Topic: McAfee ePolicy Orchestrator (ePO)

[metalmunna]

lets try ePO setup again .... yes, passed that error but got a warning about SQL server, click OK ... got the installation window, next .. one more warning; setup is ready to install Microsoft Visual C++ 2008 redistributable on your system ... lets select Yes .. so it start installation Visual C++, now it wants a reboot ...

again, ePO setup ........ wow, working ... now wanted the license key ... lets give her that, i'm her master :@

lets walk forward .... choosing admin and password and now standing on set database information!m selecting that and next, new error:@ setup is unable to access the sql udp port 1434

to come out from this error, enable TCP/IP from the SQL server configuration manager>SQL Server Network Configuration>Protocols for SQL server> on right box you will get protocols list, from there enable the TCP/IP, and then select the TCP/IP Properties ... select IP Addresses tab, now look on the box Enable>Yes on IP1, IP2, IP3 ... it will want a restart for the SQL server, so do it ...

now try again the ePO setup ... yes, it's working now ........ now we are on set HTTP configuration ... if on your server installed Web service then you will get one more error to set different port for the agent server communication ..... if so, just change the default 80 to 82 and 443 to 444 ...... we left nothing more, so ....... it will start installing ..... and anytime it will be done:@

now we know how to install ePO 4.5(when i tried by myself alone those time i took 2 more days to get successful and have to solve alone all of that by my own)  ... have a nice day guys ......... no more today ..... but you can ask anything anytime !!!

[amko_sa]

Tnx metalmunna for this post. We use McAfee 8.7 and ePO 4.5 at work and we are very satisfied.
We have the server side and allow Mcafee agent installation on client machines.
Honestly I do not know how it all works.  

[metalmunna]

Tnx metalmunna for this post. We use McAfee 8.7 and ePO 4.5 at work and we are very satisfied.
We have the server side and allow Mcafee agent installation on client machines.
Honestly I do not know how it all works. 

thanks man,

but i know how it works and you should know too, when i will start telling server side configuration steps one by one ... coz i did it 3 times and wanna do 4th time too coz i should know more when doing it again. but not today!!

[amko_sa]

Super, I'll continue to follow this Topic

[metalmunna]

hi guys, i'm sorry to say that i can't start server side configuration before next friday coz my damn job has started again and job will be continue till next friday. so i might not start on this time ..... sorry guys but i will keep continue .. thanks to all!

note; you guys can ask me any question anytime related it and i will answer asap.

[metalmunna]

lets check for the image;
Log in screen of ePO;



accessible through local server; https://localhost:8443  [note; you have to use https]

through the whole network (from another pc or server which is connected on the same network) you have to use FQDN with the port number or IP address with the port number. Ex;

https://ePO.metalmunna.com:8443
https://10.0.0.5:8443

After logged in;



the 1st page is the dashboard and it's customizable, on the right side you will see; Options.

under Options you will found; new dashboard, manage dashboard, select active dashboard and edit dashboard preferences
but we will not talk about it now ... so leaving it here ...

[metalmunna]

Hello guys,

lets read some pages to get a clear idea of ePO internals;

The Menu;



The Menu is new in version 4.5 of ePolicy Orchestrator software. The Menu uses categories
that comprise the various ePO features and functionalities. Each category contains a list of
primary feature pages associated with a unique icon. The Menu and its categories replace static
group of section icons used to navigate the 4.0 version of the interface. For example, in the
4.5 version, the Reporting category includes all of the pages included in the 4.0 version Reporting
section, plus other commonly used reporting tools such as the Dashboards page. When an item
in the Menu is highlighted, its choices appear in the details pane of the interface.

The navigation bar;

In ePolicy Orchestrator 4.5, the navigation bar is customizable. In the 4.0 version of the interface,
the navigation bar was comprised of a fixed group of section icons that organized functionality
into categories. Now you can decide which icons are displayed on the navigation bar by dragging
any Menu item on or off the navigation bar. When you navigate to a page in the Menu, or click
an icon in the navigation bar, the name of that page is displayed in the blue box next to the
Menu.

