Best Practices Guide
McAfee® ePolicy Orchestrator®
for use with ePolicy Orchestrator versions 4.5.0 and 4.0.0
Setting up a maintenance task to automatically reindex and rebuild your ePolicy Orchestrator SQL database only takes a few minutes and is essential to
12 Disaster recovery
Many ePolicy Orchestrator users want to know how to set up ePolicy Orchestrator for a disaster recovery scenario. There are a few o
Use server clusters for disaster recovery
If you require zero downtime if a hardware failure occurs you can cluster your ePolicy Orchestrator and SQL se
Now, if the primary site fails you must make all the agents previously communicating with the primary McAfee ePO server start communicating with the s
Reference documentation
Following are several informative and valuable links for your McAfee implementation.
Product videos
Support Video Tutorials — Thes
Other Informative Articles
Deploying SQL Server 2005 with SAN #1
Deploying SQL Server 2005 with SAN #2
Deploying SQL Server 2005 with SAN #3
SQL Storage T
2 Configuring your hardware for ePolicy Orchestrator software
How you configure your ePolicy Orchestrator software is influenced by many factors, includi
• Optimize your storage using multiple dedicated drives (see Hard disk configuration) for each application as your node count increases
• Manage only th
The primary limiting factor when choosing your configuration is the cost of storage. Depending on your hardware budget, choose the best configuration t
Manage 25,000 to 75,000 nodes
If you have 25,000 to 75,000 nodes to manage with the McAfee ePO server, use two separate servers. For the McAfee ePO ser
SAN usage
Storage area network (SAN) devices are the standard configuration for larger storage requirements such as SQL databases that require backup
There is no technical limit on how many nodes can be managed by one McAfee ePO server. The key concept to remember about McAfee ePO servers is less is
The ePolicy Orchestrator software 4.5 installation is bundled with Microsoft SQL Express for installing McAfee ePO server in very small environments. M
• 8 processors
• 16 – 32 GB of RAM
• Disk space is not a concern since all the data is stored in the SQL database
The minimum SQL Server hardware recomme
3 Using distributed repositories to keep your security software up to date
Distributed repositories are file shares that you create to store and distribu
COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie
Overview of repository types
There are several types of repositories you can use in your managed environment. The ePolicy Orchestrator server always act
UNC share repositories
You can use Universal Naming Convention (UNC) shares to host your McAfee ePO server repository. Since most administrators are fam
Creating a new SuperAgent policy
A SuperAgent policy allows you to assign that policy to client machines to convert them to SuperAgents.
Task
1. From the P
Task
1. From the System Tree, click System Tree Actions | New Subgroup and give it a distinctive name, for example 1_SuperAgents.
2. Click OK. The new grou
Task
1. From the SuperAgent group you created, click the Assign Policies tab and select McAfee Agent from the Product list.
2. From the Actions column, click
Task
1. In the System Tree, click the Systems tab and find the system you want to change to a SuperAgent repository.
2. Drag that row with the system name an
To download the daily DAT file randomly from the central ePO server to the system agents takes the following bandwidth: 100 Agents * 200 KB file = 20 M
• Policy deployment
• Event collection
• Distributing all updates and software
Example 2 — Medium organization with four offices
The medium organization e
APAC region servers
There are small offices in the APAC region with slow WAN links back to the McAfee ePO server in the UK. Plus these WAN links are alr
4. From the Repositories list find the McAfee ePO server and click Disable in the Actions column.
5. Click Save and the McAfee ePO server repository is d
Contents
Preface
About this guide
Audience
Conventions
In the small office in India you could add a repository but you must replicate the DAT file from the McAfee ePO server to the repository. This file rep
About Global Updating
Global Updating is a powerful feature, but if it is used incorrectly it can have a negative impact in your environment. Global Upda
4 Scaling your ePolicy Orchestrator infrastructure with Agent Handlers
Agent Handlers co-ordinate work between themselves and the ePolicy Orchestrator se
Do not use Agent Handlers to replace repositories. A repository is a simple file share meant to keep update traffic local. While an Agent Handler has r
5 Installing and upgrading ePolicy Orchestrator software
There are two types of ePolicy Orchestrator installations: a new installation in an environment
• You retain all your policies and client tasks — This means you don't have to rebuild them and could save you time.
