Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at:
http://www.trendmicro.com/download
Trend Micro, the Trend Micro t-ball logo, Deep Security, Control Server Plug-in, Damage Cleanup Services, eServer Plug-in, InterScan, Network VirusWall, ScanMail, ServerProtect, and TrendLabs are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Document version: 1.0
Document number: APEM95811/121212
Release date: Jan 2013
Document generated: Feb 1, 2013 (12:58:25)
Deep Security 9 Installation Guide
Table of Contents
Introduction
  About Deep Security
  What's New in Deep Security 9
  Agent-Based Protection Models
  Agentless Protection Models
  Hybrid Protection Models
Installation
  What you will Need
  System Requirements
  Preparing a VMware Environment for Agentless Protection
  Install a Database for Deep Security
  Installing a Database for Deep Security (Multi-Tenancy Requirements)
  Install Deep Security Manager
  Installing the Deep Security Relay
  Preparing ESXi for Deep Security Virtual Appliance Deployment
  Deploying the Deep Security Virtual Appliance
  Automatically Deploying an Appliance for Stateless ESXi
  Install Deep Security Agents
  Installing the Deep Security Notifier
  Enable Multi-Tenancy
  Multi-Tenancy (Advanced)
  Configure vCloud for Integration with Deep Security
  Configure Amazon EC2 Resources for Integration with Deep Security
Upgrading
  Upgrade Scenarios
  Upgrading from DS 8.0 SP2 with Agentless Anti-Malware Protection (Includes upgrading ESXi 4.1 to 5.x)
  Upgrading from DS 8.0 with Agentless FW and DPI Only (Upgrading from ESXi 4.1 to 5.0)
  Upgrading from Deep Security 8.0 with In-guest Agent-Based Protection Only
  Upgrade Deep Security Agents
  Upgrade the Deep Security Notifier
Quick Start
  Quick Start: System Configuration
  Quick Start: Protecting a Server
  Import Deep Security Software
  Configuring the Deep Security Relay
Appendices
  Supported Features by Platform
  Deep Security Manager Settings Properties File
  Deep Security Manager Memory Usage
  Deep Security Virtual Appliance Memory Usage
  Performance Features
  Creating an SSL Authentication Certificate
  Minimum VMware Privileges for DSVA Deployment
  Uninstalling Deep Security
  Frequently Asked Questions
  Troubleshooting
Introduction
About Deep Security
Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise
applications and data from breaches and business disruptions without requiring emergency patching. This
comprehensive, centrally managed platform helps you simplify security operations while enabling regulatory
compliance and accelerating the ROI of virtualization and cloud projects. The following tightly integrated
modules easily expand the platform to ensure server, application, and data security across physical, virtual, and
cloud servers, as well as virtual desktops.
Protection Modules
Anti-Malware
Integrates with VMware environments for agentless protection, or provides an agent to defend physical
servers and virtual desktops in local mode.
Integrates new VMware vShield Endpoint APIs to provide agentless anti-malware protection for VMware
virtual machines with zero in-guest footprint. Helps avoid security brown-outs commonly seen in full system
scans and pattern updates. Also provides agent-based anti-malware to protect physical servers, Hyper-V and
Xen-based virtual servers, public cloud servers as well as virtual desktops in local mode. Coordinates
protection with both agentless and agent-based form factors to provide adaptive security to defend virtual
servers as they move between the data center and public cloud.
Web Reputation
Strengthens protection against web threats for servers and virtual desktops.
Integrates with the Trend Micro™ Smart Protection Network™ web reputation capabilities to safeguard users
and applications by blocking access to malicious URLs. Provides same capability in virtual environments in
agentless mode through the same virtual appliance that also delivers agentless security technologies for greater
security without added footprint.
Integrity Monitoring
Detects and reports malicious and unexpected changes to files and systems registry in real time. Now
available in agentless form factor.
Provides administrators with the ability to track both authorized and unauthorized changes made to the
instance. The ability to detect unauthorized changes is a critical component in your cloud security strategy as it
provides the visibility into changes that could indicate the compromise of an instance.
Intrusion Prevention
Shields known vulnerabilities from unlimited exploits until they can be patched.
Helps achieve timely protection against known and zero-day attacks. Uses vulnerability rules to shield a known
vulnerability -- for example those disclosed monthly by Microsoft -- from an unlimited number of exploits.
Offers out-of-the-box vulnerability protection for over 100 applications, including database, web, email and
FTP servers. Automatically delivers rules that shield newly discovered vulnerabilities within hours, and can be
pushed out to thousands of servers in minutes, without a system reboot.
Defends against web application vulnerabilities
Enables compliance with PCI Requirement 6.6 for the protection of web applications and the data that they
process. Defends against SQL injection attacks, cross-site scripting attacks, and other web application
vulnerabilities. Shields vulnerabilities until code fixes can be completed.
Identifies malicious software accessing the network
Increases visibility into, or control over, applications accessing the network. Identifies malicious software
accessing the network and reduces the vulnerability exposure of your servers.
Firewall
Decreases the attack surface of your physical and virtual servers.
Centralizes management of server firewall policy using a bi-directional stateful firewall. Supports virtual
machine zoning and prevents Denial of Service attacks. Provides broad coverage for all IP-based protocols and
frame types as well as fine-grained filtering for ports and IP and MAC addresses.
Log Inspection
Provides visibility into important security events buried in log files.
Optimizes the identification of important security events buried in multiple log entries across the data center.
Forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and
archiving. Leverages and enhances open-source software available at OSSEC.
Deep Security Components
Deep Security consists of the following set of components that work together to provide protection:
• Deep Security Manager, the centralized Web-based management console which administrators use
to configure security policy and deploy protection to the enforcement components: the Deep Security
Virtual Appliance and the Deep Security Agent.
• Deep Security Virtual Appliance is a security virtual machine built for VMware vSphere
environments that provides Anti-Malware, Intrusion Prevention, Integrity Monitoring, Firewall, Web
Application Protection and Application Control protection.
• Deep Security Agent is a security agent deployed directly on a computer which can provide
Intrusion Prevention, Firewall, Web Application Protection, Application Control, Integrity
Monitoring and Log Inspection protection.
• Deep Security Relay: The Deep Security Relay delivers updates to the Agents and Virtual
Appliances. The Relay has an embedded Agent to provide local protection on the host machine.
• Deep Security Notifier: The Deep Security Notifier is a Windows System Tray application that
communicates the state of the Deep Security Agent and Deep Security Relay on local computers.
Deep Security Manager
Deep Security Manager ("the Manager") is a powerful, centralized web-based management system that allows
security administrators to create and manage comprehensive security policies and track threats and preventive
actions taken in response to them. Deep Security Manager integrates with different aspects of the datacenter
including VMware vCenter and Microsoft Active Directory, and has a web services API for integration with
datacenter automation environments.
Policies
Policies are templates that specify the settings and security rules to be configured and enforced automatically
for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive
security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide
range of common computer configurations.
Dashboard
The customizable, web-based UI makes it easy to quickly navigate and drill down to specific information. It
provides:
• Extensive system, event and computer reporting, with drill-down capabilities
• Graphs of key metrics with trends, with drill-down
• Detailed event logs, with drill-down
• Ability to save multiple personalized dashboard layouts
Built-in Security
Role-based access allows multiple administrators (Users), each with different sets of access and editing rights,
to edit and monitor different aspects of the system and receive information appropriate to them. Digital
signatures are used to authenticate system components and verify the integrity of rules. Session encryption
protects the confidentiality of information exchanged between components.
Deep Security Virtual Appliance
The Deep Security Virtual Appliance runs as a VMware virtual machine and protects the other virtual
machines on the same ESX Server, each with its own individual security policy.
Deep Security Agent
The Deep Security Agent ("the Agent") is a high performance, small footprint, software component installed
on a computer to provide protection.
Deep Security Relay
The Deep Security Relay is a server which relays Deep Security Updates from the Trend Micro global update
server to the Deep Security system. By using Relays you can improve performance by distributing the task of
delivering updates to the Manager, Appliances, and Agents of your Deep Security installation.
Deep Security Notifier
The Deep Security Notifier is a Windows System Tray application that communicates the state of the Deep
Security Agent and Deep Security Relay to client machines. The Notifier displays popup user notifications
when the Deep Security Agent begins a scan, or blocks malware or access to malicious web pages. The
Notifier also provides a console utility that allows the user to view events and configure whether popups are
displayed. The Notifier has a small footprint on the client machine, requiring less than 1MB of disk space and
1MB of memory.
What's New in Deep Security 9
Multi-Tenancy
Multi-Tenancy lets you create independent installations of Deep Security within your enterprise. You can
create Deep Security Tenancies for individual departments or lines of business within your organization. Each
Tenant has access to all the functionality of Deep Security except core system settings. Tenants are responsible
for the creation and management of their own assets, Users, Policies and Rules independently of other Tenants.
No Tenant's assets or security components are visible to any other Tenants. Each Tenancy is independent and
isolated from every other Tenancy.
Multi-Level Policy Inheritance
Deep Security now supports multiple levels of policy inheritance. A newly created policy can be configured to
inherit all or some of its settings from a parent policy. This lets you create a tree structure of security policies
which get progressively more granular and detailed. For example, you can create a parent policy called
"Windows Server" and two child policies, "Windows Server 2008" and "Windows Server 2003", which inherit
from their parent policy. Each of those child policies can in turn have child policies of their own for different
editions of Windows Server:
Child Policies can inherit all their settings from their parent Policy, or specific settings can be overridden.
Protection of Virtual Machines deployed on VMware vCloud and Amazon EC2 Infrastructure
Deep Security now provides support for virtual machines deployed in VMware vCloud and Amazon EC2
environments. This support includes:
• discovery and synchronization of virtual datacenter organizational views or provider based virtual
datacenter views
• identification and management of VM instances in the cloud environment
• activation and Policy assignment for VMs in the cloud environment and their clones to enable
auto-scaling.
• service catalog support in the vCloud Director
• dashboard/Alerts/reporting based on a Tenant's particular vDataCenter configuration
Improved performance and efficiency of Malware scans in both Agent-based and Agentless environments
On Windows Agents, the Quick Scan option carries out a fast high level scan of areas that are most commonly
at risk of infection. In Agentless environments, Malware scanning has been optimized to prevent multiple
scans of resources shared across virtual machines.
Full IPv6 Support
IPv6 is now supported by the Deep Security Firewall and Intrusion Prevention modules. Existing Rules will be
applied to both IPv4 and IPv6 traffic. New Rules can be created that apply to IPv4, IPv6, or both.
Agentless Recommendation Scans
Recommendations Scans can now be performed on virtual machines being protected by a Deep Security
Virtual Appliance. Intrusion Prevention and Integrity Monitoring Rules can be automatically assigned based on
the result of a recommendation scan and Firewall Rules can be automatically assigned based on the result of a
scan for open ports.
Improvements to the automation of Agent installation, activation, and Policy assignment
Scripting support has been added to Deep Security to allow the automated deployment and activation of
Agents. Upon activation, Agents can automatically run a recommendation scan and assign rules based on the
results.
Improved control of Event-based Tasks for discovered assets.
Tasks such as Policy, Rule, and Group assignment can be automatically carried out on newly discovered assets
based on their hostnames, IPs, Tenancy ID, Tenancy Template, Instance Type, or other cloud asset properties.
Support for VMware Trusted Platform Module (TPM) on ESXi.
VMware™ TPM™ is a hardware-based encryption module attached to an ESXi used to generate and sign
information generated during the ESX boot sequence. A change to the TPM signature indicates that the ESX
boot sequence has changed which could represent an attack (a change that replaces or alters a critical
component in the hypervisor). The Deep Security Integrity Monitoring module can monitor TPM signatures
and raise Alerts if changes are detected.
Agent-Based Protection Models
Single-Tenant installation
The following diagram illustrates a single Deep Security Manager managing three physical machines and six
virtual machines in a VMware vCenter. The vCenter has not been imported into the Deep Security Manager.
All the computers have been added to the Deep Security manager from the local network. They are all being
protected by in-guest Agents.
To implement this Agent-based protection model:
1. Review What you will Need (page 21) and System Requirements (page 27) information.
2. Install a Database for Deep Security (page 33)
3. Install Deep Security Manager (page 38)
4. Install a Deep Security Relay (page 42)
5. Install Deep Security Agents (page 56)
6. Enable Protection on your virtual machines. See Quick Start: Protecting a Server (page 106).
Multi-Tenancy installation with Agent-Based Protection
The following diagram illustrates multiple Deep Security Manager Tenants managing physical and virtual
machines. The VMs have been imported into the Tenant's Deep Security Managers independently of the
vCenter and all computers are being protected by in-guest Agents.
To implement this Agentless protection model:
1. Review What you will Need (page 21) and System Requirements (page 27) information.
2. Install a Database for Deep Security (page 33)
3. Install Deep Security Manager (page 38)
4. Enable Multi-Tenancy (page 68)
5. Install a Deep Security Relay (page 42)
6. Install Deep Security Agents (page 56)
7. Tenants must enable protection on their managed computers. See Quick Start: Protecting a Server
(page 106).
Agentless Protection Models
Single-Tenant installation with VMware vCenter
The following diagram illustrates a Deep Security Manager managing the virtual machines in a VMware
vCenter.
The vCenter has been imported into the Deep Security Manager and the VMs are being protected Agentlessly
by the Deep Security Virtual Appliances (DSVAs) running on each ESXi. Deep Security Manager is deployed
without Multi-Tenancy, and a single Deep Security Manager has been used to prepare and activate the DSVAs
on the ESXi and to activate the VMs.
To implement this Agentless protection model:
1. Review What you will Need (page 21) and System Requirements (page 27) information.
2. Prepare a VMware Environment for Agentless Protection (page 30)
3. Deploy the Deep Security environment
   1. Install a Database for Deep Security (page 33)
   2. Install Deep Security Manager (page 38)
   3. Install the Deep Security Relay (page 42)
   4. Prepare ESXi for Deep Security Virtual Appliance Deployment (page 45)
   5. Deploy the Deep Security Virtual Appliance (page 47)
   6. Installing the Deep Security Notifier (page 67)
4. Enable Protection on your virtual machines. See Quick Start: Protecting a Server (page 106).
Multi-Tenancy installation with VMware vCenter
The following diagram illustrates a Multi-Tenancy Deep Security installation where Multi-Tenancy has been
enabled, and each Tenant has imported a vCenter into their Deep Security Manager and are in full control of
the vCenter including the management of DSVAs on the host ESXi's.
In this diagram the Deep Security Manager has Multi-Tenancy enabled but the primary Tenant T0 has not
imported a vCenter. The vCenters have been imported by the T1 and T2 Deep Security Tenants.
To implement this Agentless protection model:
1. Review What you will Need (page 21) and System Requirements (page 27) information.
2. Prepare a VMware Environment for Agentless Protection (page 30)
3. Deploy the Deep Security environment
   1. Install a Database for Deep Security (page 33)
   2. Install Deep Security Manager (page 38)
   3. Enable Multi-Tenancy (page 68)
   4. Install the Deep Security Relay (page 42)
   5. Prepare ESXi for Deep Security Virtual Appliance Deployment (page 45)
   6. Deploy the Deep Security Virtual Appliance (page 47)
   7. Installing the Deep Security Notifier (page 67)
4. Enable Protection on your virtual machines. See Quick Start: Protecting a Server (page 106).
Multi-Tenancy installation with VMware vCenter with Private vCloud
The following diagram illustrates a Multi-Tenancy installation in which Tenants have been given access to the
VMs in a vCloud Organization.
In this situation, the Primary Deep Security Tenant, T0, manages the vCenter and the deployment and
management of DSVAs. The Tenants are not managing the DSVAs on the host ESXi's. In their Deep Security
manager consoles, they see the VMs in the vCloud Organization which they've added as a "Cloud Account" but
not the ESXi hosts or the DSVAs. The VMs to be protected in the vCloud Organization are activated and their
protection is managed by the Tenants.
To implement this Agentless protection model:
1. Review What you will Need (page 21) and System Requirements (page 27) information.
2. Prepare a VMware Environment for Agentless Protection (page 30)
3. Integrate Deep Security with VMware vCloud (page 81)
4. Deploy the Deep Security environment
   1. Install a Database for Deep Security (page 33)
   2. Install Deep Security Manager (page 38)
   3. Enable Multi-Tenancy (page 68)
   4. Install the Deep Security Relay (page 42)
   5. Prepare ESXi for Deep Security Virtual Appliance Deployment (page 45)
   6. Deploy the Deep Security Virtual Appliance (page 47)
   7. Configure vCloud for Integration with Deep Security (page 81)
   8. Install the Deep Security Notifier (page 67)
5. Enable Protection on your virtual machines. See Quick Start: Protecting a Server (page 106).
Hybrid Protection Models
Multi-Tenancy installation in hybrid environment (VMware vCenter with vCloud private cloud, Amazon and vCloud public clouds)
The following diagram illustrates a Multi-Tenancy installation of Deep Security in a hybrid environment in
which the Tenants in a single Deep Security installation are managing the security of a variety of resources.
Tenant T1 is managing the security of the VMs in Org 1 of a private vCloud (which are being protected
agentlessly by the DSVA, managed by Primary user T0, installed on the ESXi hosting the VM in the private
vCenter), and a VM from a public Amazon cloud account (which is protected by an Agent installed and
managed by Tenant T1).
Tenants T2 and T3 are managing the security of the VMs in Org 1 of a private vCloud, which are being
protected agentlessly by the DSVA, managed by Primary user T0, installed on the ESXi hosting the VM in the
private vCenter.
Tenant T4 is managing the security of the VMs from a second vCenter. T4 has imported the vCenter and is
managing the deployment of the DSVA on the host ESXi's as well as the security of the VMs.
Tenant T5 is only managing the security of VMs from public clouds.
To implement any of the sections of this hybrid model, see Agentless Protection Models (page 15) and
Agent-Based Protection Models (page 13).
Installation
What you will Need
This section describes what you will need for a successful Deep Security Deployment.
Deep Security Installer Packages
There are Deep Security Agent packages available for several types of operating systems. Download a Deep
Security Agent install package for each type of computer that you need to protect.
Place the install packages for the Deep Security Manager, the Deep Security Relay, the Deep Security Virtual
Appliance, and the Deep Security Filter Driver in the same folder from which you will run the Deep Security
Manager installer. This way the Deep Security Manager will automatically import the Relays, Agents, Virtual
Appliance, and the Filter Driver during installation. (If the Deep Security manager finds a Relay in the folder, it
will offer you the option of installing a Relay along with the Deep Security Manager.)
License (Activation Codes)
You will require Deep Security Activation Codes for the protection modules and a separate Activation Code
for Multi-Tenancy if you intend to implement it.
(VMware Licenses will also be required for VMware components.)
Administrator/Root Privileges
You need to have Administrator/Root privileges on the computers on which you will install Deep Security
software components.
Available Ports
On the Deep Security Manager Host Machine
You must make sure the following ports on the machine hosting Deep Security Manager are open and not
reserved for other purposes:
• Port 4120: The "heartbeat" port, used by Deep Security Agents and Appliances to communicate with
Deep Security Manager (configurable).
• Port 4119: Used by your browser to connect to Deep Security Manager. Also used for
communication from ESXi and requests for Security Updates by the DSVA (configurable).
• Port 1521: bi-directional Oracle Database server port.
• Ports 1433 and 1434: bi-directional Microsoft SQL Server Database ports.
• Ports 389, 636, and 3268: connection to an LDAP Server for Active Directory integration
(configurable).
• Port 25: communication to a SMTP Server to send email alerts (configurable).
• Port 53: for DNS Lookup.
• Port 514: bi-directional communication with a Syslog server (configurable).
Note: For more details about how each of these ports are used by Deep Security, see Ports Used by
Deep Security in the Reference section of the online help or the Administrator's Guide.
On the Deep Security Relay, Agents, and Appliances
You must make sure the following ports on the machine hosting Deep Security Relay are open and not reserved
for other purposes:
• Port 4122: Relay to Agent/Appliance communication.
• Port 4118: Manager-to-Agent communication.
• Port 4123: Used for internal communication. Should not be open to the outside.
• Port 80, 443: connection to Trend Micro Update Server and Smart Protection Server.
• Port 514: bi-directional communication with a Syslog server (configurable).
The Deep Security Manager automatically implements specific Firewall Rules to open the required
communication ports on machines hosting Deep Security Relays, Agents and Appliances.
Network Communication
Communication between Deep Security Manager and Deep Security Relays/Agents/Appliances and
hypervisors uses DNS hostnames by default. In order for Deep Security Agent/Appliance/Relay deployments
to be successful, you must ensure that each computer can resolve the hostname of the Deep Security Manager.
This may require that the Deep Security Manager computer have a DNS entry or an entry in the Relay/Agent/
Appliance computer's hosts file.
Note: You will be asked for this hostname as part of the Deep Security Manager installation procedure.
If you do not have DNS, enter an IP address during the installation.
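A pre-flight check for the Manager host, added here as an example (it is not part of the Trend Micro guide or product): it tests whether the default Manager port 4119 and heartbeat port 4120 are already held by another process, and whether the Manager address you plan to enter is an IP address or a name that resolves. The function names are this example's own, and treating only 4119 and 4120 as local listening ports is an assumption drawn from the port descriptions in this guide.

```python
import ipaddress
import socket

# Ports the guide describes Deep Security Manager as listening on (defaults, both configurable).
MANAGER_LISTEN_PORTS = {
    4119: "Manager port: browser UI, ESXi and DSVA requests",
    4120: "Heartbeat port: Agents and Appliances to Manager",
}


def port_is_free(port, bind_addr="0.0.0.0"):
    """Return True if a TCP listener can be bound, i.e. no other service holds the port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # SO_REUSEADDR is deliberately not set: the bind must fail if the port is taken.
        probe.bind((bind_addr, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def classify_manager_address(address):
    """Classify the value to be entered as the Manager address.

    Returns ("ip", [addr]) for an IP literal, ("dns", [addrs]) for a name that
    resolves from this machine, and ("unresolved", []) otherwise.
    """
    try:
        return "ip", [str(ipaddress.ip_address(address))]
    except ValueError:
        pass  # not an IP literal, fall through to name resolution
    try:
        infos = socket.getaddrinfo(address, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return "unresolved", []
    return "dns", sorted({info[4][0] for info in infos})


def preflight(manager_address, ports=MANAGER_LISTEN_PORTS, bind_addr="0.0.0.0"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for port, purpose in sorted(ports.items()):
        if not port_is_free(port, bind_addr):
            findings.append(f"port {port} in use ({purpose})")
    kind, _addrs = classify_manager_address(manager_address)
    if kind == "unresolved":
        findings.append(
            f"{manager_address!r} does not resolve; add a DNS or hosts entry, "
            "or install with an IP address"
        )
    return findings


if __name__ == "__main__":
    # "dsm.example.internal" is a constructed placeholder hostname.
    for finding in preflight("dsm.example.internal") or ["all checks passed"]:
        print(finding)
```

Run it on the intended Manager host before installation; run `classify_manager_address` on a Relay or Agent computer as well, since resolution has to work from there too.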
Reliable Time Stamps
All computers on which Deep Security Software is running should be synchronized with a reliable time source.
For example, regularly communicating with a Network Time Protocol (NTP) server.
Performance Recommendations
The following guidelines provide a general idea of the infrastructure requirements for Deep Security
deployments of different scales.
Deep Security Manager and Database Hardware
Many Deep Security Manager operations (such as Updates and Recommendation Scans) require high CPU and
Memory resources. Trend Micro recommends that each Manager node have four cores and sufficient RAM in
high scale environments.
The Database should be installed on hardware that is equal to or better than the specifications of the best Deep
Security Manager node. For the best performance the database should have 8-16GB of RAM and fast access to
the local or network attached storage. Whenever possible a database administrator should be consulted on the
best configuration of the database server and a maintenance plan should be put in effect.
Multiple Deep Security Manager Nodes
You may want to prepare more than one machine for Deep Security Manager installation. In a production
environment, multiple Deep Security Manager nodes connected to a single database can be set up to provide
load balancing and recovery services.
Dedicated Servers
The Deep Security Manager and the database can be installed on the same computer if your final deployment is
not expected to exceed 1000 computers (real or virtual). If you think you may exceed 1000 computers, the
Deep Security Manager and the database should be installed on dedicated servers. It is also important that the
database and the Deep Security Manager be co-located on the same network with a 1GB LAN connection to
ensure unhindered communication between the two. The same applies to additional Deep Security Manager
Nodes: dedicated, co-located servers. A two millisecond latency or better is recommended for the connection
from the Manager(s) to the Database.
Note: It is a good idea to run multiple Manager Nodes for redundancy reasons, whether you have 1000
managed computers or not.
High Availability Environments
If you use VMware's High Availability (HA) features, make sure that the HA environment is established before
you begin installing Deep Security. Deep Security must be deployed on all ESXi hypervisors (including the
ones used for recovery operations). Deploying Deep Security on all hypervisors will ensure that protection
remains in effect after a HA recovery operation.
Note: When a Virtual Appliance is deployed in a VMware environment that makes use of the VMware
Distributed Resource Scheduler (DRS), it is important that the Appliance does not get vMotioned
along with the virtual machines as part of the DRS process. Virtual Appliances must be "pinned"
to their particular ESXi host. You must actively change the DRS settings for all the Virtual
Appliances to "Manual" or "Disabled" (recommended) so that they will not be vMotioned by the
DRS. If a Virtual Appliance (or any virtual machines) is set to "Disabled", vCenter Server does
not migrate that virtual machine or provide migration recommendations for it. This is known as
"pinning" the virtual machine to its registered host. This is the recommended course of action for
Virtual Appliances in a DRS environment. An alternative is to deploy the Virtual Appliance onto
local storage as opposed to shared storage. When the Virtual Appliance is deployed onto local
storage it cannot be vMotioned by DRS. For further information on DRS and pinning virtual
machines to a specific ESXi host, please consult your VMware documentation.
Note: If a virtual machine is vMotioned by DRS from an ESXi protected by a DSVA to an ESXi that is
not protected by a DSVA, the virtual machine will become unprotected. If the virtual machine is
subsequently vMotioned back to the original ESXi, it will not automatically be protected again
unless you have created an Event-based Task to activate and protect computers that have been
vMotioned to an ESXi with an available DSVA. For more information, see the Event-Based Tasks
sections of the online help or the Administrator's Guide.
Multi-Tenancy
Multi-Tenancy lets you create multiple distinct management environments using a single Deep Security
Manager and database server installation. It fully isolates the settings, Policies, and Events for each Tenant and
makes use of a number of additional infrastructure scaling options.
Multi-Tenancy was designed to provide segmentation for business units within an organization and facilitate
testing in staging environments prior to full production deployments. It also allows the provision of Deep
Security to customers within a service model.
When the Deep Security Manager is first installed, it is the one-and-only Tenant. After activating multi-
tenancy, the initial Deep Security Manager becomes the "Primary Tenant" (T0). You can subsequently create
additional Tenants but the Primary Tenant remains special. It manages and has control over the other tenants
and can't be deleted. (See Multi-Tenancy (page 68) for more information.)
The requirements for Deep Security Multi-Tenancy are:
• Deep Security Manager 9
• Oracle Database or Microsoft SQL Server
• The necessary database account privileges for database create/delete operations. (See Multi-Tenancy
(Advanced) (page 78).)
• Multi-Tenant Activation Code
Optional but recommended:
• Multi-node Manager (more than one Deep Security Manager node pointed to the same database for
scalability)
• SMTP server
Architecture
Note: In SQL Server the data store for a Tenant is called a "database". In Oracle, the term is "User/
Tablespace". This section uses the term "database" but the information applies to both SQL
Server and Oracle.
Multi-Tenancy in Deep Security Manager operates similarly to a hypervisor. Multiple Tenants exist within the
same Deep Security Manager installation but their data is highly isolated. All Manager Nodes process GUI,
Heartbeat or Job requests for any Tenant. For the background processing each Tenant is assigned a Manager
Node that takes care of job queuing, maintenance and other background tasks. The assigned Manager node is
automatically rebalanced when manager nodes are added or taken offline. The majority of each Tenant's data is
stored in a separated database. This database may co-exist on the same database server as other Tenants, or can
be isolated onto its own database server. In all cases some data only exists in the primary database (the one
Deep Security Manager was installed with). When multiple database servers are available, Tenants are created
on the database server with the least amount of load.
| | Single Tenant | Multi-Tenant |
|---|---|---|
| Managed computers | 100,000 | 1,000,000 or more |
| Deep Security Manager Nodes | 1-5 | 1-50 |
| Databases | 1 | 1-10,000 |
| Database Servers | 1 (With or without replication) | 1-100 |
Once Multi-Tenancy has been enabled, the Primary Tenant retains all of the capabilities of a regular installation
of Deep Security Manager. However, subsequently created Tenants can have their access to Deep Security
functionality restricted to varying degrees based on various configuration options set in the Administration
section of the Primary Tenant's Deep Security Manager.
The segmentation of each Tenant's data into a database provides additional benefits:
• Data destruction: Deleting a Tenant removes all traces of that Tenant's data (Supported in the
product)
• Backup: Each Tenant's data can be subject to different backup policies. This may be useful for
something like tenancy being used for staging and production where the staging environment requires
less stringent backups (Backups are the responsibility of the administrator setting up Deep Security
Manager)
• Balancing: The potential for future re-balancing to maintain an even load on all database servers
System Requirements
Deep Security Manager
• Memory: 8GB, which includes:
  ◦ 4GB heap memory
  ◦ 1.5GB JVM overhead
  ◦ 2GB operating system overhead
• Disk Space: 1.5GB (5GB recommended)
• Operating System: Microsoft Windows 2012 (64-bit), Windows Server 2008 (64-bit), Windows
Server 2008 R2 (64-bit), Windows 2003 Server SP2 (64-bit), Red Hat Linux 5/6 (64-bit)
• Database: Oracle 11g, Oracle 10g, Microsoft SQL Server 2012 (All Service Packs), Microsoft SQL
Server 2008 (All Service Packs)
• Web Browser: Firefox 12+, Internet Explorer 8.x, Internet Explorer 9.x, Internet Explorer 10.x,
Chrome 20+, Safari 5+. (Cookies must be enabled in all browsers.)
Deep Security Agent
• Memory:
  ◦ with Anti-Malware protection: 512MB
  ◦ without Anti-Malware protection: 128MB
• Disk Space: 500MB (1GB recommended with Anti-Malware protection enabled)
• Windows: Windows 8 (32-bit and 64-bit), Windows Server 2012 (64-bit), Windows 7 (32-bit and
64-bit), Windows Server 2008 R2 (64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Vista
(32-bit and 64-bit), Windows Server 2003 SP1 (32-bit and 64-bit) with patch "Windows Server 2003
Scalable Networking Pack", Windows Server 2003 SP2 (32-bit and 64-bit), Windows Server 2003 R2
SP2 (32-bit and 64-bit), Windows XP (32-bit and 64-bit)
• Solaris: Solaris 9, 10, 11 (64-bit Sparc), Solaris 10 and 11, (64-bit x86)
• Linux: Red Hat 5 (32-bit and 64-bit), Red Hat 6 (32-bit and 64-bit), Oracle Linux 5 (32-bit and
64-bit), Oracle Linux 6 (32-bit and 64-bit), SuSE 10 (32-bit and 64-bit), SuSE 11 (32-bit and 64-bit),
Ubuntu 10.04 LTS (64-bit), Ubuntu 12.04 LTS (64-bit), CentOS 5 (32-bit and 64-bit), CentOS 6
(32-bit and 64-bit), Amazon Linux (32-bit and 64-bit).
(Agent-based Anti-Malware is not supported on 32-bit versions of Linux)
• AIX: AIX 5.3, 6.1 (The AIX Agents do not support Anti-Malware or Web Reputation protection.)
• HP-UX: 11i v3 (11.31) (The HP-UX Agents only support Integrity Monitoring and Log Inspection.)
Note: Windows Agents running on Windows XP or Windows 2003 will not function in an IPv6
environment.
Deep Security Relay
• Memory: 512MB
• Disk Space: 500MB (1GB recommended with Anti-Malware protection enabled)
• Windows: Windows 8 (32-bit and 64-bit), Windows 7 (32-bit and 64-bit), Windows Server 2012
(64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Server 2008 R2 (64-bit), Windows Vista
(32-bit and 64-bit), Windows Server 2003 SP2 (32-bit and 64-bit), Windows Server 2003 R2 (32-bit
and 64-bit), Windows XP (32-bit and 64-bit)
• Linux: Red Hat 5 (64-bit), Red Hat 6 (64-bit), CentOS 5 (64-bit), CentOS 6 (64-bit)
Deep Security Virtual Appliance
• Memory: 2GB (Memory requirements can vary depending on the number of VMs being protected.)
• Disk Space: 20GB
• Operating System: VMware vCenter 5.x, and ESXi 5.x
Note: For a list of which features are supported on versions 5.0 and 5.1, see Supported
Features by Platform (page 118).
• Additional VMware Utilities: VMware Tools, VMware vShield Manager 5.x, VMware vShield
Endpoint Security 5.x (ESXi5 patch ESXi500-201109001 or later for vShield Endpoint Driver).
• VMware Endpoint Protection supported guest platforms: Windows 7 (32-bit and 64-bit),
Windows Vista (32-bit and 64-bit), Windows XP SP2 (32-bit and 64-bit), Windows Server 2003 SP2
(32-bit and 64-bit), Windows Server 2003 R2 (32-bit and 64-bit), Windows Server 2008 (32-bit and
64-bit), Windows Server 2008 R2 (64-bit). (For the latest list of supported guest platforms, see your
VMware documentation.)
ESXi Requirements for the Deep Security Virtual Appliance
In addition to the ESXi standard system requirements, the following specifications must be met:
• CPU: 64-bit, Intel-VT present and enabled in BIOS.
• Supported vSwitch: standard vSwitch or 3rd party vSwitch - Cisco Nexus 1000v
TPM hypervisor integrity monitoring requires ESXi 5.1, and is not supported on ESXi 5.0.
Note: A virtualized ESXi environment (hypervisor running as a VM) is not supported.
Deep Security Notifier System Requirements
• Windows: Windows 8 (32-bit and 64-bit), Windows 7 (32-bit and 64-bit), Windows Server 2012
(64-bit, non-core), Windows Server 2008 R2 (64-bit), Windows Server 2008 (32-bit and 64-bit),
Windows Vista (32-bit and 64-bit), Windows Server 2003 SP1 (32-bit and 64-bit) with patch
"Windows Server 2003 Scalable Networking Pack", Windows Server 2003 SP2 (32-bit and 64-bit),
Windows Server 2003 R2 SP2 (32-bit and 64-bit), Windows XP (32-bit and 64-bit)
Note: On VMs protected by a Virtual Appliance, the Anti-Malware module must be licensed and
enabled on the VM for the Deep Security Notifier to display information.
Preparing a VMware Environment for Agentless Protection
The following describes a Deep Security deployment in a typical VMware environment.
Two ESXi Hosts are required:
• Host A: is an ESXi hypervisor on which are running individual virtual machines (VMs) for Deep
Security Manager 9.0, vShield Manager 5.x, and vCenter Server 5.x. Optionally, Trend Micro Smart
Protection Server and Deep Security Relay can be installed on virtual machines on Host A. An
additional virtual machine can also be provided for a second Deep Security Manager node. One VM
should also be provided for installing the Deep Security Database.
• Host B: is an ESXi hypervisor on which are running Deep Security Virtual Appliance (DSVA) and
the VMs requiring protection.
Note: The vCenter Server, the vShield Manager and the Deep Security Manager are installed on a
separate ESXi because the protected ESXi must be restarted during the course of Deep Security
deployment. Also note that the Deep Security database is not shown in this diagram. It also can
be installed on a physical machine or on a VM.
Required Resources Checklist
| Check | Software Requirements | Notes |
|---|---|---|
| | VMware vCenter 5.x | Includes vCenter Server and vCenter Client GUI application. License is required during product installation. |
| | VMware vShield Manager 5.x | License is required during product installation. |
| | Trend Micro Deep Security Manager 9.0 (DSM) | License is required during product installation. |
| | VMware vShield Endpoint 5.x | Add the license to vCenter |
| | Trend Micro Deep Security Filter Driver 9.0 (FD) | |
| | Trend Micro Deep Security Virtual Appliance 9.0 (DSVA) | |
| | Supported Guest OS | vShield Endpoint drivers required on each guest VM. (Since ESXi 5 patch ESXi500-201109001, vShield Endpoint driver is included in VMware Tools). |
Install vShield Endpoint on ESXi Host B
This section lists additional tasks necessary to complete the Deep Security integration with the VMware
environment for Agentless protection.
At this point...
• The VMware Environment is already set up as described in Preparing a VMware Environment for
Agentless Protection
• Deep Security Manager (and database) is already installed
• A Deep Security Relay has been installed and configured.
VMware vShield Endpoint Deployment on ESXi Host B
1. Login to vShield Manager by browsing to https://<vSM-ip>
2. On the Settings and Reports > Configuration tab, enter your vCenter Server Information
3. In the left navigation pane, select the ESXi hypervisor to be protected by Deep Security (Host B).
4. On the Summary tab, click the Install link for the vShield Endpoint Service
5. Select the services to install/upgrade, check vShield Endpoint and click the Install button at the top
right of the screen. Click OK.
6. After installing, make sure the Service vShield Endpoint correctly displays the installed version (The
Install link will have changed to Uninstall)
Install vShield Endpoint Drivers on the VMs to be protected on ESXi Host B
On each VM to be protected agentlessly by a Deep Security Virtual Appliance
1. Install guest OS. (If using Windows 2003 Server, make sure you install Service Pack 2)
2. Make sure the guest VM has a basic disk volume. Dynamic disks are not supported. (Note: The
default installation of Windows 2003 has a basic disk volume.)
3. Install the VMware vShield Endpoint driver to this machine. The vShield Endpoint driver is
contained within the vShield Drivers in VMware Tools. (Note that vShield Drivers are not installed
by default during the installation of VMware Tools.)
   1. Launch the VMware Tools installer and select to perform an Interactive Install
   2. During VMware Tools installation, select Custom Install
   3. Expand VMware Device Drivers
   4. Expand VMCI Driver
   5. Select vShield Drivers and choose This feature will be installed on local drive.
   6. Click Yes to restart the machine.
Note: If you plan to use manual or scheduled scans be sure to turn off sleep and standby mode on the
guest virtual machines. If a guest virtual machine goes into sleep or standby mode during a scan
you will see an error indicating that the scan terminated abnormally. Virtual Machines must be in
the running state for scans to complete successfully.
Note: In a High Availability environment, you must install Deep Security Virtual Appliances on all the
ESXi hypervisors in a cluster in order to provide Agentless protection for vMotioned guests.
Install a Database for Deep Security
For Multi-Tenancy installations, see the additional requirements in Installing a Database (Multi-Tenancy
Requirements) (page 34).
For enterprise deployments, Deep Security requires Microsoft SQL Server 2012 or 2008, or Oracle Database
11g or 10g. (Deep Security Manager comes with an embedded database (Apache Derby), which is only
suitable for evaluation purposes.)
Note: You must install the database software, create a database, and create a user account (which Deep
Security Manager will use to access the database) before you install Deep Security Manager.
Account Details
Make a note of the account details used in creation of your database instance as they will be required during
the Deep Security Manager installation process.
Note: When creating a SQL Server database, the SQL Server account must be granted DB_Creator
Server Roles and DB_Owner of the Deep Security Manager Database.
Note: When creating an Oracle database, the account must be assigned the roles of CONNECT and
RESOURCE and the account must be granted privileges to CREATE TABLES, CREATE
SEQUENCES, and CREATE TRIGGERS.
Deep Security Manager Communication with SQL Server
When using named pipes to connect to a SQL Server, a properly authenticated Microsoft Windows
communication channel must be available between Deep Security Manager's host and the SQL Server host.
This may already exist if:
• the SQL Server is on the same host as Deep Security Manager,
• both hosts are members of the same domain, or
• a trust relationship exists between the two hosts.
If no such communication channel is available, Deep Security Manager will not be able to communicate to the
SQL Server over named pipes.
Installing a Database for Deep Security (Multi-Tenancy
Requirements)
Configuring Database User Accounts
SQL Server and Oracle use different terms for database concepts described below.

| | SQL Server | Oracle |
|---|---|---|
| Process where multiple Tenants execute | Database Server | Database |
| One Tenant's set of data | Database | Tablespace/User |

The following section uses the SQL Server terms for both SQL Server and Oracle.
SQL Server
Since Multi-Tenancy requires the ability for the software to create databases, the dbcreator role is required on
SQL Server. For example:
For the user role of the primary Tenant it is important to assign DB owner to the main database:
If desired, rights may be further refined to include only the ability to modify the schema and access the data.
With the dbcreator role the databases created by the account will automatically be owned by the same user.
For example here are the properties for the user after the first Tenant has been created:
To create the first account on a secondary database server, only the dbcreator server role is required. No user
mapping has to be defined.
Oracle
Multi-Tenancy in Oracle is similar to SQL Server but with a few important differences. Where SQL Server has
a single user account per database server, Oracle uses one user account per Tenant. The user that Deep Security
was installed with maps to the primary Tenant. That user can be granted permission to allocate additional users
and tablespaces.
Note: Although Oracle allows special characters in database object names if they are surrounded by
quotes, Deep Security does not support special characters in database object names. This page
on Oracle's web site describes the allowed characters in non-quoted names:
http://docs.oracle.com/cd/E14072_01/server.112/e10592/sql_elements008.htm#i27570
Note: Deep Security derives Tenant database names from the main (Primary Tenant) Oracle database.
For example, if the main database is "MAINDB", the first Tenant's database name will be
"MAINDB_1", the second Tenant's database name will be "MAINDB_2", and so on. (Keeping the
main database name short will make it easier to read the database names of your Tenants.)
If Multi-Tenancy is enabled, the following Oracle permissions must be assigned:
Tenants are created as users with long random passwords and given the following rights:
For secondary Oracle servers, the first user account (a bootstrap user account) must be created. This user will
have an essentially empty tablespace. The configuration is identical to the primary user account.
Install Deep Security Manager
Copy the Installer Packages
Copy the appropriate Deep Security Manager installer and Deep Security Relay Installer to the target machine.
Note: One or more Deep Security Relays are required for Deep Security functionality. If you intend to
install a Deep Security Relay co-located on the Deep Security Manager's computer, you should
copy a Deep Security Relay installer package to the same location as your Deep Security
Manager installer package. During the Deep Security Manager installation, the installer checks
for the Deep Security Relay package and if present and selected, will automatically continue with
the Deep Security Relay installation once the Deep Security Manager has successfully installed.
Installing the Deep Security Manager for Windows
Note: If you are installing DSM in a vCenter where you plan to protect virtual machines, the DSM must
not be installed on the same ESXi as the VMs you are planning to protect.
Only install Deep Security Manager on the same ESXi hypervisor as one that is hosting the VMs
you want to protect if that ESXi is part of an ESXi cluster. This is because installing the Deep
Security Manager will force the ESXi to go into maintenance mode. If the ESXi is part of a
cluster, the VMs, including the Deep Security Manager, will be vMotioned to another ESXi host
during this process.
1. Start the Deep Security Manager by double-clicking the installer package.
2. When the Installation Wizard appears, click Next.
3. If you agree to the terms of the license agreement, click Next.
4. Specify the folder where you would like Deep Security Manager to be installed and click Next.
Note: When selecting a folder, the installer may append the suggested folder name on the end
of the path you have selected. Review the folder entry before proceeding if you have
used the 'browse' button.
5. Specify the type of database you wish to use. If you are using an Oracle or SQL Server database, it
must be created before Deep Security Manager is installed. Enter the account details.
6. Enter your Activation Code(s). Enter the code for All Protection Modules or the codes for the
individual modules for which you have purchased a license. You can proceed without entering any
codes, but none of the Protection Modules will be available for use. (You can enter your first or
additional codes after installation of the Deep Security Manager by going to Administration >
Licenses.)
7. Enter the hostname, URL, or IP address of this computer. The Manager Address must be either a
resolvable hostname, a fully qualified domain name, or an IP address. If DNS is not available in your
environment, or if some computers are unable to use DNS, a fixed IP address should be used instead
of a hostname. Optionally, change the default communication ports: The "Manager Port" is the port
on which the Manager's browser-based UI is accessible through HTTPS. The "Heartbeat Port" is the
port on which the Manager listens for communication from the Agents/Appliances. Click Next.
8. Enter a username and password for the Master Administrator account. Selecting the Enforce strong
passwords (recommended) option requires this and future administrator passwords to include upper and
lower-case letters, non-alphanumeric characters, and numbers, and to require a minimum number of
characters. Click Next.
9. Select Automatic Updates (recommended). If selected, Deep Security Manager will automatically
retrieve the latest Components or check for new Software. (You can configure updates later using the
Deep Security Manager.) Click Next.
10. Select whether to install a co-located Deep Security Relay. (If you do not have the Deep Security
Relay installer package in the same location as the Deep Security Manager installer this step will be
bypassed.)
Note: If you choose not to install a co-located relay at this time, you can do so later by
installing a Deep Security Relay as described in Installing the Deep Security Relay
(page 42).
Click Next.
11. Select whether you want to enable Trend Micro Smart Feedback (recommended). (You can enable or
configure Smart Feedback later using the Deep Security Manager). Optionally enter your industry by
selecting from the drop-down list. Click Next.
12. Confirm Settings. Verify the information you entered and click Finish to continue.
13. Click Finish to close the Setup wizard.
The Deep Security Manager service will start when setup is complete. If you selected to install a co-located
Deep Security Relay in Step 10, the Relay installation will run silently now. The installer places a shortcut to
Deep Security Manager in the program menu. You should take note of this URL if you want to access the
Manager from a remote location.
Installing the Deep Security Manager for Linux
To install from a Linux GUI, the instructions are identical to installing the Deep Security Manager for
Windows (above).
Silent Install of Deep Security Manager
To initiate a silent install on Windows, enter the command:
Manager-Windows-<Version>.x64.exe -q -console -varfile <PropertiesFile>
To initiate a silent install on Linux, enter the command:
Manager-Linux-<Version>.x64.sh -q -console -varfile <PropertiesFile>
The "-q" setting forces install4j to execute in unattended (silent) mode.
The "-console" setting forces messages to appear in the console (stdout).
The <PropertiesFile> argument is the complete/absolute path to a standard Java properties file. Each property
is identified by its equivalent GUI screen and setting in the Windows Deep Security Manager installation
(described above). For example, the Deep Security Manager address on the "Address and Ports" screen is
specified as:
AddressAndPortsScreen.ManagerAddress=
Most of the properties in this file have acceptable defaults and may be omitted. The only required values for a
simple installation using an embedded database are:
LicenseScreen.License
CredentialsScreen.Administrator.Username
CredentialsScreen.Administrator.Password
For a complete description of available settings, see Deep Security Manager Settings Properties File (page
120).
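An added example, not part of the Trend Micro guide or installer: a helper that builds the <PropertiesFile> for a silent install from the required keys listed above, applies java.util.Properties escaping so that a password containing a backslash or a leading space is read back unchanged, and creates the file readable only by its owner because it holds the Master Administrator password in clear text. The sample values are constructed, and the example assumes the installer reads values by the standard Java properties rules, as the guide states.

```python
import os
import re

# Keys the guide lists as required for a simple install with the embedded database.
REQUIRED_KEYS = (
    "LicenseScreen.License",
    "CredentialsScreen.Administrator.Username",
    "CredentialsScreen.Administrator.Password",
)
_KEY_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # Screen.Setting style names
_CONTROL = {"\t": "\\t", "\n": "\\n", "\r": "\\r", "\f": "\\f"}


def escape_value(value):
    """Escape a value so java.util.Properties reads back exactly what was given."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\\":
            out.append("\\\\")        # a lone backslash would start an escape
        elif ch in _CONTROL:
            out.append(_CONTROL[ch])
        elif ch == " " and i == 0:
            out.append("\\ ")         # leading whitespace is otherwise stripped
        elif 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")  # one \uXXXX per UTF-16 code unit
            out.extend("\\u%04X" % int.from_bytes(units[j:j + 2], "big")
                       for j in range(0, len(units), 2))
    return "".join(out)


def build_varfile(settings):
    """Return the properties text, refusing to build it if a required value is missing."""
    missing = [key for key in REQUIRED_KEYS if not settings.get(key)]
    if missing:
        raise ValueError("missing required properties: " + ", ".join(missing))
    lines = []
    for key, value in settings.items():
        if not _KEY_RE.match(key):
            raise ValueError("unexpected characters in property name: %r" % key)
        lines.append("%s=%s\n" % (key, escape_value(str(value))))
    return "".join(lines)


def write_varfile(path, settings):
    """Write the properties file with owner-only permissions and return its path."""
    text = build_varfile(settings)
    # O_EXCL refuses to reuse an existing, possibly world-readable file. Mode 0o600
    # applies on POSIX; on Windows restrict the file with NTFS permissions instead.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii", newline="\n") as handle:
        handle.write(text)
    return path


if __name__ == "__main__":
    # Constructed sample values; replace with your own Activation Code and credentials.
    sample = {
        "LicenseScreen.License": "XX-CONSTRUCTED-ACTIVATION-CODE",
        "CredentialsScreen.Administrator.Username": "masteradmin",
        "CredentialsScreen.Administrator.Password": "Example\\Pass word1!",
    }
    print(build_varfile(sample))
```

Delete the file once the installation has finished, since the password stays in it in clear text.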
Running Deep Security Manager
The Deep Security Manager service starts automatically after installation. The service can be started, restarted
and stopped from the Microsoft Services Management Console. The service name is "Trend Micro Deep
Security Manager".
To run the Web-based management console, go to the Trend Micro program group in the Start menu and click
Deep Security Manager.
To run the Web-based management console from a remote computer you will have to make note of the URL:
https://[hostname]:[port]/
where [hostname] is the hostname of the server on which you have installed Deep Security Manager and
[port] is the "Manager Port" you specified in step 8 of the installation (4119 by default).
Users accessing the Web-based management console will be required to sign in with their User Account
credentials. (The credentials created during the installation can be used to log in and create other User
accounts.)
Deep Security Relay Configuration
Deep Security requires at least one Deep Security Relay to be installed and configured.
If you selected to install a co-located Deep Security Relay, use the Deep Security Manager to configure the
Deep Security Relay as described in Configuring the Deep Security Relay (page 116).
Installing the Deep Security Relay
Deep Security Manager requires at least one Deep Security Relay to pull down updates from the Trend Micro
Update Server. Updates are required for all protection functionality except Firewall.
Deep Security Manager gets update information only from the Deep Security Relay. A typical configuration is
for the Deep Security Manager to use a Deep Security Relay co-located on the same computer. If you have
chosen not to install the co-located Deep Security Relay, you should install a Deep Security Relay on another
computer.
This section describes the stand-alone Deep Security Relay installation.
These steps are not required if you have already installed a co-located Deep Security Relay as part of the Deep
Security Manager installation.
Preparation
Note: When using Relay Groups, Deep Security Relays on Linux will not update correctly if they use
Deep Security Relays on Windows as their update source. It is recommended that Deep Security
Relays on Windows and Linux only ever be configured to update from the Trend Micro Global
Update source, or from Relays of the same platform.
/A> <EH<D HG : D>>I .><NKBMR ->E:R (D.-) F:<ABG> FNLM ;> LRG<AKHGBS>= PBMA D>>I .><NKBMR (:G:@>K
(D.() MH PBMABG : I>KBH= H? 24 AHNKL. $? MA> D.- <EH<D BL ;>ABG= MA> D.( <EH<D MA>G :G "A@>GM A<MBO:M>"
HI>K:MBHG PBEE ?:BE ;><:NL> MA> <>KMB?B<:M> @>G>K:M>= ?HK MA> D.- ;R D>>I .><NKBMR (:G:@>K PBEE GHM R>M ;>
O:EB=.
If this condition is encountered an "Agent Activate Failed" event will be recorded in the System
Events: "A client error occurred in the Deep Security Manager to Deep Security Agent protocol:
HTTP client error received: certificate is not yet valid".
Copy the Installer Package
CHIR MA> BGLM:EE:MBHG ?BE> MH MA> M:K@>M F:<ABG>.
Installing Deep Security Relay for Windows
The Deep Security Relay installer installs both Relay Server and Deep Security Agent
functionality on Windows machines.
Remember that you must have administrator privileges to install and run the Deep Security Relay on Windows machines.
1. Double-click the installation file to run the installer package. Click Next to begin the installation.
2. Accept the license agreement and click Next to continue.
3. Select the features you want to install (some features such as Anti-Malware are optional).
   Click Browse to specify the location where you would like Deep Security Relay to be installed. (If you are upgrading, you will not be able to change the installation directory. To install to a different directory, you will have to first uninstall the previous version.)
   Click Reset to reset the feature selection to the default settings.
   Note: Firewall and Intrusion Prevention features may not be deselected. These features form part of the core Deep Security Agent architecture and are always installed, even if Firewall and Intrusion Prevention functions will not be used. Click Disk Usage to see the total space required for the selected features and compare with the available space on your selected destination location.
   Click Next to continue.
4. Click Install to proceed with the installation.
5. Click Finish to complete the installation.
The Deep Security Relay is now installed and running on this computer, and will start every time the machine boots. You will see the Deep Security Notifier icon in your Windows System Tray.
Note: During an install, network interfaces will be suspended for a few seconds before being restored. If you are using DHCP, a new request will be generated, potentially resulting in a new IP address for the restored connection.
Note: Installing the Deep Security Relay over Windows Remote Desktop is NOT recommended because of the temporary loss of connectivity during the install process. However, using the following command line switch when starting Remote Desktop will allow the install program to continue on the server after the connection is lost: On Windows Server 2008 or Windows Vista SP1 and later or Windows XP SP3 and later, use:
mstsc.exe /admin
On earlier versions of Windows, use:
mstsc.exe /console
Installing the Deep Security Relay for Linux
Note: To install the Deep Security Relay on a Linux machine, you need to log on as "root". Alternatively, you can use the "sudo" utility.
To install the Deep Security Relay for Linux:
1. Use "rpm -i" to install the ds_agent package:
# rpm -i Relay-RedHat_ELx_i686-9.0.0-xxx.x86_64.rpm
Preparing... ########################################## [100%]
1:ds_agent ########################################## [100%]
Loading ds_filter_im module version 2.6.x [ OK ]
Starting ds_agent: [ OK ]
Note: Use "rpm -U" to upgrade from a previous install. This approach will preserve your profile settings.
2. The Deep Security Relay starts automatically after installation.
To start, stop and reset the Deep Security Relay on Linux:
Command-line options:
/etc/init.d/ds_agent start - starts the Agent
/etc/init.d/ds_agent status - displays the status of the Agent
/etc/init.d/ds_agent stop - stops the Agent
/etc/init.d/ds_agent reset - resets the Agent
/etc/init.d/ds_agent restart - restarts the Agent
Preparing ESXi for Deep Security Virtual Appliance Deployment
This section describes how to prepare the VMware environment for Agentless protection using the DSVA.
At this point...
• The VMware Environment is already setup as in Preparing a VMware Environment for Agentless Protection.
• Deep Security Manager (and database) is already installed.
• A Deep Security Relay has been installed and configured.
• VMware vShield Endpoint has been deployed on the protected Host ESX.
• The Deep Security Filter Driver and Virtual Appliance software has been downloaded from Trend Micro and imported into the Deep Security Manager.
Add vCenter to the Deep Security Manager's list of Managed Computers.
Deep Security Manager configuration must be performed by using a Deep Security Manager user account with Full Access rights.
1. From the Deep Security Manager Computers screen, click New > Add VMware vCenter...
2. Enter the vCenter Server IP Address (or hostname), Username and Password for the vCenter. Click Next.
   Note: Make sure DNS is configured and able to resolve FQDN to IP Addresses used by all machines in this environment, otherwise enter the IP Address.
3. Enter the vShield Manager Server Address, Username and Password. (You can also configure this information later from the Deep Security Manager). Click Next.
4. Accept the vShield Manager SSL certificate.
5. Accept the vCenter certificate.
6. Review the vCenter information. Click Finish.
7. The VMware vCenter has been successfully added message will be displayed. Click Close.
Note: In a large environment with more than 3000 machines reporting to a vCenter Server, this process may take 20 to 30 minutes to complete. You can check the vCenter's Recent Task section to verify if there are activities running.
Prepare ESXi for Virtual Appliance deployment by Installing the Filter Driver
Note: The ESXi will be placed in maintenance mode for this task. All virtual machines running on this ESXi must be stopped/paused or vMotioned to another ESXi host (make sure a cluster server with vMotion support is set up so that this can be done automatically).
1. From the Deep Security Manager, select Computers > vCenter > Hosts and Clusters
2. Find the ESXi host in the Computers list (its status column should read Unprepared), right-click and select Actions > Prepare ESXi to display the Prepare ESXi Server Wizard. Click Next.
3. Select Yes to allow the Deep Security Manager to automatically bring the ESXi in and out of maintenance mode. Click Finish.
4. The ESXi preparation process will complete all activities with no further input necessary. (The ESXi will be placed in maintenance mode, the Deep Security Filter Driver will be installed, and the ESXi will be restarted).
5. Once the process is complete, you are given the option to continue with the next step, deploying the Deep Security Virtual Appliance. Select No thanks, I will deploy later. Click Close. (The Deep Security Virtual Appliance deployment is described in Deploying the Deep Security Virtual Appliance (page 47)).
6. This completes the ESXi preparation.
Note: You can monitor the preparation process in the VMware vSphere Client management console.
Verification Steps
1. Go back to Computers > vCenter and make sure the status of the ESXi is set to Prepared.
2. In the VMware vSphere client, go to ESXi Server > Configuration > Networking. Check that the vSwitch has been created.
3. SSH into the ESXi Server ("Tech Support Mode" must be enabled on the ESXi) and run the following commands to confirm the VMware and Trend Micro drivers are installed properly:
vmkload_mod -l | grep dvfilter
Note: dvfilter comes with the ESXi installation. dvfilter-dsa is the Trend Micro driver installed to the ESXi when the preparation process has completed.
esxcli software vib list | grep Trend
Check that the correct version and status of dvfilter-dsa is displayed.
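The two checks in verification step 3, scripted as an added example that is not part of the Trend Micro guide: it matches module names exactly, because a bare "grep dvfilter" also prints the stock VMware dvfilter line and so cannot by itself tell a prepared host from an unprepared one. The sample command output, the vendor string, the state names and the column layout of both commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an ESXi host's filter-driver state from the output of
#   vmkload_mod -l               (loaded kernel modules)
#   esxcli software vib list     (installed VIBs)
# The column positions used below are an assumption about those commands' output.

# Constructed sample output, for illustration only (placeholder versions).
SAMPLE_MODS='Name                 Used  Size (kb)
vmkernel             47    12001
dvfilter             2     72
dvfilter-dsa         1     980'
SAMPLE_VIBS='Name          Version     Vendor       Acceptance Level  Install Date
esx-base      5.0.0-xxxx  VMware       VMwareCertified   2013-01-15
dvfilter-dsa  9.0.0-xxxx  Trend_Micro  VMwareAccepted    2013-02-01'

# has_module <module list text> <name>
# Succeeds only on an exact name match in column 1, so "dvfilter" does not
# match "dvfilter-dsa" and the reverse.
has_module() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# trend_vib_version <vib list text>
# Prints the version of the dvfilter-dsa VIB when its vendor column mentions
# Trend; prints nothing otherwise.
trend_vib_version() {
    printf '%s\n' "$1" | awk '$1 == "dvfilter-dsa" && $3 ~ /Trend/ { print $2; exit }'
}

# filter_driver_state <module list text> <vib list text>
# Prints one state word (plus the VIB version when known) and returns 0 only
# when the host looks fully prepared.
filter_driver_state() {
    fds_mods=$1
    fds_vibs=$2
    fds_ver=$(trend_vib_version "$fds_vibs")
    if ! has_module "$fds_mods" dvfilter; then
        echo "no-dvfilter"; return 1            # VMware's own module is missing
    fi
    if [ -z "$fds_ver" ]; then
        echo "vib-missing"; return 1            # Trend Micro VIB not installed
    fi
    if ! has_module "$fds_mods" dvfilter-dsa; then
        echo "vib-installed-not-loaded $fds_ver"; return 1
    fi
    echo "prepared $fds_ver"
}

# On an ESXi shell use the live commands; elsewhere fall back to the sample.
if command -v vmkload_mod >/dev/null 2>&1; then
    filter_driver_state "$(vmkload_mod -l)" "$(esxcli software vib list)"
else
    filter_driver_state "$SAMPLE_MODS" "$SAMPLE_VIBS"
fi
```

A state of "vib-installed-not-loaded" is worth alerting on across a fleet: the Manager-side preparation ran, but the host is not actually filtering.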
Deploying the Deep Security Virtual Appliance
This section describes how to install and activate the DSVA to provide Agentless protection.
At this point...
• The VMware Environment is already setup as in Preparing a VMware Environment for Agentless Protection.
• Deep Security Manager (and database) is already installed.
• A Deep Security Relay has been installed and configured.
• VMware vShield Endpoint has been deployed on the protected Host ESXi, and vCenter has been added to the Deep Security Manager's list of Managed Computers, see Additional Configuration for VMware Integration.
• The protected ESXi host has been prepared for Deep Security Virtual Appliance Deployment.
Note: For a detailed list of required VMware permissions, see Minimum VMware Privileges for DSVA Deployment (page 133).
Deploy Deep Security Appliance (DSVA) to the ESXi
Deep Security Manager configuration must be performed by using a Deep Security Manager user account with Full Access rights.
1. From the Deep Security Manager, select Computers > vCenter.
2. Right-click on the ESXi Host being protected and select Actions > Deploy Appliance. Click Next.
3. Enter an Appliance Name for the Appliance and select a Datastore for the Appliance. Select the Folder for the Datacenter and select the Management Network for the Appliance. Click Next.
4. Define the Appliance Hostname. Enter the IPv4 Address and/or IPv6 Address for the Appliance. (DHCP is enabled by default). Click Next.
5. Select Thick Provisioned format.
6. Click Finish and wait for the DSVA to be uploaded.
7. In the Activate Deep Security Appliance section, select No thanks, I will activate it later. (Activation is described later). Click Close.
The Virtual Appliance is now displayed along with the other computers in the vCenter Group in the Deep Security Manager Computers > vCenter list.
Verification Steps:
1. On vCenter Console, go to the DSVA Console tab. Make a note of the Management Address of the DSVA, and whether it is using eth0 or eth1. Make sure the network adapters are configured correctly and that they are on the correct network pool.
2. Go to the Virtual Machine Properties > Summary tab, and click Edit Settings.
3. Go to the Hardware tab, there are three interfaces available.
   Note: Network Adapter 0 is always the management network. DSVA uses this interface to communicate with Deep Security Manager.
   Network Adapter 1 is used by the DSVA to communicate with the VM Kernel VNIC IP. Check the ESXi Network Configuration to make sure that the vmservice-trend-pg is on the same virtual switch as vmservice-vmknic-pg.
Activate the Deep Security Virtual Appliance
Deep Security Manager configuration must be performed by using a Deep Security Manager user account with Full Access rights.
1. From the Deep Security Manager, select Computers > vCenter
2. Right-click on the DSVA machine and select Actions > Activate Appliance. Click Next.
3. For Policy, select Deep Security Virtual Appliance. Click Next. The activation process is started.
4. The DSVA will register itself with vShield Manager. You will see multiple tasks being executed in vCenter Console.
   Note: The DSVA requires vShield Manager to configure the VMX file of each machine that is on the ESXi. Depending on the number of Virtual Machines, it could take several hours to complete the activation.
   If vShield Manager is experiencing problems, the DSVA may fail to activate. Check if you can open the vShield Manager web console. If it is not responding, you can reboot the vShield Manager and wait for a few minutes after vShield is back on line to attempt DSVA activation again.
5. In Activate Host Virtual Machines, select No thanks, I will activate them later. (This step will be described later) Click Close.
The DSVA is now activated. Go back to Computers > vCenter and make sure the status of DSVA is displayed as Managed (Online).
Activating Guest Virtual Machines
Assign Guest Virtual Machines to the ESXi
1. Move virtual machines to the ESXi Host.
2. Power-on the machines if they are offline.
Activating a Virtual Machine and Applying a Policy
1. From the Deep Security Manager, select Computers > vCenter
2. Right-click on the Virtual Machine and select Actions > Activate
3. Optionally, enable Anti-Malware protection by right-clicking on the Virtual Machine and selecting Actions > Assign Policy and selecting a suitable Policy which has Anti-Malware enabled (the Windows Anti-Malware Protection Policy, for example, which has only Anti-malware protection enabled).
4. Check the status of the Virtual Machine and make sure Anti-Malware status is active.
Verification steps:
If you are activating Anti-Malware protection but Anti-Malware status is displaying Anti-Malware Engine offline, there are a few things you can check:
1. Make sure the VMware tools are up-to-date on the virtual machine
2. Make sure vShield Endpoint Agent is installed and the vsepflt driver is running on the VM:
sc query vsepflt
3. Make sure Deep Security Manager is able to synchronize information with vCenter
4. In the Deep Security Manager's Computers list, make sure that the ESXi status is vShield Endpoint: Installed
5. In the Deep Security Manager's Computers list, make sure that the DSVA status is vShield Endpoint: Registered
6. Make sure the protected computer's Anti-Malware status is On or Real-Time.
Automatically Deploying an Appliance for Stateless ESXi
In addition to the ESXi 5.0 standard system requirements, the following must be installed and configured to auto-deploy an appliance for stateless ESXi:
• VMware Virtual Center (as described in Preparing a VMware Environment for Agentless Protection (page 30))
• TFTP server
• VMware Auto-deploy Plug-in
• If you are using DHCP, the DHCP server must be configured for PXE
• Host profile through vCenter to handle the configuration part of the ESXi once it auto-boots
• vSphere PowerCLI installed on a Windows machine that can reach the vCenter server over the network
• Deep Security Filter Driver and Virtual Appliance
Install TFTP Server
Install a TFTP server, such as WinAgents TFTP server. Create a directory on your Windows server, for example: E:\tftproot and make this your TFTP root directory.
Install VMware Auto-deploy Plug-in
1. Install the vCenter Auto Deploy software. This can be installed on your vCenter server or can run on a separate Windows server and configured to point to your vCenter server. (You will need to provide the IP of the vCenter server and credentials.)
2. Install the Auto Deploy as a plug-in in your vSphere Infrastructure Client. (You will see the Auto Deploy icon on the Home tab.)
3. Add a boot image to your TFTP server root directory as follows:
   1. In the vSphere client, click the Auto Deploy plug-in.
   2. Choose to download the TFTP Boot Zip and extract this ZIP file into your TFTP root directory.
   3. Test your configuration by booting an ESXi host or a VM. Make sure that the ESXi host or VM is using PXE boot. You should see that it is assigned an IP address and it starts loading a TFTP image.
   4. You will see that although a TFTP image was loaded, there was no ESXi image associated with this host.
Configure DHCP Server for PXE.
If you are using DHCP, configure the DHCP server for PXE boot. The specific steps depend on the product you are using for DHCP. You need to open the scope on your DHCP server and add the following options:
066 - Boot server host name: <ip of your TFTP / PXE boot server>
067 - Boot file name: undionly.kpxe.vmw-hardwired
Add the Deep Security Filter Driver to the VIB Image
For the Trend Micro filter driver vib to be automatically deployed as part of the PXE boot image, take a default ESXi image and rebuild it with the Trend Micro filter driver vib as part of a new image and rename the file. For example, if you are using VMware-ESXi-5.0.0-441354-depot.zip, name the file VMware-ESXi-5.0.0-441354-Trend-dvfilter-depot.zip.
Adding the filter driver to the image along with a host profile allows the ESXi to appear as "prepared" to the Deep Security Manager.
The VMware vCenter Server Appliance is available from VMware, which is a preconfigured Linux-based virtual machine with PXE boot functionality already available. Using VMware vCenter Server Appliance requires less setup for auto-deploy than using Windows vCenter Virtual Center. For VMware vCenter Server Appliance installation, see the vSphere Installation and Setup publication.
Install vSphere PowerCLI
1. Download the vSphere 5 PowerCLI and install it on the server on which you will be working with your images.
2. To test if your VMware PowerCLI is working, start the VMware vSphere PowerCLI command prompt and run:
Get-DeployCommand
This will display a list of all the commands you will need to work with Auto Deploy. At this point, all requirements for vSphere Auto Deploy have been installed.
Prepare the First Image
To prepare the first image you will need to provide the following information:
• IP address of the host and the DNS hostname
• MAC address of the host
• Image name (as downloaded from the VMware site), for example, "VMware-ESXi-5.0.0-441354-Trend-dvfilter-depot.zip"
• Image name, after being added to the depot, for example, "ESXi-5.0.0-441354-standard"
• The directory for your SoftwareDepot, which will be used by the Auto Deploy software.
Preparing the Image
1. Create a directory named "Staging".
2. Create a directory called "VIB-downloads" in which you will store the VIBs and images you want to deploy.
3. Deploy the basic VMware ESXi 5.0 image to a new host without any further configuration.
4. Attach the image to the host, based on the MAC address, so that the host appears in your vCenter in the "Staging" folder. Since it has no configuration, it will not appear in a cluster yet.
5. Create a DHCP reservation for the MAC address.
6. In your DHCP scope, create the reservation and use the proper hostname. In DNS, create an A-record for this hostname and IP address and give it a PTR/reverse lookup record.
Add a New Image to the Depot
1. Run the following command to insert the image into the "SoftwareDepot" directory:
Add-EsxSoftwareDepot "E:\VIB-downloads\VMware-ESXi-5.0.0-441354-depot.zip"
2. Run the following command to see what images are present in your depot:
Get-EsxImageProfile
The image is now ready to deploy.
Deploy the First Host
When the host reboots, it will pick up the TFTP image and will ask the vSphere Auto Deploy server for an image.
Note: When creating rules, there are two rule sets: a 'working-set' and an 'active-set'. The 'working-set' serves as a depot of rules, the 'active-set' are the rules that are available to hosts.
Deploying the Host
1. Create a rule to connect the image to the host using the 'New-DeployRule' command:
New-DeployRule -Name "<rule_name>" -Item "<image_name>", "<folder_name>" -Pattern "mac=<mac_address>"
The new rule that has just been created is called "PreStaging". It will ensure that the image called "ESXi-5.0.0-441354-standard" (Get-EsxImageProfile) will be deployed to a host with the specified MAC address and will be placed in the "Staging" folder in vCenter.
For example, the following command creates a rule called "PreStaging" and will ensure that the image called "ESXi-5.0.0-441354-standard" (Get-EsxImageProfile) will be deployed to a host with the MAC address of 00:1a:92:b8:da:77 and will be placed in the "Staging" folder in vCenter:
New-DeployRule -Name "PreStaging" -Item "ESXi-5.0.0-441354-standard", "Staging" -Pattern "mac=00:1a:92:b8:da:77"
2. To see the rule you have created, use the command:
Get-DeployRule
This is a rule in the 'working set'.
3. To make the rule part of the 'active set' use the following command:
Add-DeployRule -DeployRule "PreStaging"
4. To check the rules in the 'active set', run the Get-DeployRuleSet command:
Get-DeployRuleSet
5. Boot your host to install. The host will appear in your vCenter.
Configure the Host Profile
After your host appears in vCenter, configure a host profile, including vSwitches, attach the datastores, and confirm the NTP settings. Because this is a diskless host, set up syslog and the core dump location. (The syslog tool and the Coredump utility can be found in the vCenter tools directory.)
Note: If you configure the host and reboot at this point, all changes will be lost. To preserve the configuration, you must define a host profile.
Note: When working with advanced host configurations, you may want to use the vSphere Enable/Disable Profile Configurations option for troubleshooting.
Your server can now also receive core dumps in case an ESXi host receives an error.
1. Configure your ESXi host to use the Coredump server. To do this, go into the configuration screen of your host, go to the security profile and enable SSH, then log on to the ESXi console using an SSH client and run the following commands:
esxcli system coredump network set --interface-name vmk0 --server-ipv4 192.168.0.40 --server-port 6500
esxcli system coredump network set --enable true
esxcli system coredump network get
The last line indicates if the new settings have been enabled.
2. Log out from the ESXi host and switch back to your vSphere Client.
3. Go to the "Host and Clusters" view in your vSphere client and select the host you have just prepared.
4. Right-click the host and select Create Profile from host.
5. Give the profile a name, for example "Profile-Cluster01".
6. Attach the profile to this host using the Host Profiles section in the vSphere client and check that the profile is compliant.
Auto-deploy the Host with the Host Profile
The first rule created above ensures that the host with a certain MAC address will be connected to the standard image and put in the "Staging" folder:
New-DeployRule -Name "PreStaging" -Item "ESXi-5.0.0-441354-standard", "Staging" -Pattern "mac=00:1a:92:b8:da:77"
Auto-deploying the Host
1. Create a rule to move the host into the production cluster. Use the IP range that you use in the DHCP scope for the ESXi hosts and create a reservation in the DHCP scope for each host and also create a DNS record using the following format:
New-DeployRule -Name "<rule_name>" -Item "<image_name>", "<cluster_name>", "<host_profile>" -Pattern "ipv4=<DHCP-range>"
For example, in the following command:
New-DeployRule -Name "Prod-CL01" -Item "ESXi-5.0.0-441354-standard", "CL01", "Profile-Cluster01" -Pattern "ipv4=192.168.0.100-192.168.0.110"
'Prod-CL01' is the name of the rule, 'CL01' is the name of the cluster, 'Profile-Cluster01' is the name of the host profile and ipv4 is the DHCP range.
2. In the 'working-set' are now two rules ("PreStaging" and "Prod-CL01") and in the 'active-set' the "PreStaging" rule is active. Using the remove command, remove the "PreStaging" rule from the 'active-set' and next we add the "Prod-CL01" to the 'active-set' and double check what we have done:
Remove-DeployRule -DeployRule "PreStaging"
Add-DeployRule -DeployRule "Prod-CL01"
Get-DeployRuleSet
The configuration is now complete. When you reboot your hosts, they will come back and will be added to the CL01 cluster fully participating as a normal host.
Install Deep Security Agents
Manual Install
This section describes how to install and activate Deep Security Agents on each type of supported platform. A full list of supported platforms can be found in System Requirements (page 27).
At this point...
• Deep Security Manager (and database) is already installed.
• A Deep Security Relay has been installed and configured.
Preparation
Note: The clock on a Deep Security Agent (DSA) machine must be synchronized with Deep Security Manager to within a period of 24 hours. If the DSA clock is behind the Deep Security Manager clock then an "Agent Activate" operation will fail because the certificate generated for the DSA by Deep Security Manager will not yet be valid. If this condition is encountered an "Agent Activate Failed" event will be recorded in the System Events: "A client error occurred in the Deep Security Manager to Deep Security Agent protocol: HTTP client error received: certificate is not yet valid". To avoid this problem, all clocks on Deep Security component machines should be synchronized with an internet time service if possible.
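A pre-activation clock check for the "certificate is not yet valid" failure described in the Preparation notes for both the Relay and the Agent, as an added example that is not part of the Trend Micro guide. It assumes the Manager's web console answers with a standard HTTP Date header, reads the 24-hour window as a tolerance in both directions, and uses hypothetical DSM_HOST and DSM_PORT environment variables.

```shell
#!/bin/sh
# Added example: compare this machine's clock with the Deep Security Manager's
# before attempting activation. The date parsing is plain POSIX arithmetic, so
# it does not depend on GNU "date -d".

TOLERANCE=86400   # 24 hours, the window stated in the guide

# http_date_to_epoch "Fri, 01 Feb 2013 12:58:25 GMT" -> seconds since 1970 UTC
http_date_to_epoch() {
    set -- $(printf '%s' "$1" | tr -d '\r')      # split fields, drop a trailing CR
    [ $# -ge 5 ] || return 2
    hd_d=${2#0}; hd_y=$4; hd_t=$5
    case $3 in
        Jan) hd_m=1;;  Feb) hd_m=2;;  Mar) hd_m=3;;  Apr) hd_m=4;;
        May) hd_m=5;;  Jun) hd_m=6;;  Jul) hd_m=7;;  Aug) hd_m=8;;
        Sep) hd_m=9;;  Oct) hd_m=10;; Nov) hd_m=11;; Dec) hd_m=12;;
        *) return 2;;
    esac
    hd_hh=${hd_t%%:*}; hd_t=${hd_t#*:}
    hd_mm=${hd_t%%:*}; hd_ss=${hd_t#*:}
    # Strip one leading zero so "08" is not read as an invalid octal number.
    hd_hh=${hd_hh#0}; hd_mm=${hd_mm#0}; hd_ss=${hd_ss#0}
    # Days since 1970-01-01, counting the year from March so that the leap
    # day falls at the end of the shifted year.
    if [ "$hd_m" -le 2 ]; then
        hd_y=$((hd_y - 1)); hd_mp=$((hd_m + 9))
    else
        hd_mp=$((hd_m - 3))
    fi
    hd_era=$((hd_y / 400)); hd_yoe=$((hd_y - hd_era * 400))
    hd_doy=$(( (153 * hd_mp + 2) / 5 + hd_d - 1 ))
    hd_doe=$(( hd_yoe * 365 + hd_yoe / 4 - hd_yoe / 100 + hd_doy ))
    hd_days=$(( hd_era * 146097 + hd_doe - 719468 ))
    echo $(( hd_days * 86400 + hd_hh * 3600 + hd_mm * 60 + hd_ss ))
}

# manager_epoch_from_headers <HTTP response headers>
# Extracts the Date header (case-insensitive) and converts it to epoch seconds.
manager_epoch_from_headers() {
    me_date=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "date:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    [ -n "$me_date" ] || return 2
    http_date_to_epoch "$me_date"
}

# clock_verdict <manager epoch> <local epoch>
#   ok      within the tolerance
#   behind  local clock more than 24 h behind the Manager: the activation
#           certificate would not yet be valid on this machine
#   ahead   local clock more than 24 h ahead: outside the stated window
clock_verdict() {
    cv_skew=$(( $2 - $1 ))
    if [ "$cv_skew" -lt "-$TOLERANCE" ]; then
        echo behind; return 1
    elif [ "$cv_skew" -gt "$TOLERANCE" ]; then
        echo ahead; return 1
    fi
    echo ok
}

# check_against_manager <host> [port]
# curl must already trust the Manager's certificate (for example via --cacert).
check_against_manager() {
    cm_hdrs=$(curl -sI "https://$1:${2:-4119}/") || return 2
    cm_mgr=$(manager_epoch_from_headers "$cm_hdrs") || return 2
    clock_verdict "$cm_mgr" "$(date +%s)"
}

# DSM_HOST / DSM_PORT are hypothetical variables used only by this example.
if [ -n "${DSM_HOST:-}" ]; then
    check_against_manager "$DSM_HOST" "${DSM_PORT:-4119}"
fi
```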
Copy the Installer Package
Copy the installation file to the target machine.
Note: CentOS uses the Red Hat 5 RPM and will appear as "Red Hat" in the Deep Security Manager. To use the Deep Security Agent on CentOS, follow the instructions for installing the Linux Agent.
Installing the Deep Security Agent for Windows
Note: Remember that you must have administrator privileges to install and run the Deep Security Agent on Windows machines.
1. Double-click the installation file to run the installer package. Click Next to begin the installation.
2. Read the license agreement and click Next.
3. Select the features you want to install and click Browse to specify the location where you would like Deep Security Agent to be installed. (If you are upgrading, you will not be able to change the installation directory. To install to a different directory, you will have to first uninstall the previous version.) Click Reset to reset the feature selection to the default settings.
   Note: Firewall and Intrusion Prevention features may not be deselected. These features form part of the core Deep Security Agent architecture and are always installed, even if Firewall and Intrusion Prevention functions will not be used.
   Click Disk Usage to see the total space required for the selected features and compare with the available space on your selected destination location.
   Click Next.
4. Click Install to proceed with the installation.
5. Click Finish to complete the installation.
The Deep Security Agent is now installed and running on this computer, and will start every time the machine boots.
Note: During an install, network interfaces will be suspended for a few seconds before being restored. If you are using DHCP, a new request will be generated, potentially resulting in a new IP address for the restored connection.
Note: Installing the Deep Security Agent over Windows Remote Desktop is NOT recommended because of the temporary loss of connectivity during the install process. However, using the following command line switch when starting Remote Desktop will allow the install program to continue on the server after the connection is lost: On Windows Server 2008 or Windows Vista SP1 and later or Windows XP SP3 and later, use:
mstsc.exe /admin
On earlier versions of Windows, use:
mstsc.exe /console
Installing the Deep Security Agent for Linux
Note: Starting the Deep Security Agent's ds_filter service will disable iptables.
Note: For SuSE 11, on the target machine before beginning the installation procedure:
in:
/etc/init.d/jexec
after
# Required-Start: $local_fs
add the line:
# Required-Stop:
To install the Deep Security Agent on Red Hat or SuSE
Note: The following instructions apply to both Red Hat and SuSE. To install on SuSE, substitute the SuSE RPM name in place of Red Hat.
Note: You must be logged on as "root" to install the Agent. Alternatively, you can use "sudo".
1. Use "rpm -i" to install the ds_agent package:
# rpm -i Agent-RedHat_ELx_ 9.0.0-xxxx.x.rpm
Preparing... ########################################## [100%]
1:ds_agent ########################################## [100%]
Loading ds_filter_im module version ELx.x [ OK ]
Starting ds_agent: [ OK ]
(Use "rpm -U" to upgrade from a previous install. This approach will preserve your profile settings)
2. The Deep Security Agent will start automatically upon installation.
To install the Deep Security Agent on Ubuntu:
To install on Ubuntu, use the following command:
sudo dpkg -i <driver_deb_pkg>
where <driver_deb_pkg> is the Debian package with the driver that was built and placed in the <DS>/src/dsa/agent/deb/ directory.
To start, stop and reset the Agent on Linux:
Command-line options:
To start the Agent:
/etc/init.d/ds_agent start
To stop the Agent:
/etc/init.d/ds_agent stop
/etc/init.d/ds_filter stop
To reset the Agent:
/etc/init.d/ds_agent reset
To restart the Agent:
/etc/init.d/ds_agent restart
Installing the Deep Security Agent for Solaris
Requirements:
For Solaris Sparc/9:
• libiconv 1.11 or better
• pfil_Solaris_x.pkg
• Agent-Solaris_5.x_sparc-9.x.x-yyy.sparc.pkg.gz
For Solaris Sparc/10:
• SUNWgccruntime, GCC Runtime libraries
• pfil_Solaris_10sparc.pkg (see note below)
• Agent-Solaris_5.10_U7-9.0.0-xxx.x86_64.pkg.gz
• Agent-Solaris_5.10_U5-9.0.0-xxx.x86_64.pkg.gz
For Solaris X86/11:
• SUNWgccruntime, GCC Runtime libraries
• pfil_Solaris_10x86.pkg (see note below)
• Agent-Solaris_5.11-9.0.0-xxx.i386.p5p.gz
Note: All Solaris versions up to and including Solaris 10 Update 3 require pfil to be installed.
To install the Solaris 10 Agent:
Note: For Solaris 10 Update 4 and above, you only need to perform steps 5 and 6.
1. Acquire all of the required packages (see above)
2. Prepare to remove the Sun version of ipfilter and pfil
   a. Note the version numbers and other information
      modinfo | grep pfil
      modinfo | grep ipf
      pkginfo -l SUNWipfr
      pkginfo -l SUNWipfu
   b. To check the status
      svcs -x ipfilter
      svcs -x pfil
   c. If either of these commands gives errors, then the problem should be corrected before proceeding further. Also check that Sun's version of pfil loads correctly.
      ifconfig ce0 modlist (use your network interface)
      And see if pfil is in the list between "ip" and your network interface. If it isn't, then check that your interface type is uncommented in /etc/ipf/pfil.ap, reboot and try again. Don't proceed further until you are convinced that Sun's version of ipfilter/pfil is working correctly.
   d. Export current ipfilter and pfil service configurations
      svccfg export network/pfil > /var/tmp/pfil.svc
      svccfg export network/ipfilter > /var/tmp/ipfilter.svc
   e. Disable the two services
      svcadm -v disable pfil
      svcadm -v disable ipfilter
   f. Reboot the system
3. Remove the Sun version of ipfilter and pfil
   a. Check that the kernel modules are not loaded after reboot
      modinfo | grep ipf
      modinfo | grep pfil
   b. Save copies of some of the Sun pfil files before removing the Sun packages. Removing the Sun packages will remove these files and you will need them to launch the public domain version of pfil.
      cp /lib/svc/method/pfil /lib/svc/method/pfil.dist
      cp /usr/sbin/pfild /usr/sbin/pfild.dist
      cp /etc/ipf/pfil.ap /etc/ipf/pfil.ap.dist
   c. Remove the Sun IPFilter packages
      pkgrm SUNWipfu
      pkgrm SUNWipfr
   d. Reboot the system
4. Install pfil
   a. Restore the pfil service configuration file
      cp /lib/svc/method/pfil.dist /lib/svc/method/pfil
   b. Install pfil
      pkgadd -d pfil_Solaris_10xxxx.pkg all
   c. After installation, remove the Solaris 9 startup scripts as they are not needed, pfil will be using "svcadm"
      rm /etc/rc2.d/S10pfil
      rm /etc/rcS.d/S10pfil
      rm /etc/init.d/pfil
   d. Restore the pfil configuration file. NOTE: the config files for the public domain pfil are in /etc/opt/ipf, while Sun's config files are in /etc/ipf. Because the service config files saved in step 4.d still refer to Sun's config file path, you should use /etc/ipf for consistency with Solaris 10.
      cp /etc/ipf/pfil.ap.dist /etc/ipf/pfil.ap
   e. Configure pfil network device
      vi /etc/ipf/pfil.ap (uncomment appropriate device(s))
   f. Enable the pfil service
      svcadm -v enable pfil
      If you receive an error on this command, then the service configuration file for pfil was removed and needs to be revived from the exported copy in step 4.d
      svccfg -v import /var/tmp/pfil.svc
      svcadm -v enable pfil
   g. Reboot the system
   h. Verify the pfil service started
      modinfo | grep pfil
      This should show the public domain version of pfil
      (pfil Stream module 2.1.11)
      (pfil Streams driver 2.1.11)
      Also check that pfil is loaded into the tcp/ip stack correctly
      ifconfig ce0 modlist (use your network interface)
      If it isn't, then check that your interface type is uncommented in the pfil configuration file /etc/ipf/pfil.ap, reboot and try again
5. Make sure SUNWgccruntime is installed. If it isn't, locate the package and install it:
   pkgadd -d . SUNWgccruntime
6. Install the Agent:
   gunzip Agent-Solaris_5.10_U7-9.0.0-xxx.x86_64.pkg.gz
   pkgadd -d Agent-Solaris_5.10_U7-9.0.0-xxx.x86_64.pkg all
To install the Solaris Sparc 9 Agent:
1. Acquire all of the required packages (see above)
2. Install libiconv-1.8-solx-sparc.gz:
gunzip libiconv-1.8-solx-sparc.gz
pkgadd -d libiconv-1.8-solx-sparc all
3. Install libgcc-3.4.6-solx-sparc.gz:
gunzip libgcc-3.4.6-solx-sparc.gz
pkgadd -d libgcc-3.4.6-solx-sparc all
4. Install pfil:
pkgadd -d pfil_Solaris_x.pkg all
5. Push the pfil stream module into the network interface:
ifconfig <interface> modinsert pfil@2
pfil should go right after ip in the network interface stream. To determine where ip is,
perform: ifconfig <interface> modlist and ensure that the number used on the modinsert
is one higher than the number of ip in the modlist.
pfil must be added to the network stack for each of the interfaces the Agent will be protecting.
touch /etc/ipf.conf
/etc/init.d/pfil start
(For more information, see "Notes on Installing PFIL on a Solaris (8 and 9 Sparc) Host", below.)
6. Install the Agent:
gunzip Agent-Solaris_5.x_sparc-9.x.x-xxxx.sparc.pkg.gz
pkgadd -d Agent-Solaris_5.x_sparc-9.x.x-xxxx.sparc.pkg all
To start, stop and reset the Agent on Solaris 10:
• svcadm enable ds_agent - starts the Agent
• svcadm disable ds_agent - stops the Agent
• /opt/ds_agent/dsa_control -r - resets the Agent
• svcadm restart ds_agent - restarts the Agent
• svcs -a | grep ds - displays Agent status
To start, stop and reset the Agent on Solaris 9:
• /etc/init.d/ds_agent start - starts the Agent
• /etc/init.d/ds_agent stop - stops the Agent
• /etc/init.d/ds_agent reset - resets the Agent
• /etc/init.d/ds_agent restart - restarts the Agent
Note that the filtering activity log files are in /var/log/ds_agent
When you have completed the installation, use the Deep Security Manager to configure protection on the computer by following the steps in Protecting a Server (page 106) to:
• Add Computers to the Deep Security Manager
• Enable protection on computers
Notes on Installing PFIL on a Solaris (8 and 9 Sparc) Host
The Solaris Agent uses the PFIL IP filter component developed by Darren Reed. Deep Security currently supports version 2.1.11. We have built this source code and provided a package on the Trend Micro Download Center, http://downloadcenter.trendmicro.com.
Further information can be found at: http://coombs.anu.edu.au/~avalon. (For a copy of the PFIL source code, contact your support provider.)
Notes on pfil
(The following assumes your interface is hme)
If you do "ifconfig hme0 modlist", you will see a list of STREAMS modules pushed onto the interface like this (for hme0):
0 arp
1 ip
2 hme
You need to insert pfil between ip and hme:
ifconfig hme0 modinsert pfil@2
Checking the list, you should see:
0 arp
1 ip
2 pfil
3 hme
To configure the pfil Streams module to be automatically pushed when the device is opened:
autopush -f /etc/opt/pfil/iu.ap
At this point,
strconf < /dev/hme
should return:
pfil
hme
Also, modinfo should show:
# modinfo | grep pfil
110 102d392c 6383 24 1 pfil (pfil Streams module 2.1.11)
110 102d392c 6383 216 1 pfil (pfil Streams driver 2.1.11)
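A check for the stream order described in these notes, as an added example that is not part of the original guide or of Trend Micro's tooling: it parses captured `ifconfig <interface> modlist` output, derives the `modinsert` argument from the position of ip, and flags interfaces where pfil is missing or misplaced (an interface without pfil in its stream is not one the Agent is filtering). The two hme0 listings are the ones shown above; the qfe0 listing and all function names are constructed for illustration.

```python
import re

# Each line of `ifconfig <interface> modlist` is "<position> <module name>".
MODLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

# The two hme0 listings are the ones shown in the notes above.
HME0_BEFORE = """\
0 arp
1 ip
2 hme
"""
HME0_AFTER = """\
0 arp
1 ip
2 pfil
3 hme
"""
# Constructed sample: pfil was inserted at the wrong position on qfe0.
QFE0_MISPLACED = """\
0 arp
1 pfil
2 ip
3 qfe
"""


def parse_modlist(output):
    """Return [(position, module), ...] sorted by position; other lines are skipped."""
    entries = []
    for line in output.splitlines():
        match = MODLIST_LINE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return sorted(entries)


def position_of(entries, module):
    """Return the stream position of a module, or None if it is not pushed."""
    for position, name in entries:
        if name == module:
            return position
    return None


def modinsert_argument(entries):
    """Return the 'pfil@N' argument: N is one higher than the position of ip."""
    ip_at = position_of(entries, "ip")
    if ip_at is None:
        raise ValueError("ip is not in the stream; check that the interface is plumbed")
    return "pfil@%d" % (ip_at + 1)


def pfil_state(entries):
    """Classify a stream as 'ok', 'missing' or 'misplaced'."""
    pfil_at = position_of(entries, "pfil")
    if pfil_at is None:
        return "missing"
    ip_at = position_of(entries, "ip")
    driver_at = entries[-1][0]  # the device driver is the last entry in the list
    # pfil must sit directly after ip and above the device driver.
    if ip_at is not None and pfil_at == ip_at + 1 and pfil_at < driver_at:
        return "ok"
    return "misplaced"


def audit(listings):
    """Map interface name -> (state, suggested command or None)."""
    report = {}
    for interface, output in sorted(listings.items()):
        entries = parse_modlist(output)
        state = pfil_state(entries)
        fix = None
        if state == "missing":
            fix = "ifconfig %s modinsert %s" % (interface, modinsert_argument(entries))
        report[interface] = (state, fix)
    return report


if __name__ == "__main__":
    captured = {"hme0": HME0_BEFORE, "qfe0": QFE0_MISPLACED}
    for name, (state, fix) in audit(captured).items():
        print(name, state, fix or "")
```
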
Installing the Deep Security Agent for AIX
1. Log in as Root
2. Copy the package to a temporary folder ("/tmp")
3. Unzip the package using gunzip:
/tmp> gunzip Agent-AIX_5.3-7.x.x-x.powerpc.bff.gz
4. Install the Agent:
/tmp> installp -a -d /tmp ds_agent
Installing the Deep Security Agent for HP-UX:
1. Log in as Root
2. Copy the package to a temporary folder ("/tmp")
3. Unzip the package using gunzip:
/tmp> gunzip Agent-HPUX_11.23_ia64-7.x.x-x.ia64.depot.gz
4. Install the Agent: (Note that the package is referenced using the full path. Relative paths will not be accepted.)
/tmp> swinstall -s /tmp/Agent-HPUX_11.23_ia64-7.x.x-x.ia64.depot ds_agent
To start and stop the Agent on HP-UX, enter one of the following:
• /sbin/init.d/ds_agent start
• /sbin/init.d/ds_agent stop
Deployment Scripts
Adding a computer to your list of protected resources in Deep Security and implementing protection is a multi-step process. Almost all of these steps can be performed from the command line on the computer and can therefore be scripted. The Deep Security Manager contains a deployment script writing assistant which can be accessed from the Manager's Help menu.
To generate a deployment script:
1. Start the Deployment Script generator by selecting Deployment Scripts from the Deep Security Manager's Help menu (at the top right of the Deep Security Manager window).
2. Select whether you are deploying an Agent or a Relay.
3. Select the platform to which you are deploying the software. (Platforms listed in the drop-down menu will correspond to the software that you have imported into the Deep Security Manager from the Trend Micro Download Center. For information on importing Deep Security Software, see Administration > System Settings > Software Updates in the online help or Administrator's Guide.)
4. Select Activate the Agent Automatically. (Agents must be activated by the Deep Security Manager before a protection Policy can be implemented.)
5. Select the Policy you wish to implement on the computer (optional)
6. Select the computer Group (optional)
7. Select the Relay Group (optional)
As you make the above selections, the Deployment Script Generator will generate a script which you can import into your deployment tool of choice.
The deployment scripts generated by Deep Security Manager for Windows Agent deployments
require Windows Powershell version 2.0 or later.
Optionally on Windows computers, if you do not intend to enable Anti-Malware protection, you
may want to prevent the installation of the Anti-Malware engine entirely. To do so, delete the
string "ADDLOCAL=ALL" from the Windows deployment scripts.
Installing the Deep Security Notifier
The Deep Security Notifier is a utility for physical or virtual Windows machines which provides local notification when malware is detected or malicious URLs are blocked. The Deep Security Notifier is automatically installed as part of the Deep Security Agent or Relay installation on Windows machines. The stand-alone installation described here is intended for use on Agentless Windows machines being protected by the Deep Security Virtual Appliance.
Copy the Installation Package
Copy the installation file to the target machine.
Installing the Deep Security Notifier for Windows
Remember that you must have administrator privileges to install and run the Deep Security
Notifier on Windows machines.
1. Double-click the installation file to run the installer package. Click Next to begin the installation
2. Read the license agreement and click Next.
3. Click Install to proceed with the installation.
4. Click Finish to complete the installation.
The Deep Security Notifier is now installed and running on this computer, and the Notifier icon appears in the Windows System Tray. The Notifier will automatically provide pop-up notifications when malware is detected or a URL has been blocked. (You can manually disable notifications by double-clicking the tray icon to open the Notifier status and configuration window).
On VMs protected by a Virtual Appliance, the Anti-Malware module must be licensed and
enabled on the VM for the Deep Security Notifier to display information.
Enable Multi-Tenancy
To enable Multi-Tenancy:
1. In the Deep Security Manager, go to Administration > System Settings > Advanced and click Enable Multi-Tenancy in the Multi-Tenant Options area to display the Multi-Tenant Configuration wizard.
2. Enter the Activation Code and click Next.
3. Choose a license mode to implement:
   ◦ Inherit Licensing from Primary Tenant: Gives all Tenants the same licenses as the Primary Tenant.
   ◦ Per Tenant Licensing: In this mode, Tenants themselves enter a license when they sign in for the first time.
4. Click Next to finish enabling Multi-Tenancy in your Deep Security Manager.
Managing Tenants
Once Multi-Tenant mode is enabled, Tenants can be managed from the Tenants page that now appears in the Administration section.
Creating Tenants
To create a new Tenant:
1. Go to the Administration > Tenants page and click New to display the New Tenant wizard.
2. Enter a Tenant Account Name. The account name can be any name except "Primary" which is reserved for the Primary Tenant.
3. Enter an Email Address. The email address is required in order to have a contact point per Tenant. It is also used for two of the three different user account generation methods in the next step.
4. Select the Locale. The Locale determines the language of the Deep Security Manager user interface for that Tenant.
5. Time Zone. All Tenant-related Events will be shown to the Tenant Users in the time zone of the Tenant account. Click Next.
6. Enter a username for the first User of the new Tenant account.
7. Select one of the three password options:
   ◦ No Email: The Tenancy's first User's username and password are defined here and no emails are sent.
   ◦ Email Confirmation Link: You set the Tenancy's first User's password. However the account is not active until the User clicks a confirmation link he will receive by email.
   ◦ Email Generated Password: This allows the Tenant creator to generate a Tenant without specifying the password. This is most applicable when manually creating accounts for users where the creator does not need access.
All three options are available via the REST API. The confirmation option provides a
suitable method for developing public registration. A CAPTCHA is recommended to
ensure that the Tenant creator is a human not an automated "bot". The email
confirmation ensures that the email provided belongs to the user before they can access
the account.
8. Click Next to finish with the wizard and create the Tenant. (It may take from 30 seconds to 2 minutes to create the new Tenant database and populate it with data and sample Policies.)
Examples of messages sent to Tenants
Email Confirmation Link: Account Confirmation Request
Welcome to Deep Security! To begin using your account, click the following
confirmation URL. You can then access the console using your chosen
password.
Account Name: AnyCo
Username: admin
Click the following URL to activate your account:
https://managername:4119/SignIn.screen?confirmation=1A16EC7A-D84F-D451-05F6-706095B6F646&tenantAccount=AnyCo&username=admin
Email Generated Password: Account and Username Notification
Welcome to Deep Security! A new account has been created for you. Your
password will be generated and provided in a separate email.
Account Name: AnyCo
Username: admin
You can access the Deep Security management console using the following
URL:
https://managername:4119/SignIn.screen?tenantAccount=AnyCo&username=admin
Email Generated Password: Password Notification
This is the automatically generated password for your Deep Security
account. Your Account Name, Username, and a link to access the Deep
Security management console will follow in a separate email.
Password: z3IgRUQ0jaFi
Managing Tenants
The Tenants page (Administration > Tenants) displays the list of all Tenants. A Tenant can be in any of the following States:
• Created: In the progress of being created but not yet active
• Confirmation Required: Created, but the activation link in the confirmation email sent to the Tenant User has not yet been clicked. (You can manually override this state.)
• Active: Fully online and managed
• Suspended: No longer accepting sign ins.
• Pending Deletion: Tenants can be deleted, however the process is not immediate. The Tenant can be in the pending deletion state for up to seven days before the database is removed.
• Database Upgrade Failure: For Tenants that failed the upgrade path. The Database Upgrade button can be used to resolve this situation
Tenant Properties
Double-click on a Tenant to view the Tenant's Properties window.
General
The Locale, Time zone and State of the Tenant can be altered. Be aware that changing the time zone and locale does not affect existing Tenant Users. It will only affect new Users in that Tenancy and Events and other parts of the UI that are not User-specific.
The Database Name indicates the name of the database used by this Tenancy. The server the database is running on can be accessed via the hyperlink.
Modules
The Modules tab provides options for protection module visibility. By default all unlicensed modules are hidden. You can change this by deselecting Always Hide Unlicensed Modules. Alternatively, selected modules can be shown on a per-Tenant basis.
If you select Inherit License from Primary Tenant, all features that you as the Primary Tenant are licensed for will be visible to all Tenants. The selected visibility can be used to tune which modules are visible for which Tenants.
If using the "Per Tenant" licensing by default only the licensed modules for each Tenant will be visible.
If you are evaluating Deep Security in a test environment and want to see what a full Multi-Tenancy installation looks like, you can enable Multi-Tenancy Demo Mode.
When in Demo Mode, the Manager populates its database with simulated Tenants, computers, Events, Alerts, and other data. Initially, seven days worth of data is generated but new data is generated on an ongoing basis to keep the Manager's Dashboard, Reports and Events pages populated with data.
Demo Mode is not intended to be used in a production environment!
Statistics
The statistics tab shows information for the current Tenant including database size, jobs processed, logins, security events and system events. The small graphs show the last 24 hours of activity.
Agent Activation
The Agent Activation tab displays a command-line instruction that can be run from the Agent install directory of this Tenant's computers which will activate the agent on the computer so that the Tenant can assign Policies and perform other configuration procedures from the Deep Security Manager.
Primary Contact
Deep Security Relays
Each Deep Security Manager must have access to at least one Deep Security Relay, and this includes the Tenants in a Multi-Tenancy Deep Security installation. By default, the Relays in the primary Tenant's "Default Relay Group" are available to the other Tenants. The setting is found in the primary Tenant's Deep Security Manager in the Administration > System Settings > Tenants > Multi-Tenant Options area. If this option is disabled, Tenants will have to install and manage their own Deep Security Relays.
The Tenant Account User's View of Deep Security
The Tenant "User experience"
When Multi-tenancy is enabled, the sign-in page has an additional Account Name text field:
Tenants are required to enter their account name in addition to their username and password. The account name allows Tenants to have overlapping usernames. (For example, if multiple Tenants synchronize with the same Active Directory server).
When you (as the Primary Tenant) log in, leave the Account name blank or use "Primary".
When Tenants log in, they have a very similar environment to a fresh install of Deep Security Manager. Some features in the UI are not available to Tenant Users. The following areas are hidden for Tenants:
• Manager Nodes Widget
• Multi-Tenant Widgets
• Administration > System Information
• Administration > Licenses (If Inherit option selected)
• Administration > Manager Nodes
• Administration > Tenants
• Administration > System Settings:
   ◦ Tenant Tab
   ◦ Security Tab > Sign In Message
   ◦ Updates Tab > Setting for Allowing Tenants to use Relays from the Primary Tenant
   ◦ Advanced Tab > Load Balancers
   ◦ Advanced Tab > Pluggable Section
• Some of the help content not applicable to Tenants
• Some reports not applicable to Tenants
• Other features based on the Multi-Tenant Options (discussed later)
• Some Alert Types will also be hidden from Tenants:
   ◦ Heartbeat Server Failed
   ◦ Low Disk Space
   ◦ Manager Offline
   ◦ Manager Time Out Of Sync
   ◦ Newer Version of Deep Security Manager available
   ◦ Number of Computers Exceeds Database Limit
   ◦ And when inherited licensing is enabled any of the license-related alerts
It is also important to note that Tenants cannot see any of the Multi-Tenant features of the primary Tenant or any data from any other Tenant. In addition, certain APIs are restricted since they are only usable with Primary Tenant rights (such as creating other Tenants).
For more information on what is and is not available to Tenant Users, see the online help for the Administration > System Settings > Tenants page in the Deep Security Manager.
All Tenants have the ability to use Role-Based Access Control with multiple user accounts to further sub-divide access. Additionally they can use Active Directory integration for users to delegate the authentication to the domain. The Tenant Account Name is still required for any Tenant authentications.
Agent-Initiated Activation
Agent-initiated activation is enabled by default for all Tenants.
Unlike Agent-initiated activation for the Primary Tenant, a password and Tenant ID are required to invoke the activation for Tenant Users.
Tenants can see the arguments required for agent-initiated activation by clicking the View Imported Software button on the Administration > Updates > Software Updates tab, right-clicking an Agent install package, and selecting Generate Deployment Scripts from the context menu:
As an example, the script for Agent-Initiated Activation on a Windows machine might look as follows:
dsa_control -a dsm://manageraddress:4120/ "tenantID:7156CF5A-D130-29F4-5FE1-8AFD12E0EC02" "tenantPassword:98785384-3966-B729-1418-3E2A7197D0D5"
Tenant Diagnostics
Tenants are not able to access manager diagnostic packages due to the sensitivity of the data contained within the packages. Tenants can still generate agent diagnostics by opening the Computer Editor and choosing Agent Diagnostics on the Actions tab of the Overview page.
Usage Monitoring
Deep Security Manager records data about Tenant usage. This information is displayed in the Tenant Protection Activity widget on the Dashboard, the Tenant Properties window's Statistics tab, and the Chargeback report. This information can also be accessed through the Status Monitoring REST API which can be enabled or disabled by going to Administration > System Settings > Advanced > Status Monitoring API.
This chargeback (or viewback) information can be customized to determine what attributes are included in the record. This configuration is designed to accommodate various charging models that may be required in service provider environments. For enterprises this may be useful to determine the usage by each business unit.
Multi-Tenant Dashboard/Reporting
When Multi-Tenancy is enabled, Primary Tenant Users have access to additional Dashboard widgets for monitoring Tenant activity:
Some examples of Tenant-related widgets:
The same information is available on the Administration > Tenants page (some in optional columns) and on the Statistics tab of a Tenant's Properties window.
This information provides the ability to monitor the usage of the overall system and look for indicators of abnormal activity. For instance if a single Tenant experiences a spike in Security Event Activity they may be under attack.
More information is available in the Chargeback report (in the Events & Reports section). This report details protection hours, the current database sizes, and the number of computers (activated and non-activated) for each Tenant.
Multi-Tenancy (Advanced)
APIs
Deep Security Manager includes a number of REST APIs for:
1. Enabling Multi-Tenancy
2. Managing Tenants
3. Accessing Monitoring Data
4. Accessing Chargeback (Protection Activity) Data
5. Managing Secondary Database Servers
In addition the legacy SOAP API includes a new authenticate method that accepts the Tenant Account Name as a third parameter.
For additional information on the REST APIs please see the REST API documentation.
Upgrade
Upgrade is unchanged from previous versions. The installer is executed and detects an existing installation. It will offer an upgrade option. If upgrade is selected the installer first informs other nodes to shut down and then begins the process of upgrading.
The primary Tenant is upgraded first, followed by the Tenants in parallel (five at a time). Once the installer finishes, the same installer package should be executed on the rest of the Manager nodes.
In the event of a problem during the upgrade of a Tenant, the Tenant's State (on the Administration > Tenants page) will appear as Database Upgrade Required (offline). The Tenants interface can be used to force the upgrade process. If forcing the upgrade does not work please contact support.
Supporting Tenants
In certain cases a Primary Tenant may be required to gain access to a Tenant's user interface. The Tenants list and Tenant properties pages provide an option to "Authenticate As" a given Tenant, granting them immediate read-only access.
Users are logged in as a special account on the Tenant using the prefix "support_". For example if Primary Tenant user jdoe logs on as a Tenant an account is created called "support_jdoe" with the "Full Access" role. The user is deleted when the support user times out or signs out of the account.
The Tenant can see this user account created, sign in, sign out and deleted along with any other actions in the System events.
Users in the primary Tenant also have additional diagnostic tools available to them:
1. The Administration > System Information page contains additional information about Tenant memory usage and the state of threads. This may be used directly or helpful to Trend Micro support.
2. The server0.log on the disk of the Manager nodes contains additional information on the name of the Tenant (and the user if applicable) that caused the log. This can be helpful in determining the source of issues.
In some cases Tenants will require custom adjustments not available in the GUI. This usually comes at the request of Trend Micro support. The command line utility to alter these settings accepts the argument:
-Tenantname "account name"
to direct the setting change or other command line action at a specific Tenant. If omitted the action is on the primary Tenant.
Load Balancers
By default, multi-node Manager provides the address of all Manager nodes to all agents and virtual appliances. The agents and virtual appliances use the list of addresses to randomly select a node to contact and continue to try the rest of the list until no nodes can be reached (or are all busy). If it can't reach any nodes it waits until the next heartbeat and tries again. This works very well in environments where the number of Manager nodes is fixed and avoids having to configure a load balancer in front of the Manager nodes for availability and scalability.
In Multi-Tenant environments it may be desirable to add and remove Manager nodes on demand (perhaps using auto-scaling features of cloud environments). In this case adding and removing Managers would cause an update of every agent and virtual appliance in the environment. To avoid this update the load balancer setting can be used.
Load balancers can be configured to use different ports for the different types of traffic, or if the load balancer supports port re-direction it can be used to expose all of the required protocols over port 443 using three load balancers:
In all cases the load balancer should be configured as TCP load balancer (not SSL Terminating) with sticky-sessions. This ensures a given communication exchange will occur directly between Agent/Virtual Appliance and the Manager from start to finish. The next connection may balance to a different node.
Technical Details
Each Tenant database has an overhead of around 100MB of disk space (due to the initial rules, policies and events that populate the system).
Tenant creation takes between 30 seconds and four minutes due to the creation of the schema and the population of the initial data. This ensures each new Tenant has the most up to date configuration and removes the burden of managing database templates (especially between multiple database servers).
Configure vCloud for Integration with Deep Security
VMware vCloud integration allows Tenants in a Multi-Tenancy installation to import vCloud Organizations as Cloud Accounts and apply agentless Deep Security protection to them. The primary Tenant adds the vCenter hosting the VMs to their Deep Security Manager and then deploys and manages the Deep Security Virtual Appliance.
To enable vCloud integration, you must assign a minimum set of rights to the user accounts Tenants will use to import their vCloud "Cloud Accounts" and you must configure the vCenter database to assign unique UUIDs to new virtual machines.
Assigning Minimum vCloud Rights to Cloud Account Tenant Users
The User accounts you create in vCloud director that the Deep Security Tenants will use to add their Cloud Accounts to their Deep Security Manager must have a minimum set of rights.
To set the minimum rights for a user:
1. Log in to vCloud Director and go to the Administration tab.
2. Go to Administration > System Administrators and Roles > Users.
3. Right-click on the User whose permissions you are going to modify and select Properties.
4. In the User Properties window, take note of the User's Role (for example, "System Administrator").
5. Close the User Properties window.
6. Back on the Administration tab, go to Administration > System Administrators and Roles > Roles.
7. Right-click on the User's Role you noted previously and select Properties.
8. In the Role Properties window, make sure the following Rights are enabled:
Configuring the vCenter Database to Assign Unique UUIDs to New Virtual Machines
Deep Security requires that all protected virtual machines have unique UUIDs. Virtual Machines created from a vApp template can be assigned duplicate UUIDs which can cause problems. However, you can configure your database to assign unique UUIDs to these VMs created from a template.
The following information is taken from a VMware Knowledge Base article, "BIOS UUID duplication in virtual machines created from a vApp template breaks some third-party solutions".
To configure the database to assign unique UUIDs to new virtual machines that are created from a template, you must set the CONFIG table of the database, with the parameter backend.cloneBiosUuidOnVmCopy, to 0.
To set this parameter in Oracle, launch Oracle Enterprise Manager and run the following commands:
set feedback on echo on
set linesize 120
update "VCLOUD"."CONFIG" set VALUE = '0' where NAME='backend.cloneBiosUuidOnVmCopy';
commit;
select * from "VCLOUD"."CONFIG" where VALUE = '0' and NAME='backend.cloneBiosUuidOnVmCopy';
To set this parameter in Microsoft SQL Server, launch SQL Management Studio and run the following commands:
USE vcloud
GO
-- open an explicit transaction so that the commit below has one to close
begin transaction;
update CONFIG set value = '0' where name='backend.cloneBiosUuidOnVmCopy';
commit;
select * from config where value = '0' and name='backend.cloneBiosUuidOnVmCopy';
When the parameter has been set, restart all cells in vCloud Director.
This change does not affect previously existing virtual machines.
Enabling the OVF Environment Transport for VMware Tools on your guest VMs
Enabling the OVF Environment Transport for VMware Tools on your guest VMs will expose the guestInfo.ovfEnv environment variable making it easier for Agents to uniquely identify their VMs to the Deep Security Manager. This will reduce the risk of VM misidentification.
To enable the OVF Environment Transport for VMware Tools on a guest VM:
1. In vCloud Director, open the VM's Properties screen, go to the Guest OS Customization tab and select the Enable guest customization checkbox. Click OK.
2. In vCenter, select the same VM, open its Properties screen, go to the Options tab.
3. Click vApp Options and select the Enabled radio button. OVF Settings will now be exposed.
4. In OVF Settings, select the VMware Tools checkbox in the OVF Environment Transport area. Click OK.
If your VM is running, it must be restarted for the changes to take effect.
The data used by Deep Security are taken from the following properties: vmware.guestinfo.ovfenv.vcenterid and vmware.guestinfo.ovfenv.vcloud.computername.
Configure Amazon EC2 Resources for Integration with Deep Security
Before Amazon EC2 resources can be added to a Deep Security Manager as a "Cloud Account", you must generate an Amazon Access Key and a Secret Key for those resources that a Deep Security User will use when importing the resources to the Deep Security Manager. You must then assign minimum permissions to the User account.
To create an Access Key and Secret Key for Deep Security Manager and assign minimum permissions:
1. Go to your Amazon Web Services console and sign in
2. Open the IAM section (If you do not have privileges to use the IAM section, contact the account's administrator.)
3. Go to Users and click Create New User
4. Enter an account name, for example "deep_security"
5. Copy the generated Access Key Id and Secret Key Id
6. Select the User and choose Permissions
7. Here, you can grant the permissions either at the Role or at the User level. The minimum required permission is "ec2:Describe*", however you can use the "Read Only Access" policy template for simplicity
Having a dedicated account for Deep Security ensures that you can refine the rights and
permissions or revoke the account at any time. Trend Micro recommends that you give Deep
Security a Access/Secret key with no more than read-only permissions.
/A> ?HEEHPBG@ IHEB<R M>FIE:M> PBEE @K:GM MA> K>JNBK>= I>KFBLLBHGL:
{
  "Statement": [{
    "Sid": "Stmt1354546872297",
    "Action": [
      "ec2:Describe*"
    ],
    "Effect": "Allow",
    "Resource": [
      "*"
    ]
  }]
}
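The stated minimum, "ec2:Describe*", can be checked mechanically before a key is handed to Deep Security. The Python sketch below is an added example, not part of the Trend Micro guide: it audits an IAM policy document and reports every Allow statement that reaches beyond "ec2:Describe*". The function names and the second sample policy are constructed for illustration.

```python
import json

# Baseline from the guide: the minimum permission the Deep Security key needs.
MINIMUM_ACTION_PREFIX = "ec2:describe"  # IAM action names are case-insensitive

# The policy template printed in the guide.
GUIDE_POLICY = """
{
  "Statement": [{
    "Sid": "Stmt1354546872297",
    "Action": ["ec2:Describe*"],
    "Effect": "Allow",
    "Resource": ["*"]
  }]
}
"""

# Constructed sample (not from the guide): a key that has drifted past read-only.
DRIFTED_POLICY = """
{
  "Statement": [
    {"Sid": "ConstructedDescribe", "Effect": "Allow",
     "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Sid": "ConstructedWide", "Effect": "Allow",
     "Action": ["ec2:D*", "ec2:TerminateInstances", "s3:GetObject"],
     "Resource": "*"},
    {"Sid": "ConstructedNotAction", "Effect": "Allow",
     "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "ConstructedDeny", "Effect": "Deny",
     "Action": "ec2:*", "Resource": "*"}
  ]
}
"""


def as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def literal_prefix(pattern):
    """Return the part of an action pattern before its first wildcard (* or ?)."""
    for index, char in enumerate(pattern):
        if char in "*?":
            return pattern[:index]
    return pattern


def within_minimum(action_pattern):
    """True only if every action the pattern can match is an ec2:Describe* call."""
    prefix = literal_prefix(action_pattern).lower()
    return prefix.startswith(MINIMUM_ACTION_PREFIX)


def audit_policy(policy_text):
    """Return findings; an empty list means nothing beyond ec2:Describe*."""
    policy = json.loads(policy_text)
    findings = []
    statements = as_list(policy.get("Statement"))
    for number, statement in enumerate(statements, start=1):
        label = statement.get("Sid", "statement %d" % number)
        if statement.get("Effect") != "Allow":
            continue  # a Deny statement can only remove access
        if "NotAction" in statement:
            findings.append(
                "%s: Allow with NotAction grants every action except those listed"
                % label)
        for action in as_list(statement.get("Action")):
            if not within_minimum(action):
                findings.append(
                    "%s: '%s' allows more than ec2:Describe*" % (label, action))
    return findings


if __name__ == "__main__":
    samples = (("guide policy", GUIDE_POLICY), ("drifted policy", DRIFTED_POLICY))
    for name, text in samples:
        results = audit_policy(text)
        print(name, "->", "OK" if not results else "REVIEW")
        for finding in results:
            print("   " + finding)
```

A policy broader than the stated minimum, such as one built from the "Read Only Access" template, is reported for review because the check compares against "ec2:Describe*" only.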
Upgrading
Upgrade Scenarios
To upgrade to Deep Security 9.0, you must be running Deep Security 8.0 SP2 or later. If you are running an earlier version of Deep Security, you must first upgrade to Deep Security 8.0 SP2 (or later) before upgrading to version 9.0. For instructions on how to upgrade to Deep Security 8.0 SP2, consult the Deep Security 8.0 SP2 Installation Guide available from the Trend Micro Download Center.
Deep Security 9.0 does not support ESXi version 4.1. To deploy Deep Security 9.0, your VMware infrastructure (vCenter, vShield Manager, vShield Endpoint, and vShield Endpoint drivers) must be upgraded to version 5.x.
Upgrading from DS 8.0 SP2 with Agentless Anti-Malware and/or Integrity Monitoring Protection (Includes upgrading ESXi 4.1 to 5.x)
Upgrading from DS 8.0 with Agentless Anti-Malware Protection (Upgrading ESX/ESXi 4.1 to 5.0) (page 87) describes the procedures for upgrading from Deep Security 8.0 to Deep Security 9.0 in a VMware 4.1 environment in which Agentless Anti-Malware protection is implemented.
Upgrading from Deep Security 8.0 SP2 with Agentless FW and DPI Only (Upgrading ESXi 4.1 to 5.x).
Upgrading from DS 8.0 with Agentless FW and DPI Only (Upgrading from ESX/ESXi 4.1 to 5.0) (page 91) describes the procedures for upgrading from Deep Security 8.0 to Deep Security 9.0 in a VMware 4.1 environment in which only Agentless Firewall and DPI protection is implemented.
Upgrading from Deep Security 8.0 SP2 with In-guest Agent-Based Protection Only.
Upgrading from Deep Security 8.0 with In-guest Agent-Based Protection Only (page 94) describes the procedures for upgrading from Deep Security 8.0 to Deep Security 9.0 in any environment in which only Agent-based protection is being implemented.
Upgrading from DS 8.0 SP2 with Agentless Anti-Malware Protection (Includes upgrading ESXi 4.1 to 5.x)
Deep Security 9.0 does not support ESXi version 4.1. To deploy Deep Security 9.0, your VMware infrastructure (vCenter, vShield Manager, vShield Endpoint, and vShield Endpoint drivers) must be upgraded to version 5.x.
Summary of the Upgrade Procedures
Note: The sequence of steps in this procedure is very important. Be sure to read them through at least once and follow them in the same order as they are written.
There are two phases to this procedure: first, upgrading your VMware components, and second, upgrading your Deep Security components.
The first phase, upgrading your VMware components, will consist of the following steps:
1. Deactivate the Deep Security Virtual Appliance on the ESXi
2. Restore the ESXi (to uninstall the Deep Security Filter Driver)
3. Uninstall vShield Endpoint from the ESXi
4. Uninstall the vShield Endpoint Guest Drivers from VMs on the ESXi
5. Upgrade your vCenter
6. Upgrade the ESXi to ESXi 5.x (If you upgraded to ESXi 5.0, apply patch "ESXi 5.0 (build 474610 or later)")
7. Upgrade the vShield Manager
8. Configure the vShield Manager to integrate with the vCenter
9. Install vShield Endpoint on the ESXi
10. Install vShield Endpoint drivers (found in VMware Tools included with ESXi 5.x) on the VMs
11. Restart the ESXi
Note: Uninstalling a vShield Endpoint module (Step 3) puts the ESXi host into maintenance mode and reboots it. Migrate your vShield Manager and any other virtual machines to another ESXi host to avoid shutting down these virtual machines during reboot.
Note: When upgrading the vShield Manager on a vCenter, you will have to deactivate all the Virtual Appliances running on that vCenter. This is because there is only one vShield Manager per vCenter and all the Virtual Appliances on that vCenter require an active vShield Manager. The amount of time it takes to deactivate a Virtual Appliance that is providing Agentless protection to
VMs depends on the number of VMs that are being protected. Take this into account when estimating the amount of time the upgrade procedure will take.
Your VMs will not have Agentless protection on the ESXi while the Deep Security Virtual Appliance is deactivated.
The second phase, upgrading your Deep Security components, will consist of these steps:
1. Upgrade the Deep Security Manager
2. Upgrade your Deep Security Relays
3. Add a security certificate to the Deep Security Manager for the vCenter and the vShield Manager
4. Import Deep Security 9.0 installation packages into the Deep Security Manager
5. Prepare the ESXi (this installs the Deep Security Filter Driver on the ESXi)
6. Reactivate your Deep Security Virtual Appliance in preparation for upgrade
7. Upgrade the Deep Security Virtual Appliance on your ESXi
8. Activate the guest VMs on the ESXi
9. Upgrade Deep Security Notifier (if required)
10. Deploy Deep Security Agents (if required)
Phase One: Upgrading Your VMware Components
Note: These instructions provide the sequence in which you should carry out your VMware and Deep Security upgrade. For detailed instructions on upgrading the components of your VMware environment, consult your VMware documentation. Refer to VMware's Web site where you can find the latest information and knowledge base articles.
To upgrade your VMware components:
1. In the Deep Security Manager, go to the Computers screen, right-click on the Virtual Appliance and select Actions > Deactivate Appliance.
2. On the Computers screen of the Deep Security Manager, right-click the ESXi and select Actions > Restore ESX... and follow the steps in the wizard. (This procedure will uninstall the 8.0 SP2+ Deep Security Filter Driver from the ESXi.)
Note: Uninstalling a vShield Endpoint module puts the ESXi host into maintenance mode and reboots it.
Migrate your vShield Manager and any other virtual machines to another ESXi host to avoid shutting down these virtual machines during reboot. Using vShield Manager 4.1, uninstall vShield Endpoint from the ESXi.
3. Using Add/Remove Programs on each VM, uninstall vShield Endpoint guest drivers from the VMs on the ESXi.
4. Run the VIM installer following the directions provided by VMware.
5. Upgrade the ESXi to ESXi 5.x (If upgrading to ESXi 5.0, apply patch "ESXi 5.0 (build 474610 or later)".)
6. Follow the directions in VMware's vShield_Quick_Start_Guide.pdf to upgrade the vShield Manager.
7. When the upgrade of the vShield Manager is complete and the vShield Manager has been restarted, log in to the vShield Manager console and add the configuration information required to re-integrate it with the vCenter.
8. Use the vShield Manager to install vShield Endpoint on the ESXi.
9. Use VMware Tools to install the vShield Endpoint guest drivers on the VMs.
10. Restart the ESXi to complete the VMware phase of the upgrade process.
When the ESXi has restarted, verify that all components of your vCenter are working correctly before continuing with phase two of the upgrade procedure, upgrading your Deep Security components.
Phase Two: Upgrading your Deep Security Components
The Deep Security software must be downloaded from the Trend Micro Download Center to a location from which it can be imported into the Deep Security Manager.
Note: You must have successfully completed phase one of this upgrade procedure, Upgrading Your VMware Components, before upgrading your Deep Security components.
Note: The Deep Security Filter Driver and the Deep Security Virtual Appliance must always be upgraded to the same version. Upgrading one without the other will leave both in a non-functional state.
To upgrade your Deep Security Components:
1. Upgrade the Deep Security Manager to version 9.0. Follow the same procedures as described in Installing Deep Security Manager (page 38).
2. Follow the instructions described in Deploying the Deep Security Relay (page 42).
3. On the Computers screen in the Deep Security Manager, right-click on the vCenter and select Properties. On the vCenter Properties screen, click Add/Update Certificate... on the General tab to add a certificate for the vCenter, and click Add/Update Certificate... on the vShield Manager tab to add a certificate for the vShield Manager.
4. In the Deep Security Manager, go to Administration > Updates > Software Updates and import the Deep Security Agent 9, Deep Security Relay 9, Deep Security Filter Driver 9, and Deep Security Virtual Appliance 9 installation packages.
5. The ESXi will be "unprepared". Follow the instructions in Preparing ESXi for Deep Security Virtual Appliance Deployment (page 45) to prepare the ESXi.
6. On the Computers screen in the Deep Security Manager, right-click on the Deep Security Virtual Appliance and select Actions > Activate Appliance. Do not activate the VMs at this time.
7. On the Computers screen in the Deep Security Manager, right-click on the Deep Security Virtual Appliance and select Actions > Upgrade Appliance...
8. Activate the guest VMs on the ESXi. Follow the instructions described in the section "Activating Guest Virtual Machines" in Deploying the Deep Security Virtual Appliance (page 47).
9. Upgrade Deep Security Notifier (if required) as described in Upgrade the Deep Security Notifier (page 96).
10. Deploy Deep Security Agents (if required). Follow the instructions described in Deploying Deep Security Agents (page 56).
Upgrading VMware and Deep Security is now complete.
Upgrading from DS 8.0 with Agentless FW and DPI Only (Upgrading from ESXi 4.1 to 5.0)
Deep Security 9.0 does not support ESXi version 4.1. To deploy Deep Security 9.0, your VMware infrastructure (vCenter, vShield Manager, vShield Endpoint, and vShield Endpoint drivers) must be upgraded to version 5.x.
The following upgrade procedures apply to VMware environments where Deep Security is providing Agentless Firewall and DPI protection only.
Summary of the Upgrade Procedures
Note: The sequence of steps in this procedure is very important. Be sure to read them through at least once and follow them in the same order as they are written.
There are two phases to this procedure: first, upgrading your VMware components, and second, upgrading your Deep Security components.
The first phase, upgrading your VMware components, will consist of the following steps:
1. Deactivate the Deep Security Virtual Appliance on the ESXi
2. Restore the ESXi (to uninstall the Deep Security Filter Driver)
3. Upgrade your vCenter
4. Upgrade the ESXi to 5.x. (If upgrading to 5.0, apply patch "ESXi 5.0 (build 474610)" or later.)
The second phase, upgrading your Deep Security components, will consist of these steps:
1. Upgrade the Deep Security Manager
2. Add a security certificate to the Deep Security Manager for the vCenter and the vShield Manager
3. Import Deep Security 9 installation packages into the Deep Security Manager
4. Prepare the ESXi (this installs the Deep Security Filter Driver on the ESXi)
5. Reactivate your Deep Security Virtual Appliance in preparation for upgrade
6. Upgrade the Deep Security Virtual Appliance on your ESXi
7. Deploy and configure a Deep Security Relay
8. Activate the guest VMs on the ESXi
9. Deploy Deep Security Agents (if required)
Phase One: Upgrading Your VMware Components
The following table lists the components that will be upgraded during this phase (if you are upgrading to VMware 5.0):
1. In the Deep Security Manager, go to the Computers screen, right-click on the Virtual Appliance and select Actions > Deactivate Appliance.
2. On the Computers screen of the Deep Security Manager, right-click the ESXi and select Actions > Restore ESX... and follow the steps in the wizard.
3. Run the VIM installer following the directions provided by VMware.
4. Upgrade the ESXi to 5.x. (If upgrading to 5.0, apply patch "ESXi 5.0 (build 474610)" or later.)
Verify that all components of your vCenter are working correctly before continuing with phase two of the upgrade procedure, upgrading your Deep Security components. Make sure the version numbers of the upgraded components match those in the Post-Upgrade Version column in the table at the beginning of these steps.
Phase Two: Upgrading your Deep Security Components
The Deep Security software must be downloaded from the Trend Micro Download Center to a location from which it can be imported into the Deep Security Manager.
Note: You must have successfully completed phase one of this upgrade procedure, Upgrading Your VMware Components, before upgrading your Deep Security components.
Note: The Deep Security Filter Driver and the Deep Security Virtual Appliance must always be upgraded to the same version. Upgrading one without the other will leave both in a non-functional state.
1. Upgrade the Deep Security Manager to version 9.0. Follow the same procedures as described in Installing Deep Security Manager (page 38).
2. On the Computers screen in the Deep Security Manager, right-click on the vCenter and select Properties. On the vCenter Properties screen, click Add/Update Certificate... on the General tab to add a certificate for the vCenter, and click Add/Update Certificate... on the vShield Manager tab to add a certificate for the vShield Manager.
3. In the Deep Security Manager, go to Administration > Updates > Software Updates and import the Deep Security Agent 9, Deep Security Relay 9, Deep Security Filter Driver 9, and Deep Security Virtual Appliance 9 installation packages.
4. After upgrading the ESXi in phase one, the ESXi will be "unprepared". Follow the instructions in Preparing ESXi for Deep Security Virtual Appliance Deployment (page 45) to prepare the ESXi.
5. On the Computers screen in the Deep Security Manager, right-click on the Deep Security Virtual Appliance and select Actions > Activate Appliance. Do not activate the VMs at this time.
6. On the Computers screen in the Deep Security Manager, right-click on the Deep Security Virtual Appliance and select Actions > Upgrade Appliance...
7. Follow the instructions described in Deploying the Deep Security Relay (page 42).
8. Follow the instructions described in the section "Activating Guest Virtual Machines" in Deploying the Deep Security Virtual Appliance (page 47).
9. Follow the instructions described in Deploying Deep Security Agents (page 56).
Upgrading to Deep Security 9 with Agentless Firewall and DPI protection only is now complete.
Upgrading from Deep Security 8.0 with In-guest Agent-Based Protection Only
The following upgrade procedures apply to environments (physical or virtual) where Deep Security is providing in-guest Agent-based protection only.
Note: If you are running Deep Security 8.0 in a VMware vSphere 4 Environment and you are implementing in-guest Agent-based protection only, only your Deep Security components need to be upgraded to 9.0.
The Upgrade Procedure
The software installation packages must be downloaded from the Trend Micro Download Center to a location from which they can be imported into the Deep Security Manager.
The procedures for upgrading from Deep Security 8.0 to Deep Security 9.0 in a physical or virtual environment when providing in-guest Agent-based protection only are as follows:
1. Upgrade the Deep Security Manager from 8.0 to 9. Follow the same procedures described in Installing Deep Security Manager (page 38).
2. Import the remaining Deep Security 9 installation packages. Download the Deep Security Agent 9.0, Relay 9.0, Filter Driver 9.0, and Virtual Appliance 9.0 installation packages from the Trend Micro Download Center to a locally accessible computer. Then, in the Deep Security Manager, go to Administration > Updates > Software Updates and import the packages.
3. Upgrade your Deep Security Relays. Follow the instructions as described in Deploying the Deep Security Relay (page 42).
4. Upgrade your Deep Security Agents. Follow the instructions described in Deploying Deep Security Agents (page 56).
Upgrading to Deep Security 9.0 with in-guest Agent-based protection only is now complete.
Upgrade Deep Security Agents
Note: Deep Security Agents must be of the same version as, or an earlier version than, the Deep Security Manager being used to manage them. The Deep Security Manager must always be upgraded before the Deep Security Agents.
Deep Security Agents can be upgraded using the Deep Security Manager interface, but the Agent software must first be imported into the Deep Security Manager.
To import Agent software into the Deep Security Manager:
1. In the Deep Security Manager, go to the Administration > Updates > Software Updates tab.
2. At the bottom of the page, click on Open Download Center... to open a browser window to the Trend Micro Download Center web site.
3. Download the Agent software for platforms you require to a location accessible from the server hosting the Deep Security Manager.
4. Close the Download Center browser window.
5. Back in the Deep Security Manager on the Software Updates tab, click Import Software... to start the Import Software wizard.
6. Use the wizard to navigate to the location where you downloaded the Agents and import them into the Deep Security Manager.
The Agent software is now imported into the Deep Security Manager.
Note: Once the new software is imported into the Deep Security Manager, depending on how your Alerts are configured, you may get an Agent Upgrade Recommended alert for each computer on which the Agent is determined to be out of date.
To Upgrade Deep Security Agents using the Deep Security Manager:
1. In the Deep Security Manager, go to the Computers screen.
2. Find the computer on which you want to upgrade the Agent.
3. Right-click the computer and select Actions > Upgrade Agent software.
4. The Agent software will be sent to the computer and the Agent software will be upgraded and alerts will be dismissed automatically.
Agent software upgrade is now complete.
Note: You can manually upgrade the Agents locally on the computer. To do this, follow the instructions in Install Deep Security Agents (page 56).
Upgrade the Deep Security Notifier
Note: Upgrading the Deep Security Notifier is only required on virtual machines being protected Agentlessly by a Deep Security Virtual Appliance. On machines with an in-guest Agent, the Notifier will be upgraded along with the Deep Security Agent.
To upgrade the Deep Security Notifier:
1. Uninstall Deep Security Notifier 8.0
2. Install Deep Security Notifier 9.0 according to the procedures described in Installing the Deep Security Notifier (page 67).
Note: The Deep Security Notifier must always be the same version as the Deep Security Manager.
Quick Start
Quick Start: System Configuration
This Quickstart Guide describes the initial basic Deep Security system configuration that is required before you can start protecting your computer resources.
To complete basic Deep Security system configuration, you will need to:
1. Make sure you have at least one Deep Security Relay
2. Configure Deep Security's ability to retrieve Updates from Trend Micro
3. Check that you have a Scheduled Task to perform regular Updates
4. Set up email notification of important events
Make sure you have at least one Deep Security Relay
The Deep Security Relay is responsible for retrieving Security Updates from Trend Micro and distributing them to your protected computers, therefore you must have at least one Deep Security Relay installed. See Installing the Deep Security Relay (page 42) if you do not.
Note: Relays are always organized into Relay Groups, even if it's only a group of one. Deep Security has a default Relay Group (named "Default Relay Group") to which all new Relays are assigned. You can create multiple Relay Groups if you have a large number of computers and want to create a hierarchical Relay structure or if your computers are spread out over large geographical areas. For more information on Relay Groups, see Configuring the Deep Security Relay (page 116) and Relay Groups in the online help or the Administrator's Guide.
To view your Deep Security Relays, go to the Administration > System Settings > Updates tab and click View Relay Groups... in the Relays area: (Make sure you are on the Updates tab on the System Settings page and not the Updates page located parallel to the System Settings page.)
This will display your current Relay Groups in the Relay Groups window. Usually you will only have the single Default Relay Group.
Double-click the Default Relay Group to display its Relay Group Properties window:
In the Members area of the Relay Group Properties window you'll see the Relays that are members of the group.
Note: If there are no computers in the Members area see Installing the Deep Security Relay (page 42) and Configuring the Deep Security Relay (page 116).
Configure Deep Security's ability to retrieve Updates from Trend Micro
Now that you've confirmed that you have a Relay, you can find the Relay in your Computers list and check that it can retrieve updates from Trend Micro.
Go to the Administration > Updates > Security Updates tab and click the Download Security Updates ... button.
This will display the Security Update Wizard which contacts the Trend Micro Update Servers and downloads the latest Security Updates and distributes them to your computers. If upon completion the wizard displays the success message it means your Relay can communicate with the Update servers:
Note: If your Relays are unable to update their Components, see Installing the Deep Security Relay (page 42) and Configuring the Deep Security Relay (page 116).
Check that you have a Scheduled Task to perform regular Updates
Now that you know your Relay can communicate with the Update servers, you should create a Scheduled Task which will regularly retrieve and distribute security Updates.
Go to Administration > Scheduled Tasks. There you should see at least one Scheduled Task called Daily Download Security Updates:
Double-click the Scheduled Task to view its Properties window:
Notice that (in this case) the Download Security Updates Scheduled Task is set to perform a Security Update every day at 19:25.
Note: If you don't have a Download Security Updates Scheduled Task in your list, you can create one by clicking on New on the Scheduled Task page menu bar and following the instructions in the New Scheduled Task wizard.
Set up email notification of important events
Deep Security Alerts are raised when situations occur that require special attention. Alerts can be raised due to security Events such as the detection of malware or an abnormal restart on a protected computer, or they can be system events like the Deep Security Manager running low on disk space. Deep Security can be configured to send email notifications when specific Alerts are raised.
To configure which Alerts will generate an email notification, go to the Alerts page and click Configure Alerts... to display the list of Deep Security Alerts:
Double-click on an Alert to see its Properties window where you can set the Alert options for email notification:
Now you need to configure your User account to receive the email notifications Deep Security will send out. Go to Administration > Roles, Users, and Contacts and double-click on your User account to display its Properties window. Go to the Contact Information tab and enter an email address and select the Receive Alert Emails option:
In order for Deep Security to send email notification it has to be able to communicate with an SMTP server (access to an SMTP server is a requirement for email notifications). To connect the Deep Security Manager to your SMTP server, go to the Administration > System Settings > SMTP tab:
Complete the required fields in the SMTP area and press test SMTP Settings at the bottom of the page when you're done. You should see a Test connection to SMTP server succeeded message:
Note: If you are unable to connect with your SMTP server, make sure the Manager can connect with the SMTP server on port 25.
Basic Configuration is complete
This completes the basic Deep Security system configuration. Deep Security is now configured to regularly contact Trend Micro for security Updates and distribute those Updates on a regular basis, and it will send you email notifications when Alerts are raised. Now you need to apply Deep Security protection to your computers.
See QuickStart: Protecting a Server (page 106) or QuickStart: Protecting a Mobile Laptop in the online help or the Administrator's Guide for a quick guide to protecting those two kinds of computer resources.
Quick Start: Protecting a Server
The following describes the steps involved in using Deep Security to protect a Windows Server 2008 computer.
It will involve the following steps:
1. Adding the computer to the Deep Security Manager.
2. Configuring and running a Recommendation Scan
3. Automatically implement scan recommendations
4. Create a Scheduled task to perform regular Recommendation Scans
5. Monitor Activity Using the Deep Security Manager
Note: We will assume that you have already installed the Deep Security Manager on the computer from which you intend to manage the Deep Security Agents/Appliances throughout your network. We will also assume that you have installed (but not activated) Deep Security Agent on the computer you wish to protect or that you have deployed and activated Deep Security Appliances on the ESXi hosts on which are running the VMs you intend to protect. And finally, we will assume that you have a Deep Security Relay installed from which Deep Security can download the latest Security Updates. If any of these requirements are not in place, consult the Installation Guide for instructions to get to this stage.
Adding the computer to the Deep Security Manager
There are several ways of adding computers to the Deep Security Manager's Computers page. You can add computers by:
• Adding computers individually from a local network by specifying their IP addresses or hostnames
• Discovering computers on a local network by scanning the network
• Connecting to a Microsoft Active Directory and importing a list of computers
• Connecting to a VMware vCenter and importing a list of computers
• Connecting to computing resources from the following Cloud Provider services:
  ◦ Amazon EC2
  ◦ VMware vCloud
For the purposes of this exercise, we will add a computer from a local network but once a computer is added to the Manager, the protection procedures are the same regardless of where the computer is located.
To add a computer from a local network:
1. In the Deep Security Manager console, go to the Computers page and click New in the toolbar and select New Computer... from the drop-down menu.
2. In the New Computer wizard, enter the hostname or IP address of the computer and select an appropriate security Policy to apply from the Policy tree in the drop-down menu. (In this case we will select the Windows Server 2008 Policy.) Click Next.
3. The wizard will contact the computer, add it to the Computers page, detect the unactivated Agent, activate it, and apply the selected Policy. Click Finish.
Note: An Agent can be configured to automatically initiate its own activation upon installation. For details, see Command-Line Instructions in the online help of the Administrator's Guide.
4. When the computer has been added the wizard will display a confirmation message:
5. Leave the Open Computer Details on 'Close' option unselected and click Close.
The computer now appears in the Deep Security Manager's list of managed computers on the Computers page.
Deep Security will automatically download the latest Security Updates to the computer after activation. As well, the Windows Server 2008 Policy that we assigned to the computer has Integrity Monitoring enabled and so it will start to build an Integrity Monitoring baseline for the computer. You can see activities currently being carried out in the status bar of the Manager window:
Once Deep Security Manager has completed its initial post-activation tasks the computer's Status should display as Managed (Online):
Note: More information is available for each page in the Deep Security Manager by clicking the Help button in the menu bar.
Configuring and Running a Recommendation Scan
The security Policy that we assigned to the computer is made up of a collection of Rules and settings designed for a computer running the Windows Server 2008 operating system. However, a static Policy can soon fall out of date. This can be because of new software being installed on the computer, new operating system
vulnerabilities being discovered for which Trend Micro has created new protection Rules, or even because a previous vulnerability was corrected by an operating system or software service pack. Because of the dynamic nature of the security requirements on a computer, you should regularly run Recommendation Scans which will assess the current state of the computer and compare it against the latest Deep Security protection module updates to see if the current security Policy needs to be updated.
Recommendation Scans make recommendations for the following protection modules:
• Intrusion Prevention
• Integrity Monitoring
• Log Inspection
To run a Recommendation Scan on your computer:
1. Go to the Computers page in the main Deep Security Manager console window.
2. Right-click on your computer and select Actions > Scan for Recommendations:
During the Recommendation Scan, your computer's Status will display Scanning for Recommendations.
When the scan is finished, if Deep Security has any recommendations to make, you will see an Alert on the Alerts screen:
To see the results of the Recommendation Scan:
1. Open the computer editor for your computer (Details... in the Computers page menu bar or from the right-click menu.)
2. In the computer editor window, go to the Intrusion Prevention module page.
In the Recommendations area of the General tab, you'll see the results of the scan:
The Current Status tells us that there are currently 179 Intrusion Prevention Rules assigned to this computer.
Last Scan for Recommendations tells us that the last scan took place on December 18th, 2012, at 09:14.
Unresolved Recommendations tells us that as a result of the scan, Deep Security recommends assigning an additional 28 Intrusion Prevention Rules and unassigning 111 currently assigned Rules.
The Note informs us that 111 of the Rules recommended for unassignment (all of them as it turns out) have been assigned at the Policy level (rather than directly here on the computer level). Rules that have been assigned at a level higher up the Policy tree can only be unassigned in the Policy where they were assigned -- in this case, the Windows Server 2008 Policy. (If we had opened the Windows Server 2008 Policy editor, we would have seen the same recommendations and we could have unassigned them from there.)
We are also told that 7 of the Rules that are recommended for assignment can't be automatically assigned. Usually these are either Rules that require configuration or Rules that are prone to false positives and whose behavior should be observed in detect-only mode before being enforced in prevent mode. To see which Rules have been recommended for assignment, click Assign/Unassign... to display the IPS Rules rule assignment modal window. Then select Recommended for Assignment from the second drop-down filter list:
Rules that require configuration are identified by an icon with a small configuration badge. To see the configurable options for a Rule, double-click the Rule to open its Properties window (in local editing mode) and go to the Configuration tab. To assign a Rule, select the checkbox next to its name.
To view Rules that are recommended for unassignment, filter the list of Rules by selecting Recommended for Unassignment from the same drop-down list. To unassign a Rule, deselect the checkbox next to its name.
Rules that are in effect on a computer because they have been assigned in a Policy higher up the
policy tree can't be unassigned locally. The only way to unassign such Rules is to edit the Policy
where they were originally assigned and unassign them from there. For more information on this
kind of Rule inheritance, see Policies, Inheritance and Overrides in the online help or the
Administrator's Guide.
Automatically implement scan recommendations
You can configure Deep Security to automatically assign and unassign Rules after a Recommendation Scan. To do so, open the computer or Policy editor and go to the individual protection module pages that support Recommendation Scans (Intrusion Prevention, Integrity Monitoring, and Log Inspection). In the Recommendation area on the General tab, set Automatically implement Intrusion Prevention Rule Recommendations: to Yes.
Create a Scheduled task to perform regular Recommendation Scans
Performing regular Recommendation Scans ensures that your computers are protected by the latest relevant Rule sets and that those that are no longer required are removed. You can create a Scheduled Task to carry out this task automatically.
To create a Scheduled Task:
1. In the main Deep Security Manager window, go to Administration > Scheduled Tasks
2. In the menu bar, click New to display the New Scheduled Task wizard.
3. Select Scan Computers for Recommendations as the scan type and select Weekly recurrence. Click Next.
4. Select a start time, select every 1 week, and select a day of the week. Click Next.
5. When specifying which computers to Scan, select the last option (Computer) and select the Windows Server 2008 computer we are protecting. Click Next.
6. Type a name for the new Scheduled Task. Leave the Run task on 'Finish' unchecked (because we just ran a Recommendation Scan). Click Finish.
The new Scheduled Task now appears in the list of Scheduled Tasks. It will run once a week to scan your computer and make recommendations for your computer. If you have set Automatically implement Recommendations for each of the three protection modules that support it, Deep Security will assign and unassign Rules as required. If Rules are identified that require special attention, an Alert will be raised to notify you.
Schedule Regular Security Updates
If you follow the steps described in Quick Start: System Configuration (page 98), your computer will now be regularly updated with the latest protection from Trend Micro.
Monitor Activity Using the Deep Security Manager
The Dashboard
After the computer has been assigned a Policy and has been running for a while, you will want to review the activity on that computer. The first place to go to review activity is the Dashboard. The Dashboard has many information panels ("widgets") that display different types of information pertaining to the state of the Deep Security Manager and the computers that it is managing.
At the top right of the Dashboard page, click Add/Remove Widgets to view the list of widgets available for display.
For now, we will add the following widgets from the Firewall section:
• Firewall Activity (Prevented)
• Firewall IP Activity (Prevented)
• Firewall Event History (2x1)
Select the checkbox beside each of the three widgets, and click OK. The widgets will appear on the dashboard. (It may take a bit of time to generate the data.)
• The Firewall Activity (Prevented) widget displays a list of the most common reasons for packets to be denied (that is, blocked from reaching a computer by the Agent on that computer) along with the number of packets that were denied. Items in this list will be either types of Packet Rejections or Firewall Rules. Each "reason" is a link to the corresponding logs for that denied packet.
• The Firewall IP Activity (Prevented) widget displays a list of the most common source IPs of denied packets. Similar to the Firewall Activity (Prevented) widget, each source IP is a link to the corresponding logs.
• The Firewall Event History (2x1) widget displays a bar graph indicating how many packets were blocked in the last 24 hour period or seven day period (depending on the view selected). Clicking a bar will display the corresponding logs for the period represented by the bar.
Note the trend indicators next to the numeric values in the Firewall Activity (Prevented) and
Firewall IP Activity (Prevented) widgets. An upward or downward pointing triangle indicates an
overall increase or decrease over the specified time period, and a flat line indicates no significant
change.
Logs of Firewall and Intrusion Prevention Events
Now drill down to the logs corresponding to the top reason for Denied Packets: in the Firewall Activity (Prevented) widget, click the first reason for denied packets (in the picture above, the top reason is "Out of Allowed Policy"). This will take you to the Firewall Events page.
The Firewall Events page will display all Firewall Events where the Reason column entry corresponds to the first reason from the Firewall Activity (Prevented) widget ("Out of Allowed Policy"). The logs are filtered to display only those events that occurred during the view period of the Dashboard (last 24 hours or last seven days). Further information about the Firewall Events and Intrusion Prevention Events page can be found in the help pages for those pages.
For the meaning of the different packet rejection reasons, see Firewall Events and Intrusion
Prevention Events in the online help or the Administrator's Guide.
Reports
Often, a higher-level view of the log data is desired, where the information is summarized, and presented in a more easily understood format. The Reports fill this Role, allowing you to display detailed summaries on computers, Firewall and Intrusion Prevention Event Logs, Events, Alerts, etc. In the Reports page, you can select various options for the report to be generated.
We will generate a Firewall Report, which displays a record of Firewall Rule and Firewall Stateful Configuration activity over a configurable date range. Select Firewall Report from the Report drop-down. Click Generate to launch the report in a new window.
By reviewing scheduled reports that have been emailed by the Deep Security Manager to Users, by logging into the system and consulting the dashboard, by performing detailed investigations by drilling down to specific logs, and by configuring Alerts to notify Users of critical events, you can remain apprised of the health and status of your network.
Import Deep Security Software
Import Deep Security Software packages into the Deep Security Manager
Import Deep Security Agents
To import Agent software into the Deep Security Manager:
1. In the Deep Security Manager, go to the Administration > Updates > Software Updates tab.
2. At the bottom of the page, click on Open Download Center... to open a browser window to the Trend Micro Download Center web site.
3. Download the Agent software for platforms you require to a location accessible from the server hosting the Deep Security Manager.
4. Close the Download Center browser window.
5. Back in the Deep Security Manager on the Software Updates tab, click Import Software... to start the Import Software wizard.
6. Use the wizard to navigate to the location where you downloaded the Agents and import them into the Deep Security Manager.
The Agent software is now imported into the Deep Security Manager.
Import Deep Security Filter Driver (DSFD) and Deep Security Virtual Appliance (DSVA)
into Deep Security Manager
Deep Security Manager configuration must be performed by using a Deep Security Manager user account with Full Access rights.
1. From the Deep Security Manager go to Administration > Updates
2. Click Import Software... from the Software Updates tab. Browse and select FilterDriver-ESX_5.0-9.0.0-xxxx.x86_64.zip. Click Next and Finish on the next screen.
3. Click Import Software... from the Software Updates tab. Browse and select Appliance-ESX-9.0.0-xxxx.x86_64.zip. Click Next and wait for the Software Properties window and select Finish.
The package upload may take 5-10 minutes depending on network bandwidth.
4. Click View Imported Software and make sure both the Filter Driver and DSVA are imported.
Configuring the Deep Security Relay
The Deep Security Relay contains a Deep Security Agent which must be activated by the Deep
Security Manager before it can be configured.
Activate the Deep Security Relay
In the Deep Security Manager:
1. From the Computers screen, use the New option to add the computer on which the Deep Security Relay is installed, and Activate it.
2. Check that the Relay Agent status is Managed (Online).
3. On the Deep Security Relay computer, open the Deep Security Notifier and check the status is OK.
Configure Updates via the Relay
In the Deep Security Manager:
1. Go to Administration > System Settings > Updates.
2. Click the View Relay Groups button.
3. On the Relay Groups window, click New, and create a new relay group, checking the newly added Relay Agent computer in the Members section. Click OK.
4. Go to Administration > System Settings > Updates. You should see the newly added Relay as a member of the Relay Group in the Relays section.
5. In the Security Updates section, the list of Components will all show Not updated yet. Click Download Security Updates..., and then in the Security Update wizard, click Finish.
6. Downloading the Updates to the Deep Security Relay may take a few minutes.
7. When the Security Update wizard shows that the update has completed, click Finish.
8. Return to Administration > System Settings > Updates. In the Security Updates section, the list of Components will all show 100% Updated.
9. On the Deep Security Relay computer, open the Deep Security Notifier and you will see that the Components list has been updated.
Deep Security Agents and Appliances can be configured to either pull the updates from Deep Security Relays or directly from the Trend Micro Update Server.
Use the Administration > System Settings > Updates screen to configure Deep Security Relays.
To assign a Relay to an Agent/Appliance, go to the Computers screen, right-click the Computer and from the Actions menu, select Assign Relay Group.
Appendices
Supported Features by Platform
The following tables list which Deep Security 9 features are supported on which platforms by the last four versions of the Deep Security Agents/Virtual Appliances: 9, 8.0 (SP1), 7.5, and 7.0. The information in these tables is presented with the assumption that you are running Deep Security Manager 9.
The features listed in the Virtual Appliance column represent those functions that the Virtual
Appliance can perform on agentless virtual machines.
Deep Security 9.0
Platform columns: Agents (9): Windows, Linux, Solaris, AIX, HP-UX; Virtual Appliance (9): ESXi 5.x
Modules | Features
Anti-Malware | File Scan, Registry Scan, Memory Scan, Smart Scan, Real Time
Web Reputation Service | All Functions
Firewall | All Functions
Intrusion Prevention | Intrusion Prevention, Application Control, Web Application Protection, SSL
Integrity Monitoring | Files, Registry, Others, Real Time Files, Real Time Other
Log Inspection | All Functions
Recommendation Scan | All Functions (Virtual Appliance column: ESXi 5.1)
User Notification | All Functions (with Notifier)
Notes:
• The Linux Agents support Anti-Malware on 64-bit, non-Ubuntu, versions only.
Deep Security Manager Settings Properties File
This section contains information about the contents of the Property file that can be used in a command-line installation of the Deep Security Manager, such as a Windows silent install.
Settings Properties File
The format of each entry in the settings property file is:
<Screen Name>.<Property Name>=<Property Value>
The settings properties file has required and optional values.
For optional entries, supplying an invalid value will result in the default value being used.
Required Settings
LicenseScreen
Property | Possible Values | Default Value | Notes
LicenseScreen.License.-1=<value> | <AC for all modules> | blank |
OR
Property | Possible Values | Default Value | Notes
LicenseScreen.License.0=<value> | <AC for Anti-Malware> | blank |
LicenseScreen.License.1=<value> | <AC for Firewall/DPI> | blank |
LicenseScreen.License.2=<value> | <AC for Integrity Monitoring> | blank |
LicenseScreen.License.3=<value> | <AC for Log Inspection> | blank |
CredentialsScreen
Property | Possible Values | Default Value | Notes
CredentialsScreen.Administrator.Username=<value> | <username for master administrator> | blank |
CredentialsScreen.Administrator.Password=<value> | <password for the master administrator> | blank |
Optional Settings
UpgradeVerificationScreen
This screen/setting is not referenced unless an existing installation is detected.
Property | Possible Values | Default Value | Notes
UpgradeVerificationScreen.Overwrite=<value> | True, False | False |
Setting this value to True will overwrite any existing data in the database. It will do this without
any further prompts.
DatabaseScreen
This screen defines the database type and optionally the parameters needed to access certain database types.
The interactive install provides an "Advanced" dialog to define the instance name and domain of
a Microsoft SQL server, but because the unattended install does not support dialogs these
arguments are included in the DatabaseScreen settings below.
Property | Possible Values | Default Value | Notes
DatabaseScreen.DatabaseType=<value> | Embedded, Microsoft SQL Server, Oracle | Microsoft SQL Server |
DatabaseScreen.Hostname=<value> | The name or IP address of the database host, Current host name | Current host name |
DatabaseScreen.DatabaseName=<value> | Any string | dsm | Not required for Embedded
DatabaseScreen.Transport=<value> | Named Pipes, TCP | Named Pipes | Required for SQL Server only
DatabaseScreen.Username=<value> | | | Not required for Embedded
DatabaseScreen.Password=<value> | | blank | Not required for Embedded
DatabaseScreen.SQLServer.Instance=<value> | | | Blank implies default instance. Optional, required for SQL Server only
DatabaseScreen.SQLServer.Domain=<value> | | | Optional, required for SQL Server only
DatabaseScreen.SQLServer.UseDefaultCollation=<value> | True, False | False | Optional, required for SQL Server only
AddressAndPortsScreen
This screen defines the hostname, URL, or IP address of this computer and defines ports for the Manager. In the interactive installer this screen also supports the addition of a new Manager to an existing database, but this option is not supported in the unattended install.
Property | Possible Values | Default Value | Notes
AddressAndPortsScreen.ManagerAddress=<value> | <hostname, URL or IP address of the Manager host> | <current host name> |
AddressAndPortsScreen.ManagerPort=<value> | <valid port number> | 4119 |
AddressAndPortsScreen.HeartbeatPort=<value> | <valid port number> | 4120 |
AddressAndPortsScreen.NewNode=<value> | True, False | False | True indicates that the current install is a new node. If the installer finds existing data in the database, it will add this installation as a new node. (Multi-node setup is always a silent install). Note: The "New Node" installation requires information about the existing database to be provided via the DatabaseScreen properties.
Credentials Screen
Property | Possible Values | Default Value | Notes
CredentialsScreen.UseStrongPasswords=<value> | true, False | False | True indicates the DSM should be set up to enforce strong passwords
SecurityUpdateScreen
Property | Possible Values | Default Value | Notes
SecurityUpdateScreen.UpdateComponents=<value> | True, False | True | True indicates that you want Deep Security Manager to automatically retrieve the latest Components
SecurityUpdateScreen.UpdateSoftware=<value> | True, False | True | True indicates that you want to set up a task to automatically check for new software.
RelayScreen
This value controls the installation of a co-located Deep Security Relay Server.
Property | Possible Values | Default Value | Notes
RelayScreen.Install=<value> | True, False | False | If an appropriate Deep Security Relay install package is found (in the same location as the DSM installer) and this flag is set True then the Relay Server will be installed automatically.
SmartProtectionNetworkScreen
This screen defines whether you want to enable Trend Micro Smart Feedback and optionally your industry.
Property | Possible Values | Default Value | Notes
SmartProtectionNetworkScreen.EnableFeedback=<value> | True, False | False | True enables Trend Micro Smart Feedback.
SmartProtectionNetworkScreen.IndustryType=<value> | Not specified, Banking, Communications and media, Education, Energy, Fast-moving consumer goods (FMCG), Financial, Food and beverage, Government, Healthcare, Insurance, Manufacturing, Materials, Media, Oil and gas, Real estate, Retail, Technology, Telecommunications, Transportation, Utilities, Other | blank | blank corresponds to Not specified
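A pre-flight check for the settings properties file described in the tables above, as an added example that is not part of the original guide or of Trend Micro's tooling: it parses the <Screen Name>.<Property Name>=<Property Value> entries, applies the documented defaults to invalid optional values, and flags entries that deserve review before an unattended install. The finding rules, the case-insensitive value matching, treating a single LicenseScreen.License.<n> entry as sufficient, and all sample values are assumptions of this example.

```python
# Added example: audit a Deep Security Manager settings properties file.
# Property names and defaults come from the tables above; the finding rules,
# case-insensitive matching and the sample values are assumptions.

BOOL = ("True", "False")
# Optional entries with enumerable values: property -> (allowed, default).
OPTIONAL = {
    "UpgradeVerificationScreen.Overwrite": (BOOL, "False"),
    "DatabaseScreen.DatabaseType": (
        ("Embedded", "Microsoft SQL Server", "Oracle"), "Microsoft SQL Server"),
    "DatabaseScreen.Transport": (("Named Pipes", "TCP"), "Named Pipes"),
    "AddressAndPortsScreen.ManagerPort": ("port", "4119"),
    "AddressAndPortsScreen.HeartbeatPort": ("port", "4120"),
    "AddressAndPortsScreen.NewNode": (BOOL, "False"),
    "CredentialsScreen.UseStrongPasswords": (BOOL, "False"),
    "SecurityUpdateScreen.UpdateComponents": (BOOL, "True"),
    "SecurityUpdateScreen.UpdateSoftware": (BOOL, "True"),
    "RelayScreen.Install": (BOOL, "False"),
    "SmartProtectionNetworkScreen.EnableFeedback": (BOOL, "False"),
}
REQUIRED = ("CredentialsScreen.Administrator.Username",
            "CredentialsScreen.Administrator.Password")
LICENSE_KEYS = ["LicenseScreen.License.%d" % i for i in (-1, 0, 1, 2, 3)]


def parse_settings(text):
    """Parse '<Screen Name>.<Property Name>=<Property Value>' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Split on the first '=' only, so values may contain '='.
        key, sep, value = line.partition("=")
        if sep and "." in key:
            settings[key.strip()] = value.strip()
    return settings


def effective_value(key, value):
    """Return (value in effect, was_invalid): an invalid optional value
    falls back to the documented default."""
    allowed, default = OPTIONAL[key]
    if allowed == "port":
        ok = value.isdecimal() and 1 <= int(value) <= 65535
        return (value, False) if ok else (default, True)
    for candidate in allowed:
        if candidate.lower() == value.lower():  # assumption: case-insensitive
            return candidate, False
    return default, True


def audit(text):
    """Return (effective optional settings, findings) for a settings file."""
    settings = parse_settings(text)
    findings = []
    for key in REQUIRED:
        if not settings.get(key):
            findings.append("MISSING required entry " + key)
    if not any(settings.get(k) for k in LICENSE_KEYS):
        findings.append("MISSING required entry LicenseScreen.License.<n>")
    effective = {}
    for key, (_, default) in OPTIONAL.items():
        if key in settings:
            effective[key], invalid = effective_value(key, settings[key])
            if invalid:
                findings.append("INVALID %s=%r, default %s will be used"
                                % (key, settings[key], default))
        else:
            effective[key] = default
    if effective["UpgradeVerificationScreen.Overwrite"] == "True":
        findings.append("RISK Overwrite=True overwrites existing database "
                        "data without prompting")
    if effective["CredentialsScreen.UseStrongPasswords"] != "True":
        findings.append("RISK strong passwords are not enforced")
    secrets = sorted(k for k in settings
                     if k.endswith(".Password") and settings[k])
    if secrets:
        findings.append("RISK plaintext secrets in file: " + ", ".join(secrets))
    return effective, findings


# Constructed sample file: every value below is made up for the example.
SAMPLE = """\
LicenseScreen.License.-1=XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
CredentialsScreen.Administrator.Username=masteradmin
CredentialsScreen.Administrator.Password=Example=Pass1
UpgradeVerificationScreen.Overwrite=True
DatabaseScreen.DatabaseType=Microsoft SQL Server
DatabaseScreen.Password=ExampleDbPass
AddressAndPortsScreen.ManagerPort=99999
CredentialsScreen.UseStrongPasswords=maybe
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

Because the file carries the master administrator and database passwords as plain values, restrict who can read it and remove it once the install has finished.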
Installation Output
The following is a sample output from a successful install, followed by an example output from a failed install (invalid license). The [Error] tag in the trace indicates a failure.
Successful Install
Stopping Trend Micro Deep Security Manager Service...
Detecting previous versions of Trend Micro Deep Security Manager...
Upgrade Verification Screen settings accepted...
Database Screen settings accepted...
License Screen settings accepted...
Address And Ports Screen settings accepted...
Credentials Screen settings accepted...
All settings accepted, ready to execute...
Uninstalling previous version
Stopping Services
Extracting files...
Setting Up...
Connecting to the Database...
Creating the Database Schema...
Updating the Database Data...
Creating MasterAdmin Account...
Recording Settings...
Creating Temporary Directory...
Installing Reports...
Creating Help System...
Setting Default Password Policy...
Importing Example Security Profiles...
Applying Security Update...
Assigning IPS Filters to Example Security Profiles...
Correcting the Port for the Manager Security Profile...
Correcting the Port List for the Manager...
Creating IP List to Ignore...
Creating Scheduled Tasks...
Creating Asset Importance Entries...
Creating Auditor Role...
Auditing...
Optimizing...
Recording Installation...
Creating Properties File...
Creating Shortcut...
Configuring SSL...
Configuring Service...
Configuring Java Security...
Configuring Java Logging...
Cleaning Up...
Starting Deep Security Manager...
Finishing installation...
Failed Install
This example shows the output generated when the properties file contained an invalid license string:
Stopping Trend Micro Deep Security Manager Service...
Detecting previous versions of Trend Micro Deep Security Manager...
Upgrade Verification Screen settings accepted...
Database Screen settings accepted...
Database Options Screen settings accepted...
[ERROR] The license code you have entered is invalid.
[ERROR] License Screen settings rejected...
Rolling back changes...
Deep Security Manager Memory Usage
Configuring the Installer's Maximum Memory Usage
The installer is configured to use 1GB of contiguous memory by default. If the installer fails to run you can try configuring the installer to use less memory.
To configure the amount of RAM available to the installer:
1. Go to the directory where the installer is located.
2. Create a new text file called "Manager-Windows-9.0.xxxx.xxx.vmoptions" or "Manager-Linux-9.0.xxxx.xxx.vmoptions", depending on your installation platform (where "xxxx.xxx" is the build number of the installer and platform).
3. Edit the file by adding the line: "-Xmx800m" (in this example, 800MB of memory will be made available to the installer.)
4. Save the file and launch the installer.
Configuring the Deep Security Manager's Maximum Memory Usage
The Deep Security Manager default setting for heap memory usage is 4GB. It is possible to change this setting.
To configure the amount of RAM available to the Deep Security Manager:
1. Go to the Deep Security Manager directory (the same directory as Deep Security Manager.exe), e.g. C:\Program Files\Trend Micro\Deep Security Manager.
2. Create a new file called "Deep Security Manager.vmoptions".
3. Edit the file by adding the line: "-Xmx10g" (in this example, "8g" will make 8GB memory available to the DSM.)
4. Save the file and restart the Deep Security Manager.
5. You can verify the new setting by going to Administration > System Information and in the System Details area, expand Manager Node > Memory. The Maximum Memory value should now indicate the new configuration setting.
Deep Security Virtual Appliance Memory Usage
The following table lists minimum recommended Deep Security Virtual Appliance memory allocation based on the number of VMs being protected:
Number of virtual machines being protected by the Deep Security Virtual Appliance | Recommended memory allocation
1 - 32 VMs | 2GB
33 - 64 VMs | 4GB
65+ VMs | 8GB
Configuring the Deep Security Virtual Appliance's Memory Allocation
Changing the Deep Security Virtual Appliance's memory allocation settings requires powering off
the DSVA virtual machine. Virtual machines being protected by the Virtual Appliance will be
unprotected until it is powered back on.
To configure the Deep Security Virtual Appliance's memory allocation:
1. In your VMware vSphere Client, right-click on the DSVA and select Power > Shut Down Guest.
2. Right-click on the DSVA again and select Edit Settings... The Virtual Machine Properties screen displays.
3. On the Hardware tab, select Memory and change the memory allocation to the desired value.
4. Click OK.
5. Right-click the DSVA again and select Power > Power On.
Performance Features
Performance Profiles
As of Deep Security Manager 7.5 SP1, a new system for optimizing the performance of Manager-initiated and Agent/Appliance-initiated operations is available. Previously the Manager processed all operations in a fixed amount of concurrent jobs using a first-in first-out system. This has been replaced with an optimized concurrent scheduler that considers the impacts of each job on CPU, Database and Agent/Appliances. By default, new installations use the "Aggressive" performance profile which is optimized for a dedicated Manager. If the DSM is installed on a system with other resource-intensive software it may be preferable to use the "Standard" performance profile. The performance profile can be changed by navigating to Administration > System Information and clicking the Managers... button in the toolbar. From this screen select the desired Manager node and open the Properties window. From here the Performance Profile can be changed via the drop-down menu.
The Performance Profile also controls the amount of Agent/Appliance-initiated connections that the Manager will accept. The default of each of the performance profiles effectively balances the amount of accepted, delayed and rejected heartbeats.
Low Disk Space Alerts
Low Disk Space on the Database Host
If the Deep Security Manager receives a "disk full" error message from the database, it will start to write events to its own hard drive and will send an email message to all Users informing them of the situation. This behavior is not configurable.
If you are running multiple Manager nodes, the Events will be written to whichever node is handling the Event. (For more information on running multiple nodes, see Multi-Node Manager in the Reference section of the online help or the Administrator's Guide.)
Once the disk space issue on the database has been resolved, the Manager will write the locally stored data to the database.
Low Disk Space on the Manager Host
If the available disk space on the Manager falls below 10%, the Manager generates a Low Disk Space Alert. This Alert is part of the normal Alert system and is configurable like any other. (For more information on Alerts, see Alert Configuration in the Configuration and Management section of the online help or the Administrator's Guide.)
If you are running multiple Manager nodes, the node will be identified in the Alert.
When the Manager's available disk space falls below 5MB, the Manager will send an email message to all Users and the Manager will shut down. The Manager will not restart until the available disk space is greater than 5MB.
You must restart the Manager manually.
If you are running multiple nodes, only the node that has run out of disk space will shut down. The other Manager nodes will continue operating.
Creating an SSL Authentication Certificate
The Deep Security Manager creates a 10-year self-signed certificate for the Web browser-to-Manager connections. If required, this certificate can be replaced with a real certificate. (The certificate is maintained on Deep Security Manager upgrades.)
More information on generating the certificate can be found at Thawte Tomcat Support.
Once generated, the certificate should be imported into the .keystore in the root of the Deep Security Manager installation directory and have an alias of "tomcat". The Manager will then use that certificate.
To create your SSL authentication certificate:
1. Go to the Deep Security Manager installation directory (C:\Program Files\Trend Micro\Deep Security Manager) and create a new folder called Backupkeystore
2. Copy .keystore and configuration.properties to the newly created folder Backupkeystore
3. Open a command prompt and go to the following location: C:\Program Files\Trend Micro\Deep Security Manager\jre\bin
4. Run the following command which will create a self-signed certificate:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -genkey -alias tomcat -keyalg RSA -dname cn=dsmserver
5. Choose password: changeit
NOTE: -dname is the common name of the certificate your CA will sign. Some CAs
require a particular cn to sign the Certificate Signing Request (CSR). Please consult
your CA Admin to see if you have that particular requirement.
6. There is a new keystore file created under the user home directory. If you are logged in as "Administrator", you will see the .keystore file under C:\Documents and Settings\Administrator
7. View the newly generated certificate using the following command:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -list -v
8. Run the following command to create a CSR for your CA to sign:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -certreq -keyalg RSA -alias tomcat -file certrequest.csr
9. Send the certrequest.csr to your CA to sign. In return you will get two files. One is a certificate response and the second is the CA certificate itself.
10. Run the following command to import the CA cert in JAVA trusted keystore:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias root -trustcacerts -file cacert.crt -keystore "C:/Program Files/Trend Micro/Deep Security Manager/jre/lib/security/cacerts"
11. Run the following command to import the CA cert in your keystore:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias root -trustcacerts -file cacert.crt
(say yes to warning message)
12. Run the following command to import the certificate response to your keystore:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias tomcat -file certresponse.txt
13. Run the following command to view the certificate chain in your keystore:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -list -v
14. Copy the .keystore file from your user home directory C:\Documents and Settings\Administrator to C:\Program Files\Trend Micro\Deep Security Manager\
15. Open the configuration.properties file in folder C:\Program Files\Trend Micro\Deep Security Manager. It will look something like:
keystoreFile=C\:\\\\Program Files\\\\Trend Micro\\\\Deep Security Manager\\\\.keystore
port=4119
keystorePass=$1$85ef650a5c40bb0f914993ac1ad855f48216fd0664ed2544bbec6de80160b2fe9800f79f913f28e80381c8e71f2fed96a2aa522ada039a7abfa01542d42dbe36
installed=true
serviceName=Trend Micro Deep Security Manager
16. Replace the password in the following string:
keystorePass=xxxx
where "xxxx" is the password you supplied in step five
17. Save and close the file
18. Restart the Deep Security Manager service
19. Connect to the Deep Security Manager with your browser and you will notice that the new SSL certificate is signed by your CA.
Minimum VMware Privileges for DSVA Deployment
The following tables list the VMware environment privileges required by the VMware role assigned to the account used by the Deep Security Manager to deploy the Deep Security Virtual Appliance. (The account used to connect to the vCenter when importing the vCenter into the Deep Security Manager.)
These privileges must be applied at the data center level in the Hosts and Clusters view. Installation requires the ability to fetch the parent IDs of various entities. Applying the privileges at the cluster level only will generate errors.
The tables are divided into the following four stages:
1. Preparing the ESXi host. A kernel driver is loaded on the ESXi host, and a separate vSwitch is configured to facilitate internal connectivity for the DSVA.
2. Deploying the Virtual Appliance. The virtual appliance itself is deployed from an OVF file.
3. Using the Deep Security Manager to activate the Virtual Machine. The computer being protected by the Virtual Appliance is registered with the Deep Security Manager and secure communications are established.
4. Ongoing operations. Day to day Deep Security operations.
The tables list the required privilege and the function for which the privilege is required. To set the privilege, use the vSphere Client to edit the properties of the role used by the Deep Security Manager to access the vCenter. The required privileges can be found in the Privileges tree of the VMware Role Editor. For example, the following screen shot shows the location of the Host > Configuration > Change Settings privilege:
Preparing the ESXi Host
Privilege | Function
Host > Configuration > Change Settings | Query Modules on ESXi
Host > Configuration > Maintenance | Enter and Exit Maintenance Mode
Host > Configuration > Network Configuration | Add new virtual switch, port group, virtual NIC etc.
Host > Configuration > Advanced Settings | Setup networking for dvfilter communication on ESXi
Host > Configuration > Query Patch | Install Filter Driver
Host > Configuration > Connection | Disconnect/reconnect a host
Host > Configuration > Security profile and firewall | Reconfiguration outgoing FW connections to allow retrieval of Filter Driver package from DSM
Global > Cancel Task | Required to cancel a task if required
Deploying the Virtual Appliance
Privilege | Function
vApp > Import | Deploy DSVA from OVF file
Datastore > Allocate Space | Allocate space for DSVA on datastore.
Host > Configuration > Virtual machine autostart configuration | Set DSVA to autostart on ESXi
Network > Assign Network | Assign DSVA to networks
Virtual Machine > Configuration > Add new disk | Add disks to DSVA
Virtual Machine > Interaction > Power On | Power on DSVA
Virtual Machine > Interaction > Power Off | Power off DSVA
Activating the Virtual Machine (the protected computer)
Privilege | Function
Virtual Machine > Configuration > Advanced | Reconfigure virtual machine for dvfilter
Ongoing Operations
Privilege | Function
Host > Configuration > Change Settings | Query Modules on ESXi
Virtual Machine > Configuration > Advanced | Reconfigure virtual machine for dvfilter
Uninstalling Deep Security
Note: When you uninstall an activated Agent or a Relay from a managed computer, the Deep Security
Manager does not know that the software has been uninstalled. The computer will remain listed
in the Computers list and its status will be listed as "Managed (Offline)" or something equivalent
depending on the context. To avoid this, either deactivate the Agent or Relay from the Manager
before uninstallation, or simply delete the computer from the list.
To remove the Deep Security Virtual Appliance
To remove the Virtual Appliance:
1. Use the Deep Security Manager to "deactivate" the Virtual Appliance.
2. Log in to vCenter.
3. Stop the Appliance.
4. Delete from disk.
To remove the Deep Security Filter Driver from a prepared ESXi
To restore the ESXi to its "un-prepared" state:
1. From the Deep Security Manager Computers list, select the Virtual Center. Choose the Prepared Computer for un-deployment, right-click the Computer and select Restore ESX.
2. Follow the wizard steps, accepting the defaults.
3. Choose "Yes" to have the DSM handle the ESXi driver un-installation automatically.
Note: The Deep Security Manager will attempt to bring the ESXi into and out of maintenance mode automatically. Any running virtual machines will need to be shut down manually. At the end of the uninstallation process, the ESXi will be automatically rebooted and brought out of maintenance mode.
Or
4. Choose "No" to manually put the ESXi into/out of maintenance mode.
Note: The Deep Security Manager wizard will start the uninstallation of the Filter Driver automatically once the ESXi has been put into maintenance mode. At the end of the uninstallation process, the ESXi will be automatically rebooted but remain in maintenance mode.
To uninstall the Deep Security Relay
Note: Remember that before uninstalling a Deep Security Relay, you will need to remove the Agent Self
Protection. You can do this from the Computer Editor in the Deep Security Manager. Go to
Settings > Computer. In Agent Self Protection, either un-check the setting Prevent local end-
users from uninstalling, stopping, or otherwise modifying the Agent or select a password for
local override.
To uninstall the Deep Security Relay (Windows)
From the Windows Control Panel, select Add/Remove Programs. Double-click Trend Micro Deep Security Relay from the list, and click Change/Remove.
To uninstall from the command line:
msiexec /x <package name including extension>
(For a silent uninstall, add "/quiet")
To uninstall the Deep Security Relay (Linux)
To completely remove the Relay and any configuration files it created, use "rpm -e":
# rpm -ev ds_relay
Stopping ds_agent: [ OK ]
Unloading dsa_filter module [ OK ]
If iptables was enabled prior to the installation of the Deep Security Relay, it will be re-enabled when the Relay is uninstalled.
Note: Remember to remove the Relay from Deep Security Manager's list of managed Computers, and to remove it from the Relay Group (see Basic Deep Security Configuration).
To uninstall the Deep Security Agent
Note: Remember that before uninstalling a Deep Security Agent, you will need to remove the Agent Self
Protection. You can do this from the Computer Editor in the Deep Security Manager. Go to
Settings > Computer. In Agent Self Protection, either un-check the setting Prevent local end-
users from uninstalling, stopping, or otherwise modifying the Agent or select a password for
local override.
To uninstall the Deep Security Agent (Windows)
From the Windows Control Panel, select Add/Remove Programs. Double-click Trend Micro Deep Security Agent from the list, and click Change/Remove.
To uninstall from the command line:
msiexec /x <package name including extension>
(For a silent uninstall, add "/quiet")
To uninstall the Deep Security Agent (Linux)
To completely remove the Agent and any configuration files it created, use "rpm -e":
# rpm -ev ds_agent
Stopping ds_agent: [ OK ]
Unloading dsa_filter module [ OK ]
If iptables was enabled prior to the installation of the Deep Security Agent, it will be re-enabled when the Agent is uninstalled.
For Ubuntu:
$ sudo dpkg -r ds-agent
Removing ds-agent...
Stopping ds_agent: .[OK]
To uninstall the Deep Security Agent (Solaris)
Enter the following:
pkgrm ds-agent
(Note that uninstall may require a reboot.)
To uninstall the Deep Security Agent (AIX)
Enter the following:
installp -u ds_agent
To uninstall the Deep Security Agent (HP-UX)
Enter the following:
swremove ds_agent
To uninstall the Deep Security Notifier
To uninstall the Deep Security Notifier (Windows)
From the Windows Control Panel, select Add/Remove Programs. Double-click Trend Micro Deep Security Notifier from the list, and click Remove.
To uninstall from the command line:
msiexec /x <package name including extension>
(For a silent uninstall, add "/quiet")
To uninstall the Deep Security Manager
To uninstall the Deep Security Manager (Windows)
From the Windows Start Menu, select Trend Micro > Trend Micro Deep Security Manager Uninstaller, and follow the wizard steps to complete the uninstallation.
To uninstall from the command line, go to the installation folder and enter:
Uninstall.exe
(For a silent uninstall, add "-q")
Note: During a command line uninstallation, the uninstaller always saves the configuration files so that future installations can offer the repair / upgrade option.
To uninstall the Deep Security Manager (Linux)
To uninstall from the command line, go to the installation folder and enter:
Uninstall.exe
(For a silent uninstall, add "-q")
Note: During a command line uninstallation, the uninstaller always saves the configuration files so that future installations can offer the repair / upgrade option.
If you selected "no" to keeping the configuration files during the uninstallation and want to reinstall the DSM, you should perform a manual clean-up before reinstalling. To remove the DSM installation directory enter the command:
rm -rf <installation location>
(The default installation location is "/opt/dsm").
Frequently Asked Questions
Note: Please consult the Deep Security Manager, Deep Security Virtual Appliance, or Deep Security Agent readme files for any issues not addressed in the Troubleshooting or FAQs sections.
Where can I download the installer packages for Deep Security 9.0?
The Trend Micro Download Center: http://downloadcenter.trendmicro.com
Where can I download the technical documents for Deep Security 9.0?
The Trend Micro Download Center: http://downloadcenter.trendmicro.com. On the Download Center page, click on the name of the Deep Security software you are interested in and then click the "+More Details" link to see the documentation available.
What is the default username and password to log into the Deep Security Manager console?
You are prompted for a username and password during installation. The default username to log in to the Manager Console is "MasterAdmin" (no quotes). There is no default password. Both this and the password are set during the installation. The username IS NOT case-sensitive. However, the password IS case-sensitive.
Can I reset the Manager console login password?
Yes. You can reset or change the Manager console login password. Go to Administration > User Management > Users, right-click on the User and select Set Password....
How can I unlock a locked out User?
In the Manager, go to Administration > User Management > Users, right-click on the User and select Unlock User(s).
To unlock a User from the Manager host command line, enter the following from the Deep Security Manager's install directory:
dsm_c -action unlockout -username USERNAME [-newpassword NEWPASSWORD]
where USERNAME is the User's username. Optionally, use "-newpassword" to set a new password for the User.
Can I use my domain account credentials when logging on to the Manager console?
Yes. Go to Administration > User Management > Users and select Synchronize with Directory.
How can I mass-deploy the Agents to the computers being protected?
Organizations typically use existing enterprise software distribution systems such as Microsoft System Center or Novell ZENworks to install Agents.
Can I still use my existing license or activation code when upgrading to version 9.0?
Yes, your existing protection modules will still be activated. If upgrading from Deep Security 7.0 or earlier, you will need to contact a sales representative for a new Activation Code to enter during the upgrade process.
Can I uninstall the DS Agents from the Manager console?
No. You can de-activate an Agent/Appliance from the DSM, but you must uninstall locally.
What is the end of life or support policy for Deep Security?
• Product support is provided 2 years after a release, or
• Product support is provided for 18 months after a subsequent release, whichever time period is longer
How do I deactivate the DS Agent from the command line?
See the Administrator's Guide or online help section Manually Deactivate/Stop/Start the Agent/Appliance. It is platform dependent.
How can I manually update the DS Agent that has no connection with the DS Manager?
Updating the Agent is not possible without connection to the Manager, since the Manager must send the security configuration details to the Agent.
Troubleshooting
Note: Please consult the Deep Security Manager, Deep Security Agent and Deep Security Virtual
Appliance "readme" files for any issues not addressed in the Troubleshooting or FAQs sections.
Deep Security Manager
Installation
Problem
Experiencing problems installing two Deep Security Managers on the same machine.
Solution
Only one instance of the Deep Security Manager can be installed on any given machine.
Problem
Unable to install or upgrade the Deep Security Manager.
Solution
During installation or upgrade of the Deep Security Manager the service may fail to install properly if the Services screen is open on some platforms. Close the services screen prior to installation or upgrade of Deep Security Manager.
If the problem persists, reboot the computer.
Communications
Problem
The Agent protecting the Deep Security Manager is generating "Renewal" errors, and/or you cannot connect remotely to the Deep Security Manager.
Solution
After applying the "Deep Security Manager" Security Profile, you may notice that the Deep Security Agent will return numerous "Renewal Error" DPI Events. This is because the Agent cannot inspect the SSL Traffic that existed before the "Deep Security Manager" Security Profile and its SSL Host Configuration was applied. It is recommended that all browser sessions to the Deep Security Manager be restarted after applying the "Deep Security Manager" Security Profile.
Problem
"Communications Problem Detected" Alert on a computer managed by the Deep Security Manager.
or
Offline Bundle.zip error when preparing the ESXi.
or
Offline Bundle.zip error when deploying the Deep Security Virtual Appliance.
or
Protocol Error when activating the Deep Security Appliance.
Solution
If you encounter any of the above situations it may be that a computer being managed by the Deep Security Manager is unable to resolve the hostname of the computer hosting the Deep Security Manager.
To ensure the Deep Security Manager is able to resolve the hostname of the computer hosting the Deep Security Manager:
1. Log in to the Deep Security Manager that is managing the Agent
2. Go to Administration > System Information and in the System Details, view the Manager Node entry and note the hostname
3. Log in to the computer that is having communication problems
4. Perform an nslookup using the name from step 2
5. If the nslookup fails you must modify the hosts file on the computer to use the DSM hostname with the correct IP address or update the DNS entry for the Deep Security Manager machine on the specified DNS server
Note: To change the hosts file on the Virtual Appliance you must log in via vCenter. Once in the console press ALT+F2 to get to the console login screen. Then type: sudo vi /etc/hosts
Configuration
Problem
Traffic Analysis is not working.
Solution
Stateful Configuration must be on, with TCP and UDP logging enabled.
Problem
Many DPI rules are being triggered on the Agent protecting the database used by Deep Security Manager.
Solution
When using Deep Security Manager with a database on a remote computer that is running a Deep Security Agent (DSA) there is a possibility of DPI false positives. The false positives are caused by the contents of the DPI Rules (when saving to the database) triggering the DPI Rules running on the DSA. The workaround is to either create a bypass Firewall Rule to apply to the database server with the source IP being the static IP of Deep Security Manager or to enable encryption on the database channel. SQL Server can be encrypted by adding:
database.SqlServer.ssl=require
to \webclient\webapps\ROOT\WEB-INF\dsm.properties and restart the Deep Security Manager service.
Problem
Port scans show ports 25 and 110 are open regardless of which Firewall Rules I implement to close them.
Solution
The presence of Norton Antivirus may interfere with scan results. Norton AV filters ports 25 and 110 to check incoming and outgoing email for viruses. This can cause erroneous scan results if the Manager is installed on a machine with email scanning enabled since ports 25 and 110 will always appear to be open regardless of any filters placed on the host.
Problem
Port scans show ports 21, 389, 1002, and 1720 are open regardless of which Firewall Rules I implement to close them.
Solution
If Windows Firewall is enabled on the Deep Security Manager it may interfere with port scans causing false port scan results. Windows Firewall may proxy ports 21, 389, 1002, and 1720 resulting in these ports always appearing open regardless of any filters placed on the host.
Deep Security Virtual Appliance
Deployment
Problem
Timeout when preparing the ESXi.
Solution
In order for the Filter Driver to be successfully installed, the ESXi it is being deployed to must be rebooted. The Deep Security Manager offers the option to automatically reboot the server. If this selection is chosen all virtual machines on the ESXi host must be paused/stopped or vMotioned off of the box. If this is not done the ESXi cannot be put into maintenance mode and cannot be rebooted. The Deep Security Manager will report a timeout issue if the ESXi cannot be put into maintenance mode.
Problem
Cannot contact the Deep Security Virtual Appliance.
Solution
By default the Deep Security Virtual Appliance uses DHCP to acquire an IP address when it is deployed. If you are deploying in an environment that does not have a DHCP server then you must assign a static IP address to the Appliance.
To assign a static IP address to the Virtual Appliance:
1. Log in to the Virtual Center hosting the Deep Security Virtual Appliance using vSphere Client
2. Select the Appliance and click the console tab
3. Log in to the Appliance by pressing F2 and using the default username and password (dsva:dsva)
4. Select Configure Management Network from the menu and press Enter
5. Change the Hostname, IP Address, Netmask, Gateway and DNS entries to match that of your network
6. Press Enter to save the changes
7. Reboot the Appliance by selecting Reboot System from the main menu Configuration
Problem
Anti-Malware scan terminated abnormally.
Solution
Virtual machines must be in the running state for scans to complete successfully. This termination may be due to the Virtual Machine being shut down or suspended during the scan. Check on the status of the Virtual Machine, and try again.
This happens when the guest VM was rebooted, or enters into a sleep or standby mode.
Deep Security Agent
Installation
Problem
The following error is seen during a Solaris Agent installation:
## Executing postinstall script.
devfsadm: driver failed to attach: dsa_filter
Warning: Driver (dsa_filter) successfully added to system but failed to
attach
Starting Trend Micro Deep Security Drivers
can't load module: Invalid argument
Solution
Some Solaris patches change the version of netinfo running on a system. It is the version of netinfo that determines which Agent install package is required for a particular system.
To identify the netinfo version on a system, run the following command:
modinfo | grep neti
The filesize determines which install package to use:
Filesize | Install Package
74c | u5sparc
1abc | u7sparc
ec8 | u5x86
2600 | u7x86
For more detail you can view /var/adm/messages
The following entries indicate that you are attempting to install a U7 Agent on a machine that requires the U5 Agent:
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 826211 kern.notice]
'net_protocol_release'
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 826211 kern.notice] 'hook_alloc'
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 826211 kern.notice]
'net_hook_register'
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 826211 kern.notice] 'hook_free'
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 826211 kern.notice]
'net_protocol_lookup'
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 826211 kern.notice]
'net_hook_unregister'
Feb 19 11:14:58 Sparc-v210-2 unix: [ID 472681 kern.notice] WARNING:
mod_load: cannot load module 'dsa_filter'
The following entries indicate that you are attempting to install a U5 Agent on a machine that requires the U7 Agent:
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 826211 kern.notice]
'net_unregister_hook'
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 826211 kern.notice]
'net_register_hook'
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 826211 kern.notice] 'net_lookup'
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 826211 kern.notice] 'net_release'
Feb 19 11:19:36 Sparc-v210-1 unix: [ID 472681 kern.notice] WARNING:
mod_load: cannot load module 'dsa_filter'
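As an added example (not part of the Deep Security guide or any Trend Micro tool), the following Python script applies the two sets of undefined symbols shown in the excerpts above to a /var/adm/messages extract and reports, per host, which package mismatch the errors point to. The hostnames and sample entries are constructed, and the classification assumes the symbol names in the excerpts are representative of each mismatch.

```python
import re

# Kernel symbols that dsa_filter fails to resolve, grouped by the mismatch the
# guide attributes them to (names taken from the two log excerpts above).
U7_ON_U5 = {"net_protocol_release", "hook_alloc", "net_hook_register",
            "hook_free", "net_protocol_lookup", "net_hook_unregister"}
U5_ON_U7 = {"net_unregister_hook", "net_register_hook", "net_lookup",
            "net_release"}

# Solaris syslog entry: "<Mon DD HH:MM:SS> <host> <tag>: [ID <n> <facility>] <message>"
ENTRY = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s\S+:\s"
                   r"\[ID \d+ [\w.]+\]\s?(?P<msg>.*)$")
QUOTED = re.compile(r"'(\w+)'")


def parse_entries(text):
    """Return [host, message] pairs, re-joining entries wrapped over two lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match:
            entries.append([match.group("host"), match.group("msg")])
        elif entries:
            # Continuation line: a path split after "/" is joined directly,
            # anything else with a single space.
            sep = "" if entries[-1][1].endswith("/") else " "
            entries[-1][1] = (entries[-1][1] + sep + line).strip()
    return entries


def diagnose(text):
    """Map each host with dsa_filter load errors to the likely package mismatch."""
    symbols, load_failed, awaiting = {}, set(), set()
    for host, msg in parse_entries(text):
        if msg.endswith("dsa_filter: undefined symbol"):
            awaiting.add(host)          # the symbol name arrives in the next entry
            continue
        name = QUOTED.fullmatch(msg)
        if host in awaiting and name:
            symbols.setdefault(host, set()).add(name.group(1))
        elif "cannot load module 'dsa_filter'" in msg:
            load_failed.add(host)
        awaiting.discard(host)

    report = {}
    for host in sorted(symbols.keys() | load_failed):
        found = symbols.get(host, set())
        u7, u5 = found & U7_ON_U5, found & U5_ON_U7
        if u7 and not u5:
            verdict = "U7 agent installed on a host that requires the U5 agent"
        elif u5 and not u7:
            verdict = "U5 agent installed on a host that requires the U7 agent"
        else:
            verdict = "undetermined: check netinfo with 'modinfo | grep neti'"
        report[host] = {"verdict": verdict, "symbols": sorted(found),
                        "load_failed": host in load_failed}
    return report


# Constructed sample modelled on the excerpts above (hostnames are invented);
# sol-a entries are wrapped as in the guide, sol-b entries are on single lines.
SAMPLE = """\
Feb 19 11:14:58 sol-a unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 sol-a unix: [ID 826211 kern.notice]
'net_hook_register'
Feb 19 11:14:58 sol-a unix: [ID 819705 kern.notice] /usr/kernel/
drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:14:58 sol-a unix: [ID 826211 kern.notice] 'hook_alloc'
Feb 19 11:14:58 sol-a unix: [ID 472681 kern.notice] WARNING:
mod_load: cannot load module 'dsa_filter'
Feb 19 11:19:36 sol-b unix: [ID 819705 kern.notice] /usr/kernel/drv/sparcv9/dsa_filter: undefined symbol
Feb 19 11:19:36 sol-b unix: [ID 826211 kern.notice] 'net_register_hook'
Feb 19 11:19:36 sol-b unix: [ID 472681 kern.notice] WARNING: mod_load: cannot load module 'dsa_filter'
Feb 19 11:20:02 sol-c unix: [ID 100000 kern.notice] NOTICE: unrelated entry
"""

if __name__ == "__main__":
    for host, result in diagnose(SAMPLE).items():
        print(host, "->", result["verdict"], result["symbols"])
```

Hosts with no dsa_filter errors (sol-c in the sample) are left out of the report, and a host showing symbols from both sets is reported as undetermined rather than guessed.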
Problem
Deep Security Agent is unable to start.
Solution
There are several conditions that can prevent the ds_agent service from being able to start. Reasons include: Invalid credentials (not valid yet, corrupt, expired, bad digital signature), unable to read the private key (corrupt, hardware changed radically), listen port already in use.
In cases where the DSA is unable to start, it is not able to report to the DSM, so it writes to the Windows Event Log. You should check the Windows Event log to diagnose the problem.
Activation
Problem
Deep Security Agent is installed, but the Agent UI displays blank fields.
Solution
If the "Manager URL", "Manager certificate name", and "Manager certificate fingerprint" fields are blank, the Agent has not been activated. These fields are blank until the Agent has been activated by Deep Security Manager. Find the Computer in the DSM's Computers list, right-click on it and select Actions > Activate/Reactivate.
Problem
Getting the following error message in an "Agent Activate Failed" system event: "A client error occurred in the DSM to DSA protocol: HTTP client error received: certificate is not yet valid".
Solution
The clock on a Deep Security Agent machine must be synchronized with the Deep Security Manager to within 24 hours. If the DSA clock is behind the DSM clock then an Agent Activate operation will fail because the certificate generated for the Agent by the Deep Security Manager will not yet be valid.
Configuration
Problem
You see a DSA_IOCTL_SET_FILTER_CONFIG error on a computer with the description:
Engine command code DSA_IOCTL_SET_FILTER_CONFIG failed with error:
0x0005aa
(insufficient system resources exist to complete the requested service.).
Solution
This may be caused by one of two reasons:
The system is running with the /3GB boot option.
The /3GB flag reduces the amount of memory available to the kernel, which in turn reduces the amount of non-pageable memory in the kernel. The exact amount can be influenced by many factors such as TCP chimney offloading, use of large amounts of memory over the 4GB addressing space, external device drivers such as audio, video, etc.
Too many rules are applied on the computer for the amount of kernel memory available to the driver.
In these situations it will be necessary to reduce the number of Firewall and DPI rules applied to your Computer in order to reduce the memory footprint, as well as improve performance. The Recommendation Scan feature of Deep Security can help with this. By Scanning your computers for Recommendations you can use the "Show Recommended for Unassignment" view of the "DPI Rules" page for computer and unassign DPI Rules that do not need to be applied to maintain appropriate security. If you manage your computers via Security Profiles you can use the same "Show Recommended for Unassignment" DPI Rules view but note that it will only show DPI Rules that are not recommended on any of the Computers to which the Security Profile is assigned, and may still leave you with a set of DPI Rules that has a footprint that is too large for some Computers. If the Security Profile itself still has too many DPI Rules assigned it may be necessary to make additional Security Profiles and divide the Computers amongst them such that the Security Profiles are better representations of what DPI Rules are actually recommended to be applied to the various Computers. This should allow you to reduce the number of DPI Rules assigned to all your Computers.
Diagnostics Collection
Problem
Your support provider has asked for a diagnostics package.
Solution
In Deep Security Manager, go to Administration > System Information and click Create Diagnostics Package... in the toolbar. This displays the Diagnostic Package Wizard which will create a zip file containing Install/Uninstall and Debug Logs, System Information, Database Contents (last hour only for time-sensitive items), and a File Listing. This information can be given to your support provider to help troubleshoot any problems.
Problem
Your support provider has asked you to increase the size of the diagnostics package.
Solution
The default maximum size of a diagnostic package is approximately 200MB. A command line instruction is available to increase the size of the diagnostic package:
dsm_c -action changesetting -name configuration.diagnosticMaximumFileSize -value ####
The following example increases the size of the package to 1GB (1000MB):
dsm_c -action changesetting -name configuration.diagnosticMaximumFileSize -value 1000
Do not change the size of the diagnostic package unless instructed to do so by your support provider.
Problem
Cannot create a diagnostics package with Internet Explorer 7.
Solution
When exporting files (CSV, XML, software, or updates) or creating a diagnostic package, Internet Explorer's "Information Bar" may inform you that file downloads are being blocked and Deep Security Manager will instruct you to "check the server0.log". To permit file downloads, click on "More information" in the Information Bar and follow the instructions to allow file and software downloads.