4 Replies Latest reply on Feb 13, 2013 10:13 AM by mathr601

    Rogue detection with 2 ePO servers

      Hi,

       

      We have 2 ePO servers, one inside the network and one in the DMZ to manage home PCs and laptops that are used in and out.

      The rogue detection will be enabled on the internal ePO server only and sensors will also be deployed on the internal network.

       

      I have registered the secondary (external) ePO server into the primary ePO server. The "Test connection" of the database is successful.

      In server settings/Detected System Compliance I added the secondary ePO server in the section: "Systems detected with an Agent that belong to these ePO Servers should not be considered Rogue". I put in the name of the server.

       

      Now when a sensor detects a computer that is not in the primary ePO server, should it look into the secondary server's database to find it?

      Is that the way it works?

       

      The only way I can achieve it is by turning on an automatic response "Attempts to query a newly detected rogue system for a McAfee Agent".

      I would like to avoid it for this reason: if the computer has an agent but is not present in the System Tree (not reporting or defective), it will be reported as an Alien, but in fact it should be detected as a Rogue.

       

      Thanks

        • 1. Re: Rogue detection with 2 ePO servers
          jstanley

          My first suggestion would be to do away with the ePO server in the DMZ and use an Agent Handler for this purpose instead. Then both external and internal clients can be managed by the same ePO server.

           

          By definition any client machine on your network with a McAfee Agent installed which is not managed by your ePO server is an Alien, so that part sounds like it's working properly... it should be detected as an Alien, not a Rogue. Now if you want this client to be detected as a Managed client and NOT a rogue or alien agent, then you need to modify the settings in Menu | Configuration | Server Settings | Detected System Compliance. At the bottom of this page you can enter the names of other ePO servers. If you enter the name of the ePO server in the DMZ, then going forward, if an agent managed by your DMZ ePO server is detected by RSD, upon a successful agent query this client will be classified as Managed rather than as an Alien.

          • 2. Re: Rogue detection with 2 ePO servers

            Thanks for the information.

             

            I already put the name of the DMZ ePO server in "Menu | Configuration | Server Settings | Detected System Compliance". That part is fine.

             

            My question is on how the ePO server on which rogue detection is activated works with the other ePO servers. Since I registered the secondary ePO server, the main one can look in the secondary ePO server's database for all the nodes in that server. If I don't query the agent on the detected PC, it looks like it won't look into the other ePO server's database to see if the PC is present. It should match the matching criteria set (MAC, hostname, etc.). Is it supposed to work that way?

             


            • 3. Re: Rogue detection with 2 ePO servers
              jstanley

              That is not the way it works. First, ePO uses the detected system matching algorithm (defined in Menu | Configuration | Server Settings | Detected System Matching) to determine if the detected client is managed by the ePO server hosting RSD. Then it checks to see if it matches any existing detections or exceptions. If it does not, then it's flagged as a new rogue. If it matches an existing RSD detection, then it simply updates the "last detected time" of the existing detection.

               

              If the machine (existing or new detection) is marked as a rogue and you query the agent, that is where the settings in "Menu | Configuration | Server Settings | Detected System Compliance" come in. If the agent query indicates the client has an agent managed by another ePO server, it's flagged as an "alien agent". If however the client is managed by another ePO server but that other ePO server is listed in the Detected System Compliance page, then it is flagged as a managed agent.

               

              You can query the agent yourself and see what information it is returning by viewing the remote agent log (if you have that enabled in the agent policy). Simply open a browser and go to http://<IP_Address_of_detected_client>:8081 (assuming the wake-up call port is the default 8081), and at the very top in the red box it should display the name of the ePO server which manages that agent. This is (partially at least) the same data the agent query retrieves from the client.

               

              Registering an ePO server is not used by RSD. It is useful for other functions such as sharing policies, rolling up data or transferring systems.
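              As an added illustration (not McAfee's code or documentation), the decision flow jstanley describes in the reply above, written out in Python so the order of checks and the role of the Detected System Compliance list are explicit. It simplifies Detected System Matching to a MAC-address comparison, uses constructed server names and agent-query answers, and the behaviour on a repeat sighting (the existing detection keeps its state and is not re-queried) follows only from the description above, not from product documentation.

```python
# Added example, not McAfee code: a small model of the RSD classification
# flow described in the thread. All names and sample data are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Detection:
    """What a sensor reports about a host it saw on the subnet (constructed fields)."""
    mac: str
    hostname: str = ""
    ip: str = ""


@dataclass
class RsdServer:
    """State of the ePO server that hosts RSD (simplified model)."""
    system_tree_macs: Set[str]                 # agents managed by THIS ePO server
    trusted_epo_servers: Set[str]              # Detected System Compliance list
    exceptions: Set[str] = field(default_factory=set)
    detections: Dict[str, str] = field(default_factory=dict)  # mac -> current state

    def classify(self, det: Detection,
                 agent_query: Optional[Callable[[str], Optional[str]]] = None) -> str:
        mac = det.mac.lower()
        # Step 1: Detected System Matching against the local System Tree
        # (simplified here to a MAC comparison; the real criteria are configurable).
        if mac in self.system_tree_macs:
            return "Managed"
        # Step 2: exceptions and existing detections. An existing detection only
        # gets its "last detected" refreshed in this model; its state is kept.
        if mac in self.exceptions:
            return "Exception"
        state = self.detections.get(mac, "Rogue")  # unknown -> new rogue
        # Step 3: optional agent query (the "Query Agent" action / automatic
        # response). Only here does the Detected System Compliance list matter.
        if state == "Rogue" and agent_query is not None:
            managing_server = agent_query(det.ip)
            if managing_server is None:
                state = "Rogue"           # nothing answered on the wake-up port
            elif managing_server in self.trusted_epo_servers:
                state = "Managed"         # managed by a listed ePO server
            else:
                state = "Alien"           # agent present, but foreign ePO server
        self.detections[mac] = state
        return state


# Constructed answers standing in for the remote agent's reported ePO server.
CONSTRUCTED_AGENT_ANSWERS = {
    "10.0.0.20": "EPO-DMZ",        # agent reports the DMZ ePO server as its manager
    "10.0.0.30": "EPO-OTHERCORP",  # agent managed by a server not on the compliance list
}


def constructed_agent_query(ip: str) -> Optional[str]:
    """Stand-in for querying http://<ip>:8081; returns the managing server or None."""
    return CONSTRUCTED_AGENT_ANSWERS.get(ip)


def demo() -> Dict[str, str]:
    """Walk one server through the scenarios discussed in the thread."""
    srv = RsdServer(system_tree_macs={"00:11:22:33:44:10"},
                    trusted_epo_servers={"EPO-DMZ"})
    r = {}
    r["internal"] = srv.classify(Detection("00:11:22:33:44:10", ip="10.0.0.10"))
    dmz = Detection("00:11:22:33:44:20", ip="10.0.0.20")
    r["dmz_no_query"] = srv.classify(dmz)                           # rogue until queried
    r["dmz_queried"] = srv.classify(dmz, constructed_agent_query)    # listed server -> Managed
    r["dmz_seen_again"] = srv.classify(dmz)                          # state kept, no re-query
    r["foreign_queried"] = srv.classify(Detection("00:11:22:33:44:30", ip="10.0.0.30"),
                                        constructed_agent_query)
    r["no_agent_queried"] = srv.classify(Detection("00:11:22:33:44:40", ip="10.0.0.40"),
                                         constructed_agent_query)
    return r


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:18s} -> {state}")
```

              The point the model makes visible is that registering the second ePO server plays no part anywhere in `classify`; the only way the DMZ server's name enters the decision is through the agent query in step 3, which is why the original poster saw no effect without the automatic response.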

              • 4. Re: Rogue detection with 2 ePO servers

                Again thank you for the quick, very useful and well explained information.

                 

                Let's say a system is detected as rogue, the agent is queried and it appears to be managed by the other ePO server, then it's flagged as managed or alien, fine. Now what happens when the system is detected in the future? Does the agent need to be queried again so the ePO server knows the system is managed by the other ePO server?

                 

                 

                I created an automated task that runs a query that lists all the rogue detected systems and a subtask to deploy the agent. Even if the query displays 12 rogues, the task doesn't deploy the agent on any of those. I think this is caused by the "Computer Name" field being blank in the report. ePO must rely on it to deploy the agent. I don't want to create an automatic response to deploy the agents because I want to sort the rogues first. Is there any way to achieve it?

                 

                 

                I noticed that the option "Policy | McAfee Agent | General | Logging | Enable remote access to log" must be checked in order for the "query agent" to work. We had turned that option off for the home PCs to avoid opening a port, for security purposes. We also run HIPS on the home PCs, so I will make a rule so that only the IP of the server can access that port. I just wanted to mention it in case someone else reads this in the future.

                 

                Thanks