Distribute security and software updates with relays

A relay is an agent that is capable of distributing software and security updates to other agents on your network. By using relays, you can:

  • Reduce WAN bandwidth costs by shifting update traffic from your WAN to your LAN.
  • Ensure that the speed of updates keeps pace with the growth of your deployment.
  • Increase the speed of agent updates.
  • Reduce CPU and bandwidth load on the Deep Security Manager.
  • Provide redundancy to update distribution.

First learn about How relays work, then how to Determine the number of relays to use, and finally how to Configure one or more relays.

You can also Remove relay functionality from an agent if needed.

How relays work

Relays download security updates from the Trend Micro Active Update servers directly through your WAN connection, and software updates from the Deep Security Manager. When you use relays, security and software updates only need to be downloaded once through your WAN connection. Relays then function as update distribution centers on your LAN, sending the security and software updates to other agents when they request them.

For more detailed information on how relays distribute updates, see Get and distribute security updates.

Relay groups

Relays are organized into relay groups. Organizing relays into groups ensures that the update load is distributed across multiple relays, and also adds redundancy to your Deep Security deployment.

A Deep Security deployment needs at least one relay group. Every relay belongs to a relay group, even if it is the only relay in the group. Agents download updates from a default relay group, but you can create additional relay groups.

Each agent will try to download updates from a randomly arranged list of the relays in the group it is assigned to. If there's no response from the relay, the agent will try another from the list until it can successfully download the update. The list is random for each agent so that the update load is shared evenly across relays in a group.
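The selection and failover behaviour described above can be modelled as follows. This is an added example, not Trend Micro's agent code; the relay names, the agent count and the `reachable` set are constructed assumptions.

```python
import random
from collections import Counter

def relay_order(relays, rng):
    """Return this agent's own randomly arranged copy of the group's relay list."""
    order = list(relays)
    rng.shuffle(order)
    return order

def fetch_update(order, reachable):
    """Try relays in list order; return (relay_that_served, attempts).

    If no relay in the group responds, return (None, attempts): the agent
    stays on its old update content until a relay becomes reachable again.
    """
    for attempts, relay in enumerate(order, start=1):
        if relay in reachable:
            return relay, attempts
    return None, len(order)

def simulate(relays, reachable, agents=6000, seed=1):
    """Model `agents` agents in one relay group requesting the same update."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    served = Counter()         # relay -> number of agents it served
    failed = 0                 # agents that could not reach any relay
    retries = 0                # attempts wasted on unresponsive relays
    for _ in range(agents):
        relay, attempts = fetch_update(relay_order(relays, rng), reachable)
        if relay is None:
            failed += 1
        else:
            served[relay] += 1
            retries += attempts - 1
    return served, failed, retries

GROUP = ["relay-a", "relay-b", "relay-c"]  # constructed relay names

if __name__ == "__main__":
    # All relays up, one relay down, whole group down.
    for up in (set(GROUP), {"relay-a", "relay-c"}, set()):
        served, failed, retries = simulate(GROUP, up)
        print(sorted(up), dict(served), "failed:", failed, "retries:", retries)
```

With one relay unreachable, every agent is still served and the load splits evenly across the remaining relays; with the whole group unreachable, every agent fails, which is why a single-relay group provides no redundancy.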

Determine the number of relays to use

The number of relays you need depends on the:

Number of agents

The following table shows how many relays you should use for a given agent deployment size:

Number of agents      Recommended number of relays
1 to 10 000           1 to 2
10 000 to 20 000      2 to 3
More than 20 000      3 to 5

Geographic region of agents

Trend Micro recommends that agents download updates from a relay group in the same geographic region, preferably the same local network. If you have agents in multiple regions, you should have at least one relay group for each region.

Network configuration and bandwidth

Your network configuration may contain performance bottlenecks such as a low bandwidth WAN connection, or high system resource usage in routers, firewalls, or proxies that sit between local network segments of agents and a remote Deep Security Manager or Trend Micro Active Update server. To alleviate bottlenecks, put a relay inside each bottlenecked network segment.

Frequency of agent updates

If you update your agents frequently, adding additional relays may help improve the speed of update distribution.

The size of the download for initial agent activation is usually between 50 and 100 MB; updates after that are usually smaller, between 1 and 10 MB. For example, 50 agents might need updates in 1 hour. If there were no relay on that subnet, the maximum update bandwidth would be about 5 GB/hour, but most updates would need 50 - 500 MB/hour. By adding 1 relay on that subnet, the required bandwidth would be reduced to 100 MB/hour maximum, and 1 - 10 MB/hour usually.

In most cases, adding more relays provides faster updates, but make sure that you only use as many relays as is necessary. For example, 2 relays are required to provide a 10 MB update to 20,000 agents in 1-2 hours, but 4 relays provide the same update in 30 minutes.

Sizing recommendations

Before you enable more relays, check that the computers that you want to enable as relays meet the Deep Security Relay system requirements.

The Deep Security Manager requires at least one relay per deployment. However, Trend Micro recommends that you:

  • Install one relay locally with the Deep Security Manager to ensure availability.
  • Add an additional relay for redundancy.

You might also want to add more relays if:

  • The number of protected computers in your environment has increased.
  • The network configuration of your environment has changed.
  • You want to provide additional redundancy to update distribution.

You should only use as many relays as is necessary, because deploying unneeded relays on your network will actually decrease performance. A relay requires more system resources than an ordinary agent.

Configure one or more relays

To configure a relay, you need to:

  1. Create one or more relay groups.
  2. Enable one or more relays.
  3. Assign agents to a relay group.
  4. Configure relay settings for security and software updates.

Create one or more relay groups

  1. Go to Administration > Updates > Relay Management.
  2. On the Relay Management window, click New Relay Group. In the Relay Group Properties pane that appears, configure the settings for the relay group:
    • Enter a Name for the relay group.
    • Select an Update Source from which this relay group will download and distribute security updates: either "Primary Security Update Source", or a parent relay group.

      The Default Relay Group will always use the "Primary Security Update Source", which is usually the Trend Micro Active Update servers but can be configured to download security updates from a local mirror. (See Configure a security update source and settings.)

      To create a relay group hierarchy, select a parent relay group. This relay group will download updates from its parent group.

      To improve performance in very large deployments, create multiple relay groups and arrange relays in a hierarchy: one or more first-level relays download updates directly from the Trend Micro Active Update servers, and then second-level relay groups download updates from the first-level group, and so on. However, each group level adds latency, and if there are too many levels of relay groups, the total latency can be greater than the bandwidth optimization provided by relays, resulting in decreased performance.
    • Select the Update Source Proxy (if any) that relays must use to access the primary security update source.

      Every relay group can be configured to download security updates through a proxy server, except the Default Relay Group. The Default Relay Group uses the same proxy as Deep Security Manager. See Connect agents behind a proxy and Configure a proxy for anti-malware and rule updates (CLI).

      If the relay group is configured to use the Primary Security Update Source, relays will use this proxy. Otherwise, if this relay group is configured to download security updates from another relay group, relays won't use the proxy unless they can't connect to the parent relay group, and therefore are trying to connect to the Primary Security Update Source.

      Deep Security Agents version 10.0 and earlier do not have support for connections through a proxy to relays. If an application control ruleset download fails due to a proxy, and if your agents require a proxy to access the relay or manager (this includes Deep Security as a Service), then you must either:
  3. Repeat the above steps if you need to create more relay groups.

Enable one or more relays

  1. Go to Administration > Updates > Relay Management.
  2. Click on a relay group to select it.
  3. Click Add Relay.

  4. Select a computer from the Available Agents list and click Enable Relay and Add to Group. You can use the search field to filter the list of computers.

    The computer is added to the relay group, and displays a relay icon.

  5. If Windows Firewall or iptables is enabled on the computer, add a firewall rule that allows incoming connections to the relay's listening port number.
  6. If relays must connect through a proxy, see Connect agents, appliances, and relays to security updates via proxy.

    Newly activated relays will be automatically notified by the Manager to update their security update content.

Assign agents to a relay group

You can either assign an agent to a relay group manually, or you can set up a scheduled task to assign agents automatically.

  1. In Deep Security Manager, go to Computers.
  2. Right click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group to use from the list, or from the Computer Details window, use Download Updates From to select the relay group.

Configure relay settings for security and software updates

Deep Security Manager provides additional settings on the Administration > System Settings > Updates page that affect how relays are used to perform security and software updates.

Security updates

  • Allow supported 8.0 and 9.0 Agents to be updated: Select this option if you require support for agents on Windows 2000, AIX, HP-UX, or Solaris. By default, Deep Security Manager does not download updates for Deep Security Agent 9.0 and earlier, because for most platforms, Deep Security Manager 10.3 does not support them (see System requirements). This reduces disk usage because older agents and appliances have a different update package format. However, those platforms do not have newer agent versions, and therefore require the older package format.
  • Download Patterns for all Regions: If you are operating in multi-tenancy mode and any of your tenants are in other regions, select this option. If this option is deselected, a relay will only download and distribute patterns for the region (locale) that Deep Security Manager was installed in.
  • Use the Primary Tenant Relay Group as my Default Relay Group (for unassigned Relays): By default, the primary tenant gives other tenants access to its relays. This way, tenants don't need to set up their own relays. If you don't want other tenants to share the primary tenant's relays, deselect this option and create separate relays for other tenants.
    If this option is deselected, when you click Administration > Updates > Relay Groups, the relay group name will be "Default Relay Group" rather than "Primary Tenant Relay Group".
    This setting appears only if you have enabled multi-tenant mode.

For information about other security update settings, see Get and distribute security updates.

Software updates

  • The Allow Relays to download software updates from Trend Micro Download Center when Deep Security Manager is not accessible option is useful when your Deep Security Manager is in an enterprise environment and you are managing computers in a cloud environment. If you enable this option and configure a relay in the cloud, the relay will be able to get software updates directly from the Download Center, removing the need for manual software upgrades or opening port numbers into your enterprise environment from the cloud.

For information about other software update settings, see Update Deep Security software.

Remove relay functionality from an agent

You might want to remove the relay functionality from a relay-enabled agent if:

  • You are noticing communication delays because there are too many relay-enabled agents in your environment.
  • The computer where the agent is installed does not meet the minimum system requirements for relay functionality.

Deep Security uses relays to store VMotion data. If your deployment uses VMotion to migrate virtual machines, removing the relay functionality from a given agent or virtual appliance may disrupt the migration process.

Deep Security uses relays to store data when a virtual machine protected by a Deep Security virtual appliance is being migrated by VMotion. If your deployment uses VMotion to migrate virtual machines, removing the relay functionality from a given agent may result in a loss of protection to the migrated virtual machine as well as loss of the security events of the virtual appliance.

The procedure for removing relay functionality differs depending on whether the agent version is 10.2 or later, or 10.1 or earlier.

10.2 or later

  1. Go to Administration > Updates > Relay Management.
  2. Click on the arrow next to the relay group with the computer you want to remove relay functionality from.
  3. Click on the computer, and then click Remove Relay.

    The agent status will change to "Disabling" and the relay functionality will be removed from the agent.

    It may take up to 15 minutes for the relay functionality to be removed from the agent. If the agent is in the "disabling" state for significantly longer than this, deactivate and reactivate the agent to finish removing relay functionality from the agent.

10.1 or earlier

If you use multi-factor authentication with Deep Security Manager, you will need to temporarily disable it before proceeding. For information on how to do this, see Set up multi-factor authentication.

  1. Go to Administration > System Settings > Advanced in the Deep Security Manager, click Enabled - Access the WSDL at: in the SOAP Web Service API section, and click Save.

  2. Download the Disable Relay Tool: https://s3.amazonaws.com/customerscripts/Deep-Security-Disable-Relays.exe.
  3. Run the tool on any Windows computer that can communicate with the computer where the Deep Security Manager is installed.
  4. Enter the IP address and port of the Deep Security Manager and your administrator user name and password when prompted.
  5. If you are using Deep Security as a Service or a multi-tenant Deep Security Manager, you also have to enter the tenant name.
  6. Click OK when you have finished entering the information required for the tool to communicate with the Deep Security Manager.

  7. Select all of the servers with relay-enabled agents that you want to downgrade from the list retrieved by the Disable Relay Tool and click Disable Relay On Select Hosts in the lower left corner.
  8. Leave the tool open and click Refresh Relay List to monitor the progress of the downgrade. It can take up to 15 minutes to downgrade the agents on the servers you selected.
  9. After a relay-enabled agent has been downgraded to a normal agent and no longer appears in the list of servers in the Disable Relay Tool, you should remove the relay files in the following locations for that agent:
    • Windows: C:\ProgramData\Trend Micro\Deep Security Agent\relay
    • Linux: /var/opt/ds_agent/relay