McAfee EPOLICY ORCHESTRATOR 4.5 - Installation Guide

Best Practices Guide: McAfee® ePolicy Orchestrator® for use with ePolicy Orchestrator versions 4.5.0 and 4.0.0

Content summary

Page 1 - ePolicy Orchestrator

Best Practices Guide: McAfee® ePolicy Orchestrator® for use with ePolicy Orchestrator versions 4.5.0 and 4.0.0

Page 3 - Contents

Setting up a maintenance task to automatically reindex and rebuild your ePolicy Orchestrator SQL database only takes a few minutes and is essential to

Page 4

12 Disaster recovery: Many ePolicy Orchestrator users want to know how to set up ePolicy Orchestrator for a disaster recovery scenario. There are a few o

Page 5 - About this guide

Use server clusters for disaster recovery: If you require zero downtime if a hardware failure occurs you can cluster your ePolicy Orchestrator and SQL se

Page 6 - What's in this guide

Now, if the primary site fails you must make all the agents previously communicating with the primary McAfee ePO server start communicating with the s

Page 8

Reference documentation: Following are several informative and valuable links for your McAfee implementation. Product videos: Support Video Tutorials — Thes

Page 9

Other Informative Articles: Deploying SQL Server 2005 with SAN #1; Deploying SQL Server 2005 with SAN #2; Deploying SQL Server 2005 with SAN #3; SQL Storage T

Page 10

Index. A: about this guide 5; Active Directory: organizing the System Tree 47, synchronization 44, 47; AD, See Active Directory; Agent Handlers: about 8, 33; increased

Page 11 - Orchestrator software

databases (continued): installed with ePolicy Orchestrator 11; maintaining 99; recommended hardware 15; reindex 99; restoring 101; server clusters for disaster re

Page 12 - Hard disk configuration

IP address (continued): used to sort the System Tree 48. L: LDF file 12. M: master repository: default 26; disabling from ePolicy Orchestrator server 68; on ePolicy O

Page 13

2 Configuring your hardware for ePolicy Orchestrator software: How you configure your ePolicy Orchestrator software is influenced by many factors, includi

Page 14

server tasks (continued): acting on a query 65. servers: combining ePolicy Orchestrator and database 11; disaster recovery 101; finding performance problems 94; p

Page 15 - SAN usage

• Optimize your storage using multiple dedicated drives (see Hard disk configuration) for each application as your node count increases
• Manage only th

Page 16 - Small organization example

The primary limiting factor when choosing your configuration is the cost of storage. Depending on your hardware budget, choose the best configuration t

Page 17 - Medium organization example

Manage 25,000 to 75,000 nodes: If you have 25,000 to 75,000 nodes to manage with the McAfee ePO server, use two separate servers. For the McAfee ePO ser

Page 18

SAN usage: Storage area network (SAN) devices are the standard configuration for larger storage requirements such as SQL databases that require backup

Page 19 - About repositories

There is no technical limit on how many nodes can be managed by one McAfee ePO server. The key concept to remember about McAfee ePO servers is less is

Page 20 - Overview of repository types

The ePolicy Orchestrator software 4.5 installation is bundled with Microsoft SQL Express for installing McAfee ePO server in very small environments. M

Page 21 - SuperAgent repositories

• 8 processors
• 16 – 32 GB of RAM
• Disk space is not a concern since all the data is stored in the SQL database
The minimum SQL Server hardware recomme

Page 22

3 Using distributed repositories to keep your security software up to date: Distributed repositories are file shares that you create to store and distribu

Page 23

COPYRIGHT: Copyright © 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie

Page 24

Overview of repository types: There are several types of repositories you can use in your managed environment. The ePolicy Orchestrator server always act

Page 25 - Where to place repositories

UNC share repositories: You can use Universal Naming Convention (UNC) shares to host your McAfee ePO server repository. Since most administrators are fam

Page 26

Creating a new SuperAgent policy: A SuperAgent policy allows you to assign that policy to client machines to convert them to SuperAgents. Task: 1. From the P

Page 27

Task: 1. From the System Tree, click System Tree Actions | New Subgroup and give it a distinctive name, for example 1_SuperAgents. 2. Click OK. The new grou

Page 28

Task: 1. From the SuperAgent group you created, click the Assign Policies tab and select McAfee Agent from the Product list. 2. From the Actions column, click

Page 29

Task: 1. In the System Tree, click the Systems tab and find the system you want to change to a SuperAgent repository. 2. Drag that row with the system name an

Page 30 - Conclusions

To download the daily DAT file randomly from the central ePO server to the system agents takes the following bandwidth: 100 Agents * 200 KB file = 20 M

Page 31 - About Global Updating

• Policy deployment
• Event collection
• Distributing all updates and software
Example 2 — Medium organization with four offices: The medium organization e

Page 32

APAC region servers: There are small offices in the APAC region with slow WAN links back to the McAfee ePO server in the UK. Plus these WAN links are alr

Page 33 - What are Agent Handlers

4. From the Repositories list find the McAfee ePO server and click Disable in the Actions column. 5. Click Save and the McAfee ePO server repository is d

Page 34 - Handlers white paper

Contents: Preface 5; About this guide 5; Audience 5; Conventions ...

