You are on page 1of 92

ePolicy Orchestrator 4.

0 Essentials
Based on the Beta 3 Release
ePO 201
Charles McFarland

2007 McAfee, Inc.

Welcome to ePolicy Orchastrator 4.0 Essentials training course.

ePolicy Orchestrator 4.0 Agenda

Introduction
Architecture
McAfee Agent
Console and Dashboard
System Tree
Policies
Point Products
Repostories
Notification
Server Tasks
Reporting
Troubleshooting
Log Files

8/31/2007

Introduction
Architecture
McAfee Agent
Console and Dashboard
System Tree
Policies
Point Products
Repostories
Notification
Server Tasks
Reporting
Troubleshooting
Log Files

Architecture
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Architecture

Architecture
ePO 3.6

ePO 4.0

8/31/2007

ePO 4.0 has made some major changes in its architecture from 3.6. Services such
as Apache and Tomcat have remained in tact but have been given more
responsibilities. One of the primary focuses on the architecture change was to
switch ePO from a two tier architecture to a three tier architecture. In essence,
what this means is that the User Interface, Functional process logic and data
storage have been split into separate modules. In effect communication to any
database only comes from the core ePO server component and not from the ePO
console. This reduces the number of SQL connections, the complexity of the
console as well as eases troubleshooting.

Tomcat

8/31/2007

Tomcat provides the most tangible services of the ePO core components. It
provides Everything from the front end of the user interface to extension
management. The following is a list of some of the core responsibilities of the
tomcat service.
Console UI Tomcat provides your internet browser with a webpage to remotely
manage the ePO server over a secure HTTPS connection by port 8443 by default.
This is the ONLY connection made to the ePO server from the console.
Reporting No longer using Crystal reports, the reporting feature instaed is
provided by SQUID and makes a connection to the database through tomcat. This
connection does not come from the console as in previous versions.
Extension Management The introductions of extensions allows for modular
changes to the ePO platform and Point Products management. Tomcat is
responsible for managing these files and Notifications, Policy Management,
Repository Management, System tree Management and Node Management.

User Management Provides User permission and settings.


Notifications Provides the UI, Rule engine and Actions of Notifications.
Policies Provides Policy management, the UI and point product management.
System tree management Provides the UI of the system tree, organization of
nodes, tags and policies of those nodes.
Repository Management Manages the Repository UI, check-in, pull tasks and
package management.
And Replication For replication of Repositories.

Apache

8/31/2007

As before, the Apache service is in charge of communication from the ePO Agent to
the ePO server. This is done by a proprietary SPIPE connection over port 80. The
importance of this SPIPE connection is that communication from the ePO agent and
Apache is encrypted with 3DES encryption and secured. The number of concurrent
connections to the apache service is 250. Once the maximum connections is
reached, the remaining agents are queued until an available spot is open.
When a agent connects it will be passed its current policies to be enforced. These
policies are cached by the Apache service to reduce the number of database reads
and speed up the ASC time. At the same time events from the agent get passed to
the APACHE service. Those events are then passed to the event parser service
and stored in the ePO database.

APACHE Server
Mod_epo SPIPE Handler

Handles the SPIPE traffic server-side tunnel and approves


communication to the naimserv.dll

Naimserv.dll

CACHE (Cached Policies)


DAL (Data Abstraction layer)

AGENT ASCI flow

Agent conection through SPIPE tunnel


Cached Policies are transferred
Events are passed to the Event Parser to be normalized.

8/31/2007

SPipe (Secure Pipe) is an extension of the mod_ssl package, which allows users to obtain the functionality of a web server
and a tunnel to another server. It is a simple solution, which allows the same corporate web server to be used as a secure
access door to internal servers that do not use HTTPS protocol, while also retaining its normal web server functionality for all
HTTP requests.
ePO Agents (Common Framework) use a propriatory SPIPE protocol to encapslate unsecured HTTP traffic in a secure
manner.
The ePO SPIPE Handler module (Mod_epo SPIPE Handler) forms the gateway on the server that the clients use to create
an SPIPE tunnel for the HTTP traffic to securely be sent.
Cache Policies are cached by Naimserv for faster delivery to agents during their ASCI cycles. When an agent requests a
policy from the server, it does so by a generic pointer. That pointer pulls the named policy from memory so that the
information does not have to be retrieved from the database each time that it is requested.
DAL (Data Abstraction Layer) A database abstraction layer commonly provides four functions that relate to the transfer or
retrieval of data between an application and a database.
ASCI Agent to Server Communication Interval Once the agent traffic passes through the SPIPE tunnel (mod_epo SPIPE
Handler), Apache takes the incoming traffic and parses the data to where it needs to go.
New policy requests are delivered from the Apache policy cache to the agents that request the policy package.
Events from the agent are passed to the ePolicy Orchestrator 3.6.x Event Parser service
Properties of the machine are handled within memory by the Naimserv ASCI component and committed to the database
through the DAL by using an ADO connection. If no node with those properties exists in the database, a new entry for that
machine will be created by the ASCI component of our Apache service.

McAfee Server Integration Platform (Orion)

8/31/2007

Orion is the server integration platform upon which ePO 4.0 is be based. ePO is
built on top of the Orion Platform as well as point product extensions.
Here are some important components to Orion:
Common DB Interface All connections in Tomcat go first through the Orion
platform via the common DB Interface component.
User Mangement manages user and their permissions (The actual roles of the
users are containted in the ePOcore component).
SQUID Structured Query User Interface Doohickey.
Dashboard Management Provides a means of orion to manage your dashboards
and monitors.
Server Scheduler Server scheduling and tasks.
Extension Management management of extensions which provide functionality
to ePO.

10

Event Parser Service.


Is in charge of parsing incoming events to the Database.
DAL (Data Abstraction Layer)
Event Parser Plugin

Normalizing events
Common Event Format (CEF)

Event Receptor AlertER.DLL

Parses event from the events directory or shared memory through the
DAL.
Parses events through AlertER.dll to send notifications based off policy.

8/31/2007

Included with the new changes to the Event Parser Service is the new Common
Event Format. The Common Event format is a standardization of the fields in an
event record. This type of normalization has a lot of benefits. It will provide:
-Much faster addition of events to the database
-Notifications of events become simplified
-And Event Processing becomes uniform with a standard list of fields.
The event parser plug-in, which used to be responsible for all processing and
database communication is only responsible for normalizing incoming events. Once
the events have been normalized the event Parser will then handle all processing
and database communication.

11

Database
Supported with MSDE 2000, SQL 2000 and SQL Server
2005
Not supported with SQL 7
SQL Server 2005 express may be installed during the
installation process.
Be aware that MSDE databases are limited to 2GB in size
and may not be usable for some organizations.
ePO ships with DBBak.exe tool to backup and restore
MSDE databases

8/31/2007

Microsoft updates and patches Update both the ePolicy Orchestrator server
and the database server with the latest Microsoft security updates. If you intend to
use MSDE 2000 or SQL 2000, which were previously installed, ensure that they
have been updated to Service Pack 3 and that they have not been installed on
backup domain controller (BDC).
Databases supported for use with ePolicy Orchestrator 4.0:
SQL Server 2005 Express. This database is included with ePolicy Orchestrator 4.0
for use in environments where no other database is available for use with ePolicy
Orchestrator, or where MSDE (version earlier than MSDE 2000) is the only
available database.
Be aware that MSDE databases are limited to 2GB in size and may not be usable
for some large organizations. SQL Server 2005 express is limited to 4GB in size.
If you are using Microsoft Data Engine (MSDE) you can use the Database Backup
Utility (DBBAK.EXE) to back up and restore ePolicy Orchestrator MSDE databases
on the database server. This utility can be used to backup and restore MSDE
databases to the same path on the same database server using this utility. You
cannot use it to change the location of the database.

12

Deployment Considerations
250+ Nodes you should have a dedicated ePO server.
5000+ Nodes you should have a dedicated SQL server
and network connection separate from the ePO server
Larger companies and companies with geographic
considerations should have multiple ePO servers and take
advantage of features such as Multi-server reporting and
the data-rollup server tasks.
For High availability use Microsoft Cluster Server (MSCS)
technology.

