How to set up replication of the Symantec Mail Security for Domino - Multiplatform Edition databases
|Article:TECH97823|||||Created: 2009-01-01|||||Updated: 2010-08-26|||||Article URL http://www.symantec.com/docs/TECH97823|
You are installing or you have already installed Symantec Mail Security for Domino - Multiplatform Edition version 3.2 or 8.0.x (for AIX). You're seeking additional information on how to setup replication if it's databases.
This document explains how to set up replication of the Symantec Mail Security for Domino - Multiplatform Edition Settings, Log, and AV Definitions databases.
The following topics are discussed:
- Minimum Lotus Notes versions
- About SMSDOM-MPE databases
- Initial replication settings in Domino 7
- Specifying replica path names in a mixed-platform environment
- Preparing the SMSDOM-MPE Settings or SMSDOM-MPE Log databases for replication
- Replication of SMSDOM-MPE Settings when Symantec Mail Security for Domino - Multiplatform Edition is already installed on replica servers
- Preparing the SMSDOM-MPE AV Definitions database for replication
- Excluding SMSDOM-MPE template files from replication
For additional information, see the Symantec Mail Security for Domino - Multiplatform Edition Installation Guide or the online help.
Minimum Lotus Notes versions
Signing databases using some versions of Lotus Notes will corrupt the selective replication settings.
You must sign your SMSDOM-MPE databases using Lotus Notes version 6.0.4 or 6.5.2 and higher. (Refer to Domino SPR JMAZ5WVV7U)
About SMSDOM-MPE databases
To facilitate enterprise-wide management of Symantec Mail Security for Domino - Multiplatform Edition, the Symantec databases can be replicated to other servers running SMSDOM-MPE.
Replication of the SMSDOM-MPE databases allows the centralization of configuration settings, security risk incidents and statistics, and virus definitions.
The SMSDOM-MPE Settings database, savmpe.nsf, can be replicated to other Domino servers running SMSDOM-MPE. The SMSDOM-MPE server task (nntask) monitors savmpe.nsf for changes to the SMSDOM-MPE settings through replication, and reloads the settings on the local server.
The following subset of settings in the SMSDOM-MPE Settings database are replicated between Domino servers:
- Real Time Scanning settings
- Global Security Risk Options settings
- All scheduled scans
- Content Options
- Content Filtering Rules
The SMSDOM-MPE Log database, savmpelog.nsf, stores server messages, reports of security risk incidents, and scan summaries. It also provides access to both quarantined and original documents that SMSDOM-MPE backs up before eliminating security risks.
Through replication, you can maintain a master SMSDOM-MPE Log that automatically includes security risk incidents and statistics reports from other Domino servers running SMSDOM-MPE.
The SMSDOM-MPE AV Definitions database, savmpedefs.nsf, stores updated virus definitions. The database can be replicated to other Domino servers running SMSDOM-MPE so that only a single LiveUpdate is required to maintain current protection on all servers.
- Note: Use of the SMSDOM-MPE AV Definitions database is only required if you plan to replicate updated virus definitions. If you do not intend to replicate virus definitions, you do not need to create the SMSDOM-MPE AV Definitions database.
WARNING: Definitions should not be replicated to Domino servers running on a different operating system.
Definitions are operating system-specific. Replication of the definitions for the wrong platform could cause SMSDOM-MPE and/or the Domino server to cease functioning.
Initial replication settings in Domino 6 and Domino 7
The Notes/Domino 6.x and 7.x environments do not correctly populate replicas containing selective replication formulas when manual replication is used.
The Symantec Mail Security for Domino - MPE Settings and Log databases use selective replication formulas.
To create replicas of these databases onto another server, the Domino Administration Process (AdminP) MUST be used.
When creating replicas with AdminP, push-only replication must be used to initially populate the replica.
Once the replica has been initially populated, you may use whatever replication topology you choose.
To create replicas using AdminP:
- Ensure that your replication connections between the source and target servers are set to push-only replication from the source to the target.
- Open the Domino Administrator and ensure that the server you are administering is the source server.
