3 Replies Latest reply on Oct 7, 2013 9:48 AM by andrep1

    The best ePO multi-site design

    dmoore

      Hello,


      I am new to McAfee ePO and I would like to know what is the best design approach that I can use to achieve the following goals in a multi-site network (HQ and 2 branches):


      1) Fault tolerance.

      2) Minimize traffic on slow connections. (WAN)

      3) Perfect updating.


      Having components such as Distributed Repositories and Agent Handlers, how can I utilize them to achieve the above-mentioned goals?


      I've been advised to have the following setup in each location:


      a) Two ePO servers.

      b) Two Distributed Repos.

      c) Two Agent Handlers.


      However, I find that it is too much in terms of cost and manageability.


      Suggestions are appreciated.


      Thanks

        • 1. Re: The best ePO multi-site design
          andrep1

          Good morning.


          A few questions to get the ball rolling on this discussion.


          1. What is your SQL server setup? ePO is totally dependent on the database that hosts the ePO data, and it is a key component of redundancy. This should be your most solid component.

          2. What are you trying to make fault tolerant? DAT file updates, event collection from the agent, the management console?

          3. Are you trying to minimize total traffic or peak traffic? Is this about cost or about keeping off the WAN for user experience?

          4. Will you be using ePO to do product deployments or just to manage the products?

          5. When you say perfect updating, do you mean updating ASAP (that is, as soon as McAfee makes an update available)?


          You mention two ePO servers and two agent handlers in each site. As an example, I have 100+ sites and 50000+ devices with one ePO server and one agent handler. It is very solid. So I do agree it sounds too much in terms of cost and manageability.

          • 2. Re: The best ePO multi-site design
            dmoore

            Hi Andre,


            Thanks for your reply.


            Please see the answers below:


            1) SQL Server Express that is built in to the ePO.

            2) Fault tolerance for the McAfee data traffic, which includes both DAT updates and event collection from agents in all sites. In other words, updates should be available 24x7 to managed systems in case the master and distributed repos are unavailable (the fallback site is a last resort). Also, agent-to-server communication should be available 24x7 in case one of the handlers goes offline.

            3) Yes, I want the managed systems traffic in remote sites to stay local. I believe Agent Handlers and Distributed repos are meant for this goal.

            4) Both.

            5) No, I mean updates should reach the managed systems 24x7 in general. Of course, it is also good to update the systems as soon as McAfee makes an update available. So, I will consider this as well.


            "You mention two ePO servers and two agent handlers in each site. As an example, I have 100+ sites and 50000+ devices with one ePO server and one agent handler. It is very solid. So I do agree it sounds too much in terms of cost and manageability."


            I wonder what will be your response if that one ePO (and its built-in database) goes offline. Unless you host the DB in a different server, the death of an ePO server is not an issue. However, it is still an issue for the managed systems and repos.


            Thanks

            • 3. Re: The best ePO multi-site design
              andrep1

              Hi dmoore.


              I'm not sure how your setup would work...

              But in regards to the question on our setup, our database server is a full SQL Server, clustered and replicated. So, our database doesn't go down.


              So, an ePO server can be connected to one DB, and it is one DB per ePO server. The ePO server can be clustered in active/passive, but I'm not sure if SQL Express can. It would surprise me.

              An agent can talk to one ePO server, many handlers.

              An agent handler is a mini ePO server without the console; it needs to connect to your SQL Express server on a high-speed, low-latency link. An agent handler works best on a LAN connection to the database server.

              Once you have an agent handler, your agents will recognize this as a way to communicate with the database and get updates. The handler IP and name will be communicated to the agents in the framepackage sitelist/ePO agent policy.

              If your database is down, like when your ePO server is down or when you are doing database maintenance, your agent handler and ePO servers are useless. But your agents would still run the tasks and apply the policies; that doesn't go away with ePO down. Also, if your policy has McAfee as a fallback, they can update from there.

              So this brings me back to the database: it needs to be solid and ideally independent of your ePO server.


              Super agent repositories can be set up in each site if required and can be set up as a software source/replication point. The super agent will answer the agents for software requests and take care of the wake-up traffic from ePO. What you will have on the WAN will be agent check-in (policies, events) and master repository replication to the super agents. Your agent policy can be set up such that your agents use the "network closest" repository.


              There is a feature called global update that, for example, will replicate the DAT files to all the super agents and then wake up all the agents to do a DAT file update. It is very efficient.


              So what I would see for your setup would be a super agent in each branch; a file and print server works well for that. In HQ, an ePO server + agent handler server. Dedicate a box to SQL Express or reuse an existing SQL server.