Endpoint Protection


Best Practice/Procedure for installing 2 SEPM and around 130 clients


  • 1.  Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 08:50 AM

    Hey

    I would like to know what is the best practice/procedure for installing 2 SEPM and 130 clients.

    Servers are running 2003 R2, most are x86 and some are x64, clients are running Windows 7 and a few Windows XP.

    There are 2 server rooms, each with a SAN that is replicating between the 2 server rooms.

    So it is possible for the 2 SEPM to share a SQL database if needed.

    I was thinking of installing 1 SEPM, configuring all the policies and pushing out all the clients from the first SEPM, and then installing the second SEPM for failover and creating a new management list?

     



  • 2.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 09:23 AM

    Replication Best Practices:

      1. For more than 3 sites or 1,000 clients: No more frequent replication than once per day.

      2. Versions of the Policy Manager have to be the same.

      3. Replication schedules should not overlap.

      4. If replicating over WAN, only replicate the logs.

      5. Number of replicated sites should ideally be kept below 5. Ratio will be 1:4 (i.e. 1 primary : 4 secondary).

      6. The value of "Content revisions to keep" should be set to a lower value.

      7. If you have configured multiple replication partners, then always make sure that the replication schedules won't overlap. This situation can lead to database deadlock issues.

      8. Delete replication partners when:

          1. Upgrading the Policy Manager.

          2. If any CRT Approved tools need to be executed.

          3. Software / hardware maintenance on the Policy Manager.

          4. Backing up the database manually.

    Reference:

    http://bit.ly/joSwN7

    Forums:

    https://www-secure.symantec.com/connect/forums/sep-replication-best-practice



  • 3.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 09:47 AM

    So when I have installed both SEPM, I create a management server list and set up replication between the two SEPM.

    Will these two SEPM be using the same SQL DB, or will they be using their own placed locally?

    Edit: I have read the link and I'm not sure I will be needing replication.

    What I am looking for is to have 1 SEPM installed with all clients, and then if that server is dead the clients will need to get updates etc. from a backup SEPM. So I was thinking I only needed to add another SEPM to an existing site and add it to the management server list? But not sure if this is the right thing to do or not.



  • 4.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 09:48 AM

    Hi,

    It's using its own placed database.

    Replication enables data to be duplicated between databases on separate sites so that both databases contain the same information. If one database fails, you can manage the entire site by using the information on the database from another site.



  • 5.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 10:25 AM

    So during the installation of the second SEPM I select "install new site", and then I set up replication between the 2 sites and create a new management server list with the priority set differently between the 2 sites for failover?



  • 6.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 10:28 AM

    Hi,

    The changes that you make on any partner are duplicated to all other partners. For example, you may want to set up one site at your main office (site 1) and a second site (site 2). Site 2 is a partner to site 1. The databases on site 1 and site 2 are reconciled by using the replication schedule. If a change is made on site 1, it automatically appears on site 2 after replication occurs. If a change is made on site 2, it automatically appears on site 1 after replication occurs.



  • 7.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 10:31 AM

    Okay, but the thing I'm looking for is failover, so the clients automatically detect that the primary server is down and begin to talk with the failover server. Both SEPM need to control the same clients.



  • 8.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 10:32 AM

    In a failover configuration, all clients send traffic to and receive traffic from server 1. If server 1 goes offline, all clients send traffic to and receive traffic from server 2 until server 1 comes back online.

    Load balancing occurs between the servers assigned to Priority 1 in a Management Server List. If more than one server is assigned to Priority 1, the clients randomly choose one of the servers and establish communication with it. If all Priority 1 servers fail, clients connect with the server assigned to Priority 2.

    Failover configurations are used to maintain communication when clients are unable to communicate with a Symantec Endpoint Protection Manager. When all management servers at a higher priority level become unavailable, clients switch to failover servers, which are defined by their lower priority level in the Management Server List. At every heartbeat, clients check to see whether there is a higher priority server available. If there is, the clients switch to it immediately.

    Whenever possible, failover servers should be at the same site as the management servers that they back up. All management servers at the same site share one database, so that data consistency is guaranteed. It is possible to configure management servers that are replication partners as failover servers, but there is a risk of data inconsistency between replication partners because replication does not always take place frequently enough.

    Failover and load balancing installations are supported only when the original Symantec Endpoint Protection Manager uses Microsoft SQL Server. The SQL Server Native Client files also must be installed on the computer on which you install a site for failover or load balancing.

    You do not install servers for failover or load balancing when the first Symantec Endpoint Protection Manager site is configured to use the embedded database.

    These are 2 different concepts.

    To explain, I would suggest you check the articles below:

    For failover and load balancing:

    1) About failover and load balancing

    http://www.symantec.com/docs/HOWTO26809

    2) About Load Balancing and Failover Clustering in Symantec Endpoint Protection 11.0

    http://www.symantec.com/docs/TECH104519

    3) About installing and configuring the Symantec Endpoint Protection Manager for failover or load balancing

    http://www.symantec.com/docs/HOWTO26808

    4) Installing a management server for failover or load balancing

    http://www.symantec.com/docs/HOWTO26807

    Check these threads:

    https://www-secure.symantec.com/connect/forums/failover-concept

    https://www-secure.symantec.com/connect/forums/difference-between-replication-and-failover



  • 9.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 12:07 PM

    Just curious how often I can set 2 servers to replicate if I wanted to use replication.

    You said only once a day if it was 3 sites or 1000 clients; I only have around 130 clients.

    Can I replicate, let's say, 5 times a day?



  • 10.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 12:19 PM

    Hi,

    You can set the replication schedule.

    Check this article; it may help.

    Changing the automatic replication schedule

    http://www.symantec.com/docs/HOWTO55469



  • 11.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 03:06 PM

    Can you explain better than the links how replication works?

    If I have one server with all my clients, and I then install SEPM on a different server as a replication partner, the database is replicated.

    But what do I do when the first server dies? Can I control (send updates, scan etc.) the clients from the secondary server, as if nothing had happened?



  • 12.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 08:19 PM

    Check this forum thread.

    https://www-secure.symantec.com/connect/forums/sepm-failoverloadbalancing-embeded-database

    Configuring failover and load balancing for Symantec Endpoint Protection Manager

    By default, the Symantec Endpoint Protection Manager servers are assigned the same priority when configured for failover and load balancing. If you want to change the default priority after installation, you can do so by using the Symantec Endpoint Protection Manager console. Failover and load balancing can be configured only when a site includes more than one management server.

    To configure failover and load balancing for Symantec Endpoint Protection Manager

    1. In the Symantec Endpoint Protection Manager console, click Policies.

    2. In the View Policies pane, to the right of Policy Components, click the up arrow so that it becomes a down arrow, and then click Management Server Lists.

    3. In the Tasks pane, click Add a Management Server List.

    4. In the Management Server Lists dialog box, under Management Servers, click Add > New Priority once per priority you want to add.

    5. Under Management Servers, click Priority 1.

    6. Click Add > New Server.

    7. In the Add Management Server dialog box, in the Server Address box, type the fully qualified domain name or IP address of a Symantec Endpoint Protection Manager.

      If you type an IP address, be sure that it is static, and that all clients can resolve the IP address.

    8. Click OK.

    9. Do one of the following:

      • To configure load balancing with the other server, click Priority 1.

      • To configure failover with the other server, click Priority 2.

    10. Click Add > New Server.

    11. In the Add Management Server dialog box, in the Server Address box, type the fully qualified domain name or IP address of a Symantec Endpoint Protection Manager.

      If you type an IP address, be sure that it is static, and that all clients can resolve it.

    12. Click OK.

    13. Optionally change the priority of a server to adjust the configuration for load balancing or failover. Select a server, and then do one of the following:

      • Click Move Up.

      • Click Move Down.

    14. In the Management Server Lists dialog box, click OK.

      You must then apply the Management Server List to a group.

     

    To apply the Management Server List

    1. In the Management Server Lists pane, under Management Server Lists, under Name, highlight the Management Server List that you created.

    2. In the lower-left Tasks pane, click Assign the list.

    3. In the Apply Management Server List dialog box, check the groups to which to apply the list.

    4. Click Assign.

    5. In the Assign Management Server List dialog box, click Yes.



  • 13.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 12, 2012 08:56 PM

    Can the SEPM database be hosted in the SQL Server cluster?



  • 14.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 13, 2012 07:27 AM

    In failover, do they need to use the same DB, or can they use the one installed locally, or does it need to be on a shared drive?



  • 15.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients
    Best Answer

    Posted Aug 13, 2012 07:44 AM

    When you have two SEPMs (regardless of whether they are connected to the same DB or not), both should be in the Management Server List (only IP addresses, host names, ports and priority). This is the only thing the clients see; they are not aware of the real infrastructure.

    The clients connect to a random SEPM from those with the same priority in the MSL.

    Once the SEP client connects to a SEPM, it checks for policies and updates only with that SEPM and takes what is newer there. It is not aware of what Symantec or other SEPMs are publishing, hence it is not able to detect that it is not updated and then actively switch to Symantec servers or other SEPMs of yours.

    So, when you have two SEPMs, you have the following advantages:

    - load balancing: clients are randomly distributed over the two SEPMs

    - failover between the SEPMs: if the clients are not able to connect to a SEPM (it is down or unreachable), they will try to connect to another SEPM in the list, hoping it is OK.

    So, the product does not allow you to force the clients to fail over to other SEPMs under custom conditions (like "when definitions are older than ... try to connect to ..."); clients are just taking into consideration the MSL, the priorities there and the connectivity to the SEPMs.

    Hence, you have to:

    - set a notification to know when more than X% of clients are out-of-date for > Y days

    - investigate the content distribution to isolate the issue

    - if you really have one updated SEPM and one not updated, clients should get the definitions from the other SEPM just because they might randomly connect to it. If you isolate the non-working SEPM from the network, you will force the clients to connect to the working one and get the definitions.
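
The Management Server List behaviour described in posts 8 and 15 (random choice among servers of equal priority, failover to the next priority level, switch back at a heartbeat once a higher-priority server returns), as a small added simulation. It is not part of the thread and not Symantec code; the server names `sepm1`/`sepm2` and all function names are hypothetical, and the model assumes a client stays on its current server while nothing at a higher priority is reachable.

```python
import random

def pick_server(msl, reachable, rng=random):
    """Pick a server the way the thread describes: walk the priority levels
    (1 = highest) and choose at random among the reachable servers of the
    first level that has any. Returns None when nothing is reachable."""
    for priority in sorted(msl):
        candidates = [s for s in msl[priority] if s in reachable]
        if candidates:
            return rng.choice(candidates)
    return None

def heartbeat(msl, reachable, current, rng=random):
    """One heartbeat: keep the current server unless it is unreachable or a
    server at a higher priority level has become reachable again."""
    prio_of = {s: p for p, servers in msl.items() for s in servers}
    if current in reachable and current in prio_of:
        better = [s for p in sorted(msl) if p < prio_of[current]
                  for s in msl[p] if s in reachable]
        if not better:
            return current  # model assumption: no rebalancing at equal priority
    return pick_server(msl, reachable, rng)

def simulate(msl, timeline, clients=130, seed=1):
    """Run `clients` clients through `timeline` (one set of reachable servers
    per heartbeat) and return the per-heartbeat client count per server."""
    rng = random.Random(seed)
    state = [None] * clients
    history = []
    for reachable in timeline:
        state = [heartbeat(msl, reachable, cur, rng) for cur in state]
        counts = {}
        for server in state:
            counts[server] = counts.get(server, 0) + 1
        history.append(counts)
    return history

if __name__ == "__main__":
    both = {"sepm1", "sepm2"}
    outage = [both, {"sepm2"}, both]           # constructed: sepm1 down for one heartbeat
    failover = {1: ["sepm1"], 2: ["sepm2"]}    # Priority 1 / Priority 2
    balanced = {1: ["sepm1", "sepm2"]}         # both at Priority 1
    print("failover:", simulate(failover, outage))
    print("balanced:", simulate(balanced, outage))
```

A `None` key in the counts means those clients could reach no management server at that heartbeat, which is the state the out-of-date notification in post 15 is meant to surface.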



  • 16.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 13, 2012 07:50 AM

    Thanks, this helps a lot.

    So can I just install 1 SEPM and push out all clients from there and configure policies etc., and when all that's done, I then install the second SEPM and use it as failover?

    I will make sure every SEPM will be updated at the same time with virus definitions.



  • 17.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 13, 2012 07:54 AM

    Yes,

    If one SEPM server goes down, the SEP client will be updated by the second server.

    Note: If the issue is resolved, then please mark this thread as solved.



  • 18.  RE: Best Practice/Procedure for installing 2 SEPM and around 130 clients

    Posted Aug 13, 2012 08:00 AM

    Thanks for help!