Hi There,
We are on a pre-sales EDR project next, and currently I'm looking for some suggestions about the design of the TIE/DXL architecture/topology.
Customer Environment:
About 1000 nodes will have the ENSTP/ATP/MAR client installed; there is also a mini office in another city with fewer than 100 clients. Both the TIE/MAR/DXL Brokers are going to be installed on virtual machines (VMware ESX).
I'm going to implement two TIE servers for HA, and enable the MAR Server on the Secondary TIE server. Currently my major concern is: should I enable DXL brokers when installing the TIE Servers on both the Primary TIE and the Secondary TIE, or is it best to prepare 2 separate server machines to install the DXL Brokers on?
I have gone through the TIE sizing guide, DXL architecture guide, MAR server sizing guide, etc., but I am still not sure about the best-practice suggestions for installing DXL Brokers under this scenario.
Thanks in advance.
Good question. One single DXL broker is capable of handling 50k nodes. Since TIE 2.3 comes as a combo box, you can enable the DXL broker on the same box. We at McAfee recommend having two DXL brokers, so that in case the Primary goes down, the Secondary would take care of your environment.
In conclusion, enable one broker on the Primary TIE server and another one on the Secondary TIE. No need to have a separate appliance for the broker.
Thanks @LKS. By the way, does the McAfee MAR Server have high availability features? It seems I was unable to find any information on MAR Server HA.
No, there is no such concept in MAR or TIE.
So if the MAR Server is down or broken, we have to re-image the appliance?
The Active Response Threat Workspace, installed as a McAfee ePO extension, directly retrieves the data stored in the cloud and enables visualization of threats that are seen across the endpoints. All the data is stored in the cloud, so you won't lose any data in general. PostgreSQL is used to save capabilities, collectors, traps, responses/reactions, search expressions and all related objects of MAR's data model.
In the worst-case scenario, if you are going to rebuild your MAR server, then from ePO just export all custom collectors/triggers and any customization.
Thanks @LKS, I appreciate the information.