| Section | Page |
|---|---|
| Contents | 3 |
| Preface | 11 |
| About this guide | 11 |
| Audience | 11 |
| Conventions | 11 |
| What's in this guide | 12 |
| Finding product documentation | 12 |
| Introducing McAfee ePolicy Orchestrator Software version 4.6.0 | 13 |
| 1 Introducing McAfee ePolicy Orchestrator Software version 4.6.0 | 15 |
| What is ePolicy Orchestrator software | 15 |
| Components and what they do | 16 |
| How the software works | 17 |
| How to navigate the ePolicy Orchestrator interface | 18 |
| About the ePolicy Orchestrator navigation Menu | 18 |
| About the navigation bar | 19 |
| 2 Planning your ePolicy Orchestrator configuration | 21 |
| About scalability | 21 |
| When to use multiple ePolicy Orchestrator servers | 21 |
| When to use multiple remote Agent Handlers | 22 |
| Server configuration overview | 22 |
| Setting up and configuring your ePolicy Orchestrator server | 25 |
| 3 Configuring essential features | 27 |
| About essential features | 27 |
| Using the Guided Configuration to configure essential features | 28 |
| 4 Configuring general server settings | 31 |
| About general server settings | 31 |
| Configuring general server settings | 31 |
| Allowing agent deployment credentials to be cached | 31 |
| Specifying default dashboards and dashboard refresh intervals | 32 |
| Determining which events are forwarded to the server | 32 |
| Choosing an ePO Notification Event interval | 33 |
| Configuring settings for global updates | 33 |
| Providing a license key | 34 |
| Creating a custom login message | 34 |
| McAfee Labs Security Threats | 34 |
| Working with McAfee Labs Security Threats | 35 |
| Controlling unsupported product policy visibility | 35 |
| Changing agent communication ports | 36 |
| Configuring the template and location for exported reports | 36 |
| Using a proxy server | 36 |
| SSL certificates | 37 |
| Replacing the server certificate | 37 |
| Installing a trusted security certificate for the McAfee ePO browser | 38 |
| Installing the security certificate when using Internet Explorer | 38 |
| Installing the security certificate when using Firefox 3.5 or higher | 38 |
| Enabling System Tree sorting on the server | 39 |
| ePolicy Orchestrator server settings categories and their descriptions | 39 |
| 5 Creating user accounts | 43 |
| About user accounts | 43 |
| Global administrators | 43 |
| Working with user accounts | 44 |
| Creating user accounts | 44 |
| Editing user accounts | 44 |
| Deleting user accounts | 45 |
| 6 Setting up permission sets | 47 |
| How users, groups, and permission sets fit together | 47 |
| Working with permission sets | 49 |
| Creating a new permission set | 49 |
| Modifying an existing permission set | 50 |
| Duplicating a permission set | 50 |
| Exporting permission sets | 50 |
| Importing permission sets | 51 |
| Removing a permission set | 51 |
| Deleting permission sets | 51 |
| 7 Configuring advanced server settings | 53 |
| Configuring Active Directory user login | 53 |
| Managing ePolicy Orchestrator users with Active Directory | 53 |
| Windows authentication and authorization strategies | 55 |
| Configuring Windows authentication and authorization | 56 |
| Enabling Windows authentication in ePO Server | 56 |
| Configuring Windows authentication | 56 |
| Configuring Windows authorization | 57 |
| Authenticating with certificates | 58 |
| When to use certificate authentication | 58 |
| Configuring ePolicy Orchestrator for certificate authentication | 58 |
| Uploading server certificates | 59 |
| Removing server certificates | 59 |
| Configuring users for certificate authentication | 60 |
| Problems with certificate authentication | 60 |
| Configuring Rogue System Detection server settings | 61 |
| Configuring server settings for Rogue System Detection | 61 |
| Editing Detected System Compliance | 61 |
| Editing Detected System Exception Categories | 62 |
| Editing Detected Systems Matching | 62 |
| Editing Detected System OUIs | 63 |
| Editing Rogue System Sensor settings | 63 |
