This Knowledge Base article provides information on the best practices for planning and executing a successful Disaster Recovery program for the Symantec Endpoint Encryption product.
For Best Practices and Disaster recovery for the PGP Server (Symantec Encryption Management Server/SEMS) product line, see the following article:
Use the information in this article to help prepare the Symantec Endpoint Encryption environment and data in an event of a disaster or an unplanned interruption, such as a natural disaster or power outage.
Preparing for disaster recovery:
You prepare for disaster recovery by backing up the following information:
Item 1: Management Password
Item 2: Database files
Item 3: Server certificate (Keypair of SEE MS TLS cert, with Root and Intermediate certificates)
Item 4: Server installation files
Item 5: Database settings
Item 6: Web Server Confirmation pages with passwords
Item 7: Active Directory settings, port numbers, and the domain name, IP address, and host name of the management server.
TIP: For Items 5 through 7, if you take a screenshot of each of the pages for the SEEMS Configuration Files page, this will help to easily re-create these pages during a new installation of the SEE Management Server if needed:
Once you have screenshots of all your SEEMS Configuration Manager pages, this will help you to quickly set this backup up if needed.
Item 8: You should also back up all client installation files As a best practice, you should store the backed-up data off-site at a secure location.
IMPORTANT TIP! Ask us about our Check Roles Tool that will make the installation of Symantec Endpoint Encryption Management Server simple and seamless! This is an excellent tool that will both check if the features are enabled and tell you what is missing, and then **install them for you** (When run as administrator). Please contact our Symantec Encryption Support team and we will be happy to provide the tool for you. This tool makes it extremely easy to get all these features installed and enabled. The name of this tool is called "CheckRolesFor_11_3_1_Plus.exe".
Item 9: Know how to do a new installation of the SEE Management Server if necessary. For more information on this process, see the following article:
Item 10: Always know the version and build number of your current setup.
High-level tasks to prepare for disaster recovery
The following sections describe recommended practices to help you prepare and manage disaster recovery in your enterprise. Although, an administrator can perform the following recommendations, you can contact Symantec Technical Support for any assistance with the process.
|Step 1: Back up the database often||Back up your database immediately following the successful installation and configuration of the Symantec Endpoint Encryption Management Server. At scheduled, frequent intervals, you should manually backup your database or perform automatic backups. For more information on backing up your Microsoft SQL Server database, see the Microsoft MSDN Library or your database owner.|
|Step 2: Back up important files or save information that you will require when you start the disaster recovery process||The files or information that you must back up or save and use during the disaster recovery process are:
|Step 3: Copy the files you backed up off-site||
Store the backed-up data off-site at a secure location.
Caution: When you backup files to a secure, off-site location, be sure that the files are copied properly. If the copied files are corrupted, you cannot restore your data.
|Step 4: Test your backup strategy||Simulate a mock-disaster situation and try to restore all backed up files, database, and re-establish communication between server and clients.
Caution: To minimize the associated risks of simulating a mock-disaster situation, carefully review your organization’s policies and procedures.
Recovering after an interruption - disaster recovery sequence
Symantec recommends that you adhere to a recommended disaster recovery preparation and strategies. If you do encounter an interruption and need to recover, follow this recovery sequence:
Redundancy for SEE Management Server
In addition to the above, it is beneficial to have multiple SEE Management Servers so that you can failover to another node if that particular Windows server goes down.
For example, you may have a server called "seems1.example.com" and another server called "seems2.example.com". Each of these servers will be configured with the same database and will share all the same data. If one server goes down, then the other can be used.
It is important to note that when the SEE Clients are build, they are built using a "Load Balancer" hostname, so the clients will automatically check in with the other nodes. This means that when you create the client, you will need to have a DNS entry for an alias that will resolve to both "seems1" and "seems2". For example, you may have the load balancer host called "seems.example.com", and that host will be resolved to either seems1 or seems2. If seems1 goes down, the Load Balancer can redirect to "seems2" until seems1 can be brought back up.
Having the TLS certificates configured for "seems.example.com" is critical. The Load Balancer can then do a TLS termination and simply pass traffic along to the next SEE Management Server.
Note: It may also be beneficial to have a "regional" hostname configured so that SEE Clients will always reach out to the closest SEE Management Server. This is something that could be configured on your own internal network for this resolution to occur within DNS.
Currently the SEE Management Server does not have any automatic failover built in. If you would like this functionality, reach out to Symantec Encryption Support for further guidance and reference the ID in the Additional Information section below.