
SEPM Failover/Load Balancing - Embedded Database

Created: 26 Nov 2011 • Updated: 17 Apr 2012 | 24 comments
sandgang's picture
This issue has been solved. See solution.

We have a network of 200 servers. We have recently built a SEPM 11.0.7 with the embedded database. We are planning to build another SEPM with the embedded database for a failover solution. The main requirement is that if the first SEPM goes down, the machines pointing to the first SEPM should take updates from the second SEPM. I am aware that SQL is usually recommended, but as the client did not want to purchase SQL we are going with the embedded database.


Vikram Kumar-SAV to SEP's picture

Install Second SEPM as replication partner for the first.

In the Replication option, select to replicate Logs and Content (Definition).

You can also configure your Management server List to point client of particular location to particular group.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

SOLUTION
sandgang's picture

How do I install as replication? Which option do I need to choose while installing?

sandgang's picture

I will be getting the option to make it a replication partner when I am installing the second SEPM, is that correct? So, when I log in to my second SEPM, will I be able to see the machines pointing to the first SEPM? I am going to use the embedded database for the second SEPM too, so the option which you mentioned works with the embedded database too, correct?

Is failover possible when using the embedded database?

Beppe's picture

Yes, failover is possible with the embedded DB

Regards,

Giuseppe

Simpson Homer's picture

About failover and load balancing

You can install two or more management servers that communicate with one Microsoft SQL Server and configure them for failover or load balancing. Failover configuration causes one server to pick up the client communications load if another server becomes unavailable. Load balancing configuration causes servers to share the client communications load and automatically implements failover if one of the servers goes offline.

 

Figure: Failover and load balancing

Note: This illustration shows components on different subnets. Management servers and database servers can be on the same subnets.

In this illustration, the servers are identified with the numbers 1 and 2, which signify a failover configuration. In a failover configuration, all clients send traffic to and receive traffic from server 1. If server 1 goes offline, all clients send traffic to and receive traffic from server 2 until server 1 comes back online. The database is illustrated as a remote installation, but it also can be installed on a computer that runs the Symantec Endpoint Protection Manager.

Simpson Homer's picture

Configuring failover and load balancing for Symantec Endpoint Protection Manager

By default, the Symantec Endpoint Protection Manager servers are assigned the same priority when configured for failover and load balancing. If you want to change the default priority after installation, you can do so by using the Symantec Endpoint Protection Manager console. Failover and load balancing can be configured only when a site includes more than one management server.

 

To configure failover and load balancing for Symantec Endpoint Protection Manager

  1. In the Symantec Endpoint Protection Manager console, click Policies.

  2. In the View Policies pane, to the right of Policy Components, click the up arrow so that it becomes a down arrow, and then click Management Server Lists.

  3. In the Tasks pane, click Add a Management Server List.

  4. In the Management Server Lists dialog box, under Management Servers, click Add > New Priority once per priority you want to add.

  5. Under Management Servers, click Priority 1.

  6. Click Add > New Server.

  7. In the Add Management Server dialog box, in the Server Address box, type the fully qualified domain name or IP address of a Symantec Endpoint Protection Manager.

    If you type an IP address, be sure that it is static, and that all clients can resolve the IP address.

  8. Click OK.

  9. Do one of the following:

    • To configure load balancing with the other server, click Priority 1.

    • To configure failover with the other server, click Priority 2.

  10. Click Add > New Server.

  11. In the Add Management Server dialog box, in the Server Address box, type the fully qualified domain name or IP address of a Symantec Endpoint Protection Manager.

    If you type an IP address, be sure that it is static, and that all clients can resolve it.

  12. Click OK.

  13. Optionally change the priority of a server to adjust the configuration for load balancing or failover. Select a server, and then do one of the following:

    • Click Move Up.

    • Click Move Down.

  14. In the Management Server Lists dialog box, click OK.

    You must then apply the Management Server List to a group.

To apply the Management Server List

  1. In the Management Server Lists pane, under Management Server Lists, under Name, highlight the Management Server List that you created.

  2. In the lower-left Tasks pane, click Assign the list.

  3. In the Apply Management Server List dialog box, check the groups to which to apply the list.

  4. Click Assign.

  5. In the Assign Management Server List dialog box, click Yes.

     
karinjo's picture

What is the better solution for two installed SEPMs in one company, failover and load balancing OR replication partners, and what are the differences between these two install solutions?

pete_4u2002's picture

replication with the failover (Management server list).

Replication: will replicate logs between the SEPMs. Failover: set the Management Server List; if one SEPM goes down, the other SEPM will handle the clients' requests.

karinjo's picture

replication with failover? maybe you mean failover with load balancing ?

I only know two solutions, 1. replication, 2. failover with load balancing

 

pete_4u2002's picture

Sorry, I misunderstood your question. How many clients will be in the environment? If the SEPM is overburdened then load balance with failover, else replication will be good.

karinjo's picture

I currently have 50 clients, one server with embedded database. My SEPM server is hyper-v client, and I plan to install second sepm server on second hyper-v host. I need two servers because my first hyper-v host is not so stable.

pete_4u2002's picture

With the embedded DB you cannot have load balancing. What you can do is install SEPM on a stable system and take DB backups regularly.

You cannot provide failover or load balancing for an embedded database.

http://www.symantec.com/business/support/index?page=content&id=HOWTO55415

karinjo's picture

Only solution is two replication partners ?

sandgang's picture

I did run the replication but ran into many troubles. The requirement is that the machines, when unable to reach the first SEPM, should take updates from another SEPM. All machines are in one site. I have installed the embedded database on one server; the second SEPM will also use the embedded database.

How do I install SEPM so that, when machines fail to take updates from the first SEPM, they take updates from the second SEPM?

I chose the second option while installing, "Load balancing and failover"; it was asking for SQL server credentials, so that option will not work. Can I create a new site and add that site as a failover to the first SEPM?

Reply required at the earliest.

 

pete_4u2002's picture

The second option is only for SQL.

The clients will take updates from the SEPM; they will not fall to the other SEPM for updates (only) unless the client starts communicating with the other SEPM.

sandgang's picture

I am getting a little confused. My requirement is that if the first SEPM goes down, machines should get updates. It might be from the second SEPM, a GUP, etc. How do I configure this?

pete_4u2002's picture

You can set the MSL on the client group; if the primary SEPM goes down, the clients should report to and get the updates from the second-priority SEPM.

check these articles

What is a Management Server List ( MSL ) in Symantec Endpoint Protection Manager (SEPM) ?
http://symantec.com/docs/TECH90839

How can I specify a Management Server List (MSL) to connect for a group of clients and optional Enforcers ?
http://www.symantec.com/business/support/index?page=content&id=TECH90841

Beppe's picture

Hi,

I can understand you are a bit confused, let me clarify some things:

when you have two SEPMs (regardless if they are connected to the same DB or not), both should be in the Management Servers List (only IP addresses, host names, ports and priority), this is the only thing the clients see, they are not aware of the real infrastructure;

the clients connect to a random SEPM from those with the same priority in the MSL;

once the SEP client connects to a SEPM, it checks for policies and updates only with that SEPM and taking what is newer there, it is not aware of what Symantec or other SEPMs are publishing, hence it is not able to detect that it is not updated and then actively switch to Symantec servers or other SEPMs of yours.

So, when you have two SEPMs, you have the following advantages:

- load balancing: clients are randomly distributed over the two SEPMs

- fail over between the SEPMs: if the clients are not able to connect to a SEPM (it is down or unreachable), they will try to connect to another SEPM in the list, hoping it is OK.

So, the product does not allow you to force the clients to fail over to other SEPMs under custom conditions (like "when definitions are older than ... try to connect to ..."); clients are just taking into consideration the MSL, the priorities there and the connectivity to the SEPMs.

Hence, you have to:

- set a notification to know when more than X% of clients are out-of-date for > Y days

- investigate the content distribution to isolate the issue

- if you really have one updated SEPM and one not updated, clients should get the definitions from the other SEPM just because they might randomly connect to it. If you isolate the non-working SEPM from the network, you will force the clients to connect to the working one and get the definitions.

 

Regards,

Giuseppe
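
The selection behaviour described in this thread (a random choice among reachable servers of the same priority, lower priorities used only when no higher one is reachable, no awareness of how fresh a server's content is), as a simplified Python model. This is an added example, not part of the original posts and not Symantec's code; the server names, revision numbers and function names are constructed for illustration.

```python
import random

def pick_server(msl, reachable, rng):
    """Return the server a client uses: a random reachable server from the
    lowest-numbered priority that has one, or None if none is reachable.
    Only reachability is considered, never how fresh the server's content is."""
    for priority in sorted(msl):
        candidates = [s for s in msl[priority] if s in reachable]
        if candidates:
            return rng.choice(candidates)
    return None

def simulate(msl, reachable, content_rev, n_clients=200, seed=1):
    """Assign n_clients to servers and report, per client, the definitions
    revision it ends up with (None when no server is reachable)."""
    rng = random.Random(seed)
    assigned = [pick_server(msl, reachable, rng) for _ in range(n_clients)]
    return assigned, [content_rev.get(s) for s in assigned]

def out_of_date_pct(revs, latest):
    """Percentage of clients whose definitions are older than `latest`."""
    stale = sum(1 for r in revs if r is None or r < latest)
    return 100.0 * stale / len(revs)

# Constructed sample data: two SEPMs, hypothetical names and revision numbers.
FAILOVER = {1: ["sepm1.example.test"], 2: ["sepm2.example.test"]}
LOAD_BALANCE = {1: ["sepm1.example.test", "sepm2.example.test"]}
BOTH_UP = {"sepm1.example.test", "sepm2.example.test"}
REVS_SEPM1_STALE = {"sepm1.example.test": 100, "sepm2.example.test": 105}

def scenarios():
    """Out-of-date percentage for three cases, with sepm1 holding old content."""
    out = {}
    # Failover list, both reachable: every client stays on stale sepm1.
    _, revs = simulate(FAILOVER, BOTH_UP, REVS_SEPM1_STALE)
    out["failover_both_up"] = out_of_date_pct(revs, 105)
    # Failover list, sepm1 isolated from the network: clients move to sepm2.
    _, revs = simulate(FAILOVER, {"sepm2.example.test"}, REVS_SEPM1_STALE)
    out["failover_sepm1_isolated"] = out_of_date_pct(revs, 105)
    # Same priority: clients split at random, so roughly half stay stale.
    _, revs = simulate(LOAD_BALANCE, BOTH_UP, REVS_SEPM1_STALE)
    out["load_balance_both_up"] = out_of_date_pct(revs, 105)
    return out

if __name__ == "__main__":
    for name, pct in scenarios().items():
        print(f"{name}: {pct:.1f}% of clients out of date")
```

The out-of-date percentage is the figure the "more than X% of clients out-of-date" notification would be comparing against its threshold.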

sandgang's picture

I was able to do the failover with two SEPMs using the embedded database. When I disabled the SEPM service on the first server, the machines moved to the second server, showed online there and also got updates. But when I started the SEPM service on the first server, the machines did come back to the first SEPM but were showing as offline on the second server. I thought it would show the red arrow which indicates that it is pointing to the first server.

Also, when I do replication, the first server's SEP client did not move to the second server. It went offline and never came online till now. I have uninstalled and reinstalled the SEP client but no use.

Chetan Savade's picture

Hi,

As you know, Symantec does not recommend using the embedded database for failover/load balancing and replication.

It would be great if you could check other available options for SEPM backup.

If you could provide some more details about your environment we may guide you in correct direction.

I hope it will help you !!!

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Vikram Kumar-SAV to SEP's picture

Just Make sure your Management server list is configured properly and the updated MSL policy is assigned to all the groups

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

sandgang's picture

Vikram,

As mentioned, I configured the MSL and the servers did move to the secondary SEPM when the primary SEPM service was stopped. But when I did this process, the SEP client on the primary server stopped communicating and is now showing offline in both the primary and secondary SEPM. I have also uninstalled and reinstalled it as unmanaged and then put the sylink file, but it is still offline.

Vikram Kumar-SAV to SEP's picture

Can you check the sylink file of any such client which is not falling back ?

If possible, upload the sylink debug log.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.