cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

ePO upgrade to 5.10 from 5.3.3

I'm running ePO 5.3.3 currently.  The only product I manage under it is VSE 4.8.  I know I need to get upgraded on ePO and also need to upgrade to ENS.  I was kind of hoping the ePO upgrade would be easiest to tackle, so I'm working on that by running the auditor and trying to work with the upgrade checklist but ran into a couple of questions I thought I'd throw out here.

On the checks I get in information note on Supported TLS protocols for SQL Server communication. It says "Make sure your McAfee ePO server machine and SQL server machine supports communication over TLSv1.1 or TLSv1.2 protocols.".  So my epo server and my sql server are both server 2012 R2.  My install of SQL server is older (2008 r2).  In any case - it was unclear if any action is needed here.  From what I can read, everything CAN be TLS 1.2 compatible, but I couldn't determine if it was required?

On my product compatibilty check - I had several blocked extensions that were tied to CSR, which I messed with a little, but (thought) I had since removed.  So I went and removed the remaining bits of CSR and everything cleared up except "Analytics 2.2.0.159" is still listed as blocked, but for the life of me I can't figure out how to remove it.  Will it hurt anything to upgrade with that listed as blocked since I'm not using CSR?  


Thanks

 

 

 

17 Replies
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 2 of 18

Re: ePO upgrade to 5.10 from 5.3.3

Refer to KB51569 - epo 5.10 is not supported with sql 2008 any version.  Yes, tls 1.1 and 1.2 is required.  5.10 doesn't support tls 1.0, which is one of the reasons for not supporting sql 2008.  

You can't find the Analytics extension listed anywhere under all the categories under extensions?  I wouldn't attempt to upgrade until you remove that one.  It might cause upgrade to fail.  Please be sure to also go through KB71825 before upgrading.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: ePO upgrade to 5.10 from 5.3.3


@cdinet wrote:

Refer to KB51569 - epo 5.10 is not supported with sql 2008 any version.  Yes, tls 1.1 and 1.2 is required.  5.10 doesn't support tls 1.0, which is one of the reasons for not supporting sql 2008.  

You can't find the Analytics extension listed anywhere under all the categories under extensions?  I wouldn't attempt to upgrade until you remove that one.  It might cause upgrade to fail.  Please be sure to also go through KB71825 before upgrading.


Alright then - well originally I had planned on going to 5.9, but saw that 5.10 is out - it does look like sql server 2008 will work with 5.9, so I'm assuming that is my path forward at the moment then?  Are there the same TLS requirements?  I just couldn't tell from the auditor if there was a problem or information only.

I have now spoted analytics under shared components, so I'm guessing that it was more than just CSR that used it and rather than removing it, I likely need to upgrade it?

 

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 4 of 18

Re: ePO upgrade to 5.10 from 5.3.3

If there is a higher version to upgrade to that 5.10 or 5.9.1 supports, that would be the way to go.  5.9.1 supports tls 1.0, 1.1 and 1.2.  5.9.1 supports sql 2008 r2 and 2008 not R2 as long as it has sp1 or higher installed.

For the sql server, make sure to have the cipher suite ordered correctly for RSA compatibility, even if you don't use ssl certs to authenticate to the database.  If you download the free IISCrypto tool, run it on the sql server and under ciphers, choose best practices and apply that and it will order that for you.  If you don't do that, the upgrade will definitely fail.

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

ArturXX
Level 7
Report Inappropriate Content
Message 5 of 18

Re: ePO upgrade to 5.10 from 5.3.3

According to article KB90222 ePO 5.10 can work as workaround with TLS 1.0 Using switch before upgrade.  Does it function correctly after upgrade ?

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 6 of 18

Re: ePO upgrade to 5.10 from 5.3.3

Yes, it will function, but as advised in the kb:

CAUTION: McAfee strongly discourages enabling TLS 1.0 in ePO 5.10, because doing so reduces the security posture of your ePO server. These instructions are intended for use only as a last resort, and only temporarily until other servers in the environment are upgraded to a version that can consume a TLS 1.1 or 1.2 connection.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

ArturXX
Level 7
Report Inappropriate Content
Message 7 of 18

Re: ePO upgrade to 5.10 from 5.3.3

Understand that. Can you verify if ePO 5.3.2 by default uses TLS 1.0 ?

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 8 of 18

Re: ePO upgrade to 5.10 from 5.3.3

Yes it does.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

ArturXX
Level 7
Report Inappropriate Content
Message 9 of 18

Re: ePO upgrade to 5.10 from 5.3.3

What would be drawback of using TLS 1.0 with ePO 5.10 ? Sorry that I ask but "security posture" from article explaination doesn't say much to me. 

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 10 of 18

Re: ePO upgrade to 5.10 from 5.3.3

You can check out some of the info on this site, but there are others that talk about the vulnerabilities of that protocol.

https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1/

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support

    • Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center