9 Replies Latest reply on Sep 28, 2011 9:10 AM by JoeBidgood

    New to ePO 4.5

      Hi,

       

      I am new to ePO 4.5.  I have brought up a Windows Server 2008 32-bit SP1 box and installed ePO 4.5.  I have synced my System Tree to our Active Directory and added users.  I have specified my e-mail server and tested it successfully.  I am now ready to set up and install certificates and private keys.  This I have never done before.  Where do I obtain the keys (McAfee site)?  There are keys installed, but when I view the server certificates I see the message "Click the 'Edit' button if you wish to update the server certificate used for HTTPS communication with browsers."  I have been searching the web for more info and this discussion is part of that process.  Any information/direction is appreciated.

       

      T

        • 1. Re: New to ePO 4.5
          oaker

          In the EPO GUI: Server Settings > Server Certificates

           

          Here you add the certificate you have previously created/acquired. After adding the certificate data you have to completely restart the EPO server. Now, that's all there is to EPO and the HTTPS certificate. Everything else has nothing to do with EPO and must be done outside of it. You see, every computer has a certificate store locally (OS/browser) where all trusted certificate authorities are saved. If you come across an HTTPS site, the certificate is then checked/compared with the local store to see if it is trusted.

           

          There are two ways to approach this. Either you have to create an official certificate with one of the authorities that are trusted by your clients/browsers or you have to create your own certificate, but that would also force you to add your own root certificate to each and every system that so wishes to use your EPO GUI. If you are working in a big company you probably have your own authority or root certificate and in that case you simply need to request a certificate internally. If not, then you might need to use VeriSign, GoDaddy, Comodo or a similar provider and it most likely will cost you money and you have to be reviewed. So:

           

          - Create your own root/SSL certificate (clients using your epo need to install/add the root certificate)

          - Acquire an official SSL certificate by a trusted CA (costs money and you have to be reviewed)

          - Use your company CA and get a certificate from the people inside your company (only bigger companies have that)

           

          Pick your poison.

           

          Message was edited by: oaker on 23/09/11 11:39:55 IST
          1 of 1 people found this helpful
          • 2. Re: New to ePO 4.5

            Wow, A lot of great information, and just the type of information I'm looking for.

             

            Thanks

            • 3. Re: New to ePO 4.5
              Sailendra Pamidi

              There is a KB which discusses using a custom SSL certificate with ePO 4.6 - but most of the steps apply to ePO 4.5. Check KB72477 - "How to generate a custom SSL Certificate for use with ePO 4.6 using OpenSSL toolkit" for details.
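
The first option from reply 1 (your own root plus a server certificate signed by it), sketched with the OpenSSL command line that reply 3 mentions. This is an added example, not the steps from KB72477 or any McAfee procedure; the host name `epo.example.internal`, subject names, file names, key sizes and lifetimes are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Constructed values: host name, subject names, file names, lifetimes.
EPO_HOST="epo.example.internal"

make_root_ca() {            # $1 = working directory; keep rootCA.key offline in real use
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -config "$1/ca.cnf" -keyout "$1/rootCA.key" -out "$1/rootCA.crt" 2>/dev/null
}
make_server_cert() {        # $1 = working directory, $2 = host name browsers will use
  cat > "$1/srv.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
CN = $2
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/srv.cnf" \
    -keyout "$1/epo.key" -out "$1/epo.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/epo.csr" -CA "$1/rootCA.crt" -CAkey "$1/rootCA.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/srv.cnf" -extensions v3_srv \
    -out "$1/epo.crt" 2>/dev/null
}
# Succeeds only if the client trusts the root in $2 and $3 matches the certificate's SAN.
verify_as_client() {        # $1 = server certificate, $2 = trusted root, $3 = host name
  openssl verify -CAfile "$2" -purpose sslserver -verify_hostname "$3" "$1" >/dev/null 2>&1
}
work=$(mktemp -d) && mkdir "$work/other"
make_root_ca "$work" && make_root_ca "$work/other" && make_server_cert "$work" "$EPO_HOST"
verify_as_client "$work/epo.crt" "$work/rootCA.crt" "$EPO_HOST" && echo "trusted: root installed"
verify_as_client "$work/epo.crt" "$work/other/rootCA.crt" "$EPO_HOST" || echo "untrusted: root missing"
rm -rf "$work"
```

The second check stands in for a browser on a machine where the root certificate was never imported, which is the per-client cost reply 1 attaches to this option.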

              • 4. Re: New to ePO 4.5

                Thanks Spamidi, 

                 

                I am also unclear on another point.

                 

                1.  Is an Agent Handler required on every system?  Our servers are all centrally located, with the exception of DR.

                 

                T.

                • 5. Re: New to ePO 4.5
                  oaker

                  No, but a McAfee Agent is obviously required on each managed system. An Agent Handler is only needed if you want to manage different geographic or logical locations that have no (or a very slow) direct connection to the EPO server or as a (worse) alternative to superagents or repositories to distribute the load of signature updating and unburden the EPO server. However, I'm managing EPO servers with about 5000 clients each scattered around our country without additional handlers or repositories. It works, although it is not something I would recommend.

                   

                  So no, you probably don't need even one handler if all your managed systems are centralized and if there is no restrictive zone concept in effect with several VLANs, firewalls and other shenanigans.

                   

                  Message was edited by: oaker on 26/09/11 13:33:19 IST
                  • 6. Re: New to ePO 4.5
                    JoeBidgood
                    An Agent Handler is only needed if you want to manage different geographic or logical locations that have no (or a very slow) direct connection to the EPO server or as a (worse) alternative to superagents or repositories to distribute the load of signature updating and unburden the EPO server.

                     

                     

                    Hi - unfortunately this is incorrect (assuming that the SQL server is located close to the ePO server). Agent handlers should never be used over slow links - they require a permanent, high-speed, low-latency connection to the SQL server hosting the ePO DB.  In extreme cases one AH over a very poor link can cripple the entire ePO installation, as it locks the DB for so long that nothing else gets done.

                     

                    I agree that they are a much worse alternative to distributed repositories, though.

                     

                    Regards -

                     

                    Joe

                    • 7. Re: New to ePO 4.5
                      utanurha

                      Thank you Joe, that is correct.

                       

                      Agent Handlers require very good connectivity to the database!

                       

                      Typical use

                      1. scalability

                      2. Allow remote systems to connect to local ePO server via Agent Handler in the DMZ

                       

                      Please see the following document for more information.

                      http://www.mcafee.com/us/resources/white-papers/wp-agent-handler-epo-4-5.pdf

                       

                      Best Regards,

                      Ulli

                      • 8. Re: New to ePO 4.5

                        Thanks to everyone who has posted.

                         

                        I have a basic question.  Can I operate successfully without an Agent Handler or distributed repositories?   Can I run my repository local to the ePO server and no Agent Handler loaded on remote servers?  If the answer is yes, I think I'm ready to move forward.

                         

                        Regards

                         

                        T.

                        • 9. Re: New to ePO 4.5
                          JoeBidgood

                          Absolutely. It depends to a large extent on how many client machines you will be managing, but it's entirely possible to run everything from one machine.

                          Agent handlers and distributed repositories are really there to take some of the load off the ePO server itself, but if that load is manageable by a single machine, they are not required.

                           

                          HTH -

                           

                          Joe