Loading...

Knowledge Center


FAQs for ePolicy Orchestrator 5.x
Technical Articles ID:   KB81534
Last Modified:  5/13/2019
Rated:


Environment

McAfee ePolicy Orchestrator (ePO) 5.x
McAfee ePolicy Orchestrator on AWS

Amazon Web Services (AWS)

Summary


Recent updates to this article:
 
Date Update
May 13, 2019 Updated the following FAQ in the "ePO on AWS" section: Can I use my existing license or do I need to purchase a new license to use the ePO on AWS offering?
April 4, 2019 Added FAQ to cover MSI error 1503 to the installation section.
January 2, 2019 Removed a link to an unpublished product document.
December 12, 2018 Multiple updates to some of the existing FAQs and several new additions in the ePO 5.10.0 Updater tool section.
October 9, 2018 Added a section that covers a new ePO 5.10.0 Updater Tool.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.


This article is a consolidated list of common questions and answers and is intended for users who are new to the product, but can be of use to all users.
Contents:

Click to expand the section you want to view:


What services does the McAfee ePO server use?
The McAfee ePO server uses the following services:
  • Application Server (Tomcat) service - The core responsibilities of this service are:
    • Provide your web browser with a Java-based webpage to remotely manage the McAfee ePO server through the ePO console
    • Manage extensions, notifications, policies, repositories, the System Tree, and dashboards
    • Enable SQUID (Structured Query User Interface) to provide the reporting user interface
    • Run the automatic response system
    • Provide user permissions and settings for the McAfee ePO server and components
  • Event Parser service - The core responsibilities of this service are:
    • Pass events to the Tomcat service
    • Store events in the ePO database
    • Normalize events using Common Event Format (CEF)
  • Apache service - The core responsibilities of this service are:
    • Handle communications from McAfee Agent to the McAfee ePO server
    • Cache policies to reduce database reads and speed up agent-server communication intervals (ASCI)
    • Manage events, groups, tags, and agent sorting
    • Pass events to the Event Parser service

Are there any tools available to help parse the log files?
McAfee recommends Notepad ++ and SMS Log Viewer. Microsoft Operations Manager (MOM) also has a log viewer where you can view logs in real time, much like SMS Log Viewer.


Is there any ePO console training available?
For a list of training courses, visit https://mcafee.netexam.com/catalog.html#center-panel:main-ui-training.
 
How do I upgrade to the latest ePO release or update?
See the ePolicy Orchestrator Installation Guide, ePolicy Orchestrator Release Notes, and known issues in the ePO installation / update upgrade checklist in KB71825.
For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.


How do I check in my products to ePO 5.x?
ePO 4.6 introduced the Software Manager. Since that version, you can automatically see updates (other than DATs and Engines) to your licensed products listed in the Software Manager. You can use the Software Manager to download:
  • Licensed software
  • Evaluation software
  • Software updates
  • Product documentation
To manually check in packages, see the ePolicy Orchestrator Product Guide for your version.


What is the minimum hard drive space required to upgrade an ePO database to a new version of ePO?
The minimum hard drive space required depends on the size of the ePO database. A safe estimate is about twice the size of your current ePO database. An upgrade requires a large amount of transaction log space that is used during the upgrade to hold a copy of the EPOEvents table (typically the largest table in an ePO database). Ensure that the transaction log is allowed to grow to a size at least as large as the EPOEvents table.

IMPORTANT: As with all ePO upgrades, perform a full backup of the McAfee ePO server and database before you upgrade. For instructions, see KB66616.

Does the ePO installer change the SQL Server during installation?
No, the ePO installer does not change the SQL Server installation.
  • The ePO installation does not use the database master and makes no SQL server-wide changes. It does not require System Administrator rights on the SQL Server itself to install, but it does require permissions to create and drop a database during the installation process.
  • The installer creates a database, uses the database, and then drops the database to verify it has the appropriate rights. The installer writes to two databases: Tempdb and the ePO database. After the installation is complete, DBO rights on the ePO database are sufficient for normal operation.
  • Master and MSDB are indirectly changed when the ePO database object and its Xact log are created, but the ePO installer makes no changes directly. Also, ePO executes the CREATE DATABASE invocations during installation from the context of dbo.master, but that is only because it has to start somewhere.

