To start protecting your Azure virtual machines (VM) with Deep Security Manager VM
for Azure Marketplace, basic steps include:
If you are upgrading an existing Deep Security Manager VM for Azure Marketplace, see
Upgrade Deep Security Manager VM for Azure Marketplace.
Buy Deep Security from the Azure Marketplace
You can buy Deep Security from the Azure Marketplace as Deep Security Manager (BYOL).
Note: To buy Deep Security Manager (BYOL), you need to have already obtained a license
for Deep Security. If you need a license, contact azure@trendmicro.com for help with obtaining
one.
- Log in to your Azure portal and click All Services > General > Marketplace.
- Search for Deep Security Manager (BYOL).
- In the search results, click Deep Security Manager (BYOL).
- Review the information provided and click Create.
- Follow the steps of the Create Deep Security Manager journey to create a Deep Security virtual machine.
  - Specify the name of the Deep Security Manager VM and configure other general settings on the Basics blade, and then click OK.
    - The credentials you specify in this blade are what you will use to log on to the Deep Security Manager virtual machine.
    - Depending on the type of authentication you select, you have to enter a strong password or an SSH public key.
    - Type a name into Resource group to create a new resource group.
      Note: Azure does not allow Deep Security Manager VM to be deployed on existing resource groups. A new resource group must be created.
    - Select an Azure region from the Location list.
  - Select a virtual machine size, configure the Deep Security Manager URL and port numbers on the Deep Security Manager VM blade, and then click OK.
    - Use the DNS name you enter in Deep Security Manager URL, such as azurevmdemo01.
    - Enter the port number for the Deep Security Manager console port to access and log into Deep Security Manager, such as https://azurevmdemo01.eastus.cloudapp.azure.com:443.
    - Enter the heartbeat port number used by the Deep Security Agents to communicate with Deep Security Manager.
  - Create a new database or enter the name of an existing one on the Database Settings blade, and then click OK.
    - Do not type anything into Database Hostname if you create a new database. However, if you click Use Existing, then the database hostname is required.
    - You can view the names of existing Azure SQL databases by going to the SQL databases blade and viewing the properties of a database (Settings blade > Properties blade > Server name).
  - On the Deep Security Credentials blade, enter the name of the administrator account that you will use to sign in to Deep Security Manager, enter and confirm the password for that account, and then click OK.
  - Click the arrows to review the settings for the new virtual network and the subnet for the Deep Security Manager VM on the Network Settings blade, and then click OK twice.
  - Review the information on the Summary blade and click OK when "Validation passed" appears at the top of the summary to finish creating the virtual machine.
  - Click Terms of use, privacy policy, and Azure Marketplace Terms on the Buy blade to review them, and then click Create.
    It will take approximately 30-40 minutes before your new virtual machine is running.
- When installation is complete, open a browser and go to: https://<DNS name>:8443 where the DNS name is the name you specified on the Deep Security Manager blade (for example, azurevmdemo01.eastus.cloudapp.azure.com). To view the DNS name for your Deep Security virtual machine, select the virtual machine in the Public IP address blade, and then click Overview. It will be in the DNS name field.
- Enter the Subscription ID for the virtual machine and click Sign in. If the installation succeeded, you will be redirected to Deep Security Manager. If the installation failed, you will see an error message. If this happens, click Install Deep Security Manager again and verify all settings as you step through the installation again.
Allow the inbound SSH port of the DSM virtual machine
- Go to the Deep Security Manager deployed resource group.
- Select the type of the Network security group.
- Select the Inbound security rules from the left navigation pane.
- Select + Add > Add inbound security rules.
- Select the Source from the drop-down.
- Enter the Source IP addresses or CIDR ranges, as needed. Provide an address range using CIDR notation (for example, 192.168.99.0/24 or 2001:1234::/64), or an IP address (for example, 192.168.99.0 or 2001:1234::). You can also provide a comma-separated list of IP addresses or address ranges using either IPv4 or IPv6.
- Enter the Source port range. Provide a single port, such as 80; a port range, such as 1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80,1024-65535. This specifies on which ports traffic will be allowed or denied by this rule. Use an asterisk to allow traffic on any port.
- Use the Destination drop-down to limit the Destination as required. We recommend you use the default of Any.
- On the Service drop-down, select SSH.
- Enter the Destination port ranges. Provide a single port, such as 80; a port range, such as 1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80,1024-65535. This specifies on which ports traffic will be allowed or denied by this rule. Use an asterisk to allow traffic on any port.
- You can change the Priority or Name of the rule. (Optional)
- Add a Description of the rule. (Optional)
- Select Add to create the rule.
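
Before saving the rule, the Source and Destination port values can be checked against the field formats described in the steps above. The following is an added example, not part of the original documentation or of Deep Security: the function names and the `MIN_PREFIX` thresholds are assumptions, and the sample inputs are constructed.

```python
import ipaddress

# Shortest prefix lengths accepted without a finding (assumed thresholds, tune per site).
MIN_PREFIX = {4: 16, 6: 48}

def parse_sources(field):
    """Parse the Source field: comma-separated IPs or CIDR ranges (IPv4 or IPv6)."""
    nets = []
    for item in field.split(","):
        # A bare IP becomes a /32 or /128; strict=False tolerates host bits in a CIDR.
        nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def parse_ports(field):
    """Parse a port field: '*', one port, a range, or a comma-separated mix."""
    if field.strip() == "*":
        return [(0, 65535)]
    ranges = []
    for item in field.split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item.strip()}")
        ranges.append((lo, hi))
    return ranges

def review_ssh_rule(source, dest_ports):
    """Return findings for an inbound SSH rule; an empty list means nothing was flagged."""
    findings = []
    for net in parse_sources(source):
        if net.prefixlen == 0:
            findings.append(f"{net}: SSH reachable from any address")
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"{net}: source range wider than /{MIN_PREFIX[net.version]}")
    if parse_ports(dest_ports) != [(22, 22)]:
        findings.append(f"destination ports '{dest_ports}' cover more than SSH (22)")
    return findings

if __name__ == "__main__":
    # Constructed inputs using the address and port formats from the steps above.
    for src, ports in [("192.168.99.0/24, 2001:1234::/64", "22"), ("0.0.0.0/0", "*")]:
        print(src, "|", ports, "->", review_ssh_rule(src, ports) or "ok")
```
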
Add a Microsoft Azure account to Deep Security
Once you've installed Deep Security Manager, you can add and protect Microsoft Azure
virtual machines by connecting a Microsoft Azure account to the Deep Security Manager.
For instructions, see Add a Microsoft Azure account to Deep Security.
Create a policy
After you have added Microsoft Azure virtual machines to Deep Security, you need to
create a policy that specifies how Deep Security should protect them.
You have two options for creating a policy:
- You can make a duplicate copy of one of the server policies that come with Deep Security and modify it as required.
- You can build your own policy using the Base Policy as your starting point.
For more information on how to create a policy, see Create a policy or change settings for a specific computer.
For more information on how policies work in Deep Security, see Policies, inheritance, and overrides.
Deploy Deep Security Agents
To start protecting your Microsoft Azure virtual machines with Deep Security, you
need to deploy Deep Security Agents to them. You can do this in multiple ways. See
Install the agent on Azure VMs for details.