Relays redistribute both software updates and security updates to your agents to help your
deployment perform well at scale. (Alternatively, software updates — but not security
updates — can be distributed by a local mirror web server.) Relays can:
-
Reduce WAN bandwidth costs by reducing external update traffic
-
Speed up update distribution in large scale deployments
-
Provide update distribution redundancy
Update sources are different for relays and agents, depending on their parent relay
group and the type of update.

Agents get a randomly ordered list of relays for their assigned relay group. When
an agent needs to download an update, they try the first relay. If there's no response,
the agent tries the next in the list until it can successfully download the update.
Because the list is random for each agent, this distributes update load evenly across
relays in a group.
![]() |
NoteIf relays/agents can't connect to their the manager/relay, they will use their fallback update sources. For best performance, network connectivity between Deep Security components should
be reliable.
|
Unlike other rule updates, Application Control rules are not downloaded from Trend
Micro.
However relays can similarly redistribute shared (not local) Application Control rulesets.
See
Deploy application control rulesets via relays.
Relay hierarchy, cost, and performance
Relay groups can be organized in a hierarchy: one or more first-level ("parent") relay
groups download updates directly from the manager and Primary Security Update Source (usually via their Internet/WAN connection), and
then second-level ("child") relay groups download updates indirectly via the first-level
group, and so on. If you put a child relay on each local network, then agent updates
usually
use the local network connection — not remote connections to the Internet. This saves
external connection bandwidth (a typical performance bottleneck) and makes updates
faster,
especially for large deployments with many networks or data centers.
Performance and bandwidth usage can be affected by relay group hierarchy. Hierarchy
can specify:
-
Update order — Child relay sub-groups download from their parent group, which must finish its own download first. So a chain of sub-groups can be useful if you want a delay, so that all updates aren't at the exact same time.
-
Cost — If large distances or regions are between your parent and child relay groups, it might be cheaper for them to download directly instead of via parent relay groups.
-
Speed — If many or low-bandwidth subnets are between your parent and child relay groups, it might be faster for them to download directly or via a grandparent instead of via parent relay groups. However if too many relays do this, it will consume external connection bandwidth and eventually decrease speed.
Hierarchies are set up during relay group creation. For details, see Create more relay groups.