How do I troubleshoot installation failures?
The main ePO installer log is %temp%\McAfeeLog\EPOXXX‑Install‑MSI.log. This file contains all information about the installation including what the installer was doing and any failure information. Search from the bottom up for the word aborted. You can then see where the setup was aborted and the error messages are directly above.

 
What can I do when my installation fails with a 1603 error?
A 1603 error is a generic Microsoft MSI error code which can appear during an installation or upgrade of any McAfee product. The code on its own cannot determine the cause. Additional logs and symptoms can help a Technical Support Engineer investigate and resolve the issue.
 
How do I stop the web browser certificate warning from displaying when connecting to the ePO console?
The McAfee ePO server uses a self-signed certificate for SSL communication with the web browser, which, by default, the browser does not trust. This fact causes a warning message to display every time you connect to the ePO console. To prevent this warning message from displaying, you must do one of the following:
  • Add the McAfee ePO server certificate to the collection of trusted certificates used by the browser.
  • Replace the default McAfee ePO server certificate with a valid certificate that signed by a certificate authority (CA) that the browser trusts.

How do I change the McAfee ePO server SQL database connectivity settings?
You can change the SQL database connectivity settings using a webpage available at https://localhost:8443/core/config-auth, where 8443 is the console communication port. After installation, this method is the only way to configure the SQL database connectivity settings through a user interface.

What is the best method to monitor and be alerted of Failed or Terminated server tasks?
Automatic responses are generally the mechanism used to generate notifications to ePO administrators for these types of events. But, these responses are triggered from client and server events. Unfortunately, there is not a generic server event generated if there is a failed server task.

ePO does have a server event generated when the following tasks fail:
  • Replication
  • Pull
  • AD Discovery
  • NT Domain Sync
  • Computer Import
NOTE: Configure tasks by creating an Automatic Response for Notification Server events and filtering by event IDs that correspond to these specific server task failures.


Agent Handlers need to communicate directly with the ePO SQL Server. Is there a guide available to estimate the increased impact to the SQL Server for each Agent Handler added and number of clients it supports?
A general rule is the number of processor cores on the server x8 (or 16), whichever is greater. So, a system running two hyper-threaded Xeons allows 32-threads for the event parser work queue and 32 database connections. A single processor non-hyper-threaded system defaults to the minimum 16 threads and connections.


When is the best time to add additional Agent Handlers to an ePO environment?
Most commonly, it is recommended that you use Agent Handlers to connect clients in a DMZ, for network and application load balancing, or both. If you are seeing numerous server busy messages, it might be time to add an Agent Handler, increase your ASCI times on the agent policies, or both.

NOTE: Apache processes only 250 simultaneous connections, but the server typically processes these connections in milliseconds. McAfee determined that this low number is adequate even for enterprise environments.


We have seen many "server too busy" (245 connections) messages; does adding an Agent Handler resolve this problem?
It might, but if there is a problem on the backend SQL Server, it will not. Adding an Agent Handler only increases the load to the SQL Server.

There are many possible reasons for the server too busy message in the Agent log. Check to see whether the server recovers by itself after a short time without restarting the service. If the server does recover by itself, it is likely a configuration issue. Consider decreasing the frequency of the agent-server communication interval (ASCI), creating distributed repositories, or decreasing the number of client tasks or the frequency in which they are running. One Agent Handler can typically handle up to 50,000 client systems.


Do leap second issues affect ePO?
No. A leap second is a one-second adjustment sometimes applied to UTC to keep its time of day close to the mean solar time (UT1).

Leap second issues do not affect ePO and McAfee Agent.

General
What is ePO on AWS?
McAfee can now deploy ePO and other related infrastructure elements through AWS Quick Starts. The solution is known as ePO on AWS.


Where can I find more information about this solution?
From AWS Quick Starts at: https://aws.amazon.com/quickstart/architecture/mcafee-epolicy-orchestrator/


Can I use my existing license or do I need to purchase a new license to use the ePO on AWS offering?
You can use your existing ePO on-premises license to use the ePO on AWS offering (Bring Your Own License - BYOL). No new license or SKU purchase is required.


