Author Topic: McAfee ePolicy Orchestrator (ePO)  (Read 76490 times)


metalmunna

  • SCF Moderator
  • *****
  • Posts: 141
  • KARMA: 20
  • Gender: Male
    • my heart bleeds for none but my own!
Re: McAfee ePolicy Orchestrator (ePO)
« Reply #20 on: 26. February 2011., 00:05:46 »
Organizing the System Tree;



In ePolicy Orchestrator, the System Tree is the starting point for organizing your managed
environment.


• System Tree — The System Tree allows for easy management of policies and tasks, and
organization of systems and groups.
• Tags — Tags allow you to create labels that can be applied to systems manually or
automatically, based on criteria assigned to the tag. You can sort systems into groups based
on tags (like IP address sorting), send client tasks to computers based on tags, or use tags
for criteria in queries.
• NT Domain and Active Directory synchronization — This feature now allows for:
  • True synchronization of the Active Directory structure.
  • Control of potential duplicate system entries in the System Tree.
  • Control of systems in the System Tree when they are deleted from the domain or
  container.
• Sorting systems into groups automatically — You can now use tags as sorting criteria,
in addition to the previous functionality provided by IP address sorting. Each type of sorting
criteria can be used alone or in combination.

The System Tree contains all of the systems managed by ePolicy Orchestrator; it is the primary
interface for managing policies and tasks on these systems. You can organize systems into
logical groups (for example, functional department or geographic location), and sort them by
IP address, subnet masks, or tags. You can manage policies (product configuration settings)
and schedule tasks (for example, updating virus definition files) for systems at any level of the
System Tree.

Before configuring ePolicy Orchestrator to deploy or manage the security software in your
environment, you must plan how to best organize systems for management and select the
methods to bring into and keep systems in the System Tree.
TIP: Many factors can influence how you should create and organize your System Tree. McAfee
recommends taking time to review this entire guide before you begin creating your System
Tree.

Are you setting up the System Tree for the first time?
When setting up the System Tree for the first time:
1 Evaluate the methods of populating the System Tree with your systems, and keeping it
up-to-date. For example, through Active Directory synchronization, or criteria-based sorting.
2 Create and populate the System Tree.

The System Tree;

The System Tree organizes managed systems in units for monitoring, assigning policies,
scheduling tasks, and taking actions.
Groups
The System Tree is a hierarchical structure that allows you to combine your systems within
units called groups.
Groups have these characteristics:
• Groups can be created by global administrators or users with the appropriate permissions.
• A group can include both systems and other groups.
• Groups are administered by a global administrator or a user with appropriate permissions.
Grouping systems with similar properties or requirements into these units allows you to manage
policies for systems in one place, rather than setting policies for each system individually.
As part of the planning process, consider the best way to organize systems into groups prior
to building the System Tree.

Lost&Found group;

The System Tree root (My Organization) includes a Lost&Found group. Depending on the
methods for creating and maintaining the System Tree, the server uses different characteristics
to determine where to place systems. The Lost&Found group stores systems whose locations
could not be determined.
The Lost&Found group has these characteristics:
• It can't be deleted.
• It can't be renamed.
• Its sorting criteria can't be changed from being a catch-all group (although you can provide
sorting criteria for the subgroups you create within it.)
• It always appears last in the list and is not alphabetized among its peers.
• Users must be granted permissions to the Lost&Found group to see the contents of
Lost&Found.
• When a system is sorted into Lost&Found, it is placed in a subgroup named for the system’s
domain. If no such group exists, one is created.

CAUTION: If you delete systems from the System Tree, be sure you select the option to remove
their agents. If the agent is not removed, deleted systems reappear in the Lost&Found group
because the agent continues to communicate to the server.

Inheritance;

Inheritance is an important property that simplifies policy and task administration. Because of
inheritance, child groups in the System Tree hierarchy inherit policies set at their parent groups.
For example:
• Policies set at the My Organization level of the System Tree are inherited by groups below
it.
• Group policies are inherited by subgroups or individual systems within that group.
Inheritance is enabled by default for all groups and individual systems that you add to the
System Tree. This allows you to set policies and schedule client tasks in fewer places.
To allow for customization, however, inheritance can be broken by applying a new policy at
any location of the System Tree (provided a user has appropriate permissions). You can lock
policy assignments to preserve inheritance.

Considerations when planning your System Tree;

An efficient and well-organized System Tree can simplify maintenance. Many administrative,
network, and political realities of each environment can affect how your System Tree is
structured. Plan the organization of the System Tree before you build and populate it. Especially
for a large network, you want to build the System Tree only once.
Because every network is different and requires different policies — and possibly different
management — McAfee recommends planning your System Tree before implementing the ePO
software.

Regardless of the methods you choose to create and populate the System Tree, consider your
environment while planning the System Tree.

Administrator access;

When planning your System Tree organization, consider the access requirements of those who
must manage the systems.
For example, you might have very decentralized network administration in your organization,
where different administrators have responsibilities over different parts of the network. For
security reasons, you might not have a global administrator account that can access every part
of your network. In this scenario, you might not be able to set policies and deploy agents using
a single global administrator account. Instead, you might need to organize the System Tree
into groups based on these divisions and create accounts and permission sets.
Consider these questions:
• Who is responsible for managing which systems?
• Who requires access to view information about the systems?
• Who should not have access to the systems and the information about them?
These questions impact both the System Tree organization, and the permission sets you create

Active Directory and NT domain synchronization;



ePolicy Orchestrator 4.5 can integrate with Active Directory and NT domains as a source for
systems, and even (in the case of Active Directory) as a source for the structure of the System
Tree.

Active Directory synchronization;

If your network runs Active Directory, you can use Active Directory synchronization to create,
populate, and maintain part or all of the System Tree with Active Directory synchronization
settings. Once defined, the System Tree is updated with any new systems (and subcontainers)
in your Active Directory.

Active Directory integration allows you to:

• Synchronize with your Active Directory structure, by importing systems and the Active
Directory subcontainers (as System Tree groups) and keeping them up-to-date with Active
Directory. At each synchronization, both systems and the structure are updated in the System
Tree to reflect the systems and structure of Active Directory.
• Import systems as a flat list from the Active Directory container (and its subcontainers) into
the synchronized group.
• Control what to do with potential duplicate systems.
• Use the system description, which is imported from Active Directory with the systems.
In previous versions of ePolicy Orchestrator, there were two tasks: Active Directory Import
and Active Directory Discovery. Now, use this process to integrate the System Tree with your
Active Directory systems structure:

1 Configure the synchronization settings on each group that is a mapping point in the System
Tree. At the same location, you can configure whether to:
• Deploy agents to discovered systems.
• Delete systems from the System Tree when they are deleted from Active Directory.
• Allow or disallow duplicate entries of systems that already exist elsewhere in the System
Tree.
2 Use the Synchronize Now action to import Active Directory systems (and possibly structure)
into the System Tree according to the synchronization settings.
3 Use an NT Domain/Active Directory Synchronization server task to regularly synchronize
the systems (and possibly the Active Directory structure) with the System Tree according
to the synchronization settings.

Systems and structure;

When using this synchronization type, changes in the Active Directory structure are carried over
into your System Tree structure at the next synchronization. When systems or containers are
added, moved, or removed in Active Directory, they are added, moved, or removed in the
corresponding locations of the System Tree.
When to use this synchronization type
Use this to ensure that the System Tree (or parts of it) look exactly like your Active Directory
structure.
If the organization of Active Directory meets your security management needs and you want
the System Tree to continue to look like the mapped Active Directory structure, use this
synchronization type with subsequent synchronization.

Systems only;

Use this synchronization type to import systems from an Active Directory container, including
those in non-excluded subcontainers, as a flat list to a mapped System Tree group. You can
then move these to appropriate locations in the System Tree by assigning sorting criteria to
groups.
If you choose this synchronization type, be sure to select not to add systems again if they exist
elsewhere in the System Tree. This prevents duplicate entries for systems in the System Tree.
When to use this synchronization type
Use this synchronization type when you use Active Directory as a regular source of systems for
ePolicy Orchestrator, but the organizational needs for security management do not coincide
with the organization of containers and systems in Active Directory.

NT domain synchronization;

Use your NT domains as a source for populating your System Tree. When you synchronize a
group to an NT domain, all systems from the domain are put in the group as a flat list. You can
manage these systems in the single group, or you can create subgroups for more granular
organizational needs. Use a method, like automatic sorting, to populate these subgroups
automatically.
If you move systems to other groups or subgroups of the System Tree, be sure to select to not
add the systems when they already exist elsewhere in the System Tree. This prevents duplicate
entries for systems in the System Tree.
Unlike Active Directory synchronization, only the system names are synchronized with NT domain
synchronization; the system description is not synchronized.

How a system is first placed in the System Tree;


When the agent communicates with the server for the first time, the server uses an algorithm
to place the system in the System Tree. When it cannot find an appropriate location for a system,
it puts the system in the Lost&Found group.
At the first agent-server communication
On each agent-server communication, the server attempts to locate the system in the System
Tree by agent GUID (only systems whose agents have already called into the server for the
first time have an agent GUID in the database). If a matching system is found, it is left in its
existing location.
If a matching system is not found, the server uses an algorithm to sort the systems into the
appropriate groups. Systems can be sorted into any criteria-based group in the System Tree,
no matter how deep it is in the structure, as long as each parent group in the path does not
have non-matching criteria. Parent groups of a criteria-based subgroup must have either no
criteria or matching criteria.
Remember, the order that subgroups are placed in the Group Details tab determines the order
that subgroups are considered by the server when it searches for a group with matching criteria.
1 The server searches for a system without an agent GUID (its agent has never called in
before) with a matching name in a group with the same name as the domain. If found,
the system is placed in that group. This can happen after the first Active Directory or NT
domain synchronization, or when you have manually added systems to the System Tree.
2 If a matching system is still not found, the server searches for a group of the same name
as the domain where the system originates. If such a group is not found, one is created
under the Lost&Found group, and the system is placed there.
3 Properties are updated for the system.
4 The server applies all criteria-based tags to the system if the server is configured to run
sorting criteria at each agent-server communication.
5 What happens next depends on whether System Tree sorting is enabled on both the server
and the system.



Importing Active Directory containers;

Use this task to import systems from your network’s Active Directory containers directly into
your System Tree by mapping Active Directory source containers to the groups of the System
Tree. Unlike previous versions, you can now:
• Synchronize the System Tree structure to the Active Directory structure so that when
containers are added or removed in Active Directory, the corresponding group in the System
Tree is added or removed also.
• Delete systems from the System Tree when they are deleted from Active Directory.
• Prevent duplicate entries of systems in the System Tree when they already exist in other
groups.


Task;

For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Group Details, then select the desired group
in the System Tree. This should be the group to which you want to map an Active Directory
container.
NOTE: You cannot synchronize the Lost&Found group of the System Tree.

2 Next to Synchronization type, click Edit. The Synchronization Settings page for the
selected group appears.




MetalMunnA
http://www.halfrain.com
http://www.coreyz.com
I just sit and wonder, why!! Everything i touch it dies!!!
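
How the placement rules quoted in Reply #20 ("How a system is first placed in the System Tree") play out, as an added Python model that is not part of the original post and is not ePO's own code. The group names, IP ranges, GUIDs and function names are constructed; treating any one matching criterion as sufficient, letting the deepest matching group win, and sorting by criteria when sorting is enabled (step 5, which the post leaves open) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    subnets: list = field(default_factory=list)   # IP sorting criteria (CIDR strings)
    tags: set = field(default_factory=set)        # tag sorting criteria
    children: list = field(default_factory=list)  # listed order = order the server searches
    systems: dict = field(default_factory=dict)   # system name -> agent GUID (None = never called in)

    def has_criteria(self):
        return bool(self.subnets or self.tags)

    def matches(self, ip, tags):
        # Assumption: meeting any one of the group's criteria is enough.
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.subnets) or bool(self.tags & tags)

def walk(group):
    yield group
    for child in group.children:
        yield from walk(child)

def sort_target(group, ip, tags):
    """Deepest criteria-based group reachable without crossing non-matching criteria."""
    for child in group.children:
        if child.has_criteria() and not child.matches(ip, tags):
            continue  # a parent with non-matching criteria blocks its whole subtree
        deeper = sort_target(child, ip, tags)
        if deeper is not None:
            return deeper
        if child.has_criteria():
            return child
    return None

def place(root, lost_found, name, domain, guid, ip, tags=frozenset(), sorting_enabled=True):
    """Return the group a system sits in after an agent-server communication."""
    for g in walk(root):
        if guid in g.systems.values():
            return g  # agent GUID already known: system is left where it is
    # Steps 1-2: look for a group named after the system's domain.
    home = next((g for g in walk(root) if g.name == domain), None)
    if home is not None and name in home.systems and home.systems[name] is None:
        del home.systems[name]  # claim the GUID-less placeholder instead of duplicating it
    # Step 5 (assumed): criteria-based sorting only when it is enabled.
    target = sort_target(root, ip, tags) if sorting_enabled else None
    if target is None:
        if home is None:  # no domain group anywhere: create one under Lost&Found
            home = Group(domain)
            lost_found.children.append(home)
        target = home
    target.systems[name] = guid
    return target

def build_sample_tree():
    # Constructed sample tree; Lost&Found is always listed last.
    lost_found = Group("Lost&Found")
    servers = Group("Servers", subnets=["10.1.0.0/16"],
                    children=[Group("DMZ", subnets=["10.1.50.0/24"])])
    laptops = Group("Laptops", tags={"laptop"})
    emea = Group("EMEA", children=[Group("London", subnets=["10.9.0.0/16"])])
    return Group("My Organization", children=[servers, laptops, emea, lost_found]), lost_found

if __name__ == "__main__":
    root, lf = build_sample_tree()
    for args in [("web01", "CORP", "guid-1", "10.1.50.7"),
                 ("db01", "CORP", "guid-2", "10.1.2.3"),
                 ("lon1", "CORP", "guid-3", "10.9.1.1"),
                 ("kiosk", "LAB", "guid-4", "192.168.1.5")]:
        print(args[0], "->", place(root, lf, *args).name)
    # The CAUTION case: entry deleted from the tree, agent left installed and still calling in.
    del root.children[0].children[0].systems["web01"]
    again = place(root, lf, "web01", "CORP", "guid-1", "192.168.1.5", sorting_enabled=False)
    print("web01 after deletion ->", "Lost&Found/" + again.name)
```
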

metalmunna

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #21 on: 26. February 2011., 00:26:43 »
no more today, tomorrow I will try to make it easy and quick ..... till now I did that to make you understand that there are a lot of areas you have to cover before jumping into deploying McAfee software (antivirus, agent .... etc.) automatically to the clients ... for now ta ta ....


metalmunna

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #22 on: 26. February 2011., 21:04:32 »
OK boys,

let's start again ....

today we will add our network directory (Active Directory) to the ePO System Tree.

to add the AD network structure to the ePO System Tree, follow me ....
Menu | Systems | System Tree



select My Organization, now look at the right pane .. under My Organization there are 4 submenus;

Systems|Assigned Policies|Client Tasks|Group Details

select Group Details and then click Edit from Synchronization type: None  Edit

the new window has 3 options;

Synchronization type:    
None
NT Domain
Active Directory

let's select Active Directory and then we will get a new look of the page with a lot of options;

I'm selecting;

Synchronization type: Active Directory
Synchronize: Systems and container structure
Systems that exist elsewhere in the System Tree: Move systems from their current System Tree location to the synchronized group
Active Directory domain: Use specific AD server; mp5.metalmunna.com (FQDN or AD Server)
[ You can use "Use registered LDAP server" if you have already registered your LDAP (AD) on the ePO through Menu|Configuration|Registered Servers ]

Active Directory credentials: Domain: metalmunna.com
                                       User name: administrator
then password and confirm password!



Container: use Browse and select the root directory and then OK.



Exceptions: do nothing here now

Push Agent: Push agents to new systems when they are discovered
      Push settings:  Not configured
so click configure settings; and do it, see the picture ...


When systems are deleted from the synchronization point: Leave the systems in their current location in the System Tree

Last synchronization: (never synchronized), and a Synchronize Now tab.

you will get this message; A synchronization task for this group is in progress. Go to the Server Task Log to check the status.

now click Save and come out of this page, and now you will see your AD structure in the ePO System Tree;

now ePO knows our network structure ... and at the same time the McAfee agent will be installed on the whole network's servers and PCs automatically ....



metalmunna

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #23 on: 26. February 2011., 21:37:51 »
you might have missed something if you saw no agent installed automatically

if so, jump to Menu|Software|Master Repository

and now we have to add the McAfee Agent, McAfee Enterprise VirusScan or any other McAfee product's Zip packages, so ..

Click Action and then Check in Package



then ...

What package are you checking in?
Note: If distributed repositories are set up to replicate only selected packages, your newly check-in package will be replicated by default. To avoid replicating a newly checked-in package, deselect it from each distributed repository or disable the replication task before checking in the package.
Package type: Product or Update (.ZIP)
File path: \\epo\Mcafee Enterprise All & Original\XYZ.zip



Next .. Save. So keep saving the installer packages on this screen by that simple step ..



So don't forget to do it before adding the AD on the ePO system tree ...


metalmunna

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #24 on: 27. February 2011., 18:28:13 »
hi guys,

I skip so many things because I'm waiting for errors or questions. Whatever, next I will start on how to install McAfee VirusScan Enterprise on a domain automatically ... till then .... nothing!!!


metalmunna

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #25 on: 04. March 2011., 19:31:39 »
OK boys, time to work again ...

as I told you, next we will set McAfee VirusScan Enterprise to deploy to the domain automatically; it's such a simple task if you have already configured your ePO server ... so follow me;

Menu>System tree

now jump to the right box; My Organization>Client Tasks;

note; if you want to deploy to the whole domain then you should stay on the root level of the domain tree, or if you want to deploy VSE only to an OU then you should select that OU before jumping to the client task!

now, on the Client Tasks screen, look at the bottom and you will see New Task, so click it ...



in the name field, use a name for the task; VSE 8.8
in the note field you can keep it blank or add any note! next one ... Type; there are a lot of options here but we will select "Product Deployment", next is Tags and leave that at the default; Send this task to all computers. click Next to go to the next screen



What do you want this task to do?
Target platforms: Windows
Products and components: VirusScan Enterprise 8.8 | Action: Install | Language: Neutral | Branch: Current. (use plus (+) to add more products!)
Options: Run at every policy enforcement (Windows only), check/uncheck, and then Next;



When do you want this task to run?
Schedule status: Enable
Schedule type: Run Immediately or as you need

keep the other defaults and click Next ...

Click "Save" to add the client task, and summary. now click Save to come out of this screen ...



now wait some minutes and then check your workstations or servers of that OU ... is McAfee VirusScan Enterprise 8.8 installed?



it's done ...... if not, ask me!!!


vishwanath99

  • SCF Member
  • **
  • Posts: 61
  • KARMA: 6
  • Gender: Male
Re: McAfee ePolicy Orchestrator (ePO)
« Reply #26 on: 25. March 2011., 10:45:42 »
Hi metalmunna, nice topic you have chosen..

What is the maximum number of systems it can control, what are the products it controls, and how? Does it manage only McAfee products? Does it manage only security products?

metalmunna

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #27 on: 25. March 2011., 16:44:51 »
> Hi metalmunna, nice topic you have chosen..
>
> What is the maximum number of systems it can control, what are the products it controls, and how? Does it manage only McAfee products? Does it manage only security products?

Hi, ePO can manage thousands of systems, depending on your server and hardware;

example; a 2-processor ePO server with a 4-processor SQL server can manage 34,200 client systems with a required response time of 1 hour.

for Supported products and components in ePO 4.5 please check this link; https://kc.mcafee.com/corporate/index?page=content&id=KB66144


vishwanath99

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #28 on: 30. March 2011., 07:52:56 »
How can we use user-defined rules in access protection?

metalmunna

Re: McAfee ePolicy Orchestrator (ePO)
« Reply #29 on: 30. March 2011., 20:06:27 »
> How can we use user-defined rules in access protection?

For that you have to create a policy; menu>policy>policy catalog> create new policy (don't forget to select the product for which you want to create the new policy)


 
