Configuring Symantec Endpoint Protection Managers to connect to a database running on SQL Always On Availability Group (AOAG)

Article ID: 222648

Products

Endpoint Protection

Issue/Introduction

The SEPM database was moved to or installed on a SQL Server Availability Group, and performance issues (slowness) or errors are observed.

Cause

The SEPM server uses three independent database connectors, each used by a different part of the product. Because of the way SQL Availability Groups function, each of these connectors must be configured appropriately so that it connects successfully when the availability group listener alias is used in the connection string.

Environment

Symantec Endpoint Protection Manager 14.3 RU1 MP1 and above connecting to a SQL 2012 or above Always On Availability Group.

Resolution

The SEPM version must be 14.3 RU1 MP1 or above, because some of these configuration options are not implemented in prior versions.

Configuration changes need to be made for each connector as follows:

* JDBC - (Optional) This is the main database connector used by the Tomcat instance. No configuration change should be required.
   However, if there is apparent slowness after a failover to another node, it may be beneficial to add multiSubnetFailover=true to the connection string in the "url" parameter of root.xml in tomcat\conf\Catalina\localhost
   Reference: https://docs.microsoft.com/en-us/sql/connect/jdbc/jdbc-driver-support-for-high-availability-disaster-recovery?view=sql-server-ver15

* BCP - The Microsoft bulk copy utility, used for replication and client log insertion / processing.
   For BCP to connect consistently, the SEPM needs to add the multi-subnet failover option to the connection string on the BCP command line when calling it. This requires the line "scm.bcp.multisubnetfailover.enabled=true" to be added to the conf.properties file in the SEPM's /tomcat/etc folder.

* ODBC - This is the system data source that is used by Apache / PHP for the SEPM reporting website (first 3 tabs of the SEPM console).
   Here, it is necessary to run ODBC Data Source (32 bit) - configure the SymantecEndpointSecurityDSN and check the Multi-Subnet failover checkbox when it appears.

   Then complete the configuration; no further changes should be required.

When all of the above changes have been made, restart the Symantec Endpoint Protection Manager service for them to take effect.
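
A read-only check of the three connector settings described above, added here as an example in PowerShell; it is not part of the original article or of the product's tooling. The `-SepmRoot` parameter (the SEPM installation folder) and the registry value `MultiSubnetFailover` = `Yes` under the 32-bit ODBC.INI key are assumptions about the local install and about how the SQL Server ODBC driver stores the checkbox.

```powershell
# Added example: reports whether multi-subnet failover is set for each SEPM connector.
param(
    # Assumption: SEPM installation folder; supply the real path for your server.
    [Parameter(Mandatory)][string]$SepmRoot,
    [string]$DsnName = 'SymantecEndpointSecurityDSN'
)

function Test-FilePattern {
    param([string]$Path, [string]$Pattern)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # file not found
    # -match is case-insensitive; (?m) makes ^ and $ anchor on each line
    return [bool]((Get-Content -LiteralPath $Path -Raw) -match $Pattern)
}

$results = [ordered]@{}

# JDBC (optional): multiSubnetFailover=true inside the "url" parameter of root.xml
$rootXml = Join-Path $SepmRoot 'tomcat\conf\Catalina\localhost\root.xml'
$results['JDBC root.xml url'] =
    Test-FilePattern $rootXml 'url\s*=\s*"[^"]*multiSubnetFailover=true'

# BCP: uncommented property line in conf.properties
$confProps = Join-Path $SepmRoot 'tomcat\etc\conf.properties'
$results['BCP conf.properties'] =
    Test-FilePattern $confProps '(?m)^\s*scm\.bcp\.multisubnetfailover\.enabled\s*=\s*true\s*$'

# ODBC: 32-bit system DSNs live under WOW6432Node on 64-bit Windows.
# Assumption: the driver records the checkbox as MultiSubnetFailover = Yes.
$dsnKey = "HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI\$DsnName"
$dsn = Get-ItemProperty -LiteralPath $dsnKey -ErrorAction SilentlyContinue
$results['ODBC DSN (32-bit)'] =
    if ($dsn) { $dsn.MultiSubnetFailover -eq 'Yes' } else { $null }

foreach ($name in $results.Keys) {
    $value = $results[$name]
    $state = if ($null -eq $value) { 'not found' }
             elseif ($value)       { 'enabled' }
             else                  { 'NOT enabled' }
    '{0,-22} {1}' -f $name, $state
}
```

A "NOT enabled" result for JDBC is expected when the optional root.xml change was not made; "not found" means the file or DSN key was not at the assumed location.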
