McAfee ePO updates an existing System Tree record with the new properties received or adds a new record to the System Tree, if there is not already an entry present for the system. For additional details on working with the System Tree, see the System Tree section.
Products that are checked into the Master Repository can be deployed from McAfee ePO to managed systems using Product Deployment Client Tasks or by creating a Product Deployment Project.
Deployment tasks should be completed in a phased rollout to install products to groups of systems at a time. The same task can have multiple assignments throughout the System Tree, and each assignment defines the schedule for the task.
NOTE: Avoid creating task schedules that will repeat the task too frequently or run the task on too many nodes simultaneously because this could potentially overload the McAfee ePO server.
When a client task is assigned to a group or node in the System Tree, the agent downloads the task settings during its next communication interval and invokes the task according to the schedule defined. When the client task is invoked, the agent downloads the components defined from the McAfee ePO server Master Repository. Additional Distributed Repositories can be configured to help split up the load.
As you deploy products to each group, monitor the deployment, run reports to confirm successful installations, and troubleshoot any problems with individual systems.
Product updates are a type of client task that are used to apply content updates to products already installed on managed systems. Content updates include antivirus definitions (.DATs), version updates, and hotfixes.
The default server task “Update Master Repository” runs daily. This task downloads the latest .DAT available from the McAfee Source Site and checks the .DAT package into the Current Branch of the Master Repository. To deploy the .DAT to the managed systems:
Best practice: Automating .DAT file testing
It is possible to transfer or move managed clients (Agents) from one McAfee ePO server in an environment to another via the Transfer Systems mechanism built into McAfee ePO.
This is desirable when, instead of upgrading an older McAfee ePO server, the administrator chooses to build a new environment. The alternative, redeploying the McAfee Agent to all managed endpoints, can be unwieldy in larger environments.
NOTE: There are minimal limitations regarding McAfee ePO server versions when transferring systems. For example, it is possible to transfer from much older versions of McAfee ePO (for example, from McAfee ePO 5.1.3 to 5.9.1).
There are several critical factors to consider when transferring systems:
A step-by-step guide to configuring system transfer is detailed in KB79283.
Moving the McAfee ePO server’s SQL database to a new server or instance is not a difficult task, though it does require some familiarity with SQL configuration.
A basic walkthrough of the migration process is included in KB68427, including step-by-step instructions for implementing the basic workflow:
NOTE: All handlers, including the McAfee ePO server itself and all remote Agent Handlers, depend on a fast, consistent connection to the SQL database.
Don’t forget to update any remote handler’s database configuration to point to the new database; otherwise, the handler will be nonfunctional and unable to process incoming Agent communications.
A similar process is to simply move the SQL database files to a new drive or location on the SQL server (instructions are included in KB71055). This process may be necessary if the SQL server runs out of disk space.
In the past, the process of moving the McAfee ePO server to a new machine was arduous (see the Disaster Recovery process in KB66616 and KB71078). Those older workflows are still an option, but with the advent of the Disaster Recovery Snapshot, the recovery and migration has been consolidated into one easy process.
Considerations for the Disaster Recovery Snapshot:

NOTE: The “Disaster Recovery Snapshot Server” task is disabled by default when the McAfee ePO SQL database is hosted on an SQL Express instance. This is due to the SQL Express 10 GB file size limitation and how much data is stored within the database inside the snapshot table.
If the McAfee ePO server is restored to a new machine, physical or virtual, it’s important to keep one method of agent-server communication intact if redeployment of the McAfee Agent is not desired. The McAfee Agent installed on client machines uses three methods of contacting the McAfee ePO server or remote handler:
If the McAfee ePO server is restored to a new machine with a different NetBIOS name and FQDN, the McAfee Agents in the environment can communicate only if the IP address remains the same. If all three methods of communication are different, the endpoints have no way of routing their traffic to the new server outside of a DNS redirect.
McAfee ePO 5.9.x and later support the SHA-2 signing algorithm for all its self-signed certificates. If McAfee ePO 5.9.x or 5.10.x are installed cleanly, all product certificates automatically generate using this newer signing algorithm. If the McAfee ePO server is upgraded from a previous version, it is necessary to use the new functionality made possible by the Certificate Manager.
SHA-1 to SHA-2 migration is covered extensively in KB87017.
NOTE: It is critical that the certificate migration process described in KB87017 is not finalized before an accepted number of client machines have communicated and received the new agent-server communication certificates. Internal tracking is available within the Certificate Manager to provide for complete visibility. A failure to follow instructions during this step will result in a complete failure for all client machines that have yet to receive the new certificate to communicate with McAfee ePO—meaning that redeployment of the McAfee Agent will be the only solution.