Seperate FNMS server roles 100k devices
I am planning a new implementation with 100k devces.
According the installation guide you should seperate the inventory server from 50K FNMS devices. Because of this I have a few questions:
1 : How do you configure the beacon data to point to inventory server A and the other to B? Is this done in the parent connections?
2: Do you create 2 IM databases or just one?
3: How serious should I take the 50K FNMS devices limit? Whould it also be sufficiënt if I just seperate the Web application server and the Inventory and batch on one server with 100k endpoint devices reporting. (With of course the right amount scalled Hardware)
4 : What are the Hardware requirements details per Server role type. So Web, Inventory and batch
Hi @Ronny_OO7 - just wanted to wish you happy new year & good luck with this project - it is really helpful to hear these considerations and considerations. 🙂
Accept as solution to help others find it faster.
Good to hear you like the considerations and considerations. 🙂
Oh my goodness! It's certainly not such a list to require two considerations. Apologies about that!
Accept as solution to help others find it faster.
You will need 1 IM database.
Each beacon will point to your Process server which does the actual entry of data into the database.
As for real beacon capacity, a lot depends on how your organization wants to work.
How often do you want inventory data?
How big a window do you have to gather data?
Are you going to gather a software inventory (required for Adobe Acrobat since the only way to tell edition is from the swig file)
There are additional questions that are network related and most organizations consider proprietary as part of defense in depth.
Are the beacons physical or virtual?
What is the hardware config and the actual load on the physical server?
I have seen beacons overwhelmed with a daily full hardware & software inventory done within a 5 hour window using beacon minimum hardware configs.
Thanks for your response.
The processing server can be devided in 2 roles : Batch with only 1 max and Inventory server with 1 server per 50K devices.
So I assume you point the Beacon to the Inventory server
I expect that the customer is planning to do a daily inventory and also 30min hardware scanning. Let's just assume the worst case scenario with most inventory files possible. We plan to do Hardware and software inventory including filescanning .
All machines will be Virtual. And Hardware config is depending on what Flexera advises if you seperate the servers. I know the configs for 1 App server with all 3 roles and then Seperate Beacons and SQL Server
Regarding 1 : How do you configure the beacon data to point to inventory
server A and the other to B? Is this done in the parent connections?
--> We have two inventory server in load balancer and use the URL of the load balancer in the parent connections.
Regarding 2: Do you create 2 IM databases or just one?
--> We have just one IM database but in a SQL availability group.
Is working for 150k devices.
Correct, the load balancer decide it and you can check it in the IIS logs of the server.
When you stop the IIS service on one of the server the other one takeover without any interruption.
Agents report to the beacons based off of the fully qualified DNS names used in registering the beacon servers. The agents have a number of randomization methods (some may actually work well for an all Microsoft shop). The latest beacons are supposed to have a method to tell them to only accept connections from certain subnets but I have not tried that yet.
Worst case would be Agents daily full inventory scanning all files on the hard drive with the IBM every 30 minute verification for sub-capacity.
The documentation on FNMS says a beacon can due up to 50,000 agents with only differential hardware and not specifying scan frequency but suspect they are expecting weekly.
Your every 30 minute IBM sub-capacity scan will generate files for each of the VM hosts, depending on size of host your files will be in the 60-70kb range uncompressed. The VM's will send a hardware only compressed inventory of about 15kb every 30 minutes.
Desktops will send compressed inventory files in the 2 MB range starting shortly after the start window. (if you have catchup turned on, you systems that were turned off will report in shortly after startup and will spike the processor during inventory, and depending on anti-virus rules may really make the first 20 minutes sluggish for users.
all the inventory files are sent to disk by the beacons web server.
inventory files are uploaded and removed from the file system by a separate process.
Disk IO is usually the bottleneck and your vm's storage will be the hold up.
The process server's ability to process the inventory files is dependent on the SQL server's ability to process the requests.
Note: your beacons will also need to be doing discovery regularly even if you are not adopting clients. Auditors expect FNMS to be scanning everywhere and you will need to explain anything that doesn't resolve and why any subnet is not being scanned.
a minimum requirements beacon begins choking on worst case at about 3000 clients in a 5 hour window from my experience.
In this case my concern is not with the agents or Beacon. It is just Flexera stated that above 50K device Inventory server should be seperated and when another 50K arrives it should be split in to two inventory servers. So I am thinking of splitting Web, Batch and Inventory server.
I would split of the WebUI from the main server.
Make sure the Import and export shares on the Process server are working and that the account used for MSMQ on the WebUI server can read and write there. depending on how stringent your security rules are the built in creation may not get you by.