Understanding Control Manager Security Levels

Control Manager has three security levels used for the communication between the server and managed products and child servers for both older agents and MCP agents. For MCP agents, Security Level applies to the virtual folders of IIS, comprising of three different levels: high, medium, and normal.

  • High: Specifies Control Manager communicates only using HTTPS

  • Medium: Specifies Control Manager uses HTTPS to communicate when available, but uses HTTP when HTTPS is not available

  • Normal: Specifies Control Manager uses HTTP to communicate

The security behavior corresponds to each security level listed below:


Security Level
High Medium Normal

Supports only HTTPS UI access


Supports HTTPS and HTTP UI access


Supports redirect to HTTPS or HTTP product UI

Only integrates with HTTPS supported products (MCP)


Integrates with both HTTP and HTTPS supported products


Allow products to download updates from Control Manager through either HTTP or HTTPS

Depending on the security level of older agents, Control Manager provides the following encryption and authentication:

  • SSL packet-level encryption: Control Manager applies Secure Socket Layer (SSL) packet-level encryption to all security levels. SSL packet-level encryption is a protocol developed by Netscape for secure transactions across the web. SSL uses a form of public key encryption, where the information can be encoded by the browser using a publicly available public key, but can only be decoded by a party who knows the corresponding private key.

    The Control Manager agents can encrypt their communication using the public key. In return, the Control Manager server uses a private key to decrypt the agent message.

  • Trend Micro authentication: Control Manager applies Trend Micro authentication 5 (High) security level.

    When using High level, Control Manager first applies the SSL packet-level encryption and then further strengthens the encryption through Trend Micro authentication.


You can modify the Control Manager security level through TMI.cfg. However, doing so requires the modification of all TMI.cfg present in the Control Manager network. This includes the TMI.cfg of the Control Manager server and all managed products and child servers. Otherwise, the server and agent communication will not work.

Table 1. Security Level Behavior for Older Agents

Security Level (found in TMI.cfg)

Security Level Selection (During Installation)

End-to-End Authentication

Message-level Encryption




40-bit (RC4)




128-bit (RC4)



Trend Micro authentication

128-bit (RC4 + 3DES)