
Trend - Deep Security - Required agents/Licensing.

  • 1.  Trend - Deep Security - Required agents/Licensing.

    Posted Jul 05, 2011 06:36 AM

    Hi,

            I've been reading through Trend Doco and forum posts here:

    Installation Guide: 

    http://support.trendmicro.com.cn/TM-Product/Product/Deep%20Security/7.5_SP2/7.5_SP2_Documents/Deep%20Security%207.5%20SP2%20Installation%20Guide.pdf

    User Guide:

    http://support.trendmicro.com.cn/TM-Product/Product/Deep%20Security/7.5_SP2/7.5_SP2_Documents/Deep%20Security%207.5%20SP2%20Users%20Guide.pdf

    I've come to the conclusion that I want to trial the software, but was hoping to clarify some architectural requirements:

    These are the requirements as I see them, please comment with your feedback.

    -------------------------------------------------

    Lab environment:

    - 4 ESX hosts

         + 2 hosts for server infrastructure (VMHOST01, VMHOST02)

         + 2 hosts for VDIs (VMHOST03, VMHOST04)

    Therefore, to support a/v scanning I would require the following infrastructure to be configured:

    (VMHOST01)

    1 * vSphere Server (managing all hosts)

    1 * vShield Manager Server

    1 * Deep Security Manager

    1 * Deep Security Virtual Appliance (pushed out via the Deep Security Manager server)

    n * Deep Security Agent (Install to each VM)

    n * vShield Endpoint Agent/VMware Thin Agent (Install to each VM)

    (VMHOST02)

    1 * Deep Security Virtual Appliance (pushed out via the Deep Security Manager server)

    n * Deep Security Agent (Install to each VM)

    n * vShield Endpoint Agent/VMware Thin Agent (Install to each VM)

    (VMHOST03)

    1 * Deep Security Virtual Appliance (pushed out via the Deep Security Manager server)

    n * Deep Security Agent (Install to each VDI)

    n * vShield Endpoint Agent/VMware Thin Agent (Install to each VDI)

    (VMHOST04)

    1 * Deep Security Virtual Appliance (pushed out via the Deep Security Manager server)

    n * Deep Security Agent (Install to each VDI)

    n * vShield Endpoint Agent/VMware Thin Agent (Install to each VDI)

    -------------------------------------------------

    In our environment we have implemented VLANS to segregate network traffic, so I'm not particularly interested in any zoning/firewall capabilities - I'm only installing the vShield components as I understand that they are required to leverage the vSafe API for 'Deep Security' to work?

       - Is anyone aware of any minimum VMWare licensing requirements that I need to achieve this?

         + We have 'enterprise' licensing, which seems to cover vSphere Zones.

    Thanks, Chris.



  • 2.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 05, 2011 11:12 AM

    Hi Chris,

    your supposed configuration is correct.

    About your doubts:

    - minimum licensing is 25 VMs for vShield Endpoint

    - Deep Security is licensed by CPU (socket), remember it has different modules (dsm, antimalware, fw/ips, im, li), you need only antimalware for vm antivirus

    - minimum vsphere edition to support vmsafe libraries is Advanced, so you are ok with enterprise.

    Regards,

    Luca.

    --
    Luca Dell'Oca
    vExpert 2011
    [Assign points to a useful answer is a way to say thanks]


  • 3.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 05, 2011 02:39 PM

    Depends what Deep Security modules you want to evaluate:

    • Firewall, Deep Packet Inspection, Anti-virus: do not require the "Deep Security Agent (Install to each VM/VDI)"
    • Log inspection and File Integrity Monitoring: require the "Deep Security Agent (Install to each VM/VDI)"

    You could have a simpler setup by combining VHOST01 and 02 into one host; similarly VHOST 03 and 04 into one host.

