Trend Micro Deep Security and NSX 6.2.3 issue

Last week I had the pleasure of upgrading vCNS 5.5.4 to NSX 6.2.3 at a customer that also was running Trend Micro Deep Security 9.6 SP1. Before the upgrade I checked the compatibility matrices here, here, here and here and it looked like everything checked out. So I went ahead with the upgrade and the upgrade went super smooth and ran without any issues. After the upgrade was completed I linked the Trend Micro Deep Security Manager to the NSX Manager and we protected the VMs and again all looked good. But then… I ran into the most annoying error known to man (with Trend Micro Deep Security): “Anti-Malware Engine Offline” and “Web Reputation Engine Offline”.

NSX 6.2.3

Oh Joy!

Let the troubleshooting begin!

  • Filter Drivers ESXi hosts
    • Check, all ESXi hosts have the Filter Driver Removed.
  • Guest Introspection Drivers VMware Tools
    • Check, all VMs have an updated version of the VMware Tools with the Guest Introspection option enabled.
  • Licensing NSX
    • Check, NSX 6.2.3 is licensed as “NSX for vSphere”.
  • Licensing Trend Micro Deep Security
    • Check, Anti-Malware and Web Reputation are licensed.
  • NSX Security Policy
    • Check, the correct NSX Security Policy is in place and applied on all VMs.
  • NSX Guest Introspection Service VMs
    • Check, the NSX Guest Introspection Service VMs are deployed and service is up and running.
  • Trend Micro Deep Security Service VMs
    • Check, the Trend Micro Deep Security Service VMs are deployed and service is up and running.
  • Trend Micro Deep Security Policy
    • Bingo! Disabling Web Reputation also solved the “Anti-Malware Engine Offline” error. We have a lead!


The issue

So what was the problem then?

During troubleshooting we disabled the Web Reputation in the Trend Micro Deep Security Policy and the error messages disappeared, so we had a lead where to look.

Sven Huisman had sent me earlier that week the article mentioned in the beginning of this post: “Compatibility between VMware NSX 6.2.3 and Deep Security”. In one of the last lines of that article it is stated: “When you need to use Deep Security Firewall/DPI/WRS/Log Inspection function, it is recommended to implement Combined Mode.”

“recommended” riiiight I think somebody made a typo and meant “required”…

The bottom line

After some tests it looked like Trend Micro Deep Security Agentless scanning for all features (Firewall, DPI, Web Reputation and Log Inspection) only works if you have a paid license (Standard, Advanced or Enterprise) of NSX. That means if you are using the NSX for vSphere license aka the “Free NSX” you also need to install the Trend Micro Deep Security Agent on the Guest VM to get all the features to work.

I really hope that Trend Micro is going to update the “List of Deep Security 9.6 features in Agentless and Combined Modes” article with some more information about this topic to avoid misunderstandings and difficult conversations with their customers.

Update 20-07-2016

I got a lot of questions about this post so to be more specific these are the supported features.

| Module | vCNS | NSX for vSphere | NSX Std/Adv/Ent |
|---|---|---|---|
| Anti Malware | Agentless / Agent | Agentless / Agent | Agentless / Agent |
| Web Reputation | Agentless / Agent | Agent Only | Agentless / Agent |
| Firewall | Agentless / Agent | Agent Only | Agentless / Agent |
| Intrusion Prevention | Agentless / Agent | Agent Only | Agentless / Agent |
| Integrity Monitoring | Agentless / Agent | Agentless / Agent | Agentless / Agent |
| Log Inspection | Agentless / Agent | Agent Only | Agentless / Agent |


Agent installation

OK now we have a workaround by installing the agent on the guest VMs. But also here we had a small challenge.

The Trend Micro Deep Security Agent can be installed through the MSI installer; the only issue then is that you can’t select the components you want to install, and in our case we didn’t need the notifier.

The article “Performing silent installation or selecting a Deep Security Agent (DSA) feature to install using MSI parameters” describes how to select the components you want to install. But if you pass the options listed in the article the installer stops with a warning.

We opened the MSI installer in SuperOrca and searched for the features that we can pass as a property to the installer, and the only feature listed was the “MainApplication”. So if you run the following command the installer will only install the necessary components without the notifier.
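
The Feature table lookup described above can also be done without SuperOrca. This is an added example, not from the original post and not the install command it refers to; it only reads the MSI, and the function names and the file path in the usage comment are assumptions.

```powershell
# Added example: read the Feature table of an MSI through the Windows Installer
# COM automation interface. The database is opened read-only; nothing is installed.

function Invoke-ComMember {
    param($Object, [string]$Name, [System.Reflection.BindingFlags]$Kind, [object[]]$Arguments)
    # The Installer automation objects are late-bound, so call them via reflection.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiFeature {
    param([Parameter(Mandatory)][string]$Path)

    $fullPath  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Second argument 0 = msiOpenDatabaseModeReadOnly
    $database  = Invoke-ComMember $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)
    $query     = 'SELECT `Feature`, `Title`, `Level` FROM `Feature`'
    $view      = Invoke-ComMember $database 'OpenView' 'InvokeMethod' @($query)
    try {
        Invoke-ComMember $view 'Execute' 'InvokeMethod' $null | Out-Null
        # Fetch returns $null once every row has been read.
        while ($null -ne ($record = Invoke-ComMember $view 'Fetch' 'InvokeMethod' $null)) {
            [pscustomobject]@{
                # Feature holds the names that Windows Installer feature-selection
                # properties such as ADDLOCAL accept.
                Feature = Invoke-ComMember $record 'StringData'  'GetProperty' @(1)
                Title   = Invoke-ComMember $record 'StringData'  'GetProperty' @(2)
                Level   = Invoke-ComMember $record 'IntegerData' 'GetProperty' @(3)
            }
        }
    }
    finally {
        Invoke-ComMember $view 'Close' 'InvokeMethod' $null | Out-Null
        foreach ($o in $view, $database, $installer) {
            [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o)
        }
    }
}

# Usage (placeholder path, not taken from the post):
# Get-MsiFeature -Path 'C:\Temp\Agent.msi' | Format-Table -AutoSize
```

A feature name passed to the installer that does not appear in this output is rejected, so checking the table first shows which component names the package actually defines.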

Marco van Baggum

Marco works as a Staff Consulting Architect at VMware.

7 thoughts to “Trend Micro Deep Security and NSX 6.2.3 issue”

  1. Your screenshot shows the errors FW and IPS engine offline but in your text you are talking about the error AM engine offline. Which errors were you getting?

    We are having the same issues but are getting the FW and IPS Engine offline errors even when we disabled WRS in the policy.

    We have a support case open with Trend Micro to address this issue. According to them the errors FW/IPS Engine offline are caused because you cannot deploy the network introspection service with the free NSX vShield Endpoint license, which seems logical.

    1. Exactly the same issue: FW and IPS engines are off and not licensed but still getting the error that they are offline in the Appliance status for every VM.

      Did you manage to remove these errors? (Actually they are not errors in our configuration!)

    2. Did you ever get this resolved? I am experiencing the same. FW and IPS unlicensed but showing offline false positive alerts. Thanks!

  2. Trend Micro KB has changed:

    o If you are using the NSX 6.2.3 is activated by NSX for vShield Endpoint license key you can only do hypervisor-based Antimalware and Integrity Monitoring. If you need to use Deep Security FireWall/DPI/WRS/Log Inspection function, it is required to implement Combined Mode by installing an agent on the VM being protected.

  3. I think the middle column should just be labeled vShield, or NSX for vShield, or something like that, for clarity. NSX for vSphere is the name of the licensed product as well. And Standard license does not include network introspection either, so the 3rd column should just say Advanced/Enterprise.

    But this is a great post. It was complicated before, when still using vShield Manager, but now that everything is managed from NSX, I think there is definitely some confusion about what functionality works with which security solutions and which licenses.
