Product Guide

McAfee Data Exchange Layer 2.2.0
For use with McAfee ePolicy Orchestrator

COPYRIGHT

Copyright © 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee ActiveProtection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Introduction
    Overview
        Intel Software Guard Extensions

2 Installing Data Exchange Layer
    System requirements
    Data Exchange Layer network overview
    Install DXL 2.2.0
        Install the extensions in McAfee ePO
        Check in the DXL packages
        Install the DXL brokers
        Deploy the Data Exchange Layer client
        Verify the installation
        Troubleshooting the installation
    Upgrade to DXL 2.2.0
        Upgrade the extensions in McAfee ePO
        Check in the DXL packages
        Upgrade the DXL broker
        Verify the DXL broker upgrade
        Upgrade the DXL client
        Verify the DXL client upgrade

3 Managing Data Exchange Layer
    Working with brokers
        Configure DXL policies
        Configure brokers
        Add brokers
        Add brokers to a DMZ
    The DXL fabric
        View the DXL fabric
    Bridging Data Exchange Layer fabrics
        Create an outgoing bridge
        Create an incoming bridge
    Importing client certificates
        Import a certificate
        Create a list of certificates used by DXL
    Creating DXL queries
    DXL server tasks

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
• About this guide
• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.

1 Introduction

The McAfee® Data Exchange Layer (DXL) framework includes client software and brokers that allow bidirectional communication between endpoints on a network. It receives and sends encrypted messages throughout your environment to track activity, risks, and threats in real time.

Overview

DXL works in the background, communicating with services, databases, endpoints, and applications.

The DXL client is installed on each managed endpoint, so that threat information can be shared immediately with all other services and devices.

A blocked threat attempt that reveals malware on an endpoint can be shared immediately to the gateway and other security components, isolating and stopping the threat before it spreads. You can view threat events that were discovered and stopped, so that you get a picture of your environment's security and possible areas of vulnerabilities.

DXL has these components:

• Brokers — Installed on managed systems and routes messages between connected clients. An example of a connected client is the Threat Intelligence Exchange module. The network of brokers tracks active consumers and dynamically adjusts the message routing as needed. When a client requests a service, or when an update is broadcast, brokers relay these messages. Brokers can be organized into hubs and service zones.

DXL clients maintain a persistent connection to their brokers regardless of their location. Even if a managed endpoint running the DXL client is behind a NAT (network address translation) boundary, it can receive updated threat information from its broker located outside the NAT.

• DXL Fabric — Consists of DXL clients and brokers. You can bridge DXL fabrics that are managed by different McAfee® ePolicy Orchestrator® (McAfee ePO™) servers to share services across fabrics.

• Hubs — Contain one or two brokers and provide failover protection in a multi-broker environment. If a hub has two brokers, both act simultaneously. If one is unavailable, the other continues to function.

• Clients — Clients receive and process messages from the brokers. An example of a client is the Threat Intelligence Exchange module. Clients subscribe and publish to the fabric without API-based integration.

• Service zones — A service zone is associated with brokers and hubs and routes requests from clients. Service zones ensure that services are supplied by local resources. In the following example, service zones are organized into locations. When the TIE client sends a file or certificate reputation request, it attempts to find a TIE server in the Portland service zone first. If a server is not available in that zone, it looks in the North America service zone, because the Portland hub is part of the North America zone. Without specifying service zones, requests might be sent to the Europe or London hub first.

After installing the DXL brokers and client software, you create the hubs and zones for the brokers in your environment. You can also bridge hubs and brokers managed by different instances of McAfee ePO so that the brokers can communicate information over the fabric.

Intel Software Guard Extensions

Data Exchange Layer supports Intel® Software Guard Extensions (SGX), an architecture extension designed to increase the security of software using an "inverse sandbox" mechanism.

Rather than attempting to identify and isolate all the malware on the platform, SGX enables legitimate software to be sealed inside an enclave and protected from attack by the malware, irrespective of the malware's privilege level. SGX is installed and enabled with the DXL client on machines that are SGX-capable.

For more details about SGX, see Intel Software Guard Extensions.

2 Installing Data Exchange Layer

This chapter includes information about installing the DXL client and brokers for the first time, or upgrading DXL from a previous version.

Contents
• System requirements
• Data Exchange Layer network overview
• Install DXL 2.2.0
• Upgrade to DXL 2.2.0

System requirements

Make sure that your system environment meets these requirements and that you have administrator rights.

| Component | Products | Version |
|---|---|---|
| VMware vSphere ESXi | | 5.1 or later |
| McAfee ePO | | 5.1.1, 5.1.2, 5.1.3, 5.3.0, 5.3.1 |
| McAfee ePO product extensions and packages (checked in) | McAfee® Agent | 5.0.0, 5.0.1, 5.0.2, 5.0.3 |
| | McAfee Agent extension | 5.0.0, 5.0.1, 5.0.2, 5.0.3 |
| Products installed on each of your managed systems | McAfee Agent | 5.0.0, 5.0.1, 5.0.2, 5.0.3 |

Operating system

You can install the Data Exchange Layer client on the following operating systems.

Microsoft Windows

• Windows 7 (32-bit and 64-bit), Windows Embedded 7

• Windows 8.0 (32-bit and 64-bit), Windows Embedded 8

• Windows 8.1 (32-bit and 64-bit)

• Windows 8.1U1/U2 (32-bit and 64-bit)

• Windows 10 (32-bit and 64-bit)

• Windows 10.1 (32-bit and 64-bit)

• Windows Server 2008

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

Linux operating systems

• 32/64-bit Red Hat 6.x or later

• 32/64-bit CentOS 6.x or later

• 32/64-bit Debian 7.x or later

• 32/64-bit Ubuntu 12.x or later

Data Exchange Layer network overview

The Data Exchange Layer framework uses these network protocols and ports.

Make sure these ports are open and available for use with DXL.

Install DXL 2.2.0

Follow the steps in this section if you are installing the DXL client and brokers for the first time on a system. If you are upgrading from a previous version of DXL, see the Upgrade to DXL 2.2.0 topic.

Tasks

• Install the extensions in McAfee ePO
  Install the Data Exchange Layer 2.2.0 extensions.

• Check in the DXL packages
  Check in the Data Exchange Layer packages to the Master Repository in McAfee ePO.

• Install the DXL brokers
  Download the DXL software, then install and configure DXL brokers using VMware vSphere.

• Deploy the Data Exchange Layer client
  Deploy the DXL client to each of your managed systems.

• Verify the installation
  After you complete the DXL broker appliance pages in VMware, verify that the installation was successful.

• Troubleshooting the installation
  McAfee provides log files and scripts that can help you resolve common issues that might occur during installation.

Install the extensions in McAfee ePO

Install the Data Exchange Layer 2.2.0 extensions.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Software | Extensions.

2 Click Install Extension and install the extensions in the following order.

a DXL Broker Management

b DXL Client

c DXL Client Management

Check in the DXL packages

Check in the Data Exchange Layer packages to the Master Repository in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Master Repository, then click Check In Package.

2 Check in these DXL 2.2.0 packages:

• DXL Broker

• DXL Client

• DXL Platform

Install the DXL brokers

Download the DXL software, then install and configure DXL brokers using VMware vSphere.

Tasks

• Download the DXL software
  Download the DXL software manually from the McAfee product download website, or use the McAfee Software Manager.

• Install the DXL appliance
  Install and configure the DXL brokers.

Download the DXL software

Download the DXL software manually from the McAfee product download website, or use the McAfee Software Manager.

Task

For details about product features, usage, and best practices, click ? or Help.

• Use one of these methods to download and install the DXL software:

• In the Software Manager, click McAfee Data Exchange Layer 2.2, then check in the DXL Bundle component. This automatically downloads and installs all necessary DXL extensions and packages.

• To install manually, download the McAfee Data Exchange Layer 2.2 files from the McAfee product download website. Then check in the Data Exchange Layer extensions and packages to McAfee ePO.

The broker appliance is installed using VMware vSphere (.ova file) or by running the DXL broker file (.iso file). Download one of the broker appliance files and save it locally before continuing.

Install the DXL appliance

Install and configure the DXL brokers.

Before you begin

The DXL appliance is available on the Software Manager and the McAfee download site. There are two options, an OVA and an ISO. Both are packaged as a zip file and must be extracted before installing.

Task

1 Depending on which appliance option you downloaded, do one of the following:

• If you downloaded the DXL broker ISO component, use the .iso file to install the appliance on a supported platform.

• If you downloaded the DXL broker OVA component, open the VMware vSphere client, then click File | Deploy OVF Template. Browse to and select the DXL .ova file on your computer. Click Next and complete the steps in the wizard, then turn on the virtual machine and open a Console window.

The first page of the installation appears.

2 Read and accept the license agreement. Press Enter to view each page.

3 Create a root password for the appliance. The password must be at least nine characters.

4 Enter the operational account name, real name, and password, using the Tab key to move to the next field. When finished, press Y to continue.

The account name is typically something like jsmith and is used to log on to and administer the appliance. The real name is your full name, for example, John Smith.

5 On the Network Selection page, enter N to continue.

6 Select a configuration type, then enter Y to continue.

• DHCP — Enter D.

• Manual IP address — Enter M, then enter the remaining information.

7 Enter the host name and domain name of the computer where you are installing the appliance. Enter Y to continue.

8 Enter up to three Network Time Protocol servers to synchronize the time of the appliance. Use the default server listed, or enter the address for up to three servers. Enter Y to continue.

9 Enter the IP address or fully qualified domain name, port, and account information for your McAfee ePO server. The user account must have administrator rights. Enter Y to continue.

10 Specify the port that DXL uses. Use the default port, or enter a port number within the range shown, then enter Y to continue.

11 When the logon screen appears, close it.

See Verify the installation to make sure that the DXL broker was installed successfully.

Deploy the Data Exchange Layer client

Deploy the DXL client to each of your managed systems.

Before you begin

If deploying the DXL client on a supported Linux 64-bit system, perform these steps on the system before deploying:

• On CentOS and Red Hat systems, enter sudo yum install glibc.i686 libstdc++.i686

• On Debian and Ubuntu systems, enter sudo apt-get install lib32stdc++6

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Software | Product Deployment, then click New Deployment.

2 Complete the new deployment information, then start the deployment.

For details about deploying software in McAfee ePO, see the McAfee ePolicy Orchestrator Product Guide.

Verify the installation

After you complete the DXL broker appliance pages in VMware, verify that the installation was successful.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the System Tree main page, verify that the broker is listed and tagged as DXLBROKER.

If the broker is not tagged as DXLBROKER, run the Manage DXL Brokers server task.

2 In the System Tree, select the DXL broker name, then click the Products tab. Verify that the DXL broker and version are listed.

a If the DXL broker and version are not listed, click Wake Up Agents.

b On the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.

It might take a few minutes for the broker properties to be sent to the appliance.

When the installation is successful, the installed brokers are tagged as DXLBROKER and the correct DXL version is displayed in the Products tab. You can also click the McAfee shield icon in the Windows taskbar and look for the McAfee Data Exchange Layer heading to see if the broker is connected.

Tasks

• Verify status of Intel Software Guard Extensions
  The Intel Software Guard Extensions (SGX) is installed and enabled with the DXL client.

Verify status of Intel Software Guard Extensions

The Intel Software Guard Extensions (SGX) is installed and enabled with the DXL client.

SGX is installed only on SGX-capable machines running a Windows operating system. You can verify whether a machine is SGX-capable, and if so, whether SGX is enabled.

• To see if SGX is installed on a particular machine, open the Windows Control Panel on that machine and in the Programs and Features list, look for Intel Software Guard Extensions Platform Software.

• To see if SGX is enabled or disabled on a particular DXL client system, in the McAfee ePO System Tree, select the system where the DXL client is installed, then click the Products tab. The SGX section shows whether the system is SGX-capable, and whether SGX is enabled.

Troubleshooting the installation

McAfee provides log files and scripts that can help you resolve common issues that might occur during installation.

Accessing log files

To troubleshoot installation problems, view the log files.

The DXL broker log files are at /var/McAfee/dxlbroker/logs/dxlbroker.log. Have these files available if you contact technical support.

Reconfiguring the installation using scripts

You can use scripts to reconfigure the DXL brokers and the McAfee Agent. The scripts are located in the /home/<username> directory. They must be executed with sudo permissions, for example, sudo /home/myname/reconfig-dxl.

| Script name | Description | Reboot? |
|---|---|---|
| change-hostname | Changes the host name of the current DXL broker appliance. It restarts the McAfee Agent and the broker. | Recommended |
| change-services | Enables or disables the DXL broker. If the broker was initially disabled during first boot, the script prompts for broker configuration information. | No |
| reconfig-dxl | Reconfigures the DXL port. | No |
| reconfig-ma | Reconfigures the McAfee Agent. The agent and DXL broker services are restarted. New keystores are generated when the service starts. Before using this script, read this KnowledgeBase article for important information: KB85043 | Recommended |
| reconfig-network | Reconfigures the current network interface (from DHCP to manual, or from manual to DHCP). | Required |
| reconfig-ntp | Reconfigures the Network Time Protocol servers. | No |

Upgrade to DXL 2.2.0

Use this information to upgrade from a previous version of Data Exchange Layer.

Before upgrading to Data Exchange Layer 2.2.0, create a snapshot of your virtual machine in the VMware vSphere client. For instructions, see the VMware vSphere documentation.

Use one of these methods to install the 2.2.0 product files:

• In the Software Manager, click McAfee Data Exchange Layer 2.2, then check in the DXL Bundle component. This automatically downloads and installs all necessary DXL extensions and packages.

• To install manually, download the Data Exchange Layer 2.2.0 files from the McAfee product download website. Check in the packages to the Master Repository, and the extensions using the Extensions page.

Complete the tasks in the order shown to ensure a successful upgrade.

Tasks

• Upgrade the extensions in McAfee ePO
  Install the Data Exchange Layer 2.2.0 extensions.

• Check in the DXL packages
  Check in the Data Exchange Layer packages to the Master Repository in McAfee ePO.

• Upgrade the DXL broker
  To upgrade the DXL 2.2.0 brokers on the appliance, create a client task that includes a product deployment task in McAfee ePO.

• Verify the DXL broker upgrade
  After you complete the DXL upgrade, verify that the upgrade was successful.

• Upgrade the DXL client
  Upgrade the DXL client to 2.2.0 on each of your managed systems.

• Verify the DXL client upgrade
  After you complete the DXL client upgrade, verify that the upgrade was successful.

Upgrade the extensions in McAfee ePO

Install the Data Exchange Layer 2.2.0 extensions.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Software | Extensions.

2 Click Install Extension and install the extensions in the following order.

a DXL Broker Management

b DXL Client

c DXL Client Management

Check in the DXL packages

Check in the Data Exchange Layer packages to the Master Repository in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Master Repository, then click Check In Package.

2 Check in these DXL 2.2.0 packages:

• DXL Broker

• DXL Client

• DXL Platform

Upgrade the DXL broker

To upgrade the DXL 2.2.0 brokers on the appliance, create a client task that includes a product deployment task in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Client Task Catalog.

2 Select McAfee Agent, then click New Task.

3 In the New Task window, select Product Deployment, then click OK.

4 Complete the new deployment information for the DXL broker. For the Target platforms option, make sure that only McAfee Linux OS is selected. Create a task for each package. Packages must be updated in this order:

If you initially installed the broker appliance using the TIE .ova file, upgrade only the broker (the platform updates come from Threat Intelligence Exchange). If you installed the broker appliance using the DXL .ova or .iso file, upgrade both the platform and the broker.

a DXL Platform

b DXL Broker

5 Save the task and run it against the DXL broker.

6 In the System Tree, select a DXL broker name, then click the Properties tab.

7 Click Wake Up Agents and select Force complete policy and task update. It might take a few minutes for the broker properties to be sent to the appliance.

Log files are located here:

/var/log/dxlbroker-2.2.0-<build_number>.log

/var/log/DXLPlatform-2.2.0-<build_number>.log

Verify the DXL broker upgrade

After you complete the DXL upgrade, verify that the upgrade was successful.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In the System Tree main page, verify that the updated broker is listed and tagged as DXLBROKER. If it isn't, run the Manage DXL Brokers server task.

2 In the System Tree, select the DXL broker name, then click the Products tab. Verify that the updated DXL broker and version are listed.

a If the DXL broker and version are not listed, click Wake Up Agents.

b Select Force complete policy and task update, then click OK. It might take a few minutes for the broker properties to be sent to the appliance.

c If the DXLBROKER tag does not appear in the System Tree, run the Manage DXL Brokers server task again.

When the installation is successful, the correct DXL version is displayed in the Products tab, and the installed brokers are tagged as DXLBROKER.

Upgrade the DXL clientUpgrade the DXL client to 2.2.0 on each of your managed systems.

TaskFor details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Client Task Catalog.

2 Select McAfee Agent, then click New Task.

3 Select Product Deployment, then click OK.

4 Complete the new deployment information: From the Products and components list, select Data ExchangeLayer Client.

5 Save the task and run it on each of your managed systems. You might have to wait severalminutes for the task to complete, depending on how busy your McAfee ePO server is.

6 In the System Tree, select the DXL client system, then click the Products tab.

7 Click Wake Up Agents and select Force complete policy and task update. It might take a few minutes for the client properties to be sent to the McAfee ePO server.

Verify the DXL client upgrade

After you complete the DXL client upgrade, verify that the upgrade was successful.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In the System Tree, select a DXL client system, then click the Products tab.

2 Verify that the updated DXL 2.2.0 client and version are listed.

3 Select a DXL client system, and from the Actions menu, select DXL | Lookup in DXL. Make sure that the connection state is Connected.

4 You can also click the McAfee shield icon in the Windows taskbar and look for the McAfee Data Exchange Layer heading to see if the broker is connected.


3 Managing Data Exchange Layer

Data Exchange Layer includes a client and brokers that allow bidirectional communication between endpoints on a network. You can add and organize brokers as needed for your environment.

Contents

• Working with brokers

• The DXL fabric

• Bridging Data Exchange Layer fabrics

• Importing client certificates

• Creating DXL queries

• DXL server tasks

Working with brokers

The Data Exchange Layer brokers can be organized into hubs and service zones to determine how brokers are accessed.

Brokers are installed on managed systems and communicate messages between security products that are integrated with the DXL fabric. The network of brokers tracks active clients and dynamically adjusts the message routing as needed.

Organizing brokers

Brokers can be organized into hubs that manage how brokers are accessed and provide failover protection in a multi-broker environment. If a hub has two brokers, both act simultaneously. If one is unavailable, the other continues to function. You can create as many hubs as needed. A broker, however, can be assigned to only one hub.

You can organize brokers and hubs into service zones to further determine how servers are accessed. For example, if you have multiple Threat Intelligence Exchange servers and brokers in different geographical locations, you can create service zones of servers and brokers. Clients in a service zone access servers in that zone first. If those servers are not available, the clients access the servers in other zones. If you don't use service zones, client requests can be sent to any server at any location.

Tools for working with brokers

Use the Data Exchange Layer Fabric feature to view the broker topology in your environment. You can quickly see how brokers are connected and managed. You can also see the number of clients that are connected to a specific broker. This can help you determine if you need more brokers in your environment.

To increase or decrease the number of clients that can connect to a broker, change the Client Connection Limit settings in the McAfee DXL Broker Management policy.


Configure DXL policies

DXL policy settings are used by the DXL client on managed systems where the policy is assigned.

The policy settings allow you to determine a specific broker or hub that the DXL client connects to. Policies enable you to control which brokers are accessed for specific managed systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Policy Catalog.

2 From the Product list, select McAfee DXL Client.

3 On the My Default line, click Duplicate to create a policy.

4 Enter a name and a brief description for the new policy, then click OK.

5 Complete the fields on the Policy Catalog page. See the online Help for details about each field.

After you create a policy, assign it to managed systems to control how the DXL client on those systems communicates with brokers and hubs.

Configure brokers

If you installed DXL brokers on more than one system, you can create a hierarchy of brokers to provide failover protection if any brokers are unavailable.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 Select Edit to create hubs, service zones, and assign brokers.

The options on the page depend on whether you selected a broker or a hub. Unassigned brokers are listed below the hubs.

3 Select an item from the Actions menu to create or delete a hub, or to detach a broker from its current hub.

For details about connecting DXL brokers that are managed by different McAfee ePO servers, see Bridging DXL brokers.

Add brokers

You might want to install more brokers throughout your environment as you add new endpoints and systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Run the DXL appliance installation.

You can install brokers on a system already running brokers, or on a different system.

2 On the Service Selection page, select DXL Broker and complete the broker installation.

For details about installing brokers, see Installing Data Exchange Layer.


Add brokers to a DMZ

You can install Data Exchange Layer brokers in a demilitarized zone (DMZ) where publicly accessible servers are not allowed.

Installing a broker in the DMZ allows remote users to access information from products that use the DXL, such as Threat Intelligence Exchange.

You must have an Agent Handler in the DMZ and your network must be configured to support this. McAfee ePO communicates with the DXL broker to share configuration, policy, and performance information via the agent on the broker.

To use a DXL broker in a DMZ, firewall rules are necessary. Also, the DXL framework must be structured in a way to allow communication from brokers in the DMZ to brokers in the internal network. The DXL Topology page enables you to create this structure. (To access the DXL Topology page, select Menu | Configuration | Server Settings | DXL Topology.)

This diagram shows the default ports used.

The DXL fabric

Quickly see all DXL brokers in your environment. You can see their status, how they are connected, clients they support, and other details.

There are several views that allow you to see the broker fabric in different ways:

• The current connection status for all brokers

• Brokers managed by different instances of McAfee ePO

• Brokers by hub

• Brokers by connected clients


For all brokers in the fabric, you can see detailed properties, bridging information, registered services, and more.

View the DXL fabric

View all brokers in your environment and see connection, status, and detailed information.

Before you begin

The DXL fabric page is view-only and requires permissions to access it. To set permissions to access the fabric, use the McAfee DXL Fabric permission set in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Data Exchange Layer Fabric.

2 Use the View drop-down list to select how you want the information to be organized.

• To resize the items on the page to zoom in or out, use the mouse wheel.

• To fit all items on the fabric view on the page, double-click the mouse.

3 Use the Label drop-down list to select the type of labels that you want to see.

4 Click a broker to see detailed information about it on the Properties, Bridges, and Services tabs.

Bridging Data Exchange Layer fabrics

Bridging DXL fabrics allows DXL brokers that are managed by different McAfee ePO servers to communicate with each other to share clients and services.

For example, if you have Threat Intelligence Exchange and at least one DXL broker managed by multiple instances of McAfee ePO, you can connect the brokers by bridging their fabrics. You can then see the files that are running at all locations and share their reputation information.

To connect DXL broker fabrics, you create incoming and outgoing bridges to and from the brokers that are managed by different McAfee ePO servers.

Process for bridging DXL fabrics

Bridging DXL fabrics is a multi-step process to ensure that the DXL brokers that are managed by different McAfee ePO servers can connect and communicate with each other. The bridged systems must export and import each other's broker information.


In this example, McAfee ePO 1 has a top-level hub with two brokers. It also has a broker used by the TIE service, where managed endpoints connect. McAfee ePO 2 has a hub with two brokers that are used by the TIE service and managed endpoints. To bridge the brokers so that they can share clients and services, you create an incoming bridge on McAfee ePO 1 and an outgoing bridge on McAfee ePO 2.

Bridging must be completed at the hub level. You cannot create a bridge from an individual broker.

Bridging existing TIE servers and databases

If you have existing TIE servers and databases managed by different McAfee ePO servers, you can bridge them to share reputation information. You can have only one TIE master or one primary TIE database for the DXL fabric. For details, see KnowledgeBase article: KB83896.

Create an outgoing bridge

When you designate a DXL hub as an outgoing bridge, brokers in that hub can connect to the brokers that are managed by a different McAfee ePO server.

Each McAfee ePO server can have only one hub that is designated as an outgoing bridged hub. And that hub must be the top-level hub in the DXL topology with at least one broker assigned to it.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 On the DXL Topology page, select Edit.

3 From the topology tree, select the top-level hub, and from the Actions menu, select Create Outgoing Bridge - Remote ePO Hub.

The hub is highlighted in red (invalid state) until it is bridged with a hub on a remote system.

4 Click Export Local Hub Information to create a file that contains information about the hub's brokers. Save this file in a location that's available to remote systems.


5 On the remote McAfee ePO server where you are bridging to:

a From the Actions menu, select Create Incoming Bridge - Remote ePO Hub.

b Select a hub to bridge to the outgoing hub, then click Import Remote Hub Information and navigate to the file. This creates an incoming bridge.

c Click Export Local Hub Information to create a file containing information about the brokers.

6 On the local system, click Import Remote Hub Information and navigate to the file created by the remote system.

The local and remote hubs now have the broker information necessary to communicate and share information via the DXL framework.

Create an incoming bridge

Designating a hub as an incoming bridge enables brokers that are managed by a remote McAfee ePO system to connect its brokers to local DXL brokers.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 On the DXL Topology page, click Edit.

3 From the topology tree, select the top-level hub, and from the Actions menu, select Create Incoming Bridge - Remote ePO Hub to create an empty hub under the top-level hub.

This is a placeholder for the broker topology information that will come from remote McAfee ePO systems when they are bridged with the local system. The hub is highlighted in red (invalid state) until the information from a remote system is uploaded.

4 Click Import Remote Hub Information and navigate to the outgoing bridge file created by the remote McAfee ePO server.

This file contains information about its brokers. You can import files from several McAfee ePO servers.

5 Click Export Local Hub Information to create a file that contains information about the brokers in the local hub. The remote system (outgoing bridge) imports this file.

Both hubs now have the broker information necessary to communicate and share information via the DXL fabric.

6 To complete the bridge, run the Send DXL State Event server task on both the incoming and outgoing systems.

Importing client certificates

When using a third-party certificate with DXL clients, you must import a Certificate Authority, or self-signed certificate, for those clients.

The DXL brokers use certificates to recognize and validate clients. After a certificate is created, import it into McAfee ePO.


Import a certificate

Import third-party client certificates into McAfee ePO to validate the clients for use with DXL.

For Python clients: In an environment with multiple McAfee ePO servers and bridged DXL fabrics, you must import the certificates that you create into each McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Certificates.

2 On the Client Certificates page, click Edit.

3 Click Import to browse to the certificate, then click OK.

The certificate is added to the Client Certificates list used by DXL.

Create a list of certificates used by DXL

Create a file that lists the certificates used by DXL clients.

You can create a list of the broker certificates currently in use, or a list of the managed DXL brokers that show broker information.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Certificates.

2 On the Client Certificates page, click Edit.

3 Create a file:

• For a list of broker certificates currently in use, click Export All next to Broker Certificates. The file created is brokerlist.properties with the broker information shown in the following format: broker guid=broker guid;port;host name;ipaddress. You can use this file to validate the brokers that clients are connecting to.

• For a list of managed brokers, click Export All next to Broker List. The file created is brokerlist.properties with broker information shown in the following format: broker guid=broker guid;port;host name;ipaddress. This list can be passed to a client when connecting to the DXL broker fabric.
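The brokerlist.properties layout described above can be checked before the list is handed to a client or used to validate a connection. The following is an added example, not part of the product guide or McAfee's code: a Python parser for the documented broker guid=broker guid;port;host name;ipaddress format that rejects malformed entries and tests whether an endpoint a client connects to is on the exported list. The sample file content (GUIDs, port, host names, addresses) and the names parse_broker_list and is_listed_broker are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the format the guide gives:
#   broker guid=broker guid;port;host name;ipaddress
# GUIDs, port, host names and addresses are made up (documentation ranges).
SAMPLE = """\
# constructed sample, not a real export
5d73b77f-8c4b-4ae0-b437-febd12facfd4=5d73b77f-8c4b-4ae0-b437-febd12facfd4;8883;dxl-broker1.example.test;192.0.2.10
24397e4d-645f-4f2f-974f-f98c55bdddf7=24397e4d-645f-4f2f-974f-f98c55bdddf7;8883;dxl-broker2.example.test;192.0.2.11
aaaaaaaa-0000-4000-8000-000000000001=bbbbbbbb-0000-4000-8000-000000000002;8883;mismatch.example.test;192.0.2.12
cccccccc-0000-4000-8000-000000000003=cccccccc-0000-4000-8000-000000000003;99999;badport.example.test;192.0.2.13
"""

@dataclass(frozen=True)
class Broker:
    guid: str
    port: int
    host: str
    ip: str

def parse_broker_list(text):
    """Return (brokers, errors); errors are (line_number, reason) tuples."""
    brokers, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or .properties comment
            continue
        key, sep, value = line.partition("=")
        fields = value.split(";")
        if not sep or len(fields) != 4:
            errors.append((n, "expected guid=guid;port;host;ip"))
            continue
        guid, port, host, ip = (f.strip() for f in fields)
        key = key.strip().lower()
        if guid.lower() != key:
            # The documented format repeats the GUID; a mismatch means the
            # entry was edited or corrupted, so it is not trusted.
            errors.append((n, "key GUID differs from value GUID"))
            continue
        if not port.isdecimal() or not 1 <= int(port) <= 65535:
            errors.append((n, "port out of range"))
            continue
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            errors.append((n, "invalid IP address"))
            continue
        if key in brokers:
            errors.append((n, "duplicate broker GUID"))
            continue
        brokers[key] = Broker(key, int(port), host.lower(), ip)
    return brokers, errors

def is_listed_broker(brokers, endpoint, port):
    """True if endpoint (host name or IP) and port match an exported broker."""
    try:
        endpoint = str(ipaddress.ip_address(endpoint))
    except ValueError:
        endpoint = endpoint.lower().rstrip(".")
    return any(b.port == port and endpoint in (b.host, b.ip)
               for b in brokers.values())

if __name__ == "__main__":
    listed, problems = parse_broker_list(SAMPLE)
    print(len(listed), "valid brokers;", problems)
```

Entries that fail validation are reported and left out of the result, so a client is never pointed at a broker whose line could not be fully checked.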

Creating DXL queries

You can create queries in McAfee ePO to see property information for DXL broker systems, client systems, and SGX systems.

Use the Queries and Reports feature in McAfee ePO to create managed systems queries. You can then select column headings from the DXL Broker Systems and DXL Client Systems categories to include in the query. For details, see the McAfee ePolicy Orchestrator Product Guide.

DXL server tasks

Server tasks are configurable actions that run on McAfee ePO at scheduled times or intervals.

Use server tasks to automate repetitive tasks. Each task has actions and can be scheduled to occur at specific intervals. For details, see the McAfee ePolicy Orchestrator Product Guide.


DXL server tasks

DXL includes these server tasks.

Server task | Description
Manage DXL Brokers | Assigns the DXLBROKER tag to all fully configured DXL brokers and updates the DXL broker policies. Use this task if you install a new broker and want to immediately identify it in the DXL fabric.
Send DXL State Event | Sends the current DXL State Event to the DXL fabric. Use this task when you make changes to bridged brokers to incorporate those changes on the DXL fabric page.
Update DXL Client Status | Updates the DXL Client connection status for all systems where DXL is installed. It runs once a day by default.
