Video Screencast Help

DLP Custom Tiering

Created: 13 Dec 2012 • Updated: 13 Dec 2012 | 12 comments
Mohammad Ashkaibi's picture
This issue has been solved. See solution.

Hello. It is urgent and I need to know. Can I install Enforce Platform and Endpoint Prevent detection server on one server, and Oracle DB on another server (this is what I'm referring to as "custom tiering")? Meaning that only two servers are required.


- Moh

Comments 12 CommentsJump to latest comment

stumunro's picture


yes you can do that it is a 2 tier install, dont forget to install the oracle client on the enfrorce server to it can talk to oracle db.

Mohammad Ashkaibi's picture

Hi and thanks! I've seen many posts of yours and I could benefit from them - whether you were asking or answering yes

This means that I can have the Oracle DB on one PHYSICAL server, and both Enforce and Endpoint Prevent together on a VIRTUAL server (VMware). Is it correct?

- Moh

stumunro's picture

iyes you can put everything in vmware except netowrk monitor and the oracle db... I have done this on installs previoulsy

Mohammad Ashkaibi's picture

My concern is answered now. Thanks a million!

stumunro's picture

if you have questions as you go please post here as we can answer them for you

Stephen Heider's picture

Don't want to retract the solution necessarily, but the only supported install where Enforce and Endpoint are on the same server is for DLP customers with Standard licenses (i.e., those that are only for Endpoint and have no future plans to add Detection servers).

The only supported "two-tier" setup for DLP Enterprise customers is where you have Enforce and Oracle on the same server, and their Detection Server is on a separate box. As noted above, however, the Oracle database does have to be on a physical box and not a VM.

If you confirm to DLP support that your Enforce and Endpoint share the same server, you should be told that this is not supported.

Mohammad Ashkaibi's picture

Thanks for replying. Actually I started this thread with DLP Standard in my mind. So your post double confirms the selected answer above. cool

So as mentioned above, what I'm proposing to my customer is the following: Oracle DB on one PHYSICAL server, and both Enforce and Endpoint Prevent together on a VIRTUAL server (VMware).

Will DLP Tech Support praise this setup?

Stephen Heider's picture

Praise may be hard to come by from support, but we will certainly honor the setup on a DLP Standard license! I would also note the requirements for Endpoint on VM are stricter than for physical boxes. Much less Agents per server (5000 max instead of 10K for instance). But the documentation covers that fairly well.

Mohammad Ashkaibi's picture

No worries, the customer will purchase only 100 of DLP Standard licenses so they can do with a humble server for both Enforce and Endpoint Prevent. Though, I'll send them a revised list of requirements for both servers in my Two-Tier plan.


stumunro's picture

Here is the skinny on Oracle as a VM, i have spent lots of time on this issue.

Symantec does not officially support oracle as a vm, this is due to a clause the oracle is using that if oracle cant resolve the issue and it is a virtual you MUST revert it back to physical hardware.

also under endpoint best practices

"Do not combine an Endpoint Prevent: Notify or Block response rule with
two-tier detection methods, including Exact Data Matching, Indexed Document
Matching, or profiled (static) Directory Group Matching. If you do, the system
displays a warning for both the policy detection and the response rule."

 3 tier system "You can perform a two-tier or single-tier Symantec Data Loss Prevention installation. In both of these cases, the database runs on the same computer as
the Enforce Server."

if you implement a three-tier installation, you must install the Oracle Client
(SQL*Plus and Database Utilities) on the Enforce Server.

stumunro's picture


have you looked at the netork sizing guide also? i have posted it here

Symantec_DLP_Oracle_11g_Installation_Upgrade_Guide.pdf 1.05 MB
Symantec_DLP_11.6_Network_Sizing_Guide.pdf 418.22 KB
Symantec_DLP_11.6_Install_Guide_Win.pdf 1.34 MB
Mohammad Ashkaibi's picture

I've already had a look into both the Oracle guide and DLP Installation guide, but that Sizing Guide is new and seems filled with lots of hints that will really take care of my concerns.

Honestly, the name "Network Sizing..."  implied the Network Discover/Prevent to me at first frown

Thanks for the assistance!