What are the infrastructure elements that are part of the AWS Quick Starts stack?
ePO Application Server, Agent Handlers, DXL Brokers, and RDS SQL DB.


Who owns and pays for the infrastructural elements that run in AWS?
The customer owns and pays the running costs to AWS.


What versions are the stack elements (ePO/DXL brokers) based on?
They are based on:
  • ePO 5.10
  • DXL 4.1.0

I don't use DXL functionality and don't need it, why is there a DXL broker in the default stack configuration?
It is required so that endpoints within the corporate network are reachable for operations such as Agent Wake Up or Run Client Task.
If you have an alternative such as AWS Direct Connect that ensures connectivity from your AWS VPC to your internal network, you can change the 'Auto scaling Groups' for DXL brokers. After the stack is set up, change these groups to have a Min and Max value of 0.


What are the McAfee products that are supported with ePO on AWS?
For the ePolicy Orchestrator 5.10.x minimum supported extension versions, see KB90383.


What AWS regions are supported with this solution?
For details about regional support for ePolicy Orchestrator on Amazon Web Services, see KB90695.


Why use 'Quick Starts' over designing and setting up an infrastructure myself?
Quick Starts is the gold standard for deployments in AWS. The architecture and stack elements have been designed in consultation with AWS. Using AWS Quick Starts also removes the complexity of sizing and designing the deployment architecture.


Does this offer use AWS Relational Database Service (RDS) for SQL?
Yes.


Does this Quick Starts solution support BYOSQL?
Yes, if it is an existing RDS instance; otherwise no.


Is there a similar offering for Azure?
Not currently. If you want an offering, raise a Product Enhancement Request (PER). For information about logging PERs, see KB60021.


If I have a product that I use that is in the Product Compatibility List (PCL) 'block list', how do I get planning to support it?
Raise a Product Enhancement Request (PER). For information about logging PERs, see KB60021.


Is operation of the stack elements in FIPS mode supported?
No


Is AWS GovCloud supported with this solution?
Yes.


Initial Set-up and Configuration
 
For the Deployment Environment field (in the template), what is the difference between 'Production' and 'Development'?
The Development option enables customers to trial the solution at a lower cost. For example, the SQL instance that spun up when 'Development' option is selected, is RDS SQL Server Express edition.


Can I switch from 'Development to 'Production' mode?
No. You must create a new stack with 'Production' mode selected.


What do I have to do if the number of managed endpoints (or managed products) increases or decreases in my environment?
  • ePO Application Server - Create an AMI out of the running ePO instance. Shut down the original EC2 instance and remove it from the Load Balancer target groups. Start a new ePO instance from the AMI, configure the required capacity like EC2 instance type or storage. After the McAfee ePO server is up and running, add it to the Load balancer target group.
    See the table in the 'cost estimation' section for guidance on the recommended instance parameters.
  • Agent Handlers and DXL brokers - Auto scaling capabilities for these components ensures availability of an appropriate number of functional AHs and DXLs; no action is required.
  • RDS SQL - You have to manually change the Database instance specifications. See the table in the 'cost estimation' section for guidance on the recommended instance parameters.
 
Which of the template parameters can be changed at a later point in time?
See the following table for details:
 
Template Parameters that can be changed
McAfee Enterprise Security Management Platform Configuration None
Network Configuration External Bastion Access CIDR
On-premises Network Configuration None
ePO Application Server Configuration External Access CIDR
ePO Database - Amazon RDS (SQL Server) Configuration None
ePO Agents(Client) Configuration External Access CIDR
Administration Configuration All


What components of the stack does 'high availability' apply to?
It applies to:
  • Agent Handler
  • DXL Brokers
  • RDS SQL
 
Can the selected availability zones be of different regions, for example, Frankfurt and London?
No, high availability is restricted to availability zones within the same region.


Are the requests from the endpoint agents load balanced in a setup with high availability?
Yes.


