Skip to main content

Understanding GravityZone architecture

The GravityZone console is just one component of a comprehensive security solution, which uses multiple components to provide you will well-rounded security. The other components are as follows:

GravityZone virtual appliance

GravityZone on-premises solution is delivered as a Linux Ubuntu self-configuring hardened virtual appliance, embedded into a virtual machine image, easy to install and configure through a menu-based interface. The virtual appliance is available in several formats, compatible with the main virtualization platforms (OVA, XVA, VHD, OVF, RAW).

Web console (GravityZone Control Center)

Bitdefender security solutions are managed within GravityZone from a single point of management, Control Center web console, which provides easier management and access to overall security posture, global security threats, and control over all security modules protecting virtual or physical desktops and servers. Powered by a Gravity Architecture, Control Center is capable of addressing the needs of even the largest organizations.

Control Center, a web-based interface, integrates with the existing system management and monitoring systems to make it simple to apply protection to unmanaged workstations and servers.

Security agents

To protect your network with BitdefenderGravityZone, you must install Bitdefender Endpoint Security Tools on Windows, Linux and macOS endpoints, and GravityZone Mobile Client on iOS and Android devices.

Security agent Roles

When deploying the security agent on an endpoint, you can choose to assign it a specific role, to help with the functionality and deployment of specific feature. Currently, you can assign a security agent the following roles:

Power User

Control Center administrators can grant Power User rights to endpoint users via policy settings. The Power User module enables administration rights at user level, allowing the endpoint user to access and modify security settings via a local console. Control Center is being notified when an endpoint is in Power User mode and the Control Center administrator can always overwrite local security settings.


This module is available only for supported Windows desktop and server operating systems.


Endpoint agents using the Bitdefender Endpoint Security Tools Relay role serve as a communication proxy and update servers for other endpoints in the network. Endpoint agents with relay role are especially required in organizations with isolated networks, where all traffic is made through a single access point.

In companies with distributed networks, the relay agents help lowering the bandwidth usage, by preventing protected endpoints and security servers to connect directly to the GravityZone appliance.

Once a Bitdefender Endpoint Security Tools Relay agent is installed in the network, other endpoints can be configured via policy to communicate with the Control Center through the relay agent.

Bitdefender Endpoint Security Tools Relay agents serve for the following purposes:

  • Discovering all unprotected endpoints in the network.

  • Deploying the endpoint agent inside the local network.

  • Updating protected endpoints in the network.

  • Ensuring the communication between Control Center and connected endpoints.

  • Acting as proxy server for protected endpoints.

  • Optimizing the network traffic during updates, deployments, scanning and other resource-consuming tasks.

Patch Caching Server

Endpoints with the Relay role may also act as a Patch Caching Server. With this role enabled, Relays servers store software patches downloaded from the vendor's websites, and distributes them to target endpoints in your network. Whenever a connected endpoint has software with missing patches, it takes them from the server and not from the vendor's website, optimizing the traffic generated and the network bandwidth load.


This additional role is available with a registered Patch Management add-on.

Exchange Protection

Bitdefender Endpoint Security Tools with an Exchange role can be installed on Microsoft Exchange Servers with the purpose of protecting the Exchange users from email-borne threats.

Bitdefender Endpoint Security Tools with an Exchange role protects both the server machine and the Microsoft Exchange solution.

Security Server

The Security Server is a dedicated virtual machine that deduplicates and centralizes most of the antimalware functionality of antimalware agents, acting as a scan server.


Your product license may not include this feature.

There are three Security Server versions, for each type of virtualization environments:

  • Security Server for VMware NSX. This version automatically installs on each host in the cluster where the Bitdefender has been deployed.

  • Security Server Multi-Platform. This version is for various other virtualized environments and it must be installed on one or more hosts so as to accommodate the number of protected virtual machines.

The Security Server must be installed on one or several hosts to accommodate the number of protected virtual machines.