Page 35

In the small office in India you could add a repository but you must replicate the DAT file from the McAfee ePO server to the repository. This file rep

Page 36 - In-place upgrade tips

About Global Updating: Global Updating is a powerful feature, but if it is used incorrectly it can have a negative impact in your environment. Global Upda

Page 38

4 Scaling your ePolicy Orchestrator infrastructure with Agent Handlers: Agent Handlers co-ordinate work between themselves and the ePolicy Orchestrator se

Page 39 - Using Transfer Systems

Do not use Agent Handlers to replace repositories. A repository is a simple file share meant to keep update traffic local. While an Agent Handler has r

Page 40

5 Installing and upgrading ePolicy Orchestrator software: There are two types of ePolicy Orchestrator installations: a new installation in an environment

Page 41 - Agent functionality

• You retain all your policies and client tasks — This means you don't have to rebuild them and could save you time.
• You retain your directory st

Page 42 - Deploying agents

• Test your upgrade in a VM environment with a copy of your SQL database to make sure the upgrade works smoothly.
• Validate all your settings to confir

Page 43

Move McAfee Agents between servers: Before the release of ePolicy Orchestrator 4.5, many customers wanted an upgrade path that would allow them to start

Page 44

Exporting and importing the ASSC keys: You must export the agent-server secure communication (ASSC) keys from the old server to the new server before moving

Page 45 - Communication column

What is the System Tree 47; Use Active Directory synchronization 47; Dynamically sorting your mach

Page 46

3. Select the systems to move to the new McAfee ePO server and click Actions | Agents | Transfer Systems. The Transfer Systems dialog box appears. 4. Sele

Page 47 - What is the System Tree

6 The McAfee Agent and your System Tree: The McAfee Agent and your System Tree are two of the most important pieces of your managed environment. The agent

Page 48

Once an agent is installed on a system, you never need to use a third-party deployment tool to update anything on that client. Figure 6-1 One agent to

Page 49

• A logon script
• Manual execution
• The McAfee ePO server
• Third-party tools
• An image with the agent as part of the image
You must use the specific Mc

Page 50

If you gave this custom McAfee Agent to your desktop team a year ago, it is probably outdated. It becomes outdated if, for example, you have made change

Page 51 - Manage policies

• The machines in your AD tree must be well maintained. This is not always the case in many larger organizations. Machines need to be deleted and place

Page 52 - McAfee agent policy

Using third-party tools is not a requirement, but your organization might have strict policies that dictate how products are deployed for consistency a

Page 53

Confirm you deleted the agent GUID before freezing the image: If you choose option 1, Include the agent in your Windows image, it can cause one of the mo

Page 54 - Configuring ASCI

Dynamically sorting your machines: To dynamically sort your machines into your ePolicy Orchestrator System Tree use a combination of system criteria, su

Page 56 - Deploying packages

Preface: This guide provides information about suggested best practices for using your McAfee ePolicy Orchestrator (McAfee ePO™) 4.5 and 4.0 software. Abo

Page 58

7 Managing endpoint security with policies and packages: Policies are the settings that govern each product on the endpoint. Packages are the binaries th

Page 59 - Client tasks

This is not an exhaustive list and new products are constantly being added as McAfee expands its solution portfolio. Because of the McAfee ePO server

Page 60

• Collects and sends its properties to the McAfee ePO server or Agent Handler
• Checks to see if any policy changes or client tasks have occurred on th

Page 61

Configuring ASCI: Configure the ASCI to determine how often every McAfee Agent calls the McAfee ePO server. The ASCI is set to 60 minutes by default. If

Page 62 - Updating products

Task: 1. Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list. 2. Click the General tab, an

Page 63

1. Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list. 2. Click the General tab, and ty

Page 64

Task: For option definitions, click ? in the interface. 1. Click Menu | Configuration | Server Settings, then in the Settings Category pane click Repositor

Page 66

8 Using Client and Server tasks in your managed environment: Client and Server tasks are, as their names imply, tasks that are carried out on your ePolicy

Page 67

What's in this guide: This guide outlines some core recommendations for implementing McAfee ePolicy Orchestrator software versions 4.5 and 4.0. This

Page 68

local and does not need to communicate with the McAfee ePO server. Policy enforcement makes the agent compare the last known product policy pulled from

Page 69 - Purge events automatically

• Bandwidth
• Which machines have the latest content for protection
• The quality of your compliance reports
If a deployment task is being deployed to mu

Page 70

The following formula calculates the bandwidth needed to move the 12 GB of data per repository randomly over a 9-hour workday. The total equals 1.33 GB

Page 71 - Purging events by query

4. Choose the content to update using this task. In this example the Daily Master Update task downloads the VirusScan Enterprise DAT and Engine files. If

Page 72

5. Click Next to configure the schedule for this task. The key to a good update task is updating several times per day at completely random intervals. Man

Page 73

Server tasks: Server tasks are any item that is scheduled to run on the McAfee ePO server itself. Using server tasks properly can significantly improve

Page 74

Task: For option definitions, click ? in the interface. 1. Click Menu | Automation | Server Tasks and click Actions | New Task. The Server Task dialog box

Page 75 - Reporting overview

Task: For option definitions, click ? in the interface. 1. Click Menu | Automation | Server Tasks, and click Actions | New Task. The Server Task dialog box

Page 76 - Custom queries

1. Pull content from McAfee into your master repository, which is always the McAfee ePO server.
2. Replicate that content to your distributed repositories.

