Professional Documents
Culture Documents
x
Installation Guide
Contents
Installation overview 6
Which type of installation do you need?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Single server installation workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Cloud services installation workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Cluster installation workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Upgrade installation workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Cluster installations 61
Perform cluster installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Install on Windows Server 2008. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Install on Windows Server 2012. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Test the McAfee ePO cluster installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Restore McAfee ePO software in a cluster environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Uninstall McAfee ePO from a cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Troubleshooting installation 79
Troubleshooting and log file reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Common installation messages with their causes and solutions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Log files for troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Installer logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Server logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
McAfee Agent logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
◦ Update McAfee ePO Server Public DNS in Server Settings with elastic IP address or DNS of virtual McAfee ePO server.
◦ Update Published DNS name or the IP address of Agent Handler (if any) with elastic IP address or DNS of virtual Agent
Handler server.
◦ Create a McAfee Agent deployment URL or extract the McAfee Agent deployment package.
7. Choose a deployment method to deploy McAfee Agent.
8. Confirm that systems are managed by ensuring that McAfee Agent can successfully connect to McAfee ePO.
1. Install Microsoft Cluster Server (MSCS) software on all your servers and configure these items:
◦ Shared data drive
◦ Quorum drive
◦ Failover group
2. Configure shared storage.
3. Configure SQL Server and database settings.
4. Download and install McAfee ePO software on all servers.
5. Choose a deployment method to deploy McAfee Agent.
6. Confirm that systems are managed by ensuring that McAfee Agent can successfully connect to McAfee ePO.
1,500–
<
1,500
10,000
10,000–25,000
Option systems 25,000–75,000 systems > 75,000 systems
When setting an IPv6 address for FTP or HTTP sources, no changes to the address are needed. But, when setting a Literal IPv6
address for a UNC source, you must use the Microsoft Literal IPv6 format. See Microsoft documentation for more information.
Dedicated server If managing more than 250 systems, use a dedicated server.
Domain controllers The server must have a trust relationship with the Domain
Controller on the network. For instructions, see the Microsoft
product documentation.
Microsoft .NET Framework 3.5 or later Required — This software is required for all versions of SQL
Server and SQL Server Express.
Microsoft Visual C++ 2008 Redistributable Package (x86) Required — Installed automatically.
Supported SQL Server Required — A supported version of SQL Server or SQL Server
Express is required to install McAfee ePO.
Configuration Details
Nested triggers The SQL Server Nested Triggers option must be enabled.
Database collation McAfee ePO software supports all Microsoft SQL Server
collations using the following two SQL collation properties:
• Case Insensitivity (CI)
TLS requirement
If you are using an older browser, make sure that you have TLS 1.1 or 1.2 enabled.
During installation The user account credentials for either Windows or SQL
authentication must have these server roles granted on the
target SQL Server:
• public
• dbcreator
Note: The dbcreator server role is required for the setup
program to create and add the requisite core McAfee ePO
database objects to the target SQL Server during installation.
After the database is installed The dbcreator server role can be removed from the McAfee
ePO SQL user.
Note: Revoking the dbcreator server role restricts the user
account to only those permissions granted to the db_owner
database role on the McAfee ePO database.
During installation The user account credentials for either Windows or SQL
authentication must have these server roles granted on the
target SQL Server:
• public
• db_owner
Component Requirements
Free disk space 400 MB minimum (800 MB recommended) on the drive where
the repository is stored. The required space depends on the
amount of data being served.
Note: The disk space requirement for the distributed
repositories on systems where agents are designated as
SuperAgents is equal to the disk space available for the Master
Repository.
Task
1. Set up SQL Server and make sure that you can communicate with the database server.
a. Verify that the SQL Browser Service is running.
b. Update the system that hosts your McAfee ePO server and your SQL Server with the latest Microsoft security updates. Then
turn off Windows updates during the installation process.
2. Enable TCP/IP protocol in the SQL Server Configuration Manager.
a. Start SQL Server Configuration Manager.
b. In the console pane, expand SQL Server Network Configuration.
c. In the details pane, right-click TCP/IP to open the TCP/IP Properties window.
d. Select the Protocol tab, click Enabled, and select Yes.
e. Click Apply and then OK to close the Warning dialog.
TCP/IP is enabled. You can now restart the service to make sure that your changes take effect.
f. In the console pane, click SQL Server Services.
g. In the details pane, right-click the SQL Server service and click Restart.
Your changes are now complete. Before continuing, make sure to capture the value for TCP Dynamic Ports.
h. Right-click TCP/IP to open the TCP/IP Properties window.
i. Select the IP Addresses tab.
Make sure Enabled is set to Yes for each active IP address.
j. Under IPAII, make note of the value for TCP Dynamic Ports.
For example, 49657. This information might be needed later in the installation.
3. Log on to the Windows Server computer to be used as the McAfee ePO server.
Use an account with local administrator permissions.
4. Locate the software you downloaded from the Intel website and extract the files to a temporary location. Right-click Setup.exe
and select Run as Administrator.
The executable is located in the downloaded McAfee ePO installation folder.
Caution: If you try to run Setup.exe without first extracting the contents of the .zip file, the installation fails.
The McAfee ePolicy Orchestrator - InstallShield Wizard starts.
5. Click Next to continue the installation.
Results
The installation is set up and started. Now configure the database, communication ports, and license to complete the
installation.
Task
1. In the Destination Folder step, click:
◦ Next — Install your McAfee ePO software in the default location (C:\Program Files\McAfee\ePolicy Orchestrator\).
◦ Change — Specify a custom destination location for your McAfee ePO software. When the Change Current Destination Folder
window opens, browse to the destination and create folders as needed, then click OK.
Database Server Select your server from the list. If it does not appear, enter
the information based on whether you are using SQL
Server or SQL Server Express:
◦ ServerName\SQLSERVER
◦ ServerName\SQLEXPRESS
Windows authentication 1. From the Domain menu, select the domain of the user
account for accessing the SQL Server, then type the user
name and password.
2. If using a previously installed SQL Server, make sure that
your user account has access.
SQL authentication Type the user name and password for your SQL Server.
Make sure that credentials you provide represent an
existing user on the SQL Server with appropriate rights.
Note: The Domain menu is grayed out when using SQL
authentication.
c. If needed, specify the value for the SQL Server TCP port.
Use the value from the TCP Dynamic Ports field you wrote down when you enabled TCP/IP. This port is used to communicate
between your McAfee ePO server and database server.
The Pre-Installation Auditor automatically starts.
3. In the HTTP Port Information step, review the default port assignment, then click Next to verify that the ports are not already in use
on this system.
Important: You can change some of these ports now. When your installation is complete, you can change only the Agent wake-
up communication port and Agent broadcast communication port.
4. In the Administrator Information step, type this information, then click Next.
a. Type the user name and password you want to use for your primary administrator account.
b. Type the server recovery passphrase.
The passphrase includes 14–200 characters, must not contain leading or trailing backslashes (\), spaces, double quotation
marks ("), or characters below ASCII 32 or above ASCII 65535.
Important: Keep a record of this passphrase; you need it to decrypt the Disaster Recovery Snapshot records and Intel can't
recover it.
5. In the Type License Key step, type your license key, click Enable Automatic Product Installation, then click Next.
If you don't have a license key, you can select Evaluation to continue installing the software. The Enable Automatic Product Installation
option is enabled by default and only available if you have a license key. The evaluation period is limited to 90 days. You can
provide a license key after installation is complete from the McAfee ePO Settings or Software Catalog.
