About relay-enabled agents

To decide if you should enable relay functionality for an agent or not, you should consider a few criteria.

What are relay-enabled Deep Security Agents?

Relays are activated Deep Security Agents that have extra functionality so that they can relay data to other agents. Relays play a key role in transmitting security and software updates from Trend Micro to your protected computers. They download the update from a Trend Micro Update Server, and then allow both Deep Security Manager and the Deep Security Agents on your protected resources to download the update information from them.

Every Deep Security deployment must have at least one relay-enabled agent so that your agents can download security and software updates. Trend Micro recommends that you enable relay functionality for multiple agents to achieve redundancy and optimize bandwidth usage. However, this does not mean that all agents should be a relay. The reason is that the relay functionality consumes a lot of resources so you should only enable enough to provide redundancy for the retrieval of updates. Redundancy is provided for through the use of relay groups. The following sections discuss these points.

Should you enable a relay?

Currently, once you have enabled relay functionality for an agent you can't disable it from the Deep Security Manager. However, you can disable it using a separate tool. For more information, see Disable relay functionality for an agent.

Should you convert an agent to be a relay?

The answer is yes if both are true:

  • There are no relays.
  • The computer is 64-bit and has at least 30 GB of free disk space and 8 GB of memory.

If you already have one relay, you might need more. You can have multiple Deep Security relays.

Don't convert all of your agents to be relays. Too many relays can introduce a delay.  A primary relay must transmit the update to the next relay and so on before the other agents can finally download an update from their relay. Also, a Relay uses more system resources than an Agent. Both can decrease performance instead of improving it.

Number of relays should vary by

  • Redundancy requirements
  • Number of protected computers (deployment scale)
  • Number of network bottlenecks
    A bottleneck occurs when all agents cannot quickly download updates through the same connection, such as a low bandwidth WAN connection between the agents' local network segment and a remote Deep Security Manager / Trend Micro update server. Routers / firewalls / proxies with high system resource usage between them can also be performance bottlenecks. To alleviate bottlenecks, put a Relay inside each bottlenecked network segment.

If you are using Deep Security as a Service, Trend Micro provides and maintains your relays. These relays are in a relay group called the Primary Tenant Relay Group. You might need your own relay only if your environment requires a proxy to access the Internet.

How many relay-enabled agents do I need for my environment?

To achieve redundancy and optimize bandwidth usage in large networks, Trend Micro recommends that you have more than one relay. You can use these guidelines.

Number of agents Number of relay-enabled agents
1 to 10 000 1 to 2
10 000 to 20 000 2 to 3
More than 20 000 3 to 5

The number of relay-enabled agents you need for your environment depends on how many agents will be trying to download update information and how many will need to updated with an certain period of time (for example, 50 agents need to get updates in an hour). The download package size for the initial activation of an agent will be between 50 to 100 MB but typical updates after that will be less than this (usually between 1 and 10 MB).

More relay-enabled agents are needed to roll out updates to endpoints as fast as possible. For example, four relay-enabled agents are needed to roll out a 10 MB update to 20 000 endpoints in 30 minutes but only two are needed to roll out a 10 MB update to 20 000 endpoints in 1-2 hours.

Ensure redundancy with relay groups

Deep Security Agents don't download updates from only one specific relay. Instead, you assign an agent to a relay group. Agents retrieve updates from any relay-enabled agent in that group. As soon as an agent is elevated to a relay role, it is assigned to the Default Relay Group and agents retrieve updates from the Default Relay Group unless configured otherwise. Trend Micro recommends that agents on computers in a particular geographic region or office be configured to download updates from a relay group in the same region.

To improve performance and redundancy, you can create additional relay groups and arrange them in hierarchies to optimize bandwidth. Although there must always be at least one relay group in your environment that downloads security updates from the Trend Micro Update Server, a relay group can also download updates from another relay group. If all contact with an assigned relay group fails, the agent will switch to the parent relay group. From then on, the agent will attempt to contact a member relay-enabled agent from the parent relay group to obtain updates.

For more information on relay groups, see Ensure redundancy with relay groups.

For configuration information, see Configure relays.