This article will provide the high-level steps to configure an environment that uses combined mode protection for computers (Agent and Appliance).
VDI golden image preparation
- Install the Guest Introspection Thin Agent with the Golden Image.
Whether you use the traditional installation method or Microsoft Deployment Toolkit (MDT) to prepare the Golden Master Image(s), install the VMware Guest Introspection Thin Agent, which is part of VMware Tools.
- Persistent and Non-Persistent VMs
Both persistent and non-persistent View desktops need antivirus protection. Agentless protection is recommended for both scenarios. Install VMware Tools in the virtual machine before it is converted into a parent virtual machine for linked clones.
If agent-based protection is required, install an unactivated Deep Security Agent (DSA) on the VM before it becomes the parent virtual machine.
For reference, refer to Step 1-2, Page 81 of the Deep Security 12 Best Practice Guide.
DSA installation and post-installation considerations
Choose whether the Anti-Malware protection source in Combined Mode will be Appliance Preferred or Appliance Only.
- Appliance preferred
Perform the following steps only if you want the switch of Anti-Malware protection to the agent to happen faster when the appliance goes down; the Anti-Malware module will already be pre-installed on the clones.
On the VDI Golden Image, install the DSA. Activate it and enable Anti-Malware so that succeeding clones already have the Anti-Malware module installed. Installing Anti-Malware for the first time requires a reboot. After the reboot, deactivate the DSA.
- Appliance only
No further action is needed.
Note that the only drawback is that if the appliance goes down, there will be no Anti-Malware protection.
Scheduled Task PowerShell Script for System Startup Agent Activation
Create a Scheduled Task / Startup Script for the Agent Activation. Refer to this KB article.
Below is a sample script: C:\data\scripts\dsaActivate.ps1
# Reset the agent, activate it against the manager, then force a heartbeat.
Write-Host "Starting DSA Scripts..."
cd "C:\Program Files\Trend Micro\Deep Security Agent"
cmd /c "dsa_control.cmd -r"
Write-Host "Waiting for 5 seconds before attempting to activate agent..."
Start-Sleep -Seconds 5
# Agent-initiated activation; the manager must be resolvable from the clone.
cmd /c "dsa_control.cmd -a dsm://dsm01.lab.local:4120"
Write-Host "Waiting for 5 seconds before attempting heartbeat to manager..."
Start-Sleep -Seconds 5
cmd /c "dsa_control.cmd -m"
Write-Host "Completed..."
Write-Host "Setting Powershell execution policy to Restricted..."
Set-ExecutionPolicy Restricted
Note that the above script is already a modified sample. Make sure that the VDI machine can resolve the Deep Security Manager Activation URL via DNS.
Below is a sample command to create a scheduled task based on the above script.
schtasks.exe /Create /tn "Trend DS Agent Activate" /sc ONSTART /delay 0000:00 /ru "DOMAIN\SERVICE_ACCOUNT" /rp "PASSWORD" /tr "powershell.exe -f C:\data\scripts\dsaActivate.ps1"
Note that the command above is just a template. Modify it as needed, or create the task manually in the Task Scheduler GUI under Administrative Tools.
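As an added example that is not part of the original article, the following variant of the startup script waits until the clone can resolve and reach the manager before activating, checks the exit code of every dsa_control.cmd call, and logs the outcome instead of sleeping for a fixed five seconds. It keeps the agent install path and the dsm01.lab.local:4120 address used above; the log path, the retry parameters and the assumption that dsa_control.cmd exits non-zero on failure are mine.

```powershell
# Added example, not the article's script. Assumes the default DSA install path,
# the manager address used above, and that dsa_control.cmd exits non-zero on failure.
param(
    [string]$DsmHost = "dsm01.lab.local",
    [int]$DsmPort    = 4120,
    [int]$MaxTries   = 12,
    [int]$RetrySec   = 10,
    [string]$LogFile = "C:\data\scripts\dsaActivate.log"   # hypothetical log location
)
$dsaDir = "C:\Program Files\Trend Micro\Deep Security Agent"
function Write-Log([string]$Message) {
    # The task runs unattended, so console output is lost; keep a timestamped log.
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}
function Test-DsmReachable {
    # DNS first (the clone must resolve the manager name), then a TCP connect
    # to the heartbeat port with a 3 second timeout.
    try { [void][System.Net.Dns]::GetHostAddresses($DsmHost) } catch { return $false }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($DsmHost, $DsmPort, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}
function Invoke-DsaControl([string]$Arguments) {
    # Run one dsa_control command from the agent directory and stop on failure.
    & cmd.exe /c "dsa_control.cmd $Arguments"
    Write-Log "dsa_control.cmd $Arguments exited with $LASTEXITCODE"
    if ($LASTEXITCODE -ne 0) { throw "dsa_control.cmd $Arguments failed" }
}
try {
    if (-not (Test-Path (Join-Path $dsaDir "dsa_control.cmd"))) { throw "Deep Security Agent is not installed" }
    Set-Location $dsaDir
    $tries = 0
    while (-not (Test-DsmReachable)) {
        $tries++
        if ($tries -ge $MaxTries) { throw "${DsmHost}:${DsmPort} unreachable after $MaxTries tries" }
        Write-Log "Manager not reachable yet, retry $tries of $MaxTries"
        Start-Sleep -Seconds $RetrySec
    }
    Invoke-DsaControl "-r"                               # reset any stale agent configuration
    Invoke-DsaControl "-a dsm://${DsmHost}:${DsmPort}"   # agent initiated activation
    Invoke-DsaControl "-m"                               # force an immediate heartbeat
    Write-Log "Activation completed"
} catch {
    Write-Log "ERROR: $_"
    exit 1   # non-zero Last Run Result makes the failure visible in Task Scheduler
}
```

When registering this script with schtasks.exe, running the task as SYSTEM (/ru SYSTEM, with no /rp) avoids placing a service account password on the command line; dsa_control only needs local administrator rights.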
Configure VDI template for any other configuration you may need
Complete anything else you need on the VDI Golden Image Template.
Configuring Deep Security Manager (DSM) Event Based Task (EBT)
- On the DSM console, go to Administration > Event-Based Tasks.
- Click New.
- Event: Choose "Computer Powered On (by System)".
- Click Next.
- Choose an Action to perform:
- Activate Computer (add a delay of your choice, e.g. 5 minutes. This delay needs to be longer than the time the Task Scheduler-based activation configured earlier takes, because that activation does not assign a policy while this EBT does)
- Assign Policy: your choice of policy for VDI Machines
- Click Next.
- Specify any match condition. For example, Computer Name matches ProtectedVDI.*
- Click Next.
- Ensure Task Enabled is ticked.
- Click Finish.
Below are sample screenshots:
- Example of an Event-Based Task (Note: Computer Name is the hostname, not the VM name)
- Example of a new computer, Activating (Delayed)
- Example of Agent-Initiated Activation (via the Task Scheduler script) and Appliance-originated Activation (Event-Based Task)
Visit this Help Center article https://help.deepsecurity.trendmicro.com/20_0/on-premise/appliance-combined-mode.html for more references.
Appliance Preferred: If there is an activated appliance on the ESXi server, it will provide the protection. But if the appliance is deactivated or removed, then the agent will provide protection instead.