Relay Groups

A Relay is a module within a Deep Security Agent that is responsible for the download and distribution of Security and Software updates. The Manager instructs the Relays to get the latest updates and when new updates are available, and Agents and Appliances are automatically directed to pull their updates from the Relays. The Relay module is available on 64-bit Windows and Linux Agents only. It is turned off by default. To enable the Relay module in an Agent, open the Computer Editor window of a computer running an activated 64-bit Windows or Linux Agent and go to Overview > Actions > Software and click Enable Relay.

A Relay is a module within a Vulnerability Protection Agent that is responsible for the distribution of Software updates. Agents are automatically directed to pull their updates from the Relays. The Relay module is available on 64-bit Windows Agents only. It is turned off by default. To enable the Relay module in an Agent, open the Computer Editor window of a computer running an activated 64-bit Windows Agent and go to Overview > Actions > Software and click Enable Relay.

Relays are organized into Relay Groups. Newly enabled Relays are assigned to the Default Relay Group. Agents/Appliances retrieve updates from the Default Relay Group unless configured otherwise. Trend Micro recommends that Agents on computers in a particular geographic region or office be configured to download updates from a Relay Group in the same region.

A Relay Group may contain as few as a single member Relay. However to improve performance and redundancy, a Relay Group can be configured to contain more than one member Relay. In order to distribute load and fault impact, Relays in a group are not prioritized - each Agent/Appliance assigned to a Relay Group automatically chooses a member Relay at random to connect to. When the Agent/Appliance attempts to download updates, if the initial Relay fails to respond, then the Agent/Appliance randomly selects another member Relay from the Group to update from. Since the list is shuffled by each Agent/Appliance, they each contact the Relays in a different order.

A Relay can obtain security updates from another Relay Group, but not from another Relay (even if they are both part of the same Relay Group). A Relay must obtain updates from another Relay Group further up the hierarchy or another configured security update source.

Note that when a Relay is busy with an update to an Agent/Appliance, it will reject new connections from other Agents/Appliances.

Relay Groups may be arranged in hierarchies to optimize bandwidth and provide further redundancy. Although there must always be at least one Relay Group in your environment that downloads Security Updates from the Trend Micro Update Server, a Relay Group can alternatively download updates from another Relay Group. If all contact with an assigned Relay Group fails, the Agent/Appliance will switch to the parent Relay Group. From then on, the Agent/Appliance will attempt to contact a member Relay from the parent Relay Group to obtain updates.

Relay Groups may be arranged in hierarchies to optimize bandwidth and provide further redundancy. A Relay Group can download updates from another Relay Group. If all contact with an assigned Relay Group fails, the Agent will switch to the parent Relay Group. From then on, the Agent will attempt to contact a member Relay from the parent Relay Group to obtain updates.

Relays always retrieve Updates from the next Group up the Relay Group Hierarchy or from the Trend Micro Update Servers. They never retrieve Updates from other Relays in the same Relay Group.

You can specify whether the Agents/Appliances can download Pattern updates from the Primary Security Update Source if the Relay-enabled Agent is not accessible. To change the settings, go to System Settings > Updates and change the Patterns settings located in the Security Updates area.

Create Relay Groups

  1. After installing and activating your Relays, from Administration > Update > Relay Groups.
  2. Click New, and use the Relay Groups wizard to create and name your Relay Group and to select the Relays that are members of this group.
  3. For the primary Relay Group, in the Download Updates FromSoftware Updates section, select Primary Security Update Source. This setting will download updates from the Update source URL configured in the Relays section on the Administration > System Settings > Updates tab.
  4. Repeat step 2 to create more Relay Groups. To create a hierarchy, in Download Updates FromSoftware Updates, select the source for your new Relay Group to be an existing Relay Group.
Relays not yet configured into any Relay Group are automatically configured as members of the "Default Relay Group".

Newly activated Relays will be automatically notified by the Manager to update their Security Update content.

Assign Agents/Appliances to Relay Groups

  1. From the Computers page, right click the selected Computer and select Actions > Assign Relay Group. Select the Relay Group to use from the drop-down list, or from the Computer Details window, use Download Updates From: to select the Relay Group.
  2. To assign multiple computers, from the Computers page, shift-click or ctrl-click on selected Computers in the list. Select Actions > Assign Relay Group. Select the Relay Group that you want all the selected computers to use from the drop-down list.
    When selecting multiple computers, the action Assign Relay Group will only be available for selection if this action is available for all computers you selected.
  3. To review all the Relay Group assignments, from Administration > System Settings > Updates, click the View Relay Groups... button. For each Relay Group in the list, right-click and select Properties. Go to the Assigned to tab to review the list of Agents/Appliances assigned to this Relay Group. (To quickly change the assignment for an Agent/Appliance, clicking the link on the Assigned to list opens the Computer Details page for that Agent/Appliance, from where you can select another Relay Group assignment).
Agents/Appliances not yet assigned to a specific Relay Group are automatically assigned to the "Default Relay Group".

When Relay Groups are modified, the configuration is automatically updated on computers that are already assigned to them (including child Relay Groups).

You can also create an Event-Based Task which will automatically assign a Relay Group to computers after they have been added to the Manager's Computers page. See Event-Based Tasks for more information.

Updating Anti-Malware Patterns Only

This option is available when your Relay Group contains only pre-9.5 versions of the Deep Security Relay.

In some circumstances, you may wish to only apply Anti-Malware pattern updates, and exclude Anti-Malware engine updates. To do so,

  1. Go to Administration > Updates > Relay Groups.
  2. Double-click on a Relay Group to open its Properties window.
  3. In the Updates area of the Relay Group Properties tab, select Only Update Patterns. Click OK.
Because Relays operate in Groups, this option can only be set on Relays Groups, and not on individual Relays.
If your Relays Groups are organized in a hierarchical structure and one of your Relay Groups has this setting enabled, Relay Groups below it will not receive or distribute Engine updates either, whether or not the setting is checked for that Group.
If you enable this option, the Administration > Updates > Security Updates tab may indicate that some of your computers are "Out-of-Date". This is because the Manager makes an assessment by comparing the state of the updates on a computer with all the updates available for distribution (including pattern updates).

Initiate Security Updates

For a system-wide update, go to Administration > Updates > Security, and click the Check For Updates and Download... button.

To perform Security Updates on specific Agents/Appliances, select the Agent/Appliance from the list of computers on the Computers page, then right-click and select Actions > Download Security Update.

To schedule a regular Check For Security Updates task , go to Administration > Scheduled Tasks, and create a new Scheduled Task of the Check For Security Updates type.

Update Source

Relays in the Relay Group at the top of the Relay Group Hierarchy connect to the Primary Security Update Source. The Primary Update Source is configured in the Deep Security Manager on the Administration > System Settings > Updates tab:

Relay Groups can be configured to download their Security Updates from the Primary Update Source or from another Relay Group. To configure a Relay Group's download source, go to the Administration > Updates > Relays Groups page and open the Properties window of a Relay Group.

Proxies

Each Relay Group (except the Default Relay Group) can be configured to use a separate proxy server to connect to Trend Micro to retrieve Security Updates. The default Relay Group uses the same proxy to connect to the internet as Vulnerability ProtectionDeep Security.

To configure a Relay Group to use a proxy server:

  1. In Vulnerability ProtectionDeep Security Manager, go to Administration > Updates > Relay Groups and double-click a Relay Group to display its Properties window.
  2. On the Proxies tab, select the proxy server from the Primary Security Update Proxy drop-down list.
  3. Click OK.

The list of available proxy servers is maintained on the Administration > System Settings > Proxies tab.