
Failover and Load Balancing

Created: 03 Jul 2008 • Updated: 21 May 2010 | 5 comments

Recently, our company has started to implement SEP in a testing environment. We have set up 2 servers: SEP1 and SEP2 with a SQL database sitting in a third box exclusively created to house all corporate databases.

 

Question 1

How does the load balancing feature work in Symantec Endpoint Protection 11.x MR2 MP1?

 

Question 2

Has anyone tested this feature in an established corporate environment?

 

Question 3

How can I put our load balanced environment to the test (I already know the obvious which is to shut down one box and allow the other to pick up all duties)?

 

I would appreciate all friendly posts. Thank You.


dgallardo's picture

Taken directly from Symantec's Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control (Page 82):

 

Failover and load balancing configurations are supported in Microsoft SQL Server installations only. Failover configurations are used to maintain communications if one Symantec Endpoint Protection Manager fails. Load balancing configurations are used to balance communications if one or more Symantec Endpoint Protection Managers begin to maximize CPU usage.

 

Note: When you install a server for failover or load balancing, you also install a management console.

 

Installing and configuring servers for failover and load balancing is a two-part process. First, you install Symantec Endpoint Protection Manager on a computer and add it to an existing site. Second, you log on to the Symantec Endpoint Protection Manager Console, and configure the new Symantec Endpoint Protection Manager.

DM_infinity's picture

Hi.

Load balancing and failover use the "Management server lists".

There is always one default (in your case with both your servers included and in load balancing mode).

You can create new lists (policy -> policy components -> Management Server Lists).

If you set up load balancing you use both the servers in the same priority.

For failover you use different priorities for the different servers.

 

You can read more about this here:

http://service1.symantec.com/support/ent-security....

 

/David

DM_infinity's picture

Hi, I forgot.

Of course you have to apply these settings to one or more groups.

If you choose clients on the left, mark your group, policies on the right and then click "communication settings" you can change lists.

/David

dgallardo's picture

About load balancing and roaming in Symantec Endpoint Protection 11.0

 

Question/Issue:
This document describes how load balancing and roaming works in Symantec Endpoint Protection 11.0.


Solution:
Clients and Enforcers must be able to connect to management servers to download security policies and settings. The Symantec Endpoint Protection Manager includes a file that helps manage the traffic between clients, management servers, and optional Enforcers. The file specifies to which management server a client or Enforcer connects. It can also specify to which management server a client or Enforcer connects in case of a management server's failure. This file is referred to as a "Management server list." A "Management server list" includes the management server's IP addresses or host names to which clients and optional Enforcers can connect after the initial installation. You can customize the management server list before you deploy any clients or optional Enforcers.

When the Symantec Endpoint Protection Manager is installed, a default "Management server list" is created to allow for HTTP communication between clients, Enforcers, and management servers. The default "Management server list" includes the IP addresses for all of the connected network interface cards (NICs) on all of the management servers at the site. You may want to include only the external NICs in the list.

Although you cannot edit the default "Management server list", you can create a customized "Management server list." A custom "Management server list" includes the exact management servers and the correct NICs to which you want clients to connect. In a customized list, you can also use HTTPS protocol, verify the server certificate, and customize the HTTP or HTTPS port numbers.

 

You should not set up multiple sites to try to balance the Symantec Endpoint Protection client load. A better practice is to add management servers to a site and use the "Management server list" feature to automatically distribute the load among them. In a custom "Management server list", each server is assigned to a priority level. A client that comes onto the network selects a priority one server to connect to at random. If the first server it tries is unavailable and there are other priority one servers in the list, it randomly tries to connect to another. If no priority one servers are available, then the client tries to connect to one of the priority two servers in the list. This method of distributing client connections randomly distributes the client load among your management servers.

 

The following options are available for load balancing and roaming:

- To provide both load balancing and roaming, enable DNS and put a domain name as the only entry in a custom management server list.

- To provide both load balancing and roaming, enable the Symantec Endpoint Protection location awareness feature and use a custom management server list for each location. Create at least one location for each of your sites.

- Use a hardware device that provides failover or load balancing. Many of these devices also offer a setup for roaming.


Failover and load balancing configurations are supported in Microsoft SQL Server installations only. Failover configurations are used to maintain communication when clients are unable to communicate with a Symantec Endpoint Protection Manager. Load balancing is used to distribute client management between Symantec Endpoint Protection Manager servers. You can configure failover and load balancing by assigning priorities to management servers in "Management Server lists." Load balancing occurs between the servers assigned to Priority 1 in a "Management Server list." If more than one server is assigned to Priority 1, the clients randomly choose one of the servers and establish communication with it. If all Priority 1 servers fail, clients connect with the server assigned to Priority 2.

 

Note: When you install a server for failover or load balancing, you also install a management console. Installing and configuring servers for failover and load balancing is a two-part process. Install a Symantec Endpoint Protection Manager on a computer and add it to an existing site. Log in to the Symantec Endpoint Protection Manager Console, and configure the new Symantec Endpoint Protection Manager.

Message Edited by dgallardo on 07-03-2008 08:56 AM
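
The priority-based selection quoted in the post above, as an added simulation that is not part of the original thread and is not Symantec's code: it models clients picking a random Priority 1 server and falling back to Priority 2 only when every Priority 1 server is unreachable, so you know what client distribution to expect before shutting down a box. SEP1 and SEP2 come from the question; SEP3, the list contents and the function names are assumptions made for illustration.

```python
import random
from collections import Counter

# Constructed management server lists as (hostname, priority) pairs.
# SEP3 is a hypothetical third manager used to show Priority 2 fallback.
LOAD_BALANCED_LIST = [("SEP1", 1), ("SEP2", 1), ("SEP3", 2)]
FAILOVER_LIST = [("SEP1", 1), ("SEP2", 2)]


def pick_server(server_list, reachable, rng):
    """Return the server one client ends up on, or None if none answer.

    Servers are grouped by priority; within a priority level the client
    tries them in random order, and only moves to the next level when
    every server in the current level is unreachable.
    """
    by_priority = {}
    for host, priority in server_list:
        by_priority.setdefault(priority, []).append(host)
    for priority in sorted(by_priority):
        candidates = list(by_priority[priority])
        rng.shuffle(candidates)
        for host in candidates:
            if host in reachable:
                return host
    return None


def simulate(server_list, reachable, clients=10000, seed=1):
    """Count how many simulated clients land on each server."""
    rng = random.Random(seed)  # fixed seed keeps the run repeatable
    return Counter(pick_server(server_list, reachable, rng)
                   for _ in range(clients))


if __name__ == "__main__":
    scenarios = [
        ("all managers up", {"SEP1", "SEP2", "SEP3"}),
        ("SEP1 shut down", {"SEP2", "SEP3"}),
        ("both Priority 1 managers down", {"SEP3"}),
    ]
    for label, reachable in scenarios:
        print(label, dict(simulate(LOAD_BALANCED_LIST, reachable)))
    print("failover list, all up",
          dict(simulate(FAILOVER_LIST, {"SEP1", "SEP2"})))
```

Comparing these expected counts with the number of clients each real manager reports after a test shutdown shows whether the groups are actually using the list you assigned.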
dgallardo's picture

Hey, David... thanks for the reply! Much appreciated! :smileyhappy: