Installation Guide Revision B McAfee ePolicy Orchestrator 5.1.
COPYRIGHT Copyright © 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Contents 1 2 Preface 5 About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Find product documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5 5 6 Installation requirements and recommendations 7 Hardware requirements and recommendations . . . . . . . . . . . . . . . . . . . . . .
Contents 4 Upgrading McAfee ePO software 41 Upgrade overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Complete pre-upgrade tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Make sure you can upgrade your McAfee ePO server . . . . . . . . . . . . . . . . Review products and known issues . . . . . . . . . . . . . . . . . . . . . . . Back up McAfee ePO databases and directories . . . . . . . . . . . . . . . . . . . Disable remote Agent Handlers . . . . . . . . . . . .
Preface This guide provides the information you need to work with your McAfee product. Contents About this guide Find product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience.
Preface Find product documentation Find product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. Task 1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com. 2 Under Self Service, access the type of information you need: To access... Do this...
1 Installation requirements and recommendations Your environment needs to include specific hardware and software to run McAfee® ePolicy Orchestrator® 5.1.0. Review these requirements and recommendations before installing your McAfee ePO™ software to make sure that your installation is successful.
1 Installation requirements and recommendations Software requirements and recommendations Component Requirements and recommendations Network Interface Card (NIC) 100 MB or higher If using a server with more than one IP address, McAfee ePO software uses the first identified IP address. If you want to use more IP addresses for agent-server communication, we recommend creating more Agent Handler groups for each IP address.
Installation requirements and recommendations Operating system requirements Software Requirements and recommendations Security software Recommended. 1 • Install and/or update the anti-virus software on the server and scan for viruses. • Install and/or update firewall software on the server. Supported browser Recommended — Although it is not a prerequisite for installation, ePolicy Orchestrator software requires the use of a supported browser.
1 Installation requirements and recommendations Supported virtual infrastructure software • French (Standard) • Spanish • German (Standard) • Swedish • Italian • Turkish Supported virtual infrastructure software ePolicy Orchestrator software supports use of several types of virtual infrastructure software. Supported virtual infrastructure software includes: • Microsoft Hyper-V Server 2008 R2 • VMware ESX 5.1 • Microsoft Hyper-V Server 2012 • XenServer 6 • VMware ESX 5.
1 Installation requirements and recommendations Supported Internet browsers Supported Internet browsers ePolicy Orchestrator software requires the use of one of these supported Internet browsers. • Internet Explorer 8.0 and later (Includes full support for Compatibility Mode) • Chrome 17 and later • Firefox 10.0 and later • Safari 6.
1 Installation requirements and recommendations Things to know before installation • • If you are restoring your McAfee ePO server, you must: • Have previously restored the SQL Server database using one of the Microsoft SQL restore processes. See the McAfee ePolicy Orchestrator Product Guide for details. • Know the Keystore encryption passphrase used with your Disaster Recovery Snapshot records. This passphrase is used to decrypt the sensitive information stored in the SQL Snapshot records.
1 Installation requirements and recommendations Things to know before installation For more information about the specific standard SQL database roles required for your McAfee ePO server to operate once installed, see the product guide or Help. For a complete discussion of SQL Server roles and permissions, see the product documentation for the supported SQL Server you are using.
1 Installation requirements and recommendations Automatic product configuration About HTTP port options The ports used by ePolicy Orchestrator software are predefined, and populated by default. Most port designations can be changed only during the installation process. Review this table for details about which port assignments you can modify.
Installation requirements and recommendations Distributed repository requirements 1 Distributed repository requirements Distributed repositories are used throughout your environment to provide access to important content used by your McAfee ePO server. Your distributed repositories must conform to these minimum requirements. Component Requirements Free disk space 400 MB minimum (800 MB recommended) on the drive where the repository is stored.
1 Installation requirements and recommendations Supported products and known issues 16 McAfee ePolicy Orchestrator 5.1.
2 Installing McAfee ePolicy Orchestrator You can install the ePolicy Orchestrator software either as a first-time initial installation or as a recovery installation where your Microsoft SQL Server already includes an ePolicy Orchestrator configuration from a previous installation. See Restoring McAfee ePolicy Orchestrator if this is a recovery installation where your Microsoft SQL Server already includes an ePolicy Orchestrator configuration from a previous installation.
2 Installing McAfee ePolicy Orchestrator Perform Express installation Installation option Details Express The most direct installation path. Use this option if you want to accept the McAfee default installation settings. Custom Customize your installation. Use this option when you want to specify the details of your software installation, including: • The destination folder where the software is installed (C:\Program Files\McAfee \ePolicy Orchestrator\ by default). • The ports used.
