This article describes the Edge Relay for Apex One, and the changes made from the version in OfficeScan XG.
- Apex One requires Edge Relay be upgraded to the new version.
- The new version of Edge Relay is NOT backwards compatible. If older XG servers will remain, they will need a second Edge Relay to support both versions.
- In-place upgrade for Edge Relay is supported. Copy the \PCCSRV\Admin\Utility\EdgeServer folder to the Edge Relay server and run setup.exe to upgrade.
- Changes to a Reverse Proxy method using IIS rewrite modules.
- Apex One Server does not connect to the Edge Relay Server. All communication is traffic forwarding based on ReWrite rules from Edge Relay-to-Apex One server.
- No longer requires a database – Edge Relay forwards all traffic to the relevant Apex One Server.
- On upgrade, it will no longer use the SQL database from the previous version.
- Edge Relay now supports:
- Uploading of detection logs
- Sample Submissions
- Configuration
- Hot fix or patch upgrades
Engine and pattern updates will be retrieved from AU servers. - Still supports multiple Apex One servers, but registration is command line from the Edge Relay Server.
- No Trend Micro running services on the machine for the Edge Relay.
- Determines on-premise/off-premise on IP Change.
- Server 2012 or later
- .NET Framework 4.6.1
- VC 2017 Update 3 Redistribution (x86 and x64)
- Installer – Path:
- %ProgramFiles%\Trend Micro\Apex One Edge Relay\
- Installer – Website:
- Input or Select certificate for Website
- IP address: Select a binding IP
- Port: web server port ( Default: 443)
- No longer requires to specify two IP Addresses and ports as the Apex One Server will not connect to Edge Relay. Need an external FQDN and IP.
- Fresh Install uses Default Website
- Upgrade – Keeps OfficeScanEdge site
- Website Certificate
- LOCAL_MACHINE\Web Hosting
- Can be replaced with customer’s own CA provided certificate
- LOCAL_MACHINE\Web Hosting
- Client Certificate
- LOCAL_MACHINE\OfcEdge
- Subject: OsceOPA
- Issuer: Must be in the Trusted Root CA
- Agent cannot updated certificate while off-premise. Must be on intranet and able to connect to the Apex One server to update.
- <EdgeRelay Dir>\OfcEdgeSrv\Private\OfcEdge.ini
- OPA – The password to protect OsceOPA.pfx
- OPAThumprint – The checksum of the OsceOPA certificate in the certificate store
| Register | Register Edge Relay Service to Apex One server: ofcedgecfg.exe --cmd reg --server <server address> --port <port> --pwd <root password> |
| Unregister | Unregister Edge Relay Service to Apex One server: ofcedgecfg.exe --cmd unreg --server <server address> --port <port> --pwd <root password> |
| Renew certificate | Renew self-signed certificate includes OsceEdgeRoot CA, web host and OsceOPA certificates: ofcedgecfg.exe --cmd renewcert --opacertpwd <OsceOPA certificate password> [--keeprootca] |
| Delete rule | Delete all IIS rules after unregistering from all Apex One servers: ofcedgecfg.exe --cmd delrule |
Commands:
--cmd reg Register to an Apex One server
--cmd unreg Unregister from an Apex One server
Parameters:
--server <VALUE> Apex One server IP address
--port <VALUE> Apex One server port number
--pwd <VALUE> Apex One server 'root' account password
Example:
ofcedgecfg.exe --cmd reg --server <server address> --port <port> --pwd <root password>
ofcedgecfg.exe --cmd unreg --server <server address> --port <port> --pwd <root password>
