Trend Micro Deep Discovery Web Inspector Readme

Trend Micro, Inc.

January 2020

Trend Micro™ Deep Discovery Web Inspector™

Version 2.5

This Readme was current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates at: http://docs.trendmicro.com/

Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at: https://olr.trendmicro.com/registration/

About Trend Micro Deep Discovery Web Inspector
What's New
Documentation
System Requirements
Installation
Configuration
Known Issues
Contact Information
About Trend Micro
License Agreement

1. About Trend Micro Deep Discovery Web Inspector

Deep Discovery Web Inspector inspects and eliminates cyber threats and attacks that could threaten your network. Designed to be integrated into your existing network topology to monitor your network traffic, Deep Discovery Web Inspector acts as either a transparent bridge or a forward proxy.

2. What's New

2.1 New Features

1. Configure Whether to Bypass Scanning Of Traffic From iOS and Android Mobile Devices

Deep Discovery Web Inspector has adopted the Trend Micro DPI Turnkey Solution to classify network traffic from iOS or Android devices. The default is to scan traffic from these devices. You can now configure Deep Discovery Web Inspector to bypass scanning of traffic from iOS and Android devices.

2. Adds Support for Integration with Deep Discovery Director

Trend Micro Deep Discovery Director is an on-premises management solution that enables centralized management of certain Deep Discovery Web Inspector tasks, as well as configuration replication for Deep Discovery Web Inspector appliances.

By registering the appliance to Deep Discovery Director, you can enable the bi-directional synchronization of synchronized suspicious objects and suspicious object exceptions. Additionally, Deep Discovery Director synchronization scheduling tasks provides synchronization services to Deep Discovery Web Inspector node pairs operating in Transparent HA mode.

3. Support for Transparent HA Mode

Transparent HA mode supports a multi-Internet connection network environment with asymmetric routing. For each connection link, there will be one Deep Discovery Web Inspector node. The difference between Transparent HA mode and Transparent Bridge mode is that under Transparent HA mode, each Deep Discovery Web Inspector appliance sets an IP address on the bridge egress interface (br0), and each appliance rewrites the source IP address to access real web servers, which solves the asymmetric routing issue.

You can use Transparent HA mode in network environments with asymmetric routing. If there is no asymmetric routing scenario in the network, you do not need to use this mode. You can implement a Transparent HA deployment with or without LACP trunks.

4. Support for LACP

Deep Discovery Web Inspector supports LACP (Link Aggregation Control Protocol, 802.3ad standard) for configuring trunked data egress/data ingress interfaces in Transparent Bridge and Transparent HA modes.

When LACP is enabled, Deep Discovery Web Inspector automatically creates a two-port aggregate for data ingress and a two-port aggregate for data egress. LACP trunk links provide link redundancy.

5. Support for Multi-Bridge Mode

Multi-Bridge mode is variation of Transparent Bridge mode where Deep Discovery Web Inspector is equipped with two bypass cards and connects to the Internet through two WAN lines. The appliance acts as a layer 2 bridge between network devices (core switches and routers) and is transparent on the network.

6. Support for Synchronized Suspicious Objects

Adds support for displaying detections for synchronized suspicious objects acquired from either Deep Discovery Director or Apex Central (formerly known as Control Manager). Supported synchronized suspicious object types include: Domain, URL, IP address, and File SHA1. You can conveniently select one or more synchronized suspicious objects from the detection page and add them to either the Approved List or Blocked List.

7. Support for TLS 1.3

Adds support to decrypt HTTPS traffic with TLS 1.3.

8. Support for the Mitre Report

Deep Discovery Web Inspector supports displaying the Mitre Report from the sandbox in the Virtual Analyzer report.

2.2 Enhancements

1. Enhancements to HTTPS Inspection

The Policy menu has been expanded with new sub-menus for HTTPS Inspection:

Decryption Rules: Menu item formerly known as HTTPS Inspection where you can configure decryption rules.
Digital Certificates: Manage digital certificates in Trusted, Untrusted, Invalid certificates stores and manage the exception list.
HTTPS Tunnel: Manage HTTPS tunnels, which allow the tunneling of HTTPS traffic without decryption.
Intelligent Decryption: Manage fingerprint patterns used to determine whether traffic should be decrypted or not decrypted based on the fingerprint signature of the browser.

2. Enhancement to Apex Central Integration

Adds support for synchronization of suspicious objects and suspicious object exceptions between Deep Discovery Web Inspector and Apex Central (formerly known as Trend Micro Control Manager). You can upload suspicious objects and view synchronized suspicious objects from the Detections > Suspicious Objects screen.

Deep Discovery Web Inspector can be registered from the Apex Central web console. Deep Discovery Web Inspector can upload suspicious objects and suspicious object detection logs to Apex Central.

3. Enhancement to Transparent Bridge Mode

Transparent Bridge mode has been enhanced to include support for LACP link aggregation. As part of the deployment, you can enable LACP and use trunked interfaces for data ingress and data egress.