8/31/2007

Deployment Consideration
The following is a list you should considerations when setting up your ePO 4.0
server.
At 250+ Nodes you should have a dedicated ePO server.
At 5000+ Nodes you should have a dedicated SQL server and network connection
separate from the ePO server.
Larger companies and companies with geographic considerations should have
multiple ePO servers and take advantage of features such as Multi-server reporting
and the data-rollup server tasks.
For High availability use Microsoft Cluster Server (MSCS) technology. MSCS
cannot provide zero downtime.

13

McAfee Agent (MA)


ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

The McAfee Agent

14

McAfee Agent
Agent

Gathers events from the managed systems and communicates them to


the ePO server
Installs point products and updates.
Enforces policies and tasks and sends notification of events to the
server.
Performs Scheduled Tasks.

8/31/2007

The agent is installed on the systems you intend to manage with ePolicy
Orchestrator. ePO 4.0 will use Agent 3.5.5, 3.6.0 and 4.0 when it is released.
While running silently in the background, the agent performs the following:
Gathers information and events from the managed systems and sends them to the
ePolicy Orchestrator server.
Installs products and updates on the managed systems.
Enforces policies and tasks on the managed systems and sends events back to the
ePolicy Orchestrator server.
You can deploy the agent from the user interface or copy the agent installation
package onto removable media or into a network share for manual or login script
installation on your systems.

15

The McAfee Agent is installed on target client computers and servers where it
gathers and reports data, installs products, enforces policies and tasks, and sends
events back to the ePolicy Orchestrator server. The agent runs in the background
on client computers. It retrieves incremental changes to policies and tasks from the
ePolicy Orchestrator server, then executes the policies, installs any downloaded
products on the client computer, and performs all scheduled tasks.
When activity relating to products occur on the client computer, the agent notifies
the server. For example, if a virus appeared on the client computer the information
is sent back to the ePolicy Orchestrator console. This activity normally is invisible to
the user.

16

Agent Command line


Installation

FramePkg.exe /Install=Updater /Product=<software ID>


/Install=agent
/Silent
/InstDir=<Value>

Un-install

FramePkg.exe /remove=agent
Removes the Agent but leaves the updater and Scheduler intact.

Force

/ForceInstall
/Forceuninstall

8/31/2007

The Following list is a list of commands via command line for your agent. It is provided for your reference.
Installation
FramePkg.exe /Install=Updater /Product=<software ID>
You may also choose to use /Install=agent.
Other switches to use with the installation command includes:
/silent
/InstDir=<value>
Un-install
FramePkg.exe /remove=agent
This command would remove the agent portion of the MA, but would leave the updater and scheduler intact.

17

Agent Command Line cont.


Specify update location

/SiteInfo=<path to sitelist.xml>

Disregard User

/IgnoreUser or /Silent IgnoreUser


<Installation path>\CmdAgent.exe /P

Switches

/P Create/Send properties and events to server


/E Enforce policies and execute tasks
/C Check for new polices
/S Show Agent Monitor

8/31/2007

Specification of specific update location for agent


/SiteInfo=<path to sitelist.xml>
The SiteList.XML is the file that specifies the update locations;
you can create specific files (sitelist.xmls) for an agent during installation.
Disregard user interaction
/IgnoreUser, or /Silent -IgnoreUser
A slash or a minus sign can be used interchangeably.
Initiate agent communication
<path>\CmdAgent.exe /P
Below is an explanation of the switches:
/P Create/Send properties and events to server
/E Enforce policies and execute tasks
/C Check for new polices
/S Show Agent Monitor

18

SuperAgent
SuperAgent Is like an agent except with two additional
features.

Super Agent Wakeup Call


Super Agent Repository

SuperAgent Wakeup Call

Broadcast to broadcast segment to send wakeup calls to existing


agents.

8/31/2007

Super Agent Wakeup Calls


A Super Agent can be placed in key parts of a network to help reduce the
bandwidth cost of performing an agent wake-up call and distributing software and
updates.
Consider this a large company receives an emergency update and needs to
distribute it across all nodes. Depending on the number of systems, sending an
agent wake-up call to all systems across the network could created numerous
problems especially considering bandwidth. To help distribute the bandwidth from a
centralized server to other parts of your network you can distribute SuperAgents to
different network segments. The SuperAgents can perform wake-up calls to agents
within its segment thereby taking the bandwidth overhead from the server. In case
of communication failure to the SuperAgent of a network segment, McAfee
recommend creating a redundant SuperAgent for each segment.

19

SuperAgent
Global Updating

In order to perform global updating you must first have a SuperAgent on


all segments.
The server will initialize a super agent wake up call to all segments which
will then perform a wakeup call to all nodes within the segments.

SuperAgent Repository

Folder locations are created automatically on the host system before


adding the repository to the repository list.
File sharing is enabled automatically on the SuperAgent repository folder.
And SuperAgent repositories dont require replication or updating
credential.

8/31/2007

Global Updating
In order to perform Global updating on all nodes on a network you must set your
network up properly with SuperAgents. Each segment on your network will need to
have at least one SuperAgent. When a Global update task is initialized a
SuperAgent wakeup call is performed to all SuperAgents, which will then perform an
Agent wakeup call to the nodes in its network segment.
Super Agent Repository:
A SuperAgent can also be used as a SuperAgent Repository. Here are some key
advantages of using this feature:
Folder locations are created automatically on the host system before adding the
repository to the repository list.
File sharing is enabled automatically on the SuperAgent repository folder.
And SuperAgent repositories dont require replication or updating credentials (if
using global updating).

20

Agent to Server Communication


Agent to Sever information is transferred using our
proprietary network protocol encrypted using 3DES.
Types of normal communications for the MA.

Agent ASCI send events


Agent uninstall Communication
Agent Wakeup Call

8/31/2007

During agent-server communication, the agent and server exchange information


using SPIPE, a proprietary network protocol used by ePolicy Orchestrator for
secure network transmissions. At each communication, the agent collects its current
system properties and sends them to the server. The server sends any new or
changed policies, tasks, and repository list to the agent. The agent then enforces
the new policies locally on the managed system.
Listed below are two types of normal communication:
Agent ASCI send events At the end of every Agent to Server Communication
Interval the Agent will look into its folder to see if there is anything to send to the
server. If there is, the Agent will initiate the communication to the server and send
its events. The server will then respond with a receive message and the
communication will close.

21

Agent Uninstall Communication When a node is deleted from the ePO system
tree and marked for installation the system will still remain in the database but with
a special flag. When the Agent initializes the ASCI it will receive the special flag,
respond to the server, the server will then send a final uninstallation response to the
agent and the agent will begin uninstallation.
Agent Wakeup Call This is the only form of communication that is initiated by the
ePO server.

22

Agent log files


Apache

Server.log

Tomcat

ePOApServer.log

Frameworkservice.exe

agent_<computer>.log
agent_<comp>._backup.log

Product Manager (naprdmnger.exe)

prdmgr_<computer>.log
prdmgr_<comp>._backup.log

8/31/2007

EpoApSvr.log - This is the Application Server log file. It will not be present until
after the service is started for the first time. The following output is contained in this
file:
server.log - This is the ePO Server agent handler and other C++ code log file. It will
not be present until after the service is started for the first time. The following output
is contained in this file: EPOServer; Mod_EPO
The following files are located on the local machine:
agent_<computer>.log
agent_<comp>._backup.log
prdmgr_<computer>.log
prdmgr_<comp>._backup.log

23

Agent-Server Secure Communication


Agent-server secure communication (ASSC) keys are
used by the agents to communicate securely with the
server.
You can make any ASSC key pair with the master, which
is the default currently used for agents checking in.
Agents previous to version 3.6, use a legacy key. If you
are upgrading from a previous version of ePolicy
Orchestrator, the legacy key is the master key by default.

8/31/2007

Agent-server secure communication (ASSC) keys are used by the agents to


communicate securely with the server. You can make any ASSC key pair the
master, which is the default currently used for agents checking in. Agents previous
to version 3.6, use a legacy key. If you are upgrading from a previous version of
ePolicy Orchestrator, the legacy key is the master key by default.

