What is a Super Node?
A Super Node is a machine running a specially configured Endpoint Security Client that also supplies server-like and proxy-like capabilities. Currently, Super Node serves as an Anti-Malware signature proxy.
• Reduces site bandwidth usage
• Reduces load from the server
• Reduces customers' cost on server equipment
• Is scalable
Super Node flows
A Super Node runs a lightweight Nginx web server that listens on port 4434 to serve requests.
When the Anti-Malware blade is installed on a Super Node, it
- downloads signatures from sources defined in an Anti-Malware policy
- creates a local mirror of signatures that is used as a source of signatures for other endpoints.
If the Endpoint Security Firewall blade is installed on a Super Node machine, the firewall policy being enforced is overridden to allow inbound traffic on port 4434.
Non-Super Node flows
When Endpoint Security launches an update, it first checks the "Common Client Settings" policy for a "Super Node" list. If such a list is found, a random Super Node is selected for the update. If the update from the selected node fails, the next entry is taken from the list. Sources defined in the Anti-Malware policy are used only if all the Super Node possibilities have failed.
Note:
An update is considered to be successful if the local signatures are newer than the remote signatures. It is important to be sure that all Super Nodes receive updates.
How to configure a Super Node?
Super Nodes are defined by adding a Base64-encoded Unicode (Little Endian) string into the "Comment" field of the "Common Client Settings" policy.
A single "Super Node" endpoint is defined using two properties:
• fqdn - mandatory property that should normally contain a full computer name. The name must be resolvable on an endpoint performing an update. Usage of IPv4 or IPv6 addresses in fqdn requires an additional epguid property. IPv6 addresses must be enclosed in square brackets.
• epguid - optional property that is used to uniquely identify an endpoint that serves as a Super Node. The value of epguid can be taken from the "Endpoint Connectivity" report in SmartEndpoint (navigate to the "Reporting" tab, expand "Activity Reports", select "Endpoint Connectivity", right-click on a column name in the "Endpoint Connectivity" table and select "Show/Hide Columns", and make the "NID" column visible).
Example of a string that defines four Super Nodes
(Note that the first computer is a member of a Windows Domain. Consequently, its name includes a domain suffix):
<AdditionalFeatures>
In the above example:
The "AdditionalFeatures" xml tag encloses a
string, where each row that contains an
property corresponds to one Super Node.
To convert an XML string into a Base64 representation, use a tool that allows you to specify a destination character set. The destination character set must be UCS2-LE or UTF-16LE.
Following the link
one can download a simple tool that helps to create a "Super Node" policy by adding
), one by one. The tool performs Base64 encoding, as well.
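The encoding step described above, as an added example (not Check Point's tool or code): it encodes an XML string as Base64 over UTF-16LE bytes, decodes a "Comment" value back to text so the configured node list can be reviewed, and flags a value that was encoded from UTF-8 by mistake. The sample payload is a constructed placeholder; the closing tag, the function names and the BOM tolerance are assumptions.

```python
import base64

# Constructed placeholder: the real property rows are not reproduced here, and
# the closing tag is an assumption based on the payload being XML.
SAMPLE_XML = "<AdditionalFeatures>PLACEHOLDER_ROWS</AdditionalFeatures>"

def encode_comment(xml_text: str) -> str:
    """Base64 over the UTF-16LE bytes of the XML string (no BOM is added)."""
    return base64.b64encode(xml_text.encode("utf-16-le")).decode("ascii")

def encode_utf8_by_mistake(xml_text: str) -> str:
    """What a generic Base64 tool produces when it silently uses UTF-8."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def looks_utf16le(comment: str) -> bool:
    """Heuristic, valid for ASCII-only XML: every second byte is 0x00."""
    raw = base64.b64decode(comment, validate=True)
    return len(raw) > 0 and len(raw) % 2 == 0 and not any(raw[1::2])

def decode_comment(comment: str) -> str:
    """Recover the XML from a "Comment" value so the node list can be reviewed."""
    raw = base64.b64decode(comment, validate=True)  # rejects non-Base64 characters
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16")
    if raw[:2] == b"\xff\xfe":  # tolerate a BOM some tools prepend (assumption)
        raw = raw[2:]
    return raw.decode("utf-16-le")

if __name__ == "__main__":
    good = encode_comment(SAMPLE_XML)
    bad = encode_utf8_by_mistake(SAMPLE_XML)
    print("UTF-16LE:", good, looks_utf16le(good))
    print("UTF-8   :", bad, looks_utf16le(bad))
    print("decoded :", decode_comment(good))
```

Decoding the "Comment" value this way also gives a quick review of which hosts a policy actually points clients at for signature updates.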
Determining if a client is a Super Node
To check whether an Endpoint Security Client has been configured as a Super Node, open the Windows Task Manager. There should be two instances of the
process, running as