Ip Address Filters And Sorting - McAfee EPOLICY ORCHESTRATOR 3.6 - WALKTHROUGH GUIDE Manual

®
ePolicy Orchestrator 3.6 Walkthrough Guide

IP address filters and sorting

Political
Many large networks are divided because different individuals or groups are
responsible for managing various portions of the network. Sometimes these borders
do not coincide with the topological or geographical borders. Who you want to access
and manage the various segments of the Directory can affect how you structure it.
Functional
Some networks are divided by the roles of the groups and individuals using the
network; for example, Sales and Engineering. Even if the network is not divided by
functional borders, you may need to organize the Directory by functionality if different
groups of users require different policies.
Different business groups may run different kinds of software that require special
anti-virus or security policies. For example, you may want to arrange your e-mail
exchange servers or SQL database servers into a group and set specific exclusions for
VirusScan Enterprise on-access scanning.
When planning, focus on the access individuals require or have to the ePolicy
Orchestrator server or nodes, and the borders you must accommodate.
In many networks, subnets and IP address information reflect organizational
distinctions, such as geographical location or job function. If these organizational units
reflect your needs to organize systems for policy management, consider using them to
create your Directory structure by setting IP address filters for sites and groups. ePolicy
Orchestrator provides tools, such as an IP sorting task that can automatically place
systems in the correct site or group according to IP address. This can be a very
powerful tool for automatically populating your Directory and making sure systems stay
in the intended locations.
If you use IP filters, you must set the IP filtering properties at each level of the Directory
properly. Know that:
To set an IP filter for a group, you must also set IP filters in parent groups or sites.
The IP ranges specified in lower-level groups must be a subset of the IP range of the
parent.
IP filters cannot overlap between different groups. Each IP range or subnet mask in
a given site or group must cover a unique set of IP addresses that cannot be
contained in other filter settings in other sites or groups.
After creating groups and setting your IP filters, run an IP integrity check task to make
sure your IP filter hierarchy is valid. This task alerts you if there are any conflicts or
overlaps between IP filters for different sites or groups.
You can assign IP ranges or IP subnet mask values to sites and groups as you create
them, or add or edit them at any time later.
IP filtering for the first time
When the agent calls into the server for the first time, the system is placed in the
Directory location to which it has been assigned. The server searches for the
appropriate site whose IP mask or range matches the agent's IP address.
ePolicy Orchestrator Directory: concepts and roles
23
Organizing the Directory and Repositories
3