6. Accept the McAfee End User License Agreement and click OK.
7. From the Ready to install the Program dialog box, decide if you want to allow Intel to collect system and software telemetry data,
then click Install to begin installing the software.
8. When the installation is complete, click Finish to exit the Setup program.
Results
Your McAfee ePO software is now installed. Double-click the Launch ePolicy Orchestrator icon on your desktop to start using your
McAfee ePO server, or browse to the server from a remote web console (https://servername:port).
Configuration checklist
Use this checklist to make sure that you have completed the configuration steps to configure your McAfee ePO server.
• Install the McAfee ePO software.
• Log on to the user interface.
• Download and install the Intel product software using one of these methods:
◦ Use Automatic Product Installation in the first 24 hours after initial logon. After the initial 24 hours, Automatic Product Installation
is no longer available and you must use one of the other methods.
Note: The Product Installation Status page starts only if you selected Enable Automatic Product Installation option during the
McAfee ePO installation.
◦ Use Customize Software Installation from the Dashboard.
◦ Use ePolicy Orchestrator Guided Configuration from the Dashboard.
◦ Use Software Manager found at Menu → Software.
• Add system to manage using one of these methods:
◦ Create a Smart Installer URL and distribute it to the systems.
◦ Deploy FramePkg.exe manually or use a logon script.
Task
1. Click the Launch ePolicy Orchestrator icon on your McAfee ePO server desktop, to open the Log On screen.
2. Type your credentials and pick a language.
The Product Installation Status software automatically starts downloading and installing the licensed software available to your
organization. You can monitor the process using:
◦ Products — Displays all licensed software and the latest available version.
◦ Status — Displays one of these values:
◦ Updating — The software is downloading and installing.
◦ Completed — The software is successfully installed.
◦ Failed — An error occurs during the download or installation process.
◦ Stopped — You clicked Stop at the top of the page.
You can click Menu → Software → Software Manager at any time to see details of the software installation process.
Note: You can also use the McAfee ePO user interface to configure other elements while the automatic software installation
process is running.
3. Complete the software installation process using the automatic or manual method.
On the Product Installation Status page, wait for the Status listed 1. On the Product Installation Status page, click Stop and click OK in
for each product to change to Complete. the dialog box that tells you that you must complete the
software installation process using Software Manager.
Results
Your McAfee ePO server is now protecting your managed systems.
Task
1. Click the Launch icon on your McAfee ePO server desktop, to see the Log On screen.
2. Type your user name, password, and select a language, if needed, then click Log On. McAfee ePO starts and displays the
Dashboard dialog box.
3. Use either automatic Product Installation Status or Software Manager to install your product software.
4. Select Menu → Reporting → Dashboards, select Guided Configuration from the Dashboard drop-down, then click Start.
5. Review the Guided Configuration overview and instructions, then click Start.
6. On the Software Selection page:
a. Under the Software Not Checked In product category, click Licensed or Evaluation to display available products.
b. In the Software table, select the product that you want to check in. The product description and all available components are
displayed in the table that is displayed.
c. Click Check In All to check in product extensions to your McAfee ePO server, and product packages to your Master Repository.
d. Click Next at the top of the screen when you're finished checking in software.
7. On the System Selection page:
a. Select the group in your System Tree where you want to add your systems. If you don't have any custom groups defined,
select My Organization, then click Next to open the Adding your systems dialog box.
b. Select a method to add your systems to the System Tree.
AD Sync Synchronize your McAfee ePO server 1. In the AD Sync dialog box, select the
with your Active Directory (AD) server or synchronization type and specify the
Domain Controller (DC). AD Sync is the appropriate settings.
quickest way to add your systems to the 2. Click Synchronize and Save.
System Tree.
Manual Manually add systems to your System 1. On the New Systems page, type system
Tree by specifying names or selecting names in the Target systems field, or
from a list of systems by domain. click Browse to add individual systems
from a domain, then click OK
Accept Defaults Use the My Default policy setting for the This step is complete.
software you deploy and continue your
configuration.
Configure Policy Specify custom policy settings now for 1. In the Policy Configuration dialog box,
each software product you checked in. click OK.
2. Select a product from the Product list
and click My Default to edit the default
policy settings.
3. Click Next.
Set Task Schedule Manually configure the schedule for 1. Using the Client Task Assignment Builder,
your product update client task. specify a product and task name for
your product update task.
Important: Do not change the Task
Type selection. It must be set to
Product Update.
2. Configure the Lock task inheritance and
Tags options, then click Next.
3. Specify the schedule for the update
task, then click Next.
4. Review the summary, then click Save.
Results
Your McAfee ePO server is now protecting your managed systems.
Task
1. Select Menu → Configuration → Server Settings, select Proxy Settings from the Setting Categories, then click Edit.
2. Select Configure the proxy settings manually, provide the specific configuration information your proxy server uses for each set of
options, then click Save.
Task
1. Select Menu → Configuration → Server Settings, select License Key from the Setting Categories, then click Edit.
2. Type your License Key and click Save.
Task
1. Open the Edit Server Certificate page.
Task
1. From your browser, open McAfee ePO. The Certificate Error: Navigation Blocked page appears.
2. Click Continue to this website (not recommended) to open the logon page. The address bar is red, indicating the browser cannot verify
the security certificate.
3. To the right of the address bar, click Certificate Error to display the Certificate Invalid warning.
4. At the bottom of the warning, click View certificates to open the Certificate dialog box.
Caution: Do not click Install Certificate on the General tab. If you do, the process fails.
5. Select the Certification Path tab, then select Orion_CA_<servername>, and click View Certificate. Another dialog box opens to the General
tab, displaying the certificate information.
6. Click Install certificate to open the Certificate Import Wizard.
a. Click Next to specify where the certificate is stored.
b. Select Place all certificates in the following store, then click Browse to select a location.
c. Select the Trusted Root Certificate Authorities folder from the list, click OK, then click Next.
d. Click Finish. In the Security Warning that appears, click Yes.
7. Close the browser.
8. Change the target of the McAfee ePO desktop shortcut to use the NetBIOS name of the McAfee ePO server instead of
"localhost."
9. Restart McAfee ePO.
Results
Now when you log on to McAfee ePO, you are no longer prompted to accept the certificate.
Task
1. From your browser, open McAfee ePO. The This Connection is Untrusted page appears.
2. Click I Understand the Risks at the bottom of the page.
3. Click Add Exception.
4. Click Get Certificate. The Certification Status information is populated and the Confirm Security Exception button is enabled.
5. Make sure that Permanently store this exception is selected, then click Confirm Security Exception.
Results
Now when you log on to McAfee ePO, you are no longer prompted to accept the certificate.
For large networks, you might choose to use one of these methods to add an initial group of system, confirm the configuration,
then use other methods to add additional systems.
Deploying agents
The McAfee Agent is a 5-MB executable file that you can execute manually per client or deploy on a larger scale to hundreds or
thousands of nodes.
The McAfee Agent can be deployed to your client systems using any of these methods:
• An Agent Deployment URL or Intel Smart installer
• A logon script
• An image that includes the McAfee Agent
• Manual execution
• The McAfee ePO server
• Third-party tools
See the McAfee Agent Product Guide for details about these deployment methods.
