What are the deployment requirements for Endpoint Agents?

Article ID: 160568

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

What are the deployment requirements for the Endpoint Agents (EPA) and the Endpoint Server with regard to network topology?

Environment

Please note: Details in this TECHNOTE do not apply to the default setup of DLP versions 12.5 and later.

All content regarding persistent or "sticky" connections in this TECHNOTE applies only to DLP versions 12.0.1 and earlier.

Resolution

The communication between the Symantec Endpoint Server and Endpoint Agent has specific and important requirements:

- As part of regular operation, a persistent connection is established between server and agent. This connection may be idle for long periods of time. Any network device between the server and agent must support this type of connection and must not sever it. A severed connection will be re-established, but with significant overhead (including retransmission of policies to the agent), so any regular severing of connections will result in performance and quality-of-service problems.

- The Symantec DLP product does not provide any load balancing capability between servers and agents. However, an agent may be configured to fail over to another server. Whenever possible, the same agent should remain connected to the same server.

  - An agent connecting to a different server incurs the same overhead described above (for a re-established connection to the same server). In addition, related resources on the original server will not be released immediately.

  - An agent connecting to a different server will also lose the state of an Endpoint Discover (EDAR) scan: EDAR scans are *not* usable if agents regularly connect to different servers.

- A server transmits the same policies to all the agents that are connected to it. For a deployment where policies are expected to vary across the population of Endpoint Agents (in practice, any large deployment), policies can and should be deployed only to the servers that require them (for the agents that require them).

If a load balancing device is utilized between agents and servers, the following must exist:

- The network must support both inactive and active persistent connections (see the first requirement above).

- The load balancer must maintain a "sticky connection" (route traffic from the same agent to the same server, and vice versa).

- The distribution algorithm for the load balancer may need to be changed from round robin to connection-based or load-based prioritization in order to balance load properly.

- The load balancer must act as a gateway and use static NAT over long periods of time. All communication between server and agent must retain its respective IP address even if there is no traffic, or a connection is dropped, between them.
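As an added illustration that is not part of this technote and not a Symantec-supplied configuration, the following HAProxy fragment places a configuration that violates the requirements above (short idle timeouts, round robin, no stickiness) beside one that satisfies them. HAProxy itself, the listening port 10443, the server addresses and the timeout values are assumptions chosen for the example; substitute your own Endpoint Server port and addresses.

```haproxy
# Weak configuration (assumed example): round robin with short idle timeouts.
# An agent's persistent connection is reaped after 60 seconds of silence, and
# the reconnect may land on a different Endpoint Server, which forces policy
# retransmission and discards EDAR scan state.
listen dlp-endpoint-weak
    bind *:10443                 # assumed Endpoint Server port
    mode tcp
    balance roundrobin
    timeout client 60s
    timeout server 60s
    server epserver1 10.0.0.11:10443 check   # assumed address
    server epserver2 10.0.0.12:10443 check   # assumed address

# Corrected configuration (assumed example) meeting the requirements above.
listen dlp-endpoint
    bind *:10443
    mode tcp
    balance leastconn            # connection-based distribution instead of round robin
    option clitcpka              # TCP keepalives on both legs so idle persistent
    option srvtcpka              # connections are not reaped by intermediate devices
    timeout client 24h           # do not sever long-idle persistent connections
    timeout server 24h
    stick-table type ip size 100k expire 24h   # remembers each agent's chosen server
    stick on src                 # "sticky connection": same agent, same server
    # Transparent proxying so the server sees the agent's real IP (static, not
    # rewritten per connection). Requires HAProxy built with TPROXY support and
    # routing that returns server traffic through this host.
    source 0.0.0.0 usesrc clientip
    server epserver1 10.0.0.11:10443 check
    server epserver2 10.0.0.12:10443 check
```

The stick table, not the balancing algorithm, is what provides the "sticky connection"; `leastconn` only decides where an agent lands the first time. The stick-table `expire` value should be at least as long as the longest period an agent is expected to be disconnected, otherwise a returning agent may be assigned to a different server and incur the reconnection overhead described above.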

See KB TECH219005 for a case study and example of the problems that arise when these requirements are not met.