| Managing security keys | 64 |
| Security keys and how they work | 64 |
| Master repository key pair | 65 |
| Other repository public keys | 65 |
| Working with repository keys | 65 |
| Using one master repository key pair for all servers | 66 |
| Using master repository keys in multi-server environments | 66 |
| Agent-server secure communication (ASSC) keys | 67 |
| Working with ASSC keys | 67 |
| Deleting agent-server secure communication (ASSC) keys | 68 |
| Exporting ASSC keys | 68 |
| Importing ASSC keys | 69 |
| Generating and using new ASSC key pairs | 69 |
| Designating an ASSC key pair as the master | 70 |
| Using the same ASSC key pair for all servers and agents | 70 |
| Using a different ASSC key pair for each McAfee ePO server | 71 |
| Viewing systems that use an ASSC key pair | 71 |
| Backing up and restoring keys | 71 |
| Backing up all security keys | 72 |
| Restoring security keys | 72 |
| Restoring security keys from a backup file | 73 |
| Configuring source and fallback sites | 73 |
| Working with source and fallback sites | 73 |
| Creating source sites | 74 |
| Switching source and fallback sites | 75 |
| Editing source and fallback sites | 75 |
| Deleting source sites or disabling fallback sites | 75 |
| 8 Setting up repositories | 77 |
| Repository types and what they do | 78 |
| Types of distributed repositories | 79 |
| Repository branches and their purposes | 80 |
| Repository list file and its uses | 81 |
| How repositories work together | 82 |
| Ensuring access to the source site | 82 |
| Configuring proxy settings | 83 |
| Configuring proxy settings for the McAfee Agent | 83 |
| Configuring proxy settings for McAfee Labs Security Threats | 84 |
| Using SuperAgents as distributed repositories | 84 |
| Creating SuperAgent repositories | 85 |
| Selecting which packages are replicated to SuperAgent repositories | 86 |
| Deleting SuperAgent distributed repositories | 86 |
| Creating and configuring FTP, HTTP, and UNC repositories | 86 |
| Creating a folder location on an FTP, HTTP server or UNC share | 87 |
| Adding the distributed repository to ePolicy Orchestrator | 87 |
| Avoiding replication of selected packages | 89 |
| Disabling replication of selected packages | 89 |
| Enabling folder sharing for UNC and HTTP repositories | 90 |
| Editing distributed repositories | 90 |
| Deleting distributed repositories | 90 |
| Using local distributed repositories that are not managed | 91 |
| Working with the repository list files | 92 |
| Exporting the repository list SiteList.xml file | 92 |
| Exporting the repository list SiteMgr.xml file for backup or use by other servers | 93 |
| Importing distributed repositories from the SiteMgr.xml file | 93 |
| Importing source sites from the SiteMgr.xml file | 93 |
| Changing credentials on multiple distributed repositories | 94 |
| 9 Setting up registered servers | 95 |
| Registering servers | 95 |
| Registering McAfee ePO servers | 95 |
| Registering LDAP servers | 97 |
| Registering SNMP servers | 98 |
| Registering a database server | 99 |
| 10 Setting up Agent Handlers | 101 |
| Agent Handlers and what they do | 101 |
| How Agent Handlers work | 101 |
| Handler groups and priority | 102 |
| Working with Agent Handlers | 103 |
| Assigning agents to Agent Handlers | 103 |
| Managing Agent Handler assignments | 104 |
| Setting up Agent Handler groups | 104 |
| Managing Agent Handler groups | 105 |
| Moving agents between handlers | 105 |
| Grouping agents using Agent Handler assignments | 106 |
| Grouping agents by assignment priority | 107 |
| Grouping agents using the System Tree | 107 |
| 11 Other important server information | 109 |
| About Internet Protocols in managed environment | 109 |
| Exporting objects from ePolicy Orchestrator | 110 |
| Importing items into ePolicy Orchestrator | 110 |
| Exporting objects and data from your ePolicy Orchestrator server | 111 |
| ePolicy Orchestrator Log Files | 112 |
| The Audit Log | 112 |
| Working with the Audit Log | 112 |
| Viewing the Audit Log | 112 |
