6 Replies Latest reply on Nov 27, 2012 2:57 PM by kjhurni

    EPO 4.6.x with VSE and HIPS-grouping?

    kjhurni

      We're going to be introducing HIPS into our current VSE 8.8.1 environment on a new EPO 4.6.x server

       

      Our directory tree is organized by VLAN (IP ranges) and works very well for VSE

       

      But HIPS is a diff. story

       

      If we need to say, have a HIPS policy that's more "relaxed", is there an easy way to assign that policy to a group and then add/remove the agents from that group?

       

      It seems the only way to do that is you end up actually moving the agent from one spot in the directory to another which can mess up some of our VSE settings on certain VLANs.

       

      Or is there a better/different way to do that (I know you can override a single workstation to have a policy, but that's not going to work well when you need to do this to lots of devices potentially)

       

      Thanks!

        • 1. Re: EPO 4.6.x with VSE and HIPS-grouping?
          ThomasN

          Hi.

          You can create a tag and then use the functionality in the Policy Assignment Rules to assign a specific HIPS policy to the clients that have that tag.

          You can then tag the clients that you wish to have the more relaxed policy.

           

          Please be aware that there is a bug with this functionality for HIPS 8 Patch 2 at the moment. This is probably caused by some issue with the extension.

          I have a case open in regards to this that has been escalated to dev. Hopefully they will fix it soon.

          • 2. Re: EPO 4.6.x with VSE and HIPS-grouping?
            kjhurni

            This is going to sound stupid, but how does one get the tag on the client?  Do you manually assign that to the agent/client?

             

            I'm just wondering if the person who set up our EPO layout for HIPS simply made a directory group with the tag of say: XYZ

            Then created the policy assigned to tag XYZ

             

            and then moved the agents into that group so that they get the tag

             

            Although I guess it's the same amount of work to find the device, move it, as it is to find the device, and set its tag

            • 3. Re: EPO 4.6.x with VSE and HIPS-grouping?
              ThomasN

              You can assign the tag manually, but the most efficient way is probably to create a query that will return the clients that you are interested in and then create a server task that assigns the tag to the clients returned in the query. You run the server task on a certain interval (daily, hourly, etc.) to update the clients that need the tag.

               

              If the option that you look at for determining if a client should have the tag is something easy, like the format of the name, then the filter might be available to be set directly on the tag so that whenever a client communicates with the EPO server it will get the tag if it should have it. These filter options can be seen when you create a new tag.

               

              It all depends on what you will be using as the basis for determining if a client should have the tag or not.

               

              In regards to the directory group (if I understand your question correctly), the only way of assigning a tag by location (group) would be to create a query that returned all the computers in that group and then used a server task to set the tag on them. There is no way of directly setting the tag if the computers are in a certain location as far as I know.

               

               

              Please let me know if I made the situation clearer or just more confusing :-)

              • 4. Re: EPO 4.6.x with VSE and HIPS-grouping?
                kjhurni

                Okay sorry for the long delay.  I see how easy it is to create tags and assign the tags to the devices.

                 

                What I do NOT see is an easy way to assign a policy to a tag

                 

                It seems you can only assign a policy to a GROUP in the hierarchy and that GROUP has a tag.

                 

                Thus this kinda gets me back to the sorting issue where this will cause machines to be moved to different groups

                 

                I THOUGHT there was a way to build a HIPS Firewall policy (for example) and assign it to the "root" of the System Tree and only apply to devices with TAG = BLAH

                 

                But it seems you can only assign to a GROUP and have the GROUP (ie: folder) in the Tree sorting criteria based upon tagging.

                 

                What I had wanted was a way to create a policy (Firewall-disabled), assign it to the entire tree, but only apply to devices that have a TAG of say: Firewall-Disabled that we can set manually.

                 

                I know that the tags can be assigned manually, but I don't see a way to do the assignment.

                 

                Or am I missing something?

                • 5. Re: EPO 4.6.x with VSE and HIPS-grouping?

                  Policy Assignment Rules

                   

                  You can create a Policy Assignment Rule that says if machine X has the Firewall-Disabled tag then override the default policy with the Firewall-disabled policy. All other policies will remain the same.

                   

                  You could, for instance, assign your default policies at the top of the System Tree so that they are applied to all subgroups. Use Policy Assignment Rules and Tags for the exceptions. Then you can organize the System Tree any way you want, since it no longer matters what group the machine is under; it gets any exceptions to the default policy based on its tags.

                  1 of 1 people found this helpful
                  • 6. Re: EPO 4.6.x with VSE and HIPS-grouping?
                    kjhurni

                    Thanks redbeardrc.  I will have to look more closely at the EPO 4.6 docs/admin console (in the process of migrating from 4.5 to 4.6)

                     

                    --Kevin