This article describes the Edge Relay for Apex One, and the changes made from the version in OfficeScan XG.
- Apex One requires Edge Relay be upgraded to the new version.
- The new version of Edge Relay is NOT backwards compatible. If older XG servers will remain, they will need a second Edge Relay to support both versions.
- In-place upgrade for Edge Relay is supported. Copy the \PCCSRV\Admin\Utility\EdgeServer folder to the Edge Relay server and run setup.exe to upgrade.
- Changes to a Reverse Proxy method using IIS rewrite modules.
- Apex One Server does not connect to the Edge Relay Server. All communication is traffic forwarding based on ReWrite rules from Edge Relay-to-Apex One server.
- No longer requires a database – Edge Relay forwards all traffic to the relevant Apex One Server.
- On upgrade, it will no longer use the SQL database from the previous version.
- Edge Relay now supports:
- Uploading of detection logs
- Sample Submissions
- Configuration
- Hot fix or patch upgrades
Engine and pattern updates will be retrieved from AU servers. - Still supports multiple Apex One servers, but registration is command line from the Edge Relay Server.
- No Trend Micro running services on the machine for the Edge Relay.
- Determines on-premise/off-premise on IP Change.
- The Off-Premise endpoint report backs up logs, submits samples, and updates the Suspicious Object (SO) List to the Edge server. The port information is shown below:
Web Server and Settings HTTPS Listen Port Direction External (Agent to Edge) 443 (configurable) Inbound Internal (Edge server to Apex One server) 4343 (default) Inbound Refer to this article for more information about the ports and protocols used by OfficeScan/Apex One that should be allowed through a firewall or router.
- Server 2012 or later
- .NET Framework 4.6.1
- VC 2017 Update 3 Redistribution (x86 and x64)
- Installer – Path:
- %ProgramFiles%\Trend Micro\Apex One Edge Relay\
- Installer – Website:
- Input or Select certificate for Website
- IP address: Select a binding IP
- Port: web server port ( Default: 443)
- No longer requires to specify two IP Addresses and ports as the Apex One Server will not connect to Edge Relay. Need an external FQDN and IP.
- Fresh Install uses Default Website
- Upgrade – Keeps OfficeScanEdge site
- Website Certificate
- LOCAL_MACHINE\Web Hosting
- Can be replaced with customer’s own CA provided certificate
- LOCAL_MACHINE\Web Hosting
- Client Certificate
-
- LOCAL_MACHINE\OfcEdge
- Subject: OsceOPA
- Issuer: Must be in the Trusted Root CA
-
- Agent cannot updated certificate while off-premise. Must be on intranet and able to connect to the Apex One server to update.
- <EdgeRelay Dir>\OfcEdgeSrv\Private\OfcEdge.ini
- OPA – The password to protect OsceOPA.pfx
- OPAThumprint – The checksum of the OsceOPA certificate in the certificate store
| Register |
Register Edge Relay Service to Apex One server: ofcedgecfg.exe --cmd reg --server <server address> --port <port> --pwd <root password> |
| Unregister |
Unregister Edge Relay Service to Apex One server: ofcedgecfg.exe --cmd unreg --server <server address> --port <port> --pwd <root password> |
| Renew certificate |
Renew self-signed certificate includes OsceEdgeRoot CA, web host and OsceOPA certificates: ofcedgecfg.exe --cmd renewcert --opacertpwd <OsceOPA certificate password> [--keeprootca] |
| Delete rule |
Delete all IIS rules after unregistering from all Apex One servers: ofcedgecfg.exe --cmd delrule |
Commands:
--cmd reg Register to an Apex One server
--cmd unreg Unregister from an Apex One server
Parameters:
--server <VALUE> Apex One server IP address
--port <VALUE> Apex One server port number
--pwd <VALUE> Apex One server 'root' account password
Example:
ofcedgecfg.exe --cmd reg --server <server address> --port <port> --pwd <root password>
ofcedgecfg.exe --cmd unreg --server <server address> --port <port> --pwd <root password>
For information applicable to off-premise agents, refer to Information sent to Edge Relay Server from off-premise agents in OfficeScan.
