Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Upgrading Deep Security 9.0 Service Pack (SP) 1 to version 9.5 on VMsafe environment

    • Updated:
    • 4 Feb 2016
    • Product/Version:
    • Deep Security 9.0
    • Deep Security 9.5
    • Platform:
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Windows 2008 Server R2 Enterprise
Summary

Follow this procedure to upgrade to Deep Security 9.5 on a VMsafe environment.

Details
Public

Get the latest version (9.5) of the following installation packages from Trend Micro Download Center:

 
Make sure you are using the latest version of the vShield Manager and the VMtools and that you have done a complete install of VMtools. Review the VMware compatibility matrix.
  • Deep Security Manager (DSM)
  • Deep Security Agent (DSA)/Relay
  • Deep Security Filter Driver
  • Deep Security Virtual Appliance (DSVA)
  • Deep Security Notifier

Place the install/upgrade packages for DSM, Deep Security Relay, Deep Security Filter Driver, and DSVA, in the same folder from which you will run the DSM installer. This way the DSM will automatically import the Relays, Agents, Virtual Appliance, and the Filter Driver during installation. If the DSM finds a Relay in the folder, it will offer you the option of installing a Relay along with the DSM. Please confirm the install of the Deep Security Relay as it will cause multiple issues later on.

Below is the recommended upgrade path:

DSM > Deep Security Filter Driver > Deep Security Relay (Agent) > DSVA > Deep Security Notifier

Review product documentation before proceeding to the upgrade process:

 

Before upgrading the DSM, make a full backup of the DSM database. In the rare event that you have difficulty with the upgrade this will allow you to roll back by installing the previous manager (with a temp database) then re-pointing it at the restored database (in dsm.properties).

Upgrading the DSM will stop the DSM service during the operation, and the service will be started after successfully upgraded.

This process does not need to be during maintenance mode as the DSM upgrade does not cause any security gaps or network interruptions. The only effected machine is the server on which the DSM resides.

To upgrade the DSM:

  1. Run the DSM install package on the machine.
  2. When prompt with the Update Verification message, choose Update the existing installation (maintains current configuration).

    Update the existing installation (maintains current configuration)

  3. Click Next and follow the guide until the installation completes.

To upgrade a Multi-node Manager:

 
Upgrading a Multi-node Manager requires no special preparation.
 
  1. Run the DSM install package on any node.

    The installer will instruct the other nodes to shut down (there is no need to manually shut down the services). Then, the installer will upgrade the local DSM and update the database.

  2. Run the DSM installer on the remaining nodes. As each node is upgraded, the service will restart and the node will rejoin the network of Managers.
  1. Open the DSM console.
  2. Go to Administration > Updates > Software Local.
  3. Click Import and follow the guide to import the software downloaded. For example, downloading DSVA and Deep Security Filter Driver:

    Importing DSVA and Deep Security Filter Driver

 
You may need to delete the old imported software to reduce the DB space.
 
 

The Deep Security Filter Driver and the DSVA must always be upgraded to the same version. Upgrading one without the other will leave both in a nonfunctional state. We recommend upgrading both the Filter Driver and the DSVA at the same time.

The upgrade of the filter driver will request a reboot of ESXi host.

 
  1. Open the DSM console.
  2. Go to the Computers menu.
  3. Look for the ESXi host which filter driver needs to be upgraded.
  4. Right-click the host and click Action > Upgrade Filter Driver.
  5. Wait until the host shows a green “Prepared” status.
 
  • Deep Security Agents and Relays must be of the same version or less than the DSM being used to manage it. The DSM must always be upgraded first before the Agents and Relays.
  • When planning the upgrade of your Agents and Relays from 9.0 to 9.5, ensure that your 9.5 Agents are assigned to Relay Groups that contain only 9.5 Relays. You should upgrade all Relays in a Group to 9.5 (or create a new 9.5 Group) before configuring any 9.5 Agents to receive updates from the group.
 

Deep Security 9.0 Agents and Windows Relays can be both upgraded using the DSM interface or by manual local upgrade. Just make sure that the Agent and Relay software must first be imported into the DSM.

To Upgrade Deep Security Agents and Windows Deep Security Relays using the DSM:

  1. From the DSM console, go to Computers.
  2. Find the computer on which you want to upgrade the Agent or Relay.
  3. Right-click the computer and select Actions > Upgrade Agent software.
  4. The new Agent software will be sent to the computer and the Agent or Relay will be upgraded.

To manually upgrade Agents or Relays locally on a computer, follow the instructions in the Installation Guide.

On the other hand, Deep Security 9.0 Linux Relays cannot be upgraded to version 9.5. They must be uninstalled and replaced with a fresh install of a 9.5 Linux Agent.

 
When upgrading a Relay from 9.0 SP1 TO 9.5 on Linux, you cannot use the command on the Actions menu.
 

To upgrade a 9.0 SP1 Relay to 9.5 on Linux:

  1. Upgrade the DSM to version 9.5.
  2. Import Agent-Core-RedHat_EL6-9.5.2-XXX.zip into the DSM.
  3. Deactivate the Relay you want to upgrade, and then uninstall it.
  4. Install Agent-Core-RedHat_EL6-9.5.2-XXX.rpm on the Agent computer.
  5. Enable the Relay.

To convert a 9.0 SP1 Relay to 9.5 Agent on Linux:

  1. Upgrade the DSM to version 9.5.
  2. Import Agent-Core-RedHat_EL6-9.5.2-XXX.zip into the DSM.
  3. Deactivate the Relay you want to upgrade.
  4. Delete the Relay from the DSM.
  5. Uninstall the Relay.
  6. Install Agent-Core-RedHat_EL6-9.5.2-XXX.rpm on the Agent computer.
  7. On the DSM console, add the computer by going to Computers > New > New Computer.

After upgrading to version 9.5 not all protection modules enabled in 9.0 Agent will remain enabled on a 9.5 Agent. The following table shows which modules are affected by an upgrade:

FeatureWindowsLinux
AMNo changeUninstalled
IMUninstalledUninstalled
WRS/FW/IPSUninstalledUninstalled

Currently, upgrading directly from DSVA 9.0 to 9.5 is not supported. Customer needs to delete or power off the old virtual appliance and deploy the new one with version 9.5.

To delete or power off the old virtual appliance:

  1. Open the DSM console.
  2. Deactivate all virtual machines protected by the virtual appliance.
  3. Deactivate the virtual appliance.
  4. From the vSphere client, look for the virtual machine.
  5. Power off this virtual appliance, then delete it from the disk.

    This step is very important as we have changed the OS on the DSVA from 9.0 to 9.5. If the customer does not want to delete the old DSVA from the vCenter, keep it power off.

To deploy the new virtual appliance:

  1. Open the DSM console.
  2. Go to Computers and find out the ESXi host that needs to be deployed with the new DSVA.
  3. Click Action > Deploy Appliance.
  4. Activate the new virtual appliance and the virtual machines.

Upgrading the Deep Security Notifier is only required on virtual machines being protected Agentless by a DSVA. On machines with an in-guest Agent, the Notifier will be upgraded along with the DSA.

To upgrade the Deep Security Notifier, follow the procedure in the Deep Security 9.5 Installation Guide.

Premium
Internal
Rating:
Category:
Update
Solution Id:
1105528
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.