Task
1. Use one of these methods to create the McAfee Agent installer.
◦ Create the McAfee Agent URL installer.
Results
Your McAfee ePO server is now providing protection and managing your clients.
Task
1. Select Menu → Systems Section → System Tree, then click the Agent Deployment tab.
2. From the Actions menu, click Create agent deployment Url.
3. Specify the URL name, the agent version, and whether the URL applies to all Agent Handlers, or only specific Agent Handlers.
Results
When a user opens the URL, they are prompted to download or run the McAfee Agent installer. The installation executable can
also be saved and then included in a log-on script.
Task
1. Select Menu → Systems → System Tree, then click New Systems on the System Tree page.
2. From the New Systems page, click Push agents and add systems to the current group and Browse.
3. From the NT Domain Credentials dialog box, type this information and click OK.
◦ Domain — Type the domain name with your target systems.
◦ User Name — Type your domain user name.
◦ Password — Type your domain password.
4. On the Browse for Systems page, select the domain server from the Domain list.
The Systems in Selected Domain table appear in the list of systems installed on that domain server.
5. Select the systems or groups of systems to add to the System Tree, then click OK.
The systems you selected appear in the Target Systems field, separated by commas.
6. In Agent Version, select the Windows or Non-Windows and the version from the list.
7. In Credentials for agent installation:
◦ Type the domain name.
◦ Type your domain user name.
◦ Type and confirm the domain password.
◦ Click Remember my credentials for future deployments.
8. Use the defaults for the final settings and click OK.
Results
The systems you selected are added to the System Tree and appear as Unmanaged in the Managed State column. After multiple agent-
server communications to install the product software and update tasks and policies, the Managed State changes to Managed. This
process can take several hours to complete.
Disadvantage
Advantage
IfIfyou let the McAfee Agent pull multiple endpoint products, it can use too much bandwidth. If you have bandwidth
constraints,
the make the products part of your original image.
endpoint
products
are
part
of
your
imaging
process,
your
build
process
can
occur
on
a
network
where
your
imaged
systems
don't
have
Once
If you install the McAfee Agent on a client it takes several more minutes to download, install, and update the products
using
timinga client task. This lag occurs even though the first agent-server communication occurs almost immediately.
is
a
concern,
make
the
Intel
products
part
of
your
image.
This
avoids
the
15–
20
minute
wait
for
the
products
to
install,
when
your
systems
might
be
vulnerable
to
threats.
Confirm that you deleted the McAfee Agent GUID before freezing the image
Make sure that you delete the McAfee Agent GUID before freezing the image when you make the McAfee Agent part of your
image.
Note: If the registry key is not deleted, systems with the same image also use the same GUID. These duplicate registry keys can
cause conflicts in your environment. See the McAfee Agent Product Guide for details.
Failure to delete the McAfee Agent GUID from the registry before finalizing your image can make it hard to manage the images in
larger environments. You might have several imaging teams involved or an outsourcing organization might be building the
images. Make sure that your imaging teams understand how to reset the GUIDs if the computers are not displayed in the McAfee
ePO directory.
Note: See KnowledgeBase article: How to reset the agent GUID if computers are not displayed in the McAfee ePO directory,
KB56086 for details.
My Organization group
The My Organization group, the root of your System Tree, contains all systems added to or detected on your network (manually or
automatically).
Until you create your own structure, all systems are added by default to My Group. This group name might have been changed
during the initial software installation.
The My Organization group has these characteristics:
My Group subgroup
My Group is a subgroup of the My Organization group and is added by default during the Getting Started initial software installation.
This group name might have been changed during the initial software installation.
When your network computers run the installation URL, they are grouped by default in My Group.
To rename the group, select Menu → Systems → System Tree, in the System Tree groups list click My Group, then click System Tree Actions →
Rename Group.
Group inheritance
All child subgroups in the System Tree hierarchy inherit policies set at their parent groups. These inheritance rules simplify policy
and task administration.
• Policies set at the My Organization level of the System Tree apply to all groups.
• Group policies apply to all subgroups or individual systems in that group.
• Inheritance is enabled by default for all groups and individual systems that you add to the System Tree.
Default inheritance allows you to set policies and schedule client tasks in fewer places.
• To allow for customization, inheritance can be broken by applying a new policy at any location of the System Tree.
You can lock policy assignments to preserve inheritance.
In this example, Windows users under the Server group for Los Angeles automatically inherit the Server group policies. Users
under the Server group for San Francisco inherit a different set of policies.
My Top-level group
Organization
Los Child subgroup of My Organization
Angeles
Desktop Child subgroup of Los Angeles
Task
1. Select Menu → Systems → System Tree, then click the Systems tab to show a list of managed systems.
Note: If no systems appear, click This Group and All Subgroups in the Preset list.
2. In the Managed State column for each row of systems, confirm that Managed appears.
If Unmanaged appears in the Managed State column, the system was added to the System Tree but the McAfee Agent and product
software are not installed on the system.
3. To display details about a system on the Systems Information page, double-click the system row.
Deployment summary Lists the product deployments and allows you to filter them
by type and status to quickly view their progress. Click a
deployment to view its details. Those details are displayed in
the deployment details area.
Deployment details Lists the details of the selected deployment. For example,
Start Date, Type, Status, and more.
System Actions Displays the filtered list of systems in a dialog box with more
detail and allows you to perform actions on the systems, such
as update and wake-up.
This table lists the commands and actions available you can take when organizing the system tree.
New Systems Opens the New Systems page where you can add systems to the
System Tree.
System Tree Action • New Subgroups — Creates a subgroup in the System Tree.
• Rename Group — Renames the selected group.
• Delete Group — Deletes the selected group or groups.
• Export Systems — Exports a list of systems from the System Tree
to a .txt file for later use.
• Sort Now — Sorts selected systems into groups with criteria-
based sorting enabled.
Table Actions • Choose Columns — Opens the Choose Columns page, where you
can select the columns to display on the System Tree page.
• Export Table — Allows you to export this table.
• Tag — Allows you to change the tags in the Tags column.
• Agent — Specifies the actions that can be taken on agents on
the selected systems.
• Directory Management — Specifies the actions that you can use
to manage systems in your directory.
This table lists the policy changes available on the Policy Catalog page.
Share or Unshare Click to share or unshare the policy with other McAfee ePO
servers.
View or change Double-click the policy name to view or change the policy
configuration.
To record policy revisions, type a comment in the text field
next to Duplicate, in the footer of the Policy Catalog page.
When you change a policy, the number of affected systems is
listed at the top of the page.
Import or Export Imports or exports all policies and categories selected for the
product.
New Policy Opens the Create a New Policy dialog box, where you can create
a policy of the selected product and category type.
New Task Opens the Create a New Policy dialog box, where you can create
a client task for the selected product.
Task Catalog actions • Import — Opens the Import page, where you can import Client
Task objects from an XML file.
• Export All — Opens the Export page, where you can export an
XML file with all client task objects for the products listed in
the Task Type pane.
Client task row actions • View — double-click the client task name to view the
configuration.
• Delete — Deletes the client task.
• Duplicate — Duplicates the client task so that you can change
it.
• Assign — Opens the Select a group task page, where you can
identify a group in your System Tree to assign this task.
• Share or Unshare — Click to share or unshare the client task
with other servers running McAfee ePO.
New Task Starts the Server Task Builder, where you can create and schedule
a server task.
