VMware Horizon Community
sconley
Enthusiast
Enthusiast
Jump to solution

Trend Micro Deep Security with Instant Clone Desktops

We are in the process of upgrading to an environment like that in the subject.  I have had an active SR with Trend Micro for three weeks now with little progress.  We have issues either with desktop VMs activating and throwing duplicate computer errors, or the desktop VMs show as "offline" in the Deep Security manager after some period of time.  The piece that is problematic seems to be the agent as we are running in combined mode (agentless anti-malware with agent based web reputation).  These issues do not exist in our production linked clone environment, so they seem to be unique to instant clones.  Does anybody have any experience with this sort of setup?

Reply
0 Kudos
1 Solution

Accepted Solutions
benswygart
Contributor
Contributor
Jump to solution

Here is how we had to configure out Instant Clones on v10.3

Deactivate golden image before pushing out.

On the policy communication - "Manager Initiated"

Screen Shot 2018-08-24 at 9.25.29 AM.png

On the System Settings uncheck "Allow Agent-Initiated Activation"

Screen Shot 2018-08-24 at 9.25.54 AM.png

On Event-Based tasks create one to run when a computer is created after 3 minutes - activate agent - apply policy.

Screen Shot 2018-08-24 at 9.28.05 AM.png

Hope this helps.

View solution in original post

11 Replies
HussamRabaya
VMware Employee
VMware Employee
Jump to solution

how do you use gentleness AV and what sphere version exactly you are using?

Reply
0 Kudos
amr12
Enthusiast
Enthusiast
Jump to solution

Hmm, we have this exact set up with no issues.  Are you resetting the agent on the parent image before taking a snapshot and recomposing?

Cd "C:\Program Files\Trend Micro\Deep Security Agent"

dsa_control -r

Reply
0 Kudos
sconley
Enthusiast
Enthusiast
Jump to solution

We have real time anti malware enabled only, no scheduled scans as it would be pointless in a non-persistent environment and only impact performance.  I have not been resetting the agent prior to a recompose.  I will try that this morning.

Versions are as follows:

Deep Security: 9.6.4168

vSphere: 6.5 Update 1

Horizon: 7.4

Reply
0 Kudos
sconley
Enthusiast
Enthusiast
Jump to solution

Out of curiosity, in your system settings for agent initiated activation, do you have "reactivate unknown agents" enabled?  One issue I have seems to come when the clone prep parent gets activated.  When this happens I end up with duplicate computer errors.

I pushed a new image after resetting the agent on the parent and taking a new snapshot.  After some period of time the agent shows as offline, if I re-activate the VM it comes back online again.

Reply
0 Kudos
amr12
Enthusiast
Enthusiast
Jump to solution

Yes, that is enabled....not sure what should could be going on.  Maybe something is wonky with the DSVA/NSX/vShield?

Reply
0 Kudos
sconley
Enthusiast
Enthusiast
Jump to solution

Out of curiosity, what version of DSM are you running?  I'm still on 9.6.  I may be at the point of spinning up a new Deep Security manager on 10 to test with given the lack of responsiveness from Trend Micro support.

Reply
0 Kudos
jwininger
Enthusiast
Enthusiast
Jump to solution

Did you get a resolution to this issue?  I'm seeing the same thing with instant clones and Deep Security 11.

Reply
0 Kudos
sconley
Enthusiast
Enthusiast
Jump to solution

I did not get a resolution for this.  I had a case open for 40+ days with the final resolution being "wait for version 11" since it has the "powered on" event based task.  I have upgraded to 11 and have the same issue.  I am considering if I want to pursue this further with support or look into a different product at this point.

Reply
0 Kudos
benswygart
Contributor
Contributor
Jump to solution

Here is how we had to configure out Instant Clones on v10.3

Deactivate golden image before pushing out.

On the policy communication - "Manager Initiated"

Screen Shot 2018-08-24 at 9.25.29 AM.png

On the System Settings uncheck "Allow Agent-Initiated Activation"

Screen Shot 2018-08-24 at 9.25.54 AM.png

On Event-Based tasks create one to run when a computer is created after 3 minutes - activate agent - apply policy.

Screen Shot 2018-08-24 at 9.28.05 AM.png

Hope this helps.

KyleQu
Contributor
Contributor
Jump to solution

Make sure the DSVA's are upgraded to the latest version. Usually you have to download the RHEL6 or 7 (depends on your Deep Security version) x64 agent. Then you will have an option to upgrade the DSVA's from their Overview screen under actions.

If the DSVA version looks different than all the other agent versions in your software update screen, this is most likely the cause. Check the readme for your DSVA version to see what type of RHELx64 flavor it wants....Deep Security 11 is RHEL7x64

Reply
0 Kudos
sconley
Enthusiast
Enthusiast
Jump to solution

So this seems to be fixed now (finally).  I think the issue was the communication settings in the policy.  The issue all along was that when the agent initiated a heartbeat it didn't actually seem to do anything, however if you did it from the manager the VMs would show online again until the next heartbeat interval.  So, the key I think was setting the communication direction to be manager initiated, which I didn't realize was there and I'm unsure why support didn't point this out.  We are now running version 11 update 1 without issue.  The only difference in my settings vs. what was proposed is that my event based task happens on "computer powered on (by system)", which is new in version 11.  I will keep watching this, but things have been showing online for 12+ hours.  Thank you for the suggestion.

Reply
0 Kudos