Piszki Lab | EN

My case study in the clouds…

Configure Trend Micro Deep Security with VMware NSX for vShield Endpoint


VMware NSX achieved the status of GA and now each holder of a vCenter Standard license can download and install VMware NSX for vShield Endpoint. Generally, this is a very good move on that waiting a lot of people. At this point, it is now possible to migrate from VMware vShield Manager to VMware NSX in the vCenter 6 environment (particularly for holders of vCloud Suite 6 license). It also means the ability to migrate Trend Micro Deep Security from version 9.5 to version 9.6. But before you cast in to perform the upgrade as described here, think about it twice and thought to everything thoroughly. License NSX for vShield Endpoint is a very stripped down, basically has only two functions. Agentless antivirus (AV offloading) and Integrity Monitoring. This means that if you have a full license for all Deep Security modules you must use the agent in combination mode to use them all.


My suggestion is also such that you do not upgrade vShield Manager to the NSX. Using the NSX for vShield Endpoint licenses best option you can do is deactivate the all machines in the Deep Security, perform unprepare on ESXi hosts (remove the connection to the vShield Manager in vCenter configuration on DSM), uninstall vShield Endpoint and remove DSVA. So completely clean environment and install VMware NSX from scratch (and reconnect NSX with Deep Security). It is very easy, just load NSX OVA to the environment, run and configure. In relation to what I have described here, there are a few differences, we do not have to do anything except installing NSX Guest Introspection.


All VIB you need will be installed during this process.


However, if you try to perform a Host Preparation, you will meet with the simple message (Operations is not allowed by the applied NSX license.):


Before we make the next move, we have to wait until the process is completed successfully (Service Status reaches “up”):


The next step is to ensure that Trend Micro Deep Security 9.6.2 have loaded DSVA 9.5 and the agent for Red Hat Enterprise Linux 6 x64 version 9.6.2 (even if we do not use Red Hat in the environment). Without this agent DSVA will not be upgraded to version 9.6 (it will work correctly in version 9.5 but will produce additional error messages). We proceed to install the service Trend Micro Deep Security (all necessary steps have been described here).


We will be a warning about the lack of all necessary components, ignore it and continue.


The process ends immediately with error, but did not click Resolve!


In the background the installation of Trend Micro Deep Security (DSVA) is running correctly.


We look forward to the completion of the installation process, after starting DSVA will be upgraded to the latest version, it takes a very long time. Wait patiently, correct completion of the process can be identified by the fact that DSVA check in with DSM (green version 9.6.2).


Configuration of NSX policies I described here, if everything ended correctly, the virtual machines will be activated automatically. In combined mode for Windows anti-virus protection is implemented by DSVA.


Additional information can be found on the Trend Micro SUPPORT page. Once again I repeat, for the upgrade of the vShield Manager and DSM 9.5, I recommend clearing the configuration and installation from scratch.

Rate this article:
[Total: 2 Average: 4.5]

Author: Piotr Pisz

Computer always, since I got a Commodore 64 at the end of primary school, through his beloved Amiga and Linux infinite number of consoles, until today, fully virtual day. Since 2001, Unix/Linux Systems Administrator, for seven years a faithful companion and protector of Solaris system, until his sad end. In the year 2011 came in the depths of virtualization, then smoothly ascended into the clouds and continues there today. Professionally working as Systems Architect in the Polish Security Printing Works.

Leave a Reply

Required fields are marked *.