Review: Trend Micro Deep Security 7.5

With the growing adoption of VMware View, as well as vCloud, the vShield line of products is gaining in popularity. In particular, the bundling of vShield Endpoint licenses with View Premier has given many customers who would otherwise install a full (and typically bloated) anti-virus package into their virtual desktops a viable alternative. In this article, I will focus on Trend Micro’s implementation of vShield Endpoint technology in securing both virtual desktop and server workloads on vSphere. Please note that this is not meant to be a complete review of the product. I’m not going to walk you through the complete installation process, nor am I going to cover operations extensively. I prefer to simply share my experiences, thoughts, and conclusions from my dealings with the product.

Trend Micro was the only launch partner for vShield Endpoint back at VMworld 2010, and unless something has been announced recently that I haven’t seen, Trend Micro has the only functional, production-ready vShield Endpoint solution. This is great for me, since the agency for which I work already uses Trend Micro Office Scan in their production environment.

I acquired the bits from Trend Micro and immediately went to push it out to my lab environment where both VMware View and Citrix XenDesktop were being evaluated. I went about following steps I read in both Trend Micro’s supplied materials, as well as some excellent blog posts at GeekSilver’s Blog.

VMware vSphere vShield 4.1 Understanding Part 1
VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 2
VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 3

As a note, I’ve already done all the boring stuff that nobody cares about but that is a prerequisite. If you want or need a step-by-step how-to, go ahead and read the blog links above. Don’t worry, I can wait. The boring stuff includes:

  • Set up vSphere 4.1u1 hosts
  • Set up vCenter Server 4.1u1
  • Enabled licenses for vShield Endpoint in vCenter Server
  • Deployed vShield Manager
  • Enabled vShield Endpoint on all hosts on which Deep Security would be used
  • Created a database for Deep Security Manager on my SQL 2008 R2 platform
  • Spun up a Windows 2008 R2 VM and installed Deep Security Manager

After performing the steps above, I immediately encountered issues. After much wailing and gnashing of teeth (read: a couple of hours’ worth of troubleshooting with my excellent Trend Micro technical account manager and a very astute support engineer with VMware Federal Support in Colorado), it became evident that there was an issue with the default ESXi embedded image that IBM shipped with our HS22V blades, which causes DVfilter to think that it’s not licensed properly, even with vSphere Enterprise Plus licenses applied.

After applying the requisite patches to my blades for what seemed like forever (a total of around 15 hours for 10 blades… seriously), I was ready to prepare my vSphere hosts. The process for this is quite simple, but I’ll outline it here.

  1. Right-click the host you wish to prepare, choose Actions -> Prepare ESX.

I told you it was simple.

There are, of course, a couple of Next buttons to click, but I don’t want to bore you with that. Others have outlined the installation process very well, and I don’t want to reinvent the wheel.

After this, you deploy the Trend Micro virtual appliance to the host you’ve just prepared. The process is similar to those before, i.e. right-click, Deploy Appliance, so I won’t delve into it further here. There’s some configuration of the virtual appliance required, but it’s really just plugging in IP/hostname info, along with DNS servers.

At this point, you’re ready to deploy some guests and have Deep Security Manager keep them in line. If you’re like me, you’ve probably already got hundreds (or thousands) of servers and desktops deployed in production, so moving from an in-guest anti-virus to an offloaded, virtual appliance-based solution where you have to install not one, but two agents (one Trend Micro, one VMware) within the guest operating system, is daunting. I’m not going to sugarcoat this at all: migrating a ton of servers to this solution is not going to be easy. It’s going to be a long and arduous process. My best suggestion is to use something like Microsoft System Center Configuration Manager (SCCM) to package up the installers and push them out that way. When my agency moves to this type of solution in the future (if you’re reading this, coworkers, the writing’s on the wall), that’s probably the tack we’ll take. If you have a better solution, please respond in the comments section below (I’m reserving judgment on whether deploying this via ThinApp or the like is a good idea or not). Virtual desktops, on the other hand, are a different story.

