Plan the number and location of relays
The optimal number and placement of relays depends on the following factors:
- Geographic region and distance: If you are deploying your own relays, each geographic region should have its own relay group with at least two relays, and agents should use relays in the same geographic region. Long distance and network latency can slow down update redistribution. Downloading from other geographic regions can also increase network bandwidth and/or cloud costs.
- Network architecture and bandwidth limits: If you have network segments with limited bandwidth, those segments should each have their own relay group with at least two relays. Low-bandwidth Internet or WAN connections, routers, firewalls, VPNs, VPCs, or proxy devices (which can all define a network segment) can be bottlenecks when large traffic volumes travel between the networks. Bottlenecks slow down update redistribution. Agents should therefore usually use local relays inside the same network segment, as opposed to relays outside on bottlenecked external networks.
Create relay groups
Relays must be organized into relay groups. By default, relays provided by the Workload Security service are in a relay group named Primary Tenant Relay Group. If you want to add your own relays, add a new relay group:
- Go to .
- Select New Relay Group.
- In the Relay Group Properties in the right pane, type a Name for the relay group.
- Leave the Update Source Proxy settings as-is.
To minimize latency and external or Internet bandwidth usage, create groups for each geographic region and network segment.
Enable relays
Procedure
- Make sure the relay computer meets the requirements. See Agent and relay sizing and Relay requirements.
- Make sure you allow inbound and outbound communication to and from the relay on the appropriate port numbers. See Workload Security port numbers.
- Deploy an agent on the chosen computer. See Get Deep Security Agent software and Install the agent.
- Enable the agent as a relay:
  - Go to.
  - Select the relay group into which to place the relay. If you are using Linux, create a user nobody and a relay group nogroup.
  - Click Add Relay.
  - In Available Computers, select the agent you just deployed. Use the search field to filter the list of computers.
  - Click Enable Relay and Add to Group.
The agent is enabled as a relay and is displayed with a relay icon.

Assign agents to a relay group
You must indicate which relay group each agent should use. Either assign each agent to a relay group manually, or set up an event-based task to assign new agents automatically.
To manually assign a computer to a relay group:
- Go to Computers.
- Right-click the computer and select . To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select .
- Select the relay group that computer should use.
To minimize latency and external or Internet bandwidth usage, assign agents to relays
that are in the same geographic region and network segment.
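The placement rules above (at least two relays per group, one group per region and network segment, agents assigned to relays in their own region and segment) can be checked against an inventory before you build the groups in the console. This is an added example, not part of the product documentation: the inventory format, host names and group names are constructed, and it reads local data rather than calling any Workload Security API.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts, groups, regions, segments).
RELAYS = [
    {"host": "relay-eu-1", "group": "EU-DC", "region": "eu", "segment": "dc"},
    {"host": "relay-eu-2", "group": "EU-DC", "region": "eu", "segment": "dc"},
    {"host": "relay-us-1", "group": "US-Branch", "region": "us", "segment": "branch"},
]
AGENTS = [
    {"host": "web-eu-1", "group": "EU-DC", "region": "eu", "segment": "dc"},
    {"host": "pos-us-7", "group": "US-Branch", "region": "us", "segment": "branch"},
    {"host": "db-us-2", "group": "EU-DC", "region": "us", "segment": "dc"},
    {"host": "app-ap-3", "group": "AP-DC", "region": "ap", "segment": "dc"},
]

def check_plan(relays, agents):
    """Return a sorted list of findings where the plan breaks the placement rules."""
    findings = []
    members = defaultdict(list)
    for r in relays:
        members[r["group"]].append(r)
    for group, rs in members.items():
        # Rule 1: each relay group has at least two relays.
        if len(rs) < 2:
            findings.append(f"{group}: only {len(rs)} relay(s), need at least 2")
        # Rule 2: one group serves exactly one region and network segment.
        if len({(r["region"], r["segment"]) for r in rs}) > 1:
            findings.append(f"{group}: relays span more than one region/segment")
    for a in agents:
        rs = members.get(a["group"])
        if not rs:
            findings.append(f"{a['host']}: assigned to {a['group']}, which has no relays")
        # Rule 3: the agent's group has a relay in the agent's region and segment.
        elif not any((r["region"], r["segment"]) == (a["region"], a["segment"]) for r in rs):
            findings.append(f"{a['host']}: no relay of {a['group']} in {a['region']}/{a['segment']}")
    return sorted(findings)

if __name__ == "__main__":
    for line in check_plan(RELAYS, AGENTS):
        print(line)
```

Agents that the check flags would pull updates across a region or segment boundary, which is the bottleneck and cost case the planning section describes.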
Connect agents to a relay's private IP address
If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.
- Go to .
- Under Software Updates, in Alternate software update distribution server(s) to replace Deep Security Relays, type
https://<IP>:<port>/
- Select Add.
- Click Save.
If your relay group’s private IP changes, you must manually update this setting. It cannot be updated automatically.