About relays

A relay is an agent that is configured to redistribute software and security updates to other agents. Relays help your deployment perform well as it grows and scales.

Default relays are available inside Workload Security. Agents should be able to use them if they can connect to Workload Security. You might need more relays for performance or cost reasons.

Alternatively, software updates (but not security updates) can be distributed by a local mirror web server.

Relays are organized into relay groups. The relays provided by Workload Security are in a relay group named Primary Tenant Relay Group. If you decide to deploy your own relays, you need to create at least one more relay group.

Agents receive a randomly ordered list of relays for their assigned relay group. When an agent needs to download an update, it tries the first relay. If there is no response, the agent tries the next in the list until it can successfully download the update. Because the list is random for each agent, this distributes load evenly across relays in a group.
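The selection behavior described above can be modeled as follows. This is an added example, not Trend Micro's agent code; the relay names, the function names and the reachability check are assumptions made for illustration. It shows that per-agent shuffling spreads downloads evenly, and that when one relay stops responding its share is absorbed evenly by the remaining relays.

```python
import random
from collections import Counter


def assign_relay_list(relays, rng):
    """Return a per-agent, randomly ordered copy of the relay group's list."""
    order = list(relays)
    rng.shuffle(order)
    return order


def download_update(relay_order, is_reachable):
    """Try relays in list order; return the first that responds, or None."""
    for relay in relay_order:
        if is_reachable(relay):
            return relay
    return None  # no relay in the group answered


def simulate(relays, down, agent_count, seed=1):
    """Count which relay serves each agent when the relays in `down` do not respond."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    served = Counter()
    for _ in range(agent_count):
        order = assign_relay_list(relays, rng)
        relay = download_update(order, lambda r: r not in down)
        served[relay] += 1
    return served


if __name__ == "__main__":
    group = ["relay-a", "relay-b", "relay-c", "relay-d"]  # constructed names
    print("all healthy:  ", dict(simulate(group, set(), 10000)))
    print("relay-b down: ", dict(simulate(group, {"relay-b"}, 10000)))
    print("all down:     ", dict(simulate(group, set(group), 100)))
```

In the last case every agent exhausts its list and gets no update, which is the situation the Secondary Source fallback option described later on this page is meant to address.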

The following diagram depicts the distribution of updates.

Diagram of relay architecture

Major improvements to self-deployed relays were introduced with the Deep Security Agent version 20.0.0-3445. Earlier versions of the relay downloaded every supported agent software package (all versions, all platforms) from Workload Security, as well as every security update from their primary security update source. This took approximately 400 GB of disk space, and downloads could take several hours to complete. The new relay is a reverse proxy that downloads and caches only the agent software packages and security updates that agents request, rather than downloading all released updates. The new relay also downloads both the agent software packages and the security updates directly from Workload Security relays.

When you deploy a new relay or upgrade an existing relay to version 20.0.0-3445 or later, you get the improved relay functionality and, if upgrading, should notice an immediate decrease in the required disk space.

Consider the following when using relays:

  • New relays for Deep Security Agent version 20.0.0-3771 or earlier cannot connect to Workload Security relays via proxy. This support was added in the agent version 20.0.0-3964.
  • To avoid known issues related to the upgrade, consider deploying the agent version 20.0.1-12510 or later.
  • The Secondary Source setting (Administration > System Settings > Updates > Security Updates > Secondary Source) includes a new option: Allow Agents/Appliances to download security and software updates from Primary Tenant Relay Group if user-deployed Relays are not accessible. This option is disabled by default, so it does not affect any existing settings. When it is enabled, agents and appliances can download security and software updates from the Primary Tenant Relay Group, which helps resolve issues arising from relays you have deployed.

Deploy your own relays

If you need to reduce bandwidth and costs on your Internet or WAN connection, deploy a relay inside your own network. This reduces how much external traffic occurs when protected computers need to download updates. Deploying your own relays is also useful if you have network segments with limited bandwidth.

For instructions on how to deploy your own relays, see Deploy more relays.