McAfee, like Symantec, uses SMB ports to deploy agents to domain computers.
McAfee ePolicy Orchestrator
The McAfee ePolicy Orchestrator server must have the Computer Browser service running in order to enumerate the domain/workgroup computers; without this service the administrator has to install the agents onto each and every domain/workgroup computer by hand.
Unlike Symantec Endpoint Protection Manager, McAfee ePO cannot enumerate domain/workgroup computers by IP address. Hence on the McAfee ePO server you have to turn on network discovery in order to enumerate domain/workgroup computer hostnames.
Windows domain computers usually have the File and Printer Sharing service turned on by default; however, from Windows 7 onwards the Windows Firewall blocks file and printer sharing by default. You have to allow File and Printer Sharing and ICMPv4 echo request on the inbound direction of the Windows Firewall.
Allowing ICMPv4 echo request on the inbound direction is only for ping testing; it is not essential to allow ICMPv4 inbound for the deployment itself.
Software and hardware specification
This section defines the software and hardware specifications.
McAfee ePO server specifications
1. McAfee Total Protection Suite, which includes McAfee ePO version 4.6
2. Windows 2008 R2 SP1 Enterprise Edition
3. Virtual Machine, 8GB RAM, Intel i7-3770K (2 processors)
Domain computer specifications
Two virtual machines are used. Both virtual machines have the same specifications.
1. Windows 7 Professional 32-bit
2. Virtual Machine, 1GB RAM, Intel i7-3770K (Single processor)
GPO for domain computers
There are two GPOs for the domain computers:
MCF_FOR_DEPLOYMENT GPO contains settings of the Windows Firewall rules on domain computers.
FAST_GP_UPDATE GPO contains the group policy update interval settings. The default group policy update interval is 90 minutes; if you do not want to wait, either use a GPO to reduce the interval or run the gpupdate /force command on all domain computers.
The GPOs are linked to the OU that contains the domain computers.
Deploy agents to domain computers
Select System Tree
You can create meaningful subgroups to contain your domain computers.
To deploy agents to domain computers, select the subgroup then select New System.
Select all the computers in the domain then click OK button.
mcf_admin is an account with administrator rights that cannot log on locally on any domain computer. It is a service account used by the ePO server only to deploy agents.
The LOGON_DENY GPO is linked at the domain level, but the Default Domain Policy allows all users to log on locally, so I need to arrange the link order so that LOGON_DENY is at the top.
Server task log can be found in Menu > Automation > Server Task Log. You can drag Server Task Log widget to the dashboard for ease of access in the future.
The McAfee Agent installed on the ePO server can communicate with the server, but the agents on the workstations could not.
McAfee automatically creates Windows Firewall rules while installing the McAfee Agent. These rules only permit programs; they do not specify destination ports or source and destination IP addresses, so you should tighten them to make the firewall rules more specific.
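The inbound rules described above (File and Printer Sharing plus the optional ICMPv4 echo request) and the tightening of the installer's program-only rules, as an added example that is not part of the original post or of McAfee's own configuration. It is written with netsh advfirewall so it also runs on the Windows 7 clients; the ePO server address, the agent wake-up port and the McAfee rule display name are assumptions to replace with your own values, and the same scoping can be set centrally through the MCF_FOR_DEPLOYMENT GPO instead of running this locally.

```powershell
# Added example: scoped inbound Windows Firewall rules on a domain workstation
# for ePO agent push deployment. Run from an elevated PowerShell prompt.
$EpoServer  = "192.0.2.10"   # placeholder: address of your ePO server
$WakeupPort = 8081           # assumed McAfee Agent wake-up port; confirm under
                             # ePO > Server Settings before relying on it

# 1. File and Printer Sharing (SMB, TCP 445) inbound, but only from the ePO
#    server and only in the domain profile. This is what the push deployment
#    needs (ADMIN$ share and remote service control), not an allow-from-anywhere rule.
netsh advfirewall firewall add rule "name=ePO deploy: SMB in from ePO" `
    dir=in action=allow protocol=TCP localport=445 `
    "remoteip=$EpoServer" profile=domain enable=yes

# 2. ICMPv4 echo request from the ePO server only. Optional: the post notes it is
#    just for ping testing, so it can be left out of the production GPO.
netsh advfirewall firewall add rule "name=ePO deploy: ping from ePO" `
    dir=in action=allow "protocol=icmpv4:8,any" `
    "remoteip=$EpoServer" profile=domain enable=yes

# 3. Replace the installer's program-wide allow with a rule scoped to the ePO
#    server address and the wake-up port.
netsh advfirewall firewall add rule "name=McAfee Agent wake-up from ePO" `
    dir=in action=allow protocol=TCP "localport=$WakeupPort" `
    "remoteip=$EpoServer" profile=domain enable=yes

# Disable the broad rules the agent installer created. The display name below is
# an assumption: list them first with
#   netsh advfirewall firewall show rule name=all | findstr /i mcafee
# and put the exact names you see into the array.
$McAfeeRules = @("McAfee Agent")
foreach ($rule in $McAfeeRules) {
    netsh advfirewall firewall set rule "name=$rule" new enable=no
}

# Verify the resulting scope (remote IP, port, profile) of the SMB rule.
netsh advfirewall firewall show rule "name=ePO deploy: SMB in from ePO" verbose
```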
One thought on “McAfee: Deploy McAfee Agents to domain computers”
Thanks for your help. I just want to ask one question: my scenario is I have a separate DC and ePO server and want to push McAfee agents to the 200 domain clients. Can I follow the same rule? I tried once but it showed the error "Failed to enumerate domains, Authentications required" in NT authentication. Why did this issue come up? I applied the AD user with full admin privilege.
Hope for your response.