Use TLS 1.2 with Deep Security

In Deep Security Manager 11.1 and higher, TLS 1.2 is enforced by default for new installations.

Benefits of TLS 1.2

Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), are protocols that encrypt and authenticate connections between endpoints. When Deep Security components need to communicate, they negotiate the newest mutually-supported version of the protocol and then use that version to secure all communication for the duration of their session. TLS 1.2 is the newest version that Deep Security components negotiate. SSL has been deprecated because of known weaknesses.

Trend Micro strongly recommends that you use TLS 1.2 for communication between all Deep Security components. This page describes the benefits of TLS 1.2 and how to use it in your Deep Security environment.

The main benefit of TLS 1.2 is stronger security. It replaces the MD5/SHA-1 based pseudorandom function of TLS 1.0 and 1.1 with SHA-256 and adds authenticated-encryption (AEAD) cipher suites such as AES-GCM, removing weaknesses of the earlier versions that attackers have exploited.

TLS architecture

Figure 1 shows the TLS communication in a Deep Security as a Service environment. Agents at version 10.0 or higher communicate with Deep Security as a Service over TLS 1.2, while 9.6 agents communicate over early TLS (a version earlier than 1.2). Similarly, newer third-party applications use TLS 1.2, while older ones use early TLS.

Figure 1: TLS communication in a Deep Security as a Service environment

Enable the TLS 1.2 architecture

To enable TLS 1.2 in your Deep Security as a Service environment, you may need to upgrade your agents and relays. Follow these guidelines:

  • If you have 9.6 agents in your environment, you must upgrade them to 10.0 or later. Only 10.0 or later agents support TLS 1.2.
  • If you have 9.6 relays in your environment, you must upgrade them to 10.0 or later. Only 10.0 or later relays support TLS 1.2.

First, upgrade your agents:

Next, upgrade your relays (the instructions are the same as those for agents):

Next steps (deploy new agents and relays)

After setting up your TLS 1.2 environment, if you decide to use deployment scripts to deploy new agents and relays (see Use deployment scripts to add and protect computers; other deployment methods are also available), follow the guidelines below.

Guidelines for using deployment scripts

  1. If you are deploying an agent or relay onto Windows computers, use PowerShell 4.0 or higher. PowerShell 4.0 (Windows Management Framework 4.0) requires the .NET Framework 4.5, which provides the TLS 1.2 support that the manager-generated script uses to download the agent software from the manager or relay and install it.
  2. If you are deploying an agent or relay onto Linux, use curl 7.34.0 or higher. This is the first curl release that can negotiate TLS 1.2 (it is also the first with the --tlsv1.2 option), so it can download the agent software from the manager or relay over TLS 1.2 and install it.
  3. If you are deploying onto Red Hat Enterprise Linux 6, which ships curl 7.19 by default, upgrade to curl 7.34.0 or later. If you can't upgrade curl, see the next step for a workaround.
  4. If you are deploying onto Windows XP, Server 2003, or Server 2008, where PowerShell 4.0 is not supported, OR onto a Red Hat Enterprise Linux 6 computer where you can't upgrade to curl 7.34.0 or higher, do this:

    • From Deep Security Manager, download the agent installation package for your operating system. See Get Deep Security Agent software for details.
    • Copy the installation package to your web server.
    • Follow the instructions in Use deployment scripts to add and protect computers, but instead of using the manager to generate the script, use the Windows script or the Linux script provided below.

      You cannot use the deployment scripts offered through Deep Security Manager because they assume TLS 1.2, which these older operating systems and curl versions do not support.

      Because these hosts cannot negotiate TLS 1.2, the download from your web server is not protected by it either. Host the package on a trusted server on your internal network, and before installing, compare the hash of the downloaded file with the hash of the package you copied to the web server.

    Windows script:

    Replace <server/package> in the $sourceUrl variable with the URL of the agent package on your web server.

    $env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer"
    New-Item -Path $env:LogPath -ItemType Directory -Force | Out-Null
    Start-Transcript -Path "$env:LogPath\dsa_deploy.log" -Append
    echo "$(Get-Date -format T) - DSA download started"
    # URL of the agent package that you copied to your web server
    $sourceUrl = "<server/package>"
    echo "$(Get-Date -format T) - Download Deep Security Agent Package" $sourceUrl
    (New-Object System.Net.WebClient).DownloadFile($sourceUrl, "$env:temp\agent.msi")
    # An empty file means the download failed (for example, the package is missing on the server)
    if ( (Get-Item "$env:temp\agent.msi").length -eq 0 ) {
        echo "Failed to download the Deep Security Agent. Please check if the package is on the server."
        Stop-Transcript
        exit 1
    }
    echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length
    echo "$(Get-Date -format T) - DSA install started"
    # Silent install of all features; the verbose MSI log is written next to the transcript
    echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode
    Stop-Transcript
    echo "$(Get-Date -format T) - DSA Deployment Finished"

    Linux script:

    Use the script that is appropriate for your Linux distribution.

    Replace <server/package> with the URL of the agent package on your web server.

    For Linux distributions that use the RPM Package Manager:

    #!/usr/bin/env bash
    # Download the agent package; --fail stops an HTTP error page from being saved as the package
    curl --fail --silent --show-error <server/package> -o /tmp/agent.rpm
    rpm -ihv /tmp/agent.rpm

    For Debian-based Linux distributions:

    #!/usr/bin/env bash
    # Download the agent package; --fail stops an HTTP error page from being saved as the package
    curl --fail --silent --show-error <server/package> -o /tmp/agent.deb
    dpkg -i /tmp/agent.deb
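The following bash script is an added example, not one of Trend Micro's deployment scripts, that ties the Linux guidelines above together: it parses the installed curl version to decide whether the host can follow the TLS 1.2 path (curl 7.34.0 or later), downloads the package with TLS 1.2 enforced through curl's --tlsv1.2 option, verifies the package's SHA-256 before handing it to rpm or dpkg, and reports when the host must fall back to the web-server procedure instead. The package URL and expected hash are supplied as arguments and are placeholders; the hash check is the integrity control the fallback path needs because its download is not protected by TLS 1.2.

```shell
#!/usr/bin/env bash
# Added example, not part of Deep Security's own deployment scripts.
# Pre-flight check for the Linux deployment guidelines: confirms that the
# installed curl can negotiate TLS 1.2 (curl >= 7.34.0), fetches the agent
# package with TLS 1.2 enforced, and verifies its SHA-256 before installing.
# Usage: ./dsa_preflight.sh <package-url> <expected-sha256>
set -u

# Return 0 when a curl version string such as "7.19.7" is >= 7.34.0,
# the first release with the --tlsv1.2 option.
curl_version_ok() {
    local major minor
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "${major:-0}" -gt 7 ] && return 0
    [ "${major:-0}" -lt 7 ] && return 1
    [ "${minor:-0}" -ge 34 ]
}

# Read the version out of the first line of `curl --version`
# ("curl 7.19.7 (x86_64-redhat-linux-gnu) ...").
installed_curl_version() {
    curl --version 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# Compute the SHA-256 of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Return 0 only when the file's hash matches the expected value (case-insensitive).
verify_sha256() {
    local actual
    actual=$(sha256_of "$1")
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Pick the package manager command for this host from the package file name.
install_cmd_for() {
    case "$1" in
        *.rpm) echo "rpm -ihv" ;;
        *.deb) echo "dpkg -i" ;;
        *) return 1 ;;
    esac
}

# Download with TLS 1.2 enforced; --fail keeps an HTTP error page from being
# saved as the package, and mktemp avoids a predictable /tmp/agent.* path.
# Prints the path of the verified package on success.
fetch_agent() {
    local url="$1" expected="$2" out
    out=$(mktemp /tmp/agent.XXXXXX) || return 1
    if ! curl --tlsv1.2 --fail --silent --show-error "$url" -o "$out"; then
        rm -f "$out"; return 1
    fi
    if ! verify_sha256 "$out" "$expected"; then
        echo "hash mismatch for $url" >&2
        rm -f "$out"; return 1
    fi
    echo "$out"
}

main() {
    local url="$1" expected="$2" ver pkg cmd
    ver=$(installed_curl_version)
    if ! curl_version_ok "$ver"; then
        echo "curl ${ver:-not found} is older than 7.34.0: upgrade curl or use the web-server fallback" >&2
        return 2
    fi
    cmd=$(install_cmd_for "$url") || { echo "unknown package type: $url" >&2; return 2; }
    pkg=$(fetch_agent "$url" "$expected") || return 1
    $cmd "$pkg"
}

# Only act when a URL and hash are given; the functions above can also be sourced.
if [ $# -eq 2 ]; then
    main "$1" "$2"
fi
```

Run it as root with the package URL and the SHA-256 you computed from the copy downloaded from Deep Security Manager. On a RHEL 6 host with the stock curl 7.19.7 it exits with status 2 and points you to the fallback procedure instead of silently downloading over an older protocol.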