Running reports; Configuring Internet Explorer 8 to automatically accept McAfee ePO downloads; Running a report with a server task
Changing SQL Server information; Index. McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide
Preface This guide provides the information you need to configure, use, and maintain your McAfee product. Contents About this guide Finding product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Get familiar with what ePolicy Orchestrator software is, the components of the software, and how they protect your environment. Then, review the configuration process overview. Chapter 1 Introducing McAfee ePolicy Orchestrator Software version 4.6.0 Chapter 2 Planning your ePolicy Orchestrator configuration
Introducing McAfee ePolicy Orchestrator Software version 4.6.0 McAfee ePolicy Orchestrator software is a key component of the McAfee Security Management Platform which provides unified management of endpoint, network, and data security. It provides you with end-to-end visibility and powerful automation features that reduce incident response times, strengthen protection, and decrease the complexity of managing risk and security.
Database — The central storage component for all data created and used by ePolicy Orchestrator. You can choose whether to house the database on your McAfee ePO server or on a separate system, depending on the specific needs of your organization.
How the software works McAfee ePO software is designed to be extremely flexible. It can be set up in many different ways, to meet your unique needs. The software follows the classic client-server model, in which a client system (system) calls into your server for instructions.
How to navigate the ePolicy Orchestrator interface Your ePolicy Orchestrator server connects to the McAfee update server to pull down the latest security content. The ePolicy Orchestrator database stores all the data about the managed systems on your network, including: •...
The Menu uses categories that comprise the various features and functionality of your ePolicy Orchestrator server. Each category contains a list of primary feature pages associated with a unique icon.
Your organization is distributed over a large geographic area, and uses a network connection with relatively low bandwidth such as a WAN, VPN, or other slower connections typically found between remote sites. For more information about bandwidth requirements, see the McAfee ePolicy Orchestrator Hardware Usage and Bandwidth Sizing Guide.
Orchestrator servers to your environment. The Agent Handler is the component of your server responsible for managing agent requests. Each McAfee ePO server installation includes an Agent Handler by default. Some scenarios in which you might want to use multiple remote Agent Handlers include: •...
Configure essential features — ePolicy Orchestrator software has some essential features that you must configure for your server to function properly. Use the Guided Configuration tool to configure the essential features of your McAfee ePO server. Configure general server settings — Server settings in this group affect functionality that you do not need to modify for your server to operate correctly, but you can customize some aspects of how your server works.
Setting up permission sets Chapter 7 Configuring advanced server settings Chapter 8 Setting up repositories Chapter 9 Setting up registered servers Chapter 10 Setting up Agent Handlers Chapter 11 Other important server information
• The McAfee Agent — Enables management of a system on your network. Once deployed, the agent communicates status and all associated data to and from your server and the managed system. It is the vehicle through which security software is deployed, policies are enforced, and tasks are assigned.
• Select the security software you want to deploy to systems on your network. • Select the systems on your network you want to manage with your McAfee ePO server, and add them to the System Tree. • Configure a Default policy to be assigned and enforced on your managed systems.
2 Select a product from the Product list and click My Default to edit the default policy settings. 3 Click Next to move on to the next step.
Select the location in the System Tree that contains the systems where you want to deploy your software, then click Next. The Software Deployment dialog box opens. Click OK to continue. Specify your settings for the McAfee Agent deployment, then click Deploy. Click Skip Agent Deployment if you want to wait until later to perform this action.
Orchestrator server is not required. However, before your server can send an automatically generated email in response to an event in your network, you must configure the Email Server settings your McAfee ePO server needs to connect to your email server.
Click Menu | Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page. The Edit Event Filtering page appears. Select the events you want the agent to forward to the server, then click Save. Changes to these settings take effect after all agents have communicated with the McAfee ePO server.
Global Updating server setting. Global updates are disabled by default. However, McAfee recommends that you enable and use them as part of your updating strategy. You can specify a randomization interval and package types to be distributed during the update.
Select Display custom login message, then type your message and click Save. McAfee Labs Security Threats The McAfee Labs Security Threats page informs you of the top ten medium-to-high-risk threats for corporate users. You no longer need to manually search for this information from the press (TV, radio, ...
Use these tasks to mark threat notifications as read or unread or to delete them. Data is sorted by the date the threat was discovered. In addition, you can click the threat name to go to the McAfee Labs website to view information about each threat.
Select Image and browse to the image file, such as your company logo. • Select the default McAfee logo. Click OK to return to the Edit Printing and Exporting page. From the drop-down lists, select any metadata that you want displayed in the header and footer.
The browsers supported by McAfee ePO show a warning about a server’s SSL certificate if it cannot verify that the certificate is valid or signed by a source that the browser trusts. By default, the McAfee ePO server uses a self-signed certificate for SSL communication with the web browser, which, by default, the browser will not trust.
Orchestrator for the change to take effect. Installing a trusted security certificate for the McAfee ePO browser Use these tasks to install a trusted security certificate for your McAfee ePO browser, to stop the server certificate warning from appearing every time you log on.
These are the default server settings categories available in ePolicy Orchestrator software. When you check in additional software to your McAfee ePO server, product-specific server settings are added to the Server settings category list. For information on product-specific server settings, see the associated product documentation.
PDF exports. It also specifies the default location where the exported files are stored. Proxy Settings Specifies the type of proxy settings configured for your McAfee ePO server. Repository Packages Specifies whether any package can be checked in to any branch. Only agents later than version 3.6 can retrieve packages other than updates...
Specifies which queries and systems properties are displayed in the System Details page for your managed systems. System Tree Sorting Specifies whether and how System Tree sorting is enabled in your environment.
• Change server settings. • Add and delete user accounts. • Add, delete, and assign permission sets. • Import events into ePolicy Orchestrator databases and limit events that are stored there.
Select whether the new account uses McAfee ePO authentication, Windows authentication, or Certificate Based Authentication and provide the required credentials or browse and select the certificate.
Use this task to delete a user account. You must be a global administrator to delete user accounts. McAfee recommends disabling the Login status of an account instead of deleting it, until you are sure all valuable information associated with the account has been moved to other users.
Due to the interwoven nature of these objects, you might have to create and modify permission sets, groups, and users multiple times to get everything set up the way you want.
You've now got an entire class of users (members of the "Dallas" Active Directory server) with access to a specific query group, and an individual with the ability to create and modify queries and reports within that group.
If you have added any Active Directory servers you want to remove, select them in the Active Directory list box and click Remove. Click Save to create the permission set. At this point, you have created the permission set but have not yet assigned permissions to it.
Orchestrator servers is to export them and import them onto other servers. Permission sets cannot be exported individually. You can only export the entire list of permission sets at one time.