Why is there a need to specify an AWS Key Pair? What is this used for?
The key pair is required to enable secure connection to the instances.


How can I control access to my ePO? For example, to restrict access to only to a set of IPs?
Use the 'External Access CIDR' field in the ePO Application Server Configuration template.


Can I apply an existing Virtual Private Cloud (VPC) to deploy my ePO infrastructure?
Yes. See the Quick Starts deployment guide at:https://aws-quickstart.s3.amazonaws.com/quickstart-mcafee-epo/doc/mcafee-epo-on-the-aws-cloud.pdf


How do I connect my Active Directory (AD) infrastructure to ePO running on AWS?
Connect the AWS VPC to your internal network. Make this connection through either a Virtual Private Network (VPN) or AWS Direct Connect.


Are there any firewall ports that I need to open for communication with my on-premises infrastructure?
No. Outbound ports to DXL broker, ePO console, and Agent Handler (AH) are configured during stack creation.


Can I pair the stack with an existing RDS instance?
Yes.


How is the logon URL for ePO determined? Where can I get this information?
You can find this information using any of the following methods:
  • Under CloudWatch, Dashboards (select stack), Quick Links.
  • Under Stacks, Select the root stack. The information is in the Outputs tab.
  • Through the Welcome email.

    NOTE: The Welcome email is not sent to customers that use the GovCloud region.

Can I export my existing Database (DB) and import it into RDS? Does this solution help?
No. This solution does not provide any Out of Bound (OOB) options to help with importing an existing DB.


Can I have AH/DXL brokers both on-premises and in AWS?
This situation is not recommended. Latency between an Agent Handler and the Database needs to be as low as possible for better performance and scalability.


How do distributed repositories work with ePO and DXL brokers in AWS?
UNC and HTTP as distributed repositories are supported. With AWS VPN connectivity, you can use SuperAgent repositories on-premises with lazy caching, and point-to-point relay as well.


Can I change the CFT template and does Technical Support it?
Yes. But McAfee does not maintain any custom or customer changes. So, you might lose your custom work when creating an Amazon Machine Image (AMI).
WARNING: You might lose access to the McAfee 'update' feature for AH and DXL brokers, if the default templates are not used.


How do I log on to the stack components (ePO, AHs, and DXL brokers)?
For details, see KB90847.


What if I do not provide a Load Balancer certificate Amazon Resource Name (ARN)? How will the communication work in this case?
If no certificate is provided, a self-signed certificate is created and used for communication.


How can I control access to the stack elements (ePO, AHs, and DXL brokers)?
Use the 'External Access CIDR' field within the Network Configuration template.


Cost Estimation
 
How quickly can the stack be set up?
Typically in less than an hour. The actual configuration of the template parameters is a small proportion of the total time.

Information about the instances that are spun as part of the stack:
 
Instance Number of Managed Endpoints
1-10k 10k -25k 25K-75K 75K-150K 150K-250K 250K-400K 400K-500K
ePO Server Instance type m5.large m5.xlarge m5.2xlarge
ePO Server storage 256 GB 512 GB 512 GB
DB Server RDS type sqlserver-se sqlserver-ee
RDS Instance type db.m4.large db.m4.xlarge db.r4.2xlarge db.r4.4xlarge db.r4.8xlarge db.r4.16xlarge
RDS DB Storage 250 GB 500 GB 1000 GB 2000 GB
RDS IOPS 1000 1500 2000 3500
AH Instance type c4.large 128 GB
No. of remote AH instances 1
(2 with HA)
1
(2 with HA)
2
(4 with HA)
2
(4 with HA)
3
(6 with HA)
4
(8 with HA)
4
(8 with HA)
DXL Broker Instance type c4.large 64 GB
No. of DXL Broker instances 1
(2 with HA)
1
(2 with HA)
2 4 7 10 13

NOTE: For how to measure bandwidth usage of Agent Handlers in an ePolicy Orchestrator (on-premises) environment, see KB90826.
 
Ongoing maintenance in AWS
As a customer, do I have the responsibility of patching the base operating system for the stack elements? How do I do that?
NOTE: Remote Agent Handlers and DXL Brokers are located under the Auto-scaling group. If they are closed and created with new instances, you might have to do the patching again.

