McAfee EPOCDE-AA-BA Product Manual

Product Guide
McAfee® ePolicy Orchestrator® 4.6.0 Software
COPYRIGHT
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
2
McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide
Contents
Preface 11
About this guide ..................................11
Audience ..................................11
Conventions .................................11
What's in this guide .............................12
Finding product documentation ............................12
Introducing McAfee ePolicy Orchestrator Software version 4.6.0
1 Introducing McAfee ePolicy Orchestrator Software version 4.6.0 15
What is ePolicy Orchestrator software ......................... 15
Components and what they do ............................16
How the software works ...............................17
How to navigate the ePolicy Orchestrator interface ....................18
About the ePolicy Orchestrator navigation Menu ..................18
About the navigation bar ............................19
2 Planning your ePolicy Orchestrator configuration 21
About scalability ..................................21
When to use multiple ePolicy Orchestrator servers .................21
When to use multiple remote Agent Handlers ...................22
Server configuration overview ............................ 22
Setting up and configuring your ePolicy Orchestrator server
3 Configuring essential features 27
About essential features ...............................27
Using the Guided Configuration to configure essential features ...............28
4 Configuring general server settings 31
About general server settings ............................ 31
Configuring general server settings .......................... 31
Allowing agent deployment credentials to be cached ................31
Specifying default dashboards and dashboard refresh intervals ............32
Determining which events are forwarded to the server ................32
Choosing an ePO Notification Event interval ....................33
Configuring settings for global updates ......................33
Providing a license key ............................34
Creating a custom login message ........................34
McAfee Labs Security Threats ......................... 34
Controlling unsupported product policy visibility ..................35
Changing agent communication ports ......................36
Configuring the template and location for exported reports ..............36
Using a proxy server .............................36
SSL certificates ............................... 37
Enabling System Tree sorting on the server ....................39
ePolicy Orchestrator server settings categories and their descriptions ......... 39
5 Creating user accounts 43
About user accounts ................................ 43
Global administrators .............................43
Working with user accounts ............................. 44
Creating user accounts ............................44
Editing user accounts .............................44
Deleting user accounts ............................ 45
6 Setting up permission sets 47
How users, groups, and permission sets fit together ....................47
Working with permission sets .............................49
Creating a new permission set .........................49
Modifying an existing permission set .......................50
Duplicating a permission set ..........................50
Exporting permission sets ...........................50
Importing permission sets ...........................51
Removing a permission set ...........................51
Deleting permission sets ............................51
7 Configuring advanced server settings 53
Configuring Active Directory user login .........................53
Managing ePolicy Orchestrator users with Active Directory ..............53
Configuring Windows authentication and authorization ................56
Authenticating with certificates ............................58
When to use certificate authentication ......................58
Configuring ePolicy Orchestrator for certificate authentication .............58
Uploading server certificates ..........................59
Removing server certificates ..........................59
Configuring users for certificate authentication ...................60
Problems with certificate authentication ......................60
Configuring Rogue System Detection server settings ................... 61
Configuring server settings for Rogue System Detection ...............61
Managing security keys ...............................64
Security keys and how they work ........................64
Master repository key pair ...........................65
Agent-server secure communication (ASSC) keys ..................67
Backing up and restoring keys .........................71
Configuring source and fallback sites ..........................73
Working with source and fallback sites ......................73
8 Setting up repositories 77
Repository types and what they do .......................... 78
Types of distributed repositories .........................79
Repository branches and their purposes ..................... 80
Repository list file and its uses .........................81
How repositories work together ............................82
Ensuring access to the source site ...........................82
Configuring proxy settings ...........................83
Configuring proxy settings for the McAfee Agent ..................83
Configuring proxy settings for McAfee Labs Security Threats .............84
Using SuperAgents as distributed repositories ......................84
Creating SuperAgent repositories ........................85
Selecting which packages are replicated to SuperAgent repositories ..........86
Deleting SuperAgent distributed repositories ....................86
Creating and configuring FTP, HTTP, and UNC repositories ................. 86
Creating a folder location on an FTP, HTTP server or UNC share ............87
Adding the distributed repository to ePolicy Orchestrator ...............87
Avoiding replication of selected packages .....................89
Disabling replication of selected packages .....................89
Enabling folder sharing for UNC and HTTP repositories ................90
Editing distributed repositories .........................90
Deleting distributed repositories .........................90
Using local distributed repositories that are not managed ................. 91
Working with the repository list files ..........................92
Exporting the repository list SiteList.xml file ....................92
Exporting the repository list SiteMgr.xml file for backup or use by other servers ..... 93
Importing distributed repositories from the SiteMgr.xml file ..............93
Importing source sites from the SiteMgr.xml file ..................93
Changing credentials on multiple distributed repositories ..................94
9 Setting up registered servers 95
Registering servers .................................95
Registering McAfee ePO servers .........................95
Registering LDAP servers ........................... 97
Registering SNMP servers ...........................98
Registering a database server ......................... 99
10 Setting up Agent Handlers 101
Agent Handlers and what they do ...........................101
How Agent Handlers work ..............................101
Handler groups and priority .............................102
Working with Agent Handlers ............................103
Assigning agents to Agent Handlers .......................103
Managing Agent Handler assignments ......................104
Setting up Agent Handler groups ........................104
Managing Agent Handler groups ........................105
Moving agents between handlers ........................105
11 Other important server information 109
About Internet Protocols in managed environment ...................109
Exporting objects from ePolicy Orchestrator ......................110
Importing items into ePolicy Orchestrator .......................110
Exporting objects and data from your ePolicy Orchestrator server ..............111
ePolicy Orchestrator Log Files ............................112
The Audit Log ...............................112
The Server Task log .............................114
The Threat Event Log ............................116
Managing your network security with your ePolicy Orchestrator server
12 Organizing the System Tree 121
The System Tree structure .............................121
Considerations when planning your System Tree .....................123
Administrator access .............................123
Environmental borders and their impact on system organization ...........124
Subnets and IP address ranges ........................124
Tags and systems with similar characteristics ...................124
Operating systems and software ........................125
Tags and how they work ..............................125
Active Directory and NT domain synchronization .....................126
Active Directory synchronization ........................126
NT domain synchronization ..........................127
Criteria-based sorting ...............................128
How settings affect sorting ..........................129
IP address sorting criteria ...........................129
Tag-based sorting criteria ...........................130
Group order and sorting ...........................130
Catch-all groups ..............................130
How a system is added to the System Tree when sorted .................130
Working with tags .................................132
Creating tags with the Tag Builder .......................132
Excluding systems from automatic tagging ....................133
Applying tags to selected systems .......................133
Applying criteria-based tags automatically to all matching systems ..........133
Creating and populating groups ...........................135
Creating groups manually ...........................136
Adding systems manually to an existing group ..................137
Exporting systems from the System Tree .....................138
Importing systems from a text file .......................138
Sorting systems into criteria-based groups ....................140
Importing Active Directory containers ......................142
Importing NT domains to an existing group ....................144
Synchronizing the System Tree on a schedule ...................146
Updating the synchronized group with an NT domain manually ............147
Moving systems manually within the System Tree ....................147
Transferring systems between McAfee ePO servers ....................148
13 Working with the agent from the McAfee ePO server 149
Agent-server communication ............................149
Agent-server communication interval ......................150
Agent-server communication interruption handling ................150
Wake-up calls and tasks ...........................151
SuperAgents and broadcast wake-up calls ....................151
SuperAgent caching and communication interruptions ...............152
Viewing agent and product properties .........................153
Responding to policy events .............................153
Running client tasks immediately ...........................154
Sending manual wake-up calls to systems .......................155
Sending manual wake-up calls to a group .......................155
Locate inactive agents ...............................156
Queries provided by McAfee Agent ..........................156
Windows system and product properties reported by the agent ...............157
14 Using the Software Manager to check in software 159
What's in the Software Manager ...........................159
Checking in, updating, and removing software using the Software Manager ..........160
15 Using policies to manage products and systems 163
Policy management ................................163
Policy application .................................165
How policy assignment rules work ..........................166
Policy assignment rule priority .........................166
About user-based policy assignments ......................167
About system-based policy assignments .....................168
Using tags to assign system-based policies ....................168
Working with policy assignment rules ......................169
Creating Policy Management queries .........................170
Working with the Policy Catalog ...........................171
Creating a policy from the Policy Catalog page ..................172
Duplicating a policy on the Policy Catalog page ..................172
Editing a policy’s settings from the Policy Catalog .................173
Renaming a policy from the Policy Catalog ....................173
Deleting a policy from the Policy Catalog .....................173
Working with policies ................................173
Configuring agent policies to use a distributed repository ..............174
Changing the owners of a policy ........................175
Moving policies between McAfee ePO servers ...................175
Assigning a policy to a group of the System Tree .................176
Assigning a policy to a managed system .....................177
Assigning a policy to multiple managed systems within a group ...........177
Enforcing policies for a product on a group ....................178
Enforcing policies for a product on a system ...................178
Copying and pasting assignments .......................179
Viewing policy information .............................180
Viewing groups and systems where a policy is assigned ...............181
Viewing the settings of a policy ........................181
Viewing policy ownership ...........................182
Viewing assignments where policy enforcement is disabled .............182
Viewing policies assigned to a group ......................182
Viewing policies assigned to a specific system ...................183
Viewing a group’s policy inheritance .......................183
Viewing and resetting broken inheritance ....................183
Sharing policies among McAfee ePO servers ......................183
Setting up policy sharing for multiple McAfee ePO servers ..............184
Frequently asked questions .............................185
16 Using tasks to manage products and systems 187
Deployment packages for products and updates .....................187
Product and update deployment ...........................189
First time product and update deployment overview ...................189
Server tasks and what they do ...........................190
Global updating ...............................190
Pull tasks .................................192
Replication tasks ..............................193
Deploying update packages with pull and replication tasks ..............194
Allowed Cron syntax when scheduling a server task ................198
About the pull and replication task information in the Server Task log .........199
Client tasks and what they do ............................199
How the Client Task Catalog works .......................200
Deployment tasks ..............................200
Update tasks ................................203
Working with client tasks ...........................204
Confirming that clients are using the latest DAT files ...................205
Evaluating new DATs and engines before distribution ...................206
17 Managing packages and extensions manually 207
Bringing products under management .........................207
Checking in packages manually ...........................207
Deleting DAT or engine packages from the master repository ...............208
Manually moving DAT and engine packages between branches ...............208
Checking in engine, DAT and ExtraDAT update packages manually .............209
18 Responding to events in your network 211
About using Automatic Responses ..........................212
Automatic Responses and how it works ........................212
Throttling, aggregation, and grouping ......................213
Default rules ................................213
Planning .....................................214
Determining how events are forwarded ........................214
Determining which events are forwarded immediately ...............215
Determining which events are forwarded .....................215
Configuring Automatic Responses ...........................216
Assigning permission sets to access Automatic Responses ..............216
Working with SNMP servers ..........................217
Working with registered executables and external commands ............220
Creating and editing Automatic Response rules .....................222
Describing the rule .............................222
Setting filters for the rule ...........................223
Setting thresholds of the rule .........................223
Configuring the action for Automatic Response rules ................224
Frequently asked questions .............................226
Monitoring and reporting on your network security status
19 Monitoring with Dashboards 229
Working with dashboards ..............................229
Creating dashboards .............................230
Adding monitors to dashboards ........................230
Removing monitors from dashboards ......................231
Duplicating dashboards ............................231
Deleting dashboards .............................232
Importing dashboards ............................232
Exporting dashboards ............................232
Changing the system default dashboard .....................233
Assigning permissions to dashboards ......................233
Working with dashboard monitors ..........................234
Configuring dashboard monitors ........................234
Moving and resizing dashboard monitors .....................235
Default dashboards and their monitors ........................235
20 Querying the database and reporting on system status 239
Query and report permissions ............................240
About queries ..................................240
Query Builder ................................242
Working with queries ................................243
Creating custom queries ...........................243
Running an existing query ..........................244
Running a query on a schedule .........................245
Creating a query group ............................245
Moving a query to a different group .......................246
Duplicating queries .............................246
Deleting queries ..............................246
Exporting a query ..............................247
Importing a query ..............................247
Exporting query results to other formats .....................248
Multi-server rollup querying .............................249
Creating a Rollup Data server task .......................249
Creating a query to define compliance ......................250
Generating compliance events .........................250
About reports ...................................251
Structure of a report .............................251
Working with reports ................................252
Creating a new report ............................253
Editing an existing report ...........................253
Viewing report output ............................258
Grouping reports together ..........................258
Running reports ...............................259
Configuring Internet Explorer 8 to automatically accept McAfee ePO downloads .....259
Running a report with a server task .......................260
Exporting reports ..............................260
Importing reports ..............................261
Deleting reports ...............................261
Using database servers ...............................261
Working with database servers ............................262
Modifying a database registration ........................262
Removing a registered database ........................262
21 Detecting Rogue Systems 265
What are rogue systems ..............................265
Rogue System Detection states ........................266
Rogue Sensor Blacklist ............................269
Rogue System Detection policy settings .....................269
Rogue System Detection permission sets .....................271
How the Rogue System Sensor works .........................272
Passive listening to layer-2 traffic ........................272
Intelligent filtering of network traffic ......................272
Data gathering and communications to the server .................273
Systems that host sensors ..........................273
How detected systems are matched and merged ....................274
Working with detected systems ...........................274
Configuring Rogue System Detection policy settings ................275
Adding systems to the Exceptions list ......................276
Adding systems to the Rogue Sensor Blacklist ..................277
Adding detected systems to the System Tree ...................277
Editing system comments ...........................277
Exporting the Exceptions list ..........................278
Importing systems to the Exceptions list .....................278
Merging detected systems ..........................278
Pinging a detected system ..........................279
Querying detected system Agents .......................279
Removing systems from the Detected Systems list .................279
Removing systems from the Exceptions list ....................280
Removing systems from the Rogue Sensor Blacklist ................280
Viewing detected systems and their details ....................280
Working with sensors ...............................280
Installing sensors ..............................281
Editing sensor descriptions ..........................283
Removing sensors ..............................283
Working with subnets ...............................284
Adding subnets ...............................284
Deleting subnets ..............................285
Ignoring subnets ..............................285
Including subnets ..............................285
Renaming subnets ..............................286
Viewing detected subnets and their details ....................286
Rogue System Detection command-line options .....................286
Default Rogue System Detection queries ........................287
22 Managing Issues and Tickets 289
Issues and how they work .............................290
Working with issues ................................290
Creating basic issues manually .........................290
Configuring responses to automatically create issues ................291
Managing issues ..............................294
Purging closed issues ...............................295
Purging closed issues manually ........................295
Purging closed issues on a schedule .......................295
Tickets and how they work .............................296
Ways to add tickets to issues .........................296
Assignment of ticketed issues to users .....................296
How tickets and ticketed issues are closed ....................296
Benefits of adding comments to ticketed issues ..................297
How tickets are reopened ...........................297
Ticketed issue synchronization .........................297
Integration with ticketing servers ...........................297
Considerations when deleting a registered ticketing server .............298
Required fields for mapping ..........................298
Sample mappings ..............................298
Working with tickets ................................301
Adding tickets to issues ............................301
Synchronizing ticketed issues .........................302
Synchronizing ticketed issues on a schedule ...................302
Working with ticketing servers ............................302
Installing extensions for ticketing server .....................303
Registering and mapping a ticketing server ....................305
Configuring the field mappings .........................306
Upgrading a registered ticketing server ........................308
A Appendix: Maintaining ePolicy Orchestrator Databases 311
Perform regular maintenance of SQL Server databases ..................311
Backup and restore ePolicy Orchestrator databases ...................312
Changing SQL Server information ..........................312
Index 315
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
Contents
About this guide
Finding product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators — People who implement and enforce the company's security program.
Users — People who use the computer where the software is running and can access some or all of its features.
Security officers — People who determine sensitive and confidential data, and define the corporate policy that protects the company's intellectual property.
Reviewers — People who evaluate the product.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
What's in this guide
This guide is organized to help you find the information you need.
It's divided into functional parts intended to support the goals you need to accomplish when using your McAfee ePolicy Orchestrator (McAfee ePO™) software. Each part is then further divided into chapters that group relevant information together by feature and associated tasks, so you can go directly to the topic you need to successfully accomplish your goals.
Finding product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access... Do this...
User documentation:
  1 Click Product Documentation.
  2 Select a Product, then select a Version.
  3 Select a product document.
KnowledgeBase:
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.
Introducing McAfee ePolicy Orchestrator Software version 4.6.0
Get familiar with what ePolicy Orchestrator software is, the components of the software, and how they protect your environment. Then, review the configuration process overview.
Chapter 1 Introducing McAfee ePolicy Orchestrator Software version 4.6.0
Chapter 2 Planning your ePolicy Orchestrator configuration
Introducing McAfee ePolicy Orchestrator Software version 4.6.0
McAfee ePolicy Orchestrator software is a key component of the McAfee Security Management Platform, which provides unified management of endpoint, network, and data security. It provides you with end-to-end visibility and powerful automation features that reduce incident response times, strengthen protection, and decrease the complexity of managing risk and security.
See also
What is ePolicy Orchestrator software on page 15
Components and what they do on page 16
How the software works on page 17
How to navigate the ePolicy Orchestrator interface on page 18
Contents
What is ePolicy Orchestrator software
Components and what they do
How the software works
How to navigate the ePolicy Orchestrator interface
What is ePolicy Orchestrator software
ePolicy Orchestrator software is a scalable, extensible management platform that enables centralized policy management and enforcement of your security products and the systems on which they reside. It also provides comprehensive reporting and product deployment capabilities, all through a single point of control.
Using an ePolicy Orchestrator server, you can:
• Deploy security products, patches, and service packs to the systems in your network.
• Manage the host and network security products deployed to your systems through the enforcement of security policies, client tasks, and server tasks.
• Update the DATs, Engines and other security content required by your security software to ensure your managed systems are secure.
Components and what they do
The ePolicy Orchestrator software comprises these components.
• McAfee ePO server — The center of your managed environment. The server delivers security policies and tasks, controls updates, and processes events for all managed systems. The ePolicy Orchestrator server includes these subcomponents:
• Apache server — Along with the event parser, this component is responsible for communicating with the McAfee Agent. Together, these two components receive updated events and properties from agents, and send updated policies and tasks.
• Application server — This component hosts the user interface and server task scheduler.
• Event parser — This component works in conjunction with the Apache server to communicate events and properties from the agent to the server, and to send policies and tasks from the server to the agent.
• Database — The central storage component for all data created and used by ePolicy Orchestrator. You can choose whether to house the database on your McAfee ePO server or on a separate system, depending on the specific needs of your organization.
• McAfee Agent — A vehicle of information and enforcement between the ePolicy Orchestrator server and each managed system. The agent retrieves updates, ensures task implementation, enforces policies, and forwards events for each managed system. It uses a separate secure data channel to transfer data to the server. A McAfee Agent can also be configured as a SuperAgent.
• Master repository — The central location for all McAfee updates and signatures, residing on the ePolicy Orchestrator server. Master repository retrieves user-specified updates and signatures from McAfee or from user-defined source sites.
• Distributed repositories — Local access points strategically placed throughout your environment for agents to receive signatures, product updates, and product installations with minimal bandwidth impact. Depending on how your network is configured, you can set up SuperAgent, HTTP, FTP, or UNC share distributed repositories.
• Remote Agent Handlers — A server that you can install in various network locations to help manage agent communication, load balancing, and product updates. Each Remote Agent Handler consists of an Apache server and an event parser. They can help you manage the needs of large or complex network infrastructures by giving you more control over agent-server communication.
• Registered servers — Used to register other servers with your ePolicy Orchestrator server. Registered server types include:
• LDAP server — Used for Policy Assignment Rules and to enable automatic user account creation.
• SNMP server — Used to receive an SNMP trap. You must add the SNMP server's information so that ePolicy Orchestrator knows where to send the trap.
• Database server — Used to extend the advanced reporting tools provided with ePolicy Orchestrator software.
• Ticketing server — Before tickets can be associated with issues, you must have a registered ticketing server configured. The system running the ticketing extension must be able to resolve the address of the Service Desk system.
Depending on the needs of your organization and the complexity of your network, you might only need to use some of these components.
How the software works
McAfee ePO software is designed to be extremely flexible. It can be set up in many different ways, to meet your unique needs.
The software follows the classic client-server model, in which a client system (system) calls into your server for instructions. To facilitate this call to the server, a McAfee Agent is deployed to each system in your network. Once an agent is deployed to a system, the system can be managed by your ePolicy Orchestrator server. Secure communication between the server and managed system is the bond that connects all the components of your ePolicy Orchestrator software. The figure below shows an example of how your ePolicy Orchestrator server and components inter-relate in your secure network environment.
1 Your ePolicy Orchestrator server connects to the McAfee update server to pull down the latest security content.
2 The ePolicy Orchestrator database stores all the data about the managed systems on your network, including:
• System properties
• Policy information
• Directory structure
• All other relevant data the server needs to keep your systems up-to-date.
3 McAfee Agents are deployed to your systems to facilitate:
• Policy enforcement
• Product deployments and updates
• Reporting on your managed systems
4 Agent-server secure communication (ASSC) occurs at regular intervals between your systems and server. If remote Agent Handlers are installed in your network, agents communicate with the server through their assigned Agent Handlers.
5 Users log onto the ePolicy Orchestrator console to perform security management tasks, such as running queries to report on security status or working with your managed software security policies.
6 The McAfee update server hosts the latest security content, so your ePolicy Orchestrator server can pull the content at scheduled intervals.
7 Distributed repositories placed throughout your network host your security content locally, so agents can receive updates more quickly.
8 Remote Agent Handlers help to scale your network to handle more agents with a single ePolicy Orchestrator server.
9 Ticketing servers connect to your ePolicy Orchestrator server to help manage your issues and tickets.
10 Automatic Response notifications are sent to security administrators to notify them that an event has occurred.
How to navigate the ePolicy Orchestrator interface
The ePolicy Orchestrator interface uses a menu-based navigation model with a customizable favorites bar to ensure that you can get where you need to go quickly.
Menu sections represent the top-level features of your ePolicy Orchestrator server. As you add new managed products to your server, the associated interface pages are either added to an existing category, or a new category is created in the Menu.
About the ePolicy Orchestrator navigation Menu
The ePolicy Orchestrator Menu provides the primary navigation for your server.
The Menu uses categories that comprise the various features and functionality of your ePolicy Orchestrator server. Each category contains a list of primary feature pages associated with a unique icon. Select a category in Menu to view and navigate to the primary pages that make up that feature.
About the navigation bar
Customize the navigation bar to provide quick access to the features and functionality you use most often.
You can decide which icons are displayed on the navigation bar by dragging any Menu item on or off the navigation bar. When you navigate to a page in the Menu, or click an icon in the navigation bar, the name of that page is displayed in the blue box next to the Menu.
On systems with 1024x768 screen resolution, the navigation bar can display six icons. When you place more than six icons on the navigation bar, an overflow menu is created on the right side of the bar. Click > to access the Menu items not displayed in the navigation bar. The icons displayed in the navigation bar are stored as user preferences, so each user's customized navigation bar is displayed regardless of which console they use to log on to the server.
Planning your ePolicy Orchestrator configuration
Getting started using your ePolicy Orchestrator server requires planning and consideration with regard to infrastructure and configuration.
How you set up your server infrastructure, and how much configuration you need to perform, depends on the unique needs of your network environment. Considering these areas in advance can reduce the time it takes to get up and running.
Contents
About scalability
Server configuration overview
About scalability
How you manage your scalability needs depends on whether you use multiple ePolicy Orchestrator servers or multiple remote Agent Handlers.
With ePolicy Orchestrator software, you can scale your network vertically or horizontally.
Vertical scalability — Adding and upgrading to bigger, faster hardware to manage larger and larger deployments. Scaling your ePolicy Orchestrator server infrastructure vertically is accomplished by upgrading your server hardware, and by using multiple ePolicy Orchestrator servers throughout your network, each with its own database.
Horizontal scalability — Accomplished by increasing the deployment size that a single ePolicy Orchestrator server can manage. Scaling your server horizontally is accomplished by installing multiple remote Agent Handlers, each reporting to a single database.
When to use multiple ePolicy Orchestrator servers
Depending on the needs of your organization, using multiple ePolicy Orchestrator servers might be required.
Some scenarios in which you might want to use multiple servers include:
• You want to maintain separate databases for distinct units within your organization.
• You require separate IT infrastructures, administrative groups, or test environments.
• Your organization is distributed over a large geographic area, and uses a network connection with relatively low bandwidth such as a WAN, VPN, or other slower connections typically found between remote sites. For more information about bandwidth requirements, see the McAfee ePolicy Orchestrator Hardware Usage and Bandwidth Sizing Guide.
Using multiple servers in your network requires that you maintain a separate database for each server. You can roll up information from each server to your main ePolicy Orchestrator server and database.
When to use multiple remote Agent Handlers
Multiple remote Agent Handlers can help you manage large deployments without adding additional ePolicy Orchestrator servers to your environment.
The Agent Handler is the component of your server responsible for managing agent requests. Each McAfee ePO server installation includes an Agent Handler by default. Some scenarios in which you might want to use multiple remote Agent Handlers include:
• You want to allow agents to choose between multiple physical devices, so they can continue to call in and receive policy, task, and product updates even if the application server is unavailable, and you don't want to cluster your ePolicy Orchestrator server.
• Your existing ePolicy Orchestrator infrastructure needs to be expanded to handle more agents, more products, or a higher load due to more frequent agent-server communication intervals (ASCI).
• You want to use your ePolicy Orchestrator server to manage disconnected network segments, such as systems that use Network Address Translation (NAT) or in an external network.
This is functional as long as the Agent Handler has a high bandwidth connection to your ePolicy Orchestrator database.
Multiple Agent Handlers can provide added scalability and lowered complexity in managing large deployments. However, because Agent Handlers require a very fast network connection, there are some scenarios in which you should not use them, including:
• To replace distributed repositories. Distributed repositories are local file shares intended to keep agent communication traffic local. While Agent Handlers do have repository functionality built in, they require constant communication with your ePolicy Orchestrator database, and therefore consume a significantly larger amount of bandwidth.
• To improve repository replication across a WAN connection. The constant communication back to your database required by repository replication can saturate the WAN connection.
• To connect a disconnected network segment where there is limited or irregular connectivity to the ePolicy Orchestrator database.
Server configuration overview
How you set up your ePolicy Orchestrator server depends on the unique needs of your environment.
This process overview highlights the major setup and configuration required to use your ePolicy Orchestrator server. Each of the steps represents a chapter or section in this guide, where you can find the detailed information you need to understand the features and functionality of the software, along with the tasks needed to implement and use them.
Depending on the size and complexity of your network, you might not need to configure all available features.
Process overview
This process is a high-level overview of the configuration process for your server. Many items represent specific feature sets or functional areas of the ePolicy Orchestrator software:
1 Configure essential features — ePolicy Orchestrator software has some essential features that you must configure for your server to function properly. Use the Guided Configuration tool to configure the essential features of your McAfee ePO server.
2 Configure general server settings — Server settings in this group affect functionality that you do not need to modify for your server to operate correctly, but you can customize some aspects of how your server works.
3 Create user accounts — User accounts provide a means for users to access the server.
4 Configure permission sets — Permission sets grant rights and access to ePolicy Orchestrator features.
5 Configure advanced server settings and features — Your ePolicy Orchestrator server provides advanced features and functionality to help you automate the management of your network security.
6 Set up additional components — Additional components such as distributed repositories, registered servers, and Agent Handlers are required to use many of the advanced features of your ePolicy Orchestrator software.
Setting up and configuring your ePolicy Orchestrator server
Setting up and configuring your ePolicy Orchestrator server is the first step to managing your network security.
Chapter 3 Configuring essential features
Chapter 4 Configuring general server settings
Chapter 5 Creating user accounts
Chapter 6 Setting up permission sets
Chapter 7 Configuring advanced server settings
Chapter 8 Setting up repositories
Chapter 9 Setting up registered servers
Chapter 10 Setting up Agent Handlers
Chapter 11 Other important server information
Configuring essential features
Get up-and-running quickly by configuring the essential features of your ePolicy Orchestrator server.
Contents
About essential features
Using the Guided Configuration to configure essential features
About essential features
Several of your ePolicy Orchestrator server features are essential for its use, and must be configured before you can deploy and manage security software on the systems in your network.
The essential features of your McAfee ePO server are:
• The Software Manager — Allows you to check in new and updated security software into your ePolicy Orchestrator server and Master Repository from within the console.
• The System Tree — Contains all of the systems managed by your ePolicy Orchestrator server.
• The Policy Catalog — Where you configure the security policies that control the security software deployed to your managed systems.
• The Client Task Catalog — Where you create, assign, and schedule client tasks to automate tasks that run on your managed systems.
• The McAfee Agent — Enables management of a system on your network. Once deployed, the agent communicates status and all associated data to and from your server and the managed system. It is the vehicle through which security software is deployed, policies are enforced, and tasks are assigned.
The McAfee Agent is an independent software product required for your ePolicy Orchestrator server to manage systems on your network. It is checked in to your Master Repository automatically when you install your McAfee ePO software.
This version of the software comes equipped with the ePolicy Orchestrator Guided Configuration tool. This tool is designed to help you configure these essential features, and to become familiar with the ePolicy Orchestrator interface. The Guided Configuration helps you complete the necessary steps to:
1 Get McAfee security software checked into your Master Repository, so it can be deployed to systems in your network.
2 Add your systems to the ePolicy Orchestrator System Tree, so you can bring them under management.
3 Create and assign at least one security policy to be enforced on your managed systems.
4 Schedule a client update task to keep your security software up-to-date.
5 Deploy your security software to your managed systems.
Using the Guided Configuration is not required. You can perform each of these steps manually. If you choose to perform these steps manually, McAfee recommends that you use a similar workflow during your configuration process. Regardless of the method you choose to configure these features, you can continue to modify and tune your server's configuration using the Guided Configuration tool or by navigating directly to each page from the McAfee ePO Menu.
Using the Guided Configuration to configure essential features
The Guided Configuration tool is designed to help you configure your ePolicy Orchestrator server by directing you through pages used to configure some essential features.
Work through each step in the task below to:
• Select the security software you want to deploy to systems on your network.
• Select the systems on your network you want to manage with your McAfee ePO server, and add them to the System Tree.
• Configure a Default policy to be assigned and enforced on your managed systems.
• Schedule a product update task to ensure that your managed systems have the latest updates installed.
• Deploy your security software to your managed systems.
You don't have to complete each step, and you can revisit any step as often as you like. However, McAfee recommends that you use this configuration tool like a wizard, and complete each step in sequence. Doing so will help you get familiar with the individual interface pages that control these features, so you can use them without the configuration tool in the future.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Reporting | Dashboards, then select Guided Configuration from the Dashboard drop-down and click Start.
2 Review the Guided Configuration overview and instructions, then click Start.
3 The Software Selection step opens. To complete this step:
a Under the Software Not Checked In product category, click Licensed or Evaluation to display available products.
b In the Software table, select the product you want to check in. The product description and all available components are displayed in the table below.
c Click Check In All to check in product extensions to your ePolicy Orchestrator server, and product packages into your Master Repository.
d Click Next at the top of the screen when you're finished checking in software and ready to move on to the next step.
4 The System Selection step opens. To complete this step:
a Select the group in your System Tree where you want to add your systems. If you don't have any custom groups defined, select My Organization, then click Next. The Adding your systems dialog box opens.
b Select which method you want to use to add your systems to the System Tree:
Add systems using... To... Then...
AD Sync
To... Synchronize your ePolicy Orchestrator server with your Active Directory (AD) server or Domain Controller (DC). If you're using one of these in your environment, AD Sync is the quickest way to add your systems to the System Tree.
Then...
1 In the AD Sync dialog box, select the Synchronization type you want to use and specify the appropriate settings.
2 Click Synchronize and Save to move on to the next step.
Manual
To... Manually add systems to your System Tree by specifying names or browsing a list of systems by domain.
Then...
1 In the New Systems page, click Browse to add individual systems from a Domain and click OK, or type system names in the Target systems field.
2 Click Add Systems to move on to the next step.
5 The Policy Configuration step opens. To complete this step:
Select... To... Then...
Accept Defaults
To... Use the My Default policy setting for the software you'll deploy and continue your configuration.
Then... This step is complete.
Configure Policy
To... Specify custom policy settings now for each software product you checked in.
Then...
1 In the Policy Configuration dialog box, click OK.
2 Select a product from the Product list and click My Default to edit the default policy settings.
3 Click Next to move on to the next step.
6 The Software Updating step opens. To complete this step:
Select... To... Then...
Create Defaults
To... Automatically create a default product update client task that runs daily at 12:00 P.M.
Then... This step is complete.
Set Task Schedule
To... Manually configure the schedule for your product update client task.
Then...
1 Using the Client Task Assignment Builder, specify a Product and Task Name for your product update task. Do not change the Task Type selection. Task Type must be set to Product Update.
2 Configure the Lock task inheritance and Tags options, then click Next.
3 Specify the schedule for the update task, then click Next.
4 Review the summary and click Save.
7 The Software Deployment step opens. To complete this step:
a Select the location in the System Tree that contains the systems where you want to deploy your software, then click Next. The Software Deployment dialog box opens. Click OK to continue.
b Specify your settings for the McAfee Agent deployment, then click Deploy. Click Skip Agent Deployment if you want to wait until later to perform this action. However, you must deploy agents in order to deploy your other security software.
c The Software Deployment dialog box opens. Select the software packages you want to deploy to your managed systems, then click Deploy.
The Configuration Summary dialog box opens. Your configuration is complete. Click Finish to close the Guided Configuration.
Configuring general server settings
Configuring your software's general server settings is optional, but strongly recommended. Some features of your server rely on these settings to function properly.
Contents
About general server settings
Configuring general server settings
About general server settings
General server settings allow you to enable and customize some of your software's non-essential features and functionality.
Modify these server settings to customize some aspects of your server's behavior. For example, specifying an email server for use with your ePolicy Orchestrator server is not required. However, before your server can send an automatically generated email in response to an event in your network, you must configure the Email Server settings your McAfee ePO server needs to connect to your email server.
Configuring general server settings
General server settings control functionality that does not require specific configuration, or basic features that are not required for your server to function properly.
Use these tasks to configure your ePolicy Orchestrator server's general server settings.
Allowing agent deployment credentials to be cached
Users must provide client credentials to successfully deploy agents from your ePolicy Orchestrator server to systems in your network. You can choose whether to allow agent deployment credentials to be cached for each user.
Once a user's credentials are cached, that user can deploy agents without having to provide them again. Credentials are cached per user, so a user that has not previously provided credentials cannot deploy agents without providing their own credentials first.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Agent Deployment Credentials from the Setting Categories, then click Edit.
2 Select the checkbox to allow agent deployment credentials to be cached.
Specifying default dashboards and dashboard refresh intervals
The Dashboards server setting specifies the default dashboard a user sees when logging on to your server, as well as the rate at which all dashboards are refreshed.
You can specify which dashboard a user sees when they log on to your ePolicy Orchestrator server for the first time by mapping it to the user's permission set. Mapping dashboards to permission sets ensures that users assigned a particular role are automatically presented with the information they need. Users with permission to view dashboards other than their default see the most recent dashboard they viewed each time they go to the Dashboards page.
Using the Dashboards server setting, you can also:
• Configure which dashboard is displayed to users who belong to a permission set that does not have a default dashboard assignment.
• Control the automatic refresh rate for dashboards.
Dashboards are refreshed automatically. Each time a refresh occurs, the underlying query is run, and the results displayed in the dashboard. When query results contain large amounts of data, a short refresh interval might impact available bandwidth. McAfee recommends that you choose a refresh interval (5 minutes by default) that is frequent enough to ensure accurate and timely information is displayed without consuming undue network resources.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Dashboards from the Setting Categories, then click Edit.
2 Select a permission set and default dashboard from the menus. Use the add and remove controls to add or remove multiple dashboards for each permission set, or to add assignments for multiple permission sets.
3 Specify a value between 1 minute and 60 hours for the dashboard monitor refresh interval (5 minutes by default), then click Save.
Determining which events are forwarded to the server
Use this task to determine which events are forwarded to the server. This selection impacts the bandwidth used in your environment, as well as the results of event-based queries.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page. The Edit Event Filtering page appears.
2 Select the events you want the agent to forward to the server, then click Save.
Changes to these settings take effect after all agents have communicated with the McAfee ePO server.
Choosing an ePO Notification Event interval
This setting determines how often ePO Notification Events are sent to the Automatic Response system.
There are three types of ePO Notification Events:
• Client events — Events that occur on managed systems. For example, "Product update succeeded."
• Threat events — Events that indicate a possible threat is detected. For example, "Virus detected."
• Server events — Events that occur on the server. For example, "Repository pull failed."
An automatic response can be triggered only after the Automatic Response system receives a notification. McAfee recommends that you specify a relatively short interval for sending these Notification events: an evaluation interval that is frequent enough to ensure that the Automatic Response system can respond to an event in a timely manner, but infrequent enough to avoid excessive bandwidth consumption.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Event Notifications from the Setting Categories, then click Edit.
2 Specify a value between 1 and 9,999 minutes for the Evaluation Interval (1 minute by default), then click Save.
Configuring settings for global updates
Global updates automate repository replication in your network. The content distributed to repositories during a global update, and whether global updates are enabled are configured using the Global Updating server setting.
Global updates are disabled by default. However, McAfee recommends that you enable and use them as part of your updating strategy. You can specify a randomization interval and package types to be distributed during the update. The randomization interval specifies the time period in which all systems are updated. Systems are updated randomly within the specified interval.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Global Updating from the Setting Categories, then click Edit.
2 Set the status to Enabled and specify a Randomization interval between 0 and 32,767 minutes.
3 Specify which Package types to include in the global updates:
• All packages — Select this option to include all signatures and engines, and all patches and service packs.
• Selected packages — Select this option to limit the signatures and engines, and patches and service packs included in the global update.
When using global updating, McAfee recommends scheduling a regular pull task (to update the master repository) at a time when network traffic is minimal. Although global updating is much faster than other methods, it increases network traffic during the update. For more information about performing global updates, see Global updating under Product and update deployment.
Providing a license key
A license key entitles you to a full installation of the ePolicy Orchestrator software, and makes the other licensed McAfee software your company owns available in the ePolicy Orchestrator Software Manager.
Without a license key, your software runs in evaluation mode. Once the evaluation period is expired, the software ceases to function. You can add a license key at any time during the evaluation period.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select License Key from the Setting Categories, then click Edit.
2 Type your License Key and click Save.
Creating a custom login message
Create and display a custom login message to be displayed on the Log On page.
Your message can be written in plain text, or formatted using HTML. If you create an HTML formatted message, you are responsible for all formatting and escaping.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Login Message from the Setting Categories, then click Edit.
2 Select Display custom login message, then type your message and click Save.
McAfee Labs Security Threats
The McAfee Labs Security Threats page informs you of the top ten medium-to-high-risk threats for corporate users. You no longer need to manually search for this information from the press (TV, radio, newspapers), informational websites, mailing lists, or your peers. You are automatically notified of these threats from McAfee Labs.
Protection status and risk assessment
You can easily determine whether the DAT and engine files in the Current branch of the master repository provide protection against the top 10 threats and, if not, the highest risk level of any new threats.
Protection available
The DAT and engine files in the repository already provide protection against all threats that are known to McAfee Labs. To determine whether each managed system is protected, run a query against DAT and engine file coverage.
Protection pending on Medium-to-Low Risk Threats
The updated DAT file for threats assessed by McAfee Labs as medium risk is pending. However, updated protection is available in a supplemental virus definition (ExtraDAT) file, which you can manually download if you need protection before the next full DAT file is available, such as in an outbreak scenario.
Protection Pending on High-Risk Threats
The updated DAT file for threats assessed by McAfee Labs as high risk is pending. However, updated protection is available in a supplemental virus definition (ExtraDAT) file, which you can manually download if you need protection before the next full DAT file is available, such as in an outbreak scenario.
Working with McAfee Labs Security Threats
Use these tasks to mark threat notifications as read or unread, or to delete them. Data is sorted by the date the threat was discovered. In addition, you can click the threat name to go to the McAfee Labs website to view information about each threat.
Each user views a McAfee Labs Security Threats page that is unique to their account. When one user deletes or marks threat notifications as read or unread, these actions are not represented in the table when another user account logs on.
Controlling unsupported product policy visibility
If you've been using your ePolicy Orchestrator server for a while, or you've recently updated from a previous version of the software, you might have some unsupported products installed on your server. You can control whether the policies associated with these products are visible in the Policy Catalog.
If you have unsupported products checked in to your server, you can choose whether the policies for those products are visible or hidden.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Policy Maintenance from the Setting Categories, then click Edit.
2 Specify whether to show or hide policies for an unsupported product, optionally delete any unsupported products, then click Save.
Changing agent communication ports
You can change some of the ports used for agent communication on your ePolicy Orchestrator server.
You can modify the settings for these agent communication ports:
• Agent-to-server communication secure port
• Agent wake-up communication port
• Agent broadcast communication port
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Ports from the Setting Categories, then click Edit.
2 Select whether to enable port 443 as the secure port for agent-to-server communications, type the ports to be used for agent wake-up calls and agent broadcasts, then click Save.
Configuring the template and location for exported reports
You can define the appearance and storage location for tables and dashboards you export as documents.
Using the Printing and Exporting server setting, you can configure:
• Headers and footers, including a custom logo, name, page numbering, etc.
• Page size and orientation for printing.
• Directory where exported tables and dashboards are stored.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, then select Printing and Exporting in the Settings list.
2 Click Edit. The Edit Printing and Exporting page appears.
3 In the Headers and footers for exported documents section, click Edit Logo to open the Edit Logo page.
  a Select Text and type the text you want included in the document header, or do one of the following:
    • Select Image and browse to the image file, such as your company logo.
    • Select the default McAfee logo.
  b Click OK to return to the Edit Printing and Exporting page.
4 From the drop-down lists, select any metadata that you want displayed in the header and footer.
5 Select a Page size and Page orientation.
6 Type a new location or accept the default location where exported documents will be saved.
7 Click Save.
Using a proxy server
If you use a proxy server in your network environment, you need to specify the proxy settings in the ePolicy Orchestrator server settings.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, select Proxy Settings from the Setting Categories, then click Edit.
2 Select Configure the proxy settings manually, provide the specific configuration information your proxy server uses for each set of options, then click Save.
SSL certificates
The browsers supported by McAfee ePO show a warning about a server’s SSL certificate if it cannot verify that the certificate is valid or signed by a source that the browser trusts. By default, the McAfee ePO server uses a self-signed certificate for SSL communication with the web browser, which, by default, the browser will not trust. This causes a warning message to display every time you visit the McAfee ePO console.
To stop this warning message from appearing you must do one of the following:
• Add the McAfee ePO server certificate to the collection of trusted certificates used by the browser. This must be done for every browser that interacts with McAfee ePO. If the server certificate changes, you must add the McAfee ePO server certificate again, since the certificate sent by the server no longer matches the one that the browser is configured to trust.
• Replace the default McAfee ePO server certificate with a valid certificate that has been signed by a certificate authority (CA) that the browser trusts. This is the best option. Because the certificate is signed by a trusted CA, you do not need to add the certificate to all web browsers within your organization. If the server host name changes, you can replace the server certificate with a different one that has also been signed by a trusted CA.
To replace the McAfee ePO server certificate, you must first obtain the certificate — preferably a certificate that has been signed by a trusted CA. You must also obtain the certificate’s private key and its password (if it has one). Then you can use all of these files to replace the server’s certificate. For more information on replacing server certificates, see Security keys and how they work.
The McAfee ePO browser expects the linked files to use the following format:
• Server certificate — P7B or PEM
• Private key — PEM
If the server certificate or private key are not in these formats, they must be converted to one of the supported formats before they can be used to replace the server certificate.
Replacing the server certificate
Use this task to specify the server certificate and private key used by ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, then click Server Certificate in the Setting Categories list.
2 Click Edit. The Edit Server Certificate page appears.
3 Browse to the server certificate file and click Open.
4 Browse to the private key file and click Open.
5 If needed, type the private key password.
6 Click Save.
After applying the new certificate and private key, you need to restart ePolicy Orchestrator for the change to take effect.
Installing a trusted security certificate for the McAfee ePO browser
Use these tasks to install a trusted security certificate for your McAfee ePO browser, to stop the server certificate warning from appearing every time you log on.
Installing the security certificate when using Internet Explorer
Use this task to install the security certificate when using supported versions of Internet Explorer, so that the warning dialog box won’t appear every time you log on.
Task
1 From your browser, start ePolicy Orchestrator. The Certificate Error: Navigation Blocked page appears.
2 Click Continue to this website (not recommended) to open the logon page. The address bar is red, indicating the browser cannot verify the security certificate.
3 To the right of the address bar, click Certificate Error to display the Certificate Invalid warning.
4 At the bottom of the warning, click View certificates to open the Certificate dialog box.
  Do not click Install Certificate on the General tab. If you do, the process fails.
5 Select the Certification Path tab, then select Orion_CA_<servername>, and click View Certificate. Another Certificate dialog box opens to the General tab, displaying the Certificate Information.
6 Click Install certificate to open the Certificate Import Wizard.
7 Click Next to specify where the certificate is stored.
8 Select Place all certificates in the following store, then click Browse to select a location.
9 Select the Trusted Root Certificate Authorities folder from the list, click OK, then click Next.
10 Click Finish. In the Security Warning that appears, click Yes.
11 Close the browser.
12 Change the target of the ePolicy Orchestrator desktop shortcut to use the NetBIOS name of the ePolicy Orchestrator server instead of "localhost".
13 Restart ePolicy Orchestrator.
Now when you log on to ePolicy Orchestrator, you are no longer prompted to accept the certificate.
Installing the security certificate when using Firefox 3.5 or higher
Use this task to install the security certificate when using Firefox 3.5 or higher, so that the warning dialog box won’t appear every time you log on.
Task
1 From your browser, start ePolicy Orchestrator. The Secure Connection Failed page appears.
2 Click Or you can add an exception at the bottom of the page. The page now displays the Add Exception button.
3 Click Add Exception. The Add Security Exception dialog appears.
4 Click Get Certificate. The Certification Status information is populated and the Confirm Security Exception button is enabled.
5 Make sure that Permanently store this exception is selected, then click Confirm Security Exception.
Now when you log on to ePolicy Orchestrator, you are no longer prompted to accept the certificate.
Enabling System Tree sorting on the server
Use this task to enable System Tree sorting on the server. System Tree sorting must be enabled on the server and the desired systems for systems to be sorted.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, then select System Tree Sorting in the Setting Categories list and click Edit.
2 Select whether to sort systems only on the first agent-server communication or on each agent-server communication.
If you selected to sort only on the first agent-server communication, all enabled systems are sorted on their next agent-server communication and are never sorted again for as long as this option is selected. However, these systems can be sorted again manually by taking the Sort Now action, or by changing this setting to sort on each agent-server communication.
If you selected to sort on each agent-server communication, all enabled systems are sorted at each agent-server communication as long as this option is selected.
ePolicy Orchestrator server settings categories and their descriptions
These are the default server settings categories available in ePolicy Orchestrator software.
When you check in additional software to your McAfee ePO server, product-specific server settings are added to the Server settings category list. For information on product-specific server settings, see the associated product documentation. You can modify server settings from the interface by navigating to the Server Settings page in the Configuration section of the ePolicy Orchestrator interface.
Table 4-1 Default server settings categories and their descriptions
Active Directory User Login: Specifies whether members of your mapped Active Directory (AD) groups can log on to your server using their AD credentials once the Active Directory User Login feature has been fully configured.
Agent Deployment Credentials: Specifies whether users are allowed to cache agent deployment credentials.
Certificate Based Authentication: Specifies whether Certificate Based Authentication is enabled, and the settings and configurations required for the Certificate Authority (CA) certificate being used.
Dashboards: Specifies the default active dashboard that is assigned to new users' accounts at the time of account creation, and the default refresh rate (5 minutes) for dashboard monitors.
Detected System Compliance: Specifies the settings that affect how rogue systems in your network are identified and treated.
Detected System Exception Categories: Specifies the categories that can be used to mark systems in your environment as exceptions.
Detected System Matching: Specifies the settings used to match detected systems and system interfaces.
Detected System OUIs: Specifies how your OUI (Organizationally Unique Identifier) list is updated, and when the last update occurred.
Email Server: Specifies the email server that is used when ePolicy Orchestrator sends email messages.
Event Filtering: Specifies which events are forwarded by the agent.
Event Notifications: Specifies the interval at which you want ePolicy Orchestrator Notification Events to be sent to Automatic Responses.
Global Updating: Specifies whether and how global updating is enabled.
License Key: Specifies the license key used to register this ePolicy Orchestrator software.
Login Message: Specifies the custom login message displayed, if any, to users in your environment when they navigate to the ePolicy Orchestrator console log on screen.
McAfee Labs Security Threats: Specifies the update frequency for the McAfee Labs Security Threats service. If proxy settings are entered in Proxy Settings, they are used while collecting McAfee Labs security threats.
Policy Maintenance: Specifies whether policies for unsupported products are visible or hidden. This is needed only after ePolicy Orchestrator is upgraded from a previous version.
Ports: Specifies the ports used by the server when it communicates with agents and the database.
Printing and Exporting: Specifies how information is exported to other formats, and the template for PDF exports. It also specifies the default location where the exported files are stored.
Proxy Settings: Specifies the type of proxy settings configured for your McAfee ePO server.
Repository Packages: Specifies whether any package can be checked in to any branch. Only agents later than version 3.6 can retrieve packages other than updates from branches other than Current.
Rogue System Sensor: Specifies the settings that define behavior for Rogue System Sensors in your network.
Security Keys: Specifies and manages the agent-server secure communication keys, and repository keys.
Server Certificate: Specifies the server certificate that your McAfee ePO server uses for HTTPS communication with browsers.
Software Evaluation: Specifies the required information supplied to enable check in and deployment of trial software.
Source Sites: Specifies which source sites your server connects to for updates, as well as which sites should be used as a fallback.
System Details Settings: Specifies which queries and system properties are displayed in the System Details page for your managed systems.
System Tree Sorting: Specifies whether and how System Tree sorting is enabled in your environment.
5 Creating user accounts
User accounts provide a means for users to access and use the software. Each account is associated with one or more permission sets, which define what the user is allowed to do with the software.
Contents
About user accounts
Working with user accounts
About user accounts
There are two types of users: global administrators and users with limited permissions.
User accounts can be created and managed in several ways. You can:
• Create user accounts manually, then assign each account an appropriate permission set.
• Configure your ePolicy Orchestrator server to allow users to log on using Windows authentication.
Allowing users to log on using their Windows credentials is an advanced feature that requires configuration and set up of multiple settings and components. For more information on this option, see Managing ePolicy Orchestrator users with Active Directory.
While user accounts and permission sets are closely related, they are created and configured using separate steps. For more information on permission sets, see Setting up permission sets.
Global administrators
Global administrators have read and write permissions and rights to all operations.
When you install the server, a global administrator account is created automatically. By default, the user name for this account is admin. If the default value is changed during installation, this account is named accordingly.
You can create additional global administrator accounts for people who require global administrator rights.
Permissions exclusive to global administrators include:
• Create, edit, and delete source and fallback sites.
• Change server settings.
• Add and delete user accounts.
• Add, delete, and assign permission sets.
• Import events into ePolicy Orchestrator databases and limit events that are stored there.
Working with user accounts
You can create, edit, and delete user accounts manually with these tasks.
Tasks
Creating user accounts on page 44 Use this task to create a user account. You must be a global administrator to add, edit, or delete user accounts.
Editing user accounts on page 44 Use this task to edit a user account. Global administrators can change passwords on any user account. Other users can only change passwords on their own accounts.
Deleting user accounts on page 45 Use this task to delete a user account. You must be a global administrator to delete user accounts.
Creating user accounts
Use this task to create a user account. You must be a global administrator to add, edit, or delete user accounts.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Users, then click New User. The New User page appears.
2 Type a user name.
3 Select whether to enable or disable the logon status of this account. If this account is for someone who is not yet a part of the organization, you might want to disable it.
4 Select whether the new account uses McAfee ePO authentication, Windows authentication, or Certificate Based Authentication, and provide the required credentials or browse and select the certificate.
5 Optionally, provide the user's full name, email address, phone number, and a description in the Notes text box.
6 Choose whether to make the user a global administrator, or select the appropriate permission sets for the user.
7 Click Save to save the current entries and return to the Users tab. The new user should appear in the Users list.
Editing user accounts
Use this task to edit a user account. Global administrators can change passwords on any user account. Other users can only change passwords on their own accounts.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Users.
2 From the Users list, select the user you want to edit, then click Actions | Edit.
3 Edit the account as needed.
4 Click Save.
Deleting user accounts
Use this task to delete a user account. You must be a global administrator to delete user accounts.
McAfee recommends disabling the Login status of an account instead of deleting it, until you are sure all valuable information associated with the account has been moved to other users.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Users.
2 From the Users list, select the user you want to delete, then click Actions | Delete.
3 Click OK.
6 Setting up permission sets
Permission sets control the level of access users have to the different features available in the software.
Even the smallest of ePolicy Orchestrator installations needs to specify and control the access users have to different parts of the system.
Contents
How users, groups, and permission sets fit together
Working with permission sets
How users, groups, and permission sets fit together
Access to items within ePolicy Orchestrator is controlled by interactions between users, groups, and permission sets.
Users
Users fall into two general categories. Either they are administrators, having full rights throughout the system, or they are regular users. Regular users can be assigned any number of permission sets to define their access levels within ePolicy Orchestrator.
Groups
Queries and reports are assigned to groups. Each group can be private (to that user only), globally public (or "shared"), or shared to one or more permission sets.
Permission sets
A particular access profile is defined within a permission set. This usually involves a combination of access levels to various parts of ePolicy Orchestrator. For example, a single permission set might grant the ability to read the Audit log, use public and shared dashboards, and create and edit public reports or queries.
Permission sets can be assigned to individual users, or if you are using Active Directory, to all users from specific Active Directory servers.
Putting the pieces together
These three objects tightly interact. Understanding the interaction is the key to controlling access within ePolicy Orchestrator. Users do not have access to an object unless they are assigned a permission set that gives them that access. That same user does not have access to any reports or queries in a group unless the group is globally public or shared to a permission set assigned to that user.
Due to the interwoven nature of these objects, you might have to create and modify permission sets, groups, and users multiple times to get everything set up the way you want.
An example access configuration
As an example, let's say you want to give all users from your "Dallas" Active Directory server access to a specific group of reports, and you want one particular engineer (let's call her "ElaineG") to be able to create and modify queries in that group. To accomplish this, you'll need to create two permission sets and one group, and edit ElaineG's user account.
1 Create a permission set called "Dallas Users."
2 Add the Dallas Active Directory server to the list called Active Directory groups mapped to this permission set.
3 Make sure they have the Queries and Reports permission Use all public groups and the shared groups below; create and edit personal queries/reports, as well as any other permissions you want to grant.
4 Duplicate the "Dallas Users" permission set and call the new set "Dallas Report Creators".
5 Create a query group called "Dallas Reports" and give it By permission set (Shared Groups) visibility to the "Dallas Users" and "Dallas Report Creators" permission sets.
6 In the "Dallas Users" permission set, select the "Dallas Reports" group under Queries and Reports permissions. Do the same for the "Dallas Report Creators" permission set.
7 Change the Queries and Reports permission in the "Dallas Report Creators" permission set to Edit public groups and the shared groups below; create and edit personal queries/reports; make personal queries/reports public. The list of selected groups should not change.
8 Edit ElaineG's user account and assign her to the "Dallas Report Creators" permission set.
You've now got an entire class of users (members of the "Dallas" Active Directory server) with access to a specific query group, and an individual with the ability to create and modify queries and reports within that group.
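The access rules described under Putting the pieces together can be checked mechanically. The following is an added Python example, not McAfee code: a small model of users, permission sets and query groups in which can_view() and can_edit() resolve access the way the text describes (a user sees a group only through a permission set that applies to them, and only if the group is public or shared to that set), walked through with the Dallas scenario. The names Dallas, ElaineG, Dallas Users, Dallas Report Creators and Dallas Reports come from the example above; the two permission levels are modelled as the constants LEVEL_USE and LEVEL_EDIT; the Chicago server and the generic staff accounts are constructed for contrast. The model also assumes that the duplicated "Dallas Report Creators" set does not keep the Dallas Active Directory mapping, since otherwise every Dallas user, not just ElaineG, would be able to edit.

```python
from dataclasses import dataclass, field
from typing import Optional

# Queries and Reports permission levels named on the page; the numeric ordering is
# this example's own.
LEVEL_NONE = 0
LEVEL_USE = 1    # "Use all public groups and the shared groups below; ..."
LEVEL_EDIT = 2   # "Edit public groups and the shared groups below; ..."


@dataclass
class PermissionSet:
    name: str
    query_level: int = LEVEL_NONE
    shared_groups: set = field(default_factory=set)  # groups selected in the set
    ad_servers: set = field(default_factory=set)     # AD servers mapped to the set


@dataclass
class Group:
    name: str
    visibility: str                     # "private", "public" or "shared"
    owner: Optional[str] = None         # only meaningful for private groups
    shared_to: set = field(default_factory=set)     # permission set names


@dataclass
class User:
    name: str
    is_admin: bool = False
    ad_server: Optional[str] = None     # AD server a Windows-authenticated user comes from
    permission_sets: set = field(default_factory=set)


def effective_sets(user: User, all_sets: dict) -> list:
    """Permission sets that apply to a user: those assigned directly plus those
    mapped to the Active Directory server the user logs on from."""
    return [s for s in all_sets.values()
            if s.name in user.permission_sets or user.ad_server in s.ad_servers]


def _covers(pset: PermissionSet, group: Group) -> bool:
    """A set grants access to a public group outright, and to a shared group only
    when the group is shared to the set and the set has selected the group."""
    if group.visibility == "public":
        return True
    return (group.visibility == "shared" and pset.name in group.shared_to
            and group.name in pset.shared_groups)


def can_view(user: User, group: Group, all_sets: dict) -> bool:
    if user.is_admin:                       # administrators have full rights
        return True
    if group.visibility == "private":
        return group.owner == user.name
    return any(s.query_level >= LEVEL_USE and _covers(s, group)
               for s in effective_sets(user, all_sets))


def can_edit(user: User, group: Group, all_sets: dict) -> bool:
    if user.is_admin:
        return True
    if group.visibility == "private":
        return group.owner == user.name
    return any(s.query_level >= LEVEL_EDIT and _covers(s, group)
               for s in effective_sets(user, all_sets))


def dallas_example() -> dict:
    """The eight steps above, expressed as data, plus a Chicago user for contrast."""
    sets = {
        "Dallas Users": PermissionSet("Dallas Users", LEVEL_USE,
                                      shared_groups={"Dallas Reports"}, ad_servers={"Dallas"}),
        # Duplicate of Dallas Users with the level raised; AD mapping not carried over (assumption).
        "Dallas Report Creators": PermissionSet("Dallas Report Creators", LEVEL_EDIT,
                                                shared_groups={"Dallas Reports"}),
    }
    reports = Group("Dallas Reports", "shared",
                    shared_to={"Dallas Users", "Dallas Report Creators"})
    dallas_staff = User("dallas-staff", ad_server="Dallas")          # any Dallas AD member
    elaine = User("ElaineG", ad_server="Dallas", permission_sets={"Dallas Report Creators"})
    chicago_staff = User("chicago-staff", ad_server="Chicago")       # constructed contrast
    return {
        "dallas_can_view": can_view(dallas_staff, reports, sets),
        "dallas_can_edit": can_edit(dallas_staff, reports, sets),
        "elaine_can_view": can_view(elaine, reports, sets),
        "elaine_can_edit": can_edit(elaine, reports, sets),
        "chicago_can_view": can_view(chicago_staff, reports, sets),
    }


if __name__ == "__main__":
    print(dallas_example())
```

Running dallas_example() shows the intended least-privilege outcome: every Dallas user can see the group, only ElaineG can edit it, and a user from another server sees nothing. Dropping the assumption in the comment (keeping the Dallas AD mapping on the duplicated set) flips dallas_can_edit to True, which is the easy mistake to make in step 4.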
Working with permission sets
Permission sets can be created, deleted, modified, imported and exported as you can with many other objects in an ePolicy Orchestrator server.
Tasks
Creating a new permission set on page 49 Providing access levels between seeing everything or nothing requires you to create a permission set.
Modifying an existing permission set on page 50 The permissions granted within a specific permission set can be modified at any time.
Duplicating a permission set on page 50 Occasionally, the easiest way to create a new permission set is to duplicate an existing one similar to what you want.
Exporting permission sets on page 50 Once you have fully defined your permission sets, the fastest way to migrate them to other ePolicy Orchestrator servers is to export them and import them onto other servers.
Importing permission sets on page 51 Permission sets can take some time to configure, so exporting and importing them is a quick way to move this configuration from one ePolicy Orchestrator server to another.
Removing a permission set on page 51 Permission sets can be deleted when they are no longer required.
Deleting permission sets on page 51 Use this task to delete a permission set. Only global administrators can delete permission sets.
Creating a new permission set
Providing access levels between seeing everything or nothing requires you to create a permission set.
If you want to create a new permission set that is unlike other permission sets you have created to this point, starting with this task is the best approach. If you want a new permission set that is similar to another existing permission set, it is easier to duplicate that permission set and modify the duplicate.
Task
For option definitions, click ? in the interface.
1 Open the permission sets page by clicking Menu | User Management | Permission Sets.
2 Click Actions | New.
3 Enter a name for the new permission set. ePolicy Orchestrator will not allow you to use a name that already exists. Each permission set name must be unique.
4 If you want to immediately assign specific users to this permission set, select their user names in the Users section.
5 If there are any Active Directory groups where you want all users from that group mapped to this permission set, select the server from the Server Name drop-down list and click Add.
6 If you have added any Active Directory servers you want to remove, select them in the Active Directory list box, then click Remove.
7 Click Save to create the permission set.
At this point, you have created the permission set but have not yet assigned permissions to it.
Modifying an existing permission set
The permissions granted within a specific permission set can be modified at any time.
The need to modify a permission set can arise immediately after creating it, or from requirements that change over time.
Task
For option definitions, click ? in the interface.
1 Select a permission set by clicking Menu | User Management | Permission Sets, then select the permission set to modify. If you have just created a new permission set, the newly created permission set is already selected for you.
2 Select a category of permissions to modify by clicking Edit in that category's row. The options appropriate to the selected permissions category appear.
3 Change the permissions as desired, then click Save. This commits the changes to the permission set into the database.
There is no need to click a Save button when you have completed modifying the permission set. The changes are saved for you when modifying each individual category. The changes you make are immediately reflected in the system, and will be propagated to the remainder of your network according to your policy configuration.
Duplicating a permission set
Occasionally, the easiest way to create a new permission set is to duplicate an existing one similar to what you want.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets and then select a permission set to duplicate from the Permission Sets list.
2 Click Actions | Duplicate.
3 Choose a new name for the duplicate. By default, ePolicy Orchestrator appends (copy) to the existing name. ePolicy Orchestrator will not allow you to use a name that already exists. Each permission set name must be unique.
4 Click OK.
The permission set is duplicated, but the original is still selected in the Permission Sets list.
Exporting permission sets
Once you have fully defined your permission sets, the fastest way to migrate them to other ePolicy Orchestrator servers is to export them and import them onto other servers.
Permission sets cannot be exported individually. You can only export the entire list of permission sets at one time.
Task
For option definitions, click ? in the interface.
1 Select Menu | User Management | Permission Sets.
2 Select the permission set(s) you want to export.
3 Click Permission Sets Actions | Export All.
The McAfee ePO server sends an XML file to your browser. What happens next depends on your browser settings. By default, most browsers ask you to save the file.
The XML file only contains roles with some level of permission defined. If, for example, a particular permission set has no permissions for queries and reports, no entry will appear in the file.
Importing permission sets
Permission sets can take some time to configure, so exporting and importing them is a quick way to move this configuration from one ePolicy Orchestrator server to another.
Task
For option definitions, click ? in the interface.
1 Select Menu | User Management | Permission Sets.
2 Click Permission Sets Actions | Import.
3 Click Browse to navigate to and select the XML file containing the permission set you want to import.
4 Choose whether you want to keep permission sets with the same name as an imported permission set or not by selecting the appropriate option. Click OK.
If ePolicy Orchestrator cannot locate a valid permission set within the indicated file, an error message is displayed and the import process is aborted.
The permission sets are added to the server and displayed in the Permission Sets list.
Removing a permission set
Permission sets can be deleted when they are no longer required.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets, then select a permission set to delete.
2 Click Actions | Delete, then click OK in the verification dialog box.
The permission set is deleted from the system, and any objects or users that had that permission set applied to them will no longer have the access the permission set granted unless granted otherwise.
Deleting permission sets
Use this task to delete a permission set. Only global administrators can delete permission sets.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets, then select the permission set you want to delete in the Permission Sets list. Its details appear to the right.
2 Click Actions | Delete, then click OK in the Action pane. The permission set no longer appears in the Permission Sets list.
7 Configuring advanced server settings
Advanced server settings enable and control the behavior of your server's advanced features. These features allow, and often require, configuration and tuning of multiple server settings to operate correctly in your managed environment.
Contents
• Configuring Active Directory user login
• Authenticating with certificates
• Configuring Rogue System Detection server settings
• Managing security keys
• Configuring source and fallback sites
Configuring Active Directory user login
When you have many users accessing your ePolicy Orchestrator server, managing user accounts manually can be overwhelming. You can reduce the overhead of managing user accounts and access by configuring Active Directory user login.
Contents
• Managing ePolicy Orchestrator users with Active Directory
• Configuring Windows authentication and authorization
Managing ePolicy Orchestrator users with Active Directory
ePolicy Orchestrator offers the ability to dynamically create McAfee ePO users and assign permission sets to them by automatically creating users based on Windows authenticated user credentials.
This process is accomplished by mapping McAfee ePO permission sets to Active Directory groups in your environment. This feature can reduce the management overhead when you have a large number of McAfee ePO users in your organization. To complete the configuration, you must work through the following process:
1 Configure user authentication.
2 Register LDAP servers.
3 Assign permission sets to the Active Directory group.
User authentication
ePolicy Orchestrator users can be authenticated with McAfee ePO password authentication or Windows authentication. If you use Windows authentication, you can specify whether users authenticate:
• Against the domain that your McAfee ePO server is joined to (default).
• Against a list of one or more domain controllers.
• Against a list of one or more DNS-style domain names.
• Using a WINS server to look up the appropriate domain controller.
If you use domain controllers, DNS-style domain names, or a WINS server, you must configure the Windows authentication server setting.
Registered LDAP servers
It is necessary to register LDAP servers with your McAfee ePO server to permit dynamically assigned permission sets for Windows users. Dynamically assigned permission sets are permission sets assigned to users based on their Active Directory group memberships.
Users trusted via one-way external trusts are not supported.
The user account used to register the LDAP server with ePolicy Orchestrator must be trusted via a bi-directional transitive trust, or must physically exist on the domain where the LDAP server belongs.
Windows authorization
The server setting for Windows authorization specifies which Active Directory (AD) server ePolicy Orchestrator uses to gather user and group information for a particular domain. You can specify multiple domain controllers and AD servers. This server setting supports the ability to dynamically assign permission sets to users that supply Windows credentials at login.
ePolicy Orchestrator can dynamically assign permission sets to Windows-authenticated users even if Active Directory User Login is not enabled.
Assign permissions
You must assign at least one permission set to an AD group other than a user's Primary Group. Dynamically assigning permission sets to a user's Primary Group is not supported, and results in application of only those permissions manually assigned to the individual user. The default Primary Group is "Domain Users."
Active Directory User Login
When you have configured the previously discussed sections, you can enable the User autocreation server setting. User autocreation allows user records to be automatically created when the following conditions are met:
• Users provide valid credentials, using the <domain\name> format. For example, a user with Windows credentials jsmith1, who is a member of the Windows domain named eng, would supply the following credentials: eng\jsmith1, along with the appropriate password.
• An Active Directory server that contains information about this user has been registered with ePolicy Orchestrator.
• The user is a member of at least one Domain Local or Domain Global group that maps to a McAfee ePO permission set.
Windows authentication and authorization strategies
There are a variety of approaches you can take when planning how to register your LDAP servers. Taking the time in advance to plan your server registration strategy will help you get it right the first time and reduce user authentication problems.
Ideally, this is a process you go through once, and only change if your overall network topology changes. Once servers are registered and Windows authentication configured, you shouldn't need to modify these settings very often.
Authentication versus authorization
Authentication involves verifying the user's identity. This is the process of matching the credentials supplied by the user to something the system trusts as authentic. This could be an ePolicy Orchestrator server account, Active Directory credentials, or a certificate. If you want to use Windows authentication, you will need to examine how the domains (or servers) containing your user accounts are organized.
Authorization happens after the user's credentials have been verified. This is where permission sets are applied, determining what the user can do within the system. When using Windows authentication, you can determine what users from different domains should be authorized to do. This is done by attaching permission sets to groups contained within these domains.
User account network topology
How much effort will be required to fully configure Windows authentication and authorization depends on your network topology, and the distribution of user accounts across your network.
• If the credentials for your prospective users are all contained in a small set of domains (or servers) contained within a single domain tree, merely register the root of that tree, and you're done.
• If your user accounts are more spread out, you will need to register a number of servers or domains. Determine the minimum number of domain (or server) sub-trees you will need and register the roots of those trees. Try to register them in the order they'll be most used. As the authentication process goes down the list of domains (or servers) in the order they're listed, putting the most commonly used domains at the top of the list will improve average authentication performance.
Permission structure
For users to be able to log on to an ePolicy Orchestrator server using Windows authentication, a permission set must be attached to the Active Directory group their account belongs to on their domain. When determining how permission sets should be assigned, keep in mind the following capabilities:
• Permission sets can be assigned to multiple Active Directory groups.
• Permission sets can be dynamically assigned only to an entire Active Directory group. They cannot be assigned to just some users within a group.
If you need to assign special permissions to an individual user, you can do so by creating an Active Directory group that contains only that user.
Configuring Windows authentication and authorization
Use these tasks to set up Active Directory User Login.
Tasks
• Enabling Windows authentication in ePO Server on page 56: Before more advanced Windows authentication can be used, the server must be prepared.
• Configuring Windows authentication on page 56: There are multiple ways to allow users to use existing Windows account credentials within ePolicy Orchestrator.
• Configuring Windows authorization on page 57: Users attempting to log on to an ePolicy Orchestrator server using Windows authentication need a permission set assigned to one of their Active Directory groups to log on successfully.
Enabling Windows authentication in ePO Server
Before more advanced Windows authentication can be used, the server must be prepared.
To activate the Windows Authentication page in the server settings, you must first stop the ePolicy Orchestrator service. This task must be performed on the McAfee ePO server itself.
Task
For option definitions, click ? in the interface.
1 From the server console, select Start | Settings | Control Panel | Administrative Tools.
2 Select Services.
3 In the Services window, right-click McAfee ePolicy Orchestrator Applications Server and select Stop.
4 Rename Winauth.dll to Winauth.bak. In a default installation, this file is found in C:\Program Files\McAfee\ePolicy Orchestrator\Server\bin.
5 Restart the server.
When you next open the Server Settings page, a Windows Authentication option appears.
Configuring Windows authentication
There are multiple ways to allow users to use existing Windows account credentials within ePolicy Orchestrator.
Before you begin
You must have first prepared your server for Windows authentication. See Enabling Windows authentication in ePO server.
How you configure these settings depends on several issues:
• Do you want to use multiple domain controllers?
• Do you have users spread across multiple domains?
• Do you want to use a WINS server to look up which domain your users are authenticating against?
Without any special configuration, users can authenticate using Windows credentials for the domain that the McAfee ePO server is joined to, or any domain that has a two-way trust relationship with the McAfee ePO server's domain. If you have users in domains that don't meet those criteria, you must configure Windows authentication.
For option definitions, click ? in the interface.
Task
1 Click Menu | Configuration | Server Settings, then select Windows Authentication from the Settings Categories list.
2 Click Edit.
3 Specify whether you want to use one or more Domains, one or more Domain controllers, or a WINS server. Domains must be provided in DNS format (e.g. internaldomain.com). Domain controllers and WINS servers must have fully-qualified domain names (e.g. dc.internaldomain.com).
You can specify multiple domains or domain controllers, but only one WINS server. Click + to add additional domains or domain controllers to the list.
4 Click Save when you are finished adding servers.
If you specify domains or domain controllers, the McAfee ePO server will attempt to authenticate users with servers in the order they are listed. It starts at the first server in the list and continues down the list until the user authenticates successfully.
Configuring Windows authorization
Users attempting to log on to an ePolicy Orchestrator server using Windows authentication need a permission set assigned to one of their Active Directory groups to log on successfully.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets.
2 Either choose an existing permission set from the Permission Sets list and click Edit in the Name and users section, or click Actions | New.
3 Select any individual users the permission set should apply to.
4 Select a Server name from the list and click Add.
5 In the LDAP browser, navigate through the groups and select the groups to which this permission set should apply. Selecting an item in the Browse pane displays the members of that item in the Groups pane. You can select any number of those groups to receive the permission set dynamically. Only members from one item at a time may be added. If you need to add more, repeat steps 4 and 5 until you are finished.
6 Click Save.
The permission set will now be applied to all users from the groups you specified logging on to the server using Windows authentication.
Authenticating with certificates
Client-side certificate authentication allows a client to use a digital certificate as their authentication credentials when logging on to an ePolicy Orchestrator server.
This chapter details how and when certificate authentication should be used.
Contents
• When to use certificate authentication
• Configuring ePolicy Orchestrator for certificate authentication
• Uploading server certificates
• Removing server certificates
• Configuring users for certificate authentication
• Problems with certificate authentication
When to use certificate authentication
Certificate authentication is the most secure method available. However, it is not the best choice for all environments.
Certificate authentication is an extension of public-key authentication. It uses public keys as a basis, but differs from public-key authentication in that you only need to trust a third party known as a certification authority (or CA). Certificates are digital documents containing a combination of identity information and public keys, and are digitally signed by the CA, which verifies that the information is accurate.
Advantages of certificate-based authentication
Certificate-based authentication has a number of advantages over password authentication:
• Certificates have predefined lifetimes. This allows for a forced, periodic review of a user's permissions when their certificate expires.
• If a user's access must be suspended or terminated, the certificate can be added to a certificate revocation list, or CRL, which is checked on each logon attempt to prevent unauthorized access.
• Certificate authentication is more manageable and scalable in large institutions than other forms of authentication because only a small number of CAs (frequently only one) must be trusted.
Disadvantages of certificate-based authentication
Not every environment is best for certificate-based authentication. Disadvantages of this method include:
• A public-key infrastructure is required. This adds cost that in some cases may not be worth the additional security.
• Maintaining certificates requires more overhead than password-based authentication.
Configuring ePolicy Orchestrator for certificate authentication
Before users can log on with certificate authentication, ePolicy Orchestrator must be configured properly.
Before you begin
You must have already received a signed certificate in P7B, PKCS12, DER, or PEM format.
Task
1 Click Menu | Configuration | Server Settings.
2 Select Certificate Based Authentication and click Edit.
3 Click Browse next to CA certificate for client certificate (P7B, PEM).
4 Navigate to and select the certificate file, then click OK.
5 If you have a Certificate Revoked List (CRL) file, click Browse next to this edit box, navigate to the CRL file, and click OK.
6 Click Save to save all changes.
7 Restart ePolicy Orchestrator to activate certificate authentication.
Uploading server certificates
Servers require certificates for SSL connections, which provide more security than standard HTTP sessions.
Before you begin
To upload a signed certificate, you must have already received a server certificate from a Certificate Authority (CA).
It is possible to create self-signed certificates instead of using externally signed ones, though this carries slightly higher risk. This task can be used to initially configure certificate-based authentication, or modify an existing configuration with an updated certificate.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings.
2 Select Certificate Based Authentication and click Edit.
3 Select Enable Certificate Based Authentication.
4 Click Browse next to CA certificate for client certificate (PKCS7, PEM encoded, DER encoded, or PKCS12 file with extension like .cer, .crt, .pem, .der, .p12, .p7b). Navigate to and select the certificate file and click OK.
5 If you have provided a PKCS12 certificate file, enter a password and alias name as appropriate.
6 If you want to provide a Certificate Revoked List (CRL) file, click Browse next to Certificate Revoked List file (PEM). Navigate to and select the CRL file and click OK.
The CRL file must be in PEM format.
7 Click Save to save all changes.
8 Restart the server to enable the Certificate Based Authentication settings changes.
Removing server certificates
Server certificates can and should be removed if they are no longer used.
Before you begin
The server must already be configured for certificate authentication before you can remove server certificates.
To remove the server certificate, you must disable certificate based authentication. Once a server certificate is uploaded it can only be changed, not removed.
Task
For option definitions, click ? in the interface.
1 Open the Server Settings page by selecting Menu | Configuration | Server Settings.
2 Select Certificate Based Authentication and click Edit.
3 Deselect Enable Certificate Based Authentication, then click Save.
The server settings have been changed, but you must restart the server in order to complete the configuration change.
Configuring users for certificate authentication
Users must have certificate authentication configured before they can authenticate with their digital certificate.
Certificates used for user authentication are typically acquired with a smart card or similar device. Software bundled with the smart card hardware can extract the certificate file. This extracted certificate file is usually the file uploaded in this procedure.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Users.
2 Select a user and click Actions | Edit.
3 Select Change authentication or credentials, then select Certificate Based Authentication.
4 Use one of these methods to provide credentials:
• Copy the DN field from the certificate file and paste it into the Personal Certificate Subject DN Field edit box.
• Upload a certificate file. Click Browse, navigate to and select the certificate file on your computer, and click OK.
User certificates can be PEM- or DER-encoded. The actual certificate format does not matter as long as the format is X.509 or PKCS12 compliant.
5 Click Save to save changes to the user's configuration.
The certificate information provided is verified, and a warning is issued if found invalid. From this point on, when the user attempts to log on to ePolicy Orchestrator from a browser that has the user's certificate installed, the log on form is greyed out and the user is immediately authenticated.
Problems with certificate authentication
Most authentication problems using certificates are caused by one of a small number of problems.
If a user cannot log on to ePolicy Orchestrator with their certificate, try one of the following options to resolve the problem:
• Verify the user has not been disabled.
• Verify the certificate has not expired or been revoked.
• Verify the certificate is signed with the correct certificate authority.
• Verify the DN field is correct on the user configuration page.
• Verify the browser is providing the correct certificate.
• Check the audit log for authentication messages.
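The checks in this list carried out in code, as an added example that is not McAfee's code and not part of the product: a constructed throwaway PKI (a private CA, a client certificate for a hypothetical user jsmith1 with serial 1001, and a CA-signed CRL) and a check function that verifies the chain to the configured CA, the validity period, the client-authentication usage and CRL membership, returning the subject DN in the form that goes into the Personal Certificate Subject DN field. All names, serials and lifetimes are assumptions, and the code assumes Go 1.19 or later for crypto/x509's CRL parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewFixture builds a constructed test PKI (not material from any real ePO server): a
// private CA, one client certificate it issued (serial 1001) and a CRL it signed that
// revokes revokedSerial. The CA is returned parsed, the other two as PEM.
func NewFixture(revokedSerial int64, now time.Time) (ca *x509.Certificate, clientPEM, crlPEM []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: this CA also issues the CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err = x509.ParseCertificate(caDER) // the parsed copy carries the generated SubjectKeyId
	must(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	clientTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		// Hypothetical user; this DN is what goes into the Personal Certificate Subject DN field.
		Subject:   pkix.Name{CommonName: "jsmith1", OrganizationalUnit: []string{"eng"}, Organization: []string{"Example Corp"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTpl, ca, &clientKey.PublicKey, caKey)
	must(err)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	must(err)
	return ca, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientDER}),
		pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER})
}

// CheckClientCert applies the troubleshooting checks to a PEM client certificate: chain
// to the configured CA, validity period, client-auth usage and CRL membership (the CRL
// must itself be signed by that CA). On success it returns the subject DN in RFC 2253 form.
func CheckClientCert(certPEM []byte, ca *x509.Certificate, crlPEM []byte, now time.Time) (string, error) {
	b, _ := pem.Decode(certPEM)
	if b == nil || b.Type != "CERTIFICATE" {
		return "", errors.New("client cert: not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(b.Bytes)
	if err != nil {
		return "", fmt.Errorf("client cert: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain or validity: %w", err) // expired, not yet valid, or not signed by this CA
	}
	if len(crlPEM) > 0 {
		cb, _ := pem.Decode(crlPEM)
		if cb == nil || cb.Type != "X509 CRL" {
			return "", errors.New("CRL: not a PEM X509 CRL block")
		}
		crl, err := x509.ParseRevocationList(cb.Bytes)
		if err != nil {
			return "", fmt.Errorf("CRL: %w", err)
		}
		if err := crl.CheckSignatureFrom(ca); err != nil {
			return "", fmt.Errorf("CRL not signed by the configured CA: %w", err)
		}
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return "", fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
			}
		}
	}
	return cert.Subject.String(), nil
}

func main() { // stand-alone demo: the CRL revokes the client's own serial, so the check must fail
	ca, client, crl := NewFixture(1001, time.Now())
	fmt.Println(CheckClientCert(client, ca, crl, time.Now()))
}
```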
Configuring Rogue System Detection server settings
Rogue System Detection server settings determine how information about subnets and detected systems is displayed in the Detected Systems page within your ePolicy Orchestrator console.
Configuring server settings for Rogue System Detection
These server settings allow you to customize Rogue System Detection to meet the specific needs of your organization.
These settings control important behavior, including:
• Whether a detected system is compliant (based on last agent communication).
• The categories for system exceptions (systems that don't need an agent).
• How detected system interfaces are matched.
• The list of OUIs used to identify vendor specific NICs used by systems connecting to your network.
• How your Rogue System Sensors are configured.
Use these tasks to configure server settings for Rogue System Detection.
Tasks
• Editing Detected System Compliance on page 61: Use this task to edit the Detected System Compliance settings. These settings are user-configured and have two important functions.
• Editing Detected System Exception Categories on page 62
• Editing Detected Systems Matching on page 62: Use this task to edit the matching settings for Rogue System Detection. Matching settings are user-configured and have several important functions.
• Editing Detected System OUIs on page 63: Use this task to edit the settings that specify the method and location used to update Detected System OUIs (Organizationally Unique Identifiers). Rogue System Detection uses OUIs to provide details about the systems on your network.
• Editing Rogue System Sensor settings on page 63: Use this task to edit the sensor settings for Rogue System Detection. Sensor settings are user-configured.
Editing Detected System Compliance
Use this task to edit the Detected System Compliance settings. These settings are user-configured and have two important functions:
• They specify the time-frame that determines the state of detected systems (Managed, Rogue, Exception, Inactive).
• They control the visual feedback of the Rogue System Detection status monitors on the Detected Systems page.
For option definitions, click ? in the interface.
Task
1 Click Menu | Configuration | Server Settings, then in the Settings Categories list, click Detected System Compliance.
2 In the details pane, click Edit.
3 Edit the number of days to categorize Detected Systems as Managed or Inactive.
The number of days in Rogue | Has Agent in McAfee ePO Database, but is older than __ days is controlled by the number of days set in the Managed field.
4 Edit the percentage levels for these options, so that the color codes represent your requirements:
Covered Subnets — Required coverage.
Compliant Systems — Required compliance status.
Sensor Health — Ratio of active to missing sensors.
5 ePO Servers — Configure additional McAfee ePO servers whose detected systems should not be considered rogue systems.
6 Click Save.
Editing Detected System Exception Categories
Use this task to configure and edit the categories used to manage exception systems in your network. Exceptions are systems that you know are unmanaged (they don't have a McAfee Agent on them).
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, then from the Settings Categories list, select Detected System Exception Categories and click Edit.
2 Add or subtract exception categories using + and -.
Use the Delete and Change links to modify existing exception categories.
3 Specify a name and description for each exception category. For example, you might want to create a category named "Printers-US-NW" to contain all the printers on your network in your company's Northwest regional offices. This way you can keep track of these systems without receiving reports about them being rogue.
4 Click Save.
Editing Detected Systems Matching
Use this task to edit the matching settings for Rogue System Detection. Matching settings are user-configured and have these important functions:
• They define the properties that determine how newly detected interfaces are matched with existing systems.
• They specify static IP ranges for matching.
• They specify which ports to check for a McAfee Agent.
For option definitions, click ? in the interface.
Task
1 Click Menu | Configuration | Server Settings, then in the Settings Categories list select Detected System Matching and click Edit.
2 Use the Matching Detected Systems table to define the properties that determine when to match detected systems.
3 Use the Matching Managed Systems table to define the properties that determine when a newly detected interface belongs to an existing managed system.
4 In Static IP Ranges for Matching, type the static IP ranges to use when matching on static IP addresses.
5 In Alternative McAfee Agent Ports, specify any alternate ports you want to use when querying detected systems to check for a McAfee Agent.
6 Click Save.
Editing Detected System OUIs
Use this task to edit the settings that specify the method and location used to update Detected System OUIs (Organizationally Unique Identifiers). Rogue System Detection uses OUIs to provide details about the systems on your network.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, then from the Settings Categories list, select Detected System OUIs and click Edit.
2 Choose one of the following options to specify where to update your list of OUIs:
URL — Specifies the location of an OUI.txt file to be read. The McAfee ePO server must have access to this location in order to pull the file directly from the path specified in the URL.
Server location — Specifies a location on this McAfee ePO server where the OUI.txt file is located.
File upload — Type or browse to an OUI.txt file to upload to this McAfee ePO server for processing, then click Update.
Editing Rogue System Sensor settings
Use this task to edit the sensor settings for Rogue System Detection. Sensor settings are user-configured and specify:
• The amount of time sensors are active.
• The maximum number of sensors active in each subnet.
• How long the server waits to hear from a sensor before categorizing it as missing.
For option definitions, click ? in the interface.
Task
1 Click Menu | Configuration | Server Settings, then in the Settings Categories list, select Rogue System Sensor and click Edit.
2 Edit the Sensor Timeout field to set the maximum amount of time the server waits for a sensor to call in before marking it as missing.
3 Edit the Sensors per Subnet field to set the maximum number of sensors active in each subnet, or select All sensors active.
4 Add a list of Sensor Scanning MAC addresses and OUIs that the sensors should not actively probe, regardless of the configured policy.
5 Edit the Active Period time field to set the maximum amount of time that passes before the server tells a sensor to sleep, to allow a new sensor to become active.
The Active Period setting does not set the communication times for the active and inactive sensors. Communication time is configured using communication policy settings for Rogue System Detection.
6 Click Save.
Managing security keys
Security keys are used to verify and authenticate communications and content within your ePolicy Orchestrator managed environment.
Contents
• Security keys and how they work
• Master repository key pair
• Agent-server secure communication (ASSC) keys
• Backing up and restoring keys
Security keys and how they work
The ePolicy Orchestrator server relies on three security key pairs.
The three security pairs are used to:
• Authenticate agent-server communication.
• Verify the contents of local repositories.
• Verify the contents of remote repositories.
Each pair's secret key signs messages or packages at their source, while the pair's public key verifies the messages or packages at their target.
Agent-server secure communication (ASSC) keys
• The first time the agent communicates with the server, it sends its public key to the server.
• From then on, the server uses the agent public key to verify messages signed with the agent's secret key.
• The server uses its own secret key to sign its message to the agent.
• The agent uses the server's public key to verify the server's message.
• You can have multiple secure communication key pairs, but only one can be designated as the master key.
• When the client agent key updater task runs (McAfee ePO Agent Key Updater), agents using different public keys receive the current public key.
• If you are upgrading from ePolicy Orchestrator 4.0, the master key is unchanged. Whether you upgrade from version 4.0 or 4.5, the existing keys are migrated to your McAfee ePO 4.6 server.
Local master repository key pairs
• The repository secret key signs the package before it is checked in to the repository.
• The repository public key verifies the contents of packages in the master repository and distributed repository.
• The agent retrieves available new content each time the client update task runs.
• This key pair is unique to each server.
• By exporting and importing keys among servers, you can use the same key pair in a multi-server environment.
Other repository key pairs
• The secret key of a trusted source signs its content when posting that content to its remote repository. Trusted sources include the McAfee download site and the McAfee Security Innovation Alliance (SIA) repository.
If this key is deleted, you cannot perform a pull, even if you import a key from another server. Before you overwrite or delete this key, make sure to back it up in a secure location.
• The agent public key verifies content that is retrieved from the remote repository.
Master repository key pair
The master repository private key signs all unsigned content in the master repository. This key is a feature of agents 4.0 and later.
Agents 4.0 and later use the public key to verify the repository content that originates from the master repository on this McAfee ePO server. If the content is unsigned, or signed with an unknown repository private key, the downloaded content is considered invalid and deleted.
This key pair is unique to each server installation. However, by exporting and importing keys, you can use the same key pair in a multi-server environment. This is a fallback measure that can help to ensure that agents can always connect to one of your master repositories, even when another repository is down.
Other repository public keys
Keys other than the master key pair are the public keys that agents use to verify content from other master repositories in your environment or from McAfee source sites. Each agent reporting to this server uses the keys in the Other repository public keys list to verify content that originates from other McAfee ePO servers in your organization, or from McAfee-owned sources.
If an agent downloads content that originated from a source where the agent does not have the appropriate public key, the agent discards the content.
These keys are a new feature, and only agents 4.0 and later are able to use the new protocols.
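The following Python is an added example, not part of this guide or of the ePolicy Orchestrator code. It models the decision an agent makes when it downloads repository content: find the key that signed the package in its own list (the master repository key of its server plus the Other repository public keys), and discard the content if it is unsigned, signed with a key the agent does not hold, or altered after signing. Signatures are modelled with HMAC-SHA256 under a per-key secret as a stand-in for the product's public-key signature, so here signer and verifier share the same secret, which a real deployment does not; the server names, secrets and package bytes are constructed. The same model also covers the multi-server case described under Using master repository keys in multi-server environments: importing the other server's key is what turns a rejected download into an accepted one.

```python
"""Model of how an agent decides whether repository content is trusted.

Added example, not ePolicy Orchestrator code. HMAC-SHA256 under a per-key
secret stands in for the product's public-key signature; the trust logic
(look up the signing key, reject unsigned or unknown-key content) is the point.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RepositoryKey:
    """One master repository key pair; key_id stands in for the public key."""
    name: str
    secret: bytes  # stand-in for the private key (constructed, not real key material)

    @property
    def key_id(self) -> str:
        return hashlib.sha256(self.secret).hexdigest()[:16]


def sign_package(key: RepositoryKey, content: bytes) -> dict:
    """Server side: sign content as it is checked in to the master repository."""
    mac = hmac.new(key.secret, content, hashlib.sha256).hexdigest()
    return {"key_id": key.key_id, "mac": mac}


@dataclass
class Agent:
    """Agent holding its own server's master repository key plus imported other keys."""
    master_key: RepositoryKey
    other_repository_keys: list = field(default_factory=list)

    def trusted_keys(self) -> dict:
        return {k.key_id: k for k in [self.master_key, *self.other_repository_keys]}

    def verify_download(self, content: bytes, signature: Optional[dict]) -> tuple:
        """Return (accepted, reason). Rejected content is what the agent deletes."""
        if signature is None:
            return False, "unsigned content: deleted"
        key = self.trusted_keys().get(signature["key_id"])
        if key is None:
            return False, "signed with unknown repository key: deleted"
        expected = hmac.new(key.secret, content, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature["mac"]):
            return False, "signature does not match content: deleted"
        return True, f"verified with key '{key.name}'"


def run_scenarios() -> dict:
    """Walk through the situations the guide describes; return accepted/rejected per case."""
    # Constructed key material for two McAfee ePO servers.
    epo_a = RepositoryKey("epo-a master repository key", b"constructed-secret-for-server-A")
    epo_b = RepositoryKey("epo-b master repository key", b"constructed-secret-for-server-B")
    dat_package = b"constructed DAT package bytes"

    agent = Agent(master_key=epo_a)  # agent managed by server A
    results = {}

    # 1. Content from the agent's own master repository: accepted.
    results["own_server"] = agent.verify_download(dat_package, sign_package(epo_a, dat_package))[0]

    # 2. Content that originated on server B, whose key the agent does not hold: rejected.
    sig_b = sign_package(epo_b, dat_package)
    results["other_server_before_import"] = agent.verify_download(dat_package, sig_b)[0]

    # 3. Server A's administrator imported B's public key (Other repository public keys)
    #    and the agent picked it up at its next update: now accepted.
    agent.other_repository_keys.append(epo_b)
    results["other_server_after_import"] = agent.verify_download(dat_package, sig_b)[0]

    # 4. Unsigned content, and content altered after signing, are both discarded.
    results["unsigned"] = agent.verify_download(dat_package, None)[0]
    results["tampered"] = agent.verify_download(dat_package + b"!", sig_b)[0]
    return results


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:28s} {'accepted' if accepted else 'rejected'}")
```

Run it directly to see the five outcomes. The practical lesson is case 2 against case 3: an agent that can reach a second server's repository (for example through a shared distributed repository) silently deletes everything from it until that server's public key is on the agent, which is why the multi-server procedures below exist.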
Working with repository keys
Use these tasks to work with and manage repository keys.
Tasks
Using one master repository key pair for all servers on page 66 Use this task to ensure that all McAfee ePO servers and agents use the same master repository key pair in a multi-server environment.
Using master repository keys in multi-server environments on page 66 Use this task to ensure that agents can use content originating from any McAfee ePO server in your environment.
Using one master repository key pair for all servers
Use this task to ensure that all McAfee ePO servers and agents use the same master repository key pair in a multi-server environment.
This consists of first exporting the key pair you want all servers to use, then importing the key pair into all other servers in your environment.
Task
For option definitions, click ? in the interface.
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
Next to Local master repository key pair, click Export Key Pair. The Export Master Repository Key Pair dialog box appears.
3
Click OK. The File Download dialog box appears.
4
Click Save, browse to a location that the other servers can reach, where you want to save the zip file containing the master repository key pair, then click Save. The zip file contains the private key: restrict access to it, and remove it from the shared location once the other servers have imported it.
5
Next to Import and back up keys, click Import . The Import Keys wizard opens.
6
Browse to the zip file containing the exported master repository key files, then click Next.
7
Verify that these are the keys you want to import, then click Save.
The imported master repository key pair replaces the existing key pair on this server. Agents begin using the new key pair after the next agent update task runs; once the master repository key pair has changed, an agent-server secure communication (ASSC) must take place before the agent can use the new key.
Using master repository keys in multi-server environments
Use this task to ensure that agents can use content originating from any McAfee ePO server in your environment.
The server signs all unsigned content that is checked in to the repository with the master repository private key. Agents use repository public keys to validate content that is retrieved from repositories in your organization or from McAfee source sites.
The master repository key pair is unique for each installation of ePolicy Orchestrator. If you use multiple servers, each uses a different key. If your agents can download content that originates from different master repositories, you must ensure that agents recognize the content as valid.
You can ensure this in two ways:
• Use the same master repository key pair for all servers and agents.
• Ensure agents are configured to recognize any repository public key that is used in your environment.
The following process exports the key pair from one McAfee ePO server to a target McAfee ePO server, then, at the target McAfee ePO server, imports and overwrites the existing key pair.
For option definitions, click ? in the interface.
Task
1
On the McAfee ePO server with the master repository key pair, click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
Next to Local master repository key pair, click Export Key Pair. The Export Master Repository Key Pair dialog box appears.
3
Click OK. The File Download dialog box appears.
4
Click Save, then browse to a location on the target McAfee ePO server to save the zip file.
5
Change the name of the file if needed, then click Save.
6
On the target McAfee ePO server where you want to load the master repository key pair, click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit. The Edit Security Keys page appears.
7
Next to Import and back up keys, click Import. The Import Keys dialog box appears.
8
Next to Select file, browse to and select the master key pair file you saved, then click Next. The summary dialog box appears.
9
If the summary information appears correct, click Save. The imported key pair replaces the existing local master repository key pair on the target server.
10
Click Save on the Edit Security Keys page to complete the process. Agents managed by the target server begin using the new key pair after their next agent update task runs.
Agent-server secure communication (ASSC) keys
Agent-server secure communication (ASSC) keys are used by the agents to communicate securely with the server.
You can make any ASSC key pair the master, which is the key pair currently assigned to all deployed agents. Existing agents that use other keys in the Agent-server secure communication keys list do not change to the new master key unless there is a client agent key updater task scheduled and run.
Be sure to wait until all agents have updated to the new master before deleting older keys.
Windows agents older than version 3.6 are not supported.
Working with ASSC keys
Use these tasks to work with and manage ASSC keys in your environment.
Tasks
Deleting agent-server secure communication (ASSC) keys on page 68 Use this task to delete unused keys in the Agent-server secure communication keys list. Make sure that the selected key is not being used by any agent that is managed by this McAfee ePO server.
Exporting ASSC keys on page 68 Use this task to export agent-server secure communication keys from one McAfee ePO server to a different McAfee ePO server, to allow agents to access that new McAfee ePO server.
Importing ASSC keys on page 69 Use this task to import agent-server secure communication keys that were exported from a different McAfee ePO server. This procedure allows agents from that server to access this McAfee ePO server.
Generating and using new ASSC key pairs on page 69 Use this task to generate new agent-server secure communication key pairs.
Designating an ASSC key pair as the master on page 70 Use this task to change which key pair, listed in the Agent-server secure communication keys list, is specified as the master. Do this after importing or generating a new key pair.
Using the same ASSC key pair for all servers and agents on page 70 Follow this process to ensure that all McAfee ePO servers and agents use the same agent-server secure communication (ASSC) key pair.
Using a different ASSC key pair for each McAfee ePO server on page 71 Use this task to ensure that all agents can communicate with the required McAfee ePO servers in an environment where each McAfee ePO server must have a unique agent-server secure communication key pair.
Viewing systems that use an ASSC key pair on page 71 Use this task to view the systems whose agents use a specific agent-server secure communication key pair, which appears in the Agent-server secure communication keys list.
Deleting agent-server secure communication (ASSC) keys
Use this task to delete unused keys in the Agent-server secure communication keys list. Make sure that the selected key is not being used by any agent that is managed by this McAfee ePO server.
Do not delete any keys that are currently in use by any agents. If you do, those agents cannot communicate with the server.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
From the Agent-server secure communication keys list, select the key you want to remove, then click Delete. The Delete Key dialog box appears.
3
Click OK to delete the key pair from this server.
Exporting ASSC keys
Use this task to export agent-server secure communication keys from one McAfee ePO server to a different McAfee ePO server, to allow agents to access that new McAfee ePO server.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
In the Agent-server secure communication keys list, select a key, then click Export. The Export Agent-Server Communication Keys dialog box appears.
3
Click OK. Your browser prompts you to download the sr<ServerName>.zip file to a location you choose.
Depending on the browser you are using, if you have specified a default location for all downloads, the file might be saved there automatically.
Importing ASSC keys
Use this task to import agent-server secure communication keys that were exported from a different McAfee ePO server. This procedure allows agents from that server to access this McAfee ePO server.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
Click Import. The Import Keys page appears.
3
Browse to and select the key from the location where you saved it (by default, on the desktop), then click Open.
4
Click Next and review the information on the Import Keys page.
5
Click Save.
Generating and using new ASSC key pairs
Use this task to generate new agent-server secure communication key pairs.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
Next to the Agent-server secure communication keys list, click New Key. In the dialog box, type the name of the security key.
3
If you want existing agents to use the new key, select the key in the list, then click Make Master. Agents begin using the new key after the next agent update task is complete. If the server manages 4.6 agents, make sure the 4.6 Agent Key Updater package has been checked into the master repository.
In large installations, generating and using new master key pairs should be performed only when you have specific reason to do so. McAfee recommends performing this procedure in phases so you can more closely monitor progress.
4
After all agents have stopped using the old key, delete it. In the list of keys, the number of agents currently using that key is displayed to the right of every key.
5
Back up all keys.
Designating an ASSC key pair as the master
Use this task to change which key pair, listed in the Agent-server secure communication keys list, is specified as the master. Do this after importing or generating a new key pair.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
From the Agent-server secure communication keys list, select a key, then click Make Master.
3
Create an update task for the agents to run immediately, so that agents update after the next agent-server communication.
Ensure that the agent key updater package is checked in to the master repository and has been replicated to all distributed repositories that are managed by ePolicy Orchestrator. Agents begin using the new key pair after the next update task for the agent is complete. At any time, you can see which agents are using any of the agent-server secure communication key pairs in the list.
4
Back up all keys.
Using the same ASSC key pair for all servers and agents
Follow this process to ensure that all McAfee ePO servers and agents use the same agent-server secure communication (ASSC) key pair.
If you have a large number of managed systems in your environment, McAfee recommends performing this process in phases so you can monitor agent updates.
1
Create an agent update task.
2
Export the keys chosen from the selected McAfee ePO server.
3
Import the exported keys to all other servers.
4
Designate the imported key as the master on all servers.
5
Perform two agent wake-up calls.
6
When all agents are using the new keys, delete any unused keys.
7
Back up all keys.
Ensure that the agent key updater package is checked in to the master repository and has been replicated to all distributed repositories that are managed by ePolicy Orchestrator. Agents begin using the new key pair after the next update task for the agent is complete. At any time, you can see which agents are using any of the agent-server secure communication key pairs in the list.
Using a different ASSC key pair for each McAfee ePO server
Use this task to ensure that all agents can communicate with the required McAfee ePO servers in an environment where each McAfee ePO server must have a unique agent-server secure communication key pair.
Agents can communicate with only one server at a time. The McAfee ePO server can have multiple keys to communicate with different agents, but the opposite is not true. Agents cannot have multiple keys to communicate with multiple McAfee ePO servers.
For option definitions, click ? in the interface.
Task
1
From each McAfee ePO server in your environment, export the master agent-server secure communication key pair to a temporary location.
2
Import each of these key pairs into every McAfee ePO server.
Viewing systems that use an ASSC key pair
Use this task to view the systems whose agents use a specific agent-server secure communication key pair, which appears in the Agent-server secure communication keys list.
After making a specific key pair the master, you might want to view the systems that are still using the previous key pair. Do not delete a key pair until you know that no agents are still using it.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
In the Agent-server secure communication keys list, select a key, then click View Agents. The Systems using this key page appears.
This page lists all systems whose agents are using the selected key.
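The following Python is an added example, not part of this guide or of the ePolicy Orchestrator code. It models the Agent-server secure communication keys list and the rules the tasks above rely on: a server can hold several ASSC key pairs but only one master; an agent holds exactly one key pair and moves to the master only when the agent key updater task runs for it; View Agents shows who is still on an old key; a key must not be deleted while any agent uses it; and a key pair exported from one server and imported into another is listed there but is neither master nor in use until you make it master and run the updater. The product itself lets you delete an in-use key (the guide only warns you not to), so the delete guard here is the check you apply by hand. Server, key and system names are constructed.

```python
"""Model of the Agent-server secure communication (ASSC) key list and the
rotation rules described above. Added example, not ePolicy Orchestrator code;
server, key and system names are constructed."""
from dataclasses import dataclass, field


class KeyInUseError(RuntimeError):
    """A key that agents still use, or the master key, must not be deleted."""


@dataclass
class AsscKeystore:
    server: str
    keys: dict = field(default_factory=dict)  # key name -> set of systems using it
    master: str = ""

    def new_key(self, name: str) -> None:
        if name in self.keys:
            raise ValueError(f"key {name!r} already exists on {self.server}")
        self.keys[name] = set()
        self.master = self.master or name  # the first key pair on a server is its master

    def register_agent(self, system: str, key: str) -> None:
        """An agent holds exactly one ASSC key pair at a time."""
        for agents in self.keys.values():
            agents.discard(system)
        self.keys[key].add(system)

    def make_master(self, name: str) -> None:
        """Make Master: agents keep their old key until the key updater runs for them."""
        if name not in self.keys:
            raise KeyError(name)
        self.master = name

    def run_key_updater(self, systems=None) -> list:
        """Agent Key Updater task: agents on other keys switch to the master key.
        Pass a set of systems to roll out in phases. Returns the systems that moved."""
        migrated = []
        for key, agents in self.keys.items():
            if key == self.master:
                continue
            moving = [s for s in sorted(agents) if systems is None or s in systems]
            agents.difference_update(moving)
            migrated.extend(moving)
        self.keys[self.master].update(migrated)
        return migrated

    def view_agents(self, name: str) -> list:
        """View Agents: the systems whose agents still use this key."""
        return sorted(self.keys[name])

    def delete_key(self, name: str) -> None:
        """Delete: the guide says never to delete a key agents still use; this model refuses."""
        if name == self.master:
            raise KeyInUseError(f"{name!r} is the master key on {self.server}")
        if self.keys[name]:
            raise KeyInUseError(f"{name!r} is still used by {self.view_agents(name)}")
        del self.keys[name]

    def export_key(self, name: str) -> dict:
        """Export (the sr<ServerName>.zip file), modelled as a dict."""
        return {"name": name, "exported_from": self.server}

    def import_key(self, exported: dict) -> None:
        """Import on another server: listed, but not master and used by no agent yet."""
        self.keys.setdefault(exported["name"], set())


def rotate_and_share() -> dict:
    """Phased rotation on EPO1, then sharing the new master key pair with EPO2."""
    out = {}
    epo1 = AsscKeystore("EPO1")
    epo1.new_key("sr-EPO1-original")
    for system in ("ws-01", "ws-02", "srv-db-01", "srv-web-01"):
        epo1.register_agent(system, "sr-EPO1-original")

    epo1.new_key("sr-EPO1-2012")        # generate a new key pair and make it master
    epo1.make_master("sr-EPO1-2012")
    out["still_on_old_key"] = epo1.view_agents("sr-EPO1-original")

    out["phase1"] = epo1.run_key_updater({"ws-01", "ws-02"})  # workstations first
    try:
        epo1.delete_key("sr-EPO1-original")   # too early: the servers still use it
        out["early_delete_refused"] = False
    except KeyInUseError:
        out["early_delete_refused"] = True

    out["phase2"] = epo1.run_key_updater()   # everyone else
    epo1.delete_key("sr-EPO1-original")      # now safe
    out["epo1_keys"] = sorted(epo1.keys)

    epo2 = AsscKeystore("EPO2")              # second server with its own key pair
    epo2.new_key("sr-EPO2-original")
    epo2.register_agent("ws-50", "sr-EPO2-original")
    epo2.import_key(epo1.export_key(epo1.master))
    out["epo2_master_after_import"] = epo2.master   # import alone changes nothing
    epo2.make_master("sr-EPO1-2012")
    out["epo2_moved"] = epo2.run_key_updater()
    return out
```

Call rotate_and_share() to step through the sequence. The two checkpoints worth noting are early_delete_refused, which is the situation View Agents exists to catch, and epo2_master_after_import, which shows that importing a key pair is only the first of the three steps (import, Make Master, key updater) before a second server's agents actually use it.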
Backing up and restoring keys
Use these tasks to back up and restore security keys.
Tasks
Backing up all security keys on page 72 McAfee recommends periodically backing up all security keys, and always creating a backup before making any changes to the key management settings.
Restoring security keys on page 72 McAfee recommends periodically backing up all security keys. In the unexpected event any security keys are lost from the McAfee ePO server, you can restore them from the backup that you have stored in a secure network location.
Restoring security keys from a backup file on page 73 Use this task to restore all security keys from a backup file.
Backing up all security keys
McAfee recommends periodically backing up all security keys, and always creating a backup before making any changes to the key management settings.
Store the backup in a secure network location, so that the keys can be restored easily in the unexpected event any are lost from the McAfee ePO server.
Use this task to back up all security keys that are currently managed on this McAfee ePO server.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
Click Back Up All near the bottom of the page. The Backup Keystore dialog box appears.
3
Enter a password to encrypt the keystore zip file, then click OK. The password is optional, but if you click OK without one, the keys, including the private keys, are written to the zip file unencrypted, so set a password unless you have another way to protect the file.
4
From the File Download dialog box, click Save to create a zip file of all security keys. The Save As dialog box appears.
5
Browse to a secure network location to store the zip file, then click Save.
Restoring security keys
McAfee recommends periodically backing up all security keys. In the unexpected event any security keys are lost from the McAfee ePO server, you can restore them from the backup that you have stored in a secure network location.
Use this task to restore the security keys on the McAfee ePO server.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
Click Restore All near the bottom of the page. The Restore Security Keys page appears.
3
Browse to and select the zip file containing the security keys, then click Next. The Restore Security Keys wizard opens to the Summary page.
4
Verify that the keys listed are the ones you want to replace your existing keys with, then click Next.
5
Click Restore. The Edit Security Keys page reappears.
6
Click Save to complete the process.
Restoring security keys from a backup file
Use this task to restore all security keys from a backup file.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
The Edit Security Keys page appears.
2
Click Restore All at the bottom of the page. The Restore Security Keys wizard opens.
3
Browse to and select the backup zip file, then click Next.
4
Verify that the keys in this file are the ones you want to overwrite your existing keys, then click Restore All.
Configuring source and fallback sites
You need to configure the source and fallback sites from which your ePolicy Orchestrator server retrieves updates and signatures needed to keep your security software up-to-date.
Working with source and fallback sites
Use these tasks to change the default source and fallback sites. You must be a global administrator or have appropriate permissions to define, change, or delete source or fallback sites. You can edit settings, delete existing source and fallback sites, or switch between them.
McAfee recommends using the default source and fallback sites. If you require different sites for this purpose, you can create new ones.
Tasks
Creating source sites on page 74 Use this task to create a new source site.
Switching source and fallback sites on page 75 Use this task to change which sites are the source and fallback sites. Depending on your network configuration, you might find that HTTP or FTP updating works better. Therefore, you might want to switch the source and fallback sites.
Editing source and fallback sites on page 75 Use this task to edit the settings of source or fallback sites, such as URL address, port number, and download authentication credentials.
Deleting source sites or disabling fallback sites on page 75 Use this task to delete source sites or disable fallback sites.
Creating source sites
Use this task to create a new source site.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings, then select Source Sites.
2
Click Add Source Site. The Source Site Builder wizard appears.
3
On the Description page, type a unique repository name and select HTTP, UNC, or FTP, then click Next.
4
On the Server page, provide the web address and port information of the site, then click Next.
HTTP or FTP server type:
• From the URL drop-down list, select DNS Name, IPv4, or IPv6 as the type of server address, then enter the address.
DNS Name: Specifies the DNS name of the server.
IPv4: Specifies the IPv4 address of the server.
IPv6: Specifies the IPv6 address of the server.
• Enter the port number of the server: FTP default is 21; HTTP default is 80.
UNC server type:
• Enter the network directory path where the repository resides. Use this format: \\<COMPUTER>\<FOLDER>.
5
On the Credentials page, provide the Download Credentials used by managed systems to connect to this repository. Use credentials with read-only permissions to the HTTP server, FTP server, or UNC share that hosts the repository.
HTTP or FTP server type:
• Select Anonymous to connect without a user account (anonymous access).
• Select FTP or HTTP authentication (if the server requires authentication), then enter the user account information.
UNC server type:
• Enter domain and user account information.
6
Click Test Credentials. After a few seconds, a confirmation message appears that the site is accessible to systems using the authentication information. If the credentials are rejected, check:
• The user name and password.
• The URL or path on the previous panel of the wizard.
• That the HTTP, FTP, or UNC site is reachable from the system.
7
Click Next.
8
Review the Summary page, then click Save to add the site to the list.
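The following Python is an added example, not part of this guide or of the ePolicy Orchestrator code. It checks a source site definition offline before you type it into the Source Site Builder: it classifies the address as DNS Name, IPv4 or IPv6 the way the wizard's URL list does, applies the default ports (FTP 21, HTTP 80), brackets an IPv6 literal in the resulting URL, and rejects a UNC path that does not have the \\<COMPUTER>\<FOLDER> shape. The SourceSite class, its field names and the sample sites are constructed for illustration; nothing here contacts a server, so it does not replace Test Credentials.

```python
"""Sanity checks for a source site definition before it goes into the Source
Site Builder. Added example, not ePolicy Orchestrator code; SourceSite and the
sample sites are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORT = {"HTTP": 80, "FTP": 21}   # wizard defaults
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+(?:\\[^\\]+)*\\?$")   # \\<COMPUTER>\<FOLDER>[\...]
DNS_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def classify_address(address: str) -> str:
    """Return 'DNS Name', 'IPv4' or 'IPv6', the address types the wizard offers."""
    try:
        version = ipaddress.ip_address(address.strip("[]")).version
    except ValueError:
        if not DNS_NAME.fullmatch(address):
            raise ValueError(f"not a DNS name or IP address: {address!r}")
        return "DNS Name"
    return "IPv6" if version == 6 else "IPv4"


@dataclass(frozen=True)
class SourceSite:
    name: str
    server_type: str                 # HTTP, FTP or UNC
    address: str                     # host or IP literal, or the UNC path
    port: Optional[int] = None       # None means the wizard default
    credentials: str = "Anonymous"   # where authentication is needed, use a read-only account

    def location(self) -> str:
        """The URL or UNC path managed systems would use to reach the repository."""
        if self.server_type == "UNC":
            if not UNC_PATH.match(self.address):
                raise ValueError(f"UNC path must be \\\\<COMPUTER>\\<FOLDER>: {self.address!r}")
            return self.address
        if self.server_type not in DEFAULT_PORT:
            raise ValueError(f"unknown server type {self.server_type!r}")
        host = self.address.strip("[]")
        if classify_address(host) == "IPv6":
            host = f"[{host}]"        # an IPv6 literal must be bracketed in a URL
        port = DEFAULT_PORT[self.server_type] if self.port is None else self.port
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return f"{self.server_type.lower()}://{host}:{port}/"


def check_sites(sites) -> dict:
    """Map each site name to its location, or to the validation error."""
    result = {}
    for site in sites:
        try:
            result[site.name] = site.location()
        except ValueError as err:
            result[site.name] = f"ERROR: {err}"
    return result


# Constructed sample definitions: four valid, one with a malformed UNC path.
SAMPLE_SITES = (
    SourceSite("mirror-http", "HTTP", "update.corp.example"),
    SourceSite("mirror-ftp-v6", "FTP", "2001:db8::10"),
    SourceSite("mirror-ftp-alt-port", "FTP", "192.0.2.7", port=2121),
    SourceSite("branch-share", "UNC", r"\\FS01\ePORepo\Current", credentials="CORP\\svc-epo-ro"),
    SourceSite("bad-share", "UNC", r"\\FS01"),
)

if __name__ == "__main__":
    for name, where in check_sites(SAMPLE_SITES).items():
        print(f"{name:22s} {where}")
```

Run it directly to print the resolved location for each sample site. The IPv6 case is the one that most often goes wrong by hand: the wizard takes the bare address, but any URL you build from it for testing with another tool needs the brackets.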
Switching source and fallback sites
Use this task to change which sites are the source and fallback sites. Depending on your network configuration, you might find that HTTP or FTP updating works better. Therefore, you might want to switch the source and fallback sites.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings.
2
Select Source Sites, then click Edit. The Edit Source Sites page appears.
3
From the list, locate the site that you want to set as fallback, then click Enable Fallback.
Editing source and fallback sites
Use this task to edit the settings of source or fallback sites, such as URL address, port number, and download authentication credentials.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings.
2
Select Source Sites, then click Edit. The Edit Source Sites page appears.
3
Locate the site in the list, then click on the name of the site. The Source Site Builder wizard opens.
4
Edit the settings on the wizard pages as needed, then click Save.
Deleting source sites or disabling fallback sites
Use this task to delete source sites or disable fallback sites.
For option definitions, click ? in the interface.
Task
1
Click Menu | Configuration | Server Settings.
2
Select Source Sites, then click Edit. The Edit Source Sites page appears.
3
Click Delete next to the required source site. The Delete Source Site dialog box appears.
4
Click OK.
The site is removed from the Source Sites page.
8 Setting up repositories
Repositories house your security software packages and updates for distribution to your managed systems.
Security software is only as effective as the latest installed updates. For example, if your DAT files are out-of-date, even the best anti-virus software cannot detect new threats. It is critical that you develop a robust updating strategy to keep your security software as current as possible.
The ePolicy Orchestrator repository architecture offers flexibility to ensure that deploying and updating software is as easy and automated as your environment allows. Once your repository infrastructure is in place, create update tasks that determine how, where, and when your software is updated.
Are you setting up repositories for the first time?
When creating and setting up repositories for the first time:
1
Decide which types of repositories to use and their locations.
2
Create and populate your repositories.
Contents
Repository types and what they do
How repositories work together
Ensuring access to the source site
Using SuperAgents as distributed repositories
Creating and configuring FTP, HTTP, and UNC repositories
Using local distributed repositories that are not managed
Working with the repository list files
Changing credentials on multiple distributed repositories
Repository types and what they do
To deliver products and updates throughout your network, the ePolicy Orchestrator software offers several types of repositories that create a robust update infrastructure when used together. These provide the flexibility to develop an updating strategy to ensure your systems stay up-to-date.
Master repository
The master repository maintains the latest versions of security software and updates for your environment. This repository is the source for the rest of your environment.
By default, the McAfee ePO server uses the Microsoft Internet Explorer proxy settings when it pulls updates from the source site into the master repository.
Distributed repositories
Distributed repositories host copies of your master repository’s contents. Consider using distributed repositories and placing them throughout your network strategically to ensure managed systems are updated while network traffic is minimized, especially across slow connections.
As you update your master repository, ePolicy Orchestrator replicates the contents to the distributed repositories.
Replication can occur:
• Automatically when specified package types are checked in to the master repository, as long as global updating is enabled.
• On a recurring schedule with Replication tasks.
• Manually, by running a Replicate Now task.
A large organization can have multiple locations with limited bandwidth connections between them. Distributed repositories help reduce updating traffic across low bandwidth connections, or at remote sites with a large number of client systems. If you create a distributed repository in the remote location and configure the systems within that location to update from this distributed repository, the updates are copied across the slow connection only once — to the distributed repository — instead of once to each system in the remote location.
If global updating is enabled, distributed repositories update managed systems automatically, as soon as selected updates and packages are checked in to the master repository, without waiting for a scheduled update task to run. Global updating relies on SuperAgents to issue the wake-up calls, so you must have SuperAgents deployed in your environment, and you must still create and configure the repositories and the update tasks.
If distributed repositories are set up to replicate only selected packages, your newly checked-in package is replicated by default. To avoid replicating a newly checked-in package, deselect it from each distributed repository or disable the replication task before checking in the package. For additional information, see Avoiding replication of selected packages and Disabling replication of selected packages.
Do not configure distributed repositories to reference the same directory as your master repository. Doing so causes the files on the master repository to become locked by users of the distributed repository, which can cause pulls and package check-ins to fail and leave the master repository in an unusable state.
Source site
The source site provides all updates for your master repository. The default source site is the McAfeeHttp update site, but you can change the source site or create multiple source sites if you require. McAfee recommends using the McAfeeHttp or McAfeeFtp update sites as your source site.
Source sites are not required. You can download updates manually and check them in to your master repository. However, using a source site automates this process.
McAfee posts software updates to these sites regularly. For example, DAT files are posted daily. Update your master repository with updates as they are available.
Use pull tasks to copy source site contents to the master repository.
McAfee update sites provide updates to detection definition (DAT) and scanning engine files, as well as some language packs. You must check in all other packages and updates, including service packs and patches, to the master repository manually.
Fallback site
The fallback site is a source site that has been enabled as the backup site, from which managed systems can retrieve updates when their usual repositories are inaccessible, for example during network outages or virus outbreaks, when reaching the established location might be difficult. The fallback site lets managed systems remain up-to-date in such situations. The default fallback site is the McAfeeHttp update site. You can enable only one fallback site.
If managed systems use a proxy server to access the Internet, you must configure agent policy settings for those systems to use proxy servers when accessing this fallback site.
Types of distributed repositories
The ePolicy Orchestrator software supports four types of distributed repositories. Consider your environment and needs when determining which type of distributed repository to use. You are not limited to using one type, and might need several, depending on your network.
SuperAgent repositories
Use systems hosting SuperAgents as distributed repositories. SuperAgent repositories have several advantages over other types of distributed repositories:
• Folder locations are created automatically on the host system before adding the repository to the repository list.
• File sharing is enabled automatically on the SuperAgent repository folder.
• SuperAgent repositories don’t require additional replication or updating credentials — account permissions are created when the agent is converted to a SuperAgent.
Although functionality of SuperAgent broadcast wake-up calls requires a SuperAgent in each broadcast segment, this is not a requirement for functionality of the SuperAgent repository. Managed systems only need to “see” the system hosting the repository.
FTP repositories
You can use an FTP server to host a distributed repository. Use FTP server software, such as Microsoft Internet Information Services (IIS), to create a new folder and site location for the distributed repository. See your web server documentation for details.
HTTP repositories
You can use an HTTP server to host a distributed repository. Use HTTP server software, such as Microsoft IIS, to create a new folder and site location for the distributed repository. See your web server documentation for details.
UNC share repositories
You can create a UNC shared folder to host a distributed repository on an existing server. Be sure to enable sharing across the network for the folder, so that the McAfee ePO server can copy files to it and agents can access it for updates.
Unmanaged repositories
If you are unable to use managed distributed repositories, ePolicy Orchestrator administrators can create and maintain distributed repositories that are not managed by ePolicy Orchestrator.
If a distributed repository is not managed, a local administrator must keep it up-to-date manually.
Once the distributed repository is created, use ePolicy Orchestrator to configure managed systems of a specific System Tree group to update from it.
Refer to Enabling the agent on unmanaged McAfee products so that they work with ePolicy Orchestrator for configuration of unmanaged systems.
McAfee recommends that you manage all distributed repositories through ePolicy Orchestrator. Managing them this way, combined with global updating or frequently scheduled replication tasks, ensures that your managed environment is up-to-date. Use unmanaged distributed repositories only if your network or organizational policy does not allow managed distributed repositories.
Repository branches and their purposes
The ePolicy Orchestrator software provides three repository branches, allowing you to maintain three versions of all packages in your master and distributed repositories.
The repository branches are Current, Previous, and Evaluation. By default, ePolicy Orchestrator uses only the Current branch. You can specify branches when adding packages to your master repository. You can also specify branches when running or scheduling update and deployment tasks, to distribute different versions to different parts of your network.
Update tasks can retrieve updates from any branch of the repository, but you must select a branch other than the Current branch when checking in packages to the master repository. If a non-Current branch is not configured, the option to select a branch other than Current does not appear.
To use the Evaluation and Previous branches for packages other than updates, you must configure this in the Repository Packages server settings. Agent versions 3.6 and earlier can retrieve update packages only from the Evaluation and Previous branches.
Current branch
The Current branch is the main repository branch for the latest packages and updates. Product deployment packages can be added only to the Current branch, unless support for the other branches has been enabled.
Evaluation branch
You might want to test new DAT and engine updates with a small number of network segments or systems before deploying them to your entire organization. Specify the Evaluation branch when checking in new DATs and engines to the master repository, then deploy them to a small number of test systems. After monitoring the test systems for several hours, you can add the new DATs to your Current branch and deploy them to your entire organization.
Previous branch
Use the Previous branch to save and store prior DAT and engine files before adding the new ones to the Current branch. In the event that you experience an issue with new DAT or engine files in your environment, you have a copy of a previous version that you can redeploy to your systems if necessary. ePolicy Orchestrator saves only the most immediate previous version of each file type.
You can populate the Previous branch by selecting Move existing packages to Previous branch when you add new packages to your master repository. The option is available when you pull updates from a source site and when you manually check in packages to the Current branch.
Repository list file and its uses
The repository list file (SiteList.xml or SiteMgr.xml) contains the names of all the repositories you are managing.
The repository list includes the location and encrypted network credentials that managed systems use to select the repository and retrieve updates. The server sends the repository list to the agent during agent-server communication.
If needed, you can export the repository list to external files (SiteList.xml or SiteMgr.xml).
Use an exported SiteList.xml file to:
• Import to an agent during installation.
Use an exported SiteMgr.xml file to:
• Backup and restore your distributed repositories and source sites if you need to reinstall the server.
• Import the distributed repositories and source sites from a previous installation of the ePolicy Orchestrator software.
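Because the repository list carries the locations and credentials every agent trusts for updates, it is worth auditing an exported copy against the rules stated above (exactly one enabled fallback site, credentials stored encrypted, every site addressable). The following is an added example, not McAfee code: the element and attribute names it reads (SiteLists, HttpSite/FtpSite/UNCSite, Type="fallback", Server, Enabled, Password Encrypted="1") are assumptions modelled on the guide's description of the file, not the product's documented schema, and the sample export is constructed.

```python
"""Audit an exported ePolicy Orchestrator repository list (SiteList.xml).

Added example, not McAfee code. The tag and attribute names used here
(SiteLists, HttpSite/FtpSite/UNCSite, Type="fallback", Server, Enabled,
Password Encrypted="1") are assumptions modelled on the guide's description
of the file, not the product's documented schema.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SITE_TAGS = ("HttpSite", "FtpSite", "UNCSite")
DEFAULT_PORTS = {"HttpSite": 80, "FtpSite": 21}   # HTTP 80 and FTP 21, as the guide states

# Constructed sample export (not a real file): one HTTP fallback site, one UNC
# distributed repository with a plaintext password, and an FTP site that has
# also been marked as fallback even though only one fallback site is allowed.
SAMPLE_SITELIST = r"""<SiteLists>
  <SiteList Default="1" Name="constructed-example">
    <HttpSite Type="fallback" Name="McAfeeHttp" Order="1" Server="update.example.com:80" Enabled="1">
      <RelativePath>Products/CommonUpdater</RelativePath>
      <UseAuth>0</UseAuth>
    </HttpSite>
    <UNCSite Type="repository" Name="Branch-Share" Order="2" Server="\\fileserver\epo-repo" Enabled="1">
      <UseLoggedonUserAccount>0</UseLoggedonUserAccount>
      <DomainName>CORP</DomainName>
      <UserName>svc-epo-ro</UserName>
      <Password Encrypted="0">ChangeMe</Password>
    </UNCSite>
    <FtpSite Type="fallback" Name="McAfeeFtp" Order="3" Server="ftp.example.com" Enabled="1">
      <UseAuth>0</UseAuth>
    </FtpSite>
  </SiteList>
</SiteLists>"""


def parse_server(tag: str, server: str) -> Tuple[str, Optional[int]]:
    """Split a Server value into (host, port), applying the default port when none is given.

    Handles DNS names, IPv4, bracketed IPv6 ([2001:db8::1]:80) and bare IPv6 literals
    (which cannot carry a port). UNC sites have a path, not a port."""
    if tag == "UNCSite":
        return server, None
    if server.startswith("["):                      # bracketed IPv6, optional :port
        host, _, rest = server[1:].partition("]")
        port = rest.lstrip(":")
        return host, int(port) if port.isdigit() else DEFAULT_PORTS[tag]
    if server.count(":") > 1:                       # bare IPv6 literal, no port possible
        return server, DEFAULT_PORTS[tag]
    host, sep, port = server.partition(":")
    return host, int(port) if sep and port.isdigit() else DEFAULT_PORTS[tag]


def list_sites(xml_text: str) -> Dict[str, Tuple[str, str, Optional[int]]]:
    """Map each site name to (site kind, host or path, effective port)."""
    root = ET.fromstring(xml_text)
    return {site.get("Name", "<unnamed>"): (site.tag,) + parse_server(site.tag, site.get("Server", ""))
            for site in root.iter() if site.tag in SITE_TAGS}


def audit_sitelist(xml_text: str) -> List[str]:
    """Return findings that contradict the guide's rules for the repository list."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    fallbacks: List[str] = []
    for site in root.iter():
        if site.tag not in SITE_TAGS:
            continue
        name = site.get("Name", "<unnamed>")
        enabled = site.get("Enabled") == "1"
        if not site.get("Server"):
            findings.append(f"{name}: site has no Server address")
        if enabled and site.get("Type") == "fallback":
            fallbacks.append(name)
        # The guide says agents receive *encrypted* network credentials; flag anything else.
        pw = site.find("Password")
        if pw is not None and (pw.text or "").strip() and pw.get("Encrypted") != "1":
            findings.append(f"{name}: password stored unencrypted")
        # A UNC repository needs either the logged-on account or explicit download credentials.
        if (site.tag == "UNCSite" and enabled
                and site.findtext("UseLoggedonUserAccount") != "1"
                and not (site.findtext("UserName") or "").strip()):
            findings.append(f"{name}: UNC site has no download credentials")
    if len(fallbacks) > 1:                          # the guide: only one fallback site can be enabled
        findings.append("more than one enabled fallback site: " + ", ".join(fallbacks))
    elif not fallbacks:
        findings.append("no enabled fallback site")
    return findings


if __name__ == "__main__":
    for name, (kind, host, port) in list_sites(SAMPLE_SITELIST).items():
        print(f"{name:14} {kind:9} {host} port={port}")
    for finding in audit_sitelist(SAMPLE_SITELIST):
        print("FINDING:", finding)
```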
How repositories work together
The repositories work together in your environment to deliver updates and software to managed systems. Depending on the size and geography of your network, you might need distributed repositories.
Figure 8-1 Sites and repositories delivering packages to systems
1. The master repository regularly pulls DAT and engine update files from the source site.
2. The master repository replicates the packages to distributed repositories in the network.
3. The managed systems in the network retrieve updates from a distributed repository. If managed systems can’t access the distributed repositories or the master repository, they retrieve updates from the fallback site.
Ensuring access to the source site
Use these tasks to ensure that the McAfee ePO master repository, managed systems, and the McAfee Labs Security Threats dashboard monitor can access the Internet when using the McAfeeHttp and the McAfeeFtp sites as source and fallback sites.
This section describes the steps for configuring the McAfee ePO master repository, the McAfee Agent, and McAfee Labs Security threats to connect to the download site directly or via a proxy. The default selection is Do not use proxy.
Tasks
Configuring proxy settings on page 83 Use this task to configure proxy settings to pull DATs for updating your repositories and to update McAfee Labs Security threats.
Configuring proxy settings for the McAfee Agent on page 83
Configuring proxy settings for McAfee Labs Security Threats on page 84 Use this task to configure proxy settings for the McAfee Labs Security Threats.
Configuring proxy settings
Use this task to configure proxy settings to pull DATs for updating your repositories and to update McAfee Labs Security threats.
For option definitions, click ? in the interface.
Task
1. Click Menu | Configuration | Server Settings. The Server Settings page appears.
2. From the list of setting categories, select Proxy Settings, then click Edit. The Edit Proxy Settings page appears.
3. Select Configure the proxy settings manually.
4. Next to Proxy server settings, select whether to use one proxy server for all communication, or different proxy servers for HTTP and FTP. Then type the IP address or fully-qualified domain name and the Port number of the proxy server.
   If you are using the default source and fallback sites, or if you configure another HTTP source site and FTP fallback site (or vice versa), configure both HTTP and FTP proxy authentication information here.
5. Next to Proxy authentication, configure the settings as appropriate, depending on whether you pull updates from HTTP repositories, FTP repositories, or both.
6. Next to Exclusions, select Bypass Local Addresses, then specify distributed repositories the server can connect to directly by typing the IP addresses or fully-qualified domain names of those systems, separated by semicolons.
7. Click Save.
Configuring proxy settings for the McAfee Agent
Use this task to configure proxy settings for the McAfee Agent.
For option definitions, click ? in the interface.
Task
1. Click Menu | Policy | Policy Catalog, then from the Product list click McAfee Agent, and from the Category list, select Repository. A list of agents configured for the McAfee ePO server appears.
2. On the My Default agent, click Edit Settings. The edit settings page for the My Default agent appears.
3. Click the Proxy tab. The Proxy Settings page appears.
4. Select Use Internet Explorer settings (Windows only) for Windows systems, and select Allow user to configure proxy settings, if appropriate.
   There are multiple methods of configuring Internet Explorer for use with proxies. McAfee provides instructions for configuring and using McAfee products, but does not provide instructions for non-McAfee products. For information on configuring proxy settings, see Internet Explorer Help and http://support.microsoft.com/kb/226473.
5. Select Configure the proxy settings manually to configure the proxy settings for the agent manually.
6. Type the IP address or fully-qualified domain name and the port number of the HTTP and/or FTP source where the agent pulls updates. Select Use these settings for all proxy types to make these the default settings for all the proxy types.
7. Select Specify exceptions to designate systems that do not require access to the proxy. Use a semicolon to separate the exceptions.
8. Select Use HTTP proxy authentication and/or Use FTP proxy authentication, then provide a user name and credentials.
9. Click Save.
Configuring proxy settings for McAfee Labs Security Threats
Use this task to configure proxy settings for the McAfee Labs Security Threats.
For option definitions, click ? in the interface.
Task
1. Click Menu | Configuration | Server Settings.
2. Select Proxy Settings and click Edit. The Edit Proxy Settings page appears.
3. Select Configure the proxy settings manually.
4. Next to Proxy server settings, select whether to use one proxy server for all communication, or different proxy servers for HTTP and FTP. Then type the IP address or fully-qualified domain name and the Port number of the proxy server.
   If you are using the default source and fallback sites, or if you configure another HTTP source site and FTP fallback site (or vice versa), configure both HTTP and FTP proxy authentication information here.
5. Next to Proxy authentication, configure the settings as appropriate, depending on whether you pull updates from HTTP repositories, FTP repositories, or both.
6. Next to Exclusions, select Bypass Local Addresses, then specify any distributed repositories to which the server can connect directly by typing the IP addresses or fully-qualified domain names of those systems, separated by semicolons.
7. Click Save.
Using SuperAgents as distributed repositories
Use these tasks to create and configure repositories on systems that host SuperAgents. You cannot create these SuperAgents until agents have been distributed to the target systems.
Tasks
Creating SuperAgent repositories on page 85 Use this task to create a SuperAgent repository. The desired system must have a McAfee ePO agent installed and running. McAfee recommends using SuperAgent repositories with global updating.
Selecting which packages are replicated to SuperAgent repositories on page 86 Use this task to select which repository-specific packages are replicated to any distributed repository.
Deleting SuperAgent distributed repositories on page 86 Use this task to remove SuperAgent distributed repositories from the host system and the repository list (SiteList.xml). New configurations take effect during the next agent-server communication.
Creating SuperAgent repositories
Use this task to create a SuperAgent repository. The desired system must have a McAfee ePO agent installed and running. McAfee recommends using SuperAgent repositories with global updating.
This task assumes that you know where the desired systems are located in the System Tree. McAfee recommends that you create a “SuperAgent” tag so that you can easily locate the systems with the Tag Catalog page, or by running a query.
For option definitions, click ? in the interface.
Task
1. Click Menu | Policy | Policy Catalog, then from the Product list click McAfee Agent, and from the Category list, select General. A list of agents configured for the McAfee ePO server appears.
2. Create a new policy, duplicate an existing one, or open one that’s already applied to systems that host a SuperAgent where you want to host SuperAgent repositories.
3. Select the General tab, then ensure Convert agents to SuperAgents (Windows only) is selected.
4. Select Use systems running SuperAgents as distributed repositories, then type a folder path location for the repository. This is the location where the master repository copies updates during replication. You can use standard Windows variables, such as <PROGRAM_FILES_DIR>.
   Managed systems updating from this SuperAgent repository are able to access this folder. You do not need to manually enable file sharing.
5. Click Save.
6. Assign this policy to each system that you want to host a SuperAgent repository.
The next time the agent calls in to the server, the new configuration is retrieved. When the distributed repository is created, the folder you specified is created on the system if it did not already exist. If the folder you specify cannot be created, one of two folders is created:
• <DOCUMENTS AND SETTINGS>\ALL USERS\APPLICATION DATA\MCAFEE\FRAMEWORK\DB\SOFTWARE
• <AGENT INSTALLATION PATH>\DATA\DB\SOFTWARE
In addition, the location is added to the repository list (SiteList.xml) file. This makes the site available for updating by systems throughout your managed environment.
If you do not want to wait for the next agent-server communication, you can send an agent wake-up call to the systems.
Selecting which packages are replicated to SuperAgent repositories
Use this task to select which repository-specific packages are replicated to any distributed repository.
For option definitions, click ? in the interface.
Task
1. Click Menu | Software | Distributed Repositories. A list of all distributed repositories appears.
2. Locate and click on the desired SuperAgent repository. The Distributed Repository Builder wizard opens.
3. On the Package Types page, select the required package types.
   Ensure that all packages required by any managed system using this repository are selected. Managed systems go to one repository for all packages — the task fails for systems that are expecting to find a package type that is not present. This feature ensures packages that are used only by a few systems are not replicated throughout your entire environment.
4. Click Save.
Deleting SuperAgent distributed repositories
Use this task to remove SuperAgent distributed repositories from the host system and the repository list (SiteList.xml). New configurations take effect during the next agent-server communication.
For option definitions, click ? in the interface.
Task
1. Open the desired McAfee Agent policy pages (in edit mode) from the desired assignment point in the System Tree or from the Policy Catalog page.
2. On the General tab, deselect Use systems running SuperAgents as distributed repositories, then click Save.
To delete a limited number of your existing SuperAgent distributed repositories, duplicate the McAfee Agent policy assigned to these systems and deselect Use systems running SuperAgents as distributed repositories before saving it. Assign this new policy as needed.
The SuperAgent repository is deleted and removed from the repository list. However, the agent still functions as a SuperAgent as long as you leave the Convert agents to SuperAgents option selected.
Creating and configuring FTP, HTTP, and UNC repositories
Use these tasks to host distributed repositories on existing FTP or HTTP servers or UNC shares. Although you do not need to use a dedicated server, the system should be powerful enough for the desired number of managed systems to connect for updates.
Tasks
Creating a folder location on an FTP, HTTP server or UNC share on page 87 Use this task to create the folder that hosts repository contents on the distributed repository system.
Adding the distributed repository to ePolicy Orchestrator on page 87 Use this task to add the new distributed repository to the repository list and configure it to use the folder you created.
Avoiding replication of selected packages on page 89 If distributed repositories are set up to replicate only selected packages, your newly checked-in package is replicated by default. Depending on your requirements for testing and validating, you might want to avoid replicating some packages to your distributed repositories.
Disabling replication of selected packages on page 89
Enabling folder sharing for UNC and HTTP repositories on page 90 Use this task to share a folder on an HTTP or UNC distributed repository.
Editing distributed repositories on page 90 Use this task to edit a distributed repository.
Deleting distributed repositories on page 90 Use this task to delete HTTP, FTP, or UNC distributed repositories. Doing this removes them from the repository list, and removes the distributed repository contents.
Creating a folder location on an FTP, HTTP server or UNC share
Use this task to create the folder that hosts repository contents on the distributed repository system.
• For UNC share repositories, create the folder on the system and enable sharing.
• For FTP or HTTP repositories, use your existing FTP or HTTP server software, such as Microsoft Internet Information Services (IIS), to create a new folder and site location. See your web server documentation for details.
Adding the distributed repository to ePolicy Orchestrator
Use this task to add the new distributed repository to the repository list and configure it to use the folder you created.
Do not configure distributed repositories to reference the same directory as your master repository. Doing so causes the files on the master repository to become locked by users of the distributed repository, which can cause pulls and package check-ins to fail and leave the master repository in an unusable state.
Task
For option definitions, click ? in the interface.
1. Click Menu | Software | Distributed Repositories, then click Actions | New Repository. The Distributed Repository Builder wizard opens.
2. On the Description page, type a unique name and select HTTP, UNC, or FTP, then click Next. The name of the repository does not need to be the name of the system hosting the repository.
3. On the Server page, provide the web address and port information of the site.
   HTTP or FTP server type:
   • From the URL drop-down list, select DNS Name, IPv4, or IPv6 as the type of server address, then enter the address.
     Option: Definition
     DNS Name: Specifies the DNS name of the server.
     IPv4: Specifies the IPv4 address of the server.
     IPv6: Specifies the IPv6 address of the server.
   • Enter the port number of the server: FTP default is 21; HTTP default is 80.
   • Specify the Replication UNC path for your HTTP folder.
   UNC server type:
   • Enter the network directory path where the repository resides. Use this format: \\<COMPUTER>\<FOLDER>.
4. Click Next.
5. On the Credentials page:
   a. Enter Download credentials. Use credentials with read-only permissions to the HTTP server, FTP server, or UNC share that hosts the repository.
      HTTP or FTP server type:
      • Select Anonymous to use an unknown user account.
      • Select FTP or HTTP authentication (if the server requires authentication), then enter the user account information.
      UNC server type:
      • Select Use credentials of logged-on account to use the credentials of the currently logged-on user.
      • Select Enter the download credentials, then enter domain and user account information.
   b. Click Test Credentials. After a few seconds, a confirmation message appears, stating that the site is accessible to systems using the authentication information. If credentials are incorrect, check the following:
      • User name and password
      • URL or path on the previous panel of the wizard
6. Enter Replication credentials. The server uses these credentials when it replicates DAT files, engine files, or other product updates from the master repository to the distributed repository. These credentials must have both read and write permissions for the distributed repository:
   • For FTP, enter the user account information.
   • For HTTP or UNC, enter domain and user account information.
   • Click Test Credentials. After a few seconds, a confirmation message appears that the site is accessible to systems using the authentication information. If credentials are incorrect, check the following:
     • User name and password
     • URL or path on the previous panel of the wizard
7. Click Next. The Package Types page appears.
8. Select whether to replicate all packages or selected packages to this distributed repository, then click Next.
   • If you choose the Selected packages option, you must manually select the Signatures and engines and Products, patches, service packs, etc. you want to replicate.
   • Optionally select to Replicate legacy DATs.
   Ensure that no package required by managed systems using this repository is deselected. Managed systems go to one repository for all packages — if a needed package type is not present in the repository, the task fails. This feature ensures packages that are used by only a few systems are not replicated throughout your entire environment.
9. Review the Summary page, then click Save to add the repository. The ePolicy Orchestrator software adds the new distributed repository to its database.
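The wizard's inputs above follow a small set of rules that are easy to get wrong when many repositories are defined by hand: the type must be HTTP, UNC, or FTP; the address must match its declared DNS Name/IPv4/IPv6 kind; ports default to 21 for FTP and 80 for HTTP; UNC paths use the \\<COMPUTER>\<FOLDER> form; no distributed repository may point at the master repository directory; and a repository that replicates only selected packages must still carry every package type its systems need. The following is an added example, not McAfee code: it checks a repository definition against those rules using its own dictionary representation of the wizard fields (type, address_type, address, port, path, replication_unc_path), which is not an ePO API, and the repository and system data are constructed.

```python
"""Validate distributed repository definitions against the rules in this guide.

Added example, not McAfee code. The dictionary keys (type, address_type,
address, port, path, replication_unc_path) are this example's own
representation of the wizard's fields, not an ePO API.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

DEFAULT_PORTS = {"FTP": 21, "HTTP": 80}            # wizard defaults stated in the guide
# Default master repository folder from the guide; a distributed repository must never reference it.
MASTER_REPOSITORY_DIR = r"C:\Program Files\McAfee\ePO\4.6.0\DB\Software"
DNS_NAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")
UNC_PATH = re.compile(r"^\\\\[^\\\s]+(\\[^\\]+)+$")  # \\<COMPUTER>\<FOLDER>[\deeper]


def _same_dir(a: str, b: str) -> bool:
    """Compare Windows paths ignoring case and a trailing backslash."""
    return a.rstrip("\\").casefold() == b.rstrip("\\").casefold()


def validate_repository(repo: Dict[str, object],
                        master_paths: Iterable[str] = (MASTER_REPOSITORY_DIR,)) -> List[str]:
    """Return the problems with one repository definition (an empty list means it is acceptable).

    master_paths lists every path by which the master repository directory is reachable
    (the local path plus any share exposing it), so the rule against pointing a
    distributed repository at the master directory can be enforced for UNC paths too."""
    problems: List[str] = []
    rtype = repo.get("type")
    path = ""
    if rtype in ("HTTP", "FTP"):
        addr_type, addr = repo.get("address_type"), str(repo.get("address", ""))
        if addr_type == "IPv4":
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                problems.append(f"{addr!r} is not a valid IPv4 address")
        elif addr_type == "IPv6":
            try:
                ipaddress.IPv6Address(addr)
            except ValueError:
                problems.append(f"{addr!r} is not a valid IPv6 address")
        elif addr_type == "DNS Name":
            if not DNS_NAME.match(addr):
                problems.append(f"{addr!r} is not a valid DNS name")
        else:
            problems.append("address type must be DNS Name, IPv4, or IPv6")
        port = repo.get("port", DEFAULT_PORTS[rtype])        # FTP 21 / HTTP 80 when omitted
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"port {port!r} is out of range")
        path = str(repo.get("replication_unc_path", ""))
        if rtype == "HTTP" and not path:
            problems.append("HTTP repository needs a Replication UNC path")
        if path and not UNC_PATH.match(path):
            problems.append(r"Replication UNC path must use the form \\<COMPUTER>\<FOLDER>")
    elif rtype == "UNC":
        path = str(repo.get("path", ""))
        if not UNC_PATH.match(path):
            problems.append(r"UNC path must use the form \\<COMPUTER>\<FOLDER>")
    else:
        problems.append("type must be HTTP, UNC, or FTP")
    if path and any(_same_dir(path, m) for m in master_paths):
        problems.append("repository must not reference the master repository directory")
    return problems


def check_package_coverage(repo_packages: Set[str],
                           systems: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return, per managed system, the package types it needs that the repository lacks.

    Managed systems go to one repository for all packages, so any non-empty set here
    means that system's update task would fail against this repository."""
    return {name: needed - repo_packages
            for name, needed in systems.items() if needed - repo_packages}


if __name__ == "__main__":
    # Constructed definitions (hypothetical names), not real repositories.
    candidates = {
        "branch-http": {"type": "HTTP", "address_type": "DNS Name", "address": "repo1.corp.example",
                        "replication_unc_path": r"\\repo1\epo-repo"},
        "bad-ftp": {"type": "FTP", "address_type": "IPv4", "address": "10.0.0.300"},
        "master-share": {"type": "UNC",
                         "path": r"\\EPOSERVER\C$\Program Files\McAfee\ePO\4.6.0\DB\Software"},
    }
    for name, repo in candidates.items():
        print(name, validate_repository(repo, master_paths=(MASTER_REPOSITORY_DIR, candidates["master-share"]["path"])))
    print(check_package_coverage({"DAT", "Engine"},
                                 {"ws1": {"DAT", "Engine"}, "srv1": {"DAT", "Engine", "Product"}}))
```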
Avoiding replication of selected packages
If distributed repositories are set up to replicate only selected packages, your newly checked-in package is replicated by default. Depending on your requirements for testing and validating, you might want to avoid replicating some packages to your distributed repositories.
Use this task to avoid replicating a newly checked-in package.
For option definitions, click ? in the interface.
Task
1. Click Menu | Software | Distributed Repositories, then click on the desired repository. The Distributed Repository Builder wizard opens.
2. On the Package Types page, deselect the package that you want to avoid being replicated.
3. Click Save.
Disabling replication of selected packages
If distributed repositories are set up to replicate only selected packages, your newly checked-in package is replicated by default. To disable the impending replication of a package, disable the replication task before checking in the package.
Use this task to disable replication before checking in the new package.
Task
For option definitions, click ? in the interface.
1. Click Menu | Automation | Server Tasks, then select Edit next to the desired replication server task. The Server Task Builder wizard opens.
2. On the Description page, select the Schedule status as Disabled, then click Save.
Enabling folder sharing for UNC and HTTP repositories
Use this task to share a folder on an HTTP or UNC distributed repository.
For these repositories, the ePolicy Orchestrator software requires that the folder is enabled for sharing across the network, so that your ePolicy Orchestrator server can copy files to it. This is for replication purposes only. Managed systems configured to use the distributed repository use the appropriate protocol (HTTP, FTP, or Windows file sharing) and do not require folder sharing.
Task
1. On the managed system, locate the folder you created using Windows Explorer.
2. Right-click the folder, then select Sharing.
3. On the Sharing tab, select Share this folder.
4. Configure share permissions as needed. Systems updating from the repository require only read access, but administrator accounts, including the account used by the ePolicy Orchestrator server service, require write access. See your Microsoft Windows documentation to configure appropriate security settings for shared folders.
5. Click OK.
Editing distributed repositories
Use this task to edit a distributed repository.
Task
For option definitions, click ? in the interface.
1. Click Menu | Software | Distributed Repositories, then click the desired repository. The Distributed Repository Builder wizard opens, displaying the details of the distributed repository.
2. Change configuration, authentication, and package selection options as needed.
3. Click Save.
Deleting distributed repositories
Use this task to delete HTTP, FTP, or UNC distributed repositories. Doing this removes them from the repository list, and removes the distributed repository contents.
Task
For option definitions, click ? in the interface.
1. Click Menu | Software | Distributed Repositories, then click Delete next to the desired repository.
2. On the Delete Repository dialog box, click OK.
Deleting the repository does not delete the packages on the system hosting the repository.
Using local distributed repositories that are not managed
Use this task to copy contents from the master repository into the unmanaged distributed repository. Once created, you must manually configure managed systems to go to the unmanaged repository for files.
For option definitions, click ? in the interface.
Task
1. Copy all files and subdirectories in the master repository folder from the server. By default, this is in the following location on your server: C:\Program Files\McAfee\ePO\4.6.0\DB\Software
2. Paste the copied files and subfolders in your repository folder on the distributed repository system.
3. Configure an agent policy for managed systems to use the new unmanaged distributed repository:
   a. Click Menu | Policy | Policy Catalog, then select the Product as McAfee Agent and Category as Repository.
   b. Click on an existing agent policy or create a new agent policy.
      Policy inheritance cannot be broken for tabs of a policy. Therefore, when you apply this policy to systems, ensure that only the desired systems receive and inherit the policy to use the unmanaged distributed repository.
   c. On the Repositories tab, click Add. The Add Repository window appears.
   d. Type a name in the Repository Name text field. The name does not have to be the name of the system hosting the repository.
   e. Under Retrieve Files From, select the type of repository.
   f. Under Configuration, type the location of the repository using appropriate syntax for the repository type.
   g. Type a port number or keep the default port.
   h. Configure authentication credentials as needed.
   i. Click OK to add the new distributed repository to the list.
   j. Select the new repository in the list. The type Local indicates it is not managed by the ePolicy Orchestrator software. When an unmanaged repository is selected in the Repository list, the Edit and Delete buttons are enabled.
   k. Click Save.
Any system where this policy is applied receives the new policy at the next agent-server communication.
Working with the repository list files
Use these tasks to export repository list files.
• SiteList.xml — For use by the agent and supported products.
• SiteMgr.xml — For use when reinstalling the McAfee ePO server, or for importing into other McAfee ePO servers that use the same distributed repositories or source sites.
Tasks
Exporting the repository list SiteList.xml file on page 92 Use this task to export the repository list (SiteList.xml) file for manual delivery to systems, or for import during the installation of supported products.
Exporting the repository list SiteMgr.xml file for backup or use by other servers on page 93 Use this task to export the list of distributed repositories and source sites as the SiteMgr.xml file. Use this file to restore the distributed repositories and source sites when you reinstall the McAfee ePO server, or when you want to share distributed repositories or source sites with another McAfee ePO server.
Importing distributed repositories from the SiteMgr.xml file on page 93 Use this task to import distributed repositories from a repository list file. This is valuable after reinstalling a server, or if you want one server to use the same distributed repositories as another server.
Importing source sites from the SiteMgr.xml file on page 93 Use this task to import source sites from a repository list file. This is valuable after reinstalling a server, or if you want one server to use the same distributed repositories as another server.
Exporting the repository list SiteList.xml file
Use this task to export the repository list (SiteList.xml) file for manual delivery to systems, or for import during the installation of supported products.
Task
For option definitions, click ? in the interface.
1. Click Menu | Software | Master Repository, then click Actions | Export Sitelist. The File Download dialog box appears.
2. Click Save, browse to the location to save the SiteList.xml file, then click Save.
Once you have exported this file, you can import it during the installation of supported products. For instructions, see the Installation Guide for that product.
You can also distribute the repository list to managed systems, then apply the repository list to the agent.
Exporting the repository list SiteMgr.xml file for backup or use by other servers
Use this task to export the list of distributed repositories and source sites as the SiteMgr.xml file. Use this file to restore the distributed repositories and source sites when you reinstall the McAfee ePO server, or when you want to share distributed repositories or source sites with another McAfee ePO server.
You can export this file from either the Distributed Repositories or Source Sites pages. However, when you import this file to either page, it imports only the items from the file that are listed on that page. For example, when this file is imported to the Distributed Repositories page, only the distributed repositories in the file are imported. Therefore, if you want to import both distributed repositories and source sites, you must import the file twice, once from each page.
For option definitions, click ? in the interface.
Task
1. Click Menu | Software | Distributed Repositories (or Source Sites), then click Actions | Export Repositories (or Export Source Sites). The File Download dialog box appears.
2. Click Save, browse to the location to save the file, then click Save.
Importing distributed repositories from the SiteMgr.xml file
Use this task to import distributed repositories from a repository list file. This is valuable after reinstalling a server, or if you want one server to use the same distributed repositories as another server.
Task
For option definitions, click ? in the interface.
1
Click Menu | Software | Distributed Repositories, then click Actions | Import Repositories. The Import Repositories page appears.
2
Browse to select the exported SiteMgr.xml file, then click OK. The distributed repository is imported into the server.
3
Click OK.
The selected repositories are added to the list of repositories on this server.
Importing source sites from the SiteMgr.xml file
Use this task to import source sites from a repository list file. This is valuable after reinstalling a server, or if you want one server to use the same distributed repositories as another server.
Task
For option definitions, click ? in the interface.
1
Click Menu | Configuration | Server Settings, then from the Setting Categories list select Source Sites and click Edit. The Edit Source Sites page appears.
2
Click Import. The Import repositories page appears.
3
Browse to and select the exported SiteMgr.xml file, then click OK. The Import Source Sites page appears.
4
Select the desired source sites to import into this server, then click OK.
The selected source sites are added to the list of repositories on this server.
Changing credentials on multiple distributed repositories
Use this task to change credentials on multiple distributed repositories of the same type. This task is valuable in environments where there are many distributed repositories.
Task
For option definitions, click ? in the interface.
1
Click Menu | Distributed Repositories. The Distributed Repositories page appears.
2
Click Actions and select Change Credentials. The Change Credentials wizard opens to the Repository Type page.
3
Select the type of distributed repository for which you want to change credentials, then click Next. The Repository Selection page appears.
4
Select the desired distributed repositories, then click Next. The Credentials page appears.
5
Edit the credentials as needed, then click Next. The Summary page appears.
6
Review the information, then click Save.
Setting up registered servers
You can access additional servers by registering them with your McAfee ePO server. Registered servers allow you to integrate your software with other, external servers. For example, register an LDAP server to connect with your Active Directory server.
McAfee ePolicy Orchestrator can communicate with:
• Other McAfee ePO servers
• Additional, remote, database servers
• LDAP servers
• HTTP servers
• Ticketing servers
Each type of registered server supports or supplements the functionality of ePolicy Orchestrator and other McAfee and third-party extensions and products.
Registering servers
Use these tasks to register additional servers to work with ePolicy Orchestrator.
Tasks
Registering McAfee ePO servers on page 95 You can register additional McAfee ePO servers for use with your main McAfee ePO server to collect or aggregate data.
Registering LDAP servers on page 97 You must have a registered LDAP (Lightweight Directory Access Protocol) server to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable Active Directory User Login.
Registering SNMP servers on page 98 To receive an SNMP trap, you must add the SNMP server’s information, so that ePolicy Orchestrator knows where to send the trap.
Registering a database server on page 99 Before you can retrieve data from a database server, you must register it with ePolicy Orchestrator.
Registering McAfee ePO servers
You can register additional McAfee ePO servers for use with your main McAfee ePO server to collect or aggregate data.
Task
For option definitions, click ? in the interface.
1
Select Menu | Configuration | Registered Servers and click New Server.
2
From the Server type menu on the Description page, select ePO, specify a unique name and any notes, then click Next.
3
Specify the following options to configure the server:
Option Definition
Authentication type: Specifies the type of authentication to use for this database, including:
• Windows authentication
• SQL authentication
Client task sharing: Specifies whether to enable or disable client task sharing for this server.
Database name: Specifies the name for this database.
Database port: Specifies the port for this database.
Database server: Specifies the name of the database server for this server. You can specify a database server using a DNS name or an IP address (IPv4 or IPv6).
ePO Version: Specifies the version of the ePO server being registered.
Password: Specifies the password for this server.
Policy sharing: Specifies whether to enable or disable policy sharing for this server.
SQL Server instance: Allows you to specify whether this is the default server or a specific instance, by providing the Instance name. Ensure that the SQL browser service is running before connecting to a specific SQL instance using its instance name. Specify the port number if the SQL browser service is not running. Select the Default SQL server instance and type the port number to connect to the SQL server instance.
SSL communication with database server: Specifies whether ePolicy Orchestrator uses SSL (Secure Sockets Layer) communication with this database server, including:
• Try to use SSL
• Always use SSL
• Never use SSL
Test connection: Verifies the connection to the server as specified.
Transfer systems: Specifies whether to enable or disable the ability to transfer systems for this server. When enabled, select Automatic sitelist import or Manual sitelist import.
When choosing Manual sitelist import, it is possible to cause older versions of McAfee Agent (version 4.0 and earlier) to be unable to contact their Agent Handler. This may happen when:
• transferring systems from this McAfee ePO server to the registered McAfee ePO server,
• and an Agent Handler name appears alpha-numerically earlier than the ePO Server name in the supplied sitelist,
• and the older Agents use that Agent Handler.
Use NTLMv2: Optionally choose to use the NT LAN Manager authentication protocol. Select this option when the server you are registering employs this protocol.
User name: Specifies the user name for this server.
4
Click Save.
Registering LDAP servers
You must have a registered LDAP (Lightweight Directory Access Protocol) server to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable Active Directory User Login.
Task
For option definitions, click ? in the interface.
1
Select Menu | Configuration | Registered Servers, then click New Server.
2
From the Server type menu on the Description page, select LDAP Server, specify a unique name and any details, then click Next.
3
Choose whether you are registering an OpenLDAP or Active Directory server in the LDAP server type list.
The rest of these instructions will assume an Active Directory server is being configured. OpenLDAP-specific information is included where required.
4
Choose whether you are specifying a Domain name or a specific server name in the Server name section. Use DNS-style domain names (e.g., internaldomain.com) for domains, and fully-qualified domain names or IP addresses (e.g., server1.internaldomain.com or 192.168.75.101) for servers.
Using domain names gives fail-over support, and allows you to choose only servers from a specific site if desired.
OpenLDAP servers can only use server names. They cannot be specified by domain.
5
Choose if you want to Use Global Catalog. This is deselected by default. Selecting it can provide significant performance benefits. It should only be selected if the registered domain is the parent of only local domains. If non-local domains are included, chasing referrals could cause significant non-local network traffic, possibly severely impacting performance.
Use Global Catalog is not available for OpenLDAP servers.
6
If you have chosen to not use the Global Catalog, choose whether to Chase referrals or not. Chasing referrals can cause performance problems if it leads to non-local network traffic, whether or not a Global Catalog is used.
7
Choose whether to Use SSL when communicating with this server or not.
8
If you are configuring an OpenLDAP server, enter the Port.
9
Enter a User name and Password as indicated. These credentials should be for an admin account on the server. Use domain\username format on Active Directory servers and cn=User,dc=realm,dc=com format on OpenLDAP servers.
10
Either enter a Site name for the server, or select it by clicking Browse and navigating to it.
11
Click Test Connection to verify communication with the server as specified. Alter information as necessary.
12
Click Save to register the server.
Registering SNMP servers
To receive an SNMP trap, you must add the SNMP server’s information, so that ePolicy Orchestrator knows where to send the trap.
For option definitions click ? in the interface.
Task
1
Click Menu | Configuration | Registered Servers, then click New Server.
2
From the Server type menu on the Description page, select SNMP Server, provide the name and any additional information about the server, then click Next.
3
From the URL drop-down list, select one of these types of server address, then enter the address:
Table 9-1 Option definitions
Option Definition
DNS Name: Specifies the DNS name of the registered server.
IPv4: Specifies the IPv4 address of the registered server.
IPv6: Specifies the DNS name of the registered server which has an IPv6 address.
4
Select the SNMP version that your server uses:
• If you select SNMPv1 or SNMPv2c as the SNMP server version, type the community string of the server under Security.
• If you select SNMPv3, provide the SNMPv3 Security details.
5
Click Send Test Trap to test your configuration.
6
Click Save.
The added SNMP server appears on the Registered Server page.
Registering a database server
Before you can retrieve data from a database server, you must register it with ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1
Open the Registered Servers page: select Menu | Configuration | Registered Servers, then click New Server.
2
Select Database server in the Server type drop-down list, enter a server name and an optional description, then click Next.
3
Choose a Database type from the drop-down list of registered types. Indicate if you want this database type to be the default. If there is already a default database assigned for this database type, it is indicated in the Current Default database for database type row.
4
Indicate the Database Vendor. Currently only Microsoft SQL Server and MySQL are supported.
5
Enter the connection specifics and login credentials for the database server.
6
To verify that all connection information and login credentials are entered correctly, click Test Connection.
A status message indicates success or failure.
7
Click Save.