Table of contents
Topics on this page
How relays distribute updates
When to deploy your own relays
Improvements to the relay
Information about older relays

How relays work

A relay is an agent that is configured to redistribute software and security updates to other agents. Relays help your deployment perform well as it grows and scales.

Default relays are available inside Workload Security. Agents should be able to use them if they can connect to Workload Security. You might need more relays for performance or cost reasons.

Alternatively, software updates — but not security updates — can be distributed by a local mirror web server.

How relays distribute updates

This section details relay update functionality for versions earlier than 20.0.0-3445. See also Improvements to the relay.

Diagram of relay architecture

Relays are organized into relay groups. The relays provided by Workload Security are in a relay group named "Primary Tenant Relay Group." If you decide to deploy your own relays, you will need to create at least one more relay group.

Agents get a randomly ordered list of relays for their assigned relay group. When an agent needs to download an update, it tries the first relay. If there's no response, the agent tries the next in the list until it can successfully download the update. Because the list is random for each agent, this distributes load evenly across relays in a group.

When to deploy your own relays

If you need to reduce bandwidth and costs on your Internet or WAN connection, deploy a relay inside your own network. This reduces how much external traffic occurs when protected computers need to download updates. Deploying your own relays is also useful if you have network segments with limited bandwidth.

For instructions on how to deploy your own relays, see Deploy more relays.

Improvements to the relay

The following relay improvements are in preview and only available to specific customers at this time. If you'd like more information about accessing the latest relay improvements, please contact Trend Micro Support.

Major improvements to customer-deployed relays were introduced with agent version 20.0.0-3445. Earlier versions of the relay download every supported agent software package (all versions, all platforms) from Workload Security, and every security update from their primary security update source. This takes approximately 400 GB of disk space and downloads can take several hours to complete. The new relay is a reverse proxy which only downloads and caches agent software packages and security updates that are requested by agents, rather than downloading all released updates. Also, the new relay downloads both agent software packages and security updates directly from Workload Security relays.

When you deploy a new relay or upgrade an existing relay to version 20.0.0-3445+ and you have opted into the relay improvements preview (see note above), you will get the new and improved relay functionality and, if upgrading, will notice an immediate decrease in the amount of disk space required. There are some key differences to be aware of with the new relay functionality:

  • New relays can’t be arranged in a hierarchy. If you have older relays arranged in a hierarchy and upgrade them to agent version 20.0.0-3445+, those relays will each get their updates directly from the relays provided by the Workload Security service.
  • New relays for agent version 20.0.0-3771 and earlier cannot connect to Workload Security relays via proxy. This support is added in version 20.0.0-3964.

Information about older relays

This section applies only to older relays whose agent version is earlier than 20.0.0-3964.

Relay groups for older agents can be organized in a hierarchy: one or more first-level ("parent") relay groups download updates directly from Workload Security and the Primary Security Update Source (usually via their Internet/WAN connection), and then second-level ("child") relay groups download updates indirectly via the first-level group, and so on. If you put a child relay on each local network, then agent updates usually use the local network connection — not remote connections to the Internet. This saves external connection bandwidth (a typical performance bottleneck) and makes updates faster, especially for large deployments with many networks or data centers.

Performance and bandwidth usage can be affected by relay group hierarchy. Hierarchy can specify:

  • Update order — Child relay sub-groups download from their parent group, which must finish its own download first. So a chain of sub-groups can be useful if you want a delay, so that all updates aren't occurring at the exact same time.
  • Cost — If large distances or regions are between your parent and child relay groups, it might be cheaper for them to download directly instead of via parent relay groups.
  • Speed — If many or low-bandwidth subnets are between your parent and child relay groups, it might be faster for them to download directly or via a grandparent instead of via parent relay groups. However if too many relays do this, it will consume external connection bandwidth and eventually decrease speed.

Your relay group hierarchy could minimize Internet and internal network bandwidth usage. Only one "parent" relay group might use the Internet connection; sub-groups would download from the parent, over their local network connection. Agents would download from their local relay group.

Large scale deployments might have many agents connect to each relay. This requires relays on more powerful, dedicated servers (instead of more relays on shared servers). See Deep Security Agent and Relay sizing.

Hierarchies are set up during relay group creation.