Tectia Manager scalability can be improved by adding Distribution Servers into large networks (with > 2000 hosts). Distribution Servers act as management connection proxies for the managed hosts, concentrating management connections and caching binaries and configuration files for distribution. They are low-maintenance software components with no management database or user interface, and can be deployed and configured by the Management Server.
Any Management Agent can be nominated as a Distribution Server, but make sure that the selected hosts have space for caching the installation packages and that other hosts can connect to them.
The distribution architecture supports five levels, which means that there can be at most five Distribution Servers in the hierarchy between a host and the Management Server. Each Distribution Server has a hard limit of 10,000 connected hosts. In practice, the number of hosts per Distribution Server should be kept lower.
With Distribution Servers, the load is shared more evenly, and the required bandwidth and the number of network connections are reduced compared to every host connecting directly to the Management Server. Also note that the Management Server requires one file descriptor per Management Agent or Distribution Server connecting directly to it. In large environments, it is advisable to use several Distribution Servers to keep the ulimit for file descriptors at a reasonable level.
Large networks can be arranged into several distribution groups, each served by one or two Distribution Servers. When two Distribution Servers have been defined for a distribution group, they act as backup for each other. If a host cannot connect to the first Distribution Server, it attempts to connect to the second one. If connections to both Distribution Servers fail, the Management Agents on the hosts connect to the Management Server directly.
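The limits above can be checked against a planned topology before deployment. The following Python sketch is an added example, not part of Tectia Manager: the node names, the `reserved_fds` allowance, and the reading of "connected hosts" as connections terminating directly on a Distribution Server are assumptions.

```python
from collections import Counter

MS = "management-server"   # hypothetical node name for the Management Server
MAX_DS_BETWEEN = 5         # page: at most five Distribution Servers between host and MS
MAX_HOSTS_PER_DS = 10_000  # page: hard limit of connected hosts per Distribution Server

def ds_chain(node, parent):
    """Return the Distribution Servers between node and the Management Server."""
    chain, seen = [], {node}
    cur = parent[node]
    while cur != MS:
        if cur in seen or cur not in parent:
            raise ValueError(f"{node}: broken or cyclic path at {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = parent[cur]
    return chain

def check_topology(parent, fd_limit, reserved_fds=64):
    """Validate a plan mapping each agent to its upstream node; [] means OK."""
    findings = []
    direct = Counter(parent.values())  # connections terminating on each node
    for node in parent:
        try:
            depth = len(ds_chain(node, parent))
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if depth > MAX_DS_BETWEEN:
            findings.append(f"{node}: {depth} Distribution Servers upstream (max {MAX_DS_BETWEEN})")
    for ds, count in direct.items():
        if ds != MS and count > MAX_HOSTS_PER_DS:
            findings.append(f"{ds}: {count} connected hosts (max {MAX_HOSTS_PER_DS})")
    # One file descriptor per direct connection; reserved_fds is an assumed
    # allowance for the server process's other descriptors.
    if direct[MS] + reserved_fds > fd_limit:
        findings.append(f"{MS}: {direct[MS]} direct connections exceed fd budget {fd_limit}")
    return findings

def build_sample():
    """Constructed plan: two Distribution Servers under the MS, 3000 hosts each."""
    parent = {"ds-a": MS, "ds-b": MS}
    for i in range(3000):
        parent[f"host-a{i}"] = "ds-a"
        parent[f"host-b{i}"] = "ds-b"
    return parent

if __name__ == "__main__":
    print(check_topology(build_sample(), fd_limit=1024) or "plan OK")
```

Pass the Management Server's actual `ulimit -n` value as `fd_limit`; a flat plan with every host connecting directly shows up as a file descriptor finding.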
All operations except software installation will work identically for hosts connected directly to the Management Server and for hosts connected through Distribution Servers. The hosts will register themselves to the Management Server as usual. The only difference is that the management protocol is routed through the Distribution Servers using their built-in protocol concentrator functionality.
Software installation will work normally when using distribution groups, except that the installation packages will be transferred from the Management Server to each downstream Distribution Server only once. This will significantly lessen the bandwidth load the Management Server causes during installation operations, as directly connected hosts would transfer each installation package separately straight from the Management Server.