Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Information about the Edge Relay Server for Apex One

    • Updated:
    • 14 Oct 2021
    • Product/Version:
    • Apex One All.All
    • Platform:

This article describes the Edge Relay for Apex One, and the changes made from the version in OfficeScan XG.

  • Apex One requires Edge Relay be upgraded to the new version.
    • The new version of Edge Relay is NOT backwards compatible. If older XG servers will remain, they will need a second Edge Relay to support both versions.
    • In-place upgrade for Edge Relay is supported. Copy the \PCCSRV\Admin\Utility\EdgeServer folder to the Edge Relay server and run setup.exe to upgrade.
  • Changes to a Reverse Proxy method using IIS rewrite modules.
  • Apex One Server does not connect to the Edge Relay Server. All communication is traffic forwarding based on ReWrite rules from Edge Relay-to-Apex One server.
    • No longer requires a database – Edge Relay forwards all traffic to the relevant Apex One Server.
    • On upgrade, it will no longer use the SQL database from the previous version.
  • Edge Relay now supports:
    • Uploading of detection logs
    • Sample Submissions
    • Configuration
    • Hot fix or patch upgrades
    Engine and pattern updates will be retrieved from AU servers.
  • Still supports multiple Apex One servers, but registration is command line from the Edge Relay Server.
  • No Trend Micro running services on the machine for the Edge Relay.
  • Determines on-premise/off-premise on IP Change.
  • The Off-Premise endpoint report backs up logs, submits samples, and updates the Suspicious Object (SO) List to the Edge server. The port information is shown below:
    Web Server and SettingsHTTPS Listen PortDirection
    External (Agent to Edge)443 (configurable)Inbound
    Internal (Edge server to Apex One server)4343 (default)Inbound

    Edge Relay Server Off-Premise management

    Refer to this article for more information about the ports and protocols used by OfficeScan/Apex One that should be allowed through a firewall or router.
  • Server 2012 or later
  • .NET Framework 4.6.1
  • VC 2017 Update 3 Redistribution (x86 and x64)
  • Installer – Path:
    • %ProgramFiles%\Trend Micro\Apex One Edge Relay\
  • Installer – Website:
    • Input or Select certificate for Website
    • IP address: Select a binding IP
    • Port: web server port ( Default: 443)
    • No longer requires to specify two IP Addresses and ports as the Apex One Server will not connect to Edge Relay. Need an external FQDN and IP.
  • Fresh Install uses Default Website
  • Upgrade – Keeps OfficeScanEdge site
  • Website Certificate
    • LOCAL_MACHINE\Web Hosting

      Edge Relay Server

    • Can be replaced with customer’s own CA provided certificate
  • Client Certificate
      • LOCAL_MACHINE\OfcEdge
      • Subject: OsceOPA
      • Issuer: Must be in the Trusted Root CA

    Edge Relay Server

  • Agent cannot updated certificate while off-premise. Must be on intranet and able to connect to the Apex One server to update.
  • <EdgeRelay Dir>\OfcEdgeSrv\Private\OfcEdge.ini
  • OPA – The password to protect OsceOPA.pfx
  • OPAThumprint – The checksum of the OsceOPA certificate in the certificate store

Register Edge Relay Service to Apex One server:

ofcedgecfg.exe --cmd reg --server <server address> --port <port> --pwd <root password>


Unregister Edge Relay Service to Apex One server:

ofcedgecfg.exe --cmd unreg --server <server address> --port <port> --pwd <root password>

Renew certificate

Renew self-signed certificate includes OsceEdgeRoot CA, web host and OsceOPA certificates:

ofcedgecfg.exe --cmd renewcert --opacertpwd <OsceOPA certificate password> [--keeprootca]

Delete rule

Delete all IIS rules after unregistering from all Apex One servers:

ofcedgecfg.exe --cmd delrule


--cmd reg Register to an Apex One server
--cmd unreg Unregister from an Apex One server


--server <VALUE> Apex One server IP address
--port <VALUE> Apex One server port number
--pwd <VALUE> Apex One server 'root' account password


ofcedgecfg.exe --cmd reg --server <server address> --port <port> --pwd <root password>
ofcedgecfg.exe --cmd unreg --server <server address> --port <port> --pwd <root password>

For information applicable to off-premise agents, refer to Information sent to Edge Relay Server from off-premise agents in OfficeScan.

Configure; Install
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.