Pls check my previous blogs for the DSM, Relay Server, vShield Endpoint, Filter Driver, DSVA, DSA, SSP Server, Policies and Exclusions, Events and Monitoring, and VMtools. In this blog we look at Trend DPM with a pure Citrix VDI environment.
Deep Security Virtual Appliance (agentless) does not work with a pure Citrix environment (i.e. VMs running on Citrix XenServer).
For these environments, the in-guest (physical) agent based solution is recommended. Install the agent in the master golden image (deactivated mode) and then perform agent-based activation in the provisioning process. The policy can be specified in the script, or an Event-Based Task can assign the correct policy based on the attributes available (e.g. the computer name).
Steps to set up the master golden image.
Install an un-activated Deep Security Agent on the golden image in the Citrix XenServer environment, and uninstall any other third-party anti-malware software from the golden image, as it would cause scan contention; Trend will take care of the Windows anti-virus notification.
In the golden image, set the environment variables (the agent installation directory in PATH) so that dsa_control is recognized as a command from any directory.
Once the master golden image is set up and ready, create the new VMs using the Machine Catalog in Citrix Studio.
Pls check how to enable activation for the new VM using the Active Directory integration in Trend DSM. There is an option called Event-Based Tasks; see the Activating the Event-Based Tasks blog for the steps.
If we don't have AD integration with the OU folder structure in Trend DSM, we can get the command to activate the agent from DPM – Help – Deployment Script by selecting the appropriate Policy, Computer Group and Relay Group. By placing the BAT file in the GPO logon script, the agent can be activated.
Before configuring it in the login script, we can test the activation using the command below.
Pls note the command has to be run in a CMD prompt opened with Run as administrator.
c:\Program Files\Trend Micro\Deep Security Agent> dsa_control -a dsm://<DSM IP address or hostname>:4120/ "policyid:<policy number>"
To automate this, put the command in a batch file and apply it as a user logon script to the appropriate OU in Group Policy, or use SCCM and target the installed service to run the command so that it won't be applied to other VMs.
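An added example of such a batch file, not from the original post or from Trend Micro: it runs the activation command from the text and picks the policy from the computer-name prefix, as the earlier paragraph suggests. It assumes it runs elevated (for example via SCCM or a GPO computer startup script); the DSM host name, the policy IDs and the VDI-FIN-/VDI-HR- naming convention are placeholders.

```batch
@echo off
REM Added example (not the page's or Trend Micro's code): activate the
REM Deep Security Agent against the DSM, choosing the policy by computer name.
REM Placeholders: DSM host name, policy IDs and the VDI-* prefixes.
setlocal EnableExtensions

set "DSM_URL=dsm://dsm.example.local:4120/"
set "DSA_DIR=C:\Program Files\Trend Micro\Deep Security Agent"
set "LOG=%SystemRoot%\Temp\dsa_activate.log"

REM dsa_control must run elevated; "net session" fails when not an admin,
REM so the script logs and stops instead of prompting the user.
net session >nul 2>&1 || (
    echo %DATE% %TIME% not elevated on %COMPUTERNAME%, skipping >>"%LOG%"
    exit /b 1
)

if not exist "%DSA_DIR%\dsa_control.cmd" (
    echo %DATE% %TIME% agent not installed on %COMPUTERNAME% >>"%LOG%"
    exit /b 1
)

REM Policy chosen from the computer-name prefix (placeholder policy IDs);
REM anything that matches no prefix falls back to the default policy.
set "POLICY=policyid:1"
if /i "%COMPUTERNAME:~0,8%"=="VDI-FIN-" set "POLICY=policyid:12"
if /i "%COMPUTERNAME:~0,7%"=="VDI-HR-"  set "POLICY=policyid:13"

REM Same activation command as in the text, with the policy chosen above.
REM Note the space before >> so a policy ID ending in a digit is not
REM parsed by cmd as a handle number for the redirection.
"%DSA_DIR%\dsa_control.cmd" -a %DSM_URL% "%POLICY%" >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% activation FAILED on %COMPUTERNAME% with %POLICY% >>"%LOG%"
    exit /b 1
)
echo %DATE% %TIME% activated %COMPUTERNAME% with %POLICY% >>"%LOG%"
endlocal
exit /b 0
```

The log file records each VM's result, which is useful when checking the Trend console afterwards for computers that did not pick up the expected policy.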
If users don't have administrator rights on the new VMs and SCCM is not used in the environment, the CPAU tool can be used to activate the agent. This eliminates the need to grant administrator privileges to users who need to activate DSAs on their machines but are prompted for a username and password.
To create the login script, use the third-party program CPAU. This tool can encrypt the user's credentials.
- Download CPAU.
- Extract CPAU.exe to the desired folder. Take note of the location.
- Open the command prompt and go to the location of CPAU.exe.
- Run the following command to create an encrypted profile to be used for the login script:
cpau -u <domain\username> -p <password> -ex "<…installation directory>\dsa_control.cmd /a dsm://<IP address or hostname>:4120/" -file <filename.txt> -enc
cpau -u dc4esxi\Administrator -p P@ssw0rd -ex "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.exe /a dsm://192.168.12.50:4120/" -file dsa_init.txt -enc
In the example above:
- 'dc4esxi\Administrator' is the user which has Domain Administrator privilege
- 'P@ssw0rd' is the password
- 'C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.exe /a dsm://192.168.12.50:4120/' is the activation command, where 192.168.12.50 is the DSM IP address or hostname
- 'dsa_init.txt' is the encrypted file to be used for the login script
- Create a login script based on the information below and save it as a BAT file, for example dsa_logon.bat.
\\ad-dsm\SYSVOL\DC4ESXI.com\cpau -dec -file "\\ad-dsm\SYSVOL\DC4ESXI.com\dsa_init.txt" -hide
- ad-dsm is the Active Directory server
- DC4ESXI.com is the domain
- dsa_init.txt is the encrypted file
- Add the login script by following the procedure in these articles:
- For Windows 2008: Setting up a Logon Script through GPO in Windows Server 2008
- For Windows 2003: How to setup a logon script on your Windows 2000/2003 Active Directory Network
- Copy the CPAU.exe and dsa_init.txt files to the Active Directory location:
\\<active directory server>\sysvol\<domain>
For example: \\ad-dsm\SYSVOL\DC4ESXI.com\
DSA activation will initiate once users log on to their machines.
Once the login script is set, when a user logs in to the new VM it will initiate agent activation, and in the Trend console we can see the new computer activated with the appropriate policy.
Deep Security Agent and the Citrix target device driver
In a Citrix PVS 6.0 environment, if you plan on installing the (in-guest) Deep Security Agent, the Citrix target device driver may not be able to connect successfully to the Provisioning Server due to a possible conflict.
Pls note that in a Machine Creation Services environment the steps below are not needed.
If you plan on installing Deep Security Agent on a Windows operating system that is connected to a PVS server using disk provisioning, the temporary workaround is to change the tbimdsa driver loading order during system startup from PNP_TDI to NDIS.
To do so, manually change the loading order of the tbimdsa driver used by Deep Security Agent:
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tbimdsa
- Add or modify the String value "Group" to: NDIS
- Add or modify the DWORD value "Start" to: 0
By changing Group from PNP_TDI to NDIS and Start from 3 to 0, the tbimdsa driver is allowed to load after the Citrix driver has loaded.
Reboot the machine and the PVS Target Device will be able to connect to the vDisk upon boot-up.
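An added example, not from the original post or from Trend Micro, that applies the registry change above from an elevated command prompt on the PVS target device: it exports the existing tbimdsa key first so the original Group/Start values can be restored with reg import if the workaround is no longer needed. The backup path is an assumption.

```batch
@echo off
REM Added example (not the page's or Trend Micro's code): change the tbimdsa
REM load order from PNP_TDI to NDIS as described in the text. The backup
REM file location is an assumption.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\tbimdsa"
set "BACKUP=%SystemRoot%\Temp\tbimdsa-before.reg"

REM Stop if the key is missing: the agent (and its driver) is not installed.
reg query "%KEY%" >nul 2>&1 || (
    echo tbimdsa service key not found; is Deep Security Agent installed?
    exit /b 1
)

REM Keep the current values so the change can be reverted with:
REM   reg import "%BACKUP%"
reg export "%KEY%" "%BACKUP%" /y >nul || (
    echo could not back up %KEY%, not changing anything
    exit /b 1
)

REM Group PNP_TDI -> NDIS and Start 3 -> 0, exactly as in the text.
reg add "%KEY%" /v Group /t REG_SZ    /d NDIS /f >nul || exit /b 1
reg add "%KEY%" /v Start /t REG_DWORD /d 0    /f >nul || exit /b 1

REM Show the resulting values so the change can be confirmed before reboot.
reg query "%KEY%" /v Group
reg query "%KEY%" /v Start
echo Backup saved to "%BACKUP%". Reboot for the new load order to take effect.
exit /b 0
```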
Pls check my next blog for VDI in an ESX environment (agentless).