Configure relays

Instead of directly connecting to Trend Micro Active Update servers, Deep Security Agent can connect to a Deep Security Relay or relay group. This has multiple benefits, such as saving bandwidth on the WAN interface that connects to your ISP and updating all of your agents more quickly. (The relay will download updates over your Internet connection once, then redistribute files to agents on your internal network. In comparison, without a relay, thousands of computers might be trying to download their updates over your Internet connection at the same time. This can cause slow Internet access, and delay how quickly agents receive their updates.)

If you use Deep Security as a Service, your agents usually won't require you to configure a relay, unless they connect through a proxy, or you want to optimize performance by reducing network utilization.

For more general information on relays, see About relay-enabled agents.

Enable a relay

Currently, once you have enabled relay functionality for an agent you can't disable it from the Deep Security Manager. However, you can disable it using a separate tool. For more information, see Disable relay functionality for an agent.

Relays are activated Deep Security Agents that have extra functionality so that they can relay data to other agents. Relays play a key role in transmitting security and software updates from Trend Micro to your protected computers. They download the update from a Trend Micro Update Server, and then allow both Deep Security Manager and the Deep Security Agents on your protected resources to download the update information from them.

Every Deep Security deployment must have at least one relay-enabled agent so that your agents can download security and software updates. You might already have a Relay, or you might need more Relays. For details, see Should you enable a relay?.

  1. Go to Computers.
  2. Double-click a computer that is running an activated 64-bit Windows or Linux agent and has at least 30 GB of free disk space and 8 GB of memory.
  3. Go to Overview > Actions > Software.
  4. Click Enable Relay.
  5. In the Deep Security Manager, on the Computers page, the computer's icon will change from the ordinary computer icon to the computer with Relay-enabled Agent icon. Click the Preview icon to display the Preview Pane, where you can see the number of Update components the Relay Module is ready to distribute.
  6. If you cannot see the Enable Relay button:
    1. Check whether the agent is activated. It must be activated before the relay functionality is enabled.
    2. Check whether the agent is already relay-enabled. If the agent is already relay-enabled, the button will not be visible.
    3. Go to Administration > Updates > Software > Local and check whether the corresponding package has been imported.
    4. Check that the computer is running a 64-bit version of the agent software.

If you are running Windows Firewall or iptables, you also need to add a firewall rule that allows incoming connections to the relay's listening port number.

If you are using Deep Security as a Service (DSaaS), relay-enabled agents are provided for you as part of the service and maintained by Trend Micro. These relay-enabled DSaaS agents are in a relay group called the "Primary Tenant Relay Group". To ensure connection with the Primary Tenant Relay Group, make sure your instances can connect to the listening port number on Deep Security as a Service.

This means that as a DSaaS user, you only have to enable relay functionality for an agent if your environment requires a proxy to access the internet. See Protect workloads requiring a proxy for outbound connection.

Ensuring redundancy with relay groups

Newly enabled relays are assigned to the Default relay group until they have been assigned to a relay group. Agents retrieve updates from the Default relay group unless configured otherwise. To improve performance and redundancy, you can create additional relay groups and arrange them in hierarchies to optimize bandwidth.

Create relay groups

Relay groups allow the load to be automatically distributed and provide redundancy. When the agent attempts to download updates, if the initial relay fails to respond, then the agent randomly selects another member relay from the group to update from. Since the list is shuffled by each agent, they each contact the relays in a different order.

Newly activated relays will be automatically notified by the Manager to update their Security Update content.

  1. After installing and activating your Relays, go to Administration > Updates > Relay Groups.
  2. Click New, and use the relay groups wizard to create and name your relay group and to select the relays that are members of this group.
  3. For the primary relay group, in the Download Updates From section, select Primary Security Update Source. This setting will download updates from the Update source URL configured in the relays section on the Administration > System Settings > Updates tab.
  4. Repeat step 2 to create more relay groups.

Create a relay group hierarchy

Relays always retrieve updates from the next group up the relay group hierarchy or from the Trend Micro update servers. They never retrieve updates from other relays in the same relay group.

To create a hierarchy, in Download Updates From, select the source for your new relay group to be an existing relay group.
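
The relay selection described under "Create relay groups" and the hierarchy rule above can be modelled together to check a planned layout before building it. This is an added example, not Trend Micro code: the group and relay names are constructed, the shuffle-then-try-in-order logic is a simplified model of the agent behaviour described on this page, and the loop check is an assumed planning aid rather than a documented Deep Security feature.

```python
import random

PRIMARY = "Primary Security Update Source"
# Constructed sample topology; group and relay names are hypothetical.
GROUPS = {
    "HQ": {"source": PRIMARY, "relays": ["hq-relay-1", "hq-relay-2"]},
    "Branch": {"source": "HQ",
               "relays": ["br-relay-1", "br-relay-2", "br-relay-3"]},
}

def update_path(groups, name):
    """Follow 'Download Updates From' upward; reject unknown groups and loops."""
    path = []
    while name != PRIMARY:
        if name not in groups:
            raise ValueError(f"unknown relay group: {name}")
        if name in path:
            raise ValueError("relay group loop: " + " -> ".join(path + [name]))
        path.append(name)
        name = groups[name]["source"]
    return path + [PRIMARY]

def pick_relay(relays, is_up, rng):
    """Shuffle the group's relay list, then use the first relay that responds."""
    order = list(relays)
    rng.shuffle(order)  # each agent gets its own order
    for relay in order:
        if is_up(relay):
            return relay
    return None  # no relay in the group responded

def simulate(groups, group, agents, down=frozenset(), seed=0):
    """Return (agents per relay, agents left without any reachable relay)."""
    rng = random.Random(seed)
    relays = groups[group]["relays"]
    counts = {r: 0 for r in relays}
    unserved = 0
    for _ in range(agents):
        relay = pick_relay(relays, lambda r: r not in down, rng)
        if relay is None:
            unserved += 1
        else:
            counts[relay] += 1
    return counts, unserved

if __name__ == "__main__":
    print(update_path(GROUPS, "Branch"))
    print(simulate(GROUPS, "Branch", 3000))
    print(simulate(GROUPS, "Branch", 3000, down={"br-relay-1"}))
```

With one relay marked as down, every agent in the model is still served by the remaining members, and agents are left without updates only when all relays in their group are unreachable.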

Assign an agent to a relay group

You can assign an agent to a relay group manually or you can set up a scheduled task to do this.

  1. From the Computers page, right-click the selected computer and select Actions > Assign Relay Group. Select the relay group to use from the list, or from the Computer Details window, use Download Updates From to select the relay group.
  2. To assign multiple computers, from the Computers page, shift-click or ctrl-click on selected computers in the list. Select Actions > Assign Relay Group. Select the relay group that you want all the selected computers to use from the list.

Configuring relays to use a proxy server

Each relay group (except the Default relay group) can be configured to use a separate proxy server to connect to Trend Micro to retrieve security updates. The Default relay group uses the same proxy to connect to the Internet as Deep Security.

  1. Add a new proxy server by going to Administration > System Settings > Proxies in Deep Security Manager and clicking New.
  2. Go to Administration > Updates > Relay Groups and double-click a relay group to display its Properties window.
  3. On the Proxies tab, select the proxy server from the Primary Security Update Proxy list.
  4. Click OK.

For more information, refer to Protect workloads requiring a proxy for outbound connection.