Endpoint Protection

  • 1.  Load Balancing Console Access for Admins

    Posted May 26, 2016 03:17 PM

    I know there is the load balancing/failover solution for clients checking into SEPM but I am looking to implement load balancing for my admins logging into the SEPM console. We have over 100 administrators and I do not want at any point one of our 3 management hosts to become overloaded because they are all logging into one directly at the same time. I would like to implement load balancing this access through an F5. Or if one host is down, when an admin logs into the load balancer name they will be redirected to available hosts. 

    Example:

    server1.domain.com:8443
    server2.domain.com:8443
    server3.domain.com:8443

    Users typically log into any of the above 3 server names to the manager console.

    I would like them to log into sepmserver.domain.com:8443 instead. This would hit the F5 load balancer and their session would be directed to any of those 3 hosts. 

    Again, this is for Console log in to administer policies and clients, not clients checking into SEPM. We already have that set up with Management Lists. 

    My environment does have AD authentication and SQL set up. 

    Is anyone doing this or with round robin in DNS? Symantec support said it isn't supported but just curious from the community.

    Thanks!



  • 2.  RE: Load Balancing Console Access for Admins

    Posted May 26, 2016 05:01 PM

    I've not heard of this being done and was sure it wasn't possible.



  • 3.  RE: Load Balancing Console Access for Admins

    Trusted Advisor
    Posted May 26, 2016 11:01 PM

    Hello,

    That's a brilliant way to load balance the administrator users.

    Unfortunately, I don't think there is a way to integrate SEPM with F5 Loadbalancers.

    Here are 2 options that I think you can choose from - 

    1) In SEPM, there is a concept of Domains, which you can use to delegate administrative authority, physically separate security data, or have greater flexibility in how users, computers, and policies are organized. - 

    A domain is a structural container in the Symantec Endpoint Protection Manager Console that you use to organize a hierarchy of groups, clients, computers, and policies. You set up domains to manage your network resources. The domains in Symantec Endpoint Protection Manager do not relate to Microsoft domains.

    If your company is large, with sites in multiple regions, you may need to have a single view of management information. Yet, you can delegate administrative authority, physically separate security data, or have greater flexibility in how users, computers, and policies are organized. If you are a managed service provider (MSP), you may need to manage multiple independent companies, as well as Internet service providers. To meet these needs, you can create multiple domains. For example, you can create a separate domain for each country, region, or company.

    When you install a management server, the console includes one domain. Each domain that you add shares the same management server and database. Each domain provides an additional instance of the console. All data in each domain is completely separate. This separation prevents administrators in one domain from viewing data in other domains. You can add an administrator account so that each domain has its own administrator. These administrators can view and manage the contents of their own domain, but they cannot view and manage the content of other domains.

    https://support.symantec.com/en_US/article.HOWTO80764.html

    OR

     

    2) Try using SEPM Java Console, which will have Administrators choose their own Servers - 

    http://<computer_name>:9090
    http://<computer_IP_address>:9090

    Regards,



  • 4.  RE: Load Balancing Console Access for Admins

    Posted May 27, 2016 03:43 AM

    I see no reason why a load-balancer or round-robin wouldn't work.  The SEPM itself doesn't care how you address it when connecting to it (hostname, fqdn, IP address, random-name-you-pop-in-your-hosts-file-to-point-at-its-IP-address, DNS alias, etc), as long as you authenticate and stick to the same SEPM for the entire session, it should just work.

    Support are correct however, in that this is not something Symantec test for, and so is not supported.  Therefore the first thing Support will ask you to do in troubleshooting Management issues is to connect directly rather than via the shared name.



  • 5.  RE: Load Balancing Console Access for Admins

    Posted May 27, 2016 10:24 AM

    Thank you all.

    Mithun Sanghavi -- In our environment we are currently using domains to organize the security for each department's access. Which works great, but rather than giving each department a specific management host name to log into through the web console or locally installed console and hoping they don't overload one host, a load balanced name through the F5 to balance the traffic is ideal.

    SMLatCST - It does work initially. I can successfully log into the load balanced name with the local admin creds or our AD authenticated admin accounts. But the issue is that the first 3 tabs (home, monitor, and reports) are blank. The bottom 3 (policies, clients, and admin) do populate properly but then my session drops. I receive the following errors. The first as soon as I log in but all the content on the last 3 tabs does load and I can review my admins, policies, host groups, etc. Then after about a minute I receive the last 2 errors. Then my session ends. So I am not sure why it isn't maintaining the session. 

    unexpectedservererror.png

    youarenolongerconnected1.png

    youarenolongerconnected2.png



  • 6.  RE: Load Balancing Console Access for Admins

    Posted May 27, 2016 11:04 AM

    Have you tested using the web console?

    The issue you're seeing is the f5 device diverting the SEPM Console's call to the apache side of the SEPM (which serves the HOME, MONITORS and REPORTING pages), to a different SEPM than it used when connecting up the tomcat side (the rest of the SEPM Console).

    You need to find a way to get the f5 device to stick to a SEPM in the event a source <-> destination pair has already been established in another session.



  • 7.  RE: Load Balancing Console Access for Admins

    Posted May 27, 2016 12:02 PM

    I have tried the web console and receive the same results. I will look at the F5 configuration to see if it can be configured to "stick" to one host after the connection is established. Thank you. 



  • 8.  RE: Load Balancing Console Access for Admins

    Posted May 27, 2016 03:13 PM

    I was successfully able to get the F5 connection to have a persistent connection and I no longer receive the time out error; my session is maintained. But the first 3 menus still are unable to load. You said that was the apache side so by logging into my loadbalancername:8443, that isn't connecting. Do you have a suggestion as to what I may be missing? 



  • 9.  RE: Load Balancing Console Access for Admins

    Posted May 31, 2016 04:01 AM

    You need to look for connections to the reporting component of the SEPM on 8445.  It's that bit that serves the first 3 tabs.
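
The diagnosis in posts 6 and 9 can be checked against connection records from the load balancer. The following is an added example, not part of the original thread: it flags admin workstations whose 8443 (console) and 8445 (reporting) connections reached different SEPM hosts, or whose 8445 traffic never went through the shared name. The three-column record format and the sample lines are constructed for illustration and are not an F5 log format.

```python
from collections import defaultdict

# Ports named in the thread: 8443 (console login, Tomcat side) and
# 8445 (reporting component that serves Home, Monitors and Reports).
CONSOLE_PORT = 8443
REPORTING_PORT = 8445

# Constructed sample of load balancer connection records (assumed format):
# admin source IP, destination port on the shared name, backend chosen.
SAMPLE_LOG = """\
10.0.0.11 8443 server1.domain.com
10.0.0.11 8445 server1.domain.com
10.0.0.12 8443 server2.domain.com
10.0.0.12 8445 server3.domain.com
10.0.0.13 8443 server3.domain.com
10.0.0.14 8443 server1.domain.com
10.0.0.14 8443 server2.domain.com
"""

def parse(log_text):
    """Return {client: {port: set(backends)}} from whitespace-separated records."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        client, port, backend = parts[0], int(parts[1]), parts[2]
        seen[client][port].add(backend)
    return seen

def audit(log_text):
    """Classify each client as ok, split, flapping or no-reporting."""
    findings = {}
    for client, ports in parse(log_text).items():
        console = ports.get(CONSOLE_PORT, set())
        reporting = ports.get(REPORTING_PORT, set())
        if len(console) > 1 or len(reporting) > 1:
            findings[client] = "flapping"      # persistence not holding on one port
        elif console and not reporting:
            findings[client] = "no-reporting"  # 8445 never passed through the balancer
        elif console and reporting and console != reporting:
            findings[client] = "split"         # 8443 and 8445 landed on different hosts
        else:
            findings[client] = "ok"
    return findings

if __name__ == "__main__":
    for client, verdict in sorted(audit(SAMPLE_LOG).items()):
        print(client, verdict)
```

A "split" result matches the blank Home, Monitors and Reports tabs described in post 6; "no-reporting" matches the situation in posts 8 and 9, where only 8443 is published on the load-balanced name.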