Select the permission set(s) you want to export. Click Permission Sets Actions | Export All The McAfee ePO server sends an XML file to your browser. What happens next depends on your browser settings. By default, most browsers ask you to save the file.
Permission Sets list. Its details appear to the right. Click Actions | Delete, then click OK in the Action pane. The permission set no longer appears in the Permission Sets list.
This process is accomplished by mapping McAfee ePO permission sets to Active Directory groups in your environment. This feature can reduce the management overhead when you have a large number of McAfee ePO users in your organization. To complete the configuration, you must work through the following process: Configure user authentication.
Windows authentication server setting. Registered LDAP servers It is necessary to register LDAP servers with your McAfee ePO server to permit dynamically assigned permission sets for Windows users. Dynamically assigned permission sets are permission sets assigned to users based on their Active Directory group memberships.
An Active Directory server that contains information about this user has been registered with ePolicy Orchestrator. • The user is a member of at least one Domain Local or Domain Global group that maps to an McAfee ePO permission set. Windows authentication and authorization strategies There are a variety of approaches you can take when planning how to register your LDAP servers.
Before more advanced Windows authentication can be used, the server must be prepared. To activate the Windows Authentication page in the server settings, you must first stop the ePolicy Orchestrator service. This task must be performed on the McAfee ePO server itself. Task For option definitions, click ? in the interface.
Without any special configuration, users can authenticate using Windows credentials for the domain that the McAfee ePO server is joined to, or any domain that has a two-way trust relationship with the McAfee ePO server's domain. If you have users in domains that don't meet those criteria, you must configure Windows authentication.
Before users can log on with certificate authentication, ePolicy Orchestrator must be configured properly. Before you begin You must have already received a signed certificate in P7B, PKCS12, DER, or PEM format.
Server certificates can and should be removed if they are no longer used. Before you begin The server must already be configured for certificate authentication before you can remove server certificates.
• Verify the user has not been disabled. • Verify the certificate has not expired or been revoked. • Verify the certificate is signed with the correct certificate authority.
They specify the time-frame that determines the state of detected systems (Managed, Rogue, Exception, Inactive). • They control the visual feedback of the Rogue System Detection status monitors on the Detected Systems page. For option definitions, click ? in the interface.
Edit the number of days to categorize Detected Systems as Managed or Inactive. The number of days in Rogue | Has Agent in McAfee ePO Database, but is older than__days is controlled by the number of days set in the Managed field.
• Server location — Specifies a location on this McAfee ePO server where the OUI.txt file is located. • File upload — Type or browse to an OUI.txt file to upload to this McAfee ePO server for processing, then click Update.
The agent uses the server's public key to verify the agent's message. • You can have multiple secure communication key pairs, but only one can be designated as the master key.
• If you are upgrading from ePolicy Orchestrator 4.0, the master key is unchanged. Whether or not you upgrade from version 4.0 or 4.5, the existing keys are migrated to your McAfee ePO 4.6 server. Local master repository key pairs •...
Using one master repository key pair for all servers Use this task to ensure that all McAfee ePO servers and agents use the same master repository key pair in a multi-server environment. This consists of first exporting the key pair you want all servers to use, then importing the key pair into all other servers in your environment.
Configuring advanced server settings Managing security keys The following process exports the key pair from one McAfee ePO server to a target McAfee ePO server, then, at the target McAfee ePO server, imports and overwrites the existing key pair. For option definitions, click ? in the interface.
Deleting agent-server secure communication (ASSC) keys on page 68 Use this task to delete unused keys in the Agent-server secure communication keys list. Make sure that the selected key is not being used by any agent that is managed by this McAfee ePO server.
Importing ASSC keys Use this task to import agent-server secure communication keys that were exported from a different McAfee ePO server. This procedure allows agents from that server to access this McAfee ePO server. For option definitions, click ? in the interface.
Back up all keys. Using the same ASSC key pair for all servers and agents Follow this process to ensure that all McAfee ePO servers and agents use the same agent-server secure communication (ASSC) key pair. If you have a large number of managed systems in your environment, McAfee recommends performing this process in phases so you can monitor agent updates.
Using a different ASSC key pair for each McAfee ePO server Use this task to ensure that all agents can communicate with the required McAfee ePO servers in an environment where each McAfee ePO server must have a unique agent-server secure communication key pair.
Restoring security keys McAfee recommends periodically backing up all security keys. In the unexpected event any security keys are lost from the McAfee ePO server, you can restore them from the backup that you have stored in a secure network location.
You can edit settings, delete existing source and fallback sites, or switch between them. McAfee recommends using the default source and fallback sites. If you require different sites for this purpose, you can create new ones.
• URL or path on the previous panel of the wizard. • The HTTP, FTP or UNC site on the system. Click Next. Review the Summary page, then click Save to add the site to the list.
Select Source Sites, then click Edit. The Edit Source Sites page appears. Click Delete next to the required source site. The Delete Source Site dialog box appears. Click OK. The site is removed from the Source Sites page.
Using SuperAgents as distributed repositories Creating and configuring FTP, HTTP, and UNC repositories Using local distributed repositories that are not managed Working with the repository list files Changing credentials on multiple distributed repositories
Doing so causes the files on the master repository to become locked by users of the distributed repository, which can cause pulls and package check-ins to fail and leave the master repository in an unusable state.
Use pull tasks to copy source site contents to the master repository. McAfee update sites provide updates to detection definition (DAT) and scanning engine files, as well as some language packs. You must check in all other packages and updates, including service packs and patches, to the master repository manually.
You can create a UNC shared folder to host a distributed repository on an existing server. Be sure to enable sharing across the network for the folder, so that the McAfee ePO server can copy files to it and agents can access it for updates.
Backup and restore your distributed repositories and source sites if you need to reinstall the server. • Import the distributed repositories and source sites from a previous installation of the ePolicy Orchestrator software.
McAfeeFtp sites as source and fallback sites. This section describes the steps for configuring the McAfee ePO master repository, the McAfee Agent, and McAfee Labs Security threats to connect to the download site directly or via a proxy. The default selection is Do not use proxy.
For option definitions, click ? in the interface. Task Click Menu | Policy | Policy Catalog, then from the Product list click McAfee Agent, and from the Category list, select Repository. A list of agents configured for the McAfee ePO server appears.
Click Save. Configuring proxy settings for McAfee Labs Security Threats Use this task to configure proxy settings for the McAfee Labs Security Threats. For option definitions, click ? in the interface. Task Click Menu | Configuration | Server Settings.
For option definitions, click ? in the interface. Task Click Menu | Policy | Policy Catalog, then from the Product list click McAfee Agent, and from the Category list, select General. A list of agents configured for the McAfee ePO server appears.
