Managed Load Balancing: Setting up Management Server Lists based on locations in Symantec Endpoint Protection Manager.
|Article:TECH104582|||||Created: 2008-01-03|||||Updated: 2012-01-24|||||Article URL http://www.symantec.com/docs/TECH104582|
Management Server Lists are primarily used for failover scenarios, where Symantec Endpoint Protection Manager (SEPM) servers are assigned a priority so that if the primary SEPM goes down, the clients know to contact a secondary SEPM. When the preferred SEPM comes back online, the clients will move back to it since it has a higher priority. However, when configured in conjunction with Location Awareness, "managed" load balancing of Symantec Endpoint Protection (SEP) clients can be achieved. In other words, one can control which SEPM a client connects to based on the client's proximity to the nearest SEPM server.
The reason this is considered "managed" load balancing is because the control over where the clients report is based on configured polices rather than allowing SEPM to automatically load balance based on numbers of clients. By default, multiple SEPMs will balance all of the clients between themselves.
This configuration allows for more control over where the clients report.
The following procedure first describes how to set up Location Awareness and Management Server Lists. Then, once those are set up, it explains how to assign a Management Server List to a specific Location.
This procedure involves 3 general tasks:
- Setting up Location Awareness.
- Creating a Management Server List.
- Linking the Management Server List to the location.
Setting up Location Awareness.
- In the SEPM (SEPM) console, click Clients.
- On the "Clients" page, under "View Clients", expand My Company.
- Select the group for which you want to implement Location Awareness.
Note: You can only modify location independent settings for those groups that have not inherited their policies and setting from a parent group.
- Uncheck "Inherit policies and settings from parent group" to enable Location Awareness functionality.
- On the "Clients" page, click the Policies tab.
- On the "Policies" tab, in the "Location-independent Policies and Settings" area, click General Settings.
- On the "General Settings" tab, in the Location Awareness section, check Enable Location Awareness (default).
Note: By default, "Remember the last location" is enabled. Clients will assume their last active location before checking to see if they are in a new location when this option is enabled.
- To force the client to verify its location first, uncheck the option, Remember the last location.
- In the SEPM console, click Clients.
- On the "Clients" page, under "View Clients", click the group for which you want to add one or more locations, such as Office, Home, or Hotel.
- On the "Clients" page, click Policies.
- Verify that "Inherit policies and settings from parent group for
" <My Company>"is not checked.
- On the "Client" page, under "Tasks", click Manage Locations.
- In the "Manage Locations" dialog box, under "Locations", click Add.
- In the "Add Location" dialog, type the name of the new location in the "Name" text box and any information that will help you to identify this location in the "Description" text box, then click OK.
- On the right, in the "Switch to this location when" box, click Add.
- In the "Specify Location Criteria" box, choose a criteria type and then choose the options for that criteria type, then click OK.
- Above the "Switch to this Location" box, verify that "Enable this location" is checked.
- Examine the "Set this location as the default location in case of conflict" option and decide if this should be enabled for this location.
- Repeat Steps 6 through 11 to add additional locations, and click OK when done.
Defining Management Server Lists
- In the SEPM console, click Policies.
- On the "Policies" page, under "View Policies", click Policy Components and choose Management Server Lists.
- On the "Policies" page, under "Tasks", click Add a Management Server List.
- Type the name of the management server list that you want to add in the "Name" text box and add any information that will help you to identify this location in the "Description" text box.
- Select the type of protocol that you want to use for communication between the clients, optional Enforcers, and the Symantec Endpoint Protection Managers:
- Use HTTP protocol
- The default setting is Use HTTP protocol
- Use HTTPS protocol
- Use this option if you want SEPMs to communicate by using HTTPS and if the server is running Secure Sockets Layer (SSL)
- If a verification of a certificate with a trusted third-party certificate authority is required, check Verify certificate when using HTTPS protocol.
- Use HTTP protocol
- In the "Management Servers" dialog, click Add and select New Server.
- In the "Add Management Server" dialog, enter the IP address or name of a management server.
- If using a custom HTTP or HTTPS port, check the appropriate box and enter the custom port number.
- Click OK and the server is added under the Priority 1 tree.
- Repeat steps 6 through 9 to add additional servers.
- In the "Management Servers" dialog, click Add and select New Priority. A new priority is created. Repeat this step to add additional Priorities.
- Assign the servers to priorities by clicking the server name and clicking Move Up or Move Down.
- In the "Add Management Server" dialog, click OK.
- In the Management Server Lists dialog, click OK.
Repeat these steps to add additional lists with different servers, or with the same servers with different priorities.
Linking Locations with Server Lists
- In the SEPM console, click Clients.
- On the "Clients" page, under "View", expand My Company.
- Select the group where Location Awareness was enabled.
- On the right, under "Location Specific Policies and Settings" each location is displayed with a list of policies that apply to that location.
- Click the plus "+" symbol next to Location Specific Settings to expand that section.
- Listed there is "Client User Interface Control Settings" and "Communications Settings". To the right of each of those is "Tasks".
- Click Tasks to the right of "Communications Settings"
- Click "Use Group Communications Settings" to deselect the option. Click "Tasks" again to verify it is now unchecked.
- Disabling this setting is what allows the assignment of individual Management Server Lists to Locations.
- Click Tasks again and choose Edit Settings.
- In the Management Server List section, use the drop down box to select the Management Server List to be assigned to this location.
- Configure other options relative to this location if desired.
- Click Ok.
"About load balancing and roaming in Symantec Endpoint Protection 11.0." at:
"Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control" at:
- Managing a group's locations
- Setting up connections between management servers and clients or optional enforcers
About management servers, failover, and load balancing
- Adding a management server list
"Symantec Endpoint Protection Installation Guide" at:
- Installing and configuring Symantec Endpoint Protection Manager for replication at: http://www.symantec.com/business/support/index?page=content&id=HOWTO26796
Article URL http://www.symantec.com/docs/TECH104582