The Host IPS product is not cluster-aware, but just follow the same installation instructions as documented in the Host IPS Installation guide. Install the software on each physical node of the cluster.
I'd been warned by someone high up in DISA that installing HIPS agents on clusters was tricky. Are you saying it's just like installing it on any other system?
The installation of the Host IPS software on servers that are clustered is no different that non-clustered servers or workstations. The installation (execution of the McAfeeHIP_ClientSetup.exe) is the same for any Windows-based system.
KB58954 - Host Intrusion Prevention 7.0 Server is not cluster environment aware
Now, you do have to be aware that when installing the Host IPS 7.0 product on a system, it will tear down the network stack to install the NDIS drivers. This network loss might cause the cluster to perform a failover. Perform the install during a maintanence window to avoid any non-scheduled outages. That may be what you're referring to. But the installation of the HIPS software itself is no different on physical nodes of a cluster.
Is there any recommended order to installing; i.e. install to passive first, failover to passive; then install to other system?
Just a quick follow up question that came to mind this morning, Kary. You said "(execution of the McAfeeHIP_ClientSetup.exe)" which seems to imply manually running installing HIPS (as opposed to using a client task?).
Is there any problem using an ePO client task to install to the passive node first, then a client task again for the remaining node?
Deploying via ePO executes the McAfeeHIP_ClientSetup.exe. I was referring mainly to installing HIPS via non-ePO deployment tasks, i.e., to run the .EXE vs. installing via the .MSI file.
Installing via the .MSI file only is not supported; unzip all files from the client installer zip file and the .EXE must be run (if performing a non-ePO install).