Import Tasks Opens the Import Scheduled Task, page where you can select the
file to be imported.
Table Actions after you select a server task • Choose Columns — Opens a dialog box that allows you to
select which columns to display.
• Delete — Deletes the server task.
• Duplicate — Duplicates the server task so that you can change
it.
• Edit — Opens the Server Task Builder page with the settings of
the selected server task loaded, so that you can edit and
save the settings.
• Enable or Disable — Enables or disables the selected tasks.
When a task is disabled, it does not run, even if scheduled.
• Export Table — Opens the Export page. Use this option to
specify the format and the package of files to be exported.
You can save or email the exported file.
• Export Tasks — Opens the Export page. Use this option to
specify the format and the package of files to be exported.
You can save or email the exported file.
• Run — Immediately runs the server task,
• View — Allows you to view the server task configuration.
Server task row Actions • View — Allows you to view the server task configuration.
• Edit — Opens the Server Task Builder page with the settings of
the selected server task loaded, so that you can edit and
save the settings.
• Run — Immediately runs the server task.
Dashboard example
The initial dashboard that appears depends on which phase of initial configuration you are in. For the first 24 hours, after you log
on to McAfee ePO, the Getting Started with McAfee ePolicy Orchestrator dashboard appears. After that time the ePO Summary
dashboard is the default.
To familiarize yourself with dashboards configuration, in the Dashboards list, click Executive Dashboard, Guided Configuration, or any of
the dashboards added for your product software.
This table lists the actions available on the Dashboards page.
New Starts the New Dashboard dialog box where you can create a
dashboard.
Import Starts the Import Dashboard page where you can choose a
dashboard XML file to import.
Add Monitor Displays a list of dashboard categories where you can add a
previously saved monitor to the display.
To familiarize yourself with queries and how they work, select the Queries tab in the Queries and Reports page. In the Groups list, click All
to expand the list. You can now view queries in the Queries tab. For example, Agent Communication Summary. In the Agent Communication
Summary row Actions column, click Run.
A pie chart displays the number of managed systems and how many are compliant with the default McAfee ePO policy.
This table lists the options available on the Queries and Reports page. The queries and report options are similar to the options
available when you click the Queries or Reports tab.
New Query or New Report Opens the Query Builder page or reports toolbox so that you
can start creating your own query or report.
Import Query or Import Report Imports a previously saved XML file to the selected group.
Group Actions • New Group — Opens the Edit Group page where you can edit
the name and visibility of the selected group.
• Delete Group — Deletes all queries or reports in the selected
group.
• Edit Group — Opens the New Group dialog box where you can
create a query group.
Table Actions after you select a query or report • Delete — Deletes the query or report.
• Duplicate — Duplicates the query or report so that you can
change it.
• Edit — Opens the configuration page with the settings of the
duplicated or new query or report loaded, so that you can
edit and save the settings.
• Export Queries or Export Reports — Exports the selected queries
or reports as XML files.
• Export Query Data — Opens the Export page where you can
configure the export file options.
• Move to different group — Moves the selected query to the
specified query group. Or you can drag and drop the query
to any query group.
Task
1. Select Menu → Systems → System Tree, then click the Systems tab to show a list of managed systems.
If no systems appear, click This Group and All Subgroups in the Preset list.
2. Click a system in the System Name column to open the System Information page.
3. Scroll down the list to find the information you need to remotely log on to the test system. For example, you can use this
information:
◦ DNS Name
◦ IP Address
◦ System Description
4. Click the Products tab to see a list of products and versions installed on the test system.
5. Confirm that Endpoint Security Threat Prevention is installed on the test system.
Results
You now have the information to remotely log on to the test system and run the anti-malware test file.
Task
1. To log on to the test system with administrator rights.
You can log on to the test system by:
◦ Going to the system and logging on.
◦ Using a remote connection process, for example Windows Remote Desktop Connection, to log on.
2. Using a web browser, connect to the EICAR site to download the anti-malware test file from:
http://www.eicar.org/86-0-Intended-use.html
Task
1. Log on to the McAfee ePO and click Menu → Reporting → Dashboards.
2. In the title bar of the Dashboards list, select one of the dashboards described in this table.
ePO Summary Displays recent threats in the Malware Detection History line
chart.
3. Click Menu → Reporting → Threat Event Log to see a description the recent threat.
Information in the table includes:
◦ Event Generated Time
◦ Event ID
◦ Event Description
◦ Event Category
◦ Threat Target IPv4 Address
◦ Action Taken
◦ Threat Type
4. Click the event in the table to see all details about the threat.
5. At the end of the threat details, click Go to related Systems to see the detailed information about the affected system.
What to do next
After you have performed all initial configuration and made sure that your managed systems are protected, you might want to
consider other configuration steps, depending on your network security needs.
Simple additional steps to help you manage McAfee ePO include:
• Add other McAfee ePO users and permissions.
• Organize your System Tree to reflect the geographic, political, or functional borders.
• Add Tags to identify and sort systems.
• Configure an automatic response to occur when certain rules are met.
For more complex or larger managed networks:
• Create custom server or client tasks.
2. Set the AWS data center region to the location closest to most of the client systems you manage with McAfee ePO. To select
the region, click the list on the right side of the navigation pane on the AWS Console page.
3. Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to continue.
In this example, the server instance is a 64-bit server with a Microsoft Server 2012 with SQL Standard Edition already installed.
Always select an AMI with a SQL database included.
4. Scroll to the image you want, then click Select, to continue.
22. Confirm your settings, then click Launch to Create a new key pair.
23. Create a security key pair, with these settings, to generate an encrypted password when you first log on to this AWS server.
24. On the Launch Status page, click View Instances to confirm the status of the AWS server.
Once you click Launch instance, it might take 20–30 minutes before your instance is ready to access. During that time, Initializing
displays under Status Checks.
Results
You have created your AWS server. Continue with the connection process and create a static IP address for your AWS server.
Task
1. Log on to the AWS console.
Results
You have created a static IP address to use with Microsoft Remote Desktop Connection to log on to the AWS server and install
McAfee ePO.
Task
1. Connect to the AWS server using Remote Desktop Connection and the configured static IP address or DNS name.
2. Start the McAfee ePO installation process using the McAfee ePolicy Orchestrator Installation Guide and the Perform Custom
installation process.
3. In the Database Information, configure the Microsoft SQL Server using the AWS server name.
By default, the McAfee ePO SQL Server name is <AwsServerName>\EPOSERVER.
4. Complete the McAfee ePO server installation.
5. Create a backup image of your AWS server.
a. Log on to the AWS console.
b. Click Instances to see a list of your AWS servers.
c. Right-click the AWS server that you created, then from the lists that appears, click Image, and Create Image.
Results
You have a McAfee ePO server installed and configured that you can connect to from a remote browser using this format:
https://<AwsServerName>:<port>
Results
You have everything needed to create a McAfee Agent URL and start connecting your managed systems to your AWS McAfee ePO
server.
Term Definition
Data drive One of the two drives required by Microsoft Cluster Server
and McAfee ePO. The data drive is a remote drive that is
accessible to all nodes in the cluster, and is the location
where you install the McAfee ePO files.
ePO Virtual IP address resource The IP address resource that you create as part of the McAfee
ePO cluster installation. This virtual IP address represents the
McAfee ePO cluster installation as a whole. References to this
IP address point to the currently active node in your cluster.
ePO Virtual Network Name resource The Network Name resource that you create as part of the
McAfee ePO cluster installation. This virtual Network Name
represents the McAfee ePO cluster installation as a whole.
