External Endpoint Policy Servers

In This Section: Overview of Endpoint Policy Servers Installing and Configuring an Endpoint Policy Server How do Endpoint Policy Servers Work? Configuring Policy Server Settings Configuring an Alert for a Non-Synchronized Policy Server Monitoring Endpoint Policy Server Activity

Overview of Endpoint Policy Servers

If no external Endpoint Policy Servers are configured, the Endpoint Security Management Server, which contains an Endpoint Policy Server, manages all client requests and communication.

If you install more Endpoint Policy Servers, they manage most communication with the Endpoint Security clients. This keeps the Endpoint Security Management Server more available for other tasks. If you configure the Endpoint Security Management Server to behave as an Endpoint Policy Server in addition to other Endpoint Policy Servers, the work of communication with the clients is distributed to them all.

Installing and Configuring an Endpoint Policy Server

We recommend that you use a distributed deployment that contains external Endpoint Policy Servers on dedicated computers.

• Install at least one Endpoint Policy Server for each remote site.
• For larger sites, install many Endpoint Policy Servers to improve performance.

An Endpoint Policy Server is a Log Server that you configure as an Endpoint Policy Server.

To install an Endpoint Policy Server:

To install Endpoint Policy Server, install a Log Server and configure it as Endpoint Policy Server. Use the instructions in the R80.30 Installation and Upgrade Guide.

Configuring an Endpoint Policy Server

To define a new Endpoint Policy Server:

1. In SmartEndpoint, go to Manage > Endpoint Servers.

   The Endpoint Server window opens.

2. Click New.

   To edit an existing server, select it from the list and click Edit.

3. Enter Server Name and IP Address.
4. Select Endpoint Policy Server
5. Click Next.
6. Select an option to initiate secure trusted communication now or later:
   • Initiate trusted communication (If the servers are up and able to communicate)
     • Enter and confirm an Activation Key. You will enter this same key on the other servers.
     • Click Initialize.
   • Skip and initiate trusted communication later (If the servers are not ready to communicate)
7. Click Next.

   A warning pop-up window shows.

8. Click OK.
9. Click Finish.

   The Install Database window opens.

10. Wait for the database installation to finish.

    The Close button becomes available.

How do Endpoint Policy Servers Work?

External Endpoint Policy Servers decrease the load of the Endpoint Security Management Server and reduce the bandwidth required between sites. By default, the Endpoint Security Management Server also acts as an Endpoint Policy Server, in addition to the other Endpoint Policy Servers. The work of communication with the Endpoint Security clients is distributed among all of them.

The Endpoint Policy Servers are located between the Endpoint Security clients and the Endpoint Security Management Server. For most tasks, Endpoint Security clients communicate with the Endpoint Policy Servers and the Endpoint Policy Servers communicate with the Endpoint Security Management Server.

If there are multiple Endpoint Policy Servers in an environment, each Endpoint Security client does an analysis to find which Endpoint Policy Server is "closest" (will be fastest for communication) and automatically communicates with that server.

Item	Description
1	Active Directory Domains
2	Endpoint Security Management Server
3	External Endpoint Policy Server
4	Enterprise workstations with Endpoint Security clients installed

The Endpoint Policy Server handles the most frequent and bandwidth-consuming communication. The Endpoint Policy Server handles these requests without forwarding them to the Endpoint Security Management Server:

• All heartbeat and synchronization requests.
• Policy downloads
• Anti-Malware updates
• All Endpoint Security client logs (the Endpoint Policy Server is configured as Log Server by default).

The Endpoint Policy Server sends this data to the Endpoint Security Management Server:

• All component-specific messages (which require information to be stored in the database). For example, Full Disk Encryption recovery data.
• Monitoring data. This includes the connection state and other monitoring data for connected clients.
• Policy Server generated messages.

Configuring Policy Server Settings

The primary aspects of working with Endpoint Policy Servers that you can configure are:

• The interval after which the clients do an analysis to choose which Endpoint Policy Server to connect to.
• If the Endpoint Security Management Server also behaves as an Endpoint Policy Server or not.

