Tuesday, July 6, 2021

Deep Security and Citrix Provisioning Services (PVS) targets

We wanted to protect our Citrix PVS targets with the Deep Security agent in our organization and did not find documentation on how to do it. You can read about Citrix Provisioning Services here to get a better understanding of how a vDisk works and why a PVS target is not just a VM clone - https://deptive.co.nz/blog/what-is-citrix-pvs-and-why-should-you-use-it/

Our Deep Security environment:

  • Two Deep Security Managers
  • Deep Security Manager version 12
  • Synced with vCenter

Since these targets are not clones, the setting below did not resolve our activation issues. Each target would produce "duplicate computer" errors on activation until the manager sorted itself out some 20 minutes later.

What we found worked:

  • Boot the vDisk in read/write (Private) mode on the server you wish to use as your template box.
  • Install Deep Security, assign the correct policy, get everything updated and the drivers loaded, then reboot so that no additional reboot will be requested on the PVS targets.
  • Deactivate the template box in the Deep Security console.
  • Set the four Deep Security services (ds_agent, ds_monitor, ds_notifier, Amsp) to Manual start-up.
  • Edit the local startup script to check whether the server has booted the vDisk in read/write mode or in read-only mode. This can be a scheduled task running a batch file at startup.
  • If in read/write mode, do not start the four Trend Micro Deep Security services.
  • If in read-only mode, start the four Trend Micro Deep Security services, then activate the agent and assign the correct policy.

This method means the template box does not need to be deactivated every time it is booted to change things on the vDisk other than Deep Security. When you are ready to add Deep Security updates to the vDisk image, start the services, let everything update, and then deactivate the agent before saving the vDisk image.

You can place batch files on the desktop for activation and deactivation of the template box. Bring up the template box with the vDisk you want to update in read/write mode, then run the activation batch file to start the services and activate the agent. Do all required Deep Security updates. Then, right before sealing the image, run the deactivation batch file, which deactivates the agent and stops the services.

This is the stanza we used for Deep Security in our local startup script. PVS writes C:\Personality.ini on every boot; the value _DiskMode=S identifies a Standard (read-only) image, so only read-only targets start the agent and activate, while the template box in Private (read/write) mode leaves the Manual-start services stopped. Replace yourserverhere and xxx with your manager address and policy ID.

rem ********* Trend Deep Security Activation *****************
rem _DiskMode=S in Personality.ini means the vDisk is in Standard (read-only) mode.
find "_DiskMode=S" C:\Personality.ini >nul 2>&1
if %errorlevel%==0 (
    net start "ds_agent"
    net start "ds_monitor"
    net start "ds_notifier"
    net start "Amsp"
    cd /d "C:\Program Files\Trend Micro\Deep Security Agent"
    rem call, because dsa_control is a .cmd wrapper on Windows and would otherwise not return
    call dsa_control -a dsm://yourserverhere:4120 "policyid:xxx"
)
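The desktop activation and deactivation batch files mentioned above are not shown in the post. The following is an added example of how they can be written as one script with two sub-commands; it is not the original author's code. It assumes the default agent install path, the service names used in the startup stanza, and keeps the same placeholders (yourserverhere, xxx) for the manager address and policy ID, which you must replace. The activate branch refuses to run on a vDisk booted in Standard (read-only) mode, since activating those targets is the startup stanza's job.

```batch
@echo off
rem ds_template.bat - added example, not part of the original post.
rem Usage:  ds_template.bat activate     (template box booted read/write, before DS updates)
rem         ds_template.bat deactivate   (right before sealing the vDisk)
rem Assumptions: default agent install path; yourserverhere and xxx are placeholders.
setlocal
set "DSA_DIR=C:\Program Files\Trend Micro\Deep Security Agent"
set "DSM_URL=dsm://yourserverhere:4120"
set "DS_POLICY=policyid:xxx"
set "DS_SERVICES=ds_agent ds_monitor ds_notifier Amsp"

if /i "%~1"=="activate"   goto :activate
if /i "%~1"=="deactivate" goto :deactivate
echo Usage: %~nx0 activate ^| deactivate
exit /b 2

:activate
rem find returns 0 when _DiskMode=S is present, i.e. the vDisk is read-only.
find "_DiskMode=S" C:\Personality.ini >nul 2>&1
if not errorlevel 1 (
    echo vDisk is in Standard ^(read-only^) mode - this is not the template box, refusing.
    exit /b 1
)
for %%S in (%DS_SERVICES%) do net start "%%S" >nul 2>&1
rem call, because dsa_control is a .cmd wrapper and would otherwise not return control.
call "%DSA_DIR%\dsa_control" -a %DSM_URL% "%DS_POLICY%"
if errorlevel 1 (
    echo Activation failed ^(dsa_control exit code %errorlevel%^) - check the DSM console.
    exit /b 1
)
echo Agent activated. Apply updates, then run "%~nx0 deactivate" before sealing the vDisk.
exit /b 0

:deactivate
rem dsa_control -r resets the agent: it deactivates it on the manager and clears the
rem local identity, so the sealed image carries no activation record and every
rem read-only target activates as a fresh computer at boot.
call "%DSA_DIR%\dsa_control" -r
if errorlevel 1 echo WARNING: dsa_control -r exit code %errorlevel% - check the DSM console.
rem Stop the services in reverse order; /y answers the prompt for dependent services.
for %%S in (Amsp ds_notifier ds_monitor ds_agent) do (
    sc query "%%S" | find "RUNNING" >nul 2>&1 && net stop "%%S" /y >nul 2>&1
)
echo Agent deactivated and services stopped. The vDisk can now be sealed.
exit /b 0
```

Run the script from an elevated command prompt on the template box. Checking the dsa_control exit code matters in the deactivate branch: if the reset fails and the image is sealed anyway, every target will boot with the template's activation identity and you are back to the duplicate-computer errors the procedure is meant to avoid.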