Last week I had the pleasure of upgrading vCNS 5.5.4 to NSX 6.2.3 at a customer that was also running Trend Micro Deep Security 9.6 SP1. Before the upgrade I checked the compatibility matrices here, here, here and here, and it looked like everything checked out. So I went ahead with the upgrade, and the upgrade went super smooth and ran without any issues. After the upgrade was completed I linked the Trend Micro Deep Security Manager to the NSX Manager and we protected the VMs, and again all looked good. But then… I ran into the most annoying error known to man (with Trend Micro Deep Security): “Anti-Malware Engine Offline” and “Web Reputation Engine Offline”.
Let the troubleshooting begin!
- Filter Drivers on the ESXi hosts
  - Check: all ESXi hosts have the Filter Driver removed.
- Guest Introspection Drivers in VMware Tools
  - Check: all VMs have an updated version of the VMware Tools with the Guest Introspection option enabled.
- Licensing NSX
  - Check: NSX 6.2.3 is licensed as “NSX for vSphere”.
- Licensing Trend Micro Deep Security
  - Check: Anti-Malware and Web Reputation are licensed.
- NSX Security Policy
  - Check: the correct NSX Security Policy is in place and applied to all VMs.
- NSX Guest Introspection Service VMs
  - Check: the NSX Guest Introspection Service VMs are deployed and the service is up and running.
- Trend Micro Deep Security Service VMs
  - Check: the Trend Micro Deep Security Service VMs are deployed and the service is up and running.
- Trend Micro Deep Security Policy
  - Bingo! Disabling Web Reputation also solved the “Anti-Malware Engine Offline” error. We have a lead!
So what was the problem then?
During troubleshooting we disabled the Web Reputation in the Trend Micro Deep Security Policy and the error messages disappeared, so we had a lead where to look.
Sven Huisman had sent me earlier that week the article mentioned in the beginning of this post: “Compatibility between VMware NSX 6.2.3 and Deep Security”. In one of the last lines of that article it is stated: “When you need to use Deep Security Firewall/DPI/WRS/Log Inspection function, it is recommended to implement Combined Mode.”
“recommended” riiiight I think somebody made a typo and meant “required”…
The bottom line
After some tests it looked like Trend Micro Deep Security Agentless scanning for all features (Firewall, DPI, Web Reputation and Log Inspection) only works if you have a paid license (Standard, Advanced or Enterprise) of NSX. That means if you are using the NSX for vSphere license aka the “Free NSX” you also need to install the Trend Micro Deep Security Agent on the Guest VM to get all the features to work.
I really hope that Trend Micro is going to update the “List of Deep Security 9.6 features in Agentless and Combined Modes” article with some more information about this topic to avoid misunderstandings and difficult conversations with their customers.
I got a lot of questions about this post so to be more specific these are the supported features.
| Module | vCNS | NSX for vSphere | NSX Std/Adv/Ent |
|---|---|---|---|
| Anti-Malware | Agentless / Agent | Agentless / Agent | Agentless / Agent |
| Web Reputation | Agentless / Agent | Agent Only | Agentless / Agent |
| Firewall | Agentless / Agent | Agent Only | Agentless / Agent |
| Intrusion Prevention | Agentless / Agent | Agent Only | Agentless / Agent |
| Integrity Monitoring | Agentless / Agent | Agentless / Agent | Agentless / Agent |
| Log Inspection | Agentless / Agent | Agent Only | Agentless / Agent |
OK now we have a workaround by installing the agent on the guest VMs. But also here we had a small challenge.
The Trend Micro Deep Security Agent can be installed through the MSI installer; the only issue then is that you can’t select the components you want to install, and in our case we didn’t need the Notifier.
The article “Performing silent installation or selecting a Deep Security Agent (DSA) feature to install using MSI parameters” describes how to select the components you want to install. But if you pass the options listed in the article, the installer stops with a warning.
We opened the MSI installer in SuperOrca and searched for the features that we can pass as a property to the installer, and the only feature listed was “MainApplication”. So if you run the following command, the installer will only install the necessary components without the Notifier.
```
msiexec.exe /q /i DSA_Agent_Installer.msi ADDDEFAULT=MainApplication
```
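To avoid guessing feature names and silently hitting that installer warning again, the same lookup SuperOrca does can be scripted: read the MSI Feature table through the Windows Installer COM API, verify that the feature you intend to pass exists, and only then run the silent install and check the exit code. This is an added example and not code from the original post or from Trend Micro; the MSI path and the log location are assumptions.

```powershell
# Added example: list the Feature table of the DSA MSI, verify the feature the
# post identified ("MainApplication"), then install it silently with ADDDEFAULT.
# $MsiPath is an assumption; point it at your copy of the installer.
param(
    [string]$MsiPath = "C:\Temp\DSA_Agent_Installer.msi",
    [string]$Feature = "MainApplication"
)

function Get-MsiFeatures {
    param([string]$Path)
    # The WindowsInstaller.Installer COM object is late-bound, so its methods are
    # called through InvokeMember. OpenDatabase mode 0 = read-only.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember("OpenDatabase", "InvokeMethod", $null, $installer, @($Path, 0))
    $sql  = 'SELECT `Feature`, `Feature_Parent`, `Title`, `Level` FROM `Feature`'
    $view = $db.GetType().InvokeMember("OpenView", "InvokeMethod", $null, $db, @($sql))
    $view.GetType().InvokeMember("Execute", "InvokeMethod", $null, $view, $null) | Out-Null
    $features = @()
    while ($true) {
        $record = $view.GetType().InvokeMember("Fetch", "InvokeMethod", $null, $view, $null)
        if ($null -eq $record) { break }   # Fetch returns $null when the result set is exhausted
        $features += [pscustomobject]@{
            Feature = $record.GetType().InvokeMember("StringData", "GetProperty", $null, $record, 1)
            Parent  = $record.GetType().InvokeMember("StringData", "GetProperty", $null, $record, 2)
            Title   = $record.GetType().InvokeMember("StringData", "GetProperty", $null, $record, 3)
            Level   = $record.GetType().InvokeMember("StringData", "GetProperty", $null, $record, 4)
        }
    }
    $view.GetType().InvokeMember("Close", "InvokeMethod", $null, $view, $null) | Out-Null
    return $features
}

$features = Get-MsiFeatures -Path $MsiPath
$features | Format-Table -AutoSize   # what SuperOrca shows in the Feature table

# Refuse to run the installer with a feature name that is not in the package.
if (-not ($features.Feature -contains $Feature)) {
    throw "Feature '$Feature' not found in $MsiPath. Available: $($features.Feature -join ', ')"
}

# Silent install of only the selected feature; verbose log kept for troubleshooting.
$log     = Join-Path $env:TEMP 'dsa_install.log'   # assumed log location
$msiArgs = "/q /i `"$MsiPath`" ADDDEFAULT=$Feature /l*v `"$log`""
$proc    = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host "Installed feature '$Feature' successfully." }
    3010    { Write-Warning "Installed, but a reboot is required (exit code 3010)." }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}
```

Run it from an elevated PowerShell session on the guest VM; the Feature table listing alone (without the install) is enough to confirm which names ADDDEFAULT or ADDLOCAL will accept for a given agent build.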