If we have multiple clusters in ESX, will we need to create a policy for each one of the Offload Scan servers that point the clients to the right server?
I have read through the deployment guide, but it seems to be very vague on how to actually "deploy" MOVE within a virtual environment.
Any help you can provide would be great.
Yes, the product guide doesn`t provide best practices, but you`ll want to keep the av scanning on the hypervisor. You can create groups in EPO and sort the machines based on the hypervisor they`re hosted on and assign them throgh different policies.
Typically you will stand up the Offload servers in pairs. A pair can probably service a lot of hypervisors. The fact that it is on/off hypervisor isn't as relevant as the switches between the hypervisors themselves.
You know you need more when the queue length increases or the average delay timer starts to be non-zero for any length of time.
I do agree that the guide is good at the mechanics of it but is sparse on what our customers SHOULD be doing.
From my experience I can tell you, that you can manage quite a lot of numbers with one offload server. But what I really recommend is a load-balancer in front of two offload servers. This is the most basic setup I recommend for a production environment, especially if you have servers running with MOVE-AV.
Just to give you some more insight, here are some real life numbers:
Hardware Loadbalancer with GBit-connection between MOVE client and offload server
2 offload servers with quad core cpu and 4 GB RAM
the virtual desktops and the server are in seperate networks, but the switch-backbone is GBit and the link is not even saturated to around 10%-30% (depending on the time of the day)
If the networkconnection is not the bottleneck in this configuration, you can easily add more offload servers if needed, until gbit network is completely full.
Hope this helps you
This is some great info, so thank you for the replies.
I think my next question to you CPT would be:
What, if any, disk latency are you seeing on the VM's themselves during the scans? If the majority of the work is done over the network, then we should be good to go.