For option definitions, click ? in the interface. Task Open the desired McAfee Agent policy pages (in edit mode) from the desired assignment point in the System Tree or from the Policy Catalog page. On the General tab, deselect Use systems running SuperAgents as distributed repositories, then click Save.
On the Description page, type a unique name and select HTTP, UNC, or FTP, then click Next. The name of the repository does not need to be the name of the system hosting the repository.
If credentials are incorrect, check the following: • User name and password • URL or path on the previous panel of the wizard • HTTP, FTP, or UNC site on the system
To disable the impending replication of a package, disable the replication task before checking in the package. Use this task to disable replication before checking in the new package.
Change configuration, authentication, and package selection options as needed. Click Save. Deleting distributed repositories Use this task to delete HTTP, FTP, or UNC distributed repositories. Doing this removes them from the repository list, and removes the distributed repository contents.
Configure an agent policy for managed systems to use the new unmanaged distributed repository: Click Menu | Policy | Policy Catalog, then select the Product as McAfee Agent and Category as Repository. Click on an existing agent policy or create a new agent policy.
• SiteList.xml — For use by the agent and supported products. • SiteMgr.xml — For use when reinstalling the McAfee ePO server, or for importing into other McAfee ePO servers that use the same distributed repositories or source sites. Tasks •...
McAfee ePO server, or when you want to share distributed repositories or source sites with another McAfee ePO server. You can export this file from either the Distributed Repositories or Source Sites pages. However, when you import this file to either page, it imports only the items from the file that are listed on that page.
The Repository Selection page appears. Select the desired distributed repositories, then click Next. The Credentials page appears. Edit the credentials as needed, then click Next. The Summary page appears. Review the information, then click Save.
Before you can retrieve data from a database server, you must register it with ePolicy Orchestrator. Registering McAfee ePO servers You can register additional McAfee ePO servers for use with your main McAfee ePO server to collect or aggregate data.
• Try to use SSL • Always use SSL • Never use SSL Verifies the connection for the detailed server. Test connection
When enabled, select Automatic sitelist import or Manual sitelist import. When choosing Manual sitelist import, it is possible to cause older versions of McAfee Agent (version 4.0 and earlier) to be unable to contact their Agent Handler. This may happen when •...
• If you select SNMPv1 or SNMPv2c as the SNMP server version, type the community string of the server under Security. • If you select SNMPv3, provide the SNMPv3 Security details. Click Send Test Trap to test your configuration. Click Save.
Enter the connection specifics and login credentials for the database server. To verify that all connection information and login credentials are entered correctly, click Test Connection. A status message indicates success or failure. Click Save.
Handler instead of to the main McAfee ePO server. The handler provides updated sitelists, policies, and policy assignment rules, just as the McAfee ePO server does. The handler also caches the contents of the master repository, so that agents can pull product update packages, DATs, and other necessary information.
In addition to assigning handler priority within a group of handlers, you can also set handler assignment priority across several groups of handlers. This adds an additional layer of redundancy to your environment to further ensure that your agents can always receive the information they need.
Task For option definitions, click ? in the interface. Click Menu | Configuration | Agent Handlers, then click Actions | New Assignment. Specify a unique name for this assignment.
Use this task to set up Agent Handler groups. Handler groups can make it easier to manage multiple handlers throughout your network, and can play a role in your fallback strategy.
Agent Handler assignment priority, or individually using the System Tree. Handler assignments can specify an individual handler or a list of handlers to use. The list that you specify can be made up of individual handlers or groups of handlers.
Agent Handlers from the list (an Agent Handler can be included in more than one group). Use the drag-and-drop handle to change the priority of handlers. Priority determines which handler the agents try to communicate with first. Click Save.
In the System Tree column, navigate to the system or group you want to move. Use the drag-and-drop handle to move systems from the currently configured system group to the target system group. Click OK.
When IPv6 is enabled, it works in the mode in which it is configured. When the McAfee ePO server communicates with an Agent Handler or Rogue System Sensor on IPv6, address-related properties such as IP address, subnet address, and subnet mask are reported in IPv6 format.
Items exported from ePolicy Orchestrator are stored in XML files that describe the exported items in detail. Objects exported from an McAfee ePO server are displayed in your browser as XML. Your browser settings determine how the XML is displayed and saved.
• A browser dialog box opens where you can choose whether to Open or Save the file. • An Export page containing a link to the file opens. Left-click the link to view the file in your browser. Right-click the link to Save the file.
The Audit Log Use the Audit Log to maintain and access a record of all McAfee ePO user actions. The Audit Log entries are displayed in a sortable table. For added flexibility, you can also filter the log so that it displays only failed actions, or only entries that are within a certain age.
After Purge records older than, type a number and select the time unit to use before purging the Audit Log entries. Click Next. The Schedule page appears. Schedule the task as needed, then click Next. The Summary page appears. Review the task's details, then click Save.
• Purge — The Purge dialog box appears. Type a number and a time unit to determine the number of task log entries to delete, then click OK. • Terminate Task — Stop a task that is in progress.
The question mark must be used in one of these fields, but cannot be used in both. • Forward slashes (/) identify increments. For example, "5/15" in the minutes field means the task runs at minutes 5, 20, 35 and 50.
• Detecting Product Version — Version number of • Threat Source IPv4 Address — IPv4 address of the detecting product. the system from which the threat originated.
Event Received Time (UTC) — Time in Coordinated • Threat Type — Class of the threat. Universal Time that the event was received by the McAfee ePO server. • File Path — File path of the system which sent •...
Click Next. The Schedule page appears. Schedule the task as needed, then click Next. The Summary page appears. Review the task's details, then click Save.
Orchestrator server Your ePolicy Orchestrator server makes deploying products to your systems and keeping them updated with the latest content from McAfee is an essential part of protecting your organization from threats. Chapter 12 Organizing the System Tree...
Working with tags Creating and populating groups Moving systems manually within the System Tree Transferring systems between McAfee ePO servers The System Tree structure The System Tree is a hierarchical structure that allows you to organize systems in your network into groups and subgroups.
As part of the planning process, consider the best way to organize systems into groups prior to building the System Tree.
System Tree only once. Because every network is different and requires different policies — and possibly different management — McAfee recommends planning your System Tree before implementing the McAfee ePO software. Regardless of the methods you choose to create and populate the System Tree, consider your environment while planning the System Tree.
These borders influence the organization of the System Tree differently than the organization of your network topology. McAfee recommends evaluating these borders in your network and organization, and whether they must be considered when defining the organization of your System Tree.
Use scheduled queries with chained tag actions to maintain tags on specific systems within the parts of the System Tree where they have access. • Configure sorting criteria based on tags to ensure that systems stay in the appropriate groups of the System Tree.
