Configure relays

Deep Security Relays are agents where you have enabled the relay feature, which is available in Deep Security Agent 9.5 or newer for Windows and Linux [64-bit only].

Relays update your agents more quickly, reduce manager load, and save internet connection or WAN bandwidth. For more information, see How do relays work?

Every Deep Security deployment needs at least one relay group so that your agents and appliances can download security updates and software, but to optimize performance, you should usually have more relays. For sizing information, see Sizing for Deep Security Relays.

Currently, once you have enabled the relay feature, you can't use Deep Security Manager to disable it. However, you can either delete and re-install the agent, or disable it using a separate tool. See Disable the relay feature on an agent.

To configure Deep Security Relays, you will need to do the following:

  1. Determine if you should enable more relays.
  2. Enable a relay.
  3. Create relay groups.

Determine if you should enable more relays

Enable a relay if:

If you use Deep Security as a Service, Trend Micro provides relays with the service. These are in a relay group named "Primary Tenant Relay Group." You don't need to create your own relay, unless:

To use "Primary Tenant Relay Group," verify that your computers can connect to the listening port number on Deep Security as a Service.

Trend Micro recommends using at least two relays for redundancy. The exact number of relays you should have varies by:

  • Redundancy requirements
  • Geographic locations

    Trend Micro recommends that agents download updates from a relay group in the same geographic region, preferably the same local network.
  • Number of protected computers (deployment scale)
  • Number of network bottlenecks or maximum bandwidth

    A bottleneck occurs when all agents cannot quickly download updates through the same connection, such as a low bandwidth WAN connection between the agents' local network segment and a remote Deep Security Manager or Trend Micro update server. Alerts can occur if this happens. Routers, firewalls, or proxies with high system resource usage between agents and the update source can also be performance bottlenecks. To alleviate bottlenecks, put a relay inside each bottlenecked network segment.

Don't convert all of your agents to be relays because too many relays can cause a delay. A relay requires more system resources than an ordinary agent. Also, a primary relay must transmit the update to the next relay and so on before the other agents can finally download an update from their relay; each hop adds some latency. If there are too many layers of relay groups, total latency can add more time than the relays' bandwidth optimization saves. Both can decrease performance instead of improving it.

Sizing for Deep Security Relays

Number of agents     Recommended number of relays
1 to 10 000          1 to 2
10 000 to 20 000     2 to 3
More than 20 000     3 to 5

The recommended number of relays depends on how many agents will need updates within a period of time. The size of the download for initial agent activation is usually between 50 and 100 MB; updates after that are usually smaller, between 1 and 10 MB.

For example, 50 agents might need updates in 1 hour. If there were no relay on that subnet, the maximum update bandwidth would be about 5 GB/hour, but most updates would need 50 - 500 MB/hour. By adding 1 relay on that subnet, the required bandwidth would be reduced to 100 MB/hour maximum, and 1 - 10 MB/hour usually.

In most cases, adding more relays provides faster updates. For example, 2 relays are required to provide a 10 MB update to 20,000 agents in 1-2 hours, but 4 relays provide the same update in 30 minutes.

Enable a relay

Currently, once you have enabled relay functionality for an agent, you can't disable it from the Deep Security Manager. However, you can either delete and re-install the agent, or disable the relay feature using a separate tool. See Disable the relay feature on an agent.
  1. Install and activate agents.
  2. Go to Computers.
  3. Double-click a computer that meets Deep Security Relay system requirements.
  4. Go to Overview > Actions > Software.
  5. Click Enable Relay.

    If the Enable Relay button is not visible:
    1. Verify that the agent is activated.
    2. Verify that the agent is not already a relay.
    3. Go to Administration > Updates > Software > Local and verify that the corresponding package has been imported.
    4. Verify that the computer is running a 64-bit version of the agent software.

    The computer's icon will change from an ordinary computer to a computer with a relay. To view the number of updates that the relay is ready to distribute, click the Preview icon to display the preview pane.

  6. If Windows Firewall or iptables is enabled on the computer, add a firewall rule that allows incoming connections to the relay's listening port number.
  7. If relays must connect through a proxy, see Configuring relay groups to use a proxy server.

    When you enable a relay, initially it is assigned to the default relay group. Continue with Create relay groups if you want to arrange relays in multiple relay groups.

Create relay groups

By default, agents retrieve updates from the default relay group. See View relay groups.

To improve performance, optimize bandwidth, and have redundancy, you can create more relay groups and arrange them in hierarchies. Relay groups provide redundancy and distribute load for updates. When the agent tries to download updates, if the initial relay doesn't respond, then the agent randomly selects another member relay from the group to update from. Each agent's relay list is randomized, so each agent tries its relays in a different order. Because of that, each relay provides updates for some of the group's assigned agents.
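The failover behaviour described above, as a simplified model added here (not Trend Micro's agent code): each simulated agent shuffles the group's relay list and uses the first relay that responds. The relay names, agent count and fixed seed are constructed for the illustration.

```python
import random
from collections import Counter


def pick_relay(relay_list, is_up):
    """Return the first relay in this agent's list that responds, or None."""
    for relay in relay_list:
        if is_up(relay):
            return relay
    return None


def simulate_group(relays, down, agents, seed=0):
    """Simplified model: every agent gets its own shuffled copy of the
    group's relay list and walks it until a relay responds."""
    rng = random.Random(seed)            # fixed seed so the run is repeatable
    load = Counter({r: 0 for r in relays})
    unserved = 0
    for _ in range(agents):
        order = relays[:]                # per-agent copy of the member list
        rng.shuffle(order)               # each agent tries relays in its own order
        chosen = pick_relay(order, lambda r: r not in down)
        if chosen is None:
            unserved += 1                # no relay in the group answered
        else:
            load[chosen] += 1
    return dict(load), unserved


if __name__ == "__main__":
    group = ["relay-a", "relay-b", "relay-c"]    # constructed names
    # Healthy group, one relay down, and the whole group down.
    for down in (set(), {"relay-b"}, set(group)):
        load, unserved = simulate_group(group, down, agents=3000)
        print(f"down={sorted(down)} load={load} unserved={unserved}")
```

With one relay down, the surviving members absorb its share and no agent goes without updates; a group with a single relay has no such fallback, which is why at least two relays are recommended.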

Newly activated relays will be automatically notified by the Manager to update their Security Update content.
  1. Enable the relay feature on agents that you want to act as relays.
  2. Go to Administration > Updates > Relay Groups.
  3. Click New. Follow the wizard to create and name your relay group, and to assign relays to it.

    Trend Micro recommends that agents download updates from a relay group in the same geographic region, preferably the same local network.
  4. Select the relay group's parent relay group to create the relay group hierarchy. This relay group will download updates from its parent group, if any.

    For the primary relay group, in the Download Updates From section, from Primary Security Update Source, select an update source URL. (These are configured in the relays section on Administration > System Settings > Updates.)

    To improve performance in very large deployments, create multiple relay groups and arrange relays in a hierarchy: one or a few first-level relays download updates directly from the Trend Micro Active Update servers, and then second-level relay groups download updates from the first-level group, and so on.
  5. Repeat these steps if you need to create more relay groups.

Assign an agent to a relay group

If you didn't assign the agent when you created relay groups, you can either assign an agent to a relay group manually, or you can set up a scheduled task to do this.

  1. Create relay groups if needed to optimize bandwidth and update speed.
  2. Go to Computers.
  3. Right-click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  4. Select the relay group to use from the list, or from the Computer Details window, use Download Updates From to select the relay group.

Configuring relay groups to use a proxy server

Every relay group can be configured to download security updates through a proxy server, except the default relay group. The default relay group uses the same proxy as Deep Security Manager. See Connect agents behind a proxy and Configure a proxy for anti-malware and rule updates (CLI).

In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays. If the ruleset download fails due to a proxy, and if either your agents require a proxy to access the relay or manager (including Deep Security as a Service), then you must either:
  1. In Deep Security Manager, go to Administration > System Settings > Proxies and then click New to define the proxy.
  2. Go to Administration > Updates > Relay Groups.
  3. Double-click a relay group to display its Properties window.
  4. On the Proxies tab, select the proxy server from the Primary Security Update Proxy list.
  5. Click OK.
  6. Restart agents that will use the proxy.