Install Deep Security Manager on multiple nodes

Instead of running Deep Security Manager on one server, you can install Deep Security Manager on multiple servers ("nodes") and connect them to one shared database. This provides better:

  • Reliability
  • Availability
  • Scalability
  • Performance

You can log in to any node. Each node can do all types of tasks. No node is more important than any of the others. A node failure does not cause service downtime, and does not result in data loss. Deep Security Manager processes many concurrent activities in a distributed pool that all online nodes execute. All activity that does not happen due to user input is packaged as a job, and runs on any available manager (with some exceptions for "local" jobs that are executed on each node, like cache clearing).

Each node must run the same Deep Security Manager software version. When you upgrade, the first manager you upgrade will temporarily take over all duties and shut down the other nodes. On Administration > Manager Nodes, other nodes' status will be "Offline" with an indication that an upgrade is required. Once upgraded, nodes will automatically return online and begin processing again.

Set up a load balancer

If you are deploying multiple server nodes of Deep Security Manager for a large scale deployment, a load balancer can help distribute connections with agents and appliances. Load balancers with virtual IPs can also provide a single inbound port number such as TCP 443, instead of the multiple port numbers that Deep Security normally requires.

Balance load based upon TCP connections; do not use SSL termination. This ensures that an entire connection occurs with the same manager node. The next connection may be distributed to a different node.

For more Deep Security Manager deployment recommendations, see the Deep Security Best Practice Guide.

Configure the load balancer in Deep Security

By default, a multi-node manager gives the address of all nodes to all agents and virtual appliances. The agents and virtual appliances randomly select a node from the list when they try to connect. If they cannot, then they try another node on the list, continuing this process until either a connection succeeds, or no nodes can be reached. If they can't reach any node, then they wait until the next heartbeat to try again.

Each time a node is added or removed, an updated list is sent to all agents and virtual appliances. Until then, connections to old nodes may fail, and the new node will be unused. This causes slow communications and increased network traffic. To avoid this, instead configure agents and virtual appliances to connect via the load balancer's address.

Deep Security load balancer port 443

Add a node

  1. Set up a load balancer.
  2. After you have installed Deep Security Manager on one server node, run the installer again on another server. Make sure you follow the guidelines below.
    • Install the same version of the manager on all nodes.
    • Never run more than one instance of the installer at the same time. Doing so can lead to unpredictable results including corruption of the database.
    • Connect all nodes to the same database.
    • Make sure all nodes use the same master key (if configured).
    • Have the master key always available so that all nodes can decrypt and read the encrypted configuration properties and personal data when required. For more information, see masterkey.
    • If the installer shows a Master Key page with the following text: Type the local secret used to access the master key. All nodes that belong to the same Deep Security Manager must be configured with the same local secret. On this page, enter the secret that you specified when you set up the first node. For details, see Install the manager.
    • Set the system clock of each manager node to use the same time zone. The database must also use the same time zone. If the time zone is different, this causes Manager Time Out of Sync errors.

Remove a node

Before you remove or replace a server, you should remove it from the pool of Deep Security Manager nodes.

  1. Halt the service or uninstall Deep Security Manager on the node that you want to remove.

    Its status must change to "Offline".

  2. Log into Deep Security Manager on another node.
  3. Go to Administration > Manager Nodes.
  4. Double-click the node that you want to remove.

    The node's Properties window should appear.

  5. In the Options area, click Decommission.

Upgrade a node

Follow the instructions in Upgrade the manager in a multi-node deployment for details on upgrading manager nodes.

Viewing node statuses

To display all Deep Security Manager nodes along with their status, combined activity, and jobs being processed, go to Administration > System Information. From the drop-down menu, select which graph you want to view.

Network Map with Activity Graph

The Network Map with Activity Graph in the System Activity area displays a map of all installed manager nodes and their current status as well their relative activity over the last hour. The nodes can be in the following states:

  • Online
  • Offline
  • Offline (Upgrade Required)
All Deep Security Manager nodes periodically check the health of all other nodes. If any manager node loses network connectivity for more than 3 minutes, it is considered offline. The remaining nodes assume its tasks.

Jobs by Node

This chart displays the number of jobs carried out over the last hour by each node.

Jobs by Type

This chart displays the jobs carried out over the last hour by type.

Total jobs by node and type

This chart displays the number of job types for each node over the last hour.