Trend Micro, Inc.

January 2020

Trend Micro™ Deep Discovery Web Inspector™

Version 2.5

This Readme was current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates at:

Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at:


  1. About Trend Micro Deep Discovery Web Inspector
  2. What's New
  3. Documentation
  4. System Requirements
  5. Installation
  6. Configuration
  7. Known Issues
  8. Contact Information
  9. About Trend Micro
  10. License Agreement

1. About Trend Micro Deep Discovery Web Inspector

Deep Discovery Web Inspector inspects and eliminates cyber threats and attacks that could threaten your network. Designed to be integrated into your existing network topology to monitor your network traffic, Deep Discovery Web Inspector acts as either a transparent bridge or a forward proxy.

2. What's New

2.1 New Features

1. Configure Whether to Bypass Scanning Of Traffic From iOS and Android Mobile Devices

Deep Discovery Web Inspector has adopted the Trend Micro DPI Turnkey Solution to classify network traffic from iOS or Android devices. The default is to scan traffic from these devices. You can now configure Deep Discovery Web Inspector to bypass scanning of traffic from iOS and Android devices.

2. Adds Support for Integration with Deep Discovery Director

Trend Micro Deep Discovery Director is an on-premises management solution that enables centralized management of certain Deep Discovery Web Inspector tasks, as well as configuration replication for Deep Discovery Web Inspector appliances.

By registering the appliance to Deep Discovery Director, you can enable the bi-directional synchronization of synchronized suspicious objects and suspicious object exceptions. Additionally, Deep Discovery Director synchronization scheduling tasks provide synchronization services to Deep Discovery Web Inspector node pairs operating in Transparent HA mode.

3. Support for Transparent HA Mode

Transparent HA mode supports a multi-Internet connection network environment with asymmetric routing. For each connection link, there will be one Deep Discovery Web Inspector node. The difference between Transparent HA mode and Transparent Bridge mode is that under Transparent HA mode, each Deep Discovery Web Inspector appliance sets an IP address on the bridge egress interface (br0), and each appliance rewrites the source IP address to access real web servers, which solves the asymmetric routing issue.

You can use Transparent HA mode in network environments with asymmetric routing. If there is no asymmetric routing scenario in the network, you do not need to use this mode. You can implement a Transparent HA deployment with or without LACP trunks.

4. Support for LACP

Deep Discovery Web Inspector supports LACP (Link Aggregation Control Protocol, 802.3ad standard) for configuring trunked data egress/data ingress interfaces in Transparent Bridge and Transparent HA modes.

When LACP is enabled, Deep Discovery Web Inspector automatically creates a two-port aggregate for data ingress and a two-port aggregate for data egress. LACP trunk links provide link redundancy.

5. Support for Multi-Bridge Mode

Multi-Bridge mode is a variation of Transparent Bridge mode where Deep Discovery Web Inspector is equipped with two bypass cards and connects to the Internet through two WAN lines. The appliance acts as a layer 2 bridge between network devices (core switches and routers) and is transparent on the network.

6. Support for Synchronized Suspicious Objects

Adds support for displaying detections for synchronized suspicious objects acquired from either Deep Discovery Director or Apex Central (formerly known as Control Manager). Supported synchronized suspicious object types include: Domain, URL, IP address, and File SHA1. You can conveniently select one or more synchronized suspicious objects from the detection page and add them to either the Approved List or Blocked List.

7. Support for TLS 1.3

Adds support to decrypt HTTPS traffic with TLS 1.3.

8. Support for the Mitre Report

Deep Discovery Web Inspector supports displaying the Mitre Report from the sandbox in the Virtual Analyzer report.

2.2 Enhancements

1. Enhancements to HTTPS Inspection

The Policy menu has been expanded with new sub-menus for HTTPS Inspection:

2. Enhancement to Apex Central Integration

Adds support for synchronization of suspicious objects and suspicious object exceptions between Deep Discovery Web Inspector and Apex Central (formerly known as Trend Micro Control Manager). You can upload suspicious objects and view synchronized suspicious objects from the Detections > Suspicious Objects screen.

Deep Discovery Web Inspector can be registered from the Apex Central web console. Deep Discovery Web Inspector can upload suspicious objects and suspicious object detection logs to Apex Central.

3. Enhancement to Transparent Bridge Mode

Transparent Bridge mode has been enhanced to include support for LACP link aggregation. As part of the deployment, you can enable LACP and use trunked interfaces for data ingress and data egress.

4. Enhancement to the Approved/Blocked Lists

Deep Discovery Web Inspector supports adding a new type, Server IP address, to the Approved/Blocked lists. Additionally, you can use the automatic method to add entries for all object types (Domain, URL, Server IP address, or File SHA1) to the Approved/Blocked Lists and Deep Discovery Web Inspector will automatically determine the entry type as the entry is added to a list. If desired, under advanced settings you can still specify whether you want an entry to be added as a domain, a URL, a Server IP address, or a file SHA1.
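
The automatic entry-type detection described above can be illustrated with the following added example. It is not Trend Micro's code: the function names, the order of the checks (SHA-1, then IP address, then URL, then domain) and the sample values are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_domain(host: str) -> bool:
    host = host.rstrip(".")
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False  # an all-numeric last label is a malformed IP, not a domain
    return all(LABEL_RE.fullmatch(label) for label in labels)


def classify_entry(entry: str) -> str:
    """Return the list entry type for one Approved/Blocked list value."""
    value = entry.strip()
    if SHA1_RE.fullmatch(value):
        return "File SHA1"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "Server IP address"
    except ValueError:
        pass
    if "://" in value or "/" in value:
        # Accept scheme-less URLs such as 'example.net/login' as well.
        parts = urlsplit(value if "://" in value else "//" + value)
        if parts.hostname:
            return "URL"
    elif is_domain(value):
        return "Domain"
    raise ValueError(f"cannot determine entry type: {entry!r}")


# Constructed sample values (documentation address ranges, example domains).
SAMPLES = [
    hashlib.sha1(b"constructed sample").hexdigest(),
    "192.0.2.10",
    "2001:db8::1",
    "https://portal.example.com/login?next=/",
    "example.net/download/setup.exe",
    "portal.example.com",
]
RESULTS = {sample: classify_entry(sample) for sample in SAMPLES}
```

The IP check runs before the domain check because a dotted IPv4 address would otherwise pass a loose host-name pattern and be stored under the wrong type.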

5. Enhanced X-Header Handling

Options have been added to the Deep Discovery Web Inspector web console to enable or disable parsing XFF headers. When Deep Discovery Web Inspector receives an HTTP request with an XFF header, it parses the XFF header to obtain the original client IP address and uses the IP address when evaluating whether traffic matches a policy.

Deep Discovery Web Inspector does not support parsing XFF headers for HTTPS traffic if the traffic is not decrypted.
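
An added example of choosing the client address from an XFF header for policy matching; it is not the appliance's code, and this page does not say which entry the appliance selects. The function names, the `trusted_proxies` list and the right-to-left selection rule are assumptions, and the request values are constructed.

```python
import ipaddress


def parse_xff(header):
    """Return the hops in an X-Forwarded-For value, left to right.

    Entries that are not IP addresses (for example "unknown") become None.
    """
    hops = []
    for token in header.split(","):
        token = token.strip()
        if token.startswith("["):        # "[2001:db8::1]:443"
            token = token[1:].split("]", 1)[0]
        elif token.count(":") == 1:      # "192.0.2.7:51234"
            token = token.split(":", 1)[0]
        try:
            hops.append(ipaddress.ip_address(token))
        except ValueError:
            hops.append(None)
    return hops


def policy_client_ip(peer, header, trusted_proxies, parse_xff_enabled=True):
    """Pick the address to evaluate policy against for one HTTP request."""
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    # XFF is request data: honour it only when parsing is enabled and the
    # request arrived from a proxy we operate (assumed rule).
    if not parse_xff_enabled or not header or not trusted(peer_ip):
        return str(peer_ip)
    client = peer_ip
    for hop in reversed(parse_xff(header)):
        if hop is None:
            break              # entries left of garbage cannot be verified
        client = hop
        if not trusted(hop):
            break              # first hop we do not operate: the client
    return str(client)


# Constructed request: the leftmost entry is whatever the sender supplied.
TRUSTED = ["10.0.0.0/8"]
HEADER = "203.0.113.9, 198.51.100.7, 10.0.0.8"
RESULT = policy_client_ip("10.0.0.5", HEADER, TRUSTED)
```

With the constructed header, policy is evaluated against the address appended by the outermost trusted proxy, not the leftmost entry, which the sender can set to any value.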

3. Documentation

Electronic versions of the printed manuals are available at:

In addition to this readme, the documentation set for Deep Discovery Web Inspector includes the following:

4. System Requirements

Trend Micro provides the Deep Discovery Web Inspector appliance hardware. No other hardware is supported.

Command Line Interface:

1. VGA connection

2. SSH connection

Management Console

Note: Trend Micro recommends a 1280x1024 resolution.

5. Installation or Upgrade

5.1. Fresh Installation

See the Quick Start Card and the Installation and Deployment Guide for fresh installation and deployment instructions at:

5.2. Upgrade

Upgrade to Deep Discovery Web Inspector version 2.5 if you are currently running the following version:

Considerations Before Upgrading

Prerequisites for Upgrade

Perform the following steps before installing this upgrade:

  1. Install the hotfix ddwi_22_lx_en_hfb2044.tgz in Deep Discovery Web Inspector 2.2. For details, contact Trend Micro Support.
  2. Clear your web browser's cache after the hotfix is applied.
  3. Back up your Deep Discovery Web Inspector configuration file from the management console. For details, see the Administrator's Guide.

Steps to Upgrade

You can install this upgrade only manually, using the Deep Discovery Web Inspector management console. Deep Discovery Web Inspector 2.2 does not support integrating with Deep Discovery Director. Perform the following steps to install this upgrade manually on Deep Discovery Web Inspector:

  1. Log on to the Deep Discovery Web Inspector management console.
  2. Go to Administration > Product Updates > Firmware.
  3. Click Browse to locate the firmware installation package.
  4. Click Install.
  5. Wait for the package to upload and install.
  6. Clear your web browser's cache before logging on to the management console.
  7. After installation completes, re-open the management console logon screen.

5.3. Uninstall

The upgrade cannot be uninstalled. Contact Trend Micro Support for assistance.

6. Configuration

For detailed instructions about setting up the appliance hardware and performing the initial configurations, see the Quick Start Guide for your Deep Discovery Web Inspector appliance hardware.

After installation, configure the network parameters with the Command Line Interface (CLI). The following network settings are required:

The appliance automatically restarts after saving the network configuration changes.

Perform the following steps:

  1. Power up the appliance if it is not already up.

  2. Connect a VGA monitor and USB keyboard to the Deep Discovery Web Inspector appliance.

    The appliance's command line interface is displayed on the monitor.

  3. Log on to the Command Line Interface with the default credentials.
  4. At the prompt, type "enable" (no quotes) and then press ENTER.
  5. Type the default password, "trend#1" (no quotes), and then press ENTER.

    The prompt changes from > to #.

  6. Configure network settings with the following command:

    Syntax: configure network basic

  7. Configure the following network settings and press Enter after typing each setting.
  8. Type "Y" (no quotes) to confirm settings and restart.

Deep Discovery Web Inspector implements the specified network settings and then restarts network services. You can now access the Deep Discovery Web Inspector management console using a supported Web browser by accessing https://<management_IP_address>.

For configuration procedures, see the Getting Started chapter in the Administrator's Guide.

Note: Trend Micro recommends updating the scan engine and pattern files immediately after installation.

7. Known Issues

Issue 7.1: Deep Discovery Web Inspector cannot successfully install if an IP conflict exists. The Deep Discovery Web Inspector appliance has a default IP address ( If another endpoint uses the same IP address, Deep Discovery Web Inspector cannot start services.

Trend Micro recommends not connecting the appliance to the network until after the default IP address has been changed to a unique IP address on the network.

Issue 7.2: Deep Discovery Web Inspector is unable to import Virtual Analyzer images from an FTP server in active mode. Deep Discovery Web Inspector security does not allow this type of connection.

Trend Micro recommends using FTP servers in passive mode, or importing the Virtual Analyzer images through another method, such as from a UNC path.

Issue 7.3: If you enable global authentication for Active Directory Services, Deep Discovery Web Inspector must be assigned a valid management port IP address that can be accessed by all clients.

If authentication of web traffic is required, web traffic is redirected to the Authentication Portal using the management port for Kerberos/NTLM/Captive Portal authentication. If authentication fails or the authentication certificate is not trusted by the client, the continuing authentication traffic might increase throughput of the management port.

To work around this issue, perform any one of the following:

Issue 7.4: In some scenarios, if the IP User Cache that is used for authentication is disabled, authentication might fail.

The following might occur:

Workarounds include:

  1. Enable IP User Cache for all authentication policies listed on the Administration > Active Directory Services > Authentication Policy page.
  2. Use the latest Chrome version.
  3. Disable Safari's 'prevent cross-site tracking' function if contents or pictures are not loading completely in a web page.

Issue 7.5: In some scenarios, applications will not authenticate automatically. In these scenarios, when the IP User Cache that is used for authentication is expired, some applications or services might lose their connection to the Internet.

To work around this issue, open a browser and visit the HTTP web site manually.

Authentication might be passed automatically. If not, enter the user name and password in the pop up authentication window or Captive Portal page. Once authentication is finished, the affected applications or services will recover.

8. Contact Information

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at

Evaluation copies of Trend Micro products can be downloaded from our Web site.

Worldwide Offices and Phone Numbers

The Trend Micro 'Contact Locations' screen displays. Click the appropriate link in the 'Worldwide Offices' section of the screen.

Note: This information is subject to change without notice.

9. About Trend Micro

Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers.

A pioneer in server-based antivirus with over 20 years' experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtual and cloud environments. Powered by the Trend Micro(TM) Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe.

For additional information, go to

Copyright 2020, Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, Deep Discovery, Trend Micro Apex Central, and Control Manager are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

10. License Agreement

Information about your license agreement for this product can be viewed by selecting the "About" option in the management console.
