Showing results for 
Search instead for 
Did you mean: 

Adding an Agent Handler to environment

We have approximately 1000 nodes in our environment with one virtualized ePO server with a SQL Express database on the same host as ePO. We currenty have VSE, Site Advisor, and EEFF. In the future we may implement HDLP as well. I understand that perhaps adding 1 or 2 agent handlers in a load balanced situation would not necessarily improve performance, but in terms of availability of user based encryption policies, would the agent handlers continue communicating with the agents in the event that the ePO is offline, and generally speaking does this make any sense? We would move the database off to a separate dedicated SQL server. The last time our ePO had issues, users were not getting the policies and could not access encrypted files. What would be  some advisable things to do to ensure encryption policies are delivered during an ePO "outage" and also possibly to boost performance?  Thanks.

8 Replies
Level 14
Report Inappropriate Content
Message 2 of 9

Re: Adding an Agent Handler to environment

In ePo outage if DB on same server, AH would not be helpful to update your clients.

In ePo outage if DB server is on different machine, AH will be helpful to push policies to your clients.It will increase scalbility, Failover and reliability and no doubt Saving alot of your bandwidth.

If your SQL express is on same server and you want failover for it,Creating Repository to another machine and directing your half clients there would be great, in this case if your ePo is DC, your clients will be getting updates from Repository.

Re: Adding an Agent Handler to environment

Would it make any sense to have 2 agent handlers, or is one sufficient in this case?

Level 14
Report Inappropriate Content
Message 4 of 9

Re: Adding an Agent Handler to environment

AH typical actions include agent wake-ups, deployments, and data channel messages. This is one of the reasons that each agent handler needs a relativelyhigh speed, low latency connection to the database.

So in your case if you have a plan to setup a seprate SQl, One agent handler would be smart enough, to share many requests from clients.

For 1000 nodes, I think you must have an AH.

You may also assign a machine a SA and make a Repository there as well, if in case epo goes down your SA will be updating your clients as well.

Message was edited by: alexn on 2/8/13 3:01:50 PM CST

Re: Adding an Agent Handler to environment

It's been almost a year now, but we have migrated the SQL database off of the ePO. So if we add an additional agent handler into the same AH group as the ePO, would this load balance?


Re: Adding an Agent Handler to environment

A laptop is sufficient to manage 1000 nodes. No one needs an Agent Handler for scalability reasons until at least 25K nodes and I typically don't start suggesting them until 50K nodes. If you add one below this you are just adding complexity without actually improving performance.

Re: Adding an Agent Handler to environment

A single ePO server should definitely handle about 1000 nodes. But at the same time we plan to add more managed products that may have more frequent agent to server communications and above all, we want to have some degree of high availability without clustering. As long as clients can retrieve existing policies while the ePO is down.

Reliable Contributor SCtbe
Reliable Contributor
Report Inappropriate Content
Message 8 of 9

Re: Adding an Agent Handler to environment

The sizing guide for ePO scalability state about one managed product - VSE, which is one of the lightest in term of ePO workload. Some products (like EEPC, DLPe) ma double on even triple this workload. Nevertheless assuming server class hardware (virtual or not) configuration with saparated DB and one ePO 4.6.x (4GB RAM and 4x2GHz) should manage VSE,SA,EEFF,DLPe, and EEPC on 1000 machines without any problems.

Re: Adding an Agent Handler to environment

This is good to hear. So our additional agent handler will mostly be there in case the ePO goes down. And we may also use it to handle remote laptops if we put it in the DMZ. Thanks for all the input.

Message was edited by: eeffuser on 1/17/14 7:25:03 AM CST
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community