2 Installing McAfee ePolicy Orchestrator Perform Express installation Task 1 Using an account with local administrator permissions, log on to the Windows server computer to be used as the McAfee ePO server. 2 From software downloaded from the McAfee website: extract files to a temporary location and double-click Setup.exe. The executable is located in the downloaded ePolicy Orchestrator installation file. Do not attempt to run Setup.exe without first extracting the contents of the .zip file.
2 Installing McAfee ePolicy Orchestrator Perform Custom installation 4 If any of the default port assignments are in conflict, resolve them by providing alternative ports in the HTTP Port Information step. If no conflicts exist, you cannot modify default port assignments. Select the Custom installation option if you need to modify port assignments 5 In the Administrator Information step, type this information, then click Next.
Installing McAfee ePolicy Orchestrator Perform Custom installation 2 Set up Custom installation When you set up the ePolicy Orchestrator Custom installation you download the software, choose the installation type, and start the installation. Before you begin Make sure that you have read, understood, and complied with the information in Installation requirements and recommendations.
2 Installing McAfee ePolicy Orchestrator Perform Custom installation b To configure Product Compatibility List downloads: • To disable automatic downloading of the Product Compatibility List from the McAfee website — Type setup.exe DISABLEPRODCOMPATUPDATE=1. • To specify an alternate Product Compatibility List file — Type setup.exe PRODCOMPATXML= Multiple command line options can be used together in a command string.
2 Installing McAfee ePolicy Orchestrator Perform Custom installation You cannot install SQL Server 2008 Express locally if the server system you are installing on meets any of these conditions: 2 • 16 or more named instances exist on the locally installed SQL Server. • Any version of the locally installed SQL Server contains an instance with the name EPOSERVER. • SQL Server 2008 Express is already installed locally. In the Install additional software step, any remaining prerequisites are listed.
2 Installing McAfee ePolicy Orchestrator Perform cluster installation • 7 Restore installation — Type the password to decrypt the Disaster Recovery Snapshot records. See the McAfee ePolicy Orchestrator Product Guide for details. In the Type License Key step, type your license key, then click Next. If you don't have a license key, you can select Evaluation to continue installing the software. The evaluation period is limited to 90 days.
Installing McAfee ePolicy Orchestrator Perform cluster installation 2 Table 2-1 Cluster installation terminology (continued) Term Definition ePO Virtual Network Name resource The Network Name resource that you create as part of the ePolicy Orchestrator cluster installation. This virtual Network Name represents the McAfee ePO cluster installation as a whole. References to this Network Name point to the currently active node in your cluster.
2 Installing McAfee ePolicy Orchestrator Perform cluster installation Tasks • Create the ePolicy Orchestrator application group on page 26 The ePolicy Orchestrator application group is required to separate the ePolicy Orchestrator application from the Microsoft Cluster Services in your cluster environment.
Installing McAfee ePolicy Orchestrator Perform cluster installation 2 Add the data drive The data drive is the location where you install the ePolicy Orchestrator software. Use a remote drive that all nodes in your cluster can access. Task 1 Right-click the ePO Application Group and select Add Storage. 2 In the Add Storage dialog box, select the data drive to be used for your ePolicy Orchestrator installation then click OK.
2 Installing McAfee ePolicy Orchestrator Perform cluster installation Resource Properties: General tab Properties: Dependencies tab ePolicy Orchestrator 5.1.0 Application Server No changes necessary. Data drive ePolicy Orchestrator 5.1.0 Server Remove the Startup parameters and add a blank space. ePolicy Orchestrator 5.1.0 Application Server Apache will not start with any startup parameters specified, and an empty entry is not permitted. Therefore, a blank space is required.
2 Installing McAfee ePolicy Orchestrator Perform cluster installation Create the ePolicy Orchestrator application role The ePolicy Orchestrator application role is required to separate the ePolicy Orchestrator application from the Microsoft Cluster Services in your cluster environment. Task 1 Open the Failover Cluster Manager: click Server Manager | Tools | Failover Cluster Manager. 2 Right-click Roles in the System Tree, then select Create Empty Role. 3 Click OK.
2 Installing McAfee ePolicy Orchestrator Perform cluster installation 4 On the first node only of the Set Virtual Server Settings page, provide this identifying information for the McAfee ePO cluster: • The ePolicy Orchestrator Virtual Server IP address • The ePolicy Orchestrator Virtual Cluster name • The ePolicy Orchestrator Virtual Cluster FQDN This information is automatically provided on subsequent nodes.
