Over the course of the past week I have been at a customer site upgrading a fairly good-sized vSphere and View environment to the latest releases, 5.5 U1a and View 5.3.1. When I complete upgrades, I typically try to build net new vCenters along with fresh installs of ESXi. In this particular case, our customer was running Trend Micro Deep Security Endpoint Protection for both their Server and View Infrastructure and Desktops.
*This is NOT a guide on upgrading vSphere; it only pertains to what is required to upgrade Trend Micro Deep Security with Endpoint Protection.
**This guide also assumes that there is already an understanding of the vSphere upgrade process.
While Trend Micro provides a guide on upgrading, what’s missing is guidance for when a choice is made to either:
1. Upgrade and roll-out a new vCenter Appliance
2. Upgrade and roll-out a net new Windows instance for a fresh vCenter installation.
During our plan and design session with the customer, we worked through the installation steps and all interoperability validations. For any upgrades, you should visit the VMware Compatibility Guide as well as the VMware Interoperability Matrix. Along with the VMware Documentation Page, these are bookmarked on my browser at all times.
In this case, our customer was upgrading from vSphere 5.1 U2 and View 5.2 to the latest. We first turned to the above Interoperability Matrix to validate the current vCloud Networking and Security Appliance and its interoperability with vSphere 5.5 U1. The customer was running version 5.1.2. We see here that vCNS must be upgraded prior to upgrading vCenter.
We also must determine which vCNS appliance is compatible with Trend Micro Deep Security. This can be found on the Trend Micro Deep Security Compatibility page. ***At the time of the upgrade, only vShield 5.5a was listed. Since my engagement, they have validated up to the latest vCNS version, 5.5.2.
During my research, I also found that Trend Micro had just provided a patch to upgrade Trend Micro Deep Security and provide vSphere 5.5 compatibility. This required upgrades to Deep Security Manager, Relay, ESXi Filter Driver, and Appliance(s).
Here are the required versions:
We mapped out the flow first and then validated it with a call to Trend Micro Support, which, I might add, was very helpful and responsive.
Let’s walk through the steps, shall we?
1. Upgrade Deep Security Manager
2. Deactivate and uninstall the Relay.
3. Install upgraded Relay
4. Evacuate one host at a time or as many hosts as HA allows.
5. Deactivate the Appliance.
6. Delete Appliance.
7. Run the Restore ESX to remove the Filter Driver.
8. Remove vCenter instance within DSM.
9. Remove vShield Endpoint from all hosts and disassociate vCNS with vCenter.
10. Install new vCenter or vCenter Appliance and upgrade (vSphere upgrade and run VUM updates)
11. Upgrade vCNS to the latest version supported in the Deep Security Matrix listed above. In my case, at the time it was 5.5.0a, but you can see the latest now is 5.5.2.
12. Install vShield Endpoint on newly upgraded ESXi Hosts.
13. Add vCenter to DSM
14. Prepare Hosts (Installs Filter Driver)
15. Deploy DS Appliance(s) to each ESXi Host
16. Activate Appliance(s)
*Note: when you install the latest VMware Tools, don’t forget to include the vShield Endpoint Thin Agent.
There ya have it. This is the guide to bring Deep Security up to the correct versions for vSphere 5.5+. I will update this post later with screenshots of each step; however, I thought this would be beneficial to some if I posted this sooner rather than later.
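A per-host check for the two points in the steps above where protection components must be absent (after step 9) or back in place (after step 14), written as an added example that is not part of the original post or Trend Micro's tooling. It parses the text output of `esxcli software vib list`; the VIB names `dvfilter-dsa` and `epsec-mux` are not given in the post and should be confirmed against your own hosts, and the sample output is constructed.

```python
# Added example, not from the original post. VIB names are assumptions to
# confirm on your own hosts; the sample output below is constructed.
FILTER_DRIVER_VIB = "dvfilter-dsa"  # Deep Security filter driver (steps 7, 14)
ENDPOINT_VIB = "epsec-mux"          # vShield Endpoint (steps 9, 12)


def installed_vibs(vib_list_output):
    """Return {name: version} parsed from `esxcli software vib list` text."""
    vibs = {}
    for line in vib_list_output.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and the dashed separator row.
        if len(fields) < 2 or fields[0] == "Name" or set(fields[0]) == {"-"}:
            continue
        vibs[fields[0]] = fields[1]
    return vibs


def check_host(vib_list_output, phase):
    """Return a list of problems for one host; an empty list means it passes.

    phase "removed":     after step 9, neither VIB may remain on the host.
    phase "reinstalled": after step 14, both VIBs must be present again.
    """
    if phase not in ("removed", "reinstalled"):
        raise ValueError("unknown phase: %r" % phase)
    vibs = installed_vibs(vib_list_output)
    problems = []
    for name in (ENDPOINT_VIB, FILTER_DRIVER_VIB):
        present = name in vibs
        if phase == "removed" and present:
            problems.append("%s %s still installed" % (name, vibs[name]))
        elif phase == "reinstalled" and not present:
            problems.append("%s missing" % name)
    return problems


# Constructed sample: filter driver already removed, vShield Endpoint left behind.
SAMPLE_LEFTOVER = """\
Name       Version  Vendor  Acceptance Level  Install Date
---------  -------  ------  ----------------  ------------
epsec-mux  1.0.0-1  VMware  VMwareCertified   2014-01-01
esx-base   1.0.0-1  VMware  VMwareCertified   2014-01-01
"""

if __name__ == "__main__":
    for problem in check_host(SAMPLE_LEFTOVER, "removed"):
        print("host not clean:", problem)
```

Run it against each host's output before building the new vCenter, and again with `"reinstalled"` before activating the appliances in step 16.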
As always, I welcome comments.