We're implementing Trend Micro's Deep Security.
The problem I'm having (and I've logged a call with TM) is that I cannot get the Anti-Malware component to work.
So, if anyone has already been down this path I'm just trying to determine if what I see at the VMware vShield Endpoint level matches what they see. Plus a query on one of the vShield docs.
The vShield 410U1 QuickStart has an "Important" note on pg 27 that states that by default, when creating a VM, a SCSI Controller is not created. Now either I'm missing something here or that's wrong. I just created a test server accepting all defaults (except OS changes to W2K3) and it created a server with a SCSI Controller showing as an LSI Logic Parallel controller. So that leads to the first question, is there something that needs to be done to a standard server?
What I'm seeing is that from the vShield manager perspective the Endpoint has been deployed to the ESXi host.
So after drilling down to the server, under Summary it shows Endpoint 3.0.8-308978 has been installed. When you then go to the Endpoint Tab it shows "0" for all entries. Is that what others see?
I've installed the TM Deep Security Manager and deployed the TM Deep Security Appliance to an ESXi host. The TM Deep Security Manager shows the ESXi host as "Prepared", but Anti-Malware Ready as "No".
I've migrated guests to this prepared host, installed the VMware ThinAgent, and the drivers seem to be there (using cmd driverquery), rebooted etc. but I cannot get the Anti-Malware to be recognised. The VMs show as Anti-Malware Not Capable.
Anyone been here, done that and done anything that triggered anything?
All SW the very latest except for vCenter - doesn't have U1 installed yet.
vCenter - 4.1.0
VMware Thin Agents - 1.0.0-402356 - checked that the 64-bit version was installed on the 64-bit server etc.
VMware vShield Manager - 4.1.0-310451
TM DS Mgr - 7.5.6323 x64
TM Filter Driver - 7.5.0-5435
TM Appliance - 7.5.0-5534 (7.5 SP2 versions)
ESXi - 4.1.0 Build 348481
A few items to check:
1. Ensure DNS resolution between all components: ESX, Trend Micro Deep Security Manager, vShield Manager; no firewalls blocking ports 4118/4119/4120.
2. SCSI controller is required; note BusLogic is not supported. See VMware Endpoint docs for more info.
3. Log in to vShield Manager and endpoint status should show 100% green. Each VM with the thin agent installed should show up under endpoint status as "normal".
4. Use a SQL Server or Oracle database.
Thanks for the response.
1 The host is ESXi, not ESX. There don't seem to be any options to enable ports 4118, 4119 or 4120 on the ESXi host, but I've not seen anything that suggests that. Otherwise no firewalls are involved. Not sure what firewall ports are on the vShield Manager as it's just an appliance and I can't see any commands to check that.
2 I understand a SCSI Controller is required, what confused me is the statement that they're not created by default, which I think they are. That's what's leading me to think I need something. There is a SCSI Controller on the servers that have the ThinAgent installed. It's an LSI not BusLogic.
3 That's the main thing I'm not seeing, there are no Hosts or VMs listed under the Endpoint Tab, all categories show zero.
Did you install vShield Zones? I was told that was not required for Endpoint, but its placement in the Installation guide almost suggests it is a pre-requisite.
4. Yep - we have an external SQL Database.
5. Thanks, I've got the TM Guide.
Zones is not required for Endpoint.
Looks like the thin agent driver on the VM is not communicating with the Endpoint installed on ESX nor the Deep Security Virtual Appliance (DSVA). Check all networking, do ping and telnet tests.
From VM with thin agent:
ping ESX, vShield Manager; telnet Deep Security Manager on port 4120
From Deep Security Manager:
ping VM, vShield Manager; telnet DSVA on port 4118
Try the TM forums: http://community.trendmicro.com/t5/Business-Security-Forum/bd-p/businessprod
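The ping and telnet checks suggested above can be scripted so that each outcome is named instead of read off a telnet screen. This is an added example, not part of the original thread and not Trend Micro or VMware tooling; the role names and host names are placeholders, and it only tests connections from the machine it is run on, so run it on each source machine.

```python
import socket

# Checks taken from the thread; the role names are labels chosen for this example.
CHECKS = [
    ("dsm", 4120),   # from a VM with the thin agent: Deep Security Manager, port 4120
    ("dsva", 4118),  # from the Deep Security Manager: DSVA, port 4118
]

# How to read each outcome (general TCP behaviour, not product documentation).
MEANING = {
    "dns-failure": "name does not resolve; fix DNS between the components first",
    "refused": "host answered but nothing is listening on that port",
    "timeout": "no answer; packets are filtered or the host is down",
    "unreachable": "no route to the host, or another socket error",
    "open": "TCP handshake completed; the port is reachable from this machine",
}

def probe(host, port, timeout=3.0):
    """Resolve host, attempt a TCP connect and return a key of MEANING."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()

def run_checks(hosts, checks=CHECKS, timeout=3.0):
    """hosts maps a role name to a host name; returns (role, port, outcome) tuples."""
    return [(role, port, probe(hosts[role], port, timeout)) for role, port in checks]

if __name__ == "__main__":
    # Placeholder host names: replace with your own before running.
    hosts = {"dsm": "dsm.example.internal", "dsva": "dsva.example.internal"}
    for role, port, outcome in run_checks(hosts):
        print(f"{role}:{port} {outcome} - {MEANING[outcome]}")
```

An "open" result is independent of ICMP, so a host that does not answer ping can still pass this check.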
I can do most of the tests above, just not sure what kind of response I should see from the telnet commands.
Telnet to the DSM produces some unreadable text, Telnet to the DSVA seems to connect and then get dropped.
In both cases there seems to be a connection rather than getting denied.
I've been asked by support if I can ping the DSVA. I can't, from anywhere.
Thanks for the link to the TM Forum, I've joined that and found someone with the same issue.
But no solution was listed on the thread.
Thanks, just confirmed, that is the behaviour, I was being a bit quick on hitting a key to generate a response.
If I just telnet and leave it, it behaves as you've described.
Thanks for the feedback on ping. It does look as though the DSVA is very restricted on what it will reply to.
That's not a criticism, just an observation, and it's probably a good thing.
To investigate further via this forum is not really practical, I have provided several general troubleshooting guidelines which I hope have helped.
I suggest your local sales support or the general Trend support team
(4 months to the rugby world cup !)
Finally resolved it, user error!
I was pointing the TM DS Manager back at itself and not to the VMware vShield Manager.
I did a complete reinstall and then realised the earlier mistake.
All working now, just need to plan the roll out to live.
Thanks for your advice.