Endpoint Policy Server Proximity Analysis

In a large network, multiple Endpoint Policy Servers can be available for an endpoint client. In such an environment, the client does an analysis from a list of Endpoint Policy Servers to find the server closest to it. The client sends a specified HTTP request to all Endpoint Policy Servers on the list. The server that replies the fastest is considered to be closest.

The server list is an XML file named epsNetwork.xml. It is located at $UEPMDIR/engine/conf/ on the Endpoint Security Management Server. It contains:

• The topology of Endpoint Policy Servers on the network that Endpoint Security clients can connect to.
• Protocols, authentication schemes, and ports for each message passed between client and server.

How the proximity analysis works:

1. The Endpoint Security Management Server creates a list of Endpoint Policy Servers based on the servers configured in the SmartEndpoint.
2. The Endpoint Security Management Server pushes the list to the clients.
3. The Device Agent on the client does a proximity analysis after a specified interval to find the Endpoint Policy Server 'closest' to it. Some events in the system can also cause a new proximity analysis. Proximity is based on the response time of a specified HTTP request sent to all servers on the list.

Note - Proximity is not based on the physical location of the server. A client in New York will connect to the California Endpoint Policy Server if the California Endpoint Policy Server replies before the New York Endpoint Policy Server.

1. The client tries to connect to the closest Endpoint Policy Server.
2. If a server is unavailable, the Device Agent tries the next closest server on the list until it makes a connection.
3. Based on data contained in the shared list, the client and Endpoint Policy Server create connection URLs.

Clients continue to connect to the closest Endpoint Policy Server until the next proximity analysis.

Note - You cannot figure which particular Endpoint Policy Servers a client should use, only a list of servers for the client to choose from.

Configuring Endpoint Policy Server Connections

To configure Endpoint Policy Server connections:

1. From SmartEndpoint menu, select Manage > Endpoint Connection Settings.
2. Enter or select the Interval between client heartbeats value (Default = 60 seconds).
3. Enter or select the Client will re-evaluate the nearest Policy Server after value (default = 120 minutes).

   This value is the interval, in minutes, after which endpoint clients search for the closest available Endpoint Policy Server.

4. Optional: Select Enable Endpoint Security Management Server to be the Endpoint Policy Server.

   This option includes Endpoint Security Management Servers in the search for the closest Endpoint Policy Server.

5. Enter or select the Client will restrict non-compliant endpoint after value (default = 5 heartbeats).
6. Click OK.
7. Install policies to endpoint computers.

Enabling the Management Server to be an Endpoint Policy Server

Configure if the Endpoint Security Management Server behaves as an Endpoint Policy Server along with the other Endpoint Policy Servers.

The default is that the Endpoint Security Management Server does behave as an Endpoint Policy Server.

Note - If you do not explicitly enable the Endpoint Security Management Server to behave as an Endpoint Policy Server, it is still in the proximity analysis list. If no other Endpoint Policy Servers can reply to a client, the Endpoint Security Management Server replies.

To configure the Endpoint Security Management Server to behave as an Endpoint Policy Server only if all Endpoint Policy Servers do not respond:

1. In SmartEndpoint, select Manage > Endpoint Connection Settings.
2. Clear Enable Endpoint Management Server to be Endpoint Policy Server.
3. Click OK.
4. Select File > Install Policies or click the Install Policies icon.

Policy Server and Management Server Communication

The communication between the Endpoint Security Management Server and the Endpoint Policy Servers includes:

• Endpoint Policy Servers get from the Endpoint Security Management Server:
  • Policies and installation packages.
  • All files that it needs for synchronization.
• Endpoint Policy Servers send a heartbeat message to the Endpoint Security Management Server at 60 second intervals.

  You can change this in the $UEPMDIR/engine/conf/global.properties file on the Endpoint Security Management Server. The property name is connectionpoint.hb.interval.secs.

