Multiple agent-protected VDIs show as a single entry on Deep Security Manager (DSM)

Product / Version includes:

Deep Security20.0 , Deep Security9.6 , Deep Security12.0

Last updated: 2021/08/28

Solution ID: KA-0007390

Category: Configure

Summary

After activating several computers on VDI infrastructure, all those machines seem to be managed by a single entry on the DSM with different IP addresses.

It is not clear how a proper configuration and deployment is usually set up for VDI clones of the Master Image. Citrix Xen App and VMware View are some examples of such infrastructure. These computers are protected by Deep Security Agent (DSA), but not by Deep Security Virtual Appliance (DSVA). Also, these machines may also be non-persistent causing a need for re-activation every startup.

In such cases, you can use agent-initiated activation with specific settings on the DSM to perform an automatic deployment. A PowerShell startup script will be used to install the agent on the machine, which can also function on non-persistent computers.

To enable the agent-initiated activation:

Before deploying this procedure in a production environment, please test the settings first in your test environment and make sure it helps you achieve your goal.

Keep the Golden Image (Master Image) template without any Deep Security Agent installed. If needed, clean up the uninstallation as well to ensure that no drivers are left. For the list of files to check, refer to this article: Manually uninstalling Deep Security Agent, Relay, and Notifier from Windows.
Set up the DSM to allow re-activation from known computers.
1. On the DSM console, navigate to Administration > System Settings.
2. Click the Agents tab.
3. Tick Allow Agent-Initiated Activation checkbox and select For Any Computers radio button.
4. Enable Allow Agent to specify hostname checkbox.
5. For the section If a computer with the same name already exists, choose Re-activate the existing computer.
6. Tick Allow reactivation of cloned VMs checkbox.
Create a deployment script for your machines.
1. At the upper-right corner of the DSM console, click Support > Deployment Scripts.
2. Select the appropriate platform (e.g. Microsoft Windows 64-bit).
3. Tick the Activate Agent automatically after installation checkbox.
4. Select the Security Policy you need for Citrix machines (e.g. Base Policy > Windows).
5. Choose the target Computer Group.
6. Select the Relay Group.
The PowerShell script will be generated as seen below:
Copy all contents of generated PowerShell script and save it as .ps1 file in the startup scripts folder. Afterwards, set it as a startup script.

The script downloads the DSA MSI package, then installs and activates it. This will always generate a different ID while keeping the deployment automatic. While re-activating the hosts based on their hostname, this procedure ensures that a new entry will be created for each new computer you deploy from your VDI.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Multiple agent-protected VDIs show as a single entry on Deep Security Manager (DSM)

Multiple agent-protected VDIs show as a single entry on Deep Security Manager (DSM)

Product / Version includes:

Summary