Architecture best practices for deploying DLP Endpoint Prevent Detection Servers
Last Updated April 29, 2019
You need to deploy Symantec Data Loss Prevention (DLP) Endpoint Prevent and need architecture best practice information for the deployment.
You also have the following questions:
Can DNS-based load balancing be used?
Can Endpoint Servers be on different subnets?
Failover back to the original server: what is the nature of this, and are there any timing or configuration considerations?
Using DNS-based Load Balancing
Servers in DMZ and also internal datacenter
This information is provided as a general guide. For support implementing this design, please contact professional services.
General Architecture and configuration recommendations:
Here is an example that shows two Endpoint servers in the corporate LAN and two in the DMZ. Agents on the corporate LAN (including those connected by VPN) are configured to communicate with one of the LAN Endpoint servers first and to fail over to the second, if necessary. Agents connecting from outside the corporate network are directed to the DMZ Endpoint servers by a load balancer. All Endpoint servers are connected to the Enforce server.
The communication is secured with SSL certificate-based authentication, so v12.5+ Endpoint servers can be deployed in the DMZ for Agents to connect over the internet.
DNAT should be configured to hide the identity of the Endpoint Server.
You do not need to keep using port 10443. It is better to configure the Endpoint servers to use port 443, the standard SSL port, which is more firewall friendly.
If you decide you want to use a load balancer, it is recommended to enable SSL session affinity.
It is recommended that you give some thought to how you plan to configure the agent for server connectivity, e.g. are you planning to use a single DNS name that resolves both in the corporate environment and on the internet?
Be aware that “On/Off” corporate network policy rules are based on Endpoint server connectivity.
In general, policies should be tuned to reduce false positive detections and to avoid two-tier detection.
"Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols and directs session requests to the same server based solely on the source IP address of a packet."
DNS-based load balancing essentially sends agents to their servers in a round-robin fashion: Agent 1 => Server 1, Agent 2 => Server 2, etc. If Server 1 is not available, Agent 1 goes to Server 2, and so on. If all but one Server fails, all Agents go to the available Server (3, 4, 5, etc.) until the previous Servers are back online, after which DNS again assigns Agent 1, Agent 2, etc. to the servers in order of availability (Server 1, Server 2, etc.).
Ping (health-check) intervals on the load balancer (for example F5) determine how quickly new connections are sent to newly available servers.
Presumably Endpoints will have a choice of two Servers (internal vs external); otherwise, as noted above, all the "work" of load balancing is done by the load balancer implementation (e.g. F5).
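The round-robin assignment and failover behaviour described above, as an added model for capacity planning (illustration only, not Symantec code): the server and agent names, and the per-server capacity figure, are constructed assumptions. Re-running the assignment with the full server set models agents returning to their original servers once those are back online.

```python
"""Model of DNS round-robin agent-to-server assignment with failover.

Added illustration, not Symantec code. Server names, agent names and the
per-server capacity figure below are constructed assumptions.
"""
from itertools import cycle


def assign_agents(agents, servers, available):
    """Give each agent its round-robin preferred server, falling over to the
    next available server in list order when the preferred one is down.
    `available` is the set of server names currently passing health checks.
    Returns a dict agent -> server (None when no server is available)."""
    assignment = {}
    preferred = cycle(range(len(servers)))
    for agent in agents:
        start = next(preferred)
        chosen = None
        # walk the server list from the preferred slot, wrapping around
        for offset in range(len(servers)):
            candidate = servers[(start + offset) % len(servers)]
            if candidate in available:
                chosen = candidate
                break
        assignment[agent] = chosen
    return assignment


def load_per_server(assignment):
    """Count how many agents land on each server."""
    load = {}
    for server in assignment.values():
        if server is not None:
            load[server] = load.get(server, 0) + 1
    return load


def overloaded(assignment, capacity):
    """Servers carrying more agents than `capacity` (an assumed per-server limit)."""
    return sorted(s for s, n in load_per_server(assignment).items() if n > capacity)


if __name__ == "__main__":
    servers = ["ep-server-1", "ep-server-2", "ep-server-3"]  # constructed names
    agents = [f"agent-{i}" for i in range(1, 7)]             # six constructed agents
    healthy = assign_agents(agents, servers, set(servers))
    degraded = assign_agents(agents, servers, {"ep-server-3"})  # all but one down
    print("all up:", load_per_server(healthy))
    print("only ep-server-3 up:", load_per_server(degraded))
    print("over assumed capacity of 4:", overloaded(degraded, 4))
```

The degraded case shows why the surviving server must be sized for the whole agent population, or the "all but one fails" scenario will exceed its capacity.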