Support Center > Search Results > SecureKnowledge Details
"Super Node" mode of Endpoint Security Client Technical Level

What is a Super-Node ?

A Super Node is a machine running a specially configured Endpoint Security Client that also supplies server-like and proxy-like capabilities. Currently, Super Node serves as an Anti-Malware signature proxy. 


•       Reduces site bandwidth usage
•       Reduces load from the server
•       Reduces customers cost on server equipment
•       Is scalable

Super Node flows

Super Node runs a light weight web-server Nginx that listens on port 4434 to serve requests.
When the Anti-Malware blade is installed on a Super Node, it 
  • downloads signatures from sources defined in an Anti-Malware policy
  • creates a local mirror of signatures that is used as a source of signatures for other endpoints.
Note: If the Endpoint Security Firewall blade is installed on a Super Node machine, the firewall policy being enforced is overridden to allow inbound traffic on port 4434.

Non-Super Node flows

When Endpoint Security launches an update, it first checks the "Common Client Settings" policy for a "Super Node" list. If such a list is found, a random Super Node is selected for update. If update from the selected node fails, the next entry is taken from the list. Sources defined in the Anti-Malware policy are only used, if all the Super Node possibilities have failed.

Note: An update is considered to be successful if the local signatures are newer than the remote signatures. It is important to be sure that all Super Nodes receive updates.

How to configure a Super Node?

Super Nodes are defined by adding a Base64 encrypted Unicode (Little Endian) string into the "Comment" field of the "Common Client Settings" policy.

A single "Super Node" endpoint is defined using two properties:
  • fqdn - mandatory property that should normally contain a full computer name. The name must be resolvable on an endpoint performing an update. Usage of IPv4 or IPv6 addresses in fqdn requires an additional epguid property. IPv6 addresses must be enclosed in square brackets.
  • epguid - optional property that is used to uniquely identify an endpoint that serves as a Super Node. The value of epguid can be taken from the "Endpoint Connectivity" report in SmartEndpoint (navigate to the "Reporting" tab, expand "Activity Reports", select "Endpoint Connectivity", right-click on a column name in the "Endpoint Connectivity" table and select "Show/Hide Columns", and make the "NID" column visible).
Example of a string that defines four Super Nodes (Note that the first computer is a member of Windows Domain. Consequently, its name includes a domain suffix):

   { "SNList":[
      {"fqdn":"" "epguid":"8471C504-29BB-4E0D-9F4F-B43D706EFAE6"},
      {"fqdn":"[fe80::2cf6:e79:ab20:64e0]" "epguid":"6B147FA8-29C7-4124-9223-12538389163C"}

In the above example: The "AdditionalFeatures" xml tag encloses a json string, where each row that contains an fqdn property corresponds to one Super Node.

In order to convert an xml string into a Base64 representation, use a tool that allows you to specify a destination character set . The destination character set must be UCS2-LE or UTF-16LE.
Following the link one can download a simple tool that helps to create a "Super Node" policy by adding fqdn (and/or epguid), one by one. The tool performs Base64 encoding, as well.

Determining if a client is a Super Node

To check whether an Endpoint Security Client has been configured as a Super Node, open the Windows Task Manager. There should be two instances of the nginx.exe process, running as cpnginx user.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document