As with any virtual operating system/appliance, Encryption Management Server requires a virtual machine to be created on the host VMware vSphere server. To do this, use the New Virtual Machine Wizard and select the Custom option.
Guest Operating System
The Guest operating system for Encryption Management Server should be set to Linux and the Version set to CentOS 4/5/6 (32-bit).
Symantec recommends a minimum of 2 virtual CPUs for small environments, 4 CPUs for medium environments and 8 CPUs for large environments. It may be necessary to use 16 CPUs in very large environments. Note that each virtual CPU equates to a physical CPU core on the VMware host. Therefore a physical quad core processor in a VMware host has 4 virtual CPUs. Symantec recommends that in the Virtual Machine settings, the Number of virtual sockets setting matches the number of virtual CPUs required and the Number of cores per socket setting remains at its default of 1.
VMware Tools enhances performance and improves management. Not only is it required by vMotion, it also enables paravirtual network adapters to be installed and allows quiesced snapshots to be taken. Installing VMware Tools is highly recommended.
Symantec recommends 4 GB to 8 GB RAM for small/medium environments such as Whole Disk Encryption only environments and 8 GB to 16 GB for larger environments. The RAM requirements depend on the use of Encryption Management Server (Email, Drive Encryption, FileShare Encryption, Web Email Protection) and the number of users being managed by the server. If there are any doubts as to what will be sufficient please ask Symantec Support.
Memory Resource Allocation
Encryption Management Server runs Java. VMware recommends that all the configured memory for Virtual Machines running Java is reserved. This is recommended because any type of memory swapping is detrimental to the performance of the JVM heap, especially for Garbage Collection. To reserve all the memory, edit the Virtual Machine settings and under the Resources tab click on the Memory setting. Enable the option Reserve all guest memory (All locked). If the memory is not reserved, VMware may swap to disk and this will degrade performance very significantly.
Symantec recommends a minimum of 50 GB but there are many factors to consider. For Whole Disk Encryption only environments, 100 GB would be sufficient for 50,000 users providing backups were not stored on the local disk. If seven days of backups were stored on the local disk (not recommended) around 200 GB would need to be allocated. If thousands of Web Email Protection mailboxes were hosted on the server then disk space requirements could exceed 1 TB. Thin provisioning of disk space can be used to minimize the physical disk requirements if your organization's policy supports it (clearly, thin provisioning runs the risk of exceeding the physical storage space).
In a virtual environment, expanding the virtual disk will result in additional unpartitioned space which is unusable by Encryption Management Server unless the product is reinstalled. Therefore, under provisioning disk space will cause considerable inconvenience.
At the core of Encryption Management Server is a relational database and therefore random disk write speed is very important. RAID 10 arrays provide the best random write speed, as does SSD. In a virtual environment, the VMware DataStore may be hosted on SAN storage so it may be challenging to discover whether the disk speed is sufficient. Ensure that the team responsible for provisioning the virtual disk is aware that it is being used by a database server.
It is vital that the DataStore on which the virtual disk is stored is not overloaded with disk intensive Virtual Machines because this can severely degrade the performance of Encryption Management Server. If the Virtual Machine does not have reserved memory and is swapping to disk, this will also degrade disk performance very significantly. Please contact Symantec Support if you wish to test the random write speed of your virtual disk.
At installation time, only the E1000 or Flexible adapters will work and of these, the E1000 is fastest. Once VMware Tools is installed, the VMXNET 3 adapter, a paravirtualized NIC designed for performance, should give the best results.
Encryption Management Server requires the LSI Logic Parallel SCSI Controller to be used; this is the default. Please do not select any other controller.
VMware vMotion is supported with Encryption Management Server.
Once VMware Tools is installed, a Synchronize guest time with host checkbox appears in the Options tab of the Virtual Machine properties. This is disabled by default and enabling it is not recommended. Instead, for better accuracy, configure NTP in Encryption Management Server. Never enable both NTP and the time synchronization option in VMware Tools because it will result in highly inaccurate timekeeping.
Please consult the relevant Release Notes for the latest system requirements.