• You retain your directory st
• Test your upgrade in a VM environment with a copy of your SQL database to make sure the upgrade works smoothly.
• Validate all your settings to confir
Move McAfee Agents between servers
Before the release of ePolicy Orchestrator 4.5, many customers wanted an upgrade path that would allow them to start
Exporting and importing the ASSC keys
You must export the agent-server secure communication (ASSC) keys from the old server to the new server before moving
What is the System Tree
Use Active Directory synchronization
Dynamically sorting your mach
3. Select the systems to move to the new McAfee ePO server and click Actions | Agents | Transfer Systems. The Transfer Systems dialog box appears.
4. Sele
6 The McAfee Agent and your System Tree
The McAfee Agent and your System Tree are two of the most important pieces of your managed environment. The agent
Once an agent is installed on a system, you never need to use a third-party deployment tool to update anything on that client.
Figure 6-1 One agent to
• A logon script
• Manual execution
• The McAfee ePO server
• Third-party tools
• An image with the agent as part of the image
You must use the specific Mc
If you gave this custom McAfee Agent to your desktop team a year ago, it is probably outdated. It becomes outdated if, for example, you have made change
• The machines in your AD tree must be well maintained. This is not always the case in many larger organizations. Machines need to be deleted and place
Using third-party tools is not a requirement, but your organization might have strict policies that dictate how products are deployed for consistency a
Confirm you deleted the agent GUID before freezing the image
If you choose option 1, Include the agent in your Windows image, it can cause one of the mo
Dynamically sorting your machines
To dynamically sort your machines into your ePolicy Orchestrator System Tree use a combination of system criteria, su
Preface
This guide provides information about suggested best practices for using your McAfee ePolicy Orchestrator (McAfee ePO™) 4.5 and 4.0 software.
Abo
7 Managing endpoint security with policies and packages
Policies are the settings that govern each product on the endpoint. Packages are the binaries th
This is not an exhaustive list and new products are constantly being added as McAfee expands its solution portfolio. Because of the McAfee ePO server
• Collects and sends its properties to the McAfee ePO server or Agent Handler
• Checks to see if any policy changes or client tasks have occurred on th
Configuring ASCI
Configure the ASCI to determine how often every McAfee Agent calls the McAfee ePO server.
The ASCI is set to 60 minutes by default. If
Task
1. Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list.
2. Click the General tab, an
1. Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list.
2. Click the General tab, and ty
Task
For option definitions, click ? in the interface.
1. Click Menu | Configuration | Server Settings, then in the Settings Category pane click Repositor
8 Using Client and Server tasks in your managed environment
Client and Server tasks are, as their names imply, tasks that are carried out on your ePolicy
What's in this guide
This guide outlines some core recommendations for implementing McAfee ePolicy Orchestrator software versions 4.5 and 4.0. This
local and does not need to communicate with the McAfee ePO server. Policy enforcement makes the agent compare the last known product policy pulled from
• Bandwidth
• Which machines have the latest content for protection
• The quality of your compliance reports
If a deployment task is being deployed to mu
The following formula calculates the bandwidth needed to move the 12 GB of data per repository randomly over a 9-hour workday. The total equals 1.33 GB
4. Choose the content to update using this task. In this example the Daily Master Update task downloads the VirusScan Enterprise DAT and Engine files. If
5. Click Next to configure the schedule for this task.
The key to a good update task is updating several times per day at completely random intervals. Man
Server tasks
Server tasks are any item that is scheduled to run on the McAfee ePO server itself. Using server tasks properly can significantly improve
Task
For option definitions, click ? in the interface.
1. Click Menu | Automation | Server Tasks and click Actions | New Task. The Server Task dialog box
Task
For option definitions, click ? in the interface.