On systems with 1024x768 screen resolution, the navigation bar can display six icons. When
you place more than six icons on the navigation bar, an overflow menu is created on the right
side of the bar. Click > to access the Menu items not displayed in the navigation bar. The icons
displayed in the navigation bar are stored as user preferences, so each user's customized
navigation bar is displayed regardless of which console they log on to.
Setting up ePolicy Orchestrator

How you set up ePolicy Orchestrator depends on the unique needs of your environment. This
process overview highlights the major set up and configuration required to use ePolicy
Orchestrator. Each of the steps represents a chapter in this product guide, where you can find
the detailed information you need to understand the features and functionalities of ePolicy
Orchestrator, along with the tasks needed to implement and use them.

Configure your ePO server;



To configure your ePO server, you'll need to:
• Set up user accounts
• Assign permission sets
• Configure ePO server settings

Set up user accounts;



Set up user accounts for all of the users in your network who need to access and use the ePolicy
Orchestrator software. You need to set up these accounts before assigning permission sets.
For more information on setting up user accounts, see ePO user accounts in Configuring ePolicy
Orchestrator.
To set up user accounts, click Menu | User Management | Users.

Assign permission sets;

Assign permission sets for your ePO users. Permission sets allow you to define what users are
allowed to do with the software. You can assign permission sets to individuals or to groups. For
more information on assigning permission sets, see How permission sets work in Managing
User Roles and Permissions.
To assign permission sets, click Menu | User Management | Permissions Sets.

Configure server settings;

Configure server settings for your specific environment. You can change the server settings at
any time. For more information on configuring server settings, see Server settings and the
behaviors they control in Managing User Roles and Permissions.
To configure server settings, click Menu | Configuration | Server Settings.



Add systems to the System Tree;



The System Tree allows you to organize and act on all systems you manage with ePolicy
Orchestrator. Before setting up other features, you must create your System Tree. There are
several ways you can add systems to the System Tree, including:
• Synchronize ePolicy Orchestrator with your Active Directory server.
• Browse to systems on your network individually.
• Add individual and groups of systems by importing a text (.txt) file containing a list of systems.
For more information on all of the methods you can use to add systems, including detailed
steps for each method, see Organizing the System Tree.
To begin adding systems to the System Tree, click Menu | Systems | System Tree.

Distribute agents to your systems;

Each system you want to manage must have the McAfee Agent installed. You can install agents
on Windows-based systems manually, or by using the ePO interface. You must install agents
on non-Windows systems manually.
Once agents are installed on all of your systems, you can use ePolicy Orchestrator to manage,
update, and report on these systems. For more information on distributing agents, see
Distributing Agents.
To begin distributing agents to your systems, click Menu | Systems | System Tree.

[metalmunna]

Create repositories;

Before deploying any products, components, or updates to your managed systems with ePolicy
Orchestrator, you must configure repositories. There are two types of repositories you can use
in your environment, master and distributed.

Master repository;

The master repository is located on your ePO server. It is the location where products and
updates that are pulled from the Source Site are saved. For more information about the master
repository, see Repository types and what they do in Creating Repositories.
To start working with the master repository, click Menu | Software | Master Repository.



Distributed repositories;

Distributed repositories are those that you place throughout your network. The placement and
type of distributed repositories you use depend on the unique needs of your organization and
environment. There are several ePO components and types you can use for distributed
repositories, including:
• SuperAgents
• FTP
• HTTP
• UNC share
• Unmanaged
The complexity and size of your network are determining factors in which type and how many
distributed repositories you use. For more information about distributed repositories, see
Repository types and what they do in Creating Repositories.
To start working with distributed repositories, click Menu | Software | Distributed
Repository.




Configure your policies and client tasks;

McAfee recommends that you configure policy settings before deploying the respective product,
component, or update to your managed systems. By doing so you can ensure that products
and components have the desired settings as soon as possible.

Policies;

A policy is a collection of settings that you create and configure. These policies are enforced
by McAfee products. Policies ensure that the managed security products are configured and
perform according to that collection of settings.
Once configured, policies can be enforced at any level of the System Tree, as well as on specific
groups of users. System policies are inherited from their parent group in the System Tree.
However, you can break inheritance at any location in the tree in order to enforce specific
policies at a particular location. For more information about policies, see Policy management
and Policy application in Configuring Policies and Client Tasks.
To start configuring policies for systems in the System Tree, click Menu | Policy | Policy
Catalog, then select a product from the Product menu and click Actions | New Policy.



Client tasks;

Client tasks are scheduled actions that run on managed systems that host any client-side
software. You can define tasks for the entire System Tree, a specific group, or an individual
system. Like policy settings, client tasks are inherited from parent groups in the System Tree.
For more information about client tasks, see Client tasks and what they do in Configuring Policies
and Client Tasks.
To start scheduling client tasks, click Menu | Systems | System Tree | Client Tasks, then
click Actions | New Task.