You’ve no doubt deployed your virtual desktops with VMware View using Linked Clones, which makes this kind of process about as painless as can be.

  1. Power on your parent VM.
  2. Uninstall whatever anti-virus solution you currently use.
  3. Install vShield Endpoint thin agent.
  4. Install Trend Micro Deep Security Agent.
  5. Shut down, create a new snapshot of the parent VM, and recompose your pool(s).

All of your recomposed pools will now have desktops managed by Trend Micro Deep Security. Your scan times should roughly halve, plus you get the added bonus of hypervisor-level IPS/IDS, firewall, et cetera, et cetera.

Overall, I really like the idea of offloading ancillary tasks or duties that were traditionally in-guest, be it backup with vStorage APIs for Data Protection or anti-virus with vShield Endpoint. I think Trend Micro and VMware have a really good set of complementary products in Deep Security and vShield Endpoint, and I hope both vendors continue to innovate in this arena. I would like to see some competing products from Symantec or the like to keep driving the industry in this area, but that we shall see.

Jason

Further reading:

Trend Micro and VMware Virtualization
Deep Security – Enterprise Virtualization Security
VMware vShield Endpoint


15 Comments.

  1. Review of Trend Micro’s Deep Security 7.5 at That's my View - pingback on March 30, 2011 at 7:49 am
  2. Review von Trend Micro Deep Security 7.5 at That's my view - pingback on March 30, 2011 at 7:54 am
  3. Jason,

    Might I suggest using a group policy to detect a VM and whether it has the agent installed?

    As a matter of fact, I think I set that up for your environment already to update VMware Tools on a reboot. A simple addition to install the agent in the script would probably take around 15 mins, and you can just let it do it on a reboot :)

  4. That’s a great idea, Alan! Thanks for the suggestion!

  5. myvirtualcloud.net » Weekly VDI Digest April 5, 2011 - pingback on April 5, 2011 at 8:54 am
  6. Review: Trend Micro Deep Security 7.5 « Thincomputing.net - pingback on April 7, 2011 at 9:33 am
  7. jared picklesimer

    We set up Deep Security in our View environment briefly. It seemed to work pretty well until just before the demo expired, when we found out it was causing our thin-apped IE6 to bluescreen our Windows 7 View desktops. (Yes, I know, and my response is that I work in the healthcare industry, which is insanely slow at updating apps.)

    Anyway, as soon as we removed DS, the thin-apped IE6 started working again.

    I think the products (vShield and DS) need a little more time to mature. For now we’re going to stick with OfficeScan 10.5 with VDI support, which only scans files in the delta disk.

  8. Thanks for the info, Jared. We’re still on XP, so we didn’t run into that particular issue.

    I definitely agree there are some issues with the current iteration of both Endpoint and Deep Security. I’ll cut both Trend and VMware a bit of slack since they’re both essentially 1.0 releases.

  9. For clarity, you did not need to install the Deep Security Agent in your guests in order to use the antivirus protection. Only the vShield Endpoint driver. The Deep Security Agent is only needed if you plan to use other features like vulnerability scanning, log management and integrity monitoring. AV can be done without it. The virtual appliance is all that’s needed for AV, Firewall, IDS/IPS.

  10. I have also run into this issue. Do you remember the patch/update that you applied to correct the issue with the HS22V blades (which causes DVfilter to think that it’s not licensed properly, even with vSphere Enterprise Plus licenses applied)? I have spoken with IBM and they were not able to find the correct patch/update.

    Thanks

  11. Richard Cockett

    Thanks.

    If you could share that information that would be great.

  12. Richard Cockett

    Hi Josh,

    Did you have time to check on the name upgrade/patches for the HS22V?

    • Sorry about that. I just checked and the fix is contained in an updated ESXi image from IBM which we obtained from their support group. You should be able to request it directly from IBM.

      The file name, if it helps, is VMware-VMvisor-Installer-ibm-cust-nolicense-4.1.0-260247.iso
