12 Replies Latest reply on May 18, 2010 6:18 AM by konecnym

    EE6 in enterprise environment - some information and questions

    konecnym

      Hello.


      Our situation (only workstations; I'm not responsible for servers):

      12 000 users in LDAP

      (OU tree in AD by letter  A-> A1, A2, A3, next B-> B1, B2, B3  .....)

      1x ePO 4.5 Patch 1

      1x SQL 1x master
      3x distributed repositories (remote location)

       

      VirusScan Enterprise 8.7 Patch 2 (Patch 2 because we use CheckPoint VPN) + HotFix 517265 (error while PC is shut down)
      VirusScan Spyware Module 8.7
      Host Intrusion Prevention 7.0 Patch 6 (we expect Patch 7) + HotFix 514581
      Endpoint Agent 1.0
      Endpoint Encryption 6.0

       

      6500 PC (desktops)

      2500 NTB (notebook)

       

      Only NTB will be encrypted.

      1/2010 - We used a competitive solution on 2300 NTBs.

               On 200 NTBs we have Endpoint Encryption 5.1.9 in pilot.

               (EE 5 - the management is bad; several users suddenly can't log in. Why? The only help is to delete the user and create a new one.)

       

      Now we are preparing deployment of the new version EE6 on 500 NTBs.

       

      There we have some problems....

       

      1) We want to synchronize ALL OU USERS (recursive) from LDAP.
         Every NTB user will be able to work on every NTB.

         We don't know... Is it possible to synchronize 12,000 accounts?

       

      2) In this version it isn't possible to show an on-screen keyboard. Maybe in 2/2010.

       

      3) It isn't possible to use right Alt+(..) for inserting special characters. Maybe in 2/2010.

       

      4) We changed the background (from the default McAfee theme) and added a new 1024x768 PNG with the corporate identity sign.

          It looked good on a 4:3 screen, but on an NTB LCD with 16:9 the picture was deformed.

       

      Big "+"

      + high NTB performance

      + ePO management and policy (with ePO emergency and recovery for HelpDesk) LDAP synchronize

      + reporting in ePO

      + time of encrypt and decrypt (faster than other products)

      + emergency decrypt by USB WinTech (fast)

      + Win7 (autologon) support

      + database (keys and settings) in SQL DB

      + good licence model (in EE5 was horrible)

       

      - Files and Folders not present (at this moment) for USB and external HDD (maybe 2-3Q/2010?)

       

      I am sorry, my English is bad. :-) but

       

      Michal

      I hope that you understand me :-)

        • 1. Re: EE6 in enterprise environment - some information and questions
          SCtbe

          Definitely, you can not assign 12000 users to one machine, because each user is "stored" in PBFS which is limited to 100MB, so they simply don't fit in it. Moreover there is 1000 users per machine limit.

          • 2. Re: EE6 in enterprise environment - some information and questions
            konecnym

            I have to create more groups by A1, A2 ...


            Then all users of the A1 OU will be able to log in to A1 NTBs.

            A1 has to contain fewer than 1000 users.

             

            Michal

            • 3. Re: EE6 in enterprise environment - some information and questions

              Do you use (plan to use) EE SSO? Then test thoroughly with password changes and multiple machines.

              I still think that EE works best with one user per system...

              • 4. Re: EE6 in enterprise environment - some information and questions
                SCtbe

                Sorry, I misled you.

                There is a default limit of approximately 350 users, because of the default 20MB PBFS size, which can be resized up to 100MB.

                This gives us space for approx. 9000 users per machine, because each occupies approximately 8-10KB in PBFS. This should be confirmed by McAfee support, but I based my calculation on the Endpoint Encryption version 5 and 6 Comparison Guide (FAQs) (KB66700).

                There is one catch, because 1000 is the limit of the batch size when importing users; this means "only" 1000 users can be synchronized at one time. If you have so many users assigned to a machine you should be aware that synchronization may take some time.
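To make the capacity arithmetic in the reply above concrete for the 12,000-user question that opened the thread, here is an added planning helper. It is not code from the thread, from McAfee or from KB66700. It takes the two quoted figures (about 350 users in the default 20 MB PBFS, about 9000 in the 100 MB maximum) and fits them to a fixed-overhead-plus-per-user model; that model, the 10% headroom, and the sample OU group names and counts are assumptions of this example, not figures from the page.

```python
import math

# Figures quoted in the reply above (attributed there to KB66700). Everything derived
# from them below is a planning assumption, not a vendor-confirmed formula.
DEFAULT_PBFS_MB, DEFAULT_CAPACITY = 20, 350   # ~350 users fit in the default 20 MB PBFS
MAX_PBFS_MB, MAX_CAPACITY = 100, 9000         # ~9000 users fit in a 100 MB PBFS
SYNC_BATCH_SIZE = 1000                        # users imported per synchronization batch


def fit_pbfs_model():
    """Fit capacity = (size_kb - overhead_kb) / per_user_kb to the two quoted points.

    Assumption: the non-user part of the PBFS is a fixed overhead. That is what makes
    '350 at 20 MB' and '9000 at 100 MB' consistent with the quoted 8-10 KB per user.
    Returns (per_user_kb, overhead_kb).
    """
    size_lo, size_hi = DEFAULT_PBFS_MB * 1024, MAX_PBFS_MB * 1024
    per_user_kb = (size_hi - size_lo) / (MAX_CAPACITY - DEFAULT_CAPACITY)
    overhead_kb = size_lo - DEFAULT_CAPACITY * per_user_kb
    return per_user_kb, overhead_kb


def users_that_fit(pbfs_mb):
    """Number of user records a PBFS of the given size can hold under the fitted model."""
    per_user_kb, overhead_kb = fit_pbfs_model()
    return max(0, int((pbfs_mb * 1024 - overhead_kb) // per_user_kb))


def pbfs_mb_needed(users, headroom=0.10):
    """Smallest PBFS size in MB (never below the default) that holds `users` plus
    `headroom` spare, or None if that would exceed the 100 MB maximum."""
    per_user_kb, overhead_kb = fit_pbfs_model()
    needed_kb = overhead_kb + users * per_user_kb * (1 + headroom)
    mb = max(DEFAULT_PBFS_MB, math.ceil(needed_kb / 1024))
    return mb if mb <= MAX_PBFS_MB else None


def sync_batches(users):
    """How many 1000-user import batches a synchronization of `users` needs."""
    return math.ceil(users / SYNC_BATCH_SIZE)


def plan_groups(groups):
    """groups: {group name: users assigned to that group's notebooks} -> per-group plan."""
    return {
        name: {
            "users": n,
            "fits_default_pbfs": n <= users_that_fit(DEFAULT_PBFS_MB),
            "pbfs_mb_needed": pbfs_mb_needed(n),
            "sync_batches": sync_batches(n),
        }
        for name, n in groups.items()
    }


if __name__ == "__main__":
    # Constructed sample: the per-letter OU grouping discussed in the thread, with
    # made-up user counts, plus the "everyone on every notebook" option for comparison.
    sample = {"A1": 900, "B (all sub-OUs)": 2400, "everyone": 12000}
    for name, row in plan_groups(sample).items():
        print(f"{name:16} {row}")
```

The fit comes out at roughly 9.5 KB per user with about 17 MB of fixed overhead, which sits inside the 8-10 KB per user quoted in the reply; it also puts the 900 users at 30 MB reported later in the thread comfortably within capacity. Assigning all 12,000 users to one machine returns `None` for the PBFS size (over the 100 MB cap) and 12 synchronization batches, which is the quantitative version of the reply's warning.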

                • 5. Re: EE6 in enterprise environment - some information and questions
                  konecnym

                  ePO EA1 Settings

                  Product Settings:

                  Enable Policy

                  Encryption->Boot Only (PC Software)

                  LogOn->Display keyboard (will be OK in new patch 2/2010)

                  Enable SSO-> Must match user name, and Synchronize EE password with Windows
                  Require EE logon-> check

                  Recovery ->Enabled (medium)

                  Boot Options-> enable preBoot USB support and PCMCIA

                  Encryption providers->PC Software->User Compatible MBR, Fix OS boot record sides

                  User Based Policies:

                  Authentication: Password only

                  Password change-> Prevent change (check)

                   

                  "EE works best with one user per system..."

                  We would have to add individual users to each NTB.
                  (we have 2500 NTBs and 12,000 users)
                  It is quite time consuming and would need one full-time person.  :-(

                   

                  Michal

                  • 6. Re: EE6 in enterprise environment - some information and questions

                    So you plan to use EE SSO. Therefore my suggestion about testing password changes holds.

                    We would have to add individual users to each NTB.

                    What do you mean by that?

                    • 7. Re: EE6 in enterprise environment - some information and questions

                      Just use the option to assign local domain users - don't try to assign everyone to everything. That's really bad security for a start.

                       

                      No one really needs this, it's more of an indication of lack of controls, rather than a need.

                      • 8. Re: EE6 in enterprise environment - some information and questions
                        konecnym

                        On the point of safety:
                        Users follow the company policy: "Do not keep any data on NTBs."
                        They need only a copy of data for a business trip or a presentation.

                        I prefer a strategy where the company's resources (NTBs) can be used by all employees (AD users).
                        ->
                        It would be as if I said: "Worker X can use the hammer but worker Y cannot."
                        Why? It's our corporate hammer, and for us it is better that worker X lends the hammer to another worker.

                         

                        Michal

                        • 9. Re: EE6 in enterprise environment - some information and questions
                          jkussow

                          SafeBoot wrote:

                           

                          Just use the option to assign local domain users - don't try to assign everyone to everything. That's really bad security for a start.

                           

                          No one really needs this, it's more of an indication of lack of controls, rather than a need.

                          I'm not sure which astounds me more Simon:  the ease with which you offend your customers or how out of touch you are with the real world.

                           

                          Michal--with EE (it really doesn't matter which version since the question is fundamentally an architecture issue) you must find the correct balance for your organization. Our organization has struggled with the same challenges as you describe. Since we don't view EE as a security tool, only a compliance tool, we also did not want the application to hamper any of our users' ability to login to any company laptop. The architecture of EE doesn't support this model well at all so it's a usability vs. cost issue.  We tried the one user per laptop model EE is designed for (we only encrypt laptops) and it proved so incredibly expensive for us we gave up.  We now have some logical groupings based on our Active Directory design of about 900 user accounts per laptop which seems to be just about right for us.  The deployment has been extremely painful but now that all is deployed everything is mostly running smoothly.  The only issues that remained, until yesterday, were several password sync problems for our support staff.  We resolved it by conforming our processes and procedures to the EE model: desktop support staff don't use SSO and a small custom app ensures their current password isn't overwritten easily by an old one that the EE server thinks is newer.  (Since V6 has no publicly available APIs we'll have to revisit this when/if we migrate to it if the sync architecture hasn't changed.)  The rest of our employees use SSO and all have an Sbfs size of 30 MB. Hope you can find the balance you are looking for.

                           

                          Sorry for the English, my čeština is very bad.
