I indeed found out that the implementation as such is quite simple. What I'm actually trying to get from all of you is bits of information on the following questions (sorry if I haven't been clear enough in the first place):
- I have +/- 400 users; all data will be hosted on the NetApp (including home folders, profiles and so on). I'm thinking of two AV servers to begin with (I'll go deeper into my perf reports to find out exactly the number of requests / second & the trends over the past few months). Would that be OK?
- Can I safely / reasonably run the AV servers on an ESX platform? (I can think of possible network speed issues, and/or performance issues with the AV server itself.)
- Do you have any recommendations on the AV product itself (or any "NO GO")? I've had very different experiences with the AV vendors (their support, to be precise) and I'd like to avoid any known issue while "playing" with the storage.
- With a FAS3140 that will be used for FC / iSCSI / CIFS, what would your recommendations be? My thoughts so far:
  - Out of the 4 NICs, 2 dedicated to iSCSI (in fail-over mode, we're then talking of 1Gb/s throughput)
  - 2 for CIFS & AV scan (in fail-over mode, we're then talking of 1Gb/s throughput)

But I still have doubts about mixing the AV & CIFS traffic.
In our storage infra, we are using Symantec Scan Engine for NetApp, and the licensing is based on per filer and per number of users, so you don't have to worry about how many scan servers you will use. To start with 400 users, I recommend having at least 3 scan servers: 2 as your primary scan servers and 1 as your secondary (or backup) scan server. 2 scan servers are enough, but then you don't have any secondary scan server.
On our side, we actually use a good server with a good processor and memory. If your VMware/ESX can handle the scan server CPU & memory requirements it will be fine, but from my experience, I would not suggest putting the scan servers in a VMware infra; I suggest that you use separate standalone servers.
I've tested and used Trend Micro, but we chose Symantec because our corporate is using it already. There are no known issues with either product; just make sure you read the configuration requirements carefully, because different brands have different configurations and different behaviors.
For your network configuration, I recommend having a separate network/VLAN for your scan servers, apart from your CIFS/public traffic.
400 users across 2 AV servers sounds plenty, although it does depend how heavy those users are. Some vendors charge you per appliance, so having multiple servers doesn't cost any extra.
The customers I mentioned before all run AV in an ESX environment. Things to watch out for are that the AV server will generally have a very high CPU and memory usage almost all the time. So whatever you size it for, make sure you have those resources free. You may want to disable DRS for this one server, as VMware tends to try to move it around a lot!
I haven't had any bad experiences with AV products. Most vendors are relatively good with virus updates. From a support side, I've never really had to deal with it as there's little to support, so I'm afraid I can't give you much advice there. What I would say is use a different vendor than your main AV solution. Ideally you would have one vendor on the gateway, a different one on the desktops, then another one on the filer. This helps to cover your bases, as each will use slightly different heuristics and have different cycles for virus signature updates.
I think the general rule of thumb is that you need a dedicated network for AV scanning. This would be the case both on the filer and on the ESX side of things. I wouldn't run it over your normal corporate network as there is a lot of traffic, and the response times are very critical! This may leave you in a sticky situation with CIFS traffic though, as you may not want a single NIC for CIFS.
Out of interest, where are you getting 4 ports from? The 3140 has 2 ports onboard (don't confuse the e0M and console ports!!!), and most PCI cards are 4 port cards. So surely you would have either 2 or 6 ports?
Be careful with sizing. The documentation is pretty good on vscan and the sizing of it. As a rough rule of thumb, each vscan server can deal with around 80-120 requests per second. If you're not sure what this works out as, the last few customers I had running this had around 5000 users and were getting about 400 requests per second (filer hosting home dirs, user profiles and group shares).
Works well with Trend, Symantec, McAfee, etc. Basically just a server that deals with requests, and pretty uneventful. The thing to watch out for is the sizing and whatever default rules you put on. If you put on a default rule of delete on failure, and your AV servers can't deal with the requests quickly enough, then innocent files may get deleted.
The filer uses something called vscan. Here's a sample output:

Virus scanning is enabled.

Virus scanners(IP and Name)      P/S Connect time (dd:hh:mm)   Reqs   Fails
----------------------------------------------------------------------------
184.108.40.206  \\SNOOPY         Pri 01:09:10                  25505  0

List of extensions to scan: ??_,ARJ,ASP,BAT,BIN,CAB,CDR,CL?,COM,CSC,DL?,DOC,DOT,DRV,EML,EXE,GMS,GZ?,HLP,HT?,IM?,INI,JS?,LZH,MD?,MPP,MPT,MSG,MSO,OCX,OFT,OLE,OV?,PIF,POT,PP?,RAR,RTF,SCR,SHS,SMM,SWF,SYS,VBS,VS?,VXD,WBK,WPD,XL?,XML
List of extensions not to scan: Extensions-not-to-scan list is empty.

Number of files scanned: 4733823
Number of scan failures: 6822

cabo>
Basically your choices are limited to whatever partners NetApp uses with this option. The big two are Trend and Symantec. I've run Trend in my shop for years; frankly it's not very exciting. Namely because all your virus intrusion detection happens at the edge in the form of firewalls, email scanners, desktop software, etc. The way vscan works is like a proxy server... you make a file request, read or write, and the vscan sends the request off to the virus scanner server for a quick scan before serving the data. Yes, this adds latency, so make sure your scanner is set up for GB and that you set your conditions not to scan huge files.
Other than that it's really not rocket science. I think of it as insurance for that rainy day when that consultant comes in with a laptop from hell and proceeds to infect the hand that feeds him. Of course he was paid in advance... but that's a story for another day.
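An added example, not part of any post in this thread: a small Python check over `vscan` status text in the layout quoted above. It reports a missing secondary scanner and high failure ratios, which matter if the failure action is delete. The scanner rows, the `Sec` role label and the 1% threshold are assumptions; the thread only shows a `Pri` row.

```python
import re

# Constructed sample: scanner rows are made up, the two totals mirror the
# output quoted in the thread. `Sec` as the secondary label is an assumption.
SAMPLE = r"""Virus scanning is enabled.

Virus scanners(IP and Name)      P/S Connect time (dd:hh:mm)   Reqs   Fails
----------------------------------------------------------------------------
192.0.2.10      \\AVSCAN1        Pri 01:09:10                  25505  0
192.0.2.11      \\AVSCAN2        Sec 00:02:15                  1200   340

Number of files scanned: 4733823
Number of scan failures: 6822
"""

SCANNER = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\\\\(?P<name>\S+)\s+(?P<role>Pri|Sec)\s+"
    r"(?P<connect>\d+:\d{2}:\d{2})\s+(?P<reqs>\d+)\s+(?P<fails>\d+)\s*$", re.M)

def parse_vscan(text):
    """Turn the status text into a dict of scanners and filer-wide counters."""
    scanners = []
    for m in SCANNER.finditer(text):
        row = m.groupdict()
        row["reqs"], row["fails"] = int(row["reqs"]), int(row["fails"])
        scanners.append(row)
    total = re.search(r"Number of files scanned:\s*(\d+)", text)
    failed = re.search(r"Number of scan failures:\s*(\d+)", text)
    return {
        "enabled": "Virus scanning is enabled" in text,
        "scanners": scanners,
        "scanned": int(total.group(1)) if total else 0,
        "failures": int(failed.group(1)) if failed else 0,
    }

def findings(status, max_fail_ratio=0.01):
    """Return human-readable warnings; an empty list means nothing to flag."""
    out = []
    if not status["enabled"]:
        out.append("virus scanning is not enabled")
    if not any(s["role"] == "Sec" for s in status["scanners"]):
        out.append("no secondary scanner registered")
    for s in status["scanners"]:
        if s["reqs"] and s["fails"] / s["reqs"] > max_fail_ratio:
            out.append(f"{s['name']}: {s['fails']}/{s['reqs']} requests failed")
    if status["scanned"] and status["failures"] / status["scanned"] > max_fail_ratio:
        out.append("overall scan failure ratio above threshold")
    return out
```

Calling `findings(parse_vscan(text))` on captured status text gives the list of warnings to alert on.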