What is the process for applying hotfixes for the ePO Application Server?
You must accomplish the task manually; run the ePO installer.


What is the process for upgrading and applying a hotfix for an Agent Handler (AH) and DXL Broker?
Either:
  • Apply updates delivered by McAfee via CI/CD pipeline by selecting Yes for 'Updates for Stack Components' in the template.
    OR
  • If 'Updates for Stack Components' is set to No, you manually update the stack from the CloudFormation template Actions and perform an Update Stack. The action replaces the older versions and AMIs of AHs and DXL Brokers with the newer versions

    NOTE: Customers that use the GovCloud region, have to use this option.

What components are the 'Updates for Stack Components' relevant to?
Agent Handlers and DXL Brokers.

NOTE: Customers using the GovCloud region, have to use the CloudFormation template Actions, and perform an Update Stack.

How does the update mechanism for the Agent Handler and DXL Brokers work, when 'Updates for Stack Components' is selected?
New instances of AHs and DXL Brokers are spun up. When the health of these new instances is determined to be appropriate, the old instances are closed.


What if I opt out of 'Updates for Stack Components'?
You have to update the stack components manually.


Is there a similar AutoUpdate mechanism for ePO Application Server?
No.

Is the Disaster Recovery process different from what it is for ePO on-premises today?
No. It is similar to the ePO on-premises. For details, see the ePO onAWS Disaster Recovery article KB90845.


Is Database Snapshots turned on by default, and how frequent is that?
The DB snapshots are turned on by default, and the backups are daily. More information can be found at:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html


How about database snapshots, when an existing instance is used?
If an existing RDS is used, it follows the same backup schedule for the existing RDS.


What if Application Server goes down? What would be the recovery process?
Follow the ePO disaster recovery process.


If I have changed the template, for example, for DXL brokers, can I still use 'easy updates' for AHs made available through the CI/CD pipeline?
No, changing the template is not supported


Is the migration process for transferring endpoints to ePO on AWS similar to on-premises?
Yes. A VPN connection is required to establish connection to the database that is on premise.


What is Auto Scaling and how does it work?
Based on the use of the stack elements, Agent Handlers, and DXL Brokers are added or removed. This action translates to optimal resource consumption and money spent. Auto Scaling is handled behind the scenes by monitoring parameters such as active connections and latency between Agent Handlers and the database.


What components does Auto Scaling extend to?
Agent Handlers and DXL Brokers.


Can I disable Auto Scaling?
Yes. Manually set minimum and maximum values for the 'Auto scaling Groups' for AH and DXL Brokers.


Where can I find the ePO log and is it available in real time?
The ePO, Agent Handler, and other logs can be found in CloudWatch under /mcafee/.


Is the solution integrated with CloudWatch?
The ePO, AH, and DXL provision logs can be found in CloudWatch. The solution also provides an out-of-band (OOB) dashboard that provides information about the health of the stack components.


How do I determine whether there is an event relating to Auto Scaling or update of AH or DXL broker?
The information is available in the Auto Scaling group history.


What happens if I manually close any ePO, AH or DXL instances from within the AWS console?
WARNING: Do not manually close any instances of the ePO solution from within the AWS console. It results in unintended consequences.


How do I reset or recover the ePO, RDS or DR password?
From the parameter store under Systems Manager Service. If you have forgotten the password to your ePO console, ePO database or the DR passphrase, you can retrieve them from within the parameter store of your stack
Back to top
How are ePO 5.10.0 Cumulative Updates different from previously released patches?
Patches, for example ePO 5.9.1, are full installer packages. ePO 5.10.0
Cumulative Updates, for example ePO 5.10.0 Update 2, are a rollup of fixes that contain only the delta required for the fixes.


Why has McAfee introduced the Update model for ePO 5.10.0?
This model has been introduced to make it easy for customers to stay current and secure. The Update model enables a lightweight two-step approach for applying fixes in a customer environment.


Will Cumulative Updates be the McAfee preferred model for delivering fixes going forward for ePO 5.10.0?
Yes. Cumulative Updates replace the earlier model for delivering defect fixes via patches.


