Deploy Deep Security Relay
When deploying Deep Security, you should:
Relays are already provided as part of Deep Security as a Service. Don't create more relays unless necessary due to:
- Geographic region and distance
- Network architecture and bandwidth limits
- Usage of Application Control shared rulesets through a proxy connection
- Air-gapped environments
Ideally, each geographic region should have its own relay group with at least 2 relays.
Agents should use local relays in their same geographic region. Long distance and network latency can slow down update redistribution. Downloading from other geographic regions can also increase network bandwidth and/or cloud costs.
Ideally, each network segment of agents with limited bandwidth should have its own relay group with at least 2 relays.
Low bandwidth Internet/WAN connections, routers, firewalls, VPNs, VPCs, or proxy devices (which can all define a network segment) can be bottlenecks when large traffic volumes travel between the networks. Bottlenecks slow down update redistribution. Agents therefore usually should use local relays inside the same network segment — not relays outside on bottlenecked external networks.
For example, your relay group hierarchy could minimize Internet and internal network bandwidth usage. Only 1 "parent" relay group might use the Internet connection; sub-groups would download from the parent, over their local network connection. Agents would download from their local relay group.
Large scale deployments might have many agents connect to each relay. This requires relays on more powerful, dedicated servers (instead of more relays on shared servers). See Deep Security Agent and Relay sizing.
If you will use shared Application Control rulesets and agents connect through a proxy, you might want to add more relays to handle large rulesets and improve performance. See Deploy Application Control rulesets via relays and Deep Security Agent and Relay sizing.
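As an added example (not Trend Micro's code and not part of this page), the following Python audits a planned relay layout against the guidance above: at least two relays per group, agents assigned to a relay group in their own region and network segment, and a note when more than one group downloads from the Internet. The group, relay and agent names are constructed sample data.

```python
# Added example (not Trend Micro's code): audit a planned Deep Security relay layout
# against the guidance above. All group, relay and agent names are constructed.

# Constructed relay groups: region, network segment, update source and member relays.
# source "primary" = Primary Security Update Source (Internet); anything else = parent group.
RELAY_GROUPS = {
    "eu-parent": {"region": "eu", "segment": "eu-dc", "source": "primary",
                  "relays": ["eu-relay-1", "eu-relay-2"]},
    "eu-branch": {"region": "eu", "segment": "eu-branch", "source": "eu-parent",
                  "relays": ["eu-br-relay-1"]},
    "us-parent": {"region": "us", "segment": "us-dc", "source": "primary",
                  "relays": ["us-relay-1", "us-relay-2"]},
}

# Constructed agents: where each one lives and the relay group it was assigned.
AGENTS = [
    {"name": "eu-web-1", "region": "eu", "segment": "eu-dc", "group": "eu-parent"},
    {"name": "eu-pos-7", "region": "eu", "segment": "eu-branch", "group": "eu-branch"},
    {"name": "us-db-3", "region": "us", "segment": "us-dc", "group": "eu-parent"},
]


def audit_relay_plan(groups, agents, min_relays=2):
    """Return (severity, message) findings; an empty list means the plan follows the guidance."""
    findings = []
    for name, g in groups.items():
        # Redundancy: each region/segment group should have at least two relays.
        if len(g["relays"]) < min_relays:
            findings.append(("warn", f"relay group {name} has {len(g['relays'])} relay(s); recommend at least {min_relays}"))
        # Hierarchy integrity: a sub-group must point at a group that exists.
        if g["source"] != "primary" and g["source"] not in groups:
            findings.append(("error", f"relay group {name} has unknown parent {g['source']}"))
    # Bandwidth: ideally one parent group uses the Internet and sub-groups download from it.
    internet = [n for n, grp in groups.items() if grp["source"] == "primary"]
    if len(internet) > 1:
        findings.append(("info", f"{len(internet)} groups download from the primary source: {', '.join(internet)}"))
    for a in agents:
        g = groups.get(a["group"])
        if g is None:
            findings.append(("error", f"agent {a['name']} is assigned to unknown group {a['group']}"))
        elif g["region"] != a["region"]:
            # Cross-region downloads add latency and may add bandwidth or cloud egress cost.
            findings.append(("warn", f"agent {a['name']} in region {a['region']} uses group {a['group']} in region {g['region']}"))
        elif g["segment"] != a["segment"]:
            # Crossing a WAN/VPN/firewall bottleneck to reach a relay slows redistribution.
            findings.append(("warn", f"agent {a['name']} in segment {a['segment']} uses group {a['group']} in segment {g['segment']}"))
    return findings


FINDINGS = audit_relay_plan(RELAY_GROUPS, AGENTS)  # evaluated on the constructed sample
```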
Before you set up relays, you should define the source of updates, and when to bypass the usual relay hierarchy to get updates.
- Go to Administration > System Settings > Updates.
By default, the primary source is Trend Micro Update Server which is accessed via the Internet. Don't change the setting, unless your support provider has told you to configure Other update source. Alternative update source URLs must include "http://" or "https://".
Usually, agents connect to a relay to get security updates when Deep Security Manager tells them to. But if computers cannot always connect with the manager or relays (such as during scheduled maintenance times) and enough Internet/WAN bandwidth is available, you can select:
- Allow Agents/Appliances to download security updates directly from Primary Security Update Source if Relays are not accessible
- Allow Agents/Appliances to download security updates when Deep Security Manager is not accessible
If you protect laptops and portable computers, they might sometimes be far from support services. To avoid risk of a potentially problematic security update while they travel, deselect these options.
- If you require security updates for older agents, select Allow supported 8.0 and 9.0 Agents to be updated. By default, Deep Security Manager does not download updates for Deep Security Agent 9.0 and earlier because most of these agents are no longer supported. For details on which older agents are still supported, see Deep Security LTS life cycle dates.
- If you use multi-tenancy:
  - Usually, a relay will only download and distribute patterns for the region (locale) that Deep Security Manager was installed in. This minimizes disk space usage. But if you have tenants in other regions, select Download Patterns for all Regions.
  - Usually, Deep Security as a Service provides relays. But if you don't want to use them, deselect Use the Primary Tenant Relay Group as my Default Relay Group. If this option is deselected, when you click Administration > Updates > Relay Groups, the relay group name will be "Default Relay Group", not "Primary Tenant Relay Group".
- If you'd like Deep Security Manager to auto-import agent update builds to your local inventory, select Automatically download updates to imported software.
- Usually, relays connect to Deep Security Manager to get software updates to redistribute. But if relays cannot always connect with the manager (such as during scheduled maintenance times, or if an enterprise firewall is between the manager and relays), you can select Allow Relays to download software updates from Trend Micro Download Center when Deep Security Manager is not accessible. Relays will get software updates directly from the Download Center instead.
- Configure an Alternate software update distribution server(s) to replace Deep Security Relays to specify an alternative source for software updates, noting that security updates will still need to come from a relay. Consider an alternative server if your relay has an elastic IP address, if you plan on configuring your relays to only receive security updates (not software updates), or if you want to host software on a web server for efficiency and availability reasons. Enter https://<IP_or_hostname>:<port>/, replacing <IP_or_hostname>:<port> with one of the following:
  - the private network IP address and port of the relay that has an elastic IP address
  - the web server and port where you plan to host the Deep Security software
  - the address and port of the relays hosted by Deep Security as a Service, namely https://relay.deepsecurity.trendmicro.com:443. These relays will act as your software update source, while your own relays must act as the security update source.
This setting imports the software to Deep Security Manager but will not automatically update your agent or appliance software. See Upgrade Deep Security Agent for more information.
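The update-source URL rules above (an explicit http:// or https:// scheme, and the https://<IP_or_hostname>:<port>/ form for alternate software distribution servers) can be checked before anything is typed into the console. The following is an added example, not Trend Micro's code; the internal address and port in the samples are constructed, and the Deep Security as a Service relay address is the one quoted above.

```python
# Added example (not Trend Micro's code): sanity-check update-source URLs before
# entering them in Administration > System Settings > Updates.
from urllib.parse import urlsplit


def check_update_source_url(url, alternate_software_server=False):
    """Return a list of problems with an update-source URL; an empty list means it is acceptable.

    alternate_software_server=True also enforces the https://<IP_or_hostname>:<port>/ form
    used for "Alternate software update distribution server(s) to replace Deep Security Relays".
    """
    problems = []
    parts = urlsplit(url.strip())
    # The manager requires an explicit scheme; anything else is rejected outright.
    if parts.scheme not in ("http", "https"):
        problems.append("URL must include http:// or https://")
        return problems
    if parts.scheme == "http":
        # Plain HTTP lets an on-path device alter or replace the downloaded updates.
        problems.append("plaintext http:// source; prefer https://")
    if not parts.hostname:
        problems.append("missing host name or IP address")
    port_ok = True
    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("port is not a valid TCP port number")
        port_ok, port = False, None
    if alternate_software_server:
        if port_ok and port is None:
            problems.append("explicit :<port> is required (https://<IP_or_hostname>:<port>/)")
        if parts.path != "/":
            problems.append("path must be exactly '/' (https://<IP_or_hostname>:<port>/)")
    return problems


# Constructed sample entries: the Deep Security as a Service relay address quoted on the page,
# a constructed internal relay address reached over plain HTTP, and an entry with no scheme.
# The value is True when the entry is an alternate software update distribution server.
SAMPLES = {
    "https://relay.deepsecurity.trendmicro.com:443/": True,
    "http://10.0.0.5:4122/": True,
    "updates.example.internal/": False,
}
RESULTS = {u: check_update_source_url(u, alt) for u, alt in SAMPLES.items()}
```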
After determining where and how many relays you should have, and what update sources they should use, you can:
- Create more relay groups
- Enable more relays
- Assign agents to a relay group
- Connect agents to a relay's private IP address
Relays must be organized into relay groups in order to use them.
Relays for Deep Security as a Service are in a relay group named "Primary Tenant Relay Group." To use it, verify that your computers can connect to the listening port number on Deep Security as a Service. If you need more relay groups (see Plan the best number and location of relays), you can create more.
To minimize latency and external/Internet bandwidth usage, create a relay group for each geographic region and/or network segment.
- Go to Administration > Updates > Relay Management. A Relay Group Properties pane appears on the right.
- Click New Relay Group.
- Type a Name for the relay group.
- In Update Source, select either Primary Security Update Source or (if this will be a sub-group) Parent relay group.
Select the update source with the best cost and speed. Even if a relay group is part of a hierarchy, sometimes it might be cheaper and faster to download updates from the Primary Security Update Source instead — not the parent relay group.
If this relay group must use a proxy when connecting to the Primary Security Update Source, select the Update Source Proxy. For details, see Connect to the 'primary security update source' via proxy.
Unlike other relay groups, "Default Relay Group" uses the same proxy as Deep Security Manager, and cannot be configured.
Deep Security as a Service provides relays in the "Primary Tenant Relay Group" which acts as your default relay group. You cannot configure an update source proxy for the relays provided by Deep Security as a Service.
If this relay group usually connects to a parent relay group, then the sub-group won't use the proxy unless the parent relay group is unavailable and it is configured to fall back to using the "Primary Security Update Source".
- Under Update Content, select either Security and software updates or Security updates only. If you select Security updates only, you must configure an alternative software update source. For details, see Configure the update source.
Deep Security as a Service provides relays. To use them, verify that your computers can connect to the listening port number on Deep Security as a Service. However if you need more relays in other locations (see Plan the best number and location of relays), you can use some agents as relays.
- If Windows Firewall or iptables is enabled on the relay computer, add a firewall rule that allows incoming connections to the relay's listening port number.
- If relays must connect through a proxy, see Connect to the 'primary security update source' via proxy.
- Go to Administration > Updates > Relay Management.
- Click on a relay group to select it.
- Click Add Relay.
- From Available Agents, select a computer and click Enable Relay and Add to Group.
To minimize latency and external/Internet bandwidth usage, group together relays that are in the same geographic region and/or network segment.
You can use the search field to filter the list of computers.
The computer is added to the relay group, and displays a relay icon. The manager tells the new relay to get security updates.
You must indicate which relay group each agent should use. Either assign each agent to a relay group manually, or set up an event-based task to assign new agents automatically.
- Go to Computers.
- Right-click the computer and select Actions > Assign Relay Group.
To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.
- Select the relay group that computer should use.
To minimize latency and external/Internet bandwidth usage, assign agents to relays that are in the same geographic region and/or network segment.
If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.
- Go to Administration > System Settings.
- In the System Settings area, click the Updates tab.
- Under Software Updates, in Alternate software update distribution server(s) to replace Deep Security Relays, type https://<IP>:<port>/ where:
  - <IP> is the private network IP address of the relay, and
  - <port> is the relay port number
- Click Add.
- Click Save.
You might want to convert a relay back to being an ordinary Deep Security Agent if:
- Too many relays are causing communication delays
- Relays don't meet minimum system requirements to be a Deep Security Relay anymore
Deep Security Relays store data when a virtual machine (VM) protected by a Deep Security Virtual Appliance is being migrated by VMware vMotion. If your deployment uses vMotion, converting a relay back to a normal agent might cause the migrated VM to lose protection, and the virtual appliance to lose security events.
- Go to Administration > Updates > Relay Management.
- Click the arrow next to the relay group whose relay you want to convert back to an agent.
- Click the computer.
- Click Remove Relay.
The agent status will change to "Disabling" and the relay functionality will be removed from the agent.
It can take up to 15 minutes. If the agent is in the "Disabling" state for longer than this, you can deactivate and reactivate the agent to finish removing the relay feature.