Page 77

3. From the Repositories list, find the McAfee ePO server and click Disable in the Actions column. 4. Click Save to disable the McAfee ePO server reposit

Page 78

1 The history and architecture of ePolicy Orchestrator software: ePolicy Orchestrator software is a mature security management platform that delivers the

Page 79

Task: For option definitions, click ? in the interface. 1. Click Menu | Automation | Server Tasks, then click Action | New Task. The Server Task Builder di

Page 80

events is only 10 days because it collects all URLs that are visited by managed machines. This can save a lot of data in environments with greater than

Page 81

As systems are decommissioned, or disappear because of extended travel, users on leave, or other reasons, remove them from the System Tree. Removing th

Page 82 - Event summary queries

3. Optional. Instead of using the default subaction Delete Systems, you can select Move Systems to another Group. This moves the systems found by the que

Page 84

9 Reporting on your managed environment with Queries: ePolicy Orchestrator provides built in querying and reporting capabilities. These are highly customiz

Page 85

See McAfee ePolicy Orchestrator 4.5 Product Guide and McAfee ePolicy Orchestrator 4.5 Reporting Guide for details. The following example shows some of t

Page 86

• Have not communicated with the McAfee ePO server in a while
• Are suspected of not working properly when you attempt to wake them up
• Need a new agen

Page 87

Creating custom event queries: Create a custom query. Task: 1. Click Menu | Reporting | Queries, then Actions | New Query. The Query Wizard appears starting

Page 89

Overview of the product architecture: The architecture of the ePolicy Orchestrator software and its components provides all the functionality needed to m

Page 90

3. You must choose the label or variable that you want the report to display. There are many variables you can choose to have the McAfee Agent reports di

Page 91

4. You can choose the columns that you want to see if you drill down on any of the variables in your report. This is not a critical component when buildi

Page 92

5. Click Next to not create any filters and display all of the operating system types. 6. Click Run to generate the report and see the results. After you

Page 93 - FAQs and common scenarios

3. Click Events in the Features Group and Client Events in the Result Type. Click Next to continue to the Chart dialog box. 4. Under Summary, click Single

Page 94

5. Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human readable description of the even

Page 95

8. Click Run to display the query report. In this example there are 308 client events total. If you want, you can click one event and drill down on it t

Page 96

5. Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human readable description of the even

Page 97 - 1051 and 1059 events

8. Click Run to display the query report. The McAfee ePO server displays approximately 8,000 threat events total. The data shown in this example comes f

Page 98

9. To determine approximately how many events you should have on your network use the following formula: (10,000 nodes) x (1 to 2 million events) = estima

Page 99 - Maintaining your SQL database

4. If the event is important, make sure you are monitoring the number of events using the Creating event summary queries and Purging events automatically

Page 100

1. ePO server — Connects to the McAfee update server to download the latest security content
2. ePO Microsoft SQL database — Stores all the data about the

Page 101 - Disaster recovery

5. Click Next to skip the Columns dialog box. You can choose the columns you want to analyze. You can skip this step because the McAfee ePO server does n

Page 102

11. Find the custom query you just created and click it in the list. 12. Schedule the task to run every night, then click Save. You can use this technique

Page 104

10 FAQs and common scenarios: This chapter contains some frequently asked questions (FAQs) and some common scenarios that an ePolicy Orchestrator administ

Page 105 - Reference documentation

Task: 1. Click Menu | Automation | Server Tasks to open the Server Tasks Builder. 2. Click Edit for one of the following tasks.
• Duplicate Agent GUID — Clear

Page 106 - Other Informative Articles

Task: 1. Under Reliability and Performance, click Monitoring Tools | Performance Monitoring, then click the plus sign (+). The Add Counters dialog box appe

Page 107

You can also check how quickly your ePolicy Orchestrator server processes events from agents by looking in the Events folder on the McAfee ePO server.

Page 108

• "4.0.0" — Is the product revision number
• "1421" — Is the build number. That build number indicates this is "Patch 2"
T

Page 109

• Because the scan timed out due to the size of the file, which is a 1059 event
• The file was not scanned because it was inaccessible due to a passwor

Page 110

11 Maintaining your SQL database: For your McAfee ePO server to function correctly it is very important to have a well performing SQL database. It is the
