Views:

The Apex One Edge Relay Server provides administrators visibility and increased protection of endpoints that users take outside of the company's intranet. By installing the Edge Relay Server in the Demilitarized Zone (DMZ), off-premises Security Agents that cannot establish a direct connection to the Apex One server can still poll the server in order to receive updated policy settings.

The Edge Relay Server supports the following:

  • Detection log upload

  • Sample submission

  • Configuration policy update

  • Hotfix or patch update

    Note:

    The Edge Relay Server downloads updates from the ActiveUpdate server for scan engine and pattern updates.

After configuring the Edge Relay Server, Security Agents receive the settings and automatically begin to connect to the Edge Relay Server once connection to the Apex One server is unavailable.

Apex One applies the following rules and conditions to secure agent-server communication and prevent malicious users from using the Edge Relay Server as an entry point for network infiltration:

  • The Edge Relay Server does not initiate any connections to off-premises Security Agents.

  • Communication between the Edge Relay Server, Apex One server, and Security Agents is encrypted using certificate authentication.

    For more information, see Managing Edge Relay Server Certificates.

  • Off-premises Security Agents communicate with the Edge Relay Server using HTTPS.

  • During Edge Relay Server installation, you specify the public IP address and FQDN of the Edge Relay Server that you want the off-premises Security Agents to connect to.

  • An off-premises Security Agent only sends data to the Edge Relay Server when the following conditions are met:

    • The Security Agent location is "Out of Office"

    • The required certificates for communication with the Edge Relay Server are available on the Security Agent endpoint

    • The required Edge Relay Server information (for example, public IP address and FQDN) is available in the system register on the Security Agent endpoint