This module covers the essential information on maintaining an ePO Server and database. The
information presented in this module is not all-inclusive. Enterprise customers most often just need
to know where the must-preserve data is located. From there, they'll usually fold the new setup
into their existing backup and recovery plan, already set forth by the organization.
The most crucial data for ePO is obviously the database. The entire system can be restored with a
recent copy of the database. But there is other data that can ease the process greatly in the event a
restoration is needed. Students will be shown how to manage ePO Security Keys, and review
important logs, along with utilizing database maintenance tools.
Several of the available ePO Server Tasks can assist with periodic server maintenance tasks like
maintaining System Tree synchronization, managing product licenses, purging old data, maintaining
repositories, and maintaining Rogue System Sensors.
Security Keys
ePolicy Orchestrator uses security keys to secure the agent-to-server communication, and to sign and
validate packages.
Agent-to-server secure communication keys
Agent-to-server secure communication (ASSC) keys are used by the agents to communicate securely
with the server. You can make any ASSC key pair the master, which is the one currently assigned to
agents deployed in the environment. The ePO agent key updater package needs to exist in the Master
Repository, and the McAfee Agent update task has to have the ePO agent key updater selected. Existing
agents using other keys in the list will change to the new master after their next update. It is
important to wait until all agents have updated to the new master before deleting any
older keys.
Master repository key pair
The master repository private key signs all unsigned content in the master repository. Agents use the
public key to verify the repository content originating from the master repository on the ePO server. If
the content is unsigned, or signed with an unknown repository private key, the downloaded content
is considered invalid and deleted.
This key pair is unique to each server installation. However, by exporting and importing keys, you can
use the same key pair in a multi-server environment.
Other repository public keys
These are the public keys that agents use to verify content from other master repositories in the
environment or McAfee source sites. Each agent reporting to this server uses the keys in this list to
verify content that originates from other ePO servers in the organization, or from McAfee-owned
sources. If an agent downloads content that originated from a source for which the agent
does not have the appropriate public key, the agent discards the content.
2013 McAfee, Inc. All Rights Reserved.
Customers in multi-server environments can choose to use the same ASSC key pair for all servers and
agents. You can export ASSC keys from one McAfee ePO server to a different ePO server, to allow agents to
access the new ePO server.
You can choose to make any ASSC key pair the master, which is the key pair currently assigned to all
deployed agents.
Customers can also choose to use a different ASSC key pair for each McAfee ePO server to ensure that all
agents can communicate with the required McAfee ePO servers in an environment where each server
must have a unique agent-to-server communication key pair.
NOTE: Agents can communicate with one server at a time. The ePO server can have multiple keys to
communicate with different agents, but the opposite is not true. Agents cannot have multiple keys to
communicate with multiple ePO servers.
You can view which systems are using a key-pair, when editing security keys, by highlighting the key
and selecting the View Agents button.
Before deleting the previous master key pair from the list, wait until all agents begin using the new
master key pair. Agents begin using the new key pair after completing their next update task that has
the ePO agent key updater selected. At any time, you can see which agents are using any of
the ASSC key pairs in the list.
CAUTION: Do not delete any keys that are currently in use by any agents, or those agents will no longer
be able to communicate with the server.
You cannot delete a key designated as a Master Key. You must make another key the Master before
deleting the old key.
In ePO 5.x you cannot delete a key that an agent is using.
The master repository key pair is unique for each installation. If you use multiple servers, each uses a
different key. If the agents are configured to allow the download of content that originates from
different master repositories, you must ensure that agents recognize the content as valid. You can
ensure this in two ways:
- Use the same master repository key pair for all servers and agents
- Ensure agents are configured to recognize any repository public key used in the environment
It is recommended that you back up all keys before making any changes to the key management
settings.
After installation you can change only two ports: the Agent wake-up communication port and the Agent
broadcast communication port. If you need to change other ports, you must either reinstall the
server and reconfigure the ports in the installation wizard, or refer to the available KnowledgeBase
articles.
Customers may find themselves needing to migrate the database to another server, or they may want
to upgrade the hardware on the existing server. Before performing any migration, the first step is to
back up the database.
The steps involved in the migration process depend on many factors. Is the server
name and IP address staying the same? Is one changing but not the other? Are there any network
communication boundaries that need to be identified and dealt with? And so on.
Additional information:
KB67605 - How to change the ePO 4.5.0 and 4.6.0 Agent-to-Server communication port 80
KB72936 - How to change ePO Agent-to-Server Communication secure port 443
KB52141 - How to change the ePolicy Orchestrator 4.x Console-to-Application Server
communication port 8443
KB68963 - How to change the ePolicy Orchestrator 4.x Client-to-server authenticated
communication Port 8444
Customers may also need to migrate their ePO server. This topic explains the process of migrating an
existing ePO Server to a new hardware platform according to the recommended procedure. This
information is intended for use by network and ePO administrators only. These instructions are
intended as guidelines for migration. All liability for use remains with the user.
The instructions in this topic can also be used for disaster recovery.
NOTE: The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO
server. If you change any one of these, ensure that the Agents have a way to locate the server. The
easiest way to do this would be to retain the existing DNS record and change it to point to the new IP
address of the ePO server. After the Agent is able to successfully connect to the ePO server, it
downloads an updated SiteList.xml with the current information. The procedure can also be used by
customers who want to migrate the ePO server to another system. For ePO 5.x users, it is preferable
to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
In preparation for server migration, you will want to back up the folders shown here on the server.
There are multiple KB articles available on how to back up the SQL database.
You must reinstall ePO to the exact same directory path as the previous installation or the
initialization of extensions will fail when the restore is complete.
The server.ini file located in the previous installation (\Program Files (x86)\McAfee\ePolicy
Orchestrator\DB) stores the following information:
HTTPPort= 80 (Agent-to-Server communication port)
AgentHttpPort= 8081 (Agent Wake-Up communication port)
SecureHttpPort= 8443 (Console-to-Application Server communication port)
BroadcastPort= 8082 (Agent Broadcast communication port)
If you use the original SQL server, the installer will attempt to create a database called
ePO_<epo_servername>. Because the name of the original ePO server is retained, the original
database has to be backed up and detached. Otherwise, the installer prompts you to overwrite the
existing database.
Replace the existing folders for the paths listed above with the contents of the backed up copies.
1. Before you enable and start the ePO services, ensure that the contents (version numbers) of the
C:\Program Files\McAfee\ePolicy Orchestrator\server\extensions\installed folder match the
extensions listed in the OrionExtensions table.
To check the contents of the OrionExtensions table, access the SQL Tools and run the following TSQL command:
Select * from OrionExtensions
If there is a mismatch on server startup, the server removes each extension not listed in the
OrionExtensions table. If this happens, check in these extensions again and also restore the
database again.
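The comparison described in step 1 can be scripted rather than eyeballed. The following PowerShell script is an added example, not part of the McAfee course material: it inventories the extension folders on disk, pulls the OrionExtensions table through sqlcmd (as the text suggests), and prints the two directions of mismatch. It assumes the on-disk layout is installed\<ExtensionName>\<Version>\ and that OrionExtensions exposes the extension name and version in columns named Name and Version; neither is stated on the page, so confirm both with the SELECT * query above before relying on the output. The SQL instance and database name are placeholders.

```powershell
param(
    [string]$InstalledDir = 'C:\Program Files\McAfee\ePolicy Orchestrator\server\extensions\installed',
    [string]$SqlServer    = 'SQLHOST\EPOINSTANCE',   # placeholder: your SQL Server instance
    [string]$Database     = 'ePO_EPOSERVER'          # placeholder: ePO_<epo_servername>
)
$ErrorActionPreference = 'Stop'

# 1. Inventory the folders. Assumed layout: installed\<ExtensionName>\<Version>\
#    (not stated on the page; adjust the two loops if your layout differs).
$onDisk = @{}
foreach ($ext in Get-ChildItem -Path $InstalledDir -Directory) {
    foreach ($ver in Get-ChildItem -Path $ext.FullName -Directory) {
        $onDisk["$($ext.Name) $($ver.Name)"] = $true
    }
}

# 2. Query the table through sqlcmd with Windows authentication (-E).
#    -h -1 drops the header row, -W trims padding, -s ',' separates columns.
#    The column names Name and Version are an assumption; confirm with SELECT *.
$query = 'SET NOCOUNT ON; SELECT Name, Version FROM OrionExtensions'
$rows  = & sqlcmd -S $SqlServer -d $Database -E -h -1 -W -s ',' -Q $query
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }

$inDb = @{}
foreach ($line in $rows) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $parts = $line -split ',', 2
    if ($parts.Count -lt 2) { continue }
    $inDb["$($parts[0].Trim()) $($parts[1].Trim())"] = $true
}

# 3. Report the differences. Anything in the table but not on disk means the
#    restored SERVER folder is stale; anything on disk but not in the table will
#    be removed by the server on startup and has to be checked in again.
$missingOnDisk = @($inDb.Keys   | Where-Object { -not $onDisk.ContainsKey($_) } | Sort-Object)
$notInTable    = @($onDisk.Keys | Where-Object { -not $inDb.ContainsKey($_) }   | Sort-Object)

"Extensions in OrionExtensions but missing from disk: $($missingOnDisk.Count)"
$missingOnDisk | ForEach-Object { "  $_" }
"Extensions on disk but not in OrionExtensions: $($notInTable.Count)"
$notInTable | ForEach-Object { "  $_" }

if ($missingOnDisk.Count -eq 0 -and $notInTable.Count -eq 0) {
    'OK: folder contents and OrionExtensions agree; safe to start the ePO services.'
} else {
    'MISMATCH: restore the folder or the database again before starting the services.'
}
```

Run it before enabling any ePO service; an empty mismatch list in both directions is the condition the text requires before startup.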
2. Start the McAfee ePolicy Orchestrator 5.1.0 Application Server service.
NOTE: You must start this service for RunDllGenCerts to work.
3. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder
named SSL.CRT in the same path, otherwise the setup will fail to create a new Cert:
"C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
Default paths:
Program Files\McAfee\ePolicy Orchestrator\
6. Run the following command:
IMPORTANT:
- This command will fail if you have enabled User Account Control (UAC) on this server. If this is a
Windows Server 2008 or later, disable this feature. You can find more information about UAC
at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
- This command is case-sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>)
provides information about whether the command succeeded or failed and will state if it used the
files located in the ssl.crt folder.
Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin username> <password> <"installdir\Apache2\conf\ssl.crt">
where:
<eposervername> is your ePO server NetBIOS Name
<console HTTPS port> is your ePO Console Port (default is 8443)
<admin username> is admin (use the default ePO admin account)
<password> is the password to the ePO Admin console account
<installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder; Default
installation path:
64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
Example:
Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
7. Start the following services:
McAfee ePolicy Orchestrator 5.1.0 Event Parser
McAfee ePolicy Orchestrator 5.1.0 Server
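Steps 2, 3, 6 and 7 above can be run as one script so that the folder rename, the service ordering and the log check are not skipped. The PowerShell below is an added example and not McAfee's own tooling; it uses the 5.1.0 service names, the SSL.CRT path and the RunDllGenCerts arguments exactly as the text gives them. Two things are assumptions: that ahsetup.dll is found in the installation root (the page does not say where it lives, so the working directory is a parameter), and that a non-empty SSL.CRT after the run means certificates were generated. The UAC note above still applies; the script does not change UAC.

```powershell
param(
    [string]$InstallDir  = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator',
    [string]$ServerName  = $env:COMPUTERNAME,   # NetBIOS name of the ePO server
    [int]   $ConsolePort = 8443,                # console HTTPS port (default 8443)
    [string]$AdminUser   = 'admin'              # the default ePO admin account
)
$ErrorActionPreference = 'Stop'

$sslDir  = Join-Path $InstallDir 'APACHE2\CONF\SSL.CRT'
$oldDir  = "$sslDir.OLD"
$appSvc  = 'McAfee ePolicy Orchestrator 5.1.0 Application Server'
$tailSvc = @('McAfee ePolicy Orchestrator 5.1.0 Event Parser',
             'McAfee ePolicy Orchestrator 5.1.0 Server')

# Step 2: the Application Server service must be running for RunDllGenCerts.
Start-Service -Name $appSvc
(Get-Service -Name $appSvc).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))

# Step 3: keep the old certificate folder and give setup an empty SSL.CRT.
if (Test-Path $oldDir) { throw "$oldDir already exists; move it aside before rerunning." }
Rename-Item -Path $sslDir -NewName (Split-Path $oldDir -Leaf)
New-Item -Path $sslDir -ItemType Directory | Out-Null

# Step 6: arguments are passed exactly as typed because the command is
# case-sensitive. The password is prompted for rather than stored in the script.
$secure = Read-Host -Prompt "Password for ePO account '$AdminUser'" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# rundll32 is a GUI-subsystem program, so -Wait is needed to block until it exits.
# Working directory: where ahsetup.dll lives (assumed here to be the install root).
$rundllArgs = @('ahsetup.dll', 'RunDllGenCerts', $ServerName, $ConsolePort, $AdminUser, $plain, "`"$sslDir`"")
Start-Process -FilePath 'Rundll32.exe' -ArgumentList $rundllArgs -WorkingDirectory $InstallDir -Wait -NoNewWindow
$plain = $null

# The text says ahsetup.log in ssl.crt records success or failure; show its tail.
$log = Join-Path $sslDir 'ahsetup.log'
if (Test-Path $log) { Get-Content -Path $log -Tail 20 } else { Write-Warning "No $log was written." }

# Step 7: only start the remaining services once certificates exist in SSL.CRT.
$certFiles = @(Get-ChildItem -Path $sslDir -File | Where-Object { $_.Name -ne 'ahsetup.log' })
if ($certFiles.Count -eq 0) { throw 'SSL.CRT is still empty; check ahsetup.log before starting services.' }
foreach ($svc in $tailSvc) { Start-Service -Name $svc }
Get-Service -Name (@($appSvc) + $tailSvc) | Format-Table Name, Status -AutoSize
```

Run it from an elevated prompt on the restored server. Keeping SSL.CRT.OLD lets you fall back to the previous certificates if ahsetup.log reports a failure.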
Before backing up
If possible, shut down the McAfee ePolicy Orchestrator 5.1.0 Application Server service (Tomcat)
entirely when doing the backup. Otherwise, just make sure no one is installing, uninstalling, or
upgrading an extension during the backup. Normally backups occur during non-peak times (usually
at night), so this shouldn't be a big concern.
McAfee advises that customers place the ePO Server and database into their backup
routines/schedules.
The folder paths shown here should be backed up on the ePO Server:
C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
All installed extensions and configuration information for the ePO Application Server service are found
here. If this directory is not backed up and restored, ePO has to be reinstalled against a clean database
to create new ones.
C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
All Products that have been checked into the Master Repository are located here.
C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE\
The agent, Server, and Repository keys that are unique to the installation are located here. Failing to
restore this folder means re-pushing the agent to all the systems and checking in all of the
deployable packages again.
C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
The Server configuration settings for Apache, the SSL Certificates needed to authorize the server to
handle agent requests, and Console Certificates are located here.
If the customer is concerned about the amount of data being backed up, or simply wants to reduce the
number of items to back up, the following subfolders of the \SERVER folder can be excluded:
C:\Program Files\McAfee\ePolicy Orchestrator\server\logs (server log files)
C:\Program Files\McAfee\ePolicy Orchestrator\server\cache (contains cached information
created and used by ePO, such as generated chart images)
C:\Program Files\McAfee\ePolicy Orchestrator\server\work (contains cached information
about web applications registered with Tomcat; Tomcat regenerates that information if it is
deleted)
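The file-system half of the backup routine (stop Tomcat, copy the four folders, skip the three regenerable subfolders) is shown below as an added PowerShell example; it is not McAfee's script. Paths, the service name and the exclusions come from the text; the backup root is a placeholder. It also saves the four port values from server.ini next to the copy, since those have to be re-entered in the installer and only two of them can be changed afterwards. Assumption: robocopy is available, which it is on supported Windows Server versions.

```powershell
param(
    [string]$EpoRoot    = 'C:\Program Files\McAfee\ePolicy Orchestrator',
    [string]$BackupRoot = 'D:\Backups\ePO',          # placeholder: your backup location
    [string]$AppSvc     = 'McAfee ePolicy Orchestrator 5.1.0 Application Server'
)
$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path $BackupRoot $stamp
New-Item -Path $dest -ItemType Directory -Force | Out-Null

# Folders the text says must be preserved (relative to the install root).
$folders = @('SERVER', 'DB\SOFTWARE', 'DB\KEYSTORE', 'APACHE2\CONF')
# Subfolders of SERVER that can be left out because ePO/Tomcat regenerate them.
$exclude = @('logs', 'cache', 'work') | ForEach-Object { Join-Path $EpoRoot "SERVER\$_" }

# Stop Tomcat so no extension is changed mid-copy; remember whether it was running.
$svc = Get-Service -Name $AppSvc
$wasRunning = ($svc.Status -eq 'Running')
if ($wasRunning) {
    Stop-Service -Name $AppSvc
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

try {
    foreach ($f in $folders) {
        $src = Join-Path $EpoRoot $f
        $dst = Join-Path $dest $f
        # /E copies all subfolders, /R:2 /W:5 limits retries on locked files,
        # /XD skips the excluded directories (they only exist under SERVER).
        & robocopy $src $dst /E /R:2 /W:5 /XD $exclude /NP /NFL /NDL /LOG+:"$dest\robocopy.log" | Out-Null
        # robocopy exit codes below 8 are success (0 = nothing to copy, 1 = files copied).
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }
    }

    # Record the listening ports from server.ini (located in the DB folder).
    $ini = Join-Path $EpoRoot 'DB\server.ini'
    Get-Content -Path $ini |
        Where-Object { $_ -match '^(HTTPPort|AgentHttpPort|SecureHttpPort|BroadcastPort)=' } |
        Set-Content -Path (Join-Path $dest 'ports.txt')
}
finally {
    if ($wasRunning) { Start-Service -Name $AppSvc }
}

"Backup written to $dest"
Get-Content -Path (Join-Path $dest 'ports.txt')
```

The try/finally guarantees Tomcat is restarted even if a copy fails, so a backup error does not leave the console down; robocopy.log in the backup folder is what to read when the exit code is 8 or higher.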
A feature introduced in ePO 5.0 is Disaster Recovery. This feature will save to the database all the
required content needed for backup and restoration.
Disaster Recovery
The ePolicy Orchestrator Disaster Recovery feature uses a Snapshot process to save specific McAfee
ePO server database records to the ePolicy Orchestrator Microsoft SQL database.
The records saved by the Snapshot contain the entire ePolicy Orchestrator configuration at the
specific time the Snapshot is taken. Once the Snapshot records are saved to the database, you can
use the Microsoft SQL backup feature to save the entire ePolicy Orchestrator database and restore it
to another SQL server for an ePolicy Orchestrator restore.
When the installation wizard starts, you can choose to restore ePO from an existing database
snapshot.
What is a snapshot?
ePO 5.x comes with a supported mechanism for disaster recovery which helps you quickly recover, or
reinstall the ePolicy Orchestrator software.
Disaster Recovery uses a Snapshot process that periodically saves the ePolicy Orchestrator
configuration, extensions, keys, and more, to Snapshot records in the ePolicy Orchestrator database.
Using the restored ePolicy Orchestrator SQL database server, which includes the Disaster Recovery
Snapshot, you can connect it to:
- Restored McAfee ePO server hardware with the original server name and IP address. This allows
you to recover from, for example, a failed ePolicy Orchestrator software upgrade.
- New McAfee ePO server hardware with the original server name and IP address.
- New McAfee ePO server hardware with a new server name and IP address. This allows you to,
for example, move your server from one domain to another.
- This example can provide a temporary network management solution while you rebuild
and reinstall the McAfee ePO server hardware and software back in its original domain.
- Restored or new McAfee ePO server hardware with multiple network interface cards (NICs). You
must confirm the correct IP address is configured for the McAfee ePO server NIC.
The Snapshot is configured, depending on your SQL database version, to automatically run every day.
If you configure a script to automatically run the SQL Backup and to copy the SQL backup file to your
restore SQL database server, then you can more easily restore your McAfee ePO server. In addition,
you can manually take a Snapshot or run your scripts to quickly save and backup particularly complex
or important ePolicy Orchestrator changes.
The ePolicy Orchestrator software installation using the Disaster Recovery Snapshot file includes
these general steps performed on the McAfee ePO restore server:
1. Find the SQL database backup file, copied in step 3, of the previous section, and use either the
Microsoft SQL Server Management Studio or the RESTORE (Transact-SQL) command-line process
to restore the primary SQL server configuration to the restore SQL server.
2. During the ePolicy Orchestrator database software installation:
a. On the Software Welcome dialog box, click Restore ePO from an existing Disaster Recovery
database Snapshot.
b. Select Microsoft SQL Server to link the ePolicy Orchestrator software to the restore SQL
database that had the primary McAfee ePO server configuration restored in step 1.
After the ePolicy Orchestrator software installation is started, the database records saved during the
Snapshot process are used in the software configuration instead of creating new records in the
database.
3. If you changed the last known IP address, DNS name, or NetBIOS name of the primary McAfee
ePO server when creating the restore McAfee ePO server, the McAfee Agents will not be able to
connect to the restored McAfee ePO server. The easiest way to let them find it is to create a CNAME
record in DNS that points requests from the old IP address, DNS name, or NetBIOS name of the
primary McAfee ePO server to the new information for the restore McAfee ePO server.
Now the McAfee ePO restore server is running with the exact same configuration as the primary
server. The clients can connect to the restore server and you can manage them exactly as before the
To quickly reinstall a McAfee ePO server, configure a Disaster Recovery snapshot to save, or confirm a
snapshot is being saved to the SQL database. Then back up that SQL database, which includes the
snapshot, and copy the database backup file to a restore SQL Server.
Disaster Recovery can be performed via:
- Dashboard monitor
- Scheduled Server Task
The ePO Server Snapshot monitor, found on your ePolicy Orchestrator dashboard, allows you to
manage and monitor your Snapshots in one place.
Click See details of last run to open the Server Task Log Details page.
This page displays information and log messages about the most recent Snapshot saved.
Confirm the date and time the last Snapshot was saved to the SQL database, next to Last Run At.
Click the Disaster Recovery link to launch the Help page with Disaster Recovery information.
The color and title of the Snapshot monitor tell you the status of your latest Snapshot.
For example:
- Green, Snapshot Saved to Database: the Snapshot process completed successfully and it is up to
date.
- Blue, Saving Snapshot to Database: the Snapshot process is in progress.
- Red, Snapshot Failed: an error occurred during the Snapshot process.
- Orange, Snapshot Out of Date: changes to the configuration have occurred and a recent
Snapshot has not been saved. Changes that trigger a Snapshot Out of Date status include:
  - Any extension changed (for example updated, removed, deleted, upgraded, or downgraded)
  - The "Keystore" folder changed
  - The "conf" folder changed
  - The Disaster Recovery passphrase changed in Server Settings
- Grey, No Snapshot Available: no Disaster Recovery Snapshot has been saved.
You can use the Disaster Recovery Snapshot Server Task to disable and enable the Snapshot server
task schedule.
The Snapshot server task schedule is enabled, by default, for the Microsoft SQL Server database and
disabled, by default, for the Microsoft SQL Server Express Edition database.
Using Disaster Recovery to restore the ePolicy Orchestrator software requires certain hardware,
software, access privileges, and information.
You need two hardware server platforms:
- The existing McAfee ePO server hardware, referred to as the "primary" McAfee ePO server.
- Duplicate ePO server hardware, referred to as the "restore" server, running Microsoft SQL that
matches the primary McAfee ePO server database.
- This restore server should be kept up to date with the latest primary McAfee ePO SQL database
server configuration using Snapshot and Microsoft SQL backup processes.
To avoid backup and restore problems, the primary and restore server hardware and SQL versions
should closely match.
Hardware Requirements
1. The server hardware requirements are determined by the number of systems managed
2. This server hardware should closely mirror your primary McAfee ePO server hardware.
3. This primary server should be up and running correctly with a recent Snapshot saved in the SQL
database.
4. The primary SQL database stores the McAfee ePO server configuration, client information, and
Disaster Recovery Snapshot records.
Software Requirements
1. Using either the Microsoft SQL Server Management Studio or the BACKUP (Transact-SQL)
command-line, you can create a backup file of the primary database including the Snapshot
records.
2. Using either the Microsoft SQL Server Management Studio or the RESTORE (Transact-SQL)
command-line, you can restore the primary database including the Snapshot records on the
restore SQL database server to duplicate the configuration of the primary SQL database.
3. This software, downloaded from the McAfee website, is used to install and configure the restore
McAfee ePO server.
Information Requirements
1. This passphrase was added during the initial installation of the ePolicy Orchestrator software and
decrypts sensitive information stored in the Disaster Recovery Snapshot.
2. You must be able to access both the primary and restore servers and the SQL database as, for
example, DBOwner and DBCreator.
3. If you change any one of these during the McAfee ePO server restore, ensure that the McAfee
Agents have a way to locate the server. The easiest way to do this is to create a Canonical Name
(CNAME) record in DNS that points requests from the old IP address, DNS name, or NetBIOS name
of the primary McAfee ePO server to the new information for the restore McAfee ePO
server.
Using Disaster Recovery to create an ePolicy Orchestrator server Snapshot provides you with a quick
recovery method for the McAfee ePO server.
Configure Disaster Recovery Server Settings
You can change the Keystore encryption passphrase used when you installed the ePolicy Orchestrator
software and link it to an SQL database restored with Disaster Recovery Snapshot records.
backup is made.
Every database in SQL is made up of MDF and LDF files. The ePO database will have its own MDF and
LDF files.
The MDF file contains the actual database content.
The LDF file records all transactions that occur. Each data modification in a SQL Server database is
immediately recorded to disk in a transaction log file with an LDF extension. In the event of a server
problem, such as the server losing power, SQL Server can scan its logs for any data modifications that
were committed and write them to permanent storage in the database. It also rolls back or undoes
any modifications that were not committed by the client program. This architecture ensures that the
data in the database remains consistent.
The ePO databases require regular maintenance to promote optimal performance and to protect the
data. Use the Microsoft management tool appropriate for the version of SQL being used:
- SQL 2008 and 2012: SQL Server Management Studio
- SQL Express: SQL Server Management Studio Express
Depending on the deployment of the ePolicy Orchestrator software, customers should plan on
spending a few hours each week on regular database backups and maintenance. Perform these tasks
regularly, either weekly or daily. However, these tasks are not the only maintenance tasks available.
See the SQL documentation for details on what else you can do to maintain the database.
Important: Use the ePO Disaster Recovery Snapshot feature to periodically save the ePO
configuration, extensions, keys, and more to Disaster Recovery Snapshot records in the SQL database.
This allows you to quickly recover if the hardware hosting the McAfee ePO server ever fails.
When ePO is installed it creates a primary data file that represents the ePO database and a
transaction log file. The Primary file name is ePO_<ServerName>.MDF. Customers should monitor
the size of this file to determine how large the ePO database is growing.
The transaction log file is named ePO_<ServerName>_log.LDF. As transactions are sent to the SQL
Server it records every transaction in a transaction log to maintain database consistency and aid in
recovery. The log is a storage area that automatically tracks changes to a database. As modifications
are executed they are written to disk within this log, before they are written to the database.
It is extremely important that you back up the database in order to reduce the size of the transaction
log file; otherwise it continues to expand and fills up the hard drive.
You can find these files on the database server.
The default location is: C:\Program Files\Microsoft SQL Server\MSSQLx.x\MSSQL\DATA\
You must have a proper database maintenance plan configured to ensure that the ePO database
performance is healthy. There are two ways to create a maintenance plan:
- Maintenance Plan Wizard: recommended for creating a basic maintenance plan.
- New Maintenance Plan: allows you to utilize an enhanced workflow.
To create or manage Maintenance Plans, you must be a member of the sysadmin fixed server role.
Note that this section provides a high-level view of how to create a basic Maintenance Plan for the
ePO SQL database. For detailed information, including supported procedures, refer to the
documentation or help for the SQL Server edition installed for your ePO environment, as well as the
Microsoft TechNet site (http://technet.microsoft.com).
To create a maintenance plan for the ePO database, complete the following steps. For demonstration
purposes, the SQL Server instance hosting the ePO database in this example, is running SQL Server
2008 R2.
1. Click All Programs > Microsoft SQL Server <version >.
2. Expand the Microsoft SQL Server <version > folder, then click SQL Server Management Studio.
A Connect to Server dialog opens.
3. Make sure Authentication is set to Windows Authentication, then click Connect. Note that the
User Name and Password fields are grayed out when Windows Authentication is selected.
McAfee recommends that customers back up their ePO SQL databases regularly, to protect data and
guard against hardware and software failure.
Archiving Data
One successful strategy adopted by customers is to refresh their database every 6 months in the
following way:
1. Back up the database according to their requirements for being able to restore data (e.g.
every week, two weeks, etc.).
2. Every six months, restore a copy from the most current backup (typically the night before),
but restore it under a different name (e.g. ePO_JanJun13, ePO_JulDec13 or similar).
3. Verify that the restored database is working correctly (i.e. reports function, etc.).
4. Delete all events from the live database from January to June (or July to December if the
backup represents the second half of the year).
5. Then detach the archived database and bring it up only when required.
Using this method ensures that the backups are functional and that the backup plan is working
appropriately.
The following, are steps for using test.udl to confirm the database credentials outside of ePO:
1. Create a file on the ePO server called test.udl.
2. Double-click the test.udl file.
3. Click the Provider tab.
4. Select Microsoft OLE DB Provider for SQL Server.
5. Click Next.
6. On the Connection tab, enter the same information entered in ePO's core/config page for the
database connection:
In the Select or enter a server name field, type the SQL server name in the
following format: <servername>\<instancename>,<port>
NOTE: If no named instance is in use, use the following format: <servername>,<port>
You should be aware that Microsoft recommends using Windows Authentication for best security.
McAfee recommends, however, using SQL authentication if Remote Agent Handlers are in use.
As always, http://technet.microsoft.com is an excellent resource for information and articles for all
versions of MS SQL Server.
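The test.udl check above confirms credentials interactively; the same check can be scripted. The function below is an added example (not from the McAfee material) that opens a connection with the .NET SQL client using a server name in the <servername>\<instancename>,<port> format the text describes, and reports which login and database the server actually sees. It covers both authentication modes from the note above: Windows authentication when no credential is passed, SQL authentication when one is. The server and database names are placeholders.

```powershell
function Test-EpoDbConnection {
    param(
        [Parameter(Mandatory)][string]$Server,      # e.g. 'SQLHOST\EPOINSTANCE,1433' or 'SQLHOST,1433'
        [Parameter(Mandatory)][string]$Database,    # e.g. 'ePO_EPOSERVER'
        [pscredential]$Credential                   # omit for Windows authentication
    )
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = $Server
    $b['Initial Catalog'] = $Database
    $b['Connect Timeout'] = 15
    if ($Credential) {
        # SQL authentication, the mode the text recommends with Remote Agent Handlers.
        $b['Integrated Security'] = $false
        $b['User ID']  = $Credential.UserName
        $b['Password'] = $Credential.GetNetworkCredential().Password
    } else {
        $b['Integrated Security'] = $true           # Windows authentication
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Ask the server what it sees, rather than trusting the inputs.
        $cmd.CommandText = 'SELECT SUSER_SNAME() AS LoginName, DB_NAME() AS DbName, @@VERSION AS Version'
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            [pscustomobject]@{
                Connected = $true
                Login     = $r['LoginName']
                Database  = $r['DbName']
                Version   = ($r['Version'] -split "`n")[0].Trim()
            }
        }
        $r.Close()
    } catch {
        # Typical causes: wrong instance or port (timeout), "Login failed for user"
        # (SQL error 18456), or the login cannot open the database (error 4060).
        [pscustomobject]@{ Connected = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Windows authentication, using the account running this PowerShell session:
Test-EpoDbConnection -Server 'SQLHOST\EPOINSTANCE,1433' -Database 'ePO_EPOSERVER'

# SQL authentication, prompting for the password instead of embedding it in the script:
$cred = Get-Credential -UserName 'epo_sql_user' -Message 'ePO SQL login'
Test-EpoDbConnection -Server 'SQLHOST,1433' -Database 'ePO_EPOSERVER' -Credential $cred
```

Run it under the same account that the ePO services use when checking Windows authentication; a success for your own admin account says nothing about the service account's access.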
sqlcmd Utility
The sqlcmd utility lets you enter Transact-SQL statements, system procedures, and script files at the
command prompt, in Query Editor in SQLCMD mode, in a Windows script file or in an operating
system (Cmd.exe) job step of a SQL Server Agent job. This utility uses OLE DB to execute Transact-SQL
batches.
sqlcmd replaces osql for initiating command-line transactions in SQL Server and can be used to
perform such actions as initiating a backup from the command line.
For detailed information please see:
sqlcmd Utility http://technet.microsoft.com/en-us/library/ms162773(SQL.90).aspx
Transact-SQL Syntax Conventions (Transact-SQL) (SQL 2008 and SQL 2012)
http://technet.microsoft.com/en-us/library/bb510741.aspx
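The SQL-side procedures described earlier (the database backup that carries the Disaster Recovery Snapshot records, the transaction log growth section, and the six-monthly archive-and-purge routine under "Archiving Data") all come down to BACKUP and RESTORE statements, which sqlcmd is the natural way to script. The following PowerShell is an added example, not McAfee's code or a supported procedure: it takes a full backup, takes a log backup when the database is in the FULL recovery model (in that model only a log backup lets SQL Server reuse log space, which is the mechanism behind the text's advice about the .LDF growing), restores the backup under an archive name with the data files relocated, verifies the archive, purges the half-year from the live database in batches, and detaches the archive. Assumptions: Windows authentication, the ePO_<ServerName> naming from the text built from this host's name, and that events live in a table named EPOEvents with a ReceivedUTC column; the page names neither, so confirm both in your schema before running the DELETE.

```powershell
param(
    [string]  $SqlServer   = 'SQLHOST\EPOINSTANCE',        # placeholder: your SQL instance
    [string]  $Database    = "ePO_$env:COMPUTERNAME",      # ePO_<ServerName> per the text
    [string]  $BackupDir   = 'D:\SQLBackups',              # placeholder: must exist on the SQL host
    [string]  $ArchiveName = 'ePO_JanJun13',
    [datetime]$From        = '2013-01-01',
    [datetime]$To          = '2013-07-01',                 # exclusive upper bound
    [string]  $EventTable  = 'EPOEvents'                   # assumed; verify in your schema
)
$ErrorActionPreference = 'Stop'

function Invoke-Tsql([string]$Sql, [string]$Db = 'master') {
    # -b makes sqlcmd exit non-zero when a batch fails, so errors are not silent.
    & sqlcmd -S $SqlServer -d $Db -E -b -Q $Sql
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed (exit $LASTEXITCODE): $Sql" }
}
function Get-Scalar([string]$Sql) {
    # -h -1 drops headers, -W trims padding; SET NOCOUNT ON drops the row-count line.
    $out = & sqlcmd -S $SqlServer -E -h -1 -W -s ',' -Q "SET NOCOUNT ON; $Sql"
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed (exit $LASTEXITCODE): $Sql" }
    $out
}

$stamp = Get-Date -Format 'yyyyMMdd'
$full  = Join-Path $BackupDir "$Database-$stamp.bak"
$log   = Join-Path $BackupDir "$Database-$stamp.trn"
$fromS = $From.ToString('yyyy-MM-dd')
$toS   = $To.ToString('yyyy-MM-dd')

# 1. Full backup. The Disaster Recovery Snapshot is rows in this database, so this
#    .bak is the file to copy to the restore SQL server.
Invoke-Tsql "BACKUP DATABASE [$Database] TO DISK = N'$full' WITH INIT, CHECKSUM"

# 2. Log backup, only meaningful in the FULL recovery model (SIMPLE truncates on its own).
$model = "$(Get-Scalar "SELECT recovery_model_desc FROM sys.databases WHERE name = N'$Database'")".Trim()
if ($model -eq 'FULL') {
    Invoke-Tsql "BACKUP LOG [$Database] TO DISK = N'$log' WITH INIT, CHECKSUM"
}

# 3. Archive: restore the fresh backup under a different name. Each logical file is
#    MOVEd to a new physical file beside the live one so the MDF/LDF do not collide.
$files = Get-Scalar "SELECT name, type_desc, physical_name FROM sys.master_files WHERE database_id = DB_ID(N'$Database')"
$moves = foreach ($row in $files) {
    if ([string]::IsNullOrWhiteSpace($row)) { continue }
    $name, $type, $path = ($row -split ',', 3) | ForEach-Object { $_.Trim() }
    $ext = if ($type -eq 'LOG') { 'ldf' } else { 'mdf' }
    $newPath = Join-Path (Split-Path -Path $path -Parent) "$($ArchiveName)_$($name).$($ext)"
    "MOVE N'$name' TO N'$newPath'"
}
Invoke-Tsql ("RESTORE DATABASE [$ArchiveName] FROM DISK = N'$full' WITH " + ($moves -join ', '))

# 4. Verify the archive answers queries before touching the live database.
Invoke-Tsql "SELECT COUNT(*) AS ArchivedEvents FROM [$EventTable] WHERE ReceivedUTC >= '$fromS' AND ReceivedUTC < '$toS'" $ArchiveName

# 5. Purge that half-year from the live database in batches so one huge DELETE
#    does not itself bloat the transaction log, then detach the archive.
$purge = "WHILE 1 = 1 BEGIN DELETE TOP (20000) FROM [$EventTable] WHERE ReceivedUTC >= '$fromS' AND ReceivedUTC < '$toS'; IF @@ROWCOUNT = 0 BREAK; END"
Invoke-Tsql $purge $Database
Invoke-Tsql "ALTER DATABASE [$ArchiveName] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; EXEC sp_detach_db N'$ArchiveName'"
"Archive $ArchiveName written from $full and detached; live events before $toS removed."
```

The backup paths are interpreted by the SQL Server service, not by the machine running the script, so $BackupDir must exist and be writable on the SQL host. Re-attaching the archive later is a matter of CREATE DATABASE ... FOR ATTACH against the relocated files.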