2. ABOUT SITES AND REPLICATION
A site consists of one database, one or more management servers,
and clients. By default, you deploy Symantec Endpoint Protection
with a single site.
Organizations with more than one datacenter or physical location
generally use multiple sites.
3. ABOUT SITES AND REPLICATION
Before you set up multiple sites and replication, make sure that it is
necessary.
Symantec recommends that you set up replication only in specific
circumstances.
If you do add an additional site, decide which site design works for
your organization.
4. ABOUT SITES AND REPLICATION
When you install Symantec Endpoint Protection for the first time, by
default you have installed the first site, or the local site.
You install the management server for the second site by using the
Management Server Configuration wizard. In the wizard, click the
Install an additional site option and follow the instructions in the
wizard.
5. ABOUT SITES AND REPLICATION
The second management server is classified as a remote site and
called a replication partner. When you add the second site as a
replication partner, you perform the following tasks:
■ By default, replication is scheduled to occur automatically. However,
you can change the replication schedule, based on the amount of disk
space that is available.
■ Choose whether to replicate logs, client installation packages, or
LiveUpdate content.
6. ABOUT SITES AND REPLICATION
The first time that the databases between the two sites replicate, let
the replication finish completely. The replication may take a long time
because the entire database gets replicated.
You may want to replicate the data immediately, rather than waiting
until the databases are scheduled to replicate. You can also change the
replication schedule to occur earlier or later.
7. HOW REPLICATION WORKS
Replication is the process of sharing information between databases
to ensure that the content is consistent.
You can use replication to increase the number of database servers
that are available to clients and thereby reduce the load on each.
Replication is typically set up during the initial installation.
9. HOW REPLICATION WORKS
A replication partner is another site with one database server. It also
has a connection to the site that you designate as a main site or a
local site.
A site may have as many replication partners as needed. All
replication partners share a common license key.
The changes that you made on any replication partner are duplicated
to all other replication partners whenever Symantec Endpoint
Protection Manager is scheduled to replicate data.
10. HOW REPLICATION WORKS
Replication partners are listed on the Admin page.
You can display information about replication partners by selecting
the partner in the tree.
All sites typically have the same type of database.
You can, however, set up replication between sites by using different
types of databases. In addition, you can also set up replication
between an embedded database and an MS SQL database.
11. HOW REPLICATION WORKS
If you use an embedded database, you can only connect one
Symantec Endpoint Protection Manager to it because of configuration
requirements.
If you use an MS SQL database, you can connect multiple management
servers or share one database.
Only the first management server needs to be set up as a replication
partner.
12. HOW REPLICATION WORKS
All sites that are set up as replication partners are considered to be
on the same site farm.
Initially, you install the first site, then install a second site as a
replication partner.
A third site can be installed and set up to connect to either of the first
two sites.
You can add as many sites as needed to the site farm.
You can delete replication partners to stop the replication.
Later you can add that replication partner back to make the
databases consistent. However, some changes may collide.
13. HOW REPLICATION WORKS
You can set up data replication during the initial installation or at a
later time.
When you set up replication during the initial installation, you can also
set up a schedule for the synchronization of the replication partners.
14. SYMANTEC ENDPOINT PROTECTION
REPLICATION SCENARIOS
If administrators make changes at each replication site
simultaneously, some changes may get lost.
If you change the same setting on both sites and a conflict arises, the
last change is the one that takes effect when replication occurs.
For example, site 1 (New York) replicates with site 2 (Tokyo) and site
2 replicates with site 3 (London).
You want the clients that connect to the network in New York to also
connect with the Symantec Endpoint Protection Manager in New York.
However, you do not want them to connect to the management server
in either Tokyo or London.
15. SYMANTEC ENDPOINT PROTECTION
REPLICATION SCENARIOS
When you set up replication, client communication settings are also
replicated. Therefore, you need to make sure that the communication
settings are correct for all sites on the site farm in the following
manner:
■ Create generic communication settings so that a client's connection is
based on the type of connection. For example, you can use a generic
DNS name, such as symantec.com for all sites on a site farm.
Whenever clients connect, the DNS server resolves the name and
connects the client to the local Symantec Endpoint Protection Manager.
■ Create specific communication settings by assigning groups to sites
so that all clients in a group connect to a designated management
server.
16. SYMANTEC ENDPOINT PROTECTION
REPLICATION SCENARIOS
For example, you can create two groups for clients at site 1, two
different groups for site 2, and two other groups for site 3.
You can apply the communication settings at the group level so clients
connect to the designated management server.
You may want to set up guidelines for managing location settings for
groups.
Guidelines may help prevent conflicts from occurring on the same
locations.
You may also help prevent conflicts from occurring for any groups that
are located at different sites.
17. SYMANTEC ENDPOINT PROTECTION
REPLICATION SCENARIOS
After replication occurs, the database on site 1 and the database on
site 2 are the same.
Only computer identification information for the servers differs.
If administrators change settings on all sites on a site farm, conflicts
can occur.
For example, administrators on site 1 and site 2 can both add a group
with the same name.
If you want to resolve this conflict, both groups then exist after
replication. However, one of them is renamed with a tilde and the
numeral 1 (~1).
18. SYMANTEC ENDPOINT PROTECTION
REPLICATION SCENARIOS
If both sites added a group that is called Sales, after replication you
can see two groups at both sites.
One group is called Sales and the other is called Sales 1.
This duplication occurs whenever a policy with the same name is
added to the same place at two sites.
If duplicate network adapters are created at different sites with the
same name, a tilde and the numeral 1 (~1) is added. The two symbols
are added to one of the names.
19. SYMANTEC ENDPOINT PROTECTION
REPLICATION SCENARIOS
If different settings are changed at both sites, the changes are
merged after replication.
For example, if you change Client Security Settings on site 1 and
Password Protection on site 2, both sets of changes appear after
replication.
Whenever possible, changes are merged between the two sites.
If policies are added at both sites, new policies appear on both sites
after replication.
Conflicts can occur when one policy is changed at two different sites.
If a policy is changed at multiple sites, the last update of any change
is then maintained after replication.
20. SYMANTEC ENDPOINT PROTECTION
REPLICATION SCENARIOS
If you perform the following tasks with the replication that is scheduled
to occur every hour on the hour:
■ You edit the AvAsPolicy1 on site 1 at 2:00 P.M.
■ You edit the same policy on site 2 at 2:30 P.M.
Then only the changes that were completed on site 2 appear after the
replication at 3:00 P.M. is complete.
If one of the replication partners is taken offline, the remote site may
still indicate the status as online.
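
The conflict rules from the replication scenarios above, modelled as an added example (this is not Symantec code): edits to different objects merge, the last edit to the same object wins, and same-named groups both survive with one renamed. The `Edit` record, the minute timestamps, the `~1` suffix placement and the choice of which group gets renamed are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Edit:
    site: str      # site where the administrator made the change
    obj: str       # policy or settings object that was edited
    minute: int    # time of the edit, in minutes after midnight
    content: str   # constructed description of the edit

def replicate(edits):
    """Return (surviving, lost): the last edit per object wins, other objects merge."""
    surviving, lost = {}, []
    for e in sorted(edits, key=lambda e: e.minute):
        prev = surviving.get(e.obj)
        if prev is not None and prev.site != e.site:
            lost.append(prev)   # overwritten by a later edit from another site
        surviving[e.obj] = e
    return surviving, lost

def merge_group_names(local, remote, suffix="~1"):
    """Both same-named groups survive; one gets the suffix (which one is assumed)."""
    merged = list(local)
    for name in remote:
        merged.append(name + suffix if name in merged else name)
    return merged

# Constructed edits matching the slides: 2:00 P.M. = 840, 2:30 P.M. = 870.
EDITS = [
    Edit("site1", "AvAsPolicy1", 840, "edit made on site 1"),
    Edit("site2", "AvAsPolicy1", 870, "edit made on site 2"),
    Edit("site1", "Client Security Settings", 845, "changed on site 1"),
    Edit("site2", "Password Protection", 850, "changed on site 2"),
]

if __name__ == "__main__":
    surviving, lost = replicate(EDITS)
    for e in lost:
        print(f"LOST at replication: {e.obj} edit from {e.site} (minute {e.minute})")
    for obj, e in sorted(surviving.items()):
        print(f"{obj}: version from {e.site} kept")
    print(merge_group_names(["Sales"], ["Sales", "Support"]))
```

Listing the `lost` edits before each replication window gives administrators a record of policy changes that would otherwise disappear without notice.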
21. CONFIGURING REPLICATION
Adding and disconnecting a replication partner
If you want to replicate data with another site, you may have already
set it up during the initial installation.
If you did not set up replication during the initial installation, you can
do so now by adding a replication partner.
Multiple sites are called a site farm whenever they are set up as
replication partners.
You can add any site on the site farm as a replication partner.
22. CONFIGURING REPLICATION
Disconnecting replication partners
Deleting a replication partner merely disconnects a replication
partner from Symantec Endpoint Protection Manager.
It does not delete the site.
You can add the site back later if you need to do so by adding a
replication partner.
23. CONFIGURING REPLICATION
Replicating data on demand
Replication normally occurs according to the schedule that you set up
when you added a replication partner during installation.
The site with the smaller ID number initiates the scheduled replication.
At times, you may want replication to occur immediately.
24. CONFIGURING REPLICATION
Changing replication frequencies
Replication normally occurs according to the schedule that you set up
when you added a replication partner during the initial installation.
The site with the smaller ID number initiates the scheduled replication.
When a replication partner has been established, you can change the
replication schedule.
When you change the schedule on a replication partner, the schedule
on both sides is the same after the next replication.
25. CONFIGURING REPLICATION
Replicating client packages and LiveUpdate content
You can replicate or duplicate client packages and LiveUpdate
content between the local site and this partner at a remote site.
You may want to copy the latest version of a client package or
LiveUpdate content from a local site to a remote site.
The administrator at the remote site can then deploy the client
package and LiveUpdate content.
26. CONFIGURING REPLICATION
If you decide to replicate client packages and LiveUpdate content,
you may duplicate a large volume of data.
Should you replicate many packages, the data may be as large as 5
GB.
Both Symantec Endpoint Protection and Symantec Network Access
Control 32-bit and 64-bit installation packages may require as much
as 500 MB of disk space.
27. CONFIGURING REPLICATION
Replicating logs
You can specify that you want to replicate or duplicate logs as well as
the database of a replication partner.
You can specify the replication of logs when adding replication
partners or by editing the replication partner properties.
If you plan to replicate logs, make sure that you have sufficient disk
space for the additional logs on all the replication partner computers.
28. FAILOVER AND LOAD BALANCING
The client computers must be able to connect to a management server
at all times to download the security policy and to receive log events.
Failover is used to maintain communication with a Symantec Endpoint
Protection Manager when the management server becomes
unavailable.
Load balancing is used to distribute client management between
multiple management servers.
29. FAILOVER AND LOAD BALANCING
You can set up failover and load balancing if you use a Microsoft SQL
Server database.
You can set up failover with the embedded database, but only if you
use replication.
When you use replication with an embedded database, Symantec
recommends that you do not configure load balancing, as data
inconsistency and loss may result.
To set up failover and load balancing, you add multiple management
servers or Enforcers to a management server list.
30. FAILOVER AND LOAD BALANCING
You can install two or more management servers that communicate
with one Microsoft SQL Server database and configure them for
failover or load balancing.
Since you can install only one Symantec Endpoint Protection Manager
to communicate with the embedded database, you can set up failover
only if you replicate with another site.
When you use replication with an embedded database, Symantec
recommends that you do not configure load balancing, as data
inconsistency and loss may result.
31. FAILOVER AND LOAD BALANCING
A management server list is a prioritized list of management servers
that is assigned to a group.
You should add at least two management servers to a site to
automatically distribute the load among them.
You can install more management servers than are required to handle
your clients to protect against the failure of an individual management
server. In a custom management server list, each server is assigned to
a priority level.
32. FAILOVER AND LOAD BALANCING
A client that comes onto the network selects a priority one server to
connect to at random.
If the first server it tries is unavailable and there are other priority
one servers in the list, it randomly tries to connect to another.
If no priority one servers are available, then the client tries to connect
to one of the priority two servers in the list.
This method of distributing client connections randomly distributes the
client load among your management servers.
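
The selection procedure described above, simulated as an added example (not Symantec code) to show how client load shifts when servers go offline. The server names and the dictionary layout of the management server list are hypothetical.

```python
import random

# Hypothetical management server list: priority level -> server names.
SERVER_LIST = {
    1: ["sepm-ny-1", "sepm-ny-2"],
    2: ["sepm-tokyo-1"],
}

def connect(server_list, is_up, rng=random):
    """Return the server a client ends up on, or None if every server is down."""
    for priority in sorted(server_list):      # priority one first, then two, ...
        candidates = list(server_list[priority])
        rng.shuffle(candidates)               # random order within one priority level
        for server in candidates:
            if is_up(server):
                return server
    return None

def distribution(server_list, down, clients=1000, seed=7):
    """Count where simulated clients land while the servers in `down` are offline."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(clients):
        chosen = connect(server_list, lambda s: s not in down, rng)
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts

if __name__ == "__main__":
    print("all servers up:    ", distribution(SERVER_LIST, down=set()))
    print("one priority 1 down:", distribution(SERVER_LIST, down={"sepm-ny-1"}))
    print("priority 1 all down:",
          distribution(SERVER_LIST, down={"sepm-ny-1", "sepm-ny-2"}))
```

A result of `None` means the client reached no management server, so it receives no policy updates until one returns.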
34. FAILOVER AND LOAD BALANCING
In a failover configuration, all clients send traffic to and receive traffic
from server 1.
If server 1 goes offline, all clients send traffic to and receive traffic
from server 2 until server 1 comes back online.
The database is illustrated as a remote installation, but it also can be
installed on a computer that runs the Symantec Endpoint Protection
Manager.
35. FAILOVER AND LOAD BALANCING
You may also want to consider failover for content updates, if you
intend to use local servers.
All the components that run LiveUpdate can also use a prioritized list
of update sources.
Your management servers can use a local LiveUpdate server and
failover to LiveUpdate servers in other physical locations.
Editor's notes
Symantec recommends that you add a maximum of five sites in the site farm.
The use of internal LiveUpdate servers, Group Update Providers, and site replication does not provide load balancing functionality. You should not set up multiple sites for load balancing.