Summary:
The deployment scheme of Trust Protection Platform for SSH depends on the number of keys, devices and agents in your infrastructure. A small number of keys and devices may need only one TPP server, while large setups need an adequate number of platforms, configured appropriately, to perform efficiently.
The general advice is as follows:
- Consuming agent input is expensive. For that reason, the total number of TPPs with VEDClient installed depends on the number of agents and their check-in intervals. The recommendation is at least 1 VEDClient pool per 1000 agents that check in for remediation every 15 minutes and for discovery every hour. If the intervals can be made longer, the number of agents a single VEDClient can handle increases linearly with the most frequent interval; for example, with a remediation schedule of once per hour and check-in and discovery schedules of once per day, a VEDClient can handle 4000 agents.
- Under high agent load, it is recommended not to run any other applications or services on the same platform as VEDClient.
- Agentless needs can be extrapolated from the base point of 1000 devices per processor core for a once-a-day discovery. So 2 SSH Managers with 4 cores each will scan 8000 devices per day. Hourly discovery of the same number of devices requires 24x the number of cores, e.g. 12 SSH Managers with 16 cores each (192 cores).
- For best performance, it is recommended to separate user-facing applications (WebSDK, Aperture, VEDAdmin) from background applications and services (such as VPlatform and SSH Manager).
- Managing certificates as well as SSH keys increases the number of platforms needed for background services.
More Info:
Example:
5000 agents will be checking in to the system, with both TLS certificates and SSH keys under management. Business needs allow a 1 hour remediation interval and a daily discovery/check-in interval.
The minimal setup is 5 TPP engines:
2 for VEDClient (together they will handle roughly 5500 connections per hour: 5000 hourly remediation check-ins plus the daily discovery and check-in traffic spread over the day)
2 for VPlatform, Certificate Manager, SSH Manager and other background services (they will operate on key and certificate data)
1 for WebSDK and the Aperture UI (not many users are expected to use the system concurrently).
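The sizing rules above and the 5000-agent example, worked through as an added Python calculator. This is example code written for this page, not a Venafi tool, and the function names are hypothetical. It assumes, as the worked example does, that VEDClient capacity scales linearly with the remediation interval (the most frequent check-in), that connections per hour can be summed across the remediation, discovery and check-in schedules, and that agentless scanning cost is linear in devices and scans per day. It also generalizes beyond the page's two data points by accepting any interval and core count.

```python
import math

# Base points stated in the sizing guidance.
BASE_AGENTS_PER_POOL = 1000        # agents per VEDClient pool ...
BASE_REMEDIATION_MINUTES = 15      # ... at a 15-minute remediation check-in
DEVICES_PER_CORE_PER_DAY = 1000    # agentless: devices per core per day, 1 scan/day


def agent_capacity_per_pool(remediation_minutes: int) -> int:
    """Agents one VEDClient pool can serve at the given remediation interval.

    Assumption: capacity scales linearly with the most frequent check-in
    interval, which is what the page's 1000 -> 4000 example implies.
    The guidance only covers intervals at or above the 15-minute base,
    so shorter intervals are rejected rather than extrapolated.
    """
    if remediation_minutes < BASE_REMEDIATION_MINUTES:
        raise ValueError("remediation interval below the documented base point")
    return BASE_AGENTS_PER_POOL * remediation_minutes // BASE_REMEDIATION_MINUTES


def vedclient_pools_needed(agents: int, remediation_minutes: int) -> int:
    """Number of VEDClient pools needed, rounding up (a partial pool is a full engine)."""
    return math.ceil(agents / agent_capacity_per_pool(remediation_minutes))


def connections_per_hour(agents: int, remediation_minutes: int,
                         discovery_minutes: int, checkin_minutes: int) -> float:
    """Approximate inbound agent connections per hour across all three schedules.

    Assumption: each schedule produces one connection per agent per interval,
    and the load can be averaged over an hour.
    """
    per_agent = sum(60.0 / m for m in (remediation_minutes, discovery_minutes, checkin_minutes))
    return agents * per_agent


def agentless_cores_needed(devices: int, scans_per_day: int) -> int:
    """Processor cores needed for agentless discovery: linear in devices and scan frequency."""
    return math.ceil(devices * scans_per_day / DEVICES_PER_CORE_PER_DAY)


def ssh_managers_needed(cores: int, cores_per_manager: int) -> int:
    """SSH Manager engines needed to supply the given number of cores."""
    return math.ceil(cores / cores_per_manager)


def size_deployment(agents: int, remediation_minutes: int, discovery_minutes: int,
                    checkin_minutes: int, agentless_devices: int = 0,
                    agentless_scans_per_day: int = 1, cores_per_manager: int = 4) -> dict:
    """Combine the rules into one sizing summary (example logic, not a Venafi formula)."""
    cores = agentless_cores_needed(agentless_devices, agentless_scans_per_day)
    return {
        "vedclient_pools": vedclient_pools_needed(agents, remediation_minutes),
        "connections_per_hour": round(connections_per_hour(
            agents, remediation_minutes, discovery_minutes, checkin_minutes)),
        "agentless_cores": cores,
        "ssh_managers": ssh_managers_needed(cores, cores_per_manager) if cores else 0,
    }


if __name__ == "__main__":
    # The page's example: 5000 agents, hourly remediation, daily discovery and check-in.
    print(size_deployment(agents=5000, remediation_minutes=60,
                          discovery_minutes=1440, checkin_minutes=1440))
    # The page's agentless examples: 8000 devices once a day, then hourly.
    print(size_deployment(agents=0, remediation_minutes=60, discovery_minutes=1440,
                          checkin_minutes=1440, agentless_devices=8000,
                          agentless_scans_per_day=1, cores_per_manager=4))
    print(size_deployment(agents=0, remediation_minutes=60, discovery_minutes=1440,
                          checkin_minutes=1440, agentless_devices=8000,
                          agentless_scans_per_day=24, cores_per_manager=16))
```

Running the first call reproduces the example's two VEDClient engines and about 5400 connections per hour (the page rounds this to 5500); the agentless calls reproduce the 2 x 4-core and 12 x 16-core figures. Because the calculator rounds up at every stage, it errs on the side of more engines, which is the direction a capacity plan should err.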