Best Practices Guide McAfee® ePolicy Orchestrator® for use with ePolicy Orchestrator versions 4.5.0 and 4.0.
COPYRIGHT Copyright © 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents
Preface  5
  About this guide
    Audience
    Conventions
    What's in this guide
1 The history and architecture of ePolicy Orchestrator software
  About the history of ePolicy Orchestrator software
6 The McAfee Agent and your System Tree
  What is the System Tree  47
    Use Active Directory synchronization  47
    Dynamically sorting your machines  48
7 Managing endpoint security with policies and packages
  Manage policies
    McAfee agent policy
      Agent to server communication interval (ASCI)
Preface
This guide provides information about suggested best practices for using your McAfee ePolicy Orchestrator (McAfee ePO™) 4.5 and 4.0 software.
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
What's in this guide
This guide outlines some core recommendations for implementing McAfee ePolicy Orchestrator software versions 4.5 and 4.0. It is not meant to be a comprehensive guide for all implementations. Instead, use it to assist in planning and maintaining your ePolicy Orchestrator managed environment.
1 The history and architecture of ePolicy Orchestrator software
ePolicy Orchestrator software is a mature security management platform that delivers the quality and stability of a product that has evolved in the security environment. Understanding the history and architecture of the software can help you use the information in this guide more effectively.
Overview of the product architecture
The architecture of the ePolicy Orchestrator software and its components provides all the functionality needed to manage and protect your environment.
1 ePO server — Connects to the McAfee update server to download the latest security content.
2 ePO Microsoft SQL database — Stores all the data about the managed systems on your network.
3 McAfee Agents — Provide policy enforcement, product deployments and updates, and reporting on your managed systems.
4 Agent-server secure communication (ASSC) connections — Provides communications that occur at regu
2 Configuring your hardware for ePolicy Orchestrator software
How you configure your ePolicy Orchestrator software is influenced by many factors, including the size of your network and the hardware you use. Use the guidelines and scenarios in this chapter to help you choose the best configuration for your network.
• Optimize your storage using multiple dedicated drives (see Hard disk configuration) for each application as your node count increases.
• Manage only the basic McAfee products, such as VirusScan Enterprise and Host Intrusion Prevention.
If in the future you plan to manage more McAfee products and to add many more nodes, split the one server into two physical servers, one dedicated to the McAfee ePO server and the ot
Hard disk configuration
The primary limiting factor when choosing your configuration is the cost of storage. Depending on your hardware budget, choose the best configuration to prepare for future growth, even though you might only have 5,000 nodes to manage with the McAfee ePO server today. If your budget allows, choose the best and fastest configuration that you can afford.
Manage 25,000 to 75,000 nodes
If you have 25,000 to 75,000 nodes to manage with the McAfee ePO server, use two separate servers.
For the McAfee ePO server, use:
• RAID 1 for the operating system
• RAID 10 for the ePO application
For the SQL Server, use:
• RAID 1 for the operating system, with individual partitions for the SQL database (the MDF file) and the SQL transaction log (the LDF file).
SAN usage
Storage area network (SAN) devices are the standard configuration for larger storage requirements such as SQL databases that require backup and maintenance. SAN storage is a valid method for storing your SQL database, but it adds a layer of complexity to your SQL implementation that you should understand before relying on it.
Determining the server hardware needed
There is no technical limit on how many nodes can be managed by one McAfee ePO server. The key concept to remember about McAfee ePO servers is that fewer is better: the fewer McAfee ePO servers you have, the easier it is to maintain your environment. Many McAfee ePO customers manage 200,000 nodes with one server.
The ePolicy Orchestrator software 4.5 installation is bundled with Microsoft SQL Express for installing the McAfee ePO server in very small environments. Microsoft does not allow the SQL Express database to exceed 4 GB. SQL Express is suitable for testing McAfee products and for production environments with fewer than 500 nodes; beyond that, use a full SQL Server.
• 8 processors
• 16 to 32 GB of RAM
• Disk space is not a concern, since all the data is stored in the SQL database
The minimum SQL Server hardware recommended to manage this very large organization is:
• 16 processors
• 32 to 128 GB of RAM
• At least 300 GB of space for the SQL database
These are not upper limits for hardware.
3 Using distributed repositories to keep your security software up to date
Distributed repositories are file shares that you create to store and distribute important security content for your managed client systems. They play an important role in your McAfee ePO infrastructure. How you configure them, and which type you use, depends on the needs of your environment.
Overview of repository types
There are several types of repositories you can use in your managed environment. The ePolicy Orchestrator server always acts as the Master Repository: it keeps the master copy of all the content needed by your agents and replicates that content to each of the repositories distributed throughout your environment.
UNC share repositories
You can use Universal Naming Convention (UNC) shares to host your McAfee ePO server repository. Since most administrators are familiar with UNC shares, this might seem like the easiest method to choose, but that is not necessarily true.
Creating a new SuperAgent policy
A SuperAgent policy is a McAfee Agent policy that, when assigned to client machines, converts them to SuperAgents.
Task
1 From the Policy Catalog, click McAfee Agent and, from the Category list, select General to create a new policy. Give the new policy a distinctive name, for example SuperAgent policy.
Task
1 From the System Tree, click System Tree Actions | New Subgroup and give it a distinctive name, for example 1_SuperAgents.
2 Click OK. The new group appears in the System Tree list.
Assigning the new SuperAgents policy to the new SuperAgents group
When you assign the SuperAgents policy to the new SuperAgents group you complete the configuration of the SuperAgent group.
Task
1 From the SuperAgent group you created, click the Assign Policies tab and select McAfee Agent from the Product list.
2 From the Actions column, click Edit Assignments. The McAfee Agent : General dialog box appears.
3 Click Break inheritance and assign the policy and settings below, select the SuperAgent policy you created from the Assigned Policy list, and click Save.
Where to place repositories
Task
1 In the System Tree, click the Systems tab and find the system you want to change to a SuperAgent repository.
2 Drag the row with the system name and drop it into the new SuperAgent group you created in the System Tree. Once the system communicates with the McAfee ePO server, it changes to a SuperAgent repository.
How many repositories do you need
Downloading the daily DAT file randomly from the central ePO server to the system agents takes the following bandwidth:
100 agents * 200 KB file = 20 MB of bandwidth
Example 2: Downloading the DAT file to the local repository
For the McAfee ePO server to replicate the DAT file to each repository every day takes at least 70 MB of bandwidth per repository.
• Policy deployment
• Event collection
• Distributing all updates and software
Example 2 — Medium organization with four offices
The medium organization example has approximately 15,000 to 20,000 nodes. It has one data center in New York, through which all traffic destined for the Internet must be routed. There are four offices in the U.S., located in New York, San Francisco, Dallas, and Orlando.
APAC region servers
There are small offices in the APAC region with slow WAN links back to the McAfee ePO server in the UK, and these WAN links are already saturated with traffic. This means replication from the McAfee ePO server to an APAC repository is not feasible unless it is done during off hours. That is a reasonable option if you want to put SuperAgents in APAC.
4 From the Repositories list, find the McAfee ePO server and click Disable in the Actions column.
5 Click Save. The McAfee ePO server repository is disabled.
Calculating bandwidth of repository replication
Repository replication consumes valuable bandwidth in all environments. If you are only replicating DAT files, the bandwidth use is approximately 70 MB of replication per day for each repository.
In the small office in India you could add a repository, but you must then replicate the DAT file from the McAfee ePO server to that repository. This replication uses approximately 70 MB of bandwidth per day and, over a slow WAN link, could negatively affect the link to India because the transfer occurs all at once.
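The arithmetic in the three passages above (agents pulling a 200 KB DAT directly, versus a 70 MB replication to a local repository that must squeeze through a slow link) is easy to get wrong for a whole estate, so here is an added planning helper that works it through. This is example code written for this page, not code from the McAfee guide or from ePolicy Orchestrator. The two sizes are the guide's own figures; the office sizes, link rates, free-bandwidth fractions and off-hours window are constructed inputs, and decimal units are used so that 100 agents * 200 KB comes out at the guide's 20 MB.

```python
"""Repository placement planning for McAfee ePO distributed repositories.

Added example; this is not code from the McAfee guide or from ePolicy
Orchestrator.  The two sizes are the guide's own figures: an incremental DAT
pull of about 200 KB per agent per day, and about 70 MB per day to replicate
the DAT package from the master repository to a distributed repository.
Office sizes, link rates and the off-hours window are constructed inputs.
Decimal units (1 MB = 1,000,000 bytes) are used so that 100 agents * 200 KB
comes out at the guide's 20 MB.
"""
import math

KB = 1000
MB = 1000 * KB

DAT_PULL_BYTES = 200 * KB      # per agent, per day: incremental DAT pulled by the agent
REPLICATION_BYTES = 70 * MB    # per repository, per day: DAT package replicated by the ePO server


def daily_wan_bytes_direct(agents, pull_bytes=DAT_PULL_BYTES):
    """WAN bytes per day when every agent pulls its DAT from the central ePO server."""
    return agents * pull_bytes


def daily_wan_bytes_local_repo(replication_bytes=REPLICATION_BYTES):
    """WAN bytes per day with a local repository: one replication, agent pulls stay on the LAN."""
    return replication_bytes


def break_even_agents(pull_bytes=DAT_PULL_BYTES, replication_bytes=REPLICATION_BYTES):
    """Smallest agent count at which a local repository no longer costs more WAN bytes than direct pulls."""
    return math.ceil(replication_bytes / pull_bytes)


def transfer_seconds(nbytes, link_bps, usable_fraction=1.0):
    """Seconds to move nbytes over a link of link_bps bits/s when only usable_fraction of it is free."""
    if link_bps <= 0 or not 0 < usable_fraction <= 1:
        raise ValueError("link_bps must be positive and usable_fraction in (0, 1]")
    return nbytes * 8 / (link_bps * usable_fraction)


def plan_office(agents, link_bps, usable_fraction, off_hours_window_hours):
    """Compare direct agent pulls with a local repository for one office.

    Replication is treated as a single burst (the guide notes it occurs all at
    once), so it is only acceptable if it completes inside the off-hours window.
    """
    direct = daily_wan_bytes_direct(agents)
    local = daily_wan_bytes_local_repo()
    replication_secs = transfer_seconds(local, link_bps, usable_fraction)
    fits_off_hours = replication_secs <= off_hours_window_hours * 3600
    if agents < break_even_agents():
        recommendation = "direct pulls"      # replication would cost more than the pulls it replaces
    elif fits_off_hours:
        recommendation = "local repository, replicate during off hours"
    else:
        recommendation = "local repository, but replication does not fit the off-hours window"
    return {
        "direct_bytes_per_day": direct,
        "local_repo_bytes_per_day": local,
        "replication_seconds": replication_secs,
        "fits_off_hours": fits_off_hours,
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    # Constructed offices: 100 agents on a 2 Mbit/s link with half of it free at night,
    # 500 agents on the same link, and 500 agents behind a saturated 64 kbit/s link.
    for agents, bps, free, window in ((100, 2_000_000, 0.5, 8), (500, 2_000_000, 0.5, 8), (500, 64_000, 0.1, 1)):
        p = plan_office(agents, bps, free, window)
        print(agents, "agents:", p["recommendation"],
              f"(direct {p['direct_bytes_per_day'] / MB:.0f} MB/day, replication {p['replication_seconds'] / 60:.1f} min)")
```

With the guide's figures the break-even point is 350 agents: below that, a local repository costs more WAN bytes per day than letting agents pull directly, regardless of link speed. Above it, the deciding factor is whether the 70 MB burst fits into the off-hours window on whatever bandwidth the saturated link actually has free, which is the India and APAC situation the text describes.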
About Global Updating
Global Updating is a powerful feature, but if it is used incorrectly it can have a negative impact on your environment. Global Updating updates your repositories as quickly as possible whenever the master repository changes. This is great if you have a smaller environment (fewer than 3,000 nodes) with no WAN links.
4 Scaling your ePolicy Orchestrator infrastructure with Agent Handlers
Agent Handlers coordinate work between themselves and the ePolicy Orchestrator server. You can place multiple remote Agent Handlers throughout your network. Once in place, your remote Agent Handlers use a work queue in the SQL database as their primary communication method. The Agent Handlers check the work queue frequently and perform the requested action.
What are Agent Handlers
Do not use Agent Handlers to replace repositories. A repository is a simple file share meant to keep update traffic local. While an Agent Handler has repository functionality built in, it has much more intelligence and requires constant communication back to the SQL database. Placed on the far side of a WAN link, that constant communication can saturate the link.
5 Installing and upgrading ePolicy Orchestrator software
There are two types of ePolicy Orchestrator installations: a new installation in an environment where no previous version of ePolicy Orchestrator software has been installed, and an upgrade installation where you are replacing an existing version of ePolicy Orchestrator software. Before you install your ePolicy Orchestrator server software, an understanding of the hardware requirements is very important. See the McAfee ePolicy Orchestrator 4.
Upgrade the software
• You retain all your policies and client tasks — you don't have to rebuild them, which can save time.
• You retain your directory structure — if you have invested a lot of time building this structure, an in-place upgrade may be a good idea.
• You don't have to transfer any McAfee agents to a new server — since nothing changes with an in-place upgrade, the upgrade is transparent to all your agents.
• Test your upgrade in a VM environment with a copy of your SQL database to make sure the upgrade works smoothly.
• Validate all your settings to confirm they are in place after the upgrade.
Move the server
There might be a time when you need to move your McAfee ePO server from one physical server to another while maintaining all your settings, for example when your hardware is old, has failed, or is out of warranty.
Move McAfee Agents between servers
Before the release of ePolicy Orchestrator 4.5, many customers wanted an upgrade path that would allow them to start with a new database while retaining their old settings. Version 4.
Exporting and importing the ASSC keys
You must export the agent-server secure communication (ASSC) keys from the old server and import them into the new server before moving your clients to the new McAfee ePO server; agents only trust a server that holds the keys they were installed with. Treat the exported key file as sensitive material, because whoever holds the ASSC private key can act as the ePO server toward your agents. See McAfee ePolicy Orchestrator 4.5 Product Guide for detailed agent-server secure communication key export and import instructions.
Using Transfer Systems feature on ePolicy Orchestrator 4.
3 Select the systems to move to the new McAfee ePO server and click Actions | Agents | Transfer Systems. The Transfer Systems dialog box appears.
4 Select the server from the drop-down menu and click OK.
Once a managed system has been marked for transfer, two agent-server communications must occur before the system is displayed in the System Tree of the target server.
6 The McAfee Agent and your System Tree
The McAfee Agent and your System Tree are two of the most important pieces of your managed environment. The agent is the liaison between all point-products and the McAfee ePO server. The System Tree is the logical representation of your managed environment.
Agent functionality
Once an agent is installed on a system, you never need to use a third-party deployment tool to update anything on that client.
Figure 6-1 One agent to communicate with many products
McAfee Agent modularity
The advantage of the agent design is modularity. The modular design allows you to add new security offerings to your environment, as your needs change, using the same agent framework.
• A logon script
• Manual execution
• The McAfee ePO server
• Third-party tools
• An image with the agent as part of the image
You must use the specific McAfee agent executable file obtained from the McAfee ePO server in your environment. Each agent installer is created dynamically during the initial installation of your McAfee ePO server and is tied to that server.
If you gave this custom McAfee Agent installer to your desktop team a year ago, it is probably outdated. It becomes outdated if, for example, you have made changes to your ePolicy Orchestrator server, such as rebuilding it with a new IP address, or have checked a newer version of the McAfee Agent in to your server.
• The machines in your AD tree must be well maintained. This is not always the case in many larger organizations. Stale machine accounts need to be deleted, and machines placed into the appropriate containers in AD, for ePolicy Orchestrator to properly mirror your AD structure.
Using third-party tools is not a requirement, but your organization might have strict policies that dictate how products are deployed, for consistency and change-control reasons.
Confirm you deleted the agent GUID before freezing the image
If you choose option 1, including the agent in your Windows image, it can cause one of the most common problems seen in ePolicy Orchestrator: not resetting the Agent GUID. Every system built from the image then reports the same GUID, so the McAfee ePO server treats them as a single system and the others do not appear in the ePolicy Orchestrator directory. To avoid this, make sure you delete the agent GUID before freezing the image when you make the agent part of your image.
Dynamically sorting your machines
To dynamically sort your machines into your ePolicy Orchestrator System Tree, use a combination of system criteria, such as machine name or IP address, to move machines automatically into their appropriate group. This requires you to create some basic groups for your tree structure first.
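The two points above (the server keys each managed system on its Agent GUID, so an image frozen with a GUID in it produces clones that collapse into one record; and sorting criteria place each system into a group) are easier to see in a small model. The following is an added example written for this page, not code from the McAfee guide or from ePolicy Orchestrator. It models a deleted GUID as a fresh UUID generated on first start, evaluates sorting rules in order with the first match winning, and sends unmatched systems to Lost&Found. The group names, subnets, hostnames and the baked-in image GUID are constructed for illustration.

```python
"""Agent GUID registration and dynamic System Tree sorting, modelled in Python.

Added example; this is not code from the McAfee guide or from ePolicy
Orchestrator.  It models two behaviours the text describes: the McAfee ePO
server identifies a managed system by its Agent GUID, so clones built from an
image whose GUID was not cleared all collapse into one System Tree record; and
sorting criteria (IP subnets, computer-name patterns) place each system into a
group, with systems matching no criterion going to Lost&Found.  Group names,
subnets, hostnames and the image GUID are constructed for illustration, and a
cleared GUID is modelled as a fresh UUID generated on first start.
"""
import ipaddress
import re
import uuid
from dataclasses import dataclass


@dataclass
class Agent:
    guid: str
    name: str
    ip: str


@dataclass
class SortRule:
    """One System Tree group and the criteria that route a system into it."""
    group: str
    subnets: tuple = ()      # e.g. ("10.20.0.0/16",)
    name_pattern: str = ""   # regular expression matched against the computer name

    def matches(self, agent):
        addr = ipaddress.ip_address(agent.ip)
        if any(addr in ipaddress.ip_network(s) for s in self.subnets):
            return True
        return bool(self.name_pattern) and re.search(self.name_pattern, agent.name, re.I) is not None


def build_image_clones(image_guid, hosts, reset_guid):
    """Deploy an image to several machines. reset_guid=True models deleting the GUID before freezing the image."""
    return [Agent(str(uuid.uuid4()) if reset_guid else image_guid, name, ip) for name, ip in hosts]


def register(agents):
    """The server's view: one record per Agent GUID. A later report with the same GUID overwrites the earlier one."""
    systems = {}
    for a in agents:
        systems[a.guid] = a
    return systems


def sort_into_groups(systems, rules, lost_and_found="Lost&Found"):
    """Evaluate rules in order; the first match wins, and unmatched systems go to Lost&Found."""
    groups = {r.group: [] for r in rules}
    groups[lost_and_found] = []
    for a in systems.values():
        for r in rules:
            if r.matches(a):
                groups[r.group].append(a.name)
                break
        else:
            groups[lost_and_found].append(a.name)
    return groups


# Constructed rules and hosts: two office subnets, a name-based server group, one machine that matches nothing.
RULES = [
    SortRule("Dallas", subnets=("10.20.0.0/16",)),
    SortRule("Orlando", subnets=("10.30.0.0/16",), name_pattern=r"^ORL-"),
    SortRule("Servers", name_pattern=r"^SRV-"),
]
HOSTS = [("DAL-PC01", "10.20.1.5"), ("DAL-PC02", "10.20.1.6"), ("ORL-LAP07", "192.168.7.9"),
         ("SRV-SQL01", "10.99.0.2"), ("HOME-X", "172.16.0.4")]
IMAGE_GUID = "00000000-0000-0000-0000-00000000c10e"   # constructed GUID left inside a golden image


def demo(reset_guid):
    """Deploy the image to every host and sort whatever the server actually recorded."""
    return sort_into_groups(register(build_image_clones(IMAGE_GUID, HOSTS, reset_guid)), RULES)


if __name__ == "__main__":
    print("GUID not cleared:", demo(reset_guid=False))   # only the last machine to report survives
    print("GUID cleared:    ", demo(reset_guid=True))
```

Run as is, the uncleared image leaves a single record in Lost&Found (whichever clone reported last), which is exactly the "systems do not appear" symptom; with the GUID cleared, all five machines register and land in their groups. The rule order matters in the same way it does in the System Tree: a host that matches both an IP range and a name pattern goes to the first group whose criteria it meets.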
7 Managing endpoint security with policies and packages
Policies are the settings that govern each product on the endpoint. Packages are the binaries that can be deployed by the McAfee Agent to your endpoints. Policies include the settings for any supported product, from McAfee VirusScan Enterprise to McAfee Endpoint Encryption. These policies include every checkbox and setting that dictates what the endpoint product does on each one of your systems.
This is not an exhaustive list, and new products are constantly being added as McAfee expands its solution portfolio. Because of the McAfee ePO server's modular architecture, you can add new product policies for management by ePolicy Orchestrator simply by checking in a product extension.
• Collects and sends its properties to the McAfee ePO server or Agent Handler
• Checks to see if any policy changes or client tasks have occurred on the McAfee ePO server and pulls down the changes to the client
For example, if any change is made to a policy for a point-product managed by ePolicy Orchestrator, such as VirusScan Enterprise, Endpoint Encryption, or Host Data Loss Protection, at the ASCI time that change is pulle
Configuring ASCI
Configure the ASCI to determine how often every McAfee Agent calls the McAfee ePO server. The ASCI is set to 60 minutes by default. If that interval is too frequent for the number of agents you manage, increase it.
Task
1 Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list.
2 Click the General tab, and type the Agent-to-server communication interval as shown in the following figure.
3 Click Save.
If you need to send a policy change or add a client task immediately, execute an agent wake-up call.
1 Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list.
2 Click the General tab, and type the Policy enforcement interval as shown in the following example.
Deploying packages
Packages are the binaries or files that can be deployed to an endpoint. All packages that can be deployed from the McAfee ePO server are located in the master repository.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings, then in the Settings Category pane click Repository Packages. The following dialog box appears.
2 Click Edit, change the default from No to Yes, and save the change.
8 Using Client and Server tasks in your managed environment
Client and Server tasks are, as their names imply, tasks that are carried out on your ePolicy Orchestrator server or on the clients it manages. Using these tasks effectively can help ease the overhead of managing your secure network.
Contents
Client tasks
Server tasks
Client tasks
Client tasks run on the clients and are typically scheduled to run at a specific time.
local and does not need to communicate with the McAfee ePO server. Policy enforcement makes the agent compare the last known product policy pulled from the McAfee ePO server to the current policy on the client. By enabling this feature, the agent confirms at every policy enforcement interval that the products you want installed by this task are still installed.
• Bandwidth
• Which machines have the latest content for protection
• The quality of your compliance reports
If a deployment task is deploying multiple point-products for the first time, roll the products out gradually to some targeted test machines first. The schedule you configure depends on the bandwidth available in your environment. For example, if you are upgrading from VirusScan Enterprise 8.7 to 8.
The following formula calculates the bandwidth needed to move 12 GB of data per repository randomly over a 9-hour workday. The total equals 1.33 GB of data per hour pulled from each repository:
12 GB (per repository) / 9 (hours) = 1.33 GB per hour
Updating products
Product updates use the agent to update content such as VirusScan Enterprise DAT files, engines, or product patches.
4 Choose the content to update using this task. In this example the Daily Master Update task downloads the VirusScan Enterprise DAT and Engine files. If you would like to deploy a product patch, make a separate client task designed to deploy that patch only. That makes it easier to keep track of your client tasks.
5 Click Next to configure the schedule for this task.
The key to a good update task is updating several times per day at completely random intervals. Many users reason that, because McAfee releases its signatures once per day, clients should only look for updates once per day. But a client can check for updates several times per day at the nearest repository without any negative impact on bandwidth or the repositories, and it then picks up new content sooner after it is released.
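The two scheduling points in this chapter, the sustained rate behind the 12 GB over 9 hours figure and the reason for randomizing update tasks, are worth seeing with numbers. The following is an added example written for this page, not code from the McAfee guide or from ePolicy Orchestrator. Client counts, the package size and the window length are constructed inputs; the randomized start times are simulated with a seeded generator so the result is reproducible, and each client's pull is treated as completing within the minute it starts.

```python
"""Rollout throughput and update-task randomization.

Added example; not code from the McAfee guide or from ePolicy Orchestrator.
It works through two points the guide makes: the sustained rate a repository
must serve when a deployment is spread over a workday (the guide's figure is
12 GB per repository over 9 hours), and why spreading client update tasks over
a randomization window keeps the peak load on a repository far below what a
fixed start time produces.  Client counts, package sizes and windows are
constructed inputs; randomized start times are simulated with a seeded
generator so the result is reproducible.
"""
import math
import random
from collections import Counter


def hourly_throughput_gb(total_gb, window_hours):
    """Average GB per hour a repository must serve to move total_gb within window_hours."""
    if window_hours <= 0:
        raise ValueError("window_hours must be positive")
    return total_gb / window_hours


def simulated_start_minutes(clients, window_minutes, seed=0):
    """Start minute for each client when the task is randomized across window_minutes."""
    rng = random.Random(seed)
    return [rng.randrange(window_minutes) for _ in range(clients)]


def peak_clients_per_minute(clients, window_minutes, randomize, seed=0):
    """Largest number of clients starting the task in any one minute."""
    if not randomize or window_minutes <= 1:
        return clients                       # everyone starts at the scheduled minute
    return max(Counter(simulated_start_minutes(clients, window_minutes, seed)).values())


def ideal_clients_per_minute(clients, window_minutes):
    """Best case for a perfectly even spread; a random spread lands a little above this, never below."""
    return math.ceil(clients / window_minutes)


def peak_repository_mbps(package_mb, clients, window_minutes, randomize, seed=0):
    """Approximate peak demand on a repository, treating each client's pull as completing within its start minute."""
    peak = peak_clients_per_minute(clients, window_minutes, randomize, seed)
    return peak * package_mb * 8 / 60        # MB per minute -> megabits per second


if __name__ == "__main__":
    print(f"{hourly_throughput_gb(12, 9):.2f} GB/hour to move 12 GB over a 9-hour workday")
    clients, window = 5000, 9 * 60           # constructed: 5,000 clients behind one repository, 9-hour window
    for randomize in (False, True):
        peak = peak_clients_per_minute(clients, window, randomize)
        print(f"randomize={randomize}: peak {peak} clients/min, "
              f"{peak_repository_mbps(0.2, clients, window, randomize):.1f} Mbit/s for a 200 KB DAT pull")
```

With a fixed start time all 5,000 clients hit the repository in the same minute; randomized over the workday the worst minute carries a few dozen, close to the ideal of ten. That difference, not the total bytes moved, is what a repository's link and disk actually feel, and it is why the guide favours several randomized checks per day over one scheduled one.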
Server tasks
Server tasks are any items scheduled to run on the McAfee ePO server itself. Using server tasks properly can significantly improve efficiency in your organization, because they automate many of the common items you would otherwise perform manually on a daily or weekly basis. Server task actions are added automatically as new extensions are added to ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Server Tasks and click Actions | New Task. The Server Task dialog box appears.
2 Give the task a name, for example Manage Inactive Systems, and click Next. The Actions dialog box appears.
3 Configure a weekly report.
• Click Run Query from the Actions list.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Server Tasks, and click Actions | New Task. The Server Task dialog box appears.
2 Give the task a name, for example Manage Inactive Systems, and click Next. The Actions dialog box appears.
3 Configure an email report.
• Click Run Query from the Actions list.
1 Pull content from McAfee into your master repository, which is always the McAfee ePO server.
2 Replicate that content to your distributed repositories. This ensures that multiple copies of the content are available and remain synchronized, so that clients can update their content from their nearest repository.
The most important content is the DAT files for VirusScan Enterprise, released daily at approximately 11 a.m.
3 From the Repositories list, find the McAfee ePO server and click Disable in the Actions column.
4 Click Save to disable the McAfee ePO server repository.
Purge events automatically
Every day hundreds or thousands of events are sent from all your agents to your McAfee ePO server for processing. These events can affect the performance of the McAfee ePO server and the SQL Server.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Server Tasks, then click Actions | New Task. The Server Task Builder dialog box appears.
2 Give the task a name, for example Delete client events, and from the Actions tab configure the following from the Actions list:
• Purge Audit Log — Purge after 6 months.
• Purge Client Events — Purge after 6 months.
events is only 10 days, because it collects all URLs that are visited by managed machines. Purging these sooner can save a lot of database space in environments with more than 10,000 nodes, which is why this data is kept for a much shorter time than other event types.
3 Schedule the task to run every day during non-business hours, then click Save.
Purging events by query
You can use a custom configured query as a base to clear client events.
As systems are decommissioned, or disappear because of extended travel, users on leave, or other reasons, remove them from the System Tree. Removing these systems ensures that the reports you run return data on systems that have recently communicated with the McAfee ePO server, not on outdated systems that have not communicated in weeks. An example of a skewed report is your DAT compliance report.
3 Optional. Instead of using the default subaction Delete Systems, you can select Move Systems to another Group. This moves the systems found by the query to a designated group in your System Tree, in case you want to investigate these systems further.
You might be concerned about deleting systems from your System Tree because you think that a system will never report back to the McAfee ePO server if it returns to the network. It will: an agent that still holds valid ASSC keys re-registers at its next agent-server communication and is placed in the System Tree again.
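The two housekeeping tasks described above, purging events by age with a shorter retention for web-filtering events and finding systems that have stopped communicating, both come down to comparing record dates against a threshold, and the second one is best understood by seeing what stale systems do to a compliance figure. The following is an added example written for this page, not code from the McAfee guide or from ePolicy Orchestrator. The retention periods are the ones the guide suggests (six months for audit log and client events, ten days for web-filtering events); the event records, system records, DAT version numbers and the "today" date are constructed.

```python
"""Event retention and inactive-system handling for ePO server-task planning.

Added example; not code from the McAfee guide or from ePolicy Orchestrator.
It models the two housekeeping tasks the guide describes: purging events by
age with a retention period per event type (six months for audit log and
client events, ten days for web-filtering events), and finding systems that
have not communicated for a given number of days so they can be deleted or
moved to a holding group.  It also shows how stale systems left in the System
Tree skew a DAT compliance figure.  All records and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Event:
    received: date
    event_type: str          # "audit", "client" or "web_filtering"


@dataclass
class System:
    name: str
    last_communication: date
    dat_version: int


RETENTION_DAYS = {"audit": 180, "client": 180, "web_filtering": 10}
TODAY = date(2011, 6, 1)     # constructed reference date for the samples below


def purge_events(events, today, retention=RETENTION_DAYS, default_days=180):
    """Split events into (kept, purged) by age against the per-type retention."""
    kept, purged = [], []
    for e in events:
        limit = retention.get(e.event_type, default_days)
        (purged if (today - e.received).days > limit else kept).append(e)
    return kept, purged


def inactive_systems(systems, today, days):
    """Systems that have not communicated with the server for more than `days` days."""
    return [s for s in systems if (today - s.last_communication).days > days]


def handle_inactive(systems, today, days, action="delete", group="Inactive"):
    """Apply the server task's subaction: drop inactive systems, or report which group they would move to."""
    stale = {s.name for s in inactive_systems(systems, today, days)}
    remaining = [s for s in systems if s.name not in stale]
    moved = {name: group for name in sorted(stale)} if action == "move" else {}
    return remaining, moved


def dat_compliance(systems, current_dat, tolerance=2):
    """Fraction of systems whose DAT is no more than `tolerance` versions behind current."""
    if not systems:
        return 1.0
    ok = sum(1 for s in systems if current_dat - s.dat_version <= tolerance)
    return ok / len(systems)


def compliance_with_and_without_stale(systems, today, current_dat, days):
    """Compliance as reported with stale systems left in, and after they are removed."""
    remaining, _ = handle_inactive(systems, today, days)
    return dat_compliance(systems, current_dat), dat_compliance(remaining, current_dat)


def sample_systems(today):
    """Constructed fleet: eight systems reporting daily with a current DAT, two that vanished weeks ago."""
    fleet = [System(f"PC-{i:02d}", today - timedelta(days=1), 6400) for i in range(8)]
    fleet.append(System("LAPTOP-TRAVEL", today - timedelta(days=45), 6350))
    fleet.append(System("OLD-DECOM", today - timedelta(days=120), 6200))
    return fleet


def sample_events(today):
    """Constructed events sitting on either side of each retention boundary."""
    return [
        Event(today - timedelta(days=5), "web_filtering"),
        Event(today - timedelta(days=11), "web_filtering"),
        Event(today - timedelta(days=100), "client"),
        Event(today - timedelta(days=181), "client"),
        Event(today - timedelta(days=181), "audit"),
    ]


if __name__ == "__main__":
    kept, purged = purge_events(sample_events(TODAY), TODAY)
    print(f"events kept {len(kept)}, purged {len(purged)}")
    before, after = compliance_with_and_without_stale(sample_systems(TODAY), TODAY, 6400, 30)
    print(f"DAT compliance: {before:.0%} with stale systems in the tree, {after:.0%} without")
    print("move subaction:", handle_inactive(sample_systems(TODAY), TODAY, 30, action="move")[1])
```

The constructed fleet reports 80% DAT compliance while the two machines that have not talked to the server in weeks remain in the tree, and 100% once the inactive-systems task removes or moves them; the two missing machines were never going to update until they reconnect, so the lower figure measures the tree's hygiene rather than the estate's protection. The Move subaction keeps them visible in a holding group for follow-up instead of discarding them.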
9 Reporting on your managed environment with Queries
ePolicy Orchestrator provides built-in querying and reporting capabilities. These are highly customizable, flexible and easy to use. The Query Builder and Report Builder create and run queries and reports that present user-configured data in user-configured charts and tables. The data for these queries and reports can be obtained from any registered internal or external database in your ePolicy Orchestrator system.
See McAfee ePolicy Orchestrator 4.5 Product Guide and McAfee ePolicy Orchestrator 4.5 Reporting Guide for details. The following example shows some of the categories of preconfigured queries provided with the ePolicy Orchestrator software.
Custom queries
Creating custom queries is a straightforward process on the McAfee ePO server, and you can also duplicate and modify existing queries to change the output and reports.
• Have not communicated with the McAfee ePO server in a while
• Are suspected of not working properly when you attempt to wake them up
• Need a new agent deployed to them directly from the McAfee ePO server
Creating custom event queries
Create a custom query.
Task
1 Click Menu | Reporting | Queries, then Actions | New Query. The Query Wizard appears, starting with the Result Types tab. The result types are organized into groups on the left-hand side of the page. Depending on which extensions have been checked into ePolicy Orchestrator, these groups vary.
3 Choose the label or variable that you want the report to display. There are many variables you can choose for the McAfee Agent reports to display, and the report does not have to return data on McAfee products. For example, you can report on the operating system versions used in your environment. In the Labels are list, click OS Type.
4 Choose the columns that you want to see if you drill down on any of the variables in your report. This is not a critical component when building your query and can be adjusted later. You can also drag and drop your columns from left to right, and add and remove the columns you want displayed. Click Next to use the default columns. You can filter the data that you want the query to return.
5 Click Next to create no filters and display all of the operating system types.
6 Click Run to generate the report and see the results.

After you create the report and display the output, you can fine-tune it without starting again from the beginning. To do this, click Edit Query. This allows you to go back, adjust your report, and run it again within seconds.
3 Click Events in the Features Group and Client Events in the Result Type. Click Next to continue to the Chart dialog box.
4 Under Summary, click Single Group Summary Table to display a total count of all the client events in the events table.
5 Click Event Description in the Labels are list, under Threat Event Descriptions, to create a filter with a good human-readable description of the events. Optionally, you can also filter on the Event ID, which is the number that represents client event data in ePolicy Orchestrator. See McAfee Point Product generated Event IDs listed in ePO, KnowledgeBase article KB54677.
8 Click Run to display the query report. In this example there are 308 client events in total. If you want, you can click one event and drill down on it to find out more information.
9 Click Save and give the report an appropriate name, for example All Client Events by Event Description.

Creating threat events summary query

Create a threat events summary query.
5 Click Event Description in the Labels are list, under Threat Event Descriptions, to create a filter with a good human-readable description of the events. Optionally, you can also filter on the Event ID, which is the number that represents client event data in ePolicy Orchestrator. See McAfee Point Product generated Event IDs listed in ePO, KnowledgeBase article KB54677.
8 Click Run to display the query report. The McAfee ePO server displays approximately 8,000 threat events in total. The data shown in this example comes from a McAfee ePO server that is managing only a few dozen nodes, so these numbers are relatively small. A real production ePolicy Orchestrator database may have millions of threat and client events.
9 To estimate approximately how many events you should have on your network, use the following formula:

estimated number of events = (number of nodes / 10,000) x (1 to 2 million events)

For example, if you have 50,000 nodes you should be in the range of 5 to 10 million total client and threat events. This number will vary greatly based on the number of products and policies you have and your data retention rate.
4 If the event is important, make sure you are monitoring the number of events using the procedures in Creating event summary queries and Purging events automatically. If you are not looking at these events in the first place, consider disabling the event completely in the VirusScan Enterprise access protection policy so that it is never sent to the McAfee ePO server at all.
5 Click Next to skip the Columns dialog box. You can choose the columns you want to analyze, but you can skip this step because the McAfee ePO server does not use the columns you choose in the server task.
6 Click Event ID in Available Properties under Client Events to create an Event ID filter. An Event ID row is added in the Filter pane.
11 Find the custom query you just created and click it in the list.
12 Schedule the task to run every night, then click Save.

You can use this technique to purge other threat events based on the custom table queries you create.
10 FAQs and common scenarios

This chapter contains some frequently asked questions (FAQs) and some common scenarios that an ePolicy Orchestrator administrator might encounter when configuring the McAfee ePO server.
Task
1 Click Menu | Automation | Server Tasks to open the Server Tasks Builder.
2 Click Edit for one of the following tasks:
• Duplicate Agent GUID — Clear error count.
• Duplicate Agent GUID — Remove systems with potentially duplicated GUIDs.
3 In the Description page, select Enabled, then click:
• Save — To enable the server task and run it from the Server Task dialog box.
Determining if your server has performance problems

Task
1 Under Reliability and Performance, click Monitoring Tools | Performance Monitoring, then click the plus sign (+). The Add Counters dialog box appears.
2 In the Available counters list, browse to the computer to test, or scroll down to the ePolicy Orchestrator Server counters selection, then click the plus sign (+) to expand the list of counters.
You can also check how quickly your ePolicy Orchestrator server processes events from agents by looking in the Events folder on the McAfee ePO server. This folder is where all events are processed by ePolicy Orchestrator and sent to the SQL database. You can find this folder at:

C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events

At any time, this folder might display a few dozen or a few hundred events.
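One way to turn that visual check into a repeatable measurement, as an added example that is not part of the McAfee guide: the PowerShell functions below count the files waiting in the Events folder, report the age of the oldest one, and sample the folder twice to show whether the backlog is draining or growing. The folder path is the one the guide gives; the -WarnThreshold value and the -SampleSeconds interval are assumptions chosen for illustration, not limits McAfee publishes, so tune them to what is normal for your server.

```powershell
# Added example (not from the McAfee guide): measure the backlog of agent
# event files waiting in the ePO Events folder and whether it is draining.
function Get-EpoEventBacklog {
    [CmdletBinding()]
    param(
        # Folder the guide names as the event processing location.
        [string]$EventsPath = 'C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events',
        # Assumed threshold for flagging a backlog; tune it for your environment.
        [int]$WarnThreshold = 500
    )

    if (-not (Test-Path -LiteralPath $EventsPath -PathType Container)) {
        throw "Events folder not found: $EventsPath"
    }

    # Count only files directly in the folder; subfolders are not the pending queue.
    $files  = @(Get-ChildItem -LiteralPath $EventsPath -ErrorAction Stop |
                Where-Object { -not $_.PSIsContainer })
    $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
    $ageMinutes = 0.0
    if ($oldest) {
        $ageMinutes = [math]::Round(((Get-Date) - $oldest.LastWriteTime).TotalMinutes, 1)
    }

    New-Object PSObject -Property @{
        SampledAt         = Get-Date
        PendingFiles      = $files.Count
        OldestFileMinutes = $ageMinutes
        Backlogged        = ($files.Count -gt $WarnThreshold)
    }
}

# Take two samples a short interval apart: a falling count means the server is
# keeping up; a rising count means events arrive faster than they are parsed.
function Measure-EpoEventDrain {
    [CmdletBinding()]
    param(
        [string]$EventsPath = 'C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events',
        # Assumed sampling interval in seconds.
        [int]$SampleSeconds = 60
    )

    $first = Get-EpoEventBacklog -EventsPath $EventsPath
    Start-Sleep -Seconds $SampleSeconds
    $second = Get-EpoEventBacklog -EventsPath $EventsPath

    $delta = $second.PendingFiles - $first.PendingFiles
    $trend = 'steady'
    if ($delta -gt 0) { $trend = 'growing' } elseif ($delta -lt 0) { $trend = 'draining' }

    New-Object PSObject -Property @{
        FirstCount      = $first.PendingFiles
        SecondCount     = $second.PendingFiles
        ChangePerMinute = [math]::Round($delta / ($SampleSeconds / 60.0), 1)
        Trend           = $trend
    }
}

# Usage: run on the McAfee ePO server as an account that can read the folder.
Get-EpoEventBacklog | Format-List
Measure-EpoEventDrain -SampleSeconds 60 | Format-List
```

A steady count of a few hundred files with a young oldest file is normal; an oldest file that is hours old, or a count that keeps growing between samples, is the condition the Performance Monitor counters above are meant to help you diagnose.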
Understand product version numbers

• "4.0.0" — Is the product revision number
• "1421" — Is the build number. That build number indicates this is "Patch 2"

To determine the build number-to-patch number relationship, you must go to the KnowledgeBase (KB) articles for each product. See Reference documentation.

ePolicy Orchestrator server and McAfee Agent revisions

The two most relevant products for this document are the McAfee ePO server and the McAfee Agent.
1051 and 1059 events

• Because the scan timed out due to the size of the file, which is a 1059 event
• The file was not scanned because it was inaccessible due to a password or encryption on the file, which is a 1051 event

Disable these two events under event filtering to prevent a flood of these events into your database. By disabling these events you are effectively telling the agent to stop sending them to ePolicy Orchestrator.
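Before filtering an event, it helps to know how much of your event volume it really accounts for. The PowerShell script below is an added example, not McAfee code: it runs the same kind of summary as the event summary queries built in the Custom queries section, but directly against the ePO database, and flags the share of 1051 and 1059 events. It assumes the Invoke-Sqlcmd cmdlet from the SqlServer (or older SQLPS) module, and it assumes the ePO 4.x database stores events in a dbo.EPOEvents table with ThreatEventID and ReceivedUTC columns; check those names against your own database before running it. The instance and database names are placeholders.

```powershell
# Added example (not from the McAfee guide): rank events by ID over a recent
# window and report how much of the volume comes from 1051/1059, the two
# events the guide suggests disabling under event filtering.
function Get-EpoEventVolume {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,   # placeholder, e.g. 'EPOSQL\EPOSERVER'
        [Parameter(Mandatory=$true)][string]$Database,         # placeholder, e.g. 'ePO4_<servername>'
        [int]$Days = 7,                                        # assumed reporting window
        [int[]]$WatchIds = @(1051, 1059)                       # event IDs named in the guide
    )

    # Assumed schema: dbo.EPOEvents(ThreatEventID int, ReceivedUTC datetime).
    # $(Days) is a SQLCMD scripting variable supplied through -Variable, so the
    # single-quoted here-string keeps it literal for Invoke-Sqlcmd to expand.
    $query = @'
SELECT ThreatEventID, COUNT(*) AS EventCount
FROM dbo.EPOEvents
WHERE ReceivedUTC >= DATEADD(day, -$(Days), GETUTCDATE())
GROUP BY ThreatEventID
ORDER BY EventCount DESC;
'@

    $rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
                            -Query $query -Variable @("Days=$Days") -QueryTimeout 600)

    $total = ($rows | Measure-Object -Property EventCount -Sum).Sum
    if (-not $total) { $total = 0 }

    foreach ($row in $rows) {
        $share = 0
        if ($total -gt 0) { $share = [math]::Round(100.0 * $row.EventCount / $total, 1) }
        New-Object PSObject -Property @{
            ThreatEventID = $row.ThreatEventID
            EventCount    = $row.EventCount
            PercentOfAll  = $share
            Watched       = ($WatchIds -contains $row.ThreatEventID)
        }
    }
}

# Usage (placeholder names): top event IDs over the last 7 days, watched IDs first.
Get-EpoEventVolume -ServerInstance 'EPOSQL\EPOSERVER' -Database 'ePO4_EPOSERVER' |
    Sort-Object Watched, EventCount -Descending |
    Format-Table ThreatEventID, EventCount, PercentOfAll, Watched -AutoSize
```

If 1051 and 1059 together are a large fraction of the total, filtering them is the quickest win; if some other ID dominates, look it up in KB54677 and decide whether that event is one you actually act on before you purge or filter it.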
11 Maintaining your SQL database

For your McAfee ePO server to function correctly, it is very important to have a well-performing SQL database. It is the central storage place for all the data your McAfee ePO server uses, and it requires maintenance and care.

ePolicy Orchestrator SQL database maintenance

The SQL database used by the McAfee ePO server requires regular maintenance and backups to ensure ePolicy Orchestrator functions correctly.
Setting up a maintenance task to automatically reindex and rebuild your ePolicy Orchestrator SQL database only takes a few minutes and is essential to maintain proper performance on the McAfee ePO server. You can include the re-indexing as part of your regular backup schedule to combine everything in one task. Do not shrink your database.
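For sites that schedule maintenance from a script rather than a SQL Server maintenance plan, the following PowerShell function is an added example (not McAfee's own tooling) of the reindex step described above. It reads fragmentation from sys.dm_db_index_physical_stats, reorganizes moderately fragmented indexes, rebuilds heavily fragmented ones, refreshes statistics, and deliberately contains no shrink step. It assumes Invoke-Sqlcmd from the SqlServer (or SQLPS) module; the 5% / 30% thresholds and the 100-page minimum are the common SQL Server guidance, assumed here rather than taken from the guide, and the instance and database names are placeholders.

```powershell
# Added example (not from the McAfee guide): reorganize or rebuild fragmented
# indexes in the ePO database and refresh statistics. Schedule it in a
# maintenance window alongside (never instead of) your database backups.
function Invoke-EpoIndexMaintenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,   # placeholder, e.g. 'EPOSQL\EPOSERVER'
        [Parameter(Mandatory=$true)][string]$Database,         # placeholder, e.g. 'ePO4_<servername>'
        [int]$ReorganizePercent = 5,    # assumed thresholds following the usual SQL Server
        [int]$RebuildPercent = 30,      # guidance: reorganize at 5-30%, rebuild above 30%
        [int]$MinPages = 100            # ignore tiny indexes where fragmentation is meaningless
    )

    # T-SQL kept compatible with SQL Server 2005 (no inline DECLARE init, no +=).
    # There is deliberately no DBCC SHRINKDATABASE here: shrinking re-fragments
    # the indexes this job just repaired, which is why the guide says not to shrink.
    $tsql = @'
SET NOCOUNT ON;
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql
    + N'ALTER INDEX ' + QUOTENAME(i.name)
    + N' ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
    + CASE WHEN ps.avg_fragmentation_in_percent >= $(RebuildPct)
           THEN N' REBUILD;' ELSE N' REORGANIZE;' END + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.objects AS o ON o.object_id = i.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE ps.avg_fragmentation_in_percent >= $(ReorgPct)
  AND ps.page_count >= $(MinPages)
  AND i.index_id > 0            -- skip heaps, which have no index to maintain
  AND o.is_ms_shipped = 0;
-- Return the planned statements so the job log shows what was touched.
SELECT @sql AS PlannedStatements;
EXEC sp_executesql @sql;
EXEC sp_updatestats;
'@

    $vars = @("ReorgPct=$ReorganizePercent", "RebuildPct=$RebuildPercent", "MinPages=$MinPages")
    # Long timeout: rebuilding large event tables takes far longer than the 30 s default.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
                  -Query $tsql -Variable $vars -QueryTimeout 7200 -Verbose
}

# Usage (placeholder names): run nightly from the same job as the backup.
Invoke-EpoIndexMaintenance -ServerInstance 'EPOSQL\EPOSERVER' -Database 'ePO4_EPOSERVER' |
    Select-Object -ExpandProperty PlannedStatements
```

Index rebuilds take locks on the table for the duration unless your SQL Server edition supports ONLINE rebuilds, so run this when agent-to-server traffic is lightest, and keep the event purge task from the Custom queries section on a similar schedule so the tables being reindexed stay a manageable size.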
12 Disaster recovery

Many ePolicy Orchestrator users want to know how to set up ePolicy Orchestrator for a disaster recovery scenario. There are a few options available, depending on your tolerance for risk and the budget available for additional hardware. Many users think that if the McAfee ePO server fails, the McAfee Agents on the endpoints and the installed point products stop working properly or malfunction in some way.
Use server clusters for disaster recovery

If you require zero downtime when a hardware failure occurs, you can cluster your ePolicy Orchestrator and SQL servers. But this requires additional hardware and increases the cost of implementation. You might choose to cluster only the SQL Servers, which is a more common option, so that SQL has zero downtime.
Use cold and hot spares on two physical sites

Now, if the primary site fails, you must make all the agents previously communicating with the primary McAfee ePO server start communicating with the secondary McAfee ePO server, located at another physical site with a different IP address and a different DNS name. Remember, the agents find the McAfee ePO server by communicating with its IP address first, and if that fails they use its DNS name.
Reference documentation

Following are several informative and valuable links for your McAfee implementation.
Other Informative Articles

• Deploying SQL Server 2005 with SAN #1
• Deploying SQL Server 2005 with SAN #2
• Deploying SQL Server 2005 with SAN #3
• SQL Storage Top 10 Best Practices
• Microsoft SQL Technical Documentation
• Comparing RAID Implementations for SQL
• Is RAID 5 Really a Bargain?
• Battle Against Any RAID Five-BAARF
• Viewing and Fixing SQL DB Fragmentation