Administrator's Guide to replicating Symantec Mail Security 4.x for Domino or Symantec AntiVirus/Filtering for Lotus Domino

Article:TECH79702  |  Created: 2002-01-14  |  Updated: 2013-10-22  |  Article URL http://www.symantec.com/docs/TECH79702
Article Type
Technical Solution


Environment

Issue



You are using Symantec Mail Security 4.x for Domino or Symantec AntiVirus/Filtering for Lotus Domino (AV/F Domino). You want to know how to set up replication of the Settings, Definitions, and Log databases.



Solution



This document discusses the following topics:
  • Reasons to replicate the Symantec Mail Security or AV/F Domino databases
  • Preparing to replicate the Symantec Mail Security or AV/F Domino databases
  • Replication of Symantec product Settings and the Symantec product Log when the Symantec product is already installed on replica servers
  • Preparing the AV/F Domino Definitions database for replication
  • Controlling replication through Access Control Lists
  • Controlling replication through Advanced Replication Settings

This document assumes a high level of working knowledge of the Domino platform. You should know how to:
  • Create and edit Connection Documents for the purpose of managing replication.
  • Edit Access Control Lists and Execution Control Lists.
  • Manage applicable user rights on the Security tab of Server Documents.

If you are not familiar with the steps required to perform these actions, you should consult your Lotus Domino server documentation before installation and configuration of Symantec Mail Security 4.x for Domino or Symantec AntiVirus/Filtering for Lotus Domino.

For additional information, see the Symantec AntiVirus/Filtering for Lotus Domino Installation Guide or the online help.

Symantec strongly recommends that you follow the steps outlined in the document Best practices for Symantec products in the Lotus Domino environment - Installation before proceeding.

Reasons to replicate the Symantec Domino product databases
To facilitate enterprise-wide management, the Symantec Domino product databases can be replicated to other servers running the Symantec product.

Replicating from a single Domino server centralizes Symantec settings, virus incidents and statistics, and virus definitions, and maintains current protection for all servers.

The Symantec Domino product settings database is called Sav.nsf. The Symantec Domino product log database is called Savlog.nsf. The Symantec Domino product definitions database is called Savdefs.nsf.

The Symantec Domino product Quarantine database is called Savquar.nsf. Replication of this database is not recommended. However, if you need to centralize all quarantined documents, it is possible to replicate the Savquar.nsf using the same settings as the Savlog.nsf.

Preparing to replicate the Symantec Domino product databases


Note: This section assumes that none of your current Connection documents are configured to replicate everything in the Data directory. If any of your Connection documents do not specify which databases or directories are replicated, skip to Section 5 or Section 6.


Symantec Domino product Settings and Domino Log
Preparation to replicate the Symantec Domino product settings and log databases should be done at the same time.

The Symantec Domino product settings and log databases, Sav.nsf and Savlog.nsf respectively, can be replicated to other Domino servers running the Symantec Domino product. The Symantec Domino product server task, NNTASK, monitors Sav.nsf for changes to the Symantec Domino product settings through replication and reloads the settings on the local server.

Generally, a specific computer is selected to host the master Symantec Domino product databases, a so-called "Hub" server. The rest of the servers in the environment act as "Spoke" servers, which replicate to and from this Hub server.


Note: The rest of this document will assume that the Hub server has the first installation of Symantec Domino product in your environment.


The Symantec Domino product settings database can use Pull-Push replication among all servers running the Symantec Domino product. In this scenario, there is no single Hub server for the Sav.nsf. Be aware that this type of replication will mean that any administrator with sufficient access control privileges can change settings in the Sav.nsf from any server, increasing the possibility of replication save conflicts. For this reason, we recommend that the Settings database be replicated with Push-Only replication.

The Symantec Domino product log database stores server messages, reports of virus incidents, scan summaries, custom reports, and Product Information. Using Pull Only replication, you can maintain a master Log that automatically includes virus incidents and reports from other Domino servers running the Symantec Domino product. You may also use Pull Push replication if you do not want to centralize this information.

Similar to the Log database, you can replicate the Quarantine database, Savquar.nsf, to create a central repository of quarantined documents, although you may find it unnecessary. The Quarantine database provides access to quarantined documents and documents that the Symantec Domino product backs up before eliminating viruses.

Before replication
There are two considerations to take into account before actually initiating replication of the Symantec Domino product databases. The first is database signing. The second is the Purge Agent.

Symantec highly recommends that you sign any database you are planning to replicate before replication to ensure workstation security. The Symantec Domino product does include databases with embedded LotusScript code, which needs to be signed by a trusted ID before use.

To sign the Symantec databases:
  1. Open the Domino Administrator client using a trusted account.
  2. Navigate to the Files tab, and then to the Sav folder.
  3. Right-click Sav.nsf, and click Sign.
  4. Verify that the correct ID is selected - "Active User’s ID" or "Active Server's ID," depending on which ID you prefer.
  5. Verify that "All design documents" is selected, and then click OK.
  6. Repeat steps 4-6 for the Savlog.nsf, Savquar.nsf and any other Symantec Domino databases created.

Note: We recommend that you sign the Savquar.nsf, even if you are not planning to replicate it.


Enabling the Purge Agent:
There is an optional Purge Agent available for the Symantec Domino product log database. It is used to clear old statistics and events from the database at regular intervals. If you are planning on using Pull-Push replication for this database, you will only need to enable it on one server, which is generally the Hub. If you are maintaining a master log using Pull Only replication, you need to enable it on each server.

To operate the Purge Agent, the ID that signed the Symantec Domino product log database needs the right to run unrestricted LotusScript/Java agents. For instructions, read the document Best practices for Symantec products in the Lotus Domino environment - Installation.

To activate the Purge Agent, read the document How to enable the Purge Agent for Norton AntiVirus for Lotus Notes 2.0 or Symantec AntiVirus/Filtering 3.0 for Domino on Windows NT/2000. Once you have configured the Purge Agent, proceed to the next section.

Common steps
Before installing Symantec AntiVirus/Filtering on your Spoke servers, it is recommended that you create the initial replicas of the Symantec Domino product Settings and Log databases. Make sure that each replica goes into the \data\SAV path on the Spoke servers. When you install Symantec AntiVirus/Filtering on the Spokes, the installation process will automatically detect the presence of the replicated databases, but only if they are in the correct subdirectory.

Symantec Domino product Settings database only
You need to create a Connection Document for this database. Schedule replication to occur at whatever interval meets your needs. The type of replication you choose determines whether you are using centralized or decentralized management of the Symantec Domino product settings.

If you cannot manage replication through Connection Documents (that is, you already have one or more Connection Documents using Pull-Push replication for all databases), then skip to Section 5 or Section 6.

Decentralized management (Pull-Push replication):
  1. Open the Domino Administrator.
  2. Go to the Configuration Tab.
  3. Choose Connections in the Server section in the left pane.
  4. Click Add Connection.
  5. Do the following on the Basics tab:
    1. Configure the Connection Type, Usage Priority, and network port or ports appropriately for your Domain.
    2. Configure the Source server as your Symantec AntiVirus/Filtering Hub.
    3. Configure the Destination server as your Symantec AntiVirus/Filtering Spoke. If there is more than one Spoke server, you can create a new Group for all Spoke servers and set the group name as your Destination server. If you do not, you need to create a new Connection document for each Spoke server.
  6. Do the following on the Replication/Routing tab:
    1. Set the Replication task to Enabled.
    2. Configure the Replication Type for "Pull Push."
    3. Type sav\Sav.nsf in the field labelled "Files/Directories to Replicate:".
  7. Configure all other settings appropriately for your Domain. Save the new Connection document.
  8. Ensure that Notes Administrator or Administrators and LocalDomainServers are in the Access Control List of Sav.nsf, with Manager access and Delete Documents enabled.

    Any change made on any replica propagates to all replicas.
    WARNING:
    Replication save conflicts will occur if fields are updated in more than one replica of the database at the same time. Symantec does not recommend using this method unless only one person in charge of security policy is allowed to make changes.

Centralized management (Push Only replication)
Follow all the instructions above until step 6b. For step 6b, set the Replication Type to "Push Only." Only changes made on the Hub server will persist and replicate to the Spoke servers.

Symantec Domino product log only
Similar to the Sav.nsf, the Savlog.nsf may be replicated Pull-Push. If you are using Pull-Push replication, follow the steps for decentralized management above. However, be aware that using Pull-Push replication will result in all data being replicated to all servers, which may impact network performance.

If you want to use a master log database, follow the instructions below.

To implement Pull Only replication from the Spokes to the Hub:
  1. Open the Domino Administrator.
  2. Go to the Configuration Tab.
  3. Choose Connections in the Server section in the left pane.
  4. Click Add Connection.
    1. On the Basics tab, configure the Connection Type, Usage Priority, and network port or ports appropriately for your Domain. Configure the Source server as your Symantec AntiVirus/Filtering Hub. Configure the Destination server as your Symantec AntiVirus/Filtering Spoke. If there is more than one Spoke server, you can create a new Group for all Spoke servers and set the group name as your Destination server. If you do not, you will need to create a new Connection document for each Spoke server.
    2. On the Replication/Routing tab, set the Replication task to Enabled. Configure the Replication Type for "Pull Only."
    3. Type sav\Savlog.nsf in the field labelled "Files/Directories to Replicate:".
    4. Configure all other settings appropriately for your Domain. Save the new Connection document.
  5. Ensure that Notes Administrator or Administrators and LocalDomainServers are in the Access Control List of Savlog.nsf, with Manager access and Delete Documents enabled.
    The Hub server will collect statistics from the Spoke servers. Changes on the Hub server will not replicate to the Spokes.

    If you are upgrading from a prior version of Norton AntiVirus, you may want to retain your old information. After replication has been configured, you may merge data from your old logs to your new ones with the command TELL SAV MERGELOGDB at the Domino Console.

The Quarantine database
As explained in the previous section, it is not necessarily desirable to replicate the Quarantine database. It is possible, but it may generate high network traffic. However, if you need a central location to view quarantined items, you can replicate it by using the instructions for replication of the Log database.

Replication of the Symantec Domino settings and Domino log when the Symantec Domino product is already installed on replica servers
Under some circumstances, the Symantec Domino product may already be installed on a server on which you want to implement replication of the Symantec Domino product Log and Settings. Since the database replication IDs will not match in this situation, it is necessary to replace the log and settings databases that already exist on the new Spoke server with new replicas from the Hub server. You will need to stop the Symantec Domino product task in Domino to do so.

To stop the Symantec Domino product server task on the Spoke server or servers:
  1. Type tell sav quit in the server console window on the Spoke.
  2. Create new replicas of the Symantec Domino settings and Symantec Domino log databases from the Hub server to the Spoke server. If you are prompted to overwrite an existing Sav.nsf or Savlog.nsf, then respond Yes. This overwrites the existing databases with the new replicas.
  3. Type load ntask to restart AV/F Domino on Windows NT/2000 Domino servers. Type load nntask to restart Symantec Domino product on other operating systems.
  4. Configure replication per Section 2 (or skip to Section 5 or Section 6 if Section 2 does not apply to your environment).

Preparing the Symantec Domino product definitions database for replication
The Symantec Domino product definitions database, Savdefs.nsf, stores updated virus definitions. The database can be replicated to other Domino servers running Symantec AntiVirus/Filtering for Lotus Domino so that only a single LiveUpdate is required to maintain current protection on all servers. The Domino server on which the master Savdefs.nsf is created should be the computer that downloads new virus definition updates through a scheduled LiveUpdate.


Note: Use of the Symantec Domino product Definitions database is required only if you plan to replicate updated virus definitions. If you do not intend to replicate virus definitions, then you do not need to create the Symantec Domino product definitions database. Other methods of updating definitions include LiveUpdate on all servers, using the Intelligent Updater package to update virus definitions, or using a desktop version of Symantec AntiVirus/Filtering to perform updates.


If you cannot manage replication through Connection Documents (that is, you already have one or more Connection Documents using Pull-Push replication for all databases), then skip to Section 5 or Section 6.

To prepare for the Symantec Domino product definitions replication:
  1. Select a Domino server in your organization that will be used as the Hub to download updated virus definitions.
  2. Go to the "LiveUpdate" tab of your server group after installing Symantec AntiVirus/Filtering on the server.
  3. Click "Create SAV Definitions Database" in the LiveUpdate form.

As with other Symantec databases, it is necessary to sign the Definitions database. Follow the steps in the previous section "To sign the Symantec databases:" to sign the database. Furthermore, the Definitions database also has a Purge agent. Follow the steps in the previous section "Enabling the Purge Agent" to activate the Purge agent. Then continue with the following steps.
  1. Enable and schedule the LiveUpdate.
  2. Enable "Save Downloaded Virus Definitions In The SAV Definitions Database."
  3. Create new replicas of the master Savdefs.nsf database and replicate onto the other Notes servers running Symantec AntiVirus/Filtering. Be sure to create the new replicas in the \data\sav folder.
  4. Open the Domino Administrator.
  5. Go to the Configuration Tab.
  6. Choose Connections in the Server section in the left pane.
  7. Click Add Connection.
  8. Do the following on the Basics tab:
    1. Configure the Connection Type, Usage Priority, and network port or ports appropriately for your Domain.
    2. Configure the Source server as your Symantec AntiVirus/Filtering Hub.
    3. Configure the Destination server as your Symantec AntiVirus/Filtering Spoke. If there is more than one Spoke server, you can create a new Group for all Spoke servers and set the group name as your Destination server. If you do not, you will need to create a new Connection document for each Spoke server.
  9. Do the following on the Replication/Routing tab:
    1. Set the Replication task to Enabled.
    2. Configure the Replication Type for "Push Only."
    3. Type sav\Savdefs.nsf in the field labelled "Files/Directories to Replicate:".
  10. Configure all other settings appropriately for your Domain.
  11. Ensure that Notes Administrator or Administrators and LocalDomainServers are in the Access Control List of Savdefs.nsf, with Manager access and Delete Documents enabled.

After the next scheduled LiveUpdate, any updated virus definitions are downloaded and a new document is created in the Savdefs.nsf at the Hub. The updated definitions are distributed to the other replicas when a manual or scheduled replication occurs. The Symantec Domino product server task checks for a new virus definition set at ten minute intervals.


CAUTION: Definitions should not be replicated to Domino servers running on a different operating system. Definitions are operating system specific. Replication of the definitions for the wrong platform could cause AV/F Domino for Domino or the Domino server to cease functioning.


Controlling replication through Access Control Lists
Many Symantec customers have expressed an interest in alternative methods of managing the replication of the Symantec Domino product databases through the use of Access Control Lists (ACLs). The use of ACLs to manage replication can effectively duplicate the various types of replication without the use of a Connection document.

If Domino is configured with any Connection documents that do not specify which databases and directories to replicate, then Domino replicates all databases that have replicas in all of the directories. Since the AV/F Domino databases require one-way replication in some cases, proper management of ACLs can prevent replication save conflicts.

Note that the following instructions assume that your Domino environment has at least one Connection document that replicates all databases. They also assume that you are using Pull-Push replication originating from the Hub server. If the Domino server that controls domain-wide replication is not also the central Symantec Domino product server, or you are using another method of replication (such as Pull-Pull), then you will need to adjust these instructions accordingly.

If you would prefer to control replication of the Symantec AntiVirus/Filtering databases through Advanced Replication Settings, skip to Section 6.

The Symantec Domino product settings
The Symantec Domino product settings database, as discussed in Section 2, can be replicated in two different ways:

Decentralized: If you are using Pull-Push replication for all databases, you are already decentralizing management of the Symantec Domino product settings. This makes it possible to enact changes to the Symantec Domino product settings at any Spoke server or the Hub server, and have them affect all servers. The benefit is that it lets you make changes at whatever server you happen to be working from. The drawback is that there are no possible changes to the ACL that will eliminate the possibility of replication save conflicts. A conflict can occur if a change is made at one server and then at another before the replication process has a chance to update the second server.

To reduce the possibility of a replication save conflict, we recommend that only one individual be allowed Manager access to the database. If you have several Domino administrators as members of an administrative group, we recommend that you do not use this group for the purposes of administration of the Symantec Domino product settings. Instead, select a single AV/F Domino administrator. Give this administrator Manager access with Delete Documents enabled. Give all other administrators Reader access if you want them to view current settings. If more than one person is capable of making a change to the Symantec Domino product settings database, the chances of accidentally creating a replication save conflict are very high.

Centralized: To achieve centralized management of the Symantec Domino product settings, you must simulate Push Only replication through the use of ACLs. This makes it possible to enact changes only on the Hub server. The Spoke servers will never be able to push settings back to the Hub server. The benefit of this is that it prevents possible "rogue administrators" from enacting changes in Spoke replicas of the Symantec Domino product settings without approval. The drawback is that you must use the Hub server to enact any changes.

To centralize management:
  1. Open the original Sav.nsf on the Hub server.
  2. Go to File, choose Replication, and select Settings.
  3. Click Advanced.
  4. Clear the box labelled "Access control list." Click OK.
  5. Do the following on the Hub: Ensure that the Notes Administrator or Administrators and LocalDomainServers are in the Access Control List of Sav.nsf, with Manager access and Delete Documents enabled. Again, we recommend that only one Notes Administrator account be granted this access.
  6. Do the following on the Spokes: Ensure that the Notes Administrator or Administrators are in the Access Control List of the Sav.nsf, with Reader access only. Ensure that no user account has Manager access; this prevents accidental changes to the wrong replica of the database. Ensure that the LocalDomainServers group is in the Access Control List with Manager access and Delete Documents enabled.

    Changes will only be possible on the Hub. The Spokes will receive all changes from the Hub.

Symantec Domino product log
To create a central database to store all log information, you must use Pull Only replication. However, simulating Pull Only replication with Access Control List changes is problematic.

If your environment currently has Connection documents performing Pull-Push replication and you want to simulate Pull Only replication, you must essentially make the Spoke replicas of the Savlog.nsf read-only for the Hub. However, the Domino environment does not allow the server that created the original copy of a database to have just Reader access to any replicas of it.

Currently, Symantec recommends consulting your Lotus Domino documentation for more information.

Symantec Domino product definitions
Of all the databases, the Savdefs.nsf is the one with the greatest likelihood of developing replication save conflicts without changes to its Access Control List. While replication will work without these changes, the chances are very high that at some point, LiveUpdate will be run directly from one of the Spoke servers in most environments. If this is ever a possibility in your environment, it is imperative that the following changes be made to prevent LiveUpdate from interfering with the functionality of a replica database.


Note: These changes are recommended even if you are using Connection documents to manage the Symantec Domino product database replication.


To prevent LiveUpdate from interfering:
  1. Open the Savdefs.nsf on the Hub.
  2. Go to File, select Replication, and choose Settings.
  3. Click Advanced.
  4. Clear the box labelled "Access control list." Click OK.
  5. Do the following on the Hub: Ensure that Notes Administrator or Administrators and LocalDomainServers are in the Access Control List of Savdefs.nsf, with Manager access and Delete Documents enabled.
  6. Do the following on the Spokes: Ensure that the Notes Administrator or Administrators are in the Access Control List of the Savdefs.nsf, with Reader access only. This ensures that even if someone runs LiveUpdate locally at a Spoke server, those changes do not go into the Savdefs.nsf and generate replication save conflicts in the local replica. Ensure that the LocalDomainServers group is in the Access Control List with Manager access and Delete Documents enabled.
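The Hub and Spoke ACL rules given above for Sav.nsf (centralized management) and Savdefs.nsf, together with the CAUTION about operating-system-specific definitions, can be checked mechanically once the ACLs have been collected from each server. The following is an added example, not Symantec code: the inventory structure, the entry-kind labels, and all server and user names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Domino ACL levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
# Databases for which the article gives separate Hub and Spoke ACL steps.
ACL_CONTROLLED = {"sav.nsf", "savdefs.nsf"}


@dataclass
class AclEntry:
    name: str
    kind: str                 # assumed labels: "person", "person_group", "server_group"
    level: str
    can_delete: bool = False  # "Delete Documents" privilege


@dataclass
class Replica:
    server: str
    role: str                 # "hub" or "spoke"
    os: str
    database: str             # file name, e.g. "Savdefs.nsf"
    acl: list
    # State of the "Access control list" box under Replication Settings > Advanced.
    replicate_acl: bool = False


def rank(level):
    return LEVELS.index(level)


def audit(replicas):
    """Return (location, problem) tuples for replicas that deviate from the guidance."""
    findings = []
    hubs = {r.database.lower(): r for r in replicas if r.role == "hub"}
    for r in replicas:
        db = r.database.lower()
        if db not in ACL_CONTROLLED:
            continue
        where = f"{r.server}:{r.database}"
        # Hub and Spokes alike: LocalDomainServers needs Manager with Delete Documents.
        if not any(e.name == "LocalDomainServers" and e.level == "Manager"
                   and e.can_delete for e in r.acl):
            findings.append((where, "LocalDomainServers lacks Manager with Delete Documents"))
        humans = [e for e in r.acl if e.kind in ("person", "person_group")]
        managers = [e for e in humans if e.level == "Manager"]
        if r.role == "hub":
            # Step 4: the ACL itself must not replicate, or Hub and Spoke ACLs cannot differ.
            if r.replicate_acl:
                findings.append((where, "'Access control list' replication box is not cleared"))
            if not any(e.can_delete for e in managers):
                findings.append((where, "no administrator has Manager with Delete Documents"))
            # The article recommends a single Manager account for Sav.nsf.
            # A group counts as one entry here; its membership is not expanded.
            if db == "sav.nsf" and len(managers) > 1:
                findings.append((where, "more than one administrator entry has Manager"))
        else:
            # The article requires Reader for administrators and no Manager for any
            # user; this example caps every non-server entry at Reader (assumption).
            for e in humans:
                if rank(e.level) > rank("Reader"):
                    findings.append((where, f"{e.name} has {e.level}; spokes allow Reader only"))
            hub = hubs.get(db)
            # Definitions are operating-system specific (see the CAUTION above).
            if db == "savdefs.nsf" and hub and hub.os != r.os:
                findings.append((where, f"definitions replicated from {hub.os} hub to {r.os} spoke"))
    return findings


def sample_inventory():
    """Constructed inventory: one Hub, one compliant Spoke, one misconfigured Spoke."""
    def lds():
        return AclEntry("LocalDomainServers", "server_group", "Manager", True)
    admin = AclEntry("AVF Admin/Example", "person", "Manager", True)
    reader = AclEntry("AVF Admin/Example", "person", "Reader")
    return [
        Replica("hub01", "hub", "Windows 2000", "Sav.nsf", [lds(), admin]),
        Replica("hub01", "hub", "Windows 2000", "Savdefs.nsf", [lds(), admin],
                replicate_acl=True),
        Replica("spoke01", "spoke", "Windows 2000", "Sav.nsf", [lds(), reader]),
        Replica("spoke02", "spoke", "AIX", "Savdefs.nsf",
                [lds(), AclEntry("Domino Admins", "person_group", "Manager", True)]),
    ]


if __name__ == "__main__":
    for where, problem in audit(sample_inventory()):
        print(f"{where}: {problem}")
```
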

Controlling replication through Advanced Replication Settings
It is possible to control replication of databases on a field-by-field basis, controlling precisely what happens when any given server attempts to replicate a field to any other server in a Domino domain. If it is impossible to manage replication through Connection Documents or Access Control Lists, building a replication scheme through Advanced settings is possible.

These settings assume that you have already created the initial replicas of the AV/F Domino databases on the Spoke servers.

Symantec Domino product settings
The Symantec Domino product settings database, as discussed previously, can be replicated in two different ways:

Decentralized: If you are using Pull-Push replication for all databases, you are already decentralizing management of the Symantec Domino product settings. This makes it possible to enact changes to the Symantec Domino product settings at any Spoke server or the Hub server and have them affect all servers. The benefit is that it lets you make changes at whatever server you happen to be working from. The drawback is that there are no possible changes to the ACL that will eliminate the possibility of replication save conflicts. A conflict can occur if a change is made at one server and then at another before the replication process has a chance to update the second server.

To reduce the possibility of a replication save conflict, we recommend that only one individual be allowed Manager access to the database. If you have several Domino administrators as members of an administrative group, we recommend that you do not use this group for the purposes of administration of the Symantec Domino product settings. Instead, select a single AV/F Domino administrator. Give this administrator Manager access with Delete Documents enabled. Give all other administrators Reader access if you want them to view current settings. If more than one person is capable of making a change to the Symantec Domino product settings database, the chances of accidentally creating a replication save conflict are very high.

No changes need to be made to this database's Replication Settings.

Centralized: To achieve centralized management of the Symantec Domino product settings, you must simulate Push Only replication through the use of Advanced settings. This makes it possible to enact changes only on the Hub server. The Spoke cannot push settings back to the Hub server. The benefit is that it prevents possible "rogue administrators" from enacting changes in Spoke replicas of the Symantec Domino product settings without approval. The drawback is that you must use the Hub server to enact any changes.

To centralize management:
  1. Open the Sav.nsf on any server.
  2. Go to File, choose Replication, and select Settings.
  3. Click Advanced.
  4. Select the Hub server in the "When Computer:" drop-down menu.
  5. Select the "Any Server" option in the "Receives from:" drop-down menu.
  6. Clear the boxes labelled "Forms, Views, etc.," "Agents," and "Deletions." Ensure that the box labelled "Fields" is cleared. Ensure that the box labelled "Access Control List" is selected, unless you are not replicating ACLs per the instructions in Section 5.
  7. Click OK. When replication of the Settings database occurs, the Hub will not accept any data from the Spokes.

Symantec Domino product log
The primary purpose of preventing Pull-Push replication of the Symantec Domino product log is to prevent all servers from sending and receiving all entries in the database. The only replica that needs all Spoke entries is the Hub. There are only limited possibilities for replication save conflicts in the Symantec Domino product log database. However, it is still possible under some circumstances, and the following steps ensure that these circumstances are minimized.

To minimize replication save conflicts:
  1. Open the Savlog.nsf on any server.
  2. Go to File, choose Replication, and select Settings.
  3. Click Advanced.
  4. Select the "Any Server" option in the "When Computer:" drop-down menu.
  5. Select the Hub server in the "Receives from:" drop-down menu.
  6. Clear the boxes labelled "Forms, Views, etc.," "Agents," and "Deletions." Ensure that the box labelled "Fields" is cleared. Ensure that the box labelled "Access Control List" is selected, unless you are not replicating ACLs per the instructions in Section 5.
  7. Click OK. When replication of the Log database occurs, the Spokes will not accept any data from the Hub.

Symantec Domino product definitions
The Symantec Domino product definitions database is likely to develop replication save conflicts and multiple copies of the same definition set if the Spoke servers are allowed to replicate anything back to the Hub. The following steps prevent that from occurring:

To prevent replication back to the Hub:
  1. Open the Savdefs.nsf on any server.
  2. Go to File, choose Replication, and select Settings.
  3. Click the Advanced button.
  4. Select the Hub server on the "When Computer:" drop-down menu.
  5. Select the Hub server in the "Receives from:" drop-down menu.
  6. Clear the boxes labelled "Forms, Views, etc.," "Agents," and "Deletions." Ensure that the box labelled "Fields" is cleared. Ensure that the box labelled "Access Control List" is selected, unless you are not replicating ACLs per the instructions in Section 5.
  7. Click OK. When replication of the definitions database occurs, the Hub will not accept any data from the Spokes.






Legacy ID



2002031411542854

