DLP Prevent won't work with load balancing?

Created: 22 Apr 2010 | 4 comments
I'm routing outbound email from a Lotus Notes network through DLP Prevent to several internet email appliances that are on different subnets around the company. In order to balance the outbound message load, we've put the appliances into a 3DNS pool - call it "". For those not familiar, this means that whenever a system such as DLP is configured to use the mailhost to send messages, it resolves that name in DNS and gets a different IP address each time.

Sending directly from Lotus Notes to that pool works fine - mail traffic is distributed across all of the appliances. Unfortunately, when sending through DLP, it seems to latch on to one IP and never uses any of the others. Is there any way to change this behavior?

Symantec DLP Prevent for Mail does support load balancing.
This is taken from the MTA integration guide Symantec supplies with the product (Symantec_DLP_10.5_Email_Prevent_MTA_Integration_Guide):

About IP load balancer-based clusters:

When you use an IP load balancer to implement clusters of MTAs and Network
Prevent Servers (Email), make sure that every Network Prevent Server (Email)
can connect back to the MTA cluster. The particular architecture you implement
depends on the capabilities of your load balancer and the available routes in your
If the load balancer is bi-directional, you can operate the Network Prevent Servers
(Email) in either reflecting mode or forwarding mode. If the load balancer is
uni-directional, you must operate the server in forwarding mode.
See “Example of bi-directional load balancing” on page 43.
See “Example of uni-directional load balancing” on page 45.

There are also diagrams in the PDF.
Please refer to the guide for further help; it is on page 43.

Prevent was not designed with load balancing in mind. As you noticed, it does not resolve the MTA hostname every time it makes a connection. It resolves it once and uses that IP address. There is no way to change this behavior.

You could do load distribution by pointing the Prevent servers at different appliances and have Lotus Notes use the 3DNS to select which Prevent it uses.
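The behaviour described in this answer (resolve the MTA name once, then reuse that one address for every connection) is easy to see side by side with a sender that looks the name up before each connection. The following is an added simulation, not code from the thread or from Symantec: the pool name, the three appliance addresses and the Prevent host names are constructed placeholders, and the resolver is a stand-in for a 3DNS round-robin pool. It also implements the static assignment workaround suggested above.

```python
import itertools
from collections import Counter

# Constructed stand-ins for the 3DNS pool and its members (hypothetical values).
POOL_NAME = "mailpool.example.internal"
POOL_ADDRESSES = ["10.0.1.10", "10.0.2.10", "10.0.3.10"]


class RoundRobinResolver:
    """Simulates a DNS round-robin / 3DNS pool: each lookup of a name
    returns the next address in that name's list."""

    def __init__(self, records):
        self._cycles = {name: itertools.cycle(addrs) for name, addrs in records.items()}

    def resolve(self, name):
        return next(self._cycles[name])


def resolve_once_client(resolver, name, connections):
    """Mimics Prevent as described in the thread: the name is resolved once
    at startup and the same IP is reused for every later connection.
    Returns how many connections each appliance received."""
    pinned_ip = resolver.resolve(name)
    return Counter(pinned_ip for _ in range(connections))


def resolve_per_connection_client(resolver, name, connections):
    """Mimics a sender (like Notes sending directly) that resolves the pool
    name before every connection, so traffic follows the round robin."""
    return Counter(resolver.resolve(name) for _ in range(connections))


def static_assignment(prevent_hosts, appliances):
    """Workaround from the thread: pin each Prevent server to a specific
    appliance and let the upstream 3DNS pool choose among the Prevent servers.
    Returns a mapping of Prevent host -> appliance address."""
    return {host: appliances[i % len(appliances)] for i, host in enumerate(prevent_hosts)}


if __name__ == "__main__":
    resolver = RoundRobinResolver({POOL_NAME: POOL_ADDRESSES})
    print("resolve once   :", dict(resolve_once_client(resolver, POOL_NAME, 30)))
    print("resolve per conn:", dict(resolve_per_connection_client(resolver, POOL_NAME, 30)))
    print("static pinning :", static_assignment(["prevent-1", "prevent-2", "prevent-3"], POOL_ADDRESSES))
```

Running it shows the first client putting all 30 connections on a single appliance while the second spreads them evenly, which is exactly the symptom the original poster saw; the static mapping is the manual distribution that the answer proposes instead.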


I have multiple SMTP Prevents load balanced and sending to multiple MTAs that are load balanced without any issues or problems. The Prevents themselves cannot do it alone; you have to use a load balancer and proper VIP configurations.
This setup also provides full DR and automatic failover.

Were you ever able to get your DNS load-balancing to work with DLP Prevent?