
How many computers per update relay

I was just curious how many computers can update from the same update relay/server?

In our environment, we have over 20,000 computers updating. We have a large number of relays, and I'd really like to keep that number to a minimum to help us from a maintenance standpoint.

I wasn't in this position for the initial set up and installation of Sophos, so I'm not sure on the reasoning behind the relays. We do have a large number of locations where these computers are, over 50. If we have a gig connection to every location, is there a reason we can't centralize our update server and have them all pull from the same one? 

  • Hi,

    Updating and RMS requirements are two different things in terms of limits/recommendations with regards to scalability.

    In terms of what's supported by RMS, the bottom line is 25K managed machines from a single management server.  I asked the number of relays Sophos test with during testing and they told me 4, so 6250 clients per relay would be the absolute maximum I would suggest before you go out of the tested scenario. I'm sure this isn't the limit but I find it's best to stay within supported limits to avoid problems later.  10K tests are run without relays so in this case the SEC server's router is handling 10K machines and it's also the SEC server. 

    The operating system you run the relay on (same rules apply to a SEC server) is also a factor.  Please see:

    http://www.sophos.com/support/knowledgebase/article/112950.html and

    http://www.sophos.com/support/knowledgebase/article/113945.html#RunningOnWindows2008 .

    Based on these two articles I would suggest avoiding Windows 2008 (not R2) where possible for this role unless you have to and even then 4000 would be the maximum.  If you use Windows 2003 with more than 3000 managed machines (and factoring in other roles of the machine), remember the maxuserport key: http://www.sophos.com/support/knowledgebase/article/14243.html .

    So if I had a single site with 25K machines, I would probably go with 6 relays running on 2008R2 or 2003 R2.  The load would be split at around 4000 clients per relay for expansion. 2GB RAM per machine would probably do for just a message relay.  If I was going to add a SUM to those machines as well so the relay was sharing out an update location locally, I would probably double the RAM to 4GB to enable clients to update and SUM to work ok.  

    In an ideal world, I would however probably keep updating and messaging separate and have SUM push the distributions to a dedicated file server/filer for better performance.  This way, you might lose management but updating keeps working (most important I would say) and vice versa.  The files could be hosted on Apache/IIS and would probably give better performance than UNC.

    If I had 50 sites, with an even number of machines per site, I would probably install SUM and a relay on the same machine at each site.  I find it just gives more control and it's a better overall topology.  If there is a virus outbreak for example at "site x" where it is flooding the management server to the point where it is causing system wide problems, it might be then wise to just stop the message router at that problem site temporarily to isolate it.  Clean up and then start it.  This is what I like about relays so reducing them because you can based on the supported numbers may not always be the best thing.

    50 SUMs in SEC is fine and they can typically all have the same subscription, plus, I would probably configure them to update from Sophos, if that was a "cheaper" local update route.  

    Hope that offers some useful thoughts.

    Regards,

    Jak