24

Master Repository key


The master repository private key signs all unsigned
content in the master repository.
Agents version 4.0 or later use the public key to verify the
repository content originating from the master repository.
If the content was unsigned, or signed with a repository
private key of which they are unaware, the downloaded
content is considered invalid and deleted.
This key pair is unique to each server installation.
However, you can export and import keys for a multiserver environment.
These keys are a new feature and only agents 4.0 or later
are compliant with the new protocols.

8/31/2007

The master repository private key signs all unsigned content in the master
repository. Agents version 4.0 or later use the public key to verify the repository
content originating from the master repository on this ePO server. If the content was
unsigned, or signed with a repository private key of which they are unaware, the
downloaded content is considered invalid and deleted.
This key pair is unique to each server installation. However, by exporting and
importing keys, you can use the same key pair in a multi-server environment. These
keys are a new feature and only agents 4.0 or later are compliant with the new
protocols.

25

Repository Public Keys


These are the public keys that agents use to verify
content from other master repositories in your
environment or McAfee source sites.
Each agent that reports to this Repository server use the
public keys in the list to verify content originating from
other ePO servers in your organization, or from McAfee
owned sources.
Public keys are distributed to every agent.

8/31/2007

These are the public keys that agents use to verify content from other master
repositories in your environment or McAfee source sites. Each agent that reports to
this server uses the keys.
In this list to verify content originating from other ePO servers in your organization,
or from McAfee owned sources. If an agent downloads content that originated from
a source for which the agent does not have the appropriate public key, the agent
discards the content.

26

Multi-Server Key
Previous versions of ePolicy Orchestrator allowed agents
to easily roam between multiple ePO servers within an
organization.
Importing these keys into other ePO servers allows
agents version 3.6 or later to communicate with other ePO
servers.
There are two strategies to ensure agents can
communicate with multiple servers, these depend on
whether you prefer to use a common master ASSC key
pair for all ePO servers, or to use a different master
ASSCI key pair for each ePO server:

8/31/2007

Previous versions of ePolicy Orchestrator allowed agents to easily roam between


multiple ePO servers within an organization. Importing these keys into other ePO
servers allows agents version 3.6 or later that are managed by one ePO server to
successfully communicate with other ePO servers. There are two strategies to
ensure agents can communicate with multiple servers, these depend on whether
you prefer to use a common master ASSC key pair for all ePO servers, or to use a
different master ASSCI key pair for each ePO server.

27

Multi-Repository key
To ensure agents can use content originating from any
ePO Repository in your environment you must distribute
the keys of each server.
There are two methods of distribution.

Distributing one Master Key to all Repositories.


Distributing All Keys to all Repositories.

8/31/2007

To ensure agents can use content originating from any ePO Repository in your
environment you must distribute the keys of each server.
There are two methods of distribution. Both will accomplish the same goal.
Distributing one Master Key to all Repositories. This is where you would create
one key and distribute it among all desired servers.
Or distributing All Keys to all Repositories. This will allow each agent to have a
public key for each private key created by your ePO servers.

28

The Console and the Dashboard


ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

The Console and the Dashboard

29

ePO Console

8/31/2007

The ePO Console UI is processed completely from the Tomcat service. Previously,
the console was an installed application using MMC for the GUI and had
communications not only to Tomcat but to the ePO database as well. The current
structure of the Console is purely web-based hosted by Tomcat. You can access it
with a standard web browser such as Internet Explorer 6.0. Communications
between Tomcat and the Web browser is accomplished using HTTPS traffic through
port 8443 by default.
In previous versions of the Console it was required to make direct connections to
the ePO Database when using the reporting feature. This is no longer the case as
not only does Tomcat handle the database connection, but the crystal reports
component has been replaced by our new Query system and SQUID component.
This new system will allow us to use created Queries to replace reports as well as
provide new features such as actionable queries and Dashboard Monitors.
As youve seen in the introduction course the main sections of the ePO 4.0 UI are
as followed, Dashboard; Reporting; Software; Systems; Network; Automation;
Configuration.

30

Dashboard

8/31/2007

As mentioned in the Introduction course the Dashboard screen is a graphical


display of dashboard Monitors that are implemented either by ePO or an
installed Point Product. These views are used to display different types of
information simultaneously to the user in a small summarized module.
In the Dashboard you can display 6 or more monitors. Point products with
available dashboard options are found in the Navigation bar. In the upper
right corner the Select Active Dashboard button will allow you to choose
between different monitors to display on the grid.
The information displayed on the dashboard is available once the proper
extensions are checked-in. Either the ePO server or Point Product may
have an extension that allows certain graphical information to display on the
dashboard screen. Below the navigation bar you will notice several of the
point products you can select to display its monitor once you have enabled
its dashboard.

31

Permissions
A permission set is a group of permissions, divided in
sections, that can be granted to any user by assigning it to
a users account. One or more permission sets can be
assigned to any user that is not a global administrator
(global administrators have all permissions to all products
and features).
Permission sets grant permissions only no permission
set ever removes a permission.
When are permission sets assigned?
What happens during new product installations.

8/31/2007

A permission set is a group of permissions, divided in sections, that can be granted to any user by
assigning it to a users account. One or more permission sets can be assigned to any user that is not
a global administrator (global administrators have all permissions to all products and features).
Permission sets grant permissions only no permission set ever removes a permission.
When are permission sets assigned?
Global administrators can assign existing permission sets when creating or editing user accounts and
when creating or editing permission sets.
What happens when I install new products?
When a new extension is installed it may add one or more sections to the permission sets. For
example, when you install a VirusScan Enterprise extension, a VirusScan Enterprise section is
added to each permission set. Initially, the newly added section is listed in each permission set
with no permissions yet configured. The global administrators can then grant permissions in
the new section for any existing permission sets and create new permission sets with permissions
in the new section.

32

Global Administrator
Permissions exclusive to global administrators:

Create, edit, or delete source and fallback repositories.


Export or import the repository list from the server.
Schedule or perform pull tasks to update the Master Repository
Schedule or perform replication tasks to update distributed repositories
Check packages into the master repository, move packages between branches, or
delete packages from the master repository.
Change server settings.
Schedule Synchronize Domain server tasks.
Verify the integrity of IP management settings, or change group-level IP subnet
masks.
Run enterprise-wide reports.
Add and delete user accounts.
Import events into ePolicy Orchestrator databases and limit events that are stored
there.
Create, rename, or delete groups.

8/31/2007

The following are Permissions exclusive to global administrators:


Create, edit, or delete source and fallback repositories.
Export or import the repository list from the server.
Schedule or perform pull tasks to update the Master Repository
Schedule or perform replication tasks to update distributed repositories
Check packages into the master repository, move packages between
branches, or delete packages from the master repository.
Change server settings.
Schedule Synchronize Domain server tasks.
Verify the integrity of IP management settings, or change group-level IP
subnet masks.
Run enterprise-wide reports.
Add and delete user accounts.
Import events into ePolicy Orchestrator databases and limit events that are
stored there.
Create, rename, or delete groups.

33

System Tree
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

System Tree

34

System Tree
Allows for easy management of policies, Tasks and
Organization of systems and groups.
Contains all of the systems managed by ePO.
Can be organized into logical groups

8/31/2007

The System tree allows for easy management policies, tasks and organization of
systems and groups. The UI and structure of the system tree is managed by the
Tomcat service. The System Tree contains all of the systems managed by ePolicy
Orchestrator; it is the primary interface for managing policies and tasks on these
systems. You can organize systems in the System Tree into logical groups (for
example, functional department or geographic location) or and sort them by IP
address or tags. You can manage policies (product configuration settings) and
schedule tasks (for example, updating virus definition files) for systems at any level
of the System Tree.
Inheritance is an important property that makes policy administration simpler.
Because of inheritance, child groups in the System Tree hierarchy inherit policies
that have been set at their parent groups. Inheritance is enabled by default for all
groups and individual systems that you add to the System Tree. This allows you to
set policies and schedule client tasks in fewer places. However, inheritance can be
broken (by applying a new policy) at any location of the System Tree (provided a
user has appropriate permissions) to allow for customization. You can also lock
policy assignments to prevent inheritance from being broken.

35

Inheritance
Child groups can inherit Policies from parent groups.
Is enabled by default for all groups
Inheritance can be broken by applying new policies.
Inheritance can be locked to prevent broken inheritance
by children.

