Trend Micro Deep Security on AWS
Quick Start Reference Deployment Guide

Appendix: Updating the Load Balancer Certificate

The Elastic Load Balancing (ELB) load balancer used by the Deep Security Manager is initially configured to use a self-signed certificate for HTTPS connections. Your browser may give you an error when you try to access the console. This is expected until you update the load balancer certificate. You can proceed through to the management console.


Figure 5: Accessing the Deep Security Management console (three screens: browser error when accessing the console with the self-signed certificate; proceeding with the self-signed certificate; accessing the Deep Security Management Console)

Deep Security is meant to run as part of your core infrastructure. As a result, its attack surface should be minimized. The Quick Start helps reduce this attack surface by:

  • Using security groups to restrict traffic to only what’s needed.

  • Deploying a Deep Security Agent on the manager instance to protect it from attack.

  • Using the robust role-based access controls available within the platform to ensure that only valid users have access to the platform.

The Deep Security Manager is initially configured to use a public load balancer so it can easily protect instances in AWS Regions and AWS accounts outside where it’s deployed. If you do not require this functionality and do not require the Deep Security Manager console to be accessible from the Internet, we recommend that you reconfigure the Deep Security Manager to use a private load balancer to further reduce the attack surface. You can also set up VPC peering if you’d like to use a private load balancer and still protect instances outside the VPC where the Deep Security Manager is deployed.

If you are using the Quick Start as the basis of a production deployment and not as a proof of concept, we strongly recommend that you update the self-signed certificate to a certificate that is signed by a trusted Certificate Authority.

Note

In order to obtain a signed certificate, you will be required by the Certificate Authority to specify a formal subdomain (for example, deepsecurityconsole.mycompany.com) and use this to access the Deep Security load balancer.

To update the security certificate of the load balancer, follow these steps:

  1. Register a domain name that you will use to access the Deep Security Manager console.

  2. Obtain a certificate for this domain from a trusted Certificate Authority.

  3. Update the DNS settings of the load balancer to use the new domain name. Detailed instructions on how to do that can be found in the Elastic Load Balancing documentation.

  4. Replace the SSL certificate of the load balancer. Detailed instructions on how to do that can be found in the Elastic Load Balancing documentation.
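After step 4, it is worth confirming that the load balancer no longer presents the self-signed certificate. The following check is an added example, not part of the Quick Start or of Deep Security: it flags a certificate that is self-signed, does not cover the console's domain name, or is close to expiry. The host name is the example subdomain from the note above; the certificate dictionaries and the CA name "Example Trusted CA" are constructed sample values.

```python
import socket
import ssl
import time

def name_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def assess(cert, hostname, now=None, min_days=30):
    """Findings for a certificate dict in ssl.SSLSocket.getpeercert() format."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed: issuer equals subject")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"no subjectAltName entry covers {hostname}")
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < min_days:
        findings.append(f"expires in {days_left} days")
    return findings

def check_endpoint(hostname, port=443):
    """Handshake against the system trust store, then assess the leaf."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return assess(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        # A self-signed or mismatched certificate is rejected here.
        return [f"rejected by trust store: {exc.verify_message}"]

# Constructed sample certificates (not captured from a real deployment).
HOST = "deepsecurityconsole.mycompany.com"
_NAME = ((("commonName", HOST),),)
SELF_SIGNED = {"subject": _NAME, "issuer": _NAME,
               "notAfter": "Jan  1 00:00:00 2031 GMT",
               "subjectAltName": (("DNS", "localhost"),)}
CA_SIGNED = {"subject": _NAME,
             "issuer": ((("commonName", "Example Trusted CA"),),),
             "notAfter": "Jan  1 00:00:00 2031 GMT",
             "subjectAltName": (("DNS", HOST),)}
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")  # fixed clock

if __name__ == "__main__":
    print(assess(SELF_SIGNED, HOST, now=NOW), assess(CA_SIGNED, HOST, now=NOW))
```

Against a live deployment, call `check_endpoint` with the domain name registered in step 1; an empty list means the certificate chained to a trusted CA, matched the name, and is not near expiry.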