Many customers use multiple MEG appliances for mail processing.  In most of those cases, the customers are using individual appliances due to load.  In other cases, they are using the multiple appliances for physical separation and disaster recovery purposes.  Regardless of the reason for their use, multiple appliances can become a problem when quarantining mail, especially if the MEG appliances are clustered or there are multiple appliances quarantining mail. 

 

There are two issues here which can become a problem.  First, if the MEG appliances aren't clustered, mail will be quarantined on each of those appliances.  The result of that will be that users will receive a digest message for each appliance.  This may not be a problem if digest messages are sent infrequently or if there is just a small number (1-3) appliances, but if there are multiple appliances and/or multiple digests per day, users may end up complaining about receiving massive numbers of notifications per day.

 

In the case of a cluster of appliances, the MEG uses the SWM service to handle quarantine.  However, unlike the SWM service data, the quarantine data isn't (at this time) clustered between the master and failover appliances.  What this means is that if, for some reason, a quarantine release attempt comes in and gets handed off to the Failover appliance, the user will receive an error that their message could not be released.  If they they try again, they can usually release the message just fine.

 

It's thus a best practice to use the McAfee Quarantine Manager for off-box quarantine.  This allows you to have mail being quarantined to that box instead of the individual MEGs.  The result is that users won't get individual quarantine digests.  Also, this allows for more granular quarantine release of mail on the MQM.