Endpoint Protection


Configuring 2 SEPMs with embedded DB

  • 1.  Configuring 2 SEPMs with embedded DB

    Posted Dec 14, 2011 05:55 AM

    I have 2 SEPMs but no SQL db so I have to go with the embedded database. Is it possible to configure both for failover/load balancing or should I just make each one separate since there is no SQL db to utilize? I should also mention they are located on a different continent.



  • 2.  RE: Configuring 2 SEPMs with embedded DB
    Best Answer

    Broadcom Employee
    Posted Dec 14, 2011 06:17 AM

    Hi,

    Failover and load balancing installations are supported only when the original Symantec Endpoint Protection Manager uses Microsoft SQL Server.

    Just make each one separate since there is no SQL db to utilize, OR you can do replication if possible. (SEP 11.x Embedded database supports 5000 clients & SEP 12.1 Embedded database supports up to 8000 clients.)
     
    Check following public KB for more details
     
    About installing and configuring the Symantec Endpoint Protection Manager for failover or load balancing
    Installing a management server for failover or load balancing
    I hope it will help you !!!


  • 3.  RE: Configuring 2 SEPMs with embedded DB

    Trusted Advisor
    Posted Dec 14, 2011 06:19 AM

    Hello,

    It could be a concern when you have sites across Continents with Embedded Database. 

    I agree with Chetan above.

    Failover and load balancing configurations are supported in Microsoft SQL Server installations only. Failover configurations are used to maintain communication when clients cannot communicate with a Symantec Endpoint Protection Manager. Load balancing is used to distribute client management between management servers. You can configure failover and load balancing by assigning priorities to management servers in Management Server lists.

    See About failover and load balancing.

    In fact, Replication in your case could help with 2 SEPMs on Embedded Database.

    Also, check these 2 threads:

    https://www-secure.symantec.com/connect/forums/replication-between-2-sites-embedded-databases

    https://www-secure.symantec.com/connect/forums/sepm-failoverloadbalancing-embeded-database

    Again, since they are in 2 different Continents, make sure you have enough Bandwidth between sites.

    Hope this helps!!



  • 4.  RE: Configuring 2 SEPMs with embedded DB

    Posted Dec 14, 2011 08:28 AM

    So replication will work but not failover/load balancing?



  • 5.  RE: Configuring 2 SEPMs with embedded DB

    Broadcom Employee
    Posted Dec 14, 2011 08:29 AM

    Yes, Replication will work but not failover/load balancing.

    While setting up replication, follow best practice.



  • 6.  RE: Configuring 2 SEPMs with embedded DB

    Posted Dec 14, 2011 08:31 AM

    Is there a KB on setting up replication?

    Do I need to create 2 different install packages? One from each SEPM? Or Can I use 1?



  • 7.  RE: Configuring 2 SEPMs with embedded DB

    Trusted Advisor
    Posted Dec 14, 2011 09:08 AM

    Hello,

    Check this article (it gives you in-depth knowledge):

    Managing sites and replication
     
     
    Hope that helps!!


  • 8.  RE: Configuring 2 SEPMs with embedded DB

    Broadcom Employee
    Posted Dec 14, 2011 09:13 AM

    Hi Brian81,

    For replication, the base rule is that both SEPMs must have the same version.

    If they have the same version, they would have the same packages.

    However, when you do replication you have an option whether you want to replicate packages or not.

    How to install the Symantec Endpoint Protection Manager(s) for replication: http://www.symantec.com/docs/TECH105928

    How to configure the replication schedule for Symantec Endpoint Protection Manager (SEPM): http://www.symantec.com/docs/TECH104454

    How to add an additional site to configure replication for Symantec Endpoint Protection Manager (SEPM) using an Embedded Database: http://www.symantec.com/docs/TECH104455

     
    I hope it will help you !!


  • 9.  RE: Configuring 2 SEPMs with embedded DB

    Posted Dec 14, 2011 09:22 AM

    Thanks, this helps.

    What about install packages? Do I need a separate one for each SEPM?



  • 10.  RE: Configuring 2 SEPMs with embedded DB

    Posted Dec 14, 2011 09:23 AM

    Thanks, that helps. I'll report back when I get this straightened out.



  • 11.  RE: Configuring 2 SEPMs with embedded DB

    Trusted Advisor
    Posted Dec 14, 2011 09:56 AM

    Hello,

    In case of the installation package for SEPM, you could use the same installation.

    However, in terms of Client Packages, you would have to create custom packages on each Site as the SEPMs would differ and it also depends where you would like to have the clients report to.

    MSL (in replication) also plays a major role for these clients to report to the correct SEPM.

    I would recommend the article provided above as a must-read.

    You could also watch videos on Replication and Load Balancing / Failover. (Note: These videos are for SEP v. 11.x. However, the principles remain the same in 11.x and SEP 12.1 versions.)

    Load Balancing and Fail Over

    https://www-secure.symantec.com/connect/videos/load-balancing-and-fail-over

    Replication Concepts and Configuration

    https://www-secure.symantec.com/connect/videos/replication-concepts-and-configuration

     

    Hope that helps!!



  • 12.  RE: Configuring 2 SEPMs with embedded DB

    Posted Dec 14, 2011 11:50 PM

    Hello,

    To

    Configuring 2 SEPMs with embedded DB is possible.

    Follow the steps below to add a replication partner:

    1. On the machine you wish to be a replication partner, install Symantec Endpoint Protection Manager.
    2. In the Management Server Configuration Wizard panel, choose Advanced rather than Simple.
    3. Select the number of clients you expect the server to manage, and then click Next.
      Note: This panel is displayed only when installing the Symantec Endpoint Protection Manager on the computer for the first time.
    4. Check Install an additional site, and then click Next.
    5. In the Server Information panel, accept or change the default values, and then click Next.
    6. Accept or change the name in the Site Name box, and then click Next.
    7. In the Replication Information panel, type values in the following boxes:

      Replication Server Name: The name or IP address of the remote Symantec Endpoint Protection Manager
      Replication Server Port: The default value is 8443
      Administrator Name: The account name that is used to log on to the console with administrator user rights
      Password: Provide a password that is associated with the Administrator Name that is specified
       
    8. Click Next.
    9. In the Certificate Warning dialog box, click Yes.
    10. In the Database Server Choice panel, choose one of the following and click Next:

      Embedded Database
      Microsoft SQL Server
       
    11. If you chose Embedded Database in the above step, then continue with these steps; if you chose Microsoft SQL Server, move to step 14.
    12. In the admin user panel, provide and confirm a password for the admin account. Optionally, provide an administrator email address.
    13. Move to step 19
    14. Do one of the following:

      If the database does not exist, check Create a new database (recommended).
      If the database exists, check Use an existing database.

      An existing database must define file groups PRIMARY, FG_CONTENT, FG_LOGINFO, FG_RPTINFO, and FG_INDEX. The user account for database access must have privileges db_ddladmin, db_datareader, and db_datawriter.

      If these requirements are not met, your installation fails. A best practice is to define a new database.
       
    15. Click Next
    16. In the Microsoft SQL Server Information panel, type your values for the following boxes:

      Database server

      If you created a new instance, the format is servername_or_IPaddress\instance_name.

      SQL server port
      Database name
      User
      Password
      Confirm password (only when creating a new database)
      SQL Client folder
      DBA user (only when creating a new database)
      DBA password (only when creating a new database)
      Database data folder
       
    17. Click Next
    18. Provide and confirm a password for the admin account. Optionally, provide an administrator email address.
    19. Click Next



    Configuring the Symantec Endpoint Protection Manager for replication

    You use the Symantec Endpoint Protection Manager Console to configure servers for replication. The administrator logon credentials are the credentials that are used at the first site that you specify for replication.

    To configure the Symantec Endpoint Protection Manager for replication
     

    1. On the computer on which you installed the Symantec Endpoint Protection Manager as an additional site, log on to the Symantec Endpoint Protection Manager console.
    2. In the console, click Admin, and then click Servers.
    3. Under View Server, expand Local Site, expand Replication Partner, right-click Site <remote_host>, and then click Edit Properties.
    4. In the Replication Partner Properties dialog box, set the options that you want for logs, packages, and replication frequency, and then click OK.

      Refer to context-sensitive Help and the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for details about these settings.
       
    5. Right-click Site <remote_host>, and then click Replicate Now.
    6. Click Yes.
    7. Click OK.

    To add a replication partner when a site has already been replicated using the above steps

    1. Log in to the Symantec Endpoint Protection Manager console.
    2. Click the Admin tab. Under "View Servers", select a site.
    3. Under "Tasks", click Add Replication Partner. The Add Replication Partner wizard appears.
    4. Click Next on the "Welcome panel", and then enter the <ip address> or <host name> of the server that you wish to add as a replication partner.
    5. Enter the <port number> and the administrator's user name and password for the remote server on which you installed the SEPM.
      Note: The default setting for the remote server port is 8443.

       
    6. Click Next to invoke the "Schedule Replication" dialog box.
    7. Disable "Autoreplicate" to set up a custom schedule for replication:
      • Select the hourly, daily, or weekly Replication Frequency.
      • Select the specific day during which you want replication to occur in the Day of Week list to set up a weekly schedule.
         
    8. Click Next when the replication schedule is configured as desired.
    9. Click Yes or No depending on whether or not you want to replicate logs.
      Note: The default setting is No.

       
    10. Click Next and then click Finish. The replication partner site is added under Replication Partners on the Admin page.

    For more details, check the Symantec KB.
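
Added example, not part of the post above or of Symantec's documentation: a T-SQL pre-check for the existing-database requirements listed in step 14 (the five file groups and the three database roles). The database name `sepm_db` and user name `sepm_user` are placeholders for whatever you plan to enter in the Microsoft SQL Server Information panel.

```sql
-- Pre-check for step 14 ("Use an existing database"): reports which of the
-- required file groups and role memberships are present.
-- Placeholders (assumptions, not from the thread): [sepm_db] and N'sepm_user'
-- stand for your own database and database user.
USE [sepm_db];
GO

DECLARE @dbuser sysname = N'sepm_user';

WITH required(kind, name) AS (
    SELECT N'filegroup', v.name
    FROM (VALUES (N'PRIMARY'), (N'FG_CONTENT'), (N'FG_LOGINFO'),
                 (N'FG_RPTINFO'), (N'FG_INDEX')) AS v(name)
    UNION ALL
    SELECT N'role', v.name
    FROM (VALUES (N'db_ddladmin'), (N'db_datareader'),
                 (N'db_datawriter')) AS v(name)
),
present(kind, name) AS (
    -- File groups defined in the current database.
    SELECT N'filegroup', fg.name
    FROM sys.filegroups AS fg
    UNION ALL
    -- Roles the user is a direct member of. Membership inherited through
    -- another role (for example db_owner) is not counted here.
    SELECT N'role', r.name
    FROM sys.database_role_members AS m
    JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
    WHERE u.name = @dbuser
)
SELECT req.kind,
       req.name,
       CASE WHEN p.name IS NULL THEN 'MISSING' ELSE 'ok' END AS status
FROM required AS req
LEFT JOIN present AS p
       ON p.kind = req.kind
      AND p.name = req.name COLLATE DATABASE_DEFAULT
ORDER BY req.kind, req.name;
```

Any row with status MISSING corresponds to a requirement from step 14 that is not met, which the post says causes the installation to fail.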



  • 13.  RE: Configuring 2 SEPMs with embedded DB

    Posted Jan 17, 2012 10:56 AM

    Hello Brian,

    Please note that replication cannot be done between two set SEPMs. Replication creates a mirror image of the Primary SEPM to the secondary; hence, in your case, the clients on one of the SEPMs would not report to any SEPM.

    Procedures that you could follow are:

    1. Have all the clients reporting to 1 SEPM (note that the bandwidth usage would be very high if no GUPS are used)

    2. Uninstall 2nd SEPM and reinstall it as a replication partner

    3. Have the MSL pointing to the correct groups so that the clients report accordingly.

    Option 2.

    1. Uninstall 2nd SEPM and reinstall it as a replication partner

    2. Have the MSL pointing to the correct groups so that the clients report accordingly.

    3. Reconnect the clients to the 2nd SEPM

     

    After a replication is done, the install packages need to be created only from one SEPM, for a particular group (group A would have the clients reporting to SEPM A and Group B would have the clients reporting to SEPM B).