Issue #1 - Windows Systems

On Windows endpoint systems, if you run a combination of the following products, it results in the communication between MA 5.x and ePO being blocked.

• Host IPS 8.0 Patch 4 or earlier
  And
• MA 5.x or later

The above occurs when the following two conditions are met before an upgrade or install of MA 5.x:

• Host IPS firewall is enabled.
• Allow McAfee Signed Applications is not enabled and there are no explicit firewall rules allowing traffic between MA and ePO.

Windows endpoint systems could encounter this issue in one of two ways:

• Existing deployments of Host IPS 8.0 Patch 4 or earlier and MA 4.x are upgraded to MA 5.x or later.
• New deployments receive a combination of Host IPS 8.0 Patch 4 or earlier and MA 5.x or later.

NOTES:

• The default behavior of the Host IPS firewall is to block all traffic.
• All network traffic between MA and ePO is blocked when the Host IPS firewall rules that allow traffic are deleted. These rules might be intentionally or unintentionally deleted.

Solution:
Host IPS 8.0 Patch 5 and later resolve this issue. This fix includes an updated default firewall policy and other firewall rules to make sure communication between MA 5.x and ePO 5.x. 

Workarounds for the above issue on Windows systems:

1. Apply the Host IPS October 2014 Content package version #6015 to all systems running Host IPS 8.0.
2. After the Host IPS Content has been updated, you can use one or more of the following workarounds to avoid this issue:
   • Add a Host IPS firewall rule Allow McAfee Signed Applications to the Firewall Rules policy that are currently being assigned to all endpoints. For an example of how to create a rule to allow McAfee Signed Applications, review the McAfee Default policy under Trusted Applications. The first rule, All McAfee Signed Applications, has executable criteria defined that you can use as an example. 
      
   • Make sure that the McAfee Default policy under the Host IPS Trusted Applications policy is assigned to all endpoints. The first rule under this policy, All McAfee Signed Application. This option makes sure that MA can communicate with ePO.
     
     NOTE: This rule is a unidirectional. It allows MA to ePO communication, but not from ePO to MA. So, this rule does not allow an agent wake-up call.
      
   • Create explicit Host IPS firewall rules that allow traffic to and from the ePO server by doing one of the following:
     • Specify the IP address of the ePO server in a firewall rule.
     • Specify the IP address of the ePO server in the Host IPS firewall "Trusted Networks" policy.

NOTE: When you apply these workarounds, McAfee recommends that you validate them first on test systems. This validation enables you to make sure that the configured policy works, before you deploy them to production systems in your organization.

If the endpoints are locked down because of this issue, do the following:

1. Get local access to the computer.
2. Open and unlock the Host IPS client console.
3. Do one of the following:
   • Disable the firewall.
   • Create local firewall rules as described in the Workarounds section above.

Issue #2 - Linux Systems

Upgrade to MA 5.x might fail on Linux systems running Host IPS 8.0 Linux Patch 5 or earlier versions.


Solution:
Host IPS 8.0 for Linux Patch 6 or later support MA 5.x and ePO 5.x.  
NOTE: Make sure that either version also has Host IPS security content 6708 or later.

Workaround for Issue #2 on Linux systems: 
Configure a Host IPS policy with "IPS disabled" before an MA 5.x upgrade. After you upgrade to MA to 5.x, configure a Host IPS policy to enable "IPS" again.