8/31/2007

As mentioned before Inheritance is enabled by default for all groups and individual
systems that you add to the System Tree. This allows you to set policies and
schedule client tasks in fewer places. It is possible to break inheritance on your
current node as well as any nodes further down the tree. Likewise, in order to
protect your inheritance structure you can lock nodes from breaking inheritance to
prevent accidental changes.
We will talk more about Inheritance during the Policy section of this training.

36

Groups
Groups can be created by global administrators or users
with the appropriate permissions to that portion of the
System Tree.
A group can include both systems and other groups.
Groups are administered by a global administrator or a
user with appropriate permissions to the portion of the
System Tree to which the group belongs.

8/31/2007

The System Tree is a hierarchical tree structure that allows you to group your
systems within units called groups. Grouping systems with similar properties or
requirements into these units allows you to manage policies for collections of
systems in one place, rather than having to set policies for each system separately.
As part of the planning process, consider the best way to organize systems into
groups prior to building the System Tree.
Groups have the following characteristics:
Groups can be created by global administrators or users with the appropriate
permissions to that portion of the System Tree.
A group can include both systems and other groups.
Groups are administered by a global administrator or a user with appropriate
permissions to the portion of the System Tree to which the group belongs.

37

Lost & Found Group


It can't be deleted.
It can't be renamed.
Its sorting criteria can't be changed (although you can
provide sorting criteria for the subgroups you create within
it.)
It always appears last in the list and is not alphabetized
among its peers.
Users must have permissions to the Lost & Found group
to view the available machines.
When a system is sorted into Lost&Found, it is placed in a
subgroup whose name is the name of the computer's
domain. If no such group exists, one is created.

8/31/2007

Lost&Found group
The System Tree root (My Organization) includes a Lost&Found group. Depending
on the methods you use to create and maintain System Tree segments, the server
uses different characteristics to determine where to place systems within the
System Tree. The Lost&Found group stores systems whose locations could not be
determined by the server.
The Lost&Found group has the following characteristics:
It can't be deleted.
It can't be renamed.
Its sorting criteria can't be changed (although you can provide sorting criteria for
the subgroups you create within it.)
It always appears last in the list and is not alphabetized among its peers.
Users must have permissions to the Lost & Found group to view the available
machines.
When a system is sorted into Lost&Found, it is placed in a subgroup whose name
is the name of the computer's domain or workgroup. If no such group exists, one is
created.

38

Tags
Tags Without Criteria - These tags can only be applied to
selected systems in the System Tree (manually) and
systems listed in the results of a query (manually or on a
scheduled basis).
Tags With Criteria - These tags are applied to all nonexcluded systems at each agent-server communication.
Such tags use criteria based on any properties sent by
agent. They can also be applied to all non-excluded
systems on-demand.

8/31/2007

Tags
Tags are like labels you assign to one or more systems manually or based on
criteria at agent-server communication. With tags, you can automatically place
systems in the System Tree based on any combination of system properties by
using criteria-based tags and parallel sorting criteria. Additionally, you can create
and run queries on systems based on the tags applied to them.
There are two types of tags:
Tags without criteria - These tags can only be applied to selected systems in the
System Tree (manually) and systems listed in the results of a query (manually or on
a scheduled basis).
Criteria-based tags - These tags are applied to all non-excluded systems at each
agent-server communication. Such tags use criteria based on any properties sent
by agent. They can also be applied to all non-excluded systems on-demand.

39

Tags cont.
Apply one or more tags to one or more systems.
Apply tags manually.
Apply tags automatically, based on user-defined criteria,
when the agent calls in.
Exclude systems from tag application.
Run queries to group systems with certain tags, then take
direct actions on the resulting list of systems.
Base System Tree sorting criteria on tags to place
systems into desired System Tree groups automatically.

8/31/2007

With Tags, you have the ability to:


Apply one or more tags to one or more systems.
Apply tags manually.
Apply tags automatically, based on user-defined criteria, when the agent calls in.
Exclude systems from tag application.
Run queries to group systems with certain tags, then take direct actions on the
resulting list of systems.
Base System Tree sorting criteria on tags to place systems into desired System
Tree groups automatically.

40

Tags and Permissions


Apply and remove existing tags to systems in the groups
to which they have permissions.
Exclude systems from receiving specific tags.
Use queries to view and take actions on systems with
certain tags.
Use scheduled queries with chained tag actions to
maintain tags on the systems within their area of the
System Tree.
Configure sorting criteria based on tags to ensure
systems stay in the appropriate groups of the System
Tree.

8/31/2007

Who can use tags


Only global administrators can create or edit tags, but ePO users with permissions
to part of the System Tree can:
Apply and remove existing tags to systems in the groups to which they have
permissions.
Exclude systems from receiving specific tags.
Use queries to view and take actions on systems with certain tags.
Use scheduled queries with chained tag actions to maintain tags on the systems
within their area of the System Tree.
Configure sorting criteria based on tags to ensure systems stay in the appropriate
groups of the System Tree.

41

Active Directory
If part or all of your network runs Active Directory, you can
create, populate, and maintain branches or all of the
System Tree with Active Directory synchronization
settings.
Truly synchronize with your Active Directory structure, by
importing both systems and the Active Directory
subcontainers (as System Tree groups)
Import systems from the AD and its sub containers as a
flat list.
Control what to do with potential duplicate entries of the
systems.

8/31/2007

If part or all of your network runs Active Directory, you can create, populate, and
maintain branches or all of the System Tree with Active Directory synchronization
settings. Once defined, you can use the synchronization tasks to regularly ensure
your System Tree is up-to-date with any new systems (and subcontainers) in your
Active Directory.
Active Directory integration is enhanced with this release of ePolicy Orchestrator
4.0. In addition to previous functionality, you can now:
Truly synchronize with your Active Directory structure, by importing both systems
and the Active Directory subcontainers (as System Tree groups) and keeping them
up-to-date with Active Directory. At each synchronization, both systems and the
structure are updated in the System Tree to reflect the systems and structure of
Active Directory.
Import systems from the Active Directory container (and its subcontainers) as a
flat list into the synchronized group.
Control what to do with potential duplicate entries of systems.

42

Integrating the System tree with AD


Previous versions of ePO had two tasks.

Active Directory Discovery.


Synchronize Domains

Use the following process to integrate the System Tree with your
Active Directory systems structure:

Configure the synchronization settings on each group that is a mapping point in


the System Tree. At the same location, you can configure whether to:
Deploy agents to new systems.
Delete systems from the System Tree when they are deleted from Active Directory.
Allow or disallow duplicate entries of systems that already exist elsewhere in the System

Tree.

Use the Synchronize Now action to import the Active Directory systems (and
possibly structure) into the System Tree according to the synchronization settings.
Use the Synchronize Domain/AD server task to regularly synchronize the systems
(and possibly the Active Directory structure) with the System Tree according to the
synchronization settings.

8/31/2007

In previous versions of ePolicy Orchestrator, there were two tasks: Synchronize domains and Active
Directory Discovery.
Active Directory Discovery: Imports any new computers in Active Directory to the appropriate
Lost&Found directory in the ePolicy Orchestrator Directory. Agents are not added to the client at this
time.
Synchronize Domains: Works like Active Directory except it will install agents and place the system
in the approprited portion of the directory. It can also work in a non active directory environment.
Use the following process to integrate the System Tree with your Active Directory systems structure:
1. Configure the synchronization settings on each group that is a mapping point in the System Tree.
At the
same location, you can configure whether to:
Deploy agents to new systems.
Delete systems from the System Tree when they are deleted from Active Directory.
Allow or disallow duplicate entries of systems that already exist elsewhere in the
System Tree.
3. Use the Synchronize Now action to import the Active Directory systems (and possibly structure)
into the System Tree according to the synchronization settings.
4. Use the Synchronize Domain/AD server task to regularly synchronize the systems (and possibly
the Active Directory structure) with the System Tree according to the synchronization settings.

43

Synchronization
Two Types of Active Directory Synchronization

Synchronization of only Systems from Active Directory


Synchronization of System and structures from Active Directory.

NT Domain Synchronization

When you synchronize a group to an NT domain, all systems from the


domain are put in the group as a flat list.
You can either manage those systems in the single group, or you can
create subgroups and group them using sorting methods.

