You can configure proxies between various Trend Micro servers and services.
In this topic:

Register a proxy in the manager

  1. In Deep Security Manager, go to Administration > System Settings > Proxies.
  2. In the Proxy Servers area, click New > New Proxy Server.
  3. In the Name and Description fields, enter a friendly name and description for your proxy.
  4. For the Proxy Protocol, select either HTTP, SOCKS4, or SOCKS5. Not all protocols are supported by all components. See Supported proxy protocols for details.
  5. In the Address and Port fields, enter the IP address or URL of the proxy as well its port. The default values are 8080 or 80 for HTTP, 3128 for the Squid HTTP proxy, and 1080 for SOCKS 4 and 5.
  6. Enable Proxy requires authentication credentials if you previously set up your HTTP or SOCKS 5 proxy to require authentication from connecting components. Enter those credentials in the User Name and Password fields.

Supported proxy protocols

The following table lists the proxy protocols supported by the Trend Micro services and clients. You need this information to register and configure a proxy through dsa_control.
Service
Origin (client)
HTTP Support
SOCKS4 Support
SOCKS5 Support
Deep Security Manager
Agents/Relays
Yes
No
No
Deep Security Relays
Agents/Relays
Yes
Yes
Yes
Deep Security Software Updates, Certified Safe Software Service (CSSS), News Updates, Product Registration and Licensing
Manager
Yes
No
No
Deep Security Protected Product Usage Data Collection
Manager
Yes
No
No
Cloud accounts (AWS, Azure, Google Cloud Platform, VMware vCloud)
Manager
Yes
No
No
Smart Protection Network - Census, Good File Reputation, and Predictive Machine Learning
Agents
Yes
No
No
Smart Protection Network - Global Smart Protection Service
Agents
Yes
No
No
Smart Protection Network - Smart Feedback
Manager
Yes
No
Yes

Connect to the Primary Security Update Source via proxy

You can connect your agents and relays to your primary security update source via a proxy. By default, the primary security update source is the Trend Micro Update Server (also known as Active Update).
Note that the agents and appliances only use the proxy if their assigned relay is not available and they have been granted explicit permission to access the primary update source.
  1. Make sure that you are using Deep Security Agent 10.0 or later, as connections through a proxy are not suppored in earlier versions.
  2. Register a proxy in the manager.
  3. If you are setting the security update proxy for the default relay group, perform the following:
    • In Deep Security Manager, select the Administration > System Settings > Proxies tab.
    • In the Proxy Server Use area, change the Primary Security Update Proxy used by Agents, Appliances, and Relays setting to point to the new proxy.
  4. If you are setting the security update proxy for a non-default relay group, perform the following:
    • In Deep Security Manager, select the Administration > Updates > Relay Management tab.
    • Select the target relay group. In the Relay Group Properties area, change the Update Source Proxy setting to point to the new proxy.
  5. Click Save.
  6. Restart the agents.
Note
Note
The proxy should not replace the TLS certificate used to communicate with the primary security update source, as this can cause the security update to fail.

Connect to Deep Security Manager via proxy

Agents connect to their manager during agent activation and heartbeats. There are two ways to connect an agent to its manager via a proxy:

Connect an agent to the manager via a proxy using a deployment script

  1. Make sure you are using Deep Security Agent 10.0 or later, as connections through a proxy are not suppored in earlier versions.
  2. Register a proxy in the manager.
  3. In the top right of Deep Security Manager, click Support > Deployment Scripts.
  4. From Proxy to contact Deep Security Manager, select a proxy.
  5. Copy the script or save it.
  6. Run the script on the computer. The script installs the agent and configures it to connect to the manager through the specified proxy.

Connect an agent to the manager via a proxy using dsa_control

On a Windows agent:
  • Open a command prompt (cmd.exe) as Administrator and enter the following:
    cd C:\Program Files\Trend Micro\Deep Security Agent\
    dsa_control -u myUserName:MTPassw0rd
    dsa_control -x dsm_proxy://squid.example.com:443
On a Linux agent:
  • Enter the following:
    /opt/ds_agent/dsa_control -u myUserName:MTPassw0rd
    /opt/ds_agent/dsa_control -x dsm_proxy://squid.example.com:443
Regardless of the agent platform:
  • Make sure the proxy uses one of the supported proxy protocols.
  • For details on dsa_control and its -u and -x options, see dsa_control.
  • Repeat these commands on each agent that needs to connect through a proxy to the manager.
  • Run commands to update the agent's local configuration. No policy or configuration changes are made in the manager as a result of running these commands.

Connect to Deep Security Relays via proxy

Agents connect to their relay to obtain software and security updates. There are two ways to connect an agent to a relay via a proxy:

Connect an agent to relays via a proxy using a deployment script

  1. Make sure you are using Deep Security Agent 10.0 or later, as connections through a proxy are not suppored in earlier versions.
  2. Register a proxy in the manager.
  3. In the top right of Deep Security Manager, click Support > Deployment Scripts.
  4. From Proxy to contact Relay(s), select a proxy.
  5. Copy the script or save it.
  6. Run the script on the computer. The script installs the agent and configures it to connect to the relay through the specified proxy.