| Purging the Audit Log | 113 |
| Purging the Audit Log on a schedule | 113 |
| The Server Task log | 114 |
| Working with the Server Task Log | 114 |
| Viewing the Server Task Log | 114 |
| Filtering the Server Task Log | 115 |
| Purging the Server Task Log | 115 |
| Allowed Cron syntax when scheduling a server task | 115 |
| The Threat Event Log | 116 |
| Working with the Threat Event Log | 117 |
| Viewing the Threat Event Log | 117 |
| Purging Threat Events | 117 |
| Purging the Threat Event Log on a schedule | 118 |
| Managing your network security with your ePolicy Orchestrator server | 119 |
| 12 Organizing the System Tree | 121 |
| The System Tree structure | 121 |
| Considerations when planning your System Tree | 123 |
| Administrator access | 123 |
| Environmental borders and their impact on system organization | 124 |
| Subnets and IP address ranges | 124 |
| Tags and systems with similar characteristics | 124 |
| Operating systems and software | 125 |
| Tags and how they work | 125 |
| Active Directory and NT domain synchronization | 126 |
| Active Directory synchronization | 126 |
| Types of Active Directory synchronization | 127 |
| Systems and structure | 127 |
| Systems only | 127 |
| NT domain synchronization | 127 |
| Criteria-based sorting | 128 |
| How settings affect sorting | 129 |
| IP address sorting criteria | 129 |
| Tag-based sorting criteria | 130 |
| Group order and sorting | 130 |
| Catch-all groups | 130 |
| How a system is added to the System Tree when sorted | 130 |
| Working with tags | 132 |
| Creating tags with the Tag Builder | 132 |
| Excluding systems from automatic tagging | 133 |
| Applying tags to selected systems | 133 |
| Applying criteria-based tags automatically to all matching systems | 133 |
| Applying criteria-based tags to all matching systems | 134 |
| Applying criteria-based tags on a schedule | 134 |
| Creating and populating groups | 135 |
| Creating groups manually | 136 |
| Adding systems manually to an existing group | 137 |
| Exporting systems from the System Tree | 138 |
| Importing systems from a text file | 138 |
| Creating a text file of groups and systems | 139 |
| Importing systems and groups from a text file | 139 |
| Sorting systems into criteria-based groups | 140 |
| Adding sorting criteria to groups | 140 |
| Enabling System Tree sorting on the server | 141 |
| Enabling and disabling System Tree Sorting on Systems | 141 |
| Sorting systems manually | 141 |
| Importing Active Directory containers | 142 |
| Importing NT domains to an existing group | 144 |
| Synchronizing the System Tree on a schedule | 146 |
| Updating the synchronized group with an NT domain manually | 147 |
| Moving systems manually within the System Tree | 147 |
| Transferring systems between McAfee ePO servers | 148 |
| 13 Working with the agent from the McAfee ePO server | 149 |
| Agent-server communication | 149 |
| Agent-server communication interval | 150 |
| Agent-server communication interruption handling | 150 |
| Wake-up calls and tasks | 151 |
| SuperAgents and broadcast wake-up calls | 151 |
| SuperAgent caching and communication interruptions | 152 |
| Viewing agent and product properties | 153 |
| Responding to policy events | 153 |
| Running client tasks immediately | 154 |
| Sending manual wake-up calls to systems | 155 |
| Sending manual wake-up calls to a group | 155 |
| Locate inactive agents | 156 |
| Queries provided by McAfee Agent | 156 |
| Windows system and product properties reported by the agent | 157 |
| 14 Using the Software Manager to check in software | 159 |
| What's in the Software Manager | 159 |
| Checking in, updating, and removing software using the Software Manager | 160 |
| 15 Using policies to manage products and systems | 163 |
| Policy management | 163 |
| Policy application | 165 |
| How policy assignment rules work | 166 |
| Policy assignment rule priority | 166 |
| About user-based policy assignments | 167 |
| About system-based policy assignments | 168 |
