Distribute security and software updates with relays

To ensure maximum protection for your Deep Security deployment, there are two components that you must periodically update. Software updates add new features and improvements to the Deep Security Agent, while security updates provide immediate protection against emerging threats.

Deep Security relays help to optimize the distribution of these updates. A relay is an agent that is capable of distributing the software and security updates to other agents and virtual appliances. Relays can:

  • Reduce WAN bandwidth costs by shaping update traffic.
  • Provide redundancy to update distribution.

Relays are a mandatory part of a Deep Security deployment. Your deployment must include at least 1 relay.

First learn about How relays work, then how to Determine the number of relays to use, and finally how to Configure one or more relays.

You can also Remove relay functionality from an agent if needed.

How relays work

Relays download security updates from the Trend Micro Active Update servers directly through your WAN connection, and software updates from the Deep Security Manager. When you use relays, security and software updates only need to be downloaded once through your WAN connection. Relays then function as update distribution centers and the security and software updates are downloaded by other agents when they are directed to do so by the Deep Security Manager.

If a relay cannot connect to a Deep Security Manager to download updates, it will download them directly from the Deep Security Download Center.

For more detailed information on security updates and how relays distribute them, see Get and distribute security updates.

Relays are organized into relay groups. Organizing relays into groups ensures that the update load is distributed across multiple relays, and also adds redundancy to your Deep Security deployment.

Relay groups can also be part of a distribution hierarchy. By creating distribution hierarchies for your relay groups, you can further improve performance and bandwidth usage by specifying:

  • Which relay groups an agent should download security and software updates from.
  • The order that relay groups should download security and software updates from each other.

Determine the number of relays to use

Although a Deep Security deployment requires a minimum of 1 relay, as a baseline Trend Micro recommends using at least 2 relays for your deployment. However, you may need to use additional relays depending on:

Geographic region of agents

Trend Micro recommends that agents download updates from a relay group in the same geographic region. If you have agents in multiple regions, each region should have its own relay group with at least one relay.

Network configuration

Your network configuration may include a low bandwidth WAN connection, routers, firewalls, or proxies between the network segments of agents and a remote Deep Security Manager or Trend Micro Active Update server. These configurations may cause bottlenecks that slow down the distribution of software and security updates. To reduce the impact of these configurations, you should place a relay inside each network segment.

Network bandwidth usage

The download of security and software updates to the agents can be network intensive. You can use relays to shape how your network bandwidth is used to distribute updates. By placing a relay inside a network segment, it becomes the single download source for security and software updates for that segment. Agents will then update from the local relay, reducing the overall bandwidth required to download updates from the WAN connection to the local internal connection.

Sizing recommendations

Before you enable more relays, check that the computers that you want to enable as relays meet the requirements in Deep Security Agent and Relay sizing. Also check that the agent version you are using supports the relay feature (see Supported features by platform).

In most deployments, Trend Micro recommends deploying a minimum of 2 relays for redundancy, which can be co-located with a Deep Security Manager. However, as noted above, you should also consider factors such as geographical location, network configuration and network bandwidth when determining how many relays to deploy. If your deployment has a large number of agents (more than 10,000), relays should be deployed on a dedicated system.

You might also want to add more relays if:

  • The network configuration of your environment has changed.
  • You want to provide additional redundancy to update distribution.

You should only use as many relays as are necessary, because deploying unneeded relays on your network will actually decrease performance. A relay requires more system resources than an ordinary agent.

Configure one or more relays

To configure a relay, you need to:

  1. Create one or more relay groups.
  2. Enable one or more relays.
  3. Assign agents to a relay group.
  4. Configure relay settings for security and software updates.

Create one or more relay groups

Every relay must belong to a relay group. If you installed the Deep Security Relay during the Deep Security Manager installation, a default relay group will have been automatically created. You can also create additional relay groups.

Each agent will try to download updates from a randomly arranged list of the relays in the group it is assigned to. If there's no response from a particular relay, the agent will try another from the list until it can successfully download the update. The list is random for each agent so that the update load is shared evenly across relays in a group.

  1. Go to Administration > Updates > Relay Management.
  2. On the Relay Management window, click New Relay Group. In the Relay Group Properties pane that appears, configure the settings for the relay group:
    • Enter a Name for the relay group.
    • Select an Update Source. The update source determines where the relay group will download and distribute security updates from. The update source can be either:
      • The Primary Security Update Source
        By default, the Primary Security Update Source is the Trend Micro Active Update servers, but you can configure it to be a local mirror instead. A default relay group will always use the Primary Security Update Source. For more information, see Configure a security update source and settings.
      • A parent relay group
        If you have already created other relay groups, you can configure a relay group to use one of them as the update source.

      When selecting an update download source for a relay group, you should select the source that best matches your cost and speed requirements. Even if a relay group is part of a distribution hierarchy, it does not necessarily need to download updates from a relay in a parent group if downloading updates from the Primary Security Update Source would be cheaper or faster.

      To improve performance in very large deployments, create multiple relay groups and arrange relays in a hierarchy: one or more first-level relay groups download updates directly from the Trend Micro Active Update servers, and then second-level relay groups download updates from the first-level group, and so on. However, each group level adds latency, and if there are too many levels of relay groups, the total latency can be greater than the bandwidth optimization provided by relays, resulting in decreased performance.
    • Select the Update Source Proxy (if any) that relays must use to access the primary security update source.

      Every relay group can be configured to download security updates through a proxy server, except the Default Relay Group. The Default Relay Group uses the same proxy as Deep Security Manager. See Connect agents behind a proxy and Configure a proxy for anti-malware and rule updates (CLI).

      If the relay group is configured to use the Primary Security Update Source, relays will use this proxy. Otherwise, if this relay group is configured to download security updates from another relay group, relays won't use the proxy unless they can't connect to the parent relay group, and therefore are trying to connect to the Primary Security Update Source.

      Deep Security Agents version 10.0 and earlier do not have support for connections through a proxy to relays. If an application control ruleset download fails due to a proxy, and if your agents require a proxy to access the relay or manager (this includes Deep Security as a Service), then you must either:
  3. Repeat the above steps if you need to create more relay groups.
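The download behavior described above (each agent walks its own randomly ordered list of the relays in its group; a relay pulls from its parent group and falls back to the Primary Security Update Source when no parent relay responds) can be modelled as follows. This is an added illustration, not Trend Micro's code; the group and relay names are constructed sample values.

```python
import random
from dataclasses import dataclass
from typing import Callable, Optional

# Placeholder label for the Primary Security Update Source (Active Update servers or a local mirror).
PRIMARY_SOURCE = "PrimarySecurityUpdateSource"


@dataclass
class RelayGroup:
    name: str
    relays: list                              # relay hostnames (constructed sample values)
    parent: Optional["RelayGroup"] = None     # None means the group downloads from the Primary source


def agent_relay_order(agent_id: str, group: RelayGroup) -> list:
    """Each agent gets its own random ordering of the group's relays. Seeding with the
    agent id keeps that order stable per agent while spreading first choices across agents."""
    order = list(group.relays)
    random.Random(agent_id).shuffle(order)
    return order


def agent_download_from(agent_id: str, group: RelayGroup, reachable: Callable[[str], bool]) -> Optional[str]:
    """Walk the agent's list until a relay responds; None means every relay in the group is down."""
    for relay in agent_relay_order(agent_id, group):
        if reachable(relay):
            return relay
    return None


def relay_update_source(group: RelayGroup, reachable: Callable[[str], bool]) -> str:
    """A relay in `group` pulls from its parent group; if no parent relay responds it falls
    back to the Primary source (the only path on which the group's update-source proxy is used)."""
    if group.parent is not None:
        for relay in group.parent.relays:
            if reachable(relay):
                return relay
    return PRIMARY_SOURCE


def first_choice_counts(group: RelayGroup, agent_ids: list) -> dict:
    """Count how many agents contact each relay first: the load sharing the random list provides."""
    counts = {r: 0 for r in group.relays}
    for agent_id in agent_ids:
        counts[agent_relay_order(agent_id, group)[0]] += 1
    return counts


# Constructed two-level hierarchy: L1 downloads from the Primary source, L2 downloads from L1.
L1 = RelayGroup("Region-A-L1", ["relay-a1", "relay-a2"])
L2 = RelayGroup("Region-A-L2", ["relay-b1", "relay-b2"], parent=L1)
```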

Enable one or more relays

  1. Go to Administration > Updates > Relay Management.
  2. Click on a relay group to select it.
  3. Click Add Relay.

  4. Select a computer from the Available Agents list and click Enable Relay and Add to Group. You can use the search field to filter the list of computers.

    The computer is added to the relay group, and displays a relay icon.

  5. If Windows Firewall or iptables is enabled on the computer, add a firewall rule that allows incoming connections to the relay's listening port number.
  6. If relays must connect through a proxy, see Connect agents, appliances, and relays to security updates via proxy.

    Newly activated relays will be automatically notified by the Manager to update their security update content.

Assign agents to a relay group

You can either assign an agent to a relay group manually, or you can set up an event-based task to assign agents automatically.

  1. In Deep Security Manager, go to Computers.
  2. Right click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group to use from the list, or from the Computer Details window, use Download Updates From to select the relay group.

Configure relay settings for security and software updates

Deep Security Manager provides additional settings on the Administration > System Settings > Updates page that affect how relays are used to perform security and software updates.

Security updates

  • Download Patterns for all Regions: If you are operating in multi-tenancy mode and any of your tenants are in other regions, select this option. If this option is deselected, a relay will only download and distribute patterns for the region (locale) that Deep Security Manager was installed in.
  • Use the Primary Tenant Relay Group as my Default Relay Group (for unassigned Relays): By default, the primary tenant gives other tenants access to its relays. This way, tenants don't need to set up their own relays. If you don't want other tenants to share the primary tenant's relays, deselect this option and create separate relays for other tenants.
    If this option is deselected, when you click Administration > Updates > Relay Groups, the relay group name will be "Default Relay Group" rather than "Primary Tenant Relay Group".
    This setting appears only if you have enabled multi-tenant mode.

For information about other security update settings, see Get and distribute security updates.

Software updates

  • The Allow Relays to download software updates from Trend Micro Download Center when Deep Security Manager is not accessible option is useful when your Deep Security Manager is in an enterprise environment and you are managing computers in a cloud environment. If you enable this option and configure a relay in the cloud, the relay will be able to get software updates directly from the Download Center, removing the need for manual software upgrades or opening port numbers into your enterprise environment from the cloud.

For information about other software update settings, see About upgrades.

Remove relay functionality from an agent

You might want to remove the relay functionality from a relay-enabled agent if:

  • You are noticing communication delays because there are too many relay-enabled agents in your environment.
  • The computer where the agent is installed does not meet the minimum system requirements for relay functionality.

Deep Security uses relays to store data when a virtual machine protected by a Deep Security Virtual Appliance is being migrated by vMotion. If your deployment uses vMotion to migrate virtual machines, removing the relay functionality from a given agent may result in a loss of protection for the migrated virtual machine as well as loss of the virtual appliance's security events.

The procedure for removing relay functionality differs depending on whether the agent version is 10.2 or later, or 10.1 or earlier.

10.2 or later

  1. Go to Administration > Updates > Relay Management.
  2. Click the arrow next to the relay group with the computer you want to remove relay functionality from.
  3. Click on the computer, and then click Remove Relay.

    The agent status will change to "Disabling" and the relay functionality will be removed from the agent.

    It may take up to 15 minutes for the relay functionality to be removed from the agent. If the agent is in the "disabling" state for significantly longer than this, deactivate and reactivate the agent to finish removing relay functionality from the agent.

10.1 or earlier

If you use multi-factor authentication with Deep Security Manager, you will need to temporarily disable it before proceeding. For information on how to do this, see Set up multi-factor authentication.

  1. Go to Administration > System Settings > Advanced in the Deep Security Manager, click Enabled - Access the WSDL at: in the SOAP Web Service API section, and click Save.

  2. Download the Disable Relay Tool: https://s3.amazonaws.com/customerscripts/Deep-Security-Disable-Relays.exe.
  3. Run the tool on any Windows computer that can communicate with the computer where the Deep Security Manager is installed.
  4. Enter the IP address and port of the Deep Security Manager and your administrator user name and password when prompted.
  5. If you are using Deep Security as a Service or a multi-tenant Deep Security Manager, you also have to enter the tenant name.
  6. Click OK when you have finished entering the information required for the tool to communicate with the Deep Security Manager.

  7. Select all of the servers with relay-enabled agents that you want to downgrade from the list retrieved by the Disable Relay Tool and click Disable Relay On Select Hosts in the lower left corner.
  8. Leave the tool open and click Refresh Relay List to monitor the progress of the downgrade. It can take up to 15 minutes to downgrade the agents on the servers you selected.
  9. After a relay-enabled agent has been downgraded to a normal agent and no longer appears in the list of servers in the Disable Relay Tool, you should remove the relay files in the following locations for that agent:
    • Windows: C:\ProgramData\Trend Micro\Deep Security Agent\relay
    • Linux: /var/opt/ds_agent/relay