8/31/2007

Synchronization of System and structures from Active Directory:


When using this synchronization type, changes in the Active Directory structure are
carried over into your System Tree structure at the next synchronization. When
systems or containers are added, moved, or removed in Active Directory, they are
added, moved, or removed in the corresponding locations of the System Tree.
Synchronization of Systems only from Active Directory:
Use this procedure to import systems from an Active Directory container, including
those in non-excluded subcontainers, as a flat list to a mapped System Tree group.
You can then move these (manually or by sorting) to the desired locations in the
System Tree by assigning.

44

Criteria based sorting


Disabling System Tree sorting Disable the Criteria
based sorting if your security structures does not allow for
it or you wish to use other sorting methods such as AD.
On each agent-server communication Sorting is done at
every ASC communication.
Sort systems once Systems are sorted only once
however sort now will still continue to work appropriately.

8/31/2007

The server has three settings from which to choose:


Disable System Tree sorting If criteria-based sorting does not fill your security
management needs and you want to use other System Tree features (like Active
Directory synchronization) to organize your systems, turn this feature off here to
prevent other ePO users from mistakenly configuring sorting criteria on groups and
moving systems to undesirable locations.
On each agent-server communication Systems are sorted again at each
agent-server communicatoin. When you change sorting criteria on groups, systems
move to the new group at their next agent-server communication.
Sort systems once Systems are sorted at the next agent-server communication
and marked to never be sorted again at agent-server communication as long as this
setting is selected. However, selecting such a system and clicking Sort Now does
sort the system.

45

How a System is Sorted


On each ASC the server checks the GUID for its location
in the system tree.
If no match is found it is sorted into the appropriate group.
Systems can be sorted into any criteria based group in the
system tree, however; parents must either be unrestrictive
groups or criteria-based groups that match those of the
subgroup.
Top Level Groups are evaluated first according to the
sorting order in the group tab.

8/31/2007

On each agent-server communication, the server attempts to locate the system in


the System Tree by agent GUID (only systems whose agents have already called
into the server for the first time have an agent GUID in the database). If a matching
system is found, it is left in its existing location.
The server uses an algorithm to sort the systems into the appropriate groups.
Systems can be sorted into any criteria-based group in the System Tree, no matter
how deep it is in the structure, as long as no parent groups have non-matching
criteria. Parent groups of a criteria-based subgroup, must either be unrestricted
groups or criteria-based groups with criteria that matches those of the subgroup.

46

Policies
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Policies

47

Policies
A Policy is a collection of software settings that you
create, configure and enforce on managed systems.
Can be found in the Systems / System Tree / Policy page
Creation and management is available through Tomcat
Policy enforcement is done by the MA and updated by the
Apache service.
Current known Policies will be enforced until a successful
ASC.

8/31/2007

A policy is a collection of software settings that you create, configure, then enforce
on managed systems. Policies ensure that the security software products on
managed systems are configured as you want them. For example, if end users
disable anti-virus scans, you can set a policy that re-enables the scan at the policy
enforcement interval (five minutes by default).
For some products, policy settings are the same as the settings you configure in the
interface of the product. For other products and components, the policy pages are
the primary interface for configuring the product or component. The ePolicy
Orchestrator console allows you to configure policy settings for all your systems
from a central location.
You can find the Policy settings in the Systems, System Tree, Policy Page.

48

Policy creation and management is part of the Tomcat service, however; policy
enforcement is done through the MA. It receives its current policies from the
Apache service during normal ASCI communication. The agent will not update its
policy until that server communication has been initiated. This means, any policy
that the McAfee Agent has in effect will be enforced until it makes a successful call
to the Apache service and its policies are updated. If the Agent is unable to
connect to the Apache service during this time it will reinforce the its current known
policies until a successful ASC is initiated.

49

Named Policy
ePO 4.0 retains the ability to create named Policies and
assign them to any node of the directory.
In previous versions you had to break inheritance at the
group level, now you can break inheritance for each policy
category.
Inheritance still applies when you copy policies from one
group to the next.

8/31/2007

ePolicy Orchestrator 4.0 retains the ability to create named policies and assign
them to any node of the Directory for which you have permissions. Named policies
allow you to define policy settings once for a specific need, then apply the named
policy to multiple locations. This allows for easier management of policies and
reduces the need to work with individual nodes. In previous versions, you had to
break inheritance at the group level. With ePO 4.0 policies, you can break
inheritance at the category level.
It is important to note that inheritance still applies when copying Policies from one
node to another. When you assign a new policy to a particular node of the Directory,
then all systems under that node with inheritance intact, inherit the new policy.

50

Inheritance
Policy assignments can be copied and pasted from one
group to another.
These policies will retain the same characteristics of the
original source policy.
Be careful as Inheritance will also be copied and some
policies might have been inherited by a parent.

8/31/2007

Inheritance
Policy assignments can be copied and pasted from one group to another. When a
the copy is complete, the target system should have all the policy assignments of
the original. When dealing with inheritance keep this in mind. As noted before when
you copy and paste policy assignments it will retain the characteristics of the source
policy. If the source location was inheriting a policy that you selected to copy, then it
is the inheritance characteristic that was pasted to the target. This may lead to a
discrepancy in the policy itself. The original policy may have inherited different
policy attributes than the policy being pasted.

51

Viewing broken Inheritance


Go to Systems | System Tree | Policies. All assigned
policies, grouped under products, are available in the
details pane.
On the desired policy row, under Broken Inheritance, is
the number of nodes to which this policys inheritance is
broken.
Click the blue text indicating the number of child nodes
that do not inherit. The View broken inheritance page
appears with a list of the names of these nodes.
To reset the inheritance of any of these nodes, select the
checkbox next the node name, then click Reset
Inheritance.

8/31/2007

To view broken inheritance follow the steps below:


Go to Systems | System Tree | Policies page. All assigned policies, grouped
under products, are available in the details pane.
On the desired policy row, under Broken Inheritance, is the number of nodes to
which this policys inheritance is broken.
Click the blue text indicating the number of child nodes that do not inherit. The View
broken inheritance page appears with a list of the names of these nodes.
To reset the inheritance of any of these nodes, select the checkbox next the node
name, then click Reset Inheritance.

52

Repositories
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Repositories

53

Repositories
Master Repository
Distributed Repository
Source Repository
Fallback Repository

8/31/2007

Repositories host the files you need to deploy products and update. There are 4
different types of Repositories. Master Repository, Distributed Repository, Source
Repository and Fallback Repository.
The Master repository:
The master repository maintains the latest versions of security software and
updates for your environment. This repository is the source of software and updates
for the rest of your environment. There is one master repository for each ePolicy
Orchestrator server. The master repository is configured when installed. However,
you must ensure that proxy server settings are configured correctly. By default,
ePolicy Orchestrator uses Microsoft Internet Explorer proxy settings.
Distributed repositories:
Distributed repositories host copies of your master repositorys contents. Consider
using distributed repositories and placing them throughout your network strategically
to ensure managed systems are updated while network traffic is minimized,
especially across slow connections.

54

Source repository:
The source repository provides all updates for your master repository. The default
source repository is the McAfee HTTP update site (HttpSite), but you can change
the source repository or create multiple source repositories if you require. McAfee
recommends using the McAfee HTTP (HttpSite) or FTP (FTPSite) update sites as
your source repository.
Fallback repository:
The fallback repository is a source repository thats been enabled as the fallback,
from which managed systems can retrieve updates when their usual repositories
are inaccessible. For example, when network outages or virus outbreaks occur,
accessing the established location may be difficult. Therefore, managed systems
can remain up-to-date in such situations. The default fallback repository is the
McAfee FTP download site (McAfeeFtp). You can only enable one fallback
repository. You must configure agent policy settings for managed systems to use
proxy servers when accessing this fallback site.

55

Repository Branches
Current
Evaluation
Previous
Update tasks can retrieve updates from any branch of the
repository, but deployment tasks use the Current branch
only.
You can enable the Previous branch by selecting Move
existing packages to Previous branch when you add
new files to your master repository. The option is available
both when you pull updates from a source repository and
when you manually check in packages to your master
repository.

