Table of contents
Topics on this page
Plan the number and location of relays
Create relay groups
Enable relays
Assign agents to a relay group
Connect agents to a relay's private IP address

Deploy more relays

If you need to deploy more relays, you must:

  1. Plan the best number and location of relays
  2. Create relay groups
  3. Enable relays
  4. Assign agents to a relay group
  5. Connect agents to a relay's private IP address

Plan the number and location of relays

The optimal number and placement of relays depends on the following factors:

  • Geographic region and distance: If you are deploying your own relays, each geographic region should have its own relay group with at least two relays and agents should use relays in their same geographic region. Long distance and network latency can slow down update redistribution. Downloading from other geographic regions can also increase network bandwidth and/or cloud costs.
  • Network architecture and bandwidth limits: If you have network segments with limited bandwidth, those segments should each have their own relay group with at least two relays. Low bandwidth Internet or WAN connections, routers, firewalls, VPNs, VPCs, or proxy devices (which can all define a network segment) can be bottlenecks when large traffic volumes travel between the networks. Bottlenecks slow down update redistribution. Agents therefore usually should use local relays inside the same network segment, as opposed to relays outside on bottlenecked external networks.
  • Use of Application Control shared rulesets through a proxy connection: If you will use shared Application Control rulesets and agents connect through a proxy, you might want to add more relays to handle large rulesets and improve performance. See Deploy Application Control rulesets via relays and Deep Security Agent and Relay sizing.

Create relay groups

Relays must be organized into relay groups. The default, relays provided by the Workload Security service are in a relay group named Primary Tenant Relay Group. If you want to add your own relays, add a new relay group:

  1. Go to Administration > Updates > Relay Management.
  2. Select New Relay Group.
  3. In the Relay Group Properties in the right pane, type a Name for the relay group.
  4. Leave the Update Source and Update Source Proxy settings as-is.
  5. Under Update Content, select either Security and software updates or Security updates only. If you select Security updates only, you must configure an alternative software update source. For details, see Configure the update source.

To minimize latency and external or Internet bandwidth usage, create groups for each geographic region and network segment.

Enable relays

  1. Make sure the relay computer meets the requirements. See Agent and relay sizing and Relay requirements.

  2. Make sure you allow inbound and outbound communication to and from the relay on the appropriate port numbers. See Workload Security port numbers.

  3. Deploy an agent on the chosen computer. See Get Deep Security Agent software and Install the agent.

  4. Enable the agent as a relay:

    1. Go to Administration > Updates > Relay Management.

    2. Select the relay group into which to place the relay.

      If you are using Linux, create a user nobody and a relay group nogroup.

    3. Click Add Relay.

    4. In Available Computers, select the agent you just deployed.

      Use the search field to filter the list of computers.

  5. Click Enable Relay and Add to Group.

The agent is enabled as a relay and is displayed with a relay icon (relay icon).

Assign agents to a relay group

You must indicate which relay group each agent should use. Either assign each agent to a relay group manually, or set up an event-based task to assign new agents automatically.

To manually assign a computer to a relay group:

  1. Go to Computers.

  2. Right-click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group that computer should use.

    To minimize latency and external or Internet bandwidth usage, assign agents to relays that are in the same geographic region and network segment.

Connect agents to a relay's private IP address

If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.

  1. Go to Administration > System Settings > Updates.

  2. Under Software Updates, in Alternate software update distribution server(s) to replace Deep Security Relays, type:

    https://<IP>:<port>/

    where <IP> is the private network IP address of the relay, and <port> is the relay port number

  3. Select Add.

  4. Select Save.

If your relay group’s private IP changes, you must manually update this setting. It cannot be updated automatically.