Connect an agent to relays via a proxy using dsa_control

On a Windows agent:
  • Open a command prompt (cmd.exe) as Administrator and enter the following commands:
    cd C:\Program Files\Trend Micro\Deep Security Agent\
    dsa_control -w myUserName:MTPassw0rd
    dsa_control -y relay_proxy://squid.example.com:443
On a Linux agent:
  • Enter the following:
    /opt/ds_agent/dsa_control -w myUserName:MTPassw0rd
    /opt/ds_agent/dsa_control -y relay_proxy://squid.example.com:443
Regardless of the agent platform:
  • Make sure the proxy uses one of the supported proxy protocols.
  • For details on dsa_control and its -w and -y options, see dsa_control.
  • Repeat these commands on each agent that needs to connect through a proxy to the manager.
  • Run commands to update the agent's local configuration. No policy or configuration changes are made in the manager as a result of running these commands.

Connect to Deep Security Software Updates, CSSS, and more via proxy

You can connect your agents to the following Deep Security cloud-based servers and services via a proxy:
  • Software Update server (also known as the Download Center)
  • Certified Safe Software Service (CSSS), which is a feature of the Integrity Monitoring module
  • Product Registration service
  • Licensing service
  • Deep Security Protected Product Usage Data Collection service (also known as the Telemetry service)
  1. Register a proxy in the manager.
  2. In Deep Security Manager, click Administration at the top.
  3. In the main pane, select the Proxies tab.
  4. Next to (Connection to Trend Micro services), select your proxy.
  5. Click Save.
  6. Restart the Deep Security Manager and all manager nodes so that the CSSS proxy settings take effect.

Connect to cloud accounts via proxy

You can connect the manager to an AWS, Azure, or GCP cloud account via a proxy. For more on these accounts, see Add an AWS cloud account, Add a Microsoft Azure account to Deep Security, and Add a Google Cloud Platform account.
  1. Register a proxy in the manager.
  2. In Deep Security Manager, click Administration at the top.
  3. In the main pane, select the Proxies tab.
  4. Next to Deep Security Manager (Cloud Accounts - HTTP Protocol Only), select your proxy.
  5. Click Save.

Connect to the Smart Protection Network via proxy

Use the following procedure to configure a proxy between agents and the following services in the Smart Protection Network -  Global Census, Good File Reputation, Predictive Machine Learning, and the Smart Protection Network itself:
  1. Register a proxy in the manager.
  2. In Deep Security Manager, click Policies at the top.
  3. In the main pane, double-click the policy that you use to protect computers that are behind the proxy.
  4. Set up a proxy to the Global Census, Good File Reputation, and Predictive Machine Learning Services as follows:
    1. Click Settings on the left.
    2. In the main pane, click the General tab.
    3. In the main pane, look for the Network Setting for Census and Good File Reputation Service, and Predictive Machine Learning section.
    4. If the Inherited check box is selected, the proxy settings are inherited from the parent policy. To change the settings for this policy or computer, clear the check box.
    5. Select When accessing Global Server, use proxy and in the list, select your proxy, or select New to specify another proxy.
    6. Save your settings.
  5. Set up a proxy to the Smart Protection Network for use with Anti-Malware:
    1. Click Anti-Malware on the left.
    2. In the main pane, click the Smart Protection tab.
    3. Under Smart Protection Server for File Reputation Service, if the Inherited check box is selected, the proxy settings are inherited from the parent policy. To change the settings for this policy or computer, clear the check box.
    4. Select Connect directly to Global Smart Protection Service.
    5. Select When accessing Global Smart Protection Service, use proxy and in the list, select your proxy or select New to specify another proxy.
    6. Specify your proxy settings and click OK.
    7. Save your settings.
  6. Set up a proxy to the Smart Protection Network for use with Web Reputation:
    1. Click Web Reputation on the left.
    2. In the main pane, click the Smart Protection tab.
    3. Under Smart Protection Server for Web Reputation Service, set up your proxy, the same way you did under Anti-Malware in a previous step.
    4. With Web Reputation still selected on the left, click the Advanced tab.
    5. In the Ports section, select a group of port numbers that includes your proxy's listening port number, and then click Save. For example, if you’re using a Squid proxy server, you would select the Port List Squid Web Server. If you don’t see an appropriate group of port numbers, go to Policies > Common Objects > Lists > Port Lists and then click New to set up your ports.
    6. Save your settings.
  7. Send the new policy to your agents. See Send policy changes manually.
Your agents now connect to the Smart Protection Network through a proxy.

Connect to Workload Security via proxy

  1. Register a proxy in the manager.
  2. In Deep Security Manager, go to Administration > Proxies.
  3. Next to Trend Vision One Endpoint Security Link (HTTP Protocol Only), select your proxy.
  4. Click Save.

Remove a proxy

To remove a proxy between agent and manager, or agent and relay

  • Redeploy agents using new deployment scripts that no longer contain proxy settings. For details, see Use deployment scripts to add and protect computers.
    or
  • Run the following dsa_control commands on the agents: 
    dsa_control -x ""
    dsa_control -y ""
    These commands remove the proxy settings from the agent's local configuration. No policy or configuration changes are made in the manager as a result of running these commands.
    For details on dsa_control and its -x and -y options, see dsa_control.

To remove a proxy between any other components

Run through the instructions on connecting through a proxy, but complete them in reverse, so that you remove the proxy.