What Logic Does the Agent Use When Selecting an ESM Server?
Table of Contents
4.2 (EoS)
Expand all | Collapse all
-
- Set Up the Endpoint Infrastructure
- Activate Traps Licenses
-
- Endpoint Infrastructure Installation Considerations
- TLS/SSL Encryption for Traps Components
- Configure the MS-SQL Server Database
- Install the Endpoint Security Manager Server Software
- Install the Endpoint Security Manager Console Software
- Manage Proxy Communication with the Endpoint Security Manager
- Load Balance Traffic to ESM Servers
-
- Malware Protection Policy Best Practices
- Malware Protection Flow
- Manage Trusted Signers
-
- Remove an Endpoint from the Health Page
- Install an End-of-Life Traps Agent Version
-
-
- Traps Troubleshooting Resources
- Traps and Endpoint Security Manager Processes
- ESM Tech Support File
-
- Access Cytool
- View the Status of the Agent Using Cytool
- View Processes Currently Protected by Traps Using Cytool
- Manage Logging of Traps Components Using Cytool
- Restore a Quarantined File Using Cytool
- View Statistics for a Protected Process Using Cytool
- View Details About the Traps Local Analysis Module Using Cy...
- View Hash Details About a File Using Cytool
What Logic Does the Agent Use When Selecting an ESM Server?
At regular heartbeat intervals, the Traps agent receives
a list of all known ESM Servers. To evaluate the ESM Server to which
the agent will connect, Traps considers the priority and TTL (in
terms of number of hops) for each server. Traps prioritizes the
list of ESM Servers by internal IP address (priority 1), external
IP address (priority 2), followed by the ESM Server specified during
the agent installation (priority 3). For example, consider the following
scenario with four ESM Servers:
ESM Server | Internal Address TTL | External Address TTL |
|---|---|---|
A | 2 | 3 |
B | 1 | 4 |
C | 2 | 5 |
D (default install) | 2 | 5 |
After evaluating the TTL value for each ESM Server, Traps builds
an ordered list:
Priority=1, TTL=1, Latency=10.00ms, Address=https://esmserverB.example.com:2125/
Priority=1, TTL=2, Latency=20.00ms, Address=https://esmserverA.example.com:2125/
Priority=1, TTL=2, Latency=20.00ms, Address=https://esmserverC.example.com:2125/
Priority=2, TTL=3, Latency=30.00ms, Address=https://10.31.32.1:2125/
Priority=2, TTL=4, Latency=40.00ms, Address=https://10.31.32.2:2125/
Priority=2, TTL=5, Latency=50.00ms, Address=https://10.31.32.3:2125/
Priority=3, TTL=2, Latency=20.00ms, Address=https://esmserverD.example.com:2125/
In this example, ESM Server B has the lowest TTL value (fewest
number of hops) and highest priority. If Traps cannot establish
a connection to ESM Server B—the preferred ESM Server—it moves on
down the list until it is able to successfully establish an ESM
Server connection.
In the event of a tie—where two ESM Servers have the same priority
and the same TTL value—the Traps agent selects a server at random.
If no ESM Servers are reachable (the ESM Server list is empty),
the agent status changes to No Connection. After a period of inactivity,
the agent tries to connect again (by default once every minute or
as specified in an Agent Settings communication rule). The Traps
agent also periodically verifies the integrity of the ESM Server list
(by default once every hour or as specified in an Agent Settings
communication rule). The Traps agent can also immediately validate
the list of ESM Servers when any of the following occur:
- The network address of the endpoint changes
- The endpoint resumes or restarts
- The IP address for an ESM Server changes
- A manual Check-In Now is initiated from the Traps console
- A communication request from the agent to the server times out or failsIf you remove or temporarily disable an ESM Server, the ESM Console removes the ESM Server from the list of available ESM Servers and pushes it to Traps agents at the next heartbeat. However, if you specified the (now disabled) ESM Server during the Traps installation, those agents retain the (priority 3) ESM Server in the list of available ESM Servers to which they can connect.