Trend Micro Smart Protection Server Deployment

Trend Micro products leverage the ‘Smart Protection Network’ (SPN), which is essentially Trend Micro’s cloud network providing analysis and protection against malware and other malicious threats. The enterprise protection products can talk directly to the SPN, or you can install a local appliance, configure your systems to talk to that, and have them go to the SPN only if they cannot reach your local appliance.

For reference here are some links for the SPN that may be of interest –

Next I have some useful links for the Trend Micro ‘Smart Protection Server’ (SPS) appliance – this is a locally installed appliance which your Trend Micro products connect to and forward URLs or file hashes for verification.

If you are interested in replacing the default self-signed SSL/TLS certificate after deployment then I have created a post on this here – https://www.bytesizedalex.com/trend-micro-smart-protection-server-ssl-tls-certificate-replacement/

In a production environment I strongly recommend the deployment of multiple SPS appliances for load balancing and high availability. Trend Micro products which can be configured to use SPS appliances typically give you the option to direct traffic to a collection of SPS appliances either in order or randomly. When running multiple SPS appliances I would suggest targeting them randomly to balance the load, though of course a lot depends on your setup and networking.

System Requirements

I’m going to deploy to my home lab running on VMware ESXi. You can deploy the SPS appliance on other hypervisors – check the installation guide link above for full details.

The minimum hardware requirements are as follows –

  • 2 vCPU – 2GHz frequency recommended
  • 2GB RAM
  • 30GB hard drive – 35GB is recommended and I would suggest you consider it as the minimum value
  • SCSI Controller – LSI Logic SAS
  • 1 vNIC – note only the E1000 and VMXNET3 NICs are supported on ESXi

Note the following from the installation guide –

  • Smart Protection Server is a CPU-bound application. This means that increasing CPU resources increases the number of simultaneous requests handled
  • Network bandwidth may become a bottleneck depending on network infrastructure and the number of simultaneous update requests or connections
  • Additional memory might be required if there is a large number of concurrent connections between Smart Protection Servers and endpoints

Installation

I created a virtual machine in ESXi; the summary settings are displayed below for reference.

SPS Virtual Machine Summary

Now it is time to power on the machine with the CD ISO image attached and run through the installation. If you feel the need you can run a memory test using option 2, though I don’t feel there is much need for this on a virtual machine install. Selecting option 1 proceeds with the installation.

Install Smart Protection Server Option 1

The installer will jump between a few screens as it loads drivers and other components. Once complete, it returns to the installation menu, where the option to select an appropriate language is presented.

Select Language

Next we need to accept the end user license agreement (EULA).

Accept End User License Agreement (EULA)

Time to select the appropriate keyboard layout.

Select Keyboard Layout

The installer provides a summary of the hardware configuration. At this point it would also identify any issues with the hardware configuration, e.g. a lack of resources.

Hardware Summary

Now we need to configure the appliance hostname and network settings. Obviously this configuration is dependent on your own network setup. In my case I’m going to set everything manually for this appliance. Clicking on the ‘Edit’ button will provide access to the IP address assignment and will then unlock the ‘Miscellaneous Settings’.

Hostname and Network Settings Configuration

This screen presents a world map with yellow icons denoting various regions to aid in time zone configuration.

Select World Map Region

It is very important to configure a strong password for the appliance root and admin accounts. As always, using a lengthy combination of letters, numbers and special symbols is the best approach.

Finally we are presented with a summary of our settings. Clicking to install presents a warning that any data on the disk will be erased as part of the installation.

Installation Summary

Installation Summary - Disk Erase Warning

Installation Progress

Installation Complete

The virtual machine can now be rebooted and we can then move on to the web configuration. If you check the VM status you will notice that the VMware tools do not show as installed; Trend Micro include the VMXNET3 driver but nothing else. Personally I’ve always installed the tools to benefit from the other features they provide, and I’ve never had an issue on my production systems, so I always install them at this point.

Install VMware Tools

To install the tools it is necessary to log on to the SPS appliance as the root user. The following commands can then be executed once the VMware tools installation has been launched.

-bash-3.2# mkdir /mnt/cdrom
-bash-3.2# mount /dev/cdrom /mnt/cdrom
-bash-3.2# cp /mnt/cdrom/VMwareTools-*.tar.gz /tmp
-bash-3.2# tar -zxf /tmp/VMwareTools-*.tar.gz -C /tmp
-bash-3.2# cd /
-bash-3.2# ./tmp/vmware-tools-distrib/vmware-install.pl --default
-bash-3.2# rm -f /tmp/VMwareTools-*.tar.gz
-bash-3.2# rm -rf /tmp/vmware-tools-distrib

VMware Tools Installation

Web Interface Configuration

Once the VM has loaded, the console will show a screen similar to the one below. It provides the information we need to configure other Trend Micro products to use this SPS appliance, as well as the link to the web configuration page.

Console Screen

You will notice that the secure page presents a certificate error. This is because it is running a self-signed certificate. I will create a separate post on how to change the SPS appliance certificate. (Update – here is the link to my post on certificate replacement https://www.bytesizedalex.com/trend-micro-smart-protection-server-ssl-tls-certificate-replacement/)
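
Until the certificate is replaced, the browser warning cannot tell you whether the certificate being served is the appliance's own. The script below is an added example (not from the original post or from Trend Micro's tooling) that compares the SHA-256 fingerprint of the served certificate with one you recorded over a path you trust; the host, port and pinned fingerprint are placeholders you supply on the command line.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def normalise(fingerprint: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex and return lowercase hex."""
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 over the DER encoding, the value browsers and openssl display."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches_pin(pem: str, expected: str) -> bool:
    """Constant-time comparison of the served certificate against the pin."""
    return hmac.compare_digest(fingerprint_from_pem(pem), normalise(expected))


def fetch_server_cert_pem(host: str, port: int, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate without chain validation.

    Validation is switched off only to retrieve the certificate for pinning;
    a self-signed certificate fails it by design. No credentials are sent
    over this connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    # Arguments are placeholders: appliance host, web console port, pinned hex.
    if len(sys.argv) != 4:
        sys.exit("usage: check_pin.py <host> <port> <expected-sha256>")
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    pem = fetch_server_cert_pem(host, port)
    print("served :", fingerprint_from_pem(pem))
    print("pinned :", normalise(expected))
    sys.exit(0 if matches_pin(pem, expected) else "fingerprint mismatch")
```

A mismatch means the certificate reaching your browser is not the one you recorded, so do not enter the admin credentials until that is explained.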

Log on using the admin credentials created during the installation process.

Web Interface Configuration Logon Page

On first logon the system will walk us through a short setup wizard. There isn’t really much need to change any of these settings; the only two you might consider are the feedback and proxy settings.

Web Interface Configuration Wizard

Web Interface Configuration Wizard Smart Protection Network Feedback

Web Interface Configuration Wizard Proxy Settings

Once the wizard is finished the home page is displayed.

SPS Appliance Web Dashboard

It’s now time to configure the last few options – they are highly dependent on the environment, so I will simply present them and provide advice where necessary.

First we have the URL block list menu. If you need to specify your own rules you can do so here.

Approved/Blocked URL List

If you have a Deep Discovery Advisor you can register the SPS to it.

In my production environment I configure SPS appliances to update every 15 minutes – this helps to ensure rapid deployment of definitions etc. to help prevent zero hour/day exploits.

Pattern Update Schedule Every 15 Minutes

I also leave the system to automatically check for program updates, as this reduces management overhead and also keeps the appliance up to date with important patches.

Program Updates Every Week

Depending on your requirements you can configure log management.

Log Management Settings

The appliance can be configured for SNMP and to forward notifications via e-mail.

SNMP Configuration

Configure Notifications

Diagnostics can be generated from the Support menu.

Support Menu Collect Diagnostics

There are other options and settings that I’m not going to discuss in this post – suffice to say that at this point the SPS appliance is ready to service requests from Trend Micro products. As I said at the beginning, I recommend multiple SPS appliances be deployed to balance load and provide high availability.

4 thoughts on “Trend Micro Smart Protection Server Deployment”

  1. Hi Alex,

    Great guide, thank you. Just checking to see if you ever created the post for “How to change the SPS appliance certificate”? I have searched high and low about this topic but cannot find anything specific about it even on the Trend site. Your help would be greatly appreciated!

    • Hi Brian,

      That’s a great reminder! I just found a starting draft in my backlog that I never got round to finishing. It was rather easy once I got onto the appliance so I will write this up ASAP and hopefully it will help you out. I’ve had fun replacing certificates on other Trend products and to be honest with all sorts of systems so much so that now I see them as a fun challenge to figure out.

      Alex

  2. Thanks for this guide Alex. We’ve been running SPS for about a year now but noticed the VMware tools were not installed in our environment and I found it wasn’t as easy as just installing through vCenter. Your guide on the tools install really helped. Thanks. Very useful blog, one to add to my favourites!
