
External Endpoint Policy Servers

In This Section:

Overview of Endpoint Policy Servers

Installing and Configuring an Endpoint Policy Server

How do Endpoint Policy Servers Work?

Configuring Policy Server Settings

Monitoring Endpoint Policy Server Activity

Overview of Endpoint Policy Servers

If no external Endpoint Policy Servers are configured, the Endpoint Security Management Server, which contains an Endpoint Policy Server, manages all client requests and communication.

If you install more Endpoint Policy Servers, they manage most communication with the Endpoint Security clients. This keeps the Endpoint Security Management Server more available for other tasks. If you configure the Endpoint Security Management Server to behave as an Endpoint Policy Server in addition to other Endpoint Policy Servers, the work of communication with the clients is distributed to them all.

Installing and Configuring an Endpoint Policy Server

We recommend that you use a distributed deployment that contains external Endpoint Policy Servers on dedicated computers.

An Endpoint Policy Server is a Log Server that you configure as an Endpoint Policy Server.

To install an Endpoint Policy Server:

To install an Endpoint Policy Server, install a Log Server and configure it as an Endpoint Policy Server. Use the instructions in the R80.20 Installation and Upgrade Guide.

Configuring an Endpoint Policy Server

To define a new Endpoint Policy Server:

  1. In SmartEndpoint, go to Manage > Endpoint Servers.

    The Endpoint Server window opens.

  2. Click New.

    To edit an existing server, select it from the list and click Edit.

  3. Enter Server Name and IP Address.
  4. Select Endpoint Policy Server.
  5. Click Next.
  6. Select an option to initiate secure trusted communication now or later:
    • Initiate trusted communication (If the servers are up and able to communicate)
      • Enter and confirm an Activation Key. You will enter this same key on the other servers.
      • Click Initialize.
    • Skip and initiate trusted communication later (If the servers are not ready to communicate)
  7. Click Next.

    A warning pop-up window shows.

  8. Click OK.
  9. Click Finish.

    The Install Database window opens.

  10. Wait for the database installation to finish.

    The Close button becomes available.

How do Endpoint Policy Servers Work?

External Endpoint Policy Servers decrease the load of the Endpoint Security Management Server and reduce the bandwidth required between sites. By default, the Endpoint Security Management Server also acts as an Endpoint Policy Server, in addition to the other Endpoint Policy Servers. The work of communication with the Endpoint Security clients is distributed among all of them.

The Endpoint Policy Servers are located between the Endpoint Security clients and the Endpoint Security Management Server. For most tasks, Endpoint Security clients communicate with the Endpoint Policy Servers and the Endpoint Policy Servers communicate with the Endpoint Security Management Server.

If there are multiple Endpoint Policy Servers in an environment, each Endpoint Security client does an analysis to find which Endpoint Policy Server is "closest" (will be fastest for communication) and automatically communicates with that server.

Diagram legend:

  1 - Active Directory Domains
  2 - Endpoint Security Management Server
  3 - External Endpoint Policy Server
  4 - Enterprise workstations with Endpoint Security clients installed

The Endpoint Policy Server handles the most frequent and bandwidth-consuming communication. The Endpoint Policy Server handles these requests without forwarding them to the Endpoint Security Management Server:

The Endpoint Policy Server sends this data to the Endpoint Security Management Server:

Configuring Policy Server Settings

The primary aspects of working with Endpoint Policy Servers that you can configure are:

Endpoint Policy Server Proximity Analysis

In a large network, multiple Endpoint Policy Servers can be available for an endpoint client. In such an environment, the client does an analysis from a list of Endpoint Policy Servers to find the server closest to it. The client sends a specified HTTP request to all Endpoint Policy Servers on the list. The server that replies the fastest is considered to be closest.

The server list is an XML file named epsNetwork.xml. It is located at $UEPMDIR/engine/conf/ on the Endpoint Security Management Server. It contains:

How the proximity analysis works:

  1. The Endpoint Security Management Server creates a list of Endpoint Policy Servers based on the servers configured in the SmartEndpoint.
  2. The Endpoint Security Management Server pushes the list to the clients.
  3. The Device Agent on the client does a proximity analysis after a specified interval to find the Endpoint Policy Server 'closest' to it. Some events in the system can also cause a new proximity analysis. Proximity is based on the response time of a specified HTTP request sent to all servers on the list.

Note - Proximity is not based on the physical location of the server. A client in New York will connect to the California Endpoint Policy Server if the California Endpoint Policy Server replies before the New York Endpoint Policy Server.

  4. The client tries to connect to the closest Endpoint Policy Server.
  5. If a server is unavailable, the Device Agent tries the next closest server on the list until it makes a connection.
  6. Based on data contained in the shared list, the client and Endpoint Policy Server create connection URLs.

Clients continue to connect to the closest Endpoint Policy Server until the next proximity analysis.

Note - You cannot configure which particular Endpoint Policy Server a client should use, only the list of servers from which the client chooses.

Configuring Endpoint Policy Server Connections

To configure Endpoint Policy Server connections:

  1. From SmartEndpoint menu, select Manage > Endpoint Connection Settings.
  2. Enter or select the Interval between client heartbeats value (Default = 60 seconds).
  3. Enter or select the Client will re-evaluate the nearest Policy Server after value (default = 120 minutes).

    This value is the interval, in minutes, after which endpoint clients search for the closest available Endpoint Policy Server.

  4. Optional: Select Enable Endpoint Security Management Server to be the Endpoint Policy Server.

    This option includes Endpoint Security Management Servers in the search for the closest Endpoint Policy Server.

  5. Enter or select the Client will restrict non-compliant endpoint after value (default = 5 heartbeats).
  6. Click OK.
  7. Install policies to endpoint computers.

Enabling the Management Server to be an Endpoint Policy Server

Configure whether the Endpoint Security Management Server behaves as an Endpoint Policy Server along with the other Endpoint Policy Servers.

The default is that the Endpoint Security Management Server does behave as an Endpoint Policy Server.

Note - If you do not explicitly enable the Endpoint Security Management Server to behave as an Endpoint Policy Server, it is still in the proximity analysis list. If no other Endpoint Policy Servers can reply to a client, the Endpoint Security Management Server replies.

To configure the Endpoint Security Management Server to behave as an Endpoint Policy Server only when no other Endpoint Policy Server responds:

  1. In SmartEndpoint, select Manage > Endpoint Connection Settings.
  2. Clear Enable Endpoint Management Server to be Endpoint Policy Server.
  3. Click OK.
  4. Select File > Install Policies or click the Install Policies icon.
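The following is an added example, written for this page and not Check Point's client code, that simulates the proximity analysis described above (one HTTP probe to every server on the list, fastest reply wins, fallback to the next closest server on connection failure) together with the effect of clearing the "Enable Endpoint Security Management Server to be Endpoint Policy Server" option. The XML layout, the attribute names (name, ip, port, role), the hostnames and the latencies are all constructed assumptions; the real epsNetwork.xml schema and the real connection URLs are not shown on this page.

```python
"""Simulated Endpoint Policy Server proximity analysis with fallback.

Added example for this page, not Check Point's client. The XML layout,
attribute names and hostnames below are constructed assumptions.
"""
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

Server = Dict[str, str]

# Constructed sample list (assumed layout, not the real epsNetwork.xml format).
SAMPLE_EPS_NETWORK_XML = """<epsNetwork>
  <server name="eps-newyork"    ip="10.1.0.10" port="443" role="policy"/>
  <server name="eps-california" ip="10.2.0.10" port="443" role="policy"/>
  <server name="esms-hq"        ip="10.0.0.5"  port="443" role="management"/>
</epsNetwork>"""


def parse_server_list(xml_text: str) -> List[Server]:
    """Return the servers from the (assumed) XML list, in file order."""
    root = ET.fromstring(xml_text)
    return [dict(el.attrib) for el in root.findall("server")]


def build_connection_url(server: Server) -> str:
    """Constructed URL shape; the page does not show the real connection URLs."""
    return f"https://{server['ip']}:{server['port']}/"


def http_probe(server: Server, timeout: float = 2.0) -> Optional[float]:
    """Real probe: time one HTTP request; None if the server does not answer.
    Any HTTP status counts as a reply. Not used by the offline run below."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(build_connection_url(server), timeout=timeout):
            pass
    except urllib.error.HTTPError:
        pass                      # the server replied, just not with 2xx
    except OSError:
        return None               # timeout, refused, DNS failure: no reply
    return time.perf_counter() - start


Probe = Callable[[Server], Optional[float]]


def rank_by_proximity(servers: List[Server], probe: Probe,
                      management_is_policy_server: bool = True) -> List[Tuple[Server, float]]:
    """Probe every server and order by response time, fastest first.

    Servers that never reply are dropped. With the management option cleared,
    the management server stays on the list but is moved to the end, so it is
    used only when no Endpoint Policy Server answers (simplified model of the
    page's note on that option; proximity is response time, not location)."""
    replied: List[Tuple[Server, float]] = []
    for server in servers:
        rtt = probe(server)
        if rtt is not None:
            replied.append((server, rtt))
    replied.sort(key=lambda pair: pair[1])
    if not management_is_policy_server:
        mgmt = [p for p in replied if p[0].get("role") == "management"]
        replied = [p for p in replied if p[0].get("role") != "management"] + mgmt
    return replied


def connect_with_fallback(ranked: List[Tuple[Server, float]],
                          try_connect: Callable[[Server], bool]) -> Optional[Server]:
    """Try the closest server first; on failure, move to the next closest."""
    for server, _rtt in ranked:
        if try_connect(server):
            return server
    return None


# --- Offline simulation (constructed values) ------------------------------
# California answers faster than New York, the case the page's note describes.
SIMULATED_RTT = {"eps-newyork": 0.080, "eps-california": 0.025, "esms-hq": 0.060}
SIMULATED_DOWN = {"eps-california"}   # closest server fails at connect time


def simulated_probe(server: Server) -> Optional[float]:
    return SIMULATED_RTT.get(server["name"])


def simulated_connect(server: Server) -> bool:
    return server["name"] not in SIMULATED_DOWN


def run_proximity_analysis(xml_text: str = SAMPLE_EPS_NETWORK_XML, probe: Probe = simulated_probe,
                           connect: Callable[[Server], bool] = simulated_connect,
                           management_is_policy_server: bool = True):
    """Return (server names in proximity order, name of the server connected to)."""
    servers = parse_server_list(xml_text)
    ranked = rank_by_proximity(servers, probe, management_is_policy_server)
    order = [s["name"] for s, _ in ranked]
    chosen = connect_with_fallback(ranked, connect)
    return order, (chosen["name"] if chosen else None)


if __name__ == "__main__":
    for flag in (True, False):
        order, chosen = run_proximity_analysis(management_is_policy_server=flag)
        print(f"management as policy server={flag}: order={order}, connected={chosen}")
```

With the option enabled, the management server competes on response time like any other server and picks up the connection when the fastest server is down; with the option cleared, it drops to the end of the list and the client falls back to the slower New York policy server first. Swap simulated_probe for http_probe to run the same ranking against real hosts.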

Policy Server and Management Server Communication

The communication between the Endpoint Security Management Server and the Endpoint Policy Servers includes:

Notes on the First Synchronization

After you create the Endpoint Policy Server and install the policy in SmartEndpoint, the first synchronization between the Endpoint Policy Server and Endpoint Security Management Server occurs. During the first synchronization, the Endpoint Policy Server does not handle endpoint requests and shows as Not Active in the Reporting tab.

The first synchronization can take a long time, based on the amount of policies and installation packages that the Endpoint Policy Server must download from the Endpoint Security Management Server.

When the first synchronization is complete, the Endpoint Policy Server will show as Active in the Reporting tab.

Monitoring Endpoint Policy Server Activity

You can see the status of Endpoint Policy Servers in the Reporting tab of SmartEndpoint.

In the Reporting tab, select Endpoint Policy Servers Status.

For more detailed information, you can look at the log messages on the Endpoint Policy Server. They are in: $UEPMDIR/logs

You can see if there are errors in the logs and resolve them if necessary.