Release Notes for McAfee ePolicy Orchestrator 4.5 Release Candidate

About this document

Thank you for using McAfee® ePolicy Orchestrator® software version 4.5. This document contains important information about this release. We strongly recommend that you read the entire document.

CAUTION: We do not support automatic upgrading of a pre-release version of the software. To upgrade you must first uninstall the existing version of the software.

This is pre-release code. We strongly recommend that you do not install this software into a production environment.

NOTE: We do not support build to build upgrades of pre-release software. If you are running any version of the McAfee ePolicy Orchestrator 4.5 Beta software in your test environment, you must uninstall before installing the Release Candidate software.
NOTE: SQL 2000 is not supported in ePolicy Orchestrator 4.5. Users must use SQL 2005 or SQL 2008.

New features

This Release Candidate software supports the following languages:
  • Chinese (Simplified)
  • Chinese (Traditional)
  • English
  • French (Standard)
  • German (Standard)
  • Japanese
  • Korean
  • Russian
  • Spanish

Scalability

The ePolicy Orchestrator 4.5 software supports enhanced scalability through the use of remote Agent Handlers. Agent Handlers can be installed on servers that agents can connect to in order to retrieve policies, client actions, or updates. Agents can also use Agent Handlers to send properties and events to your primary ePO server.

Support of multiple Agent Handlers enables one ePO server to manage a larger set of installed products on a larger set of managed systems. Agent Handlers can be deployed to strategic points in your network environment, enabling management of systems that cannot access the main ePO server directly. They can also be used in locations where the ePO server can be accessed directly.

Custom Data Channel

The custom data channel is a bi-directional channel for sending product-specific data between ePolicy Orchestrator and products on your managed systems. This new feature allows McAfee to provide UI actions for troubleshooting that give real-time feedback. These actions are designed to operate on a single system, while providing real-time status to your ePO administrators. The Update Now action is an example of this new feature.

Improved security for agent-to-server communication

Agent communication with the ePO server now uses the TLS (Transport Layer Security) protocol for improved security.

Move agents between servers

You can move agents from one ePO server to another by telling them to report to a new ePO server using the Transfer Systems feature.

Navigation redesign

The navigation for the ePO console has been redesigned for the 4.5 release. Now you can access any of ePolicy Orchestrator's first-level tabs from the new ePO Menu. You can also add the pages you use most frequently to the favorites bar by dragging any entry in the Menu and dropping it onto the bar to the right of the Menu.

Drag-and-drop

You can use drag-and-drop functionality to move certain objects in the interface. You can:
  • Add Menu items to the favorites bar.
  • Add commonly used actions from the Actions menu to the Action bar beneath a table.
  • Move selected systems or groups of systems from the Systems table to a different group in the System Tree.
  • Move groups and sub-groups into other groups in the System Tree.

Policy Assignment Rules

ePolicy Orchestrator 4.5 allows you to assign policies to unique groups, or individual users, through the use of Policy Assignment Rules. This feature enables policy assignment based on the Active Directory groups that users belong to, instead of the machine they are using. You can include individual users, groups, and Organizational Units (OUs) in a rule. You can also exclude specific users from a rule.

Automatic Responses

The new Automatic Responses feature improves upon, and consumes, the Notifications feature. This new feature allows you to create chainable rules for responding to events that are specific to your business environment. Available actions include sending email, sending SNMP traps, creating a new issue, and running a registered executable or server task.

IPv6 support

ePolicy Orchestrator 4.5 supports operating in an IPv6 environment.

Issues and ticketing

ePolicy Orchestrator 4.5 now provides basic issues management and bi-directional integration with two third-party ticketing systems: Service Desk and Remedy.

Multi-server roll up reporting improvements

The multi-server roll up reporting feature has been enhanced. You can now filter out unwanted items before performing a data roll up. New roll up reporting targets have been added, including policy assignments, and specific policy use across your network.

Active Directory improvements

The ePolicy Orchestrator 4.5 software supports closer integration with Active Directory. You can now:
  • Assign permission sets to users based on their Active Directory group.
  • Browse your AD server for users or groups when creating Policy Assignment Rules.
  • Automatically assign administrator rights to users when they log in with their AD domain credentials.

Queries system improvements

The Queries system has been enhanced in several ways. The Queries page has been redesigned to group queries by result types, and more default queries have been added. Query targets have also been grouped in the Query Builder wizard. A stacked bar chart has been added to the available chart types, and the variables and parameters for use in configuring charts have been improved.

Rogue System Detection improvements

Rogue System Detection has been improved to fully leverage the power of the ePolicy Orchestrator 4.x platform. Now you can categorize exceptions, update your OUI list, and optionally employ OS fingerprinting.

Searchable help

You can now search the context-sensitive help and product guides of those products for which you have installed the ePO Help extension.

Known Issues

Known issues in this release of the software are described below:

Installation and upgrade issues

  • Installation roll back fails. ePolicy Orchestrator 4.5 does not yet support the ability to downgrade a product version. (383591)
  • Upgrading from ePolicy Orchestrator 4.0 Patch 3 might fail. To work around the problem, delete the existing logs found at %TEMP%\MFELogs and %TEMP%\NAILogs and restart the upgrade.
  • Using a SQL NT authenticated user that is not a local admin on the ePO server causes the installation to fail. (367702)
  • Using complex characters (e.g. @, #, $) in the SQL server administrator password might prevent ePolicy Orchestrator from installing. For more information on accepted username and password formats, see ePolicy Orchestrator 4.5 and SQL server username and password considerations in this document. (363939)
  • Using complex characters (e.g. @, #, $) in the password for the administrator account when installing ePolicy Orchestrator 4.5, or upgrading from version 4.0 to version 4.5 might cause the installation to fail. For more information on accepted username and password formats, see ePolicy Orchestrator 4.5 and SQL server username and password considerations in this document. (459993, 460994)
  • When the SQL Server "Nested Triggers" option is disabled, policy assignment time stamps are not updated. This causes ePolicy Orchestrator to fail to deliver full policies to client systems. To work around this issue, verify that the "Nested Triggers" option is enabled for the ePolicy Orchestrator database. For more information, see KB article: KB52512. (406765)

Migration issues

Migration from ePolicy Orchestrator 3.6.1 Patch 4 and ePolicy Orchestrator 4.0 Patch 3 or 4 is supported. However, some of your settings, such as Server Tasks, Client Tasks, Custom Policies, and Tags might not migrate properly. Refer to the following list for details on other, more specific known migration issues.

  • Migrated permissions for users other than global administrators might cause problems. These permissions can include permissions to unsupported products. If non-global administrators have permissions to these unsupported products, duplicating the permission results in an error and the duplication fails. (373127)

System Tree issues

  • When adding multiple systems to the System Tree, if one or more systems is a duplicate and the 'no' option is selected on the subsequent confirmation dialog, no systems are added. (457148)

Rogue System Detection issues

  • In the Rogue System Detection Detected Systems Details page, the Back and Next arrow buttons located above the Actions Taken pane might produce unexpected results. For example, clicking the Next arrow might not return the Detected Systems Details page for the next system in the list. (395571)

Browser issues

  • When accessing the ePO console using Internet Explorer 8, the log on dialog might not appear. This might occur when Enhanced Security is enabled in Internet Explorer 8. To work around this issue, you must add your ePO console to the Trusted sites list in IE 8. Click Tools | Internet Options and open the Security tab. Then click Trusted Sites | Sites and add the URL for your ePO console. (457117)

Documentation issues

  • Product documentation for ePolicy Orchestrator 4.5 is currently in development. All pre-release documentation is delivered in a draft state.
  • Help topics fail to display when Internet Explorer Enhanced Security is configured on Windows Server 2008. Go to Server Manager and switch off Internet Explorer Enhanced Security and the ePolicy Orchestrator Help displays. (392671)

Resolved issues

Issues from previous Beta versions of the ePolicy Orchestrator 4.5 software that are resolved in this release are listed below.

Installation and upgrade

  • Installation no longer fails on Windows Server 2008. ePolicy Orchestrator 4.5 now installs without issue. (457681)
  • Installing in a cluster environment no longer fails. (428386)
  • The issue that prevented Rogue System Detection from being migrated to ePolicy Orchestrator when upgrading to ePolicy Orchestrator 4.5 from version 4.0 has been resolved. (459568)
  • When installing a remote Agent Handler using credentials that don't belong to an ePO global administrator, the error message that appears now states that "The specified user does not have global administrator privileges on the ePO server." To proceed, click OK, then supply global administrator credentials. (453007)

System Tree issues

  • Exporting the tree structure now functions properly. The file export action exports the tree structure so that you can import a tree structure file that was exported from ePolicy Orchestrator 4.5. (416014)
  • The View Effective Policy action in the System Tree | Systems tab Action menu is now functional.
  • When using Windows 2008 to add new systems to the System Tree (Menu | System Tree | System Tree Actions | New Systems), using the Browse... action under Systems to add might deliver a blank Domain list in the Browse for Systems page. The workaround for this issue is published in KB53861. (391040)

Agent issues

  • Agent wake-up calls no longer report as failed in the Audit Log and Server Task Log when the action is successful. (458385, 458906)
  • Clicking Show Agent log for a managed system now shows the agent log file. If you are unable to view the agent log file, verify that McAfee Agent policy settings are configured so that the Accept connections only from ePO server option is unchecked (General tab) and the Enable remote access to log option is checked (Logging tab). (423805)
  • When installing remote Agent Handlers in a domain outside the domain on which your main ePO server resides, you no longer must provide credentials that are valid for the ePO server as well as the Agent Handler. (434059, 449336)
  • Agents are removed from systems being deleted when using the Delete action in the Actions | Directory Management menu. (468683)

Repository issues

  • Importing master repository key pairs from another ePO server no longer removes the contents of the master repository. (465735)
  • When creating an FTP or HTTP Source Site with the Source Site Builder wizard, IP addresses are recognized as valid URLs. You can use the DNS name of the server or the IP addresses. (452754)
  • The Move existing package to previous branch functionality is working when performing repository pulls. (459776)

Registered Server issues

  • Newly registered ePO servers now retain the SSL communication with database server setting. The setting no longer resets itself to try to use SSL regardless of the option specified by the user. (456580)
  • New registered servers are created even if the ePO server being created used local SQL 2005 Express for its SQL Server. (460151)

Agent Handler issues

  • Installing remote Agent Handlers on servers running Microsoft IIS (Internet Information Services) requires advanced configuration. Both IIS and remote Agent Handlers use port 80 by default. If you attempt to install when Microsoft IIS is configured to use port 80, an installation message informs you so that you can modify the ports accordingly. You can modify the default settings for either software to specify a different port in order to install an Agent Handler on the same system. The port used by Agent Handlers is specified while setting up ePolicy Orchestrator. (460862)
  • Restarting a remote Agent Handler no longer triggers the error stating that the "Apache HTTP Server encountered a problem and needed to close," and no longer requires you to restart the Apache service using the Services Management Console. (452181)
  • Deleting a system from the System Tree and removing the agent removes the agent from the Agents for Agent Handler list belonging to the Agent Handler where it was assigned. (440451)
  • Agent Handlers installed on remote systems do not appear in the Handler List page when the ePO server is installed on the same system as the SQL Server. (441322)
  • When creating a new master key, agents assigned to Agent Handlers would retain the old master key. The new master key is now added to the Agent Handler's key store. (458969)

Policy Assignment Rule issues

Creating a Policy Assignment Rule without specifying one or more of the following Directory Criteria from the Available Properties list no longer causes all agent communication to fail:
  • Group Membership
  • Organizational Unit
  • User

(460866)

Query issues

  • Default queries and dashboards are removed during downgrade of product extensions. These queries and dashboards no longer need to be removed manually. (447600)
  • Some queries do not return any results when run from the Queries page. If this occurs, running the query from the Edit Queries page does return results. Run the query from the Edit Queries page by clicking Edit, then click Run to see the results. If you'd like these results to populate a dashboard, you must save the Query after you run the query and the results are returned. (458522, 458036)

Rogue System Detection issues

  • Deploying an agent from the Detected Systems Interface Query results page is successful. (439731, 439879)

Client Task issues

  • Client Tasks created at a single node are now displayed in the list of tasks created at that node. (465942, 466112)

Browser issues

  • The Menu and favorites bar no longer becomes distorted or unusable when viewing ePolicy Orchestrator with Firefox browser version 3.0.6. It is not necessary to clear the browser cache and restart Firefox when using ePolicy Orchestrator with this browser. (466407)

Documentation issues

  • Hyperlinks in the context-sensitive help appear. You can still use the search feature or index to find topics about the products you have installed. (455248)

Other issues

  • The Automatic Response feature, new to ePolicy Orchestrator 4.5, consumes the Notifications feature. The Automatic Response feature includes permission sets and server settings for Notifications. The Event Notifications permission set controls whether users can view or create registered executables for use with Automatic Responses, and if they can view rules and automatic responses for the entire System Tree. (436988)

Installation, upgrade and migration considerations

Consider the following when planning to install and upgrade, or migrate to ePolicy Orchestrator 4.5.

Installation and upgrade considerations

  • The ePolicy Orchestrator 4.0 Notifications feature has been replaced by Automatic Responses. The notifications you created in version 4.0 are not supported or migrated to version 4.5 of the ePO software. McAfee recommends that you note the settings and purpose of your 4.0 notifications before upgrading to version 4.5 so that you can set up the Automatic Responses system based on your notes.
  • During installation, specify the machine name of the system that your database is installed on. Using "localhost" or the IP address causes the installation to fail.
  • After upgrading, some server tasks are disabled due to differences in server task functionality. For example, server tasks that were set to run immediately are disabled because this is no longer a schedule option. Be sure to review all server tasks, update their settings, and enable them as needed.
  • The following products are not yet supported on ePolicy Orchestrator 4.5. These products are migrated when you upgrade from a previous version of ePolicy Orchestrator in order to retain their data. However, they don't currently function correctly on ePolicy Orchestrator 4.5, and should not be used until an upgrade is available that supports the 4.5 software:
    • Endpoint Encryption 5.2.1
    • GroupShield Enterprise 6.0
    • GroupShield Enterprise 6.0.2 with SpamKiller Enterprise
    • LinuxShield 1.5
    • Non-Windows Agent 2.0
    • SecurityShield for Microsoft ISA Server
    • SiteAdvisor Enterprise 1.5
    • VirusScan 8.0i with McAfee AntiSpyware Enterprise
    • VirusScan for Mac 8.5
    • VirusScan for Mac 8.6
    • VirusScan Mobile Enterprise 2.0
  • The following products are not supported on ePolicy Orchestrator 4.5. Data associated with these products is not retained when upgrading to version 4.5:
    • ePO McAfee Agent (CMA) 3.5.5
    • ePO Agent for Linux
    • ePO Agent for Mac OS X
    • ePO Agent for Netware
    • LinuxShield 1.3
    • LinuxShield 1.4
    • McAfee Network Access Control 3.0
    • NetShield for NetWare 4.6.3
    • Policy Auditor 5.0
    • Policy Auditor 5.0.1
    • System Compliance Profiler
    • Virex 7.7

ePolicy Orchestrator 4.5 and SQL server username and password requirements

ePolicy Orchestrator 4.5 does not recognize some characters when used in ePolicy Orchestrator or SQL usernames and passwords.

ePolicy Orchestrator recognizes all printable characters in the CP1252 character set, except:
  • Leading spaces, trailing spaces, or passwords consisting of only spaces.
  • Double quotes (").
  • Leading backslashes, trailing backslashes, or passwords consisting only of backslashes (\).
  • Usernames containing a colon (:) or semi-colon (;).

SQL Server recognizes all printable characters in the CP1252 character set, except:
  • Leading spaces, trailing spaces, or passwords consisting of only spaces.
  • Double quotes (").
  • Single Quotes (').
  • Backslashes (\).
  • Usernames containing a colon (:) or semi-colon (;).
  • SQL passwords must not exceed 127 bytes in length.
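
The two rule lists above, written as a pre-install check. This is an added example, not McAfee code: the function names are hypothetical, and treating control characters as non-printable and counting the 127-byte limit in CP1252 bytes are assumptions.

```python
SQL_PASSWORD_MAX_BYTES = 127      # limit stated in the release notes
KNOWN_ISSUE_CHARS = "@#$"         # examples given in the known-issues list


def check_credential(value, field, target):
    """Return the rule violations for one value (empty list = accepted).

    field is "username" or "password"; target is "epo" or "sql".
    """
    if field not in ("username", "password") or target not in ("epo", "sql"):
        raise ValueError("field: username|password, target: epo|sql")

    try:
        raw = value.encode("cp1252")
    except UnicodeEncodeError:
        return ["contains a character outside CP1252"]

    problems = []
    # Assumption: "printable" excludes C0 control bytes and DEL.
    if any(b < 0x20 or b == 0x7F for b in raw):
        problems.append("contains a non-printable character")

    if value and not value.strip(" "):
        problems.append("consists only of spaces")
    elif value.startswith(" ") or value.endswith(" "):
        problems.append("has a leading or trailing space")

    if '"' in value:
        problems.append("contains a double quote")

    if target == "epo":
        # ePO rejects backslashes only at the edges, or a value made of them.
        if value and not value.strip("\\"):
            problems.append("consists only of backslashes")
        elif value.startswith("\\") or value.endswith("\\"):
            problems.append("has a leading or trailing backslash")
    else:
        # The SQL Server list is stricter: any backslash, any single quote.
        if "\\" in value:
            problems.append("contains a backslash")
        if "'" in value:
            problems.append("contains a single quote")
        # Assumption: the 127-byte limit is measured in CP1252 bytes.
        if field == "password" and len(raw) > SQL_PASSWORD_MAX_BYTES:
            problems.append("exceeds 127 bytes")

    if field == "username" and (":" in value or ";" in value):
        problems.append("username contains a colon or semicolon")
    return problems


def known_issue_chars(password):
    """Characters tied to the installer known issues. "@", "#" and "$" are
    the examples the notes give; the full set is not documented."""
    return sorted(set(password) & set(KNOWN_ISSUE_CHARS))


if __name__ == "__main__":
    # Constructed sample credentials, not values from any real system.
    samples = [
        ("epo-admin", "username", "epo"),
        ("svc;epo", "username", "sql"),
        ("mid\\slash", "password", "epo"),
        ("mid\\slash", "password", "sql"),
        (" padded", "password", "sql"),
    ]
    for value, field, target in samples:
        print(repr(value), field, target, check_credential(value, field, target))
    print("known-issue characters:", known_issue_chars("P@ss#1"))
```

A password that passes both lists can still hit the installer known issues listed earlier in these notes, which is why `known_issue_chars` reports separately instead of rejecting the value.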

Migration considerations

  • Extended task details for the deploy agent and wake-up agent server tasks are not migrated.
  • Packages installed in your repository using version 3.6 or 4.0 of the ePO software have a blank value in the Signed by column. This value will get updated after updates are downloaded and installed.

Installing SQL Server 2005 Express or 2008 Express on Windows Server 2008

SQL Server 2005 Express or 2008 Express must be installed manually on Windows Server 2008. You must set up and verify the following before installing ePolicy Orchestrator:
  1. Verify that the SQL Browser Service is running.
  2. Ensure that TCP/IP Protocol is enabled in the SQL Server Configuration Manager.
  3. You might need to provide the name of your SQL Server in the ePolicy Orchestrator installer Database Information page. Depending on the configuration of your SQL server, this name should be formatted using the SQL server name or the SQL server name with instance name.
  4. If you are using a dynamic port for your SQL server, make note of it. You must specify this port number on the Database Information page. You can find this port number in the SQL Server Configuration Manager in the TCP/IP Properties on the IP Addresses tab. The port number is specified in the Dynamic Port field.

Installing optional product documentation

This Release Candidate software installs the McAfee Agent 4.5 and Virus Scan Enterprise 8.7 product extensions by default, along with the appropriate help files. If you optionally choose to install the McAfee Agent 4.5 or Virus Scan Enterprise 8.5 product extensions you must install the help separately. These files are included in the ePolicy Orchestrator software .zip file in the extensions-help folder. In default installations, this folder is located at C:\Program Files\McAfee\ePolicy Orchestrator\Extensions-Help. To install the help extension:
  1. In the ePolicy Orchestrator interface click Menu | Software | Extensions and click Install Extension.
  2. Browse to the help extension you want to install and click Open and then click OK.
    NOTE: You must install the product extension before installing the associated help extension.

Considerations when uninstalling ePolicy Orchestrator

If you have Agent Handlers in your environment, you must uninstall them before uninstalling ePolicy Orchestrator. Uninstalling ePolicy Orchestrator without uninstalling the Agent Handlers in your environment can prevent the ePO database from being deleted.

Where to find McAfee enterprise product information

The McAfee documentation is designed to provide you with the information you need during each phase of product implementation, from evaluating a new product to maintaining existing ones. Depending on the product, additional documents might be available. After a product is released, additional information regarding the product is entered into the online KnowledgeBase available on McAfee ServicePortal.

Evaluation Phase: How can my company benefit from this product?

Evaluation Tutorial

  • Preparing for, installing and deploying software in a test environment.
  • Detailed instructions for common tasks.

Installation Phase: Before, during, and after installation.

Release Notes

  • Known issues in the current release.
  • Issues resolved since the last release.
  • Last-minute changes to the product or its documentation.

Installation Guide

  • Preparing for, installing and deploying software in a production environment.

Setup Phase: Getting up-and-running with the product.

Product Guide and Online Help

  • Setting up and customizing the software for your environment.

Online Help

  • Managing and deploying products through ePolicy Orchestrator.
  • Detailed information about options in the product.

Maintenance Phase: Maintaining the software.

Online Help

  • Maintaining the software.
  • Reference information.
  • All information found in the product guide.

KnowledgeBase (knowledge.mcafee.com)

  • Release notes and documentation.
  • Supplemental product information.
  • Workarounds to known issues.

Finding release notes and documentation for McAfee enterprise products

Use this task to go to the release notes and other product documentation for McAfee enterprise products.

  1. Go to knowledge.mcafee.com and select Product Documentation under Useful links.
  2. Select <Product Name> | <Product Version> and select the required document from the list of documents.

COPYRIGHT

Copyright © 2009 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.