| Using tags to assign system-based policies | 168 |
| Working with policy assignment rules | 169 |
| Creating policy assignment rules | 169 |
| Managing policy assignment rules | 170 |
| Creating Policy Management queries | 170 |
| Working with the Policy Catalog | 171 |
| Creating a policy from the Policy Catalog page | 172 |
| Duplicating a policy on the Policy Catalog page | 172 |
| Editing a policy's settings from the Policy Catalog | 173 |
| Renaming a policy from the Policy Catalog | 173 |
| Deleting a policy from the Policy Catalog | 173 |
| Working with policies | 173 |
| Configuring agent policies to use a distributed repository | 174 |
| Changing the owners of a policy | 175 |
| Moving policies between McAfee ePO servers | 175 |
| Exporting a single policy | 175 |
| Exporting all policies of a product | 176 |
| Importing policies | 176 |
| Assigning a policy to a group of the System Tree | 176 |
| Assigning a policy to a managed system | 177 |
| Assigning a policy to multiple managed systems within a group | 177 |
| Enforcing policies for a product on a group | 178 |
| Enforcing policies for a product on a system | 178 |
| Copying and pasting assignments | 179 |
| Copying policy assignments from a group | 179 |
| Copying policy assignments from a system | 179 |
| Pasting policy assignments to a group | 179 |
| Pasting policy assignments to a specific system | 180 |
| Viewing policy information | 180 |
| Viewing groups and systems where a policy is assigned | 181 |
| Viewing the settings of a policy | 181 |
| Viewing policy ownership | 182 |
| Viewing assignments where policy enforcement is disabled | 182 |
| Viewing policies assigned to a group | 182 |
| Viewing policies assigned to a specific system | 183 |
| Viewing a group's policy inheritance | 183 |
| Viewing and resetting broken inheritance | 183 |
| Sharing policies among McAfee ePO servers | 183 |
| Setting up policy sharing for multiple McAfee ePO servers | 184 |
| Registering servers for policy sharing | 184 |
| Designating policies for sharing | 184 |
| Scheduling server tasks to share policies | 185 |
| Frequently asked questions | 185 |
| 16 Using tasks to manage products and systems | 187 |
| Deployment packages for products and updates | 187 |
| Product and update deployment | 189 |
| First time product and update deployment overview | 189 |
| Server tasks and what they do | 190 |
| Global updating | 190 |
| Deploying update packages automatically with global updating | 191 |
| Pull tasks | 192 |
| Replication tasks | 193 |
| Repository selection | 193 |
| Deploying update packages with pull and replication tasks | 194 |
| Using pull tasks to update the master repository | 194 |
| Running a pull task on a schedule | 194 |
| Running a Pull Now task | 195 |
| Replicating packages from the master repository to distributed repositories | 196 |
| Running a Repository Replication server task on a schedule | 196 |
| Running a Replicate Now task | 197 |
| Avoiding replication of selected packages | 198 |
| Allowed Cron syntax when scheduling a server task | 198 |
| About the pull and replication task information in the Server Task log | 199 |
| Client tasks and what they do | 199 |
| How the Client Task Catalog works | 200 |
| Deployment tasks | 200 |
| Using the Product Deployment task to deploy products to managed systems | 200 |
| Configuring the Deployment task for groups of managed systems | 201 |
| Configuring the Deployment task to install products on a managed system | 202 |
| Update tasks | 203 |
| Updating managed systems regularly with a scheduled update task | 203 |
| Working with client tasks | 204 |
| Creating and scheduling client tasks | 204 |
| Editing client tasks | 205 |
| Deleting client tasks | 205 |
| Confirming that clients are using the latest DAT files | 205 |
| Evaluating new DATs and engines before distribution | 206 |
| 17 Managing packages and extensions manually | 207 |
| Bringing products under management | 207 |
| Checking in packages manually | 207 |
