By default, DSA installation will disable Windows Firewall. However, if Windows Firewall is enabled via GPO, then Deep Security will not be able to turn off Windows Firewall.
In some cases, Deep Security may not turn off Windows Firewall, but will modify its port and process exclusions and cause legitimate applications to be blocked by Windows Firewall.
To resolve this issue:
- Download the DSA MSI package transform file for your Deep Security version. This file can be instructed not to modify the port in the firewall.
The password to open the file is "trend".
- Use the following command to install the MSI package:
msiexec /i <path to Agent.msi> TRANSFORMS=<path to Leave_Firewall.mst> /L*v c:\dsa_install.log
In some environments running Deep Security 9.0, the TRANSFORMSSECURE setting may need to be used along with the MST file. The command would then be:
msiexec /i <path to Agent.msi> TRANSFORMS=<path to Leave_Firewall.mst> TRANSFORMSSECURE=0 /L*v c:\dsa_install.log
Setting the TRANSFORMSSECURE property to "0" informs the installer that transforms are not to be cached locally on the user's computer in a location where the user does not have write access.
If the above steps did not resolve the issue, send the following information to Trend Micro Technical Support:
- MSI install log file that will be created (C:\dsa_install.log)
- Screenshot of the firewall "show state" command before and after the DSA installation:
netsh firewall> show state