McAfee ePolicy Orchestrator ESP User Guide...This document provides a high-level description of ePO...


ICS SHIELD

R 510.1

McAfee ePolicy Orchestrator ESP

User Guide

CS-ICSE609en-510A

August 2019


DocID CS-ICSE609en-510A 2

DISCLAIMER

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2019 – Honeywell International Sàrl


Notices

Trademarks

Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.

ControlEdge™ is a trademark of Honeywell International, Inc.

OneWireless™ is a trademark of Honeywell International, Inc.

Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a business unit of Honeywell International, Inc.

Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of Honeywell International, Inc.

Other trademarks

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.

The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, in a file named third_party_licenses on the media containing the product, or at http://www.honeywell.com/ps/thirdpartylicenses.

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support website at:

http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your feedback to:

[email protected]

Use this email address to provide feedback, or to report errors and omissions in the documentation. For immediate help with a technical problem, contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).

How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.

To report a potential security vulnerability against any Honeywell product, please follow the instructions at:

https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

• Send an email to [email protected].

or

• Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this document.

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.


About this Guide

This document provides a high-level description of ePO ESP, the solution for remotely managing ePO (McAfee ePolicy Orchestrator). McAfee ePolicy Orchestrator is a unified console that is included with the Enterprise edition of McAfee VirusScan, and can control VirusScan and other McAfee products by installing updates and configuring settings for all client programs.

Scope

This guide provides step-by-step instructions for configuring, distributing, and using ePO ESP at all levels, from the initial settings up to the deployment in the Security Center and the VSEs.

Intended audience

This guide is for people who are responsible for the configuration and operation of ePO ESP on the Security Center and VSEs:

• Initial Settings – Professional Services, Support, or IT personnel

• Security Center – Administrators and operators

• VSE – Administrators and operators

Prerequisite skills

This guide assumes basic knowledge of the ICS Shield R 510.1 modules relevant to the Security Center, the VSE, or both, depending on your specific role.

Related documents

The following list identifies publications that may contain information relevant to the information in this document.

Document Name                                              Document Number
ICS Shield R510.1 – Security Center Getting Started Guide  CS-ICSE400en-510A
ICS Shield R510.1 – VSE Administrator Guide                CS-ICSE701en-510A


Revision history

Revision  Supported Release  Date         Description
A         Release 510.1      August 2019  This software is an upgrade-only release from Release 501.1
A         Release 500.1      June 2019    First release of product to Honeywell Enterprise customers


Contents

1. SECURITY CONSIDERATIONS ........ 11
1.1 Physical security ........ 11
1.2 Secured zone ........ 11
1.3 Limiting access ........ 11
1.3.1 At the VSE level ........ 11
1.3.2 At the directory or file level ........ 12
1.3.3 Ports used by the application ........ 12
1.4 Authorization measures ........ 12
1.5 Encryption and validation ........ 12
1.6 ePO-specific measures for mitigating security risks ........ 13

2. TERMS AND DEFINITIONS ........ 14

3. SOLUTION OVERVIEW AND WORKFLOW ........ 17
3.1 ePO update delivery ........ 17
3.2 Remote execution of server tasks ........ 18
3.3 Automatic Response ........ 19
3.4 Remote activation of agent update ........ 20

4. ACTIVATION PROCESS ........ 21
4.1 Updating ePO ESP ........ 21
4.1.1 Enabling automatic updates ........ 21
4.1.2 Performing manual update ........ 22
4.2 Activating server tasks remotely ........ 23

5. SOFTWARE REQUIREMENTS ........ 24

6. CONFIGURING THE UPSTREAM EPO ........ 25
6.1 HTTP repository ........ 25
6.2 ePO server ........ 26
6.3 SMTP server ........ 27
6.4 Configuring ePO ESP in the HQ ........ 27

7. CONFIGURING EPO ESP AT THE CUSTOMER SITE ........ 28
7.1 Distributing product lines ........ 28
7.2 Setting up the application tunnel ........ 28
7.3 Adding ePO ESP device ........ 29
7.4 Configuring the site SMTP Server relay ........ 30
7.5 Adding SMTP Server device ........ 34
7.6 Setting up the downstream ePO ........ 36
7.6.1 Source sites and security keys ........ 36
7.6.2 ePO mail server settings ........ 37

A ERROR CODES ........ 39
A.1 ePO update delivery ........ 39
A.2 Run Server Task ........ 42


List of Figures

FIGURE 3-1. EPO UPDATE DELIVERY ........ 18
FIGURE 3-2. REVERSE TUNNEL EPO SMTP ........ 20
FIGURE 6-1. DISTRIBUTED REPOSITORY BUILDER SCREEN ........ 26
FIGURE 6-2. EXTRACTING PUBLIC KEYS ........ 26
FIGURE 7-1. SMTP SERVER FEATURE ........ 30
FIGURE 7-2. ADD REQUIRED FEATURES ........ 31
FIGURE 7-3. BASIC AUTHENTICATION ........ 32
FIGURE 7-4. BADMAIL DIRECTORY ........ 33
FIGURE 7-5. OUTBOUND SECURITY SETTINGS ........ 34


List of Tables

TABLE 1-1. LIST OF PORTS ........ 12
TABLE 4-1. THE PARAMETER SERVER TASKS ........ 23


SECURITY CONSIDERATIONS


1. Security Considerations

This chapter outlines the security measures for ePO ESP.

1.1 Physical security

CAUTION

ePO ESP is a mission-critical component. Take all necessary physical measures to prevent attacks or disasters.

Ensure that the server where the product is installed is located in an approved physically secure location that is accessible only to authorized personnel.

1.2 Secured zone

ePO ESP contains sensitive information, the loss of which could have severe consequences. Therefore, the sensitive information must be protected and attacks against the product prevented. To do that, the VSE software, as well as its related extensions, must be installed in an internally secured zone such as the site’s layer 3 network, with strict access control lists and appropriate firewall/routing rules.

Ensure that ePO ESP is installed in a directory that is only accessible to authorized personnel responsible for the product.

CAUTION

If ePO ESP is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the VSE level

User management on the host running the VSE must follow the principles of need-to-know and least privilege: only users who absolutely must have access to the computer are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.


1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need-to-know and least privilege: only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.

Use the built-in file access audit logging of the OS to monitor unauthorized changes to sensitive files.
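The guide leaves "built-in file access audit logging of the OS" unspecified. The following PowerShell script is an added example (not part of the Honeywell guide) showing what that means on a Windows host: enabling the File System audit subcategory, attaching a SACL audit entry to the installation directory, and then reading back the resulting object-access events. The directory path is a placeholder; the real ePO ESP installation folder is not stated on this page.

```powershell
# Added example (not from the Honeywell guide): enable OS file-access auditing
# for the ePO ESP installation directory so that unauthorized changes are logged.
# $TargetDir is a placeholder; substitute the real installation folder.
# Run from an elevated PowerShell session on the host (Get-Acl -Audit and
# auditpol both need the SeSecurityPrivilege that elevation grants).

$TargetDir = 'C:\ProgramData\EpoEspPlaceholder'   # placeholder path

# 1. Turn on the "File System" audit subcategory for success and failure.
#    Without this policy, SACL entries on the folder generate no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit every attempt to write, delete, or change
#    permissions/ownership, recursively, whether it succeeds or fails.
$acl       = Get-Acl -Path $TargetDir -Audit
$rights    = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule      = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $TargetDir -AclObject $acl

# 3. Review: show the audit entries now present on the folder ...
(Get-Acl -Path $TargetDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# ... and pull recent object-access events (Security event ID 4663,
# "An attempt was made to access an object") that name the folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$TargetDir*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Auditing "Everyone" on write-type rights keeps the event volume manageable while still catching the change the section cares about (unauthorized modification); auditing reads as well would flood the Security log on a busy server. Forward the 4663 events to the central log collector rather than relying on the local log, which rolls over.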

1.3.3 Ports used by the application

The ports used for ePO ESP are listed in the table below, in relation to the VSE.

Table 1-1. List of Ports

Port Number  Inbound/Outbound  Used for
8000         Inbound           Tunnel port – the VSE listens on this port
8443         Outbound          ePO update port – the ePO listens on this port

1.4 Authorization measures

It is strongly recommended to implement the following security measures:

• Change the default administrative password and delete/disable the default service accounts as soon as new administrative accounts are created

• Disable any default Administrator/Root user on the computer

• Disable any default Guest user on the computer

• Disable any unauthenticated access to the computer via shared directories etc.

• Ensure that the OS is up to date with the latest security patches provided by the OS vendor
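The measures in this list can be checked rather than taken on trust. The following PowerShell script is an added example (not part of the Honeywell guide) that audits a Windows host for the conditions in section 1.4 and reports findings; it changes nothing, and the commented `Disable-LocalUser` line shows the remediation. It assumes the `LocalAccounts` and `SmbShare` modules that ship with Windows Server 2016 / Windows 10 and later.

```powershell
# Added example (not from the Honeywell guide): read-only audit of the local
# account, share and patch state recommended in section 1.4.
# Requires the built-in LocalAccounts and SmbShare modules; run elevated.

$findings = @()

# Built-in Administrator and Guest carry the well-known RIDs 500 and 501, so
# identify them by RID rather than by name (the accounts may have been renamed).
foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    if (($rid -in @('500', '501')) -and $u.Enabled) {
        $findings += "Built-in account '$($u.Name)' (RID $rid) is enabled"
        # Remediation:  Disable-LocalUser -Name $u.Name
    }
    if ($u.Enabled -and -not $u.PasswordRequired) {
        $findings += "Account '$($u.Name)' is enabled but does not require a password"
    }
}

# Unauthenticated access via shares: flag non-administrative shares whose ACL
# grants anything to Everyone or ANONYMOUS LOGON.
foreach ($s in Get-SmbShare | Where-Object { -not $_.Special }) {
    $open = Get-SmbShareAccess -Name $s.Name | Where-Object {
        ($_.AccountName -in @('Everyone', 'ANONYMOUS LOGON')) -and $_.AccessControlType -eq 'Allow'
    }
    if ($open) {
        $findings += "Share '$($s.Name)' grants access to $($open.AccountName -join ', ')"
    }
}

# Patch currency: date of the most recently installed update. The 30-day
# threshold is an assumed policy value, not one taken from the guide.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += 'No installed updates are recorded on this host'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "Last OS update was installed on $($latest.InstalledOn.ToShortDateString())"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it after the initial hardening and again on a schedule; a finding that reappears (a re-enabled Guest account, a new Everyone share) is exactly the kind of drift the section's recommendations are meant to prevent.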

1.5 Encryption and validation

All cryptographic keys generated for the encrypted communication must follow the current industry standards, including key size, encryption suites, certificate swapping etc.

Operators and other personnel who have a low authorization level are advised to ensure that they only run software provided from the Headquarters as a code-signed executable file, such as the Hyper Tunnel installer. Code-signed software displays a "signed by" notification when it starts to run.

It is recommended to use a valid certificate issued by a trusted Certificate Authority (CA), either the organization’s internal CA or an external CA.
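Relying on the "signed by" prompt alone leaves the check to the operator's eye. The following PowerShell function is an added example (not part of the Honeywell guide) of verifying an installer's Authenticode signature before it is run: the signature must verify, chain to a trusted root, and come from the expected publisher. The file path and the subject pattern `CN=Honeywell*` are placeholders; the page does not state the actual signer subject of the Hyper Tunnel installer.

```powershell
# Added example (not from the Honeywell guide): refuse to run an installer unless
# its Authenticode signature is valid AND comes from the expected publisher.
# The path and expected subject pattern below are placeholders.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern   # e.g. 'CN=Honeywell*'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the hash matches AND the certificate chains to a trusted root.
    # Every other status (NotSigned, HashMismatch, NotTrusted, UnknownError ...)
    # is a failure; do not special-case any of them.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still untrusted: anyone can
    # buy a code-signing certificate, so pin the subject you expect.
    if ($sig.SignerCertificate.Subject -notlike $ExpectedSubjectPattern) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected signer: $($sig.SignerCertificate.Subject)" }
    }

    # A timestamp counter-signature keeps the signature valid after the signing
    # certificate expires; report its absence so it can be raised with the supplier.
    $ts = if ($sig.TimeStamperCertificate) { 'timestamped' } else { 'not timestamped' }
    return [pscustomobject]@{ Trusted = $true; Reason = "Signed by $($sig.SignerCertificate.Subject) ($ts)" }
}

$installer = 'C:\Downloads\HyperTunnelInstaller.exe'        # placeholder path
$result    = Test-TrustedInstaller -Path $installer -ExpectedSubjectPattern 'CN=Honeywell*'
if ($result.Trusted) {
    "OK: $($result.Reason)"
    # Start-Process -FilePath $installer -Wait
} else {
    "REFUSED: $($result.Reason)"
}
```

The same function can be pointed at any executable the Headquarters distributes; the value of pinning the subject is that a file that is "signed" but by someone else fails closed instead of producing a prompt the operator may click through.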

1.6 ePO-specific measures for mitigating security risks

To mitigate possible security risks, you are advised to take the following measures:

• Follow McAfee’s best practices for defining the ePO Admin role

• Allow the upstream ePO port used for connection to accept only connections from the RAG

• Limit the RAG connections to specific servers only
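The second bullet above, together with the port table in section 1.3.3 (ePO listens on 8443), translates into a host-firewall rule on the upstream ePO server. The following PowerShell script is an added example (not part of the Honeywell guide) that scopes inbound TCP/8443 to the RAG addresses and then verifies that no other enabled rule widens that exposure. The RAG addresses (TEST-NET-2 range) are placeholders.

```powershell
# Added example (not from the Honeywell guide): allow the upstream ePO port
# (8443, Table 1-1) only from the Remote Access Gateway, per section 1.6.
# $RagHosts holds placeholder addresses; run elevated on the upstream ePO host.

$EpoPort  = 8443
$RagHosts = @('192.0.2.10', '192.0.2.11')   # placeholder RAG addresses

# Make the script idempotent: drop rules created by earlier runs.
Get-NetFirewallRule -DisplayName 'ePO ESP 8443 *' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Scoped Allow rule: only the RAG hosts may reach the port.
New-NetFirewallRule -DisplayName 'ePO ESP 8443 allow from RAG' -Direction Inbound `
    -Protocol TCP -LocalPort $EpoPort -RemoteAddress $RagHosts -Action Allow -Profile Any | Out-Null

# Do NOT add a blanket "block 8443" rule: Windows applies matching Block rules
# before Allow rules, so it would block the RAG as well. Rely on the profile's
# default inbound action being Block (check remote-management rules first).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Verification: find every enabled inbound Allow rule that covers the port and
# whose remote scope is wider than the RAG list. Port ranges (e.g. '8000-9000')
# are not expanded here and would need a separate check.
$widened = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf    = $rule | Get-NetFirewallPortFilter
    $ports = @($pf.LocalPort)
    if ($pf.Protocol -notin @('TCP', 'Any')) { continue }
    if (($ports -notcontains "$EpoPort") -and ($ports -notcontains 'Any')) { continue }

    $scope = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $extra = Compare-Object -ReferenceObject $scope -DifferenceObject $RagHosts |
        Where-Object SideIndicator -eq '<='
    if (($scope -contains 'Any') -or $extra) {
        [pscustomobject]@{ Rule = $rule.DisplayName; RemoteAddress = ($scope -join ', ') }
    }
}

if ($widened) {
    "WARNING: rules expose TCP/$EpoPort beyond the RAG hosts:"
    $widened | Format-Table -AutoSize
} else {
    "TCP/$EpoPort is reachable only from the RAG hosts"
}
```

Before setting the default inbound action to Block on a production server, confirm that the allow rules for remote administration you depend on (RDP, WinRM) are enabled, or you will lose access; the verification loop at the end is worth keeping as a scheduled check, since a later product install can add its own "8443 from Any" rule.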

TERMS AND DEFINITIONS

2. Terms and definitions

NOTE

The terms and definitions are listed in alphabetical order.

add-on – An umbrella term for product lines and ESPs

asset – Any site component that is connected to the network and is accessible from the VSE

Communication Server (CS) – The Communication Server provides secure communication between the Security Center and the VSEs

compliance – Whether the device meets the organization policy

corrective action – An execution profile that performs an action to correct a problem detected by other execution profiles; for example, if a monitoring profile detected a low disk space issue, a corrective action will delete obsolete and large temporary files

DB – Database server component

device – A representation of a physical or virtual server or machine in the VSE

diagnose routine (DR) – An execution profile that runs on demand when an issue is encountered, and is intended to collect in-depth diagnostic data

discovery engine – A VSE utility that represents the ICS Shield Active Discovery ESP, which detects and classifies network assets, and, optionally, adds them as devices to the VSE

ePO – McAfee ePolicy Orchestrator; a unified console that is included with the Enterprise edition of McAfee VirusScan. ePO can control VirusScan and other McAfee products by installing updates and configuring settings for all client programs.

Essential security policy (ESP) – A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.

execution profile – A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.

exposure level – The extent to which the specific device is critical to ongoing site operation; the predefined value options for the exposure levels are one of the following:

• High

• Medium

• Low

HQ – Headquarters; the physical location of the Security Center

monitoring profile (MP) – An execution profile configured to run at set time intervals, such as Every day at 18:00

product line – A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE

Remote Access Gateway (RAG) – The Remote Access Gateway is part of the ICS Shield’s remote access solution. When initiated, the Remote Access Gateway automatically pulls the connection details from the Security Center database.

reverse tunnel – A secured connection initiated by the VSE to the Security Center.

scan config – Scan configuration; contains a set of network vulnerability tests (NVTs) used to scan a machine in order to detect vulnerabilities

Security Center (SC) – ICS Shield component that is installed at the corporate data center. The Security Center is composed of various software components, which enable remote collection, analysis, viewing, management, and storage of data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE’s sites.

site – A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE

tunnel – A secure connection established from the Security Center to the VSE

VSE – Virtual Security Engine; the ICS Shield component that is installed at the remote site, monitors the devices at the site, and provides additional functionalities such as remote access

SOLUTION OVERVIEW AND WORKFLOW

3. Solution overview and workflow

This chapter provides a brief overview and workflow of the stages of implementing ePO ESP, as described in the following sections:

• 3.1, ePO update delivery

• 3.2, Remote execution of server tasks

• 3.3, Automatic Response

• 3.4, Remote activation of agent update

3.1 ePO update delivery

The ePO ESP supports the automatic delivery of ePO ESP updates by using specially designed utilities. The process requires the automatic activation of the pull function in the downstream ePO ESP Server, thereby allowing the downstream ePO ESP to synchronize with the upstream ePO ESP server.

The delivery of McAfee ePO antivirus updates uses the application tunnel, which enables the downstream ePO ESP Servers to securely connect to an upstream HTTP Repository at the headquarters (data center) and download the updates. The application tunnel provides the following update methods:

• Fully automated – the update process is started based on a predefined schedule.

• Semi-automated – the update process is started on demand, via a diagnosis routine. The activation can be initiated from the Security Center or the VSE at the remote site.

• Manually – the application tunnel from the downstream ePO ESP server to the upstream repository is generated by the VSE. Once active, you need to log in to the downstream ePO ESP Server UI and manually click Pull Now. To end the operation gracefully, terminate the application tunnel by running an execution profile at the VSE.


3.2 Remote execution of server tasks

Remotely executing ePO ESP server tasks, as well as receiving reports via email, is enabled either by using a local SMTP server at the remote site or by connecting to the upstream SMTP server.

NOTE

To support this configuration, an SMTP relay needs to be installed at the remote site.

Server tasks are configurable actions, which run on the ePO ESP server on a schedule or on demand. McAfee ePO ESP software includes preconfigured server tasks and actions.

The remote activation of server tasks allows users to run several tasks at different remote (downstream) sites and to view or receive their results from an upstream server deployed at a central location (HQ).

Server tasks include the following:

• Performing an action by using the results of a query

• Emailing and exporting reports automatically on a regular basis

• Purging older events automatically from the McAfee ePO ESP server database

• Deleting inactive machines automatically from your system tree

The server tasks can send email messages from the downstream ePO ESP via the SMTP server relay. The SMTP server relay uses the secure application tunnel to transfer these messages to the upstream SMTP server for processing.

Figure 3-1. ePO update delivery


3.3 Automatic Response

The application tunnel to the upstream SMTP server enables using ePO ESP Automatic Response functionality, as well as sending email notifications.

The following scenario provides an example of the Automatic Response process.

1. ePO ESP Automatic Response is triggered by a threat detection.

2. An alert email is sent to the SMTP relay server at the site.

3. The VSE periodically checks, through the SMTP Server Product Line, whether any outgoing emails are queuing on the SMTP server relay. For details see section 7.4, Configuring the site SMTP Server relay. If any emails are found, the VSE opens the SMTP application tunnel between the downstream and upstream SMTP servers.

4. Once the tunnel is open, the SMTP server relay passes on the emails to the upstream SMTP server.

5. The upstream SMTP server delivers the email messages.

NOTE

The complete set of event types for which the user can configure an automatic response depends on the software products that are managed by the ePO ESP server. For additional information, see the ePO ESP documentation.

Using ePO ESP enables executing all ePO ESP server tasks, as well as receiving automatic response notifications. Examples are the following:

• Creating issues

• Executing server tasks

• Running external commands

• Running system commands

• Sending email messages

• Sending SNMP traps

• Detecting threats by anti-virus software

• Outbreak situations (for example, 1000 virus-detected events received within five minutes)

• High-level compliance of ePolicy Orchestrator server events (for example, failure of a repository update or a replication task)

• Detection of new rogue systems


3.4 Remote activation of agent update

The system enables remotely invoking updates, scans, and policy updates.

The automatic activation of ePO ESP Agent update is supported by using the pull function at the downstream ePO ESP server.

The delivery of McAfee ePO ESP antivirus updates uses the application tunnel, which allows downstream ePO ESP agents to securely connect to an upstream ePO ESP repository and download McAfee updates. The application tunnel is transparent to the ePO ESP agent, and provides the following update methods:

• Fully automated – the update process is started based on a predefined schedule.

• Semi-automated – the update process is started on demand by means of an execution profile. The activation can be initiated either from the Security Center or the downstream VSE.

Figure 3-2. Reverse tunnel ePO SMTP

ACTIVATION PROCESS

4. Activation Process

This chapter describes the flows detailed in the following sections:

• 4.1, Updating ePO ESP

• 4.2, Activating server tasks remotely

4.1 Updating ePO ESP

The process of performing ePO ESP updates can be implemented either automatically or manually, as specified below.

4.1.1 Enabling automatic updates

Using the Daily Update of ePO ESP execution profile, the ePO ESP automatically manages sync executions and monitoring as follows:

1. Once a day (23:30 VSE time), the ePO ESP opens the application tunnel to the upstream repository.

2. Upon establishing the secure tunnel, ePO ESP web services are activated to pull updates from the upstream repository.

3. Once the sync process is complete, the application tunnel is terminated.

NOTE

The above can also be executed on demand by activating the diagnosis routine Update ePO ESP.


4.1.2 Performing manual update

ePO ESP also allows an ePO ESP update to be activated manually.

To manually activate an ePO ESP update, an operator needs to:

1. Activate the diagnosis routine Open ePO ESP Update Tunnel, thereby establishing an application tunnel between the downstream ePO ESP and the upstream repository.

2. Log into the downstream ePO ESP and click Pull Now on the Master Repository page.

3. Once the update is complete, activate the diagnosis routine Terminate ePO ESP Update Tunnel, thus terminating the application tunnel. The reverse tunnel should exist only for the duration of the pull; do not leave it open after the update has finished.

Summary:

Option – Process – Comments

• Fully automated – Activate the monitoring profile Daily Update of ePO ESP. – Currently it is scheduled to run every day. Note: you can create an additional profile to meet other requirements.

• Semi-automated – From the Security Center or the downstream VSE, activate the monitoring profile Update ePO ESP. – The ePO ESP update is performed as follows:
  1. An application tunnel opens to the upstream repository.
  2. The ePO ESP web services are activated and pull updates from the repository.
  3. The application tunnel is terminated.

• Manual – 1. Activate the monitoring profile Open ePO ESP Update Tunnel. 2. Log into the downstream ePO ESP and click Pull Now. 3. Activate the monitoring profile Terminate ePO Update Tunnel.

4.2 Activating server tasks remotely

The activation workflow below allows the remote execution of ePO server tasks, by using a daily monitoring profile that activates the server tasks listed in the Custom protocol parameter Server Tasks.

Table 4-1. The parameter Server Tasks

Parameter – Description – Values

Server Tasks – A comma-separated list of the server tasks that need to be executed on the downstream site's ePO – Task1,Task 2

Activation of server tasks is done by performing calls to the ePO web services.

NOTE

Server tasks can also be run on demand by activating the execution profile Run Server Task.

Summary:

Option – Process – Comments

• Fully automated – Activate the execution profile Daily Activation of Server Tasks. – Currently this profile is scheduled to run every day; additional profiles can be created to accommodate any other frequency.

• Semi-automated – Activate the execution profile Run Server Task, either from the Security Center or from the downstream VSE. – Run Server Tasks performs the following operations:
  1. Calls the ePO web services on the downstream ePO to activate the configured server tasks.
  2. Sends the resulting email messages to the downstream SMTP Server relay.
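The following is an added example, not code from this guide or from the ePO ESP product, showing how the two flows of sections 4.1 and 4.2 look when driven against the ePO remote web API (HTTPS GET on /remote/<command>, commands repository.pull and scheduler.runServerTask, responses prefixed with "OK:" or "Error"). Parameter names are taken from the Custom protocol parameters of section 7.3; the ePO host is assumed to be the device's Device Address. The tunnel open/close callbacks and the transport function are assumptions that stand in for the VSE application tunnel and the HTTP client, because this guide does not document the VSE's own API.

```python
"""Added example (not Honeywell/ICS Shield code): a minimal client for the
ePO ESP update flow (4.1) and the remote server-task flow (4.2), written
against the ePO remote web API. Tunnel open/close are caller-supplied
callbacks because the VSE application-tunnel API is not documented here."""
import base64
import json
import ssl
import urllib.request
from contextlib import contextmanager
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# A transport takes (url, username, password, verify_tls) and returns the
# response body. urllib_transport is the real one; tests substitute a fake.
Transport = Callable[[str, str, str, bool], str]


class EpoError(Exception):
    """Raised when ePO answers with an 'Error ...' status line."""


def epo_remote_url(host: str, port: str, command: str,
                   params: Optional[Dict[str, str]] = None) -> str:
    """ePO remote commands are HTTPS GETs on /remote/<command>;
    ':output=json' asks for a JSON payload after the 'OK:' status line."""
    query = dict(params or {})
    query[":output"] = "json"
    return f"https://{host}:{port}/remote/{command}?{urlencode(query)}"


def parse_epo_response(body: str):
    """ePO replies 'OK:\\n<payload>' on success, 'Error <n>: <text>' otherwise."""
    if body.startswith("OK:"):
        payload = body[3:].strip()
        return json.loads(payload) if payload else None
    raise EpoError(body.strip())


def urllib_transport(url: str, username: str, password: str, verify_tls: bool) -> str:
    """Real transport: HTTP basic auth over TLS. verify_tls=False mirrors
    EPO SSL VERIFY HOSTNAME = 0 and belongs in troubleshooting only."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode("utf-8", "replace")


def epo_call(transport: Transport, cfg: Dict[str, str], command: str,
             params: Optional[Dict[str, str]] = None):
    """One ePO web-service call using the device's Custom protocol parameters."""
    url = epo_remote_url(cfg["Device Address"], cfg["EPO Port"], command, params)
    verify = cfg.get("EPO SSL VERIFY HOSTNAME", "1") != "0"
    body = transport(url, cfg["EPO User Name"], cfg["EPO Password"], verify)
    return parse_epo_response(body)


@contextmanager
def application_tunnel(open_tunnel: Callable[[str, str], None],
                       close_tunnel: Callable[[str], None],
                       service_id: str, tunnel_port: str):
    """Step 1 opens the tunnel; step 3 terminates it even when the sync
    fails, so a failed update never leaves the reverse tunnel standing."""
    open_tunnel(service_id, tunnel_port)
    try:
        yield
    finally:
        close_tunnel(service_id)


def update_epo_esp(transport: Transport, cfg: Dict[str, str],
                   open_tunnel, close_tunnel):
    """Section 4.1 flow: tunnel up, repository.pull from the source site
    named by EPO Source Repository, tunnel down."""
    with application_tunnel(open_tunnel, close_tunnel,
                            cfg["Service ID"], cfg["Tunnel Port"]):
        return epo_call(transport, cfg, "repository.pull",
                        {"sourceRepository": cfg["EPO Source Repository"]})


def run_server_tasks(transport: Transport, cfg: Dict[str, str]) -> Dict[str, object]:
    """Section 4.2 flow: run every task named in the comma-separated
    Server Tasks parameter through scheduler.runServerTask."""
    names = [n.strip() for n in cfg["Server Tasks"].split(",") if n.strip()]
    results = {}
    for name in names:
        results[name] = epo_call(transport, cfg, "scheduler.runServerTask",
                                 {"taskName": name})
    return results
```

The context manager is the point of the example: the manual procedure in 4.1.2 relies on the operator remembering to run Terminate ePO ESP Update Tunnel, whereas here the tunnel is closed in a finally block, so a 401 from ePO or a failed pull still tears it down. A production wrapper would map the EpoError text onto the error codes of Appendix A.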


5. Software requirements

The following software versions are required to set up ePO ESP:

• VSE version 4.6.33 and later. If the SMTP Server relay is used, the VSE must be installed on Windows Server 2003 or later.

• McAfee ePolicy Orchestrator version 4.6.2 and later


6. Configuring the Upstream ePO

This chapter describes the required configuration of the upstream ePO, namely the ePO at the HQ/Security Center side.

NOTES

• This configuration is a one-time operation, which should be performed with the assistance of support personnel.

• If the ePO is installed with the local Apache server (default), it has an XML configuration file that controls access to every resource. Review this file to ensure that access to the root directory and serving of the master repository content are permitted.

CAUTION

Before configuring the upstream ePO, ensure that the McAfee firewall is disabled. If this firewall is enabled it blocks connections to the server on the ports of its services, which causes connectivity failures in the reverse tunnel from the downstream to the upstream ePO server. If site policy requires the host firewall to stay enabled, it must at least permit inbound connections on the HTTP repository port and, if email responses are used, on the SMTP server port (see sections 6.1 and 6.3).

6.1 HTTP repository

An ePO distributed repository is a local access point, strategically placed throughout your environment to enable agents or other ePO elements to receive signatures, product updates, and product installations with minimal bandwidth impact.

NOTE

A web server such as IIS or Apache must be installed and configured prior to the creation of a distributed HTTP repository in ePO.

Setting up a distributed HTTP repository for the upstream ePO requires administrator privileges. If needed, support personnel can assist with the configuration.


The following are required:

• HTTP repository agent credentials for downloading files (anonymous login is also possible)

• The URL (IP or DNS name), port and Replication UNC Path, taken from the Distributed Repository Builder screen in the upstream ePO, as shown in Figure 6-1

6.2 ePO server

The distributed repository at the downstream ePO is configured by using the public keys that are exported as a ZIP file from the upstream ePO, as shown in Figure 6-2.

Figure 6-1. Distributed Repository Builder screen

Figure 6-2. Extracting public keys


6.3 SMTP server

The SMTP server is needed only if email responses from the downstream ePO are required. Like the HTTP repository, the SMTP server also needs to be accessible from the RAG (default port 25). The configuration for sending email messages requires the server IP address (or DNS name) and credentials.

6.4 Configuring ePO ESP in the HQ

The network needs to be configured to allow the connection to the distributed repository (and to the SMTP server, if required) from the site ePO. This step is a one-time operation that is performed only by support personnel. ePO ESP requires the HTTP repository information and the SMTP server information. For details see section 6.1, HTTP repository, and section 6.3, SMTP server.



7. Configuring ePO ESP at the Customer Site

This chapter describes the process of deploying and configuring ePO ESP at a

customer’s site.

The deployment and configuration are performed by using the steps described in the

following sections:

• 7.1, Distributing product lines

• 7.2, Setting up the application tunnel

• 7.3, Adding ePO ESP device

• 7.4, Configuring the site SMTP Server relay

• 7.5, Adding SMTP Server

• 7.6, Setting up the downstream ePO

7.1 Distributing product lines

Distribute the following product lines to the VSE:

• ePO ESP

• SMTP Server Product Line – opens a reverse tunnel that enables email forwarding from the local SMTP server to the HQ SMTP server

NOTE

SMTP Server Product Line is needed only if automatic responses via email are

required.

7.2 Setting up the application tunnel

The application tunnel from the VSE to the upstream ePO HTTP repository and SMTP server needs to be configured in the VSE. To do so, distribute the software package Add ePO Reverse Tunnel Services (SMTP and ePO) provided during the installation. This package automatically adds the required settings for creating the application tunnel.


7.3 Adding ePO ESP device

To configure the ePO ESP device in the VSE:

1. Log into the VSE as administrator

2. Go to Operations > Device Management > New

3. Use the following definitions:

Product Line - ePO ESP

Model – ePO model

Version – ePO version

Unique ID – automatic

Device Address – address of the downstream ePO

Device name – <VSE site name>_ePO

4. Enter the following Custom protocol parameters (Parameter Name – Value – Default Value (example)):

UI_Port – The UI port of the VSE – 8449

VSE User Name – The user name of the VSE (UI) user, needed to create the application tunnel – admin

VSE User Password – The password of the VSE user, needed to create the application tunnel – admin

Service ID – The Service ID of the Update ePO service – 7

EPO Port – Default port of the ePO – 8443

EPO User Name – ePO Admin user name – Admin

EPO Password – ePO Admin password – pass

EPO Source Repository – The source repository name, as defined in the downstream ePO under Server Settings > Source Sites – HQ_HTTP_REPO

Tunnel Port – Port used by the secure tunnel – 8000

Server Tasks – A comma-separated list of the server tasks that need to be executed in the downstream ePO – RunServerReport,Daily report

EPO SSL VERIFY HOSTNAME – Specifies whether validation of the SSL certificate on the ePO server is required: 0 – do not verify the SSL certificate of the ePO server; 1 – verify the SSL certificate of the ePO server

NOTE

The default values are examples only. Replace the example credentials (admin/admin, Admin/pass) with the site's real accounts, and leave EPO SSL VERIFY HOSTNAME at 1: a value of 0 disables certificate validation on the connection to the ePO server and should only be used while troubleshooting a certificate problem (see Appendix A).

5. Click Save to save the new device in the downstream VSE.

7.4 Configuring the site SMTP Server relay

To configure the site SMTP Server relay:

1. Install IIS SMTP Server on the VSE machine

a. Add the SMTP Server feature (from Server Manager)

Figure 7-1. SMTP Server feature


b. Click Add Required Features.

c. Ensure that IIS 6 Metabase Compatibility and IIS 6 Management Console

are selected.

d. Click Next and then Install.

2. Open IIS Manager 6.0

3. Right-click SMTP virtual server and select Properties

4. Change the listening port as follows:

a. Go to the General tab

b. Click Advanced and change the listening port from 25 to 25001

5. Harden the authentication as follows:

a. Go to the Access tab.

b. Click Authentication.

c. In the Authentication dialog box, select the Basic authentication check box.

Figure 7-2. Add Required Features


NOTE

To configure the ePO ESP to send email messages (Email Server

Settings), valid Windows user credentials must be provided. These

credentials are of a Windows user on the SMTP Relay server.

Figure 7-3. Basic authentication


6. Go to the Messages tab and ensure that the Badmail directory is defined as

shown below.

Figure 7-4. Badmail directory


7. Go to the Delivery tab and click Outbound Security to set the credentials of the

headquarters SMTP in the Basic authentication section.

8. Change the outbound connections TCP port to 8025.

9. Click Advanced and change smart host to the VSE IP or hostname.

7.5 Adding SMTP Server device

NOTE

Configure the SMTP Server device only if automatic email responses are required

To configure the SMTP Server device:

1. Log into the VSE as an administrator

2. Go to Operations > Device Management > New

3. Use the following definitions:

a. Product Line – SMTP Server

b. Model – one of: SMTP on VSE (the SMTP server is installed on the same machine as the VSE) or Dedicated SMTP (the SMTP server is installed on a dedicated server)

c. Version – 1.0

d. Unique ID – Automatic

e. Device Address – address of the downstream SMTP server

f. Device name – <VSE site Name>_SMTP

Figure 7-5. Outbound security settings

4. Enter the following Custom protocol parameters (Parameter Name – Value – Default Value (example)):

VSE User Name – The user name of the VSE (UI) user, needed for creating the application tunnel – admin

VSE User Password – The password of the VSE user, needed for creating the application tunnel – admin

SMTP Service ID – The Service ID of the SMTP server – 8

SMTP Tunnel Port – A port that is not used by any other application on the downstream VSE – 8025

SMTP Tunnel Timeout – Application tunnel timeout in minutes – 10

SMTP Server IP – IP address of the downstream SMTP server – x.x.x.x

SMTP Mailroot – Mailroot of the downstream SMTP server – C:\inetpub\mailroot

5. Click Save to save the new device in the remote site VSE.


7.6 Setting up the downstream ePO

This section provides instructions for setting up the downstream ePO.

NOTES

• This configuration is a one-time operation, which should be performed with the assistance of support personnel.

• If the ePO is installed with the local Apache server (default), it has an XML configuration file that controls access to every resource. Review this file to ensure that access to the root directory and serving of the master repository content are permitted.

CAUTION

Before configuring the upstream ePO, ensure that the McAfee firewall is disabled. If this firewall is enabled it blocks connections to the server on the ports of its services, which causes connectivity failures in the reverse tunnel from the downstream to the upstream ePO server.

7.6.1 Source sites and security keys

To add the upstream HTTP repository as a source site:

1. Log into the downstream ePO user interface (administrator user is required)

2. Go to Menu > Configuration > Server Settings

3. Select Source Sites and click Edit.

4. Click on Add Source Site and use the following settings:

a. Repository name – use the same name defined in the ePO ESP device for the

EPO Source Repository parameter

b. Type – select HTTP

c. URL – select IPv4 and enter the IP address of the VSE followed by the virtual directory name of the HTTP repository (e.g., 10.10.10.10/ePO-HTTP)

d. Port – use the same port as defined in the ePO ESP device for the Tunnel Port

parameter (default: 8000)

e. Download credentials – select Anonymous or HTTP authentication if the HTTP

repository was configured with specific credentials

f. Review the settings and click Save to complete the setup

g. Click Enable Fallback on the new site’s row

h. Click Save.

5. Select Security Keys and click Edit.


6. Click Import and browse to the public key ZIP file extracted from the upstream

ePO (see section 6.2, ePO server), and then click Next.

7. Click Save to import the public keys and then click Save again.

7.6.2 ePO mail server settings

ePO mail server settings are required for the Server Tasks and Automatic Responses functions in the ePO server (refer to the ePO documentation for configuration information).

To configure the ePO mail server:

1. Log into the downstream EPO UI (administrator user is required)

2. Navigate to Menu > Configuration > Server Settings.

3. Select Email Server and click Edit.

4. Use the following settings:

a. Server Name – hostname or IP address for the site SMTP server

b. SMTP Server Port – downstream SMTP server port (default is 25001)

c. Username – downstream SMTP Server username

d. Password – downstream SMTP server password

e. From address – Enter the address

5. Click Save.
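Before the values above are saved in ePO, it is worth confirming that the site relay from section 7.4 really behaves as configured: that it answers on the changed port (25001, not 25), that Basic authentication is advertised, that an unauthenticated client cannot relay through it, and that the Windows credentials ePO will use are accepted. The following is an added example, not code from this guide or from the ePO ESP product; the hostname, port, account and probe addresses are assumed example values, and the smtp_factory argument is an assumption that lets the check run against a fake server.

```python
"""Added example (not Honeywell/ICS Shield code): pre-flight check of the
site SMTP relay (section 7.4) with the values entered in the ePO Email Server
settings (section 7.6.2). A relay that advertises AUTH but still accepts mail
from an unauthenticated client is an open relay, so the probe deliberately
tries to relay before logging in."""
import smtplib
from typing import Dict


def check_site_relay(host: str, port: int, username: str, password: str,
                     probe_from: str, probe_to: str,
                     smtp_factory=smtplib.SMTP) -> Dict[str, bool]:
    """Return named checks; all must be True before ePO is pointed at the relay.
    probe_to should be an address outside the relay's own domain, otherwise a
    local delivery would pass as a successful 'relay'."""
    results = {"connected": False, "auth_advertised": False,
               "unauthenticated_relay_refused": False, "login_ok": False}
    try:
        conn = smtp_factory(host, port, timeout=10)
    except OSError:
        return results  # wrong port (25 instead of 25001) or blocked by a firewall
    results["connected"] = True
    try:
        conn.ehlo()
        # Section 7.4 step 5 enables Basic authentication; it must show in EHLO.
        results["auth_advertised"] = conn.has_extn("auth")
        # Relay attempt before login: a correctly hardened relay refuses it.
        try:
            conn.sendmail(probe_from, [probe_to],
                          "Subject: relay probe\r\n\r\nrelay probe\r\n")
        except (smtplib.SMTPSenderRefused, smtplib.SMTPRecipientsRefused,
                smtplib.SMTPDataError, smtplib.SMTPAuthenticationError):
            results["unauthenticated_relay_refused"] = True
        # The Windows account from section 7.4 must be accepted.
        try:
            conn.login(username, password)
            results["login_ok"] = True
        except smtplib.SMTPException:
            pass
    finally:
        try:
            conn.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return results


def relay_is_ready(results: Dict[str, bool]) -> bool:
    """True only when every check passed."""
    return all(results.values())
```

Run it from the ePO host, since that is where the Email Server settings are used: check_site_relay("vse.site.example", 25001, "relayuser", "...", "epo@site.example", "probe@external.example"). If unauthenticated_relay_refused comes back False, anonymous access on the SMTP virtual server is still enabled and the relay will forward mail for anyone who can reach port 25001.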


Appendices

This guide includes the following appendices:

• A, Error codes


A Error codes

This chapter specifies the error codes displayed when performing the following tasks:

• ePO update delivery

• Run Server Task

A.1 ePO update delivery

Error Code – Message – Possible Issues

706 – Tunnel was not opened. VSE credentials are incorrect. Examine the VSE User Name and VSE User Password parameters in Custom protocol. – The VSE user name and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

476 – Tunnel is already open, no need to re-open. – The application tunnel is already open. The script has not performed any action. No need to resolve.

472 – Unable to open Tunnel, Sync will not continue. Make sure that service id:$ServiceID is defined properly in VSE, Database and protocol settings–>custom. – The Service ID might not be defined properly in the VSE or in the Security Center database:
  • Check that the service and port are defined properly in the VSE file DefaultRRAConfiguration.xml.
  • Check that the service is defined properly in the DB table RMA_INBOUND_SERVICE_T.
  • Check in NNGateway.log that the RAG is connected to the HTTP repository.

401 – Unable to Sync ePO, Wrong Credentials. – The ePO admin user name and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

ePO Code: 500 – Content: Can't connect to ip:port (No connection could be made because the target machine actively refused it.) – Unable to connect to the ePO server. Verify the following Custom protocol parameters: EPO Server IP, EPO Port.

ePO Code: 500 – Content: Can't connect to ip:port (certificate verify failed) – The ePO server does not have a valid SSL certificate issued by a trusted certificate authority. The proper fix is to install a certificate on the ePO server that the client trusts. To ignore the error and continue without a valid certificate, change the EPO SSL VERIFY HOSTNAME parameter in Custom Protocols to 0; this disables certificate validation for the ePO connection and should be reverted once the certificate problem is resolved.

ePO Code: 1 – ePO sync failed, Unable to download files from repository. Please check Server Settings–>Source Sites settings in the site ePO. – Unable to connect the downstream ePO to the upstream HTTP repository. Verify the following Custom protocol parameter: Tunnel Port.

111 – Unable to open Tunnel. Sync will not continue. – Verify the following Custom protocol parameter: VSE IP.

ePO Code: 2 – ePO sync failed, ePO source site name was invalid. Check VSE > Custom Protocols > EPO Source Repository. – The ePO repository name is incorrect. Verify the following Custom protocol parameter: EPO Source Repository.

2063 – Tunnel was not opened, make sure that the Remote Access Bridge service is working properly. – Check whether the Remote Access Bridge service is running.

2064 – Tunnel was not opened, make sure that the service is not disabled in the Security Center. – Check whether the ePO service is enabled in the database.

2039 – Tunnel was not opened, make sure that the Tunnel Port parameter in Custom protocol is not negative. – Verify that the Tunnel Port parameter in Custom Protocols is > 0.


A.2 Run Server Task

Error Code – Message – Possible Issues

706 – Tunnel was not opened; VSE credentials are incorrect. Examine the VSE User Name and VSE User Password parameters in Custom protocol. – The VSE user name and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

476 – SMTP Tunnel is already open, no need to re-open. – The application tunnel is already open. The script has not performed any action. No need to resolve.

472 – Unable to open Tunnel, Sync will not continue. Make sure that service id:$ServiceID is defined properly in VSE, Database and protocol settings–>custom. – The SMTP Service ID might not be defined properly in the VSE or in the Security Center database:
  • Check that the service and port are defined properly in the VSE file DefaultRRAConfiguration.xml.
  • Check that the service is defined properly in the DB table RMA_INBOUND_SERVICE_T.
  • Check in NNGateway.log that the RAG is connected to the HTTP repository.

401 – Unable to Sync ePO, Wrong Credentials. – The ePO admin user name and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

ePO Code: 500 – Can't connect to ip:port (No connection could be made because the target machine actively refused it.) – Unable to connect to the ePO server. Check the following Custom protocol parameters: EPO Server IP, EPO Port.

ePO Code: 500 – Can't connect to ip:port (certificate verify failed) – The ePO server does not have a valid SSL certificate issued by a trusted certificate authority. The proper fix is to install a certificate on the ePO server that the client trusts. To ignore the error and continue without a valid certificate, change the EPO SSL VERIFY HOSTNAME parameter in Custom Protocols to 0; this disables certificate validation for the ePO connection and should be reverted once the certificate problem is resolved.

ePO Code: 3 – ePO Server Task error. Server task:$task was not found. Make sure that the Server Tasks parameter in System Parameters->custom was defined properly. – The server task name does not exist in the downstream ePO server. Check the following Custom Protocols setting: Server Tasks.

111 – Unable to open Tunnel. Sync will not continue. – Verify the following Custom protocol parameter: VSE IP.

1301 – SMTP Tunnel was not terminated: 1301. Error Message: Failed to terminate Reverse Remote Access connection. Not all the selected remote activities were aborted. – Occurs when trying to terminate the SMTP tunnel while the tunnel does not exist.


CS-ICSE609en-510A July 2019 © 2019 Honeywell International Sàrl

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX 77042

Honeywell House, Skimped Hill Lane, Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203

www.honeywellprocess.com