Server & Workload Protection and the agent communicate using the
latest mutually-supported version of TLS.
Configure the heartbeat
Note: Agents no longer support setting the heartbeat interval or the number of heartbeats that can be missed before an alert is sent.
A 'heartbeat' is a periodic communication between Server & Workload Protection and the agent. During a heartbeat, Server & Workload Protection collects this information:
- the status of the drivers (on- or off-line)
- the status of the agent (including clock time)
- agent logs since the last heartbeat
- data to update counters
- a fingerprint of the agent security configuration (used to determine if it is up to date)
The heartbeat can be configured on a base or parent policy, on a sub-policy, or
on an individual computer.
The time between heartbeats is 10 minutes and the number of heartbeats that can
be missed before an alert is raised is two. These two properties are
non-configurable.
You can configure the following properties of the heartbeat:
- Raise Offline Errors For Inactive Virtual Machines: Sets whether an offline error is raised if the virtual machine is stopped.
Procedure
- Open the Policy editor or the Computer editor for the policy or computer to configure. (From the Computers or Policies menu, select a table row, then click the Details button.)
- Go to .
- Change the properties as required.
- Click Save.
Configure communication directionality
Note: For Server & Workload Protection, agent-initiated communication is enabled by default and we strongly recommend that you do not change this setting.
Note: For macOS agents, only Agent Initiated communication is supported.
Configure whether the agent or Server & Workload Protection
initiates communication. 'Communication' includes the heartbeat and all other
communications. The following options are available:
- Bidirectional: The agent normally initiates the heartbeat and also listens on the agent's listening port number for connections from Server & Workload Protection. (See Server & Workload Protection port numbers.) Server & Workload Protection can contact the agent to perform required operations. Server & Workload Protection can apply changes to the security configuration of the agent.
- Manager Initiated: Server & Workload Protection (the manager) initiates all communication with the agent. These communications include security configuration updates, heartbeat operations, and requests for event logs.
- Agent Initiated: The agent does not listen for connections from Server & Workload Protection. Instead, the agent contacts Server & Workload Protection on the port number where Server & Workload Protection listens for agent heartbeats. (See Server & Workload Protection port numbers.) Once the agent has established a TCP connection with Server & Workload Protection, all normal communication takes place: Server & Workload Protection first asks the agent for its status and for any events. (This is the heartbeat operation.) If there are outstanding operations that need to be performed on the computer (for example, the policy needs to be updated), these operations are performed before the connection is closed. Communications between Server & Workload Protection and the agent occur only on each heartbeat. If an agent's security configuration has changed, it is not updated until the next heartbeat. For instructions on how to configure agent-initiated activation and use deployment scripts to activate agents, see Activate and protect agents using agent-initiated activation and communication.
Procedure
- Open the Policy editor or the Computer editor for the policy or computer to configure.
- Go to
- In the Direction of Workload Security Manager to Agent/Appliance communication menu, select one of the three options ("Manager Initiated", "agent/appliance Initiated", or "Bidirectional"), or choose "Inherited". If you select "Inherited", the policy or computer inherits the setting from its parent policy. Selecting one of the other options overrides the inherited setting.
- Click Save to apply the changes.
What to do next
To enable communications between Server & Workload Protection and
the agents, Server & Workload Protection automatically
implements a (hidden) firewall rule (priority four, Bypass) that opens the
listening port number for heartbeats on the agents to incoming TCP/IP traffic.
By default, it will accept connection attempts from any IP address and any MAC
address. You can restrict incoming traffic on this port by creating a new
priority 4, Force Allow or Bypass firewall rule that only allows incoming TCP/IP
traffic from specific IP or MAC addresses, or both. This new firewall rule would
replace the hidden firewall rule if the settings match these settings:
- Action: Force Allow or Bypass
- Priority: 4 - Highest
- Packet direction: Incoming
- Frame type: IP
- Protocol: TCP
- Packet destination port: the agent's listening port number for heartbeat connections from Server & Workload Protection, or a list that includes that port number. (See agent listening port number.)
While these settings are in effect, the new rule will replace the hidden rule.
You can then type packet source information for IP or MAC addresses, or both, to
restrict traffic to the computer.
Note: Agents look for Server & Workload Protection on the network by the Server & Workload Protection hostname. Therefore, the Server & Workload Protection hostname must be resolvable in your local DNS for agent-initiated or bidirectional communication to work.
Supported cipher suites for communication
The agent supports the following cipher suites for communication with Server & Workload Protection. If you need to know the cipher
suites supported by Server & Workload Protection, contact Trend
Micro.
The cipher suites consist of a key exchange asymmetric algorithm, a symmetric
data encryption algorithm and a hash function.
Agent version 9.5 cipher suites
Deep Security Agent 9.5 (without SPs, patches, or updates) supports these TLS 1.0
cipher suites:
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Deep Security Agent 9.5 SP1 - 9.5 SP1 Patch 3 Update 2 supports these cipher
suites:
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Deep Security Agent 9.5 SP1 Patch 3 Updates 3 - 8 support these cipher
suites:
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Agent version 9.6 cipher suites
Deep Security Agent 9.6 (without SPs, patches, or updates) - 9.6 Patch 1 supports
these TLS 1.0 cipher suites:
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Deep Security Agent 9.6 Patch 2 - 9.6 SP1 Patch 1 Update 4 supports these cipher
suites:
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Deep Security Agent 9.6 SP1 Patch 1 Updates 5 - 21 support these cipher
suites:
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Agent version 10.0 cipher suites
Deep Security Agent 10.0 up to Update 15 supports these TLS 1.2 cipher
suites:
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
Deep Security Agent 10.0 Update 16 and later updates support these TLS 1.2
cipher suites out of the box:
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
Agent version 11.0 cipher suites
Deep Security Agent 11.0 up to Update 4 supports these cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
Deep Security Agent 11.0 Update 6 and later updates support these TLS 1.2 cipher
suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Agent version 12.0 and Agent version 20 cipher suites
Deep Security Agent 12.0 and Deep Security Agent 20 support these cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
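The section above describes each suite as a key exchange algorithm, a bulk cipher and a hash, and lists which suites each agent line offers. The following is an added example (not Trend Micro code) that splits IANA-style suite names into those three parts and flags the properties a reviewer checks when deciding which agent versions still need upgrading: static RSA key exchange (no forward secrecy), 3DES, CBC-with-HMAC instead of AEAD, and SHA-1. The version labels in AGENT_SUITES are constructed from the lists on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# IANA naming: TLS_<key exchange>_WITH_<bulk cipher>_<hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)$")

@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str   # e.g. "RSA" or "ECDHE_RSA"
    cipher: str         # e.g. "AES_256_GCM", "AES_128_CBC", "3DES_EDE_CBC"
    hash_: str          # e.g. "SHA", "SHA256", "SHA384"

    @property
    def forward_secrecy(self) -> bool:
        # Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not.
        return self.key_exchange.startswith(("ECDHE", "DHE"))

    @property
    def aead(self) -> bool:
        return self.cipher.endswith("GCM")

    def findings(self) -> list[str]:
        out: list[str] = []
        if not self.forward_secrecy:
            out.append("no forward secrecy (static RSA key exchange)")
        if "3DES" in self.cipher:
            out.append("3DES: 64-bit block cipher")
        if self.cipher.endswith("CBC"):
            out.append("CBC mode with HMAC (not AEAD)")
        if self.hash_ == "SHA":
            out.append("SHA-1 based MAC/PRF")
        return out

def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not an IANA cipher suite name: {name}")
    cipher, _, hash_ = m.group("rest").rpartition("_")  # hash is the last token
    return Suite(name, m.group("kx"), cipher, hash_)

# Constructed from the per-version lists on this page (labels are our own).
AGENT_SUITES = {
    "9.5 SP1 - SP1 Patch 3 Update 2": ["TLS_RSA_WITH_AES_256_CBC_SHA",
                                       "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                                       "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "11.0 Update 6 and later": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"],
}

def versions_lacking_pfs(agent_suites: dict[str, list[str]]) -> list[str]:
    """Versions where at least one offered suite has no forward secrecy."""
    return [v for v, names in agent_suites.items()
            if any(not parse_suite(n).forward_secrecy for n in names)]
```

Running `versions_lacking_pfs(AGENT_SUITES)` on the constructed table returns only the 9.5 line, since every 11.0 Update 6 suite uses ECDHE; `parse_suite(name).findings()` gives the per-suite reasons.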