3 Replies Latest reply on Jun 8, 2011 5:16 PM by Kary Tankink

    Pushing HIPS agents via SCCM; any inherent problems doing this?

      We need to push out HIPS agents to a few hundred servers, and our tools team would like to do this using SCCM, rather than using an ePO client task.

       

      Is there anything inherently risky about doing it this way?

       

      Also, we're on HIPS 7, patch 3 (I think it is). If deployed via SCCM, is the patch slipstreamed into the agent deployment or is it installed in a separate step?

       

      PG

        • 1. Re: Pushing HIPS agents via SCCM; any inherent problems doing this?
          Kary Tankink

          Other customers use these types of third party deployments, and they can provide their experiences, however, I would like to note a few things:

           

          1. Make sure the Host IPS product is being deployed by unzipping the entire HIPS client installer .zip file to the system and executing the McAfeeHIP_ClientSetup.exe; executing the .MSI file is not supported and has lead to installation issues.

           

          2. Third-party deployments are not supported by McAfee.  If you run into an issue, take the Host IPS installation out of SCCM and perform it manually, as documented in the installation guide.    If you still have the same problem, then please report that to McAfee Support.  If the issue only occurs within the third party deployment method, then you will need to troubleshoot this further.  It could be due to timing issues, or something specific that's being done by trying to automate a number of installation/updates.

           

          3. As discussed in earlier threads on this forum, you do want to monitor the Host IPS installations on servers where NIC teaming is involved.  It is suggested to disable NIC teaming before installation, then reteam after the installation.  Test your deployments throughly on a few different systems before a wide-spread push of the product.

           

          4. If the Host IPS version you stated is correct, then it advised to deploy the latest product version.  Currently Host IPS 7.0 is up to Patch 9.  The Patch 3 version is a couple of years old, and improvments in the drivers and installer, as well as the resolved issues fixed between these versions, will contribute to a better product deployment experience.

           

          5. It is recommended to install the later Host IPS builds by using the full installer, rather than installing an older version and upgrading.  Rather than installing Host IPS 7.0 P3, then immediately upgrading to Patch 9, it's recommended to utilize the Host IPS 7.0 Patch 9 full installer (McAfeeHIP_Client_700_with_P9_LEN.Zip), where the patch 9 version is built into the full installation package.

           

          Added #5 on 6/8/11 4:29:34 PM CDT
          • 2. Re: Pushing HIPS agents via SCCM; any inherent problems doing this?

            The patch version I reported is wrong; we're actually on HIPS 7, patch 7. Is patch 7 built into the full installation package on that one?

             

            Re: your step 1 above, we had a system go horribly wrong in a lab environment, but I believe we ran the MSI file for the manual install.

             

            Re: your step 3, as mentioned previously, that is logistically impossible to do on several hundred servers. Except for the lab experiment gone wrong just mentioned, we haven't had issues with the NIC teaming breaking on the servers with updated broadcomm drivers and a patched version of HIPS.

             

            My personal preference is not to use SCCM at all for HIPS agent deployment because there hasn't been issues using ePO client tasks, but some people up the food chain believe SCCM would be superior for deploying large numbers of agents.

            • 3. Re: Pushing HIPS agents via SCCM; any inherent problems doing this?
              Kary Tankink
              Re: your step 3, as mentioned previously, that is logistically impossible to do on several hundred servers. Except for the lab experiment gone wrong just mentioned, we haven't had issues with the NIC teaming breaking on the servers with updated broadcomm drivers and a patched version of HIPS.

              If you are not experiencing any Host IPS installation issues on servers with Teamed NICs, then continue to do that.  A majority of the time it will install just fine.  But if it fails, uninstall Host IPS, reboot, break the team, reinstall Host IPS, then reteam.

               

              corrections: ktankink on 6/8/11 5:16:00 PM CDT