New York Data Loss Prevention User Group

  • 1.  Endpoint DLP Agents Installation

    Posted Mar 03, 2011 11:12 AM

    What is the best practice to create the DLP Endpoint Agent installation package when it comes to specifying the Endpoint Prevent server for the agents?  If one installation package is created with hardcoded Endpoint server names, does it mean all agents will try to connect to the 1st server on the list? Are there any best practices for load balancing and management for the server-agent relationship?  We are deploying the Endpoint DLP in a very large environment (over 50,000 clients) and need to be able to manage and load balance the agent communication with the Endpoint Servers.



  • 2.  RE: Endpoint DLP Agents Installation

    Posted Mar 03, 2011 11:24 AM

    There is no load balancing function built into the DLP software. So yes, if you tell the clients to connect to server a, then b, etc. they will attempt to connect in that manner. If server a is up all clients configured to connect to it first will, regardless of load.

     We are using F5 Big IP to load balance these across our endpoint servers and one hostname in the package pointed to the Virtual IP. Symantec frowns upon this configuration but it is working in our environment (30000+ endpoints). The only other solution is to create multiple packages/install scripts and round robin the server names/IPs so that you do not overload one server. This was not acceptable in our environment with the amount of endpoints we have.



  • 3.  RE: Endpoint DLP Agents Installation

    Posted Mar 03, 2011 12:21 PM

    Multiple packages/scripts are not acceptable in our environment either.  We are planning to use the F5 to load balance, but having a hard time figuring out how to configure the load balancer to distribute the load without creating much overhead on the endpoint.  Symantec doesn't recommend too frequent jumps between the endpoint servers (KB Article ID: 54056).  So if I create an F5 pool for several Endpoint Prevent servers with sticky connections, how can I control which agent talks to which Endpoint server?  My understanding is that if I use a virtual IP in the installation script for 50K agents, all 50K of them will try to connect to the 1st endpoint server in the pool and if the capacity of the 1st server is maxed out, the next agents will connect to the next server on the list. But I cannot think of a way to control/manage which agent connects to which endpoint server.



  • 4.  RE: Endpoint DLP Agents Installation

    Posted Mar 04, 2011 10:26 AM

    Would it not make sense to round-robin endpoint agent connections across available endpoint servers, with stickiness based on source IP address?



  • 5.  RE: Endpoint DLP Agents Installation

    Posted Mar 09, 2011 11:17 AM

    What is your software deployment tool?  You could easily use the software deployment tool to execute a different MSI install command based on the location the computers are at.

    Example:  My computers in Grand Rapids execute the MSI command w/ the server in Grand Rapids, my computers in Atlanta execute the MSI command w/ the server in Atlanta, etc.


    That would then help ease both the deployment of the agent and help balance the load out across different servers.



  • 6.  RE: Endpoint DLP Agents Installation

    Posted Apr 26, 2011 04:17 PM

    Brett,

    Have you experienced any issues with your F5 since this post?  I am looking to use an F5 for load balancing but am experiencing challenges with identifying the right setup.  In particular, how did you address the need for DLP to have a persistent connection between the client and endpoint server?  Our concern is that if we can't get stickiness or persistence in our load balancing, we may have a lot of extra network overhead with connections being dropped and re-established.

    Thanks



  • 7.  RE: Endpoint DLP Agents Installation

    Trusted Advisor
    Posted Apr 26, 2011 05:17 PM

    There is no load balancing for Endpoint DLP; using a load balancer will not work since there are persistent connections.

    If you are trying to load balance agents that are all in 1 site you will need to have more than one installation script with the servers in opposite order to help balance the agents between the servers.

    If you are trying to make the agents connect to the CLOSEST server when they are roaming between locations that have their own Endpoint Server, then try using location-based DNS: have one single DNS name be the same across the corporate network and then have that DNS name point to a different locally based IP address of the closest server.
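
The "multiple install scripts with the servers in opposite order" approach from posts 2 and 7, combined with the per-site MSI command from post 5, can be generated rather than hand-built. The following is an added example and is not code from the thread or from Symantec: it maps a client IP to a site, builds one package per Endpoint server with the server list rotated, and picks a package per host deterministically so a reinstall lands on the same order. The site names, subnets, server hostnames, the `ENDPOINTSERVER` MSI property, the comma-separated `host:port` format and port 10443 are all assumptions to be checked against the agent installation guide for your DLP version.

```python
import hashlib
import ipaddress

# Constructed sample topology (not from the thread): Endpoint Prevent servers
# per site and the client subnets that belong to each site.
SITE_SERVERS = {
    "grand-rapids": ["dlp-ep-gr1.example.com", "dlp-ep-gr2.example.com"],
    "atlanta": ["dlp-ep-atl1.example.com", "dlp-ep-atl2.example.com",
                "dlp-ep-atl3.example.com"],
}
SITE_SUBNETS = {
    "grand-rapids": ipaddress.ip_network("10.10.0.0/16"),
    "atlanta": ipaddress.ip_network("10.20.0.0/16"),
}
AGENT_PORT = 10443  # assumed Endpoint Server agent port; verify for your version


def site_for(client_ip):
    """Map a client IP to its site, or None if it is in no known site subnet."""
    addr = ipaddress.ip_address(client_ip)
    for site, net in SITE_SUBNETS.items():
        if addr in net:
            return site
    return None


def rotated(servers, k):
    """Rotate the server list left by k so each package starts on a different server."""
    k %= len(servers)
    return servers[k:] + servers[:k]


def packages_for_site(site):
    """One install package per server: package k lists the site's servers rotated by k.
    Every package still names every server, so the agent's failover order is kept."""
    servers = SITE_SERVERS[site]
    return [rotated(servers, k) for k in range(len(servers))]


def package_index(hostname, n_packages):
    """Pick a package for a host by hashing its name (case-insensitive).
    Deterministic, so a reinstall on the same host gets the same server order."""
    digest = hashlib.sha256(hostname.lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_packages


def server_order(hostname, client_ip):
    """Ordered Endpoint server list this host's package should carry."""
    site = site_for(client_ip)
    if site is None:
        raise ValueError(f"{client_ip} is not in any known site subnet")
    packages = packages_for_site(site)
    return packages[package_index(hostname, len(packages))]


def install_command(hostname, client_ip, msi="AgentInstall.msi"):
    """Build the msiexec line for one host. The ENDPOINTSERVER property and the
    comma-separated host:port list are assumptions, not the documented syntax."""
    servers = ",".join(f"{s}:{AGENT_PORT}" for s in server_order(hostname, client_ip))
    return f'msiexec /i {msi} /q ENDPOINTSERVER="{servers}"'


def first_server_counts(hosts):
    """Sanity check on the spread: how many hosts get each server as first choice."""
    counts = {}
    for hostname, ip in hosts:
        first = server_order(hostname, ip)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed inventory: 1000 workstations per site.
    hosts = [(f"gr-ws{i:04d}", f"10.10.{i // 250}.{i % 250 + 1}") for i in range(1000)]
    hosts += [(f"atl-ws{i:04d}", f"10.20.{i // 250}.{i % 250 + 1}") for i in range(1000)]
    print(install_command("gr-ws0007", "10.10.0.8"))
    for server, n in sorted(first_server_counts(hosts).items()):
        print(f"{server}: {n}")
```

The deployment tool runs `install_command` per host (or per package, grouping hosts by `package_index`). Note that this only balances the initial connection: as post 2 describes, every agent in a package will still fail over to the next server in its list when its first choice is down, so the servers must be sized for that.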



  • 8.  RE: Endpoint DLP Agents Installation

    Posted Apr 26, 2011 06:43 PM

    We have not experienced any issues with this configuration. I believe the persistence is between 2-8 hours. I can find out the actual numbers as I do not administer the F5's.



  • 9.  RE: Endpoint DLP Agents Installation

    Posted Apr 26, 2011 06:52 PM

    Depending on how your network is laid out you may want to look at using iRules to break up the traffic so that machines on subnet 10.10.x.x get sent to endpoint monitor1 and machines on subnet 10.20.x.x get sent to endpoint monitor2 and so on.

    The load balancing issue is something that Symantec needs to spend some time on resolving.
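
Putting posts 3, 4, 8 and 9 together, the load-balancer side of this looks like the iRule below. It is an added example, not configuration from the thread, from F5 or from Symantec, and as post 7 notes this is not a vendor-supported setup. It selects a pool by client subnet and keeps source-address persistence so an agent is not bounced between servers on every reconnect; the pool names, subnets and the 8-hour timeout (the upper end of the 2-8 hours mentioned in post 8) are assumptions.

```tcl
# Added example, not from the thread: F5 LTM iRule attached to the virtual
# server that the agents' single hostname resolves to.
when CLIENT_ACCEPTED {
    # Persist on the client's source address for 28800 s (8 hours), so that
    # while the record lives an agent always lands on the same Endpoint
    # server. When it expires the agent may move, which is the "jump" the
    # KB article warns about; size the timeout accordingly.
    persist source_addr 255.255.255.255 28800

    # Route by client subnet, one pool per site (assumed names and ranges).
    if { [IP::addr [IP::client_addr] equals 10.10.0.0/16] } {
        pool dlp_endpoint_pool_site1
    } elseif { [IP::addr [IP::client_addr] equals 10.20.0.0/16] } {
        pool dlp_endpoint_pool_site2
    } else {
        # Roaming or unknown clients fall back to the default pool.
        pool dlp_endpoint_pool_default
    }
}
```

With round-robin as the pool's load-balancing method, the first connection from each agent is spread across the members of its site's pool, and the persistence record then pins subsequent connections to that member.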