Jump to content

Archived

This topic is now archived and is closed to further replies.

TonyK

ESMC 7.1 Proxy and Loadbalancing

Recommended Posts

Hey gang, I have a question on placing ESET HTTP Proxies behind a load balancer for distributive/regional workloads. I might have missed it but would the Proxy solution be able to accommodate usage of a load balancers. Our use case is that we operate the ESMC console in a MSP role with clients concentrated around the entire North American region, currently we are hosting around 3000 endpoints with 95% of them located statically in North American region, and the remainder 5% could be potentially roaming globally.

My concern is that we are needing to balance communications intervals responsiveness (granted I know from defaults that recommendations were to have communications intervals slated to 20-60 minutes for heartbeat) - but due to our customer base and needs, I would like to maintain a 10-20 minute interval at maximum for endpoints that report 'healthy' status and devices with warning flags in ESMC have 1-2 minute intervals (to allow for 'rapid' configuration changes/commands)

SO TLDR - Would ESET Apache HTTP proxy work behind a loadbalancer

Share this post


Link to post
Share on other sites

Just out of curiosity, what is primary purpose of HTTP proxy in this scenario? Asking, because in case of ESMC with 3000 clients, there should be no problem with clients connecting each minute (= default interval), and in case of MSP, client are mostly distributed and thus they are using their own connectivity to download installers of updates. Or you are hosting caching proxy for customers in their environments? Regardless of that, there is actually no need to use ESET proxies in case customer has it's own HTTP proxy, able to cache ESET updates and installers.

HTTP proxy has no loadbalancing feature when used to transfer AGENT-to-ESMC communication, it just forwards this kind of  communication...

Share this post


Link to post
Share on other sites

Not all our customers will be allowing 'public' internet access (compliance reasons), those who do have internet access will not be using the proxy

This is for those who do not - we are trying to limit the number of firewall rules we have to make on customers (again, compliance reasons)

I am aware that HTTP Proxy doesn't have it built in - I am talking about deploying 2-3 regional HTTP Proxies that have a loadbalancer in front with one DNS name

Customers cannot host proxies on their sites (once more, they will not be allowing public internet access over port 80/443)

 

What i am asking, is this scenario:

can I use multiple proxies that are behind a virtual/hardware loadbalancer; 

 

So the overall purpose is to only allow agent communications AND product updates/content be distributed from our whitelisted environments; no I already tried to say that KB332 is a requirement however, our management is determined to use proxies

 

The load balancer is to also make sure that the ESMC console is NOT overloaded, as we are seeing considerable performance hits with the MSSQL Express built in

 

 

Share this post


Link to post
Share on other sites

Also bear in mind, while today we have 3k endpoints, however those numbers will be increasing drasticlally over the next year or so; our organization is pushing hard a security as a service in our portfolio; we could be looking around doubling or even tripling these numbers in the near future...

So this is also long term architecture I am looking at (and yes I'll be moving from SQL Express to full SQL)

Share this post


Link to post
Share on other sites

Ok now I think I understand. In case of DNS-based loadbalancing, I think it should work, at it is transparent to our components. ESMC Agents are using persistent connections with ESMC, but even in case it is not possible (due to timeouts triggered by longer connection interval), it should work as AGENT will just open new connection through different "path".

I asked to confirm as sometimes proxy is misunderstood as something that caches or balances communication between AGENT and ESMC, but that is not true -> all AGENT will still connect to one ESMC. But in this case use of proxy makes sense as it will serve as "router" from customers network to ESMC.

Regarding performance issues with SQL Express, I am little surprised it happens even in such small environment. I would recommend to check disk performance, as it is crucial for ESMC performance, and once there is enough resources and powerful SSD disk available, it should not be a problem to host one ESMC even for >100000 devices.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...