System Tree according to the synchronization settings. Use an NT Domain/Active Directory Synchronization server task to regularly synchronize the systems (and possibly the Active Directory structure) with the System Tree according to the synchronization settings.
If you move systems to other groups or subgroups of the System Tree, be sure to select to not add the systems when they already exist elsewhere in the System Tree. This prevents duplicate entries for systems in the System Tree.
However, if you define sorting criteria after the initial agent-server communication, you must run the Sort Now action on those systems to move them immediately to the appropriate group, or wait until the next agent-server communication.
Disable System Tree sorting — If criteria-based sorting does not meet your security management needs and you want to use other System Tree features (like Active Directory synchronization) to organize your systems, select this setting to prevent other McAfee ePO users from mistakenly configuring sorting criteria on groups and moving systems to undesirable locations.
Parent groups of a criteria-based subgroup must have either no criteria or matching criteria.
10 If the server cannot sort the system into any group, it is placed in the Lost&Found group within a subgroup that is named after its domain.
If the tag has criteria, this page displays the number of systems that will receive this tag when evaluated against its criteria. The tag is added to the list of tags on the Tag Catalog page.
Verify the desired systems are in the list. Applying criteria-based tags automatically to all matching systems Use these tasks to apply criteria-based tags automatically to all systems that match its criteria.
Click Menu | Automation | Server Tasks, then click Actions | New Task. The Server Task Builder page appears. On the Description page, name and describe the task and select whether the task is enabled once it is created, then click Next. The Actions page appears.
System Tree in a text file and import it into your System Tree. If you have a smaller network, you can create your System Tree by hand and add each system manually.
• From the System Tree page (Menu | Systems | System Tree) click System Tree Actions | New Subgroup. The New Subgroup dialog box appears. You can create more than one subgroup at a time.
Next to Target systems, type the NetBIOS name for each system in the text box, separated by commas, spaces, or line breaks. Alternatively, click Browse to select the systems.
It can be useful to have a list of the systems in your System Tree. You can import this list into your McAfee ePO Server to quickly restore your previous structure and organization. This task does not remove systems from your System Tree. It creates a .txt file that contains the names and structure of systems in your...
Click Menu | Systems | System Tree, then click System Tree Actions and select New Systems. The New Systems page appears. Select Import systems from a text file into the selected group, but do not push agents.
Select Systems that match any of the criteria below, then the criteria selections appear. Although you can configure multiple sorting criteria for the group, a system only has to match a single criterion to be placed in this group.
Otherwise, they can only be sorted with the Sort Now action. Sorting systems manually Use this task to sort selected systems into groups with criteria-based sorting enabled.
Active Directory container. You cannot synchronize the Lost&Found group of the System Tree. Figure 12-3 Synchronization Settings page Next to Synchronization type, click Edit. The Synchronization Settings page for the selected group appears.
Select whether to deploy agents automatically to new systems. If you do, be sure to configure the deployment settings. McAfee recommends that you do not deploy the agent during the initial import if the container is large. Deploying the 3.62 MB agent package to many systems at once may cause network traffic issues.
Set up IP address or tag sorting criteria on subgroups to automatically sort the imported systems. • Schedule a recurring NT Domain/Active Directory Synchronization server task for easy maintenance. For option definitions, click ? in the interface.
Select whether to deploy agents automatically to new systems. If you do so, be sure to configure the deployment settings. McAfee recommends that you do not deploy the agent during the initial import if the domain is large. Deploying the 3.62 MB agent package to many systems at once may cause network traffic issues.
Prevents or allows duplicate entries of systems that still exist in the System Tree that you've moved to other locations. The agent cannot be deployed to all operating systems in this manner. You might need to distribute the agent manually to some systems.
In addition to the steps below, you can also drag-and-drop systems from the Systems table to any group in the System Tree.
Select the group in which to place the systems, then click OK. Transferring systems between McAfee ePO servers Use this task to transfer systems between McAfee ePO servers. For option definitions, click ? in the interface. Task Click Menu | Systems | System Tree, then select the systems you want to transfer.
Working with the agent from the McAfee ePO server The McAfee ePO interface includes pages where agent tasks and policies can be configured, and where agent properties can be viewed. Contents Agent-server communication Viewing agent and product properties Responding to policy events...
The agent-server communication interval determines how often the agent calls in to the server. The agent-server communication interval (ASCI) is set on the General tab of the McAfee Agent policy page. The default setting of 60 minutes means that the agent contacts the server once every hour.
No package to receive (status code from McAfee ePO) • Agent needs to regenerate GUID (status code from McAfee ePO) Other results such as connection refused, failed to connect, connection timeout, or other errors cause the agent to retry immediately using the next connection method in the list.
The SuperAgent caches the contents of its repository in a specific manner designed to minimize wide-area network (WAN) usage. If an agent has been converted to a SuperAgent, it can cache content from its McAfee ePO server to distribute locally to other agents, reducing WAN bandwidth. To activate this, turn on LazyCaching in the McAfee Agent | General policy options page which you access from Menu | Policy | Policy Catalog.
When a SuperAgent receives a request for content that might be outdated, the SuperAgent attempts to contact the McAfee ePO server and other sites listed in Sitelist.xml to see if new content is available. If the connection attempts time out, the SuperAgent distributes content from its own repository instead.
Running client tasks immediately When ePolicy Orchestrator 4.6 is communicating with McAfee Agent 4.6, you can run client tasks immediately using the run tasks now feature. ePolicy Orchestrator puts tasks into a queue when they are scheduled to run instead of immediately executing them.
Sending manual wake-up calls to systems Manually sending an agent or SuperAgent wake-up call to systems in the System Tree is useful when you make policy changes and you want agents to call in for an update before the next agent-server communication.
10 Click OK to send the agent or SuperAgent wake-up call. Locate inactive agents An inactive agent is one that has not communicated with the McAfee ePO server within a user-specified time period. Some agents might become disabled or be uninstalled by users. In other cases, the system hosting the agent might have been removed from the network.
This list shows the kinds of product data that are reported to ePolicy Orchestrator by the McAfee software installed on your system. If you find errors in the reported values, review the details of your products before concluding that they are incorrectly reported.
Checking in, updating, and removing software using the Software Manager What's in the Software Manager The Software Manager eliminates the need to access the McAfee Product Download website to obtain new McAfee software and software updates. You can use the Software Manager to download: •...
Notes can also be downloaded from the Software Manager. About software component dependencies Many of the software products you can install for use with your McAfee ePO server have predefined dependencies on other components. Dependencies for product extensions are installed automatically.
• Software Not Checked in — Displays any software that is available, but not installed on this server. • Software (by Label) — Displays software by function as described by McAfee product suites. When you've located the correct software, click: •...
