About Load Balancing and Failover Clustering in Symantec Endpoint Protection 11.0

Article:TECH104519  |  Created: 2008-01-28  |  Updated: 2010-01-17  |  Article URL http://www.symantec.com/docs/TECH104519
Article Type
Technical Solution

Issue



This document describes how load balancing and failover clustering works in Symantec Endpoint Protection 11.0.


Solution



The Management Server List
Clients and Enforcers must be able to connect to management servers to download security policies and settings. The Symantec Endpoint Protection Manager includes a file that helps manage the traffic between clients, management servers, and Enforcers. This file specifies the management servers to which clients or Enforcers connect. It can also specify the management servers to which clients or Enforcers connect in case the default management server is not available. This file is referred to as a Management Server List.

A Management Server List includes the IP addresses or host names of management servers to which clients and Enforcers can connect. You can customize the Management Server List before you deploy any clients or Enforcers.

When the Symantec Endpoint Protection Manager is installed, it creates a default Management Server List, in order to allow HTTP communication between clients, Enforcers, and management servers. The default Management Server List includes the IP addresses for all of the connected network interface cards (NICs) on all of the management servers at the site.

Although you cannot edit the default Management Server List, you can create a custom Management Server List. A custom Management Server List includes the exact management servers and the correct NICs to which you want clients to connect. In a customized list, you can also specify HTTPS protocol, verify the server certificate, and customize the HTTP or HTTPS port numbers.

The Management Server List can also be used in conjunction with Location Awareness to ensure that clients connect to the most appropriate server for their location. For example, an "Out of Office" location may have a Management Server List that points the clients to connect to a redirected HTTPS port on the enterprise firewall.


Load balancing and failover
Do not set up multiple sites simply to balance the Symantec Endpoint Protection client load. Instead, use the Management Server List to designate failover and load balancing servers. Failover and load balancing between management servers at one site require a Microsoft SQL Server database, because only a SQL Server site can host more than one management server (the Embedded DB case is described below).

Failover servers
Failover configurations are used to maintain communication when clients are unable to communicate with a Symantec Endpoint Protection Manager. When all management servers at a higher priority level become unavailable, clients switch to failover servers, which are defined by their lower priority level in the Management Server List. At every heartbeat, clients check to see whether there is a higher priority server available. If there is, the clients switch to it immediately.

Whenever possible, failover servers should be at the same site as the management servers that they back up. All management servers at the same site share one database, so that data consistency is guaranteed. It is possible to configure management servers that are replication partners as failover servers, but there is a risk of data inconsistency between replication partners because replication does not always take place frequently enough.

Load balancing servers
Load balancing is used to distribute client management between management servers.

Servers in the Management Server List that have the same priority are load balancing servers. When clients connect to the servers, they are distributed between the available servers with the same priority in order to distribute the load evenly. For example, if there are two servers with priority 1, the clients will be distributed between those two servers.

Only servers at the same site should be configured with the same priority level in the Management Server List. If management servers from different sites have the same priority, they are treated as load balancing servers. This causes clients to switch between different sites, and incurs the risk of data inconsistency.

Combining failover and load balancing
You can configure failover and load balancing by assigning priorities to management servers in Management Server Lists. Load balancing occurs between the servers assigned to the highest priority in a Management Server List. Servers with lower priority are failover servers. If more than one server is assigned to Priority 1, each client randomly chooses one of the servers and establishes communication with it. If all Priority 1 servers are unavailable, clients connect with the failover servers that are assigned to Priority 2.

If you use the Embedded DB instead of Microsoft SQL, only one manager can be added to each site. In this case, only replication partners are available to use as failover and load balancing servers. Note that this does incur the risk of data inconsistency.
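The rules above (random choice among the highest-priority reachable servers, failover to the next priority level, and an immediate switch back at the next heartbeat once a higher-priority server is reachable) can be modelled in a few lines. The following Python is an added example, not Symantec code and not part of this article; the host names, site labels and port number are constructed, and the random choice is an assumption taken from the article's wording rather than a description of the client's internal implementation. It also implements the cross-site check from the load balancing section: any priority level whose members belong to more than one site will make clients alternate between sites.

```python
"""Model of how a SEP 11 client walks a Management Server List (MSL).

Added example (not Symantec code): reproduces the rules stated in the article.
Host names, sites and the port number are constructed for illustration.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ManagementServer:
    host: str
    priority: int        # 1 = highest; equal priority => load-balancing peers
    site: str            # SEPM site (servers at one site share a database)
    port: int = 8014     # assumed HTTP port; a custom MSL can change it
    https: bool = False  # a custom MSL can switch the entry to HTTPS


class ManagementServerList:
    def __init__(self, servers):
        self.servers = list(servers)

    def candidates(self, reachable):
        """Servers at the best priority level (lowest number) that has at
        least one reachable member; empty list if nothing is reachable."""
        for prio in sorted({s.priority for s in self.servers}):
            peers = [s for s in self.servers
                     if s.priority == prio and s.host in reachable]
            if peers:
                return peers
        return []

    def cross_site_priorities(self):
        """Priority levels whose members span more than one site. The article
        warns that such servers act as load-balancing peers, so clients bounce
        between sites and risk reading inconsistent replicated data."""
        sites_by_prio = {}
        for s in self.servers:
            sites_by_prio.setdefault(s.priority, set()).add(s.site)
        return sorted(p for p, sites in sites_by_prio.items() if len(sites) > 1)


class Client:
    def __init__(self, msl, rng=None):
        self.msl = msl
        self.current = None
        self.rng = rng or random.Random()

    def heartbeat(self, reachable):
        """One heartbeat: keep the current server only if it is still among
        the best reachable candidates; otherwise pick a new one at random.
        Returns the server now in use, or None if nothing is reachable."""
        peers = self.msl.candidates(reachable)
        if not peers:
            self.current = None
            return None
        if self.current not in peers:
            # current server is down, or a higher-priority level came back
            self.current = self.rng.choice(peers)
        return self.current


def distribute(msl, n_clients, reachable, seed=0):
    """Simulate the first heartbeat of n_clients and count hosts chosen."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_clients):
        server = Client(msl, rng).heartbeat(reachable)
        counts[server.host if server else None] += 1
    return dict(counts)


# Constructed list: two load-balancing managers at site A, one failover
# manager at site B (a replication partner, hence the consistency caveat).
EXAMPLE_MSL = ManagementServerList([
    ManagementServer("sepm-a1.example", priority=1, site="A"),
    ManagementServer("sepm-a2.example", priority=1, site="A"),
    ManagementServer("sepm-b1.example", priority=2, site="B"),
])


if __name__ == "__main__":
    up = {"sepm-a1.example", "sepm-a2.example", "sepm-b1.example"}
    c = Client(EXAMPLE_MSL, random.Random(1))
    print("all up:       ", c.heartbeat(up).host)
    print("site A down:  ", c.heartbeat({"sepm-b1.example"}).host)
    print("a1 back:      ", c.heartbeat({"sepm-a1.example", "sepm-b1.example"}).host)
    print("spread:       ", distribute(EXAMPLE_MSL, 1000, up - {"sepm-b1.example"}))
    print("cross-site:   ", EXAMPLE_MSL.cross_site_priorities())
```

Because a client only re-selects when its current server drops out of the best reachable set, clients already on a Priority 1 server stay there; the random spread is only established on the first connection or after a failover, which is why the simulation counts first heartbeats. Run `cross_site_priorities()` against a list before deploying it: a non-empty result means the same-priority-across-sites situation the article warns about.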

Other options
In addition to the functionality provided by the Management Server List, the following third-party options are available for implementing load balancing or failover clustering:
  • Configure DNS round-robin so that the IP addresses of all of your management servers are returned for the same DNS name, and add that DNS name as the only entry in a custom Management Server List.
  • Use a hardware device that provides failover or load balancing.






Legacy ID



2008032810341548




Terms of use for this information are found in Legal Notices