[duplicate posting of https://community.mcafee.com/message/166015#166015]
We currently use VirusScan Enterprise 8.7 in "unmanaged" mode (i.e. no ePO); we have two computers, also running VirusScan Enterprise 8.7, that run a mirror task; the mirrored folders are then made available to network PCs via an FTP service. This means that all clients fetch updates from these FTP servers. It is highly resilient and load balanced.
Anyway, we're looking to deploy McAfee HIPS 7.0. We've been trialling this successfully and are now looking for a "production class" deployment. According to "McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0", page 22, HIPS clients can only fetch updates from the ePO server. The spirit of ePO seems to be one ePO server in an environment, then use distributed repositories. Fine for anti-virus DATs, no use for HIPS content updates.
How do I design the system in order to give us highly available content updates?
- Register an additional ePO server? The ePO product guide hints at what to do, but doesn't really elaborate why. Further, it seems a fairly "intimate" relationship, using SQL database instances and passwords, etc. This suggests they might be less than "independent"; what I have with the two McAfee VirusScan Enterprise 8.7 mirror-then-FTP-service boxes is completely independent boxes: one can fail and have absolutely zero impact on the other. I am anxious this won't be the case with these ePO servers.
- Have two independent ePO servers, each with a master repository that is updated hourly, but then clients register with and are managed by only one of the ePO servers, while the second ePO server is an additional repository? Is this even possible? I would imagine I'd have to export keys from the first server and import them into the second to avoid authentication/trust issues.
- Accept this limitation? Only one ePO server, and be prepared with a short RPO/RTO?
Another, related question. I'm using ePO mainly because I have to: HIPS requires it. I need to distribute updates and policies, and feedback about detections is nice, but keeping it for a long time is not really necessary. Would it be appropriate for my backup/recovery strategy to simply back up the keys; then, to restore, rebuild from scratch, same server/IPv4 address, import the keys, connect to Active Directory? Initially, all the clients would be unmanaged again. However, within hours, McAfee Agent will connect to the newly-built server and become "managed" again. While the server is down, the last known policies will be retained and continue
I would be interested in how others have considered/approached/addressed this.
> According to "McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0", page 22, HIPS clients can only fetch updates from ePO server. The spirit of ePO seems to be one ePO server in an environment, then use distributed repositories. Fine for anti-virus DATs, no use for HIPS content updates.
Host IPS clients can retrieve updates from a managed ePO repository (which can be the master repository or a distributed repository). The McAfee Agent policy dictates which repository clients connect to in order to get updates.
> Another, related question - using ePO mainly because I have to: HIPS requires it. Need to distribute updates and policies, and feedback about detections is nice, but keeping it for a long time is not really necessary.
The Host IPS product architecture requires ePO server (policy/update) functionality. The product is not supported in unmanaged mode.
Thanks for your reply. The Product Guide does seem to insist content updates can only come from the ePO master repository:
Page 22: "Host Intrusion Prevention clients obtain updates only through communication with the ePO server, and not directly through FTP or HTTP protocols"
By implication, HIPS clients cannot obtain updates from distributed repositories (i.e. FTP, HTTP or UNC repositories). Have I misunderstood?
I am aware that HIPS requires ePO. I'm really suggesting I don't need to back up or recover the ePO data store; in a restore situation, I would simply rebuild from scratch and restore the keys only. I wanted opinions on this approach.
Just to clarify:
- Is the documentation wrong? Can HIPS clients obtain content updates from either the master repository or distributed repositories?
- What are the backup and recovery strategies for ePO?
You should be able to set up distributed repositories using ePO. You can also specify how you want failover to occur for content. You might want to post this question on the ePO forum.
HIP only requires that it be managed by ePO. HIP content is not posted on an HTTP or FTP common updater site, as is the case for VSE DATs.