Thread Info
Options
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How many computers per update relay

Zatol

I was just curious how many computers can update from the same update relay/server?

In our environment, we have over 20,000 computers updating. We have a large number of relays, and I'd really like to keep that number to a minimum to help us from a maintenance standpoint.

I wasn't in this position for the initial set up and installation of Sophos, so I'm not sure on the reasoning behind the relays. We do have a large number of locations where these computers are, over 50. If we have a gig connection to every location, is there a reason we can't centralize our update server and have them all pull from the same one? 

:21239


This thread was automatically locked due to age.
  • 0

    Hi,

    Updating and RMS requirements are two different things in terms of limits/recommendations with regards to scalability.

    In terms of what's supported by RMS, the bottom line is 25K managed machines from a single management server.  I asked the number of relays Sophos test with during testing and they told me 4, so 6250 clients per relay would be the absolute maximum I would suggest before you go out of the tested scenario. I'm sure this isn't the limit but I find it's best to stay within supported limits to avoid problems later.  10K tests are run without relays so in this case the SEC server's router is handling 10K machines and it's also the SEC server. 

    The operating system you run the relay on (same rules apply to a SEC server) is also is a factor.  Please see:

    http://www.sophos.com/support/knowledgebase/article/112950.html and

    http://www.sophos.com/support/knowledgebase/article/113945.html#RunningOnWindows2008 .

    Based on these two articles I would suggest avoiding Windows 2008 (not R2) where possible for this role unless you have to and even then 4000 would be the maximum.  If you use Windows 2003 with more than 3000 managed machines (and factoring in other roles of the machine), remember the maxuserport key: http://www.sophos.com/support/knowledgebase/article/14243.html .

    So if I had a single site with 25K machines, I would probably go with 6 relays running on 2008R2 or 2003 R2.  The load would be split at around 4000 clients per relay for expansion. 2GB RAM per machine would probably do for just a message relay.  If I was going to add a SUM to those machines as well so the relay was sharing out an update location locally, I would probably double the RAM to 4GB to enable clients to update and SUM to work ok.  

    In an ideal world, I would however probably keep updating and messaging separate and have SUM push the distributions to a dedicated file server/filer for better performance.  This way, you might loose management but updating keeps working (most important I would say) and visa versa.  The files could be hosted on Apache/IIS and would probably give better performance than UNC.

    If I had 50 sites, with an even number of machines per site, I would probably install SUM and a relay on the same machine at each site.  I find it just gives more control and it's a better overall topology.  If there is a virus outbreak for example at "site x" where it is flooding the management server to the point where it is causing system wide problems, it might be then wise to just stop the message router at that problem site temporarily to isolate it.  Clean up and then start it.  This is what I like about relays so reducing them because you can based on the supported numbers may not always be the best thing.

    50 SUMs in SEC is fine and they can typically all have the same subscription, plus, I would probably configure them to update from Sophos, if that was a "cheaper" local update route.  

    Hope that offers some useful thoughts.

    Regards,

    Jak

    :21243
    • 0

      That is some interesting insight. What happens when we break the 25k threshold? I have no doubt we will surpass that in the next few years as we continue to grow out our 1:1 initiative in our schools.

      Am I going to need two separate management consoles on separate servers? I can see an easy way to separate that, so it doesn't seem like a massive deal, just kind of a headache to manage it from two different virtual locations.

      I appreciate your insight on the relays. I suppose I'll keep our setup similar to how it is now going forward. We probably have around 20 relays set up, all at our schools that will be using the 1:1 initiative. Other buildings/schools/facilities update back to our central location.

      Thanks for your help. 

      :21245
      • 0

        Hi,

        There is no "hard" limit to the system regarding the 25K number, the console will cope with 100K if all conditions are good on the latest spec hardware but, in a virus outbreak scenario for example would the system cope, would it even be manageable, who knows? I odn't feel I need to find out :) The 25K value is really a statement by Sophos to say, we will support you on this and we expect it to work from our testing without too much manual tuning.  

        Maybe if you set up a management server with aggressive alert and event purging, i.e.. Every 2 weeks, it would scale much higher as I suspect, the amount of data required to be processed (read to and written from the DB) by the management service would become the bottleneck.

        So having said that. If there is a logical partition where you can make the management server split and I would expect there to be once you get up to 25K machines, I suggest that to future proof the system you have multiple management servers. Even if the number of managed machines isn't increasing per console the amount of alerts/events per client will be up so a bit of breathing space can only be a good thing.  

        Regards,

        Jak

        :21249
        • 0

          Certainly insightful, thanks.

          I don't entirely want to find out, but we will in the not-so-distant future here!

          I already do have some automated purging going on as the database can get quite large with what we currently have.  

          :21369