| Deleting DAT or engine packages from the master repository | 208 |
| Manually moving DAT and engine packages between branches | 208 |
| Checking in engine, DAT and ExtraDAT update packages manually | 209 |
| 18 Responding to events in your network | 211 |
| About using Automatic Responses | 212 |
| Automatic Responses and how it works | 212 |
| Throttling, aggregation, and grouping | 213 |
| Default rules | 213 |
| Planning | 214 |
| Determining how events are forwarded | 214 |
| Determining which events are forwarded immediately | 215 |
| Determining which events are forwarded | 215 |
| Configuring Automatic Responses | 216 |
| Assigning permission sets to access Automatic Responses | 216 |
| Assigning permissions to Notifications | 216 |
| Assigning permissions to Automatic Responses | 217 |
| Working with SNMP servers | 217 |
| Editing SNMP servers | 218 |
| Deleting an SNMP server | 219 |
| Importing .MIB files | 220 |
| Working with registered executables and external commands | 220 |
| Adding registered executables | 221 |
| Editing registered executables | 221 |
| Deleting registered executables | 221 |
| Duplicating registered executables | 221 |
| Creating and editing Automatic Response rules | 222 |
| Describing the rule | 222 |
| Setting filters for the rule | 223 |
| Setting thresholds of the rule | 223 |
| Configuring the action for Automatic Response rules | 224 |
| Frequently asked questions | 226 |
| Monitoring and reporting on your network security status | 227 |
| 19 Monitoring with Dashboards | 229 |
| Working with dashboards | 229 |
| Creating dashboards | 230 |
| Adding monitors to dashboards | 230 |
| Removing monitors from dashboards | 231 |
| Duplicating dashboards | 231 |
| Deleting dashboards | 232 |
| Importing dashboards | 232 |
| Exporting dashboards | 232 |
| Changing the system default dashboard | 233 |
| Assigning permissions to dashboards | 233 |
| Working with dashboard monitors | 234 |
| Configuring dashboard monitors | 234 |
| Moving and resizing dashboard monitors | 235 |
| Default dashboards and their monitors | 235 |
| 20 Querying the database and reporting on system status | 239 |
| Query and report permissions | 240 |
| About queries | 240 |
| Query Builder | 242 |
| Working with queries | 243 |
| Creating custom queries | 243 |
| Running an existing query | 244 |
| Running a query on a schedule | 245 |
| Creating a query group | 245 |
| Moving a query to a different group | 246 |
| Duplicating queries | 246 |
| Deleting queries | 246 |
| Exporting a query | 247 |
| Importing a query | 247 |
| Exporting query results to other formats | 248 |
| Multi-server rollup querying | 249 |
| Creating a Rollup Data server task | 249 |
| Creating a query to define compliance | 250 |
| Generating compliance events | 250 |
| About reports | 251 |
| Structure of a report | 251 |
| Working with reports | 252 |
| Creating a new report | 253 |
| Editing an existing report | 253 |
| Adding elements to a report | 254 |
| Configuring image report elements | 254 |
| Configuring text report elements | 255 |
| Configuring query table report elements | 255 |
| Configuring query chart report elements | 256 |
| Customizing report headers and footers | 256 |
| Removing elements from a report | 257 |
| Reordering elements within a report | 258 |
| Viewing report output | 258 |
| Grouping reports together | 258 |
| Running reports | 259 |
| Configuring Internet Explorer 8 to automatically accept McAfee ePO downloads | 259 |
| Running a report with a server task | 260 |
| Exporting reports | 260 |
| Importing reports | 261 |
| Deleting reports | 261 |
| Using database servers | 261 |
| Working with database servers | 262 |
| Modifying a database registration | 262 |
| Removing a registered database | 262 |
| 21 Detecting Rogue Systems | 265 |
| What are rogue systems | 265 |
| Rogue System Detection states | 266 |
| Overall system status | 266 |
| Rogue System Sensor status | 267 |
| Subnet status | 268 |
| Top 25 Subnets | 268 |
| Rogue Sensor Blacklist | 269 |
