Reporting from the Field Special Edition: Trendmicro Deep Security & vSphere 5.5u1 Upgrade Guide – New vCenter Instance

Over the course of the past week I have been at a customer site upgrading a fairly good size vSphere and View environment to the latest releases, 5.5 U1a and View 5.3.1.   When I complete upgrades, typically I try to build net new vCenters along with fresh installs of ESXi.  In this particular case, our customer was running Trend Micro Deep Security Endpoint Protection for both their Server and View Infrastructure and Desktops.

*This is NOT a guide on upgrading vSphere, this only pertains to what is required to Trend Micro Deep Security with Endpoint Protection.  

**This guide also assumes that there is already an understanding of the vSphere upgrade process.

While Trend Micro provides a guide on upgrading, what’s missing is if a choice is made to either:

1. Upgrade and roll-out a new vCenter Appliance


2. Upgrade and roll-out a net new Windows instance for a fresh vCenter installation.

During our plan and design session with the customer, we worked through the installation steps and all interoperability validations. For any upgrades, you should visit the VMware Compatibility Guide as well as the VMware Interoperability Matrix.  Along with the VMware Documentation Page, these are bookmarked on my browser at all times.

In this case, our Customer was upgrading from vSphere 5.1 U2 and View 5.2 to the latest.  We first turned to the above Interoperability Matrix to validate the current vCloud Networking and Security Appliance and it’s interoperability with vSphere 5.5 U1. The customer was running version 5.1.2.  We see here that vCNS must be upgraded prior to upgrading vCenter.



We also must determine which vCNS appliance is compatible with Trend Micro Deep Security.  This can be found on Trend Micro Deep Security Compatibility page.  ***At the time of the upgrade, only vShield 5.5a was listed.  Since my engagement they have add they have validated up to the latest vCNS Versions, 5.5.2.


During my research, I also found that Trend Micro had just provided a Patch to upgrade Trend Micro Deep Security and provide vSphere 5.5 Compatibility.  This required upgrades to Deep Security Manager,Relay, ESXi Filter Driver, and Appliance(s).

Here are the required versions:



We then mapped out the flow first and then validated with call to Trend Micro Support, which I might add, was very helpful and responsive.

Let’s walk through the steps, shall we?

1. Upgrade Deep Security Manager

2. Deactivate Relay and uninstall relay.

3. Install upgraded Relay

4. Evacuate one host at a time or as many hosts as HA allows.

5. Deactivate the Appliance.

6. Delete Appliance.

7. Run the Restore ESX to remove the Filter Driver.

8. Remove vCenter instance within DSM.

9.  Remove vShield Endpoint from all hosts and disassociate vCNS with vCenter.

10. Install new vCenter or vCenter Appliance and upgrade (vSphere upgrade and run VUM updates)

11. Upgrade vCNS to latest supported in the Deep Security Matrix listed above, in my case at the time it was 5.5.0a but you can see the latest now is 5.5.2.

12. Install vShield Endpoint on newly upgraded ESXi Hosts.

13. Add vCenter to DSM

14. Prepare Hosts (Installs Filter Driver)

15. Deploy DS Appliance(s) to each ESXi Host

16. Activate Appliance(s)

*Note when you install the latest VMware tools, don’t forget to include the vShield Endpoint Thin Agent.

There ya have it.  This is the guide to bring Deep Security up to the correct versions for vSphere 5.5 +.  I will update this post later with screenshots of each step, however I thought this would be beneficial to some if I posted this sooner than later.

As always, I welcome comments.



4 thoughts on “Reporting from the Field Special Edition: Trendmicro Deep Security & vSphere 5.5u1 Upgrade Guide – New vCenter Instance

  1. Today or somewere this week Trend Micro seems to release Deep Security 9.0 SP1 Patch 3 with support for ESXi 5.5 U1. The compatibility matrix says you need Patch 2, but the ReadMe tells Patch 3 adds support for ESXi5.5 U1.
    The downloads are already published on downloadcenter, but the files are not available yet. The previous Patch 2 added support for ESXi 5.5, but we have some problems since 5.5 U1 (No I/O possible after a couple of days with RealTime scan enabled). Not sure if these problems will be solved with Patch 3.

  2. Thanks for posting.

    We’re just about to go through with this process. Can you expand what you mean by “Run the Restore ESX to remove the Filter Driver.”?

    • Hi Justin,

      When you are in the Trend Micro Deep Security Management Console looking at your hosts, you right-click on the host and you will see “Restore ESX.” What this actually does is uninstall the filter driver from the host and reboot the host. I don’t like how they word that, but that’s what it does and that’s what you need to do. I’ve heard, that it’s a pain to manually uninstall that driver yourself so use Deep Security Manager to do it for you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s