Large Multi-Site Deployment with Roaming Agents (Without VPN)

system-arch-multi-site-roaming-no-vpn.png
This deployment scenario consists of the following components:
  • One dedicated database server
  • One ESM Console in the same location as the database for managing the security policy and Traps agents
  • One ESM Server for every 30,000 Traps agents (for a maximum of 150,000 agents) in each site
  • One ESM Server with a public-facing DNS record that accepts connections from roaming Traps agents configured in one of two ways:
    • Configured with a port that accepts connections from external networks
    • Installed in a perimeter network such as a DMZ with a connection to the internal database server
      This server can also function as a backup server.
  • One forensic folder for each ESM Server that is accessible by all endpoints for storing real-time forensic details about security events
  • (Recommended) WildFire integration
  • (Optional) Load balancer for distributing traffic across ESM Servers
  • (Optional) External logging platform such as an SIEM or syslog
In this example, Sites A, B, C, and D each need to support up to 30,000 Traps agents. An additional site supports Traps agents that are roaming. To support this scenario, each site contains an ESM Server that retrieves the security policy from the database located at Site A. Internal endpoints connect to the Endpoint Security Manager using their local ESM Servers. External endpoints connect through a publicly available ESM Server located in a DMZ or through a port that is configured to allow traffic from external networks. If an endpoint is roaming and cannot connect to the ESM Server, Traps collects prevention data locally until the agent can establish a connection to the forensic folder.
For additional deployment considerations, see Known Limitations with Multi-ESM Deployments.

Related Documentation