HOW TO: Upgrade vShield Manager, vShield Endpoint and don’t break Trend Micro DSVA

We are currently in a process of upgrading out VMware environment to 5.0 Update 1 and therefore need to upgrade vShiled Manager and Vmware Endpoint. We managed to get Trend Micro Deep Security Virtual Appliances under control (See my “Trend Micro Deep Security: Anti-Malware Engine Offline” post) and did not want vShield Manager upgrade to break them.

Here are the steps I performed to get it all upgraded:

Before you start, please make sure all components are compatible with each other. Check VMware Product Interoperability Matrixes to confirm vShield Manager is compatible with the version of vCenter Server you are running or planning to upgrade to:

It does not matter what application, vCenter Server or vShield Manager / Endpoint, you are going to upgrade first, works either way.

Here is how you do upgrade vShield Manager and Endpoint:

1. Download VMware vShield Manager upgrade bundle from VMware:
   My VMware > Product & Downloads > All Downloads > VMware vSphere > VMware vShield Endpoint 5.0.2:
   VMware-vShield-Manager-upgrade-bundle-5.0.2-791471.tar.gz (828Mb);
2. Connect vSphere Client to a vCenter, navigate to Home > Product and Applications > vShield > Your_vCenter;
3. Login to vShield Manager if needed and navigate to Settings and Reports, Updates, Upload Settings, Browse for tar.gz, click on Upload File;
4. Click on Update Status, Install;
   
5. Confirm Install;
   
6. After installation finished, login to vShield Manager and confirm it has been upgraded;
   
7. Verify Trend Micro Deep Security Manager connection to upgraded vShield Manager:
   1. Login to Trend Micro Deep Security Manager, navigate to Your_vCenter, right click and select Properties;
   2. Select vShield Manager tab. If you click on Test Connection it will most likely fail;
   3. Click Add/Update Certificate, click Accept. Confirm that Certificate updated, click Close;
   4. Click on Test Connection and confirm the connectivity.
8. vShield Endpoint upgrade:
   1. vMotion all VMs to another host(s);
   2. Deactivate DSVA (Trend Micro Deep Security Virtual Appliance) in TMDS Manager. This will remove A/V protection from any guest that are running on the host, this is the reason we vMotion all VM off in step 1;
   3. Go to Home > Inventory > Host and Clusters, highlight host, click on vShield tab,  General tab. Click Update;
      
   4. Click Install;
      
   5. Wait for the update to finish (you may need to click Refresh) and confirm it has been upgraded:
      
   6. Reactivate DSVA (Trend Micro Deep Security Virtual Appliance) in TMDS Manager.

All DSVAs did not report any problems and virtual machines got protected as soon as they were vmotioned back to the upgraded host.
I also checked that Endpoint configuration did not have duplicated values.

Hope this will help to keep your TM DS implementation healthy…