Deploy additional relays

Under most circumstances, the Workload Security-provided relays should be enough; however, there are some circumstances that might require you to install additional ones.

When deploying relays, you must:

  1. Plan the best number and location of relays
  2. Configure the update source
  3. Configure relays
Too many relays on your network will decrease performance — not improve it. A relay requires more system resources than an ordinary agent. Extra relays might be competing for bandwidth, too, instead of minimizing external connections. If required, you can convert a relay back to a normal Deep Security Agent. See Remove relay functionality from an agent.

Plan the best number and location of relays

The optimal number and placement of relays depends on:

Workload Security update diagram

Geographic region and distance

Ideally, each geographic region should have its own relay group with at least 2 relays.

Agents should use local relays in their same geographic region. Long distance and network latency can slow down update redistribution. Downloading from other geographic regions can also increase network bandwidth and/or cloud costs.

Network architecture and bandwidth limits

Ideally, each network segment of agents with limited bandwidth should have its own relay group with at least 2 relays.

Low bandwidth Internet/WAN connections, routers, firewalls, VPNs, VPCs, or proxy devices (which can all define a network segment) can be bottlenecks when large traffic volumes travel between the networks. Bottlenecks slow down update redistribution. Agents therefore usually should use local relays inside the same network segmentnot relays outside on bottlenecked external networks.

For example, your relay group hierarchy could minimize Internet and internal network bandwidth usage. Only 1 "parent" relay group might use the Internet connection; sub-groups would download from the parent, over their local network connection. Agents would download from their local relay group.

Large scale deployments might have many agents connect to each relay. This requires relays on more powerful, dedicated servers (instead of more relays on shared servers). See Deep Security Agent and Relay sizing.

Usage of Application Control shared rulesets through a proxy connection

If you will use shared Application Control rulesets and agents connect through a proxy, you might want to add more relays to handle large rulesets and improve performance. See Deploy Application Control rulesets via relays and Deep Security Agent and Relay sizing.

Configure the update source

Before you set up relays, you should define the source of updates, and when to bypass the usual relay hierarchy to get updates.

  1. Go to Administration > System Settings > Updates.
  2. Optionally, configure Primary Security Update Source and Secondary Source.

    By default, the primary source is Trend Micro Update Server which is accessed via the Internet. Don't change the setting, unless your support provider has told you to configure Other update source. Alternative update source URLs must include "http://" or "https://".

  3. Usually, agents connect to a relay to get security updates when Workload Security tells them to. But if computers cannot always connect with Workload Security or relays (such as during scheduled maintenance times) and enough Internet/WAN bandwidth is available, you can select:

    • Allow Agents/Appliances to download security updates directly from Primary Security Update Source if Relays are not accessible
    • Allow Agents/Appliances to download security updates when Workload Security is not accessible

    If you protect laptops and portable computers, they might sometimes be far from support services. To avoid risk of a potentially problematic security update while they travel, deselect these options.

  4. Usually, Workload Security provides relays. But if you don't want to use them, deselect Use the Primary Tenant Relay Group as my Default Relay Group.

    If this option is deselected, when you click Administration > Updates > Relay Groups, then the relay group name will be "Default Relay Group", not "Primary Tenant Relay Group".

  5. Configure an Alternate software update distribution server(s) to replace Deep Security Relays to specify an alternative source for software updates, noting that security updates will still need to come from a relay. Consider an alternative server if your relay has an elastic IP address, if you plan on configuring your relays to only receive security updates (not software updates), or if you want to host software on a web server for efficiency and availability reasons. Enter https://<IP_or_hostname>:<port>/ replacing <IP_or_hostname>:<port> with one of the following:
    • the private network IP address and port of the relay that has an elastic IP address
    • the web server and port where you plan to host the Deep Security software
    • the address and port of the relays hosted by Workload Security, namely These relays will act as your software update source, while your own relays must act as the security update source.

Configure relays

After determining where and how many relays you should have, and what update sources they should use, you can:

  1. Create relay groups
  2. Enable relays
  3. Assign agents to a relay group
  4. Connect agents to a relay's private IP address

Create relay groups

Relays must be organized into relay groups. The relay groups themselves can be further organized into hierarchies.

Relays for Workload Security are in a relay group named "Primary Tenant Relay Group." To use it, verify that your computers can connect to the listening port number on Workload Security. If you need more relay groups (see Plan the best number and location of relays), you can create more.

To minimize latency and external/Internet bandwidth usage, create a relay group for each geographic region and/or network segment.

  1. Go to Administration > Updates > Relay Management. A Relay Group Properties pane appears on the right.
  2. Click New Relay Group.
  3. Type a Name for the relay group.
  4. In Update Source, select either Primary Security Update Source or, if this will be a sub-group (child), the name of the parent relay group.

    The Default Relay Group is not included in the list of update sources, and therefore cannot be configured as a parent.

    Select the update source with the best cost and speed. Even if a relay group is part of a hierarchy, sometimes it might be cheaper and faster to download updates from the Primary Security Update Source instead — not the parent relay group.

  5. If this relay group must use a proxy when connecting to the Primary Security Update Source, select the Update Source Proxy. For details, see Connect to the 'primary security update source' via proxy.

    Unlike other relay groups, "Default Relay Group" uses the same proxy as Workload Security, and cannot be configured. Workload Security provides relays in the "Primary Tenant Relay Group" which acts as your default relay group. You cannot configure an update source proxy for the relays provided by Workload Security.

    If this relay group usually connects to a parent relay group, then the sub-group won't use the proxy unless the parent relay group is unavailable and it is configured to fall back to using the "Primary Security Update Source".

  6. Under Update Content, select either Security and software updates or Security updates only. If you select Security updates only, you must configure an alternative software update source. For details, see Select the update source.

Enable relays

  1. Make sure the relay computer meets the requirements. See Deep Security Agent and Relay sizing and Deep Security Relay requirements.
  2. Make sure you allow inbound and outbound communication to and from the relay on the appropriate port numbers. See Workload Security port numbers.
  3. If the relay must connect through a proxy, see Connect agents, appliances, and relays to security updates via proxy.
  4. Deploy an agent on the chosen computer. See Get Deep Security Agent software and Install the agent.
  5. Enable the agent as a relay:
    1. Log in to the Workload Security console.
    2. Click Administration at the top.
    3. Click Relay Management in the left navigation pane.
    4. Select the relay group into which the relay will be placed. If a relay group does not exist, create one.
    5. Click Add Relay.
    6. In Available Computers, select the agent you just deployed.
    7. Click Enable Relay and Add to Group.

    The agent is enabled as a relay and is displayed with a relay icon ().

  1. To minimize latency and external/Internet bandwidth usage, group together relays that are in the same geographic region and/or network segment.

    You can use the search field to filter the list of computers.

Assign agents to a relay group

You must indicate which relay group each agent should use. Either assign each agent to a relay group manually, or set up an event-based task to assign new agents automatically.

  1. Go to Computers.
  2. Right-click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group that computer should use.

    To minimize latency and external/Internet bandwidth usage, assign agents to relays that are in the same geographic region and/or network segment.

Connect agents to a relay's private IP address

If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.

  1. Go to Administration > System Settings.
  2. In the System Settings area, click the Updates tab.
  3. Under Software Updates, in the window Alternate software update distribution server(s) to replace Deep Security Relays , type:


    where <IP> is the private network IP address of the relay, and <port> is the relay port number

  4. Click Add.
  5. Click Save.
If your relay group’s private IP changes, you must manually update this setting. It will not be updated automatically.