References to this Network Name point to the currently active
node in your cluster.
Quorum drive One of the two drives required by Microsoft Cluster Server
software. The quorum drive is where the MSCS files are
installed. Don't install any of the McAfee ePO files on this
drive.
Task
1. Open the Failover Cluster Management tool on the active node by clicking Start → Programs → Administrative Tools → Failover Cluster
Manager.
2. Right-click Services and Applications in the cluster management tree, then select More Actions → Create Empty Service or Application.
3. Rename the Application Group to epo: right-click New service or application, select Rename, then type ePO.
Task
1. Right-click the ePO group and select Add a resource → Client Access Point.
2. Type the McAfee ePO virtual name in the Name field and specify the McAfee ePO virtual name in the Address field, then click Next.
The Confirmation page appears.
3. Click Next to allow the Client Access Point to be configured, then click Finish when the wizard is complete.
4. If the Client Access Point is offline, right-click the name and select Bring this resource online.
Task
1. Right-click the ePO Application Group and select Add Storage.
2. In the Add Storage dialog box, select the data drive to be used for your installation, then click OK.
Task
1. Double-click Setup.exe in the installation folder.
2. Follow the wizard until you reach the Setup Type page, select the Cluster option, and click Next.
3. On the Choose Destination Location page, specify the path for the shared data drive, then click Next.
Note: Use this same path for each node.
Task
1. In the Cluster Administrator, right-click ePO Application Group and select Add a resource → Generic Service.
2. On the Select Service Wizard, select a resource, then click Next.
3. On the Confirmation page, click Next to allow the service to be created.
4. When the wizard is complete, click Finish.
5. Right-click the resource you created and select Properties.
6. From the McAfee ePO Application Server, select the Dependencies tab, then set the Data drive so it's dependent on the McAfee ePO
server.
7. From the McAfee ePO server, select the General tab, then remove the Startup parameters and add a blank space.
Important: Apache HTTP Server does not start with any startup parameters specified, and an empty entry is not permitted. A
blank space is required to start Apache HTTP Server.
8. From the McAfee ePO Event Parser, select the Dependencies tab, then set the service so it's dependent on the McAfee ePO
Application Server.
Task
1. Open the Failover Cluster Manager: click Server Manager → Tools → Failover Cluster Manager.
2. Right-click Roles in the System Tree, then select Create Empty Role.
3. Click OK.
4. Right-click the empty role, then select Properties.
5. In the New Role dialog box, type a name for the role. For example, ePO.
6. Click OK.
Task
1. Right-click the ePO application role, then select Add a resource → Client Access Point.
The Client Access Point Wizard appears.
2. Type the ePolicy Orchestrator Virtual Name in the Name field and specify the ePolicy Orchestrator Virtual IP address in the Address field, then
click Next.
The Confirmation page appears.
3. Click Next to apply the Client Access Point changes, then click Finish when the wizard is complete.
4. If the Client Access Point is offline, right-click the name and select Bring Online.
Task
1. Right-click the ePO application role, then select Add Storage.
2. In the Add Storage dialog box, select the data drive to use for your McAfee ePO installation, then click OK.
Install McAfee ePO software on each node (Windows Server 2012 and 2016)
Run the Cluster installation on each of the nodes.
Task
1. Double-click Setup.exe in the installation folder.
2. Follow the wizard until you reach the Setup Type page, select the Cluster option, then click Next.
3. On the Choose Destination Location page, specify the path for the shared data drive, then click Next.
If you specify a folder that does not exist, the installation process creates a folder with that name in the designated location.
Note: Use this same path for each node.
4. On the first node of the Set Virtual Server Settings page, provide this identifying information for the McAfee ePO cluster:
◦ The McAfee ePO Virtual Server IP address
◦ The McAfee ePO Virtual Cluster name
◦ The McAfee ePO Virtual Cluster FQDN
◦ Create the McAfee ePO Cluster Configuration Passphrase and Verify Cluster Configuration Passphrase
On subsequent nodes, the Virtual Server IP address, Virtual Cluster name, and Virtual Cluster FQDN are automatically provided. You must
add the Cluster Configuration Passphrase to each subsequent node.
5. Complete the installation on the first node.
6. For each node in your cluster, repeat this task.
Task
1. In the Failover Cluster Manager, right-click the ePO application role, then select Add Resource → Generic Service.
2. On the New Resource Wizard, select the ePolicy Orchestrator Application Server service, then click Next.
3. On the Confirmation page, click Next to create the service, then click Finish to create the generic service.
Task
1. Restart the system functioning as the active node. The passive node automatically becomes the active node.
The amount of time required for the passive node to become active depends on your unique environment.
2. Manually refresh your browser session. If failover is successful, you are redirected to the McAfee ePO logon page.
Task
1. If you have Agent Handlers configured, log on to the systems where the Agent Handlers are installed, then open the Windows
Services panel and stop the McAfee Event Parser and McAfee Apache services.
See your Microsoft software product documentation for more information about using the Windows Services panel.
2. Using an account with local administrator permissions, log on to the Windows Server (the first node of the cluster) used as the
restore McAfee ePO server.
3. If needed, in the Failover Cluster Manager, create the McAfee ePO application role, Client Access Point, and shared data drive
resources.
For more information, see Installing Software in a Cluster environment .
4. Extract the files to a temporary location, and double-click Setup.exe.
The version of McAfee ePO being restored must be the same as the version used to create the snapshot in the database. You
can download the correct version from the Intel website.
Important: If you try to run Setup.exe without first extracting the contents of the .zip file, the installation fails.
The McAfee ePolicy Orchestrator - InstallShield Wizard starts.
5. Select Restore ePO from an existing database snapshot and click Next to begin the installation process.
6. In the Install additional software step, any remaining prerequisites are listed. To install them, click Next.
Results
After completing these steps, your McAfee ePO software is restored.
Task
1. To set all McAfee ePO services to offline, open the Windows Cluster Administrator/Management tool, then click Start → Programs →
Administrative Tools → Failover Cluster Manager.
Upgrade checklist
This checklist includes all steps to upgrade one standalone McAfee ePO server.
Additional upgrade steps are required if you installed McAfee ePO in a cluster environment.
Task
View these KnowledgeBase articles:
• Supported upgrade paths — KB86693
Note: If upgrading from your current version of McAfee ePO is not supported, upgrade to an interim version first.
• Supported products — KB87142
• List of McAfee ePO known issues — KB87673
Task
1. Download the McAfee ePO Pre-Installation Auditor from the McAfee ePO Downloads page: secure.mcafee.com/apps/
downloads/my-products/login.aspx.
2. Double-click ePIP.exe to launch the auditor.
Task
Notify your McAfee ePO administrators about the upcoming downtime.
Task
Follow the McAfee ePO server backup and disaster recovery procedure (see KB66616).
Make sure that your Windows Server has enough disk space
Verify that the system temp drive and the McAfee ePO installation drive have sufficient disk space for the upgrade.
• System temp drive — Requires 2 GB or more of free disk space
• Installation drive — Requires up to three times the size of the Intel\ePolicy Orchestrator folder or 20 GB, whichever is greater.