Are ePO 5.10.0 updates cumulative?
Yes. As the name suggests, Cumulative Updates for ePO 5.10.0 are cumulative in nature.
Example: ePO 5.10.0 Cumulative Update 2 contains all fixes available in Update 1. You need to apply only the latest Cumulative Update to get to a current state.


What versions of McAfee ePO are supported for Cumulative Update 2?
General Availability releases:
  • McAfee ePO build 5.10.0.2408.4
  • McAfee ePO build 5.10.02428.5 (Repost)

I have done a Disaster Recovery of my McAfee ePO setup after applying a Cumulative Update; do I need to apply the Cumulative Update?
Yes. Run the updater tool included in the Cumulative Update and select Repair to reapply the fixes.


Where can I find updates for ePO 5.10.0?
You can find the updates either in the ePO Software Catalog or on the Product Downloads site at http://mcafee.com/us/downloads/downloads.aspx.


Where can I find the version of the update installed via the ePO console?
The version of the update installed is found in Server Settings page under McAfee ePO and Database Server Information.
Example: Server Information:
  • Version: 5.10.0.2428
  • Update Installed: Update 2


Why am I able to see ePO 5.10.0 Update 2, but not Update 1 on the Product Downloads site or in the Software Catalog?
Update 1 was only Released to Support (RTS) and was not made available on the Product Downloads site or in the Software Catalog.


How do I install an ePO 5.10.0 update in my environment?
The ePO 5.10.0 Update # package also includes the ePO Updater Tool that is intended to guide and simplify the application of fixes in customer environments.


Is it possible to run ePO Updater on Remote Agent Handler servers?
Yes. But, you need to execute the ePO update first on the ePO Server and Local Agent Handler, before trying to execute it on the Remote Agent Handler server.


What can I do when the ePO services are not stopping when executing an ePO update?
One of the following actions must be implemented if you see a pop-up message while running the ePO Updater tool stating the services are not stopped.
To complete the update, take one of the following actions:
  • Stop the services manually.
    Or
  • Perform an End task operation of the McAfee services via the Task Manager and click Repair.

Is it possible to revert the changes applied from an ePO update?
Yes. Click Rollback in the updater tool to restore ePO to its previous state.


Will the ePO Updater work on non-English operating systems?
Yes. But the updater locale is in English only.


Is a cluster environment supported?
Yes. But, you must execute the ePO Updater tool on a data drive when McAfee ePO is installed in a cluster environment.


Can I run the ePO Updater when the SQL Server encryption option is set to ON?
No. When the SQL Server encryption is set to ON, you see the following error: "Failed to connect to database".

Workaround: Enable the flag in \resources\app\config\settings.json. By default, it is set to false.
Change the following value to true: "encryptedDBConnection" : true,

Where can I find information about the fixes that an update contains?
See the article "Supported platforms, environments, and operating systems for ePolicy Orchestrator" (KB51569)
In the article, under the Release Information section, you find a list of all ePO updates and their corresponding release notes. The ePO Updater Tool also provides information about the included fixes.


Where can I find instructions for running the ePO Updater Tool?
See the ePolicy Orchestrator 5.10.0 Update 2 Release Notes (PD28102).


Are security vulnerability fixes delivered in the ePO updates?
Yes. Updates are the preferred approach for delivering fixes for security vulnerabilities.


Which versions of ePO are updates available for?
Cumulative Updates are available for ePO 5.10.0 and later.


I am a customer upgrading from ePO 5.3.x or 5.9.x; how can I get to a current state?
Follow the steps below:
  1. Upgrade to ePO 5.10.0 (GA). For details, see the ePolicy Orchestrator 5.10.0 Installation Guide (PD27628).
  2. Apply the latest available update.

I have already upgraded to 5.10.0. How can I continue to stay current?
Download and apply the latest updates as they are released. If you would like to be notified when and ePO update is released, subscribe to SNS notifications. For details, see KB51560.


Where in the ePO console can I find the version of ePO I currently have installed?
In the ePO console, navigate to Server settings, Server information.


Back to top

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.