Deploy your products and software;

Once your repositories, policy settings, and client tasks are created and configured, you can
deploy products, components, and updates to the desired systems with ePolicy Orchestrator.
You can perform these actions as needed, or you can schedule them using server tasks. For
more information, see Deploying Software and Updates.
To schedule these actions, click Menu | Automation | Server Tasks, then click Actions |
New Task.

[metalmunna]

Configuring ePolicy Orchestrator;

The ePO server is the center of your managed environment, providing a single location from
which to administer system security throughout your network.
If your organization is very large or divided into multiple large sites, ePolicy Orchestrator 4.5
is scalable to allow you to customize how you set up your managed environment. You can:
• Install a separate ePO server at each site.
• Install remote Agent Handlers at each site, provided an ePO server is installed that you want
to communicate with.
The option you choose depends on the needs of your environment. Using remote agent handlers
allows you to reduce network traffic when managing agents and sending updates. Agent handlers
can also serve as distributed repositories. Remote agent handlers help to load balance your
network and increase fallback security, while passing all agent-server communication back to
your ePO server and its database.
Using multiple ePO servers differs from using remote agent handlers because each ePO server
maintains a separate database from which you can roll up information to your main ePO server
and database. Both choices can help to limit the amount of network traffic created within a
local LAN. Network traffic has a larger impact on your resources when this communication takes
place across WAN, VPN, or other slower network connections typically found between remote
sites.

Are you configuring the ePO server for the first time?

When configuring the ePO server for the first time:
1 Decide how to implement the flexibility of permission sets.
2 Create user accounts and permission sets, and assign the permission sets to the user
accounts as needed.
3 Set up your contacts list and email server settings.



ePO user accounts;

User accounts provide a means for users to access and use the software. They are associated
with permission sets, which define what users are allowed to do with the software.
You must create user accounts and permission sets to accommodate the needs of each user
that logs on to the ePO server. You can create accounts for individual users, or you can create
a permission set that maps to users or groups in your Active Directory/NT server.
There are two types of users, global administrators and users with limited permissions.

Global administrators;

Global administrators have read and write permissions and rights to all operations. When you
install the server, a global administrator account is created with the user name admin.
You can create additional global administrator accounts for people who require global
administrator rights.
Permissions exclusive to global administrators include:
• Create, edit, and delete source and fallback sites.
• Change server settings.
• Add and delete user accounts.
• Add, delete, and assign permission sets.
• Import events into ePolicy Orchestrator databases and limit events that are stored there.

Creating user accounts;

Use this task to create a user account. You must be a global administrator to add, edit, or delete
user accounts.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Users, then click New User. The New User page
appears.
2 Type a user name.
3 Select whether to enable or disable the logon status of this account. If this account is for
someone who is not yet a part of the organization, you might want to disable it.
4 Select whether the new account uses ePO authentication or Windows authentication,
and provide the required credentials.
5 Optionally, provide the user’s full name, email address, phone number, and a description
in the Notes text box.
6 Choose to make the user a global administrator, or select the appropriate permission sets
for the user.
7 Click Save to save the current entries and return to the Users tab. The new user should
appear in the Users list.



How permission sets work;

A permission set is a group of permissions that can be granted to users or Active Directory (AD)
groups by assigning it to those users’ accounts. One or more permission sets can be assigned
to users who are not global administrators (global administrators have all permissions to all
products and features).
Permission sets only grant rights and access — no permission ever removes rights or access.
When multiple permission sets are applied to a user account, they aggregate. For example, if
one permission set does not provide any permissions to server tasks, but another permission
set applied to the same account grants all permissions to server tasks, that account has all
permissions to server tasks. Consider this as you plan your strategy for granting permissions
to the users in your environment.

When are permission sets assigned?

Global administrators can assign existing permission sets when they create or edit user accounts
and when they create or edit permission sets.
What happens when I install new products?
When a new product extension is installed, it can add one or more groups of permissions to
the permission sets. For example, when you install a VirusScan Enterprise extension, a VirusScan
Enterprise section is added to each permission set. Initially, the newly added section is listed
in each permission set with no permissions yet granted. The global administrators can then
grant permissions to users through existing or new permission sets.

