SSH Tectia

Chapter 6 Distributed Environment

In large networks, SSH Tectia Manager scalability can be improved by adding Distribution Servers. If every host connects directly to the Management Server, the result is a large load both in the number of network connections and in the bandwidth required to distribute the installation packages. Distribution Servers share this load: hosts are grouped into distribution groups, and each group is served by Distribution Servers. The Distribution Servers both concentrate the network connections and cache the installation packages, easing the load on the Management Server.

Also note that the Management Server requires one file descriptor per Management Agent or Distribution Server connecting directly to it. In large environments, it is advisable to use several Distribution Servers to keep the ulimit for file descriptors at a reasonable level.

Figure 6.1. Example scenario

The hierarchy is managed using distribution groups. By default, every host resides in the top-level group and is served directly by the Management Server. From here, the administrator may create a number of distribution groups, assign one or two Distribution Servers to each group, and assign hosts to groups. After the hierarchy is deployed, the hosts in each group will disconnect and then contact the Distribution Servers of the group. The Distribution Servers will contact the Distribution Servers at the next level, or the Management Server for the groups directly under the top level.

Each Distribution Server has a hard limit of 10000 connected hosts. In practice, the number of hosts per Distribution Server should be kept lower. The architecture supports at most five levels, i.e. there can be at most five Distribution Servers in the hierarchy between a host and the Management Server.

All operations except software installation will work identically for hosts connected directly to the Management Server and for hosts connected through Distribution Servers. The hosts will register themselves to the Management Server as usual. The only difference is that the management protocol is routed through the Distribution Servers using their built-in protocol concentrator functionality.

Software installation will work normally when using distribution groups, except that the installation packages will be transferred from Management Server to each downstream Distribution Server only once. This will significantly lessen the bandwidth load the Management Server causes during installation operations, as directly connected hosts would transfer each installation package separately straight from the Management Server.

If both Distribution Servers of a group are unreachable for some reason, the hosts in the group will try to connect directly to the Management Server.
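
The limits and the fallback behaviour described in this chapter can be checked against a planned hierarchy before deployment. The following is an added example, not SSH Tectia code or an SSH Tectia file format: the dictionary layout, the group names and the function check_plan are hypothetical. It assumes the 10000-host limit applies to the hosts assigned directly to a group, with one server of a pair carrying all of them.

```python
# Added example: planning check for a distribution-group hierarchy.
# The dict layout and all names are hypothetical, not an SSH Tectia format.
MAX_HOSTS_PER_DS = 10000   # hard limit stated in this chapter
MAX_LEVELS = 5             # max Distribution Servers between host and Management Server
MAX_DS_PER_GROUP = 2       # "one or two Distribution Servers" per group


def check_plan(top):
    """Return (errors, direct_fds, fallback_fds) for a planned hierarchy.

    `top` is the top-level group: {"hosts": int, "groups": [...]}; every
    nested group also has "name" and "servers" (count of Distribution Servers).
    """
    errors = []
    largest_group = 0

    def walk(group, level):
        nonlocal largest_group
        name = group["name"]
        if level > MAX_LEVELS:
            errors.append(f"{name}: level {level} exceeds {MAX_LEVELS}")
        if not 1 <= group["servers"] <= MAX_DS_PER_GROUP:
            errors.append(f"{name}: needs 1-{MAX_DS_PER_GROUP} Distribution Servers")
        # Assumption: with one server of a pair down, the other carries all hosts.
        if group["hosts"] > MAX_HOSTS_PER_DS:
            errors.append(f"{name}: {group['hosts']} hosts exceeds {MAX_HOSTS_PER_DS}")
        largest_group = max(largest_group, group["hosts"])
        for child in group.get("groups", []):
            walk(child, level + 1)

    for g in top.get("groups", []):
        walk(g, 1)
    # One descriptor per agent or Distribution Server connected directly.
    direct = top["hosts"] + sum(g["servers"] for g in top.get("groups", []))
    # Upper estimate: the largest group's hosts fall back to the Management Server.
    return errors, direct, direct + largest_group


# Constructed sample plan.
PLAN = {"hosts": 40, "groups": [
    {"name": "emea", "servers": 2, "hosts": 6000, "groups": [
        {"name": "emea-dmz", "servers": 1, "hosts": 12000}]},
    {"name": "apac", "servers": 3, "hosts": 900},
]}

if __name__ == "__main__":
    errs, direct, fallback = check_plan(PLAN)
    print("\n".join(errs) or "plan OK")
    print(f"Management Server descriptors: {direct} normal, {fallback} on fallback")
```

The second figure is the one to compare against the Management Server's file descriptor ulimit, since a group whose Distribution Servers are both unreachable reconnects directly.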



