Endpoint Security Sizing

The purpose of this document is to help you plan your Endpoint Security environment. It describes the best practices for server deployment and sizing the Endpoint Security servers.

Hardware requirements depend on:

  • The total number of deployed Endpoint Security clients.

  • The Endpoint Security Blades that are installed on the Endpoint Security clients.

  • The size of the portion of the Active Directory that is scanned by the Directory Scanner.

Below are tables with minimum requirements per number of Endpoint Security clients and AD size.

Notes on the sizing information:

  • All clients shown in the tables have all Endpoint Security blades (SandBlast Agent complete) installed, unless individual blades are listed.

  • The Directory Scanner does not scan all objects in the AD. It scans Users, Computers, Groups, and Organizational Units (OUs). For example, printers are not scanned.

  • You can configure the Directory Scanner to scan only relevant parts of the AD. For example, scan only one OU if all deployed Endpoint Security clients reside in the OU.

Endpoint Security Management Server

This table shows the minimum requirements per number of Endpoint Security clients and AD size for Endpoint Security servers.

Note - Between the values of "Number of Clients" and "Number of AD Objects Scanned" the higher number should dictate the required appliance.

| Row # | Number of Endpoint Security Clients | AD Objects Scanned | Endpoint Security Management Server | Policy Servers |
|---|---|---|---|---|
| 1 | 2,500 | 12,500 | Smart-1 410 | none |
| 2 | 5,000 | 25,000 | Smart-1 625 | none |
| 3 | 10,000 | 50,000 | Smart-1 625 | 1 Smart-1 410 |
| 4 | 20,000 | 100,000 | Smart-1 5050 | 1 Smart-1 625 |
| 5 | 50,000 | 250,000 | Smart-1 5050 | 2 Smart-1 625 |
| 6 | 80,000 | 400,000 | Smart-1 5050 | 3 Smart-1 625 |
| 7 | 100,000 and more | 500,000 or more* | Smart-1 5150 | 1 Smart-1 625 for each 25,000 clients. |

* AD object scans are certified for 2,000,000 AD objects; however, the number of scanned AD objects is not limited.

In addition to the recommended number of Endpoint Policy Servers, you can add more Endpoint Policy Servers for redundancy. If one Endpoint Policy Server is down, clients will connect to a different Endpoint Policy Server and not the Endpoint Security Management Server.

For better client-to-server performance, consider adding more Endpoint Policy Servers based on the geographical location of the Endpoint Security clients.

Note - The maximum number of supported Endpoint Policy Servers in an environment is 25.

Calculating minimum hardware requirements

  1. Find the row that has a Number of Endpoint Security Clients that is closest to but no less than the number in your environment. For example, if you have 52,000 clients, look at row 6.

  2. In the same row, look at the number of AD Objects Scanned. For more information, see Active Directory Size Estimation.

    • If the number of AD Objects Scanned is equal to or more than the number in your environment, the hardware requirements in that row apply to your environment.

    • If the number of AD Objects Scanned is less than the number in your environment, find the row that has the number of AD Objects Scanned that is closest to but no less than the number in your environment. The hardware requirements in that row apply to your environment.

For example, row 3 shows that an Endpoint Security Management Server on Smart-1 625 with one Endpoint Policy Server on Smart-1 410 supports up to 10,000 clients and up to 50,000 scanned AD objects. If you are deploying more than 10,000 clients or intend to scan more than 50,000 AD objects, then the requirements of row 3 are not enough for your environment. Look in the lower rows to find a better match.

If you have 15,000 clients but 350,000 scanned AD objects, the requirements of row 6 apply to your environment. However, each Endpoint Policy Server can handle 27,000 clients, so only 1 Smart-1 625 Endpoint Policy Server is required.

 

Note - You can configure the Directory Scanner to scan only relevant parts of the AD. For example, scan only one OU if all deployed Endpoint Security clients reside in the OU.
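The row-selection procedure above can be scripted for capacity planning. The following is an added example, not part of the original document or any vendor tool; the function names are hypothetical. It assumes that the Policy Server count follows the row matched by client count alone (consistent with the 15,000-client example above) and that the "for each 25,000 clients" rule in row 7 rounds up.

```python
import math

# Rows 1-6 of the sizing table on this page:
# (row, max clients, max AD objects scanned, management server, policy servers)
ROWS = [
    (1, 2_500, 12_500, "Smart-1 410", "none"),
    (2, 5_000, 25_000, "Smart-1 625", "none"),
    (3, 10_000, 50_000, "Smart-1 625", "1 Smart-1 410"),
    (4, 20_000, 100_000, "Smart-1 5050", "1 Smart-1 625"),
    (5, 50_000, 250_000, "Smart-1 5050", "2 Smart-1 625"),
    (6, 80_000, 400_000, "Smart-1 5050", "3 Smart-1 625"),
]
MAX_POLICY_SERVERS = 25  # maximum supported per environment, per the note above


def row_index(value, column):
    """Index of the first row whose limit in `column` is >= value; None means row 7."""
    for i, row in enumerate(ROWS):
        if value <= row[column]:
            return i
    return None


def size_environment(clients, ad_objects):
    """Apply steps 1 and 2: the higher of the two matching rows dictates the appliance."""
    by_clients = row_index(clients, 1)
    by_ad = row_index(ad_objects, 2)
    if by_clients is None or by_ad is None:
        row, management = 7, "Smart-1 5150"
    else:
        chosen = ROWS[max(by_clients, by_ad)]
        row, management = chosen[0], chosen[3]

    # Assumption: Policy Servers scale with clients, not with AD objects.
    if by_clients is None:
        count = math.ceil(clients / 25_000)  # assumption: round up
        if count > MAX_POLICY_SERVERS:
            raise ValueError("more than 25 Endpoint Policy Servers required")
        policy = f"{count} Smart-1 625"
    else:
        policy = ROWS[by_clients][4]
    return {"row": row, "management": management, "policy_servers": policy}


if __name__ == "__main__":
    print(size_environment(52_000, 260_000))
    print(size_environment(15_000, 350_000))
```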

Open Server Hardware Requirements

| Component | Smart-1 410 Equivalent | Smart-1 625 Equivalent | Smart-1 5050 Equivalent | Smart-1 5150 Equivalent |
|---|---|---|---|---|
| Total CPU Cores | 4 | 6 | 16 | 24 |
| Memory | 8 GB | 16 GB | 32 GB | 64 GB |
| Free Disk Space | 845 GB | 1 TB | 2 TB | 4 TB |

Best Practices for environments with 20K clients or more

In environments that include 20,000 clients or more, we recommend these configurations:

  1. Do not configure the Endpoint Security Management Server as an Endpoint Policy Server. See Enabling the Management Server to be an Endpoint Policy Server in the Endpoint Security E80.30 Administration Guide.

    Install external Endpoint Policy Servers to handle requests from Endpoint Security clients.

    Explanation: This makes the Endpoint Security Management Server resources available for other tasks and reduces bandwidth between sites.

  2. If more than 80,000 Endpoint Security clients are deployed, increase the Client Heartbeat Interval to 2 minutes.

    Explanation: This reduces the database activity rate.

  3. Do not configure Log forwarding (transferring logs from one Log Server to another).

    Explanation: This distributes the load of log handling between the various servers.

Disk Space Requirements

The Endpoint Security Management Server contains a database that stores all rules, configurations, Endpoint Security client information, monitoring data, and Endpoint Security client logs.

The size of the database depends on these factors:

  • The size of the monitoring data and for how long the monitoring history is saved.

  • The number of endpoint events in the system and for how long they are saved.

  • The Endpoint Security Blades that are installed on the Endpoint Security clients. This affects the amount of data that is saved for each Endpoint Security client.

  • The number of AD objects that are scanned by the Directory Scanner.

Database Purging

A scheduled purge task runs on the database and deletes monitoring data that is out of date. This prevents the database from growing too big and helps to reduce database response times. By default, the purge task runs every 24 hours and purges monitoring data older than 30 days.

Note - It is important to pay attention to available disk space on the Endpoint Security Management Server.

Calculating Minimum Disk Space

Minimum Disk Space for the Database

You can calculate the minimum disk requirements for the database by using the table below. Database growth is approximately linear, so to calculate minimum disk requirements, multiply the minimum disk requirement by the number of clients.

  • The Active Directory size is assumed to be 5 times the number of Endpoint Security clients.

  • All clients shown in the tables have all Endpoint Security blades (Total Security) installed.

| Number of Clients | Minimum disk requirements for the database |
|---|---|
| 2,500 | 1.2 GB |
| 5,000 | 2.4 GB |
| 10,000 | 4.2 GB |
| 80,000 | 30 GB |

Minimum Disk Space for Storing Logs

Endpoint Security servers are configured as Log servers by default; therefore, additional disk space is required for storing logs.

On average, each Endpoint Security client sends 50 logs per hour, and each log requires 200 bytes of disk space. Therefore, 240 KB is required to store one day of logs from one Endpoint Security client.