Updates on new Tenants: As soon as you create a new tenant account, it will check for and download the latest available security updates.
  • Lock and hide the following options (all Tenants will use the Primary Tenant's configurations):
    • Data Privacy options on the "Agents" Tab:Allows the primary tenant to configure data privacy settings. (This setting only applies to "Allow Packet Data Capture on Encrypted Traffic (SSL)" in on the Administration > System Settings > Agents tab.)
    • All options on the "SMTP" Tab: Locks all settings on the SMTP tab.
    • All options on the "Storage" Tab:Locks all settings on the Storage tab.

Database servers

By default, all tenants will be created on the same database server that Deep Security Manager was installed with. In order to provide additional scalability, Deep Security Manager supports adding additional database servers. For details, see Set up a multi-tenant environment.

New tenant template

Using a tenant template, you can conveniently create a customized "out-of-the-box" experience for new tenants. This feature can be useful in service provider (MSSP) environments where some of the examples are not applicable, or special examples need to be created.

Existing tenants are not affected when you create a new template.
  1. Log in as the primary tenant.
  2. Create a new tenant.
  3. Log out, then log in as the new tenant.
  4. Customize the example policies (such as adding, removing, or modifying policies) and/or the security update version (such as applying newer versions).

    Tenants should use the example policies as a starting point, and then customize to match their unique needs.

    Security update packages must have a valid digital signature. If you specify an invalid security update, new tenant creation will fail. See also About upgrades.

  5. Log out, then log in again as the primary tenant.
  6. Run the tenant template wizard.
  7. Select the tenant to create a snapshot.

Templates include:

  • Latest Security Update rules (Updates that have been applied to the template when created. This includes intrusion prevention rules provided by Trend Micro, change monitoring rules, security log monitoring rules)
  • Policy Firewall rules
  • IP list
  • MAC list
  • Directory listing
  • File list
  • File extension list
  • Port list
  • Contexts
  • Schedule
  • Firewall Stateful Configuration
  • Malware scan settings

Templates exclude:

  • Custom Intrusion Prevention rules
  • Custom Application Types
  • Custom Integrity Monitoring rules
  • Custom Log Inspection rules
  • Custom Log Inspection Decoders
  • Dashboard
  • Alert settings
  • System settings
  • Scheduled tasks
  • Event-based tasks
  • Users
  • Roles
  • Contact information

Protection usage monitoring

Deep Security collects information about protected computers. This information is visible on the dashboard in the tenants widget and the Tenant Protection Activity widget. The information is also provide in the Tenant report and is available via the legacy REST API.

In the most basic case, the monitoring can help determine the percentage usage of Deep Security Manager by hours of protection through the report or the API. Commonly called viewback or chargeback this information can be used in a variety of ways. In more advanced cases, this can be used for custom billing based on characteristics like tenant computer operating systems.

Use these options determine which additional tenant computer details are recorded.