Trend Micro Incorporated                                   December 2019

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Deep Discovery Web Inspector
Version 2.5, Build Number 1369
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notes: This Readme was current as of the date above. However, all
customers are advised to check the Trend Micro website for
documentation updates at:

   http://docs.trendmicro.com/

Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation, or online at:

   https://olr.trendmicro.com/registration/

Contents
=====================================================================
   1. About Deep Discovery Web Inspector
   2. What's New
   3. Documentation
   4. System Requirements
   5. Installation
   6. Configuration
   7. Known Issues
   8. Contact Information
   9. About Trend Micro
   10. License Agreement
=====================================================================

1. About Deep Discovery Web Inspector
========================================================================

   Deep Discovery Web Inspector inspects and eliminates cyber threats
   and attacks that could threaten your network. Designed to be
   integrated into your existing network topology to monitor your
   network traffic, Deep Discovery Web Inspector acts as either a
   transparent bridge or a forward proxy.

2. What's New
========================================================================

   2.1 New Features
   ====================================================================

   New Feature 1: Configure Whether to Bypass Scanning of Traffic From
                  iOS and Android Mobile Devices

   Deep Discovery Web Inspector has adopted the Trend Micro DPI Turnkey
   Solution to classify network traffic from iOS or Android devices.
   The default is to scan traffic from these devices.

   You can now configure Deep Discovery Web Inspector to bypass
   scanning of traffic from iOS and Android devices.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   New Feature 2: Adds Support for Integration with Deep Discovery
                  Director

   Trend Micro Deep Discovery Director is an on-premises management
   solution that enables centralized management of certain Deep
   Discovery Web Inspector tasks, as well as configuration replication
   for Deep Discovery Web Inspector appliances.

   By registering the appliance to Deep Discovery Director, you can
   enable the bi-directional synchronization of synchronized suspicious
   objects and suspicious object exceptions. Additionally, Deep
   Discovery Director synchronization scheduling tasks provide
   synchronization services to Deep Discovery Web Inspector node pairs
   operating in Transparent HA mode.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   New Feature 3: Support for Transparent HA Mode

   Transparent HA mode supports a multi-Internet connection network
   environment with asymmetric routing. For each connection link, there
   will be one Deep Discovery Web Inspector node.

   The difference between Transparent HA mode and Transparent Bridge
   mode is that under Transparent HA mode, each Deep Discovery Web
   Inspector appliance sets an IP address on the bridge egress
   interface (br0), and each appliance rewrites the source IP address
   to access real web servers, which solves the asymmetric routing
   issue.

   You can use Transparent HA mode in network environments with
   asymmetric routing. If there is no asymmetric routing scenario in
   the network, you do not need to use this mode.

   You can implement a Transparent HA deployment with or without LACP
   trunks.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   New Feature 4: Support for LACP

   Deep Discovery Web Inspector supports LACP (Link Aggregation Control
   Protocol, 802.3ad standard) for configuring trunked data egress/data
   ingress interfaces in Transparent Bridge and Transparent HA modes.
   When LACP is enabled, Deep Discovery Web Inspector automatically
   creates a two-port aggregate for data ingress and a two-port
   aggregate for data egress. LACP trunk links provide link redundancy.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   New Feature 5: Support for Multi-Bridge Mode

   Multi-Bridge mode is a variation of Transparent Bridge mode where
   Deep Discovery Web Inspector is equipped with two bypass cards and
   connects to the Internet through two WAN lines. The appliance acts
   as a layer 2 bridge between network devices (core switches and
   routers) and is transparent on the network.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   New Feature 6: Support for Synchronized Suspicious Objects

   Adds support for displaying detections for synchronized suspicious
   objects acquired from either Deep Discovery Director or Apex Central
   (formerly known as Control Manager). Supported synchronized
   suspicious object types include: Domain, URL, IP address, and File
   SHA1.

   You can conveniently select one or more synchronized suspicious
   objects from the detection page and add them to either the Approved
   List or Blocked List.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   New Feature 7: Support for TLS 1.3

   Adds support to decrypt HTTPS traffic with TLS 1.3.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   New Feature 8: Support for the Mitre Report

   Deep Discovery Web Inspector supports displaying the Mitre report
   from the sandbox in the Virtual Analyzer report.
   2.2 Enhancements
   ====================================================================

   Enhancement 1: Enhancement to HTTPS Inspection

   Enhancements have been made to HTTPS Inspection functionality. The
   Policy menu has been expanded with new sub-menus for HTTPS
   Inspection:

   * Decryption Rules
     Menu item formerly known as HTTPS Inspection where you can
     configure decryption rules.

   * Digital Certificates
     Manage digital certificates in the Trusted, Untrusted, and Invalid
     certificate stores and manage the exception list.

   * HTTPS Tunnels
     Manage HTTPS tunnels, which allow the tunneling of HTTPS traffic
     without decryption.

   * Intelligent Decryption
     Manage fingerprint patterns used to determine whether traffic
     should be decrypted or not decrypted based on the fingerprint
     signature of the browser.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Enhancement 2: Enhancement to Apex Central Integration

   Adds support for synchronization of suspicious objects and
   suspicious object exceptions between Deep Discovery Web Inspector
   and Apex Central (formerly known as Trend Micro Control Manager).
   You can upload suspicious objects and view synchronized suspicious
   objects from the "Detections > Suspicious Objects" screen.

   Deep Discovery Web Inspector can be registered from the Apex Central
   web console. Deep Discovery Web Inspector can upload suspicious
   objects and suspicious object detection logs to Apex Central.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Enhancement 3: Enhancement to Transparent Bridge Mode

   Transparent Bridge mode has been enhanced to include support for
   LACP link aggregation. As part of the deployment, you can enable
   LACP and use trunked interfaces for data ingress and data egress.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Enhancement 4: Enhancement to the Approved/Blocked Lists

   Deep Discovery Web Inspector supports adding a new type, Server IP
   address, to the Approved/Blocked Lists.
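   Enhancement 4 also lets the appliance determine an entry's type
   (Domain, URL, Server IP address, or File SHA1) automatically as it is
   added, with an advanced setting to name the type explicitly. The
   following Python is an added example, not Trend Micro's code: the
   decision order, the regular expressions and the names classify_entry
   and add_to_list are assumptions of this example, chosen so that an IP
   address followed by a path is filed as a URL and a 40-character hex
   string as a SHA1 rather than as a domain.

```python
import ipaddress
import re
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# The four entry types the Approved/Blocked Lists accept.
ENTRY_TYPES = ("domain", "url", "server_ip", "sha1")

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify_entry(entry: str) -> str:
    """Return the list entry type for a raw string (assumed decision order).

    Order matters: a SHA1 is tested before a domain so hex-only strings are
    not mistaken for host names, and an IP address is tested before a URL so
    that a bare address is a server IP while an address with a path is a URL.
    """
    value = entry.strip()
    if not value:
        raise ValueError("empty entry")
    if SHA1_RE.match(value):
        return "sha1"
    try:
        ipaddress.ip_address(value)          # accepts IPv4 and IPv6 literals
        return "server_ip"
    except ValueError:
        pass
    # A scheme, path, query or fragment means the entry is a URL.
    if "://" in value or any(c in value for c in "/?#"):
        parts = urlsplit(value if "://" in value else "http://" + value)
        if parts.hostname:
            return "url"
        raise ValueError("URL without a host: %r" % entry)
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError("cannot determine entry type: %r" % entry)


def add_to_list(entries: Dict[str, Set[str]], entry: str,
                entry_type: Optional[str] = None) -> str:
    """Add an entry to a constructed list keyed by type; return the type used.

    entry_type=None mimics the automatic method; an explicit value mimics the
    advanced-settings override and must still be one of ENTRY_TYPES.
    """
    chosen = entry_type or classify_entry(entry)
    if chosen not in ENTRY_TYPES:
        raise ValueError("unknown entry type: %r" % entry_type)
    entries.setdefault(chosen, set()).add(entry.strip())
    return chosen
```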
   Additionally, you can use the automatic method to add entries for
   all object types (Domain, URL, Server IP address, or File SHA1) to
   the Approved/Blocked Lists, and Deep Discovery Web Inspector will
   automatically determine the entry type as the entry is added to a
   list. If desired, under advanced settings you can still specify
   whether you want an entry to be added as a domain, a URL, a Server
   IP address, or a file SHA1.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Enhancement 5: Enhanced X-Header Handling

   Options have been added to the Deep Discovery Web Inspector web
   console to enable or disable parsing of XFF headers. When Deep
   Discovery Web Inspector receives an HTTP request with an XFF header,
   it parses the XFF header to obtain the original client IP address
   and uses that IP address when evaluating whether traffic matches a
   policy.

   Deep Discovery Web Inspector does not support parsing XFF headers
   for HTTPS traffic if the traffic is not decrypted.

3. Documentation
========================================================================

   Electronic versions of the printed manuals are available at:

   http://www.docs.trendmicro.com

   In addition to this Readme, the documentation set for this product
   includes the following:

   * Quick Start Guide -- The Quick Start Guide provides user-friendly
     instructions on connecting Deep Discovery Web Inspector to your
     network and on performing the initial configuration.

   * Installation and Deployment Guide -- The Installation and
     Deployment Guide discusses requirements and procedures for
     installing and deploying Deep Discovery Web Inspector.

   * Administrator's Guide -- The Administrator's Guide contains
     detailed instructions on how to deploy, configure, and manage
     Deep Discovery Web Inspector, and provides explanations on Deep
     Discovery Web Inspector concepts and features.
   * Online Help -- The Online Help contains explanations of Deep
     Discovery Web Inspector components and features, as well as
     procedures needed to configure Deep Discovery Web Inspector. To
     access Help, open the product console and click the Help icon.

   * Syslog and Content Mapping Guide -- The Syslog Content Mapping
     Guide contains information on event logging formats supported by
     Deep Discovery Web Inspector.

   * Support Portal -- The Support Portal contains information on
     troubleshooting and resolving known issues. It provides the latest
     information about known product issues. To access the Support
     Portal, go to the following website:

     http://esupport.trendmicro.com

   * Trend Community -- Get help, share your experiences, ask
     questions, and discuss security concerns in the forums with fellow
     users, enthusiasts, and security experts.

     http://community.trendmicro.com/

4. System Requirements
========================================================================

   Trend Micro provides the Deep Discovery Web Inspector appliance
   hardware. No other hardware is supported.

   ------------------------
   Command Line Interface
   ------------------------

   * VGA connection:
     - Monitor with a VGA port
     - VGA cable

   * SSH connection:
     - Computer with an Ethernet port
     - Ethernet cable
     - SSH client (example: PuTTY)

   -----------
   Management Console
   -----------

   * Microsoft Internet Explorer 11
   * Microsoft Edge Windows 10
   * Mozilla(R) Firefox(R) 70 or higher
   * Google Chrome(TM) 78 or higher
   * Mac(R) Safari(R) Mac OS 12.0.3 or higher

   NOTE: Trend Micro recommends a 1280x1024 resolution.

5. Installation or Upgrade
========================================================================

   See the Installation and Deployment Guide for installation
   instructions.

6. Configuration
========================================================================

   For detailed instructions about setting up the appliance hardware
   and performing the initial configurations, see the Quick Start Guide
   for your Deep Discovery Web Inspector appliance hardware.

   After installation, configure the network parameters with the
   Command Line Interface (CLI). The following network settings are
   required:

   * Hostname
   * Management IP address and subnet mask
   * Gateway
   * DNS

   Note: The appliance automatically restarts after saving the network
   configuration changes.

   1. Power up the appliance if it is not already up.

   2. Connect a VGA monitor and USB keyboard to the Deep Discovery Web
      Inspector appliance. The appliance's command line interface is
      displayed on the monitor.

   3. Log on to the Command Line Interface with the default
      credentials.
      - User name: admin
      - Password: ddwi

   4. At the prompt, type "enable" (no quotes) and then press ENTER.

   5. Type the default password, "trend#1" (no quotes), and then press
      ENTER. The prompt changes from > to #.

   6. Configure network settings with the following command:

      Syntax: configure network basic

   7. Configure the following network settings and press Enter after
      typing each setting.
      * Host name
      * IPv4 address
      * Subnet mask
      * IPv4 gateway
      * Preferred IPv4 DNS
      * Alternate IPv4 DNS

   8. Type "Y" (no quotes) to confirm settings and restart.

   Deep Discovery Web Inspector implements the specified network
   settings and then restarts network services.

   You can now access the Deep Discovery Web Inspector management
   console using a supported Web browser by accessing https://.

   For configuration procedures, see the Getting Started chapter in the
   Administrator's Guide.

   Note: Trend Micro recommends updating the scan engine and pattern
   files immediately after installation.

7. Known Issues
========================================================================

   7.1 Deep Discovery Web Inspector cannot successfully install if an
       IP conflict exists.
       The Deep Discovery Web Inspector appliance has a default IP
       address (192.168.252.1). If another endpoint uses the same IP
       address, Deep Discovery Web Inspector cannot start services.
       Trend Micro recommends not connecting the appliance to the
       network until after the default IP address has been changed to
       a unique IP address on the network.

   7.2 Deep Discovery Web Inspector is unable to import Virtual
       Analyzer images from an FTP server in active mode.

       Deep Discovery Web Inspector security does not allow this type
       of connection. Trend Micro recommends using FTP servers in
       passive mode, or importing the Virtual Analyzer images through
       another method, such as from a UNC path.

   7.3 If you enable global authentication for Active Directory
       Services, Deep Discovery Web Inspector must be assigned a valid
       management port IP address that can be accessed by all clients.

       If authentication of web traffic is required, web traffic is
       redirected to the Authentication Portal using the management
       port for Kerberos/NTLM/Captive Portal authentication. If
       authentication fails or the authentication certificate is not
       trusted by the client, the continuing authentication traffic
       might increase throughput of the management port.

       To work around this issue, perform any one of the following:

       * Install the authentication certificate (see Administration >
         System Settings) on clients whose traffic traverses the Deep
         Discovery Web Inspector appliance and make the certificate
         trusted by the browser and client OS.

       * Exclude clients who are not joined to Active Directory domains
         from authentication policies.

       * Increase the maximal throughput of the Deep Discovery Web
         Inspector management port.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   7.4 In some scenarios, if the IP User Cache that is used for
       authentication is disabled, authentication might fail.

       The following might occur:

       * Using Safari, after several successful NTLM authentications,
         the authentication required window will keep popping up (Deep
         Discovery Web Inspector proxy mode). Apply workaround #1 or
         #3.

       * Using Edge/Safari, after authentication, not all contents or
         pictures can be loaded completely in a web page.

       * Using a specific Chrome version (70.0.3538.110), after several
         successful NTLM authentications, NTLM authentication
         subsequently fails. Apply workaround #1 or #2.

       * Some backend services or applications might not work because
         of authentication failure. This can happen because some
         services or applications do not accept Deep Discovery Web
         Inspector's authentication cookie, or they can't handle
         Captive Portal authentication. Apply workaround #1.

       Workarounds include:

       #1 Enable IP User Cache for all authentication policies listed
          on the Administration > Active Directory Services >
          Authentication Policy page.

       #2 Use the latest Chrome version.

       #3 Disable Safari's 'prevent cross-site tracking' function if
          contents or pictures are not loading completely in a web
          page.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   7.5 In some scenarios, applications will not authenticate
       automatically.

       In these scenarios, when the IP User Cache that is used for
       authentication has expired, some applications or services might
       lose their connection to the Internet.

       Workaround: Open a browser and visit the HTTP web site manually.
       Authentication might be passed automatically. If not, enter the
       user name and password in the pop-up authentication window or
       Captive Portal page. Once authentication is finished, the
       affected applications or services will recover.

8. Contact Information
========================================================================

   A license to the Trend Micro software usually includes the right to
   product updates, pattern file updates, and basic technical support
   for one (1) year from the date of purchase only.
   After the first year, Maintenance must be renewed on an annual basis
   at Trend Micro's then-current Maintenance fees.

   You can contact Trend Micro via fax, phone, and email, or visit us
   at the Trend Micro Website:

   http://www.trendmicro.com

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Evaluation copies of Trend Micro products can be downloaded from our
   Web site.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Worldwide Offices and Phone Numbers
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   http://www.trendmicro.com/en/about/overview.htm

   The Trend Micro 'About Us' screen displays. Click the appropriate
   link in the 'Contact Us' section of the screen.

   Note: This information is subject to change without notice.

9. About Trend Micro
========================================================================

   Trend Micro Incorporated, a global leader in Internet content
   security and threat management, aims to create a world safe for the
   exchange of digital information for businesses and consumers. A
   pioneer in server-based antivirus with over 20 years' experience, we
   deliver top-ranked security that fits our customers' needs, stops
   new threats faster, and protects data in physical, virtual and cloud
   environments. Powered by the Trend Micro(TM) Smart Protection
   Network(TM) infrastructure, our industry-leading cloud-computing
   security technology and products stop threats where they emerge, on
   the Internet, and are supported by 1,000+ threat intelligence
   experts around the globe. For additional information, go to
   http://www.trendmicro.com.

   Copyright 2019 Trend Micro Incorporated. All Rights Reserved.

   Trend Micro, the Trend Micro t-ball logo, Deep Discovery, and Trend
   Micro Control Manager are trademarks or registered trademarks of
   Trend Micro, Incorporated. All other product or company names may be
   trademarks or registered trademarks of their owners.

10. License Agreement
========================================================================

   Information about your license agreement for this product can be
   viewed by selecting the "About" option in the management console.