
DLP Prevent won't work with load balancing?

Created: 22 Apr 2010 | 4 comments
Sot's picture

I'm routing outbound email from a Lotus Notes network through DLP Prevent to several internet email appliances that are on different subnets around the company. In order to balance the outbound message load, we've put the appliances into a 3DNS pool - call it "outbound.example.com". For those not familiar, this means that whenever a system such as DLP is configured to use the mailhost outbound.example.com to send messages, it resolves that name in DNS and gets a different IP address each time.

Sending directly from Lotus Notes to that pool works fine - mail traffic is distributed across all of the appliances. Unfortunately, when sending through DLP, it seems to latch on to one IP and never uses any of the others. Is there any way to change this behavior?


Naor Penso's picture

Symantec DLP Prevent for Mail does support load balancing.
This is taken from the MTA integration guide Symantec supplies with the product (Symantec_DLP_10.5_Email_Prevent_MTA_Integration_Guide):

About IP load balancer-based clusters:

When you use an IP load balancer to implement clusters of MTAs and Network
Prevent Servers (Email), make sure that every Network Prevent Server (Email)
can connect back to the MTA cluster. The particular architecture you implement
depends on the capabilities of your load balancer and the available routes in your
network.
If the load balancer is bi-directional, you can operate the Network Prevent Servers
(Email) in either reflecting mode or forwarding mode. If the load balancer is
uni-directional, you must operate the server in forwarding mode.
See “Example of bi-directional load balancing” on page 43.
See “Example of uni-directional load balancing” on page 45.

There are also diagrams in the PDF.
Please refer to the guide for further help; it is on page 43.

Kind Regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

jgt10's picture

Prevent was not designed with load balancing in mind. As you noticed, it does not resolve the MTA hostname every time it makes a connection. It resolves it once and uses that IP address. There is no way to change this behavior.

You could do load distribution by pointing the Prevent servers at different appliances and have Lotus Notes use the 3DNS to select which Prevent it uses.

JGT

--
John G. Thompson
JOAT(MON)
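
The difference between the two behaviours described in this thread (Lotus Notes spreading mail across the pool, Prevent staying on one address) can be reproduced with a short script. This is an added sketch, not part of the thread and not Symantec code; the rotating resolver and the 192.0.2.x addresses are constructed stand-ins for the 3DNS pool, and `distribution` is a hypothetical helper name.

```python
import itertools
import socket
from collections import Counter

def system_resolver(name):
    """Return the IPv4 addresses the OS resolver gives for name, in answer order."""
    return socket.gethostbyname_ex(name)[2]

def make_rotating_resolver(addresses):
    """Constructed stand-in for the pool: one address per query, rotating."""
    cycle = itertools.cycle(addresses)
    return lambda name: [next(cycle)]

def distribution(name, connections, resolver=system_resolver, resolve_each_time=True):
    """Count which address each of `connections` outbound sends would target.

    resolve_each_time=True  models a sender that looks the name up per connection.
    resolve_each_time=False models a sender that resolves once and keeps that IP.
    """
    counts = Counter()
    pinned = None
    for _ in range(connections):
        if resolve_each_time or pinned is None:
            pinned = resolver(name)[0]  # first address in the answer is used
        counts[pinned] += 1
    return counts

if __name__ == "__main__":
    pool = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed sample addresses
    per_conn = distribution("outbound.example.com", 9,
                            make_rotating_resolver(pool), resolve_each_time=True)
    once = distribution("outbound.example.com", 9,
                        make_rotating_resolver(pool), resolve_each_time=False)
    print("resolve per connection:", dict(per_conn))
    print("resolve once:          ", dict(once))
```

Calling `distribution` with the default `system_resolver` against a real pool name shows what the local resolver actually hands out, which can differ from the pool's rotation if answers are cached on the host.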

DHaag's picture

I have multiple SMTP Prevents load balanced and sending to multiple MTAs that are load balanced without any issues or problems. The Prevents themselves cannot do it alone; you have to use a load balancer and proper VIP configurations.
This setup also provides full DR and automatic failover.

DLP - Jon's picture

Sot,

Were you ever able to get your DNS load-balancing to work with DLP Prevent?

Thanks,