Distribute security and software updates with relays

To ensure maximum protection for your Deep Security deployment, there are two components that you must periodically update. Software updates add new features and improvements to the Deep Security Agent, while security updates provide immediate protection against emerging threats.

Deep Security relays help to optimize the distribution of these updates. A relay is an agent that is capable of distributing the software and security updates to other agents. By using relays, you can:

  • Reduce WAN bandwidth costs by shaping update traffic.
  • Provide redundancy to update distribution.

First learn about How relays work, then how to Determine the number of relays to use, and finally how to Configure one or more relays.

You can also Remove relay functionality from an agent if needed.

How relays work

Relays download security updates from the Trend Micro Active Update servers directly through your WAN connection, and software updates from the Deep Security Manager. When you use relays, security and software updates only need to be downloaded once through your WAN connection. Relays then function as update distribution centers and the security and software updates are downloaded by other agents when they are directed to do so by the Deep Security Manager. For more detailed information on security updates and how relays distribute them, see Get and distribute security updates.

Relays are organized into relay groups. Organizing relays into groups ensures that the update load is distributed across multiple relays, and also adds redundancy to your Deep Security deployment.

Relay groups can also be part of a distribution hierarchy. By creating distribution hierarchies for your relay groups, you can further improve performance and bandwidth usage by specifying:

  • Which relay groups an agent should download security and software updates from.
  • The order in which relay groups should download security and software updates from each other.

Determine the number of relays to use

Relays are already provided as part of Deep Security as a Service. Trend Micro strongly recommends that you do not create any additional relays. However, you may need to use additional relays depending on:

Geographic region of agents

Trend Micro recommends that agents download updates from a relay group in the same geographic region. If you have agents in multiple regions, each region should have its own relay group with at least one relay.

Network configuration

Your network configuration may include a low bandwidth WAN connection, routers, firewalls, or proxies between the network segments of agents and a remote Deep Security Manager or Trend Micro Active Update server. These configurations may cause bottlenecks that slow down the distribution of software and security updates. To reduce the impact of these configurations, you should place a relay inside each network segment.

Network bandwidth usage

The download of security and software updates to the agents can be network intensive. You can use relays to shape how your network bandwidth is used to distribute updates. By placing a relay inside a network segment, it becomes the single download source for security and software updates for that segment. Agents will then update from the local relay over the local internal connection instead of the WAN connection, which reduces the overall WAN bandwidth required to download updates.

Usage of application control shared rulesets through a proxy connection

If your deployment uses application control rulesets and agents connect through a proxy, deploying additional relays may help with the distribution of new or updated application control rulesets to the agents. For more information see Deploy application control rulesets via relays.

Sizing recommendations

Before you enable more relays, check that the computers that you want to enable as relays meet the requirements in Deep Security Agent and Relay sizing. Also check that the agent you are using supports the relay feature (see Supported features by platform).

You should only use as many relays as is necessary, because deploying unneeded relays on your network will actually decrease performance. A relay requires more system resources than an ordinary agent.

Configure one or more relays

Relays for Deep Security as a Service are in a relay group named "Primary Tenant Relay Group." To use the "Primary Tenant Relay Group," verify that your computers can connect to the listening port number on Deep Security as a Service.

To configure a relay, you need to:

  1. Create one or more relay groups.
  2. Enable one or more relays.
  3. Assign agents to a relay group.
  4. Configure relay settings for security and software updates.

Create one or more relay groups

Every relay must belong to a relay group. If you installed the Deep Security Relay during the Deep Security Manager installation, a default relay group will have been automatically created. You can also create additional relay groups.

Each agent will try to download updates from a randomly arranged list of the relays in the group it is assigned to. If there's no response from a particular relay, the agent will try another from the list until it can successfully download the update. The list is random for each agent so that the update load is shared evenly across relays in a group.

  1. Go to Administration > Updates > Relay Management.
  2. On the Relay Management window, click New Relay Group. In the Relay Group Properties pane that appears, configure the settings for the relay group:
    • Enter a Name for the relay group.
    • Select an Update Source. The update source determines where the relay group will download and distribute security updates from. The update source can be either:
      • The Primary Security Update Source
        By default, the Primary Security Update Source is the Trend Micro Active Update servers, but you can configure it to be a local mirror instead. A default relay group will always use the Primary Security Update Source. For more information, see Configure a security update source and settings.
      • A parent relay group
        If you have already created other relay groups, you can configure a relay group to use one of them as the update source.

      When selecting an update download source for a relay group, you should select the source that best matches your cost and speed requirements. Even if a relay group is part of a distribution hierarchy, it does not necessarily need to download updates from a relay in a parent group if downloading updates from the Primary Security Update Source would be cheaper or faster.

      To improve performance in very large deployments, create multiple relay groups and arrange relays in a hierarchy: one or more first-level relay groups download updates directly from the Trend Micro Active Update servers, and then second-level relay groups download updates from the first-level group, and so on. However, each group level adds latency, and if there are too many levels of relay groups, the total latency can be greater than the bandwidth optimization provided by relays, resulting in decreased performance.
    • Select the Update Source Proxy (if any) that relays must use to access the primary security update source.

      Deep Security as a Service uses the relays in the Primary Tenant Relay Group by default. Because the Primary Tenant Relay Group acts as the Default Relay Group and the Default Relay Group uses the update source of the primary tenant's Deep Security Manager, you cannot configure an Update Source Proxy for Deep Security as a Service.

      Every relay group can be configured to download security updates through a proxy server, except the Default Relay Group. The Default Relay Group uses the same proxy as Deep Security Manager. See Connect agents behind a proxy and Configure a proxy for anti-malware and rule updates (CLI).

      If the relay group is configured to use the Primary Security Update Source, relays will use this proxy. Otherwise, if this relay group is configured to download security updates from another relay group, relays won't use the proxy unless they can't connect to the parent relay group, and therefore are trying to connect to the Primary Security Update Source.

      Deep Security Agents version 10.0 and earlier do not have support for connections through a proxy to relays. If an application control ruleset download fails due to a proxy, and if your agents require a proxy to access the relay or manager (this includes Deep Security as a Service), then you must either:
  3. Repeat the above steps if you need to create more relay groups.
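
A way to review a planned relay group hierarchy against the update source and proxy rules above, as an added example (not Deep Security code and not its API). The inventory format, the group names, the proxy addresses, and the `max_levels` limit are assumptions chosen by the reviewer; the page gives no numeric limit on levels.

```python
PRIMARY = "Primary Security Update Source"

def source_chain(groups, name):
    """Follow update sources from relay group `name` up to the primary source."""
    chain = [name]
    while groups[chain[-1]]["source"] != PRIMARY:
        parent = groups[chain[-1]]["source"]
        if parent not in groups:
            raise ValueError(f"{chain[-1]}: unknown parent relay group {parent!r}")
        if parent in chain:
            raise ValueError("loop in hierarchy: " + " -> ".join(chain + [parent]))
        chain.append(parent)
    return chain

def audit(groups, max_levels):
    """Return findings for a hierarchy; `max_levels` is the reviewer's own limit."""
    findings = []
    for name, cfg in sorted(groups.items()):
        try:
            level = len(source_chain(groups, name))  # 1 = downloads from the primary source
        except ValueError as err:
            findings.append(str(err))
            continue
        if level > max_levels:
            findings.append(f"{name}: level {level} in the hierarchy (limit {max_levels})")
        if cfg["proxy"] and cfg["source"] != PRIMARY:
            # Per the proxy rule above: only used on fallback to the primary source.
            findings.append(f"{name}: proxy {cfg['proxy']} is used only when the "
                            "parent relay group is unreachable")
    return findings

# Constructed inventory of relay groups (hypothetical names and proxies).
SAMPLE = {
    "hq":     {"source": PRIMARY, "proxy": "proxy-hq:8080"},
    "emea":   {"source": "hq",    "proxy": "proxy-emea:8080"},
    "branch": {"source": "emea",  "proxy": None},
    "lab":    {"source": "lab2",  "proxy": None},
    "lab2":   {"source": "lab",   "proxy": None},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, max_levels=2):
        print(finding)
```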

Enable one or more relays

  1. Go to Administration > Updates > Relay Management.
  2. Click on a relay group to select it.
  3. Click Add Relay.

  4. Select a computer from the Available Agents list and click Enable Relay and Add to Group. You can use the search field to filter the list of computers.

    The computer is added to the relay group, and displays a relay icon.

  5. If Windows Firewall or iptables is enabled on the computer, add a firewall rule that allows incoming connections to the relay's listening port number.
  6. If relays must connect through a proxy, see Connect agents, appliances, and relays to security updates via proxy.

    Newly activated relays will be automatically notified by the Manager to update their security update content.

Assign agents to a relay group

You can either assign an agent to a relay group manually, or you can set up an event-based task to assign agents automatically.

  1. In Deep Security Manager, go to Computers.
  2. Right click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group to use from the list, or from the Computer Details window, use Download Updates From to select the relay group.

Configure relay settings for security and software updates

Deep Security Manager provides additional settings on the Administration > System Settings > Updates page that affect how relays are used to perform security updates.

Security updates

  • Download Patterns for all Regions: If you are operating in multi-tenancy mode and any of your tenants are in other regions, select this option. If this option is deselected, a relay will only download and distribute patterns for the region (locale) that Deep Security Manager was installed in.
  • Use the Primary Tenant Relay Group as my Default Relay Group: Use the Primary Tenant Relay group. By default, the primary tenant gives other tenants access to its relays. This way, tenants don't need to set up their own relays. If you don't want other tenants to share the primary tenant's relays, deselect this option and create separate relays for other tenants.
    If this option is deselected, when you click Administration > Updates > Relay Groups, the relay group name will be "Default Relay Group" rather than "Primary Tenant Relay Group".
    This setting appears only if you have enabled multi-tenant mode.

For information about other security update settings, see Get and distribute security updates.

Remove relay functionality from an agent

You might want to remove the relay functionality from a relay-enabled agent if:

  • You are noticing communication delays because there are too many relay-enabled agents in your environment.
  • The computer where the agent is installed does not meet the minimum system requirements for relay functionality.

Deep Security uses relays to store data when a virtual machine protected by a Deep Security Virtual Appliance is being migrated by vMotion. If your deployment uses vMotion to migrate virtual machines, removing the relay functionality from a given agent may result in a loss of protection to the migrated virtual machine as well as loss of the security events of the virtual appliance.

  1. Go to Administration > Updates > Relay Management.
  2. Click the arrow next to the relay group with the computer you want to remove relay functionality from.
  3. Click on the computer, and then click Remove Relay.

    The agent status will change to "Disabling" and the relay functionality will be removed from the agent.

    It may take up to 15 minutes for the relay functionality to be removed from the agent. If the agent is in the "disabling" state for significantly longer than this, deactivate and reactivate the agent to finish removing relay functionality from the agent.