7 Replies Latest reply on May 23, 2012 10:08 AM by JoeBidgood

    How many Agent Handlers are supported?

    Troja

      Hi all,

      today we are discussing how many Agent Handlers are supported by EPO 4.6.2. There is an older discussion where up to 90 Agent Handlers in one environment are working fine.

       

      Is this true?

      Does anyone know if there is any limit??

       

      This is the link to the original diskussion. 'AH - How many AHs aresupported?'

       

      Cheers,

      Thorsten

       

      Nachricht geändert durch Troja on 22.05.12 11:11:53 MESZ
        • 1. Re: How many Agent Handlers are supported?
          JoeBidgood

          It's not really a case of whether or not it's supported, but whether or not it is practical and good design. As Jon says in the other discussion "agent handlers were *explicitly* implemented for performance and scalability reasons -- not topology."

           

          Why would you want to have so many agent handlers?

           

          Regards -

           

          Joe

          • 2. Re: How many Agent Handlers are supported?
            Troja

            Hi Joe,

            this installation design is for a big company with several sub companies. But in fact, there will never be 90 Agent Handlers installed. i think we will need up to 20 AH.

             

            The network is designed in this way.

            - the epo server is located in the head office

            - there are several branch offices where no direct IP communication is allowed, just the AH communication to epo server.

             

            Therefore a AH is needed for any branch office.

             

            Today the we have the following questions.

            - Could there by any perfomance problem or is there any limit for AH installations?

            - Is there a difference when using just VSE or several products with AH?

             

            Today i don´t know which McAfee products will be managed by EPO/AH. The managed McAfee products can be different at the branch offices.

             

            Regards,

            Thorsten

            • 3. Re: How many Agent Handlers are supported?
              JoeBidgood

              Troja wrote:

               

              Hi Joe,

              this installation design is for a big company with several sub companies. But in fact, there will never be 90 Agent Handlers installed. i think we will need up to 20 AH.

               

              The network is designed in this way.

              - the epo server is located in the head office

              - there are several branch offices where no direct IP communication is allowed, just the AH communication to epo server.

               

              Therefore a AH is needed for any branch office.


               

              This isn't strictly correct - you don't need an AH in this environment: in fact it's a bad idea. There will be more traffic, over more ports, using an AH as opposed to simply allowing the agents to communicate directly with the ePO server. (The AH needs to be able to talk to SQL directly, as well as the ePO server.)

               

              Today the we have the following questions.

              - Could there by any perfomance problem

               

              Definitely. AHs require high-speed, low-latency connections to the SQL server: an AH at the end of a slow or saturated network link can absolutely kill ePO's performance, since the slow AH will be locking the database while it works, preventing the other AHs from working.

               

               

              - Is there a difference when using just VSE or several products with AH?

               

              Certain products, for example EEPC and DLP, are more intensive than others, but it all depends on how many clients are in use and how things are configured - it's a bit difficult to give you a simple answer, I'm afraid.

               

              From what you've described here I don't think you need any remote agent handlers at all - instead a "normal" ePO design is more applicable, where the client machines talk to a single ePO server, and (if necessary) a distributed repository is placed at the branch sites to help with updating. (I would recommend superagent repositories with the lazy caching function enabled, to reduce WAN traffic as much as possible.) I would strongly recommend against agent handlers in this environment - I think you'll simply cause yourself a lot of problems for no benefit.

               

              HTH -

               

              Joe

              • 4. Re: How many Agent Handlers are supported?
                Troja

                Hi Joe,

                thanks for the technical explanation. Designing epo environment is not always based on technical standards. In this case...

                - the epo admin is located at the head office. There is no admin in the branch offices. Therefore one epo server should be used

                - the epo admin is not allowed to connect remotely to any system in the branch office. McAfee Agent is installed by an local admin. Anythin else should be done automatically then.

                - the branch offices must be separated (political requirement)

                - AH to epo server is defined as a 1:1 connection between two systems and this is the only way. It is okay for customer when if there are several ports opened on firewall, because it is a "1:1" connection.

                 

                The connections to the branch offices are quite fast and there is a real small latency. The SQL Server ist a cluster system with 16CPUs and about 32GB RAM.

                 

                The only question is, unaccounted for the clients and network connections, if there is any limitation how many AH are connecting to the epo server.

                 

                Best Regards,

                Thorsten

                • 5. Re: How many Agent Handlers are supported?
                  JoeBidgood

                  That's unfortunate. I genuinely believe this is a bad idea and it's a question of when, not if, you'll run into problems.

                   

                  - AH to epo server is defined as a 1:1 connection between two systems and this is the only way.

                   

                  This requirement is that one that is locking you into a bad design decision.What is the logic behind this choice? What benefit is supposedly gained by doing things this way?

                   

                  Also - I was wondering how many branch offices we're talking about, and how many client machines in total?

                   

                  Thanks -

                   

                  Joe

                  • 6. Re: How many Agent Handlers are supported?
                    Troja

                    Hi Joe,

                    we have no impact to the network logic or political dependencies. The condition for us are:

                    - Any branch office must be separated because there are non company members located there.

                    - Multiple connections between epo server and AH are selected as a 1 to 1 connection by security team *lol*

                    - There is no chance to change this in any way.

                     

                    There are only two options for us. We get this work or there will be Symantec or TrendMicro installed. :-/

                    There is a POC installed at the customer where all is working fine today.

                     

                    Also - I was wondering how many branch offices we're talking about, and how many client machines in total?

                     

                    There will be up to 20 Offices. Each office has a least a 100MBit connection to the head office. The IP latency is negigible. The amount of endnodes can be from 50 clients up to approx. 2500 clients.

                     

                    Btw, if the epo sever and AH are located in the same subnet on the same switch is there any limitation regarding the amount of AHs?

                     

                    Regards,

                    Thorsten

                     

                    Nachricht geändert durch Troja on 23.05.12 16:39:27 MESZ
                    • 7. Re: How many Agent Handlers are supported?
                      JoeBidgood

                      Btw, if the epo sever and AH are located in the same subnet on the same switch is there any limitation regarding the amount of AHs?

                       

                      Sorry, should have said earlier - as far as I know there is no limit to the number of AHs that you can have. The only practical limit is when you start to have problems, which depends entirely on the environment.

                       

                      I realise you don't have any control over this environment - I wish you luck with the project. As an aside, I'm not familiar with Symantec or Trend - I wonder how their products will work in this environment?

                       

                      Regards -

                       

                      Joe