MODULE 17: CONFIGURING REPLICATION AND FAILOVER AND LOAD BALANCING

SYMANTEC ENDPOINT PROTECTION Configuring Replication and Failover and Load Balancing


DESCRIPTION

A site consists of one database, one or more management servers, and clients. By default, you deploy Symantec Endpoint Protection with a single site. Organizations with more than one datacenter or physical location generally use multiple sites.


Page 2

ABOUT SITES AND REPLICATION

A site consists of one database, one or more management servers, and clients. By default, you deploy Symantec Endpoint Protection with a single site. Organizations with more than one datacenter or physical location generally use multiple sites.

Page 3

ABOUT SITES AND REPLICATION

Before you set up multiple sites and replication, make sure that it is necessary. Symantec recommends that you set up replication only in specific circumstances.

If you do add an additional site, decide which site design works for your organization.

Page 4

ABOUT SITES AND REPLICATION

When you install Symantec Endpoint Protection for the first time, by default you have installed the first site, or the local site.

You install the management server for the second site by using the Management Server Configuration wizard. In the wizard, click the Install an additional site option and follow the instructions in the wizard.

Page 5

ABOUT SITES AND REPLICATION

The second management server is classified as a remote site and called a replication partner. When you add the second site as a replication partner, you perform the following tasks:

■ By default, replication is scheduled to occur automatically. However, you can change the replication schedule, based on the amount of disk space that is available.

■ Choose whether to replicate logs, client installation packages, or LiveUpdate content.

Page 6

ABOUT SITES AND REPLICATION

The first time that the databases between the two sites replicate, let the replication finish completely. The replication may take a long time because the entire database gets replicated.

You may want to replicate the data immediately, rather than waiting until the databases are scheduled to replicate. You can also change the replication schedule to occur earlier or later.

Page 7

HOW REPLICATION WORKS

Replication is the process of sharing information between databases to ensure that the content is consistent.

You can use replication to increase the number of database servers that are available to clients and thereby reduce the load on each.

Replication is typically set up during the initial installation.

Page 8

ABOUT SITES AND REPLICATION

Page 9

HOW REPLICATION WORKS

A replication partner is another site with one database server. It also has a connection to the site that you designate as a main site or a local site.

A site may have as many replication partners as needed. All replication partners share a common license key.

The changes that you make on any replication partner are duplicated to all other replication partners whenever Symantec Endpoint Protection Manager is scheduled to replicate data.

Page 10

HOW REPLICATION WORKS

Replication partners are listed on the Admin page. You can display information about replication partners by selecting the partner in the tree.

All sites typically have the same type of database. You can, however, set up replication between sites by using different types of databases. In addition, you can also set up replication between an embedded database and an MS SQL database.

Page 11

HOW REPLICATION WORKS

If you use an embedded database, you can only connect one Symantec Endpoint Protection Manager to it because of configuration requirements.

If you use an MS SQL database, you can connect multiple management servers to it so that they share one database. Only the first management server needs to be set up as a replication partner.

Page 12

HOW REPLICATION WORKS

All sites that are set up as replication partners are considered to be on the same site farm.

Initially, you install the first site, then install a second site as a replication partner. A third site can be installed and set up to connect to either of the first two sites. You can add as many sites as needed to the site farm.

You can delete replication partners to stop the replication. Later you can add that replication partner back to make the databases consistent. However, some changes may collide.

Page 13

HOW REPLICATION WORKS

You can set up data replication during the initial installation or at a later time.

When you set up replication during the initial installation, you can also set up a schedule for the synchronization of the replication partners.

Page 14

SYMANTEC ENDPOINT PROTECTION REPLICATION SCENARIOS

If administrators make changes at each replication site simultaneously, some changes may get lost. If you change the same setting on both sites and a conflict arises, the last change is the one that takes effect when replication occurs.

For example, site 1 (New York) replicates with site 2 (Tokyo) and site 2 replicates with site 3 (London). You want the clients that connect to the network in New York to also connect with the Symantec Endpoint Protection Manager in New York. However, you do not want them to connect to the management server in either Tokyo or London.

Page 15

SYMANTEC ENDPOINT PROTECTION REPLICATION SCENARIOS

When you set up replication, client communication settings are also replicated. Therefore, you need to make sure that the communication settings are correct for all sites on the site farm in the following manner:

■ Create generic communication settings so that a client's connection is based on the type of connection. For example, you can use a generic DNS name, such as symantec.com, for all sites on a site farm. Whenever clients connect, the DNS server resolves the name and connects the client to the local Symantec Endpoint Protection Manager.

■ Create specific communication settings by assigning groups to sites so that all clients in a group connect to a designated management server.

Page 16

SYMANTEC ENDPOINT PROTECTION REPLICATION SCENARIOS

For example, you can create two groups for clients at site 1, two different groups for site 2, and two other groups for site 3. You can apply the communication settings at the group level so clients connect to the designated management server.

You may want to set up guidelines for managing location settings for groups. Guidelines may help prevent conflicts from occurring for the same locations, and may also help prevent conflicts for any groups that are located at different sites.

Page 17

SYMANTEC ENDPOINT PROTECTION REPLICATION SCENARIOS

After replication occurs, the database on site 1 and the database on site 2 are the same. Only computer identification information for the servers differs.

If administrators change settings on all sites on a site farm, conflicts can occur. For example, administrators on site 1 and site 2 can both add a group with the same name. To resolve this conflict, both groups exist after replication, but one of them is renamed with a tilde and the numeral 1 (~1).

Page 18

SYMANTEC ENDPOINT PROTECTION REPLICATION SCENARIOS

If both sites added a group that is called Sales, after replication you can see two groups at both sites. One group is called Sales and the other is called Sales 1.

This duplication occurs whenever a policy with the same name is added to the same place at two sites.

If duplicate network adapters with the same name are created at different sites, a tilde and the numeral 1 (~1) is added to one of the names.

Page 19

SYMANTEC ENDPOINT PROTECTION REPLICATION SCENARIOS

If different settings are changed at both sites, the changes are merged after replication. For example, if you change Client Security Settings on site 1 and Password Protection on site 2, both sets of changes appear after replication. Whenever possible, changes are merged between the two sites.

If policies are added at both sites, new policies appear on both sites after replication.

Conflicts can occur when one policy is changed at two different sites. If a policy is changed at multiple sites, the last update of any change is then maintained after replication.

Page 20

SYMANTEC ENDPOINT PROTECTION REPLICATION SCENARIOS

Suppose you perform the following tasks while replication is scheduled to occur every hour on the hour:

■ You edit the AvAsPolicy1 on site 1 at 2:00 P.M.

■ You edit the same policy on site 2 at 2:30 P.M.

Then only the changes that were completed on site 2 appear after replication occurs at 3:00 P.M.

If one of the replication partners is taken offline, the remote site may still indicate the status as online.
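The merge rules from pages 17 to 20 (different settings merge, the same policy edited at two sites keeps only the last edit, same-named groups survive with a ~1 suffix) modelled as an added example; this is not Symantec code, and the site IDs, setting keys and edit times are constructed to match the AvAsPolicy1 scenario above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One edit made at a replication partner since the last replication."""
    site: int    # ID of the site where the edit was made (constructed)
    key: str     # what was edited, e.g. "policy:AvAsPolicy1"
    value: str   # new content (a label here; a whole policy in SEPM)
    at: str      # wall-clock time "HH:MM" of the edit, same day


def replicate(local: dict, changes: list) -> dict:
    """Produce the database image both partners hold after replication.

    Changes to different keys are merged, so both sites' edits appear.
    When the same key was changed at more than one site, only the
    latest edit is kept (the rule the module describes for AvAsPolicy1).
    """
    merged = dict(local)
    latest = {}
    for change in sorted(changes, key=lambda c: c.at):
        latest[change.key] = change   # a later edit overwrites an earlier one
    for key, change in latest.items():
        merged[key] = change.value
    return merged


def merge_groups(site1_added: list, site2_added: list) -> list:
    """Groups added at both sites with the same name both survive;
    the colliding one is renamed with a tilde and the numeral 1 (~1)."""
    result = list(site1_added)
    for name in site2_added:
        result.append(f"{name}~1" if name in result else name)
    return result


def hourly_scenario() -> dict:
    """Replication runs on the hour; all four edits land before 3:00 P.M."""
    changes = [
        Change(1, "policy:AvAsPolicy1", "site1 edit", "14:00"),
        Change(2, "policy:AvAsPolicy1", "site2 edit", "14:30"),
        Change(1, "setting:ClientSecurity", "locked", "14:10"),
        Change(2, "setting:PasswordProtection", "enabled", "14:20"),
    ]
    return replicate({}, changes)


if __name__ == "__main__":
    print(hourly_scenario())
    print(merge_groups(["Sales", "HR"], ["Sales", "Eng"]))
```

The 2:00 P.M. edit to AvAsPolicy1 is silently lost at the 3:00 P.M. replication, which is why the module advises guidelines on which site owns which groups and policies.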

Page 21

CONFIGURING REPLICATION

Adding and disconnecting a replication partner

If you want to replicate data with another site, you may have already set it up during the initial installation. If you did not set up replication during the initial installation, you can do so now by adding a replication partner.

Multiple sites are called a site farm whenever they are set up as replication partners. You can add any site on the site farm as a replication partner.

Page 22

CONFIGURING REPLICATION

Disconnecting replication partners

Deleting a replication partner merely disconnects a replication partner from Symantec Endpoint Protection Manager. It does not delete the site. You can add the site back later if you need to do so by adding a replication partner.

Page 23

CONFIGURING REPLICATION

Replicating data on demand

Replication normally occurs according to the schedule that you set up when you added a replication partner during installation. The site with the smaller ID number initiates the scheduled replication.

At times, you may want replication to occur immediately.

Page 24

CONFIGURING REPLICATION

Changing replication frequencies

Replication normally occurs according to the schedule that you set up when you added a replication partner during the initial installation. The site with the smaller ID number initiates the scheduled replication.

When a replication partner has been established, you can change the replication schedule. When you change the schedule on a replication partner, the schedule on both sides is the same after the next replication.

Page 25

CONFIGURING REPLICATION

Replicating client packages and LiveUpdate content

You can replicate or duplicate client packages and LiveUpdate content between the local site and this partner at a remote site.

You may want to copy the latest version of a client package or LiveUpdate content from a local site to a remote site. The administrator at the remote site can then deploy the client package and LiveUpdate content.

Page 26

CONFIGURING REPLICATION

If you decide to replicate client packages and LiveUpdate content, you may duplicate a large volume of data. Should you replicate many packages, the data may be as large as 5 GB.

Both Symantec Endpoint Protection and Symantec Network Access Control 32-bit and 64-bit installation packages may require as much as 500 MB of disk space.

Page 27

CONFIGURING REPLICATION

Replicating logs

You can specify that you want to replicate or duplicate logs as well as the database of a replication partner. You can specify the replication of logs when adding replication partners or by editing the replication partner properties.

If you plan to replicate logs, make sure that you have sufficient disk space for the additional logs on all the replication partner computers.

Page 28

FAILOVER AND LOAD BALANCING

The client computers must be able to connect to a management server at all times to download the security policy and to receive log events.

Failover is used to maintain communication with a Symantec Endpoint Protection Manager when the management server becomes unavailable. Load balancing is used to distribute client management between multiple management servers.

Page 29

FAILOVER AND LOAD BALANCING

You can set up failover and load balancing if you use a Microsoft SQL Server database. You can set up failover with the embedded database, but only if you use replication.

When you use replication with an embedded database, Symantec recommends that you do not configure load balancing, as data inconsistency and loss may result.

To set up failover and load balancing, you add multiple management servers or Enforcers to a management server list.

Page 30

FAILOVER AND LOAD BALANCING

You can install two or more management servers that communicate with one Microsoft SQL Server database and configure them for failover or load balancing.

Since you can install only one Symantec Endpoint Protection Manager to communicate with the embedded database, you can set up failover only if you replicate with another site. When you use replication with an embedded database, Symantec recommends that you do not configure load balancing, as data inconsistency and loss may result.

Page 31

FAILOVER AND LOAD BALANCING

A management server list is a prioritized list of management servers that is assigned to a group.

You should add at least two management servers to a site to automatically distribute the load among them. You can install more management servers than are required to handle your clients to protect against the failure of an individual management server. In a custom management server list, each server is assigned to a priority level.

Page 32

FAILOVER AND LOAD BALANCING

A client that comes onto the network selects a priority one server to connect to at random. If the first server it tries is unavailable and there are other priority one servers in the list, it randomly tries to connect to another. If no priority one servers are available, then the client tries to connect to one of the priority two servers in the list.

This method of distributing client connections randomly distributes the client load among your management servers.

Page 33

FAILOVER AND LOAD BALANCING

Page 34

FAILOVER AND LOAD BALANCING

In a failover configuration, all clients send traffic to and receive traffic from server 1. If server 1 goes offline, all clients send traffic to and receive traffic from server 2 until server 1 comes back online.

The database is illustrated as a remote installation, but it also can be installed on a computer that runs the Symantec Endpoint Protection Manager.
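The client selection rule from pages 31, 32 and 34 (random choice among priority-one servers, then fall through to priority two) as an added simulation; this is not Symantec code, and the server names, the availability map and the two management server lists are constructed.

```python
import random
from collections import Counter


def choose_server(server_list: dict, is_up: dict, rng=random):
    """Pick the management server a newly connecting client ends up on.

    server_list maps priority level -> list of server names; is_up maps
    server name -> whether it currently answers. Within a priority level
    the client tries servers in random order; only when every server at
    that level is down does it move to the next level. None means no
    server in the list was reachable.
    """
    for priority in sorted(server_list):
        candidates = list(server_list[priority])
        rng.shuffle(candidates)           # random order within one priority level
        for server in candidates:
            if is_up.get(server, False):
                return server
    return None


def connection_counts(server_list: dict, is_up: dict, clients: int = 1000,
                      seed: int = 1) -> Counter:
    """Distribute `clients` connections and count how many land on each server."""
    rng = random.Random(seed)             # seeded so results are reproducible
    return Counter(choose_server(server_list, is_up, rng) for _ in range(clients))


# Load balancing: two priority-one servers split the clients roughly evenly.
LOAD_BALANCED = {1: ["sepm-a", "sepm-b"]}
# Failover (page 34): server 1 takes all traffic; server 2 only while server 1 is down.
FAILOVER = {1: ["sepm-1"], 2: ["sepm-2"]}

if __name__ == "__main__":
    print(connection_counts(LOAD_BALANCED, {"sepm-a": True, "sepm-b": True}))
    print(connection_counts(FAILOVER, {"sepm-1": True, "sepm-2": True}))
    print(connection_counts(FAILOVER, {"sepm-1": False, "sepm-2": True}))
```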

Page 35

FAILOVER AND LOAD BALANCING

You may also want to consider failover for content updates, if you intend to use local servers. All the components that run LiveUpdate can also use a prioritized list of update sources.

Your management servers can use a local LiveUpdate server and fail over to LiveUpdate servers in other physical locations.