User manual MCAFEE ENDPOINT ENCRYPTION ENTERPRISE BEST PRACTICES GUIDE

[. . . ] McAfee® Endpoint Encryption Enterprise Best Practices Guide November 2009 1 Copyright © 2009 McAfee, Inc. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc. , or its suppliers or affiliate companies. 2 Contents INTRODUCTION PURPOSE OF THIS GUIDE RELEVANT PRODUCTS SOLUTION ARCHITECTURE DESIGN PHILOSOPHY SERVER CONFIGURATION BASIC SERVER REQUIREMENTS RECOMMENDED SERVER HARDWARE SERVER REDUNDANCY HOT BACKUP DATABASES CLUSTERING LOAD BALANCING SERVER AND OBJECT DIRECTORY OPTIMISATION ENDPOINT TO SERVER COMMUNICATION NETWORK LOAD ESTIMATION ESTIMATING THE SIZE OF THE OBJECT DIRECTORY TYPICAL GROWTH OF 5000 USER/MACHINE OBJECT DIRECTORY VIRTUAL SERVERS GLOBAL DEPLOYMENTS OPTIMISATION ACTIONS OPTIMISATION ACTIONS OVERVIEW NAME INDEXING (DBCFG. INI) WARNINGS DBCFG. INI GROUP SIZES TCP/IP KEEPALIVETIME REDUCTION LAST ACCESS TIME STAMP (NTFSDISABLELASTACCESSUPDATE) WINDOWS SERVER AS A FILE SERVER OBJECT DIRECTORY BACKUP TOOL SETUP ANTIVIRUS SCANNER WINDOWS PERFORMANCE MANAGING AUDITS FILE CACHE ON RAID HARD DRIVE CONTROLLER CONNECTION SPEED OBJECT DIRECTORY PHYSICAL LOCATION OBJECT DIRECTORY ACCESS SEARCHING FOR OBJECTS CLEARING DELETED OBJECTS SBSERVER. INI 5 5 5 6 6 7 7 7 8 8 8 8 9 9 9 10 10 11 11 12 13 13 13 14 15 15 15 16 16 17 17 17 17 18 18 18 18 18 3 OBJECT DIRECTORY MAINTENANCE MAINTENANCE INTRODUCTION ENVIRONMENT AUDIT MAINTENANCE EXTRACTING AND CLEARING AUDIT FROM THE DATABASE CLEARING THE AUDIT DELETED ITEMS CLEANUP CHECKING FOR DATABASE CORRUPTION WHY DOES THE DATABASE GET CORRUPTED? ORPHANED OBJECTS RESTORE COMMANDS CLEANUP COMMANDS DUMP MACHINE DESCRIPTION USER OBJECTS GENERAL PERFORMANCE TIPS GENERAL ADVICE DEFAULT PRODUCT SETTINGS (FOR MAXIMUM COMPATIBILITY). THINGS TO AVOID 19 19 19 19 19 19 20 20 20 21 21 21 22 23 24 24 25 4 Introduction Purpose of this Guide When planning a large rollout of Endpoint Encryption v5, it is important to understand the process of scaling the back end Object Directory and the associated Endpoint Encryption Communications Server processes to meet requirements. [. . . ] A user group of 5000 can take 20 seconds or more to open even on a fast server. Optimally 1000 or less will work well in many cases for faster access to groups on any server. Also assigning large group of users directly to a client can have performance implications (network/server performance, slow client boot up and sync times and installation processes) so smaller groups are better. 14 TCP/IP KeepAliveTime Reduction Reduce this setting on all EEPC servers from two hours (the default) to five minutes. Once this is done, if an endpoint client loses the connection with the server, the server will release the lock after approximately 5 minutes. This will also prevent broken remote sbadmcl connections from locking the scripting user account for 2 hours. Extra info The KeepAliveTime setting controls how often keepalive packets are sent in milliseconds (300, 000 is recommended). It controls how often TCP sends a keepalive packet to verify that an idle connection is still intact. If the remote computer is still reachable, it acknowledges the keepalive packet. MS KB article: http://support. microsoft. com/default. aspx?scid=kb;enus;324270#EQACAAA Key: Tcpip\Parameters Value Type: REG_DWORD (Time in milliseconds) Valid Range: 10xFFFFFFFF Default: 7, 200, 000 (two hours) NOTE: A similar setting KeepAliveInterval has a default 1000 (= 1 second), this setting is correct so do not change this. Open Regedit Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Open or create the Dword KeepAliveTime Change the value to 300000 in decimals (Time in milliseconds) Last Access Time Stamp (NtfsDisableLastAccessUpdate) With large databases, it is possible that some groups may become overpopulated. When a large group is opened (for example one with over 5000 users), it can take some time to open. To reduce hard disk read and write time, a registry setting can be set to prevent the Last Access time stamp from being updated on every file access. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem. Create a new DWORD value, or modify the existing value, named "NtfsDisableLastAccessUpdate" and set it to "1". Microsoft article: http://technet2. microsoft. com/WindowsServer/en/library/80dc50667f134ac38da8 48ebd60b44471033. mspx?mfr=true 1. 3. Windows Server as a File Server Tune Microsoft Windows 2003 server to be a file server. See the Microsoft article http://support. microsoft. com/kb/174619 about this. Theory Increase NTFS MFT (Master File Table, used to be FAT) to 50% of the disk space. The result is that small files are being stored in the MFT and not as separate files in the NTFS. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem. If not exists, create a new DWORD NtfsMftZoneReservation in the registry and set its value to 4. [. . . ] Alternatively, use with a floppy disk drive or bootable CD (make an ISO from the floppy disk to make a bootable CD). For example, changing the encryption state and upgrading EEPC clients at the same time will cause problems. Do one major thing at a time, allow clients to sync and perform the change, then make the second change. Do not assign multiple unnecessary file groups as a "catch all" for all possible hardware/software combinations. [. . . ]