Relays redistribute both software updates and security updates to your agents to help your deployment perform well at scale. (Alternatively, software updates — but not security updates — can be distributed by a local mirror web server.) Relays can:
  • Reduce WAN bandwidth costs by reducing external update traffic
  • Speed up update distribution in large scale deployments
  • Provide update distribution redundancy
Update sources are different for relays and agents, depending on their parent relay group and the type of update.
Deep Security update diagram
Agents get a randomly ordered list of relays for their assigned relay group. When an agent needs to download an update, they try the first relay. If there's no response, the agent tries the next in the list until it can successfully download the update. Because the list is random for each agent, this distributes update load evenly across relays in a group.
Note
Note
If relays/agents can't connect to their the manager/relay, they will use their fallback update sources. For best performance, network connectivity between Deep Security components should be reliable.
Unlike other rule updates, Application Control rules are not downloaded from Trend Micro. However relays can similarly redistribute shared (not local) Application Control rulesets. See Deploy application control rulesets via relays.

Relay hierarchy, cost, and performance

Relay groups can be organized in a hierarchy: one or more first-level ("parent") relay groups download updates directly from the manager and Primary Security Update Source (usually via their Internet/WAN connection), and then second-level ("child") relay groups download updates indirectly via the first-level group, and so on. If you put a child relay on each local network, then agent updates usually use the local network connection — not remote connections to the Internet. This saves external connection bandwidth (a typical performance bottleneck) and makes updates faster, especially for large deployments with many networks or data centers.
Performance and bandwidth usage can be affected by relay group hierarchy. Hierarchy can specify:
  • Update order — Child relay sub-groups download from their parent group, which must finish its own download first. So a chain of sub-groups can be useful if you want a delay, so that all updates aren't at the exact same time.
  • Cost — If large distances or regions are between your parent and child relay groups, it might be cheaper for them to download directly instead of via parent relay groups.
  • Speed — If many or low-bandwidth subnets are between your parent and child relay groups, it might be faster for them to download directly or via a grandparent instead of via parent relay groups. However if too many relays do this, it will consume external connection bandwidth and eventually decrease speed.
Hierarchies are set up during relay group creation. For details, see Create more relay groups.