1 Reply Latest reply on Dec 23, 2010 2:56 PM by Peter M

    McAfee Host Intrusion Prevention - Content Updates

      Hi All,


      We currently use VirusScan Enterprise 8.7 in "unmanaged" mode (i.e. no ePO); we have two computers also running VirusScan Enterprise 8.7 that run a mirror task; the mirrored folders are then made available to network PCs via FTP service.  This means that all clients fetch updates from these FTP servers.  It is highly resilient and load balanced:

      • have a DNS entry called "AV" that resolves to either FTP server (called AV1 and AV2)
      • AV1 refers to the first FTP server, AV2 refers to the second FTP server (naturally!)
      • the client is configured to fetch updates from
        • AV
        • AV1
        • AV2
        • McAfeeHTTP
      • this means it will first try AV, which will resolve to either AV1 or AV2's IPv4 address.  This gives crude but effective load balancing.  If this fails, it will try AV1, then AV2, then McAfeeHTTP
      • the two FTP servers are completely independent; they each fetch updates directly from McAfeeHTTP themselves.
      • This works really well.  A server, or even two servers, can fail, yet the clients will continue to get updates (the only scenario it doesn't help with is corrupted repositories; the client will successfully connect and attempt to update, but the repository is corrupted so the client can't update, but will not try the next repository.  Accept this)


      Anyway, we're looking to deploy McAfee HIPS 7.0.  We've been trialling this successfully.  Now looking for "production class" deployment.  According to "McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0", page 22, HIPS clients can only fetch updates from ePO server.  The spirit of ePO seems to be one ePO server in an environment, then use distributed repositories.  Fine for anti-virus DATs, no use for HIPS content updates.


      How do I design the system in order to give us highly available content updates? 

      - Register an additional ePO server?  The ePO product guide hints at what to do, but doesn't really elaborate on why.  Further, it seems a fairly "intimate" relationship - using SQL database instances and passwords, etc.  This suggests they might be less than "independent"; what I have with the two McAfee VirusScan Enterprise 8.7 mirror-then-FTP-service boxes is completely independent boxes - one can fail and have absolutely zero impact on the other.  I am anxious this won't be the case with these ePO servers.

      - Have two independent ePO servers, each with a master repository that is updated hourly, but then clients register with and are managed by only one of the ePO servers, while the second ePO server is an additional repository?  Is this even possible?  I would imagine I'd have to export keys from the first server and import them into the second to avoid authentication/trust issues.

      - accept this limitation?  Only one ePO server, and be prepared with short RPO/RTO?


      Another, related question - using ePO mainly because I have to: HIPS requires it.  Need to distribute updates and policies, and feedback about detections is nice, but keeping it for a long time is not really necessary.  Would it be appropriate for my backup/recovery strategy to simply backup the keys; then, to restore, rebuild from scratch, same server/IPv4 address, import the keys, connect to Active Directory.  Initially, all the clients would be unmanaged again.  However, within hours, McAfee Agent will connect to the newly-built server and become "managed" again.  While the server is down, the last known policies will be retained and continue


      Would be interested in how others have considered/approached/addressed this.


      Kind regards,
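The repository fallback order described in the post (a round-robin "AV" name in front of AV1 and AV2, then AV1, AV2 and McAfeeHTTP as explicit fallbacks), modelled as an added example. This is not McAfee's client code or the poster's configuration; it is a small Python model with constructed stand-ins for the hosts and the update content. It reproduces the one failure mode the post accepts (a repository that answers but serves a corrupt copy ends the attempt) and, as a variant, shows what changes if the client verifies content integrity and keeps walking the list. The hostnames, the SHA-256 check and the `Repository` type are assumptions made for the example.

```python
import hashlib
import itertools
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample content: a stand-in for a DAT package, not real McAfee content.
GOOD_CONTENT = b"DAT-PACKAGE v1 (constructed sample)"
GOOD_SHA256 = hashlib.sha256(GOOD_CONTENT).hexdigest()
# A damaged mirror copy: truncated and padded, so its hash no longer matches.
CORRUPT_CONTENT = b"DAT-PACKAGE v1 (constructed sample" + b"\x00" * 3


@dataclass
class Repository:
    """One entry in the client's ordered repository list (hypothetical type)."""
    name: str
    fetch: Callable[[], bytes]  # raises ConnectionError if the host is unreachable


class CorruptRepository(Exception):
    """Raised when a repository answers but its content fails the integrity check."""


def unreachable() -> bytes:
    raise ConnectionError("host down")


def serves(content: bytes) -> Callable[[], bytes]:
    return lambda: content


def round_robin(targets: List[Repository]) -> Callable[[], bytes]:
    """Model the 'AV' DNS name: each resolution hands out the next of AV1/AV2,
    the way a resolver rotates a round-robin RRset. A fetch through 'AV'
    therefore lands on whichever backend the resolver picked this time."""
    cycle = itertools.cycle(targets)
    return lambda: next(cycle).fetch()


def fetch_update(repos: List[Repository], expected_sha256: str,
                 stop_on_corrupt: bool) -> Tuple[str, bytes]:
    """Walk the repository list in order and return (name, content) from the
    first repository that delivers valid content.

    Unreachable hosts are skipped. A host that answers but serves content whose
    SHA-256 differs from expected_sha256 is treated as corrupt: with
    stop_on_corrupt=True the attempt ends there (the behaviour the post
    describes); with stop_on_corrupt=False the client moves on to the next entry.
    """
    attempts = []
    for repo in repos:
        try:
            data = repo.fetch()
        except ConnectionError:
            attempts.append((repo.name, "unreachable"))
            continue
        if hashlib.sha256(data).hexdigest() != expected_sha256:
            attempts.append((repo.name, "corrupt"))
            if stop_on_corrupt:
                raise CorruptRepository(f"{repo.name} served corrupt content; attempts={attempts}")
            continue
        return repo.name, data
    raise RuntimeError(f"no repository delivered a valid update; attempts={attempts}")


def build_client_list(av1: Repository, av2: Repository,
                      mcafee_http: Repository) -> List[Repository]:
    """The ordered list from the post: AV (round robin over AV1/AV2), AV1, AV2, McAfeeHTTP."""
    return [Repository("AV", round_robin([av1, av2])), av1, av2, mcafee_http]


def run_scenario(av1_up: bool, av2_content: bytes, stop_on_corrupt: bool) -> str:
    """Return the name of the repository that served the update, or
    'stopped: corrupt' if the client gave up on a corrupt mirror."""
    av1 = Repository("AV1", serves(GOOD_CONTENT) if av1_up else unreachable)
    av2 = Repository("AV2", serves(av2_content))
    mcafee = Repository("McAfeeHTTP", serves(GOOD_CONTENT))
    try:
        name, _ = fetch_update(build_client_list(av1, av2, mcafee), GOOD_SHA256, stop_on_corrupt)
    except CorruptRepository:
        return "stopped: corrupt"
    return name


if __name__ == "__main__":
    print("both mirrors healthy:", run_scenario(True, GOOD_CONTENT, True))
    print("AV1 down, AV2 corrupt, client stops on corrupt:",
          run_scenario(False, CORRUPT_CONTENT, True))
    print("AV1 down, AV2 corrupt, client verifies and continues:",
          run_scenario(False, CORRUPT_CONTENT, False))
```

With both mirrors healthy the update comes through the "AV" name, so the two FTP boxes share the load without any client knowing about the rotation. With AV1 down and AV2 holding a damaged mirror, the modelled client that stops at the first reachable repository never reaches McAfeeHTTP, which is exactly the residual risk the post accepts; the variant that checks a known-good hash before accepting content is what it would take to close that gap.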