Install Trend Micro Deep Security Agent with Citrix Provisioning services
Today I want to write a short blog post to show how to install the Trend Micro Deep Security Agent on Citrix PVS target devices the proper way.
First, make sure that you have already set up a policy in Deep Security Manager (DSM) with the latest AV exclusions recommended by Citrix:
https://www.citrix.com/blogs/2016/12/02/citrix-recommended-antivirus-exclusions/
The configuration is pretty straightforward.
You just have to install the Deep Security Agent (DSA), do some configuration (see below) and make sure the agent will (re-)register itself during boot.
Below you will find the process with the scripts I am actually using. Nevertheless, when you copy & paste, make sure you change the variables 🙂
1. Agent installation & configuration
Put your vDisk in maintenance mode (or use versioning if you're brave) and install the DSA according to Trend Micro's suggestions (here):
- Install the DSA
- Stop the 'ds_agent' service and set its startup type to 'manual' (check in DSM that the machine you're using for the DSA installation has the rights to set the service to manual, otherwise the agent's self-protection will block it!)
- Remove the files with the following extensions from the $Env:ProgramData\Trend Micro\Deep Security Agent\ subdirectories:
  - *.db
  - *.crt
  - *.ini
  - *.config
  - *.bin
Because we are lazy guys, you can use the following PowerShell script to execute all the steps mentioned above.
The script is based on the deployment script you can export in DSM. I slightly modified it according to my needs; make sure you change the variables accordingly…
```powershell
# This code was created via DSM console, I just modified the code slightly to suit my needs
# (correct DSM server, x64 windows client, delete the files, etc):
# https://help.deepsecurity.trendmicro.com/Add-Computers/ug-add-dep-scripts.html
# Attention: Make sure to change the variables according to your environment...

# FQDN to your Trend Micro Deep Security Manager
$DSMServer = "dsmserver.domain.tld:4119"
# Download x64 client from DSM server:
$DSAUrl = "https://$DSMServer/software/agent/Windows/x86_64/"
# Path for logfile
$env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer"
# InstallDir for DSA
$DSAInstallDir = "C:\Program Files (x86)\Trend Micro"
# Policy ID for your Citrix policy:
$DSAPolicyID = "34"
# Name of DS agent service
$DSAServiceName = "ds_agent"

New-Item -Path $env:LogPath -ItemType Directory -Force | Out-Null
Start-Transcript -Path "$env:LogPath\dsa_deploy.log" -Append
echo "$(Get-Date -format T) - DSA download started"
echo "$(Get-Date -format T) - Download Deep Security Agent Package" $DSAUrl
# Taken over from the DSM-generated script: this disables TLS certificate validation for the
# download. Only keep it if the DSM certificate is not trusted by the image.
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
(New-Object System.Net.WebClient).DownloadFile($DSAUrl, "$env:temp\agent.msi")
if ( (Get-Item "$env:temp\agent.msi").length -eq 0 ) {
    echo "Failed to download the Deep Security Agent. Please check if the package is imported into the Deep Security Manager. "
    exit 1
}
echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length
echo "$(Get-Date -format T) - DSA install started, please be patient..."
echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn TARGETDIR=`"$DSAInstallDir`" ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode
echo "$(Get-Date -format T) - DSA activation started, this is going to take some time, please be patient"
Start-Sleep -s 50
# Reset the agent, then activate it against DSM with the Citrix policy
& "$DSAInstallDir\Deep Security Agent\dsa_control.cmd" -r
& "$DSAInstallDir\Deep Security Agent\dsa_control.cmd" -a dsm://$DSMServer/ "policyid:$DSAPolicyID"
echo "$(Get-Date -format T) - DSA Deployment Finished"

echo "$(Get-Date -format T) - Stopping $DSAServiceName service and setting startup type to manual"
Stop-Service -Name $DSAServiceName
While ((Get-Service -Name $DSAServiceName).Status -ne 'Stopped') {
    echo "$(Get-Date -format T) - waiting for $DSAServiceName service to stop..."
    Start-Sleep 5
}
echo "$(Get-Date -format T) - $DSAServiceName service stopped, going to set startup type..."
Set-Service $DSAServiceName -StartupType Manual

echo "$(Get-Date -format T) - Removing some files according to manual..."
Get-ChildItem "$Env:ProgramData\Trend Micro\Deep Security Agent\" -Include *.db,*.crt,*.ini,*.config,*.bin -Recurse | ForEach-Object { Remove-Item $_.FullName }
echo "$(Get-Date -format T) - Script finished, good to go..."
Stop-Transcript
```
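Before sealing, it is worth verifying that the script really left the vDisk in the state the manual asks for. The following pre-seal check is an added example and not part of the original post or of Trend Micro's deployment script; all variable names are my own, the service name and folder are the ones used above.

```powershell
# Pre-seal check (added example): verifies on the maintenance vDisk that ds_agent is stopped
# and set to Manual, and that no agent identity/state files (*.db, *.crt, *.ini, *.config, *.bin)
# are left under ProgramData. Leftover files would be cloned into every target device, so all
# devices would boot with the same agent identity and fight over one computer object in DSM.
$ServiceName = 'ds_agent'
$AgentData   = "$Env:ProgramData\Trend Micro\Deep Security Agent"
$Extensions  = '*.db', '*.crt', '*.ini', '*.config', '*.bin'
$Problems    = @()

$Svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $Svc) {
    $Problems += "Service '$ServiceName' not found - is the DSA installed?"
} else {
    if ($Svc.Status -ne 'Stopped') {
        $Problems += "Service '$ServiceName' is $($Svc.Status), expected Stopped"
    }
    # Win32_Service reports the start mode on every PowerShell version (Auto/Manual/Disabled)
    $StartMode = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartMode
    if ($StartMode -ne 'Manual') {
        $Problems += "Service '$ServiceName' start mode is $StartMode, expected Manual"
    }
}

if (Test-Path $AgentData) {
    $Leftovers = Get-ChildItem -Path $AgentData -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue
    foreach ($f in $Leftovers) {
        $Problems += "Leftover agent file: $($f.FullName)"
    }
} else {
    $Problems += "Agent data folder '$AgentData' not found"
}

if ($Problems.Count -eq 0) {
    Write-Output 'OK - vDisk is ready to be sealed'
    exit 0
} else {
    $Problems | ForEach-Object { Write-Output "NOT OK - $_" }
    exit 1
}
```

A non-zero exit code means the agent is still running, still set to automatic start, or still carries identity files; fix that before you seal.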
Now you can go ahead and seal the image like you always do (of course with the great BIS-F).
2. Deep Security Manager configuration
Double-check in DSM that you have already configured the re-registration of the client, otherwise the agent registration will not work.
Go to "Administration > System Settings > Agents" and make sure "Agent-initiated Activation" is configured as shown below:
3. GPO to start service and (re-)register agent
Because we have to start the service during boot, I decided to use a GPO which starts the service and executes a PowerShell script that does the (re-)registration of the agent.
Create a GPO (in my case "CTX_VDA_StartAndRegisterTMDSAgent") with the following settings and link it to the OU with the VDAs:
To (re-)register the DSA against DSM you can use the "RegisterDSAWithPolicy.ps1" script I created:
```powershell
<#
.SYNOPSIS
(Re-)Registers Trend Micro Deep Security Agent (DSA) against Trend Micro Deep Security Manager (DSM)
.DESCRIPTION
This script will be fired up by a GPO called "CTX_VDA_StartAndRegisterTMDSAgent" and will (re-)register the DSA against the DSM.
It will automatically assign the correct policy to the computer object
.EXAMPLE
.\RegisterDSAWithPolicy.ps1
.INPUTS
None.
.OUTPUTS
Logfile, see $LogFile variable
.NOTES
Double check that the variables suit your needs. Make sure the log file will be on a persistent drive.
NAME: RegisterDSAWithPolicy.ps1
VERSION: 1.00
AUTHOR: Markus Zehnle
LASTEDIT: 19.07.2017
#>

#region: variables
# Path to dsa_control.cmd (double quotes, so ${env:ProgramFiles(x86)} is actually expanded)
$DSAControl = "${env:ProgramFiles(x86)}\Trend Micro\Deep Security Agent\dsa_control.cmd"
# DeepSecurity Citrix Policy
$PolicyID = 'policyid:34'
# DeepSecurity Server
$DSServer = 'dsmserver.domain.tld:4120'
# ServiceName:
$ServiceName = "ds_agent"
# Local Logfile
$LogFile = "D:\LOG\tmdsaregistration.log"
# Computername
$ComputerName = $Env:computername
#endregion: variables

#region: magic
Write-Output "$(Get-Date): Start TrendMicro DeepSecurity Agent registration on $ComputerName" > $LogFile
Write-Output "$(Get-Date): --------------------------------------------------------------------" >> $LogFile
Write-Output "$(Get-Date):" >> $LogFile
Write-Output "$(Get-Date): Check if $ServiceName service is running:" >> $LogFile
# The GPO starts the service; wait here until it is actually up before registering
While ((Get-Service -Name $ServiceName).Status -ne 'Running') {
    Write-Output "$(Get-Date): $ServiceName service is not running, waiting until it starts..." >> $LogFile
    Start-Sleep 5
}
Write-Output "$(Get-Date): $ServiceName service is running, go ahead" >> $LogFile
Write-Output "$(Get-Date): " >> $LogFile
Write-Output "$(Get-Date): Check if $DSAControl exists:" >> $LogFile
If (Test-Path $DSAControl) {
    Write-Output "$(Get-Date): $DSAControl exists, lets fire up registration!" >> $LogFile
    Write-Output "$(Get-Date):" >> $LogFile
    Write-Output "$(Get-Date): $DSAControl -a dsm://$DSServer/ $PolicyID" >> $LogFile
    & $DSAControl -a dsm://$DSServer/ $PolicyID >> $LogFile
} else {
    Write-Output "$(Get-Date):" >> $LogFile
    Write-Output "$(Get-Date): No $DSAControl found! Script will Exit" >> $LogFile
    Exit
}
Write-Output "$(Get-Date):" >> $LogFile
Write-Output "$(Get-Date): TrendMicro DeepSecurity Agent registration finished" >> $LogFile
#endregion: magic
```
As usual: Use your brain before putting my scripts in your environment!