4. Enhancement to the Approved/Blocked Lists

Deep Discovery Web Inspector supports adding a new type, Server IP address, to the Approved/Blocked lists. Additionally, you can use the automatic method to add entries for all object types (Domain, URL, Server IP address, or File SHA1) to the Approved/Blocked Lists and Deep Discovery Web Inspector will automatically determine the entry type as the entry is added to a list. If desired, under advanced settings you can still specify whether you want an entry to be added as a domain, a URL, a Server IP address, or a file SHA1.

5. Enhanced X-Header Handling

Options have been added to the Deep Discovery Web Inspector web console to enable or disable parsing XFF headers. When Deep Discovery Web Inspector receives an HTTP request with an XFF header, it parses the XFF header to obtain the original client IP address and uses the IP address when evaluating whether traffic matches a policy.

Deep Discovery Web Inspector does not support parsing XFF headers for HTTPS traffic if the traffic is not decrypted.

3. Documentation

Electronic versions of the printed manuals are available at: http://www.docs.trendmicro.com

In addition to this readme, the documentation set for Deep Discovery Web Inspector includes the following:

Quick Start Card: Provides user-friendly instructions on connecting Deep Discovery Web Inspector to your network and on performing the initial configuration.
Installation and Deployment Guide: PDF Document that discusses requirements and procedures for installing and deploying Deep Discovery Web Inspector.
Administrator's Guide: PDF Document that contains detailed instructions on how to deploy, configure, and manage Deep Discovery Web Inspector, and provides explanations on Deep Discovery Web Inspector concepts and features.
Online Help: Online HTML pages that contain explanations of Deep Discovery Web Inspector components and features, as well as procedures needed to configure Deep Discovery Web Inspector.
Syslog Content Mapping Guide: This guide contains information on event logging formats supported by Deep Discovery Web Inspector.
Support Portal: Contains information on troubleshooting and resolving known issues. It provides the latest information about known product issues. To access the Support Portal, go to the following website: http://esupport.trendmicro.com
Trend Community: Get help, share your experiences, ask questions, and discuss security concerns in the forums with fellow users, enthusiasts, and security experts.
http://community.trendmicro.com/

4. System Requirements

Trend Micro provides the Deep Discovery Web Inspector appliance hardware. No other hardware is supported.

Command Line Interface:

1. VGA connection

Monitor with a VGA port
VGA cable

2. SSH connection

Computer with an Ethernet port
Ethernet cable
SSH client (example: PuTTY)

Management Console

Microsoft Internet Explorer 11
Microsoft Edge Windows 10
Mozilla Firefox 70 or later
Google Chrome 78 or later
Mac(R) Safari(R) Mac OS 12.0.3 or higher

Note: Trend Micro recommends a 1280x1024 resolution.

5. Installation or Upgrade

5.1. Fresh Installation

See the Quick Start Card and the Installation and Deployment Guide for fresh installation and deployment instructions at: http://docs.trendmicro.com/en-us/enterprise/deep-discovery-web-inspector.aspx

5.2. Upgrade

Upgrade to Deep Discovery Web Inspector version 2.5 if you are currently running the following version:

Deep Discovery Web Inspector 2.2

Considerations Before Upgrading

Trend Micro recommends rebooting Deep Discovery Web Inspector manually after upgrading.
Trend Micro recommends updating the scan engine and pattern files immediately after installation.
The upgrade process may take some time to complete, and upgrading from Deep Discovery Web Inspector 2.2 to Deep Discovery Web Inspector 2.5 may take an hour or more.
Trend Micro recommends starting the upgrade during off-peak office hours. Installing the update restarts Deep Discovery Web Inspector.
Before installing the upgrade, suggest enabling Bypass Mode if Deep Discovery Web Inspector is deployed in transparent bridge mode.
Firmware installation package size is more than 3 GB, and it takes some time to complete the file uploading. It is recommendation that do not limit the uploading speed to Deep Discovery Web Inspector.

Prerequisites for Upgrade

Perform the following steps before installing this upgrade:

Install the hotfix ddwi_22_lx_en_hfb2044.tgz in Deep Discovery Web Inspector 2.2. For details, please contact with Trend Micro Support.
Clear your web browser's cache after hotfix is applied.
Back up your Deep Discovery Web Inspector configuration file from the management console. For details, see the Administrator's Guide.

Steps to Upgrade

You can install this upgrade only by manually using the Deep Discovery Web Inspector management console. Deep Discovery Web Inspector 2.2 does not support integrating with Deep Discovery Director. Perform the following steps to install this upgrade manually on Deep Discovery Web Inspector:

Log on to the Deep Discovery Web Inspector management console.
Go to Administration > Product Updates > Firmware.
Click Browse to locate the firmware installation package.
Click Install.
Wait for the package to upload and install.
Clear your web browser's cache before logging on the management console.
After installation completes, the user should re-open the management console logon screen.
Go to Administration > System Maintenance > Power Off/Restart, reboot Deep Discovery Web Inspector manually after upgrading.

5.3. Uninstall

The upgrade cannot be uninstalled. Contact Trend Micro Support for assistance.

6. Configuration

For detailed instructions about setting up the appliance hardware and performing the initial configurations, see the Quick Start Guide for your Deep Discovery Web Inspector appliance hardware.

