Table of contents

Deploy additional relays

Under most circumstances, the default Workload Security-provided relays should be enough; however, there are some circumstances that might require you to install additional ones. For details about when to install your own relays, see How relays work.

When deploying relays, you must:

  1. Plan the best number and location of relays
  2. Create relay groups
  3. Enable relays
  4. Assign agents to a relay group
  5. Connect agents to a relay's private IP address

Plan the best number and location of relays

The optimal number and placement of relays depends on:

  • Geographic region and distance: If you're deploying your own relays, each geographic region should have its own relay group with at least 2 relays and agents should use relays in their same geographic region. Long distance and network latency can slow down update redistribution. Downloading from other geographic regions can also increase network bandwidth and/or cloud costs.
  • Network architecture and bandwidth limits: If you have network segments with limited bandwidth, those segments should each have their own relay group with at least 2 relays. Low bandwidth Internet/WAN connections, routers, firewalls, VPNs, VPCs, or proxy devices (which can all define a network segment) can be bottlenecks when large traffic volumes travel between the networks. Bottlenecks slow down update redistribution. Agents therefore usually should use local relays inside the same network segment — not relays outside on bottlenecked external networks.
  • Use of Application Control shared rulesets through a proxy connection: If you will use shared Application Control rulesets and agents connect through a proxy, you might want to add more relays to handle large rulesets and improve performance. See Deploy Application Control rulesets via relays and Deep Security Agent and Relay sizing.

Create relay groups

Relays must be organized into relay groups. The default relays provided by the Workload Security service are in a relay group named "Primary Tenant Relay Group". If you want to add your own relays, add a new relay group.

  1. Go to Administration > Updates > Relay Management.
  2. Select New Relay Group.
  3. In the Relay Group Properties in the right pane, type a Name for the relay group.
  4. Leave the Update Source and Update Source Proxy settings as-is.
  5. Under Update Content, select either Security and software updates or Security updates only. If you select Security updates only, you must configure an alternative software update source. For details, see Configure the update source.

To minimize latency and external/Internet bandwidth usage, create groups for each geographic region and/or network segment.

Enable relays

  1. Make sure the relay computer meets the requirements. See Agent and relay sizing and Relay requirements.
  2. Make sure you allow inbound and outbound communication to and from the relay on the appropriate port numbers. See Workload Security port numbers.
  3. Deploy an agent on the chosen computer. See Get Deep Security Agent software and Install the agent.
  4. Enable the agent as a relay:

    1. Go to Administration > Updates > Relay Management.
    2. Select the relay group into which the relay will be placed.
    3. Select Add Relay.
    4. In Available Computers, select the agent you just deployed.

      Use the search field to filter the list of computers.

    5. Select Enable Relay and Add to Group. The agent is enabled as a relay and is displayed with a relay icon (relay icon).

Assign agents to a relay group

You must indicate which relay group each agent should use. Either assign each agent to a relay group manually, or set up an event-based task to assign new agents automatically.

To manually assign a computer to a relay group:

  1. Go to Computers.
  2. Right-click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group that computer should use.

    To minimize latency and external/Internet bandwidth usage, assign agents to relays that are in the same geographic region and/or network segment.

Connect agents to a relay's private IP address

If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.

  1. Go to Administration > System Settings > Updates.
  2. Under Software Updates, in Alternate software update distribution server(s) to replace Deep Security Relays, type:

    https://<IP>:<port>/

    where <IP> is the private network IP address of the relay, and <port> is the relay port number

  3. Select Add.

  4. Select Save.

If your relay group’s private IP changes, you must manually update this setting. It will not be updated automatically.