Installing McAfee ePolicy Orchestrator Installing remote Agent Handlers 2 2 Manually refresh your browser session. If failover is successful, you are redirected to the ePolicy Orchestrator log on page. Installing remote Agent Handlers Each McAfee ePO server contains a master Agent Handler. Installing more remote Agent Handlers can help manage an increased number of products and systems managed by a single, logical McAfee ePO server in situations where the CPU on the database server is not overloaded.
2 Installing McAfee ePolicy Orchestrator Complete a first-time installation 7 c Type the ePO Admin User name and ePO Admin Password of a user with ePolicy Orchestrator Global Administrator rights. d Click Next to use the ePO Admin credentials to access the database as well; make sure they are assigned the appropriate SQL Server role and permissions. e Deselect Use ePO Server's database credentials, then click Next to use different credentials to access the database.
3 Restoring McAfee ePolicy Orchestrator You can restore the ePolicy Orchestrator software as a recovery installation where your Microsoft SQL Server already includes an ePolicy Orchestrator configuration from a previous installation. See Installing McAfee ePolicy Orchestrator if this is a first-time installation.
3 Restoring McAfee ePolicy Orchestrator Install ePolicy Orchestrator software on the restore server Installation option Details Express The most direct installation path. Use this option if you want to accept the McAfee default installation settings. Custom Customize your installation. Use this option when you want to specify the details of your software installation, including: • The destination folder where the software is installed (C:\Program Files \McAfee\ePolicy Orchestrator\ by default).
3 Restoring McAfee ePolicy Orchestrator Install ePolicy Orchestrator software on the restore server Task 1 If you have remote Agent Handlers configured, log on to the systems where the Agent Handlers are installed, then open the Windows Services panel and stop the McAfee Event Parser and McAfee Apache services. See your Microsoft software product documentation for more information on using the Windows Services panel.
3 Restoring McAfee ePolicy Orchestrator Restore McAfee ePO software in a cluster environment 10 Type the Keystore encryption passphrase you saved during the initial installation of the previously existing McAfee ePO server, or changed in the Server Settings. The Keystore encryption passphrase decrypts the sensitive files stored in the Disaster Recovery Snapshot. 11 In the Type License Key step, type your license key, then click Next.
Restoring McAfee ePolicy Orchestrator Restore McAfee ePO software in a cluster environment 3 When you select the existing SQL Server, gather this information and complete these steps before beginning your installation to make sure that your McAfee ePO software can communicate with the database server: 1 Verify that the SQL Browser Service is running. 2 Make sure that the TCP/IP Protocol is enabled in the SQL Server Configuration Manager.
3 Restoring McAfee ePolicy Orchestrator Restore remote Agent Handler connections 6 Restore the McAfee ePO software on each node using these steps. Run the Cluster installation on each of the nodes. To make sure that each node has exclusive access to the quorum and data drives during installation, shut down all other nodes in the cluster. a Using an account with local administrator permissions, log on to the Windows server computer used as the restore McAfee ePO server.
Restoring McAfee ePolicy Orchestrator Restore remote Agent Handler connections 3 Task For option definitions, click ? in the interface. 1 On the Agent Handler server system find the Agent Handler folder you extracted from the ePolicy Orchestrator software installation package. 2 Double-click Setup.exe to launch the McAfee Agent Handler InstallShield wizard. After some installation activities take place in the background, the InstallShield wizard opens. Click Next to begin the modify process.
3 Restoring McAfee ePolicy Orchestrator Restore remote Agent Handler connections 40 McAfee ePolicy Orchestrator 5.1.
4 Upgrading McAfee ePO software You can upgrade specific McAfee ePO versions to version 5.1.0. See Make sure you can upgrade your McAfee ePO server for upgrade versions. Contents Upgrade overview Complete pre-upgrade tasks Upgrade your McAfee ePO server Migrating from a 32-bit to a 64-bit platform Upgrade your McAfee ePO cluster server Upgrade your remote Agent Handlers McAfee ePolicy Orchestrator 5.1.
4 Upgrading McAfee ePO software Upgrade overview Upgrade overview The process of upgrading your McAfee ePO server to version 5.1.0 depends on your current environment. Factors include whether you are upgrading a McAfee ePO 32-bit or 64-bit server, using Agent Handlers, or installing McAfee ePO in a cluster environment. Figure 4-1 McAfee ePO upgrade process 42 McAfee ePolicy Orchestrator 5.1.
