Samker's Computer Forum - SCforum.info

Server & Network Security Base: => System & Security Management => Topic started by: metalmunna on 17. February 2011., 19:51:55

Title: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 17. February 2011., 19:51:55
hi guys,

do you know about McAfee ePolicy Orchestrator? how it works and how to distribute to the whole enterprise network and manage and control? enough we talked like a kid for a simple antivirus, now we will work about the whole Enterprise security and how to controlling from a central point. so lets jump in advanced level ...

To know detail of McAfee ePolicy Orchestrator, walk here;
http://www.mcafee.com/us/products/security-management/index.aspx
http://www.mcafee.com/us/products/epolicy-orchestrator.aspx

(McAfee ePolicy Orchestrator (ePO) is widely acknowledged as the most advanced and scalable security management software in the industry. With ePO software, organizations of all sizes can efficiently manage any number of devices — all from a personalized web console. As a key component of the McAfee Security Management Platform, ePO software manages security across endpoints, networks, and data; integrates third-party solutions; and automates workflows to create efficiencies, streamline compliance, and provide visibility into security and compliance postures.

Only McAfee ePO delivers:

End-to-end visibility — Get a unified view of your security posture. A single point of reference for security data across endpoints, data, and networks provides immediate insight and shortens response times.

An open, extensible architecture — Easily leverage your existing IT infrastructure. McAfee ePO software connects management of both McAfee and third-party security solutions to your LDAP, IT operations, and configuration management tools.

Proven efficiencies — Respond quickly and spend less. Independent studies show ePO software helps organizations of every size streamline administrative tasks, ease audit fatigue, and reduce security management-related hardware costs.
)


we the guys who know better and have experience on McAfee ePolicy Orchestrator will try to help others who will be new and wanted to learn and deploy on small business to enterprise network ...
Title: Re: McAfee ePolicy Orchestrator - ePO (all about)
Post by: Samker on 17. February 2011., 21:30:05
Nice Topic Munna.  :thumbsup:
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 17. February 2011., 22:24:00
Nice Topic Munna.  :thumbsup:

thanks man, it's a nice enterprise security management software and fully automated ... most entry level and mid level administrators don't know how to automate (including automated installation, update, patch update, scanning, reporting ..etc.) the security system for the whole network, they feel it but don't know how to solve .. on the 1st stage it's a little complicated but not too much complicated ... OK we should learn more.

lets wait for the question .... i know it will take little more time to run ... i meant the topic. hoping will grow up soon and we all should learn something new by exchanging the experience and knowledge ..
Title: Re: McAfee ePolicy Orchestrator - ePO (common questions)
Post by: Samker on 18. February 2011., 06:02:35
Nice Topic Munna.  :thumbsup: 

lets wait for the question .... i know it will take little more time to run ... i meant the topic. hoping will grow up soon and we all should learn something new by exchanging the experience and knowledge ..

I'm sure this will be very popular Topic since We have a lot of McAfee users at SCF. ;)


Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 18. February 2011., 19:47:01
thanks man, till the question comes we can start learning(included me) .. from the very beginning by small part of every essential steps on each session;

(It is recommended that we should have a working knowledge of Microsoft Windows administration and system administration concepts, a basic understanding of computer security concepts, and a general understanding of viruses and anti-virus technologies.)

lets start from the installation and pre request installation;
(used by Official McAfee ePolicy Orchestrator 4.5 Installation Guide)

System requirements

Verify that your environment meets the minimum requirements listed here:
• Server and Agent Handler
• Database
• Distributed repositories

Server and Agent Handler requirements

Free disk space — 1 GB minimum (first-time installation); 1.5 GB minimum (upgrade);
2 GB recommended.
Memory — 1 GB available RAM; 2–4 GB recommended.
Processor — Intel Pentium III-class or higher; 1 GHz or higher.
Monitor — 1024x768, 256-color, VGA monitor.
NIC — Network interface card; 100 MB or higher.

NOTE: If using a server with more than one IP address, ePolicy Orchestrator uses the first
identified IP address. If you want to use additional IP addresses for agent-server communication,
see Installing an Agent Handler.
Dedicated server — If managing more than 250 computers, McAfee recommends using a
dedicated server.
File system — NTFS (NT file system) partition recommended.
IP address — McAfee recommends using static IP addresses for ePO servers.
Server-class operating system — 32bit or 64bit
• Windows Server 2003 Enterprise with Service Pack 2 or later
• Windows Server 2003 Standard with Service Pack 2 or later
• Windows Server 2003 Web with Service Pack 2 or later
• Windows Server 2003 R2 Enterprise with Service Pack 2 or later
• Windows Server 2003 R2 Standard with Service Pack 2 or later
• Windows Server 2008

NOTE: Installation is blocked if you attempt to install on a version of Windows earlier than
Server 2003. In addition, ePolicy Orchestrator stops functioning if, after having been installed
on Windows Server 2003, the server is upgraded to Windows Server 2008.

Browser
• Firefox 3.0
• Microsoft Internet Explorer 7.0 or 8.0
If using Internet Explorer and a proxy, follow these steps to bypass the proxy server.
1 From the Tools menu in Internet Explorer, select Internet Options.
2 Select the Connections tab and click LAN Settings.
3 Select Use a proxy server for your LAN, then select Bypass proxy server for local
addresses.
4 Click OK as needed to close Internet Options.
Domain controllers — The server must have a trust relationship with the Primary Domain
Controller (PDC) on the network. For instructions, see the Microsoft product documentation.
Security software
• Install and/or update the anti-virus software on the ePolicy Orchestrator server and scan
for viruses.

CAUTION: If running VirusScan Enterprise 8.5i or 8.7i on the system where you are installing
ePolicy Orchestrator, you must ensure that the VSE Access Protection rules are disabled
during the installation process, or the installation fails.
• Install and/or update firewall software on the ePolicy Orchestrator server.
Ports
• McAfee recommends avoiding the use of Port 8443 for HTTPS communication. Although this
is the default port, it is also the primary port used by many web-based activities, is a popular
target for malicious exploitation, and it is likely to be disabled by the system administrator
in response to a security violation or outbreak.

NOTE: Ensure that the ports you choose are not already in use on the ePolicy Orchestrator
server computer.
• Notify the network staff of the ports you intend to use for HTTP and HTTPS communication
via ePolicy Orchestrator.
NOTE: Installing the software on a Primary Domain Controller (PDC) is supported, but not
recommended.
Supported virtual infrastructure software
• VMware ESX 3.5.x
• Microsoft Virtual Server 2005 R2 with Service Pack 1
• Windows Server 2008 Hyper-V
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 18. February 2011., 20:00:17
Database requirements

Microsoft updates and patches: Update both the ePO server and the database server with the latest Microsoft security updates.
If you are upgrading from MSDE 2000 or SQL 2000, be sure to follow Microsoft's required upgrade scenarios.

Databases supported for use with ePolicy Orchestrator

• SQL Server 2005 Express. This database is included with ePolicy Orchestrator for use in
environments where there is no supported database available.
• SQL Server 2005.
• SQL Server 2008 Express.
• SQL Server 2008.

NOTE: Use of ePolicy Orchestrator with MSDE 2000 or SQL 2000 (or earlier) is not supported.
Database installation documented in this Guide


The only database installation scenario described in detail is a first-time installation of SQL
Server 2005 Express. In this scenario, the ePOSetup installs both the ePolicy Orchestrator
software and the database on the same server. If the database is to be installed on a different
server from the ePolicy Orchestrator software, manual installation is required on the remote
servers.

Other relevant database installations and upgrades

See the documentation provided by the database manufacturer for information about the
following installation scenarios:
• Installing SQL Server 2005.
• Installing SQL Server 2008.
• Upgrading from MSDE 2000.
• Upgrading from SQL 2000.
• Upgrading from SQL 2005.
• Upgrading from SQL 2005 Express.

• Maintenance settings — McAfee recommends making specific maintenance settings to
ePO databases.

• Dedicated server and network connection — Use a dedicated server and network
connection if managing more than 5,000 client computers.
• Local database server — If using SQL Server on the same system as the ePO server,
McAfee recommends using a fixed memory size in Enterprise Manager that is approximately
two-thirds of the total memory for SQL Server. For example, if the computer has 1GB of
RAM set 660MB as the fixed memory size for SQL Server.
• SQL Server licenses — If using SQL Server, a SQL Server license is required for each
processor on the computer where SQL Server is installed.
CAUTION: If the minimum number of SQL Server licenses is not available after you install
the SQL Server software, you may have issues installing or starting the ePolicy Orchestrator
software.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 18. February 2011., 20:12:14
Database considerations

Using ePolicy Orchestrator with a database

A database must be installed before ePolicy Orchestrator can be installed. Any of the following
databases, if previously installed, meets this requirement.
• SQL Server 2005
• SQL 2005 Express
• SQL 2008
• SQL 2008 Express
NOTE: SQL 2000 is not supported.

If none of those databases was previously installed, the ePO installation wizard detects that no
database is present and offers you the opportunity to install SQL Server 2005 Express.

Database requirements and notes

SQL Server 2005 or SQL Server 2008
• Dedicated server and network connection: Needed if managing more than 5,000 computers.
• Local database server: If the database and ePO server are on the same system, McAfee recommends using a fixed memory size in Enterprise Manager or SQL Server Management Studio that is approximately two-thirds of the total memory for SQL Server. For example, if the computer has 1 GB of RAM, set 660 MB as the fixed memory size for SQL Server.
• Licenses: A license is required for each processor on the computer where SQL Server is installed. If the minimum number of SQL Server licenses is not available, you might have difficulty installing or starting the ePolicy Orchestrator software.

SQL Server 2005 Express
• .NET Framework: You must acquire and install.

Software requirements and notes

• MSXML 6.0: You must acquire and install.
  1 From the Internet Explorer Tools menu, select Windows Update.
  2 Click Custom, then select Software.
  3 Select MSXML6.
  4 Select Review and install updates, then click Install Updates.
• Internet Explorer 7 or 8, or Firefox 3.0: You must acquire and install.
• .NET Framework 2.0: You must acquire and install if using SQL Server 2005 Express.
• Microsoft Visual C++ Redistributable: If not previously installed, the installation wizard installs automatically.
• Microsoft Visual C++ Redistributable - x86 9.0.21022: If not previously installed, the installation wizard installs automatically.
• MDAC 2.8: If not previously installed, the installation wizard installs automatically.
• SQL Server 2005 Backward Compatibility: If not previously installed, the installation wizard installs automatically.
• SQL Server 2005 Express: If no other database has been previously installed, this database can be installed automatically at user’s selection.
• Microsoft updates: Update the ePolicy Orchestrator server and the database server with the most current updates and patches.
• MSI 3.1: The installation fails if using a version of MSI previous to MSI 3.1.

Database installation documented in this guide

The only database installation scenario described in detail is a first-time installation of SQL
Server 2005 Express. In this scenario, the ePolicy Orchestrator Setup installs both the ePolicy
Orchestrator software and the database on the same server. If the database is to be installed
on a different server from the ePolicy Orchestrator software, manual installation of SQL is
required on the remote server.
Other relevant database installations and upgrades
See the documentation provided by the database manufacturer for information about the
following installation scenarios:
• Installing SQL Server 2005 or 2008.
• Upgrading from MSDE 2000 to SQL Server 2005 or 2008.
• Upgrading from MSDE 2000 to SQL Server 2005 Express.
Nested triggers — The SQL Server Nested Triggers option must be enabled.
Database collation — The only database collation supported by ePolicy Orchestrator is the
U.S. English default: SQL_Latin1_General_Cp1_CI_AS.
Maintenance settings — McAfee recommends making specific maintenance settings to ePolicy
Orchestrator databases. For instructions, see Maintaining ePolicy Orchestrator databases in the
ePolicy Orchestrator 4.5 Help.

SQL Server
Dedicated server and network connection — Use a dedicated server and network connection
if managing more than 5,000 client computers.
Local database server — If using SQL Server on the same system as the ePolicy Orchestrator
server, McAfee recommends using a fixed memory size in Enterprise Manager that is
approximately two-thirds of the total memory for SQL Server. For example, if the computer has
1 GB of RAM, set 660 MB as the fixed memory size for SQL Server.

SQL Server licenses — If using SQL Server, a SQL Server license is required for each processor
on the computer where SQL Server is installed.

CAUTION: If the minimum number of SQL Server licenses is not available after you install the
SQL Server software, you might have issues installing or starting the ePolicy Orchestrator
software.


Distributed repositories
Free disk space — 400 MB on the drive where the repository is stored.
NOTE: The disk space requirement for the distributed repositories on agents that are designated
as SuperAgents is equal to the disk space available for the master repository.
Memory — 256 MB minimum.

Possible hosts:
• HTTP-compliant servers on Microsoft Windows, Linux, or Novell NetWare operating systems
• Windows, Linux, or NetWare FTP servers
• Windows, Linux, or UNIX Samba UNC shares
• Computer with a SuperAgent installed on it


[NOTE; no more today, we will jump next stage tomorrow, now forget about it and go back as we were doing]
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 19. February 2011., 02:37:25
hi guys,

tomorrow we will start installing and i will do it on a virtual server and will keep telling every error i will get on installation time and how to solve, there must have some error on 1st time installation. i think no one can complete the installation 1st time(if have no previous experience and fixing error before installation) without fixing some default error which comes for the default system settings on the server ......

Supported products and components by ePO 4.5

• McAfee Agent 4.0 for Email and Web Security
• McAfee Agent 4.0 for HP-UX
• McAfee Agent 4.0 for Linux
• McAfee Agent 4.0 for Macintosh
• McAfee Agent 4.0 for Solaris
• McAfee Agent 4.5
• McAfee Agent for Windows Patch 1 and Patch 2
• McAfee Common Management Agent 3.7 Patch 1
• McAfee Common Management Agent MA 3.6 Patch 4
• McAfee Data Loss Prevention 2.1 Patch 2
• McAfee Data Loss Prevention 2.2
• McAfee Data Loss Prevention 3.0
• McAfee Email and Web Security 5.1 Appliance
• McAfee Endpoint Encryption 5.2.1
• McAfee Endpoint Encryption 5.3
• McAfee Endpoint Encryption Files/Folders 3.1 (EEFF)
• McAfee Endpoint Encryption Files/Folders 4.x (EEFF)
• McAfee EndPoint Encryption for Mobile 3.0 (EEMO)
• McAfee Foundstone 6.5.3
• McAfee GroupShield for Domino 7.0
• McAfee GroupShield for Exchange 6.0.2 with SKE
• McAfee GroupShield for Exchange 7.0
• McAfee GroupShield for Exchange 7.0 SP 1
• McAfee Host Intrusion Prevention 6.1 Patch 3
• McAfee Host Intrusion Prevention 7.0 Patch 3
• McAfee Host Intrusion Prevention 7.1
• McAfee IntruShield 4.1
• McAfee IntruShield 5.1
• McAfee LinuxShield 1.5.1
• McAfee Network Access Control 3.1
• McAfee Policy Auditor 5.1 (Feyman)
• McAfee PortalShield 2.0 Patch 1
• McAfee Quarantine Manager 6.0
• McAfee Rogue System Detection 2.0 Patch 2
• McAfee Security for Lotus Domino Linux 7.5
• McAfee Security for Macintosh v1.0
• McAfee SiteAdvisor Enterprise 1.6
• McAfee SiteAdvisor Enterprise 2.0+
• McAfee SiteAdvisor Enterprise 3.0
• McAfee VirusScan 8.5i with McAfee AntiSpyware Enterprise
• McAfee VirusScan 8.7 with McAfee AntiSpyware Enterprise
• McAfee VirusScan 8.8 with McAfee AntiSpyware Enterprise (it's not added on the main list but as i test that on real world scenario so i know it's compatible with ePo 4.5 too.)
• McAfee VirusScan Advanced Server (NetApp)
• McAfee VirusScan Advanced Server (SAP)
• McAfee VirusScan Advanced Server (Virtualization)
• McAfee VirusScan for Macintosh 8.6.1
• Symantec SAV 10.x
• Symantec SAV 9.x
• USB Device 1.0 (EEV)
• Vdisk 4.1 (EEV)
• vDisk for Macintosh 1.0
Title: Re: McAfee ePolicy Orchestrator - ePO (installation instructions)
Post by: metalmunna on 19. February 2011., 19:17:19
lets work ...

just finished installation Windows Server 2008 R2(DataCenter) on Hyper-V. kept the IP 10.0.0.5 with default mask and join it on the domain controller.

as needed to install SQL server for the ePO 4.5, so lets install the SQL server first .. i choose the SQL server 2012 CP version for this time and lets see what will happen!!

damn god, SQL server check list failed and need to install dotnet 4 ... ok, doing ........ done. lets try again the SQL 2011, working now ... choosing Express with Advanced Service as the edition .... Please Note; the SQL Browser must be enabled or you cannot complete the installation wizard when you will try to install ePO 4.5. so startup type of SQL Browser is Automatic.

now wait till the SQL Server installed ...
Title: How to install McAfee ePolicy Orchestrator (ePO)?
Post by: metalmunna on 19. February 2011., 19:54:17
done, SQL installation, lets jump to install the ePO 4.5 ... just run the setup ...
 
1st installation error; "The 8.3 naming convention is required for installation. Click "OK" to cancel this installation and enable the 8.3 naming convention before proceeding."

lets fix it ...

Click Start, Run, type regedit and click OK.
Navigate to and select the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]

In the right pane, right-click NtfsDisable8dot3NameCreation and select Properties.
Modify the Value data from 1 to 0.

NOTE: On Windows 2008 server the default value is 2 and will need to be changed to 0.

and restart the server ....
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 19. February 2011., 20:43:02
lets try ePO setup again .... yes, passed that error but got a warning about SQL server, click OK ... got the installation window, next .. one more warning; setup is ready to install Microsoft Visual C++ 2008 redistributable on your system ... lets select Yes .. so it start installation Visual C++, now it wants a reboot ...

again, ePO setup ........ wow, working ... now wanted the license key ... lets give her that, i'm her master :@

lets walk forward .... choosing admin and password and now standing on set database information!m selecting that and next, new error:@ setup is unable to access the sql udp port 1434

to come out from this error, enable TCP/IP from the SQL server configuration manager>SQL Server Network Configuration>Protocols for SQL server> on right box you will get protocols list, from there enable the TCP/IP, and then select the TCP/IP Properties ... select IP Addresses tab, now look on the box Enable>Yes on IP1, IP2, IP3 ... it will want a restart for the SQL server, so do it ...

now try again the ePO setup ... yes, it's working now ........ now we are on set HTTP configuration ... if on your server installed Web service then you will get one more error to set different port for the agent server communication ..... if so, just change the default 80 to 82 and 443 to 444 ...... we left nothing more, so ....... it will start installing ..... and anytime it will be done:@

now we know how to install ePO 4.5(when i tried by myself alone those time i took 2 more days to get successful and have to solve alone all of that by my own)  ... have a nice day guys ......... no more today ..... but you can ask anything anytime !!!
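
The setup blockers described in the posts above (8.3 name creation, the SQL Browser service and UDP 1434, and HTTP/HTTPS ports already taken by a web service) can be checked before running setup. The following read-only PowerShell script is an added example, not part of the original posts or McAfee's guide; the function names are made up for illustration, the service name SQLBrowser is assumed to be the default, and the port numbers are the ones mentioned in this thread.

```powershell
# Added example: read-only pre-install checks for the ePO 4.5 setup errors in this thread.
# Run in an elevated PowerShell session on the server BEFORE starting ePO setup.
# It changes nothing; it only reports what setup is likely to complain about.
# Assumption: the SQL Server Browser service uses its default name, SQLBrowser.

function New-CheckResult($Check, $Found, $Passed) {
    # PowerShell 2.0 compatible result object (Server 2008 R2 ships with 2.0).
    New-Object PSObject -Property @{ Check = $Check; Found = $Found; Passed = $Passed }
}

function Test-ShortNameCreation {
    # Setup refuses to run unless 8.3 name creation is enabled (value 0).
    # The thread notes that Windows Server 2008 defaults to 2.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $name  = 'NtfsDisable8dot3NameCreation'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
    New-CheckResult '8.3 name creation' "$name=$value" ($value -eq 0)
}

function Test-SqlBrowserService {
    # The post requires SQL Browser to be enabled with startup type Automatic.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='SQLBrowser'"
    if (-not $svc) {
        return New-CheckResult 'SQL Browser service' 'not installed' $false
    }
    $ok = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
    New-CheckResult 'SQL Browser service' "StartMode=$($svc.StartMode), State=$($svc.State)" $ok
}

function Test-SqlBrowserUdp {
    # Setup failed with "unable to access the sql udp port 1434";
    # confirm that something is actually bound to UDP 1434 locally.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $bound = @($props.GetActiveUdpListeners() | Where-Object { $_.Port -eq 1434 })
    New-CheckResult 'UDP 1434 listener' "$($bound.Count) endpoint(s) bound" ($bound.Count -gt 0)
}

function Test-PortFree([int[]]$Ports) {
    # Ports intended for ePO must not already be in use on this server.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $inUse = @($props.GetActiveTcpListeners() | ForEach-Object { $_.Port })
    foreach ($p in $Ports) {
        $free = $inUse -notcontains $p
        New-CheckResult "TCP port $p free" $(if ($free) { 'free' } else { 'already in use' }) $free
    }
}

$results  = @()
$results += Test-ShortNameCreation
$results += Test-SqlBrowserService
$results += Test-SqlBrowserUdp
# 80/443 are the defaults from the post, 82/444 the alternatives it suggests,
# 8443 is the console port used later in the thread.
$results += Test-PortFree -Ports 80, 443, 82, 444, 8443

$results | Select-Object Check, Found, Passed | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) need attention before running ePO setup."
}
```

A port reported as already in use is only a problem if you planned to give that port to ePO; pick the free alternative and tell the network staff which ports were chosen, as the installation guide asks.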
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: amko_sa on 19. February 2011., 21:38:13
Tnx metalmunna for this post. We use McAfee 8.7 and ePO 4.5 at work and we are very satisfied.
We have the server side and allow Mcafee agent installation on client machines.
Honestly I do not know how it all works.  ;D
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 19. February 2011., 21:56:18
Tnx metalmunna for this post. We use McAfee 8.7 and ePO 4.5 at work and we are very satisfied.
We have the server side and allow Mcafee agent installation on client machines.
Honestly I do not know how it all works.  ;D

thanks man,

but i know how it works and you should know too, when i will start telling server side configuration steps one by one ... coz i did it 3 times and wanna do 4th time too coz i should know more when doing it again. but not today!!
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: amko_sa on 19. February 2011., 22:03:35
Super, I'll continue to follow this Topic :)
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 20. February 2011., 16:57:54
hi guys, i'm sorry to say that i can't start server side configuration before next friday coz my damn job has started again and job will be continue till next friday. so i might not start on this time ..... sorry guys but i will keep continue .. thanks to all!

note; you guys can ask me any question anytime related it and i will answer asap.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 22. February 2011., 23:33:50
lets check for the image;
Log in screen of ePO;

(http://img12.imageshack.us/img12/6994/epo1st.jpg) (http://img12.imageshack.us/i/epo1st.jpg/)

accessible through local server; https://localhost:8443  [note; you have to use https]

through the whole network (from another pc or server which is connected on the same network) you have to use FQDN with the port number or IP address with the port number. Ex;

https://ePO.metalmunna.com:8443
https://10.0.0.5:8443

After logged in;

(http://img821.imageshack.us/img821/7237/epod.jpg) (http://img821.imageshack.us/i/epod.jpg/)

the 1st page is the dashboard and it's customizable, on the right side you will see; Options.

under Options you will find; new dashboard, manage dashboard, select active dashboard and edit dashboard preferences
but we will not talk about it now ... so leaving it here ...
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 25. February 2011., 19:22:16
Hello guys,

lets read some pages to get a clear idea of ePO internals;


The Menu;

(http://img641.imageshack.us/img641/5194/43919546.jpg) (http://img641.imageshack.us/i/43919546.jpg/)

The Menu is new in version 4.5 of ePolicy Orchestrator software. The Menu uses categories
that comprise the various ePO features and functionalities. Each category contains a list of
primary feature pages associated with a unique icon. The Menu and its categories replace static
group of section icons used to navigate the 4.0 version of the interface. For example, in the
4.5 version, the Reporting category includes all of the pages included in the 4.0 version Reporting
section, plus other commonly used reporting tools such as the Dashboards page. When an item
in the Menu is highlighted, its choices appear in the details pane of the interface.

The navigation bar;

In ePolicy Orchestrator 4.5, the navigation bar is customizable. In the 4.0 version of the interface,
the navigation bar was comprised of a fixed group of section icons that organized functionality
into categories. Now you can decide which icons are displayed on the navigation bar by dragging
any Menu item on or off the navigation bar. When you navigate to a page in the Menu, or click
an icon in the navigation bar, the name of that page is displayed in the blue box next to the
Menu.

On systems with 1024x768 screen resolution, the navigation bar can display six icons. When
you place more than six icons on the navigation bar, an overflow menu is created on the right
side of the bar. Click > to access the Menu items not displayed in the navigation bar. The icons
displayed in the navigation bar are stored as user preferences, so each user's customized
navigation bar is displayed regardless of which console they log on to.
Setting up ePolicy Orchestrator

How you set up ePolicy Orchestrator depends on the unique needs of your environment. This
process overview highlights the major set up and configuration required to use ePolicy
Orchestrator. Each of the steps represents a chapter in this product guide, where you can find
the detailed information you need to understand the features and functionalities of ePolicy
Orchestrator, along with the tasks needed to implement and use them.

Configure your ePO server;

(http://img64.imageshack.us/img64/4803/em1u.jpg) (http://img64.imageshack.us/i/em1u.jpg/)

To configure your ePO server, you'll need to:
• Set up user accounts
• Assign permission sets
• Configure ePO server settings

Set up user accounts;

(http://img156.imageshack.us/img156/5963/em2ar.jpg) (http://img156.imageshack.us/i/em2ar.jpg/)

Set up user accounts for all of the users in your network who need to access and use the ePolicy
Orchestrator software. You need to set up these accounts before assigning permission sets.
For more information on setting up user accounts, see ePO user accounts in Configuring ePolicy
Orchestrator.
To set up user accounts, click Menu | User Management | Users.

Assign permission sets;


Assign permission sets for your ePO users. Permission sets allow you to define what users are
allowed to do with the software. You can assign permission sets to individuals or to groups. For
more information on assigning permission sets, see How permission sets work in Managing
User Roles and Permissions.
To assign permission sets, click Menu | User Management | Permissions Sets.

Configure server settings;

Configure server settings for your specific environment. You can change the server settings at
any time. For more information on configuring server settings, see Server settings and the
behaviors they control in Managing User Roles and Permissions.
To configure server settings, click Menu | Configuration | Server Settings.

(http://img832.imageshack.us/img832/8830/em3f.jpg) (http://img832.imageshack.us/i/em3f.jpg/)

Add systems to the System Tree;

(http://img832.imageshack.us/img832/8830/em3f.jpg) (http://img832.imageshack.us/i/em3f.jpg/)

The System Tree allows you to organize and act on all systems you manage with ePolicy
Orchestrator. Before setting up other features, you must create your System Tree. There are
several ways you can add systems to the System Tree, including:
• Synchronize ePolicy Orchestrator with your Active Directory server.
• Browse to systems on your network individually.
• Add individual and groups of systems by importing a text (.txt) file containing a list of systems.
For more information on all of the methods you can use to add systems, including detailed
steps for each method, see Organizing the System Tree.
To begin adding systems to the System Tree, click Menu | Systems | System Tree.

Distribute agents to your systems;

Each system you want to manage must have the McAfee Agent installed. You can install agents
on Windows-based systems manually, or by using the ePO interface. You must install agents
on non-Windows systems manually.
Once agents are installed on all of your systems, you can use ePolicy Orchestrator to manage,
update, and report on these systems. For more information on distributing agents, see
Distributing Agents.
To begin distributing agents to your systems, click Menu | Systems | System Tree.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 25. February 2011., 20:36:59
Create repositories;

Before deploying any products, components, or updates to your managed systems with ePolicy
Orchestrator, you must configure repositories. There are two types of repositories you can use
in your environment, master and distributed.

Master repository;


The master repository is located on your ePO server. It is the location where products and
updates that are pulled from the Source Site are saved. For more information about the master
repository, see Repository types and what they do in Creating Repositories.
To start working with the master repository, click Menu | Software | Master Repository.

(http://img832.imageshack.us/img832/7992/em5a.jpg) (http://img832.imageshack.us/i/em5a.jpg/)

Distributed repositories;


Distributed repositories are those that you place throughout your network. The placement and
type of distributed repositories you use depend on the unique needs of your organization and
environment. There are several ePO components and types you can use for distributed
repositories, including:
• SuperAgents
• FTP
• HTTP
• UNC share
• Unmanaged
The complexity and size of your network are determining factors in which type and how many
distributed repositories you use. For more information about distributed repositories, see
Repository types and what they do in Creating Repositories.
To start working with distributed repositories, click Menu | Software | Distributed
Repository.

(http://img38.imageshack.us/img38/7931/em6v.jpg) (http://img38.imageshack.us/i/em6v.jpg/)


Configure your policies and client tasks;

McAfee recommends that you configure policy settings before deploying the respective product,
component, or update to your managed systems. By doing so you can ensure that products
and components have the desired settings as soon as possible.

Policies;

A policy is a collection of settings that you create and configure. These policies are enforced
by McAfee products. Policies ensure that the managed security products are configured and
perform according to that collection of settings.
Once configured, policies can be enforced at any level of the System Tree, as well as on specific
groups of users. System policies are inherited from their parent group in the System Tree.
However, you can break inheritance at any location in the tree in order to enforce specific
policies at a particular location. For more information about policies, see Policy management
and Policy application in Configuring Policies and Client Tasks.
To start configuring policies for systems in the System Tree, click Menu | Policy | Policy
Catalog, then select a product from the Product menu and click Actions | New Policy.

(http://img141.imageshack.us/img141/4186/em7l.jpg) (http://img141.imageshack.us/i/em7l.jpg/)

Client tasks;


Client tasks are scheduled actions that run on managed systems that host any client-side
software. You can define tasks for the entire System Tree, a specific group, or an individual
system. Like policy settings, client tasks are inherited from parent groups in the System Tree.
For more information about client tasks, see Client tasks and what they do in Configuring Policies
and Client Tasks.
To start scheduling client tasks, click Menu | Systems | System Tree | Client Tasks, then
click Actions | New Task.

Deploy your products and software;

Once your repositories, policy settings, and client tasks are created and configured, you can
deploy products, components, and updates to the desired systems with ePolicy Orchestrator.
You can perform these actions as needed, or you can schedule them using server tasks. For
more information, see Deploying Software and Updates.
To schedule these actions, click Menu | Automation | Server Tasks, then click Actions |
New Task.

(http://img543.imageshack.us/img543/3872/em8g.jpg) (http://img543.imageshack.us/i/em8g.jpg/)
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 25. February 2011., 21:05:00
Configuring ePolicy Orchestrator;

The ePO server is the center of your managed environment, providing a single location from
which to administer system security throughout your network.
If your organization is very large or divided into multiple large sites, ePolicy Orchestrator 4.5
is scalable to allow you to customize how you set up your managed environment. You can:
• Install a separate ePO server at each site.
• Install remote Agent Handlers at each site, provided an ePO server is installed that you want
to communicate with.
The option you choose depends on the needs of your environment. Using remote agent handlers
allows you to reduce network traffic when managing agents and sending updates. Agent handlers
can also serve as distributed repositories. Remote agent handlers help to load balance your
network and increase fallback security, while passing all agent-server communication back to
your ePO server and its database.
Using multiple ePO servers differs from using remote agent handlers because each ePO server
maintains a separate database from which you can roll up information to your main ePO server
and database. Both choices can help to limit the amount of network traffic created within a
local LAN. Network traffic has a larger impact on your resources when this communication takes
place across WAN, VPN, or other slower network connections typically found between remote
sites.

Are you configuring the ePO server for the first time?

When configuring the ePO server for the first time:
1 Decide how to implement the flexibility of permission sets.
2 Create user accounts and permission sets, and assign the permission sets to the user
accounts as needed.
3 Set up your contacts list and email server settings.

(http://img189.imageshack.us/img189/4790/em9d.jpg) (http://img189.imageshack.us/i/em9d.jpg/)

ePO user accounts;

User accounts provide a means for users to access and use the software. They are associated
with permission sets, which define what users are allowed to do with the software.
You must create user accounts and permission sets to accommodate the needs of each user
that logs on to the ePO server. You can create accounts for individual users, or you can create
a permission set that maps to users or groups in your Active Directory/NT server.
There are two types of users, global administrators and users with limited permissions.

Global administrators;

Global administrators have read and write permissions and rights to all operations. When you
install the server, a global administrator account is created with the user name admin.
You can create additional global administrator accounts for people who require global
administrator rights.
Permissions exclusive to global administrators include:
• Create, edit, and delete source and fallback sites.
• Change server settings.
• Add and delete user accounts.
• Add, delete, and assign permission sets.
• Import events into ePolicy Orchestrator databases and limit events that are stored there.

Creating user accounts;

Use this task to create a user account. You must be a global administrator to add, edit, or delete
user accounts.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Users, then click New User. The New User page
appears.
2 Type a user name.
3 Select whether to enable or disable the logon status of this account. If this account is for
someone who is not yet a part of the organization, you might want to disable it.
4 Select whether the new account uses ePO authentication or Windows authentication,
and provide the required credentials.
5 Optionally, provide the user’s full name, email address, phone number, and a description
in the Notes text box.
6 Choose to make the user a global administrator, or select the appropriate permission sets
for the user.
7 Click Save to save the current entries and return to the Users tab. The new user should
appear in the Users list.

(http://img835.imageshack.us/img835/9255/em11w.jpg) (http://img835.imageshack.us/i/em11w.jpg/)

How permission sets work;

A permission set is a group of permissions that can be granted to users or Active Directory (AD)
groups by assigning it to those users’ accounts. One or more permission sets can be assigned
to users who are not global administrators (global administrators have all permissions to all
products and features).
Permission sets only grant rights and access — no permission ever removes rights or access.
When multiple permission sets are applied to a user account, they aggregate. For example, if
one permission set does not provide any permissions to server tasks, but another permission
set applied to the same account grants all permissions to server tasks, that account has all
permissions to server tasks. Consider this as you plan your strategy for granting permissions
to the users in your environment.

When are permission sets assigned?

Global administrators can assign existing permission sets when they create or edit user accounts
and when they create or edit permission sets.

What happens when I install new products?

When a new product extension is installed, it can add one or more groups of permissions to
the permission sets. For example, when you install a VirusScan Enterprise extension, a VirusScan
Enterprise section is added to each permission set. Initially, the newly added section is listed
in each permission set with no permissions yet granted. The global administrators can then
grant permissions to users through existing or new permission sets.

Default permission sets;

ePolicy Orchestrator 4.5 ships with four default permission sets that provide permissions to
ePolicy Orchestrator functionality. These are:
• Executive Reviewer — Provides view permissions to dashboards, events, contacts, and
can view information that relates to the entire System Tree.
• Global Reviewer — Provides view access globally across functionality, products, and the
System Tree, except for extensions, multi-server roll-up data, registered servers, and software.
• Group Admin — Provides view and change permissions across ePolicy Orchestrator features.
Users that are assigned this permission set each need at least one more permission set that
grants access to needed products and groups of the System Tree.
• Group Reviewer — Provides view permissions across ePolicy Orchestrator features. Users
that are assigned this permission set each need at least one more permission set that grants
access to needed products and groups of the System Tree.

(http://img62.imageshack.us/img62/3836/em12.jpg) (http://img62.imageshack.us/i/em12.jpg/)

Server settings and the behaviors they control;

Various settings control how the ePO server behaves. You can change most settings at any
time. But, only global administrators can access the server settings.
Types of ePO server settings are:
• Dashboards — Specifies the default active dashboard that is assigned to new users’ accounts
at the time of account creation, if one has been defined.
• Detected System Compliance — Specifies the settings that affect how rogue systems in
your network are identified and treated.
• Detected System Exception Categories — Specifies the categories that can be used to
mark systems in your environment as exceptions.
• Detected System Matching — Specifies the settings used to match detected systems and
system interfaces.
• Detected System OUIs — Specifies how your OUI (Organizationally Unique Identifier) list
is updated, and when the last update occurred.
• Email Server — Specifies the email server that is used when ePolicy Orchestrator sends
email messages.
• Event Filtering — Specifies which events are forwarded by the agent.
• Event Notification — Specifies the interval at which you want ePO Notification Events to
be sent to Automatic Responses.
• Global Updating — Specifies whether and how global updating is enabled.
• License Key — Specifies the 25 digit license key you provide while installing ePolicy
Orchestrator, via the hyperlink from the Log On to ePO page to an Enter License Key page,
or via this Server Settings page. McAfee introduced license keys to help customers with
license usage tracking needs and to be compliant with McAfee licensing terms.
• MyAvert Security Threats — Specifies the update frequency for the MyAvert Security
Threats service. If proxy settings are entered in Proxy Settings, they are used while collecting
MyAvert security threats.
• Policy Maintenance — Specifies whether policies for unsupported products are visible or
hidden. This is needed only after ePolicy Orchestrator is upgraded to 4.5 from a previous version.
• Ports — Specifies the ports used by the server when it communicates with agents and the
database.
• Printing and exporting — Specifies how information is exported to other formats, and
the template for PDF exports. It also specifies the default location where the exported files
are stored.
• Proxy Settings — Specifies the type of proxy settings configured for your ePO server.
• Repository Packages — Specifies whether any package can be checked in to any branch.
Only agents later than version 3.6 can retrieve packages other than updates from branches
other than Current.
• Rogue System Sensor — Specifies the settings that define behavior for Rogue System
Sensors in your network.
• Security Keys — Specifies and manages the agent-server secure communication keys, and
repository keys.
• Server Certificate — Specifies the server certificate that your ePO server uses for HTTPS
communication with browsers.
• System Tree Sorting — Specifies whether and how System Tree sorting is enabled in your
environment.
• User Auto Creation — Specifies whether ePO users are automatically created upon logon,
based on AD (Active Directory) user profiles.
• Windows Authentication — Specifies the domain name and Active Directory servers
configured. This is also used for user authentication. For example, Windows Authentication
is used to determine if the password entered should allow the user to log on to ePolicy
Orchestrator.
• Windows Authorization — Specifies the domain name and Active Directory servers
configured for use with this ePO server. This is used while dynamically assigning permissions
to the users who have logged on to ePolicy Orchestrator.

Enabling user autocreation;

Use this task to enable user autocreation, which creates ePO user account records for Active
Directory users when they first log on.

Before you begin;

Configure the following prerequisites before enabling User Auto Creation:
1 Register the LDAP server containing the user accounts with your ePO server.
NOTE: ePO 4.5 supports only Windows LDAP servers.

(http://img197.imageshack.us/img197/8731/em13.jpg) (http://img197.imageshack.us/i/em13.jpg/)

2 Edit Windows Authorization settings to map the corresponding domain and the registered
LDAP server.
NOTE: If the LDAP server is on a different domain, then specify the corresponding domain
controller on the Windows Authentication settings. For more information on editing Windows
authentication settings, see the Configuring Windows authentication section.
3 Create a new permission set and map the Active Directory groups.
NOTE: Permission sets are assigned to users based on the Active Directory groups mapped
to it. For example, User1 is a member of Group1 and Group2. P1 and P2 are permission
sets mapped to Group1 and Group2 respectively. In this case, User1 will have the combined
permissions of P1 and P2 to the ePO server.
4 Add users to be created to the Active Directory group.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 25. February 2011., 21:50:46
Managing ePolicy Orchestrator users with Active Directory;

ePolicy Orchestrator 4.5 offers the ability to dynamically create ePO users and assign permission
sets to them by automatically creating users based on Windows authenticated user credentials.
This process is accomplished by mapping ePO permission sets to Active Directory groups in
your environment. This feature can reduce the management overhead when you have a large
number of ePO users in your organization. To complete the configuration, you must work through
the following process:
1 Configure user authentication.
2 Register LDAP servers.
3 Configure Windows authorization.
4 Assign permission sets to the Active Directory group.
5 Enable user autocreation.

User authentication;

ePolicy Orchestrator users can be authenticated with ePO password authentication or Windows
authentication. If you use Windows authentication, you can specify whether users authenticate:
• Against the domain that your ePO server is joined to (default).
• Against a list of one or more domain controllers.
• Using a WINS server to look up the appropriate domain controller.
If you use domain controllers or a WINS server, you must configure the Windows authentication
server setting.

Registered LDAP servers;

It is necessary to register LDAP servers with your ePO server to permit dynamically assigned
permission sets for Windows users. Dynamically assigned permission sets are permission sets
assigned to users based on their Active Directory group memberships.
NOTE: Users trusted via one-way external trusts are not supported. Active Directory is the only
LDAP server type supported at this time.
The user account used to register the LDAP server with ePolicy Orchestrator must be trusted
via a bi-directional transitive trust, or must physically exist on the domain where the LDAP
server belongs.

Windows authorization;

The server setting for Windows authorization specifies which Active Directory (AD) server ePolicy
Orchestrator uses to gather user and group information for a particular domain. You can specify
multiple domain controllers and AD servers. This server setting supports the ability to dynamically
assign permission sets to users that supply Windows credentials at login.
NOTE: ePolicy Orchestrator can dynamically assign permission sets to Windows Authenticated
users even if user autocreation is not enabled.

Assign permissions;

You must assign at least one permission set to an AD group other than a user's Primary Group.
Dynamically assigning permission sets to a user's Primary Group is not supported, and results
in application of only those permissions manually assigned to the individual user.

User autocreation;

When you have configured the previously discussed sections, you can enable the User
autocreation server setting. User autocreation allows user records to be automatically created
when the following conditions are met:
• Users provide valid credentials, using the <domain\name> format. For example, a user with
Windows credentials jsmith1, who is a member of the Windows domain named eng, would
supply the following credentials: eng\jsmith1, along with the appropriate password.
• The domain used in the logon attempt maps to a domain listed in the windows authorization
server setting.
• The Active Directory server mapped to the domain contains a record for the user.
• The user is a member of at least one group that maps to an ePO permission set.

Configuring Windows authentication and authorization;
Use these tasks to set up automatic user creation.

Configuring Windows authentication;

Use this task to configure Windows authentication. How you configure these settings depends
on several variables:
• Do you want to use a WINS server to look up which domain your users are authenticating
against?
• Do you want to use multiple domain controllers?

By default, users can authenticate using Windows credentials for the domain that the ePO server
is joined to. If you have multiple domains, or your ePO server is not located in the same domain
as your users, you must configure Windows authentication.

Before you begin;

To access the Windows Authentication page in the server settings, you must stop the ePolicy
Orchestrator application service using these steps:
1 From the server console, click Start | Settings | Control Panel | Administrative
Tools | Services. The Services window opens.
2 Right-click McAfee ePolicy Orchestrator Applications Server and select Stop.
3 Rename the WinAuth.dll file to WinAuth.bak.
NOTE: In default installations, this file's location is C:\Program Files\McAfee\ePolicy
Orchestrator\Server\bin.

Task;

For option definitions, click ? in the interface.

1 Click Menu | Configuration | Server Settings, then select Windows Authentication
from the Settings Categories list.
2 Click Edit. The Edit Windows Authentication page opens.
3 Specify whether to use Domain controllers or WINS server, using the DNS host name.
NOTE: You can specify multiple domain controllers, but only one WINS server. Click + to
add additional domain controllers to the list.
4 Click Save.

(http://img839.imageshack.us/img839/2898/em15.jpg) (http://img839.imageshack.us/i/em15.jpg/)
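
The aggregation rule from "How permission sets work" and the four user autocreation conditions listed above, modelled as an added Python sketch that is not part of the original posts or of ePO itself. P1/P2 and Group1/Group2 come from the post's example; P3, the permission strings, the sample users and all function names are constructed, and treating a mapping that exists only on the Primary Group as not satisfying the fourth condition is an assumption drawn from the "Assign permissions" note.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data. P1/P2 and Group1/Group2 follow the post's example;
# P3, the permission strings and the users in the "eng" domain are invented.
PERMISSION_SETS: Dict[str, Set[str]] = {
    "P1": {"dashboards:view", "queries:view"},
    "P2": {"server_tasks:view", "server_tasks:edit"},
    "P3": {"policy_catalog:view"},
}
# Active Directory group -> permission sets mapped to it.
GROUP_TO_SETS: Dict[str, Set[str]] = {
    "Group1": {"P1"},
    "Group2": {"P2"},
    "Domain Users": {"P3"},
}


@dataclass(frozen=True)
class ADUser:
    name: str
    primary_group: str
    groups: FrozenSet[str]  # every membership, Primary Group included


# Domains listed in the Windows authorization server setting -> AD user records.
AUTHORIZED_DOMAINS: Dict[str, Dict[str, ADUser]] = {
    "eng": {
        "user1": ADUser("user1", "Domain Users",
                        frozenset({"Domain Users", "Group1", "Group2"})),
        "jsmith1": ADUser("jsmith1", "Domain Users", frozenset({"Domain Users"})),
    }
}


def dynamic_permission_sets(user: ADUser) -> Set[str]:
    """Permission sets reached through AD groups; the Primary Group is skipped."""
    names: Set[str] = set()
    for group in user.groups - {user.primary_group}:
        names |= GROUP_TO_SETS.get(group, set())
    return names


def effective_permissions(user: ADUser, manual_sets: Tuple[str, ...] = ()) -> Set[str]:
    """Union of every assigned set: sets only grant, so nothing is subtracted."""
    granted: Set[str] = set()
    for name in dynamic_permission_sets(user) | set(manual_sets):
        granted |= PERMISSION_SETS[name]
    return granted


def autocreation_decision(logon: str, password_ok: bool) -> Tuple[bool, str]:
    """Walk the four autocreation conditions in the order the post lists them."""
    domain, sep, name = logon.partition("\\")
    if not (sep and domain and name and password_ok):
        return False, "credentials invalid or not in domain\\name format"
    directory = AUTHORIZED_DOMAINS.get(domain)
    if directory is None:
        return False, "domain not listed in Windows authorization"
    user = directory.get(name)
    if user is None:
        return False, "no Active Directory record for the user"
    if not dynamic_permission_sets(user):
        return False, "no non-primary group maps to a permission set"
    return True, "user record created"


def holders_of(permission: str) -> List[str]:
    """Audit helper: which directory users end up with a given permission."""
    return sorted(
        f"{domain}\\{user.name}"
        for domain, directory in AUTHORIZED_DOMAINS.items()
        for user in directory.values()
        if permission in effective_permissions(user)
    )
```

Because permission sets only add rights, reviewing a single set in isolation understates what an account can do; an audit has to compute the union per user, as `holders_of` does.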
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 26. February 2011., 00:05:46
Organizing the System Tree;

(http://img534.imageshack.us/img534/9800/em16c.jpg) (http://img534.imageshack.us/i/em16c.jpg/)

In ePolicy Orchestrator, the System Tree is the starting point for organizing your managed
environment.


• System Tree — The System Tree allows for easy management of policies and tasks, and
organization of systems and groups.
• Tags — Tags allow you to create labels that can be applied to systems manually or
automatically, based on criteria assigned to the tag. You can sort systems into groups based
on tags (like IP address sorting), send client tasks to computers based on tags, or use tags
for criteria in queries.
• NT Domain and Active Directory synchronization — This feature now allows for:
  • True synchronization of the Active Directory structure.
  • Control of potential duplicate system entries in the System Tree.
  • Control of systems in the System Tree when they are deleted from the domain or
  container.
• Sorting systems into groups automatically — You can now use tags as sorting criteria,
in addition to the previous functionality provided by IP address sorting. Each type of sorting
criteria can be used alone or in combination.

The System Tree contains all of the systems managed by ePolicy Orchestrator; it is the primary
interface for managing policies and tasks on these systems. You can organize systems into
logical groups (for example, functional department or geographic location), and sort them by
IP address, subnet masks, or tags. You can manage policies (product configuration settings)
and schedule tasks (for example, updating virus definition files) for systems at any level of the
System Tree.

Before configuring ePolicy Orchestrator to deploy or manage the security software in your
environment, you must plan how to best organize systems for management and select the
methods to bring into and keep systems in the System Tree.
TIP: Many factors can influence how you should create and organize your System Tree. McAfee
recommends taking time to review this entire guide before you begin creating your System
Tree.

Are you setting up the System Tree for the first time?
When setting up the System Tree for the first time:
1 Evaluate the methods of populating the System Tree with your systems, and keeping it
up-to-date. For example, through Active Directory synchronization, or criteria-based sorting.
2 Create and populate the System Tree.

The System Tree;

The System Tree organizes managed systems in units for monitoring, assigning policies,
scheduling tasks, and taking actions.
Groups
The System Tree is a hierarchical structure that allows you to combine your systems within
units called groups.
Groups have these characteristics:
• Groups can be created by global administrators or users with the appropriate permissions.
• A group can include both systems and other groups.
• Groups are administered by a global administrator or a user with appropriate permissions.
Grouping systems with similar properties or requirements into these units allows you to manage
policies for systems in one place, rather than setting policies for each system individually.
As part of the planning process, consider the best way to organize systems into groups prior
to building the System Tree.

Lost&Found group;

The System Tree root (My Organization) includes a Lost&Found group. Depending on the
methods for creating and maintaining the System Tree, the server uses different characteristics
to determine where to place systems. The Lost&Found group stores systems whose locations
could not be determined.
The Lost&Found group has these characteristics:
• It can't be deleted.
• It can't be renamed.
• Its sorting criteria can't be changed from being a catch-all group (although you can provide
sorting criteria for the subgroups you create within it.)
• It always appears last in the list and is not alphabetized among its peers.
• Users must be granted permissions to the Lost&Found group to see the contents of
Lost&Found.
• When a system is sorted into Lost&Found, it is placed in a subgroup named for the system’s
domain. If no such group exists, one is created.

CAUTION: If you delete systems from the System Tree, be sure you select the option to remove
their agents. If the agent is not removed, deleted systems reappear in the Lost&Found group
because the agent continues to communicate to the server.

Inheritance;

Inheritance is an important property that simplifies policy and task administration. Because of
inheritance, child groups in the System Tree hierarchy inherit policies set at their parent groups.
For example:
• Policies set at the My Organization level of the System Tree are inherited by groups below
it.
• Group policies are inherited by subgroups or individual systems within that group.
Inheritance is enabled by default for all groups and individual systems that you add to the
System Tree. This allows you to set policies and schedule client tasks in fewer places.
To allow for customization, however, inheritance can be broken by applying a new policy at
any location of the System Tree (provided a user has appropriate permissions). You can lock
policy assignments to preserve inheritance.

Considerations when planning your System Tree;

An efficient and well-organized System Tree can simplify maintenance. Many administrative,
network, and political realities of each environment can affect how your System Tree is
structured. Plan the organization of the System Tree before you build and populate it. Especially
for a large network, you want to build the System Tree only once.
Because every network is different and requires different policies — and possibly different
management — McAfee recommends planning your System Tree before implementing the ePO
software.

Regardless of the methods you choose to create and populate the System Tree, consider your
environment while planning the System Tree.

Administrator access;

When planning your System Tree organization, consider the access requirements of those who
must manage the systems.
For example, you might have very decentralized network administration in your organization,
where different administrators have responsibilities over different parts of the network. For
security reasons, you might not have a global administrator account that can access every part
of your network. In this scenario, you might not be able to set policies and deploy agents using
a single global administrator account. Instead, you might need to organize the System Tree
into groups based on these divisions and create accounts and permission sets.
Consider these questions:
• Who is responsible for managing which systems?
• Who requires access to view information about the systems?
• Who should not have access to the systems and the information about them?
These questions impact both the System Tree organization, and the permission sets you create

Active Directory and NT domain synchronization;

(http://img339.imageshack.us/img339/8681/em17.jpg) (http://img339.imageshack.us/i/em17.jpg/)

ePolicy Orchestrator 4.5 can integrate with Active Directory and NT domains as a source for
systems, and even (in the case of Active Directory) as a source for the structure of the System
Tree.

Active Directory synchronization;

If your network runs Active Directory, you can use Active Directory synchronization to create,
populate, and maintain part or all of the System Tree with Active Directory synchronization
settings. Once defined, the System Tree is updated with any new systems (and subcontainers)
in your Active Directory.

Active Directory integration allows you to:

• Synchronize with your Active Directory structure, by importing systems and the Active
Directory subcontainers (as System Tree groups) and keeping them up-to-date with Active
Directory. At each synchronization, both systems and the structure are updated in the System
Tree to reflect the systems and structure of Active Directory.
• Import systems as a flat list from the Active Directory container (and its subcontainers) into
the synchronized group.
• Control what to do with potential duplicate systems.
• Use the system description, which is imported from Active Directory with the systems.
In previous versions of ePolicy Orchestrator, there were the two tasks: Active Directory Import
and Active Directory Discovery. Now, use this process to integrate the System Tree with your
Active Directory systems structure:


1 Configure the synchronization settings on each group that is a mapping point in the System
Tree. At the same location, you can configure whether to:
• Deploy agents to discovered systems.
• Delete systems from the System Tree when they are deleted from Active Directory.
• Allow or disallow duplicate entries of systems that already exist elsewhere in the System
Tree.
2 Use the Synchronize Now action to import Active Directory systems (and possibly structure)
into the System Tree according to the synchronization settings.
3 Use an NT Domain/Active Directory Synchronization server task to regularly synchronize
the systems (and possibly the Active Directory structure) with the System Tree according
to the synchronization settings.

Systems and structure;

When using this synchronization type, changes in the Active Directory structure are carried over
into your System Tree structure at the next synchronization. When systems or containers are
added, moved, or removed in Active Directory, they are added, moved, or removed in the
corresponding locations of the System Tree.
When to use this synchronization type
Use this to ensure that the System Tree (or parts of it) look exactly like your Active Directory
structure.
If the organization of Active Directory meets your security management needs and you want
the System Tree to continue to look like the mapped Active Directory structure, use this
synchronization type with subsequent synchronization.

Systems only;

Use this synchronization type to import systems from an Active Directory container, including
those in non-excluded subcontainers, as a flat list to a mapped System Tree group. You can
then move these to appropriate locations in the System Tree by assigning sorting criteria to
groups.
If you choose this synchronization type, be sure to select not to add systems again if they exist
elsewhere in the System Tree. This prevents duplicate entries for systems in the System Tree.
When to use this synchronization type
Use this synchronization type when you use Active Directory as a regular source of systems for
ePolicy Orchestrator, but the organizational needs for security management do not coincide
with the organization of containers and systems in Active Directory.


NT domain synchronization;

Use your NT domains as a source for populating your System Tree. When you synchronize a
group to an NT domain, all systems from the domain are put in the group as a flat list. You can
manage these systems in the single group, or you can create subgroups for more granular
organizational needs. Use a method, like automatic sorting, to populate these subgroups
automatically.
If you move systems to other groups or subgroups of the System Tree, be sure to select to not
add the systems when they already exist elsewhere in the System Tree. This prevents duplicate
entries for systems in the System Tree.
Unlike Active Directory synchronization, only the system names are synchronized with NT domain
synchronization; the system description is not synchronized.

How a system is first placed in the System Tree;



When the agent communicates with the server for the first time, the server uses an algorithm
to place the system in the System Tree. When it cannot find an appropriate location for a system,
it puts the system in the Lost&Found group.
At the first agent-server communication
On each agent-server communication, the server attempts to locate the system in the System
Tree by agent GUID (only systems whose agents have already called into the server for the
first time have an agent GUID in the database). If a matching system is found, it is left in its
existing location.
If a matching system is not found, the server uses an algorithm to sort the systems into the
appropriate groups. Systems can be sorted into any criteria-based group in the System Tree,
no matter how deep it is in the structure, as long as each parent group in the path does not
have non-matching criteria. Parent groups of a criteria-based subgroup must have either no
criteria or matching criteria.
Remember, the order that subgroups are placed in the Group Details tab determines the order
that subgroups are considered by the server when it searches for a group with matching criteria.
1 The server searches for a system without an agent GUID (its agent has never called in
before) with a matching name in a group with the same name as the domain. If found,
the system is placed in that group. This can happen after the first Active Directory or NT
domain synchronization, or when you have manually added systems to the System Tree.
2 If a matching system is still not found, the server searches for a group of the same name
as the domain where the system originates. If such a group is not found, one is created
under the Lost&Found group, and the system is placed there.
3 Properties are updated for the system.
4 The server applies all criteria-based tags to the system if the server is configured to run
sorting criteria at each agent-server communication.
5 What happens next depends on whether System Tree sorting is enabled on both the server
and the system.

(http://img545.imageshack.us/img545/7981/em18t.jpg) (http://img545.imageshack.us/i/em18t.jpg/)

Importing Active Directory containers;

Use this task to import systems from your network’s Active Directory containers directly into
your System Tree by mapping Active Directory source containers to the groups of the System
Tree. Unlike previous versions, you can now:
• Synchronize the System Tree structure to the Active Directory structure so that when
containers are added or removed in Active Directory, the corresponding group in the System
Tree is added or removed also.
• Delete systems from the System Tree when they are deleted from Active Directory.
• Prevent duplicate entries of systems in the System Tree when they already exist in other
groups.


Task;

For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Group Details, then select the desired group
in the System Tree. This should be the group to which you want to map an Active Directory
container.
NOTE: You cannot synchronize the Lost&Found group of the System Tree.

2 Next to Synchronization type, click Edit. The Synchronization Settings page for the
selected group appears.

(http://img87.imageshack.us/img87/7741/em19.jpg) (http://img87.imageshack.us/i/em19.jpg/)
(http://img534.imageshack.us/img534/9800/em16c.jpg) (http://img534.imageshack.us/i/em16c.jpg/)
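The first-placement sequence pasted from the product guide in the post above, modelled as an added example (not McAfee's code and not part of the original post). IP-subnet criteria, the single `sorting_enabled` flag, looking for the domain group under Lost&Found, and the sample tree are assumptions made for the illustration.

```python
import ipaddress

class Group:
    def __init__(self, name, criteria=None, children=()):
        self.name = name
        self.criteria = criteria        # None, or a CIDR string (assumed criteria type)
        self.children = list(children)  # list order = subgroup order on the Group Details tab
        self.systems = {}               # system name -> agent GUID (None = never called in)

def walk(group, path=()):
    path = path + (group.name,)
    yield path, group
    for child in group.children:
        yield from walk(child, path)

def sort_by_criteria(group, ip, path):
    for child in group.children:        # siblings are tried in listed order
        hit = child.criteria and ipaddress.ip_address(ip) in ipaddress.ip_network(child.criteria)
        if child.criteria and not hit:
            continue                    # a parent with non-matching criteria blocks its subtree
        deeper = sort_by_criteria(child, ip, path + (child.name,))
        if deeper or hit:
            return deeper or (path + (child.name,), child)
    return None

def place(root, name, domain, guid, ip, sorting_enabled=True):
    for path, g in walk(root):
        if guid in g.systems.values():
            return path                 # known agent GUID: left in its existing location
    # Step 1: entry without a GUID, same name, in a group named like the domain
    spot = next(((p, g) for p, g in walk(root)
                 if g.name == domain and name in g.systems and g.systems[name] is None), None)
    if spot is None:                    # Step 2: domain group under Lost&Found (created if missing)
        lost = next(c for c in root.children if c.name == "Lost&Found")
        g = next((c for c in lost.children if c.name == domain), None)
        if g is None:
            g = Group(domain)
            lost.children.append(g)
        spot = ((root.name, lost.name, domain), g)
    first = spot[1]
    if sorting_enabled:                 # Step 5, reduced to one on/off flag (assumption)
        spot = sort_by_criteria(root, ip, (root.name,)) or spot
    path, g = spot
    first.systems.pop(name, None)       # avoid leaving a duplicate entry behind
    g.systems[name] = guid
    return path

def build_tree():                       # constructed sample tree, not from the post
    return Group("My Organization", children=[
        Group("Servers", "10.1.0.0/16", [Group("DMZ", "10.1.9.0/24")]),
        Group("Sites", None, [Group("Branch", "10.2.0.0/16")]),
        Group("EXAMPLE"),               # synchronized group named like the domain
        Group("Lost&Found"),
    ])
```

Systems that fall through to `Lost&Found` are the ones no criteria-based or synchronized group claimed, so they are the ones to review after a synchronization.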
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 26. February 2011., 00:26:43
no more today, tomorrow i will try to make it easy and quick ..... till now i did that to make you understand that there are a lot of areas where you have to ride before jumping to deployment of McAfee software (antivirus, agent .... etc.) automatically to the clients ... for now ta ta ....
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 26. February 2011., 21:04:32
OK boys,

lets start again ....

today we will add our network directory (Active Directory) to the ePO System Tree.

to add the AD network structure to the ePO System Tree, follow me ....
Menu | Systems | System Tree

(http://img585.imageshack.us/img585/2954/epo1.jpg) (http://img585.imageshack.us/i/epo1.jpg/)

select My Organization, now look at the right pane .. under My Organization there are 4 submenus;

Systems|Assigned Policies|Client Tasks|Group Details

select Group Details and then click Edit from Synchronization type: None  Edit

the new window has 3 options;

Synchronization type:    
None
NT Domain
Active Directory

let's select Active Directory, and then we will get a new look of the page with a lot of options;

I'm selecting;

Synchronization type: Active Directory
Synchronize: Systems and container structure
Systems that exist elsewhere in the System Tree: Move systems from their current System Tree location to the synchronized group
Active Directory domain: Use specific AD server; mp5.metalmunna.com (FQDN or AD Server)
                                 [ You can use Use registered LDAP server if you already registered your LDAP (AD) on the ePO through Menu|Configuration|Registered Servers ]

Active Directory credentials: Domain: metalmunna.com
                                       User name: administrator
then password and confirm password!

(http://img823.imageshack.us/img823/6302/epo2.jpg) (http://img823.imageshack.us/i/epo2.jpg/)

Container: use Browse and select the root directory and then OK.

(http://img191.imageshack.us/img191/6785/epo3.jpg) (http://img191.imageshack.us/i/epo3.jpg/)

Exceptions: do nothing here now

Push Agent: Push agents to new systems when they are discovered
      Push settings:  Not configured
so click configure settings; and do it, see the picture ...
(http://img26.imageshack.us/img26/3725/epo4.jpg) (http://img26.imageshack.us/i/epo4.jpg/)

When systems are deleted from the synchronization point: Leave the systems in their current location in the System Tree

Last synchronization: (never synchronized) and a tab synchronize now.

you will get this message; A synchronization task for this group is in progress. Go to the Server Task Log to check the status.

now click save and come out from this page and now you will see your AD structure on ePO System Tree;
(http://img707.imageshack.us/img707/8456/epo5.jpg) (http://img707.imageshack.us/i/epo5.jpg/)

now ePO knows our network structure ... and at the same time the McAfee agent will be installed on the whole network's servers and PCs automatically ....

Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 26. February 2011., 21:37:51
you might have missed something if you saw no agent installed automatically

if so, jump on Menu|Software|Master Repository

and now we have to add McAfee Agent, McAfee Enterprise VirusScan or any other McAfee product's Zip Packages, so ..

Click Action and then Check in Package

(http://img228.imageshack.us/img228/1362/epo6.jpg) (http://img228.imageshack.us/i/epo6.jpg/)

then ...

What package are you checking in?
Note: If distributed repositories are set up to replicate only selected packages, your newly checked-in package will be replicated by default. To avoid replicating a newly checked-in package, deselect it from each distributed repository or disable the replication task before checking in the package.
Package type: Product or Update (.ZIP)
File path: \\epo\Mcafee Enterprise All & Original\XYZ.zip

(http://img156.imageshack.us/img156/5924/epo7.jpg) (http://img156.imageshack.us/i/epo7.jpg/)

Next .. save. so keep save the installer package on this screen by that simple step ..

(http://img826.imageshack.us/img826/2544/epo8.jpg) (http://img826.imageshack.us/i/epo8.jpg/)

So don't forget to do it before adding the AD on the ePO system tree ...
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 27. February 2011., 18:28:13
hi guys,

i skip so many things coz i'm waiting for the error or questions. whatever, next i will start how to install McAfee VirusScan Enterprise on a domain automatically ... till then .... nothing!!!
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 04. March 2011., 19:31:39
OK boys, time to work again ...

as i told, next time we will set the McAfee VirusScan Enterprise to the domain to deploy automatically, it's such a simple task if you already configured your ePO server ... so follow me;

Menu>System tree

now jump on the right box; My Organization>Client Tasks;

note; if you want to deploy to the whole domain then you should stay on the root level of the domain tree, or if you want to deploy VSE only to an OU then you should select that OU before jumping on the client task!

now, under the Client Tasks screen, look at the bottom and you will see New Task, so click it ...

(http://img821.imageshack.us/img821/7350/18432723.jpg)

on the name field, use a name for the task; VSE 8.8
on the note field you can keep it blank or you can keep any note! next one ... Type; there are a lot of options here but we will select "Product Deployment", next is Tags and leave that default; Send this task to all computers. click Next to go to the next screen

(http://img843.imageshack.us/img843/9040/41897110.jpg)

What do you want this task to do?
Target platforms: Windows
Products and components: VirusScan Enterprise 8.8 | Action: Install | Language: Neutral | Branch: Current. (use plus (+) to add more products!)
Options: Run at every policy enforcement (Windows only), check/uncheck and then NEXT;

(http://img141.imageshack.us/img141/3244/20776290.jpg)

When do you want this task to run?
Schedule status: Enable
Schedule type :Run  Immediately or as you need

keep other default and click Next ...

Click "Save" to add the client task. and summary. now click the save to come out from this screen ...

(http://img145.imageshack.us/img145/4092/47680911.jpg)

now wait some minutes and then check your workstations or servers of that OU ... is the McAfee VirusScan Enterprise 8.8 Installed?

(http://img232.imageshack.us/img232/5103/11020911.jpg)

it's done ...... if not ask me!!!
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: vishwanath99 on 25. March 2011., 10:45:42
Hi metalmunna nice topic u hv chosen..

Maximum how much system is it control, what r d product it controls and how. Is it manages only Mcafee product. Is it manage only security product
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 25. March 2011., 16:44:51
Hi metalmunna nice topic u hv chosen..

Maximum how much system is it control, what r d product it controls and how. Is it manages only Mcafee product. Is it manage only security product

hi, ePO can manage thousands of systems, depending on your server and hardware;

example; a 2 processor ePO server with a 4 processor SQL server can manage 34,200 client systems with a required response time of 1 hour.

for Supported products and components in ePO 4.5 please check this link; https://kc.mcafee.com/corporate/index?page=content&id=KB66144
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: vishwanath99 on 30. March 2011., 07:52:56
How can we use user defined rules in access protection
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 30. March 2011., 20:06:27
How can we use user defined rules in access protection

for that you have to create a policy; menu>policy>policy catalog> create new policy (don't forget to select the product that you wanted to create new policy)
Title: McAfee ePolicy Orchestrator ePO
Post by: PanyPayomma on 02. December 2011., 06:15:30
I would stick with the ones you are using at present, I haven't had the best experiences with McAfee in the past. AVG FTW
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 14. February 2012., 22:35:40
I would stick with the ones you are using at present, I haven't had the best experiences with McAfee in the past. AVG FTW

i only trust McAfee, that depends on the flexibility and use too, so don't blame any one coz that depends on your expertise too, if you want then you can open a topic for AVG FTW too. anyway thanks for the comment.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: niflheim on 03. April 2012., 13:16:09
Hi !
I would like to install ePO server 4.6 silently on a Windows 2008 R2 server.
I searched on the Internet but I didn't find any mention of it being possible. Even on McAfee's support service portal.
Do you know how to do it ? Or is it impossible ?
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 03. April 2012., 17:20:06
Hi !
I would like to install ePO server 4.6 silently on a Windows 2008 R2 server.
I searched on the Internet but I didn't find any mention of it being possible. Even on McAfee's support service portal.
Do you know how to do it ? Or is it impossible ?


hi there,

i'm not sure what you mean by "install silently", you meant to install automatically by GPO or like that? if so, that's not possible and please stop thinking to install all software that way, especially server & service type software. thanks.

it's impossible to install ePO server without a human hand:@, but after installing the ePO server and needed configuration, you can install all other security software silently and without any human hand on the system ... as it's a management software, so by it you can manage all from a central point.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: Pez on 03. April 2012., 17:55:32
Hi !
I would like to install ePO server 4.6 silently on a Windows 2008 R2 server.
I searched on the Internet but I didn't find any mention of it being possible. Even on McAfee's support service portal.
Do you know how to do it ? Or is it impossible ?


Are you not confused by the names of the different products at McAfee???
Do you really mean the ePO Server 4.6 and not VirusScan Enterprise???

The ePO is management software you use to change the configuration of VirusScan on the clients and servers in your company and to check whether you have a virus in the network. Normally you only need one ePO server if you have good connectivity on your company's network. The only time you need to split it up across more servers is when you have a slow connection on the WAN or MAN side. On the LAN side you probably just need one server, and the least management is to just use one server if possible. So why you need a silent installation of ePO I don't understand. Do you normally install SMS servers and so on by silent installation or ???

So I suppose you want to install VirusScan Enterprise instead. You probably should read this:
https://community.mcafee.com/thread/24738?start=0&tstart=0

https://kc.mcafee.com/corporate/index?page=content&id=KB50382

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22944/en_US/vse_880_installation_guide_en-us.pdf

Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: bimen on 08. October 2012., 15:53:40
that is nice ...
good Topic
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: shafeeqahmad07 on 04. December 2012., 02:31:19
hi everyone, i m new here.
i am trying to deploy agents to my local pc, but then i cant see any of my end users pc under the system tree/my organization group

could you please help me out with it? i really have no idea on how to work this thing

thank you
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: Samker on 05. December 2012., 17:24:47
hi everyone, i m new here.
i am trying to deploy agents to my local pc, but then i cant see any of my end users pc under the system tree/my organization group

could you please help me out with it? i really have no idea on how to work this thing

thank you

Hi Ahmad,

You'll need to wait for reply from SCforum's Moderator "MetalMunna".

Please be patient...

Best Regards,

S.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: metalmunna on 15. January 2013., 16:50:25
hi everyone, i m new here.
i am trying to deploy agents to my local pc, but then i cant see any of my end users pc under the system tree/my organization group

could you please help me out with it? i really have no idea on how to work this thing

thank you

i'm so sorry for late reply, i m on run at my work that haven't time to take a look around the world :@ anyway ..

you have to add and register your domain on ePO, please take a look from the 2nd page middle and first from the 3rd page of this topic: http://scforum.info/index.php/topic,5450.20.html
Title: Re: McAfee ePolicy Orchestrator (ePO) installation Errors
Post by: lakkireddymadhu on 20. January 2014., 11:48:27
Hello everyone,

I am Madhusudhana Reddy, new to this forum.

I have uploaded solutions to some of the McAfee ePO installation issues on my blog, please refer to the following link:
http://lakkireddymadhu.wordpress.com/2014/01/16/mcafee-epo-installation-errors/

Please share your thoughts.
Title: Re: McAfee ePolicy Orchestrator (ePO) Admin password lost
Post by: lakkireddymadhu on 20. January 2014., 11:53:58
One fine morning all of a sudden I got a doubt, what if I lost McAfee ePO admin password and there were no additional accounts configured. I opened my laptop and started Googling for the solution. There were more blogs describing this issue, but none had a satisfying solution. After a rigorous search on the Internet, I found two good and easy solutions. For solutions, please click on my blog:
http://lakkireddymadhu.wordpress.com/2014/01/20/mcafee-epo-admin-password-lost/

Please share your thoughts.
Title: Re: McAfee ePolicy Orchestrator (ePO)
Post by: devnullius on 20. January 2014., 13:58:51
Thanx for sharing, I guess. I don't know anything about McAfee, except that 'I' don't like it ;p

Still, SCForum is a big fan of McAfee, so curious what the others think...

Welcome!

devnullius