Overlay Transport Zone is requirement when deploying Trend Micro Deep Security with NSX-T

Product / Version includes:

Deep Security20.0

Last updated: 2024/07/23

Solution ID: KA-0011028

Category: Deploy , Install

Summary

Support for the Network Service Insertion feature (SI) at NSX-T was implemented from Deep Security 12.0 FR 2020-06-17 (Build 12.5.985) and Deep Security 20.0. This enhancement has enabled the GI and SI to co-exist when Deep Security registers to NSX-T.

Refer to the Deep Security 20.- release notes.

When GI+SI co-exist, the "overlay transport zone" will be required because deploying the Deep Security Virtual Appliance (DSVA) will need to have a service segment, and the service segment requires the "overlay transport zone".

This requirement is for DSVA deployment with NSX-T since GI+SI co-exist during registration. If you will use the Anti-Malware function only, this setting is still required even if you will not use the network feature, the DSVA deployment will need it. For reference, look at this article.

The Service Segment is required to deploy the Trend Micro Deep Security Service in NSX-T:

Click Action and then click ADD SERVICE SEGMENT.
Under Name, enter a name e.g. service-segment.
Under Transport Zone (Overlay), select "transport-zone-overlay" or whichever overlay transport zone you are using.
Leave "Connected To" empty.
Click SAVE and then CLOSE.
A service segment should be created.
From the Service Segments dropdown list, select the service segment you just created.

The service segment needs to have a transport zone.

Below is the LSW limitation:

Click here view the LSW limitation table

Situation No	Machine	NIC		Features of DSVA, which VDI or Virtual Machine use							Auto isolation by DFW	Type of LSW in ESXi						Limitation about LSW
		No.	Purpose									LSW		LSW installed by NSX-T
												vSS	vDS			N-VDS
				AM	WRS	FW	IPS	IM	LI	AC		vSS	-	Overlay	VLAN	Overlay	VLAN
1	DSVA	eth0	Management. To connect DSM.	-	-	-	-	-	-	-	-	Available	Available	Available	Available	Available	Available	It is OK if DSVA can connect DSM and DSR.
2		eth1	Can not set value by user. For GI service.	-	-	-	-	-	-	-	-	Available	-	-	-	-	-	Automatically created and set vSS.
3		eth2	Can not set value by user. For NI service.	-	-	-	-	-	-	-	-	-	-	Available	-	Available	-	It is required to set a LSW that is Overlay-backend network. The LSW is created automatically when DSVA be deployed.
4	VDI or Virtual machine	ethX	Service for VDI or Virtual Machine	ON	-	-	-	ON	-	-	-	Available	Available	Available	Available	Available	Available	-
5				ON	-	-	-	ON	-	-	Using	-	-	Available	Available	Available	Available	If Customer wants to use auto isolation by NSX-T DFW, VDI or Virtual Machine need to belong LSW installed by NSX-T. However if do not use Network features at DSVA, the machine can use LSW which created by VLAN-backend and Overlay-backend.
6				-	ON	ON	ON	-	-	-	-	-	-	Available	Available¹	Available	Available¹	If Customer wants to use WRS, IPS or FW feature by DSVA, there are 2 limitations: VDI or Virtual Machine NIC connect to Overlay-backend or VLAN-backend LSW are supported. The overlay network is designed as service segment used for DSVA deployed . ¹- Support NSX-T 3.1.5 above and 3.2.1 above build
7				-	ON	ON	ON	-	-	-	Using	-	-	Available	Available¹	Available	Available¹
8				ON	ON	ON	ON	ON	-	-	-	-	-	Available	Available¹	Available	Available¹
9				ON	ON	ON	ON	ON	-	-	Using	-	-	Available	Available¹	Available	Available¹

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Overlay Transport Zone is requirement when deploying Trend Micro Deep Security with NSX-T

Overlay Transport Zone is requirement when deploying Trend Micro Deep Security with NSX-T

Product / Version includes:

Summary