McAfee: Deploy McAfee Agents to domain computers

Pre-requisites
McAfee, like Symantec, deploys agents to domain computers over SMB (TCP 445, or TCP 139 over NetBIOS): the push install copies the agent installer to the target's ADMIN$ share and starts it remotely, so the deploying account needs local administrator rights and network logon on every target, and the SMB ports must be reachable from the ePO server.

McAfee ePolicy Orchestrator
The Computer Browser service must be running on the McAfee ePolicy Orchestrator server in order to enumerate the domain/workgroup computers; without it the administrator has to add every domain/workgroup computer by hand. The browse list is built over NetBIOS over TCP/IP, so NetBIOS must not be disabled on the server's network adapter.

Unlike Symantec Endpoint Protection Manager, McAfee ePO cannot enumerate domain/workgroup computers by IP address, so Network Discovery must be turned on in the ePO server's Network and Sharing Center in order to enumerate the hostnames.

Domain computers
Windows domain computers usually have the File and Printer Sharing (Server) service running by default; from Windows 7 onwards, however, Windows Firewall blocks inbound File and Printer Sharing by default. Allow the File and Printer Sharing rule group and, optionally, ICMPv4 Echo Request on the inbound side of Windows Firewall.

The inbound ICMPv4 Echo Request rule is only there for ping tests; it is not essential to the deployment.
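
The following is an added example (not code from the original post) that applies and verifies these prerequisites on a Windows 7 domain member. It uses netsh rather than the NetSecurity cmdlets because those only exist on Windows 8 / Server 2012 and later. The ePO server address 192.0.2.10 is an assumption; replace it with your own. Run it in an elevated PowerShell, or put the same rules into the deployment GPO.

```powershell
# Added example, not from the original post: enable the inbound rules a
# Windows 7 domain computer needs for the ePO push install, then verify
# the prerequisites. Run elevated on the workstation.
# $EpoServerIp is an assumed address; replace it with your ePO server.

function Enable-McAfeeDeployRules {
    param([Parameter(Mandatory=$true)][string]$EpoServerIp)

    # "File and Printer Sharing" is the built-in rule group covering SMB
    # (TCP 445) and NetBIOS (UDP 137/138, TCP 139). Enable it for the
    # Domain profile only, so the ports stay closed on other networks.
    netsh advfirewall firewall set rule group="File and Printer Sharing" dir=in profile=domain new enable=yes | Out-Null

    # Optional: ICMPv4 Echo Request, but only from the ePO server, so the
    # machine does not answer ping from the whole network.
    netsh advfirewall firewall add rule name="ICMPv4 Echo from ePO" dir=in action=allow protocol=icmpv4:8,any remoteip=$EpoServerIp profile=domain | Out-Null
}

function Test-McAfeeDeployPrereqs {
    param([Parameter(Mandatory=$true)][string]$EpoServerIp)

    # The Server service (LanmanServer) provides the ADMIN$ share that the
    # push install copies the agent installer into.
    $server = Get-Service -Name LanmanServer

    # Is the SMB-In rule enabled for the Domain profile?
    $smbRule    = netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)" profile=domain
    $smbEnabled = ($smbRule | Where-Object { $_ -match '^Enabled:\s*Yes' }) -ne $null

    # Is TCP 445 actually listening?
    $listening = netstat -an | Where-Object { $_ -match ':445\s+.*LISTENING' }

    # Can the workstation reach the ePO server at all?
    $reachable = Test-Connection -ComputerName $EpoServerIp -Count 1 -Quiet

    New-Object PSObject -Property @{
        ServerServiceRunning  = ($server.Status -eq 'Running')
        SmbInboundRuleEnabled = $smbEnabled
        Port445Listening      = ($listening -ne $null)
        EpoServerReachable    = $reachable
    }
}

Enable-McAfeeDeployRules -EpoServerIp '192.0.2.10'               # assumed address
Test-McAfeeDeployPrereqs -EpoServerIp '192.0.2.10' | Format-List
```

Scoping the rules to the Domain profile and the ICMP rule to the ePO server address keeps the attack surface small: the SMB ports are only open where the push actually needs them.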

Software and hardware specification
This section defines the software and hardware specifications.

McAfee ePO server specifications
1. McAfee Total Protection Suite, which includes McAfee ePO version 4.6
2. Windows 2008 R2 SP1 Enterprise Edition
3. Virtual Machine, 8GB RAM, Intel i7-3770K (2 processors)

Domain computer specifications
Two virtual machines are used. Both virtual machines have the same specifications.

1. Windows 7 Professional 32-bit
2. Virtual Machine, 1GB RAM, Intel i7-3770K (Single processor)

GPO for domain computers
There are two GPOs for the domain computers:
1. MCF_FOR_DEPLOYMENT
2. FAST_GP_UPDATE

The MCF_FOR_DEPLOYMENT GPO contains the Windows Firewall rules (File and Printer Sharing and, optionally, ICMPv4 Echo Request inbound) for the domain computers.

The FAST_GP_UPDATE GPO contains the group policy refresh interval. The default background refresh interval is 90 minutes (plus a random offset of up to 30 minutes); if you do not want to wait, either reduce the interval with this GPO or run gpupdate /force on every domain computer.

The GPOs are linked to the OU that contains the domain computers.
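
As an added example (not from the original post), the FAST_GP_UPDATE GPO can be created and linked with the GroupPolicy PowerShell module, which is available on a Windows Server 2008 R2 domain controller or a machine with RSAT. The policy "Set Group Policy refresh interval for computers" is stored as two DWORD values under HKLM\Software\Policies\Microsoft\Windows\System, which is what the script writes. The OU distinguished name and the 5-minute interval are assumptions.

```powershell
# Added example, not from the original post: create and link the
# FAST_GP_UPDATE GPO, then check on a workstation that it took effect.
# The OU name is an assumption.

Import-Module GroupPolicy

function New-FastGpUpdateGpo {
    param(
        [string]$Name = 'FAST_GP_UPDATE',
        [Parameter(Mandatory=$true)][string]$TargetOU,   # e.g. 'OU=Workstations,DC=corp,DC=example'
        [int]$IntervalMinutes = 5,    # background refresh interval (Windows default: 90)
        [int]$OffsetMinutes   = 2     # random offset to spread load on the DC (default: 30)
    )

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if ($gpo -eq $null) {
        $gpo = New-GPO -Name $Name -Comment 'Temporary: short GP refresh interval during agent deployment'
    }

    # Registry-backed equivalent of Computer Configuration > Policies >
    # Administrative Templates > System > Group Policy >
    # "Set Group Policy refresh interval for computers".
    $key = 'HKLM\Software\Policies\Microsoft\Windows\System'
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'GroupPolicyRefreshTime'       -Type DWord -Value $IntervalMinutes | Out-Null
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value $OffsetMinutes   | Out-Null

    # Link it to the OU holding the domain computers, unless already linked.
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if ($linked -eq $null) {
        New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    Get-GPO -Name $Name
}

# Run on a workstation after "gpupdate /force" to confirm the values arrived.
function Get-EffectiveGpRefreshInterval {
    $path = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    if (Test-Path $path) {
        $v = Get-ItemProperty -Path $path
        New-Object PSObject -Property @{
            IntervalMinutes = $v.GroupPolicyRefreshTime
            OffsetMinutes   = $v.GroupPolicyRefreshTimeOffset
        }
    } else {
        'Not set: the default 90 minute interval (plus up to 30 minutes offset) applies'
    }
}

New-FastGpUpdateGpo -TargetOU 'OU=Workstations,DC=corp,DC=example'   # assumed OU
```

A short refresh interval adds load on the domain controllers, so remove the link once the agents are deployed (Remove-GPLink -Name FAST_GP_UPDATE -Target "OU=...") rather than leaving it in place.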

Deploy agents to domain computers
Open Menu > Systems > System Tree.

You can create meaningful subgroups to contain your domain computers.

To deploy agents to domain computers, select the subgroup, then select New Systems.

Click the Browse button.

Enter the domain details.

In the Domain drop-down list select the domain. If the domain computers' Windows Firewall allows File and Printer Sharing, and Network Discovery and the Computer Browser service are enabled on the ePO server, the domain computers are enumerated.

Select all the computers in the domain, then click OK.

The account used for deploying the agent is not Administrator; I created an account that cannot log on locally to any domain computer.

mcf_admin has administrator rights but cannot log on locally to any domain computer. It is a service account used by the ePO server to deploy agents only. Its password is stored on the ePO server and it is a local administrator on every domain computer, so treat it as a high-value credential: give it a long random password, and consider adding it to "Deny log on through Remote Desktop Services" as well, since "Deny log on locally" only covers interactive console logon and leaves RDP and network logon (which the push install needs) untouched.

Computer Configuration --> Policies --> Windows Settings --> Security Settings --> User Rights Assignment --> Deny log on locally

The LOGON_DENY GPO is linked at the domain level, but the Default Domain Policy allows all users to log on locally, so I need to put LOGON_DENY at the top of the link order.

This is the error if you try to use mcf_admin to log on to any domain computer.
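
Rather than testing the deny right by trying to log on, it can be checked on a workstation by exporting the effective User Rights Assignment. The following is an added example, not code from the original post; the NetBIOS domain name CORP is an assumption, and mcf_admin is the account name used above. It also checks that the account is not denied network logon, because that is the logon type the SMB push install actually uses.

```powershell
# Added example, not from the original post: verify on a domain
# workstation that the deployment account has exactly the rights the push
# needs. Domain name is an assumption. Run elevated (secedit needs it).

function Get-LocalUserRights {
    # Export the effective "User Rights Assignment" and return a hashtable
    # privilege -> list of principals (domain accounts appear as *<SID>).
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in (Get-Content $cfg)) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $rights
}

function Test-DeployAccountRights {
    param(
        [string]$Domain = 'CORP',       # assumed NetBIOS domain name
        [string]$User   = 'mcf_admin'
    )
    $account = New-Object System.Security.Principal.NTAccount($Domain, $User)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $rights  = Get-LocalUserRights

    $inDenyInteractive = @($rights['SeDenyInteractiveLogonRight'])       -contains "*$sid"
    $inDenyRdp         = @($rights['SeDenyRemoteInteractiveLogonRight']) -contains "*$sid"
    $inDenyNetwork     = @($rights['SeDenyNetworkLogonRight'])           -contains "*$sid"

    # Direct membership of the local Administrators group; membership via a
    # nested domain group is not expanded here.
    $admins = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    $isDirectAdmin = $admins -contains $User

    New-Object PSObject -Property @{
        Account            = "$Domain\$User"
        Sid                = $sid
        DeniedLocalLogon   = $inDenyInteractive   # want True
        DeniedRdpLogon     = $inDenyRdp           # want True as well
        DeniedNetworkLogon = $inDenyNetwork       # must be False: the push is an SMB (network) logon
        DirectLocalAdmin   = $isDirectAdmin
        PushCanWork        = ($isDirectAdmin -and -not $inDenyNetwork)
    }
}

Test-DeployAccountRights -Domain 'CORP' -User 'mcf_admin' | Format-List
```

On the domain controller, Set-GPLink -Name LOGON_DENY -Target "DC=corp,DC=example" -Order 1 (domain name assumed) moves the link to the top of the order. Note that "Deny log on locally" and "Allow log on locally" are separate settings and a deny right always wins when it is defined, so the link order only matters if another GPO at the same level also defines "Deny log on locally".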

Use the Server Task Log to track the progress of the deployment.

The Server Task Log is under Menu > Automation > Server Task Log. You can drag the Server Task Log widget onto a dashboard for easier access later.

Once the McAfee Agents have called in, their information is displayed in the System Tree.

Troubleshoot
The McAfee Agent installed on the ePO server itself could communicate with the server, but the agents on the workstations could not.

The inbound connection rules on the ePO server must apply to the Domain profile: a domain-joined server runs with the Domain profile active, so a rule scoped only to Private or Public never matches the agents' connections.

With the rules on the Domain profile, inbound connections from the domain computers are allowed and agent-to-server communication works.

McAfee automatically creates Windows Firewall rules while installing the agent. These rules allow programs only: they specify no ports and no source or destination addresses. Tighten them so that each rule names the port and the remote addresses it actually needs.
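
The following is an added example (not code from the original post) that finds inbound rules which allow a program with any port and any remote address, and replaces them on a workstation with a rule scoped to the ePO server and the agent wake-up port. The agent executable path and the wake-up port (TCP 8081 is the ePO default) are assumptions; confirm the ports under Menu > Configuration > Server Settings > Ports on your ePO server. Without -Enforce it only reports.

```powershell
# Added example, not from the original post: report broad program-only
# inbound rules and optionally replace them with a scoped rule.
# Program path and port are assumptions. Run elevated on a workstation.

function Get-InboundFirewallRules {
    # Parse "netsh advfirewall firewall show rule" output into one object
    # per rule; "verbose" adds the Program line we need.
    $rules = @()
    $cur = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in verbose)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($cur -ne $null) { $rules += $cur }
            $cur = New-Object PSObject -Property @{ Name = $Matches[1].Trim() }
        } elseif ($cur -ne $null -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $prop = $Matches[1].Trim() -replace ' ', ''
            $cur | Add-Member -MemberType NoteProperty -Name $prop -Value $Matches[2].Trim() -Force
        }
    }
    if ($cur -ne $null) { $rules += $cur }
    $rules
}

function Find-BroadProgramRules {
    # Enabled rules that allow a program on any local port from any address.
    param([string]$NamePattern = 'McAfee')
    Get-InboundFirewallRules | Where-Object {
        $_.Name -match $NamePattern -and
        $_.Enabled -eq 'Yes' -and
        $_.Program -and $_.Program -ne 'Any' -and
        $_.LocalPort -eq 'Any' -and
        $_.RemoteIP -eq 'Any'
    }
}

function Restrict-McAfeeAgentRules {
    param(
        [Parameter(Mandatory=$true)][string]$EpoServerIp,
        [int]$WakeupPort = 8081,                                                             # assumed ePO default
        [string]$AgentExe = 'C:\Program Files\McAfee\Common Framework\FrameworkService.exe', # assumed path
        [switch]$Enforce
    )
    $broad = @(Find-BroadProgramRules)
    foreach ($r in $broad) {
        Write-Host ("Broad rule: '{0}' program={1} port={2} remote={3}" -f $r.Name, $r.Program, $r.LocalPort, $r.RemoteIP)
        if ($Enforce) {
            # Disable rather than delete, so the original can be restored.
            netsh advfirewall firewall set rule name="$($r.Name)" dir=in new enable=no | Out-Null
        }
    }
    if ($Enforce) {
        # Only the ePO server may wake the agent, and only on the wake-up port.
        netsh advfirewall firewall add rule name="McAfee Agent wake-up from ePO only" dir=in action=allow protocol=TCP localport=$WakeupPort remoteip=$EpoServerIp program="$AgentExe" profile=domain | Out-Null
    }
    $broad.Count   # number of broad rules found
}

Restrict-McAfeeAgentRules -EpoServerIp '192.0.2.10'             # report only
# Restrict-McAfeeAgentRules -EpoServerIp '192.0.2.10' -Enforce  # apply
```

The same approach applies on the ePO server itself: its inbound rules should name the agent-to-server ports (80 and 443 by default) and the client subnets instead of allowing the server program from anywhere.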