Task
1. Stop the McAfee ePO services.
a. Press Windows+R, type services.msc, then click OK.
b. Right-click the following services and select Stop:
◦ McAfee ePolicy Orchestrator Application Server
◦ McAfee ePolicy Orchestrator Server
◦ McAfee ePolicy Orchestrator Event Parser
2. Delete the files in these folders:
◦ <McAfee ePO installation directory>\Server\Logs
◦ <McAfee ePO installation directory>\DB\Logs
◦ <McAfee ePO installation directory>\Apache2\Logs
◦ <McAfee ePO installation directory>\Server\Temp
3. Start the McAfee ePO services.
a. Press Windows+R, type services.msc, then click OK.
b. Right-click the following services and select Start:
◦ McAfee ePolicy Orchestrator Application Server
◦ McAfee ePolicy Orchestrator Server
◦ McAfee ePolicy Orchestrator Event Parser
Task
• Check the SQL Server service name: (SQL Server (SQLEXPRESS)) or (SQL Server (EPOSERVER)).
• In SQL Server Management Studio, run this query:
select @@servername
go
Task
1. Start the SQL Server Management Studio: Click Start → Programs → Microsoft SQL Server → SQL Server Management Studio.
2. Make sure that the default database is set to master.
a. Expand Security → Logins.
b. Right-click the account and select Properties.
c. Make sure that the default database is set to master.
d. Expand User Mapping and make sure that the account has dbo in the schema for the database.
3. Make sure that your account is the db_owner in the database security properties.
a. Expand Databases → [your ePO database] → Security → Users.
b. Right-click the dbo account and select Properties.
c. Ensure that the account has dbo in the Default schema for the database.
4. If you use an NT account to authenticate to the McAfee ePO database, make sure that the account has local administrator
rights on the McAfee ePO server.
For detailed information about required SQL permissions, see KB75766.
Task
1. Start the SQL Server Management Studio: Click Start → Programs → Microsoft SQL Server → SQL Server Management Studio.
2. Make sure that Auto Close is set to False (right-click the McAfee ePO database, select Properties, then click Options).
3. Make sure that Arithmetic Abort is set to True (right-click the McAfee ePO database, select Properties, then click Options).
4. Make sure that the Compatibility Level is set to 100 (right-click the McAfee ePO database, select Properties, then click Options).
5. Make sure that the correct database collation is set in the Collation field on the General page (in Object Explorer, expand Databases
and right-click the McAfee ePO database, then select Properties).
McAfee ePO uses SQL_Latin1_General_CP1_CI_AS as the default collation for the database when an upgrade or fresh
installation of McAfee ePO is performed.
For detailed information about supported collation types for McAfee ePO, see KB73717.
Task
1. Use your Grant Number to log on to the My Products page.
2. Click the link for your product suite. On the Current Versions tab, click McAfee ePolicy Orchestrator.
3. On the Software Downloads tab, click the download link.
4. Extract the downloaded .zip file to a temporary location.
Caution: If you try to run Setup.exe before extracting the contents of the .zip file, the installation fails.
Task
1. Press Windows+R, type services.msc, then click OK.
2. Stop these services:
◦ ePolicy Orchestrator Server Service
◦ ePolicy Orchestrator Event Parser Service
3. Restart the McAfee ePO Application Server service.
Task
1. Log on to the system using an account with local administrator permissions, and find the Setup.exe file.
The executable is located in the folder where it was extracted.
Important: If you try to run Setup.exe before extracting the contents of the .zip file, the installation fails.
2. To start the McAfee ePO InstallShield wizard, right-click the Setup.exe file, and right-click Run as Administrator.
3. In the Welcome dialog box of the installation wizard, click Next.
Results
Your McAfee ePO software is now updated. Double-click the Intel icon on your desktop to start using your McAfee ePO server, or
browse to the server from a remote web console (https://<servername>:<port>)
Task
1. Copy the Agent Handler folder, included in the McAfee ePO software installation package, to the target system.
2. Right-click Setup.exe and select Run as Administrator to start the McAfee ePO Agent Handler InstallShield Wizard.
3. Click Next to begin the upgrade process.
4. Accept the license agreement, then click OK.
The Destination Folder step opens.
Task
1. Enable Windows updates to ensure that your servers receive the latest updates and patches.
2. Make sure that your policies, tasks, product deployments, and repositories are accurate and reflect your choices and
customizations.
3. To verify McAfee ePO is operating correctly, run a query or server task.
4. To verify connectivity, perform a McAfee Agent wake-up call with one or more managed systems.
5. Make sure that your registered servers are communicating with McAfee ePO.
Results
For any issues during the migration, click Cancel Migration to revert to the previous certificates. If you cancel the migration, stop the
Agent Handler services, restart the McAfee ePO service, and start the Agent Handler service again.
You can start the certificate migration again after fixing any issues.
Task
1. From the active node, open the ePO group in Failover Cluster Manager.
2. Make sure that the primary node is the active server.
3. Take this Generic Service resource offline, then delete it:
◦ ePolicy Orchestrator Application Server
Do not change these resources, which are required for a successful upgrade:
◦ Data drive
◦ McAfee ePO virtual IP address
◦ McAfee ePO virtual Network Name
4. Open the Services Control Manager and start each of these services on the primary node:
◦ ePolicy Orchestrator Server
Task
1. Open the folder where you extracted the contents of the McAfee ePO software installation package.
2. Copy the Agent Handler folder to the intended Agent Handler server system.
3. Right-click Setup.exe and select Run as Administrator to start the Intel Agent Handler InstallShield wizard.
After some installation activities take place in the background, the InstallShield wizard opens. Click Next to begin the
installation process.
4. Accept the terms in the license agreement.
The Destination Folder step opens
5. Accept the default destination or click Change to select a different destination, then click Next.
Important: The destination path must not contain double-byte characters. The path characters are a limitation of the Apache
web server. Using double-byte characters causes the installation to fail and the Apache web server service to fail on startup.
6. Configure the server information.
a. Type the system name of the McAfee ePO server with which the Agent Handler must communicate.
b. Specify which port to use for Agent Handler-to-server communication. The default port is 8443, the same port used for
client-to-server authenticated communication.
c. Type the name and password of a user with McAfee ePO Global Administrator rights, and click Next.
d. Provide the password for access to the McAfee ePO SQL database, then click Next.
The Database Information page is populated with these McAfee ePO server settings.
◦ Database Server with instance name. For example, DB-SERVER\SERVERNAME.
◦ Authentication type.
◦ Domain name where the database server is hosted.
◦ User name and Password.
◦ Database name if not provided automatically.
7. Click Install to start the installation.
8. When installation is complete, enable your Agent Handler from the McAfee ePO interface.
Solution
Cause
Message
No
Select
You an appropriate installation option.
version
are
ofattempting
McAfee
to
ePO
upgrade
software
from
has
a
been
product
installed
version
on
that
this
is
computer.
not
You
supported.
can
only
upgrade
from
a
supported
version
of
McAfee
ePO
server.
Install
The
Internet
a supported Internet browser before continuing.
computer
Explorer
where
8.0
you
or
are
later,
The
Allow
Another
the first instance of the installer to finish, or stop the first instance and restart your installation.
McAfee
instance
ePO
of
setup
the
program
McAfee
isePO
already
installer
running.
is
You
already
can't
running.
run
more
than
one
instance
of
the
installer
at
a
time.
The
Specify
For the password of the user account that you want to use.
security
Password
box
reasons,
isIntel
blank.
does
not
allow
blank
passwords.