- Find the database you wish to replicate under the "Files" tab.
- Highlight the database and select "Create Replica(s)..." from the tools menu on the right.
- Choose the servers where the replicas will be created, and then click "OK" to create the replicas.
- Wait until the first replication occurs, which must be a push-only replication.
- Reconfigure replication connections as desired.
When using AdminP, the activities are carried out by the server, as opposed to by the user ID you are logged into when setting up the request.
However, the user ID is also evaluated to make sure that you are allowed to trigger the replication. This means that both your server AND logged on user must be allowed to "Create New Replicas" on the target server.
If the file already exists when you tell the server to create a replica, the server cannot delete the already-existing file. You must first delete the database using the Domino Administrator.
For more details on the AdminP process, see the Domino Administrator Client Help Topics. The help topics database is typically located in the data\help\ directory of your Notes client.
Specifying replica path names in a mixed-platform environment
When replicating SMSDOM-MPE databases in a mixed-platform environment, care must be taken to specify the correct database directory name when defining the replica path in the Domino Administrator.
When replicating to AIX, Linux, and Solaris, the replica path should be specified using the forward slash character ("/"), and the database directory name should be "sav".
When replicating to OS/400, the replica path should be specified using the forward slash ("/") character, and the database directory name should be "SAV".
If you do not use the correct syntax for the replica path name, SMSDOM-MPE database replication will not function correctly in a mixed-platform environment.
Preparing databases for replication (SMSDOM - MPE Settings and SMSDOM - MPE Log)
Generally, a specific machine is selected to host the master SMSDOM-MPE Settings and SMSDOM-MPE Log databases.
If desired, you do not have to select a machine to host a master SMSDOM-MPE database. With push-pull replication, SMSDOM - MPE Settings can be replicated among all servers
running the same version of SMSDOM-MPE. For the SMSDOM - MPE Log, however, you must select a machine to host the master log.
- When using Push-Pull replication scheme, Symantec recommends you make changes to SMSDOM - MPE settings ONLY on a single server, then let Domino replication pass these changes to all other Domino Servers running Symantec Mail security for Domino - Multiplatform Edition. (i.e., avoid changing the same field in two or more replicas, as the behavior when the replicas are merged is not defined by Domino)
- It is essential that all replicas are initially populated using push-only replication.
To prepare for SMSDOM - MPE Settings or SMSDOM - MPE Log replication:
- Select a Domino server in your organization to be the master Symantec Mail Security for Domino - Multiplatform Edition server.
- Install SMSDOM-MPE on the master server and start the Domino server.
- Before installing SMSDOM-MPE on other servers, create a 'sav' folder in the Notes Server Data Directory. Using AdminP only, then make replicas of the newly-installed savmpe.nsf and savmpelog.nsf databases (from the master server) into the "<Notes server data directory>
/sav" directory of the other Domino servers. Be sure to set the ownership and permissions of the target 'sav' folders to grant the Domino server access to them, while appropriately restricting other users.
You MUST use AdminP to create your initial replicas.
- Install SMSDOM-MPE on the other servers, but keep the already-replicated savmpe.nsf and savmpelog.nsf databases. This is an option of the SMSDOM-MPE installation program.
- Ensure that Domino Administrator(s) and LocalDomainServers are in the Access Control List of savmpe.nsf and savmpelog.nsf, with Manager access and Delete Documents enabled.
The LocalDomainServers group should contain all of the servers to which you plan to replicate.
Any changes made to SMSDOM-MPE settings on any of the Notes servers are distributed to the other replicas when a manual or scheduled replication occurs.
After replication, the new SMSDOM-MPE settings are reloaded automatically.
- Tip: Avoid unexpected behavior by permitting only the Notes Administrator(s) in charge of security risk policy to edit the edit the SMSDOM-MPE databases on a single Domino server, and allow Domino Replication to make the necessary changes to all other SMSDOM-MPE servers.
For the SMSDOM - MPE Log, initiate push replication from the SMSDOM - MPE Log replicas to the master savmpelog.nsf. This will allow for centralized logging of security risk incidents across multiple Domino servers.
