Manage Multiple ESM Servers

After installing each ESM Server (see Install the Endpoint Security Manager Server Software), the ESM Console displays identifying information about each server on the Settings > ESM > Multi ESM page.

You can modify the settings and status for an ESM Server at any time.
  • Configure proxy communication.
    This step is required only for ESM Servers that do not have access to the internet. See Manage Proxy Communication with the Endpoint Security Manager.
  • (ESM 4.1.2 and later releases) Configure an ESM Server for deployment in a perimeter network such as a DMZ.
    If you deploy an ESM Server in a perimeter network and plan to use Active Directory objects as target objects for policy rules, the server must be able to reach your LDAP server, and you must perform additional configuration from the ESM Console. This configuration is what allows remote endpoints that connect through the perimeter ESM Server to receive the latest security policy.
    1. Select Settings > ESM > Multi ESM.
    2. Select the row for the ESM Server deployed in the perimeter network.
      The ESM Console displays the settings associated with the server.
    3. Edit the settings for the ESM Server in the perimeter network.
      1. Enter the primary Internal Address and an optional secondary External Address for the server.
         To use a load balancer to manage traffic from your Traps agents, see Load Balance Traffic to ESM Servers.
      2. Enable DMZ AD Configuration and enter the Fully-Qualified Domain Name (FQDN) of the LDAP server in the format <domain>.local (for example, st2.local).
      3. To use Active Directory objects in rules, enable LDAP Authentication and provide the Username in the format <domain>\<Username> together with the associated user Password. Use the short (NetBIOS) domain name, not the FQDN, in the Username: for example, use st2\administrator instead of st2.local\administrator.
      4. Save your changes.
    4. Prioritize the ESM Server deployed in the perimeter network as a secondary ESM Server to which your agents can connect.
      1. Identify and copy the external address of the ESM Server deployed in the perimeter network.
      2. Select the row for an internal ESM Server and Edit the server settings.
      3. Enter the address of the ESM Server deployed in the perimeter network as the External Address for the internal ESM Server.
      4. Save your changes.
      5. Select the checkbox of the ESM Server deployed in the perimeter network.
      6. From the menu at the top of the page, select Disable Selected.
      This causes the Traps agents to prioritize the internal ESM Servers ahead of the ESM Server deployed in the perimeter network. For more information, see What Logic Does the Agent Use When Selecting an ESM Server?
    5. On the ESM Server deployed in the perimeter network, restart the Endpoint Security Manager Service.
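The procedure above is carried out in the ESM Console, but two of its prerequisites are easy to get wrong and are not checked by the console form: that the perimeter ESM Server can actually reach the LDAP server, and that the LDAP Authentication username uses the short domain name rather than the FQDN. The following PowerShell, added here as an example and not part of the Traps product or of this guide, runs on the perimeter ESM Server and verifies both before you save the DMZ AD Configuration: TCP reachability of the LDAP FQDN on ports 389 and 636, rejection of an FQDN-style domain in the username, and a real LDAP bind with the supplied credential. The values st2.local and st2\administrator are the page's own examples; the service display-name filter used for the final restart is an assumption and should be confirmed with Get-Service.

```powershell
# Added example: pre-checks for an ESM Server in a perimeter network. Not Traps product code.
# Run in an elevated PowerShell session on the perimeter ESM Server itself, so that the
# connectivity test reflects that server's own network path to the LDAP server.
$LdapFqdn = 'st2.local'           # FQDN entered under DMZ AD Configuration (the page's example)
$LdapUser = 'st2\administrator'   # short domain\user, NOT st2.local\administrator (the page's example)

function Test-LdapReachability {
    # Returns a hashtable of port -> $true/$false for LDAP (389) and LDAPS (636).
    param([Parameter(Mandatory)][string]$Fqdn)
    $result = @{}
    foreach ($port in 389, 636) {
        $t = Test-NetConnection -ComputerName $Fqdn -Port $port -WarningAction SilentlyContinue
        $result[$port] = [bool]$t.TcpTestSucceeded
    }
    return $result
}

function Test-LdapUsernameFormat {
    # The ESM Console expects <domain>\<Username> with the short (NetBIOS) domain name.
    # A dot in the domain part means the FQDN was used, which the procedure above says not to do.
    param([Parameter(Mandatory)][string]$User)
    $parts = $User -split '\\', 2
    if ($parts.Count -ne 2) { return $false }
    return ($parts[0] -notmatch '\.')
}

function Test-LdapBind {
    # Performs a real bind to the LDAP server with the supplied credential; $true on success.
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Add-Type -AssemblyName System.DirectoryServices
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Fqdn",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure
    )
    try {
        $null = $entry.NativeObject   # accessing the native object forces the bind
        return $true
    } catch {
        Write-Warning "Bind to $Fqdn as $($Credential.UserName) failed: $($_.Exception.Message)"
        return $false
    } finally {
        $entry.Dispose()
    }
}

# --- run the checks in the order the procedure needs them ---
$reach = Test-LdapReachability -Fqdn $LdapFqdn
foreach ($port in 389, 636) { "LDAP port $port reachable from this server: $($reach[$port])" }
if (-not ($reach[389] -or $reach[636])) {
    throw "No LDAP connectivity from this server to $LdapFqdn; open the firewall path before continuing"
}

if (-not (Test-LdapUsernameFormat -User $LdapUser)) {
    throw "Username '$LdapUser' must be <domain>\<Username> with the short domain name, e.g. st2\administrator"
}

$cred = Get-Credential -UserName $LdapUser -Message 'Password for the LDAP Authentication user'
if (-not (Test-LdapBind -Fqdn $LdapFqdn -Credential $cred)) {
    throw 'LDAP bind failed; fix connectivity or credentials before saving the DMZ AD Configuration'
}
'LDAP reachability, username format and bind are all OK'

# Step 5 of the procedure: after saving the DMZ settings in the ESM Console, restart the
# Endpoint Security Manager Service. The display-name filter is an assumption; confirm it with Get-Service.
Get-Service | Where-Object { $_.DisplayName -like '*Endpoint Security Manager*' } | Restart-Service
```

Run the script before saving the DMZ AD Configuration; a failed bind at this stage is far easier to diagnose than agents that silently stop receiving policy. If only port 636 is open, the bind above still works because the Secure flag negotiates a signed and sealed connection rather than requiring plain LDAP.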
  • (ESM 4.1.3 and later releases) Secure an external forensic folder.
    Beginning with ESM 4.1.3, the ESM Console installer automatically secures the forensic (BITSUpload) folder that your Traps agents use to upload forensic data. However, if you host the forensic folder on an external server, such as one in a perimeter network, you must secure the folder manually so that the TrapsDownloader account can access it. Note that the account name and password used below are fixed by the product and published in this guide, so do not grant the account any rights beyond the IIS authorization rule it needs. To secure the external forensic folder:
    1. On the server that hosts the forensic folder, create a local user named TrapsDownloader.
    2. Assign the user the following password: Traps!D0wnload
    3. In the IIS settings, open the BitsUploads application.
    4. Open Authentication and enable Windows Authentication.
    5. Open Authorization Rules and set the All users rule to allow only the following verbs: BITS_POST, HEAD.
    6. Add an allow rule for the TrapsDownloader user account and do not specify any verbs (an IIS authorization rule with no verbs applies to all verbs).
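The six steps above are performed by hand in IIS Manager. As an added example, not taken from the Traps documentation or product, the following PowerShell performs the same configuration on the server that hosts the forensic folder and then lists the resulting authorization rules so you can confirm the outcome matches steps 5 and 6. It assumes the BitsUploads application is published under Default Web Site (change $SiteName if not) and that the host runs Windows Server 2016 or later, which provides New-LocalUser; on older hosts create the account with net user instead. Writing the settings into applicationHost.config via a location tag, rather than the application's web.config, avoids the default lock on the authentication section.

```powershell
# Added example: automates "Secure an external forensic folder". Not Traps product code.
# Run in an elevated PowerShell session on the server that hosts the BitsUploads application.
Import-Module WebAdministration

$SiteName = 'Default Web Site'            # assumption: site that publishes the forensic folder
$AppPath  = "$SiteName/BitsUploads"
$AppHost  = 'MACHINE/WEBROOT/APPHOST'     # write into applicationHost.config under a <location> tag
$User     = 'TrapsDownloader'
$Password = ConvertTo-SecureString 'Traps!D0wnload' -AsPlainText -Force   # fixed by the product (see above)

# Windows Authentication and URL Authorization must be installed for steps 4 and 5 to take effect.
foreach ($feature in 'Web-Windows-Auth', 'Web-Url-Auth') {
    if (-not (Get-WindowsFeature -Name $feature).Installed) {
        throw "IIS feature $feature is not installed; add it before continuing"
    }
}

# Steps 1 and 2: local account with the documented password. Requires Windows Server 2016 or later.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Password -PasswordNeverExpires -UserMayNotChangePassword -Description 'Traps forensic upload account' | Out-Null
}

# Steps 3 and 4: enable Windows Authentication on the BitsUploads application only.
Set-WebConfigurationProperty -PSPath $AppHost -Location $AppPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# Steps 5 and 6: replace the inherited rules with exactly the two the procedure specifies.
$authzFilter = 'system.webServer/security/authorization'
Clear-WebConfiguration -PSPath $AppHost -Location $AppPath -Filter $authzFilter
Add-WebConfigurationProperty -PSPath $AppHost -Location $AppPath -Filter $authzFilter -Name '.' `
    -Value @{ accessType = 'Allow'; users = '*'; verbs = 'BITS_POST,HEAD' }   # All users: BITS_POST and HEAD only
Add-WebConfigurationProperty -PSPath $AppHost -Location $AppPath -Filter $authzFilter -Name '.' `
    -Value @{ accessType = 'Allow'; users = $User }                           # TrapsDownloader: no verb restriction

# Verify: show the effective rules for the application. Expect exactly the two rows added above.
Get-WebConfiguration -PSPath $AppHost -Location $AppPath -Filter "$authzFilter/add" |
    Select-Object accessType, users, roles, verbs | Format-Table -AutoSize
```

Clear-WebConfiguration is what enforces step 5: without it the inherited "All users, all verbs" rule would remain alongside the restricted one and anonymous clients would keep full verb access. Check the verification table for that case before pointing agents at the folder.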
  • Change the status of an ESM Server.
    1. Select Settings > ESM > Multi ESM.
    2. Select the checkbox for the ESM Server whose status you want to change.
    3. Select an action from the menu at the top of the page.
      • Disable Selected—Temporarily remove the ESM Server from the pool of available ESM Servers to which the Traps agents can connect. However, if the ESM Server was specified during the Traps installation, the agent retains the ESM Server on its list of available servers. After you select this action, the ESM Console changes the status of the server to Disabled. You can reactivate the ESM Server at a later date.
      • Delete Selected—Permanently remove the ESM Server from the pool of available ESM Servers to which the Traps agents can connect. As with the Disable Selected option, if the ESM Server was specified during the Traps installation, the agent retains the ESM Server on its list of available servers. After you select this action, you cannot reactivate a deleted ESM Server unless you first reinstall the ESM Server software.
      • Activate Selected—Return a disabled ESM Server to service and add it back to the pool of available servers. After you select this action, the ESM Console changes the status of the server to Active.
