The title of this post is quite enigmatic, but it touches on a very serious problem: how do you upgrade an environment as complex as vSphere with NSX and Trend Micro Deep Security without interrupting protection? The Trend Micro statement says that to perform the upgrade you must remove the protection, unregister the service, uninstall DSVA, perform the upgrade, re-register in NSX, install DSVA and enable protection. This means a long break in the protection of the environment. Can we resolve this problem in a production system? Fortunately, you can bend this and that and upgrade in a way that does not destroy anything along the way. Upgrading Trend Micro Deep Security Management Server to version 11 is quite a simple task and in my opinion there is no point in describing it in detail (just run the exe).
We will start with DSVA; for a long time there has not been a new version of this appliance. Now we have a new version, 11. Do we have to use it? Well, not necessarily. We need to distinguish between two aspects: upgrading the appliance OS (this is what brings version 11) and upgrading the agent inside the appliance to version 11.
The problem is that once Deep Security is registered in NSX it appears as a service, and there is no possibility to upgrade its version. And every interference with the service interrupts the protection of virtual machines. Following the Trend Micro instructions, we would have to destroy the whole configuration and then create it from scratch. In a large environment, this is a very serious problem.
What can we do then? We can import a new version of DSVA, but that does not mean it is automatically upgraded. We can delete DSVA at the NSX level and upload a new version, but this will stop the protection on the machines. We can also upgrade the agent inside DSVA in the standard way, and this is the quickest method (the gap is minimal, just the time it takes to reload the agent). After this operation, we have an old appliance with a new agent and everything works.
What about the ESXi upgrade to version 6.7? In the service definition we have the Deployment section, and it is clear that for each version of ESXi the same DSVA file is used. Just add a new definition for ESXi 6.7. No other modifications are needed.
Thanks to this, we have support for ESXi 6.7 without having to re-register Deep Security in NSX. The same applies in the future for subsequent versions, unless the whole structure of the vSphere, NSX and Deep Security schema changes.
Of course, a new version of DSVA will be uploaded for new hosts (if necessary).
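Before upgrading hosts it is worth checking that every ESXi version in the cluster is covered by a deployment entry, otherwise NSX has nothing to deploy there and the host ends up unprotected. The script below is an added example, not code from the post or from Trend Micro or VMware; it assumes the NSX-V versionedDeploymentSpec element layout (hostVersion, ovfUrl, vmciEnabled), and the service XML, OVF URL and host inventory are constructed placeholders.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample of the Deployment section of an NSX-V service definition.
# Element names follow the NSX-V versionedDeploymentSpec layout (assumption);
# the OVF URL is a placeholder, not a value from a real environment.
SERVICE_XML = """<service>
  <name>Trend Micro Deep Security</name>
  <versionedDeploymentSpec>
    <hostVersion>6.5.*</hostVersion>
    <ovfUrl>https://dsm.example.invalid/dsva.ovf</ovfUrl>
    <vmciEnabled>true</vmciEnabled>
  </versionedDeploymentSpec>
</service>"""

# Constructed inventory: each ESXi host and the version it will run after the upgrade.
HOSTS = {"esx01": "6.5.0", "esx02": "6.7.0", "esx03": "6.7.0"}


def deployment_specs(xml_text):
    """Return (hostVersion pattern, ovfUrl) pairs from the service definition."""
    root = ET.fromstring(xml_text)
    return [(s.findtext("hostVersion"), s.findtext("ovfUrl"))
            for s in root.findall("versionedDeploymentSpec")]


def unmatched_hosts(specs, hosts):
    """Hosts whose ESXi version matches no hostVersion pattern. NSX has no DSVA
    to deploy there, so those hosts would lose protection after the upgrade."""
    return sorted(h for h, v in hosts.items()
                  if not any(fnmatch.fnmatch(v, pat) for pat, _ in specs))


def add_spec(xml_text, host_version):
    """Add one versionedDeploymentSpec that reuses the OVF already in the definition,
    which is the post's fix: same DSVA file, new host version entry (e.g. 6.7.*)."""
    root = ET.fromstring(xml_text)
    ovf = root.findtext("versionedDeploymentSpec/ovfUrl")
    spec = ET.SubElement(root, "versionedDeploymentSpec")
    ET.SubElement(spec, "hostVersion").text = host_version
    ET.SubElement(spec, "ovfUrl").text = ovf
    ET.SubElement(spec, "vmciEnabled").text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = unmatched_hosts(deployment_specs(SERVICE_XML), HOSTS)
    after = unmatched_hosts(deployment_specs(add_spec(SERVICE_XML, "6.7.*")), HOSTS)
    print("unprotected before:", before, "after:", after)
```

Run it against the real service definition exported from NSX and the host list from vCenter to see which hosts would be left without a DSVA after the upgrade.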
The complicated topic turned out to be quite simple to work around. What’s new in DSM 11? Increased integration with AWS, Docker and Kubernetes, and finally we can use a PostgreSQL database. There is not much change in the interface; the most interesting addition is the new menu with news:
Version 11.1 supports vSphere 6.7 with NSX 6.4.1.