Upgrading McAfee ePO software Complete pre-upgrade tasks 4 Read through the upgrade information completely to make sure that you understand the upgrade tasks required for your McAfee ePO server.
4 Upgrading McAfee ePO software Complete pre-upgrade tasks See also Upgrade overview on page 42 Migrating from a 32-bit to a 64-bit platform on page 46 Review products and known issues Before you install or upgrade your software, review information about supported products and known issues. Task View the supported products and known issues KnowledgeBase articles. • View these KnowledgeBase articles: • McAfee ePO 5.1.0 Supported Products — KB79169 (https://kc.mcafee.
Upgrading McAfee ePO software Upgrade your McAfee ePO server 4 Upgrade your McAfee ePO server Use Setup.exe to upgrade your McAfee ePO server to version 5.1.0. Before you begin Update the system that hosts your McAfee ePO server with the latest Microsoft security updates, then turn off Windows updates during the installation process. If your existing McAfee ePO server is installed on a 32-bit platform, you must run the McAfee ePO 32-bit Upgrade Compatibility Utility.
4 Upgrading McAfee ePO software Migrating from a 32-bit to a 64-bit platform 7 In the Administrator Information step: a For the Username, replace the default admin and type your primary Administrator account user name. b For the Password, type your primary Administrator account password. c For the Keystore encryption password, type a password to encrypt Disaster Recovery Snapshot records. Keep a record of this password.
4 Upgrading McAfee ePO software Migrating from a 32-bit to a 64-bit platform This figure shows the interface of the Upgrade Compatibility Utility. Figure 4-2 Upgrade Compatibility Utility user interface 1 Converts your 32-bit McAfee ePO software configuration to your new 64-bit version 5.1.0 platform. This utility does not move the existing McAfee ePO SQL database to a new database server. See the Microsoft documentation to move your database.
4 Upgrading McAfee ePO software Migrating from a 32-bit to a 64-bit platform See also Upgrade overview on page 42 48 McAfee ePolicy Orchestrator 5.1.
4 Upgrading McAfee ePO software Migrating from a 32-bit to a 64-bit platform Run the Upgrade Compatibility Utility Run the Upgrade Compatibility Utility to convert your existing 32-bit McAfee ePO version 4.x configuration to a new 64-bit version 5.1.0 configuration file. Before you begin 1 Back up your McAfee ePO database. 2 Extract the McAfee ePO 5.1.0 installation software and find the UpgradeCompatibility folder, which contains the UpgradeCompatibility.exe file. 3 Microsoft .NET Framework 3.
4 Upgrading McAfee ePO software Migrating from a 32-bit to a 64-bit platform e Click Migrate or Product Compatibility Check. One of these appears in the ePO Product Compatibility Check dialog box: • No incompatible products were found — Continue to step 3. The compression process can take several minutes on an enterprise McAfee ePO server. • A list of incompatible products — This is a list of blocked and disabled extensions.
Upgrading McAfee ePO software Migrating from a 32-bit to a 64-bit platform 4 See also Upgrade your McAfee ePO server on page 45 Connect your upgraded McAfee ePO server to an existing 32-bit SQL Server When you upgrade your existing 32-bit McAfee ePO server to a 64-bit McAfee ePO 5.1.0 platform, you can connect back to the previous 32-bit McAfee ePO SQL database. The existing database connection information is included in the Migrate.zip file you created using the Upgrade Compatibility Utility.
4 Upgrading McAfee ePO software Upgrade your McAfee ePO cluster server Upgrade your McAfee ePO cluster server Upgrading your McAfee ePO software in a cluster environment requires special consideration. Before you begin If your current environment is not supported by version 5.1.0, you must upgrade your environment before upgrading your McAfee ePO software. You can't use the McAfee ePO 32-bit Upgrade Compatibility Utility when upgrading to version 5.1.0 in a cluster server environment.
Upgrading McAfee ePO software Upgrade your remote Agent Handlers 4 Upgrade your remote Agent Handlers When you upgrade your McAfee ePO server software, upgrade any remote Agent Handlers installed throughout your environment. Agent Handlers must be upgraded separately. Remote Agent Handlers installed with previous versions of your software are not compatible with this new version, and are not upgraded automatically.
4 Upgrading McAfee ePO software Upgrade your remote Agent Handlers 54 McAfee ePolicy Orchestrator 5.1.
5 Uninstalling ePolicy Orchestrator software You might need to uninstall the ePolicy Orchestrator software if, for example, you are reinstalling it on another server. Use these topics to complete the uninstall process. If you intend to reinstall ePolicy Orchestrator software later, and want to manage agents deployed by the current installation, back up your agent-server communication keys. You cannot restore these keys later.