8/31/2007

The current branch is the main repository branch for the latest packages and
updates. Product deployment tasks only use the current branch.
Evaluation branch. You may want to test new DAT and engine updates with a small
number of network segments or systems before deploying them to your entire
organization. Specify the Evaluation branch when checking in new DATs and
engines to the master repository, then deploy them to a small number of test
systems. After monitoring the test systems for several hours, you can add the new
DATs to your Current branch and deploy them to your entire organization.
Use the Previous branch to save and store the prior weeks DAT and engine files
before adding the new ones to the Current branch. In the event that you experience
an issue with new DAT or engine files in your environment, you have a copy of
previous versions that you can re-deploy to your systems if necessary. ePolicy
Orchestrator saves only the most immediate previous version of each file type.

56

Sitelist.XML
Can be used to Backup your repository list
Import to a product at installation
Import to an agent at installation
Import an existing repository list

8/31/2007

The repository list (SITELIST.XML) file contains the names of all the repositories
you are managing. The repository list includes the location and encrypted network
credential information that managed systems used to select the repository and
retrieve updates. The server sends the repository list to the agent during agentserver communication. If needed, you can export the repository list to an external
(SITELIST.XML) file, then distribute and apply it to managed systems using
command-line options. An exported repository list file can be used to:
Back up your repository list if you need to reinstall the server.
Import to a product at installation. (For example, VirusScan Enterprise.)
Import to an agent at installation.
Import an existing repository list from a previous installation of ePolicy Orchestrator
or from another McAfee product.

57

Point Products
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Point Products

58

Extensions
Product Extension - a ZIP file containing JSP pages,
Java classes, SQL scripts, help files, and/or localized
strings that add functionality to ePO. Extensions replace
both NAPs and Extended NAPs. Deployment packages
are still installed separately. When the user installs an
extension, ePO runs the extension's install file, which can
perform actions such as running SQL scripts, copying
files, etc.
Deployment Package - a ZIP file containing all the files
the agent needs to install a point product on a client
computer. Deployment packages are checked into the
master repository so that ePO can deploy the product.

8/31/2007

Product Extension - a ZIP file containing JSP pages, Java classes, SQL scripts,
help files, and/or localized strings that add functionality to ePO. Extensions replace
both NAPs and Extended NAPs. Deployment packages are still installed
separately. When the user installs an extension, ePO runs the extension's install
file, which can perform actions such as running SQL scripts, copying files, etc.
Deployment Package - a ZIP file containing all the files the agent needs to install a
point product on a client computer. Deployment packages are checked into the
master repository so that ePO can deploy the product.

59

Checking in an Extension

8/31/2007

Checking in an Extension
Extensions can be found in the configuration screen of the ePO console. The
managed products extensions or Point Product extension are located on the top left
while the server extensions are located underneath them.
When checking in an extension you will need access to the Product extension file
(ZIP file) in order to check it into the ePO server. In the lower left corner you will
see the Install Extensions button which will open a dialog box to select the file.
Once the file has been successfully installed you will now see the extension
populated in the extension list and be able to manage the component.
As like before in order to fully manage any product you will need to import two files.
Earlier versions required a NAP and a package.z file. ePO 4.0 requires the
extension ZIP file and then the deployment package file which is also a ZIP file.
The extension is required for managing the product while the deployment package
is required in the repository for deployment tasks.

60

Checking in a Package file

8/31/2007

Checking in a package file is done much the same way as checking in an extension
except you will be checking it into the repository. You can manage the repository in
the Software screen of the Console.
To check in a package click the Check In Package at the bottom left of the screen.
This will bring up a dialog box in which you can select your ZIP package. Once
selected finish the check in process. If your extension file for the product is checked
in then you will now be able to deploy the product to nodes in your system tree.

61

Notifications
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Notifications

62

Notifications
Detection of threats by your anti-virus software product.
Outbreak situations.
Compliance events from McAfee System Compliance
Profiler.
High-level compliance of ePolicy Orchestrator server
events.

8/31/2007

Notifications alerts you to any events that occur on the managed systems in your
environment or on the ePolicy Orchestrator server itself. The ability to specify the
event categories that generate a notification message and the frequencies with
which such messages are sent are highly configurable.
Notification can be triggered in the following situations:
During detection of threats by your anti-virus software product - Although
almost any anti-virus software product is supported, events from VirusScan
Enterprise 8.0i and 8.5i include the IP address of the source attacker so that you
can isolate the system infecting the rest of your environment.
In the event of an Outbreak situations specified by a outbreak threshold.
During compliance events from McAfee System Compliance Profiler - This will
be triggered when a system does not meet the compliance criteria.

63

During High-level compliance of ePolicy Orchestrator server events - This is


triggered if a server event is having issues and does not complete.

64

Throttling and Aggregation


You can use aggregation to specify thresholds for
notification messages. You can create a rule in which
notification messages are send for multiple purposes.
Throttling can be used to limit the amount of messages
you may receive.

8/31/2007

Aggregation:
You can use aggregation to specify thresholds for notification messages. You can
create a rule in which notification messages are send for multiple purposes. For
example, you can configure the same rule to notify you when you have received
100 viruses detections as well as when it has received 1000 virus detections.
Throttling:
Throttling can be used to limit the amount of messages you may receive. For many
organization, especially in the event of an outbreak situation, hundred and even
thousands of messages might be received in a short amount of time. With throttling
you will be limit the number of messages in a given amount of time for each
Notification rule.

65

Default Rules
Daily Unknown Product Notification
Daily unknown category notification
Virus detected and not removed
Virus detected heuristics and not removed
Repository update or replication failed
Non-compliant computer detected

8/31/2007

Here is a list of the default rules for Notifications:


Daily Unknown Product Notification - Any events from any unknown products.
Daily unknown category notification - Any event of an unknown category.
Virus detected and not removed - Virus Detected and Not Removed events from
any product.
Virus detected heuristics and not removed - Virus Detected (Heuristics) and Not
Removed events from any product.
Repository update or replication failed Repository update task or replication
tasks has failed to complete.
Non-compliant computer detected - Non-compliant Computer Detected events.

66

Server Tasks
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Server Tasks

67

Server Tasks
Server Tasks have made some important changes
Server tasks are now more configurable, allowing you to
chain multiple actions and sub-actions within a single
task.

8/31/2007

Sever Tasks
Server Tasks have made some important changes in the latest ePO release. For
example Server tasks are now more configurable, allowing you to chain multiple
actions and sub-actions within a single task. You can create repository pulls,
manage NT or Active Directory synchronization among other server related options.
When dealing with the system tree, you can perform a server task to evaluate tags
and sorting the nodes accordingly.

68

Server Tasks
Inactive Agent Maintenance
NT Domain/Active Directory Synchronization
Repository Replication
Repository Pull
Data Rollup: ePO Computers
Data Rollup: Import Events
Purge Event Rollup Records
Purge Event Logs
Purge Audit Logs

8/31/2007

Here is a list of the available server tasks and their description:


NT Domain/Active Directory Synchronization Synchronizes select Windows
NT domains and Active Directory containers that are mapped to System Tree
groups. This task can also be performed manually.
Repository Replication Updates distributed repositories from the master
repository.
Repository Pull Retrieves packages from the source repository, then places
them in the master repository.
Data Rollup: ePO Computers Imports summary data from other registered ePO
servers.

69

Data Rollup: Import Events Imports summary event data from other registered
ePO servers.
Data Rollup: Compliance History Imports summary compliance data from
other registered ePO servers.
Purge Event Rollup Records Deletes event information that was imported from
other registered ePO servers.
Purge Event Logs Deletes events from the database based on user-configured
criteria.
Purge Audit Logs Deletes entries from the Audit Log on user-configured age.

70

Server Tasks
Purge Task Logs
Purge Notification Logs
Event Migration
Run Tag Criteria
Run Query

8/31/2007

Purge Task Logs Deletes entries from the Server Task Log by user-configured
age.
Purge Notification Logs Deletes entries from the Notification Log by userconfigured time.
Event Migration If you upgrade from a previous ePolicy Orchestrator
installation, use this task to migrate events from the old database to the new
database, so that you can run queries against your historical data,
Run Tag Criteria Evaluates all managed systems against a selected tags
criteria, and applies the tag to all matching systems.
Run Query Runs a selected query and allows you to chain sub actions related to
the query results. For example, you can email the results to someone in your
organization, or deploy agents to all systems in the query results.

