Ten Things You Need to Know About McAfee ePO

Whether you’re new to ePolicy Orchestrator (ePO) or a seasoned pro, you may not know all the ins and outs of this security management software. Here are ten things you need to know — directly from our ePO Support engineers.

1. The Components that Make up ePO

ePO is composed of three server-side services and a Microsoft SQL database, each of which serves a different purpose:

• The Application Server Service, or Tomcat, is responsible for displaying the ePO console GUI and running extensions as well as other background functions
• The Event Parser Service takes events uploaded from clients in your environment and parses them into the SQL database
• The Server Service, or Apache, processes and receives all Agent-Server communication in the environment

It is important to note that all three services require and depend on a constant, high-speed connection to the SQL database. See KB81641, "Description and primary log locations for the ePO services," for the primary log locations.

2. Remotely Deploy McAfee Agent to Clients

Agent deployment is the first step to managing systems and installing McAfee products on your endpoints. The deployment process is primarily based on Windows file sharing: first an executable file is placed on the system’s admin$ share and then executed remotely utilizing the Remote Registry service.

For this process to complete, first verify that all environmental requirements are met. For more information, check KB56386, "Environmental requirements for agent deployment from the ePO 4.x server."

3. Create a plan to Regularly Back Up ePO Servers and SQL Databases

As with any mission-critical software, it is important to keep regular backups on hand in the event of a disaster. KB66616, "ePO server backup and disaster recovery procedure," contains information on how and what to back up, along with information on how to restore from the backups in the event of a critical ePO problem.

In ePO 5.x and up, it is also possible to utilize the new Disaster Recovery Snapshot functionality — this simplifies the process by storing the ePO files within the database. If your Disaster Recovery Snapshot Server Task is running regularly (recommended nightly) it is only necessary to schedule database backups, cutting your work in half.

4. Db Connectivity and Core/Config

Several symptoms can indicate that the ePO services are unable to connect to the database (the most common reasons for this are a changed SQL password or a changed SQL port). The Event Parser service is particularly sensitive to database connectivity issues. If you find that the Event Parser service has stopped and is unable to start, it is most likely that the database connection has been broken.

To restore the connection, use ePO’s built-in database configuration page. To access this configuration page, add “core/config” to the end of your normal ePO console URL. For example, https://localhost:8443/core/config. From here, it is important to input your database connection credentials and information and test the connection before saving the changes and restarting the ePO services. For more information, reference KB69850, "Unable to log on to the ePO 4.x console (issue: Wrong password in account used to log on to SQL)."

5. Avoid Configuring Product Deployment Client Tasks to “Run at Every Policy Enforcement”

As discussed previously, this option will force Agents to invoke these tasks every five minutes by default — which commonly leads to performance issues on the ePO server. Additionally, if “run at every policy enforcement” is set for a large number of systems in the environment, this can quickly lead to the ePO server reaching a max-connection state in which some or most Agent-Server communication will be rejected.

See KB80060, "Deployment tasks configured to 'Run at every policy enforcement' lead to max connections in ePO (Agent to server communication fails)," for additional information.

6. Hardware Sizing and Bandwidth

McAfee has performed tests on different server-class systems to help users determine the hardware requirements for ePO. PD23282, "ePO Hardware Sizing and Bandwidth Usage Guide," has information on how to calculate hardware requirements, bandwidth usage, and database sizing.

7. Update Point Product Extensions when Updating Client-Side Point Product Package

It’s easy to miss updating the point product extension when upgrading the point product on the client side. However, this can cause a variety of issues, including the client not reporting the correct point product information back to the ePO server, point product events from that client failing to be parsed, and newly created client tasks for point products failing to invoke on the client.

Point product extensions are almost always backwards compatible with the point product package version on the client, so there is typically no impact on the client side from upgrading your server-side extension. As with any change on the server side, please be sure to take a backup of your ePO server and database before making a change to your extensions (see Must Know #1). Please also read the product documentation, including the Release Notes, before upgrading your extension. For more information, see p. 195 of PD24808, "ePO 5.1 Product Guide."

8. Keep performance in mind when configuring Automatic Responses

Configuring your Automatic Responses correctly is vital to maintaining good ePO server performance. If your Automatic Response is configured to trigger on every event, without aggregation, for an Event ID that you typically already have many of in ePO, the Application Server Service (Tomcat) will be overwhelmed trying to process all the automatic responses.

This can lead to unresponsiveness, out-of-memory errors in your ePO server, or just very slow console GUI responsiveness. Please see KB81642, "Automatic Responses and ePO Performance," or PD24808, "ePO 5.1 Product Guide," for more information.

9. Connecting to the ePO server over a VPN Connection

ePO depends partly on a computer’s MAC address information in order to identify the machine as either a new unique system or a node which already exists within the System Tree. Machines communicating over a VPN connection will often report the MAC address of the VPN itself, which is likely the same across all machines utilizing that same VPN.

For this reason, it is necessary to add the Vendor ID (first six digits of the MAC address) to ePO’s ePOVirtualMacVendor table within the SQL database. Once this is in place, the MAC address will still be reported to ePO; however, MACs matching the one inserted will no longer be used for matching purposes.

For information on the SQL query necessary to insert the value, please see KB52949, "Clients communicating with ePO 4.6/4.5/4.0 via VPN disappear from ePO tree."
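The following is an added example, not McAfee code and not part of the original article: it scans an exported list of system names and reported MAC addresses for a MAC shared by several systems, then derives the Vendor ID that would be a candidate for ePOVirtualMacVendor. The inventory, the function names, and the simplified matching model (MAC first, system name as fallback) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export: (system name, MAC address as reported).
SAMPLE_INVENTORY = [
    ("LAPTOP-01", "02:AA:BB:CC:DD:01"),   # three laptops on the same VPN
    ("LAPTOP-02", "02-aa-bb-cc-dd-01"),   # adapter report one identical MAC
    ("LAPTOP-03", "02AABBCCDD01"),
    ("DESKTOP-10", "3C:52:82:11:22:33"),
    ("DESKTOP-11", "3C:52:82:44:55:66"),
    ("LAPTOP-01", "02:AA:BB:CC:DD:01"),   # repeat check-in, same system
    ("KIOSK-07", "not-a-mac"),            # malformed value, ignored
]

def normalize_mac(raw):
    """Return 12 uppercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[:\-.]", "", raw.strip())
    return digits.upper() if re.fullmatch(r"[0-9A-Fa-f]{12}", digits) else None

def shared_macs(inventory, min_systems=2):
    """Map each MAC reported by at least min_systems distinct systems to their names."""
    seen = defaultdict(set)
    for name, raw in inventory:
        mac = normalize_mac(raw)
        if mac:
            seen[mac].add(name)
    return {m: sorted(n) for m, n in seen.items() if len(n) >= min_systems}

def candidate_vendor_ids(inventory, min_systems=2):
    """Vendor IDs (first six hex digits) of shared MACs, with affected systems."""
    out = defaultdict(set)
    for mac, names in shared_macs(inventory, min_systems).items():
        out[mac[:6]].update(names)
    return {vendor: sorted(names) for vendor, names in out.items()}

def system_tree_nodes(inventory, excluded_vendor_ids=frozenset()):
    """Simplified model (assumption): match on MAC unless its Vendor ID is
    excluded or the MAC is invalid, in which case fall back to the name."""
    nodes = set()
    for name, raw in inventory:
        mac = normalize_mac(raw)
        if mac and mac[:6] not in excluded_vendor_ids:
            nodes.add(("mac", mac))
        else:
            nodes.add(("name", name))
    return len(nodes)

if __name__ == "__main__":
    print(candidate_vendor_ids(SAMPLE_INVENTORY))
    print(system_tree_nodes(SAMPLE_INVENTORY), "nodes when matching on every MAC")
    print(system_tree_nodes(SAMPLE_INVENTORY, {"02AABB"}), "nodes with the Vendor ID excluded")
```

Confirm that a flagged Vendor ID really belongs to a virtual VPN adapter before excluding it, since excluding the prefix of a physical NIC vendor removes MAC matching for every system that uses that hardware.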

10. Documents to review before Upgrading

To help ensure a successful upgrade of your ePO server, our Support Engineers recommend reviewing KB71825, "ePO 4.x installation/patch upgrade checklist for known issues," and the ePO Release Notes and Known Issue KB articles related to your specific release. These can be found on the McAfee ServicePortal.