Remember that all replicas must be populated initially from the source server using push-only replication.
Replication of SMSDOM - MPE Settings when SMSDOM-MPE is already installed on replica servers
If SMSDOM-MPE is already installed on a Domino server to which the SMSDOM - MPE Settings or SMSDOM - MPE Log databases are being replicated, you must stop the SAV server task on that server before replicating the database.
- To stop the SAV server task on a replica Domino server: Type "TELL SAV QUIT" in the server console window.
- Use the Domino administrator to delete the SMSDOM - MPE Settings and SMSDOM - MPE Log databases from the sav directory on the replica server.
- Create new replicas and replicate the SMSDOM - MPE Settings and SMSDOM - MPE Log databases from the master server to the replica servers. Remember that you MUST create the replicas using AdminP, and populate them with push-only replication.
- Type "load nntask" to restart the SAV server task.
Preparing the SMSDOM - MPE AV definitions database for replication
The Domino server on which the master savmpedefs.nsf is created should be the machine that downloads new virus definition updates through a scheduled LiveUpdate.
Use of the SMSDOM - MPE AV Defs database is only required if you plan to replicate updated virus definitions to separate physical servers.
Partitioned servers on the same physical server will share a single SMSDOM - MPE AV Defs database. Definitions will be updated within ten minutes of a new LiveUpdate download.
If you do not intend to replicate virus definitions, you do not need to create the definitions database.
To prepare for SMSDOM - MPE AV Definitions replication:
- Select a Domino server in your organization that will be used to download updated virus definitions.
- After installing Symantec Mail Security for Domino - Multiplatform Edition, click LiveUpdate in the SMSDOM-MPE main window.
- In the LiveUpdate form, click "Create SMSDOM - MPE Definitions Database".
- Enable and schedule the LiveUpdate;
- Enable "Save Downloaded Virus Definitions In The SMSDOM - MPE Definitions Database";
- Ensure that Notes Administrator(s) and LocalDomainServers are in the Access Control List of savdefs.nsf, with Manager access and Delete Documents enabled. The LocalDomainServers group should contain all of the servers to which you plan to replicate.
- Using AdminP, create new replicas of the master savmpedefs.nsf database (only one per physical computer) and replicate onto the other Notes servers running SMSDOM-MPE.
- The definitions database must reside in the <Notes server data directory>
- The replicas must be initially populated from the master server using AdminP and push-only replication.
After the next scheduled LiveUpdate, any updated virus definitions are downloaded and a new savmpedefs.nsf document is created.
The updated definitions are distributed to the other replicas when a manual or scheduled replication occurs. The SMSDOM-MPE server task checks for a new virus definition set at 10-minute intervals.
- Never replicate savmpedefs.nsf to different operating systems. The definitions and processing engines are platform-specific.
- Never replicate savmpedefs.nsf to more than one partition of a multi-partition Domino server. Only one LiveUpdate per physical computer is required to update definitions on all partitions of that computer.
- Only one savmpedefs.nsf should exist on a single computer, regardless of the number of Notes partitions that have Symantec Mail Security for Domino - MPE installed.
Excluding Symantec template files from replication
SMSDOM-MPE template files are installed to the data directory, and are named savmpe.ntf, savmpelog.ntf, and savmpedefs.ntf.
If the SMSDOM-MPE template files (savmpe.ntf, savmpelog.ntf, and savmpedefs.ntf) are allowed to replicate to the master server, databases created from the replicated templates will appear to be replicas. If this occurs, SMSDOM-MPE will not operate properly.
For example, if the savmpedefs.ntf template is allowed to replicate to the master server, any definitions databases created from the replicated template will appear to be replicas. In this case, SMSDOM-MPE will not allow updated virus definitions to be attached to it.
To prevent the SMSDOM-MPE templates from being replicated:
- Make sure that the Files/Directories to Replicate field in the Routing and Replication sections of your Server Connections documents specify which databases and directories to replicate between servers.
If the Files/Directories to Replicate field is left blank, all database templates will be replicated between servers.
Article URL http://www.symantec.com/docs/TECH97823