    Depends how many hosts you have and how many VMs you want to trial

    You also need to install vShield Virtual Appliance

    and

    Oracle or MS SQL server backend for Deep Security (embedded database option is not recommended for virtual environments).

    http://forms.trendmicro.com/index.php?dom=us&productID=123



  • 4.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 05, 2011 10:57 PM

    Hi Luca and JonathanG,

       Thanks for the comments/feedback :smileyhappy:


    Hi Luca,
    - Thanks for the confirmation on licensing, I was thinking at the time of writing that the enterprise licensing would cover all components, I'll talk to our VMware licensing provider to work out how this will work for us as we use SPLA.

    Hi JonathanG,
    - I picked 4 ESXi hosts as I thought that would clarify the model/requirements, I'll probably implement the trial with two hosts as you have suggested :smileywink:

    Regarding the vShield virtual appliance, is this installed once per environment (such as the vShield manager) or is there a requirement to have this installed onto each ESX host?

    Regarding MS SQL backend, are you aware if this is ok to be virtualised (I'd be keen to leverage one of our existing HA setups) - or if this should be standalone (phys or virt)?
    - What is the 'importance' of the SQL db?
      + I'd imagine that it is used purely for storing configuration/topology of the environment so if it were offline (scheduled or otherwise) the solution would still protect (a/v scans etc) the VMs?

    As always, please feel free to point me in the direction of any doco that I should have read, but maybe have not 'found' yet.

    I greatly appreciate your feedback.


    Cheers, Chris.



  • 5.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 06, 2011 02:39 PM

    Chris,

    1. You need one Deep Security Virtual Appliance per ESX host

    2. The Database is a requirement for the Deep Security Manager and can be physical, virtual, stand-alone or in a cluster. Initial database size should be about 120MB with space to grow.



  • 6.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 07, 2011 11:11 AM

    Got an update on this.

    I talked today with Trend Micro Italy, and they told me that, as of a month ago, Deep Security is now also licensed on a per-VM basis, and they also told me you can license the exact number of VMs, and not by 25 increments.

    Regards,

    Luca.

    --
    Luca Dell'Oca
    vExpert 2011
    [Assign points to a useful answer is a way to say thanks]


  • 7.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 12, 2011 06:23 PM

    I am curious about this as well. We have a 4 host cluster for VDI. All hosts run ESX 4.1 Enterprise. We would like to run Trend Deep Security. Our Trend sales rep said Advanced Edition ESX and above has everything needed already included in it to run the DS a/v on the virtual desktops.

    Is this true or do I need to buy additional vShield pieces from VMware?



  • 8.  RE: Trend - Deep Security - Required agents/Licensing.



  • 9.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 12, 2011 07:12 PM

    Not really. That just tells me that I can run the "paid for" vShield products on my ESX.

    I would like to know if I need to buy anything additional from VMware to get DS to work.



  • 10.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Jul 12, 2011 08:06 PM

    Oh, I thought you needed to know what versions of ESX license Endpoint

    to run Deep Security you only need to license:

    • Vsphere 4.1
    • vCenter 4.1
    • Vshield Manager
    • vShield Endpoint

    (you don't need vShield Edge, vApp or Zones)

    <full disclosure, I work for Trend Micro>



  • 11.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Oct 20, 2011 11:12 AM

    Can anyone please clarify how Deep Security licensing works? Is it per VM or per CPU or per Server? To make it more confusing, I read per seat license somewhere. Is there a minimum quantity? Does it need renewing every year or is there a perpetual license?

    I am just trying to get some clarity in terms of what I need before I start talking to the vendor.

    Thanks



  • 12.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Oct 20, 2011 01:47 PM

    There are two licensing models, this forum is not really appropriate for discussing product pricing.

    Please contact Trend Micro for specific answers



  • 13.  RE: Trend - Deep Security - Required agents/Licensing.

    Posted Nov 01, 2011 12:55 PM

    Just to clarify

    Deep Security can be licensed based upon (physical) CPU or VMs

    vShield for endpoints is currently licensed based upon VMs

    other licensing can be acquired by the partner or vendor.