Please
type
a
valid
password
to
continue.
The
Change
We the monitor resolution to 1024x768 or higher, then continue the installation. Otherwise, you might not be able to
computer
view
recommend
the whole screen after you start the software. For instructions on changing the monitor resolution, see the Windows
where
that file (click Start, then select Help).
Help
you
you
are
set
trying
the
tovideo
install
display
the
resolution
software
to
does
1366x768
not
or
meet
higher.
the
minimum
monitor
resolution
requirement.
The
Add
We more memory to your system or select a different system for installation that has at least 8 GB of RAM.
computer
recommend
where
that
you
you
are
install
trying
the
tosoftware
install
on
the
a
software
computer
does
with
not
at
meet
least
the
8 GB
minimum
of
memory
RAM.
requirement.
The
Use
McAfee
a supported server-class operating system.
computer
ePO
where
software
you
requires
are
that
trying
your
tocomputer
install
is
the
running
software
Windows
isServer
using
2008,
aWindows
non-
Server
supported
2012,
version
or
Specify
The
Enter the port number (default is 8082) that the McAfee ePO server uses to send wake-up calls to SuperAgents.
a
Agent
value
Broadcast
in
communication
the
port
box
“Agent
isBroadcast
blank.
communication”
field.
The
Specify
Enter the port number that the agent uses to communicate with the server.
a
Agent-
to-value
in
Server
the
communication
“Agent-
port
box
to-
isServer
blank.
communication”
field.
The
Specify
Enter the port number (default is 8081) that the McAfee ePO server uses to send McAfee Agent wake-up calls.
a
Agent
value
Wake-
Upin
the
communication
“Agent
port
box
Wake-
isUp
blank.
communication”
port.
The
McAfee
Click Browse to select a location. The default location is: C\Program Files\McAfee\ePolicy Orchestrator.
ePO
Destination
must
Folder
box
be
isinstalled
blank
in
ora
shows
folder.
the
Enter
root
a
ofDestination
aFolder
drive.
to
continue.
The
Specify
Enter the user name of the account that you want to use.
a
User
value
name
box
in
isthe
blank.
“User
Name”
field.
Contact
Setup
The Technical Support.
isLicense
unable
file
tois
read
missing
the
or
license
corrupt.
information
Contact
required
Technical
toSupport
install
for
the
assistance.
software.
The
Use
Thea supported server-class operating system.
computer
operating
where
system
you
or
are
Service
trying
Pack
toyou
install
are
the
using
software
is
isnot
using
currently
asupported.
non-
supported
version
of
the
operating
system.
Specify
The
The the password of the account that you want to use.
value
passwords
you
you
typed
typed
indo
not
Password
and
match.
Type
Confirm
a
Password
Contact
Your
The your administrator or designated Intel representative.
license
McAfee
toePO
use
license
the
has
software
expired.
has
expired.
The
Specify
This a static IP address for use with your McAfee ePO server.
computer
system
where
is
you
not
are
currently
trying
configured
towith
install
a
the
static
software
IP
does
address,
not
which
use
is
arecommended
static
for
IPthe
address.
McAfee
WeePO
recommend
server.
using
static
IP
addresses
for
McAfee
ePO
servers
to
improve
performance
and
reduce
bandwidth
use.
AUnable
1.
toVerify that the Domain, User Name, and Password you provided are typed correctly.
connection
2. Verify that the database server is running.
could
make
3.
a Verify that the user account you provided is valid for the database server.
not
The
Unable
1.
toVerify that the Domain, User Name, and Password you provided are typed correctly.
user
2. Verify that the account you used to log on to this computer has access to this domain.
account
connect
that
using
you
the
specified
information
could
you
not
provided.
be
Verify
accessed.
that
you
entered
the
correct
information
and
try
again.
Installer logs
Installer log files list details about the McAfee ePO installation process.
These logs provide information about:
• Actions taken by specific components
AH5100-Install-MSI.log Agent Handler C:\ProgramData\McAfee\ePO This file logs all Agent Handler
installation installation details including:
• Installer actions
• Installation failures
AH5100-ahetupdll.log Temporary %temp% (on the Agent Handler Logs Agent Handler back‑end
server) events.
Server logs
Server log files contain details about server functionality and various administrator services used by McAfee ePO.
Jakarta_service_<DATE>_<serverName>.log
Tomcat [InstallDir]\Server\logs Contains McAfee ePO Application
(1) Server service details.
Note: This file is not present until
after the initial Tomcat service
startup.
<AgentGuid>_<Timestamp>_Server_manifest.xml
Policy [InstallDir]\DB\DEBUG Contains details about policy
updating issues. To enable this file:
masvc_<hostname>.log
Server [Agent DATA Path]\logs Generated when masvc.exe is used.
The file contains information
related to:
macmnsvc_<hostname>.log
McAfee Agent [Agent DATA Path]\logs Generated when macmnsvc.exe is
used. The file contains information
related to:
• Peer-to-Peer server
• SuperAgent
• Wake-up
• RelayServer
macompatsvc_<hostname>.log
McAfee Agent [Agent DATA Path]\logs Generated when macompatsvc.exe
is used. The file contains
information related to the
compatibility of managed products
with McAfee Agent services.
masvc_<hostname>_backup_<backupcountnumber>.log
McAfee Agent [Agent DATA Path]\logs Generated as backup files for agent
services.
FrmInst_<hostname>.log
McAfee Agent %temp%\McAfeeLogs Generated when FrmInst.exe is
used to install the McAfee Agent.
This file contains:
• Informational messages
• Progress messages
• Failure messages if installation
fails
mcScript.log McAfee Agent Debug [Agent DATA Path]\logs Contains the results of script
commands used during agent
deployment and updating. To
enable the DEBUG mode for this
log, set this DWORD value on the
client’s registry key:
HKEY_LOCAL_MACHINE\SOFTWARE
\NETWORK ASSOCIATES\TVD\SHARED
COMPONENTS\FRAMEWORK
\DWDEBUGSCRIPT=2
Note: Delete this key when you
finish troubleshooting.
UpdaterUI_<system>.log
McAfee Agent %temp%\McAfeeLogs Contains details about the updates
to managed products on the client
system.
Task
1. When you select the existing SQL Server, gather this information and complete these steps before beginning your installation.
These steps ensure that your McAfee ePO software can communicate with the database server:
◦ Verify that the SQL Browser Service is running.
◦ Make sure that the TCP/IP Protocol is enabled in the SQL Server Configuration Manager.
◦ Update the system that hosts your McAfee ePO server and your SQL Server with the latest Microsoft security updates, then
turn off Windows updates during the installation process.
◦ Confirm the SQL backup file that you copied from the primary server was restored using the Microsoft SQL process.
◦ Stop Remote Agent Handler services on all systems, before restoring the McAfee ePO software.
2. If you have remote Agent Handlers configured, log on to the systems where the Agent Handlers are installed, then open the
Windows Services panel. Stop the McAfee Event Parser and McAfee Apache services.
Note: See your Microsoft software product documentation for more information about using the Windows Services panel.
3. Using an account with local administrator permissions, log on to the Windows Server computer used as the restore McAfee
ePO server.
4. Downloaded from the Intel website, extract the files to a temporary location, and double-click Setup.exe.
Important: If you try to run Setup.exe without first extracting the contents of the .zip file, the installation fails.
The McAfee ePolicy Orchestrator - InstallShield Wizard is started.
