
Creating Sylink.XML for multiple SEP talking to SEPM in different zones ?

Created: 30 Jan 2013 • Updated: 03 Feb 2013 | 17 comments
This issue has been solved. See solution.

Hi All,

In order to reduce my confusion, can I actually create one single SYLINK.XML for all of my servers with the below settings:

Internal Servers SEP Client reporting and managed by Internal SEPM server
DMZ Servers SEP Client reporting and managed by DMZ SEPM server

So irrespective of whichever server is deployed and installed with the SEP client, it can automatically report to the correct DMZ or internal SEPM respectively.


Ashish-Sharma's picture

Hi,

Is your SEPM AD integrated?

If not, maybe you can create sylink.xml all SEP client showing that particular group

Thanks In Advance

Ashish Sharma

 

 

John Santana's picture

Yes, the SEPM in the internal is of course AD integrated, as is evident from the account that I'm logged in to; it is using my AD account password.

But the DMZ servers and the SEPM in the DMZ are not AD integrated.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

zafar1907's picture

Hi,

As per my knowledge,
Your Internal SEPM server and DMZ SEPM server have different IPs, so you have to create two sylink files, because sylink contains the IP address and the client will communicate with the IP address which is in sylink.XML

Regards,
Zafar

Thanks and Regards,

Mohammad zafar

Please Mark as solution if this comment solved your Issue....

John Santana's picture

Many thanks for the response Zafar,

I don't know who set it up before me (my predecessors). I see that one of the Sylink.XML files has multiple SEPMs and has priority 1, 2 and 3 in the XML element?

Are they rotated in round robin style?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

JS@support's picture

Hello John,

It may be possible if failover/load balancing or replication is configured between SEPM's.

Check the MSL configuration at both the SEPM's.

Or else need to create two Sylink.xml files.

 

pete_4u2002's picture

I do not think it can be done. The SEPM's have to be replicating; then sylink can be used. However, again, the Management Server List needs to be set so that clients report to the priorities defined in that. So it will be a different sylink.

John Santana's picture

Thank you for your clarification Pete, so in this case it is not possible to create one Sylink.XML which contains all SEPM servers in all different domain ?

 

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

pete_4u2002's picture

You have all the SEPM's certificate in one sylink file if they are replicating or in load balance. However, as per your requirement, you want to have the client connect to the respective location SEPM. If that's the case, the sylink has to be different, with the priorities defined.

do you have SNAC?

John Santana's picture

Hi Pete,

Replication: Yes I have set both SEPM to replicate each other between Internal and DMZ

SNAC: not yet implemented, but soon to be for the Internal only, not DMZ

I've seen that the SYLINK.XML in my DMZ servers got

Priority 1: connect to SEPM Internal FQDN

Priority 2: connect to SEPM DMZ IP address

Priority 3: connect to SEPM Internal IP address 

 

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

JS@support's picture

Hi John,

So irrespective whichever the server is deployed and installed with the SEP client, it can automatically report to the correct DMZ or internal SEPM respectively --> Yes, it's correct with the given info above.

You can change the MSL if required.

pete_4u2002's picture

You may need to edit/add the MSL accordingly and apply it to the clients so that they know which SEPM to communicate with. Also, when exporting a new package, you use the policy from the said group so that the client knows which group to communicate with and which policy to take. Hope this helps.

John Santana's picture

Pete,

May I know how and where can I edit the MSL list ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

John Santana's picture

Many thanks for the clarification Pete,

Now I know that MSL is the way to prioritize / load balance the SEP client connecting with the SEPM in the same subnet without any firewall in place.

But in my case both SEPM servers are in different subnets and there is a firewall between the Internal and the DMZ, so I guess creating one MSL to be used by the DMZ SEP client is impossible to do because the next available SEPM in the list is in a different network zone protected with a firewall.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

pete_4u2002's picture

In that case you need to allow the port (SEPM) on the firewall, by default 8014. If you don't, the client won't connect to the other location's SEPM.

SOLUTION
zafar1907's picture

Hi,

Agreed with pete,
could you please tell me the architecture of your environment?

If you have installed SEPM with AD integration, the client will automatically move to the respective OU.

Thanks and Regards,

Mohammad zafar

Please Mark as solution if this comment solved your Issue....

John Santana's picture

Hi Zafar,

Yes the AD integration is just for the Login authentication, once the SEP client reports in, I have to manually MOVE it by right clicking into the correct group.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.
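
Added example (not part of the original thread, and not Symantec's code): a way to review a client's Sylink.xml for the situation discussed above, listing each management server by priority and marking which entries sit outside the client's own zone and therefore depend on a firewall rule for the SEPM port. The element and attribute names (`ServerPriorityBlock`, `Server`, `Address`, `HttpPort`), the treatment of block order as priority, the fallback to 8014 when no port is given, and all hostnames and addresses are assumptions or constructed values; check them against your own file.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the DMZ client's priority list in the thread.
# Element/attribute names are assumptions; compare with a real Sylink.xml.
SAMPLE_SYLINK = """<ServerSettings><CommConf>
  <ServerList Name="DMZ clients (constructed)">
    <ServerPriorityBlock Name="List0">
      <Server Address="sepm-internal.example.com" HttpPort="8014"/>
    </ServerPriorityBlock>
    <ServerPriorityBlock Name="List1">
      <Server Address="192.0.2.10" HttpPort="8014"/>
    </ServerPriorityBlock>
    <ServerPriorityBlock Name="List2">
      <Server Address="10.0.0.10" HttpPort="8014"/>
    </ServerPriorityBlock>
  </ServerList>
</CommConf></ServerSettings>"""

def management_servers(sylink_xml):
    """Return (priority, address, port) tuples in the order the file lists them."""
    root = ET.fromstring(sylink_xml)
    servers = []
    for priority, block in enumerate(root.iter("ServerPriorityBlock"), start=1):
        for server in block.iter("Server"):
            port = int(server.get("HttpPort", "8014"))
            servers.append((priority, server.get("Address"), port))
    return servers

def firewall_review(sylink_xml, client_zone_cidr):
    """Classify each entry as same-zone, cross-zone, or hostname (needs DNS)."""
    zone = ipaddress.ip_network(client_zone_cidr)
    report = []
    for priority, address, port in management_servers(sylink_xml):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            # FQDN: cannot be placed in a zone offline; resolve it from the client.
            verdict = "hostname"
        else:
            verdict = "same-zone" if ip in zone else "cross-zone"
        report.append((priority, address, port, verdict))
    return report

if __name__ == "__main__":
    for row in firewall_review(SAMPLE_SYLINK, "192.0.2.0/24"):
        print("priority %d  %-28s tcp/%d  %s" % row)
```

Every `cross-zone` or `hostname` entry is a path the firewall between the zones has to permit on the listed port before the client can use that server.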