Plan the best number and location of relays
The best number and placement of relays depends on:
- Geographic region and distance: If you're deploying your own relays, each geographic region should have its own relay group with at least 2 relays, and agents should use relays in their own geographic region. Long distance and network latency can slow down update redistribution. Downloading from other geographic regions can also increase network bandwidth and/or cloud costs.
- Network architecture and bandwidth limits: If you have network segments with limited bandwidth, those segments should each have their own relay group with at least 2 relays. Low bandwidth Internet/WAN connections, routers, firewalls, VPNs, VPCs, or proxy devices (which can all define a network segment) can be bottlenecks when large traffic volumes travel between the networks. Bottlenecks slow down update redistribution. Agents therefore usually should use local relays inside the same network segment — not relays outside on bottlenecked external networks.
- Use of Application Control shared rulesets through a proxy connection: If you will use shared Application Control rulesets and agents connect through a proxy, you might want to add more relays to handle large rulesets and improve performance. See Deploy Application Control rulesets via relays and Server & Workload Protection Sizing.
Create relay groups
Relays must be organized into relay groups. The default relays provided by the
Server & Workload Protection service are in a relay group
named "Primary Tenant Relay Group". If you want to add your own relays, add a
new relay group.
Procedure
- Go to .
- Select New Relay Group.
- In the Relay Group Properties in the right pane, type a Name for the relay group.
- Leave the Update Source Proxy settings as-is.
What to do next
Tip
To minimize latency and external/Internet bandwidth usage, create groups for each geographic region and/or network segment.
Enable relays
Procedure
- Make sure the relay computer meets the requirements.
- Make sure you allow inbound and outbound communication to and from the
relay on the appropriate port numbers. See Server & Workload Protection port numbers.
- Deploy an agent on the chosen computer. See Get Deep Security Agent software and Install the agent.
- Enable the agent as a relay:
  - Go to .
  - Select the relay group into which the relay will be placed.
  - Select Add Relay.
  - In Available Computers, select the agent you just deployed.
    Tip
    Use the search field to filter the list of computers.
  - Select Enable Relay and Add to Group. The agent is enabled as a relay and is displayed with a relay icon.
Assign agents to a relay group
You must indicate which relay group each agent should use. Either assign each
agent to a relay group manually, or set up an event-based task to assign new agents automatically.
To manually assign a computer to a relay group:
Procedure
- Go to Computers.
- Right-click the computer and select . To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select .
- Select the relay group that computer should use.
Tip
To minimize latency and external/Internet bandwidth usage, assign agents to relays that are in the same geographic region and/or network segment.
Connect agents to a relay's private IP address
If your relay has an elastic IP address, agents within an AWS VPC may not be able
to reach the relay via that IP address. Instead, they must use the private IP
address of the relay group.
Procedure
- Go to .
- Under Software Updates, in Alternate software update distribution server(s) to replace Deep Security Relays, type:
  https://<IP>:<port>/
- Select Add.
- Select Save.
What to do next
Note
If your relay group's private IP changes, you must manually update this setting. It will not be updated automatically.
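A pre-flight check for the value typed in the procedure above, as an added example that is not part of the original documentation: it verifies that an alternate update source has the form https://<IP>:<port>/ and points at a private address inside the VPC rather than an Elastic IP. The function name, the VPC CIDR, the sample addresses and port 8443 are assumptions; take the real relay port from Server & Workload Protection port numbers.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 private ranges; an Elastic IP is public and falls outside all of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_update_source(url, vpc_cidr):
    """Return a list of problems with an alternate update source URL (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port is None:
        problems.append("no valid explicit port")
    if parts.path != "/" or parts.query or parts.fragment:
        problems.append("URL must be exactly https://<IP>:<port>/")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        problems.append("host is not an IP address literal")
        return problems
    if not any(ip in net for net in RFC1918):
        problems.append(f"{ip} is not a private address")
    elif ip not in ipaddress.ip_network(vpc_cidr):
        problems.append(f"{ip} is outside VPC range {vpc_cidr}")
    return problems

if __name__ == "__main__":
    # Constructed sample values: the VPC CIDR, addresses and port are illustrative only.
    vpc = "10.0.0.0/16"
    for candidate in ("https://10.0.1.25:8443/",       # private, inside the VPC
                      "https://203.0.113.10:8443/",    # public (documentation range)
                      "http://10.0.1.25/",             # wrong scheme, no port
                      "https://10.9.0.4:8443/updates"):  # extra path, other network
        issues = check_update_source(candidate, vpc)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```

Because the setting is not updated automatically, running the same check against the saved value whenever a relay's private IP changes shows when it has gone stale.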