Trend Micro Management Communication Protocol (MCP) is Trend Micro's next-generation agent for managed products. MCP will replace TMI as the way Control Manager communicates with managed products. MCP has several advantages over TMI:
Reduced network loading and package size
TMI uses an application protocol based on XML. Even though XML provides a degree of extensibility and flexibility in the protocol design, using XML as the data format for the communication protocol has the following drawbacks:
XML parsing requires more system resources than other data formats such as CGI name-value pairs and binary structures (the program leaves a large footprint on your server or device).
The agent footprint required to transfer information is much larger in XML than in other data formats.
Data processing performance is slower due to the larger data footprint.
Packet transmissions take longer and the transmission rate is lower than with other data formats.
MCP's data format was devised to resolve the issues above. It is a BLOB (binary) stream in which each item is composed of a name ID, type, length and value. This BLOB format has the following advantages:
Smaller size compared to XML. Each primitive type requires only a limited number of bytes to store its value. These primitive types are integer, unsigned integer, Boolean and floating point.
Faster parsing. With a fixed binary format, each data item can be parsed one after another. Compared to XML, parsing is several times faster.
Design flexibility has also been considered, since each item is composed of a name ID, type, length and value. There is no strict item order, and complementary items need only be present in the communication protocol when they are needed.
In addition to using a binary stream format for data transmission, more than one type of data can be packed into a single connection, with or without compression. This data transfer strategy preserves network bandwidth and improves scalability.
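As an added illustration (not code from this page or from Trend Micro), here is a small encoder and parser for a name-ID/type/length/value binary stream of the kind described above. The field widths, byte order and the sample field IDs are assumptions, since the page does not specify them; the parser checks every declared length against the remaining buffer before reading, and xml_size shows the size difference against an equivalent XML document.

```python
import struct

# Assumed wire layout (the page gives no field widths): name ID as an unsigned
# 16-bit integer, type as 8 bits, length as unsigned 16 bits, all big-endian,
# followed by `length` bytes of value.
T_INT, T_UINT, T_BOOL, T_FLOAT, T_STR = 1, 2, 3, 4, 5
HEADER = struct.Struct(">HBH")
FMT = {T_INT: ">i", T_UINT: ">I", T_BOOL: ">?", T_FLOAT: ">d"}  # fixed-width primitives

def encode_item(name_id, vtype, value):
    payload = value.encode() if vtype == T_STR else struct.pack(FMT[vtype], value)
    return HEADER.pack(name_id, vtype, len(payload)) + payload

def encode(items):
    """items: list of (name_id, type, value) tuples; item order is not significant."""
    return b"".join(encode_item(*item) for item in items)

def decode(blob):
    """Walk the stream item by item, rejecting any item whose declared length
    runs past the end of the buffer instead of reading beyond it."""
    items, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size:
            raise ValueError("truncated item header at offset %d" % pos)
        name_id, vtype, length = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        if length > len(blob) - pos:
            raise ValueError("item %d declares %d bytes but only %d remain"
                             % (name_id, length, len(blob) - pos))
        payload = blob[pos:pos + length]
        pos += length
        if vtype == T_STR:
            value = payload.decode()
        elif vtype in FMT:
            if length != struct.calcsize(FMT[vtype]):
                raise ValueError("bad length %d for type %d" % (length, vtype))
            value = struct.unpack(FMT[vtype], payload)[0]
        else:
            raise ValueError("unknown type %d" % vtype)
        items[name_id] = value  # a later duplicate ID overwrites an earlier one
    return items

def xml_size(items):
    """Byte size of the same items as a minimal XML document, for comparison."""
    body = "".join('<item id="%d">%s</item>' % (i, v) for i, _, v in items)
    return len(("<items>%s</items>" % body).encode())

# Constructed sample status report; the field IDs and values are made up.
SAMPLE = [(1, T_UINT, 4242), (2, T_BOOL, True), (3, T_FLOAT, 0.5), (4, T_STR, "agent-01")]
```

With this layout the sample encodes to 41 bytes as a BLOB against 114 bytes as XML, and a stream cut short by one byte is rejected rather than misread.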
NAT and firewall traversal support
With limited addressable IPs on the IPv4 network, NAT (Network Address Translation) devices have become widely used to allow more end-point computers to connect to the Internet. NAT devices achieve this by forming a private virtual network for the computers attached to the NAT device. Each computer that connects to the NAT device has one dedicated private virtual IP address. The NAT device translates this private IP address into a real-world IP address before sending a request to the Internet. This introduces some problems, since each connecting computer uses a virtual IP and many network applications are not aware of this behaviour. This usually results in unexpected program malfunctions and network connectivity issues.
For products that work with TMCM 2.5/3.0 agents, one pre-condition is assumed: the server relies on being able to reach the agent by initiating a connection from the server to the agent. This is a so-called two-way communication product, since both sides can initiate a network connection with each other. This assumption breaks when the agent sits behind a NAT device (or the TMCM server sits behind a NAT device), since the connection can only be routed to the NAT device, not to the product behind it (or to the TMCM server behind it). One common work-around is to establish a specific mapping on the NAT device so that it automatically routes the inbound request to the respective agent. However, this solution needs user involvement and does not work well for large-scale product deployments.
MCP deals with this issue by introducing a one-way communication model. With one-way communication, only the agent initiates the network connection to the server; the server cannot initiate a connection to the agent. This one-way communication works well for log data transfers. However, server dispatching of commands occurs in a passive mode: command deployment relies on the agent polling the server for available commands.
The MCP integration protocol uses the industry-standard HTTP/HTTPS communication protocol. HTTP/HTTPS has several advantages over TMI:
A large majority of people in IT are familiar with HTTP/HTTPS, which makes it easier to identify communication issues and find solutions to those issues
For most enterprise environments, there is no need to open extra ports in the firewall to allow packets to pass
Existing security mechanisms built for HTTP/HTTPS, such as SSL/TLS and HTTP digest authentication, can be used.
Using MCP, Control Manager has three security levels:
Normal security: Control Manager uses HTTP for communication
Medium security: Control Manager uses HTTPS for communication if HTTPS is supported and HTTP if HTTPS is not supported
High security: Control Manager uses HTTPS for communication
One-way and two-way communication support
NAT traversal has become an increasingly significant issue in current real-world network environments. To address this issue, MCP uses one-way communication, in which the MCP client initiates the connection to the server and polls it for commands. Each request is a CGI-like command query or log transmission. To reduce network impact, the connection is kept alive and open as much as possible, and subsequent requests reuse the existing open connection. Even if the connection is dropped, all SSL connections to the same host benefit from the SSL session ID cache, which drastically reduces reconnection time.
Two-way communication is an alternative to one-way communication. It is still based on one-way communication but has an extra channel for receiving server notifications. This extra channel is also based on HTTP. Two-way communication can improve real-time dispatching and processing of commands from the server by the MCP agent. The MCP agent end needs a web server or CGI-compatible program that can process CGI-like requests in order to receive notifications from the Control Manager server.
Through MCP, Control Manager 3.5 now supports single sign-on (SSO) functionality for Trend Micro products. This feature allows users to sign in to Control Manager and access the resources of other Trend Micro products without having to sign in to those products as well.
The following products support SSO with Control Manager 3.5:
- ServerProtect for Linux version 2.5
- Network VirusWall Enforcer 2500
In various cases administrators may want to group certain product instances as a logical unit, or cluster (for example, products installed in a cluster environment present all installed product instances under one cluster group). However, from the Control Manager server's perspective, each product instance that goes through the formal registration process is regarded as an independent managed unit, and no managed unit is treated differently from another.
Through MCP, Control Manager supports cluster nodes.
Cluster support depends on the managed product's own cluster support. Refer to your managed product's documentation for information on its cluster support capabilities.