Multi-ESM behavior and the use of load balancer are mutually exclusive. If you choose to use a load balancer, be sure to set all ESM Servers to "Disabled" in ESM Console's Settings > ESM > Multi-ESM tab. This setting does not disable the ESM Servers as whole; ESM Servers set to "Disabled" on this screen continue to operate as normal except that they do not participate in the Multi-ESM algorithm.
If you fail to set the ESM Servers to "Disabled" in a load-balancer configuration, the consequece will be that endpoints learn about the serves as part of their regular heartbeat cycle and then might (depending on network topology) try to connect directly to an ESM Server instead of through your load balancer.
The Multi-ESM Algorithm
On each heartbeat, each endpoint:
- Retrieves the list of ESM Servers;
- Sorts the list of known ESM Servers configured "internal" IP addresses by hop count;
- Tries to connect to the lowest; if no connection, the next lowest....; if all attempts fail:
- Sorts the list of known ESM Servers configured "external" IP address by hop count;
- Tries to connect to the lowest; if no connection, the next lowest....; if all attempts fail:
- Tries to connect to the ESM Server to which it was configured at install time.
Deployment without Load Balancer
- All ESM Servers take traffic;
- Endpoints lear the list of ESM Servers in server heartbeart;
- Endoints connect to the ESM Server that is both topologically closest and "Enabled" in the ESM console;
- More than one ESM Server direct its endpoints to the same forensic folder.
Deployment with Load Balancer
- All ESM Servers take traffic;
- Endpoints are configured to point to the load balancer VIP on port TCP 2125, and not to individual ESM Servers;
- Endpoints connect through load balancer to an ESM server based on Load Balancer algorithm configuration such as Round robin, least connections, and so on;
- All ESM Server should be set to "Disabled" in the ESM Console's Multi-ESM screen.
Willian
