Best Practices Guide McAfee® ePolicy Orchestrator® 4.0 and 4.
COPYRIGHT Copyright © 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents

Preface
  About this guide
  Audience
  Conventions
  What's in this guide
  Finding product documentation
1 History of McAfee ePolicy Orchestrator software
2 ePolicy Orchestrator product architecture
...
6 McAfee Agent
  Agent functionality
  Deploying agents
    Deploy from the McAfee ePO server
    Synchronize with Active Directory
    Deploy the agent using third-party tools
...
14 Disaster recovery
  Configuring simple disaster recovery
    Use server clusters for disaster recovery
    Use cold and hot spares on one physical site
    Use cold and hot spares on two physical sites
15 Reference documentation
Index
Preface

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access...   Do this...
1 History of McAfee ePolicy Orchestrator software

ePolicy Orchestrator software is a mature security management platform that delivers the quality and stability that can only be provided by a product that has evolved in the security environment. Understanding the history of the ePolicy Orchestrator software and the initial products it managed can help you use the information in this Best Practices Guide more effectively.
2 ePolicy Orchestrator product architecture

The ePolicy Orchestrator software architecture offers extensive functionality that can be configured many different ways. It uses a classic client-to-server model where the client calls the McAfee ePO server asking for instructions.
Architecture overview

1 ePO server — Connects to the McAfee update server to download the latest security content
2 ePO Microsoft SQL database — Stores all the data about the managed systems on your network
3 McAfee Agents — Provide policy enforcement, product deployments and updates, and reporting on your managed systems
4 Agent-server secure communication (ASSC) connections — Provide the communications that occur at regular intervals between your systems
6 McAfee update server — Hosts the latest security content so your ePolicy Orchestrator can pull the content at scheduled intervals.
Hard disk configuration

Use VMs for the McAfee ePO Server

The McAfee ePO server supports multiple versions of virtual environments, but when your node count reaches 25,000 to 30,000 nodes you run into the most common virtual machine (VM) bottleneck: disk performance. To install the McAfee ePO server on a VM and avoid this disk performance problem, you must:
• Dedicate physical disks to the McAfee ePO server in the VM.
Manage fewer than 5,000 nodes

If you have fewer than 5,000 nodes to manage with the McAfee ePO server, disk configuration is rarely an issue. Use your normal procedure for configuring the disks on the server. Typically, assign individual disks to the:
• Operating system
• McAfee ePolicy Orchestrator
• SQL database
If you are using RAID for redundancy, any form of RAID is adequate; most organizations use RAID 5 as a standard.
• RAID 1 for the operating system, with individual partitions for the SQL database (the MDF file) and the SQL transaction log (the LDF file).
• RAID 1 for the log partition
• RAID 10 for the database partition
To manage an organization of this size with the McAfee ePO server, McAfee recommends RAID 10 for the SQL Server. The following example shows this RAID disk configuration.
SAN usage

Storage area network (SAN) devices are the standard configuration for larger storage requirements, such as SQL databases that require backup and maintenance. SAN storage is a valid method for storing your SQL database, but it adds a potential layer of complexity to your SQL implementation that should be understood. A SAN engineer might maintain the SAN without being familiar with McAfee ePolicy Orchestrator and its heavy I/O requirements.
Determining the server hardware needed

The following sections offer hypothetical environments to provide some guidelines for organization size and hardware requirements. These examples provide minimum requirements for hardware. McAfee recommends that you exceed these requirements to improve performance and allow for growth wherever possible. McAfee ePO server performance is determined by the SQL database, where the McAfee ePO server data is stored.
Medium organization example

A medium organization ranges from 5,000 to 25,000 nodes. A single McAfee ePO server can easily manage an organization of this size with properly placed repositories to update content and software to the agents. As your node count approaches 25,000 nodes, McAfee recommends that you place the McAfee ePO server and SQL Server on their own physical servers.
• 16 processors
• 32 – 128 GB of RAM
• At least 300 GB of space for the SQL database
These are not upper limits for hardware. If you have the budget for additional hardware resources, exceed these recommendations.
3 Repositories

A repository is a file sharing device that serves out files for clients to download. It does not manage policies, collect events, or have any code installed. Policies and events are always handled by the McAfee ePO server or Agent Handler.
• FTP repositories
• UNC share repositories
• SuperAgents
There are several things to keep in mind about these repositories:
• The McAfee ePO server requires certain protocols be used for the repositories, but any server vendor can provide those protocols. For example, if you use an HTTP repository you can use either Microsoft Internet Information Services (IIS) or Apache server (Apache is the faster option).
SuperAgent repositories

1 Create the folder
2 Adjust share permissions
3 Change the NTFS permissions
4 Create two accounts, one with read and another with write access
All of these tasks increase the chance of failure, since they must be completed manually, which risks human error.
Creating a new SuperAgent policy

A SuperAgent policy allows you to assign that policy to client machines to convert them to SuperAgents.

Task
1 From the Policy Catalog, click McAfee Agent and, from the Category list, select General to create a new policy. Give the new policy a distinctive name, for example SuperAgent policy. A common mistake is accidentally changing your primary McAfee Agent policy and turning all your nodes into SuperAgents.
Task
1 From the System Tree, click System Tree Actions | New Subgroup and give it a distinctive name, for example 1_SuperAgents.
2 Click OK. The new group appears in the System Tree list.

Assigning the new SuperAgents policy to the new SuperAgents group

Assigning the SuperAgents policy to the new SuperAgents group completes the configuration of the SuperAgent group.
Task
1 From the SuperAgent group you created, click the Assign Policies tab and select McAfee Agent from the Product list.
2 From the Actions column, click Edit Assignments. The McAfee Agent : General dialog box appears.
3 Click Break inheritance and assign the policy and settings below, select the SuperAgent policy you created from the Assigned Policy list, and click Save.
Task
1 In the System Tree, click the Systems tab and find the system you want to change to a SuperAgent repository.
2 Drag the row with the system name and drop it into the new SuperAgent group you created in the System Tree. Once the system communicates with the McAfee ePO server, it changes to a SuperAgent repository.
3 To confirm the system is now a SuperAgent repository, click Menu | Software | Distributed Repositories and select SuperAgent from the Filter list.
Calculating bandwidth of repository replication

Downloading the daily DAT file randomly from the central ePO server to the system agents takes the following bandwidth:
100 agents * 200 KB file = 20 MB of bandwidth

Example 2: Downloading the DAT file to the local repository
For the McAfee ePO server to replicate the DAT file to each repository every day takes at least 70 MB of bandwidth.
Determine repository count

Example 2 — A large office in Tokyo
The large office in Tokyo needs to download the 200 KB per day of DAT files to its 4,000 nodes. Using the formula:
(200 KB) x (4,000 nodes) = 800 MB of data randomly pulled per day to Tokyo
The large office in Tokyo, with 4,000 nodes, uses 800 MB of bandwidth per day just to update the DAT files.
Server hardware                                  Nodes updated   Dedicated or shared client hardware
Single 3 GHz processor with 4 GB of memory       3,000           Shared with other applications
                                                 3,000 – 7,000   Dedicated
Server class hardware, dual-quad processor       5,000 – 7,000   Dedicated
and 8 GB of RAM

Disk space needed for a repository is rarely a concern with today's storage standards.
The EMEA offices have another data center in the UK with several other offices across EMEA. These other offices range from 200 to 3,000 nodes. The one ePO server resides in the UK data center and runs VirusScan Enterprise, Host Intrusion Prevention System, and SiteAdvisor. The APAC offices include two smaller offices.

Region   Office                  Number of nodes   Servers
U.S.     New York, Data Center   7,000             Repository
U.S.     Office 1                5,000             Repository
U.S.
Global updates

Improve agent update performance

In large environments, the ePolicy Orchestrator server is already very busy distributing policies and collecting events. You can improve performance by changing the agent policy so agents don't pull content from the McAfee ePO server itself, the default master repository. Making this change forces the agents to use only the repositories you created manually.
How Global Updates works

If the McAfee ePO server is scheduled to pull the latest DATs from the McAfee website at 2 p.m. Eastern time, that pull changes the master repository (which is always the McAfee ePO server), and the server automatically starts replicating the DATs to all your distributed repositories. The Global Updates process works like this:
1 Content or packages are checked in to the master repository.
4 Agent Handlers

Agent Handlers coordinate work between themselves and the McAfee ePO server, which communicates with the remote Agent Handlers. Agent Handlers use a work queue in the SQL database as their primary communication method. The Agent Handlers check the work queue frequently and perform the requested action.

Agent Handlers overview

Users have many questions about Agent Handlers, and they are answered in the McAfee Agent Handlers white paper. In ePolicy Orchestrator 4.
5 Installation and upgrade of ePolicy Orchestrator software

There are two types of ePolicy Orchestrator installations: a new installation in an environment where no previous version of ePolicy Orchestrator software has been installed, and an upgrade installation where you are replacing an existing version of ePolicy Orchestrator software. Before you install your ePolicy Orchestrator server software, an understanding of the hardware requirements is very important. See the McAfee ePolicy Orchestrator 4.
Upgrade the software

• You retain all your policies and client tasks — This means you don't have to rebuild them, which can save you time.
• You retain your directory structure — If you have invested a lot of time building this structure, an in-place upgrade may be a good idea.
• You don't have to transfer any McAfee agents to a new server — Since nothing changes with an in-place upgrade, the upgrade is transparent to all your agents.
• Test your upgrade in a VM environment with a copy of your SQL database to make sure the upgrade works smoothly.
• Validate all your settings to confirm they are in place after the upgrade.

Move the server

There might be a time when you need to move your McAfee ePO server from one physical server to another while maintaining all your settings, for example when your hardware is old, has failed, or is out of warranty.
Move McAfee Agents between servers

Before the release of ePolicy Orchestrator 4.5, many customers wanted an upgrade path that would allow them to start with a new database while retaining their old settings. Version 4.
Exporting and importing the ASSC keys

You must export the agent-server secure communication (ASSC) keys from the old server and import them on the new server before moving your clients to the new McAfee ePO server. See the McAfee ePolicy Orchestrator 4.5 Product Guide for detailed agent-server secure communication key export and import instructions.

Using the Transfer Systems feature on ePolicy Orchestrator 4.
3 Select the systems to move to the new McAfee ePO server and click Actions | Agents | Transfer Systems. The Transfer Systems dialog box appears.
4 Select the server from the drop-down menu and click OK.
Once a managed system has been marked for transfer, two agent-server communications must occur before the system is displayed in the System Tree of the target server.
6 McAfee Agent

The McAfee agent is the liaison between all point-products and the McAfee ePO server. This 5 MB executable file is not a security product on its own; instead it communicates with all the McAfee and partner security products and passes the appropriate information to and from the McAfee ePO server.
Once an agent is installed on a system, you never need to use a third-party deployment tool to update anything on that client.

Figure 6-1 One agent to communicate with many products

McAfee Agent modularity

The advantage of the agent design is modularity. This modular design allows you to add new security offerings to your environment, as your needs change, using the same agent framework.
Deploying agents

The McAfee Agent is a 5 MB executable file that can simply be executed manually or, more commonly, deployed at larger scale to hundreds or thousands of nodes. The agent can be deployed using:
• A logon script
• Manual execution
• The McAfee ePO server
• Third-party tools
• An image with the agent as part of the image
You must use the specific McAfee agent executable file obtained from the McAfee ePO server in your environment.
If you gave this custom McAfee Agent to your desktop team a year ago, it is probably outdated. It becomes outdated if, for example, you have made changes to your ePolicy Orchestrator server, such as rebuilding it with a new IP address, or have checked in a newer version of the McAfee Agent to your server.
• The machines in your AD tree must be well maintained. This is not always the case in many larger organizations. Machines need to be deleted and placed into the appropriate containers in AD for ePolicy Orchestrator to properly mirror your AD structure.
• You must have the proper credentials, have the admin$ share enabled, and have no local firewall blocking the NetBIOS ports on the destination client for the push from ePolicy Orchestrator to work properly.
Using third-party tools is not a requirement, but your organization might have strict policies that dictate how products are deployed for consistency and change control reasons. Some common deployment tools include:
• Microsoft SCCM (formerly known as SMS)
• IBM Tivoli
• Novell Zenworks
• BMC Client Automation (formerly Marimba)
• Simple logon scripts
The process used to deploy the agent for the first time using these third-party tools is very straightforward.
Confirm you deleted the agent GUID before freezing the image

If you choose option 1, Include the agent in your Windows image, it can cause one of the most common problems seen in ePolicy Orchestrator: not resetting the Agent GUID. This causes the systems not to appear in the ePolicy Orchestrator directory. To avoid this problem, make sure you delete the agent GUID before freezing the image when you make the agent part of your image.
7 Organizing your System Tree

Your System Tree is a very important feature of your McAfee ePO server, and you can configure the System Tree hierarchy in multiple ways.
Dynamically sorting your machines

To dynamically sort your machines into your ePolicy Orchestrator System Tree, use a combination of system criteria, such as machine name or IP address, to move machines automatically into their appropriate group in the System Tree. This requires you to create some basic groups for your tree structure.
8 Policies and packages

Policies are the settings that govern each product on the endpoint. Packages are the binaries that can be deployed by the McAfee Agent to your endpoints. Policies include the settings for any supported products, from McAfee VirusScan Enterprise to McAfee Endpoint Encryption. These policies include every checkbox and setting that dictates what the endpoint product does on each one of your systems.
This is not an exhaustive list, and new products are constantly being added as McAfee expands its solution portfolio. Because of the McAfee ePO server's modular architecture, you can instantly add new product policies for management by ePolicy Orchestrator by checking in a product extension. An extension is a zip file, released by McAfee or a partner vendor, that you simply check in to ePolicy Orchestrator so you can manage a product's policies.
McAfee agent policy

• Collects and sends its properties to the McAfee ePO server or Agent Handler
• Checks to see if any policy changes or client tasks have occurred on the McAfee ePO server and pulls down the changes to the client
For example, if any change is made to a policy for a point-product managed by ePolicy Orchestrator, such as VirusScan Enterprise, Endpoint Encryption, or Host Data Loss Protection, at the ASCI time that change is pulled down by the agent and applied
Configuring ASCI

Configure the ASCI to determine how often every McAfee Agent calls the McAfee ePO server. The ASCI is set to 60 minutes by default. If that interval is too frequent for your environment, change it.
Task
1 Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list.
2 Click the General tab, and type the Agent-to-server communication interval as shown in the following figure.
3 Click Save.
If you need to send a policy change or add a client task immediately, execute an agent wake-up call. See Agent to server communication interval (ASCI), Sending a policy change immediately.
1 Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list.
2 Click the General tab, and type the Policy enforcement interval as shown in the following example.

Deploying packages

Packages are the binaries or files that can be deployed to an endpoint. All packages that can be deployed from the McAfee ePO server are located in the master repository.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, then in the Settings Category pane click Repository Packages. The following dialog box appears.
2 Click Edit, change the default from No to Yes, and save the change.
Once configured, the branch used for a particular installation can be selected when configuring the Client Task
9 Client tasks

Client tasks run on the clients and are typically scheduled to run at a specific time. They differ from policies because they are an action that the client must perform at a predetermined time. Many of the tasks are specific to certain products and are available if you have their extensions checked in to ePolicy Orchestrator.
Deploy products

Configuring which products are deployed

Configure the agent client to deploy a product. See the McAfee ePolicy Orchestrator 4.5 Product Guide for details.

Task
1 Click Menu | Systems | System Tree | Client Tasks, then select a group in the System Tree.
2 Click Actions | New Task. The Client Task Builder wizard opens.
3 Type a name, select Product Deployment from the list, and click Next. The Client Task Builder page appears.
nodes and you only have one repository, those 5,000 nodes are pulling a total of 180 GB of data from that one repository when the deployment task is executed. To keep that repository from being overwhelmed, you must randomize your deployment. Many customers forget to enable randomization on their tasks and instead choose a specific time for the task to run, such as noon every day.
Updating products

Signatures, or DAT files, are released daily at approximately 11 a.m. Eastern time and average 200 KB per day. Optionally, you can deploy other items, such as product patches, to more targeted groups for testing before making them part of your master update task at the My Organization level. When possible, always set product update tasks at the My Organization level, which is the highest level in the System Tree.
4 Choose the content to update using this task. In this example, the Daily Master Update task downloads the VirusScan Enterprise DAT and Engine files. If you would like to deploy a product patch, make a separate client task designed to deploy that patch only. That makes it easier to keep track of your client tasks.
5 Click Next to configure the schedule for this task. The key to a good update task is updating several times per day at completely random intervals. Many users assume that, because McAfee releases its signatures once per day, clients should check for updates only once per day. A client can check for updates several times per day at the nearest repository without any negative impact on bandwidth or the repositories.
10 Server tasks

Server tasks are any item that is scheduled to run on the McAfee ePO server itself. Using server tasks properly can significantly improve efficiency in your organization. Server tasks automate many of the common items you would otherwise perform manually on a daily or weekly basis. Server tasks are automatically added as new extensions are added to ePolicy Orchestrator. For example, encryption-related server tasks appear when the encryption extension is installed.
Perform an action on a query

1 Give your server task a descriptive name.
2 Choose an action, then a subaction. This is the most important part of creating your task. After the task performs the first action, it performs the subaction based on the results of the original action. For example:
• Run a query on the machines that have not communicated with the McAfee ePO server in over 30 days.
• Email that report to a specific administrator.
3 Configure a weekly report.
• Click Run Query from the Actions list.
• Click Managed Inactive Agents query from the Query list dialog box that appears, then click OK.
• Create a subaction that deletes the inactive agents generated by the report, then click Next.
Notice that you chose an action, then a subaction. This allows the task to perform the first action and then perform the subaction based on the results of the original action.
3 Configure an email report.
• Click Run Query from the Actions list.
• Click Managed Inactive Agents query from the Query list dialog that appears, then click OK.
• Create a subaction that emails the file as a PDF to your selected recipients, then click Next.
• Choose the custom or preconfigured query that you want to email and enter the email address where you want the email sent.
of content into each branch. Then the different versions can be rolled out to a selected group of test machines before a full deployment to the entire environment. See the Validating DAT and Other Content with ePO 4.5 PDF document on the KnowledgeBase.

Disabling master repository client pulls

To improve McAfee ePO server performance when you have distributed repositories, you might need to disable master repository client pulls.
3 From the Repositories list, find the McAfee ePO server and click Disable in the Actions column.
4 Click Save to disable the McAfee ePO server repository.

Purge events automatically

Every day, hundreds or thousands of events are sent to your McAfee ePO server for processing from all your agents. These events can impact the performance of the McAfee ePO server and SQL Servers.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Server Tasks, then click Action | New Task. The Server Task Builder dialog box appears.
2 Give the task a name, for example Delete client events, and on the Actions tab configure the following from the Actions list:
• Purge Audit Log — Purge after 6 months.
• Purge Client Events — Purge after 6 months.
• Purge Server Task Log — Purge after 6 months.
events is only 10 days because it collects all URLs that are visited by managed machines. This can save a lot of data in environments with more than 10,000 nodes; therefore, this data is kept for a much shorter time than other event types.
3 Schedule the task to run every day during non-business hours, then click Save.

Purging events by query

You can use a custom configured query as a base to clear client events.
Deleting inactive systems automatically

Most environments are constantly changing: new systems are added and old systems removed. This creates inactive McAfee Agent systems that, if not deleted, can ultimately skew your compliance reports. As systems are decommissioned, or disappear because of extended travel, users on leave, or other reasons, remove them from the System Tree.
1 Click Menu | Automation | Server Tasks and click Edit for the Inactive Agent Cleanup Task for 4.5 in the Action column. The Server Task dialog box appears.
2 If needed, change the name, click Enabled next to Schedule status, and click Next. The Actions dialog box appears.
Changing the Managed Inactive Agents query

The Inactive Agent Cleanup server task uses a preconfigured query named Managed Inactive Agents. Whichever systems are returned from the query are deleted or moved according to the subaction configured in the server task. If you want to see what that query is using as a filter, edit that specific query in the query area.
11 Reporting

ePolicy Orchestrator ships with its own querying and reporting capabilities. These are highly customizable, flexible, and easy to use. The Query Builder and Report Builder create and run queries and reports that result in user-configured data in user-configured charts and tables. The data for these queries and reports can be obtained from any registered internal or external database in your ePolicy Orchestrator system.
The following example shows some of the categories of preconfigured queries provided with the ePolicy Orchestrator software.

Custom queries

Creating custom queries is a straightforward process on the McAfee ePO server, and you can also duplicate and modify existing queries to change the output and reports. Custom queries can be created in four simple steps. As with most tasks in ePolicy Orchestrator, you can follow the simple wizard at the top of the screen.
• Have not communicated with the McAfee ePO server in a while
• Are suspected of not working properly when you attempt to wake them up
• Need a new agent deployed to them directly from the McAfee ePO server
Creating custom event queries

Create a custom query.

Task
1 Click Menu | Reporting | Queries, then Actions | New Query. The Query Wizard appears, starting with the Result Types tab. The result types are organized into groups on the left-hand side of the page. Depending on which extensions have been checked in to ePolicy Orchestrator, these groups vary. Most of the result types are self-explanatory, but two of the more powerful result types are Threat Events and Managed Systems.
3 You must choose the label or variable that you want the report to display. There are many variables you can choose to have the McAfee Agent reports display. Often the report does not have to return data on McAfee products; for example, you can report on the operating system versions used in your environment. In the Labels are list, click OS Type.
4 You can choose the columns that you want to see when you drill down on any of the variables in your report. This is not a critical component when building your query and can be adjusted later. You can also drag and drop your columns from left to right, and add and remove the columns that you want displayed. Click Next to use the default columns. You can then filter the data that you want the query to return.
5 Click Next to skip creating filters and display all of the operating system types.
6 Click Run to generate the report and see the results. After you create the report and display the output, you can fine-tune it without starting again from the beginning. To do this, click Edit Query. This allows you to go back, adjust your report, and run it again within seconds. When you have made all the changes to your report, click Save to save it permanently.
3 Click Events in the Features Group and Client Events in the Result Type. Click Next to continue to the Chart dialog box.
4 Under Summary, click Single Group Summary Table to display a total count of all the client events in the events table.
5 Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human-readable description of the events. Optionally, you can also filter on the Event ID, which is the number that represents client event data in ePolicy Orchestrator. See McAfee Point Product generated Event IDs listed in ePO, KnowledgeBase Article KB54677.
8 Click Run to display the query report. In this example there are 308 client events in total. If you want, you can click one event and drill down on it to find out more information.
9 Click Save and give the report an appropriate name, for example, All Client Events by Event Description.

Creating threat events summary query

Create a threat events summary query. It displays threat events sent from your McAfee Agents to ePolicy Orchestrator.
5 Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human-readable description of the events. Optionally, you can also filter on the Event ID, which is the number that represents client event data in ePolicy Orchestrator. See McAfee Point Product generated Event IDs listed in ePO, KnowledgeBase Article KB54677.
6 If needed, adjust the columns based on what kind of information you want displayed.
8 Click Run to display the query report. The McAfee ePO server displays approximately 8,000 threat events in total. The data shown in this example comes from a McAfee ePO server that is managing only a few dozen nodes, so these numbers are relatively small. A real production ePolicy Orchestrator database may have millions of threat and client events.
9 To estimate approximately how many events you should have on your network, use the following formula, which assumes roughly 1 to 2 million events per 10,000 nodes:
(number of nodes ÷ 10,000 nodes) × (1 to 2 million events) = estimated number of events
For example, if you have 50,000 nodes you should be in the range of 5 to 10 million total client and threat events. This number varies greatly based on the number of products and policies you have and your data retention rate. Do not panic if you exceed this number.
4 If the event is important, make sure you are monitoring the number of events using the procedures in Creating event summary queries and Purging events automatically. If you are not looking at these events in the first place, consider disabling the event completely in the VirusScan Enterprise access protection policy so that it is never sent to the McAfee ePO server.
5 Click Next to skip the Columns dialog box. You can choose the columns you want to analyze, but you can skip this step because the McAfee ePO server does not use the columns you choose in the server task.
6 Click Event ID in Available Properties under Client Events to create an Event ID filter. An Event ID row is added in the Filter pane.
7 Click the plus sign, +, at the right to add another comparison row, add 1051 and 1059 in the Value column, then click Run.
11 Find the custom query you just created and click it in the list.
12 Schedule the task to run every night, then click Save.
You can use this technique to purge other threat events based on the custom table queries you create.
12 FAQ and common scenarios

This chapter contains some frequently asked questions (FAQs) and some common scenarios that an ePolicy Orchestrator administrator might encounter when configuring the McAfee ePO server.
Task
1 Click Menu | Automation | Server Tasks to open the Server Tasks Builder.
2 Click Edit for one of the following tasks:
• Duplicate Agent GUID — Clear error count.
• Duplicate Agent GUID — Remove systems with potentially duplicated GUIDs.
3 In the Description page, select Enabled, then click:
• Save — To enable the server task and run it from the Server Task dialog box.
Determining if your server has performance problems

Task
1 Under Reliability and Performance, click Monitoring Tools | Performance Monitoring, then click the plus sign (+). The Add Counters dialog box appears.
2 In the Available counters list, browse to the computer to test, or scroll down to the ePolicy Orchestrator Server counters selection, then click the plus sign (+) to expand the list of counters.
You can also check how quickly your ePolicy Orchestrator server processes events from agents by looking in the Events folder on the McAfee ePO server. This folder is where all events are processed by ePolicy Orchestrator and sent to the SQL database. You can find this folder at:
C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events
At any time, this folder might contain a few dozen or a few hundred events.
• "4.0.0" — Is the product revision number
• "1421" — Is the build number. That build number indicates this is "Patch 2"
To determine the build number-to-patch number relationship, you must go to the KnowledgeBase (KB) articles for each product. See Reference documentation.

ePolicy Orchestrator server and McAfee Agent revisions

The two most relevant products for this document are the McAfee ePO server and the McAfee Agent.
1051 and 1059 events

• Because the scan timed out due to the size of the file, which is a 1059 event
• The file was not scanned because it was inaccessible due to a password or encryption on the file, which is a 1051 event
Disable these two events under event filtering to prevent a flood of these events into your database. By disabling these events you are effectively telling the agent to stop sending them to ePolicy Orchestrator.
13 SQL maintenance

For your McAfee ePO server to function correctly, it is very important to have a well-performing SQL database. It is the central storage place for all the data your McAfee ePO server uses, and it requires maintenance and care.

ePolicy Orchestrator SQL database maintenance

The SQL database used by the McAfee ePO server requires regular maintenance and backups to ensure ePolicy Orchestrator functions correctly.
Setting up a maintenance task to automatically reindex and rebuild your ePolicy Orchestrator SQL database takes only a few minutes and is essential to maintain proper performance on the McAfee ePO server. You can include the re-indexing as part of your regular backup schedule to combine everything in one task. Do not shrink your database. Shrinking is a common mistake that many administrators make when building their maintenance task.
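The guide sets up the reindex task through the SQL maintenance plan wizard; as an added example that is not from the McAfee guide, the following T-SQL performs the same fragmentation-driven reindex and can be scheduled as a SQL Agent job. It assumes the ePO database is named ePO_SERVER (substitute your own name) and uses the 5% / 30% reorganize-versus-rebuild thresholds from Microsoft's general index guidance, which are not values from this guide.

```sql
-- Added example, not McAfee's code. Assumed database name: ePO_SERVER.
-- Rebuilds heavily fragmented indexes, reorganizes lightly fragmented
-- ones, and deliberately never shrinks the database.
USE [ePO_SERVER];
GO
SET NOCOUNT ON;

DECLARE @schema sysname, @table sysname, @index sysname,
        @frag   float,   @pages int,     @sql   nvarchar(max);

-- Enumerate every non-heap index with its current logical fragmentation.
DECLARE idx_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, i.name,
           ps.avg_fragmentation_in_percent, ps.page_count
    FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
    JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
    JOIN sys.tables  AS t ON t.object_id = ps.object_id
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE ps.index_id > 0                        -- skip heaps (no index to maintain)
      AND ps.page_count >= 100                   -- tiny indexes are not worth touching
      AND ps.avg_fragmentation_in_percent > 5.0; -- assumed lower threshold

OPEN idx_cursor;
FETCH NEXT FROM idx_cursor INTO @schema, @table, @index, @frag, @pages;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- >= 30% (assumed threshold): full rebuild, which also refreshes statistics.
    -- Otherwise: reorganize, then update the statistics explicitly.
    IF @frag >= 30.0
        SET @sql = N'ALTER INDEX ' + QUOTENAME(@index) + N' ON '
                 + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N' REBUILD;';
    ELSE
        SET @sql = N'ALTER INDEX ' + QUOTENAME(@index) + N' ON '
                 + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N' REORGANIZE; '
                 + N'UPDATE STATISTICS ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' ' + QUOTENAME(@index) + N';';
    PRINT @sql;                 -- leaves an audit trail in the SQL Agent job history
    EXEC sp_executesql @sql;
    FETCH NEXT FROM idx_cursor INTO @schema, @table, @index, @frag, @pages;
END
CLOSE idx_cursor;
DEALLOCATE idx_cursor;

-- No DBCC SHRINKDATABASE here on purpose: shrinking re-fragments the indexes
-- just rebuilt, and the files regrow anyway as agents keep sending events.
```

Run it after the nightly backup so the backup captures a consistent state and the rebuild's transaction-log growth is covered by the next log backup.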
14 Disaster recovery

Many ePolicy Orchestrator users want to know how to set up ePolicy Orchestrator for a disaster recovery scenario. There are a few options available, depending on your tolerance of risk and the budget available for the additional hardware. Many users think that if the McAfee ePO server fails, the McAfee Agents on the endpoints and the installed point products stop working properly or malfunction in some way.
Use server clusters for disaster recovery

If you require zero downtime when a hardware failure occurs, you can cluster your ePolicy Orchestrator and SQL servers. But this requires additional hardware and increases the cost of implementation. You might choose to cluster only the SQL servers, which is a more common option, and SQL should then have zero downtime.
Now, if the primary site fails, you must make all the agents previously communicating with the primary McAfee ePO server start communicating with the secondary McAfee ePO server located at another physical site, which has a different IP address and a different DNS name. Remember, the agents find the McAfee ePO server by communicating with its IP address first, and if that fails they use its DNS name.
15 Reference documentation

Following are several informative and valuable links for your McAfee implementation.
Other Informative Articles
• Deploying SQL Server 2005 with SAN #1
• Deploying SQL Server 2005 with SAN #2
• Deploying SQL Server 2005 with SAN #3
• SQL Storage Top 10 Best Practices
• Microsoft SQL Technical Documentation
• Comparing RAID Implementations for SQL
• Is RAID 5 Really a Bargain?
• Battle Against Any RAID Five-BAARF
• Viewing and Fixing SQL DB Fragmentation