Fully enabling caching benefits the DXL topology, but the topology must be designed to adhere to the following best practices:
- Each Reputation Cache server must be closely connected to the DXL Hub that the endpoint clients are connecting to. Doing so minimizes response latency.
- Each Reputation Cache DXL Hub must have an enabled DXL Service Zone, so that the Reputation Cache is the preferred reputation service.
- The DXL Client policy for the Reputation Cache server and the endpoints must restrict connection affinity to the Reputation Cache DXL Hub only.
- No TIE Server Primary or Secondary instances must be connected to the Reputation Cache DXL Hub.
Multiple Reputation Cache instances can be added in the same DXL Hub. Also, multiple Reputation Cache DXL Hubs can be used in a DXL topology.
Configuration
Assume that there's a new TIE Server without operation mode in an already functional TIE Server environment with a target DXL hub. The recommended configuration steps are as follows:
- Enable Service Zone in the target DXL Hub:
  - Open the ePO console.
  - Select Server Settings, and edit the DXL Topology page.
  - Use drag-and-drop to locate the target DXL Hub closest to the endpoint connections.
  - Choose the target DXL Hub and select the Enable Service Zone option.
- Create a policy and set restricted affinity for endpoints and Reputation Cache to the target DXL Hub:
  - Go to the ePO Policy Catalog, select the McAfee DXL Client product, and duplicate the My Default policy twice.
  - Edit the Client Broker Connections section in a newly created policy.
  - Select only the target DXL Hub. Then, select both the Enable client broker preference and Restrict to the selected broker or hub options.
- Set restricted affinity for non-Reputation Cache outside of the target DXL Hub. Repeat the previous steps to create another policy for non-Reputation Caches to restrict them from connecting to the target DXL Hub.
- Assign the DXL Client Policy:
  - Go to the ePO System Tree and create different subgroups for placing endpoints, Reputation Caches, and Non-Reputation Cache instances.
  - Use the Assigned Policies tab to assign the previously created 'McAfee DXL Client' policies to the groups. Then, enable the Break inheritance and assign the policy and settings below option. See the "Assigning Policies" section of the ePO 5.10 Product Guide, if needed.
- Verify client-to-broker connections in the DXL topology:
  - Go to the ePO Data Exchange Layer Fabric page and select Display Bridge Direction.
  - Verify that the DXL Hub where the future Reputation Cache is connected does not have a connection from any Primary or Secondary TIE Servers.
  - Verify that there's only one outgoing connection from the DXL Hub where the future Reputation Cache is connected. Also, verify that there are no incoming connections.
- Enable Reputation Cache Operation Mode:
  - Go to ePO Server Settings, edit TIE Server Topology Management, and enable Reputation Cache operation mode.
  - Verify that no warnings are displayed before you save. Wait until the policy is enforced and the Health Status checks are listed as OK.
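The verification checks in the procedure above can be written down as a repeatable checklist before Reputation Cache operation mode is enabled. The following is an added example, not part of the product documentation or any ePO API; the inventory format, field names, role labels and host names are assumptions, filled in by hand from what the DXL Topology, Fabric and policy pages show.

```python
# Added example. The inventory format and all names are hypothetical:
# fill it in by hand from the DXL Topology, Fabric and policy pages.
TIE_ROLES = {"tie_primary", "tie_secondary"}

def check_cache_hub(topology, hub_name):
    """Return findings for the hub that will host the Reputation Cache."""
    findings = []
    hub = topology["hubs"][hub_name]
    if not hub["service_zone"]:
        findings.append("service zone not enabled")
    if len(hub["bridges_out"]) != 1:
        findings.append(f"expected 1 outgoing bridge, found {len(hub['bridges_out'])}")
    if hub["bridges_in"]:
        findings.append("incoming bridges: " + ", ".join(hub["bridges_in"]))
    for c in topology["clients"]:
        on_hub = c["hub"] == hub_name
        if on_hub and c["role"] in TIE_ROLES:
            findings.append(f"{c['name']}: {c['role']} connected to cache hub")
        elif on_hub and c["restricted_to"] != hub_name:
            findings.append(f"{c['name']}: affinity not restricted to {hub_name}")
        elif not on_hub and c["restricted_to"] == hub_name:
            # Policy assigned but not yet enforced on the client.
            findings.append(f"{c['name']}: policy targets {hub_name}, connected to {c['hub']}")
    return findings

# Constructed sample: one core hub with the TIE primary, one cache hub.
SAMPLE = {
    "hubs": {
        "hub-core": {"service_zone": False, "bridges_out": [], "bridges_in": ["hub-cache"]},
        "hub-cache": {"service_zone": True, "bridges_out": ["hub-core"], "bridges_in": []},
    },
    "clients": [
        {"name": "tie-primary", "role": "tie_primary", "hub": "hub-core", "restricted_to": None},
        {"name": "rc-01", "role": "reputation_cache", "hub": "hub-cache", "restricted_to": "hub-cache"},
        {"name": "ws-001", "role": "endpoint", "hub": "hub-cache", "restricted_to": "hub-cache"},
        {"name": "ws-002", "role": "endpoint", "hub": "hub-core", "restricted_to": "hub-cache"},
        {"name": "tie-sec", "role": "tie_secondary", "hub": "hub-cache", "restricted_to": None},
    ],
}

if __name__ == "__main__":
    for finding in check_cache_hub(SAMPLE, "hub-cache"):
        print("FAIL:", finding)
```

In the constructed sample, `ws-002` and `tie-sec` are deliberately misplaced so that the script reports one client whose restricted-affinity policy is not yet enforced and one TIE Secondary connected to the cache hub.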
