ePolicy Orchestrator 5.1 Essentials
2013 McAfee, Inc. All Rights Reserved.

Transcription

This module covers the essential information on maintaining an ePO Server and database. The information presented in this module is not all inclusive. Enterprise customers most often just need to know where the “must preserve data” is located. From there, they’ll usually throw the new setup into their existing backup and recovery plan, already set forth by the organization.

The most crucial data for ePO is obviously the database. The entire system can be restored with a recent copy of the database. But there is other data that can ease the process greatly in the event a restoration is needed. Students will be shown how to manage ePO Security Keys, and review important logs, along with utilizing database maintenance tools.

ePO is not an appliance-based solution. It is installed to the customer’s hardware. Therefore, customers need to maintain and protect their ePO Server and database. Obviously, failure to do so will cost them a lot of downtime and headaches. They need to keep the server up-to-date on patches and updates. This includes not only McAfee ePO patches, but also Microsoft patches for the operating system and the SQL database, and some sort of malware protection application (e.g. VirusScan Enterprise).

Several of the available ePO Server Tasks can assist with periodic server maintenance tasks like maintaining System Tree synchronization, managing product licenses, purging old data, maintaining repositories, and maintaining Rogue System Sensors.

Security Keys
ePolicy Orchestrator uses security keys to secure the agent-to-server communication, and to sign and validate packages.

Agent-to-server secure communication keys
Agent-to-server secure communication (ASSC) keys are used by the agents to communicate securely with the server. You can make any ASSC key pair the master, which is the one currently assigned to agents deployed in the environment. The ePO agent key updater needs to exist in the Master repository, and the McAfee Agent update task has to have the ePO agent key updater selected. Existing agents using other keys in the list will change to the new master after their next update. It is important to wait until all agents have updated to the new master before deleting any older keys.

Master repository key pair
The master repository private key signs all unsigned content in the master repository. Agents use the public key to verify the repository content originating from the master repository on the ePO server. If the content is unsigned, or signed with an unknown repository private key, the downloaded content is considered invalid and deleted. This key pair is unique to each server installation. However, by exporting and importing keys, you can use the same key pair in a multi-server environment.

Other repository public keys
These are the public keys that agents use to verify content from other master repositories in the environment or McAfee source sites. Each agent reporting to this server uses the keys in this list to verify content that originates from other ePO servers in the organization, or from McAfee-owned sources. If an agent downloads content that originated from a source for which the agent does not have the appropriate public key, the agent will discard the content.

Customers in multi-server environments can choose to use the same ASSC key pair for all servers and agents. You can export ASSC keys from one McAfee ePO server to a different ePO server, to allow agents to access the new ePO server. You can choose to make any ASSC key pair the master, which is the key pair currently assigned to all deployed agents.

They can also choose to use a different ASSC key pair for each McAfee ePO server to ensure that all agents can communicate with the required McAfee ePO servers in an environment where each server must have a unique agent-to-server communication key pair.

NOTE: Agents can communicate with one server at a time. The ePO server can have multiple keys to communicate with different agents, but the opposite is not true. Agents cannot have multiple keys to communicate with multiple ePO servers.

ASSC Keys in Multi-Server Environments
You can have both a 2048-bit and a 1024-bit key set as master. The ePO server will talk to McAfee Agent 4.8 with the stronger key.

You can view which systems are using a key pair, when editing security keys, by highlighting the key and selecting the View Agents button.

Before deleting the previous master key pair from the list, wait until all agents begin using the new master key pair. Agents begin using the new key pair after the agent completes its next update task with the ‘ePO agent key updater’ selected. At any time, you can see which agents are using any of the ASSC key pairs in the list.

CAUTION: Do not delete any keys that are currently in use by any agents, or those agents will not be able to communicate with the server. You cannot delete a key designated as a Master Key. You must make another key the Master before deleting the old key. In ePO 5.x you cannot delete a key that an agent is using.

The master repository key pair is unique for each installation. If you use multiple servers, each uses a different key. If the agents are configured to allow the download of content that originates from different master repositories, you must ensure that agents recognize the content as valid. You can ensure this in two ways:
- Use the same master repository key pair for all servers and agents
- Ensure agents are configured to recognize any repository public key used in the environment

It is recommended that you back up all keys before making any changes to the key management settings.

After installation you can change only two ports: the Agent wake-up communication port and the Agent broadcast communication port. If you need to change other ports, you must either reinstall the server and reconfigure the ports in the installation wizard, or refer to available KnowledgeBase articles.

Purge the Audit Log
The Audit Log page is used to find and view actions taken by all users. Here, you can maintain and access records of all McAfee ePO user actions. The entries are displayed in a sortable table. Customers can delete entries from the Audit Log based on a user-specified age. This action purges all audit log entries older than the specified age.

Purge the Threat Event Log
The Threat Event Log page allows you to view and manage the event files in the database. You can purge events from the log based on a user-specified age. The action deletes all the event log entries older than the specified age.

Purge Old Data
The idea is that customers should be purging data on a regular basis. Here’s an example of a task that they should run every single day.

Review the 9 actions set up in this example server task. Notice the 8th action is configured to purge by query. This is just an example, but it illustrates the power behind server tasks, and represents a modest approach to keeping the database clean.

Customers may find themselves needing to migrate the database to another server, or they may want to upgrade the hardware on the existing server. Before performing any migration, the first step is to back up the database.

The steps involved in the migration process depend on many factors. Are they keeping the server name and IP the same? Is one changing but not the other? Will there be any network communication boundaries that need to be acknowledged and dealt with? Etcetera.

Additional information:
- KB67605 - How to change the ePO 4.5.0 and 4.6.0 Agent-to-Server communication port 80
- KB72936 - How to change ePO Agent-to-Server Communication secure port 443
- KB52141 - How to change the ePolicy Orchestrator 4.x Console-to-Application Server communication port 8443
- KB68963 - How to change the ePolicy Orchestrator 4.x Client-to-server authenticated communication Port 8444

Customers may also need to migrate their ePO server. This topic explains the process of migrating an existing ePO Server to a new hardware platform according to the recommended procedure. This information is intended for use by network and ePO administrators only. These instructions are intended as guidelines for migration. All liability for use remains with the user. The instructions in this topic can also be used for disaster recovery.

NOTE: The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this would be to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information. The procedure can also be used by customers who want to migrate the ePO server to another system. For ePO 5.x users, it is preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.

In preparation for server migration, you will want to back up the folders shown here on the server. There are multiple KB articles available on how to back up the SQL database.

It is important to back up the ePO Key-Store pairs. The task shown here backs up the repository and agent communication keys. These are stored in the following folder by default:
.\Program Files\McAfee\ePolicy Orchestrator\DB\Keystore\

You must reinstall ePO to the exact same directory path as the previous installation or the initialization of extensions will fail when the restore is complete.

The server.ini file located in the previous installation (\Program Files (x86)\McAfee\ePolicy Orchestrator\DB) stores the following information:
- HTTPPort 80 (Agent-to-Server communication port)
- AgentHttpPort 8081 (Agent Wake-Up communication port)
- SecureHttpPort 8443 (Console-to-Application Server communication port)
- BroadcastPort 8082 (Agent Broadcast communication port)

If you use the original SQL server, the installer will attempt to create a database called ePO_servername. Because the name of the original ePO server is retained, the original database has to be backed up and detached. Otherwise, the installer prompts you to overwrite the existing database.

1. Log on to the new ePO server.
2. On the new ePO server, click Start, Run, type services.msc, and click OK. Right-click each of the following services and select Stop:
   - McAfee ePolicy Orchestrator 5.1.0 Application Server
   - McAfee ePolicy Orchestrator 5.1.0 Event Parser
   - McAfee ePolicy Orchestrator 5.1.0 Server
3. Click Start, Run, type cmd and click OK.
4. If you backed up the database using OSQL commands, to restore the ePO database type the following command and press ENTER:
   sqlcmd -E -S servername\instancename -Q "RESTORE DATABASE ePO4_servername FROM DISK = 'c:\backupdirectory\test'"
   NOTE: c:\backupdirectory\test is the location where the database backup is located.
5. Close the command prompt window.

Replace the existing folders for the paths listed above with the contents of the backed-up copies.

1. Before you enable and start the ePO services, ensure that the contents (version numbers) of the C:\Program Files\McAfee\ePolicy Orchestrator\server\extensions\installed folder match the extensions listed in the OrionExtensions table. To check the contents of the OrionExtensions table, access the SQL Tools and run the following T-SQL command:
   Select * from OrionExtensions
   If there is a mismatch on server startup, the server removes each extension not listed in the OrionExtensions table. If this happens, check in these extensions again and also restore the database again.
2. Start the McAfee ePolicy Orchestrator 5.1.0 Application Server service.
   NOTE: You must start this service for RunDllGenCerts to work.
3. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path, otherwise the setup will fail to create a new Cert:
   "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

4. Click Start, Run, type cmd, and click OK.
5. Change directories to your ePO installation directory. Default path: Program Files\McAfee\ePolicy Orchestrator\
6. Run the following command:
   IMPORTANT:
   - This command will fail if you have enabled User Account Control (UAC) on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at: 1(WS.10).aspx.
   - This command is case-sensitive. The ahsetup.log (found in installdir\Apache2\conf\ssl.crt) provides information about whether the command succeeded or failed and will state if it used the files located in the ssl.crt folder.
   Rundll32.exe ahsetup.dll RunDllGenCerts eposervername consoleHTTPSport adminusername password "installdir\Apache2\conf\ssl.crt"
   where:
   - eposervername is your ePO server NetBIOS name
   - consoleHTTPSport is your ePO Console port (default is 8443)
   - adminusername is admin (use the default ePO admin account)
   - password is the password to the ePO Admin console account
   - installdir\Apache2\conf\ssl.crt is your installation path to the Apache folder. Default installation path, 64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\"
   Example:
   Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
7. Start the following services:
   - McAfee ePolicy Orchestrator 5.1.0 Event Parser
   - McAfee ePolicy Orchestrator 5.1.0 Server
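The restore steps above are typed into a command prompt one at a time. The following PowerShell script is an added example, not McAfee's own tooling, that scripts the pre-start checks and the certificate regeneration in the same order: it refuses to continue if any extension folder on disk is absent from OrionExtensions (which would otherwise be deleted on first start), moves SSL.CRT aside, runs RunDllGenCerts with the password prompted for rather than hard-coded, and then starts the remaining services. The SQL instance and database names are placeholders, $EpoRoot must equal the original install path as the slide requires, and the OrionExtensions check searches the raw query output for each folder name so that no assumption is made about the table's column names. Run it from an elevated session on the new ePO server.

```powershell
# Added example (not McAfee's code): scripted restore steps 1-3 and 6-7 above.
# Placeholders: $SqlServer, $EpoDb. The three ePO services are assumed to be
# stopped already (steps 1-2 of the previous slide) and the database restored.
$EpoRoot     = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'
$SqlServer   = 'SQLSERVER\INSTANCE'     # placeholder SQL instance
$EpoDb       = 'ePO_EPOSERVERNAME'      # placeholder: the restored ePO database
$EpoServer   = $env:COMPUTERNAME        # ePO server NetBIOS name
$ConsolePort = 8443                     # console HTTPS port (default)

$installedDir = Join-Path $EpoRoot 'server\extensions\installed'
$sslCrt       = Join-Path $EpoRoot 'APACHE2\CONF\SSL.CRT'
$svc = @{
    AppServer   = 'McAfee ePolicy Orchestrator 5.1.0 Application Server'
    EventParser = 'McAfee ePolicy Orchestrator 5.1.0 Event Parser'
    Server      = 'McAfee ePolicy Orchestrator 5.1.0 Server'
}

# RunDllGenCerts fails with UAC enabled (EnableLUA = 1), so check that first.
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
if ($lua -eq 1) { throw 'UAC is enabled; disable it before running RunDllGenCerts.' }

# Step 1: every extension folder on disk must appear in OrionExtensions.
$tableText = & sqlcmd.exe -E -S $SqlServer -d $EpoDb -W -Q 'SELECT * FROM OrionExtensions' | Out-String
if ($LASTEXITCODE -ne 0) { throw 'sqlcmd failed; verify the instance and database names.' }
$missing = Get-ChildItem $installedDir -Directory |
    Where-Object { $tableText -notmatch [regex]::Escape($_.Name) } |
    Select-Object -ExpandProperty Name
if ($missing) {
    $missing | ForEach-Object { Write-Warning "Not in OrionExtensions: $_" }
    throw 'Check in the listed extensions and restore the database again before starting services.'
}

# Step 2: the Application Server must be running for RunDllGenCerts.
Get-Service -DisplayName $svc.AppServer | Start-Service

# Step 3: move the old certificate folder aside and create an empty SSL.CRT.
if (Test-Path $sslCrt) {
    if (Test-Path "$sslCrt.OLD") { throw "$sslCrt.OLD already exists; remove it first." }
    Rename-Item -Path $sslCrt -NewName 'SSL.CRT.OLD'
}
New-Item -ItemType Directory -Path $sslCrt | Out-Null

# Step 6: regenerate certificates. The function name is case-sensitive and the
# admin password goes on the command line, so prompt for it instead of storing it.
$cred = Get-Credential -UserName 'admin' -Message 'ePO admin console account'
$pw   = $cred.GetNetworkCredential().Password
$argLine = "ahsetup.dll RunDllGenCerts $EpoServer $ConsolePort $($cred.UserName) $pw `"$sslCrt`""
# rundll32 is a GUI-subsystem program; -Wait makes the script block until it exits.
Start-Process -FilePath 'rundll32.exe' -WorkingDirectory $EpoRoot -ArgumentList $argLine -Wait
$log = Join-Path $sslCrt 'ahsetup.log'
if (Test-Path $log) { Get-Content $log -Tail 10 } else { Write-Warning "No $log was produced; check the command." }

# Step 7: start the remaining services.
foreach ($name in $svc.EventParser, $svc.Server) {
    Get-Service -DisplayName $name | Start-Service
}
```

Read the tail of ahsetup.log before starting the Event Parser and Server services; the slide notes that it records whether the command succeeded and whether it used the files in the ssl.crt folder, so a failure there means the certificate step must be repeated before agents can connect.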

Before backing up
If possible, shut down the McAfee ePolicy Orchestrator 5.1.0 Application Server service (Tomcat) entirely when doing the backup. Otherwise just make sure no one is installing, uninstalling, or upgrading an extension during the backup. Normally backups occur during non-peak times (which is usually at night), so this shouldn’t be a big concern.

McAfee advises that customers place the ePO Server and database into their backup routines/schedules. The folder paths shown here should be backed up on the ePO Server:

C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
All installed extensions and configuration information for the ePO Application Server service are found here. Failure to back up and restore this directory results in a re-installation of ePO to create new ones using a clean database installation.

C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
All products that have been checked into the Master Repository are located here.

C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE\
The agent, server, and repository keys that are unique to the installation are located here. Failing to restore this folder results in re-pushing the agent to all the systems, and checking in all of the deployable packages again.

C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.

If the customer is concerned about the amount of data being backed up, or if the customer simply wants to reduce the number of items to back up, they can exclude the following subfolders from the \SERVER folder:
- C:\Program Files\McAfee\ePolicy Orchestrator\server\logs (server log files)
- C:\Program Files\McAfee\ePolicy Orchestrator\server\cache (contains cached information created and used by ePO, such as generated chart images)
- C:\Program Files\McAfee\ePolicy Orchestrator\server\work (contains cached information about web applications registered with Tomcat; Tomcat will regenerate that information if deleted)
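The three slides above (stop Tomcat if possible, copy these four folders, optionally skip the regenerable \SERVER subfolders) translate into one scheduled job. The following PowerShell script is an added example and not McAfee's own backup task: it stops the Application Server for the duration of the copy and restarts it afterwards, copies the four folders with robocopy while excluding server\logs, server\cache and server\work, takes a full database backup with sqlcmd, and restricts the backup folder's ACL before anything is written because the DB\KEYSTORE copy contains the ASSC and repository private keys. The install path is the default from the slide; $BackupRoot, $SqlServer and $EpoDb are placeholders to set for your environment, and the .bak path must be local to, and writable by, the SQL Server service.

```powershell
# Added example (not McAfee's code): file-level ePO backup plus a database backup.
# Placeholders: $BackupRoot, $SqlServer, $EpoDb. Run elevated on the ePO server.
$EpoRoot    = 'C:\Program Files\McAfee\ePolicy Orchestrator'
$BackupRoot = 'D:\Backups\ePO'          # placeholder destination
$SqlServer  = 'SQLSERVER\INSTANCE'      # placeholder SQL instance
$EpoDb      = 'ePO_EPOSERVERNAME'       # placeholder ePO database name
$Dest       = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')

# Folders to preserve, relative to the install directory (from the slide).
$Folders = 'SERVER', 'DB\SOFTWARE', 'DB\KEYSTORE', 'APACHE2\CONF'
# \SERVER subfolders that ePO/Tomcat regenerate; skipped with robocopy /XD.
$Exclude = @('server\logs', 'server\cache', 'server\work') |
    ForEach-Object { Join-Path $EpoRoot $_ }

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
# The keystore copy holds private keys: limit the backup folder to
# Administrators and SYSTEM before any file lands in it.
& icacls.exe $Dest /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Stop Tomcat for the copy, as the "Before backing up" slide advises.
$tomcat = Get-Service -DisplayName 'McAfee ePolicy Orchestrator 5.1.0 Application Server'
$wasRunning = ($tomcat.Status -eq 'Running')
if ($wasRunning) {
    Stop-Service -Name $tomcat.Name -Force
    $tomcat.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}
try {
    foreach ($f in $Folders) {
        $src = Join-Path $EpoRoot $f
        $dst = Join-Path $Dest $f
        # /E: all subfolders incl. empty; /COPY:DAT: data, attributes, timestamps;
        # /R:2 /W:5: limit retries on locked files; /XD: directories to skip.
        $rcArgs = @($src, $dst, '/E', '/COPY:DAT', '/R:2', '/W:5', '/NP', '/XD') + $Exclude
        & robocopy.exe @rcArgs | Out-Null
        # robocopy exit codes below 8 are success variants; 8 and above mean failures.
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }
    }
    # Full database backup; CHECKSUM lets RESTORE VERIFYONLY detect a damaged .bak.
    $bak = Join-Path $Dest "$EpoDb.bak"
    & sqlcmd.exe -E -S $SqlServer -Q "BACKUP DATABASE [$EpoDb] TO DISK = N'$bak' WITH INIT, CHECKSUM"
    if ($LASTEXITCODE -ne 0) { throw 'Database backup failed' }
} finally {
    # Restart Tomcat even if a copy step threw.
    if ($wasRunning) { Start-Service -Name $tomcat.Name }
}
Write-Host "Backup written to $Dest"
```

Schedule the script during the non-peak window the slide mentions; the Application Server is down only for the length of the file copy, and the database backup runs after the files so that the restored extension folders and the OrionExtensions table come from the same point in time.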

A feature introduced in ePO 5.0 is Disaster Recovery. This feature will save to the database all the required content needed for backup and restoration.

Disaster Recovery
The ePolicy Orchestrator Disaster Recovery feature uses a Snapshot process to save specific McAfee ePO server database records to the ePolicy Orchestrator Microsoft SQL database. The records saved by the Snapshot contain the entire ePolicy Orchestrator configuration at the specific time the Snapshot is taken. Once the Snapshot records are saved to the database, you can use the Microsoft SQL backup feature to save the entire ePolicy Orchestrator database and restore it to another SQL server for an ePolicy Orchestrator restore.

When the installation wizard starts, you can choose to restore ePO from an existing database snapshot.

What is a snapshot?
ePO 5.x comes with a supported mechanism for disaster recovery which helps you quickly recover, or reinstall, the ePolicy Orchestrator software. Disaster Recovery uses a Snapshot process that periodically saves the ePolicy Orchestrator configuration, extensions, keys, and more, to Snapshot records in the ePolicy Orchestrator database.

Using the restored ePolicy Orchestrator SQL database server, that includes the Disaster Recovery Snapshot, you can connect it to:
- Restored McAfee ePO server hardware with the original server name and IP address — This allows you to recover from, for example, a failed ePolicy Orchestrator software upgrade.
- New McAfee ePO server hardware with the original server name and IP address
- New McAfee ePO server hardware with a new server name and IP address — This allows you to, for example, move your server from one domain to another. This example can provide a temporary network management solution while you rebuild and reinstall the McAfee ePO server hardware and software back to its original domain.
- Restored or new McAfee ePO server hardware with multiple network interface cards (NICs) — You must confirm the correct IP address is configured for the
