You must take several factors into consideration before deploying TMCM to your network. This article helps you plan for TMCM deployment.
Deployment is the process of strategically distributing TMCM servers in your network environment to facilitate and provide optimal management of antivirus and content security products. Deploying enterprise-wide, client-server software like TMCM to a network requires careful planning and assessment. For ease of planning, Trend Micro recommends two deployment architectures:
- Single-site deployment: Refers to distributing and managing endpoints from a single TMCM located in a central office. If your organization has several offices but has fast and reliable local and wide area network connections between sites, single-site deployment still applies to your environment.
- Multiple-site deployment: Refers to distributing and managing TMCM servers in an organization that has main offices in different geographical locations.
Single-site deployment refers to distributing and managing endpoints from a single TMCM located in a central office.
This picture shows a single-server deployment using a TMCM and managed products.
Before deploying TMCM to a single site, complete the following tasks:
- Determine the number of managed products and endpoints.
- Designate the TMCM Standard server or TMCM Advanced server.
Given the uniqueness of each network, exercise judgment as to how many TMCM servers would be optimal. Deploy TMCM servers in a number of different locations, including the demilitarized zone (DMZ) or the private network. Position the TMCM server in the DMZ on the public network to administer managed products or endpoints, and access the TMCM web console using Internet Explorer over the Internet.
This picture shows a multi-site deployment using multiple Control Manager Advanced parent servers.
Consider the following for multi-site deployment:
- Group the managed products and endpoints.
- Determine the number of sites.
- Determine the number of managed products and endpoints.
- Plan for network traffic.
- Decide where to install the Control Manager server.
TMCM generates network traffic when the server and managed products or endpoints communicate. Plan the TMCM network traffic to minimize the impact on an organization's network.
These are the sources of TMCM-related network traffic:
- Communicator schedule
- Managed product registration to TMCM server
TMCM servers, by default, contain all the product profiles available at the time of the TMCM release. However, if you register a new version of a product to TMCM, and that version does not correspond to any existing product profile, the new product uploads its profile to the TMCM server. For brand-new Trend Micro products that have not had a product profile, Trend Micro delivers updates to enable TMCM to identify these products.
- Downloading and deploying updates
- Policy deployment
Consider the following when planning for server distribution:
- Administration models
- Control Manager server distribution
- Single-server topology
- Multiple-server topology
Understanding Administration Models
Early in the TMCM deployment, determine exactly how many people you want to grant access to your TMCM server. The number of users depends on how centralized you want your management to be.
The guiding principle is that the degree of centralization is inversely proportional to the number of users. Follow one of these administration models:
- Centralized management: This model gives TMCM access to as few people as possible. A highly centralized network would have only one administrator, who then manages all the antivirus and content security servers on the network.
Centralized management offers the tightest control over your network antivirus and content security policy. However, as network complexity increases, the administrative burden may become too much for one administrator.
- Decentralized management: This is appropriate for large networks where system administrators have clearly defined and established areas of responsibility. For example, the mail server administrator may also be responsible for email protection; regional offices may be independently responsible for their local areas.
A main TMCM administrator would still be necessary, but he or she shares the responsibility for overseeing the network with other product or regional administrators.
Grant TMCM access to each administrator, but limit access rights to view and/or configure segments of the TMCM network that are under their responsibility.
With one of these administration models initialized, you can then configure the Product Directory and necessary user accounts to manage your TMCM network.
Understanding Control Manager Server Distribution
TMCM can manage products regardless of physical location, and so it is possible to manage all your antivirus and content security products using a single TMCM server. However, there are advantages in dividing control of your TMCM network among different servers. Based on the uniqueness of your network, you can decide the optimum number of TMCM servers.
The single-server topology facilitates administration by a single administrator, but does not preclude the creation of additional administrator accounts as required by your administration plan. However, this arrangement concentrates the burden of network traffic (agent polling, data transfer, update deployment, and so on) on a single server, and the LAN that hosts it. As your network grows, the impact on performance also increases.
For very large enterprises with multiple sites, it may be necessary to set up regional TMCM servers to divide the network load.
For additional information, refer to the Control Manager Installation Guide.