tesdall
Level 9
Message 1 of 10

Help With Repositories

Our organization has a few servers over at different locations. Each location has a different subnet.

Let's say HQ has 10.0.1.0

Texas has 10.0.2.0

MO has 10.0.3.0

They are on an Ethernet backbone, so I have hops. I just did a trace route from 10.0.1 to 10.0.2 and it was 8 hops away.

How can I keep the people in Texas from going to MO's server? Since this is a virtual star network, I don't want double the traffic on my WAN. Or how can I make them come back to HQ or go to the Internet if they don't find a repository on their subnet?

Names and places have been made up to protect the innocent.

9 Replies
McAfee Employee
Message 2 of 10

Re: Help With Repositories

The best way to guarantee that agents will not attempt to update from undesirable repositories is to modify your agent policy to use a User Defined repository list. This will only be practical if your EPO server's system tree is organized by geographic location.

So let's assume that all machines in Texas are in a group inside EPO called Texas. To make the change, do this:

  1. Log on to the EPO console
  2. Navigate to the Texas group | Assigned Policies
  3. Create a new agent policy for this group and edit it
  4. Click on the Repositories tab of the agent policy. This section of the agent policy controls what repositories the agent can use and how it selects them.
  5. Select Use order in repository list.
  6. Order the repositories in the list appropriately.
  7. Disable any repository that you do not want the agents in the Texas group to use under any circumstance and save the policy.
tesdall
Level 9
Message 3 of 10

Re: Help With Repositories

What you're saying is I need to make 13 different lists for 13 different groups to use the correct repository? Kind of seems silly.

Sk1dMARK
Level 11
Message 4 of 10

Re: Help With Repositories

Using your case, I think you would only need 3.  You need one policy per repository assignment.

For example, you could create an HQ repository policy that has a list of the repositories that client machines in HQ could use, and then apply the policy to all of the clients that you want to use that repository or repository order.  And so on for the rest.

Regards,

Mark

tesdall
Level 9
Message 5 of 10

Re: Help With Repositories

That was an example of my network. It's much larger than that.

I have 13 different plants with 5 repositories.

McAfee Employee
Message 6 of 10

Re: Help With Repositories

You can use the default "ping time", where the agents will attempt to connect to the repository that responds with the lowest ping time, if you like; that works fine in most cases. The above instructions are mostly if you want to ensure that under no circumstances a client goes to the wrong repository. If you rely on ping time and the local repository is either down or not up to date, the clients may end up going to the wrong repository, causing congestion on the WAN.

Sk1dMARK
Level 11
Message 7 of 10

Re: Help With Repositories

Regardless.  With your updated figures, you will need 5 policies for what you want to accomplish.

Here's what I have done in my environment.

I have hundreds of sites, over 3 thousand IP subnets, and 8 Distributed Repositories (2 on the east coast, 2 in central, 2 on west coast, and 2 that serve large offices).  Using the subnets in ePO, I have divided up the number of client machines in half per region.  The policies below are what I have applied to clients in each of the geographic areas (half use Policy 1 and the other half use Policy 2, but still only one policy per distributed repository is needed).

If things are right with the ePO infrastructure, half of the machines will update from their regional DR_1 and the other half from their regional DR_2 in each of the geographic areas.  If something is wrong, they will run down the list, which I listed in order based on physical distance, until they find one that works.

EAST Policy 1

East_DR_1
East_DR_2
Central_DR_1
Central_DR_2
West_DR_1
West_DR_2
Large_DR_1
Large_DR_2

EAST Policy 2

East_DR_2
East_DR_1
Central_DR_2
Central_DR_1
West_DR_2
West_DR_1
Large_DR_2
Large_DR_1

Central Policy 1

Central_DR_1
Central_DR_2
East_DR_1
East_DR_2
West_DR_1
West_DR_2
Large_DR_1
Large_DR_2

Central Policy 2

Central_DR_2
Central_DR_1
East_DR_2
East_DR_1
West_DR_2
West_DR_1
Large_DR_2
Large_DR_1

West Policy 1

West_DR_1
West_DR_2
Central_DR_1
Central_DR_2
East_DR_1
East_DR_2
Large_DR_1
Large_DR_2

West Policy 2

West_DR_2
West_DR_1
Central_DR_2
Central_DR_1
East_DR_2
East_DR_1
Large_DR_2
Large_DR_1

Large Policy 1

Large_DR_1
Large_DR_2
West_DR_1
West_DR_2
Central_DR_1
Central_DR_2
East_DR_1
East_DR_2


Large Policy 2

Large_DR_2
Large_DR_1
West_DR_2
West_DR_1
Central_DR_2
Central_DR_1
East_DR_2
East_DR_1

Hope this helps.

Regards,

Mark

on 12/15/09 3:40:56 PM EST
mrpg
Level 7
Message 8 of 10

Re: Help With Repositories

I'm in the same boat, dealing with multiple segmented WANs in almost every state. I've set up the default agent policy to use ping time, but I also see the option for network hops, where you can specify a maximum number of hops. I may try this with a max of 3.

To the question though, I am using ping time and I would give it a success rate of 7 out of 10 - mint the 3 times it misses the closest options - it's usually not a very drastic reach.

McAfee Employee
Message 9 of 10

Re: Help With Repositories

Perhaps some clarification on how ping time works would assist.

So when a client is set to use ping time and it wants to determine what repository it will update from, it does not actually ping all of the repositories (unless you have less than 5 sites); rather, it finds the 5 repositories with the closest subnet value to the client and pings those. Then it attempts to update from whichever of those 5 repositories returns the lowest ping time.

Also, we did not discuss the other option, which is to use Subnet distance to determine the repository. In this scenario, a client machine simply calculates which repository has a subnet closest to its own and uses that repository. This is only helpful if your subnets are set up based on geographic region.
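
A small model of the three selection modes discussed in this thread (ping time, subnet distance, user-defined order), added here as an illustration; it is not McAfee code and not part of any post. The repository addresses, round-trip times and the distance metric (numeric gap between IPv4 addresses) are assumptions, since the thread does not say how the agent computes "closest subnet value".

```python
import ipaddress

# Constructed sample data using the thread's made-up addressing.
REPOS = {"HQ": "10.0.1.10", "Texas": "10.0.2.10", "MO": "10.0.3.10",
         "Plant4": "10.0.4.10", "Plant5": "10.0.5.10",
         "Plant6": "10.0.6.10", "Plant9": "10.0.9.10"}
# Constructed round-trip times in ms; None means the repository did not reply.
RTT_TEXAS_DOWN = {"HQ": 18, "Texas": None, "MO": 16, "Plant4": 40,
                  "Plant5": 41, "Plant6": 39, "Plant9": 5}

def subnet_distance(client_ip, repo_ip):
    """Assumed metric: numeric gap between the two IPv4 addresses."""
    return abs(int(ipaddress.IPv4Address(client_ip))
               - int(ipaddress.IPv4Address(repo_ip)))

def shortlist(client_ip, repos, size=5):
    """The `size` repositories whose subnet value is closest to the client."""
    return sorted(repos, key=lambda n: subnet_distance(client_ip, repos[n]))[:size]

def by_subnet(client_ip, repos):
    """Subnet-distance mode: closest subnet wins, reachability is not tested."""
    return shortlist(client_ip, repos, size=1)[0]

def by_ping(client_ip, repos, rtt, size=5):
    """Ping-time mode: ping only the shortlist, take the lowest reply time."""
    answered = [n for n in shortlist(client_ip, repos, size)
                if rtt.get(n) is not None]
    return min(answered, key=rtt.get) if answered else None

def by_order(ordered, disabled, rtt):
    """User-defined list: first enabled repository that answers."""
    for name in ordered:
        if name not in disabled and rtt.get(name) is not None:
            return name
    return None

if __name__ == "__main__":
    client = "10.0.2.57"  # constructed Texas client
    print("shortlist:", shortlist(client, REPOS))
    print("subnet distance:", by_subnet(client, REPOS))
    print("ping time, Texas down:", by_ping(client, REPOS, RTT_TEXAS_DOWN))
    print("ordered list, MO disabled:",
          by_order(["Texas", "HQ"], {"MO"}, RTT_TEXAS_DOWN))
```

With the Texas repository down, ping time lands on MO because it answers 2 ms faster than HQ, which is the cross-WAN case the ordered list with MO disabled rules out; Plant9 is never pinged because it falls outside the five-repository shortlist.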

Re: Help With Repositories

I ended up making the 5 repositories and making the 5 policies and then deploying the policies at those locations. Since I have a virtual star network, all the traffic would come to HQ before it would go to another repository.

All the locations that have a repository received policies and all the ones that did not have one would just come back to HQ to get the update (or the Internet). But heck, even if they go to the Internet they have to come back to HQ first.

I didn't design the network, I just make sure it works.