Creating Policy Management queries Working with the Policy Catalog Working with policies Viewing policy information Sharing policies among McAfee ePO servers Frequently asked questions Policy management A policy is a collection of settings that you create, configure, then enforce. Policies ensure that the managed security software products are configured and perform accordingly.
Once the policy settings are in effect on the managed system, the agent continues to enforce policy settings locally at a regular interval. This enforcement interval is determined by the Policy enforcement interval setting on the General tab of the McAfee Agent policy pages. This interval is set to occur every five minutes by default.
Policy sharing is another way to transfer policies between servers. Sharing policies allows you to manage policies on one server, and use them on many additional servers all through the McAfee ePO console. For more information, see Sharing policies among McAfee ePO servers.
Therefore, if you wish to use a policy owned by a different user, McAfee recommends that you first duplicate the policy, then assign the duplicate to the desired locations. This provides you ownership of the assigned policy.
About user-based policy assignments User-based policy assignment rules give you the ability to create user-specific policy assignments. These assignments are enforced at the target system when a user logs on.
System-based policies which specify tags as criteria work in a similar fashion to user-based policies. They are assigned based on selection criteria you define using the Policy Assignment Builder. Any system you can tag, you can apply a specific policy to, based on that tag.
Click Next. The Selection Criteria page opens. Specify the criteria you want to use in this rule. Your criteria selection determines which systems or users are assigned this policy. Review the summary and click Save.
Select the type of chart or table to display the primary results of the query, then click Next. The Columns page appears. If you select Boolean Pie Chart, you must configure the criteria you want to include in the query.
Before deleting a policy, review the groups and systems where it is assigned. If you don’t want the group or system to inherit the policy from the parent group, assign a different policy.
Type the name of the new policy in the field, then click OK. The new policy appears on the Policy Catalog page. Click on the new policy in the list. Edit the settings as needed, then click Save.
If you don’t want the group or system to inherit the policy from the parent group, assign a different policy. If you delete a policy that is applied to the My Organization group, the McAfee Default policy of this category is assigned.
Use this task to customize how agents select distributed repositories. Task For option definitions, click ? in the interface. Click Menu | Policy | Policy Catalog, then select the Product as McAfee Agent and Category as Repository. Click on the required existing agent policy. Select the Repositories tab.
Exporting a single policy Use this task to export a policy to an XML file. Use this file to import the policy to another McAfee ePO server, or to keep as a backup of the policy.
Right-click the link to download and save the file. Name the policy XML file and save it. If you plan to import this file into a different McAfee ePO server, ensure that this location is accessible to the target ePolicy Orchestrator server.
Assigning a policy to multiple managed systems within a group Use this task to assign a policy to multiple managed systems within a group. You can assign policies before or after a product is deployed.
Select the desired Product, then click Enforcing next to Enforcement status. The Enforcement page appears. If you want to change the enforcement status you must first select Break inheritance and assign the policy and settings below.
OK. Pasting policy assignments to a group Use this task to paste policy assignments to a group. You must have already copied policy assignments from a group or system.
(Enforce Policies and Tasks). This policy controls the enforcement status of other policies. Confirm the replacement of assignments. Viewing policy information Use these tasks to view detailed information about the policies, their assignments, inheritance, and their owners.
On the Assignments page, each group or system where the policy is assigned appears with its Node Name and Node Type. Viewing the settings of a policy Use this task to view the specific settings of a policy.
Click Menu | Systems | System Tree | Assigned Policies, then select a group in the System Tree. All assigned policies, organized by product, appear in the details pane. Click any policy to view its settings.
Using policies to manage products and systems Sharing policies among McAfee ePO servers Viewing policies assigned to a specific system Use this task to view the policies assigned to a specific system. Task For option definitions, click ? in the interface.
Use this task to designate a policy to be shared among multiple McAfee ePO servers. • Scheduling server tasks to share policies on page 185 Use this task to schedule a server task so that policies are shared among multiple McAfee ePO servers. Registering servers for policy sharing Use this task to register the servers that will share a policy.
Scheduling server tasks to share policies Use this task to schedule a server task so that policies are shared among multiple McAfee ePO servers. Task For option definitions, click ? in the interface.
(for that particular policy category) from its parent, which might be a different policy than the one that was inherited onto the source.
The ePolicy Orchestrator software deployment infrastructure supports deploying products and components, as well as updating both. Each McAfee product that ePolicy Orchestrator can deploy provides a product deployment package zip file. The zip file contains product installation files, which are compressed in a secure format. ePolicy Orchestrator can deploy these packages to any of your managed systems, once they are checked in to the master repository.
A key is used to encrypt or decrypt sensitive data. You are notified when you check in packages that are not signed by McAfee. If you are confident of the content and validity of the package, continue with the check-in process. These packages are secured in the same manner described above, but are signed by ePolicy Orchestrator when they are checked in.
Product and update deployment The McAfee ePO repository infrastructure allows you to deploy product and update packages to your managed systems from a central location. Although the same repositories are used, there are differences.
McAfee ePO software includes preconfigured server tasks and actions by default. Most of the additional software products you manage with your ePolicy Orchestrator server also add preconfigured server tasks.
SuperAgent wake-up call to alert agents that new updates are available. • Distributed repositories are set up and configured throughout your environment. McAfee recommends SuperAgent repositories, but they are not required. Global updating functions with all types of distributed repositories.
Use pull tasks to update your master repository with DAT and engine update packages from the source site. DAT and engine files must be updated often. McAfee releases new DAT files daily, and engine files less frequently. Deploy these packages to managed systems as soon as possible to protect them against the latest threats.
New distributed repositories are added to the repository list file containing all available distributed repositories. The agent of a managed system updates this file each time it communicates with the McAfee ePO server. The agent performs repository selection each time the agent (McAfee Framework Service) service starts, and when the repository list changes.
Replicate Now task for immediate replication. Using pull tasks to update the master repository Use either of these tasks to update the contents of the master repository from the McAfee update site or from a user-configured source site.
Use this task to initiate a pull task that updates the master repository from the source site immediately. With this release, you can select which packages in the source site are copied to the master repository.
For option definitions, click ? in the interface. Task Click Menu | Software | Distributed Repositories, then click Actions | Schedule Replication. The Server Task Builder wizard opens. On the Description page, name and describe the task.
On the Repositories page, select which distributed repositories participate in the replication, then click Next. If you are not sure which distributed repositories need to be updated, replicate to them all.
Question marks (?) are allowed to specify no specific value in the Day of Week or Day of Month fields. The question mark must be used in one of these fields, but cannot be used in both.