1. Click Menu | Automation | Server Tasks, and click Actions | New Task. The Server Task dialog box
1. Pull content from McAfee into your master repository, which is always the McAfee ePO server.
2. Replicate that content to your distributed repositories.
3. From the Repositories list, find the McAfee ePO server and click Disable in the Actions column.
4. Click Save to disable the McAfee ePO server reposit
1 The history and architecture of ePolicy Orchestrator software
ePolicy Orchestrator software is a mature security management platform that delivers the
Task
For option definitions, click ? in the interface.
1. Click Menu | Automation | Server Tasks, then click Action | New Task. The Server Task Builder di
events is only 10 days because it collects all URLs that are visited by managed machines. This can save a lot of data in environments with greater than
As systems are decommissioned, or disappear because of extended travel, users on leave, or other reasons, remove them from the System Tree. Removing th
3. Optional. Instead of using the default subaction Delete Systems, you can select Move Systems to another Group. This moves the systems found by the que
9 Reporting on your managed environment with Queries
ePolicy Orchestrator provides built-in querying and reporting capabilities. These are highly customiz
See McAfee ePolicy Orchestrator 4.5 Product Guide and McAfee ePolicy Orchestrator 4.5 Reporting Guide for details.
The following example shows some of t
• Have not communicated with the McAfee ePO server in a while
• Are suspected of not working properly when you attempt to wake them up
• Need a new agen
Creating custom event queries
Create a custom query.
Task
1. Click Menu | Reporting | Queries, then Actions | New Query. The Query Wizard appears starting
Overview of the product architecture
The architecture of the ePolicy Orchestrator software and its components provides all the functionality needed to m
3. You must choose the label or variable that you want the report to display. There are many variables you can choose to have the McAfee Agent reports di
4. You can choose the columns that you want to see if you drill down on any of the variables in your report. This is not a critical component when buildi
5. Click Next to not create any filters and display all of the operating system types.
6. Click Run to generate the report and see the results. After you
3. Click Events in the Features Group and Client Events in the Result Type. Click Next to continue to the Chart dialog box.
4. Under Summary, click Single
5. Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human readable description of the even
8. Click Run to display the query report. In this example there are 308 client events total. If you want, you can click one event and drill down on it t
5. Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human readable description of the even
8. Click Run to display the query report. The McAfee ePO server displays approximately 8,000 threat events total. The data shown in this example comes f
9. To determine approximately how many events you should have on your network use the following formula:
(10,000 nodes) x (1 to 2 million events) = estima
4. If the event is important, make sure you are monitoring the number of events using the Creating event summary queries and Purging events automatically
1. ePO server — Connects to the McAfee update server to download the latest security content
2. ePO Microsoft SQL database — Stores all the data about the
5. Click Next to skip the Columns dialog box. You can choose the columns you want to analyze. You can skip this step because the McAfee ePO server does n
11. Find the custom query you just created and click it in the list.
12. Schedule the task to run every night, then click Save.
You can use this technique
10 FAQs and common scenarios
This chapter contains some frequently asked questions (FAQs) and some common scenarios that an ePolicy Orchestrator administ
Task
1. Click Menu | Automation | Server Tasks to open the Server Tasks Builder.
2. Click Edit for one of the following tasks.
• Duplicate Agent GUID — Clear
Task
1. Under Reliability and Performance, click Monitoring Tools | Performance Monitoring, then click the plus sign (+). The Add Counters dialog box appe
You can also check how quickly your ePolicy Orchestrator server processes events from agents by looking in the Events folder on the McAfee ePO server.
• "4.0.0" — Is the product revision number
• "1421" — Is the build number. That build number indicates this is "Patch 2"
T
• Because the scan timed out due to the size of the file, which is a 1059 event
• The file was not scanned because it was inaccessible due to a passwor
11 Maintaining your SQL database
For your McAfee ePO server to function correctly it is very important to have a well performing SQL database. It is the