https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/integration-of-trend-micro-control-manager-solution-with-extreme/m-p/36746#M4252 The simplest way to test it is uning the C&amp;C botnet callback (as I used).<BR /> <BR /> Once configured, you can simple using a web browser to go to a C&amp;C server like<BR /> <BR /> <A href="http://www.antibasic.ga/" target="_blank" rel="nofollow noreferrer noopener">http://www.antibasic.ga/</A><BR /> <BR /> This will cause the event triggering<BR /> <BR /> Have a nice day<BR /> <BR /> Mon, 11 Dec 2017 14:56:00 GMT Luca_Messori 2017-12-11T14:56:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/integration-of-trend-micro-control-manager-solution-with-extreme/m-p/36744#M4250 I've done a lab on the integration between the TMMC and the Extreme Networks solution using the Distributed IPS connect module present on the EMC server.<BR /> <BR /> <B>Lab environment</B><BR /> Extreme Management Center (EMC) version 8.0.4<BR /> ExtremeControl version 8.0.4<BR /> Trend Micro Control Manager version 6.0 Build 1327<BR /> Trend Micro Officescan version 12.1<BR /> <BR /> <B>Lab network: actors and data flows</B><BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-89672-m7nq6m-Schema_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5990iEBF00AF35816AE51/image-size/large?v=v2&amp;px=999" role="button" title="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-89672-m7nq6m-Schema_inline.png" alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-89672-m7nq6m-Schema_inline.png" /></span></P><BR /> <BR /> All conversations beetween different vendor are done using standard protocols: Trend Micro TMCM speaks with EMC using syslog and EMC speaks with switches using Radius or SNMP.<BR /> <BR /> <B>Lab configurations</B><BR /> <BR /> First of all I have configured TMCM to export via syslog the relevant security events to EMC server:<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-78418-1f5zcf-TMCM_Syslog_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5868i4AE62D6F16614284/image-size/large?v=v2&amp;px=999" role="button" title="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-78418-1f5zcf-TMCM_Syslog_inline.png" alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-78418-1f5zcf-TMCM_Syslog_inline.png" /></span></P><BR /> <BR /> This is a global configuration. After that I have configured TMCM to send only some kind of syslog messages to the EMC (for example C&amp;C botnet callback):<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-70483-1t9vtu8-TMCM_Syslog_events_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1182i21F5E99D225928FD/image-size/large?v=v2&amp;px=999" role="button" title="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-70483-1t9vtu8-TMCM_Syslog_events_inline.png" alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-70483-1t9vtu8-TMCM_Syslog_events_inline.png" /></span></P><BR /> <BR /> In my lab I have configured TMCM in order to not send messages related to blocked malware.<BR /> <BR /> This is all for TMCM.<BR /> <BR /> After that I have configured EMC Distributed IPS Connect module. I have enabled the module:<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-125897-1qsrvjr-EMC_IPS_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5744iA95D067B155D67E4/image-size/large?v=v2&amp;px=999" role="button" title="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-125897-1qsrvjr-EMC_IPS_inline.png" alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-125897-1qsrvjr-EMC_IPS_inline.png" /></span></P><BR /> <BR /> and then I have configured the rules to add infected or hacked host to the Quarantine_MAC group:<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-54337-1o7xcf-EMC_IPS_rules_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/4271i1199D9037AB45AE6/image-size/large?v=v2&amp;px=999" role="button" title="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-54337-1o7xcf-EMC_IPS_rules_inline.png" alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-54337-1o7xcf-EMC_IPS_rules_inline.png" /></span></P><BR /> <BR /> And finally, I have created a NAC rule to move the hosts in Quarantine_MAC Group in a quarantine VLAN. This rule should be placed before other client rules:<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-28316-16u8tol-NAC_Rule_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/373iF2147DF9AC418F23/image-size/large?v=v2&amp;px=999" role="button" title="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-28316-16u8tol-NAC_Rule_inline.png" alt="81abea7522d14c7cb9b0e97d148d30e6_RackMultipart20171207-28316-16u8tol-NAC_Rule_inline.png" /></span></P><BR /> <BR /> Thu, 07 Dec 2017 22:44:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/integration-of-trend-micro-control-manager-solution-with-extreme/m-p/36744#M4250 Luca_Messori 2017-12-07T22:44:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/integration-of-trend-micro-control-manager-solution-with-extreme/m-p/36745#M4251 Hi Luca,<BR /> <BR /> Were you able to simulate any TMCM events to test? Fri, 08 Dec 2017 04:56:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/integration-of-trend-micro-control-manager-solution-with-extreme/m-p/36745#M4251 Dorian_Perry 2017-12-08T04:56:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/integration-of-trend-micro-control-manager-solution-with-extreme/m-p/36746#M4252 The simplest way to test it is uning the C&amp;C botnet callback (as I used).<BR /> <BR /> Once configured, you can simple using a web browser to go to a C&amp;C server like<BR /> <BR /> <A href="http://www.antibasic.ga/" target="_blank" rel="nofollow noreferrer noopener">http://www.antibasic.ga/</A><BR /> <BR /> This will cause the event triggering<BR /> <BR /> Have a nice day<BR /> <BR /> Mon, 11 Dec 2017 14:56:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/integration-of-trend-micro-control-manager-solution-with-extreme/m-p/36746#M4252 Luca_Messori 2017-12-11T14:56:00Z