McAfee ePolicy Orchestrator 5.10 Installation Guide

The document outlines the installation process for McAfee ePolicy Orchestrator (ePO) software, detailing installation requirements, options, and best practices. It distinguishes between new and recovery installations, discusses deployment options, and highlights the importance of SQL Server configuration. Additionally, it covers FIPS mode for enhanced security and provides guidelines for using AWS and Azure servers for installation.


Installing McAfee ePolicy Orchestrator software

McAfee ePolicy Orchestrator 5.10 Administration


Presented by: Doug Keller

McAfee LLC Confidential 2019 McAfee Tech Forum Americas 67

© 2019 McAfee LLC M01 - 67 McAfee LLC Confidential


Module goals
What you will learn

By the end of this module you should be able to:

 Identify installation requirements, recommendations, and best practices
 Distinguish between a new installation and a recovery installation
 Identify and distinguish between the different deployment options for a new installation
 Given a scenario, install the McAfee® ePolicy Orchestrator® (McAfee® ePO™) software
 Perform post-installation tasks
 Identify configuration tools for the initial setup of the McAfee ePO environment


There are two categories of McAfee® ePolicy Orchestrator® (McAfee® ePO™) software installations: a new
installation in an environment where no previous version of ePO software has been installed and an upgrade
where you are replacing an existing version of ePO software. Before you install your ePO server software, it is
important to know which method you plan to use and have a solid understanding of the corresponding workflow,
requirements, and procedures.
What You will Learn
In this module you will learn about ePolicy Orchestrator installations.
Module Goals
The module goals are:
 Identify installation requirements, recommendations, and best practices.
 Distinguish between a new installation and a recovery installation.
 Identify and distinguish between the different deployment options for a new installation.
 Given a scenario, install the McAfee ePO software.
 Perform post-installation tasks.
 Identify configuration tools for the initial setup of the McAfee ePO environment.



Planning your installation

Normal
 Can have custom settings, such as destination folder / ports
 Accept defaults for faster installation
 Separate SQL Server

Cluster
 MSCS cluster only
 More complex deployment
 Refer to the Microsoft documentation of MSCS

Federal Information Processing Standard (FIPS) Mode
 FIPS 140-2 compliant cryptographic models
 Standardized and independently evaluated cryptographic modules

Cloud Services
 Use Amazon Web Services to install McAfee ePO
 Use Microsoft Azure server for McAfee ePO

Note: Install ePO and any applications in a test environment, prior to the actual deployment. With ePO 5.9 and
later, SQL Express is no longer part of the installer, streamlining installation.


There are different options when installing ePO software for the first time. Use these guidelines to determine which
initial installation option is right for your environment.
Normal
A normal install lets you accept or change the McAfee default settings.
Example: You can define a different destination folder for the software.
The default is C:\Program Files (x86)\McAfee\ePolicy Orchestrator. You can also specify different ports than
those ePO typically uses.
SQL Server Express is not included in an ePO 5.9 or later installation. You must install a separate SQL
Server or use one that is already installed.
Cluster
The Cluster installation is intended for High Availability configurations, where Microsoft Cluster Server software
(MSCS) is already set up and running on a cluster of two or more servers, where one is active and the other
designated as passive. There are more prerequisites and steps than a typical install. Refer to the Microsoft
documentation for a successful cluster server installation.
Example:
 You must meet the requirements for a Microsoft Cluster Server environment before beginning the ePO
installation.
 There are special dialogs and fields that do not display.
 You must run the Cluster install on each node.




Planning your installation (continued)

FIPS Mode
McAfee ePO provides an operating mode with a higher level of security for environments that require it. This mode (FIPS
mode) follows security guidelines detailed in section 140 of the Federal Information Processing Standard (FIPS).
The United States Government developed the Federal Information Processing Standards (FIPS) to define procedures,
architecture, algorithms, and other techniques used in computer systems. FIPS 140-2 is a government standard for
encryption and cryptographic modules where each individual encryption component in the overall solution requires an
independent certification.
Federal Information Processing Standard 140-2 specifies requirements for hardware and software products that
implement cryptographic functionality. FIPS 140-2 is applicable to "all Federal agencies that use cryptographic-based
security systems to protect sensitive [but unclassified] information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996,
Public Law 104–106." The "-2" in FIPS 140-2 denotes the revision of the standard.
The full FIPS text is available online from the National Institute of Standards and Technology (NIST). An ePO server
running in FIPS mode is FIPS-compliant. The decision to run the ePO server in FIPS mode is made at installation and
cannot be changed afterwards.
In FIPS mode, McAfee ePO:
 Places extra constraints on the types of security methods allowed.
 Performs extra tests on startup.
 Allows connections only from FIPS-compliant versions of the McAfee Agent.
Reasons to Use ePO in FIPS Mode
Your organization might need to use McAfee ePO in FIPS mode if you fall into one of these categories:
 You are a US Government organization, required to operate FIPS 140-2 compliant cryptographic models per FISMA
or other Federal, State, or local regulations.
 Your organization requires the use of standardized and independently evaluated cryptographic modules, per
company policy.
Reasons Not to Use ePO in FIPS Mode
Do not use ePO in FIPS mode if you fall into one of these categories:
 You integrate with legacy systems or products that do not support ePO in FIPS mode.
 Your organizational policies allow you to choose which products or cryptographic modules to operate in FIPS mode.
Example: An organization might elect not to operate McAfee ePO in FIPS mode, and only operate McAfee Drive
Encryption on mobile computers in FIPS mode.

References: For an explanation of FIPS mode for ePolicy Orchestrator, see Installation Guide for ePO 5.10 PD27628.




Planning your installation (continued)

Using an AWS server for McAfee ePO


• You can use Amazon Web Services to install McAfee ePO.
• For more information, see [Link]

Using a Microsoft Azure server for McAfee ePO


• Installing McAfee ePO on a Microsoft Azure virtual server allows you to resize your server as your network
grows, eliminating the chance of hardware failure.
• An Azure virtual server provides the same features and performance as locally configured hardware. This
diagram shows the basic configuration of McAfee ePO installed on an Azure server.

Limitations
There are some limitations that you need to consider when server-initiated communication is required.
• If the McAfee ePO server or the Agent Handler can't communicate with the Agents in a private network, then
these features will not work:
    • Push agent doesn't work — Use a VPN to overcome this limitation.
    • Wake up agent using Agent Handler doesn't work — Use a VPN or configure DXL to overcome this limitation.
    • Run client task using an Agent Handler doesn't work — Use a VPN or configure DXL to overcome this limitation.
• If the McAfee ePO server or the Agent Handler can't communicate with remote servers in private networks,
then these features will not work:
    • Distributed repositories such as SuperAgent, FTP, HTTP, and UNC will not work.
    • Registered servers that cannot communicate with the McAfee ePO server will not work.
• If McAfee ePO can't reach the SMTP server, the email service doesn't work.

Note: If McAfee ePO can communicate with agents and remote servers, then these features work as expected, provided
the required ports are configured in Azure Security Rules.



FIPS ePO
What is FIPS about?

 McAfee ePO creates a separation or boundary that is either physical or logical between the interfaces, by which
critical security parameters enter and leave the cryptographic module
 Uses an approved set of interfaces to access modules inside the boundary
 No other mechanism to access these modules is allowed or provided, when in FIPS Mode
 Uses FIPS-validated security methods performing cryptography, hashing, and related services
 Startup and verification testing required by FIPS
 TLS connection management
 Cryptographic API wrapping

Alert: FIPS certification is a formal US government recognition for the effectiveness of a level of security, not
necessarily an indicator of greater security.


Installation (continued)
FIPS compliance requires a physical or logical separation between the interfaces by which critical security parameters
enter and leave the cryptographic module and all other interfaces. ePO creates this separation by creating a
boundary around the cryptographic module. An approved set of interfaces is used to access the modules inside the
boundary. No other mechanism to access these modules is allowed or provided, when in FIPS mode.
Modules within the boundary perform these processes:
 FIPS-validated security methods performing cryptography, hashing, and related services running within
McAfee ePO
 Startup and verification testing required by FIPS
 Extension and executable signature verification
 TLS connection management
 Cryptographic API wrapping utilities
Some older versions of McAfee products use non-FIPS-compliant ways to access McAfee ePO cryptography and
hashing services. Because these products violate the cryptographic boundary, they cannot be used in FIPS mode.
Check new versions of McAfee products for further information on FIPS compliance as they are released.

Alert: FIPS certification is a formal government recognition for the effectiveness of a level of security, not necessarily
an indicator of greater security.

See Product Documentation for ePO 5.10: PD27628.



Installation
Workflow: Normal installation

 Verify installation prerequisites
 Manually install SQL server and create accounts
 Gather information (SQL server name, ports)
 Verify SQL can ping the server ePO will be installed on
 Install updates, then turn off Windows Updating
 Verify SQL Browser Service is running
 Make sure TCP/IP Protocol is enabled on SQL server
 Download ePO software & extract to temporary directory
 Disable on-access scan on the server
 Launch [Link] with administrative privileges and follow wizard
 Install ePO with existing SQL server
 Reboot, then verify the ePO console is accessible


In this flow chart, notice you can specify a separate SQL Server, provided it is already installed. You can also
customize some of the settings, such as destination folder and ports. For demonstration purposes, this is the
installation type used.
If you are using a new SQL Server, installed manually or an existing SQL Server, you must provide these details
(depending on your configuration) on the Database Information page:
 The name of your SQL Server. This name should be formatted using the SQL Server name or the SQL
Server name with instance name.
 The dynamic port number used by your SQL Server.



SQL server guidelines
SQL server named instances

Type of Instance / Explanation

Default instance
 Operates like earlier versions of SQL server
 Identified solely by the name of the computer on which it is running
 No separate instance name

Named instances
 Defined during installation
 Requires specific format: computer_name\instance_name
 Applications must provide both computer and instance name when they attempt to connect

Multiple instances of SQL Server Database Engine
 Can run concurrently on the same computer
 System and user databases are not shared between other instances
 Applications connect to each SQL server database engine similar to how they connect to SQL server database
engines running on different computers

User access is limited to only the named instance and database.

For more information, see Technical Article KB75766 SQL permissions required to install and use ePO.

There are two types of SQL Server instances: Default and Named.
Default Instance
The default instance of the SQL Server database engine operates the same way as the database engines in earlier
versions of SQL Server. It is identified solely by the name of the computer on which it is running. It has no separate
instance name.
When applications specify only the computer name in their requests to connect to SQL Server, the client
components attempt to connect to the default instance of the database engine. This preserves compatibility with
existing SQL Server applications.
Named Instances
All instances other than the default are identified by an instance name specified during installation. The computer
name and instance name are specified in a specific format: computer_name\instance_name.
Applications must provide both the computer and instance name when they attempt to connect.
Multiple Instances of SQL Server Database Engine
Multiple instances of the SQL Server database engine can run concurrently on the same computer. Each instance
has its own set of system and user databases that are not shared between other instances. Applications can
connect to each SQL Server database engine instance on a computer in much the same way they connect to SQL
Server database engines running on different computers.
For more information, see the Microsoft Developer Network site ([Link]



SQL server guidelines (continued)
Using a separate SQL server

Verify the following before installing ePO:
 Verify SQL server service is running
 Verify TCP/IP is enabled


If you plan to use a separate SQL Server as the ePO database, launch SQL Server Configuration Manager, and verify
the following before installing ePO. You will need to log in using a user account with local administrator
permissions.
 Verify that the SQL Server service is running. For instructions, see the Microsoft product documentation.
 Verify TCP/IP is enabled.
Note: If the TCP/IP protocol is not enabled, enable it, and then restart the SQL Server service before beginning the
installation. If it is disabled on a local SQL Server, the installation fails.
Before continuing, make sure to capture the value for TCP Dynamic Ports.
1. Right-click TCP/IP to open the TCP/IP Properties window.
2. Select the IP Addresses tab.
3. Under IPAll, make note of the value for TCP Dynamic Ports.
For example, 49657. This information might be needed later in the installation.
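The same three checks (service running, TCP/IP enabled, TCP Dynamic Ports value under IPAll), scripted as an added PowerShell example that is not part of this guide or of McAfee's tooling. It reads the settings that SQL Server Configuration Manager displays from the standard SQL Server registry hive, so it is assumed to run on the SQL Server host itself, as a local administrator; the instance name is a parameter (MSSQLSERVER is the default instance). It also reports whether the SQL Browser service is running, since clients of a named instance use it to resolve the dynamic port.

```powershell
# Added example (not McAfee's code): pre-install checks for a separate SQL Server.
# Assumption: run locally on the SQL Server host, as a local administrator, against the
# standard registry layout under HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server.
param(
    [string]$InstanceName = 'MSSQLSERVER'   # default instance; use the instance name for a named one
)

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# The default instance runs as service MSSQLSERVER; a named instance runs as MSSQL$<name>.
$serviceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { 'MSSQL$' + $InstanceName }
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) { throw "SQL Server service '$serviceName' was not found on this host." }

# Map the instance name to its instance ID (for example MSSQL15.MSSQLSERVER), which names
# the per-instance registry hive.
$instanceId = (Get-ItemProperty -Path "$base\Instance Names\SQL").$InstanceName
if (-not $instanceId) { throw "No registry entry found for instance '$InstanceName'." }

# TCP/IP protocol state: the same switch shown under SQL Server Network Configuration
# in SQL Server Configuration Manager.
$tcpKey     = "$base\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
$tcpEnabled = ((Get-ItemProperty -Path $tcpKey).Enabled -eq 1)

# IPAll carries the listener settings: TcpDynamicPorts holds the port SQL Server picked at
# start-up (empty when a static port is used; "0" means dynamic but not assigned yet),
# TcpPort holds the static port if one was configured.
$ipAll   = Get-ItemProperty -Path "$tcpKey\IPAll"
$dynamic = [string]$ipAll.TcpDynamicPorts
$static  = [string]$ipAll.TcpPort
$port = $null
if ($static) { $port = [int]$static }                            # static port configured
if ($dynamic -and $dynamic -ne '0') { $port = [int]$dynamic }     # assigned dynamic port wins

# SQL Browser answers the instance-name-to-port lookup that clients of a named instance rely on.
$browser = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Instance          = $InstanceName
    ServiceRunning    = ($svc.Status -eq 'Running')
    TcpIpEnabled      = $tcpEnabled
    ListeningPort     = $port          # the value to note for the ePO Database Information page
    PortIsDynamic     = [bool]($dynamic -and $dynamic -ne '0')
    SqlBrowserRunning = ($null -ne $browser -and $browser.Status -eq 'Running')
}

# This guide's rule: if TCP/IP is off, enable it and restart the service before running the
# ePO installer, otherwise the installation fails.
if (-not $tcpEnabled) { Write-Warning "TCP/IP is disabled for $InstanceName; enable it and restart $serviceName." }
if ($null -eq $port)  { Write-Warning "No TCP port recorded yet; restart $serviceName and re-run this check." }
```

ListeningPort is the number you would otherwise read by hand from the IP Addresses tab; a PortIsDynamic value of True is the reminder that the port can change after a service restart, which is why the guide has you capture it just before installing.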



SQL server guidelines (continued)
SQL server accounts and roles: KB75766

Install ePO
 Required abilities: Create a new database, set permissions on tables and stored procedures, and create SQL Jobs;
Modify, Delete, Rename, Create, Use, Read, Write, and Change Permissions on any/all Tables, Stored Procedures,
Columns, Rows, Fields, Views on the Master, TempDB, MSDB, and ePO Database
 Server roles: sysadmin, dbcreator, public

Upgrade or Patch installations
 Required abilities: Create a new database, set permissions on tables and stored procedures, and create SQL Jobs;
Modify, Delete, Rename, Create, Use, Read, Write, Change Permissions on any/all Tables, Stored Procedures, Columns,
Rows, Fields, Views on the Master, TempDB, MSDB, and ePO Database
 Server roles: sysadmin, db_owner, public

General day to day operations
 Required abilities: Modify, Delete, Rename, Create, Use, Read, Write, Change Permissions on any/all Tables, Stored
Procedures, Columns, Rows, Fields, Views on the ePO Database
 Server roles: db_owner, public

Install ePO
The account used to install ePO must have the ability to:
 Create a new database, set permissions on tables and stored procedures, and create SQL jobs.
 Modify, Delete, Rename, Create, Use, Read, Write, Change Permissions on any and/or all Tables, Stored
Procedures, Columns, Rows, Fields, Views on the Master, TempDB, MSDB, and ePO Database.
These abilities are given to sysadmin and dbcreator.
Upgrade ePO
The account used to upgrade ePolicy Orchestrator must have rights to:
 Create a new database, set permissions on tables and stored procedures, and create SQL jobs.
 Modify, Delete, Rename, Create, Use, Read, Write, Change Permissions on any, and/or all Tables, Stored
Procedures, Columns, Rows, Fields, Views on the Master, TempDB, MSDB, and ePO Database.
These abilities are given to sysadmin and db_owner.
Administration and Viewing Reports
The account used for administration and viewing reports requires Modify, Delete, Rename, Create, Use, Read,
Write, Change Permissions on any and/or all Tables, Stored Procedures, Columns, Rows, Fields, Views on the ePO
Database. These abilities are given to db_owner.
Notes: For more information, see Technical Article KB75766 - SQL permissions required to install and use ePO
(McAfee Technical Support portal, [Link] If the ePO server is in a workgroup, using
Microsoft Windows authentication on remote database servers might prevent the installation from completing
successfully. To resolve this issue, use SQL authentication.
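An added PowerShell example, not from this guide or from KB75766, that audits the SQL login ePO will use against the roles listed above before the installer is run. The server, database and login names are placeholders; it uses SQL authentication (the guide's recommendation for a workgroup ePO server) and the .NET SqlClient that ships with Windows PowerShell. Server roles are checked from master; db_owner is a database role, so it is checked inside the ePO database when that database already exists (upgrade or day-to-day case) and reported as unknown on a fresh install.

```powershell
# Added example (not McAfee's code): report which of the roles this guide lists the SQL login
# actually holds. Placeholders: SQLHOST\EPODB,49657 and ePO_EXAMPLE are constructed names.
param(
    [string]$SqlServer   = 'SQLHOST\EPODB,49657',   # placeholder: server\instance,port
    [string]$EpoDatabase = 'ePO_EXAMPLE',           # placeholder ePO database name
    [pscredential]$Credential = (Get-Credential -Message 'SQL login that ePO will use')
)

Add-Type -AssemblyName System.Data   # System.Data.SqlClient ships with the .NET Framework

function Invoke-SqlRow {
    # Runs one query and returns the first row as an array; SQL NULL comes back as [DBNull].
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Sql, [hashtable]$Params = @{})
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Params.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Params[$name]) }
    $reader = $cmd.ExecuteReader()
    try {
        if (-not $reader.Read()) { return $null }
        $row = New-Object object[] $reader.FieldCount
        [void]$reader.GetValues($row)
        return $row
    } finally { $reader.Close() }
}

# IS_SRVROLEMEMBER / IS_MEMBER return 1 (member), 0 (not a member) or NULL (unknown principal).
function Test-Granted($value) { ($value -is [int]) -and ($value -eq 1) }

# Build the connection string with the builder so a password containing ';' cannot break it.
$csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$csb['Server']   = $SqlServer
$csb['Database'] = 'master'
$csb['User ID']  = $Credential.UserName
$csb['Password'] = $Credential.GetNetworkCredential().Password
$csb['Encrypt']  = $true   # keep the credential off the wire; trust the SQL certificate rather than disabling checks

$conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
$conn.Open()
try {
    # Server-level roles are evaluated for the login we connected as; DB_ID tells us whether
    # the ePO database already exists (NULL on a fresh install).
    $srv = Invoke-SqlRow $conn "SELECT IS_SRVROLEMEMBER('sysadmin'), IS_SRVROLEMEMBER('dbcreator'), DB_ID(@db)" @{ '@db' = $EpoDatabase }
    $isSysadmin  = Test-Granted $srv[0]
    $isDbCreator = Test-Granted $srv[1]
    $dbExists    = ($srv[2] -isnot [DBNull])

    $isDbOwner = $null
    if ($dbExists) {
        # db_owner is a database role, so it must be checked inside the ePO database itself.
        $conn.ChangeDatabase($EpoDatabase)
        $isDbOwner = Test-Granted (Invoke-SqlRow $conn "SELECT IS_MEMBER('db_owner')")[0]
    }
} finally { $conn.Close() }

[pscustomobject]@{
    Login             = $Credential.UserName
    sysadmin          = $isSysadmin
    dbcreator         = $isDbCreator
    EpoDatabaseExists = $dbExists
    db_owner          = $isDbOwner                         # $null until the ePO database exists
    InstallRoles      = ($isSysadmin -and $isDbCreator)     # sysadmin + dbcreator (this guide)
    UpgradeRoles      = ($isSysadmin -and $isDbOwner -eq $true)   # sysadmin + db_owner
    DayToDayRoles     = ($isDbOwner -eq $true)              # db_owner on the ePO database
}
```

Because the install and upgrade rows require sysadmin, a practical least-privilege pattern is to run the installer or upgrade with one login and then switch the ePO server's database credentials to a separate login that holds only db_owner on the ePO database; rerunning this script for the second login confirms it shows DayToDayRoles True and sysadmin False.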



Preparing for ePO installation
Overview

 Install latest Microsoft updates
 Ensure ports to be used by ePO are available
 To be well prepared, run the pre-installation auditor prior to installation
 If ENS is installed, for performance reasons, disable on-access scan during installation
 After ePO installation, install firewall software (for example, Endpoint Security)

For more information, see Technical Article KB75766 – SQL permissions required to install and use ePO.


Best practices for the ePO installation are:


 Install the latest Microsoft operating system updates.
 Update the ePO database server with the latest Microsoft security updates for the database software you
use.
 Ensure that the ports to be used by the ePO server are available. Notify the network staff of the ports you
intend to use for HTTP and HTTPS communication via ePO.
 To be well prepared, run the pre-installation auditor prior to installation.
 If you have Endpoint Security (ENS) installed on the system on which you plan to install ePO, for
performance reasons, disable on-access scan during installation.
 After the ePO installation, install firewall software (for example, ENS) on the ePO server. (Refer to the HIPS
documentation for configuration.)
 Update your software with the most current intrusion detection signature files.



Preparing for ePO installation (continued)
Prerequisites

 Local administrator credentials
 Microsoft .NET Framework 3.5 or later (installed automatically with full versions of SQL Server; install
manually with SQL Express)
 Updates/patches installed, Windows Updating off
 McAfee Product License Key (not required for evaluation)
 Available ports (if conflicts are detected during installation)
 Destination folder for ePO software
 Authentication credentials
 SQL Server details


Have this information available during the installation:


 Local administrator account credentials: An account with local administrator permissions is required
to log on to the Windows server computer to be used as the ePO server.
 McAfee Product License Key: If you don't have a license key, you can select Evaluation to continue
installing the software. The evaluation period is limited to 90 days. You can provide a license key after
installation is complete from within the application. For more information, see the product guide or Help.
 Authentication credentials: Supports Windows and SQL authentication.
    Microsoft Windows authentication: Credentials for a domain administrator user account.
    SQL authentication: Required SQL Server permissions (discussed later in this module).
 Destination folder for ePO software, if different than the default (C:\Program Files (x86)\McAfee\ePolicy
Orchestrator\).
 Supported SQL Server: It is important to know if you plan to install SQL Server or plan to use a manually
installed or existing SQL server.
 SQL Server details:
 Name of the SQL Server (This name should be formatted using the SQL Server name or the SQL
Server name with instance name.)
 Dynamic port number used by your SQL Server.



PIA Video

Install Video




Downloading ePO software
Valid grant number required


A grant number is required to obtain ePO software and documentation from the McAfee Download Site (Business
Home > Products & Solutions > Product Downloads or [Link]/us/downloads/[Link]).
Note: Some products, such as Stonesoft and Next Generation Firewall (NGFW), require different types of
credentials for download permissions.
For more information, contact McAfee Customer Service.



Installing ePO software
Getting started

 Extract software to temporary folder
 Double-click on Setup
 Wait while program prepares for installation


1. From the ePO server, extract your ePO software files to a temporary directory, then browse to the temporary
directory and double-click the Setup icon ([Link]), or select File > Open. Wait while the program
prepares for the install. Do not attempt to run [Link] without first extracting the .zip file.
You may be alerted about RAM or monitor requirements. With ePO 5.10, 8 GB available RAM minimum is
recommended. The monitor should be 1024x768, 256-color, VGA.
2. Click OK to continue.



Installing ePO software (continued)

 Click Next to begin
 If prompted, click Next to install missing software


3. A Welcome window opens. Read the information on the window, then click Next to begin.
If any prerequisite software is needed, click Next to install the software. Wait while the software is installed.



Installing ePO software (continued)

 Optionally, change default destination

 Click Next to continue


4. In the Destination Folder step, click:


 Next to install the ePO software in the default location (C:\Program Files\McAfee\ePolicy Orchestrator\).
 Change to specify a custom destination location for your McAfee ePO software. When the Change
Current Destination Folder window opens, browse to the destination and create folders if needed. After
specifying the new destination, click Next to continue.



Installing ePO software (continued)
Database information

 Supply database information
 Click Next to continue
 Wait while program searches for SQL servers


5. Complete the Database Information window, then click Next.


 Database server: Select from drop-down list.
 Database Name: Populated automatically.
 Database Server credentials: Select and define the authentication type.
    Windows authentication: Select the domain of the user account to be used to access the SQL Server. If
using a previously-installed SQL server, also type the User name and Password. If you are using a
previously installed SQL Server, make sure your user account has access.
    SQL authentication: Type the User name and Password for your SQL Server. Make sure that the
credentials you provide represent an existing user on the SQL Server, with appropriate rights.
 Username / Password: Enter the user name and password that ePO will use to connect to the SQL server.
Note: The installation wizard detects whether a supported SQL Server is installed on the server system where you
are installing your software. If no SQL Server is present, the wizard prompts you to install a SQL Server, or select an
existing SQL Server. In this example, SQL Server is already installed on a separate server; therefore, you must enter
the SQL Server credentials.



Installing ePO software (continued)
Pre-Installation Auditor: Database credentials

 Pre-Installation Auditor starts automatically
 Click Next to continue

The flow of the Pre-Install Auditor requires the appropriate account and password information to access the SQL
database in your ePO environment.


6. The Pre-Installation Auditor starts automatically. Click Next.



Installing ePO software (continued)
Pre-Installation Auditor: Running checks

 Pre-Installation Auditor runs checks to determine compliance with all requirements


6. The Pre-Installation Auditor begins running checks on all the components to determine compliance with
requirements.



Installing ePO software (continued)
Pre-Installation Auditor: Check Results

 A warning appears if the system does not pass all the checks
 Click OK and resolve the issues as needed

The assessment provides the description of the components reviewed, as well as any remediation steps, if needed.


7. A warning appears if the system does not pass all the checks.
8. Click OK and resolve issues as needed.

The workflow of the Pre-Installation Auditor provides what needs to be resolved prior to upgrading, as well as KB
articles to reference and review as part of the process.



Installing ePO software (continued)
Pre-Installation Auditor: Fix SQL issue

 Arithmetic Abort Enabled must be set to False in the Database Properties




Installing ePO software (continued)
Pre-Installation Auditor: Rerun and finish

 Rerun the auditor after corrections
 Once all checks have passed, click Finish
 You can also export the results to a CSV file for offline analysis


9. Rerun the auditor after making all the necessary corrections.


10. Once all checks have passed, click Finish.

You can also export the results to a CSV file for offline analysis.



Installing ePO software (continued)
Default ports displayed – Adjust as needed

 Default ports display
 Change ports as needed
 Click Next to continue

Avoid using Ports 80 and 8443.
If SQL Server is installed on the same server as ePO, then ePO uses the dynamically assigned local SQL Server port.
The port for the remote SQL server remains 1433.

The ports that ePO uses are predefined and populated by default.
Avoid using ports 80 and 8443 for HTTP communication. Although port 8443 is the default port, it is the primary
port used by many web-based activities. This port is a frequent target for malicious exploitation, so system
administrators are likely to disable the port in response to a security violation or outbreak.
If a SQL Server is installed on the same server as ePO, ePO uses the dynamically assigned local SQL Server port;
otherwise, the port for the remote SQL Server remains 1433. In the example, the local port assignment is shown.
See the slide SQL server guidelines: Using a separate SQL Server for further information on dynamic ports.
After your installation is complete, you can change only the Agent wake-up communication port and Agent
broadcast communication port. If you need to change your other port settings later, reinstall your ePO software.
Refer to the Installation Guide for details on the dynamic ports that SQL Server assigns to an instance.

11. Click Next to continue.
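An added PowerShell example, not part of this guide, for the port checks described above. Run on the intended ePO host before you reach the ports page, it reports which of the ports you plan to enter are already held by another listener (and by which process), flags 80 and 8443 as the ports the guide says to avoid, and confirms that the SQL Server port you will type into Database Information answers. The port list and the SQL host name are constructed placeholders; Get-NetTCPConnection and Test-NetConnection are assumed to be available (Windows Server 2012 / Windows 8 or later).

```powershell
# Added example (not McAfee's code): port availability and SQL reachability check on the ePO host.
# Placeholders: the port list below and SQLHOST are constructed; substitute your own plan.
param(
    [int[]]$PlannedTcpPorts = @(8443, 443, 8081),   # placeholder: use the values shown on your ports page
    [string]$SqlHost = 'SQLHOST',                   # placeholder remote SQL Server
    [int]$SqlPort = 1433                            # 1433 for a remote default instance; the dynamic port for a named one
)

$discouraged = 80, 8443   # the two ports this guide tells you to avoid for HTTP communication

# Every TCP listener on this host, keyed by port, so a conflict can be attributed to a process.
# LocalPort is a UInt16; cast to int so lookups with the int[] plan match.
$listeners = @{}
foreach ($c in Get-NetTCPConnection -State Listen) {
    $port = [int]$c.LocalPort
    if (-not $listeners.ContainsKey($port)) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $listeners[$port] = if ($proc) { $proc.ProcessName } else { "pid $($c.OwningProcess)" }
    }
}

$portReport = foreach ($p in $PlannedTcpPorts) {
    [pscustomobject]@{
        Port        = $p
        InUse       = $listeners.ContainsKey($p)
        HeldBy      = $listeners[$p]
        Discouraged = ($p -in $discouraged)
    }
}
$portReport | Format-Table -AutoSize

# The installer must reach SQL Server on the port you will enter in Database Information.
$sql = Test-NetConnection -ComputerName $SqlHost -Port $SqlPort -WarningAction SilentlyContinue
if ($sql.TcpTestSucceeded) {
    "SQL Server {0}:{1} is reachable." -f $SqlHost, $SqlPort
} else {
    Write-Warning ("Cannot reach SQL Server {0} on TCP {1}; check the firewall and the port noted under IPAll." -f $SqlHost, $SqlPort)
}

# Anything in use or discouraged should be changed on the ports page now: per this guide, after
# installation only the Agent wake-up and Agent broadcast ports can be changed without a reinstall.
$portReport | Where-Object { $_.InUse -or $_.Discouraged } | ForEach-Object {
    Write-Warning ("Port {0}: in use={1} ({2}), discouraged={3}" -f $_.Port, $_.InUse, $_.HeldBy, $_.Discouraged)
}
```

Running it with the placeholder list shows the intended behaviour: 8443 comes back Discouraged=True even when free, and any port already bound (for example by IIS on 80 or 443) is listed with the owning process so the conflict can be resolved before the wizard reports it.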



Installing ePO software (continued)
Keystore Encryption Passphrase

 Enter username of primary administrator account
 Enter Keystore Encryption Passphrase
    14 - 200 characters
    Required for Disaster Recovery
 Click Next

After installation, you can reset the Keystore Encryption Passphrase from the Server Settings page
(Menu > Server Settings > Disaster Recovery > Edit).


12. Complete the Administrative Information window, then click Next.

 Username / Password: Enter the Username and Password for the primary global administrator account.
 Keystore Encryption Passphrase: Enter a passphrase (14–200 characters).

Keystore Encryption Passphrase

The Disaster Recovery feature uses a Snapshot process to save specific ePO server database records to the ePO
SQL Server database.

The Keystore Encryption Passphrase is used to encrypt and decrypt the sensitive information stored in the server
Snapshot. This passphrase is required during the ePO server Disaster Recovery Snapshot.

After installation, you can change the passphrase, if required, provided you have administrator privileges.
Select Menu > Configuration > Server Settings > Disaster Recovery > Edit.



Installing ePO software (continued)
License Key

 Enter the License Key or select Evaluation
 Optionally, disable Automatic Product Installation
 Click Next

If you stop Automatic Product Setup and confirm in the dialog box, you must use the Software Catalog to install
your products.


13. Enter the License Key or select Evaluation, then click Next. The evaluation period expires after 90 days.

Automatic Product Configuration


During an automatic configuration, your McAfee ePO server downloads and installs all the McAfee products entitled
to you by your site license. In most cases, during an automatic configuration, you never see the Automatic Product
Configuration process run. It starts running as soon as you finish installing the ePO software and is usually finished
before you log on.
If the Automatic Product Configuration page appears when you initially log on to ePO, an error occurred while
downloading or installing your products (for example, if your Internet connection was interrupted).
Make a note of the product that failed to install and click Retry to attempt the product installation again.
To stop the automatic product installation, click Stop. A confirmation dialog box asks you to confirm that you want
to use Software Manager to install your products.
Important: Once you click OK in the Stop Automatic Product Setup confirmation dialog box, you must use the
Software Manager to install your products. The Automatic Product Configuration is available only once during your
initial configuration. If a product continues to fail during Automatic Product Configuration, contact McAfee Technical
Support, or click OK to exit the Automatic Product Configuration page and begin setting up the ePO server. For
future product installation status information, open the Software Manager (Menu > Software > Software
Catalog).



Using Automatic Product Configuration Tool
 Quickly deploys and installs/checks in products to ePO and managed systems
 The automatic download component is only available once; it requires the ePO server to have internet
access; it starts running as soon as the install is complete and is usually finished before the first login to ePO
 If stopped, the Software Catalog is used for future product installs

ePO 5.1.0 and later


If you installed ePO by double-clicking [Link], the Automatic Product Configuration page displays once
the installation completes.
During the automatic download component, your ePO server downloads and installs/checks in all the McAfee
products entitled to you by your site license.
In most cases, you never see the Automatic Product Configuration process run. It starts running as soon as you
finish installing the ePO software and is usually finished before you log on.
If the Automatic Product Installation page appears when you initially log on to McAfee ePO, an error occurred while
downloading or installing your products (for example, if your Internet connection was interrupted). Make a note of
the product that failed to install/check in and click Retry to try the product installation again.
For future product installation status information, use the Software Manager: Menu > Software > Software
Manager.
Important: To stop the automatic product installation, click Stop and then OK to confirm. A confirmation dialog
box asks you to confirm that you want to use Software Manager to install your products. You must then use the
Software Manager to install your products. Automatic Product Configuration is available only once during your
initial configuration.
If a product continues to fail during Automatic Product Installation, contact Technical Support, or click OK to exit the
Automatic Product Installation page and begin setting up the McAfee ePO server.
For future product installation status information, open the Software Catalog: Menu > Software > Software
Catalog.
Note: Internet access is required for the automatic download.



Installing ePO software (continued)
Accept license agreement and begin installation
 Accept McAfee End User License Agreement, then click OK
 Optionally, check the option to allow McAfee to collect system and software telemetry data, then click Install

Click the More Information button to learn about the McAfee Product Improvement Program.


14. You must accept the McAfee End User License Agreement to continue the installation. Optionally, change the
location if it is different from United States. Click OK to continue.
15. The Ready to Install the Program window appears. Optionally, disable the option to allow McAfee to collect
system and software telemetry data, then click Install.

McAfee Product Improvement Program


McAfee® Product Improvement Program collects the data from the client systems where McAfee products are
installed and that are managed by ePO. It helps improve McAfee products.
The McAfee Product Improvement Program collects these types of data:
 System environment (software and hardware details)
 Effectiveness of installed McAfee product features
 McAfee product errors and related Microsoft Windows events
The collected data is aggregated on the McAfee ePO server, then sent to the McAfee Product Improvement
Program server once a day (default collection period) and stored at \TelemetryData. McAfee analyzes the collected
data to improve product features and customers' experience with the product. It is also used by McAfee Technical
Support for troubleshooting.
To learn about this program, click the More Information button (requires internet access). In addition, go to this
URL: [Link]
Privacy Protection
The collected data is used only for product improvement and technical support. The system-specific data is filtered
or used in aggregate form, unless it is required for technical support.



Installing ePO software (continued)
Complete installation
 Wait while ePO software is installed

 When prompted, click Finish


16. Wait while the installation program installs ePO. This may take some time.
The InstallShield Wizard dialog appears after the installation is complete. Click Finish.

Recommendation: Restart the ePO server after the installation is complete.



Post-installation tasks
Overview

√ Verify McAfee services are installed/started
√ Make sure Startup type for SQL Server Agent (EPOSERVER) service is Automatic
√ Make sure pop-up blocker is off
√ Log in to ePO for first time
√ Import root certificate
√ Install required updates for McAfee security products (if appropriate)
√ Configure ePO for multiple NICs (if appropriate)
√ View port assignments


Some post-installation tasks are:
1. Verify the appropriate McAfee services are started.
2. Make sure the Startup type for the SQL Server Agent (EPOSERVER) service is set to Automatic.
3. Make sure the pop-up blocker is off in your browser.
4. Log in to ePO for the first time as the administrator.
5. Import the root certificate.
6. Install required updates for McAfee security products (if appropriate).
Example:
 McAfee Security for Domino (Windows)
 McAfee Host Intrusion Prevention System (HIPS)
 McAfee Policy Auditor
 McAfee Quarantine Manager
 McAfee Security for Microsoft SharePoint
 McAfee Security for Exchange
 McAfee Endpoint Security (ENS)
 McAfee Vulnerability Manager (MVM) ePO extension
7. Configure ePO for multiple NICs (if appropriate).
8. Review the port assignments.



Verify services are installed and started

Rely on constant, high-speed connection to ePO SQL Server database

Start > Programs > Administrative Tools > Services


Verify that the required McAfee services are installed and have been added to the server.
1. Select Start > Programs > Administrative Tools > Services.
2. Identify which McAfee services are installed and started on the server. Pay special attention to these services:
 McAfee ePO Application Server Service (Tomcat): Responsible for displaying the ePO console and
running extensions, as well as other background functions.
 McAfee ePO Event Parser Service: Takes events uploaded from clients in your environment and
parses them into the SQL database.
 McAfee ePO Server Service (Apache): Processes and receives all agent-server communication.
Verify services are installed and started (continued)
Log Files for Application Server, Event Parser, and Server Services
The following are the primary log locations for these services:
 Application Server service (Tomcat): [Link] or orion_servername.log located in:
...\<epoinstallationdirectory>\server\logs\
 Event Parser service: [Link] or eventparser_servername.log located in:
...\<epoinstallationdirectory>\db\logs\
 Server service (Apache): [Link] or server_servername.log located in:
...\<epoinstallationdirectory>\db\logs\
List of McAfee Services
 McAfee ePO Application Server Service (Tomcat)
 McAfee ePO Event Parser Service
 McAfee ePO Server Service (Apache)
 McAfee Product Improvement Program Service (optional)
 SQL Server
 SQL Server Browser



Logging into ePO for the first time
 Connect to the ePO server
 Double click on Launch McAfee ePolicy Orchestrator Console
desktop icon
OR
 Enter URL in supported browser address bar
 Log in with default admin credentials (case-sensitive)

Figure: log on from a remote computer to the ePO server


After the installation is complete, connect to the ePO server and verify the ePO console is accessible. Because the
console is web-based, you can also access the console remotely using a supported browser at one of these
addresses:
 [Link] port (default 8443)
 [Link] port (default 8443)
After connecting to the server, log in with default admin account credentials. These credentials are case-sensitive.
(Later, you will add accounts for other ePO users.)
 Preferred language (NOTE: Choose English UK as the language for European date and time format. )
 User name: admin (default)
 Password: as specified during the install
Guidelines
 You can log on to multiple ePO servers by opening a new browser session or tab for each ePO server.
 The computer must exist in the same domain (or a domain that has a trust relationship with that
domain) as the ePO server.
 If a system name contains an underscore (_) character, log on using the ePO server's IP address rather
than the machine name.
 Console communication is secured with industry-standard Secure Sockets Layer (SSL).
 If desired, you can change the default login banner to meet your own needs.
Click Menu > Configuration > Server Settings, select Login Message from the Setting Categories, then
click Edit. Select Display custom login message, then enter your message and click Save.



Viewing/editing port assignments
Avoid using port 80 for Agent-Server communication

Figure: filtered list of port assignments (default port assignments changed during ePO software installation)

Menu > Configuration > Server Settings



Use this page to review and change selected port assignments for communication between the server, the agent,
and other components.
 Agent broadcast communication port: This is the port that is used to send SuperAgent wake-up calls.
The default port is 8082. This port can be changed after installation.
 Agent-to-Server communication port: This is the port that the agent uses to communicate with the
server. The default port is 80. This port cannot be changed after installation.
Note: McAfee strongly recommends that you avoid using port 80 due to potential conflicts in many
environments.
 Agent-to-server communication secure port: This is the port that the agent uses for secure
communication with the server. The default port is 443.
 Agent wake-up communication port: This is the port that is used to send agent wake-up calls. The
default port is 8081. This port can be changed after installation.
 Client-to-server authenticated communication port: This port is used for client certificate
authenticated communication.
 Console-to-application server communication port: This port is used by supported client browsers,
such as Internet Explorer, to access the ePO user interface. The default port is 8443. This port cannot be
changed after installation.
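As an added example (not McAfee's code), the following PowerShell script checks, from the ePO server itself, the items covered by the "Verify services are installed and started" slide and the port assignments above: it lists the ePO services, sets the SQL Server Agent (EPOSERVER) service to Automatic if needed, and confirms that the server-side ports are actually listening. The service display-name pattern and the port values are assumptions taken from the defaults on the slides; adjust them to the values chosen during installation.

```powershell
#Requires -RunAsAdministrator
# Added example, not McAfee's code. Assumptions: ePO service display names start with
# 'McAfee ePolicy Orchestrator', the SQL Server Agent service is named as on the slides,
# and the ports below are the installation defaults shown in the port assignments slide.

function Test-EpoServices {
    [CmdletBinding()]
    param(
        [string]$EpoPattern       = 'McAfee ePolicy Orchestrator*',   # assumption
        [string]$AgentDisplayName = 'SQL Server Agent (EPOSERVER)'    # from the slides
    )
    $report = @()

    # Application Server (Tomcat), Event Parser and Server (Apache) services
    $epo = @(Get-Service -DisplayName $EpoPattern -ErrorAction SilentlyContinue)
    if ($epo.Count -lt 3) {
        Write-Warning "Expected 3 ePO services matching '$EpoPattern', found $($epo.Count)."
    }
    foreach ($svc in $epo) {
        $report += [pscustomobject]@{
            Service     = $svc.DisplayName
            Status      = $svc.Status
            StartupType = $svc.StartType
            Ok          = ($svc.Status -eq 'Running')
        }
    }

    # SQL Server Agent for the ePO instance must start automatically (post-install task 2)
    $agent = Get-Service -DisplayName $AgentDisplayName -ErrorAction SilentlyContinue
    if ($null -eq $agent) {
        Write-Warning "Service '$AgentDisplayName' not found; check the SQL instance name."
    } else {
        if ($agent.StartType -ne 'Automatic') {
            Write-Verbose "Setting '$AgentDisplayName' to Automatic start."
            Set-Service -Name $agent.Name -StartupType Automatic
        }
        if ($agent.Status -ne 'Running') { Start-Service -Name $agent.Name }
        $agent.Refresh()
        $report += [pscustomobject]@{
            Service     = $agent.DisplayName
            Status      = $agent.Status
            StartupType = $agent.StartType
            Ok          = ($agent.StartType -eq 'Automatic' -and $agent.Status -eq 'Running')
        }
    }
    return $report
}

function Test-EpoListeningPorts {
    [CmdletBinding()]
    param(
        # Ports the ePO server itself listens on (defaults from the slides; assumption).
        # The wake-up ports 8081/8082 are opened on managed systems and SuperAgents, not here.
        [hashtable]$Ports = @{
            'Agent-to-server communication'        = 80
            'Agent-to-server secure communication' = 443
            'Console-to-application server'        = 8443
        }
    )
    foreach ($purpose in $Ports.Keys) {
        $port = $Ports[$purpose]
        $conn = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
                Select-Object -First 1
        $proc = if ($conn) {
            (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
        [pscustomobject]@{
            Purpose   = $purpose
            Port      = $port
            Listening = [bool]$conn
            Process   = $proc
        }
    }
    # The slides warn against port 80 for agent-server traffic: flag it explicitly
    if ($Ports['Agent-to-server communication'] -eq 80) {
        Write-Warning 'Agent-to-server communication uses port 80, which McAfee recommends avoiding.'
    }
}

Test-EpoServices       | Format-Table -AutoSize
Test-EpoListeningPorts | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the ePO server after the reboot recommended at the end of the installation.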



Viewing/editing port assignments (continued)

Ports you can change post install


The figure shows which ports you can change from this screen. Changes take up to one minute to take effect.
For information about changing ports, see these Technical Articles:
 KB72936: How to change ePO Agent-to-Server Communication secure port.
 KB52141: How to change the ePolicy Orchestrator Console-to-Application Server communication port.



Basic troubleshooting
Overview

√ Ensure minimum installation requirements are met
√ Review Release Notes
√ Review relevant Technical Articles
√ Verify account and permissions
√ Collect exact text of all messages
√ Write down any message codes
√ Review any installer log files (%temp%\McAfeeLogs\)


Should you have problems with your install, use this methodology to help identify the cause.
 Verify you have met the minimum installation requirements.
 Review McAfee ePolicy Orchestrator Release Notes.
 Review any Technical Articles posted on the McAfee support site.
 Verify the account you used to log on to the computer where you are installing the software has full
administrator permissions to that computer.
 Collect the exact text of all messages, and make sure to write down any message codes that appear.
 Review the installer logs (%temp%\McAfeeLogs\), which include details about installation path, user
credentials, database used, and communication ports configured.
Some other helpful logs are:
 Server logs: Include details about server functionality, client event history, and administrator
services.
 Agent logs: Include details about agent installation, wake-up calls, updating, and policy
enforcement.



Upgrading ePO
What has changed with 5.10 ePO

 There is no direct upgrade path from ePO 4.x to ePO 5.10
 The Pre-Installation Auditor (embedded in the ePO 5.10 installer) verifies the ePO and SQL
Database readiness for upgrade to ePO 5.10
 The Pre-Installation Auditor utility provides remediation steps for any conflicts found
 The Pre-Installation Auditor utility file ([Link]) is also provided in the extracted folder and can be
executed outside of the ePO installer file ([Link])

After upgrading to ePO 5.10, you may need to rebuild the indexes of the SQL database
if index fragmentation gets too high or the built-in task fails. See KB87769 for assistance.


Changes in Product Compatibility Check
Product Compatibility Check tool
The Product Compatibility Check confirms if your managed products are compatible with the latest version of
McAfee ePO. It runs automatically during the upgrade.
If it finds discrepancies, the tool creates a list of blocked or disabled extensions.
Blocked extensions prevent the McAfee ePO software upgrade. Disabled extensions do not block the upgrade, but
the extension is not initialized until a known replacement extension is installed.
An initial Product Compatibility List is included in the McAfee ePO software package that you download from the
McAfee website.

The Pre-Installation Auditor is used to validate the readiness of the ePO and SQL environment prior to moving to
ePO 5.10. The utility includes remediation steps for any conflicts found.
Pre-Installation Auditor
Run the McAfee ePO Pre-Installation Auditor to reduce or prevent McAfee ePO upgrade issues.
Run a pre-installation audit to make sure that your environment meets the minimum requirements for a successful
installation. For information about downloading and using the Pre-Installation Auditor, see the tool's release notes.

Note: After upgrading to ePolicy Orchestrator 5.10, you might need to rebuild indexes if index fragmentation gets
too high or the built-in task fails to rebuild those indexes. Rebuilding the indexes is beneficial for better ePO
performance. See KB87769 for details.



Upgrading ePO checklist
Plan the upgrade

 Read the release notes
 Review Knowledge Base articles for ePO 5.10:
  Known Issues: KB90382
  Upgrade Paths: KB86693
  Minimum Supported Extensions/Versions: KB90383
  Policy and System Migration: KB88822
 Have a solid backup of ePO databases and directories
 Gather required information:
  Grant Number
  License Key
  Database server and Database name
  DB Server credentials for ePO
  Primary administrator account credentials for ePO
  Keystore encryption passphrase
 Run the Pre-Installation Auditor



Perform these tasks to understand the upgrade process and the specific upgrade steps your environment requires.

 Read the release notes: The release notes describe important information about your McAfee ePO upgrade,
and we recommend that you read the whole document.
 Review known issues, upgrade paths, and supported products: Before you upgrade your software, review
known issues and the latest information about supported upgrade paths and products.
 Gather required information: Make sure that you have this information before you start the upgrade process.
 Run the Pre-Installation Auditor



Pre-Installation Auditor
Introduction screen

 The Pre-Installation Auditor runs in the 5.10 installer by default
 It can also be run on its own to determine if an environment is ready for an in-place upgrade
 The Pre-Installation Auditor pre-checks the environment based on the information provided in KB71825


What does Pre-Installation Auditor validate?

ePO server validations
 Verifies the operating system is supported
 Verifies disk space and RAM meet the hardware requirements
 Verifies Windows 8.3 naming convention is enabled
 Checks if there are any pending file rename operations
 Verifies that the McAfee ePO Services can be stopped and restarted as required
 Checks if there are any open handles on McAfee ePO files and folders. No other process should be
using these while upgrading ePO.
 Checks if there are any pending Windows schedule tasks that will block the installation or upgrade
 Checks whether any Windows updates require a system reboot
 Checks if there is support for SHA-2 certificates



What does Pre-Installation Auditor validate? (continued)

SQL server validations
 Verifies the SQL instance that McAfee ePO uses
 Verifies ePO's SQL user account has the necessary database permissions
 Verifies whether the SQL Server is Express Edition and that its database size limits meet the database size
requirements
 Verifies SQL Server database recovery model is set to Simple
 Verifies the status of the Auto Close connection setting of the SQL Server. The recommendation is to set it
to False.
 Verifies SQL Server is compatible with RSA BSAFE keys
 Verifies that Arithmetic Abort Enabled is set to True
 Verifies that the Database Compatibility level is set to 100 or higher
 Verifies that the database index fragmentation is below the recommended limit
 Verifies the SQL browser service is running
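The Pre-Installation Auditor performs these checks for you, but a DBA often wants to see the underlying values before the upgrade window. The following PowerShell script is an added example, not McAfee's tool: it re-creates the database-setting, index-fragmentation, Express Edition size and SQL Browser checks from the two validation lists above with plain T-SQL over System.Data.SqlClient (the RSA BSAFE and permission checks are not reproduced). The instance name, database name, Windows authentication and the 30% fragmentation threshold are assumptions.

```powershell
# Added example, not McAfee's Pre-Installation Auditor. Assumptions: instance and database
# names below are placeholders, the caller has Windows authentication to the instance and
# VIEW DATABASE STATE on the ePO database, and 30% is the rebuild threshold you use.

function Get-EpoSqlReadiness {
    [CmdletBinding()]
    param(
        [string]$Instance = '.\EPOSERVER',     # assumption: local instance name from the slides
        [string]$Database = 'ePO_SERVER',      # assumption: placeholder ePO database name
        [double]$MaxFragmentationPercent = 30  # assumption: common rebuild threshold
    )
    $cs = "Server=$Instance;Database=$Database;Integrated Security=True;TrustServerCertificate=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()

        # Database-level settings the auditor inspects, all exposed by sys.databases
        $cmd.CommandText = @"
SELECT d.recovery_model_desc, d.is_auto_close_on, d.is_arithabort_on, d.compatibility_level,
       CAST(SERVERPROPERTY('Edition') AS nvarchar(128)) AS edition,
       (SELECT SUM(CAST(size AS bigint)) * 8 / 1024 FROM sys.database_files WHERE type = 0) AS data_mb
FROM sys.databases d WHERE d.database_id = DB_ID();
"@
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $settings = [pscustomobject]@{
            RecoveryModel      = [string]$r['recovery_model_desc']
            AutoClose          = [bool]$r['is_auto_close_on']
            ArithAbort         = [bool]$r['is_arithabort_on']
            CompatibilityLevel = [int]$r['compatibility_level']
            Edition            = [string]$r['edition']
            DataSizeMB         = [int64]$r['data_mb']
        }
        $r.Close()

        # Indexes above the fragmentation threshold; LIMITED mode keeps the scan cheap
        $cmd.CommandText = @"
SELECT o.name AS table_name, i.name AS index_name, s.avg_fragmentation_in_percent, s.page_count
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') s
JOIN sys.indexes i ON i.object_id = s.object_id AND i.index_id = s.index_id
JOIN sys.objects o ON o.object_id = s.object_id
WHERE s.index_id > 0 AND s.page_count > 100 AND s.avg_fragmentation_in_percent > @max
ORDER BY s.avg_fragmentation_in_percent DESC;
"@
        [void]$cmd.Parameters.AddWithValue('@max', $MaxFragmentationPercent)
        $fragmented = @()
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            $fragmented += [pscustomobject]@{
                Table            = [string]$r['table_name']
                Index            = [string]$r['index_name']
                FragmentationPct = [math]::Round([double]$r['avg_fragmentation_in_percent'], 1)
                Pages            = [int64]$r['page_count']
            }
        }
        $r.Close()
    } finally {
        $conn.Close()
    }

    # Turn the raw values into findings that mirror the auditor's recommendations
    $findings = @()
    if ($settings.RecoveryModel -ne 'SIMPLE')  { $findings += "Recovery model is $($settings.RecoveryModel), expected SIMPLE" }
    if ($settings.AutoClose)                   { $findings += 'AUTO_CLOSE is ON; recommended setting is False' }
    if (-not $settings.ArithAbort)             { $findings += 'ARITHABORT is OFF; required setting is True' }
    if ($settings.CompatibilityLevel -lt 100)  { $findings += "Compatibility level $($settings.CompatibilityLevel) is below 100" }
    if ($settings.Edition -like '*Express*' -and $settings.DataSizeMB -gt 8192) {
        $findings += "Express Edition data size is $($settings.DataSizeMB) MB, close to the 10 GB edition limit"
    }
    if ($fragmented.Count -gt 0) {
        $findings += "$($fragmented.Count) index(es) exceed $MaxFragmentationPercent% fragmentation; see KB87769"
    }
    # The SQL Browser service resolves the named instance to its dynamically assigned port
    $browser = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue
    if ($null -eq $browser -or $browser.Status -ne 'Running') {
        $findings += 'SQL Server Browser service is not running'
    }

    [pscustomobject]@{ Settings = $settings; FragmentedIndexes = $fragmented; Findings = $findings }
}

$result = Get-EpoSqlReadiness -Instance '.\EPOSERVER' -Database 'ePO_SERVER'
$result.Settings | Format-List
$result.FragmentedIndexes | Format-Table -AutoSize
$result.Findings
```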



Upgrading ePO checklist (continued)
Prepare the environment

 Perform any updates as recommended by the Pre-Installation Auditor for the ePO server
 Back up McAfee ePO databases and directories
 Update registered server certificates
 Disable McAfee Agent installation tasks set to Run Immediately
 Disable scheduled server tasks and Windows tasks
 Disable third-party software


Perform these tasks to avoid problems during the upgrade process.

• Back up McAfee ePO databases and directories - Before you upgrade your software, back up all McAfee ePO
databases, as well as the McAfee ePO directory.
• Update registered server certificates - Make sure that the certificates for any registered servers that McAfee
ePO communicates with are supported by McAfee ePO.
• Make sure that your Windows Server has enough disk space - Verify that the system temp drive and the
McAfee ePO installation drive have sufficient disk space for the upgrade.
• Make sure that the Windows 8.3 naming convention is enabled - Enable Windows 8.3 naming convention
on the drive where McAfee ePO is installed.
• Disable McAfee Agent installation tasks set to run immediately - Before you upgrade the McAfee Agent
extension, disable any McAfee Agent installation tasks that are scheduled to Run Immediately.
• Disable scheduled server tasks - Disable any tasks that might interfere with the upgrade (such as: purge
events, pull tasks, and replication tasks).
• Disable third-party software - Disable any software that automatically restarts services on your McAfee ePO
server.



Upgrading ePO checklist (continued)
Prepare SQL database

 Perform any updates for the SQL Server, as recommended by the Pre-Installation Auditor
assessment of the SQL database
 Update your Windows Server to the latest Microsoft Service Packs and hotfixes
 Make sure that IPv6 is enabled


To avoid upgrade problems and reduce upgrade times, run the Pre-Installation Auditor and perform any updates,
as recommended by the assessment.



Upgrading ePO checklist (continued)
Perform the upgrade

√ Download and extract the ePolicy Orchestrator software
√ Disable automatic Windows updates
√ Stop the remote Agent Handlers' services
√ Stop McAfee ePO services
√ Start and complete the InstallShield wizard
√ Reinstall the remote Agent Handler software on all Agent Handlers
The Agent Handler version MUST match the version of the ePO server
√ Upgrade to Product Improvement Program/Telemetry extension build [Link]

ePO upgrade from 5.3.x to 5.10 fails if the Product Improvement Program / Telemetry extension version is 1.6.x
(under "Extension Page"). To work around this issue, refer to KB89439.


Stop updates and services, and start the InstallShield wizard.

• Download and extract the software - Download the McAfee ePO software to your Windows Server.
• Stop automatic updates - Disable Windows updates to ensure they do not interfere with your McAfee ePO
installation or upgrade.
• Stop remote Agent Handlers services before upgrading - If you use remote Agent Handlers in your
environment, you must stop two McAfee services on each remote Agent Handler server to successfully
complete your upgrade.
• Stop McAfee ePO services - Perform these steps to make sure that the Apache Tomcat service stops.
• Start and complete the InstallShield wizard - Use [Link] to upgrade your McAfee ePO server.
• Upgrade your remote Agent Handlers - When you upgrade your McAfee ePO server software, you must
manually reinstall the Agent Handler software on any remote Agent Handlers installed throughout your
environment. Agent Handlers are not automatically updated to the latest version when the ePO server is
upgraded.



Upgrading ePO checklist (continued)
Restart processes and verify upgrade

 To remediate vulnerabilities in your McAfee ePO environment, migrate SHA-1 certificates to
SHA-2 or higher; refer to KB87017
 Verify the upgrade
1. Run a query or server task
2. Perform an Agent wake-up call with one or more managed systems
3. Verify registered servers are communicating with the ePO server


Verify that the upgrade was successful.

1. To verify McAfee ePO is operating correctly, run a query or server task.
2. To verify connectivity, perform a McAfee Agent wake-up call with one or more managed systems.
3. Make sure that your registered servers are communicating with McAfee ePO.



Migrate SHA-1 certificates to SHA-2 or higher
Certificate Manager

 The Certificate Manager allows you to:
 Migrate certificates that are signed by an older signing algorithm to the new algorithm, such as SHA-1 to
SHA-256
 Regenerate your certificates when your existing certificates are compromised due to vulnerabilities in
your environment
 Migrate or regenerate certificates for managed products that are derived from the McAfee ePO root CA
 This task replaces certificates that are used for all these McAfee ePO operations:
 Agent-server communication
 Authenticating to browsers
 Certificate-based user authentication

Read the instructions carefully before proceeding with the steps. If you activate the new
certificates before they are populated on the systems in your network, those systems won't be
able to connect to your McAfee ePO server, until the agents on those systems are re-installed.


To remediate vulnerabilities in your McAfee ePO environment, migrate your existing certificates to more secure
algorithm certificates or regenerate them.

The SHA-1 algorithm has reached end-of-life (EOL). Many organizations are deprecating TLS/SSL certificates signed
with the SHA-1 algorithm. If you continue to use SHA-1 certificates, browsers such as Google Chrome or Microsoft
Internet Explorer will flag the McAfee ePO console as an insecure HTTPS site.

If you have upgraded McAfee ePO from an older version, migrate McAfee ePO certificates to the latest hash
algorithm. A fresh installation of McAfee ePO installs the latest hash algorithm certificates.
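As an added example (not part of the Certificate Manager), this PowerShell script reports the signature algorithm of the certificate the ePO console presents on the console port, and of any exported certificate file, so SHA-1 signatures can be found before a browser flags the console. The host name, the default console port 8443 and the file path are placeholder assumptions.

```powershell
# Added example, not McAfee's code. Assumptions: the ePO host name, the console port
# (default 8443 from the slides) and the exported certificate path are placeholders.

function Get-CertificateSignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $alg = $Certificate.SignatureAlgorithm.FriendlyName   # e.g. 'sha1RSA' or 'sha256RSA'
        [pscustomobject]@{
            Subject        = $Certificate.Subject
            Issuer         = $Certificate.Issuer
            NotAfter       = $Certificate.NotAfter
            Algorithm      = $alg
            Thumbprint     = $Certificate.Thumbprint
            # SHA-1 (and MD5) signatures are what the Certificate Manager migration replaces
            NeedsMigration = [bool]($alg -match '^(sha1|md5)')
        }
    }
}

function Get-EpoConsoleCertificate {
    [CmdletBinding()]
    param(
        [string]$Server = 'epo.example.local',   # assumption: placeholder host name
        [int]$Port      = 8443                   # console port default from the slides
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept whatever the server presents: the goal is to inspect the certificate, not to trust it
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Server)
        # Copy the leaf certificate out before the stream is torn down
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-CertificateFromFile {
    # Exported certificates (for example the root certificate imported after first login) are checked the same way
    param([Parameter(Mandatory)][string]$Path)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $Path).Path)
}

# Usage with placeholders: the live console certificate, then an exported .cer file
Get-EpoConsoleCertificate -Server 'epo.example.local' | Get-CertificateSignatureReport | Format-List
# Get-CertificateFromFile -Path 'C:\temp\epo-root.cer' | Get-CertificateSignatureReport | Format-List
```

Only the leaf certificate is returned by the TLS handshake; run the file variant against the exported root CA certificate to check the issuing chain as well.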



Using Certificate Manager

Click Regenerate Certificate, then click OK


1. Log on as an administrator, then click Menu > Configuration > Certificate Manager. The Certificate Manager
page provides information about the installed Root Certificate, Agent Handler certificates, server certificates,
and other certificates that are derived from McAfee ePO root Certificate Authority (CA).
2. Click Regenerate Certificate, then click OK to confirm the certificate generation. The McAfee ePO root CA and
other certificates that are derived from the root CA are regenerated and stored in a temporary location on the
server. The time required to complete the regeneration process depends on the number of Agent Handlers
and extensions that derive certificates from the McAfee ePO root CA.
3. After the certificates regenerate, wait for sufficient saturation of the new certificates throughout your
environment. As agents communicate with the McAfee ePO server, they are given the new certificate. The
percentage of agents that have received the newly generated certificates is provided in the Certificate
Manager under Product: Agent Handler > Status. This distribution percentage is based on the number of
agent-server communications that have occurred since the certificates were regenerated. Unmanaged inactive
systems will affect this percentage.
Note: Make sure that the distribution percentage is as close to 100% as possible before you continue.
Otherwise, any pending systems will not receive the newly generated certificates and will be unable to
communicate with McAfee ePO after the certificates are activated. You can stay in this state for as long as is
necessary to achieve sufficient saturation.
4. Once you've achieved a distribution percentage close to 100%, click Activate Certificates to carry out all
future operations using the new certificates. A backup of the original certificates is created, and a message
appears.



Activation of the new Root Certificate
Saturation is the key

IMPORTANT
Before activation of the newly
generated certificate, all endpoints
need to have communicated with ePO
to receive the updated certificate.
See KB87107 for additional details.


Using Certificate Manager (continued)

5. Click OK. You must reinstall any agents that still use the old certificates to restore agent-to-server communication.
6. Once activation of certificates is complete, perform these steps:
a. Stop the Agent Handler services (including the Remote Agent Handler services).
b. Restart the McAfee ePO services.
c. Start the Agent Handler services.
7. Monitor your environment and make sure that your agents are successfully communicating. You can cancel the
migration at this point to roll back the certificate and restore agent-to-server communication.
However, after you've completed the next step, you can no longer cancel the certificate migration.
8. Click Finish Migration to complete the certificate migration. The certificate backup, taken during activation, is deleted.

For any issues during the migration, click Cancel Migration to revert to the previous certificates. If you cancel the
migration, stop the Agent Handler services, restart the McAfee ePO service, and start the Agent Handler service again. You
can start the certificate migration again after fixing any issues.



Review
Key points

√ There are different options when installing ePO software for the first time: normal,
cluster, and FIPS mode

√ You will need to use a SQL Server as the ePO database
Launch SQL Server Configuration Manager, and verify the following before installing ePO
 Verify that the SQL Server service is running. For instructions, see the Microsoft product documentation
 Verify TCP/IP is enabled

√ Follow best practices for installing ePO software

√ The Pre-Installation Auditor now runs automatically as part of the installation process to
validate that your existing configuration is ready for the upgrade

√ After the installation is complete, connect to the ePO server and verify the ePO console is
accessible


This slide highlights key points of this module.



Lab exercises
Lab: Login to and navigate the ePO Interface

 Goals:
 Log in to and navigate ePO interface
 Identify ports in use on the ePO server
 Duration: 15 minutes
 See the lab guide for instructions


See the lab guide for instructions.



McAfee and the McAfee logo, and McAfee® ePolicy Orchestrator® (McAfee® ePO™) are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others. Copyright © 2019 McAfee LLC

McAfee Confidential. McAfee restricts the re-distribution of this training material to unauthorized audiences.
