Trend Deep Security – Agentless Deployment with NSX – Issues with Web Reputation Service

So I’ve just had the pleasure of deploying Trend Deep Security via the agentless method, utilizing the NSX free license, which allows guest introspection but no other features.

Starting in NSX 6.2.3, the default license upon install will be NSX for vShield Endpoint. This license enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only, and has hard enforcement to restrict usage of VXLAN, firewall, and Edge services, by blocking host preparation and creation of NSX Edges.

The Issue

With the basic Deep Security license you get the following coverage:

  • Anti-Malware
  • Web Reputation Service

However, after deploying Trend and jumping through the various hoops (flaky support for the NSX free license), you will find that you have multiple errors showing against your VMs.

The Cause

After speaking with Trend, I received the following response, which seems kind of obvious:

Please disable WRS (Web Reputation Service) on the policy level. This should resolve your issue. The reason behind this is that WRS/FW and IPS are all in the network module and the error is caused by WRS.
If you want to use WRS, you will need to install an agent.

If you are using the free version of NSX, then it is only AM that is provided agentless. No other modules function agentless with the free version.

This is a limitation placed by VMware not Trend Micro.

To prove that advice is correct, please disable WRS temporarily on the policy.

If so, then you will need to install an agent to use WRS on these machines.

If you want to use WRS, then you must install the agent on your image. See below:

Creating a Deep Security Agent (DSA) gold image for re-provisioning

If the issue doesn’t fully resolve itself

The Trend documentation recommends deploying version 9.5 of the ESXi Trend agent to your hosts, then upgrading them to 9.6, so you need to make sure you have upgraded them to the latest version.

First, go to Administration > Updates > Software > Download Center

Ensure that you have the latest Agent-RedHat update downloaded to your security manager, as this is the file that is used to update the Trend Micro Appliance.

Go back to one of your machines still showing errors, click to open up the full details, then select the appliance to which it is attached.

This will open up the appliance information dialog box, confirming the version number, which we can see is below the necessary version for the NSX version we have deployed.

Click the Actions tab at the top, then select the option to update the appliance to the latest version. In the new dialog box, select the appropriate version and click to schedule the upgrade.

From here you will see the upgrade taking place.

Once completed, you may need to manually clear the errors showing against your virtual machines; however, the errors will not show any more.

Regards
Dean
