Sizing Enterprise Console

Hi There,

Just looking for a bit of advice. We will need to build a server to support 1000 Windows endpoints. Are there any guides available to help size this server? Would it require a SQL database rather than SQL Express?

Thanks

:6525


This thread was automatically locked due to age.
  • Hi,

    SQL Express will be fine for that size installation; the main things to think about are disk I/O and memory.  SQL will consume both, but mainly I/O, and the RouterNT.exe process will consume quite a bit of memory for that number of clients, I would imagine somewhere in the order of 200-250MB.  SUM will also consume quite a bit of disk I/O when updating.

    I would advise if starting from scratch you might want a dedicated physical drive to store the databases on. In an ideal world separate drives for SQL data (mdf) and logs (ldf) but for this size installation a dedicated drive for SQL express "data" will be better than putting it all on the OS drive.  

    I would suggest 4GB of RAM as a minimum and either Win 2k3R2 or 2K9R2 as the OS.  SQL Express 2K8 SP1 will be installed by default.   SQL 2008 R2 is not currently supported until 4.7 I think.

    If you find that the server you have in mind is not powerful enough, things you can consider to lighten the load off one machine are:

    1. Write the CIDs/Distribution points to a file server/filer, so the clients update from there.

    2. Remove/Move other roles to different servers.

    3. Move the database to a remote machine, can still be SQL Express.

    As these can all be done at any time, you can monitor the resources used and make these decisions later.

    Here are a couple of other posts I've made along these lines:

    Jak

    :6527
  • That's great, thanks Jak. I was actually on site today and had a look at the proposed server. It seems it could do with a bit more RAM but otherwise it is fairly ok. I am concerned however by the environment it is going into and would like some advice on the best way to proceed.

    The clients are all based in remote sites with between 1 and 10 clients on each site. Each of these sites is connected back to head office via a MPLS network. They are all members of a workgroup and there is no name resolution. The names of the clients are not unique so the same name appears multiple times throughout the network. Currently these clients have Sophos AV version 7 installed in standalone mode.

    What is required is for these clients to be manageable from a central location. I don't believe it will be possible until we sort out the name resolution and naming issues but maybe you could confirm that? Is it possible for Sophos to work on an IP level so it doesn't care about names? Changing the names of the clients is an option we may need to take and possibly setting up a central hosts file or similar. Could you offer any more advice?

    Thanks!

    :6559
  • You might be ok...  I assume the SEC server has a static IP address and is accessible from all clients?  That way, when you install SEC, the mrinit.conf file will have an IP address as the parent address.  All the clients will need to be able to resolve this to find the server for RMS communication.  You could configure a message relay at each site but for the numbers per site it doesn't quite make it worth it.  Either way, if you've already installed the server side components, you should have the mrinit.conf files in the root of the CIDs/distribution points to check this parent address is going to be resolvable for all the clients.

    I would then suggest:

    1. Create the necessary groups in SEC to house all the machines, constructing the structure as required.  Maybe a top level group per site.

    2. Define all the policies you require at least to start and link them to the groups.

    3. I would then protect them by running a batch file, as you can see from:

    http://www.sophos.com/support/knowledgebase/article/12570.html

    setup.exe (the file in the root of the CIDs/distribution point, often called the bootstrap.exe) takes:

    -compname <computername> as a switch.  This can override the name that appears in SEC, thus you can make them all unique.

    For your case it might be possible to work into the command line:

    -G \<nameofserver>\<Groupname>

    so the machines appear in the right group as they are protected.

    Essentially I would try and construct a batch file per location/per SEC group that you can use to protect the machine with, which can insert a relevant machine name switch.  E.g. "SiteName-%computername%".  I would probably choose a scripting language such as VBScript as this would be easier to construct the parameters needed on a machine/site basis.

    I guess AD start-up scripts would be the typical deployment method from here with a few additional checks.  As this is not available to you, I would perhaps look to use psexec (Sysinternals) to create the tasks on the remote machines,  maybe a batch file per site, which executes the per site VBScript/batch file to install.

    I hope that helps,

    Jak

    :6571
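
The per-site batch file described in the last reply, as an added example that is not part of the original thread or Sophos's own tooling: a small generator that writes one batch file per site using only the `-compname` and `-G` switches named above, and first checks whether the "SiteName-%computername%" scheme really yields unique names. The inventory, server IP, share name and server name are constructed placeholders.

```python
"""Added example: per-site installer batch files for the -compname / -G approach."""
from collections import Counter

# Constructed inventory: (site, Windows computer name). Not real data.
INVENTORY = [
    ("Leeds", "TILL01"), ("Leeds", "TILL02"),
    ("York", "TILL01"), ("York", "OFFICE"),
    ("Hull", "TILL01"), ("Hull", "TILL01"),   # same name twice inside one site
]

def sec_name(site, computer):
    """Name that would appear in SEC; upper-cased so comparison ignores case."""
    return f"{site}-{computer}".upper()

def collisions(inventory):
    """SEC names that are still duplicated after the site prefix is added."""
    counts = Counter(sec_name(s, c) for s, c in inventory)
    return sorted(n for n, k in counts.items() if k > 1)

def site_batch(site, setup_path, sec_server):
    """Batch file text for one site; %COMPUTERNAME% expands on the client."""
    return "\r\n".join([
        "@echo off",
        f"rem Protect a machine at site {site} and place it in SEC group {site}",
        f'"{setup_path}" -compname "{site}-%COMPUTERNAME%" -G "\\{sec_server}\\{site}"',
        "",
    ])

def build(inventory, setup_path, sec_server):
    """Return ({batch filename: text}, [colliding names]).

    Sites with a remaining collision get no batch file: the prefix alone
    cannot make those machines unique, so they need renaming first.
    """
    bad = collisions(inventory)
    bad_sites = {s for s, c in inventory if sec_name(s, c) in bad}
    files = {f"install-{s}.bat": site_batch(s, setup_path, sec_server)
             for s in sorted({s for s, _ in inventory}) if s not in bad_sites}
    return files, bad

if __name__ == "__main__":
    # Placeholders (assumptions): server IP, share name "CID", server name.
    files, bad = build(INVENTORY, r"\\192.0.2.10\CID\setup.exe", "SECSERVER")
    for name, text in files.items():
        print(f"--- {name}\n{text}")
    print("rename before deploying:", bad)
```

The setup.exe path is given by IP address because the clients in this thread have no name resolution.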