Installing and Configuring ESA
The ESA can be installed on-premise or on a cloud platform such as AWS, GCP, or Azure. When upgrading from a previous version, the ESA installer is available as a patch.
Assumptions
This section assumes that there is no prior installation of any Protegrity product and that the installation is performed from scratch.
GTM and LTM are provisioned and installed.
For more information about the prescribed configurations, refer to Recommended Traffic Manager.
This section explains the installation and configuration of ESAs as per the architecture diagram in Deployment with Default Audit logging flow to ESA.
For more information about installing ESA on-premise or on cloud platforms, refer to Installation.
Prerequisites
Before proceeding with the installation, ensure the following prerequisites are met.
Sites: Ensure that two sites are available — one designated for the Primary Site and another for the Disaster Recovery (DR) Site.
Network Connectivity: Ensure there is reliable network connectivity between the Primary and DR sites.
Installing and Configuring ESA
Install ESA (ESA P1) in the Primary Site.
For detailed installation instructions for on-premise and cloud installation, refer to Installing ESA.
Initialize PIM in ESA P1.
For more information about initializing PIM in ESA, refer to Initializing the Policy Information Management (PIM) Module.
Initialize Analytics in Insight on ESA P1.
For more information about initializing Analytics, refer to Creating the Audit Store Cluster on the ESA.
Upload and apply Custom Certificates. Apply custom certificates for the following components:
- Management Server/Client
- Consul Server
- Audit Store Server/Client
- Audit Store REST Client
- Insight Analytics Client
- PLUG Client
For more information about recommendations related to certificates for various components, refer to Certificate Requirements.
For more information about steps to upload certificates in ESA, refer to Uploading Certificates.
For more information about steps to apply certificates in ESA, refer to Changing Certificates.
Define policies for Data Security. On ESA P1, define the necessary data elements and policies, and configure the external member source.
For creating and managing an External Member Source, refer to Working With Member Sources.
For creating and deploying policies, refer to Creating and Deploying Policies.
Configure Proxy Authentication and External LDAP. On ESA P1, configure proxy authentication with External LDAP for managing ESA administration. Refer to the sections below:
Configure ESA with External Keystore.
For more information about setting ESA to External Keystore, refer to the section Switching HSM Modules in the HSM Integration Guide for ESA.
Configure Rollover Index Insight Scheduler Parameters. Set the rollover index scheduler parameters according to specific requirements.
For more information about recommended configurations, refer to Index Rollover.
Configure Information Lifecycle Management (ILM) Export Insight Scheduler Parameters. Adjust the ILM export scheduler settings based on the requirements.
For more information about recommended configurations for ILM Export, refer to ILM Export.
Configure ILM Multi Delete Insight Scheduler Parameters. Set the ILM Multi Delete Insight scheduler parameters according to specific requirements.
For more information about recommended configurations for ILM Multi Delete, refer to [ILM Delete](/docs/model_arch/model_arch/esa/insight.md#ilm-delete).
Configure Alerts. Set up the required alerts to monitor system health and events.
For more information about recommendations related to configuration of alerts, refer to [Alerting](/docs/model_arch/model_arch/esa/insight.md#alerting).
Install additional ESAs.
In the Primary Site, install two additional ESAs: ESA S1 and ESA S2.
In the DR Site, install three ESAs: ESA S3, ESA S4, and ESA S5.
Create a Trusted Appliances Cluster (TAC) between all ESAs in the Primary and DR sites. Create a TAC between ESAs P1, S1, and S2 in the Primary Site and ESAs S3, S4, and S5 in the DR Site.
For more information about creating a TAC, refer to [Creating a TAC using the Web UI](/docs/aog/trusted_appliances_cluster/aog_creating_tac_ui/).
Form an Insight Cluster. Join ESA S1 and ESA S2 to ESA P1 to form a robust and redundant Insight Cluster. Form an Insight cluster in the DR Site between ESA S3, S4, and S5.
For more information about creating an Insight cluster, refer to [Creating an Audit Store cluster](/docs/installation/upg_creating_audit_store_cluster/).
Create Replication Tasks. Establish a replication task on ESA P1 to replicate all ESA data—excluding SSH settings—to ESA S1, S2, S3, S4, and S5.
For recommendations, refer to point 1 ESA Primary to Secondary Replication Job in the Scheduler Tasks.
For more information about configuring a scheduled task for cluster export, refer to Scheduling Configuration Export to Cluster Tasks.
Enable the ILM Multi Export Scheduler task. By default, the ILM Multi Export scheduled task is disabled, so it must be enabled and configured as per requirements.
For more information about ILM Multi Export, refer to Exporting logs.
Create Scheduled Tasks for copying ILM Exported Files from Primary Site to DR Site. Create a scheduled task on each ESA in the Primary Site, that is, ESA P1, ESA S1, and ESA S2, to copy ILM exported files to the ESAs in the DR Site, that is, ESA S3, ESA S4, and ESA S5.
For recommendations, refer to point 2 ESA Exported Indexes Purge in Scheduler Tasks.
For more information, refer to Creating a scheduled task.
Create a scheduled task for backing up ESA P1 to a file.
For recommendations, refer to point 3 Back up Primary ESA data to file in Scheduler Tasks.
Keep a detailed log and documentation of each step performed for future reference and troubleshooting.
Meticulously following these steps helps establish a resilient and secure ESA infrastructure that aligns with the specified model architecture diagram.