
How many Discover servers?

Created: 15 Nov 2012 | 6 comments

I'd appreciate any feedback and pitfalls to avoid as I increase the number of our Discover servers.   What is the largest number of Discover servers you have seen in an environment, and what are the dangers/risks/bottlenecks?

Does anyone have more than 100 Discover servers deployed?  Think about businesses that have a lot of "branch locations" on the far side of WAN links... where scanning across the WAN is not desirable.

Thanks for your thoughts.

Bob.

Comments

kishorilal1986:

Hi Bob,

The All Discover Servers entry is not configurable because Symantec Data Loss Prevention automatically assigns all policy groups to all Network Discover Servers. This feature lets you assign policy groups to individual Discover targets. Policies for Discover servers only get loaded when you run a scan, and the only policies that are loaded are the ones that belong to the policy groups selected in the "Discover Target" configuration. After a scan completes, the policies are unloaded.

In the policy group configuration, the check mark for "All Discover Servers" means that this policy group is available for "Discover Targets". If you don't want to use a specific policy during the Discover scan, you should configure the "Discover Targets" setting.

bob_b:

Kishorilal, thanks for the reply, but it does not answer the question I was asking. What is the maximum number of Discover Servers someone has deployed? The question isn't about assigning policies to Discover Servers.

Does anyone have 1000+ Discover Servers deployed in a single Symantec DLP environment? If so, what special tricks are you using to manage them?

Thanks,

Bob Blank

John_Gruhn:

We have a nationwide implementation and we have 64 servers. If you get to the point where you would have 1000+, I would think that you would resort to endpoint (assuming Windows-based servers). We have done this for our most scattered assets, far and away from our regional offices. As you increase the number of servers you would need to keep an eye on the PollingInterval in the server's advanced settings to keep the UI responsive, but as you expand more it's less and less of a tech question and more of an overhead one. Managing that many servers (even with virtuals) becomes a major amount of work.

bob_b:

Thanks John. So your recommendation would be to attack the problem with more endpoints and fewer Discover Servers. Must admit, I didn't think of solving the problem that way. Would you stick with your answer if that meant 50,000+ more endpoints in the environment? Each branch location could have 50 clients in it. Thanks again for the thoughtful response.

Bob.

John_Gruhn:

I have 50,000+ Endpoints already. When you reach that scale, adding more isn't that much extra work. While you might have branch locations that remediate at that level, from a scanning perspective you ought to be able to roll up into larger formations. As long as you can filter incidents down to the level of your remediation, then you should be set. That part comes down to a naming scheme for your endpoints. Assuming that part has been done, how you manage scans should be easier to run and reduce the number of endpoint servers you need.
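The roll-up John describes depends entirely on a hostname convention that encodes region and branch, so that incidents can be grouped for scanning at the regional level and still filtered down to a single branch for remediation. The script below is an added illustration, not code from this thread or from Symantec DLP: it assumes a hypothetical naming scheme of the form REGION-BRANCH-ROLENN (e.g. NE-0421-WS07), parses it with a regex, rolls up a constructed set of incident records by region or by branch, filters to one branch, and reports the hosts that do not follow the convention (the ones that would silently fall out of any filter-based remediation queue).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical naming scheme (an assumption for this example, not a Symantec convention):
#   <REGION>-<BRANCH>-<ROLE><SEQ>   e.g. NE-0421-WS07
#   REGION = two letters, BRANCH = four digits, ROLE = two letters, SEQ = two digits
HOSTNAME_RE = re.compile(
    r"^(?P<region>[A-Z]{2})-(?P<branch>\d{4})-(?P<role>[A-Z]{2})(?P<seq>\d{2})$"
)


@dataclass(frozen=True)
class Incident:
    """Minimal stand-in for an exported DLP incident row (constructed for this example)."""
    incident_id: int
    hostname: str
    policy: str
    match_count: int


def parse_hostname(hostname):
    """Return the region/branch/role/seq parts, or None if the host breaks the convention.
    Case is normalised first, since agents often report hostnames in lower case."""
    m = HOSTNAME_RE.match(hostname.upper())
    return m.groupdict() if m else None


def rollup(incidents, level):
    """Count incidents per region or per branch; non-conforming hosts land in UNKNOWN
    so they stay visible instead of disappearing from the report."""
    if level not in ("region", "branch"):
        raise ValueError("level must be 'region' or 'branch'")
    counts = Counter()
    for inc in incidents:
        parts = parse_hostname(inc.hostname)
        if parts is None:
            counts["UNKNOWN"] += 1
        elif level == "region":
            counts[parts["region"]] += 1
        else:
            counts[f"{parts['region']}-{parts['branch']}"] += 1
    return dict(counts)


def incidents_for_branch(incidents, region, branch):
    """Filter down to the remediation unit (one branch), keeping the original order."""
    out = []
    for inc in incidents:
        parts = parse_hostname(inc.hostname)
        if parts and parts["region"] == region and parts["branch"] == branch:
            out.append(inc)
    return out


def unparsable_hosts(incidents):
    """Hosts that violate the naming scheme: these need renaming before filtering is trustworthy."""
    return sorted({inc.hostname for inc in incidents if parse_hostname(inc.hostname) is None})


# Constructed sample incidents (not real data). Note the lower-case host and the legacy name.
SAMPLE_INCIDENTS = [
    Incident(1, "NE-0421-WS07", "PCI", 3),
    Incident(2, "NE-0421-WS12", "PCI", 1),
    Incident(3, "NE-0433-WS01", "PII", 2),
    Incident(4, "SW-1102-WS05", "PCI", 7),
    Incident(5, "SW-1102-SR01", "PII", 4),
    Incident(6, "oldlaptop-bob", "PCI", 1),
    Incident(7, "ne-0421-ws07", "PII", 2),
]


if __name__ == "__main__":
    print("by region:", rollup(SAMPLE_INCIDENTS, "region"))
    print("by branch:", rollup(SAMPLE_INCIDENTS, "branch"))
    print("NE-0421 queue:", [i.incident_id for i in incidents_for_branch(SAMPLE_INCIDENTS, "NE", "0421")])
    print("fix these hostnames:", unparsable_hosts(SAMPLE_INCIDENTS))
```

The UNKNOWN bucket is the part worth keeping: at 50,000+ endpoints the question is not whether the convention is documented but how many machines quietly violate it, and a per-branch filter that silently drops them gives a false sense of coverage.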

fivelakes:

What are your target systems? Are they servers or clients? I have seen over 100 discover servers deployed in a very large environment, and some of the bottlenecks I can share are these: writing a good policy is very important, and setting your discover servers as close to the target systems as you can will improve scanning performance. If you can't scan all day, use the scheduled scan times and file throttling with exceptions.

As another user mentioned, using the agents is also an option if you are scanning actual clients. Keep in mind that scanning an agent is completely different than scanning a file system with network discover. When you scan endpoints it scans ALL endpoints, which means they ALL have to complete in order for the scan to finish. This can be configured; however, you can also scan endpoint systems with network discover IF they are connected to the network.

It sounds like you have a very large environment, and I would highly suggest talking to someone (contact your Symantec rep) and getting a very experienced person to architect your environment and do some onsite knowledge transfer for you and your team managing the DLP product. Getting the product installed and architected properly is extremely important.