Orchestrator allows you to create and schedule client tasks to help automate management of systems in your managed network. Which extension files are installed on your McAfee ePO server determines which client tasks are available. Client tasks are commonly used for: •...
As you deploy to each group, monitor the deployment, run reports to confirm successful installations, and troubleshoot any problems with individual systems. If you are deploying McAfee products or components that are installed on a subset of your managed systems: Use a tag to identify these systems.
Task For option definitions, click ? in the interface. Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears. Ensure that Product Deployment is selected, then click OK.
For option definitions, click ? in the interface. Task Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then click Actions | New Task. The New Task dialog box appears. Ensure that Product Deployment is selected, then click OK.
Task For option definitions, click ? in the interface. Click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Update as Client Task Types, then click Actions | New Task. The New Task dialog box appears. Ensure that Product Update is selected, then click OK.
Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard appears. On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the task you created for deploying product update.
Click Delete next to the desired client task. Click OK. Confirming that clients are using the latest DAT files Use this task to check the version of DAT files on managed systems.
For additional information, see Deploying update packages with pull and replication tasks. Create or select a group in the System Tree to serve as an evaluation group, and create a McAfee Agent policy for the systems to use only the Evaluation branch (in the Repository Branch Update Selection section of the Updates tab).
Click Menu | Software | Master Repository, then click Actions | Check In Package. The Check In Package wizard opens. Select the package type, then browse to and select the desired package file.
Available only when you select Current in Branch. • Package signing — Specifies if the package is signed by McAfee or is a third-party package. Click Save to begin checking in the package, then wait while the package is checked in.
Click Save to begin checking in the package. Wait while the package is checked in. The new package appears in the Packages in Master Repository list on the Master Repository page.
Prepare the components and permissions used with Automatic Responses, including: • Automatic Responses permissions — Create or edit permission sets and ensure that they are assigned to the appropriate McAfee ePO users. • Email server — Configure the email (SMTP) server at Server Settings.
If the conditions of any such rule are met, designated actions are taken, per the rule’s configurations.
Specify the email server (click Menu | Configuration | Server Settings) from which the notification messages are sent. • Ensure the recipient email address is the one you want to receive email messages. This address is configured on the Actions page of the wizard.
Use these tasks to determine when events are forwarded and which events are forwarded immediately. The server receives event notifications from McAfee Agents. You can configure agent policies to forward events either immediately to the server or only at agent-to-server communication intervals.
If the currently applied policy is not set for immediate uploading of events, either edit the currently applied policy or create a new McAfee Agent policy. This setting is configured on the Threat Event Log page. For option definitions click ? in the interface.
Assigning permissions to Notifications Use this task to ensure that all desired administrators and users have the appropriate permissions to Notifications. The permissions to Notifications enable McAfee ePO users to add registered executables. For option definitions click ? in the interface.
Assigning permissions to Automatic Responses Use this task to ensure that all desired administrators and users have the appropriate permissions to Responses. The permissions to Responses enable McAfee ePO users to create response rules for different event types and groups.
Use this task when setting up rules to send notification messages to an SNMP server via an SNMP trap. Editing SNMP servers Use this task to edit existing SNMP server entries. For option definitions click ? in the interface.
"unlimited strength" version from Sun's Java SE Downloads site. Find the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 download. To apply the unlimited strength policies to the McAfee ePO server, replace the policy jar files in directory EPO_DIR/jre/lib/security with those downloaded in the jce_pocliy-6.zip, and restart the McAfee ePO server.
The EPO-MIB.mib file depends on the other two files to define the following traps: • epoThreatEvent — This trap is sent when an Automatic Response for a McAfee ePO Threat Event is triggered. It contains variables that match properties of the Threat event.
Click Menu | Configuration | Registered Executables, then click Duplicate next to the desired registered executable. The Duplicate Registered Executable dialog box appears. Type a name for the registered executable, then click OK. The duplicated registered executable appears in the Registered Executables list.
Specify the language used by the response. • Specify the event type and group that triggers this response. • Enable or disable the rule. For option definitions click ? in the interface.
Use this task to define when the event triggers the rule on the Aggregation page of the Response Builder wizard. A rule’s thresholds are a combination of aggregation, throttling, and grouping.
You can configure the rule to trigger multiple actions by using the + and - buttons, located next to the drop-down list for the type of notification. For option definitions click ? in the interface.
Select the State, Priority, Severity, and Resolution for the issue from the respective drop-down list. Type the name of the assignee in the text box. Click Next if finished, or click + to add another notification.
• Email (including standard SMTP, SMS, and text pager) • SNMP servers (via SNMP traps) • Any external tool installed on the ePolicy Orchestrator server • Issues • Scheduled server tasks
Chapter 19 Monitoring with Dashboards Chapter 20 Querying the database and reporting on system status Chapter 21 Detecting Rogue Systems Chapter 22 Managing Issues and Tickets
Keeping constant watch on your environment is a difficult task. Dashboards help you do this. Dashboards are collections of monitors. A monitor can be anything from a chart-based query, to a small web application like McAfee Labs Security Threats. A monitor's behavior and appearance are configured individually.
Click Add Monitor. The Monitor Gallery appears at the top of the screen. Select a monitor category from the View drop-down list. The available monitors in that category appear in the gallery.
OK. The duplicated dashboard will now open. The duplicate is an exact copy of the original dashboard including all permissions. Only the name is changed.
The imported dashboard is displayed. Regardless of their permissions at the time they were exported, imported dashboards are given private permissions. You must explicitly set their permissions after import. Exporting dashboards Exporting dashboards saves them for later import on the same or a different system.
Task For option definitions, click ? in the interface. Click Menu | Reporting | Dashboards, then select a dashboard from the Dashboard drop-down list. Click Dashboard Actions | Edit.
When you have completed modifying the monitor's settings, click OK. If you decide to not make changes, click Cancel. If you decide to keep the resulting changes to the dashboard, click Save, otherwise click Discard.
McAfee ePO users can view them. Audit dashboard The Audit dashboard provides an overview of access-related activities occurring on your McAfee ePO server. The monitors included in this dashboard are: •...
• McAfee Labs Threat Advisory — Displays the protection available, any new threats reported, latest DAT and engine available and, if they are in My Repository, a link to the McAfee Labs Security Threats page and the time last checked.
• Active Sensor Responses — Displays a Boolean pie chart of active Rogue System Sensors that have or haven't communicated with the McAfee ePO server in the last 24 hours. • Subnet Coverage — Subnets that are or aren't covered by Rogue System Sensors.
Server Task log • Threat Event log To get you started, McAfee includes a set of default queries that provide the same information as the default reports of previous versions. Are you setting up queries and reports for the first time? When setting up queries and reports for the first time: Understand the functionality of queries, reports, and the Query Builder.
