Known Limitations with Multi-ESM Deployments

In a multi-ESM deployment, each ESM Server must meet the requirements specified in ESM Server Software Requirements. Multi-ESM deployments also have the following limitations:
  • Load balancing—To use a load balancer to manage traffic between multiple ESM Servers, you must specify the IP address of the load balancer—instead of the ESM Server—when you install the Traps agent. The Traps agents can then establish connections through the load balancer instead of attempting to connect directly to an ESM Server.
  • IP addressing—Each ESM Server must have a static IP address.
  • Scaling—You can install a maximum of five ESM Servers. To install additional servers, contact your Sales Engineer.
  • LDAP—To use Active Directory (AD) objects as targets for security, agent, or agent settings rules, all ESM Servers (both local and remote) must have connectivity to your LDAP server.
    In addition, to ensure your remote endpoints receive the latest security policy, follow the guidelines for your ESM version:
    • ESM 4.1.2 and later releases—To use AD objects as targets for security, agent, and agent settings rules, you must identify the ESM Server deployed in a perimeter network as a DMZ deployment and specify the LDAP domain name in the server settings. For more information on configuring an ESM Server for deployment in a perimeter network, see Manage ESM Server Settings.
    • ESM 4.1.0 and ESM 4.1.1—In a multi-ESM deployment where an ESM Server cannot query the LDAP server—for example an ESM Server deployed in a perimeter network such as a DMZ—and rules specify AD objects, the Traps agents which connect to the ESM Server will not be able to obtain the security policy and will display a disconnected status. This means that if you install Traps agents to communicate with the external ESM Server and specify AD objects in your rules, the Traps agents will not receive any security policy until they connect to an internal ESM Server which can communicate with your LDAP server. To apply rules to a specific group of endpoints when an ESM Server cannot query your LDAP server, we recommend that you remove any AD objects from your security policy and instead define match conditions and apply them to your rules as needed.
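The limitations listed above can be checked mechanically before Traps agents are rolled out. The following script is an added example, not Palo Alto Networks code: the configuration schema (server list, rule list, agent install target, load balancer address) and the sample deployment are assumptions constructed for illustration. It encodes the scaling, load-balancer, static-IP and LDAP rules from this page and reports which ESM Servers would leave their agents without a security policy.

```python
"""Pre-deployment check for the multi-ESM limitations above.

Added example with an assumed configuration schema; the field names here are
not ESM settings and the sample deployment below is constructed for this page.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_ESM_SERVERS = 5            # scaling limit stated on the page
DMZ_AWARE_VERSION = (4, 1, 2)  # release that adds the DMZ-deployment server setting


@dataclass
class EsmServer:
    name: str
    version: str                  # ESM release, e.g. "4.1.2"
    ip: str
    static_ip: bool               # False if the address is DHCP-assigned
    ldap_reachable: bool          # can this server query the LDAP server?
    dmz_deployment: bool = False  # identified as a DMZ deployment (ESM 4.1.2+)
    ldap_domain: str = ""         # LDAP domain name in server settings (ESM 4.1.2+)


@dataclass
class Rule:
    name: str
    ad_targets: List[str] = field(default_factory=list)  # AD objects used as targets


@dataclass
class Deployment:
    servers: List[EsmServer]
    rules: List[Rule]
    agent_target: str           # address given to the Traps agent at install time
    load_balancer_ip: str = ""  # empty when no load balancer is used


Finding = Tuple[str, str, str]  # (scope, code, message)


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def check_deployment(d: Deployment) -> List[Finding]:
    """Return one finding per violated limitation; an empty list means clean."""
    findings: List[Finding] = []
    if len(d.servers) > MAX_ESM_SERVERS:
        findings.append(("deployment", "TOO_MANY_SERVERS",
                         f"{len(d.servers)} ESM Servers exceed the limit of "
                         f"{MAX_ESM_SERVERS}; contact your Sales Engineer"))
    # With a load balancer, agents must be installed against the balancer, not an ESM.
    if d.load_balancer_ip and d.agent_target != d.load_balancer_ip:
        findings.append(("deployment", "AGENT_TARGET_NOT_LB",
                         f"agents target {d.agent_target}; they must use the "
                         f"load balancer {d.load_balancer_ip}"))
    ad_rules = [r.name for r in d.rules if r.ad_targets]
    for s in d.servers:
        if not s.static_ip:
            findings.append((s.name, "NON_STATIC_IP", f"{s.ip} is not a static address"))
        # The LDAP limitation only bites when rules target AD objects and the
        # server cannot reach the LDAP server (typically a DMZ deployment).
        if not ad_rules or s.ldap_reachable:
            continue
        if _version(s.version) >= DMZ_AWARE_VERSION:
            if not (s.dmz_deployment and s.ldap_domain):
                findings.append((s.name, "DMZ_NOT_CONFIGURED",
                                 f"rules {ad_rules} use AD targets; mark the server "
                                 "as a DMZ deployment and set the LDAP domain name"))
        else:
            findings.append((s.name, "NO_POLICY_WITHOUT_LDAP",
                             f"ESM {s.version} cannot query LDAP; agents here stay "
                             f"disconnected while rules {ad_rules} use AD objects; "
                             "replace AD targets with match conditions"))
    return findings


# Constructed sample: one internal server and two perimeter servers.
SAMPLE = Deployment(
    servers=[
        EsmServer("esm-internal-1", "4.1.2", "10.0.1.10", True, True),
        EsmServer("esm-dmz-1", "4.1.2", "192.0.2.10", True, False),
        EsmServer("esm-dmz-legacy", "4.1.1", "192.0.2.11", False, False),
    ],
    rules=[
        Rule("Block-Office-Macros", ["CN=Finance,OU=Groups,DC=example,DC=com"]),
        Rule("Default-Protection"),
    ],
    agent_target="10.0.1.10",   # agents were pointed at an ESM, not the balancer
    load_balancer_ip="10.0.1.5",
)

if __name__ == "__main__":
    for scope, code, message in check_deployment(SAMPLE):
        print(f"{scope:16} {code:24} {message}")
```

Running the script against the sample reports the mis-targeted agents, the DMZ server that has not been flagged as a DMZ deployment, and the 4.1.1 perimeter server whose agents would stay disconnected; removing the AD targets from the rules, as the page recommends for that release, clears both LDAP findings.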
