Merging of FSPM servers including whitelist of device policies

Scholar

Can I merge the databases of 3 FSPM servers into one? The 3 servers were catering for different sets of clients, and each has many clients which are whitelisted to use HDDs. If I make all clients report to one server, how can I import the same settings from the different servers into a single one?

Moderator

Re: Merging of FSPM servers including whitelist of device policies

Hi sonu

I will need to check with the product team and get back to you.

Are you using v13 or v14 clients, or a mix of both?

Superuser

Re: Merging of FSPM servers including whitelist of device policies

What exactly did you do?
Whitelist internal HDDs each to the host's node?
What is that good for?

I am trying to understand the concept. Maybe there is a way simpler solution to your problem.

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntary and to the best of my knowledge, based on working with the products since 1997. For direct contact, customers please check our homepage http://www.percomp.de

F-Secure

Re: Merging of FSPM servers including whitelist of device policies

Hi Sonu,

Starting from PM 14.10, policy settings can be exported to a file and then imported into another Policy Manager instance. So, you can replicate policies from 3 PM instances to the single one and move all hosts there.

If all PMs are using the same admin pub/prv key pair, host migration would be easy: just specify the new PM address in all PMs (including the target one) and that's it. In case you use unique key pairs, the key replacer should be used for migration.

Regards,

Alex

Superuser

Re: Merging of FSPM servers including whitelist of device policies

While exporting the settings for one host does include the devices blocked, exporting a subdomain does not include individual settings for the hosts belonging to that subdomain.
Thus the effort to newly add the HDDs on the new server would be equal to exporting/importing the settings for each individual host.

I am still not sure if @_sonu really means "block all local HDDs except one"

Matthias

Scholar

Re: Merging of FSPM servers including whitelist of device policies

Thanks for all replies.

I would like to explain my whole scenario.

I have around 40k clients and 04 FSPM servers, one for each 10k clients. On each server, there are around 1000 clients which have been allowed to use HDDs, scanners or some other external devices. But each client has a different HDD and scanner, as these clients are at separate geo locations.

Now we plan to merge all 04 FSPM into one with an enhanced server configuration; I expect 16 GB RAM and a 12-core CPU for all 40k clients.

So I require a solution which can migrate all 04 FSPM to a new one, or 03 to one existing, with all policies, whether they are applied to root, a whole policy domain or an individual client.

Is it possible?

Thanks in advance.

Superuser

Re: Merging of FSPM servers including whitelist of device policies

Hi,
this is what I expected. You are talking about some 4000 external HDDs (possibly some large USB sticks as well?!) and each may only serve one (or two) hosts.

What threat are you fearing? You allow one external drive to connect to one controlled host, but you cannot disallow this drive from connecting to a foreign (external, private, unmanaged) host. What is the idea of that external HDD (or did you mean USB sticks)?

F-Secure Device Control is not ready to serve that amount of individual configurations. While on the host nothing more is needed, the PMS's UI for that module is "rudimentary" only. You should rather think about a more common, less complex setup like a subdomain of "systems to use external media". Yes, these would be allowed to swap the drives, but why not (see above, what is the idea)?

Apart from the sheer amount, Windows has changed the way external drives are identified from "USB\Class_08" to "USBSTOR\GenDisk". This might urge you to start from scratch anyway, but may depend on the exact way you identified the drives.

Apart from that, you want to manage 40.000 hosts on one PMS?

IMHO PMS is currently hardly ready to serve that. E.g. each client has a live connection to the PMS, which means you will need 40.000 sockets plus those for updates and PMS internal connections. The limit of 64k sockets will cause trouble!

Thus I have to warn you about proceeding without an F-Secure engineer at your side. R&D will also be happy to learn about the results.

We have quite long experience with customers running 23.000 hosts on a Linux-based PMS. We can assist you, but the Community Forum is the wrong place.

Matthias