Implementation Architecture Doubts
This is a major implementation project for one of our very valuable clients.
The security environment right now is made up of Symantec AntiVirus and Sygate Protection Agent.
Details:
Symantec Antivirus:
1 Primary server and 40 Secondary servers.
Server Version: 10.1.8.8000
Client Version: 9.x – 10.2
~40,000 clients.
Sygate Environment:
2 servers, one primary and one failover
Remediation server on the primary server
Oracle database with Oracle replication.
~40,000 clients.
We have been making different implementation plans and have been scrapping them over and over.
This is where we are right now. We need your validation on this.
There are large numbers of clients at two major sites where we will have a SEPM with a failover SEPM each, on a SQL Cluster database. Thus four servers in total (for the SEPM) at these two sites. For the other sites we have a distributed number of clients, like ~1000 or ~2000. We have thought of having a SEPM with a Sybase database at every site where the client count exceeds 500, and for locations where the client count is less we will implement GUPs and also publish the LUA definitions to the same GUP server from the LUA server at the primary site. All the sites will replicate one way with the primary site, from where the administration will be done.
Doubts:
1) Since Sybase is less reliable than SQL, would it be a good idea to have that?
2) If we don't have a SEPM with Sybase at the other locations, can it not choke the bandwidth at some point in time, irrespective of the GUP and the LUA definitions being published, when they connect to the primary site? Some of these locations are extremely remote from the main site. Also, is there a definite number of clients that a GUP can support, though the documentation says the recommended figure is 100?
3) Has anyone noticed replication issues with a large number of replication partners?
4) The version of Sygate is 4.1, which is not supported for migration. Tech support recommends that we upgrade to at least 5.1 for the managers and clients and then start the migration. This is not feasible for us, considering that we have to get to SEP quickly with the allocated resources and the costing factor. We have decided to create a single package that will uninstall the existing SPA client, reboot the machine, install the SEP client, and reboot the machine. We are ready to rebuild our existing policies. This looks risky at first glance, though I have implemented a package like that before and know it would not be too tough to implement, but we wouldn't be in a position to deploy it through our tools and will have to use a GPO, considering user productivity. Is there any known issue with the GPO install of SEP that we should beware of?
5) Location switching is one thing and a complete quarantine zone is another. We would not like the users to get inside the network if they fail the HI check. Has anyone got any review of the Gateway Enforcers for SNAC? We would really appreciate the ground figures before we decide on the costing involved. Also, without the enforcers, how well does the DHCP plug-in work? http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008101315503848
6) Should we be going horizontal or vertical? Install all the SEPMs and then start installing the clients, or implement the entire architecture site by site? Installing all the SEPMs and then the clients would give us the advantage of automating the entire client install package by creating the Sylink.xml on the fly with a script, as we would already have the prerequisites for it, and a single client install package would be sufficient for all the sites across the globe. Has anyone tried this before? If yes, what are the risks involved?
Any advice on it will be highly appreciated.
1. If you go with SQL I would stick with SQL. No embedded SEPMs on remote sites - a GUP can easily handle up to 500 nodes, so with a few (5-10) LUAs and GUPs you can easily manage those 1-2k sites.
2. The recommended number of clients for GUPs changed in MR3 or MR4, I don't remember exactly.
Do those extremely remote sites have their own Internet link or are they going through VPN/WAN to some kind of HQ to go to Internet?
You can set up 1 GUP on the remote site and configure LU to go directly to the Internet if the GUP doesn't serve them updates for a set duration.
3. Yes. Symantec recommends up to 4-5 replication partners (that's the max); with around 10-15 replication partners you may see a lot of failed replications, because during replication the database is locked, so if one replication doesn't finish then the others can't kick in.
4. Don't know or heard of any.
5. Don't know
6. I would go with SEPMs and replication first, so the db will be small and the initial replication (which is a full db copy) will go faster.
Sharp
Thank you so much, pretty much what I was looking for.
These remote sites have their own Internet link, but ideally we are trying to avoid configuring LU and will schedule it as a backup once a week. We can set up the LUA here (at the GUP) for the clients, though.
Sandeep,
From my experience with a corrupt embedded database and two replicated servers, I would suggest using SQL instead of the embedded database as you will be able to edit the tables easily if you have problems like I experienced (long story).
GUPs should prevent bandwidth problems; ensure you dedicate enough storage space for updates so clients don't hammer the GUP for delta/full definition updates. You can define the number of simultaneous connections to the GUP. Also note that when you set up GUPs, the default setting to bypass the GUP is NO - not good if the GUP is a user's workstation that will not be turned on 100% of the time. This setting is good in the sense that you can prevent remote clients from bypassing the GUP and eating up your bandwidth. Just make sure the GUP is operational so your remote clients are up to date.
I had experienced replication issues. What I learned was to enable "one way" replication. This means replicating logs from remote sites to the primary server and disabling replication of logs from the primary to the replicated servers. Two technicians cautioned me about this, as it can cause replication errors (like creating an endless loop of replicating bad data).
Don't know of any GPO installation issues, but I manually push the installation or use the auto upgrade feature.
Gateway enforcers? No clue.
I agree with pgobu: install all SEPMs and then the clients, if possible. What I did when I had to rebuild all SEPM servers was to use one sylink.xml file that put all clients into "My Company" and later use the Sylink Replacer to push out the proper sylink.xml. My priority was to get all clients functional and then get them into the proper groups. Also, ensure you have edited all of your management server lists to include secondary (or more) SEPMs for clients to communicate with in case their primary SEPM goes down for whatever reason (this was a life saver for me to ensure clients could communicate with a SEPM when I had problems with a server).
Very well. So it's almost certain that we should use fewer SEPMs and more GUPs.
We plan to make our existing SAV secondary servers the GUPs. We will try and see if we can fit in an additional GUP where required, if the costing permits.
One-way replication sounds like it, as we would be centrally managing the environment from the primary site.
We haven't gone into QA with the environment yet, but have the logic in place for creating the Sylink.xml on the fly with a script.
We have the clients distributed as per the regional laptops and desktops for the SAV client groups. This structure will be migrated. The script will check for the registry key, extract the group name, and populate that into the Sylink.xml. Based on the region from the group name, it will populate the SEPM (read from a predefined xls), then populate the settings (predefined), the failover, and then the certificate (predefined in a file). Once this is prepared, it will put the Sylink.xml into the package where the non-single extracted package is and start the install. For new clients, or clients where it fails for some reason to get the group name, we would have a Temp group from where we would manually move the clients with the SylinkReplacer.
You are right. The embedded db isn't very reliable; thus I created the SylinkReplacer out of necessity while at tech support. Let me know in case it doesn't work well for you and I will fix it :)
The only question left unanswered is the HI check for the clients that connect via the VPN. If possible we want to avoid the enforcers, but I guess that's not really major, as we don't have enforcers right now either; we were just thinking of improving the architecture.
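As an added illustration (not the poster's script, and not Symantec code) of the Sylink.xml generation logic described in the post above: the SAV group name is parsed for a region, the region is looked up in a table standing in for the "predefined xls", a primary and a failover SEPM are written into the server list, and anything that does not match lands in a Temp group on the primary site so it can be moved later with SylinkReplacer. The group naming convention, the hostnames, the "My Company\..." group paths, the port and the element/attribute names of the XML are all assumptions; the registry read is left out because the post does not name the key, so the group name is passed in as a string.

```python
import re
import xml.etree.ElementTree as ET

# Assumed region -> (primary SEPM, failover SEPM) table; stands in for the
# predefined spreadsheet the post reads. Hostnames are made up.
SEPM_BY_REGION = {
    "AMER": ("sepm-amer01.example.com", "sepm-amer02.example.com"),
    "EMEA": ("sepm-emea01.example.com", "sepm-emea02.example.com"),
    "APAC": ("sepm-apac01.example.com", "sepm-apac02.example.com"),
}
PRIMARY_SITE = "AMER"            # assumed: the site administration is done from
TEMP_GROUP = "My Company\\Temp"  # assumed holding group for unmapped clients
SEPM_PORT = 8014                 # SEP 11 default client communication port

# Assumed SAV group naming convention: <REGION>-<Laptops|Desktops>
GROUP_RE = re.compile(r"^(?P<region>[A-Z]{2,5})-(?P<kind>Laptops|Desktops)$")


def resolve_group(sav_group):
    """Map a SAV client group name to (region, SEPM group path).

    Malformed names, or regions missing from the table, fall back to the
    primary site and the Temp group: the client still checks in somewhere
    manageable and is moved to its real group later.
    """
    m = GROUP_RE.match(sav_group or "")
    if m is None or m["region"] not in SEPM_BY_REGION:
        return PRIMARY_SITE, TEMP_GROUP
    return m["region"], "My Company\\%s\\%s" % (m["region"], m["kind"])


def build_sylink(sav_group, cert_b64):
    """Return Sylink.xml text for one client.

    The element and attribute names here are an assumption about the
    Sylink layout; compare them with a Sylink.xml exported from a real
    SEPM before using this for anything.
    """
    region, group = resolve_group(sav_group)
    primary, failover = SEPM_BY_REGION[region]
    root = ET.Element("ServerList",
                      Name="%s Management Server List" % region,
                      PreferredGroup=group)
    # Priority 0 is tried first; listing the failover keeps the client
    # managed when the regional primary is down.
    for prio, host in enumerate((primary, failover)):
        ET.SubElement(root, "Server", Address=host,
                      Port=str(SEPM_PORT), Priority=str(prio))
    cert = ET.SubElement(root, "Certificate")
    cert.text = cert_b64  # predefined server certificate, read from a file in practice
    return ET.tostring(root, encoding="unicode")


def server_addresses(sylink_xml):
    """Return the SEPM addresses from a Sylink.xml string, in priority order."""
    root = ET.fromstring(sylink_xml)
    servers = sorted(root.findall("Server"), key=lambda s: int(s.get("Priority")))
    return [s.get("Address") for s in servers]


if __name__ == "__main__":
    # Constructed sample inputs: a normal group and an unrecognised one.
    for name in ("EMEA-Laptops", "legacy-group-07"):
        print(name, "->", resolve_group(name))
    print(build_sylink("APAC-Desktops", "MIIC...base64-placeholder..."))
```

The fallback path is the part worth testing before rollout: feed the script a handful of real group names plus an empty string and a renamed group, and confirm every one of them produces a Sylink that points at a reachable SEPM rather than an unmanaged client.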
Gateway Enforcer
The Gateway Enforcer is the most secure, but it does not allow remediation, so you can check for the LAN Enforcer. The DHCP plug-in works fine, but when you connect using a static IP address it might be of no use. Still, you can test it once.
Symantec Network Access Control 11.0 DHCP Enforcement Overview
http://service1.symantec.com/SUPPORT/ent-security....
Install and configure the Symantec Network Access Control (NAC) integrated enforcer plug-in for Microsoft DHCP servers
http://service1.symantec.com/SUPPORT/ent-security....
Symantec Network Access Control 11.0 LAN Enforcement Overview
http://service1.symantec.com/SUPPORT/ent-security....
How a LAN Enforcer appliance works
http://service1.symantec.com/SUPPORT/ent-security....
Installation planning for a LAN Enforcer appliance
http://service1.symantec.com/SUPPORT/ent-security....
Symantec Network Access Control 11.0 Gateway Enforcement Overview
http://service1.symantec.com/SUPPORT/ent-security....
How a Gateway Enforcer appliance works
http://service1.symantec.com/SUPPORT/ent-security....