After preparing a cluster of two members of Symantec Encryption Management Server (formerly known as PGP Universal Server), what needs to be put in place to make Symantec Encryption Desktop (formerly known as PGP Desktop) clients point to both servers for high availability and redundancy?
Symantec Encryption Desktop clients point to a single Symantec Encryption Management Server, the one configured during the enrollment process. The FQDN of that Symantec Encryption Management Server is not changed afterwards, so the client will continue to attempt communication with that single server. If that server is unavailable for any reason, the client will not be able to retrieve policy, which can cause other issues on the client.
In an environment where only Symantec Drive Encryption is being used, losing communication with the server for a certain amount of time may not have any negative consequences. In a messaging environment where email encryption is required, losing communication with the server could have significant consequences. It is a best practice to have a clustered environment so that service remains available if one server does become unavailable.
For High Availability, the recommendation is to use Load Balancers, which have logic to detect if a host is down and will subsequently redirect all traffic to the other host that is still up.
A requirement when using Load Balancers is to ensure a "sticky bit" (session persistence) is in use, so that when a Symantec Encryption Desktop client communicates with one Symantec Encryption Management Server, the connection stays with that server for the entire session and does not switch to another Symantec Encryption Management Server in the middle of the same transaction.
In the case of a Load Balancer, the clients connect to a common DNS entry, such as keys.domain.tld. In an environment with two cluster nodes, the Load Balancer then directs the connection to keys1.domain.tld or keys2.domain.tld, depending on which server is available. If one server is not available, the Load Balancer directs the connection to the other server that is available.
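As an added illustration of the two requirements above (health detection and session persistence), and not configuration from Symantec or from this article, here is an HAProxy fragment that fronts keys.domain.tld and forwards client connections to the two cluster nodes. It assumes HAProxy is the load balancer in use, that the clients talk to the server over TCP port 443, and that the health-check intervals shown are acceptable for the environment.

```haproxy
# Constructed example: clients resolve keys.domain.tld to this listener.
frontend sem_clients
    bind *:443
    mode tcp
    default_backend sem_cluster

backend sem_cluster
    mode tcp
    balance roundrobin

    # Session persistence ("sticky bit"): remember which node a client
    # source IP was sent to and keep sending it there for 30 minutes,
    # so one client transaction never straddles both cluster members.
    stick-table type ip size 100k expire 30m
    stick on src

    # Health detection: probe each node every 5 s; mark it down after
    # 3 failed probes and back up after 2 successful ones. Traffic is
    # only ever sent to a node that is currently up.
    option tcp-check
    server keys1 keys1.domain.tld:443 check inter 5s fall 3 rise 2
    server keys2 keys2.domain.tld:443 check inter 5s fall 3 rise 2
```

Because persistence here is keyed on the client source address, clients behind a single NAT gateway will all be pinned to the same node; that is still correct for the transaction-consistency requirement but spreads load unevenly.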
Warning: DNS Round Robin is not a supported configuration, as it can cause unanticipated problems with keys and/or recovery tokens. For more information on DNS Round Robin as it relates to clustering for Symantec Encryption Management Server, please see article TECH232699.
In a cluster environment it is important to have another interface on a separate subnet that handles clustering, with a certificate whose name matches its hostname. For more information on general guidelines for clustering health and performance, please see TECH157115.