5 Uninstalling ePolicy Orchestrator software Uninstall cluster installations Uninstall cluster installations Uninstalling McAfee ePO from a cluster environment requires that you take specific steps, depending on which server-class operating system you are running. Task 56 1 To set all McAfee ePO services to offline, open the Windows Cluster Administrator/Management tool, then click Start | Programs | Administrative Tools | Failover Cluster Manager.
6 Troubleshooting and log file reference The most common messages that appear while installing McAfee ePolicy Orchestrator during an installation and their solutions are listed here. Use this information to troubleshoot problems with your installation. If you are unable to resolve an issue using the information in this table, contact McAfee Technical Support after you have taken these steps: 1 Verify that you have met the minimum installation requirements.
6 Troubleshooting and log file reference Common installation messages and their causes and solutions Message Cause Solution Another instance of the ePolicy Orchestrator installer is already running. The ePolicy Orchestrator 5.1 Setup program is already running. You cannot run more than one instance of Setup at a time. Allow the first instance of the installer to complete, or stop the first instance and restart your installation. For security reasons, McAfee The Password box is blank.
Troubleshooting and log file reference Log files for troubleshooting Message Cause The ePolicy Orchestrator license Your license to use the has expired. software has expired. 6 Solution Contact your administrator or designated McAfee representative. This system is not currently configured with a static IP address, which is recommended for the McAfee ePO server. The computer where you are Specify a static IP address for use attempting to install the with your McAfee ePO server.
6 Troubleshooting and log file reference Log files for troubleshooting File name Log type Location Description AH500‑Install‑MSI.log Agent Handler installation %temp%\McAfeeLogs This file logs all Agent Handler installation details including: • Installer actions • Installation failures AH500‑ahetupdll.log Temporary %temp% (on the Agent Handler server) Logs Agent Handler back‑end events. core‑install.
6 Troubleshooting and log file reference Log files for troubleshooting File name Log type Location Description .cmd Temporary %temp%\McAfeeLogs \ePO500 ‑troubleshoot \OutputFiles Created by the ePolicy Orchestrator installer. Contains the command (sent to Remote‑Client) to check in extensions. If the installation succeeds, these files are deleted. MFS500‑CommonSetup.log Installation %temp%\McAfeeLogs Contains MFS installer details.
6 Troubleshooting and log file reference Log files for troubleshooting File name Log type Location Description Replication .log Server The McAfee ePO server replication log file. This file is only generated when all these are true: [InstallDir]\DB \Logs • There are distributed repositories. • A replication task has been configured. • A replication task has run. Server.
6 Troubleshooting and log file reference Log files for troubleshooting File name Log type Location Description FrmInst _.log Agent %temp% \McAfeeLogs Generated when the FrmInst.exe is used to install the McAfee Agent. This file contains: • Informational messages. • Progress messages. • Failure messages if installation fails. MCScript.log Agent Debug [Agent DATA Path]\DB Contains the results of script commands used during agent deployment and updating.
6 Troubleshooting and log file reference Log files for troubleshooting 64 McAfee ePolicy Orchestrator 5.1.
Index 32-bit to 64-bit platform conversion utility 45, 49, 51 64-bit server-class operating systems supported ePolicy Orchestrator 9 A about this guide 5 Agent Handlers authenticate domain credentials 11 disabling 44 installation 31 operating systems 11 restore connections 38 upgrading 53 application group in a cluster installation 26 Automatic Product Configuration disable command line parameter 21 overview 14 database servers communication port 14 support for 10 upgrade from 32-bit version 4.
Index K S keystore encryption passphrase 11, 21, 22 Safari browser 11 servers installation 17, 33 SQL permissions 13 uninstalling 55 upgrading 45 virtual infrastructure 10 ServicePortal, finding product documentation 6 Snapshot 34 SQL Servers backup file 34 backup file in cluster 36 configuration requirements 10 installation 12 installation requirements 12 roles 12 support for 10 upgrade scenarios 12 support for Agent Handler operating systems 11 Internet browsers 11 operating systems 9 SQL Servers 10 v
Index W Windows Server 2008 cluster installation 25 support for Agent Handlers 11 support for ePolicy Orchestrator 9 Windows Server 2012 cluster installation 28 McAfee ePolicy Orchestrator 5.1.
0B00
