Best Practices for creating a Virtual Machine for Encryption Management Server

Article ID: 156207

Products

  • Encryption Management Server
  • Gateway Email Encryption
  • Encryption Management Server Powered by PGP Technology
  • Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

Encryption Management Server can be installed as a VMware Virtual Machine. There are many benefits to doing this.

This article contains recommendations for creating virtual machines that are suitable for Encryption Management Server releases 10.5 and 3.4.2. Note that release 10.5 is 64-bit and release 3.4.2 is 32-bit.

Environment

  • Symantec Encryption Management Server 3.4.2 and above.
  • vSphere ESXi 6.5

Resolution

Guest Operating System

The Guest operating system for Encryption Management Server should be set to Linux and the Guest OS version set to CentOS 7 (64-bit). For Encryption Management Server 3.4.2, select CentOS 6 (32-bit). Selecting the correct operating system results in the selection of suitable defaults for components such as network adapters.

Virtual CPUs

Broadcom recommends a minimum of 2 virtual CPUs for small environments, 4 CPUs for medium environments and 8 CPUs for large environments. Note that each virtual CPU equates to a physical CPU core on the ESXi host. For example, a physical quad-core processor in an ESXi host has 4 virtual CPUs. Broadcom recommends that, in the Virtual Machine settings, the CPU setting matches the number of virtual CPUs required and the Cores per socket setting remains at its default of 1.

CPU Resource Allocation

CPU resources can be reserved. This means that the Virtual Machine will be guaranteed a specific level of CPU cycles, measured in MHz, whether or not it needs the resources. Generally, a reservation should not be required. A Limit should also not be imposed; the default setting of Unlimited should be retained.

VMware Tools

VMware Tools enhances performance and improves management. Not only is it required by vMotion, it also enables paravirtual network adapters to be installed and allows quiesced snapshots to be taken. Installing VMware Tools is highly recommended. Encryption Management Server 10.5 installs VMware Tools by default. With Encryption Management Server 3.4.2, VMware Tools needs to be installed separately.

Memory

Broadcom recommends 8 GB RAM for small/medium environments such as drive encryption only environments and 16 GB to 32 GB for larger environments. Note that release 3.4.2 supports a maximum of 16 GB. The RAM requirements depend on the use of Encryption Management Server (Email, Drive Encryption, FileShare Encryption, Web Email Protection) and the number of users being managed by the server. If there are any doubts as to what will be sufficient please ask Broadcom Support.

Disk Space

Symantec recommends a minimum of 50 GB but there are many factors to consider. For drive encryption only environments, 100 GB would be sufficient for 50,000 users providing backups were not stored on the local disk. If seven days of backups were stored on the local disk (not recommended) around 200 GB would need to be allocated. If thousands of Web Email Protection mailboxes were hosted on the server then disk space requirements could exceed 1 TB. Thin provisioning of disk space can be used to minimize the physical disk requirements if your organization's policy supports it (clearly, thin provisioning runs the risk of exceeding the physical storage space).

Note that if Encryption Management Server is configured to store backups on a remote server, it still creates and stores each backup on the local disk before uploading it to the remote host. When creating backups, files are compressed several times. Therefore the minimum unused disk space needs to be at least twice the size of each backup. 

It is not possible to expand the virtual disk after Encryption Management Server has been installed. Therefore, if disk space is under-provisioned, it will cause considerable inconvenience in the future.

Storage Speed

At the core of Encryption Management Server is a relational database and therefore random disk write speed is very important. In terms of overall performance, disk speed is the most important factor. RAID 10 arrays provide the best random write speed, as does SSD. In a virtual environment, the VMware DataStore may be hosted on SAN storage. Ensure that the team responsible for provisioning the virtual disk is aware that it is being used by a database server.

It is vital that the DataStore on which the virtual disk is stored is not overloaded with disk intensive Virtual Machines because this can severely degrade the performance of Encryption Management Server. Please contact Broadcom Support if you wish to test the random write speed of your virtual disk.

Ethernet Adapter

By default, ESXi will use the VMXNET 3 adapter, a paravirtualized NIC designed for performance. This is recommended.

If, for some reason, you wish to choose another adapter type, use the E1000.

SCSI Controller

By default, ESXi will use the VMware Paravirtual controller which can result in greater throughput and lower CPU utilization because the virtualization platform does not have to emulate another device. This controller is recommended.

If, for some reason, you wish to use another controller type, choose either the LSI Logic Parallel or LSI Logic SAS. Each will provide the same performance.

VMware vMotion

VMware vMotion is supported with Encryption Management Server.

NTP

With VMware Tools installed, a "Synchronize guest time with host" checkbox appears in the Options tab of the Virtual Machine properties. This is disabled by default and enabling it is not recommended. Instead, for better accuracy, configure NTP in Encryption Management Server. Never enable both NTP and the time synchronization option in VMware Tools because it will result in highly inaccurate timekeeping.
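
The settings recommended above can be checked against a virtual machine's .vmx file. The following is an added example, not Broadcom's code: the sample file is constructed, the thresholds default to the small-environment figures, and the .vmx key names (numvcpus, cpuid.coresPerSocket, memSize, sched.cpu.max, ethernetN.virtualDev, scsiN.virtualDev, tools.syncTime) are assumed to match what your ESXi host writes.

```python
import re

# Constructed sample .vmx content (not from a real host); it deviates from
# several of the article's recommendations on purpose.
SAMPLE_VMX = '''
guestOS = "centos7-64"
numvcpus = "4"
cpuid.coresPerSocket = "2"
memSize = "4096"
sched.cpu.max = "2000"
ethernet0.virtualDev = "e1000e"
scsi0.virtualDev = "pvscsi"
scsi0:0.fileName = "ems.vmdk"
tools.syncTime = "TRUE"
'''

ALLOWED_NICS = {"vmxnet3", "e1000"}                   # Ethernet Adapter section
ALLOWED_SCSI = {"pvscsi", "lsilogic", "lsisas1068"}   # SCSI Controller section

def parse_vmx(text):
    """Return {lower-cased key: value} for every key = "value" line."""
    pairs = re.findall(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$', text, re.M)
    return {key.lower(): value for key, value in pairs}

def audit_vmx(text, min_vcpus=2, min_mem_gb=8):
    """Return a list of deviations from the article; empty means none found."""
    cfg = parse_vmx(text)
    findings = []
    if int(cfg.get("numvcpus", "1")) < min_vcpus:
        findings.append("vcpus below minimum")
    if int(cfg.get("cpuid.corespersocket", "1")) != 1:
        findings.append("cores per socket is not 1")
    if cfg.get("sched.cpu.max", "unlimited").lower() not in ("unlimited", "-1"):
        findings.append("cpu limit is set")
    if int(cfg.get("memsize", "0")) < min_mem_gb * 1024:   # memSize is in MB
        findings.append("memory below minimum")
    for key, value in cfg.items():
        if re.fullmatch(r"ethernet\d+\.virtualdev", key) and value.lower() not in ALLOWED_NICS:
            findings.append("unexpected adapter on " + key.split(".")[0])
        if re.fullmatch(r"scsi\d+\.virtualdev", key) and value.lower() not in ALLOWED_SCSI:
            findings.append("unexpected controller on " + key.split(".")[0])
    if cfg.get("tools.synctime", "FALSE").upper() == "TRUE":
        findings.append("VMware Tools time sync enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print("DEVIATION:", finding)
```

Pass min_vcpus and min_mem_gb to match the medium or large environment figures given in the Virtual CPUs and Memory sections.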