Starfish4711
Level 7

Endpoint Encryption v6.0 without AD, timeframe for v6.1

Hi,

Our network does not have an Active Directory, it's eDirectory-based. Reading the docs of EC v6.0, it seems that this product is more or less useless in a non-AD environment, because it demands that an AD exists. Or can I manage the endpoint systems without the user accounts that have been read from AD? Which features would not work in this case?

On the other hand, I have found information that EC 6.1 might provide general LDAP and eDir support and should be near the end of beta right now. Can somebody confirm the eDir support and give information on when 6.1 shall be available to the public?

Thanks in advance.

Frank

0 Kudos
16 Replies
peter_eepc
Level 15

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

You might have better chances to get an answer if you ask the same question in the EEPC Beta forum.

0 Kudos
Starfish4711
Level 7

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

OK, I might be blind, but below "McAfee Communities > Business > Data Protection" I cannot see any beta section... Can you provide a link?

0 Kudos
SafeBoot
Level 21

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

For access to the beta, speak to your account manager - EEPC is not in public beta, it's private by invitation.

Re Novell support though, no, it's not planned in 6.1 - the EPO team are working on Open LDAP at the moment, but that's different to Novell's implementation.

I hate passing stones, but directory support is a function of EPO, not of EEPC, so it's the EPO team who need to be convinced that your case is worthy.

0 Kudos
peter_eepc
Level 15

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

I disagree with your comment:

> I hate passing stones, but directory support is a function of EPO, not of EEPC, so it's the EPO team who need to be convinced that your case is worthy.


EEPC transitions from 5.x to 6.x. So while multiple directory provider connectors were present in version 5.x, it is normal to assume this trend should have some continuation. That's nothing to do with ePO. This issue must be addressed by both teams (EEPC and ePO) now.

Of course EEPC team might just say: No support for legacy directory providers, and no future plans for them.

0 Kudos
SafeBoot
Level 21

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

6 is not a new version of 5, it's a totally new product.

You can't assume anything - none of the v5 tech is portable into v6.

My point is, that if EPO does not offer support for a particular directory, neither will ANY EPO connected product. Conversely, when EPO supports a directory, EVERY connected product will also support that.

0 Kudos
peter_eepc
Level 15

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

It is still named Endpoint Encryption for PC and has version continuation (5.x -> 6.x) plus migration from 5.x module.

A completely new product should have a different name and start versioning from scratch.

0 Kudos
Starfish4711
Level 7

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

The problem may have two parts:

On the one hand, EEPC v6 is managed by ePo and therefore it makes sense that ePo is the one who has to connect to the LDAP directory, since we want only 1 connection from the McAfee stuff to the general user database.

The second part *may* be whether EEPC itself is relying on AD somehow. Maybe by assuming that a client has to be connected to AD and/or a domain user account. That would be very very bad and I hope that this is not the case!

I guess for Novell networks there is no need for a special eDirectory connector, a standard LDAP connector should do (my experience so far). In contrast, it is always said that AD is not standard LDAP (as always with that MS stuff).

For general use the LDAP connector should allow some configuration (even if it's a plain text config file) so that e.g. attribute mappings can be done. Should not be much work to do.

Dropping support for any other directory service besides AD would be a bad idea.

Back to one of my questions: do I need the user import from the directory or can I use EEPC without them?

0 Kudos
peter_eepc
Level 15

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

> The second part *may* be whether EEPC itself is relying on AD somehow. Maybe by assuming that a client has to be connected to AD and/or a domain user account. That would be very very bad and I hope that this is not the case!


Unfortunately this IS the case. Please read v6 release notes.

0 Kudos
SafeBoot
Level 21

Re: Endpoint Encryption v6.0 without AD, timeframe for v6.1

> On the one hand, EEPC v6 is managed by ePo and therefore it makes sense that ePo is the one who has to connect to the LDAP directory, since we want only 1 connection from the McAfee stuff to the general user database.

You are correct - EPO connected products use services in the McAfee agent etc - so it, and EPO handle things like user lookup, policy updates etc.

> The second part *may* be whether EEPC itself is relying on AD somehow. Maybe by assuming that a client has to be connected to AD and/or a domain user account. That would be very very bad and I hope that this is not the case!

In the sense that you get to set which attributes EEPC uses (samaccountname) etc., yes, but in the sense of doing the actual connection to the directory, no - the client uses a data channel to talk to the EPO server itself, which goes and gets the data for the client. So, in effect, the client is divorced from the directory with EPO in the middle.

> I guess for Novell networks there is no need for a special eDirectory connector, a standard LDAP connector should do (my experience so far). In contrast, it is always said that AD is not standard LDAP (as always with that MS stuff).

Yeah, that's what I hoped as well, but the attribute layouts are different and there's no capacity in EPO at the moment to define custom attribute names. It will come though. The EEPC team are very keen on it.

> For general use the LDAP connector should allow some configuration (even if it's a plain text config file) so that e.g. attribute mappings can be done. Should not be much work to do.

Totally agree, and that's what we are working towards.

> Dropping support for any other directory service besides AD would be a bad idea.

It's not so much dropping support, EPO has never supported eDirectory AFAIK?

> Back to one of my questions: do I need the user import from the directory or can I use EEPC without them?

EEPC6, for the forthcoming future, can only work by virtue of users connected from an external identity management system (i.e. AD at the moment). There's no facility like there was in V5 to create ad hoc users yourself, and this is not planned for any near-future version of EPO.

Yes, I know this might bite you, but, overwhelmingly the McAfee customer base wanted full disk encryption managed by EPO - that means all the good things about EPO, and all the current limitations have to be swallowed together.

EPO will evolve (and quickly) to be a better general security management platform, but it's designed to manage a whole bunch of products from McAfee, and also 100 or so other SIA partner vendors - EEPC is only one of those.

0 Kudos
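
The attribute-mapping idea discussed in this thread (a plain-text file that tells a generic LDAP connector which directory attribute holds the login name, display name and groups), sketched as an added example; it is not McAfee, ePO or EEPC code and is not from any poster. The eDirectory attribute names (`uid`, `fullName`, `groupMembership`), the mapping-file layout and the sample entries are assumptions constructed for illustration.

```python
import configparser

# Constructed mapping file: logical field -> directory attribute name (assumed layout).
MAPPING_INI = """
[ad]
login = sAMAccountName
display = displayName
groups = memberOf

[edirectory]
login = uid
display = fullName
groups = groupMembership
"""

# Constructed sample entries, shaped like LDAP search results (attr -> list of values).
AD_ENTRY = {"sAMAccountName": ["jdoe"], "displayName": ["Jane Doe"],
            "memberOf": ["CN=Laptops,OU=Groups,DC=example,DC=com"]}
EDIR_ENTRY = {"UID": ["jdoe"], "fullName": ["Jane Doe"],
              "groupMembership": ["cn=Laptops,ou=Groups,o=example"]}

REQUIRED = ("login",)       # a user without a login name cannot be assigned to a machine
MULTI_VALUED = ("groups",)  # keep every value instead of only the first


def load_mappings(text):
    """Parse the mapping file into {directory_type: {field: attribute}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def normalise(entry, mapping):
    """Map one directory entry to logical fields using the chosen mapping."""
    # LDAP attribute names are case-insensitive, so compare lower-cased.
    lowered = {attr.lower(): values for attr, values in entry.items()}
    user = {}
    for field, attr in mapping.items():
        values = lowered.get(attr.lower(), [])
        if field in MULTI_VALUED:
            user[field] = sorted(values)
        else:
            user[field] = values[0] if values else None
    missing = [f for f in REQUIRED if not user.get(f)]
    if missing:
        # Reject the entry rather than import a user nobody can log in as.
        raise ValueError(f"entry lacks required field(s): {missing}")
    return user
```

Running the `ad` mapping over the eDirectory entry raises `ValueError`, which is the failure the thread describes: a connector with fixed AD attribute names finds no login attribute in a directory that lays its attributes out differently.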