Default permission sets;

ePolicy Orchestrator 4.5 ships with four default permission sets that provide permissions to
ePolicy Orchestrator functionality. These are:
• Executive Reviewer — Provides view permissions to dashboards, events, contacts, and
can view information that relates to the entire System Tree.
• Global Reviewer — Provides view access globally across functionality, products, and the
System Tree, except for extensions, multi-server roll-up data, registered servers, and software.
• Group Admin — Provides view and change permissions across ePolicy Orchestrator features.
Users that are assigned this permission set each need at least one more permission set that
grants access to needed products and groups of the System Tree.
• Group Reviewer — Provides view permissions across ePolicy Orchestrator features. Users
that are assigned this permission set each need at least one more permission set that grants
access to needed products and groups of the System Tree.



Server settings and the behaviors they control;

Various settings control how the ePO server behaves. You can change most settings at any
time. But, only global administrators can access the server settings.
Types of ePO server settings are:
• Dashboards — Specifies the default active dashboard that is assigned to new users’ accounts
at the time of account creation, if one has been defined.
• Detected System Compliance — Specifies the settings that affect how rogue systems in
your network are identified and treated.
• Detected System Exception Categories — Specifies the categories that can be used to
mark systems in your environment as exceptions.
• Detected System Matching — Specifies the settings used to match detected systems and
system interfaces.
• Detected System OUIs — Specifies how your OUI (Organizationally Unique Identifier) list
is updated, and when the last update occurred.
• Email Server — Specifies the email server that is used when ePolicy Orchestrator sends
email messages.
• Event Filtering — Specifies which events are forwarded by the agent.
• Event Notification — Specifies the interval at which you want ePO Notification Events to
be sent to Automatic Responses.
• Global Updating — Specifies whether and how global updating is enabled.
• License Key — Specifies the 25 digit license key you provide while installing ePolicy
Orchestrator, via the hyperlink from the Log On to ePO page to an Enter License Key page,
or via this Server Settings page. McAfee introduced license keys to help customers with
license usage tracking needs and to be compliant with McAfee licensing terms.
• MyAvert Security Threats — Specifies the update frequency for the MyAvert Security
Threats service. If proxy settings are entered in Proxy Settings, they are used while collecting
MyAvert security threats.
• Policy Maintenance — Specifies whether policies for unsupported products are visible or
hidden. This is needed only after ePolicy Orchestrator is upgraded to 4.5 from a previous version.
• Ports — Specifies the ports used by the server when it communicates with agents and the
database.
• Printing and exporting — Specifies how information is exported to other formats, and
the template for PDF exports. It also specifies the default location where the exported files
are stored.
• Proxy Settings — Specifies the type of proxy settings configured for your ePO server.
• Repository Packages — Specifies whether any package can be checked in to any branch.
Only agents later then version 3.6 can retrieve packages other than updates from branches
other than Current.
• Rogue System Sensor — Specifies the settings that define behavior for Rogue System
Sensors in your network.
• Security Keys — Specifies and manages the agent-server secure communication keys, and
repository keys.
• Server Certificate — Specifies the server certificate that your ePO server uses for HTTPS
communication with browsers.
• System Tree Sorting — Specifies whether and how System Tree sorting is enabled in your
environment.
• User Auto Creation — Specifies whether ePO users are automatically created upon logon,
based on AD (Active Directory) user profiles.
• Windows Authentication — Specifies the domain name and Active Directory servers
configured. This is also used for user authentication. For example, Windows Authentication
is used to determine if the password entered should allow the user to log on to ePolicy
Orchestrator.
• Windows Authorization — Specifies the domain name and Active Directory servers
configured for use with this ePO server. This is used while dynamically assigning permissions
to the users who have logged on to ePolicy Orchestrator.

Enabling user autocreation;

Use this task to enable user autocreation, which creates ePO user account records for Active
Directory users when they first log on.

Before you begin;

Configure the following prerequisites before enabling User Auto Creation,
1 Register the LDAP server containing the user accounts with your ePO server.
NOTE: ePO 4.5 supports only Windows LDAP servers.



2 Edit Windows Authorization settings to map the corresponding domain and the registered
LDAP server.
NOTE: If the LDAP server is on a different domain, then specify the corresponding domain
controller on the Windows Authentication settings. For more information on editing windows
authentication settings, see Configuring Windows authentication section.
3 Create a new permission set and map the Active Directory groups.
NOTE: Permission sets are assigned to users based on the Active Directory groups mapped
to it. For example, User1 is a member of Group1 and Group2. P1 and P2 are permission
sets mapped to Group1 and Group2 respectively. In this case, User1 will have a combined
permissions of P1 and P2 to the ePO server.
4 Add users to be created to the Active Directory group.

