Good day,
I am planning a new implementation with 100k devices.
According to the installation guide you should separate the inventory server from 50K FNMS devices. Because of this I have a few questions:
1 : How do you configure the beacon data to point to inventory server A and the other to B? Is this done in the parent connections?
2: Do you create 2 IM databases or just one?
3: How seriously should I take the 50K FNMS devices limit? Would it also be sufficient if I just separate the Web application server and the Inventory and batch on one server with 100k endpoint devices reporting? (With of course the right amount of scaled hardware)
4 : What are the hardware requirement details per server role type? So Web, Inventory and batch.
Regards
Ronald
‎Jan 07, 2021 06:45 AM - edited ‎Jan 07, 2021 07:19 AM
Hi @Ronny_OO7 - just wanted to wish you happy new year & good luck with this project - it is really helpful to hear these considerations and considerations. 🙂
‎Jan 07, 2021 07:10 AM
‎Jan 07, 2021 07:16 AM
Oh my goodness! It's certainly not such a list to require two considerations. Apologies about that!
‎Jan 07, 2021 07:52 AM
‎Jan 07, 2021 08:00 AM
Hi Ron,
You will need 1 IM database.
Each beacon will point to your Process server which does the actual entry of data into the database.
As for real beacon capacity, a lot depends on how your organization wants to work.
How often do you want inventory data?
How big a window do you have to gather data?
Are you going to gather a software inventory? (Required for Adobe Acrobat, since the only way to tell the edition is from the swid file.)
There are additional questions that are network related and most organizations consider proprietary as part of defense in depth.
Are the beacons physical or virtual?
What is the hardware config and the actual load on the physical server?
I have seen beacons overwhelmed with a daily full hardware & software inventory done within a 5 hour window using beacon minimum hardware configs.
Jeff
‎Jan 07, 2021 08:29 AM
‎Jan 07, 2021 08:45 AM
Regarding 1 : How do you configure the beacon data to point to inventory
server A and the other to B? Is this done in the parent connections?
--> We have two inventory servers in a load balancer and use the URL of the load balancer in the parent connections.
Regarding 2: Do you create 2 IM databases or just one?
--> We have just one IM database but in a SQL availability group.
It is working for 150k devices.
‎Jan 07, 2021 08:42 AM
‎Jan 07, 2021 08:48 AM
Correct, the load balancer decides it and you can check it in the IIS logs of the server.
When you stop the IIS service on one of the servers, the other one takes over without any interruption.
‎Jan 07, 2021 08:55 AM - edited ‎Jan 07, 2021 08:57 AM
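One way to run the IIS log check mentioned above, as an added example that is not part of any poster's reply: it tallies requests per load-balanced node from W3C extended logs. The node names, IP addresses and upload path are constructed placeholders, not FNMS values.

```python
# Constructed sample W3C logs, one per load-balanced node. Node names,
# IP addresses and the upload path are placeholders, not FNMS values.
SAMPLE_LOGS = {
    "INV-A": (
        "#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status\n"
        "2021-01-07 08:00:01 10.0.0.11 PUT /upload/placeholder 10.0.1.21 200\n"
        "2021-01-07 08:00:04 10.0.0.11 PUT /upload/placeholder 10.0.1.22 200\n"
        "2021-01-07 08:00:09 10.0.0.11 PUT /upload/placeholder 10.0.1.21 503\n"
    ),
    "INV-B": (
        "#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status time-taken\n"
        "2021-01-07 08:00:02 10.0.0.12 PUT /upload/placeholder 10.0.1.23 200 95\n"
        "2021-01-07 08:00:06 10.0.0.12 PUT /upload/placeholder 10.0.1.21 200 110\n"
    ),
}


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def summarize(logs):
    """Per node: request count, distinct clients, 5xx count, traffic share."""
    stats = {}
    for node, text in logs.items():
        rows = list(parse_w3c(text))
        stats[node] = {
            "requests": len(rows),
            # c-ip is the load balancer itself unless it preserves the source.
            "clients": len({r["c-ip"] for r in rows}),
            "errors_5xx": sum(r["sc-status"].startswith("5") for r in rows),
        }
    total = sum(s["requests"] for s in stats.values()) or 1
    for s in stats.values():
        s["share"] = round(s["requests"] / total, 2)
    return stats


def idle_nodes(stats, min_share=0.1):
    """Nodes receiving less than min_share of requests (possible LB issue)."""
    return sorted(n for n, s in stats.items() if s["share"] < min_share)
```

Running it over logs taken before and after stopping IIS on one node shows that node's share drop to zero while the other absorbs the requests.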
Agents report to the beacons based off of the fully qualified DNS names used in registering the beacon servers. The agents have a number of randomization methods (some may actually work well for an all Microsoft shop). The latest beacons are supposed to have a method to tell them to only accept connections from certain subnets but I have not tried that yet.
Worst case would be Agents daily full inventory scanning all files on the hard drive with the IBM every 30 minute verification for sub-capacity.
The documentation on FNMS says a beacon can do up to 50,000 agents with only differential hardware and not specifying scan frequency, but I suspect they are expecting weekly.
Your every 30 minute IBM sub-capacity scan will generate files for each of the VM hosts; depending on the size of the host, your files will be in the 60-70kb range uncompressed. The VMs will send a hardware only compressed inventory of about 15kb every 30 minutes.
Desktops will send compressed inventory files in the 2 MB range starting shortly after the start window. (If you have catchup turned on, your systems that were turned off will report in shortly after startup and will spike the processor during inventory, and depending on anti-virus rules may really make the first 20 minutes sluggish for users.)
All the inventory files are sent to disk by the beacon's web server.
Inventory files are uploaded and removed from the file system by a separate process.
Disk IO is usually the bottleneck and your vm's storage will be the hold up.
The process server's ability to process the inventory files is dependent on the SQL server's ability to process the requests.
Note: your beacons will also need to be doing discovery regularly even if you are not adopting clients. Auditors expect FNMS to be scanning everywhere and you will need to explain anything that doesn't resolve and why any subnet is not being scanned.
A minimum requirements beacon begins choking on worst case at about 3000 clients in a 5 hour window from my experience.
‎Jan 11, 2021 10:00 AM
‎Jan 13, 2021 05:25 AM
I'm pretty sure, for the batch, you can use only one server (mt, on premise).
‎Jan 13, 2021 06:01 AM
‎Jan 13, 2021 09:34 AM
You can have:
2 web servers (load balancer)
2 upload servers (load balancer)
but only 1 batch server
My answer was about using a load balancer.
‎Jan 13, 2021 10:10 AM
‎Jan 14, 2021 04:10 AM
I would split off the WebUI from the main server.
Make sure the Import and export shares on the Process server are working and that the account used for MSMQ on the WebUI server can read and write there. Depending on how stringent your security rules are, the built-in creation may not get you by.
‎Jan 13, 2021 09:03 AM
‎Jan 13, 2021 09:34 AM