Cisco AMP Virtual Private Cloud with LoadBalancer

M.Jallad
Level 1

Hello,

 

Is it possible to use load balancers in a setup with multiple AMP VPC servers? The target is to have multiple AMP servers serving AMP connectors at the same time to achieve some high availability, since there is no HA capability built into the private cloud virtual appliance.

 

[Image: Drawing1.png]

 

The concerns are:

 

- How to modify the AMP connector configuration file to point to the VIP instead of the AMP VPC physical IP address after installing the connector?

- Is it possible to register each connector with multiple AMP VPC servers?

- Is it critical if we don't sync data (computer object information & logs) between the backend AMP servers?

 

Please advise if this scenario can be implemented without losing any features related to AMP or affecting product efficiency.

 

Thanks,

Muayad

1 Accepted Solution

Accepted Solutions

Troja007
Cisco Employee

Hello @M.Jallad,
enclosed some info from my side.

  • Private Cloud HA: We are already working on this. We are in an early phase, and there is no ETA that can be shared today.
  • Connector Communication: The connector is using TLS 1.2 encryption. Inside the TLS encapsulation a binary protocol is used. Any time the TLS traffic gets decrypted, it will break the connector communication.
  • DNS: DNS is essential for the Private Cloud deployment. There are several checks inside the connector communication to detect man-in-the-middle attacks.

Regarding your questions:

  • How to modify the AMP connector configuration file to point to the VIP instead of the AMP VPC physical IP address after installing the connector?
    • Answer: You can modify the local configuration file if you disable the self protection and stop the Secure Endpoint service. But Secure Endpoint will not load the configuration file any more, as the hash value does not match any more. So the configuration file is invalid.

  • Is it possible to register each connector with multiple AMP VPC servers?
    • Answer: No, the design of the connector is to communicate with a single backend.

  • Is it critical if we don't sync data (computer object information & logs) between the backend AMP servers?
    • Answer: Even if this solution were possible, the policy version would not match... and there are many other challenges, because the actual design does not include such a configuration.

Greetings,
Thorsten

2 Replies

@Troja007 Thanks for your helpful answers.