As with any virtual operating system/appliance, Encryption Management Server requires a virtual machine to be created on the host VMware vSphere server. To do this, use the New Virtual Machine Wizard and select the Custom option.
The Guest operating system for Encryption Management Server should be set to Linux and the Version set to CentOS 4/5/6 (32-bit).
Symantec recommends a minimum of 2 virtual CPUs for small environments, 4 CPUs for medium environments and 8 CPUs for large environments. It may be necessary to use 16 CPUs in very large environments. Note that each virtual CPU equates to a physical CPU core on the VMware host. Therefore a physical quad-core processor in a VMware host provides 4 virtual CPUs. Symantec recommends that in the Virtual Machine settings, the Number of virtual sockets setting matches the number of virtual CPUs required and the Number of cores per socket setting remains at its default of 1.
CPU resources can be reserved. This means that the Virtual Machine will be guaranteed a specific level of CPU cycles, measured in MHz, whether or not it needs the resources. Generally, a reservation should not be required, but note that if a reservation is not set, there is nothing to prevent a VMware host from reducing the CPU cycles available to some Virtual Machines and allocating them to others. Sharing resources is, after all, one of the major benefits of a virtual environment. A Limit can also be imposed but the default is Unlimited. If CPU resources on the VMware host are heavily contended, the VMware administrator may impose a limit on CPU resources. Setting a limit should be avoided if at all possible. To reserve CPU resources, edit the Virtual Machine settings and under the Resources tab click on the CPU setting. Enter the value in MHz to reserve.
VMware Tools enhances performance and improves management. Not only is it required by vMotion, it also enables paravirtual network adapters to be installed and allows quiesced snapshots to be taken. Installing VMware Tools is highly recommended.
Symantec recommends 4 GB to 8 GB RAM for small/medium environments, such as Whole Disk Encryption-only environments, and 8 GB to 16 GB for larger environments. The RAM requirements depend on how Encryption Management Server is used (Email, Drive Encryption, FileShare Encryption, Web Email Protection) and the number of users being managed by the server. If there are any doubts as to what will be sufficient, please ask Symantec Support.
Encryption Management Server runs Java. VMware recommends that all the configured memory for Virtual Machines running Java is reserved. This is recommended because any type of memory swapping is detrimental to the performance of the JVM heap, especially for Garbage Collection. To reserve all the memory, edit the Virtual Machine settings and under the Resources tab click on the Memory setting. Enable the option Reserve all guest memory (All locked). If the memory is not reserved, VMware may swap to disk and this will degrade performance very significantly. If it is not possible to reserve all the memory, you can at least reserve some. At a minimum, ensure that there is no Limit set (the default is Unlimited).
Please note that the maximum amount of memory supported by the Encryption Management Server is 16 GB. Memory should be limited to this amount. For more details, please refer to article TECH203682.
Symantec recommends a minimum of 50 GB of disk space, but there are many factors to consider. For Whole Disk Encryption-only environments, 100 GB would be sufficient for 50,000 users provided backups are not stored on the local disk. If seven days of backups are stored on the local disk (not recommended), around 200 GB would need to be allocated. If thousands of Web Email Protection mailboxes are hosted on the server, disk space requirements could exceed 1 TB. Thin provisioning of disk space can be used to minimize the physical disk requirements if your organization's policy supports it (clearly, thin provisioning runs the risk of exceeding the physical storage space).
In a virtual environment, expanding the virtual disk will result in additional unpartitioned space which is unusable by Encryption Management Server unless the product is reinstalled. Therefore, under-provisioning disk space will cause considerable inconvenience.
At the core of Encryption Management Server is a relational database and therefore random disk write speed is very important. RAID 10 arrays provide the best random write speed, as does SSD. In a virtual environment, the VMware DataStore may be hosted on SAN storage so it may be challenging to discover whether the disk speed is sufficient. Ensure that the team responsible for provisioning the virtual disk is aware that it is being used by a database server.
It is vital that the DataStore on which the virtual disk is stored is not overloaded with disk intensive Virtual Machines because this can severely degrade the performance of Encryption Management Server. If the Virtual Machine does not have reserved memory and is swapping to disk, this will also degrade disk performance very significantly. Please contact Symantec Support if you wish to test the random write speed of your virtual disk.
At installation time, only the E1000 or Flexible adapters may work. The Flexible adapter emulates a 10 Mbps Vlance adapter until VMware Tools is installed, after which it automatically behaves as the faster VMXNET adapter (not to be confused with the VMXNET 3 adapter). The E1000 emulates an Intel Gigabit adapter whether or not VMware Tools is installed.
Encryption Management Server 3.4.2 and above allows the VMXNET 3 adapter, a paravirtualized NIC designed for performance, to be used at installation time. This should provide significantly better performance, but the difference will only be discernible in very busy environments. Only use this adapter if you intend to install VMware Tools.
The default SCSI controller for the CentOS 4/5/6 32-bit Operating System is the LSI Logic Parallel. The LSI Logic SAS can also be used but there is no performance benefit. The VMware Paravirtual controller can result in greater throughput and lower CPU utilization because the virtualization platform does not have to emulate another device, but this will only be discernible in very busy environments. Only use this controller if you intend to install VMware Tools.
VMware vMotion is supported with Encryption Management Server.
Once VMware Tools is installed, a Synchronize guest time with host checkbox appears in the Options tab of the Virtual Machine properties. This is disabled by default and enabling it is not recommended. Instead, for better accuracy, configure NTP in Encryption Management Server. Never enable both NTP and the time synchronization option in VMware Tools because it will result in highly inaccurate timekeeping.
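The settings above can be checked against a Virtual Machine's .vmx file. The following is an added example, not Symantec's or VMware's code: the function names are hypothetical, the sample file is constructed, and it assumes the standard .vmx key names (memSize, sched.mem.min, sched.mem.pin, cpuid.coresPerSocket, tools.syncTime, *.virtualDev).

```python
import re

MAX_MEM_MB = 16 * 1024  # supported maximum stated in this article (16 GB)

# Constructed sample .vmx content, not taken from a real deployment.
SAMPLE_VMX = '''\
guestOS = "centos"
numvcpus = "4"
cpuid.coresPerSocket = "2"
memSize = "32768"
sched.mem.min = "8192"
ethernet0.virtualDev = "e1000"
scsi0.virtualDev = "lsilogic"
tools.syncTime = "TRUE"
'''

def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    pairs = re.findall(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$', text, re.M)
    return {k.lower(): v for k, v in pairs}

def audit(cfg):
    """Return a list of deviations from the recommendations in this article."""
    findings = []
    mem = int(cfg.get("memsize", 0))  # memSize is expressed in MB
    if mem > MAX_MEM_MB:
        findings.append("memory exceeds the 16 GB supported maximum")
    # Memory is fully reserved if it is pinned ("All locked") or the
    # reservation (sched.mem.min, in MB) covers all configured memory.
    pinned = cfg.get("sched.mem.pin", "FALSE").upper() == "TRUE"
    if not pinned and int(cfg.get("sched.mem.min", 0)) < mem:
        findings.append("guest memory is not fully reserved")
    if int(cfg.get("cpuid.corespersocket", 1)) != 1:
        findings.append("cores per socket should remain at 1")
    if cfg.get("tools.synctime", "FALSE").upper() == "TRUE":
        findings.append("VMware Tools time sync is enabled; use NTP instead")
    # Paravirtual devices are only recommended when VMware Tools is installed,
    # which the .vmx file cannot confirm, so flag them for manual review.
    for key, dev in cfg.items():
        if key.endswith(".virtualdev") and dev.lower() in ("vmxnet3", "pvscsi"):
            findings.append(key + " is paravirtual; confirm VMware Tools is installed")
    return findings

if __name__ == "__main__":
    for line in audit(parse_vmx(SAMPLE_VMX)):
        print("WARN:", line)
```
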
Please consult the relevant Release Notes for the latest system requirements. The VMware Compatibility Guide lists all supported components: