Key DLP agent and Endpoint Server communications settings
Article ID: 207657

Products

Data Loss Prevention Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Suite

Issue/Introduction

You are looking for the recommended relationships between key DLP agent and Endpoint Server communications settings.

Environment

DLP 15.+

Resolution

In order to maintain stable communications between DLP agents and Endpoint Servers, the following setting relationships should be observed:

| Setting A | Applies To | Default | Relationship To | Setting B | Applies To | Default |
|---|---|---|---|---|---|---|
| ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int | Endpoint Agent | 900 seconds | | EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int | Endpoint Agent | 30 seconds |
| Enforce "Agent Not Reporting After" setting | Endpoint Server (Enforce System > Settings > General) | 18 hr | > | ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int | Endpoint Agent | 900 seconds |
| Load Balancer IP Source Persistence (aka 'stickiness', aka 'affinity') | Load Balancer | Varies by vendor | = | Transport.MAX_SSL_SESSION_LIFETIME_SECONDS.int / EndpointCommunications.SSLSessionCacheTimeoutInSeconds | Endpoint Agent / Endpoint Server | 86400 seconds |
| Load Balancer IP Source Persistence (aka 'stickiness', aka 'affinity') | Load Balancer | Varies by vendor | > | ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int | Endpoint Agent | 900 seconds |
| CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int | Endpoint Agent and Endpoint Server | 300 seconds | > | EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int | Endpoint Agent | 270 seconds |
| EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int | Endpoint Server | 270 seconds | < | Load Balancer connection idle timeout | Load Balancer | Varies by vendor |
| EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int | Endpoint Server | 30 seconds | < | Load Balancer connection idle timeout | Load Balancer | Varies by vendor |

Setting descriptions:

EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int (default 30): The maximum time to keep an idle connection open. The connection is closed when the specified number of seconds has passed. This timeout only applies during the normal operation phase of a connection, which begins after the SSL handshake and application handshake phases. Enter a value between 0 and 1000000000. Enter 0 to prevent idle connections from closing.

ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int (default 900): The amount of time, in seconds, that the agent waits before it initiates connections. The minimum value you can enter depends on the minimum time difference between when the Enforce Server and Endpoint Server communicate. 10 is the minimum value you can enter to maintain a persistent connection. You can enter a value between 60 and 86400 seconds to maintain a non-persistent connection.

EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int (default 270): Time interval in seconds between heartbeat messages. The Endpoint Server sends heartbeat messages to detect dead connections to individual agents when no other traffic is being sent or received. The Endpoint Server measures the time from when the last data traffic was sent to or received from the agent until the current time. Data traffic is defined as any bytes sent or received by the Endpoint Server, including heartbeat message bytes. When the specified duration is exceeded, the Endpoint Server sends a heartbeat message to the agent. If the value of the setting in the agent configuration changes, the new value is applied immediately to any open connections to agents for which the configuration applies, and to any subsequent connections. Application-defined heartbeat messages are treated by network appliances as actual traffic and, unlike TCP keepalives, are never ignored. Heartbeat messages do not count as normal messages for determining whether the connection is idle: sending or receiving a heartbeat message does not reset the idle timer. Enter a value between 0 and 1000000000. Enter 0 to disable the agent heartbeat.

Transport.MAX_SSL_SESSION_LIFETIME_SECONDS.int (default 86400): The duration in seconds for which the agent re-uses an SSL session ID. When that duration elapses, the agent discards the SSL session ID and a new SSL session is established on the next connection with the Endpoint Server. This setting applies to new agent connections. Enter 0 to disable SSL session re-use.

CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int (default 300 seconds, i.e. 5 minutes): The application-level heartbeat interval. To detect idle dead connections the agent uses an application-level heartbeat message. Data Loss Prevention closes any connection for which a heartbeat has not been received within the specified timeout interval. The agent does not send heartbeats and relies on the TCP keepalive instead. A value of 0 disables the heartbeat. This value is also used as the application handshake timeout. Changes to this setting apply to existing and new connections. You can enter a value between 60 and 86400 seconds.

EndpointCommunications.SSLSessionCacheTimeoutInSeconds (default 86400): Sets the maximum SSL session entry lifetime in the SSL session cache. The default equals one day. This setting takes effect after the next Endpoint Prevent Server restart.
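The relationships in the table and the "0 disables this timer" rule from the setting descriptions can be checked mechanically before a change is rolled out. The checker below is an added example, not code from the KB article or from the DLP product; the DLP setting names are the article's own, while the Enforce "Agent Not Reporting After" key and the two load-balancer keys are assumed labels, since those values live outside the agent configuration and vary by vendor.

```python
import operator

# Relationship rules from the table above: (setting A, relation, setting B).
# The Enforce.* and LB.* keys are assumed labels for this example.
RULES = [
    ("Enforce.AgentNotReportingAfterSeconds", ">",
     "ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int"),
    ("LB.SourcePersistenceSeconds", "=",
     "Transport.MAX_SSL_SESSION_LIFETIME_SECONDS.int"),
    ("LB.SourcePersistenceSeconds", "=",
     "EndpointCommunications.SSLSessionCacheTimeoutInSeconds"),
    ("LB.SourcePersistenceSeconds", ">",
     "ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int"),
    ("CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int", ">",
     "EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int"),
    ("EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int", "<",
     "LB.ConnectionIdleTimeoutSeconds"),
    ("EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int", "<",
     "LB.ConnectionIdleTimeoutSeconds"),
]
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

# Constructed sample: the article's DLP defaults (18 hr expressed in seconds)
# plus assumed load-balancer values that satisfy every rule.
DEFAULTS = {
    "ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int": 900,
    "EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int": 30,
    "Enforce.AgentNotReportingAfterSeconds": 18 * 3600,
    "Transport.MAX_SSL_SESSION_LIFETIME_SECONDS.int": 86400,
    "EndpointCommunications.SSLSessionCacheTimeoutInSeconds": 86400,
    "CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int": 300,
    "EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int": 270,
    "LB.SourcePersistenceSeconds": 86400,
    "LB.ConnectionIdleTimeoutSeconds": 600,
}

def check_relationships(config, rules=RULES):
    """Return (violations, skipped). Per the setting descriptions, 0 disables the
    timer on the DLP side, so a rule touching a 0 is reported as skipped rather
    than compared against a value that no longer means 'seconds'."""
    violations, skipped = [], []
    for a, rel, b in rules:
        va, vb = config[a], config[b]
        if va == 0 or vb == 0:
            skipped.append((a, rel, b))
        elif not OPS[rel](va, vb):
            violations.append(f"{a}={va} should be {rel} {b}={vb}")
    return violations, skipped

if __name__ == "__main__":
    # A load balancer that drops idle connections after 120 s breaks the heartbeat rule.
    bad = dict(DEFAULTS, **{"LB.ConnectionIdleTimeoutSeconds": 120})
    for line in check_relationships(bad)[0]:
        print("VIOLATION:", line)
```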
 

Additional Information

If you are using a load balancer in your organization, follow the load balancer best practices for DLP Endpoint Prevent in Article ID: 173959.

You might also want to review the following articles:

See also: Endpoint Server running slowly, Aggregator logs show 'Rejecting existing connection with AgentId...'

See also: Agents send duplicate incidents

See also: DLP Agent status not reporting as expected on Enforce

See also: Configuring Agent Connection Status "Not Reporting" after

See also: About using load balancers in an endpoint deployment