Installation Guide McAfee Public Cloud Server Security Suite

Uploaded by trandang, 13-Feb-2017


COPYRIGHT

© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Introduction
  McAfee Public Cloud Server Security suite

2 Installation of Cloud Workload Discovery
  Cloud Workload Discovery packages and McAfee suites
  Requirements
  Installing the Cloud Workload Discovery extension
    Download and install the extension manually
    Install the extension through Software Manager
    Upgrading the extension from your previous versions
    Extension list on McAfee ePO
  Uninstall the extensions
  Configuring your security products and viewing reports

3 Launching the PCS suite AMI
  Products in PCS suite AMI
  Launch the PCS suite AMI
  Configure and deploy McAfee security products
  Verifying McAfee security products

4 Operating system support for McAfee products

5 Best practices: Using McAfee ePO and Cloud Workload Discovery with AWS
  How McAfee ePO server and clients communicate
  Managing AWS clients using McAfee ePO installed on AWS
    Managing instances in one geographic region
    Managing instances in one geographic region with one VPC
    One geographic region deployment with multiple VPCs
    Multiple geographic region deployment
    Set up McAfee ePO and client communication
  Managing AWS clients using McAfee ePO installed on-premise
    Set up McAfee ePO and client communication
  Using Cloud Workload Discovery
  Deploying McAfee security products on AWS cloud
    Deploy McAfee Agent on AWS instances using AMIs

6 Use DevOps scripts to deploy McAfee products
  Using Chef
  Using Puppet
  Using Amazon OpsWorks
  Using AWS UserData for McAfee Agent deployment

Index

1 Introduction

This document explains the McAfee® Public Cloud Server Security (PCS) suite and provides guidelines for installing the Cloud Workload Discovery extension on McAfee® ePolicy Orchestrator® (McAfee ePO™).

McAfee Public Cloud Server Security suite

The PCS suite includes McAfee ePO and a set of extensions for managed products that install on the McAfee ePO server. This suite was specifically designed to provide in one package all the products to manage and secure a cloud environment.

• McAfee ePO

• McAfee Agent

• Cloud Workload Discovery for public cloud

• McAfee® Firewall for Linux

• McAfee® VirusScan Enterprise

• McAfee® VirusScan Enterprise for Linux

• McAfee® Host Intrusion Prevention

• McAfee® Application Control

• McAfee® Change Control

• McAfee® Deep Command Discovery and Reporting

• McAfee® Data Exchange Layer

• McAfee® Rogue System Detection

For information about each of these products in this suite, see their product guides.

2 Installation of Cloud Workload Discovery

Install the Cloud Workload Security extension on the McAfee ePO server and deploy and configure your McAfee products.

Contents

• Cloud Workload Discovery packages and McAfee suites

• Requirements

• Installing the Cloud Workload Discovery extension

• Uninstall the extensions

• Configuring your security products and viewing reports

Cloud Workload Discovery packages and McAfee suites

Cloud Workload Discovery is packaged in public, hybrid, and private variants to support different cloud vendor accounts.

Table 2-1 Cloud Workload Discovery packages

| Cloud Workload Discovery variant | Support for vendor accounts | Package name |
| --- | --- | --- |
| Cloud Workload Discovery for Private cloud | VMware, OpenStack | Cloud_Workload_Discovery_Private_4.5.0 |
| Cloud Workload Discovery for Hybrid cloud | VMware, OpenStack, AWS, Microsoft Azure, and Microsoft Azure classic | Cloud_Workload_Discovery_Hybrid_4.5.0 |
| Cloud Workload Discovery for Public cloud | AWS, Microsoft Azure, and Microsoft Azure classic | Cloud_Workload_Discovery_Public_4.5.0 |

Table 2-2 McAfee suites

| Suite | Cloud Workload Discovery package |
| --- | --- |
| McAfee Public Cloud Server Security Suite | Cloud Workload Discovery for Public cloud |
| McAfee Server Security Suite Advanced | Cloud Workload Discovery for Hybrid cloud |
| McAfee Server Security Suite Essentials | Cloud Workload Discovery for Hybrid cloud |
| McAfee MOVE AntiVirus for Virtual Servers | Cloud Workload Discovery for Private cloud |
| McAfee Security Suite for Virtual Desktop Infrastructure | Cloud Workload Discovery for Private cloud |
| McAfee MOVE AntiVirus for Virtual Desktops | Cloud Workload Discovery for Private cloud |

Requirements

To install the Cloud Workload Discovery extension, make sure that your environment meets these requirements.

| Component | Version |
| --- | --- |
| McAfee ePO | 5.1.3, 5.3.1, and 5.3.2 |
| McAfee Agent | 5.X.0 and higher |
| Browser | Internet Explorer 10, 11 and Edge; Mozilla Firefox 40 and higher; Google Chrome 54.0 and higher |
| Amazon Web Services account | |
| Microsoft Azure account | |
| VMware vCenter account | |

Installing the Cloud Workload Discovery extension

You can install the Cloud Workload Discovery extension with the Software Manager utility on McAfee ePO, or by manually downloading and installing the extension from the McAfee download site.

Download and install the extension manually

Download and install the Public Cloud Security package on the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 From the McAfee download site (http://www.mcafee.com/us/downloads/), use your grant number and click McAfee Public Cloud Server Security suite or any other suite you have bought.

2 From the products listed, select and download Common UI 1.3 and your Cloud Workload Discovery variant.

3 Log on to the McAfee ePO server as an administrator.

4 Select Menu | Software | Extensions | Install Extension.

5 Browse to and select the extension file, then click OK.

Install Common UI 1.3 first, then install Cloud Workload Discovery.

The Install Extension page displays the extension names and version details.

The Cloud Workload Discovery extension is installed.

Install the extension through Software Manager

Use McAfee ePO Software Manager to install the Cloud Workload Discovery extension.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software, then click Software Manager.

3 Under Software (by Label) | Messaging & Web Security, select Common UI 1.3, then click Check In All.

4 Under Software (by Label) | Endpoint Security, select your Cloud Workload Discovery 4.5 variant, then click Check In All.

The Cloud Workload Discovery extension is installed through the Software Manager.

Upgrading the extension from your previous versions

Upgrade from the previous versions 3.6.1 and 4.0.0 to the new version 4.5.0 is supported.

Before upgrading the extension from 3.6.1 to 4.5.0:

1 Remove the Assurance Information Module Linux client from the Master Repository. For details, see Configure a deployment task for Linux group of systems.

2 If you upgraded without this step, you can remove the Assurance Information Module from the Linux clients by manually running this command on all your Linux systems:

bash /opt/McAfee/McAIM/uninstall

You can also use a utility for installing the Linux clients automatically. For details, see KB87516.

3 After the upgrade, the Microsoft Azure connector from your earlier versions is called Microsoft Azure Classic connector.

4 After the upgrade, for your AWS accounts, you can enable traffic discovery to discover and view traffic flow logs for your instances.

When upgrading from 4.0.0 to 4.5.0, your previous policies, policy settings, and policy assignments are lost, because the policy structure has changed in the latest version.

Configure a deployment task for Linux group of systems

Create a deployment task to remove the Assurance Information Module Linux client from target systems in the System Tree.

Task

For details about product features, usage, and best practices, click ? or Help.

1 From the System Tree, select the Assigned Client Tasks tab.

2 Select Actions | New Client Task Assignment.

3 Select Product as McAfee Agent and Task Type as Product Deployment.

4 Enter a name for your task and click Create New Task.

5 Select Target Platforms as Linux, Products and Components as Assurance Information Module 2.0.0.595, and Action as Remove.

6 Click Save.

Enable traffic discovery

After upgrading your Cloud Workload Discovery extension, enable traffic discovery for your AWS cloud accounts to view IP traffic flows.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts.

3 On the Registered Cloud Accounts page, select your AWS account and click View & Edit from Actions.

4 On the AWS Account Details page, select Enable Traffic Discovery.

5 Click Save.

Extension list on McAfee ePO

After installing the Cloud Workload Discovery extension, you can see these extensions by selecting Menu | Extensions | McAfee | Data Center Security.

• AWS Connector

• Azure Connector

• Azure Classic Connector

• vSphere Connector

• OpenStack Connector

• Data Center Assessment

• Data Center Metering

• Data Center Visualization

• Data Protection for Cloud

• MDCC

Uninstall the extensions

Uninstall and remove the software extensions from the McAfee ePO server.

Best Practice: Delete your cloud account from the McAfee ePO server by selecting Menu | Configuration | Registered Cloud Accounts, then selecting Actions | Delete.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 In the left pane, select the Data Center Security group, then select the extensions in this order and click Remove:

  1 Data Center Visualization
  2 Data Center Assessment
  3 Data Protection for Cloud
  4 AWS Connector
  5 Azure Connector
  6 Azure Classic Connector
  7 vSphere Connector
  8 OpenStack Connector
  9 Data Center Metering
  10 MDCC

Configuring your security products and viewing reports

After installing the Cloud Workload Discovery extension, complete these tasks to configure the products in the software extension on your McAfee ePO server.

1 Register your AWS cloud account with McAfee ePO, so that McAfee ePO discovers, imports, assesses, and displays your cloud account information. For details, see Cloud Workload Discovery Product Guide.

2 Register your Microsoft Azure cloud account with McAfee ePO, so that McAfee ePO discovers, imports, assesses, and displays your cloud account information. For details, see Cloud Workload Discovery Product Guide.

3 Register your VMware vCenter account with McAfee ePO, so that McAfee ePO discovers, imports, assesses, and displays your cloud account information. For details, see Cloud Workload Discovery Product Guide.

4 Configure your firewall policies in Policy Catalog and assign them to the required systems.

5 After configuring and registering the cloud accounts with McAfee ePO, you can view your cloud account information from Menu | Systems | Cloud Workload Discovery. This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure assets and their hierarchy. The left Issues pane highlights any immediate issues or violations in your firewall settings or your IP traffic settings.

6 After visualizing the cloud account structure and seeing which systems are at risk, you can activate any missing protection with a few clicks.

• Manage your instances by installing McAfee Agent.

• Install other McAfee products on your instances. For details, see Activate missing protection with few clicks in Cloud Workload Discovery Product Guide.

7 Secure the instances in your network by correcting your firewall settings. For details, see Remediation in Cloud Workload Discovery Product Guide.

8 You can see the encryption status of your AWS volumes in the Cloud Workload Discovery dashboard.

9 To encrypt volumes, deploy McAfee Data Protection for Cloud to your managed systems with the product deployment client task. For details, see Deploy Data Protection to the client system in the McAfee Data Protection for Cloud Product Guide.

10 Select Data Protection for Cloud to see that it displays all zones from your registered AWS cloud account. You can encrypt volumes from here. For details, see Performing encryption in McAfee Data Protection for Cloud Product Guide.

11 Track the usage of AWS and Microsoft Azure cloud VMs using the metering feature. You can get a monthly report of your usage hours for your cloud instances. You can also create custom queries to display this information. For details, see Cloud Workload Discovery Product Guide.

12 Select Dashboard | Public Cloud to see the security summary of your EC2 instances and EBS volumes. You can also see details about Data Centers, OS Distribution, Anti-Malware Status, Security Incidents, Host Firewall Status, File Integrity Monitoring Status, Data Protection Per Cloud VM, Instance Assessment Report, and Usage Metering Report. For details, see Dashboards and monitors in Cloud Workload Discovery Product Guide.

3 Launching the PCS suite AMI

You can use the McAfee Public Cloud Server Security Suite (PCS) AMI from the AWS Marketplace to launch McAfee ePO with all the PCS products to secure your cloud instances.

Contents

• Products in PCS suite AMI

• Launch the PCS suite AMI

• Configure and deploy McAfee security products

• Verifying McAfee security products

Products in PCS suite AMI

Launch this AMI to have your McAfee ePO server set up with these McAfee products, preconfigured with policies and tasks.

• McAfee ePO 5.3.2

• McAfee Agent 5.0.3

• Cloud Workload Discovery 4.5.0

• McAfee Data Protection for Cloud 4.5.0

• Cloud Usage Metering 4.0.0

• McAfee VirusScan Enterprise 8.8 patch 7

• McAfee VirusScan Enterprise for Linux 1.9.2

• McAfee VirusScan Enterprise for Linux 2.0.3

• McAfee Host Intrusion Prevention for Servers 8.0 patch 7

• McAfee Host Intrusion Prevention for Linux 8.0 patch 8

• McAfee Firewall for Linux 8.0.0

• McAfee Application Control 6.2.0 (for Windows)

• McAfee Application Control 6.1.7 (for Linux)

• McAfee Change Control 6.2.0 (for Windows)

• McAfee Change Control 6.1.7 (for Linux)

This AMI makes the McAfee ePO deployment process simple. It also includes the Common UI 1.3 extension.

This is a bring-your-own-license PCS AMI with a 30-day trial.

Launch the PCS suite AMI

Launch McAfee ePO preconfigured with McAfee security products.

Before you begin

You must have power user permissions for the EC2 (Elastic Compute Cloud) and EBS (Elastic Block Store) web services.

Task

1 From the AWS Marketplace, select McAfee Public Cloud Server Security Suite (PCS) AMI, then select Launch.

2 On the Choose an instance type screen, select the hardware configuration.

For McAfee ePO, the recommended minimum is instance type m4.large with 2 vCPUs and a minimum of 7.5 GB of memory.

3 Click Next: Configure Instance Details and specify any configuration details.

4 Click Next: Add Storage and specify any storage details. We recommend General Purpose SSD for Volume Type.

5 Click Next: Tag Instance and specify a tag for your instance.

6 Click Next: Configure Security Group. We recommend that you leave the default settings. Ports 8443 and 80 must be available for McAfee ePO.

To create a more restrictive Security Group, see the product guide for your version of McAfee ePO for port configuration specifications.

7 Click Launch.

8 In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair to select a key pair that you already created, or create a new key pair.

9 Select the acknowledgment checkbox, then click Launch Instances.

It can take approximately 45 minutes to launch McAfee ePO.

A confirmation page lets you know that your instance is launching. Click View Instances to close the confirmation page and return to the console.

10 From Instances, right-click the instance and select Instance Settings | Get System Log.

The system log shows the success or failure messages of launching your instance. The system log also shows the URL and credentials for your McAfee ePO account.

If there are failures, you can contact us through this group: https://community.mcafee.com/groups/pcs.

The system log shows this message after the McAfee ePO installation is complete:

McAfee-ePO has been installed successfully. The ePO admin console password is xxxxxxxxxx. Login to ePO via the url https://<public-ip>:8443 with a user of admin and the password mentioned above.

11 To log on to McAfee ePO, open a web browser and type https://<McAfee ePO IP address>:8443. The default user name is Admin and the password is specified in the system log.

The password specified in the system log is the password for the McAfee ePO admin console and also for the SQL database. The default SQL authentication user is sa.

You must change the McAfee ePO admin console and the SQL database passwords. See the McAfee ePO product guide to change the admin console password. See the Microsoft SQL documentation to change the default database password.

12 Update the configuration file using the link https://<McAfee ePO IP address>:8443/core/config with the new SQL database password. This makes sure that the McAfee ePO server connects to the database.

Configure and deploy McAfee security products

Configure security products on your McAfee ePO server. Register your cloud accounts, encrypt volumes, and view reports for your systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Install the extension for McAfee Host Intrusion Prevention for Servers on your McAfee ePO server. This extension, McAfee_HostIPS_Extension_924, is available on the desktop of your instance. You can remotely log on to your instance and install this extension.

2 Install hotfix 1063194 for the McAfee ePO server. The files for this hotfix and the installation instructions are available in the folder EPOHF1063194 on the desktop of your instance. You can remotely log on to your instance and install this hotfix.

3 Log on to the McAfee ePO server as an administrator.

4 Select Menu | Software | Extensions | Install Extension, then browse to and select McAfee_HostIPS_Extension_924. Click OK.

Your McAfee Host Intrusion Prevention for Servers extension is installed on the McAfee ePO server.

5 Register your cloud account and discover your AWS cloud assets. Select Menu | Configuration | Registered Cloud Accounts and register your AWS account. For details, see Cloud Workload Discovery Product Guide.

6 Select Menu | Systems | Cloud Workload Discovery to view your cloud asset information. This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure assets and their hierarchy. The left Issues pane highlights any immediate issues or violations in your firewall settings or your IP traffic settings.

7 Secure the instances in your network by correcting your firewall settings. For details, see Remediation in Cloud Workload Discovery Product Guide.

8 Download and install McAfee Agent on the systems that you want to secure. For details, see the McAfee Agent product guide.

If you have Active Directory available in your cloud, you can install McAfee Agent on your instances while you register your AWS cloud account. For details, see Register AWS account in Cloud Workload Discovery Product Guide.

Systems are changed to Managed in the System Tree.

9 To deploy the PCS suite products to your group of systems, select Menu | Policy | Client Task Catalog. Select Deploy PCS-Windows or Deploy PCS-Linux.

For example, you can deploy PCS suite products to your AWS group of systems. All McAfee products in the PCS suite are installed on all the systems in this group.

10 Select Data Protection for Cloud to see that it displays all zones from your registered AWS cloud account. You can encrypt volumes from here. For details, see Performing encryption in McAfee Data Protection for Cloud Product Guide.

11 From Volume Tree, select Data Protection for Cloud to see the encryption status of EBS volumes. For details, see McAfee Data Protection for Cloud Product Guide.

12 Select Dashboard | Public Cloud to see the security summary of your EC2 instances and EBS volumes. Your instances are now protected with anti-virus, anti-malware, intrusion prevention, and file integrity monitoring.

The dashboard is automatically updated to reflect the detailed security posture of new instances as they are launched on AWS. If the dashboard shows green on all charts, your instances and volumes are fully protected from threats. For details about the dashboard, see Dashboards and monitors in Cloud Workload Discovery Product Guide. For details about EBS volumes, see McAfee Data Protection for Cloud Product Guide.

Verifying McAfee security products

Verify that McAfee security products are installed correctly on your McAfee ePO instance so that your systems are secure.

• To test anti-virus: run the Eicar test on the endpoint and verify that the file is blocked. For details about Eicar, see http://www.eicar.org/86-0-Intended-use.html.

• To test McAfee Data Protection for Cloud: from the Volume Tree, select a volume that is not encrypted and select the Encrypt action. You can see that the volume gets encrypted.

• To test McAfee Host Firewall for Linux: check the status on the client by using this command:

/opt/McAfee/mfw/bin/mfw --fw status

If the application is installed, the status is shown as Enabled or Disabled.

• To test File Integrity Monitoring status: make a change to the hosts file to see that the change is reported on the McAfee ePO server.
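The two client-side checks in this guide that run on a Linux instance, the `mfw --fw status` query above and the leftover Assurance Information Module uninstaller from the upgrade chapter, can be scripted so that a fleet inventory job records them instead of an administrator running them by hand. The following is an added example, not McAfee's own tooling: it uses only the two paths the guide gives, assumes that the firewall status text contains the word Enabled or Disabled (the exact line format is not documented, so that is an assumption), and reports not-installed rather than failing when the binary is absent. The `root` parameter is a hypothetical convenience so the same functions can be pointed at a mounted image or a test directory.

```python
import os
import re
import subprocess

# Paths taken from the guide; everything else in this example is assumed.
MFW_BINARY = "/opt/McAfee/mfw/bin/mfw"           # McAfee Firewall for Linux CLI
AIM_UNINSTALLER = "/opt/McAfee/McAIM/uninstall"  # pre-4.5.0 Assurance Information Module client


def classify_fw_status(output):
    """Reduce the text printed by `mfw --fw status` to enabled / disabled / unknown.

    The guide only says the status is shown as Enabled or Disabled, so the match
    is on whole words, case-insensitively; empty output or an error string maps
    to unknown so a broken install is not mistaken for a disabled firewall.
    """
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", output)}
    if "enabled" in words:
        return "enabled"
    if "disabled" in words:
        return "disabled"
    return "unknown"


def host_firewall_status(root="/", run=subprocess.run):
    """Return not-installed / enabled / disabled / unknown for the host firewall.

    `run` is injectable so the query can be simulated where the product is absent.
    """
    binary = os.path.join(root, MFW_BINARY.lstrip("/"))
    if not os.path.isfile(binary):
        return "not-installed"
    try:
        result = run([binary, "--fw", "status"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify_fw_status((result.stdout or "") + (result.stderr or ""))


def leftover_aim_client(root="/"):
    """True when the Assurance Information Module client the upgrade chapter
    says to remove is still present on this system."""
    return os.path.isfile(os.path.join(root, AIM_UNINSTALLER.lstrip("/")))


def verification_report(root="/", run=subprocess.run):
    """Both checks in one record, suitable for shipping to an inventory system."""
    return {
        "host_firewall": host_firewall_status(root, run),
        "aim_client_leftover": leftover_aim_client(root),
    }


if __name__ == "__main__":
    print(verification_report())
```

Run as root on a managed Linux instance, the script prints one dictionary; anything other than `enabled` for `host_firewall`, or `True` for `aim_client_leftover`, is a finding to act on using the procedures in this guide.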


4 Operating system support for McAfee products

These are the supported operating systems for the products in the PCS suite. The support table has one column per product: VSE/ENS, Host Firewall, Host Intrusion Prevention, Application Control, Change Control, and Data Protection for Cloud. The per-product support marks are not recoverable from this copy; the rows, with the exceptions noted in them, are:

Windows

• Windows 2016

• Windows 2008/R2

• Windows 2012/R2

Linux (64-bit)

• RHEL 6 and variants (CentOS, Oracle EL, Amazon Linux); exceptions noted in the row: except OEL (one product), except Amazon Linux (two products)

• RHEL 7 and variants (CentOS, Oracle EL, Amazon Linux); exceptions noted in the row: SP1, except OEL (one product), except Amazon Linux (two products)

• SLES 11 SP2

• SLES 12

• Ubuntu Server 12.04

• Ubuntu Server 14.04

• Ubuntu Server 15.10

• Ubuntu Server 16.04

• See KB84007 for details about RHEL 6 support for McAfee Data Protection for Cloud.

• See KB51109 for details about supported environments for different products.

5 Best practices: Using McAfee ePO and Cloud Workload Discovery with AWS

To secure endpoints or assets on AWS, install McAfee ePO in an AWS environment or a hybrid cloud environment.

Contents

• How McAfee ePO server and clients communicate

• Managing AWS clients using McAfee ePO installed on AWS

• Managing AWS clients using McAfee ePO installed on-premise

• Using Cloud Workload Discovery

• Deploying McAfee security products on AWS cloud

How McAfee ePO server and clients communicate

McAfee ePO is deployed on-premise or in the cloud.

McAfee ePO communicates with client systems across networks in these ways:

• Client-initiated communication — McAfee Agent is installed on each client system. It periodically connects to the McAfee ePO server to check for updates such as new policy information, assigned tasks, and product updates. For client systems to connect to McAfee ePO:

  • Client systems must have outbound access to McAfee ePO.

  • The McAfee ePO server must have inbound access on TCP ports 80 and 443.

TCP ports 80 and 443 are the default ports used for communication between McAfee ePO and McAfee Agent. You can change the ports while installing McAfee ePO.

• McAfee ePO server-initiated communication — McAfee ePO can wake up client systems and force them to pull down the latest security content. For McAfee ePO to connect to the client systems:

  • McAfee ePO must have outbound access to client systems.

  • Client instances must have inbound access on port 8081.

The AWS Security Group must allow this communication. For details about port requirements, see KB66797.

Managing AWS clients using McAfee ePO installed on AWS

To manage client systems outside your organization's network, install McAfee ePO on an AWS instance with a compatible operating system.

For information about compatible operating systems, see KB51569.

To manage client instances in the AWS cloud, McAfee ePO can be deployed:

• In one geographic region

• In one geographic region with one Amazon Virtual Private Cloud (VPC)

• In one geographic region with multiple Amazon VPCs

• In multiple geographic regions

Managing instances in one geographic region

McAfee ePO can be installed to manage instances in one geographic region with multiple availability zones.

This type of deployment supports client-initiated and McAfee ePO server-initiated communication. You must create a separate AWS security group for McAfee ePO that allows outbound connections to client instances (server-initiated communication) and inbound connections (agent-initiated communication). Once you deploy McAfee ePO, you can view the available systems in the System Tree under AWS.

Managing instances in one geographic region with one VPC

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

In one geographic region with a single VPC, each instance that you launch in a non-default subnet has a private IP address. When you install McAfee ePO in the VPC, client instances in the same VPC communicate with the McAfee ePO server or with other instances across the private network. For information about VPCs and subnets, see the AWS documentation.

One geographic region deployment with multiple VPCsWhen multiple VPCs are present in one geographic region, you can use VPC peering to connect theVPCs.

For information about VPC peering and setting one VPC as private and another VPC as public, see AWS documentation.

When you configure VPC peering, the McAfee ePO server and client instances communicate via the private network. VPC peering supports client-initiated and McAfee ePO server-initiated communication.

You can configure VPC routes to restrict communication between VPCs only to McAfee ePO and client instances if other applications do not require VPC peering on the same infrastructure.

Set up VPC peering for McAfee ePO server and client communication wherever possible.

Multiple geographic region deployment

In a multiple geographic region deployment, you can use an architecture where client instances connect to McAfee ePO using a public IP address via the Internet.

Use this architecture if:

• Your organization uses multiple regions with multiple VPCs

• You can't use VPC peering to connect multiple VPCs in a region

This architecture supports only client-initiated communication. To use this architecture:


• All client instances must have outbound access to McAfee ePO. Configure the AWS security groups accordingly.

• The AWS security group of the McAfee ePO server must be configured to accept communication from the client instances.

Set the agent-server communication interval to 60 minutes so that client instances can get product, policy, and task updates frequently without affecting performance.
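The security-group requirements stated in this chapter come in two shapes: on a private network (one VPC, or VPCs joined by peering) the McAfee ePO group must accept agent-initiated connections from the client group and reach the clients for server-initiated wake-up, while in the Internet-facing multi-region architecture only client-initiated traffic exists and the ePO group should accept connections only from the clients' known source ranges. The script below plans the minimal rule set for either shape and audits an existing rule list for ingress that is broader than the plan needs. It is an added example, not McAfee or AWS code; the port numbers are assumed ePO defaults that must be confirmed against KB66797, and the security-group ids and addresses are placeholders.

```python
"""Least-privilege security-group plan for McAfee ePO and its AWS clients.

Added example for this guide; it is not McAfee or AWS code. Port numbers
are assumed ePO defaults (agent-server communication on 443, agent
wake-up on 8081) and must be checked against KB66797 for your version.
"""
import ipaddress
from dataclasses import dataclass, field

AGENT_SERVER_PORT = 443   # assumed: agent-initiated connection to ePO / Agent Handler
AGENT_WAKEUP_PORT = 8081  # assumed: server-initiated wake-up call to the client


@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    port: int
    peer: str       # security-group id ("sg-...") or CIDR block


@dataclass
class Plan:
    server_initiated: bool
    epo_rules: list = field(default_factory=list)
    client_rules: list = field(default_factory=list)


def plan_rules(topology, epo_sg, client_sg, epo_public_ip=None, client_cidrs=()):
    """Return the minimal rule set for the ePO security group and the client
    security group. topology: "single_vpc", "peered_vpcs" or "multi_region"."""
    if topology in ("single_vpc", "peered_vpcs"):
        # Private network (same VPC or VPC peering): both directions work, so
        # reference the peer security group rather than an address range.
        plan = Plan(server_initiated=True)
        plan.epo_rules += [Rule("ingress", AGENT_SERVER_PORT, client_sg),
                           Rule("egress", AGENT_WAKEUP_PORT, client_sg)]
        plan.client_rules += [Rule("egress", AGENT_SERVER_PORT, epo_sg),
                              Rule("ingress", AGENT_WAKEUP_PORT, epo_sg)]
        return plan
    if topology == "multi_region":
        # Clients reach ePO's elastic IP over the Internet. Only
        # client-initiated traffic exists, so clients need no ingress rule and
        # ePO's ingress is limited to the clients' known source ranges.
        if epo_public_ip is None or not client_cidrs:
            raise ValueError("multi_region needs the ePO elastic IP and client source CIDRs")
        epo_host = str(ipaddress.ip_network(epo_public_ip))  # single address -> /32
        plan = Plan(server_initiated=False)
        for cidr in client_cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                raise ValueError("refusing to open ePO to the whole Internet")
            plan.epo_rules.append(Rule("ingress", AGENT_SERVER_PORT, str(net)))
        plan.client_rules.append(Rule("egress", AGENT_SERVER_PORT, epo_host))
        return plan
    raise ValueError(f"unknown topology {topology!r}")


def audit(rules, expected_ports=(AGENT_SERVER_PORT, AGENT_WAKEUP_PORT)):
    """Flag ingress rules that are broader than the plan requires."""
    findings = []
    for r in rules:
        if r.direction != "ingress":
            continue
        if r.peer in ("0.0.0.0/0", "::/0"):
            findings.append(f"port {r.port} open to the Internet")
        elif r.port not in expected_ports:
            findings.append(f"unexpected ingress port {r.port} from {r.peer}")
    return findings


if __name__ == "__main__":
    # Placeholder security-group ids; substitute your own.
    p = plan_rules("single_vpc", "sg-0epo0", "sg-0client0")
    for rule in p.epo_rules + p.client_rules:
        print(rule)
    print(audit([Rule("ingress", 3389, "0.0.0.0/0")]))
```

The plan lists only the rules the architecture needs; anything a security group already carries beyond them (remote administration ports, wide-open ingress) shows up in the audit output and should be justified separately.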

Set up McAfee ePO and client communication

Configure McAfee ePO and Agent Handler to set up communication for McAfee ePO and the client on AWS.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Install McAfee ePO in the region with the highest number of instances.

This ensures optimized communication between McAfee ePO and client instances.

2 Assign an elastic IP address to the McAfee ePO instance.

This ensures that the public IP address of the McAfee ePO instance does not change.

For details about assigning an elastic IP address, see AWS documentation.


3 Configure a virtual Agent Handler on the McAfee ePO server for your managed client instances to connect to the McAfee ePO server.

a Open the Agent Handlers page: Menu | Configuration | Agent Handlers, then in Handler Groups, click New Group to open the Add/Edit Group page.

b Specify a virtual Agent Handler group name.

c In the Included Handlers section, select Use load balancer and specify the details.

• Virtual DNS Name — Type the DNS name assigned to the static public IP address associated with this AWS server.

• Virtual IP Address — Type the static public IP address associated with this AWS server.

4 Enable the new virtual Agent Handler.

a Select Menu | Configuration | Agent Handlers, then click the Handler Groups monitor.

b Find the new virtual Agent Handler, then click Actions | Enable.

5 Assign the virtual Agent Handler group.

a Select Menu | Configuration | Agent Handlers, then click New Assignment.

b Specify a unique name for this assignment.

c In the Agent Criteria section, browse to and select My Organization from the System Tree location.

d In the Handler Priority section, click Use custom handler list and select the new virtual Agent Handler.

Use + to add additional Agent Handlers to the list.

The created virtual Agent Handler publishes McAfee ePO on its public IP address and all client instances communicate using this address.

Managing AWS clients using McAfee ePO installed on-premise

Install McAfee ePO on an on-premise server and the Agent Handler in the DMZ with a public IP address for easy connectivity and scalability.

This architecture is best if:

• You use McAfee ePO in a hybrid cloud environment.

• Your organization requires McAfee ePO to be installed on-premise rather than in the cloud.

To use this architecture:


• Install McAfee ePO on an on-premise server to manage systems on-premise. Assign an internal private IP address to McAfee ePO.

• Install Agent Handler on an on-premise server in the DMZ to manage instances on AWS. You must assign a public IP address to the Agent Handler.

• You must connect the McAfee ePO server and the Agent Handler through a low-latency and high-bandwidth network.

This architecture supports client-initiated communication, but McAfee ePO can't wake up the McAfee Agent on a managed AWS instance. To use the McAfee ePO-initiated communication (wake up agent) feature, AWS instances must use a VPN to connect to the on-premise network.

For information about the ports required for McAfee ePO and client instance communication, see KB66797. For information about port guidelines, see the McAfee ePolicy Orchestrator Product Guide.

Set up McAfee ePO and client communication

Configure McAfee ePO and the Agent Handler to set up communication between McAfee ePO and the client.

Task

1 Install McAfee ePO on an on-premise server.

2 Install the Agent Handler on another on-premise server in the DMZ.


3 Configure the Agent Handler.

a Open the Agent Handlers page: Menu | Configuration | Agent Handlers, then in Handler Status, click Agent Handler.

b From the Handler List, click the Agent Handler that is installed in the DMZ.

c Specify the public IP address of the Agent Handler to connect to AWS EC2 instances in the Published IP Address field.

Using Cloud Workload Discovery

Consider these best practices to set up Cloud Workload Discovery to monitor and manage AWS EC2 resources.

Task

1 Install McAfee ePO based on your infrastructure requirements.

2 Install the Cloud Workload Security extension on the McAfee ePO server.

3 Make sure that you set up a user on AWS with Read only privileges on EC2 for all regions that require management.

4 Register your AWS cloud account with McAfee ePO, so that McAfee ePO discovers, imports, assesses and displays your cloud account information. For details, see the Cloud Workload Discovery Product Guide.

5 Specify the sync interval for McAfee ePO to AWS synchronization.

The sync interval determines how often new instances are discovered. For details, see the Cloud Workload Discovery Product Guide.

6 While deploying McAfee Agent, select Auto deploy Mcafee Agent on VMs when all your EC2 instances are in the same region and support Active Directory based deployment. For details, see the Cloud Workload Discovery Product Guide.

See also Installing the Cloud Workload Discovery extension on page 8

Deploying McAfee security products on AWS cloud

To deploy McAfee security products on AWS instances, deploy a McAfee Agent on each of the AWS instances.

Once you deploy McAfee Agent, you can use McAfee ePO to manage product installation and network security of the AWS instances.

You must have credentials for each of the AWS instances. Currently, only password-based authentication is supported on Windows and Linux.

To deploy McAfee security products easily and efficiently:

• Use Active Directory-based authentication. For deployment instructions, see Register an AWS account in the Cloud Workload Discovery Product Guide.

• Create secure client Amazon Machine Images (AMIs) with the McAfee Agent and products installed.


Deploy McAfee Agent on AWS instances using AMIs

To ensure security of the AWS instances as they start, create secure client Amazon Machine Images (AMIs) using standard AMIs. The AMIs include McAfee Agent and VirusScan Enterprise.

Before you begin

• If you are using Amazon Elastic Compute Cloud (Amazon EC2), start a Windows or Linux instance.

• Install the McAfee Agent and VirusScan Enterprise extensions in the McAfee ePO server. VirusScan Enterprise protects instances from malware.

• Check in the client packages.

• Make sure that you don't have duplicate McAfee Agent GUIDs, which can affect product installation, policy enforcement, and prevent properties from being recorded correctly.

• To secure instances that are not started from secure AMIs, use AWS security groups.

• Make sure that AWS instances are only accessible from McAfee ePO until the AWS instances are compliant with the organization's IT security standards.
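Duplicate McAfee Agent GUIDs are the classic symptom of an image captured without first deleting the AgentGUID key (the step this section's procedures include before Create Image): every instance launched from that AMI reports the same identity to McAfee ePO. The check below, an added example that is not McAfee code, finds GUIDs shared by more than one instance and traces each collision back to the AMI the instances came from, so the image to rebuild is identified rather than the individual instances. The inventory is constructed; in practice the GUID per system comes from the ePO System Tree and the instance and image ids from EC2.

```python
"""Find McAfee Agent GUID collisions in an AWS fleet and trace them to the
AMI they were launched from.

Added example for this guide, not McAfee code. The inventory below is
constructed; in practice it would be joined from the ePO System Tree
(agent GUID per system) and EC2 instance metadata (instance id, image id).
"""
from collections import defaultdict

# Constructed sample inventory: (instance_id, image_id, agent_guid).
SAMPLE_INVENTORY = [
    ("i-0a1", "ami-base01", "11111111-1111-1111-1111-111111111111"),
    ("i-0a2", "ami-base01", "11111111-1111-1111-1111-111111111111"),
    ("i-0a3", "ami-base01", "11111111-1111-1111-1111-111111111111"),
    ("i-0b1", "ami-base02", "22222222-2222-2222-2222-222222222222"),
    ("i-0b2", "ami-base02", "33333333-3333-3333-3333-333333333333"),
    ("i-0c1", "ami-base03", "44444444-4444-4444-4444-444444444444"),
    ("i-0c2", "ami-base03", ""),  # agent has not reported properties yet
]


def find_guid_collisions(inventory):
    """Return {guid: [instance ids]} for every GUID reported by more than one
    instance. Empty GUIDs are skipped: they mean the agent has not reported
    properties yet, not that two agents share an identity."""
    by_guid = defaultdict(list)
    for instance_id, _image_id, guid in inventory:
        if guid:
            by_guid[guid].append(instance_id)
    return {g: ids for g, ids in by_guid.items() if len(ids) > 1}


def suspect_images(inventory):
    """Return the set of AMIs whose launched instances share a GUID, i.e.
    images that were most likely captured without deleting the AgentGUID
    key first."""
    image_of = {instance_id: image_id for instance_id, image_id, _ in inventory}
    suspects = set()
    for ids in find_guid_collisions(inventory).values():
        images = {image_of[i] for i in ids}
        # A collision among instances from one image points at the image;
        # a collision spanning images points at a cloned disk or manual copy
        # and needs a different fix, so it is reported but not attributed.
        if len(images) == 1:
            suspects |= images
    return suspects


def report(inventory):
    """Human-readable findings: one line per collision, one per suspect AMI."""
    lines = []
    for guid, ids in sorted(find_guid_collisions(inventory).items()):
        lines.append(f"GUID {guid} shared by {len(ids)} instances: {', '.join(ids)}")
    for image in sorted(suspect_images(inventory)):
        lines.append(f"rebuild {image}: delete the AgentGUID key before Create Image")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INVENTORY)))
```

Run it after each new image is rolled out: a fresh AMI whose first few instances already collide is cheaper to rebuild than a fleet whose policies and properties have been silently mixing for weeks.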

Tasks

• Create secure client AMIs with a known McAfee ePO IP address on page 26
Start a secure client AMI on a Windows EC2 or Linux instance.

• Create secure client AMIs with an unknown McAfee ePO address on page 27
Start a secure client AMI on a Windows EC2 or Linux instance.

• Configure McAfee Agent with McAfee ePO details on page 27
After creating a secure client AMI, configure McAfee Agent.

• Install McAfee Agent over an existing McAfee Agent on the AWS instance on page 28
Install McAfee Agent and VirusScan Enterprise on AWS instances running Windows or Linux.

Using McAfee Agent deployment URL feature

The McAfee Agent deployment URL contains a link to an installer. The installer downloads and installs McAfee Agent and deploys McAfee products to AWS instances.

For instructions about deploying McAfee Agent on AWS instances, see KB85233.

Create secure client AMIs with a known McAfee ePO IP address

Start a secure client AMI on a Windows EC2 or Linux instance.

Task

1 Depending on the operating system that you use, start a Windows EC2 or a Linux instance on the AWS console.

2 Log on to the instance.

3 Deploy McAfee Agent on the instance.

• Use McAfee ePO for Windows and Linux operating system.

• Use FramePkg.exe for Windows operating system.

• Use install.sh for Linux operating system.

For details, see the McAfee Agent Product Guide.


4 Install VirusScan Enterprise on the instance using McAfee ePO. For details, see the McAfee VirusScan Enterprise Installation Guide.

5 Delete the AgentGUID registry key.

• For Windows, see KB56086.

• For Linux, see KB66456.

6 On the AWS console:

• Select the instance and click Create Image.

• Select the AMI and click Launch.

This starts a new secure client AMI with McAfee Agent and VirusScan Enterprise installed on it.

Create secure client AMIs with an unknown McAfee ePO address

Start a secure client AMI on a Windows EC2 or Linux instance.

Task

1 Depending on the operating system that you use, start a Windows EC2 or a Linux instance on the AWS console.

2 Log on to the instance.

3 Download and install VirusScan Enterprise on the instance.

4 On the AWS console:

• Select the instance and click Create Image.

• Select the AMI and click Launch.

This starts a new secure client AMI with VirusScan Enterprise installed on it. To manage the instance, you can manually configure McAfee Agent or override the existing McAfee Agent with McAfee ePO details.

Configure McAfee Agent with McAfee ePO details

After creating a secure client AMI, configure McAfee Agent.

Task

1 Log on to the McAfee ePO server.

2 Select Menu | Master Repository.

3 Export the Sitelist.xml file, then copy the file to a location on your AWS instance.

4 From the McAfee ePO server, copy the bin files from C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409 (srpubkey.bin, req2048seckey.bin, reqseckey.bin, sr2048pubkey.bin) to the same folder where you copied the Sitelist.xml file.

5 Open the command prompt, then navigate to C:\Program Files (x86)\McAfee\Common Framework.


6 Configure McAfee Agent with these commands.

• For Windows: frameinst.exe /install=agent /siteinfo=<full path to sitelist.xml>

• For Linux: <McAfee Agent install path>/bin/msaconfig -m -d Path=<full path to Sitelist.xml>

These commands configure McAfee Agent.

7 Click OK when McAfee Agent configuration is complete.

Install McAfee Agent over an existing McAfee Agent on the AWS instance

Install McAfee Agent and VirusScan Enterprise on AWS instances running Windows or Linux.

Task

1 For instances running Windows:

a Copy the McAfee Agent installation package, FramePkg.exe, from your McAfee ePO server to the target instance.

The default location for the installation package is C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409\.

b Double-click FramePkg.exe.

If a Security Warning appears, click Run to continue.

For Windows Vista, Windows 7, or Windows 2008 R2 with User Account Control (UAC) enabled, right-click FramePkg.exe and select Run as Administrator.

c When McAfee Agent installation is complete, click OK.

2 For instances running Linux:

a Start a Linux instance on the AWS console.

b Log on to the instance.

c Install VirusScan Enterprise on the instance using McAfee ePO. For details, see the McAfee VirusScan Enterprise Installation Guide.

d On the AWS console, select the instance and click Create Image to create the AMI.

e Select the AMI and click Launch.

This starts a new secure client AMI with McAfee Agent and VirusScan Enterprise installed on it.


6 Use DevOps scripts to deploy McAfee products

You can use automation platforms like Chef and Puppet to deploy McAfee products on the virtual instances without using McAfee ePO.

Contents

Using Chef
Using Puppet
Using Amazon OpsWorks
Using AWS UserData for McAfee Agent deployment

Using Chef

Chef is an automation platform used for managing and automating large-scale infrastructure.

For details about using Chef to configure security solutions provided by McAfee, see this McAfee KnowledgeBase article: KB82584.

Using Puppet

Puppet is an automation platform used for managing and automating large-scale infrastructure. Puppet relies on the manifests and modules created in a custom declarative language.

For details about using Puppet to configure security solutions provided by McAfee, see this McAfee KnowledgeBase article: KB82585.

Using Amazon OpsWorks

AWS OpsWorks features an integrated management experience for the entire application lifecycle, including resource provisioning, configuration management, application deployment, monitoring, and access control. It works with applications of any level of complexity and is independent of any particular architectural pattern.

For details about using Amazon OpsWorks to configure security solutions provided by McAfee, see this McAfee KnowledgeBase article: KB82586.


Using AWS UserData for McAfee Agent deployment

You can create an Agent deployment URL and use AWS UserData to install McAfee Agent on AWS instances.

For details, see this McAfee KnowledgeBase article: KB85233.


Index

A

accounts, registering
    AWS 11
    Azure 11
Amazon Machine Image
    configuring products 15
    deploying McAfee Agent 26
    deploying products 15
Amazon OpsWorks, product deployment 29
automation platform
    chef 29
    puppet 29
AWS account, registering 11
Azure account, registering 11

C

Chef, product deployment 29
cloud usage metering 11
cloud workload discovery extension
    requirements 8
Cloud Workload Discovery extension
    products 5
configuration
    overview 11, 15
    security products 11, 15

D

dashboards, public cloud
    anti-malware status 11, 15
    application reputation 11
    Data Center 11
    File Integrity Monitoring Status 11, 15
    Firewall Status 11
    OS Distribution 11
    security incidents 11
Data Center Connectors 15
deployment methods
    DevOps scripts 29
    McAfee Agent 25
    McAfee ePO 7
    PCS AMI 13
DevOps scripts for product deployment 29

E

encrypting volumes 11
extensions
    downloading 8
    installing 8
    products included in package 5

M

manage AWS clients
    McAfee ePO installed on AWS 19
    McAfee ePO installed on-premise 19
McAfee ePO-Agent communication
    port access 19

P

PCS AMI
    hardware configuration 14
    launching 14
    password 14
    ports 14
    products 13
    security group 14
products included in package 5
Public Cloud Security extension
    about 5
    downloading, installing 8
    using Software Manager 8
Public Cloud Server Security suite
    about 5
    products 5
Puppet, product deployment 29

R

requirements 8

S

scripts, product deployment 29
Software Manager, installation 8