| Rogue System Detection policy settings | 269 |
| Considerations for policy settings | 269 |
| Rogue System Detection permission sets | 271 |
| How the Rogue System Sensor works | 272 |
| Passive listening to layer-2 traffic | 272 |
| Intelligent filtering of network traffic | 272 |
| Data gathering and communications to the server | 273 |
| Systems that host sensors | 273 |
| How detected systems are matched and merged | 274 |
| Working with detected systems | 274 |
| Configuring Rogue System Detection policy settings | 275 |
| Adding systems to the Exceptions list | 276 |
| Adding systems to the Rogue Sensor Blacklist | 277 |
| Adding detected systems to the System Tree | 277 |
| Editing system comments | 277 |
| Exporting the Exceptions list | 278 |
| Importing systems to the Exceptions list | 278 |
| Merging detected systems | 278 |
| Pinging a detected system | 279 |
| Querying detected system Agents | 279 |
| Removing systems from the Detected Systems list | 279 |
| Removing systems from the Exceptions list | 280 |
| Removing systems from the Rogue Sensor Blacklist | 280 |
| Viewing detected systems and their details | 280 |
| Working with sensors | 280 |
| Installing sensors | 281 |
| Installing sensors on specific systems | 281 |
| Using queries and server tasks to install sensors | 282 |
| Using client task to install sensors | 282 |
| Editing sensor descriptions | 283 |
| Removing sensors | 283 |
| Working with subnets | 284 |
| Adding subnets | 284 |
| Deleting subnets | 285 |
| Ignoring subnets | 285 |
| Including subnets | 285 |
| Renaming subnets | 286 |
| Viewing detected subnets and their details | 286 |
| Rogue System Detection command-line options | 286 |
| Default Rogue System Detection queries | 287 |
| 22 Managing Issues and Tickets | 289 |
| Issues and how they work | 290 |
| Working with issues | 290 |
| Creating basic issues manually | 290 |
| Configuring responses to automatically create issues | 291 |
| Managing issues | 294 |
| Purging closed issues | 295 |
| Purging closed issues manually | 295 |
| Purging closed issues on a schedule | 295 |
| Tickets and how they work | 296 |
| Ways to add tickets to issues | 296 |
| Assignment of ticketed issues to users | 296 |
| How tickets and ticketed issues are closed | 296 |
| Benefits of adding comments to ticketed issues | 297 |
| How tickets are reopened | 297 |
| Ticketed issue synchronization | 297 |
| Integration with ticketing servers | 297 |
| Considerations when deleting a registered ticketing server | 298 |
| Required fields for mapping | 298 |
| Sample mappings | 298 |
| Sample mapping for Hewlett-Packard Openview Service Desk | 299 |
| Sample mapping for BMC Remedy Action Request System | 300 |
| Working with tickets | 301 |
| Adding tickets to issues | 301 |
| Synchronizing ticketed issues | 302 |
| Synchronizing ticketed issues on a schedule | 302 |
| Working with ticketing servers | 302 |
| Installing extensions for ticketing server | 303 |
| Stopping and starting the server | 303 |
| Copying the Hewlett-Packard Openview Service Desk files | 304 |
| Copying the BMC Remedy Action Request System files | 304 |
| Installing the ticketing server extensions | 305 |
| Registering and mapping a ticketing server | 305 |
| Configuring the DNS for Hewlett-Packard Openview Service Desk 4.5 | 306 |
| Registering a ticketing server | 306 |
| Configuring the field mappings | 306 |
| Mapping issues to tickets | 307 |
| Mapping tickets back to issue status | 307 |
| Upgrading a registered ticketing server | 308 |
| A Appendix: Maintaining ePolicy Orchestrator Databases | 311 |
| Perform regular maintenance of SQL Server databases | 311 |
| Backup and restore ePolicy Orchestrator databases | 312 |
| Changing SQL Server information | 312 |
| Index | 315 |
| A | 315 |
| B | 316 |
| C | 316 |
| D | 316 |
| E | 317 |
| F | 318 |
| G | 318 |
| H | 319 |
| I | 319 |
| K | 319 |
| L | 319 |
| M | 320 |
| N | 320 |
| O | 320 |
| P | 321 |
| Q | 322 |
| R | 322 |
| S | 323 |
| T | 326 |
| U | 326 |
| V | 327 |