After installation, configure the network parameters with the Command Line Interface (CLI). The following network settings are required:

Host name
Management IP address and subnet mask
Gateway
DNS

The appliance automatically restarts after saving the network configuration changes.

Perform the following steps:

Power up the appliance if it is not already up.
Connect a VGA monitor and USB keyboard to the appliance Deep Discovery Web Inspector.
The appliance's command line interface is displayed on the monitor.
Log on to the Command Line Interface with the default credentials.
- User name: admin
- Password: ddwi
At the prompt, type "enable" (no quotes) and then press ENTER.
Type the default password, "trend#1" (no quotes), and then press ENTER.
The prompt changes from > to #.
Configure network settings with the following command:
Syntax: configure network basic
Configure the following network settings and press Enter after typing each setting.
- Host name
- IPv4 address
- Subnet mask
- IPv4 gateway
- Preferred IPv4 DNS
- Alternate IPv4 DNS
Type "Y" (no quotes) to confirm settings and restart.

Deep Discovery Web Inspector implements the specified network settings and then restarts network services. You can now access the Deep Discovery Web Inspector management console using a supported Web browser by accessing https://<management_IP_address>.

For configuration procedures, see the Getting Started chapter in the Administrator's Guide.

Note: Trend Micro recommends updating the scan engine and pattern files immediately after installation.

7. Known Issues

Issue 7.1: Discovery Web Inspector cannot successfully install if an IP conflict exists. The Deep Discovery Web Inspector appliance has a default IP address (192.168.252.1). If another endpoint uses the same IP address, Deep Discovery Web Inspector cannot start services.

Trend Micro recommends not connecting the appliance to the network until after the default IP address has been changed to a unique IP address on the network.

Issue 7.2: Discovery Web Inspector is unable to import Virtual Analyzer images from an FTP server in active mode. Deep Discovery Web Inspector security does not allow this type of connection.

Trend Micro recommends using FTP servers in passive mode, or importing the Virtual Analyzer images through another method, such as from a UNC path.

Issue 7.3: If you enable global authentication for Active Directory Services, Deep Discovery Web Inspector must be assigned a valid management port IP address that can be accessed by all clients.

If authentication of web traffic is required, web traffic is redirected to Authentication Portal using the management port for Kerberos/NTLM/Captive Portal authentication. If authentication fails or the authentication certificate is not trusted by the client, the continuing authentication traffic might increase throughput of the management port.

To work around this issue, perform any one of the following:

Install the authentication certificate (see Administration > System Settings) on clients whose traffic traverses the Deep Discovery Web Inspector appliance and make the certificate trusted by the browser and client OS.
Exclude clients who are not joined to Active Directory domains from authentication policies.
Increase maximal throughput of the Deep Discovery Web Inspector management port.

Issue 7.4: In some scenarios, if the IP User Cache that is used for authentication is disabled, authentication might fail.

The following might occur:

Using Safari, after several successful NTLM authentications, the authentication required window will keep popping up (Deep Discovery Web Inspector proxy mode).
Apply workaround #1 or #3.
Using Edge/Safari, after authentication, not all contents or pictures can be loaded completely in a web page.
Apply workaround #1 or #2
Using a specific Chrome version (70.0.3538.110), after several successful NTLM authentications, NTLM authentication subsequently fails.
Apply workaround #1 or #2.
Some backend services or applications might not work because of authentication failure. This can happen because some services or applications do not accept Deep Discovery Web Inspector's authentication cookie, or they can't handle Captive Portal authentication.
Apply workaround #1.

Workarounds include:

#1 Enable IP User Cache for all authentication policies listed on the Administration > Active Directory Services > Authentication Policy page.
#2 Use the latest Chrome version.
#3 Disable Safari's 'prevent cross-site tracking' function if contents or pictures are not loading completely in a web page.

Issue 7.5: In some scenarios, applications will not authenticate automatically. In these scenarios, when the IP User Cache that is used for authentication is expired, some applications or services might lose their connection to the Internet.

To work around this issue, open a browser and visit the HTTP web site manually.

Authentication might be passed automatically. If not, enter the user name and password in the pop up authentication window or Captive Portal page. Once authentication is finished, the affected applications or services will recover.

8. Contact Information

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at http://www.trendmicro.com.

Evaluation copies of Trend Micro products can be downloaded from our Web site.

Worldwide Offices and Phone Numbers numbers

http://www.trendmicro.com/en/contact.html

The Trend Micro 'Contact Locations' screen displays. Click the appropriate link in the 'Worldwide Offices' section of the screen.

Note: This information is subject to change without notice.

9. About Trend Micro

Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers.

A pioneer in server-based antivirus with over 20 years’ experience, we deliver top-ranked security that fits our customers¡¯ needs, stops new threats faster, and protects data in physical, virtual and cloud environments. Powered by the Trend Micro(TM) Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe.

For additional information, go to http://www.trendmicro.com.

Copyright 2020, Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, Deep Discovery, Trend Micro Apex Central, and Control Manager are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

10. License Agreement

Information about your license agreement for this product can viewed by selecting the "About" option in the management console.

Contents