cancel
Showing results for 
Search instead for 
Did you mean: 

ESM High Available

Jump to solution

Hi All,

Do you have any documents and ideas about ESM high available and how to configure? I didn't see anything about this on McAfee. Don't know about ESM standalone or HA or Combo... and how it works!

Thanks,

Smalldog

1 Solution

Accepted Solutions
McAfee Employee andy777
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: ESM High Available

Jump to solution

ESM Redundancy can be configured under System Properties | Backup and Restore | Redundancy. Enter the IP(s) of the other ESMs and indicate which should be primary. Do this on each ESM and they will start synchronizing. This is documented on page 180 of the 9.5 Product Guide. ESM Redundancy is only supported to standalone ESMs.

pic1.PNG

Capture.PNG

5 Replies
McAfee Employee andy777
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: ESM High Available

Jump to solution

ESM Redundancy can be configured under System Properties | Backup and Restore | Redundancy. Enter the IP(s) of the other ESMs and indicate which should be primary. Do this on each ESM and they will start synchronizing. This is documented on page 180 of the 9.5 Product Guide. ESM Redundancy is only supported to standalone ESMs.

pic1.PNG

Capture.PNG

Re: ESM High Available

Jump to solution

Thanks Andy!

Smalldog,

minki
Level 9
Report Inappropriate Content
Message 4 of 6

Re: ESM High Available

Jump to solution

Hi Andy,

Please help me to understand ESM HA concept - after configuring ESM in HA (after finalization) when I log into secondary ESM it show me the message that its a redundant ESM do not make any changes as it will be over right by the primary ESM.

what I want to understand -

1> How the secondary will become primary as I tested if I switch off the Primary ESM - Secondary still show the same message which should not be the case as Primary is no more available.

2> Since clustering IP is not the concept in ESM HA configuration - How the receivers will send logs to secondary ESM in case of Primary failure as they were connected to Primary ESM IP.

Thanks,

Mink

kmc
Level 12
Report Inappropriate Content
Message 5 of 6

Re: ESM High Available

Jump to solution

you got answer for this?

Reliable Contributor brenta
Reliable Contributor
Report Inappropriate Content
Message 6 of 6

Re: ESM High Available

Jump to solution

1) Fail-over is not 'automatic' as it is with receiver HA. It is more of a manual process. During a failure, the primary will not be available to retrieve logs from the receivers and/or correlation engines, when the secondary is promoted to a primary it will go back and collect any logs that were not collected by the primary.

2) The primary sends updates to the secondary. As you identified, the devices are 'keyed' to the primary, this is one of the reasons why fail over is not automatic. Failing over an ESM is not a trivial task, a ticket should be opened with support prior to doing so.

Brent
More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support

    • Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center