Most queries can also be used as dashboard monitors, enabling near real-time system monitoring. Queries can also be combined into reports, giving a broader and more systematic look at your ePolicy Orchestrator software system.
CSV — Use the data in a spreadsheet application (for example, Microsoft Excel). • XML — Transform the data for other purposes. • HTML — View the exported results as a web page. • PDF — Print the results.
Query results can be exported to a variety of formats including HTML, PDF, CSV, and XML. Creating custom queries You create new queries with the Query Builder. Queries can access system properties, product properties, many of the log files, repositories, and more.
Private group (My Groups) • Public group (Shared Groups) • Existing Group — Select the group from the list of Shared Groups. Click Save. Running an existing query You can run saved queries on-demand.
The list of groups you see within the ePolicy Orchestrator software is the combination of groups you have created and groups you have permission to see. You can also create private query groups while saving a custom query.
Type a name for the duplicate and select a group to receive a copy of the query, then click OK. Deleting queries Queries can be deleted when they are no longer needed.
Click Actions | Export Definitions. The McAfee ePO server sends an XML file to your browser. What happens next depends on your browser settings. By default, most browsers ask you to save the file. The exported XML file contains a complete description of all settings required to replicate the exported query.
Click Export. The files are created and either emailed as attachments to the recipients, or you are taken to a page where you can access the files from links.
Click Menu | Automation | Server Tasks, then click Actions | New Task. On the Description page, type a name and description for the task, and select whether to enable it, then click Next. Click Actions and select Roll Up Data.
Review the settings, then click Save.
Creating a query to define compliance
Compliance queries are required on McAfee ePO servers whose data is used in rollup queries.
Task
For option definitions, click ? in the interface. Click Menu | Reporting | Queries & Reports, then click Actions | New.
Click browse (...) next to the Query field and select a query. The Select a query from the list dialog box appears with the My Groups tab active. Select the compliance-defining query. This could be a default query, such as McAfee Agent Compliance Summary in the Shared Groups section, or a user-created query, such as one described in Creating a query to define compliance.
These tasks create, edit, and manage reports. Reports can provide a large amount of useful data, but there are many tasks to complete to create a collection of reports that is useful to you.
Reports must be run before examining their results. • Configuring Internet Explorer 8 to automatically accept McAfee ePO downloads on page As a security measure, Microsoft Internet Explorer might block ePolicy Orchestrator downloads from occurring automatically. This behavior can be changed with an Internet Explorer configuration change.
Configuring image report elements
You can upload new images and modify the images used within a report.
Before you begin
You must have a report open in the Report Layout page.
Configuring query table report elements
Some queries are better displayed as a table when inside a report.
Before you begin
You must have a report open in the Report Layout page.
Headers and footers provide information about the report. There are six fixed locations within the header and footer that can contain different data fields. Three are in the header, three in the footer.
Click the arrow in the top left corner of the element you want to delete, then click Remove. The element is removed from the report. To save changes to the report, click Save.
For option definitions, click ? in the interface. Click Menu | Reporting | Queries & Reports, then select the Report tab. Select a report and click Actions | Edit. Click Name, Description and Group.
Last Run Result column in the report list is updated with a link to the PDF containing those results.
Configuring Internet Explorer 8 to automatically accept McAfee ePO downloads
As a security measure, Microsoft Internet Explorer might block ePolicy Orchestrator downloads from occurring automatically.
Select the report(s) you want to export, then click Actions | Export. The McAfee ePO server sends an XML file to your browser. What happens depends on your browser settings. By default, most browsers will ask you to save the file.
You might need to register several different server types to accomplish tasks within ePolicy Orchestrator. These can include authentication servers, Active Directory catalogs, ePolicy Orchestrator servers, and database servers that work with specific extensions you have installed.
Modify the information as appropriate. If you need to verify the database connection, click Test Connection. Click Save to save your changes.
Removing a registered database
You can remove databases from the system when they are no longer needed.
When the confirmation dialog appears, click Yes to delete the database. The database has been deleted. Any queries, reports, or other items within ePolicy Orchestrator that used the deleted database will be marked invalid until updated to use a different database.
Even in a managed network environment, some systems might not have an active McAfee Agent on them. These can be systems that frequently log on and off the network, including test servers, laptops, or wireless devices.
• Exceptions
• Inactive
• Managed
• Rogue
The percentage of compliant systems is the ratio of systems in the Managed and Exceptions categories to those in the Rogue and Inactive categories.
Rogue systems are systems that are not managed by your McAfee ePO server. There are three rogue states: • Alien agent — These systems have a McAfee Agent that is not in the local McAfee ePO database, or any database associated with additional McAfee ePO servers you have registered with the local server.
Passive Passive sensors check in with the McAfee ePO server, but do not report information about detected systems. They wait for instructions from the McAfee ePO server to replace other sensors that become passive.
As a result, if you deploy sensors to DHCP servers without enabling DHCP monitoring during your initial configuration, those sensors report limited information to the McAfee ePO server. If you deploy sensors before you configure your policies, you can update them to change sensor functionality.
Detecting Rogue Systems
What are rogue systems
The Reporting time for active sensors determines how often active sensors report to the McAfee ePO server. Setting this value too low can have the same effect as setting the value for the sensor’s detected system cache lifetime.
Whether the Rogue System Sensor is enabled. The server IP address default value is the address of the McAfee ePO server that you are using to install sensors. Rogue System Detection reports system detections to the specified server. When this server detects a system that has an agent deployed by a McAfee ePO server with a different IP address, that system is detected as a rogue because the agent is considered an alien agent.
Sensors detect systems, routers, printers, and other devices connected to your network. They gather information about the devices they detect, and forward the information to the McAfee ePO server. The sensor is a Win32 native executable application that runs on any NT-based Windows operating system, including: •...
If the system has been previously detected, Rogue System Detection automatically matches it to the existing record in the McAfee ePO database. When a detected system is not matched automatically, you can manually merge the system with an existing detected system.
Use this task to query Agents installed on detected systems. Not all detected systems have a McAfee Agent installed. The results of this task indicate whether an Agent is installed and provide links to details about the system and the agent, if available.
• New Category — Displayed with the new category name you type.
• Select Category — Displayed with the category selected from the list.
To configure categories, see Editing Detected System Exception Categories.
Overall System Status monitor, then click any system. Detected Systems page. Click Menu | Systems | Detected Systems, then click any detected system category in the Overall System Status monitor. For option definitions, click ? in the interface.
Select the systems you want to merge. Click Actions, then select Detected Systems | Merge Systems. The Merge Systems page appears. Click Merge. When the merge warning message appears, click OK.
For option definitions, click ? in the interface. Select the systems whose Agents you want to query. Click Actions | Detected Systems | Query Agent or Actions | Query Agent. The Query McAfee Agent Results page opens.
