ESM Server Software Requirements
In a Multi-ESM Server deployment, you can deploy multiple ESM Servers to support the agents in your organization. Each ESM Server supports up to 30,000 agents, for a total of 150,000 agents per database. While you can deploy as many ESM Servers as you want, you cannot exceed the total number of supported agents for the database.
Before installing ESM Server software, make sure that the server meets the following prerequisites:
- ESM Server and ESM Console running the same version.
- ESM Server hostname of 15 or fewer characters
- Ensure that the round-trip communication time between the ESM Server and the database is less than 80 ms.
- .NET Framework 4.5.1 Full
- SSL certificate from a trusted certificate authority (CA) with server authentication and client authentication (recommended)
- Allow communication on the TCP port from clients to server (the default is port 2125)
- For automated content updates, enable SSL/TLS 1.2 communication between the ESM Server and the updates server (updates.paloaltonetworks.com) on port 443.
- Forensic folder with BITS enabled
- Internet Information Services (IIS) 7.0 or above with ASP.NET and Static Content Compression components
- English- or Japanese-language version of a physical or virtual Windows Server. To determine which versions of Windows Server are supported, refer to Where Can I Install the Endpoint Security Manager (ESM)? in the Palo Alto Networks® Compatibility Matrix.
- Communication between the ESM Server and the agents uses a Windows Communication Foundation (WCF) client. The TLS/SSL version depends on the version of the Traps agent and the operating system:
  - Traps 4.0 and 4.1 releases on Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008—TLS/SSL 1.0
  - Traps 4.0 and 4.1 releases on all other operating systems—TLS/SSL 1.2
  - Traps 3.4 releases—TLS/SSL 1.0
- For ESM Server hardware requirements, see Distributed Endpoint Security Manager Hardware Requirements.
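
The following pre-install check is an added example, not Palo Alto Networks code. It tests the hostname length, .NET Framework release, IIS/BITS features, database round trip and TLS 1.2 reachability of the updates server from the list above. Assumptions: it runs in Windows PowerShell on the intended ESM Server, `esm-db.example.internal` is a placeholder for your database host, the feature names are those reported by `Get-WindowsFeature`, and an ICMP average stands in for the round-trip time. The certificate, port 2125 and OS language items are not checked.

```powershell
# Added example: pre-install checks for some of the prerequisites listed above.
# Run in Windows PowerShell on the intended ESM Server.
param(
    [string]$DbHost      = 'esm-db.example.internal',      # placeholder database host (assumption)
    [string]$UpdatesHost = 'updates.paloaltonetworks.com'  # updates server named in the list above
)
$checks = @()
function Add-Check($Name, $Passed, $Detail) {
    $script:checks += [pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

# Hostname of 15 or fewer characters.
Add-Check 'Hostname length' ($env:COMPUTERNAME.Length -le 15) $env:COMPUTERNAME

# .NET Framework 4.5.1 Full: Release value 378675 or higher under NDP\v4\Full.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check '.NET 4.5.1 Full' ($ndp -and $ndp.Release -ge 378675) "Release=$($ndp.Release)"

# IIS with ASP.NET and Static Content Compression, and BITS.
Import-Module ServerManager
$installed = @(Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name })
Add-Check 'IIS' ($installed -contains 'Web-Server') 'Web-Server'
Add-Check 'ASP.NET' (($installed -contains 'Web-Asp-Net45') -or ($installed -contains 'Web-Asp-Net')) 'Web-Asp-Net45 or Web-Asp-Net'
Add-Check 'Static Content Compression' ($installed -contains 'Web-Stat-Compression') 'Web-Stat-Compression'
Add-Check 'BITS' ($installed -contains 'BITS') 'BITS'

# Round trip to the database under 80 ms (ICMP average as an approximation).
$ping = @(Test-Connection -ComputerName $DbHost -Count 4 -ErrorAction SilentlyContinue)
$avg = if ($ping.Count) { ($ping | Measure-Object ResponseTime -Average).Average } else { $null }
Add-Check 'DB round trip < 80 ms' ($null -ne $avg -and $avg -lt 80) "avg=$avg ms"

# TLS 1.2 handshake to the updates server on port 443 (certificate chain is validated).
$tls = $false; $tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($UpdatesHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($UpdatesHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $tls = $ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12
} catch { } finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}
Add-Check 'TLS 1.2 to updates server' $tls "${UpdatesHost}:443"

$checks | Format-Table -AutoSize
```

A failed TLS row can mean either a blocked outbound path on port 443 or TLS 1.2 being disabled for the client on this server, so check both before installing.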