How to configure the TIE Server infrastructure in a multiple-ePO environment
Technical Articles ID:   KB88621
Last Modified:  6/20/2019

Environment

McAfee Threat Intelligence Exchange (TIE) Server - all supported versions

For details about the TIE Server supported environments, see KB83368.

Summary

Before you begin
You must bridge the Data Exchange Layer fabric to enable communication between the hubs. For instructions, see the Data Exchange Layer Product Guide for your product version. To access product documentation, see the Related Information section below.

Minimum configuration requirements for setting up TIE in a multiple-ePO environment

  • Two ePO instances
  • Two DXL Hubs (one for each ePO instance)
  • DXL Broker Management, DXL Client, and DXL Client Management extensions that match the versions of each ePO instance
  • One TIE Server appliance
  • A TIE Server Management extension that matches the version of each ePO instance


General considerations
If you use DXL Broker and TIE Server bundle appliances, you would have four DXL Brokers and four TIE Servers. As a result, each ePO server manages two brokers and two servers.


Configure the TIE Server certificates

  1. Log on to the ePO console.
  2. Select Menu, Server Tasks, and click Actions.
  3. Run the TIE Server Synchronize CA task.
  4. Repeat this step on each ePO instance.

    NOTE: Wait a few minutes for the synchronization to take place.
     
  5. After synchronization completes, connect to each TIE Server appliance through SSH or a VMware Console.
  6. To obtain the updated CA from the ePO server, execute the reconfig-ca command on each TIE Server appliance.
  7. To verify that the tie_server_ca.crt and tie_server.jks files are updated, do the following:
    • Execute the ls command and check the dates. 
    • Execute the md5sum command and check whether the content has changed before and after running reconfiguration.
NOTE: The TIE Server appliances trust certificates that are signed by either of the ePO instances, not exclusively those signed by the ePO server that manages each appliance.
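
The before-and-after check in step 7 can be scripted as below. This is an added example, not part of the original article or McAfee tooling; the directory holding the two files is not given in the article, so `CERT_DIR` is a placeholder you must set, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: snapshot the TIE Server trust files before reconfig-ca and
# classify each one afterwards. Requires GNU md5sum and stat.

TIE_FILES="tie_server_ca.crt tie_server.jks"   # file names from step 7

# snapshot DIR -> one line per file: "<name> <md5> <mtime-epoch>"
snapshot() {
    local dir="$1" f
    for f in $TIE_FILES; do
        if [ -f "$dir/$f" ]; then
            printf '%s %s %s\n' "$f" \
                "$(md5sum < "$dir/$f" | cut -d' ' -f1)" \
                "$(stat -c %Y "$dir/$f")"
        else
            printf '%s MISSING 0\n' "$f"
        fi
    done
}

# compare_snapshots BEFORE AFTER -> "<name> <status>" per file, where status is
#   changed       content (md5) differs: the file was regenerated
#   touched-only  newer date but identical content
#   unchanged     same content and same date: reconfiguration had no effect
#   missing       file absent after reconfiguration
compare_snapshots() {
    local name md5 mtime old_md5 old_mtime
    while read -r name md5 mtime; do
        old_md5=$(awk -v n="$name" '$1 == n {print $2}' "$1")
        old_mtime=$(awk -v n="$name" '$1 == n {print $3}' "$1")
        if [ "$md5" = MISSING ]; then echo "$name missing"
        elif [ "$md5" != "$old_md5" ]; then echo "$name changed"
        elif [ "$mtime" != "$old_mtime" ]; then echo "$name touched-only"
        else echo "$name unchanged"
        fi
    done < "$2"
}

# Usage on each appliance (CERT_DIR is an assumption, set it yourself):
#   snapshot "$CERT_DIR" > /tmp/tie-before.txt
#   reconfig-ca
#   snapshot "$CERT_DIR" > /tmp/tie-after.txt
#   compare_snapshots /tmp/tie-before.txt /tmp/tie-after.txt
```
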


Synchronize the TIE Server topology between the ePO instances

  1. Log on to the ePO console.
  2. Select Menu, Server Tasks, and run the TIE Server Synchronize Topology task.
  3. Repeat the task on each ePO instance.

    The TIE Server topology information is now shared among all ePO instances.
     
  4. In each managing ePO instance, assign operation modes to the TIE Server instances:
    1. Select Menu, Server Settings, TIE Server Topology Management.
    2. Click Edit.
    3. Assign an operation mode to each TIE Server instance managed locally, then click Save.

      NOTE: Complete the assignments in one ePO instance before continuing to the next. The topology assignment persists and triggers the process in the servers.

      The TIE Servers that are managed by an ePO instance other than the local one are grayed out in the list of server instances. You cannot change the operation mode or assign an ePO instance to TIE Servers that are managed by a different ePO server.
       
  5. Repeat the assignment on each ePO instance.

    You can only assign operation modes to the TIE Servers that are managed by the local ePO server.
     
  6. When the topology assignments are complete in both ePO servers, verify that the changes are displayed correctly:
    1. In each ePO instance, select Menu, Server Settings, TIE Server Topology Management.
    2. Click each TIE Server instance and verify that the operation mode displays correctly.


Manually configure the registered servers
To connect the TIE Server with the remote ePO server so that the database can be used for dashboards, queries, and reports, perform these steps:

NOTE: Make sure that you have a Registered Server on each ePO instance, and that each is associated with the TIE Server instance. For instructions, see the Threat Intelligence Exchange Product Guide for your product version. To access product documentation, see the Related Information section below.
  1. From a VMware console or through SSH, connect to the Reporter McAfee TIE Server appliance.
  2. To connect to the database, execute the reconfig-pghba command, then add the IP address of the ePO server instance.
  3. To validate the configuration, test the connection:
    1. On the Registered Servers page, click Test Connection.
    2. If the connection is successful, click Save to persist the changes.
       
  4. Verify the configuration of the registered servers:
    1. Select Menu and Dashboards.
    2. Select TIE Server Files or TIE Server Certificates. You can now see charts and tables with the files or certificate reputation information.


Validate the TIE Server configuration in the multiple-ePO environment
Verify that the TIE Server Management extensions managed by each ePO server retrieve information correctly from the TIE Server instances:

  1. In the ePO console, select Menu, TIE Reputations screen, and make sure the TIE Servers respond to Search queries. Also, make sure that the reputation information displays correctly.

    NOTE: Repeat this step for each ePO instance.
     
  2. In the ePO console, select Menu, Server Settings, TIE Server Topology Management.
  3. Verify that there are no errors or warning messages on any of the TIE Server appliances.
The outcome is a single DXL fabric that allows communication among TIE Servers managed by different ePO servers and that uses Threat Intelligence information from a single TIE Server instance. In this scenario, several TIE Server Management extensions, installed in different ePO instances, communicate through the bridged fabric.
 

To upgrade the TIE Server in a multiple-ePO server environment
If you upgrade the TIE Server in an already-bridged environment, consider the following:

  1. Check the status of the DXL Fabric before you upgrade the TIE Server appliances. See DXL documentation for details about how to validate the bridge.
  2. For an upgrade, verify that the DXL Client in the ePO server is connected.
  3. If you have TIE Server 2.0.0 (or later), verify that there are no warning messages or errors displayed on the Health Check status.
  4. Take the following actions if you plan to either:
    • Upgrade DXL Brokers to version 3.0.1 or later
      Or
    • Add new DXL Brokers in the future. (The new DXL Brokers can be either bundled with a TIE Server appliance or standalone.)

    Make sure that you upgrade the following before you upgrade any other component:
    • DXL Broker Management, DXL Client
      And
    • DXL Client Management extensions in the ePO instance
  5. If your environment is running TIE Server version 2.0.0 (or later), validate that the Health Check status does not show any warning messages or errors in TIE Server Topology Management. In the ePO console, select Menu, Server Settings, TIE Server Topology Management.

    NOTE: If you run a previous TIE Server version, run the replication-monitoring.sh script through SSH or a VMware Console. This action verifies that the Database Replication is running and is up to date on each TIE Server Slave or Reporter.
  6. Always upgrade the TIE Server Management extension in both ePolicy Orchestrators before you upgrade any of the TIE Server appliances.
  7. All TIE Server appliances must be running the same version, and that version must match the TIE Server Management extension version upgraded in every ePO instance in the previous step.

    NOTE: Running mixed versions of TIE Server appliances is not supported.
     
  8. After all TIE Server appliances are upgraded to the latest version, manually perform the following steps in the ePO instance with the DXL Outgoing Bridge configured:
    1. Click Menu, Server Tasks, then select the TIE Server Synchronize Topology task.
    2. Click Menu, Server Settings, TIE Server Topology Management, then click Edit, but make no changes.
    3. Click Save.

      NOTE: If you have upgraded from previous versions of TIE Server, you must create the new TIE Server topology policy and communicate it to all TIE Servers.
       
    4. On the System Tree page, select all McAfee TIE server appliances and run a Wake-up Agent with Policy Enforcement.
    5. On the System Tree page, select each McAfee TIE server appliance. On the Products tab, verify that the Threat Intelligence Exchange Server version has been updated to the version you deployed.
    6. If you upgrade to TIE Server version 2.0.1 or later, verify that there are no new Health Check statuses that show warning messages or errors. Select Menu, Server Settings, TIE Server Topology Management.