• Endpoint Policy Servers send sync messages to the Endpoint Security Management Server when synchronization is necessary.
• Endpoint Policy Servers send Reporting events to the Endpoint Security Management Server at 60 second intervals or when there are more than 1000 events in the queue.

  You can change this in the $UEPMDIR/engine/conf/global.properties file on the Endpoint Security Management Server. The property names are:

  • connectionpoint.emon.events.until.flush=1000
  • connectionpoint.emon.seconds.until.flush=60
• Endpoint Policy Servers send all database related messages directly to the Endpoint Security Management Server.

Notes on the First Synchronization

After you create the Endpoint Policy Server and install the policy in SmartEndpoint, the first synchronization between the Endpoint Policy Server and Endpoint Security Management Server occurs. During the first synchronization, the Endpoint Policy Server does not handle endpoint requests and shows as Not Active in the Reporting tab.

The first synchronization can take a long time, based on the amount of policies and installation packages that the Endpoint Policy Server must download from the Endpoint Security Management Server.

When the first synchronization is complete, the Endpoint Policy Server will show as Active in the Reporting tab.

Configuring an Alert for a Non-Synchronized Policy Server

You can configure the Endpoint Security Management Server to send an email alert to one or more people if one or more of the Policy Servers are not synchronized with the Endpoint Security Management Server.

It is important for all the Endpoint Policy Servers to have the same information about the Endpoint Security Management Server, because if they are not synchronized, the environment may be in a non-stable state.

You can configure how often the Endpoint Security Management Server sends the Policy Server out-of-sync alert, and whether it sends an alert when the Policy Server is back in sync.

Before Configuring a Policy Server Out-of-Sync Alert

Configure an email server.

To Configure a Policy Server Out-of-Sync Alert:

1. In SmartEndpoint, go to the Reporting tab.
2. In the Alerts section, click Policy Server out of sync.
3. Enable the alert so that it is ON.
4. Click Configure.

   The Alert Configuration window opens.

5. Add one or more people who will get an email about the alert. In Add New Recipient, for each person you want to add, type an email address and click Add.
6. Configure when an alert is sent. Select one or two of:
   • Notify on alert activation - Email alert is sent when the Policy Server is out of sync.
   • Notify on alert resolution - Email alert is sent when the Policy Server is back in sync.
7. Set how often the alert will be sent. In Remind every, select one of these time periods:

   1 Day

   1 Hour

   6 Hours

   3 Days

   1 Week

   None

8. Click OK.

Example Alert Email About Policy Server Out-of-Sync

This is an example of an alert mail that the Endpoint Security Management Server sends when an Endpoint Policy Server becomes out-of-sync.

This is an automated message about Active Alerts from the Endpoint Security Management server. This alert is active: Policy Server Out of Sync Alert   Number of inactive Policy servers: 1 out of 1   The list of inactive Policy servers: [ps3 (192.0.2.17) ]   For more information, see the Endpoint Security Management console in Reporting > Activity Reports > Endpoint Policy Servers Status.

Monitoring Endpoint Policy Server Activity

You can see the status of Endpoint Policy Servers in the Reporting tab of SmartEndpoint.

In the Reporting tab, select Endpoint Policy Servers Status.

• In the Status list, select which Endpoint Policy Servers to see:
  • All.
  • Only Active.
  • Only Not Active.
• In the table see:
  • Name - The name of the server in SmartEndpoint.
  • IP Address - The IP Address entered for the server.
  • DN - Its full DN name, taken from SmartConsole.
  • Active - If the server is Active or Not Active. Active means that the server recently sent a heartbeat message.
  • Last Contact - When the Endpoint Security Management Server last received a heartbeat message from it.
  • Comments - Comments written for that server in Properties window.

For more detailed information, you can look at the log messages on the Endpoint Policy Server. They are in: $UEPMDIR/logs

You can see if there are errors in the logs and resolve them if necessary.