I am hoping that the community can give me some pointers and starting ideas for the design and implementation of ePO in our environment.
The environment contains approximately 200 windows servers, the vast majority of which run 2008R2
We have 2 forests, a "frontend" forest that serves the DMZ and a "backend" forest that serves hosts without direct internet connectivity.
Security is a serious consideration within this environment, the windows domains are locked down (all hosts run windows firewall, all 3rd party services and applications run under least privillege service accounts) and the different tiers are seperated by firewalls.
Currently ePO has been setup by a colleague and it consists of a VM that runs both SQL express and ePO server. Due to bandwidth constraints the DB filled up and became unresponsive. In addition the server and DB reside in the DMZ, something we are not particularly keen on.
I have now been tasked with coming up with a more robust design and implementation, getting ePO running and achieving stability and potential for growth will then allow us to implement additional products (FIM being high on the agenda)
So with this background I have some specific questions:
- I plan on moving the DB to a SQL 2008 server. This is hardware (rather than VM) and is clustered so we should have much better performance and stabiity. From my reading this is relatively straight forward, does anyone have any thoughts/suggestions on how to minimise impact from this?
- The ePO server will likely remain in the DMZ and the DB moved to a backend database server. Does this follow suggested best practices? The installation was done in this way to enable connectivity to McAfee for updates. Are there any alternative methods of doing this (ie can I move the ePO server out of the DMZ as well? Is it possible to proxy updates in so fashion? Any other thoughts on best practice around this?
- I plan on full AD integration for user authentication and synchorise with the system tree to AD. I assume that the user account that is required for this simply requires the ability to read LDAP? I have also been unable to find detailed documentation on what service accounts are required for McAfee to run, does anyone have a definitive document?
- Any other general tips? I have seen the best practices documentation and plan on following as best I can. Any input on "deal breakers" and others that don't offer much value?
Appreciate any info you might have, I am new to this product and getting it right is very important to me.