We have McAfee Agent 4.8 and VSE 8.0 Patch 7 installed in our environment. The issue here is that the roaming user machines (the users who have laptops and visit different sites for business) are getting DAT updates from different repositories rather than getting updates from their own repository or the central ePO server.
Is this common behavior? If yes, my question here is: if they are not able to get the updates from their local dedicated repositories, they should contact the central ePO server for the updates.
There is one more twist here: the machines which are contacting different repositories are downloading the full DAT .gem file instead of downloading the incremental DAT, which is causing high CPU and bandwidth utilization for the users.
Suggestions on the above issue are much appreciated.
If DAT updates from a different repository are the issue, you can restrict this through the McAfee Agent Repository policy; just enable the dedicated server and central ePO.
(McAfee ePO console - Menu - Policy Catalog - McAfee Agent - Repository - New Policy - Configure the new policy with only the dedicated server enabled)
Mariyappa, I appreciate your response.
We have around 250 repository servers and, as you said, the policy is only configured to take the updates from the dedicated repository server.
Even though it is configured for the dedicated server, for some reason the roaming users' laptops are contacting a different repository server to take the updates.
How do you handle pushing updates from your master repository to your distributed repositories? If a system goes to update, and the master repository is on a newer version of the DAT than some or all of your distributed repositories, the Agent will go to one of the repositories that's currently updated.
There is an option to replicate the distributed repositories through a server task, by which all the current and latest updates will be updated in the distributed repository.
True, the updates will be replicated from the master repository to the distributed repositories via a scheduled task.
HOWEVER, even after we have defined in the policy that a particular machine/laptop should take updates from a particular repository, the roaming users are contacting different distributed repositories instead of their own.
Right, but if your distributed repositories aren't fully synchronized with your master, when a client goes to download updates from the distributed repository, if it's not synchronized, it will go download updates from other repositories. Are you synchronizing to your distributed repositories immediately after updating your master?
Any chance that your VPN users are prevented from accessing some internal ports/IPs by firewall rules?
I don't remember the exact conditions but under certain conditions, after a certain number of failures to download gem files, the task reverts back to the full dat.
BTW, 250 repositories is a lot. Where most downloads from the repositories are gem files, it takes a few hundred downloads to offset the data transferred for a full DAT file. I have an environment with >10k devices with about 25 repositories.
Your configuration is somewhere between 250 repository policies and 1 repository policy. Hopefully you have a hybrid of this. With all repositories on the same list, the agent pings all repositories for a minimum of 5 seconds, and by up to 3 methods (NetBIOS name, FQDN and IP). So 250 * 5 * 3 seconds is your worst-case scenario for 1 policy.
So a quick fix would be to create a policy to update those devices from central only, tag for laptop devices and assign policy by tag with a policy assignment rule.