71

Reporting
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Reporting

72

Reporting
Previously all reporting was done through the use of
crystal reports and is now implemented through queries
Queries can be exported to different file formats.
Some Queries can also be used as monitors

8/31/2007

Previously all reporting is done through the use of crystal reports. Now, reporting is
managed through queries by use of our query Interface, SQUID. Each query is
configurable and can display its results in a graphical format such as a chart or a
table. All queries can be exported as a reports or an email message and some of
the reports can also be used as a monitor on the dashboard.

73

Public and private Queries


Queries can be private or public. Private queries exist in
the users My Queries list, and are only available to the
creator.
Public queries exist in the Public Queries list, and are
available to everyone who has permissions use public
queries.
Global administrators and users with appropriate
permissions can make their personal queries private.

8/31/2007

Queries can be private or public. Private queries exist in the users My Queries list,
and are only available to the creator. Pubic queries exist in the Public Queries list,
and are available to everyone who has permissions use public queries. Global
administrators and users with appropriate permissions can make their personal
queries private.

74

Query Permissions
Use query permissions to assign specific levels of access
to query functionality to permission sets, which are
assigned to individual users.
No permissions
Use public queries.
Use public queries; create and edit personal queries
Edit public queries; create and edit personal queries;
make personal queries

8/31/2007

Query Permissions
No permissions Grants no permissions. The Query tab is unavailable to a user
with no permissions.
Use public queries Grants permission to use the default queries and any
queries that have been created
and made public by users with such permissions.
Use public queries; create and edit personal queries Grants permission to
use the default queries
and any that have been created and made public by users with such permissions,
as well as the ability to
use the Query Builder wizard to create and edit personal queries.
Edit public queries; create and edit personal queries; make personal queries
Grants permission
to use and edit any public queries with the Query Builder wizard, create and edit
any personal queries
with the Query Builder wizard, as well as the ability to make any personal query
available to anyone with
access to public queries.

75

Importing and exporting Queries


Exporting

Go to Reporting | Queries, then select the desired query from the


Queries list.
Click Export, then OK in the Action panel. The File Download dialog
box appears.
Click Save, select the desired location for the XML file, then click OK.
The file is saved in the desired location.

Importing

Go to Reporting | Queries, then click Import Query. The Import Query


dialog box appears.
Click Browse. The Choose File dialog box appears.
Select the desired exported file, then click OK.
Click OK.
The query is added to the My Queries list.

8/31/2007

Exporting
Go to Reporting | Queries, then select the desired query from the Queries
list.
Click Export, then OK in the Action panel. The File Download dialog box
appears.
Click Save, select the desired location for the XML file, then click OK.
The file is saved in the desired location.
Importing
Go to Reporting | Queries, then click Import Query. The Import Query
dialog box appears.
Click Browse. The Choose File dialog box appears.
Select the desired exported file, then click OK.
Click OK.
The query is added to the My Queries list.

76

Queries
Result Types

Repositories
Managed System
Compliance History
Rolled up Managed Systems
Audit Log Entries
Rolled up Compliance History
Events
Notifications
Rolled up Events

8/31/2007

Here is a list and their description of different query types:


Repositories Select Repositories to retrieve data on repositories and their
status.
Managed Systems Select Managed Systems to retrieve information about
systems running the McAfeeSecurity Agent.
Compliance History Select Compliance History to retrieve information on
compliance counts over time. This query type and its results depend on a Run
Query server task that generates compliance events from the results of a (Boolean
pie chart) query. Additionally, when creating a Compliance History query, be sure
the time unit matches the schedule interval for the server task. McAfee
recommends creating the Boolean pie chart query first, followed by the server task
that generates the compliance events, and finally the Compliance History query.
Rolled-up Managed Systems Select Rolled-up Managed Systems to retrieve
summary information on systems from registered servers.
Audit Log Entries Select Audit Log Entries to retrieve information on changes
and actions made by ePO users.

77

Rolled-up Compliance History Select Rolled-up Compliance History to retrieve


information on compliance counts over time from registered servers.
Events Select Events to retrieve information on events sent from managed
systems.
Notifications Select Notifications to retrieve information on sent notifications.
Rolled-up Events Select Rolled-up Events to retrieve summary event data from
registered servers.

78

Default Queries

Compliance Summary query


Compliance History query
Managed Systems History query
Detection History query
Todays Detections per Product query
Systems Tagged as Server query
Systems per Top-Level Group query
Failed Audited Actions query
Failed Logon Attempts query
Distributed Repository Status query
Agent Communication Summary query
Agent Version Summary query

8/31/2007

The following is a list of the default queries that are provided by the ePO server:
Compliance Summary query Displays the results of a compliant or noncompliant systems in a Boolean pie chart. This query only considers systems who
have had Agent-Server communication in the last 24 hours.
Compliance History query - Use this query, with its default settings, to view the
percentage of systems (over time) in your environment which are non-compliant.
This query and its results depend on the Data Rollup: Compliance History server
task. Schedule the Data Rollup: Compliance History server task to run at a regular
interval and be sure that the Save results checkbox is selected. Additionally, when
creating a query of this type be sure the time unit matches the schedule interval for
the server task.
Detection History query Use this query, with its default settings, to view a line
chart of the number of internal virus detections over the past quarter.
Todays Detections per Product query Use this query, with its default settings,
to view a pie chart of detections within the last 24 hours organized by detecting
product.

79

Systems Tagged as Server query Use this query, with its default settings, to
view a Boolean pie chart of the systems in your environment divided according to
whether they have the Server tag.
Systems per Top-Level Group query Use this query, with its default settings, to
view a bar chart of your managed systems organized by top-level System Tree
group.
Failed User Actions query Use this query, with its default settings, to view a
table of all failed actions from the Audit Log.
Failed Logon Attempts query Use this query, with its default settings, to view a
Boolean pie chart of all logon attempts in the Audit Log, divided according to
whether they were successful.
Distributed Repository Status query Use this query, with its default settings, to
view a Boolean pie chart of your distributed repositories, divided according to
whether their last replication was successful.
Agent Communication Summary query Use this query, with its default settings,
to view a Boolean pie chart of managed systems, divided according to whether they
have communicated with the server in the last day.
Agent Version Summary query Use this query, with its default settings, to view
a pie chart of managed systems organized by the version of the agent they are
running.

80

Actionable Queries

Email File
Move To
Change Sorting Status
Exclude Tag
Generate Compliance Event
Repository Replication
Clear Tag
Assign Policy
Export to File
Apply Tag
Edit Description
Deploy Agents
Wake Up Agents

8/31/2007

Unlike the previous ePO reporting solution, query results are actionable. For
example, you can deploy agents to systems in a table of query results. Actions are
available at the bottom of the results page. The following is a list of actions that can
follow a query:
Email File Sends the results of the query to a specified recipient, in a userconfigured format (PDF, XML, CSV, or HTML).
Move To Moves all systems in the query results to a group in the System Tree.
This option is only valid for queries that result in a table of systems.
Change Sorting Status Enables or disables System Tree sorting on all systems
in the query results. This option is only valid for queries that result in a table of
systems.
Exclude Tag Excludes a specified tag from all systems in the query results. This
option is only valid for queries that result in a table of systems.

81

Generate Compliance Event Generates an event based on a percentage or


actual number threshold of systems that do not match the criteria in query. This
action is intended for use with compliance-based Boolean pie chart queries (for
example, the Compliance History and Compliance Summary default queries).
This action is part of the replacement of the Compliance Check server task of
previous versions.
Repository Replication Replicates master repository contents to the distributed
repositories in the query results. This is valid queries that return a list of repositories
whose last update task failed (for example, the Distributed Repository Status
default query).
Clear Tag Removes a specified tag from all systems in the query results. This
option is only valid for queries that result in a table of systems.
Assign Policy Assigns a specified policy to all systems in the query results. This
option is only valid for queries that result in a table of systems.
Export to File Exports the query results to a specified format to a specified
directory.
Apply Tag Applies a specified tag to all systems (that are not excluded from the
tag) in the query results. This option is only valid for queries that result in a table of
systems.
Edit Description Overwrites the existing system description in the database for
all systems in the query results. This option is only valid for queries that result in a
table of systems.
Deploy Agents Deploys agents, according to the configuration on this page, to
systems in the query results. This option is only valid for queries that result in a
table of systems.
Wake Up Agents Sends an agent wake-up call, according to the configuration
on this page, to all systems in the query results. This option is only valid for queries
that result in a table of systems.

82

Troubleshooting
ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

Troubleshooting

83

Troubleshooting intro
Troubleshooting ePO is about understanding the
components and how they work together.
When something goes wrong, you must understand which
components play a part in the event and search out the
respective log files.

8/31/2007

Troubleshooting ePO is about understanding the components and how they work
together. When something goes wrong, you must understand which components
play a part in the event and search out the respective log files. For this trouble
shooting section, I will describe each of the major log files and explain their use.

84

Troubleshooting tips for installation


If you are unable to resolve an issue using the information
in this table, be sure you have done the following.

Verify that you have met the minimum installation requirements.


Review the ePolicy Orchestrator 4.0 Release Notes (README.TXT) for
any known installation issues.
Verify that the user account you used to log on to the computer on which
you are installing the software has full administrator permissions to that
computer. (Also verify your credentials for the server are correct)
Collect the exact text of all messages, and be sure to take note of any
message codes that appear.
Gather the installation log files and look for any suspicious log occurring
at or around the time of the error. The Logs directly BEFORE an error
are often more useful than the error itself.

8/31/2007

If you are unable to resolve an issue using the information in this table, be sure you
have done the following.
Verify that you have met the minimum installation requirements.
Review the ePolicy Orchestrator 4.0 Release Notes (README.TXT) for any
known installation issues.
Verify that the user account you used to log on to the computer on which you
are installing the software has full administrator permissions to that
computer. (Also verify your credentials for the server are correct)
Collect the exact text of all messages, and be sure to take note of any
message codes that appear.
Gather the installation log files and look for any suspicious log occurring at or
around the time of the error. The Logs directly BEFORE an error are often
more useful than the error itself.

85

Troubleshooting Log File locations


%temp%\Nailogs

EPO400-DBINIT.log
EPO400-TRACE.log
licensing.log
MSXML6Inst.Log
MSXML6PatchInst.Log
SQLSTP.Log

%temp%\Nailogs\OutputFiles

ePO##.tmp

8/31/2007

The following log files are created in the %temp%\Nailogs folder:


EPO400-DBINIT.log - This is the main DB log file for the ePO 4.0.0 installer. This log
contains any output captured by NaiLog.Dll during installation.
EPO400-TRACE.log - This is the main log file for the ePO 4.0.0 installer.
licensing.log - This is the log used by the Common License Application. It is created by the
NaiLite.Dll during the EULA
MSXML6Inst.Log - This is the MSI log file created when ePO installs MSXML 6.0.
MSXML6PatchInst.Log - This is the MSI log file created when ePO installs the MSXML 6.0
Patch.
SQLSTP.Log - This is the MSI log file created when ePO installs MSDE. This file will NOT
be present unless MSDE was installed by the ePO installer.
The following log files are created in the %temp%\Nailogs\OutputFiles folder:
NOTE: Once the installation is successful the "%temp%\Nailogs\OutputFiles" folder will be removed.
ePO##.tmp - This is a file created by the ePO installer and contains the command to send to
the Remote-Client to check in Plug-ins, Point Products, and Agent packages. This file is
removed by default unless the DebugLogs is set to 1 in the Setup.Ini file.

86

Log Files Cont.


[InstallDir]\Installer\core

core-install.log

[InstallDir]\Installer\ePO

epo-install.log

[InstallDir]\DB\Logs

EpoApSvr.log
eventparser.log
server.log

8/31/2007

The following log files are created in the [InstallDir]\Installer\core folder:


core-install.log - This is the log file created when the ePO installer calls the Orion installer.
The following log files are created in the [InstallDir]\Installer\ePO:
epo-install.log - This is the log file created when the ePO installer calls the ePO installer.
The following log files are created in the [InstallDir]\DB\Logs:
EpoApSvr.log - This is the Application Server log file. It will not be present until after the
service is started for the first time. The following output is contained in this file: RManJNI;
DalPolicy; SiteMgr; SiteMgrWrap
eventparser.log - This is the Event Parser log file. It will not be present until after the service
is started for the first time. The following output is contained in this file: EventParser
server.log - This is the ePO Server agent handler and other C++ code log file. It will not be
present until after the service is started for the first time. The following output is contained in
this file: EPOServer; Mod_EPO

87

Log Files Cont.


[InstallDir]\Apache2\logs

errorlog.####-##-##-##_##_##

[InstallDir]\Server\logs

jakarta_service_########.log
localhost_access_log.####-##-##.txt
orion.log
stderr.log

8/31/2007

The following log files are created in the [InstallDir]\Apache2\logs: Apache Logs
errorlog.####-##-##-##_##_## - This is the Apache2 log file for the Apache service. It will
not be present until after the service is started for the first time.
The following log files are created in the [InstallDir]\Server\logs: Tomcat logs
jakarta_service_########.log -This is the Tomcat log file for the Tomcat service. It will not
be present until after the service is started for the first time.
localhost_access_log.####-##-##.txt - This is the Tomcat log file for the Tomcat service. It
will not be present until after the service is started for the first time.
orion.log - This is the Log4J log file used by the Orion Platform and by default all loaded
extensions. It will not be present until after the service is started for the first time. The
following output is contained in this file: Orion; Orion extensions; ePO extensions
stderr.log - This is the Tomcat log file for the Tomcat service. It will not be present until after
the service is started for the first time. The file contains any Standard Error output that the
Tomcat service captures.

88

Understanding the Log files


Agent Log file

Column 1: Date and Time


Column 2: Type
Column 3: Component
Column 4: Message

8/31/2007

To understand the log files you must understand what the information in the log file means. Provided
below is a description on the various columns of the Agent Log file.
Column 1 Date and Time
Displays the date and time in YYYYMMDDHHMMSS format. For example 20021231113407 is
December, 31, 2002 at 11:34:07AM
Time uses the 24-hour format.
Column 2 Component
Displays the type of message. The table below describes message types and the logging level in
which they are recorded.
e Translated user error message Logging level 1
w Translated user warning message Logging level 2
i Translated user information message Logging level 3
x Translated user extended information message Logging level 4
E Debug error message in English only Logging level 5
W Debug warning message in English only Logging level 6
I Debug information message in English only Logging level 7
X Debug extended information message in English only Logging level 8
Column 3 Component
The agent, server, or console component. For example, Scheduler, DOMSYNCH.
Column 4 Message
Displays the message itself. For example, Enforcing policies.

89

Setting the log level.


HKEY_LOCAL_MACHINE\SOFTWARE\Network
Associates\ePolicyOrchestrator\LogLevel
1 - Localized user error message
2 - Localized user warning message
3 - Localized user information message
4 - Localized user extended information message
5 - Unlocalized debug error message
6 - Unlocalized debug warning message
7 - Unlocalized debug information message
8 - Unlocalized debug extended information message

8/31/2007

To set the log level you can change the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Network
Associates\ePolicyOrchestrator\LogLevel
Here are the possibly values and their description. The changes in this list take
place immediiatly.
1 - Localized user error message
2 - Localized user warning message
3 - Localized user information message
4 - Localized user extended information message
5 - Unlocalized debug error message
6 - Unlocalized debug warning message
7 - Unlocalized debug information message
8 - Unlocalized debug extended information message

90

Summary

Introduction
Architecture
McAfee Agent
Console and Dashboard
System Tree
Policies
Point Products
Repostories
Notification
Server Tasks
Reporting
Troubleshooting
Log Files

8/31/2007

Introduction
Architecture
McAfee Agent
Console and Dashboard
System Tree
Policies
Point Products
Repostories
Notification
Server Tasks
Reporting
Troubleshooting
Log Files

91

ePolicy Orchestrator 4.0 Essentials


ePO 201
Charles McFarland

2007
2007McAfee,
McAfee,Inc.
Inc.

This Concludes the ePolicy Orchestrator 4.0 Essentials Course.

92