5. Click Restore ePO from an existing database snapshot and Next to begin the restore installation process.
6. In the Install additional software step, any remaining prerequisites are listed. To install them, click Next.
7. In the Destination Folder step, click:
◦ Next — Install your McAfee ePO software in the default location (C:\Program Files\McAfee\ePolicy Orchestrator (x86)\).
◦ Change — Specify a custom destination location for your McAfee ePO software. When the Change Current Destination Folder
window opens, browse to the destination and create folders if needed. When finished, click OK.
8. In the Database Information step, select the Microsoft SQL Server name from the Database Server list. Specify which type of Database
Server Credentials to use, then click Next.
◦ Windows authentication — From the Domain menu, select the domain of the user account you're going to use to access the SQL
Server. Type the User name and Password of your restored SQL database.
◦ SQL authentication — Type the User name and Password for your SQL Server. Make sure that credentials you provide represent an
existing user on the SQL Server with appropriate rights.
The Domain menu is grayed out when using SQL authentication.
Note: You might need to type the SQL server TCP port to use for communication between your McAfee ePO server and database
server. The McAfee ePO installation tries to connect using the default ports, 1433 and 1434. If those ports fail, you are
prompted to type an SQL Server TCP port.
9. In the HTTP Port Information step, review the default port assignments. Click Next to verify that the ports are not already in use on
this system.
10. In the Administrator Information step, type the Username and Password you used for your previously existing server administrator
account.
11. Type the Keystore encryption passphrase you saved during the initial installation of the previously existing McAfee ePO server, or
changed in the Server Settings.
The Keystore encryption passphrase decrypts the sensitive files stored in the Disaster Recovery Snapshot.
12. In the Type License Key step, type your license key, then click Next.
Results
Your McAfee ePO software is now restored. If needed, double-click on your desktop to start using your McAfee ePO server,
or browse to the server from a remote web console (https://<server_name>:<port>).
Task
1. If you have Agent Handlers configured, log on to the systems where the Agent Handlers are installed, then open the Windows
Services panel and stop the McAfee Event Parser and McAfee Apache services.
See your Microsoft software product documentation for more information about using the Windows Services panel.
2. Using an account with local administrator permissions, log on to the Windows Server (the first node of the cluster) used as the
restore McAfee ePO server.
3. If needed, in the Failover Cluster Manager, create the McAfee ePO application role, Client Access Point, and shared data drive
resources.
For more information, see Installing Software in a Cluster environment .
4. Extract the files to a temporary location, and double-click Setup.exe.
The version of McAfee ePO being restored must be the same as the version used to create the snapshot in the database. You
can download the correct version from the Intel website.
Important: If you try to run Setup.exe without first extracting the contents of the .zip file, the installation fails.
The McAfee ePolicy Orchestrator - InstallShield Wizard starts.
5. Select Restore ePO from an existing database snapshot and click Next to begin the installation process.
6. In the Install additional software step, any remaining prerequisites are listed. To install them, click Next.
7. In the Destination Folder step, click Change to specify a custom destination location for your McAfee ePO software. When the
Change Current Destination Folder window opens, browse to the destination and create folders as needed. When finished, click OK.
Important: Make sure that you specify a destination folder that is accessible from all nodes of the cluster.
8. In the Set Virtual Server Settings step, provide the Virtual Server IP address, McAfee ePO Virtual Cluster Name, McAfee ePO
Virtual Cluster FQDN, and Cluster Configuration Passphrase, then click Next.
Results
After completing these steps, your McAfee ePO software is restored.
FIPS basics
The United States Government developed the Federal Information Processing Standards (FIPS) to define procedures,
architecture, algorithms, and other techniques used in computer systems.
FIPS 140-2 is a government standard for encryption and cryptographic modules where each individual encryption component in
the overall solution requires an independent certification.
Federal Information Processing Standard 140-2 specifies requirements for hardware and software products that implement
cryptographic functionality. FIPS 140-2 is applicable to "all Federal agencies that use cryptographic-based security systems to
protect sensitive [but unclassified] information in computer and telecommunication systems (including voice systems) as defined
in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104–106." The "-2" in FIPS 140-2
denotes the revision of the standard.
The full FIPS text is available online from the National Institute of Standards and Technology (NIST).
Certificate
Cryptographic
Link
number
Module
2056
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2056
RSA
BSAFE
Crypto-
C
Micro
Edition
(Crypto-
C
ME)
4.0.1
2057
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2057
RSA
BSAFE
Crypto-
J
JSAFE
and
JCE
(JCM)
6.2.1
1747
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
OpenSSL
FIPS
Object
Module
2.0.8
Note:
This
module
FIPS mode
A McAfee ePO server runs in FIPS mode after a clean installation with FIPS mode enabled.
In FIPS mode, McAfee ePO:
• Places extra constraints on the types of security methods allowed
• Performs additional tests on startup
• Allows connections only from a FIPS-compliant version of the McAfee Agent
Your organization might need to use McAfee ePO in FIPS mode if you fall into one of these categories:
• You are a US Government organization required to operate FIPS 140-2 compliant cryptographic models per FISMA or other
Federal, State, or local regulations.
• Your organization requires the use of standardized and independently evaluated cryptographic modules per Company policy.
Don't use McAfee ePO in FIPS mode if you fall into one of these categories:
• You integrate with legacy systems or products that do not support McAfee ePO in FIPS mode.
• Your organizational polices allow you to choose which products or cryptographic modules to operate in FIPS mode. For
example, an organization might elect not to operate McAfee ePO in FIPS mode, and only operate McAfee® Drive Encryption on
mobile computers in FIPS mode.
Mixed mode
This mode is a standard McAfee ePO installation not running in FIPS mode.
In Mixed mode, McAfee ePO does not follow the constraints and tests described for FIPS mode, and is not compliant with FIPS
levels of security.
Note: Your managed systems are still secure, but the certificates and Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols are different.
Task
1. In a command window, change directories to the folder that include the McAfee ePO installer.
2. Invoke the installer with the command setup.exe ENABLEFIPSMODE=1.
3. Continue with the installation.
Important: Do not change the default setting for the agent-server secure communication (ASSC) port. Leave it set as enabled
on port 443. In FIPS mode, the agents communicate with the McAfee ePO server using this ASSC secure port.
Task
1. In a command window, change directories to the folder with the new McAfee ePO installer.
2. Invoke the installer with the command setup.exe ENABLEFIPSMODE=1.
3. Continue with the upgrade.
Task
1. Use a text editor to open the server.ini file.
The server.ini file is located in your McAfee ePO installation directory: <epoinstalldirectory>\DB\server.ini
2. Look for the FipsMode value.
This value indicates the server operating mode:
◦ FipsMode=0 — The server is in Mixed (normal) mode. To put your server in FIPS mode, repeat the installation or upgrade
process.
◦ FipsMode=1 — The server is in FIPS mode.
Task
1. Close all database management software.
2. On the system where your McAfee ePO server is installed, open the Windows Control Panel, then click Programs and Features →
McAfee ePolicy Orchestrator → Uninstall/Change.
The Remove McAfee ePolicy Orchestrator dialog box opens.
3. Select whether to Also remove the ePolicy Orchestrator database, then click Remove.
Note: Supply credentials to grant sufficient permissions to remove the database. If the provided credentials are not sufficient,
you can complete the uninstall process without removing the database.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.