[metalmunna]

Managing ePolicy Orchestrator users with Active Directory;

ePolicy Orchestrator 4.5 offers the ability to dynamically create ePO users and assign permission
sets to them by automatically creating users based on Windows authenticated user credentials.
This process is accomplished by mapping ePO permission sets to Active Directory groups in
your environment. This feature can reduce the management overhead when you have a large
number of ePO users in your organization. To complete the configuration, you must work though
the following process:
1 Configure user authentication.
2 Register LDAP servers.
3 Configure Windows authorization.
4 Assign permission sets to the Active Directory group.
5 Enable user autocreation.

User authentication;

ePolicy Orchestrator users can be authenticated with ePO password authentication or Windows
authentication. If you use Windows authentication, you can specify whether users authenticate:
• Against the domain that your ePO server is joined to (default).
• Against a list of one or more domain controllers.
• Using a WINS server to look up the appropriate domain controller.
If you use domain controllers or a WINS server, you must configure the Windows authentication
server setting.

Registered LDAP servers;

It is necessary to register LDAP servers with your ePO server to permit dynamically assigned
permission sets for Windows users. Dynamically assigned permission sets are permission sets
assigned to users based on their Active Directory group memberships.
NOTE: Users trusted via one-way external trusts are not supported. Active Directory is the only
LDAP server type supported at this time.
The user account used to register the LDAP server with ePolicy Orchestrator must be trusted
via a bi-directional transitive trust, or must physically exist on the domain where the LDAP
server belongs.

Windows authorization;

The server setting for Windows authorization specifies which Active Directory (AD) server ePolicy
Orchestrator uses to gather user and group information for a particular domain. You can specify
multiple domain controllers and AD servers. this server setting supports the ability to dynamically
assign permission sets to users that supply Windows credentials at login.
NOTE: ePolicy Orchestrator can dynamically assign permission sets Windows Authenticated
users even if user autocreation is not enabled.

Assign permissions;

You must assign at least one permission set to an AD group other than a user's Primary Group.
Dynamically assigning permission sets to a user's Primary Group is not supported, and results
in application of only those permissions manually assigned to the individual user.

User autocreation;

When you have configured the previously discussed sections, you can enable the User
autocreation server setting. User autocreation allows user records to be automatically created
when the following conditions are met:
• Users provide valid credentials, using the <domain\name> format. For example, a user with
Windows credentials jsmith1, who is a member of the Windows domain named eng, would
supply the following credentials: eng\jsmith1, along with the appropriate password.
• The domain used in the logon attempt maps to a domain listed in the windows authorization
server setting.
• The Active Directory server mapped to the domain contains a record for the user.
• The user is a member of at least one group that maps to an ePO permission set.

Configuring Windows authentication and authorization;
Use these tasks to set up automatic user creation.

Configuring Windows authentication;

Use this task to configure Windows authentication. How you configure these settings depends
on several variables:
• Do you want to use a WINS server to look up which domain your users are authenticating
against?
• Do you want to use multiple domain controllers?

By default, users can authenticate using Windows credentials for the domain that the ePO server
is joined to. If you have multiple domains, or your ePO server is not located in the same domain
as your users, you must configure Windows authentication

Before you begin;

To access the Windows Authentication page in the server settings, you must stop the ePolicy
Orchestrator application service using these steps:
1 From the server console, click Start | Settings | Control Panel | Administrative
Tools | Services. The Services window opens.
2 Right-click McAfee ePolicy Orchestrator Applications Server and select Stop.
3 Rename the WinAuth.dll file to WinAuth.bak.
NOTE: In default installations, this file's location is C:\Program Files\McAfee\ePolicy
Orchestrator\Server\bin.

Task;

For option definitions, click ? in the interface.

1 Click Menu | Configuration | Server Settings, then select Windows Authentication
from the Settings Categories list.
2 Click Edit. The Edit Windows Authentication page opens.
3 Specify whether to use Domain controllers or WINS server, using the DNS host name.
NOTE: You can specify multiple domain controllers, but only one WINS server. Click + to
add additional domain controllers to the list.
4 Click Save.