SEPM Failover/Loadbalancing - Embedded Database
Updated: 17 Apr 2012 | 24 comments
This issue has been solved. See solution.
We have a network of 200 servers. We have recently built a SEPM 11.0.7 with embedded database. We are planning to build another SEPM with embedded database for a failover solution. The main requirement is that if the First SEPM goes down, the machines pointing to the First SEPM should take updates from the Second SEPM. I am aware that SQL is usually recommended, but as the client did not want to purchase SQL we are going with embedded database.
Comments
Install Second SEPM as
Install Second SEPM as replication partner for the first.
In Replication option select to replicate Logs and Content (Definition)
You can also configure your Management server List to point client of particular location to particular group.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
How do I install as
How do I install as replication? Which option do I need to choose while installing?
I will be getting the option
I will be getting the option to make it a replication partner when I am installing the Second SEPM, is that correct? So, when I log in to my second SEPM, will I be able to see the machines pointing to the first SEPM? I am going to use embedded database for the second SEPM too, so the option which you mentioned works with embedded database too, correct?
Is failover a possible option when using embedded database?
Yes, it is
Yes, failover is possible with the embedded DB
Regards,
Giuseppe
About failover and load
About failover and load balancing
You can install two or more management servers that communicate with one Microsoft SQL Server and configure them for failover or load balancing. Failover configuration causes one server to pick up the client communications load if another server becomes unavailable. Load balancing configuration causes servers to share the client communications load and automatically implements failover if one of the servers goes offline.
Figure: Failover and load balancing
Note:
This illustration shows components on different subnets. Management servers and database servers can be on the same subnets.
In this illustration, the servers are identified with the numbers 1 and 2, which signify a failover configuration. In a failover configuration, all clients send traffic to and receive traffic from server 1. If server 1 goes offline, all clients send traffic to and receive traffic from server 2 until server 1 comes back online. The database is illustrated as a remote installation, but it also can be installed on a computer that runs the Symantec Endpoint Protection Manager.
Configuring failover and
Configuring failover and load balancing for Symantec Endpoint Protection Manager
By default, the Symantec Endpoint Protection Manager servers are assigned the same priority when configured for failover and load balancing. If you want to change the default priority after installation, you can do so by using the Symantec Endpoint Protection Manager console. Failover and load balancing can be configured only when a site includes more than one management server.
To configure failover and load balancing for Symantec Endpoint Protection Manager
In the Symantec Endpoint Protection Manager console, click Policies.
In the View Policies pane, to the right of Policy Components, click the up arrow so that it becomes a down arrow, and then click Management Server Lists.
In the Tasks pane, click Add a Management Server List.
In the Management Server Lists dialog box, under Management Servers, click Add > New Priority once per priority you want to add.
Under Management Servers, click Priority 1.
Click Add > New Server.
In the Add Management Server dialog box, in the Server Address box, type the fully qualified domain name or IP address of a Symantec Endpoint Protection Manager.
If you type an IP address, be sure that it is static, and that all clients can resolve the IP address.
Click OK.
Do one of the following:
To configure load balancing with the other server, click Priority 1.
To configure failover with the other server, click Priority 2.
Click Add > New Server.
In the Add Management Server dialog box, in the Server Address box, type the fully qualified domain name or IP address of a Symantec Endpoint Protection Manager.
If you type an IP address, be sure that it is static, and that all clients can resolve it.
Click OK.
Optionally change the priority of a server to adjust the configuration for load balancing or failover. Select a server, and then do one of the following:
Click Move Up.
Click Move Down.
In the Management Server Lists dialog box, click OK.
You must then apply the Management Server List to a group.
To apply the Management Server List
In the Management Server Lists pane, under Management Server Lists, under Name, highlight the Management Server List that you created.
In the lower-left Tasks pane, click Assign the list.
In the Apply Management Server List dialog box, check the groups to which to apply the list.
Click Assign.
In the Assign Management Server List dialog box, click Yes.
What is the better solution
What is the better solution for two installed SEPMs in one company: failover and load balancing OR replication partners? And what are the differences between these two install solutions?
replication with the failover
replication with the failover (Management server list).
Replication: will replicate logs between the SEPM's and Failover: set Management server list, if 1 SEPM goes down, the other SEPM will handle the client's request.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
replication with failover?
replication with failover? maybe you mean failover with load balancing ?
I only know two solutions, 1. replication, 2. failover with load balancing
Sorry, I misunderstood your
Sorry, I misunderstood your question. How many clients will be in the environment? If SEPM is overburdened then load balance with failover, else replication will be good.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
I currently have 50 clients,
I currently have 50 clients, one server with embedded database. My SEPM server is hyper-v client, and I plan to install second sepm server on second hyper-v host. I need two servers because my first hyper-v host is not so stable.
With embedded DB you cannot
With embedded DB you cannot have load balance. What you can do is install SEPM on a stable system and take DB backups regularly.
You cannot provide failover or load balancing for an embedded database.
http://www.symantec.com/business/support/index?page=content&id=HOWTO55415
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Only solution is two
Only solution is two replication partners ?
Replication will do!
Replication will do!
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
I did run the replication
I did run the replication but ran into many troubles. The requirement is that the machines, when unable to reach the first SEPM, should take updates from another SEPM. All machines are in one site. I have installed embedded database on one server; the second SEPM will also be embedded database.
How do I install SEPM so that, when machines fail to take updates from the first SEPM, they take updates from the Second SEPM?
I chose the second option while installing, "Load balancing and failover". It was asking for SQL server credentials, so that option will not work. Can I create a new site and add that site as a failover to the first SEPM?
Reply required at the earliest.
The second option is for only
The second option is for only SQL.
The clients will take updates from the SEPM; they will not fall over to the other SEPM for updates (only) unless the client starts communicating with the other SEPM.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
I am getting a little confused.
I am getting a little confused. My requirement is that if the First SEPM goes down, machines should get updates. It might be from the second SEPM, GUP, etc. How do I configure this?
You can set MSL to the client
You can set MSL to the client group; if the primary SEPM goes down, the clients should report to and get the updates from the second priority SEPM.
check these articles
What is a Management Server List ( MSL ) in Symantec Endpoint Protection Manager (SEPM) ?
http://symantec.com/docs/TECH90839
How can I specify a Management Server List (MSL) to connect for a group of clients and optional Enforcers ?
http://www.symantec.com/business/support/index?page=content&id=TECH90841
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
it is not possible
Hi,
I can understand you are a bit confused, let me clarify some things:
- when you have two SEPMs (regardless of whether they are connected to the same DB or not), both should be in the Management Server List (only IP addresses, host names, ports and priority); this is the only thing the clients see, they are not aware of the real infrastructure;
- the clients connect to a random SEPM from those with the same priority in the MSL;
- once the SEP client connects to a SEPM, it checks for policies and updates only with that SEPM and takes what is newer there; it is not aware of what Symantec or other SEPMs are publishing, hence it is not able to detect that it is not updated and then actively switch to Symantec servers or other SEPMs of yours.
So, when you have two SEPMs, you have the following advantages:
- load balancing: clients are randomly distributed over the two SEPMs
- fail over between the SEPMs: if the clients are not able to connect to a SEPM (it is down or unreachable), they will try to connect to another SEPM in the list, hoping it is OK.
So, the product does not allow you to force the clients to fail over to other SEPMs under custom conditions (like "when definitions are older than ... try to connect to ..."); clients are just taking into consideration the MSL, the priorities there and the connectivity to the SEPMs.
Hence, you have to:
- set a notification to know when more than X% of clients are out-of-date for > Y days
- investigate on the content distribution to isolate the issue
- if you really have one updated SEPM and one not updated, clients should get the definitions from the other SEPM just because they might randomly connect to it. If you isolate the non-working SEPM for the network, you will force the clients to connect to the working one and get the definitions.
Regards,
Giuseppe
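The selection behaviour and the out-of-date notification described in the reply above, as an added example that is not part of the original thread and is not Symantec code. It is a simplified model: the hostnames, the client inventory and the threshold values (3 days, 50%) are constructed placeholders.

```python
import random
from collections import defaultdict

# Constructed Management Server Lists: (priority, address). Hostnames are placeholders.
MSL_FAILOVER = [(1, "sepm1.example.internal"), (2, "sepm2.example.internal")]
MSL_BALANCED = [(1, "sepm1.example.internal"), (1, "sepm2.example.internal")]

def pick_server(msl, reachable, rng=random):
    """Model of the client behaviour described above: try the lowest priority
    number first, choose at random among reachable servers of equal priority,
    and move to the next priority only when none is reachable.
    The age of the content a server offers plays no part in the choice."""
    for prio in sorted({p for p, _ in msl}):
        candidates = sorted(a for p, a in msl if p == prio and a in reachable)
        if candidates:
            return rng.choice(candidates)
    return None  # no management server in the list is reachable

def stale_servers(clients, max_age_days, threshold_pct):
    """clients: (hostname, server last checked in to, definitions age in days).
    Returns {server: percent out of date} for every server whose share of
    clients older than max_age_days exceeds threshold_pct."""
    total, stale = defaultdict(int), defaultdict(int)
    for _host, server, age_days in clients:
        total[server] += 1
        stale[server] += age_days > max_age_days
    pct = {s: round(100.0 * stale[s] / total[s], 1) for s in total}
    return {s: p for s, p in pct.items() if p > threshold_pct}

# Constructed inventory: sepm1 is reachable but has stopped distributing content.
SAMPLE_CLIENTS = [
    ("srv01", "sepm1.example.internal", 10),
    ("srv02", "sepm1.example.internal", 9),
    ("srv03", "sepm1.example.internal", 12),
    ("srv04", "sepm1.example.internal", 0),
    ("srv05", "sepm2.example.internal", 0),
    ("srv06", "sepm2.example.internal", 1),
]

if __name__ == "__main__":
    both = {"sepm1.example.internal", "sepm2.example.internal"}
    # A reachable sepm1 keeps its clients even though its content is stale.
    print("both up  ->", pick_server(MSL_FAILOVER, both))
    print("sepm1 down ->", pick_server(MSL_FAILOVER, {"sepm2.example.internal"}))
    print("alert    ->", stale_servers(SAMPLE_CLIENTS, 3, 50))
```

The alert output points at the server to investigate; in this model, only taking it off the network changes which server `pick_server` returns.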
I was able to do the failover
I was able to do the failover with two SEPMs using embedded database. When I disabled the SEPM service on the First server, the machines moved to the second server and showed online there and also got updates. But when I started the SEPM service on the First server, the machines did come back to the First SEPM but were showing as offline in the second server. I thought it would show that red arrow which indicates that it is pointing to the First server.
Also, when I do replication, the First server's SEP client did not move to the Second server. It went offline and has never come online till now. I have uninstalled and reinstalled the SEP client but no use.
Hi, As you know already
Hi,
As you know, Symantec does not recommend using Embedded database for failover-loadbalancing and replication.
It would be great if you could check other available options for SEPM backup.
If you could provide some more details about your environment we may guide you in correct direction.
I hope it will help you !!!
Thanks and Regards,
Chetan Savade
Technical Support Analyst,
End Point Security, Enterprise Technical Support
Just Make sure your
Just Make sure your Management server list is configured properly and the updated MSL policy is assigned to all the groups
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Vikram, As mentioned, i
Vikram,
As mentioned, I configured the MSL and servers did move to the secondary SEPM when the primary SEPM service was stopped. But when I did this process, the SEP client on the primary server stopped communicating and is now showing offline in both Primary and Secondary SEPM. I have also uninstalled and reinstalled as unmanaged and then put the sylink file but it is still offline.
Can you check the sylink file
Can you check the sylink file of any such client which is not falling back ?
if possible upload the sylink debug log
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro