Deploy agent unable to download files directly from ePO
The master repository is divided into three separate branches: Current, Evaluation, and Previous. The intention of the branches is to aid with product lifecycle management. Each point product you plan to manage with McAfee ePO also includes one or more management extensions. The extensions add controls for that point product, such as policies and client tasks.
Note: If a management extension is removed, the corresponding policies and tasks you created for that product are also removed.
The optional server setting Policy and Task Retention can be enabled to save policies and client task data if you remove the extension.
Building the System Tree involves two main objectives: 1. Creating and organizing groups and sub-groups 2. Adding systems. As part of the planning process, consider the best way to organize systems into groups before building the System Tree. Grouping systems with similar properties or requirements into these units allows you to manage policies and tasks for systems in one place, rather than setting policies for each system individually.
There are many methods to populate the System Tree. The Lost and Found Group: This group cannot be deleted or renamed. The sorting criteria cannot be changed from being a catchall group, although you can provide sorting criteria for any subgroups created in it. If no such group exists, one is created. When a product management extension is checked in, the policy catalog is updated with the policies for the corresponding point product. Before deploying the product to any systems, you should review the settings defined with the policy to ensure they are appropriate for your systems and make changes or create custom policies as needed.
Review the Product Guide for corresponding product information about the policy settings you are working with. When a policy has been created, it can be assigned to any group, subgroup, or individual node in the System Tree. All child subgroups in the System Tree hierarchy inherit policies set at their parent groups.
These inheritance rules simplify policy and task administration. For details review the Enforcing Policies section of the Product Guide.
During the agent-server communication interval, system properties and product events are collected and sent to McAfee ePO. The list of assigned client tasks is then downloaded and added to the agent scheduler, and assigned policies are enforced.
This process is repeated at every agent-server communication interval (ASCI). McAfee ePO updates an existing System Tree record with the new properties received or adds a new record to the System Tree, if there is not already an entry present for the system.
For additional details on working with the System Tree, see the System Tree section. Deployment tasks should be completed in a phased rollout to install products to groups of systems at a time. The same task can have multiple assignments throughout the System Tree, and each assignment defines the schedule for the task. Note: Avoid creating task schedules that will repeat the task too frequently or run the task on too many nodes simultaneously because this could potentially overload the McAfee ePO server.
When a client task is assigned to a group or node in the System Tree, the agent downloads the task settings during its next communication interval and invokes the task according to the schedule defined. When the client task is invoked, the agent downloads the components defined from the McAfee ePO server Master Repository.
Additional Distributed Repositories can be configured to help split up the load. As you deploy products to each group, monitor the deployment, run reports to confirm successful installations, and troubleshoot any problems with individual systems. Product updates are a type of client task used to apply content updates to products already installed on managed systems. Content updates include antivirus definitions (.DATs), version updates, and hotfixes.
This task downloads the latest. To deploy the .DAT to the managed systems:. Best practice: Automating .DAT file testing. This is desirable when, instead of upgrading an older McAfee ePO server, the administrator chooses to build a new environment.
The alternative, redeploying the McAfee Agent to all managed endpoints, can be unwieldy in larger environments. A step-by-step guide to configuring system transfer is detailed in KB A basic walkthrough of the migration process is included in KB , including step-by-step instructions for implementing the basic workflow:.
This process may be necessary if the SQL server runs out of disk space. Those older workflows are still an option, but with the advent of the Disaster Recovery Snapshot, the recovery and migration has been consolidated into one easy process. This is due to the SQL Express 10GB file size limitation and how much data is stored within the database inside the snapshot table.
If all three methods of communication are different, the endpoints have no way of routing their traffic to the new server outside of a DNS redirect.
McAfee ePO 5. If McAfee ePO 5. If the McAfee ePO server is upgraded from a previous version, it is necessary to use the new functionality made possible by the Certificate Manager. Note: It is critical that the certificate migration process described in KB is not finalized before an accepted number of client machines have communicated and received the new agent-server communication certificates. Internal tracking is available within the Certificate Manager to provide for complete visibility.
A failure to follow instructions during this step will result in a complete failure for all client machines that have yet to receive the new certificate to communicate with McAfee ePO—meaning that redeployment of the McAfee Agent will be the only solution. Because the SQL database for McAfee ePO is highly transactional in nature, the execution speed of those transactions directly relates to how fast the product is able to operate. The Recommended Maintenance Plan (login required) for the McAfee ePO database focuses primarily on several configuration options and a regularly scheduled maintenance plan that consists of three tasks.
Microsoft SQL Express is only recommended for use in environments with less than 1, managed systems. Rebuilding and reorganizing indexes improves SQL performance. When the database is well-maintained, database size alone does not negatively affect query performance.
In addition to what is outlined here, the Maintenance Plan document includes an SQL script optimized for rebuilding and reorganizing indexes in production environments.
When determining the hardware specifications required for acceptable SQL performance in a McAfee ePO environment, consider the following:. Note: The SQL database can be hosted on the same machine that is responsible for hosting McAfee ePO, but this configuration is only recommended in environments with less than 10, managed nodes. In environments greater than 25, managed nodes, the SQL server should not only be separate, but also on a physical (as opposed to virtual) machine.
Hardware recommendations are difficult to estimate based on the factors described above, but in general, the SQL server should have similar, if not greater, hardware granted to it than the McAfee ePO server itself—especially memory in large environments. Blocking within the SQL database occurs when two transactions require access to the same resource—essentially, the transactions form a chain. When the head blocker is complete, the resource is made available again and the next transaction can move ahead.
Blocking, like SQL deadlocks, is a normal occurrence in a busy database. But, there are extreme scenarios that can arise when a blocking transaction runs for a long time.
In that case, especially if the locked resource is commonly used (for example, the tables responsible for storing McAfee ePO System Tree data), the number of transactions waiting on the head blocker can grow. This condition can cause the McAfee ePO console to be unresponsive. Note: Blocking issues are most frequently caused by inefficiencies in the design of objects within the SQL database—for example, a large table that has no index.
Upgrades to McAfee ePO itself, or the point-product extension responsible for the database object, are often the first step. Some more common blocking scenarios include:.
Note: In general, index fragmentation can make a significant difference in the amount of time it takes for a transaction and how long it locks a specific resource. An SQL deadlock is a condition where two transactions are both blocked, waiting for the other transaction to complete its work and release a lock.
Note: Deadlocks, while preferably avoided entirely, are in general a natural occurrence in a busy SQL database. Deadlocks must be addressed when they are consistent or impede McAfee ePO functionality. Deadlocks are not clearly displayed from within the McAfee ePO console.
Instead, the console might display an unexpected error or other similar problem. KB (login required) describes the three methods of enabling and capturing deadlock trace information, which is necessary to provide to McAfee Support when troubleshooting a persistent deadlock problem. Note: Database file size does not itself lead to performance problems, even in very large environments, if the SQL database is properly maintained and defragmented.
SQL Express instances are commonly responsible for administrators experiencing disk size problems. With SQL Express it is necessary to first identify what is responsible for taking up the most space in the database and then remove the responsible events manually or, preferably, via McAfee ePO-configured Server Tasks.
Disk space is also a concern during a McAfee ePO upgrade—the database can double in size during the installation process because of schema changes especially when upgrading from McAfee ePO 5.
KB covers important considerations for preparing the database to reduce the impact of the database growth before an upgrade. The McAfee Agent is the client-side software that facilitates management of endpoints. Agent-server communication is the method by which system properties are uploaded to the server and new policies and client tasks are requested.
When agent-server communication interval (ASCI) fails, the system is essentially unmanaged. Note: McAfee Agent 5. For detailed information on Agent log locations including non-Windows platforms, see KB Use KB for instructions on how to read the logs.
Commonly encountered problems with ASCI:. How to troubleshoot agent-server communication failures in McAfee Agent 5. When navigating or taking action in the McAfee ePO console is slow, there are several simple but critical checks to verify:.
Note: The minimum requirements detailed in documentation are just that—minimum. Depending on environment size and complexity or number of products installed and managed, your McAfee ePO or SQL server might need to be significantly more powerful than the minimum requirements.
Beyond these initial checks, troubleshooting a McAfee ePO console performance issue can be a daunting task, and will likely involve contacting McAfee Technical Support. If the administrator is comfortable working with SQL queries, see KB (login required) for advanced troubleshooting and data collection techniques, including identifying the cause of SQL blocking and enabling the configuration necessary to track SQL deadlock issues.
Distributed repositories are used to provide additional sources for clients to receive both content updates (.DATs) and product deployments. When repository replication fails on a consistent basis, the impacted repositories do not match the McAfee ePO Master Repository. As a failsafe mechanism, update attempts from said repository are blocked and fail.
Initial steps to begin troubleshooting a replication failure:. Common causes of repository replication failures include:. McAfee ePO includes an internal, hidden server task called the dbclean task, which is responsible for terminating tasks that have reached their expiration time.
There are several common issues with the dbclean task that can lead to the same symptom, such as many Server Tasks running indefinitely or far past their standard expiration time. These tasks function differently than other server tasks—namely, they are dependent on receiving a DataChannel message from the endpoint to report on status.
If this message fails to be sent or received, the tasks can stay in progress until the McAfee ePO Application Server service is restarted. For details on what this looks like and why it happens, see KB It requires an unobstructed connection to three McAfee hosted sites over port to download the installers, updates, and extensions listed:.
Note: Not every release is listed in the Software Manager. Often new releases are posted only to the Product Downloads site until published at a later date to the Software Manager. Contact support if packages are expected to be listed but do not appear or downloads fail, but not if the package has simply never been posted to the Software Manager. General tips for Software Manager navigation and usage are described in KB , including descriptions of easily misunderstood UI behavior.
Most of these quirks have been addressed in McAfee ePO 5. For a link to download the certificate and steps to import it manually, see KB There are several reasons for duplicate systems—some legitimate, some not.
The first step when looking into the root cause of a duplicate systems issue is to determine if the duplicate entries are managed or unmanaged. Managed duplicates most often arise from a situation where McAfee ePO receives properties from a managed endpoint and is unable to associate it with an existing entry in the System Tree.
In other words, McAfee ePO believes the system to be new. To isolate what property is at fault, reset the column view to default (Actions — Choose Columns — Use Default). The Master Repository Pull server task is a critical default action that is responsible for downloading content updates (.DATs, etc.).
It is considered a best practice to schedule the Master Repository pull to run multiple times throughout the day to lessen the impact of a single failure. If the next pull succeeds, .DAT deployment in the environment is delayed only an hour, for example, instead of an entire day. In the rare event of a failed repository pull leading to repository corruption (unable to view packages listed in the Master Repository page, for example), consider rebuilding the Master Repository.
Note: Rebuilding the repository removes all content files and installer packages. Policies and client tasks are not impacted because this data is stored in the McAfee ePO database and tied to extensions, not the repository. It will be necessary, though, to replicate to all distributed repositories after completing a repository rebuild. If the administrator has chosen to install McAfee ePO in an air-gapped environment, or one without access to our public repository on the web, it may be necessary to configure McAfee ePO to update from another internal server.
Another commonly requested configuration is allowing client machines to update from any McAfee ePO server in the environment. This can be disabled entirely (though it is not recommended) or done so on an OUI-basis, as described in KB Duplicated MAC addresses can lead to issues that are often the exact opposite of a duplicate systems issue. Starting with McAfee ePO 5. If access to the console is impossible, so is management of the environment.
At each interval the Agent polls McAfee ePO to upload client events and retrieve any policy or task changes, or new installation instructions. With an ASCI of minutes, an agent that polled the server 30 minutes ago will not pick up any new policies for another 90 minutes. However, you can always force systems to poll the server with an Agent Wake Up Call. The Wake Up Call is useful when you need to force a policy change sooner than the next communication would occur.
It can also be used to force clients to run tasks on demand, such as an immediate update or scan. If this happens, simply copy the agent installer, Framepkg. Verify that a host or network firewall is not blocking agent communication to the server. There are many additional ways to deploy the McAfee Agent, such as login scripts or third-party deployment tools.
The McAfee Agent Policies.
1. Click the System Tree button on the favorites bar.
2. Highlight My Organization.
3. Click the Assigned Policies tab.
4. From the Product drop-down menu, select McAfee Agent.
5. On the line that lists General, click Edit Assignment.
6. For Inherit from, select Break inheritance and assign the policy and settings below.
7. Click Save.
The policy is now assigned to that group and all its subgroups.
This demonstrates that the server can resolve client names to an IP address. If an active firewall is running on any client systems, you may need to create an exception for Framepkg. Alternatively, you can disable the client firewall temporarily.
Deploying the McAfee Agent
As previously mentioned, a Windows domain is not a requirement to use McAfee ePO, but there are certain advantages when used in the context of a domain.
1. Highlight the My Organization group.
2. Click the Systems tab.
3. Check the box next to the column heading System Name. This selects all the systems.
4. Click Actions > Agent > Deploy Agents.