ICS SHIELD
R 510.1
McAfee ePolicy Orchestrator ESP
User Guide
CS-ICSE609en-510A
August 2019
DocID CS-ICSE609en-510A 2
DISCLAIMER
This document contains Honeywell proprietary information. Information contained
herein is to be used solely for the purpose submitted, and no part of this document or
its contents shall be reproduced, published, or disclosed to a third party without the
express permission of Honeywell International Sàrl.
While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for a
purpose and makes no express warranties except as may be stated in its written
agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential
damages. The information and specifications in this document are subject to change
without notice.
Copyright 2019 – Honeywell International Sàrl
Notices
Trademarks
Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered
trademarks of Honeywell International, Inc.
ControlEdge™ is a trademark of Honeywell International, Inc.
OneWireless™ is a trademark of Honeywell International, Inc.
Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon
International is a business unit of Honeywell International, Inc.
Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business
unit of Honeywell International, Inc.
Other trademarks
Trademarks that appear in this document are used only to the benefit of the trademark
owner, with no intention of trademark infringement.
Third-party licenses
This product may contain or be derived from materials, including software, of third
parties. The third party materials may be subject to licenses, notices, restrictions and
obligations imposed by the licensor.
The licenses, notices, restrictions and obligations, if any, may be found in the materials
accompanying the product, in the documents or files accompanying such third party
materials, in a file named third_party_licenses on the media containing the product, or
at http://www.honeywell.com/ps/thirdpartylicenses.
Documentation feedback
You can find the most up-to-date documents on the Honeywell Process Solutions
support website at:
http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation, send your
feedback to:
Use this email address to provide feedback, or to report errors and omissions in the
documentation. For immediate help with a technical problem, contact your local
Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical
Assistance Center (TAC).
How to report a security vulnerability
For the purpose of submission, a security vulnerability is defined as a software defect
or weakness that can be exploited to reduce the operational or security capabilities of
the software.
Honeywell investigates all reports of security vulnerabilities affecting Honeywell
products and services.
To report a potential security vulnerability against any Honeywell product, please
follow the instructions at:
https://honeywell.com/pages/vulnerabilityreporting.aspx
Submit the requested information to Honeywell using one of the following methods:
Send an email to [email protected].
or
Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or
Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this
document.
Support
For support, contact your local Honeywell Process Solutions Customer Contact Center
(CCC). To find your local CCC visit the website,
https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.
Training classes
Honeywell holds technical training classes that are taught by process control systems
experts. For more information about these classes, contact your Honeywell
representative, or see http://www.automationcollege.com.
About this Guide
This document provides a high-level description of ePO ESP, the solution for remotely
managing ePO (McAfee ePolicy Orchestrator). McAfee ePolicy Orchestrator is a unified
console that is included with the Enterprise edition of McAfee VirusScan, and can
control VirusScan and other McAfee products by installing updates and configuring
settings for all client programs.
Scope
This guide provides step-by-step instructions for configuring, distributing, and using
ePO ESP at all levels, from the initial settings up to the deployment in the Security
Center and the VSEs.
Intended audience
This guide is for people who are responsible for the configuration and operation of ePO
ESP on the Security Center and VSEs:
• Initial Settings – Professional Services, Support, or IT personnel
• Security Center – Administrators and operators
• VSE – Administrators and operators
Prerequisite skills
This guide assumes basic knowledge of the ICS Shield R 510.1 modules relevant to the
Security Center, the VSE, or both, depending on your specific role.
Related documents
The following list identifies publications that may contain information relevant to the
information in this document.
Document Name | Document Number
ICS Shield R510.1 – Security Center Getting Started Guide | CS-ICSE400en-510A
ICS Shield R510.1 – VSE Administrator Guide | CS-ICSE701en-510A
Revision history
Revision | Supported Release | Date | Description
A | Release 510.1 | August 2019 | This software is an upgrade-only release from Release 501.1
A | Release 500.1 | June 2019 | First release of product to Honeywell Enterprise customers
Contents
1. SECURITY CONSIDERATIONS ........ 11
1.1 Physical security ........ 11
1.2 Secured zone ........ 11
1.3 Limiting access ........ 11
1.3.1 At the VSE level ........ 11
1.3.2 At the directory or file level ........ 12
1.3.3 Ports used by the application ........ 12
1.4 Authorization measures ........ 12
1.5 Encryption and validation ........ 12
1.6 ePO-specific measures for mitigating security risks ........ 13
2. TERMS AND DEFINITIONS ........ 14
3. SOLUTION OVERVIEW AND WORKFLOW ........ 17
3.1 ePO update delivery ........ 17
3.2 Remote execution of server tasks ........ 18
3.3 Automatic Response ........ 19
3.4 Remote activation of agent update ........ 20
4. ACTIVATION PROCESS ........ 21
4.1 Updating ePO ESP ........ 21
4.1.1 Enabling automatic updates ........ 21
4.1.2 Performing manual update ........ 22
4.2 Activating server tasks remotely ........ 23
5. SOFTWARE REQUIREMENTS ........ 24
6. CONFIGURING THE UPSTREAM EPO ........ 25
6.1 HTTP repository ........ 25
6.2 ePO server ........ 26
6.3 SMTP server ........ 27
6.4 Configuring ePO ESP in the HQ ........ 27
7. CONFIGURING EPO ESP AT THE CUSTOMER SITE ........ 28
7.1 Distributing product lines ........ 28
7.2 Setting up the application tunnel ........ 28
7.3 Adding ePO ESP device ........ 29
7.4 Configuring the site SMTP Server relay ........ 30
7.5 Adding SMTP Server device ........ 34
7.6 Setting up the downstream ePO ........ 36
7.6.1 Source sites and security keys ........ 36
7.6.2 ePO mail server settings ........ 37
A ERROR CODES ........ 39
A.1 ePO update delivery ........ 39
A.2 Run Server Task ........ 42

List of Figures
FIGURE 3-1. EPO UPDATE DELIVERY ........ 18
FIGURE 3-2. REVERSE TUNNEL EPO SMTP ........ 20
FIGURE 6-1. DISTRIBUTED REPOSITORY BUILDER SCREEN ........ 26
FIGURE 6-2. EXTRACTING PUBLIC KEYS ........ 26
FIGURE 7-1. SMTP SERVER FEATURE ........ 30
FIGURE 7-2. ADD REQUIRED FEATURES ........ 31
FIGURE 7-3. BASIC AUTHENTICATION ........ 32
FIGURE 7-4. BADMAIL DIRECTORY ........ 33
FIGURE 7-5. OUTBOUND SECURITY SETTINGS ........ 34

List of Tables
TABLE 1-1. LIST OF PORTS ........ 12
TABLE 4-1. THE PARAMETER SERVER TASKS ........ 23
SECURITY CONSIDERATIONS
1. Security Considerations
This chapter outlines the security measures for ePO ESP.
1.1 Physical security
CAUTION
ePO ESP is a mission-critical component.
Take all necessary physical measures to prevent attacks or disasters.
Ensure that the server where the product is installed is located in an approved
physically secure location that is accessible only to authorized personnel.
1.2 Secured zone
ePO ESP contains sensitive information, the loss of which could have severe
consequences. Therefore, there is a need to protect the sensitive information and
prevent attacks against the product. To do that, the VSE software, as well as its related
extensions, must be installed in an internally secured zone such as the site’s layer 3
network, with strict access control lists and appropriate firewall/routing rules.
Ensure that ePO ESP is installed in a directory that is only accessible to authorized
personnel responsible for the product.
CAUTION
If ePO ESP is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.
1.3 Limiting access
It is highly recommended to follow regulatory, industry, and enterprise standards for
limiting access to sensitive information as specified below.
1.3.1 At the VSE level
The user management at the host running the VSE must follow the principles of need
to know and least privilege: only users who absolutely must have access to the
computer are granted access, and these users are assigned the minimal set of
permissions allowing them to perform their job.
1.3.2 At the directory or file level
Access to directories and files should also be granted in accordance with the principles
of need to know and least privilege: only users who absolutely must have access to the
requested directory and file are granted access, and these users are assigned the
minimal set of permissions allowing them to perform their job.
Use the built-in file access audit logging of the OS to monitor unauthorized changes to
sensitive files.
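The audit logging the section recommends can be switched on and reviewed from PowerShell. The script below is an added example and is not part of the Honeywell guide or the ICS Shield product: it enables the File System audit subcategory, adds a SACL entry to the installation directory so that writes, deletions and permission changes are recorded, and then summarises the resulting Security-log events by account. The installation path is a placeholder, and the event property positions are taken from the standard 4663 event template; run it in an elevated session.

```powershell
# Added example, not from the Honeywell guide: enable OS file-access auditing on the
# ePO ESP installation directory (section 1.3.2) and review the resulting events.
$InstallDir = 'C:\Program Files\ICS Shield\ePO ESP'   # ASSUMPTION: placeholder path

# 1. Turn on the 'File System' audit subcategory so object-access events are logged.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit successful and failed write, delete, permission and
#    ownership changes by anyone, inherited by files and subfolders. Reads are left
#    out on purpose to keep the Security log manageable.
$acl  = Get-Acl -Path $InstallDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write,Delete,ChangePermissions,TakeOwnership',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $InstallDir -AclObject $acl

# 3. Review: event ID 4663 ('An attempt was made to access an object') entries that
#    name the directory, grouped by account so an unexpected writer stands out.
function Get-InstallDirAccessEvents {
    param([string] $Directory, [int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Directory*" } |
        ForEach-Object {
            # Property positions follow the 4663 event template:
            # 1 = SubjectUserName, 6 = ObjectName, 11 = ProcessName
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[1].Value
                Object  = $_.Properties[6].Value
                Process = $_.Properties[11].Value
            }
        }
}

Get-InstallDirAccessEvents -Directory $InstallDir |
    Group-Object Account | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Reading and writing a SACL requires the SeSecurityPrivilege that an elevated administrator session has; a non-elevated Get-Acl -Audit call fails rather than returning an incomplete ACL. Any account other than the product's service account and the named administrators appearing in the grouped output is the signal this section wants you to catch.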
1.3.3 Ports used by the application
The ports used for ePO ESP are listed in the table below, in relation to the VSE.
Table 1-1. List of Ports
Port Number | Inbound/Outbound | Used for
8000 | Inbound | Tunnel port – the VSE listens on this port
8443 | Outbound | ePO update port – the ePO listens on this port
1.4 Authorization measures
It is strongly recommended to implement the following security measures:
• Change the default administrative password and delete/disable the default service
accounts as soon as new administrative accounts are created
• Disable any default Administrator/Root user on the computer
• Disable any default Guest user on the computer
• Disable any unauthenticated access to the computer via shared directories etc.
• Ensure that the OS is up to date with the latest security patches provided by the OS
vendor
1.5 Encryption and validation
All cryptographic keys generated for the encrypted communication must follow the
current industry standards, including key size, encryption suites, certificate swapping
etc.
Operators and other personnel who have a low authorization level are advised to
ensure that they only run software provided from the Headquarters as a code-signed
executable file, such as the Hyper Tunnel installer. Code-signed software displays a
"signed by" notification when it starts to run.
It is recommended to use a valid certificate issued by a trusted Certificate Authority
(CA), either the organization’s internal CA or an external CA.
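The "signed by" notification is a visual cue; an operator who scripts installations can make the same check mandatory before anything runs. The function below is an added example, not code from the Honeywell guide: it uses Get-AuthenticodeSignature to refuse any file whose signature is missing, tampered with, or not chained to a trusted CA, and additionally requires the signer's subject to match the expected publisher. The installer path and the expected subject pattern are placeholders to be replaced with values taken from a known-good Headquarters-supplied file.

```powershell
# Added example, not from the Honeywell guide: verify the Authenticode signature of
# a Headquarters-supplied installer before running it, as section 1.5 advises.
function Test-SignedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ASSUMPTION: expected signer subject; take it from a known-good installer,
        # never from the file you are about to run.
        [string] $ExpectedSubjectPattern = 'CN=Honeywell*'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"; return $false
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is Valid only when the file hash matches the signature AND the chain
    # builds to a trusted root. NotSigned, HashMismatch and NotTrusted all fail here.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike $ExpectedSubjectPattern) {
        Write-Warning "Unexpected signer '$subject' on $Path"; return $false
    }
    # A timestamped signature stays verifiable after the signing certificate expires.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "Signature on $Path is not timestamped"
    }
    Write-Verbose "$Path is signed by $subject"
    return $true
}

# Usage: launch only when the check passes.
$installer = 'C:\Temp\HyperTunnelInstaller.exe'   # ASSUMPTION: path to the HQ-supplied file
if (Test-SignedInstaller -Path $installer -Verbose) {
    Start-Process -FilePath $installer -Wait
} else {
    Write-Error "Refusing to run unsigned or untrusted installer: $installer"
}
```

Checking the subject as well as the status matters because a Valid status only says that some trusted CA signed the file; the subject pattern ties it to the organisation that is supposed to ship it. If the organisation's internal CA issued the code-signing certificate, its root must already be in the Trusted Root store on the VSE, otherwise the status is NotTrusted and the check correctly fails.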
1.6 ePO-specific measures for mitigating security risks
To mitigate possible security risks, you are advised to take the following measures:
• Follow McAfee’s best practices for defining the ePO Admin role
• Allow the upstream ePO port used for connection to accept only connections from
the RAG
• Limit the RAG connections to specific servers only
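The second and third bullets, together with the port list in Table 1-1, translate directly into scoped host-firewall rules. The script below is an added example, not configuration shipped with the Honeywell guide or the product: it creates Windows Firewall rules for the two ports in Table 1-1 and restricts the upstream ePO port to the RAG address, then lists the address scope of each rule so an auditor can confirm none is left open to any source. The RAG and upstream ePO addresses are placeholders; each group of rules is meant to be run on the host named in its comment.

```powershell
# Added example, not from the Honeywell guide: scoped Windows Firewall rules for the
# ports in Table 1-1, applying the section 1.6 advice that the upstream ePO port
# accepts connections only from the RAG. Addresses are placeholders.
$RagAddress  = '10.0.0.10'   # ASSUMPTION: RAG / Security Center address
$UpstreamEpo = '10.0.0.20'   # ASSUMPTION: upstream ePO server address

# --- Run on the VSE ---
# Tunnel port 8000 is inbound on the VSE. Without -RemoteAddress the rule would
# default to 'Any'; scoping it to the RAG is the hardened form.
New-NetFirewallRule -DisplayName 'ICS Shield VSE tunnel 8000 from RAG only' `
    -Direction Inbound -Protocol TCP -LocalPort 8000 `
    -RemoteAddress $RagAddress -Action Allow -Profile Domain,Private

# Outbound ePO update traffic (8443) should reach only the upstream ePO. This rule
# is restrictive only if the profile's default outbound action is Block.
New-NetFirewallRule -DisplayName 'ICS Shield VSE ePO update 8443 to upstream ePO' `
    -Direction Outbound -Protocol TCP -RemotePort 8443 `
    -RemoteAddress $UpstreamEpo -Action Allow -Profile Domain,Private

# --- Run on the upstream ePO server ---
# Section 1.6: accept the ePO connection port only from the RAG.
New-NetFirewallRule -DisplayName 'ePO 8443 from RAG only' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -RemoteAddress $RagAddress -Action Allow -Profile Domain,Private

# --- Verification (either host) ---
# Show port and remote-address scope per rule so that a rule accidentally left at
# 'Any' is visible at a glance.
Get-NetFirewallRule -DisplayName 'ICS Shield*', 'ePO 8443*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            LocalPort     = $port.LocalPort
            RemotePort    = $port.RemotePort
            RemoteAddress = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```

Windows Firewall allows outbound connections by default, so the outbound 8443 rule only limits traffic once the profile's default outbound action has been set to Block (Set-NetFirewallProfile -DefaultOutboundAction Block) and the other outbound rules the host needs have been added. Where the RAG is a cluster or sits behind NAT, give -RemoteAddress the full list of addresses rather than widening it to a subnet.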
TERMS AND DEFINITIONS
2. Terms and definitions
NOTE
The terms and definitions are listed in alphabetical order
Term: Definition
add-on: An umbrella term for product lines and ESPs
asset: Any site component that is connected to the network and is accessible from the VSE
Communication Server (CS): The Communication Server provides secure communication between the Security Center and the VSEs
compliance: Whether the device meets the organization policy
corrective action: An execution profile that performs an action to correct a problem detected by other execution profiles; for example, if a monitoring profile detected a low disk space issue, a corrective action will delete obsolete and large temporary files
DB: Database server component
device: A representation of a physical or virtual server or machine in the VSE
diagnose routine (DR): An execution profile that runs on demand when an issue is encountered, and is intended to collect in-depth diagnostic data
discovery engine: A VSE utility that represents the ICS Shield Active Discovery ESP, which detects and classifies network assets, and, optionally, adds them as devices to the VSE
ePO: McAfee ePolicy Orchestrator; a unified console that is included with the Enterprise edition of McAfee VirusScan. ePO can control VirusScan and other McAfee products by installing updates and configuring settings for all client programs.
Essential security policy (ESP): A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.
execution profile: A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.
exposure level: The extent to which the specific device is critical to ongoing site operation; the predefined value options for the exposure levels are one of the following:
• High
• Medium
• Low
HQ: Headquarters; the physical location of the Security Center
monitoring profile (MP): An execution profile configured to run at set time intervals, such as Every day at 18:00
product line: A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE
Remote Access Gateway (RAG): The Remote Access Gateway is part of the ICS Shield’s remote access solution. When initiated, the Remote Access Gateway automatically pulls the connection details from the Security Center database.
reverse tunnel: A secured connection initiated by the VSE to the Security Center.
scan config: Scan configuration; contains a set of network vulnerability tests (NVTs) used to scan a machine in order to detect vulnerabilities
Security Center (SC): ICS Shield component that is installed at the corporate data center. The Security Center is composed of various software components, which make it possible to remotely collect, analyze, view, manage, and store data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE’s sites.
site: A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE
tunnel: A secure connection established from the Security Center to the VSE
VSE: Virtual Security Engine; the ICS Shield component that is installed at the remote site, monitors the devices at the site, and provides additional functionalities such as remote access
SOLUTION OVERVIEW AND WORKFLOW
3. Solution overview and workflow
This chapter provides a brief overview and workflow of the stages of implementing ePO
ESP, as described in the following sections:
• 3.1, ePO update delivery
• 3.2, Remote execution of server tasks
• 3.3, Automatic Response
• 3.4, Remote activation of agent
3.1 ePO update delivery
The ePO ESP supports the automatic delivery of ePO ESP updates by using specially
designed utilities. The process requires the automatic activation of the pull function in
the downstream ePO ESP Server, thereby allowing the downstream ePO ESP to
synchronize with the upstream ePO ESP server.
The delivery of McAfee ePO antivirus updates uses the application tunnel, which
enables the downstream ePO ESP Servers to securely connect to an upstream HTTP
Repository at the headquarters (data center) and download the updates. The
application tunnel provides the following update methods:
• Fully automated – update process is started based on a predefined schedule.
• Semi-Automated – update process is started on demand, via a diagnosis routine.
The activation can be initiated from the Security Center or the VSE at the remote
site.
• Manually - the application tunnel from the downstream ePO ESP server to the
upstream repository is generated by the VSE. Once active, you need to log in to the
downstream ePO ESP Server UI and manually click Pull Now. To end the operation
gracefully, terminate the application tunnel by running an execution profile at the
VSE.
3.2 Remote execution of server tasks
Remotely executing ePO ESP server tasks, as well as receiving reports via email, is
enabled either by using a local SMTP server at the remote site or by connecting to the
upstream SMTP server.
NOTE
To support this configuration, an SMTP relay needs to be installed at the remote site
Server tasks are configurable actions, which run on the ePO ESP server on a schedule
or on-demand. McAfee ePO ESP software includes preconfigured server tasks and
actions.
The remote activation of server tasks allows users to run several tasks at different
remote (downstream) sites and to view or receive their results from an upstream server
deployed at a central location (HQ).
Server tasks include the following:
• Performing an action by using the results of a query
• Emailing and exporting reports automatically on a regular basis
• Purging older events automatically from the McAfee ePO ESP server database
• Deleting inactive machines automatically from your system tree
The server tasks can send email messages from the downstream ePO ESP via the
SMTP server relay. The SMTP server relay uses the secure application tunnel to
transfer these messages to the upstream SMTP server for processing.
Figure 3-1. ePO update delivery
3.3 Automatic Response
The application tunnel to the upstream SMTP server enables using ePO ESP
Automatic Response functionality, as well as sending email notifications.
The following scenario provides an example of the Automatic Response process.
1. ePO ESP Automatic Response is triggered by a threat detection.
2. An alert email is sent to the SMTP relay server at the site.
3. The VSE periodically checks, through the SMTP Server Product Line, whether any
outgoing emails are queuing on the SMTP server relay. For details see section 7.4,
Configuring the site SMTP Server relay.
If any emails are found, the VSE opens the SMTP application tunnel between the
downstream and upstream SMTP servers.
4. Once the tunnel is open, the SMTP server relay passes on the emails to the
upstream SMTP server.
5. The upstream SMTP server delivers the email messages.
NOTE
The complete set of event types for which the user can configure an automatic response depends on the software products that are managed by the ePO ESP server. For additional information, see the ePO ESP documentation.
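Step 3 of the scenario is a polling check that decides whether the SMTP tunnel is opened at all, so it is also the place where a stuck alert queue becomes visible. The script below is an added example and not the VSE's own SMTP Server Product Line code: it inspects the relay's queue, returns whether the tunnel should be opened, and flags mail that has been waiting longer than a threshold or has landed in Badmail. The Queue and Badmail folder names are the IIS SMTP service defaults; the mailroot path and the Open-SmtpTunnel call are placeholders for the site's real values.

```powershell
# Added example, not from the Honeywell guide: the check the VSE performs in step 3
# of the Automatic Response scenario, written as a stand-alone script.
$MailRoot = 'C:\inetpub\mailroot'   # ASSUMPTION: IIS SMTP relay mailroot

function Get-SmtpRelayState {
    param([string] $Root = $MailRoot, [int] $StuckAfterMinutes = 30)
    $queued = @(Get-ChildItem -Path (Join-Path $Root 'Queue')   -Filter '*.eml' -File -ErrorAction SilentlyContinue)
    $failed = @(Get-ChildItem -Path (Join-Path $Root 'Badmail') -Filter '*.bad' -File -ErrorAction SilentlyContinue)
    $oldest = $queued | Sort-Object LastWriteTime | Select-Object -First 1
    $oldestTime = $null
    if ($oldest) { $oldestTime = $oldest.LastWriteTime }
    # Mail older than the threshold means the tunnel is not being opened or the
    # upstream SMTP server is not accepting it: an alert condition, not just a retry.
    $stuck = [bool]($oldest -and $oldestTime -lt (Get-Date).AddMinutes(-$StuckAfterMinutes))
    [pscustomobject]@{
        QueuedCount  = $queued.Count
        OldestQueued = $oldestTime
        OpenTunnel   = ($queued.Count -gt 0)   # open only when there is mail to forward
        Stuck        = $stuck
        BadmailCount = $failed.Count
    }
}

$state = Get-SmtpRelayState
if ($state.OpenTunnel) {
    Write-Output "$($state.QueuedCount) message(s) queued, oldest $($state.OldestQueued): open SMTP tunnel"
    # ASSUMPTION: Open-SmtpTunnel stands in for the VSE's own tunnel activation.
    # Open-SmtpTunnel
} else {
    Write-Output 'Queue empty: tunnel stays closed'
}
if ($state.Stuck) {
    Write-Warning 'Queued mail is not draining; check the SMTP tunnel and the upstream SMTP server'
}
if ($state.BadmailCount -gt 0) {
    Write-Warning "$($state.BadmailCount) undeliverable message(s) in Badmail; review the relay's outbound settings"
}
```

Because Automatic Response alerts are threat notifications, a growing queue is itself worth alerting on through a channel that does not depend on the same tunnel, for example the VSE's own monitoring profile results; otherwise a broken tunnel silently suppresses exactly the messages it was meant to carry.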
Using ePO ESP enables executing all ePO ESP server tasks, as well as receiving
automatic response notifications. Examples are the following:
• Creating issues
• Executing server tasks
• Running external commands
• Running system commands
• Sending email messages
• Sending SNMP traps
• Detecting threats by anti-virus software
• Outbreak situations (for example, 1000 virus-detected events received within five
minutes)
• High-level compliance of ePolicy Orchestrator server events (for example, failure of
a repository update or a replication task)
• Detection of new rogue systems
3.4 Remote activation of agent update
The system enables remotely invoking updates, scans, and policy updates.
The automatic activation of ePO ESP Agent update is supported by using the pull
function at the downstream ePO ESP server.
The delivery of McAfee ePO ESP antivirus updates uses the application tunnel, which
allows downstream ePO ESP agents to securely connect to an upstream ePO ESP
repository and download McAfee updates. The application tunnel is transparent to the
ePO ESP agent, and provides the following update methods:
• Fully automated – update process is started based on a predefined schedule.
• Semi-automated – update process is started on demand by means of an execution
profile. The activation can be initiated either from the Security Center or the
downstream VSE.
Figure 3-2. Reverse tunnel ePO SMTP
ACTIVATION PROCESS
4. Activation Process
This chapter describes the flows detailed in the following sections:
• 4.1, Updating ePO ESP
• 4.2, Activating server tasks remotely
4.1 Updating ePO ESP
The process of performing ePO ESP updates can be implemented either automatically
or manually, as specified below.
4.1.1 Enabling automatic updates
Using the Daily Update of ePO ESP execution profile, the ePO ESP automatically
manages sync executions and monitoring as follows:
1. Once a day (23:30 VSE time), the ePO ESP opens the application tunnel to the
upstream repository.
2. Upon establishing the secure tunnel, ePO ESP web services are activated to pull
updates from the upstream repository.
3. Once the sync process is complete, the application tunnel is terminated.
NOTE
The above can also be executed on demand by activating the diagnosis routine
Update ePO ESP.
4.1.2 Performing manual update
ePO ESP allows the manual activation of ePO ESP update.
To manually activate an ePO ESP update, an operator needs to:
1. Activate the Diagnosis Routine Open ePO ESP Update Tunnel, thereby
establishing an application tunnel between the downstream ePO ESP and the
upstream repository.
2. Log into the downstream ePO ESP and click pull now from the master repository
page.
3. Once the updating process is complete, activate the Terminate ePO ESP Update
Tunnel diagnosis routine, thus terminating the application tunnel.
Summary:

Option: Fully Automated
Process: Activate the monitoring profile Daily Update of ePO ESP
Comments: Currently it is scheduled to run every day. Note: You can create an additional profile to meet other requirements.

Option: Semi-Automated
Process: From the Security Center or the downstream VSE, activate the monitoring profile Update ePO ESP
Comments: ePO ESP update is performed as follows: 1. An application tunnel opens to the upstream repository. 2. Windows Server on ePO ESP is activated and pulls updates from the repository. 3. The application tunnel is terminated.

Option: Manually
Process: 1. Activate the monitoring profile Open ePO ESP Update Tunnel. 2. Log into the downstream ePO ESP and click pull now. 3. Activate the monitoring profile Terminate ePO Update Tunnel
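In all three options the sequence is the same: open the tunnel, pull, terminate the tunnel, and the risk worth engineering against is a pull that fails or hangs and leaves the application tunnel to the upstream repository open. The function below is an added example, not an ICS Shield execution profile: it runs the three steps as one guarded cycle in which termination happens in a finally block and the pull is bounded by a timeout. The three script-block parameters stand in for the Open ePO ESP Update Tunnel and Terminate ePO ESP Update Tunnel routines and the pull, and the log path is a placeholder.

```powershell
# Added example, not from the Honeywell guide: the open / pull / terminate sequence of
# sections 4.1.1 and 4.1.2 as one guarded cycle. The tunnel is terminated even when
# the pull fails or exceeds the timeout.
function Invoke-EpoUpdateCycle {
    param(
        [Parameter(Mandatory)] [scriptblock] $OpenTunnel,    # ASSUMPTION: stands in for Open ePO ESP Update Tunnel
        [Parameter(Mandatory)] [scriptblock] $PullUpdates,   # ASSUMPTION: stands in for the ePO pull
        [Parameter(Mandatory)] [scriptblock] $CloseTunnel,   # ASSUMPTION: stands in for Terminate ePO ESP Update Tunnel
        [int] $TimeoutMinutes = 60,
        [string] $LogPath = "$env:ProgramData\epo-esp-update.log"   # ASSUMPTION: placeholder log path
    )
    $log    = [System.Collections.Generic.List[string]]::new()
    $opened = $false
    $job    = $null
    try {
        $log.Add("$(Get-Date -Format s) opening update tunnel")
        & $OpenTunnel
        $opened = $true

        # Run the pull in a job so a hung download cannot hold the tunnel open forever.
        $job = Start-Job -ScriptBlock $PullUpdates
        if (-not (Wait-Job -Job $job -Timeout ($TimeoutMinutes * 60))) {
            Stop-Job -Job $job
            throw "pull did not finish within $TimeoutMinutes minutes"
        }
        $result = Receive-Job -Job $job -ErrorAction Stop   # rethrows a failed pull
        $log.Add("$(Get-Date -Format s) pull finished: $result")
        return $true
    }
    catch {
        $log.Add("$(Get-Date -Format s) update failed: $($_.Exception.Message)")
        return $false
    }
    finally {
        # Runs on success, on failure and on timeout: the tunnel never outlives the cycle.
        if ($opened) {
            & $CloseTunnel
            $log.Add("$(Get-Date -Format s) tunnel terminated")
        }
        if ($job) { Remove-Job -Job $job -Force }
        $log | Add-Content -Path $LogPath
    }
}

# Usage with placeholder actions; replace each block with the real routine call.
$ok = Invoke-EpoUpdateCycle `
    -OpenTunnel  { Write-Verbose 'Open ePO ESP Update Tunnel' } `
    -PullUpdates { 'pull now completed' } `
    -CloseTunnel { Write-Verbose 'Terminate ePO ESP Update Tunnel' }
if (-not $ok) { Write-Warning 'ePO ESP update cycle failed; see the log' }
```

Keeping the tunnel open only for the duration of a bounded pull is the same least-exposure idea as the manual option's explicit Terminate step; the difference is that here the termination cannot be forgotten when an operator is interrupted or the pull errors out.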
4.2 Activating server tasks remotely
The activation workflow below allows the remote execution of ePO server tasks, by
using a daily monitoring profile that activates the server tasks based on the parameter
Server Tasks in custom protocols.
Table 4-1. The parameter Server Tasks
Parameter: Server Tasks
Description: A comma-separated list of server tasks that need to be executed on the downstream site’s ePO
Values: Task1,Task 2
Activation of server tasks is done by performing calls to ePO web services.
NOTE
Server tasks can also be run on demand by activating the execution profile Run
Server Task.
Summary:

Option: Fully Automated
Process: Activate the execution profile Daily Activation of Server Tasks
Comments: Currently this profile is scheduled to run every day; additional profiles can be created to accommodate any other frequency.

Option: Semi-Automated
Process: Activate the execution profile Run Server Task, either from the Security Center or from the downstream VSE
Comments: Run Server Tasks performs the following operations: 1. Activating Windows Server on ePO, to activate Server Tasks. 2. Sending email messages to the downstream SMTP server relay.
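The guide states that activation is done through calls to the ePO web services and that the input is the comma-separated Server Tasks parameter of Table 4-1. The script below is an added example and not the ICS Shield execution profile's own code: it parses that parameter value (trimming the spaces around each name but keeping spaces inside names such as "Task 2", dropping empty entries and rejecting duplicates) and then calls the downstream ePO remote API once per task, continuing past individual failures and returning a per-task result. The command name under /remote and the "OK:" response prefix are assumptions to confirm against the ePO's own core.help listing; the server address and credentials are placeholders.

```powershell
# Added example, not from the Honeywell guide: turn the 'Server Tasks' parameter of
# Table 4-1 into calls to the downstream ePO remote web API.
function ConvertFrom-ServerTaskList {
    param([string] $Value)
    # 'Task1,Task 2' -> @('Task1', 'Task 2')
    $names = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    $dupes = $names | Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate server task name(s): $($dupes.Name -join ', ')" }
    return $names
}

function Invoke-EpoServerTasks {
    param(
        [Parameter(Mandatory)] [string] $ServerTasks,        # Table 4-1 parameter value
        [Parameter(Mandatory)] [string] $EpoServer,          # ASSUMPTION: downstream ePO host name
        [Parameter(Mandatory)] [pscredential] $Credential,   # ePO account permitted to run server tasks
        [int] $Port = 8443                                   # ePO port from Table 1-1
    )
    # The ePO remote API uses HTTP Basic authentication; send the header explicitly.
    $pair    = "$($Credential.UserName):$($Credential.GetNetworkCredential().Password)"
    $headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }

    foreach ($name in ConvertFrom-ServerTaskList -Value $ServerTasks) {
        # ASSUMPTION: scheduler.runServerTask with taskName= is the ePO remote command;
        # confirm with https://<server>:<port>/remote/core.help before relying on it.
        $uri = "https://${EpoServer}:${Port}/remote/scheduler.runServerTask?taskName=$([uri]::EscapeDataString($name))"
        try {
            $resp = Invoke-WebRequest -Uri $uri -Headers $headers -UseBasicParsing -ErrorAction Stop
            $body = $resp.Content.Trim()
            # ASSUMPTION: ePO prefixes successful responses with 'OK:' and failures with 'Error:'.
            [pscustomobject]@{ Task = $name; Success = $body.StartsWith('OK:'); Detail = $body }
        }
        catch {
            # One failing task must not stop the rest of the list.
            [pscustomobject]@{ Task = $name; Success = $false; Detail = $_.Exception.Message }
        }
    }
}

# Usage with placeholders; the result table is what the daily profile would mail via the SMTP relay.
$cred = Get-Credential -Message 'ePO web API account'
Invoke-EpoServerTasks -ServerTasks 'Task1,Task 2' -EpoServer 'epo.site.local' -Credential $cred |
    Format-Table Task, Success, Detail -AutoSize
```

Two points a reviewer would check in this code: the credential has only the ePO permission set needed to run server tasks, not the ePO Admin role the guide's section 1.6 tells you to restrict; and the TLS connection to port 8443 is validated, which on a site ePO with a self-signed certificate means importing that certificate into the trusted store on the VSE rather than disabling certificate checks in the script.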
SOFTWARE REQUIREMENTS
5. Software requirements
The following software versions are required to set up ePO ESP:
• VSE version 4.6.33 and later
  If SMTP Server relay is used, then VSE should be installed on Windows Server
  2003 or later
• McAfee ePolicy Orchestrator version 4.6.2 and later
CONFIGURING THE UPSTREAM EPO
6. Configuring the Upstream ePO
This chapter describes the required configuration of upstream ePO, namely: the ePO at
the HQ/Security Center side.
NOTES
• This configuration is a one-time operation, which should be performed with the assistance of support personnel.
• If the ePO is installed with the local Apache server (default), it has an XML configuration file that controls access to any resource. Review this file to ensure that access to the root directory and serving the master repository content are permitted.
CAUTION
Before configuring the upstream ePO, ensure that you disable the McAfee firewall. If this firewall is enabled, it will block connections to the server on the ports of its services, which results in connectivity issues in the reverse tunnel process from the downstream to upstream ePO servers.
6.1 HTTP repository
An ePO distributed repository is a local access point, which is strategically placed
throughout your environment to enable agents or other ePO elements to receive
signatures, product updates, and product installations with minimal bandwidth
impact.
NOTE
A Web Server such as IIS or Apache must be installed and configured prior to the
creation of a Distributed HTTP Repository in ePO.
Setting up a distributed HTTP repository for the upstream ePO requires administrator
privileges. If needed, support personnel can assist with the configuration.
The following are required:
• HTTP repository agent credentials for downloading files (can also be anonymous
login)
• The URL (IP or DNS name), port and Replication UNC Path, taken from the
Distributed Repository Builder screen in the upstream ePO as shown in the figure
below
6.2 ePO server
The distributed repository at the downstream ePO is configured by using the public
keys that are exported as a zip file from the upstream ePO, as shown in the figure
below.
Figure 6-1. Distributed Repository Builder screen
Figure 6-2. Extracting public keys
6.3 SMTP server
The SMTP server is needed only if email responses from the downstream ePO are required. Like the HTTP repository, the SMTP server also needs to be accessible from the RAG (default port 25). The configuration for sending email messages requires the server IP address (or DNS name) and credentials.
6.4 Configuring ePO ESP in the HQ
The network needs to be configured to allow the connection to the distributed repository (and to the SMTP server, if required) from the site ePO. This step is a one-time operation that is performed only by support personnel. ePO ESP requires the HTTP repository information and the SMTP server information. For details see section 6.1, HTTP repository, and section 6.3, SMTP server.
CAUTION
Before configuring the upstream ePO, ensure that you disable the McAfee firewall. If this firewall is enabled, it blocks connections to the server on the ports of its services, which results in connectivity issues in the reverse tunnel process from the downstream to the upstream ePO servers.
7. Configuring ePO ESP at the Customer Site
This chapter describes the process of deploying and configuring ePO ESP at a
customer’s site.
The deployment and configuration are performed by using the steps described in the
following sections:
• 7.1, Distributing product lines
• 7.2, Setting up the application tunnel
• 7.3, Adding ePO ESP device
• 7.4, Configuring the site SMTP Server relay
• 7.5, Adding SMTP Server
• 7.6, Setting up the downstream ePO
7.1 Distributing product lines
Distribute the following product lines to the VSE:
• ePO ESP
• SMTP Server Product Line – opens a reverse tunnel that enables email forwarding from the local SMTP server to the HQ SMTP server
NOTE
The SMTP Server Product Line is needed only if automatic responses via email are required.
7.2 Setting up the application tunnel
The application tunnel from the VSE to the upstream ePO HTTP repository and SMTP server needs to be configured in the VSE. To do so, distribute the software package Add ePO Reverse Tunnel Services (SMTP and ePO) provided during the installation. This package automatically adds the required settings for creating the application tunnel.
7.3 Adding ePO ESP device
To configure the ePO ESP device in the VSE:
1. Log into the VSE as administrator
2. Go to Operations > Device Management > New
3. Use the following definitions:
Product Line – ePO ESP
Model – ePO model
Version – ePO version
Unique ID – automatic
Device Address – address of the downstream ePO
Device name – <VSE site name>_ePO
4. Enter the following Custom protocol parameters (the value in parentheses after each description is the default or example value):
UI_Port – The UI port of the VSE (example: 8449)
VSE User Name – The username of the VSE (UI), needed to create the application tunnel (example: admin)
VSE User Password – The password of the VSE user, needed to create the application tunnel (example: admin)
Service ID – The Service ID for the Update ePO (example: 7)
EPO Port – Default port of the ePO (example: 8443)
EPO User Name – ePO Admin username (example: Admin)
EPO Password – ePO Admin password (example: pass)
EPO Source Repository – The source repository name, defined in the downstream ePO under Server Settings > Source Repository (example: HQ_HTTP_REPO)
Tunnel Port – Port used by the secure tunnel (example: 8000)
Server Tasks – A comma-separated list of server tasks that need to be executed in the downstream ePO (example: RunServerReport,Daily report)
EPO SSL VERIFY HOSTNAME – Specifies whether validation of the SSL certificate on the ePO server is required:
• 0 – Do not verify the SSL certificate installed on the ePO server
• 1 – Verify the SSL certificate installed on the ePO server
5. Click Save to save the new device in the downstream VSE.
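The following Python script is an added example; it is not part of this guide or of the ePO ESP product. It shows how the Custom protocol parameters above can be checked before the device is saved: the port values must be usable TCP ports (Appendix A lists error code 2039 for a non-positive Tunnel Port), the Server Tasks value is a comma-separated list, and EPO SSL VERIFY HOSTNAME 1 versus 0 is expressed as the TLS client settings an HTTPS client to the ePO server would use. The class and function names (EpoEspParams, validate, build_ssl_context), the 1..65535 port range and the check that flags the example passwords from the table are assumptions made here.

```python
import ssl
from dataclasses import dataclass
from typing import List


@dataclass
class EpoEspParams:
    """Custom protocol parameters of the ePO ESP device, one field per row of the
    table above. Defaults are the example values shown in the table."""
    ui_port: int = 8449
    vse_user_name: str = "admin"
    vse_user_password: str = "admin"
    service_id: int = 7
    epo_port: int = 8443
    epo_user_name: str = "Admin"
    epo_password: str = "pass"
    epo_source_repository: str = "HQ_HTTP_REPO"
    tunnel_port: int = 8000
    server_tasks: str = "RunServerReport,Daily report"
    epo_ssl_verify_hostname: int = 1


# Example passwords printed in the table; a device still using them is flagged (assumption).
EXAMPLE_PASSWORDS = {"admin", "pass"}


def parse_server_tasks(value: str) -> List[str]:
    """Split the comma-separated Server Tasks value into task names.
    Spaces around a name are dropped and empty entries (double or trailing commas)
    are ignored; spaces inside a name are kept because names such as
    'Daily report' contain them."""
    return [task.strip() for task in value.split(",") if task.strip()]


def validate(params: EpoEspParams) -> List[str]:
    """Check a device definition against the constraints this guide states.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for name, port in (("UI_Port", params.ui_port),
                       ("EPO Port", params.epo_port),
                       ("Tunnel Port", params.tunnel_port)):
        if not 1 <= port <= 65535:
            # Appendix A reports error 2039 when the Tunnel Port is not positive.
            findings.append(f"{name} must be in 1..65535, got {port}")
    if params.epo_ssl_verify_hostname not in (0, 1):
        findings.append("EPO SSL VERIFY HOSTNAME must be 0 or 1")
    elif params.epo_ssl_verify_hostname == 0:
        findings.append("EPO SSL VERIFY HOSTNAME is 0: the ePO server certificate is not "
                        "validated; set 1 once a certificate from a trusted CA is installed")
    if not params.epo_source_repository.strip():
        # Appendix A reports ePO Code 2 when the source site name does not match.
        findings.append("EPO Source Repository is empty; it must match the source site "
                        "name configured in the downstream ePO")
    if not parse_server_tasks(params.server_tasks):
        findings.append("Server Tasks is empty: no server task would be executed")
    if params.vse_user_password in EXAMPLE_PASSWORDS or params.epo_password in EXAMPLE_PASSWORDS:
        findings.append("VSE User Password / EPO Password still equal the example values")
    return findings


def build_ssl_context(verify_hostname: int) -> ssl.SSLContext:
    """TLS client settings corresponding to EPO SSL VERIFY HOSTNAME.
    1: the ePO server certificate must chain to a trusted CA and match the host
       name; an untrusted certificate fails with 'certificate verify failed',
       the condition listed in Appendix A.
    0: no certificate validation at all; any certificate is accepted."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname by default
    if verify_hostname == 0:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    device = EpoEspParams(vse_user_password="S3cret-VSE", epo_password="S3cret-ePO")
    for finding in validate(device) or ["no findings"]:
        print(finding)
```

The context returned by build_ssl_context(1) is what an HTTPS client library such as urllib uses when it is given the context; with 0 the connection succeeds against any certificate, which is why the appendix only suggests that value as a way to continue past a certificate error, not as the normal setting.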
7.4 Configuring the site SMTP Server relay
To configure the site SMTP Server relay:
1. Install IIS SMTP Server on the VSE machine
a. Add the SMTP Server feature (from Server Manager)
Figure 7-1. SMTP Server feature
b. Click Add Required Features.
c. Ensure that IIS 6 Metabase Compatibility and IIS 6 Management Console
are selected.
d. Click Next and then Install.
2. Open IIS Manager 6.0
3. Right-click SMTP virtual server and select Properties
4. Change the listening port as follows:
a. Go to the General tab
b. Click Advanced and change the listening port from 25 to 25001
5. Harden the authentication as follows:
a. Go to the Access tab.
b. Click Authentication.
c. In the Authentication dialog box, select the Basic authentication check box.
Figure 7-2. Add Required Features
NOTE
To configure the ePO ESP to send email messages (Email Server Settings), valid Windows user credentials must be provided. These credentials are those of a Windows user on the SMTP relay server.
Figure 7-3. Basic authentication
6. Go to the Messages tab and ensure that the Badmail directory is defined as shown below.
Figure 7-4. Badmail directory
7. Go to the Delivery tab and click Outbound Security to set the credentials of the headquarters SMTP server in the Basic authentication section.
8. Change the outbound connections TCP port to 8025.
9. Click Advanced and change the smart host to the VSE IP address or hostname.
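The following Python probe is an added example, not taken from this guide or from Honeywell. It checks, from a client on the VSE, that the relay configured in steps 4 and 5 answers on its listening port, advertises AUTH in its EHLO reply, and refuses a relay attempt from a client that has not authenticated. The small in-process relay in the block is a constructed stand-in that mimics the replies of an authenticating relay so the probe can be run offline; the function names, the host name relay.example and the addresses under the reserved .invalid domain are the example's own.

```python
import socket
import socketserver
import threading
from typing import Dict, List, Tuple


def _read_reply(reader) -> List[str]:
    """Read one SMTP reply. Multi-line replies (EHLO) continue with 'nnn-' and
    end with a line whose fourth character is a space."""
    lines: List[str] = []
    while True:
        raw = reader.readline()
        if not raw:                       # peer closed the connection
            return lines
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def probe_relay(host: str, port: int, timeout: float = 5.0) -> Dict[str, object]:
    """Connect as an unauthenticated client and report what the relay allows.
    After step 5 above (Basic authentication only) the expected result is
    auth_offered=True and unauthenticated_relay=False."""
    result: Dict[str, object] = {"auth_offered": False, "unauthenticated_relay": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        banner = _read_reply(reader)
        result["banner"] = banner[0] if banner else ""
        sock.sendall(b"EHLO probe.invalid\r\n")
        ehlo = _read_reply(reader)
        # Extension keywords follow the 4-character "250-" / "250 " prefix.
        result["auth_offered"] = any(line[4:].upper().startswith("AUTH") for line in ehlo)
        sock.sendall(b"MAIL FROM:<probe@probe.invalid>\r\n")
        mail = _read_reply(reader)
        result["mail_from_reply"] = mail[0] if mail else ""
        if mail and mail[0].startswith("250"):
            # Sender accepted; the decisive test is a recipient the relay does not host.
            sock.sendall(b"RCPT TO:<someone@elsewhere.invalid>\r\n")
            rcpt = _read_reply(reader)
            result["unauthenticated_relay"] = bool(rcpt) and rcpt[0].startswith("250")
        sock.sendall(b"QUIT\r\n")
    return result


class AuthRequiredRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in for a relay configured as in steps 4 and 5: it advertises
    AUTH LOGIN and answers 530 to any MAIL FROM / RCPT TO from a client that has not
    authenticated (no AUTH exchange is implemented here)."""

    def handle(self):
        self.wfile.write(b"220 relay.example ESMTP (test stand-in)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(b"250-relay.example\r\n250-AUTH LOGIN\r\n250 OK\r\n")
            elif cmd.startswith(b"MAIL FROM") or cmd.startswith(b"RCPT TO"):
                self.wfile.write(b"530 5.7.3 Client was not authenticated\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 Command not recognized\r\n")


def start_test_relay() -> Tuple[socketserver.ThreadingTCPServer, int]:
    """Start the stand-in on 127.0.0.1 and an ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), AuthRequiredRelay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_test_relay()
    try:
        print(probe_relay("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
```

Against the real relay, call probe_relay with the VSE address and port 25001 from step 4; a result with auth_offered False or unauthenticated_relay True means step 5 (Basic authentication only) has not taken effect and the relay would forward mail for anyone who can reach the port.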
Figure 7-5. Outbound security settings
7.5 Adding SMTP Server device
NOTE
Configure the SMTP Server device only if automatic email responses are required.
To configure the SMTP Server device:
1. Log into the VSE as an administrator
2. Go to Operations > Device Management > New
3. Use the following definitions:
a. Product Line – SMTP Server
b. Model – one of the following:
• SMTP on VSE – the SMTP server is installed on the same machine as the VSE
• Dedicated SMTP – the SMTP server is installed on a dedicated server
c. Version – 1.0
d. Unique ID – Automatic
e. Device Address – address of the downstream SMTP server
f. Device name – <VSE site Name>_SMTP
4. Enter the following Custom protocol parameters (the value in parentheses after each description is the default or example value):
VSE User Name – The username of the VSE (UI), needed for creating the application tunnel (example: admin)
VSE User Password – The password of the VSE user, needed for creating the application tunnel (example: admin)
SMTP Service ID – The Service ID for the SMTP server (example: 8)
SMTP Tunnel Port – Port that is not used by any other application on the downstream VSE (example: 8025)
SMTP Tunnel Timeout – Application tunnel timeout in minutes (example: 10)
SMTP Server IP – IP address of the downstream SMTP server (example: x.x.x.x)
SMTP Mailroot – Mailroot of the downstream SMTP server (example: C:\inetpub\mailroot)
5. Click Save to save the new device in the remote site VSE.
7.6 Setting up the downstream ePO
This section provides instructions for setting up the downstream ePO.
NOTES
• This configuration is a one-time operation, which should be performed with the assistance of support personnel.
• If the ePO is installed with the local Apache server (default), it has a configuration file (XML) that controls access to every resource. Review this file to ensure that access to the root directory and serving the master repository content are permitted.
CAUTION
Before configuring the upstream ePO, ensure that you disable the McAfee firewall. If this firewall is enabled, it blocks connections to the server on the ports of its services, which results in connectivity issues in the reverse tunnel process from the downstream to the upstream ePO servers.
7.6.1 Source sites and security keys
To add the upstream HTTP repository as a source site:
1. Log into the downstream ePO user interface (administrator user is required)
2. Go to Menu > Configuration > Server Settings
3. Select Source Sites and click Edit.
4. Click Add Source Site and use the following settings:
a. Repository name – use the same name defined in the ePO ESP device for the EPO Source Repository parameter
b. Type – select HTTP
c. URL – select IPv4 and add the IP address of the VSE. Make sure that the directory name of the HTTP repository is defined as a virtual directory (e.g., 10.10.10.10/ePO-HTTP)
d. Port – use the same port as defined in the ePO ESP device for the Tunnel Port parameter (default: 8000)
e. Download credentials – select Anonymous, or HTTP authentication if the HTTP repository was configured with specific credentials
f. Review the settings and click Save to complete the setup
g. Click Enable Fallback on the new site’s row
h. Click Save.
5. Select Security Keys and click Edit.
6. Click Import and browse to the public key ZIP file extracted from the upstream ePO (see section 6.2, ePO server), and then click Next.
7. Click Save to import the public keys and then click Save again.
7.6.2 ePO mail server settings
ePO mail server settings are required for the Server Tasks and Automatic Responses functions in the ePO server (refer to the ePO documentation for configuration information).
To configure the ePO mail server:
1. Log into the downstream ePO UI (administrator user is required)
2. Navigate to Menu > Configuration > Server Settings.
3. Select Email Server and click Edit.
4. Use the following settings:
a. Server Name – hostname or IP address of the site SMTP server
b. SMTP Server Port – downstream SMTP server port (default is 25001)
c. Username – downstream SMTP server username
d. Password – downstream SMTP server password
e. From address – enter the address
5. Click Save.
Appendices
This guide includes the following appendices:
• A, Error codes
A Error codes
This chapter specifies the error codes displayed when performing the following tasks:
• ePO update delivery
• Run Server Task
A.1 ePO update delivery
Each entry lists the error code, the message displayed, and the possible issues.

Error code: 706
Message: Tunnel was not opened. VSE credentials are incorrect. Examine VSE User Name and VSE Password parameters in Custom protocol
Possible issues: The VSE username and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

Error code: 476
Message: Tunnel is already open, no need to re-open
Possible issues: The application tunnel is already open. The script has not performed any action. No need to resolve.

Error code: 472
Message: Unable to open Tunnel, Sync will not continue. Make sure that service id:$ServiceID is defined properly in VSE, Database and protocol settings->custom
Possible issues: The Service ID might not be defined properly in the VSE or in the Security Center database.
• Check that the service and port are defined properly in the VSE file DefaultRRAConfiguration.xml
• Check that the service is defined properly in the DB table RMA_INBOUND_SERVICE_T
• Check that the RAG is connected to the HTTP repository in the NNGateway.log

Error code: 401
Message: Unable to Sync ePO, Wrong Credentials
Possible issues: The ePO admin username and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

Error code: ePO Code: 500
Message: Content: Can't connect to ip:port (No connection could be made because the target machine actively refused it.)
Possible issues: Unable to connect to the ePO server. Verify the following Custom protocol parameters: EPO Server IP, EPO Port.

Error code: ePO Code: 500
Message: Content: Can't connect to ip:port (certificate verify failed)
Possible issues: The ePO server does not have a valid SSL certificate issued by a trusted third-party certificate authority. To ignore this and continue without a valid certificate, change the EPO SSL VERIFY HOSTNAME parameter in Custom Protocols to 0.

Error code: ePO Code: 1
Message: ePO sync failed, Unable to download files from repository. please check Server Settings->Source Sites Settings in the site ePO
Possible issues: Unable to connect the downstream ePO to the upstream HTTP repository. Verify the following Custom protocol parameter: Tunnel Port.

Error code: 111
Message: Unable to open Tunnel. Sync will not continue.
Possible issues: Verify the following Custom protocol parameter: VSE IP.

Error code: ePO Code: 2
Message: ePO sync failed, ePO source site name was invalid. Check VSE > Custom Protocols > EPO Source Repository
Possible issues: The ePO repository name is incorrect. Verify the following Custom protocol parameter: EPO Source Repository.

Error code: 2063
Message: Tunnel was not opened, make sure that the Remote Access Bridge service is working properly.
Possible issues: Check if the Remote Access Bridge service is running.

Error code: 2064
Message: Tunnel was not opened, make sure that the service is not disabled in the Security Center
Possible issues: Check if the ePO service is enabled in the database.

Error code: 2039
Message: Tunnel was not opened, make sure that the Tunnel Port parameter in Custom protocol is not negative
Possible issues: Verify that the Tunnel Port parameter in Custom Protocols is > 0.
A.2 Run Server Task
Each entry lists the error code, the message displayed, and the possible issues.

Error code: 706
Message: Tunnel was not opened; VSE credentials are incorrect. Examine VSE User Name and VSE Password parameters in Custom protocol
Possible issues: The VSE username and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

Error code: 476
Message: SMTP Tunnel is already open, no need to re-open
Possible issues: The application tunnel is already open. The script has not performed any action. No need to resolve.

Error code: 472
Message: Unable to open Tunnel, Sync will not continue. Make sure that service id:$ServiceID is defined properly in VSE, Database and protocol settings->custom
Possible issues: The SMTP Service ID might not be defined properly in the VSE or in the Security Center database.
• Check that the service and port are defined properly in the VSE file DefaultRRAConfiguration.xml
• Check that the service is defined properly in the DB table RMA_INBOUND_SERVICE_T
• Check that the RAG is connected to the HTTP repository in the NNGateway.log

Error code: 401
Message: Unable to Sync ePO, Wrong Credentials
Possible issues: The ePO admin username and password combination is incorrect. Verify that the credentials are defined correctly in Custom protocol.

Error code: ePO Code: 500
Message: Can't connect to ip:port (No connection could be made because the target machine actively refused it.)
Possible issues: Unable to connect to the ePO server. Consider changing the following in Custom Protocols: EPO Server IP, EPO Port.

Error code: ePO Code: 500
Message: Can't connect to ip:port (certificate verify failed)
Possible issues: The ePO server does not have a valid SSL certificate issued by a trusted third-party certificate authority. To ignore this and continue without a valid certificate, change the EPO SSL VERIFY HOSTNAME parameter in Custom Protocols to 0.

Error code: ePO Code: 3
Message: ePO Server Task error. Server task:$task was not found. Make sure that the Server Tasks parameter in system Parameters->custom was defined properly
Possible issues: The server task name does not exist in the downstream ePO server. Check the following Custom Protocols setting: Server Tasks.

Error code: 111
Message: Unable to open Tunnel. Sync will not continue.
Possible issues: Verify the following Custom protocol parameter: VSE IP.

Error code: 1301
Message: SMTP Tunnel was not terminated: 1301 Error Message: Failed to terminate Reverse Remote Access connection. Not all the selected remote activities were aborted
Possible issues: Occurs when trying to terminate the SMTP tunnel when the tunnel does not exist.
CS-ICSE609en-510A July 2019 © 2019 Honeywell International Sàrl
Honeywell Process Solutions
1250 W Sam Houston Pkwy S #150, Houston, TX 77042
Honeywell House, Skimped Hill Lane, Bracknell, Berkshire, RG12 1EB
Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203
www.honeywellprocess.com