Removing systems from the Detected Systems list
Use this task to remove systems from the Detected Systems list.
The Detected Systems Details page displays some information that is unique to Rogue System Detection.
Working with sensors
Use these tasks when working with sensors, for example, to change install or remove a sensor.
• In the Systems Details page, you can install the sensor only from the system you are viewing.
• In the Systems page, select the desired group in the System Tree, and select the systems where you want to install sensors.
In the Action pane, click OK.
Run. Click Save and specify the name of your query and any notes, then click Save again. McAfee recommends using a product-specific prefix when naming your queries, to keep them organized and make them easier to find. For example, RSD: QueryName.
Systems Details page: Click Menu | Systems | System Tree | Systems, then click any system.
Systems page: Click Menu | Systems | System Tree.
For option definitions, click ? in the interface.
Click Menu | Systems | Detected Systems, then in the Subnet Status monitor, click Add Subnet. The Add Subnets page appears. Choose the method you want to use to add subnets, specify the subnets you want to add, then click Import.
Ignored Subnets page. Click the Ignored link in the Subnet Status monitor on the Detected Systems page to see the list of ignored subnets, where you can optionally choose to include one or more ignored subnets. For option definitions, click ? in the interface.
Forces the sensor to run as a normal command-line executable; otherwise it must be run as an NT service.
--help: Prints the Help screen and lists available command-line options.
--install: Registers the sensor with the Windows Service Control Manager.
Rogue Systems, By OUI (Last 7 Days) in the last seven days, grouped by organizationally unique identifier, in pie chart format. Subnet Coverage Returns the details of detected subnets on your network, in pie chart format.
Issues are action items that can be prioritized, assigned, and tracked.
Issues
Users can create basic issues manually or the McAfee ePO server can automatically create issues in response to product events. For example, users with the proper permissions can configure ePolicy Orchestrator to automatically create a Benchmark Rule Compliance issue if a noncompliant system is discovered during an audit.
Responses also allow multiple events to be aggregated into a single issue so that the McAfee ePO server is not overwhelmed with large numbers of issues. Issues can be deleted manually, and closed issues can be manually purged based on their age and automatically purged through a user-configured server task.
The Description page of the Response Builder appears.
Use this... To do this...
• Name: Type a meaningful name for the response.
• Description: Type a description of the response.
• Language: Select the language in which the response will appear.
Next to Throttling, select the maximum time period that you want this response to occur. Click Next. Select Create issue from the drop-down list, then select the type of issue to create. This choice determines the options that appear on this page.
Assign a state to the issue:
• Unknown
• New
• Assigned
• Resolved
• Closed
Priority
Assign a priority to the issue:
• Unknown
• Lowest
• Low
• Medium
• High
• Highest
Select the checkbox next to each issue you want to assign, then click Assign to user.
Display required columns on Issues page: Click Actions | Choose Columns. Select columns of data to be displayed on the Issues page.
This function affects all closed issues, not just those in the current view.
Purging closed issues on a schedule
You can schedule a task to periodically purge the database of closed issues. This keeps the database smaller.
After the steps for integrating a ticketing server are completed, all subsequent issues are ticketed automatically. McAfee recommends always adding an assignee to an issue before the ticket is created. If an assignee is added manually to a ticketed issue, you must add tickets manually to any issues that existed prior to the integration.
New if the registered server for the ticketing server is deleted.
Integration with ticketing servers
Integration of a ticketing server forces the creation of tickets associated with issues that were created in products. The ePolicy Orchestrator software supports these ticketing servers:
Mapping is a two-way process. These examples demonstrate how to map an issue to a ticket and to map the ticket's status back to the issue's status. For example, if the ticket is marked as closed, the issue status will be updated to show that it is closed.
Because this section only maps the ticket's status, you are not prompted to add the ID of the issue's status field. This field is implied.
• Operation: Substitution
• Source field: Status
• Values: Default Value: TICKETED Source Value Mapped Value CLOSED
In this example, "External" specifies that the ticket was created by a product external to the ticketing server. You can type the name of the product instead, to indicate which product created the ticket.
A ticket can be added in a similar way when viewing the details of an issue. When a ticket is added, a new ticket is created automatically in the ticketing server. Issues with existing tickets are ignored.
Schedule the server task as needed, then click Next. Review the details of the server task, then click Save.
Working with ticketing servers
These tasks integrate your ticketing server with ePolicy Orchestrator.
Orchestrator depend on your ticketing system. Task Go to Start | Control Panel | Administrative Tools, then double-click Services. In the Name column, double-click McAfee Policy Auditor Application Server. Select the General tab. Under Service status, click Stop.
Working with ticketing servers
Task
In Windows, click Start | Control Panel | Administrative Tools, then double-click Services. In the Name column, locate then double-click McAfee Policy Auditor Application Server. Select the General tab. Under Service status, click Stop. The server is now stopped.
Managing Issues and Tickets
Working with ticketing servers
Task
Copy the following required files to the \Server\bin folder of your ePolicy Orchestrator software installation. For example, C:\Program Files\McAfee\ePolicy Orchestrator\Server\bin.
Remedy API Version Required Files
Remedy 5.1 • arapi51.dll • arjni51.dll •...
The system running the ticketing extension must be able to resolve the address of the Service Desk system. Task On the McAfee ePO server that is integrated with the ticketing system, use a text editor to open the hosts file. The hosts file should be located in the c:\windows\system32\drivers\etc\ folder.
Because this section only maps the ticket's state/status, you are not prompted to add the ID of the issue's status (state) field. This field is implied. Source values, mapped values, and field IDs are case-sensitive.
If this occurs, complete this task, then manually add tickets to all previously ticketed issues. This causes the reopen function to run. For more details, see the section in this guide about how tickets are reopened.
For more details, see the sections in this guide about integrating ticketing servers, installing ticketing server extensions, and registering and configuring a ticketing server. After you have configured the integration with the upgraded ticketing server, enable the server task, which synchronizes ticketed issues.
SQL Express SQL Server Management Studio Express Depending on your deployment of McAfee ePO software, plan on spending a few hours each week on regular database backups and maintenance. The tasks discussed in this section should be performed on a regular basis, either weekly or daily. However, these are not the only maintenance tasks available.
Orchestrator database. Primarily for this reason, McAfee recommends using simple recovery mode for the ePolicy Orchestrator database. If you use full recovery mode, ensure you have a good backup plan for both your ePolicy Orchestrator database and transaction log.
Things to know about this page: • Authentication — If the database is up, this page uses normal McAfee ePO user authentication and only a global administrator can access it. If the database is down, a connection is required from the system running the SQL server.