Deploy additional relays

After deploying your first Deep Security Relay, you should deploy at least one more for redundancy and load-balancing reasons. You may even need to deploy more depending on the size and scope of your deployment.

When deploying relays, you must:

  1. Plan the best number and location of relays
  2. Configure the update source
  3. Configure relays
Too many relays on your network will decrease performance — not improve it. A relay requires more system resources than an ordinary agent. Extra relays might be competing for bandwidth, too, instead of minimizing external connections. If required, you can convert a relay back to a normal Deep Security Agent. See Remove relay functionality from an agent.

Plan the best number and location of relays

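The optimal number and placement of relays depends on geographic region and distance, network architecture and bandwidth limits, and whether the environment is air-gapped.

(Figure: Deep Security update diagram)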

Geographic region and distance

Ideally, each geographic region should have its own relay group with at least 2 relays.

Agents should use local relays in their same geographic region. Long distance and network latency can slow down update redistribution. Downloading from other geographic regions can also increase network bandwidth and/or cloud costs.

Network architecture and bandwidth limits

Ideally, each network segment of agents with limited bandwidth should have its own relay group with at least 2 relays.

Low bandwidth Internet/WAN connections, routers, firewalls, VPNs, VPCs, or proxy devices (which can all define a network segment) can be bottlenecks when large traffic volumes travel between the networks. Bottlenecks slow down update redistribution. Agents therefore usually should use local relays inside the same network segment, not relays outside on bottlenecked external networks.

For example, your relay group hierarchy could minimize Internet and internal network bandwidth usage. Only 1 "parent" relay group might use the Internet connection; sub-groups would download from the parent, over their local network connection. Agents would download from their local relay group.

Large scale deployments might have many agents connect to each relay. This requires relays on more powerful, dedicated servers (instead of more relays on shared servers). See Deep Security Agent and Relay sizing.

Air-gapped environments

Most deployments can connect to the Internet. But if your relays cannot connect to the Trend Micro ActiveUpdate server on the Internet because they are on an isolated network (an "air-gapped" deployment), then you must:

  1. Add a separate relay in a demilitarized zone (DMZ) (which can connect to the Internet) to get the security updates.
  2. Copy updates from the DMZ relay to your other, air-gapped relays.

For details, see Configure agents that have no internet access.

Configure the update source

Before you set up relays, you should define the source of updates, and when to bypass the usual relay hierarchy to get updates.

  1. Go to Administration > System Settings > Updates.
  2. Optionally, configure Primary Security Update Source and Secondary Source.

    By default, the primary source is Trend Micro Update Server which is accessed via the Internet. Don't change the setting, unless your support provider has told you to configure Other update source. Alternative update source URLs must include "http://" or "https://".

  3. Usually, agents connect to a relay to get security updates when Deep Security Manager tells them to. But if computers cannot always connect with the manager or relays (such as during scheduled maintenance times) and enough Internet/WAN bandwidth is available, you can select:

    • Allow Agents/Appliances to download security updates directly from Primary Security Update Source if Relays are not accessible
    • Allow Agents/Appliances to download security updates when Deep Security Manager is not accessible

    If you protect laptops and portable computers, they might sometimes be far from support services. To avoid risk of a potentially problematic security update while they travel, deselect these options.

  4. If you require security updates for older agents, select Allow supported 8.0 and 9.0 Agents to be updated. By default, Deep Security Manager does not download updates for Deep Security Agent 9.0 and earlier because most of these agents are no longer supported. For details on which older agents are still supported, see Deep Security LTS life cycle dates.
  5. If you'd like Deep Security Manager to auto-import agent update builds to your local inventory, select Automatically download updates to imported software.

    This setting imports the software to Deep Security Manager but will not automatically update your agent or appliance software. See Upgrade Deep Security Agent for more information.

  6. Usually, relays connect to Deep Security Manager to get software updates to redistribute. But if relays cannot always connect with the manager (such as during scheduled maintenance times, or if an enterprise firewall is between the manager and relays), you can select Allow Relays to download software updates from Trend Micro Download Center when Deep Security Manager is not accessible. Relays will get software updates directly from the Download Center instead.

    Hybrid cloud environments often have some agents and relays in a public cloud, while others (and the manager) are inside your private network. To avoid the risk of opening port numbers on your private network firewall, or manually copying software packages to your relays in the cloud, select this option.

  7. Configure Alternate software update distribution server(s) to replace Deep Security Relays to specify an alternative source for software updates. Security updates will still need to come from a relay. Consider an alternative server if your relay has an elastic IP address, if you plan on configuring your relays to only receive security updates (not software updates), or if you want to host software on a web server for efficiency and availability reasons. Enter https://<IP_or_hostname>:<port>/, replacing <IP_or_hostname>:<port> with one of the following:
    • the private network IP address and port of the relay that has an elastic IP address
    • the web server and port where you plan to host the Deep Security software

Configure relays

After determining where and how many relays you should have, and what update sources they should use, you can:

  1. Create relay groups
  2. Enable relays
  3. Assign agents to a relay group
  4. Connect agents to a relay's private IP address

Create relay groups

Relays must be organized into relay groups. The relay groups themselves can be further organized into hierarchies.

If you installed a co-located relay during the Deep Security Manager installation, then it automatically created a default relay group. But if you need more groups for other locations (see Plan the best number and location of relays), you can create more.

To minimize latency and external/Internet bandwidth usage, create a relay group for each geographic region and/or network segment.

  1. Go to Administration > Updates > Relay Management. A Relay Group Properties pane appears on the right.
  2. Click New Relay Group.
  3. Type a Name for the relay group.
  4. In Update Source, select either Primary Security Update Source or, if this will be a sub-group (child), the name of the parent relay group.

    The Default Relay Group is not included in the list of update sources, and therefore cannot be configured as a parent.

    Select the update source with the best cost and speed. Even if a relay group is part of a hierarchy, sometimes it might be cheaper and faster to download updates from the Primary Security Update Source instead — not the parent relay group.

  5. If this relay group must use a proxy when connecting to the Primary Security Update Source, select the Update Source Proxy. For details, see Connect to the 'primary security update source' via proxy.

    Unlike other relay groups, "Default Relay Group" uses the same proxy as Deep Security Manager, and cannot be configured.

    If this relay group usually connects to a parent relay group, then the sub-group won't use the proxy unless the parent relay group is unavailable and it is configured to fall back to using the "Primary Security Update Source".

  6. Under Update Content, select either Security and software updates or Security updates only. If you select Security updates only, you must configure an alternative software update source. For details, see Configure the update source.
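The planning and grouping rules above (at least 2 relays per group, agents using relays in their own region or segment, the Default Relay Group not usable as a parent, and "Security updates only" requiring an alternative software source) can be checked against a plan before anything is created in the console. The following Python check is an added example, not Trend Micro code; the dictionary layout, site labels, group names and sample data are assumptions made for illustration, and it does not talk to Deep Security Manager.

```python
DEFAULT_GROUP = "Default Relay Group"
PRIMARY = "Primary Security Update Source"

def lint_relay_plan(groups, agents, alt_software_source=None):
    """groups: {name: {"site", "relays", "source", "content"}} (assumed layout).
    agents: [(hostname, site, group_name)]. Returns a list of findings."""
    findings = []
    for name, g in groups.items():
        if len(g["relays"]) < 2:
            findings.append(f"{name}: fewer than 2 relays (no redundancy)")
        if g["source"] == DEFAULT_GROUP:
            findings.append(f"{name}: Default Relay Group cannot be a parent")
        elif g["source"] != PRIMARY and g["source"] not in groups:
            findings.append(f"{name}: unknown parent '{g['source']}'")
        if g["content"] == "security-only" and not alt_software_source:
            findings.append(f"{name}: security updates only, no alternate software source")
        # Walk up the hierarchy; meeting a group twice means the chain
        # never reaches the primary source.
        seen, cur = {name}, g["source"]
        while cur in groups:
            if cur in seen:
                findings.append(f"{name}: parent chain loops at {cur}")
                break
            seen.add(cur)
            cur = groups[cur]["source"]
    for host, site, group in agents:
        if group not in groups:
            findings.append(f"{host}: assigned to unknown group '{group}'")
        elif groups[group]["site"] != site:
            findings.append(f"{host}: in {site} but uses relays in {groups[group]['site']}")
    return findings

# Constructed sample plan: one healthy parent group and three deliberate mistakes.
SAMPLE_GROUPS = {
    "EU-Parent": {"site": "eu-west", "relays": ["r1", "r2"],
                  "source": PRIMARY, "content": "security-and-software"},
    "EU-Branch": {"site": "eu-branch", "relays": ["r3"],
                  "source": "EU-Parent", "content": "security-only"},
    "US": {"site": "us-east", "relays": ["r4", "r5"],
           "source": DEFAULT_GROUP, "content": "security-and-software"},
}
SAMPLE_AGENTS = [("web01", "eu-west", "EU-Parent"), ("db07", "us-east", "EU-Parent")]

if __name__ == "__main__":
    for finding in lint_relay_plan(SAMPLE_GROUPS, SAMPLE_AGENTS):
        print(finding)
```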

Enable relays

  1. Make sure the relay computer meets the requirements. See Deep Security Agent and Relay sizing and Deep Security Relay requirements.
  2. Make sure you allow inbound and outbound communication to and from the relay on the appropriate port numbers. See Deep Security port numbers.
  3. If the relay must connect through a proxy, see Connect to the 'primary security update source' via proxy.
  4. Deploy an agent on the chosen computer. See Get Deep Security Agent software and Install the agent.
  5. Enable the agent as a relay:
    1. Log in to Deep Security Manager.
    2. Click Administration at the top.
    3. Click Relay Management in the left navigation pane.
    4. Select the relay group into which the relay will be placed. If a relay group does not exist, create one.
    5. Click Add Relay.
    6. In Available Computers, select the agent you just deployed.
    7. Click Enable Relay and Add to Group.

    The agent is enabled as a relay and is displayed with a relay icon.

    To minimize latency and external/Internet bandwidth usage, group together relays that are in the same geographic region and/or network segment.

    You can use the search field to filter the list of computers.

Assign agents to a relay group

You must indicate which relay group each agent should use. Either assign each agent to a relay group manually, or set up an event-based task to assign new agents automatically.

  1. Go to Computers.
  2. Right-click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group that computer should use.

    To minimize latency and external/Internet bandwidth usage, assign agents to relays that are in the same geographic region and/or network segment.

Connect agents to a relay's private IP address

If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.

  1. Go to Administration > System Settings.
  2. In the System Settings area, click the Updates tab.
  3. Under Software Updates, in the window Alternate software update distribution server(s) to replace Deep Security Relays, type:

    https://<IP>:<port>/

    where <IP> is the private network IP address of the relay, and <port> is the relay port number.

  4. Click Add.
  5. Click Save.
If your relay group’s private IP changes, you must manually update this setting. It will not be updated automatically.
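
Because this setting is not updated automatically, it is worth comparing it against the relays' current private addresses on a schedule. The following Python check is an added example, not Trend Micro code; it assumes you export the configured URLs and the relays' current private IPs yourself, and every address, hostname and port in the sample is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# covers documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_alt_update_servers(configured_urls, relay_private_ips):
    """Return {url: problem} for entries agents inside the VPC could not use."""
    current = {ipaddress.ip_address(ip) for ip in relay_private_ips}
    problems = {}
    for url in configured_urls:
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:          # non-numeric or out-of-range port
            port = None
        if parts.scheme != "https" or not parts.hostname or port is None:
            problems[url] = "not in the form https://<IP>:<port>/"
            continue
        try:
            addr = ipaddress.ip_address(parts.hostname)
        except ValueError:
            continue                # a hostname (e.g. a web server): nothing to compare
        if not any(addr in net for net in RFC1918):
            problems[url] = "public address; agents in the VPC need the private IP"
        elif addr not in current:
            problems[url] = "stale: no relay currently has this private IP"
    return problems

# Constructed sample: port 4122 and all addresses are placeholders.
SAMPLE_CONFIGURED = [
    "https://10.0.1.15:4122/",                # matches a current relay
    "https://203.0.113.10:4122/",             # elastic (public) address
    "http://10.0.1.16:4122/",                 # wrong scheme
    "https://10.0.9.9:4122/",                 # relay address that has changed
    "https://updates.example.internal:8443/", # web server hosting the software
]
SAMPLE_RELAY_IPS = ["10.0.1.15", "10.0.1.16"]

if __name__ == "__main__":
    for url, why in check_alt_update_servers(SAMPLE_CONFIGURED, SAMPLE_RELAY_IPS).items():
        print(url, "->", why)
```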