
Cloud Enabled Management

Date post: 08-Feb-2016
Upload: shahid-wahab-nawab
Description:
Altiris 7.5
Page 1: Cloud Enabled Management


Cloud-enabled Management

Page 2: Cloud Enabled Management

Agenda

1. Why Cloud-enabled Management?
2. Scenarios
3. SMP Internet Gateway
4. Supported Functionality
5. Installation

Managing in the Cloud 2

Page 3: Cloud Enabled Management

Disclaimer!

This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change.

This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.


Page 4: Cloud Enabled Management

Why CEM?

• IT admins want:
  – 100% visibility for the systems in the environment and what is installed on all of them
  – 100% Patch compliance
  – Consistent software delivery rollouts (up-to-date software/AV)

• Reality?
  – Not knowing how many systems are actually there
  – Unsure about the software usage within the company
  – Low Patch compliance
  – Software version inconsistency across the environment


Page 5: Cloud Enabled Management

Why is it getting harder for IT Admins?

Mobile Devices, Cloud Services, Mobile Workforce

• By 2015, over 37% of the global workforce will work outside the corporate firewall
• Laptops are consistently outselling desktops since 2008
• 54% of businesses use SaaS

CEM helps increase manageability (“Managed endpoint is a secure endpoint”)

Page 6: Cloud Enabled Management

Covered Scenarios

• Enterprises
  – Travelling employees
  – Employees working from home
  – Mainly laptops

• Highly distributed companies
  – Telecommuting employees/Home office

• Managed Service Providers (MSP)
  – No VPN link from customer to the service provider


Page 7: Cloud Enabled Management

Cloud-enabled Management (CEM)

• Allows managing endpoints over Internet
• Does not require a VPN connection to the SMP Server
• Does not require exposing management servers to the Internet
• Provides enhanced security for communications
• Built into the Agent


Page 8: Cloud Enabled Management

Cloud-enabled Agent

[Diagram. Zones: Internal, DMZ, External. Components: Agent, Internet, External Firewall, Internet Gateway, Internal Firewall, Symantec Management Platform. Callouts: "Gateway blocks un-trusted connections"; "Secure connection, No VPN required".]

Page 9: Cloud Enabled Management

Managing Through the Cloud

[Diagram. Components: Customer Site A with a Remote Package Server, Customer Site B with a Remote Package Server, Internet, SMP Internet Gateway, Symantec Management Platform. Connection labels: "CEM SSL Tunnel" (shown twice), "HTTPS".]

Page 10: Cloud Enabled Management

SMP Internet Gateway

• Placed in the Demilitarized Zone (DMZ)
• Faces the Internet
• Protects the SMP Server and Site Servers
  – That are located on the internal network
• Blocks untrusted clients
• Routes trusted clients to the management servers
• Single Gateway can serve multiple SMP and Site Servers


Page 11: Cloud Enabled Management

SMP Internet Gateway - scalability

• Internet Gateway can handle up to 3,000 concurrent connections:
  – Translates into up to 60,000 CEM-enabled nodes

• Hardware requirements:
  – Preferably physical box, 8GB RAM, 40GB HDD and dual-core CPU
  – VM-based IG offers lower scalability, but still sufficient for a fully-loaded NS


Page 12: Cloud Enabled Management

SMP Internet Gateway architecture - examples


Page 13: Cloud Enabled Management

Operating Systems Support

• Managed endpoints
  – Windows
  – No UNIX/Linux support now (Mac support upcoming)

• SMP Internet Gateway
  – Windows Server 2008 R2 SP1 (64-bit)
    • .NET Framework 3.5 SP1
    • Two NICs


Page 14: Cloud Enabled Management

Agent communication in CEM mode

• Internet Gateway is listening on port 443
• NS Agent site is configured on port 4726

[Diagram labels: https://Gateway:443; "Agent certificate for IG"; "IG certificate"; https://NS:4726; https://NS:443; "IG redirects requests to Agent Site port 4726"; "Agent certificate for NS".]

Page 15: Cloud Enabled Management

Connectivity – Automatic Connectivity Switching

• Endpoint is on the internal network
  – Communicate to the SMP Server directly

• Endpoint is on the Internet (no VPN)
  – Communicate to the SMP Server via Internet Gateway

• Endpoint is on the VPN
  – Communicate to the SMP Server directly


Page 16: Cloud Enabled Management

Connectivity – Load Balancing

• Agents can switch between gateways
• Automatic load-balancing using round-robin algorithm
• All gateways are treated equally
• Automatic failover
• Inaccessible gateways are marked as bad and skipped for a registry configurable timeout
• At least two gateways are recommended for fault-tolerance
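The connectivity switching and load-balancing behaviour on the two slides above, sketched as an added example; this is not Symantec's agent code. The names `GatewaySelector`, `choose_route`, `try_connect` and `bad_timeout` are hypothetical, and the timeout is assumed to be in seconds because the slide only says it is registry configurable.

```python
import time


class GatewaySelector:
    """Round-robin gateway choice with failover; bad gateways are skipped until a timeout."""

    def __init__(self, gateways, bad_timeout=300.0, clock=time.monotonic):
        self.gateways = list(gateways)
        self.bad_timeout = bad_timeout  # assumed seconds; the slide gives no unit or default
        self.clock = clock              # injectable so the timeout can be exercised offline
        self._cursor = 0
        self._bad_until = {}

    def mark_bad(self, gateway):
        self._bad_until[gateway] = self.clock() + self.bad_timeout

    def candidates(self):
        """Gateways in rotation order for this attempt, with currently bad ones skipped."""
        now, n = self.clock(), len(self.gateways)
        if n == 0:
            return []
        order = [self.gateways[(self._cursor + i) % n] for i in range(n)]
        self._cursor = (self._cursor + 1) % n  # next attempt starts one gateway later
        return [g for g in order if self._bad_until.get(g, float("-inf")) <= now]

    def connect(self, try_connect):
        """Return the first gateway that accepts the connection, or None if none do."""
        for gateway in self.candidates():
            if try_connect(gateway):
                return gateway
            self.mark_bad(gateway)  # failover: skip it until the timeout expires
        return None


def choose_route(smp_reachable_directly, selector, try_connect):
    """Direct on the internal network or VPN, through a gateway when on the Internet."""
    if smp_reachable_directly:
        return ("direct", None)
    gateway = selector.connect(try_connect)
    return ("gateway", gateway) if gateway else ("offline", None)


if __name__ == "__main__":
    # Constructed sample: three gateways, gw2 is unreachable.
    selector = GatewaySelector(["gw1", "gw2", "gw3"], bad_timeout=60)
    for _ in range(4):
        print(choose_route(False, selector, lambda g: g != "gw2"))
```

With a single gateway, one failure leaves the endpoint unmanaged for the whole timeout, which is why the slide recommends at least two.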

Page 17: Cloud Enabled Management

CEM Security hardening

• Unnecessary Agent communication is disabled in CEM mode
  – Power management tickle is disabled
  – Multicast is disabled
  – CTA tickle is disabled

• Secure Apache HTTP Server configuration
  – Certificate usage is enforced
  – Only manually added hosts and ports are allowed into internal network

• Server Agent Trust
  – CEM Agent web site
  – Provides access to only agent web pages
  – Requires SSL and certificates
  – CMDB resource updates are restricted for events coming to CEM web site


Page 18: Cloud Enabled Management

ITMS – What is Supported?

• Managed Software Delivery
• Quick Delivery (non real-time)
• Hardware Inventory
• Software Inventory
• Server Inventory
• App Metering
• Patch Inventory
• Patch Management Policies
• Basic Client Tasks


Page 19: Cloud Enabled Management

ITMS – Limited or No Support

• Initially no support:
  – Monitor Solution
  – Deployment Solution

• Limitations:
  – Software Portal
  – Remote and Agentless Management (OOB/RTSM)
  – Real-time tasks and jobs execution


Page 20: Cloud Enabled Management

CEM Configuration

1. Download and install SMP Internet Gateway (IG)
2. Generate IG security certificate + point IG to the SMP Server(s)
3. Configure IG on SMP Server(s) + enable clients to work over CEM
4. Optional: create and distribute offline Agent package

• Pre-requisite
  – SMP Server and clients are communicating over HTTPS


Page 21: Cloud Enabled Management

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
