Product guide

Longer ASCI interval
Password only deployments should remove certificate query from EE LDAP User/Group Synchronization
task.
The User Certificate attribute is used by the McAfee ePO server to determine which certificate should
be sent from McAfee ePO to the client, for example, for smartcard tokens. It is better not to query
this attribute when you use the Password only token, as tests have shown that LDAP query
performance decreases when certificates are included in the query. Setting this attribute can also
accumulate a large amount of data in the database; therefore, you can remove the certificate query
from EE LDAP Server User/Group Synchronization while using the Password only token.
Phased rollout during migration, upgrade, or first time installation of EEPC 7.0 Patch 1.
These configurations and factors will degrade scalability:
Policy Assignment Rules — The policy assignment rules should be set up in a logical order to ensure
minimal processing. Create an ordered list of rules associated with a User Based Policy. For each
user, the rules engine evaluates the rules in order, and the first rule that is satisfied defines which
UBP is assigned to the user.
Make sure that you enable the Policy Assignment Rules for a small number of users to minimize
overloading ePolicy Orchestrator.
Given that ePolicy Orchestrator needs to send all users down to a client during activation, each
user will need to have rules run to associate a UBP with them (if UBPs are enabled and rules are
defined). With r rules, m machines and u users, the worst case scenario would be an $O(n^3)$
calculation (r * m * u), which is not recommended.
Best practice is therefore to configure the rules in the correct order, such that they are defined in
descending order of the number of users that each rule would “catch”. For example, if rule A
catches 10% of users, rule B catches 80% of users, C 5%, D 2%, E 3%, the most efficient way of
ordering the rules would be B>A>C>E>D, if the logic of your rules allows this to be done.
Large number of users per machine (>20)
Deployment of unnecessary languages (recovery questions)
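The rule-ordering advice above can be checked numerically. The following is an added example, not code from the guide or from McAfee: it models first-match evaluation with the guide's catch rates for rules A to E and confirms that B>A>C>E>D gives the fewest evaluations. It assumes the rules are mutually exclusive and cost the same to evaluate; the function names and the machine and user counts are constructed for illustration.

```python
from itertools import permutations

# Catch rates from the guide's example: fraction of users each rule matches.
# Assumption: the rules are mutually exclusive (the figures sum to 100%).
CATCH = {"A": 0.10, "B": 0.80, "C": 0.05, "D": 0.02, "E": 0.03}


def expected_evaluations(order, catch=CATCH):
    """Mean number of rules evaluated per user under first-match semantics.

    A user caught by the rule in position i costs i evaluations, because
    every earlier rule was tested and failed before that rule matched.
    """
    return sum(pos * catch[rule] for pos, rule in enumerate(order, start=1))


def best_order(catch=CATCH):
    """Brute-force every permutation and return the cheapest ordering."""
    return min(permutations(catch), key=lambda o: expected_evaluations(o, catch))


def total_evaluations(order, users_per_machine, machines, catch=CATCH):
    """Expected rule evaluations to activate all machines (constructed sizes)."""
    return expected_evaluations(order, catch) * users_per_machine * machines


if __name__ == "__main__":
    # Constructed deployment: 1000 machines with 20 users each.
    machines, users = 1000, 20
    for label, order in [("guide order", "BACED"),
                         ("alphabetical", "ABCDE"),
                         ("ascending", "DECAB")]:
        per_user = expected_evaluations(order)
        total = total_evaluations(order, users, machines)
        print(f"{label:13s} {'>'.join(order)}  "
              f"{per_user:.2f} evals/user  {total:,.0f} total")
    # Worst case from the text: every user tests every rule (r * m * u).
    print(f"worst case r*m*u = {len(CATCH) * machines * users:,}")
    print("cheapest ordering:", ">".join(best_order()))
```
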
The rate of activation can be calculated with the formula $N_{max} = ASCI_{secs} / M_{upstream} \cdot DC_{rate}$
Where,
$DC_{rate}$ depends on hardware configuration of ePolicy Orchestrator and Database
$M_{upstream}$ is the number of data channels (two) being sent from each client
For more details on EEPC 7.0 Patch 1 scalability, refer to the KB article
https://kc.mcafee.com/corporate/index?page=content&id=KB71363.
5
Operations and maintenance
EEPC 7.0 Patch 1 scalability
McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide