t-baker
Level 7
Message 1 of 10

New to ePO 4.5

Hi,

I am new to ePO 4.5. I have brought up a Windows Server 2008 32-bit SP1 box and installed ePO 4.5. I have synced my System Tree to our Active Directory and added users. I have specified my e-mail server and tested successfully. I am now ready to set up and install certificates and private keys. This I have never done before. Where do I obtain the keys (McAfee site?) There are keys installed, but when I view the server certificates I see the message "Click the 'Edit' button if you wish to update the server certificate used for HTTPS communication with browsers." I have been searching the web for more info and this discussion is part of that process. Any information/direction is appreciated.

T

1 Solution

Accepted Solutions
McAfee Employee
Message 10 of 10

Re: New to ePO 4.5

Absolutely. It depends to a large extent on how many client machines you will be managing, but it's entirely possible to run everything from one machine.

Agent handlers and distributed repositories are really there to take some of the load off the ePO server itself, but if that load is manageable by a single machine, they are not required.

HTH -

Joe

9 Replies
oaker
Level 9
Message 2 of 10

Re: New to ePO 4.5

In the EPO GUI: Server Settings > Server Certificates

Here you add the certificate you have previously created/acquired. After adding the certificate data you have to completely restart the EPO server. Now, that's all there is about EPO and the HTTPS certificate. Everything else has nothing to do with EPO and must be done outside of it. You see, every computer has a certificate store locally (OS/browser) where all trusted certificate authorities are saved. If you come across an HTTPS site, the certificate is then checked/compared with the local store to see if it is trusted.

There are two ways to approach this. Either you have to create an official certificate with one of the authorities that are trusted by your clients/browsers, or you have to create your own certificate, but that would also force you to add your own root certificate to each and every system that wishes to use your EPO GUI. If you are working in a big company you probably have your own authority or root certificate, and in that case you simply need to request a certificate internally. If not, then you might need to use VeriSign, GoDaddy, Comodo or a similar provider, and it most likely will cost you money and you have to be reviewed. So:

- Create your own root/SSL certificate (clients using your epo need to install/add the root certificate)

- Acquire an official SSL certificate by a trusted CA (costs money and you have to be reviewed)

- Use your company CA and get a certificate from the people inside your company (only bigger companies have that)

Pick your poison.

Message was edited by: oaker on 23/09/11 11:39:55 IST
t-baker
Level 7
Message 3 of 10

Re: New to ePO 4.5

Wow, a lot of great information, and just the type of information I'm looking for.

Thanks

McAfee Employee
Message 4 of 10

Re: New to ePO 4.5

There is a KB which discusses using a custom SSL certificate with ePO 4.6 - but most of the steps apply to ePO 4.5. Check KB72477 - "How to generate a custom SSL Certificate for use with ePO 4.6 using OpenSSL toolkit" for details.
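
The first option from the list earlier in the thread (your own root certificate, which every client must then add to its store), sketched with the OpenSSL command-line tool. This is an added example, not part of any post and not the steps from KB72477; the hostname and CA name are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added illustration: private root CA -> server certificate -> trust check.
# The hostname and the CA subject name are constructed placeholders.

make_chain() {
  # $1 = working directory, $2 = server hostname (placeholder)
  # 1. Private root CA: key plus self-signed certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  # 2. Server key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  # 3. The root CA signs the request; the SAN carries the hostname browsers check.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/san.ext" \
    -out "$1/server.crt" 2>/dev/null || return 1
}

trusted_by() {
  # $1 = PEM file of root certificates a client trusts, $2 = certificate to check.
  # OpenSSL may also consult its default certificate directory; the private
  # root is not in there, which is exactly the situation of a client that has
  # not installed it. Prints "trusted" or "untrusted".
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Stand-alone run: the server certificate checked against its own root.
work=$(mktemp -d)
make_chain "$work" epo.example.internal && trusted_by "$work/ca.crt" "$work/server.crt"
```

A client whose store holds a different root reports the same server certificate as untrusted, which is why the private root has to be distributed to every system that opens the console.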

t-baker
Level 7
Message 5 of 10

Re: New to ePO 4.5

Thanks Spamidi,

I am also unclear on another point.

1. Is an Agent Handler required in every system? Our servers are all centrally located, with the exception of DR.

T.

oaker
Level 9
Message 6 of 10

Re: New to ePO 4.5

No, but a McAfee Agent is obviously required on each managed system. An Agent Handler is only needed if you want to manage different geographic or logical locations that have no (or a very slow) direct connection to the EPO server, or as a (worse) alternative to superagents or repositories to distribute the load of signature updating and unburden the EPO server. However, I'm managing EPO servers with about 5000 clients each scattered around our country without additional handlers or repositories. It works, although it is not something I would recommend.

So no, you probably don't need even one handler if all your managed systems are centralized and if there is no restrictive zone concept in effect with several VLANs, firewalls and other shenanigans.

Message was edited by: oaker on 26/09/11 13:33:19 IST
McAfee Employee
Message 7 of 10

Re: New to ePO 4.5

> An Agent Handler is only needed if you want to manage different geographic or logical locations that have no (or a very slow) direct connection to the EPO server or as a (worse) alternative to superagents or repositories to distribute the load of signature updating and unburden the EPO server.

Hi - unfortunately this is incorrect (assuming that the SQL server is located close to the ePO server). Agent handlers should never be used over slow links - they require a permanent, high-speed, low-latency connection to the SQL server hosting the ePO DB. In extreme cases one AH over a very poor link can cripple the entire ePO installation, as it locks the DB for so long that nothing else gets done.

I agree that they are a much worse alternative to distributed repositories, though.

Regards -

Joe

Re: New to ePO 4.5

Thank you Joe, that is correct.

Agent Handlers require very good connectivity to the database!

Typical use:

1. Scalability

2. Allow remote systems to connect to the local ePO server via an Agent Handler in the DMZ

Please see the following document for more information.

http://www.mcafee.com/us/resources/white-papers/wp-agent-handler-epo-4-5.pdf

Best Regards,

Ulli

t-baker
Level 7
Message 9 of 10

Re: New to ePO 4.5

Thanks to everyone who has posted.

I have a basic question. Can I operate successfully without an Agent Handler or distributed repositories? Can I run my repository local to the ePO server with no Agent Handler loaded on remote servers? If the answer is yes, I think I'm ready to move forward.

Regards

T.
