Deep Security 10.2 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.

Deploy application control rulesets via relays

For an overview of the application control module, see Lock down software with application control.

Each time you create an application control ruleset or change it, it must be distributed to all computers that use it. Shared rulesets are bigger than local rulesets. Shared rulesets are also often applied to many servers. If they all downloaded the ruleset directly from the manager at the same time, high load could cause slower performance. Global rulesets have the same considerations.

Using Deep Security Relays can solve this problem.

Steps vary by whether or not you have a multi-tenant deployment.

Single tenant deployments

Go to Administration > System Settings > Advanced and then select Serve application control rulesets from relays.

Multi-tenant deployments

The primary tenant (t0) can't access other tenants' (tN) configurations, so t0 relays don't have tN application control rulesets. (Other features like IPS don't have this consideration, because their rules come from Trend Micro, not a tenant.)

Other tenants (Tn) must create their own relay group, then select Serve application control rulesets from relays.

Verify compatibility with your deployment before using relays. If the agent doesn't have any previously downloaded ruleset currently in effect, and if it doesn't receive new application control rules, then the computer won't be protected by application control. If application control ruleset download fails, a ruleset download failure event will be recorded on the manager and on the agent.

Relays might either change performance, break application control ruleset downloads, or be required; it varies by proxy location, multi-tenancy, and global/shared vs. local rulesets.

Required for...	Faster performance for...	Slower performance for...	Don't enable for...
Agent > Proxy > Manager In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays. If a ruleset download fails due to a proxy, and if your agents require a proxy to access the relay or manager (including Deep Security as a Service), then you must either: update agents' software, then configure the proxy bypass the proxy add a relay and then select Serve application control rulesets from relays	Shared rulesets Global ruleset	Local rulesets	Multi-tenant configurations when non-primary tenants (tN) use the default, primary (t0) relay group: Agent (tN) > DSR (t0) > DSM (tN) Agent (tN) > Proxy > DSR (t0) > DSM (tN)

Required for...

Faster performance for...

Slower performance for...

Don't enable for...

Agent > Proxy > Manager

In Deep Security Agent 10.0 GA and earlier, agents didn't have support for connections through a proxy to relays. If a ruleset download fails due to a proxy, and if your agents require a proxy to access the relay or manager (including Deep Security as a Service), then you must either:

update agents' software, then configure the proxy
bypass the proxy
add a relay and then select Serve application control rulesets from relays

Shared rulesets

Global ruleset

Local rulesets

Multi-tenant configurations when non-primary tenants (tN) use the default, primary (t0) relay group:

Agent (tN) > DSR (t0) > DSM (tN)
Agent (tN) > Proxy > DSR (t0) > DSM (tN)