The client transfer between epo servers guide. McAfee Drive Encryption 7.1.3

Transcription

1 The client transfer between epo servers guide McAfee Drive Encryption 7.1.3

2 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, , TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Drive Encryption The client transfer between epo servers guide

3 Contents 1 Introduction 5 Overview About this document Client system transfer operation 7 Overview Terminology Fundamentals User directory Pre-requisites - Software Pre-requisites - Configuration Reporting Error handling Scalability Initiating system transfer Enable the system transfer feature Handling failures 13 Triage Troubleshooting Recovering systems after a failure Detailed workflow checklist 15 5 Frequently Asked Questions 17 McAfee Drive Encryption The client transfer between epo servers guide 3

4 Contents 4 McAfee Drive Encryption The client transfer between epo servers guide

5 1 1 Introduction This document describes how to manage the transfer of systems protected with McAfee Drive Encryption from one McAfee epolicy Orchestrator (McAfee epo ) server to another whilst preserving user assignments, user token, and other data. Contents Overview About this document Overview The client system transfer functionality is only available in Drive Encryption version and higher. With earlier versions, transferring a system from one McAfee epo server to another will replace the user assignments and user token data on the system with data from the destination server, potentially losing user assignments and changing user credentials in the preboot environment. About this document This document is broken into several sections. The initial sections describe how to manage the transfer of systems between McAfee epo servers, including pre-requisites and considerations of scalability to avoid server overload. The later sections give some helpful case studies to show how common Drive Encryption configurations can be managed. McAfee Drive Encryption The client transfer between epo servers guide 5

6 1 Introduction About this document 6 McAfee Drive Encryption The client transfer between epo servers guide

7 2 2 Client system transfer operation Drive Encryption (and above) provides the McAfee epo administrator with a new capability to allow systems to be transferred from one McAfee epo server to another whilst preserving user assignments and user data. Contents Overview Terminology Fundamentals User directory Pre-requisites - Software Pre-requisites - Configuration Reporting Error handling Scalability Initiating system transfer Enable the system transfer feature Overview If the feature is enabled, a system installed with Drive Encryption (or above) will detect a server change, and request that the new Drive Encryption (or above) managing server automatically McAfee Drive Encryption The client transfer between epo servers guide 7

8 2 Client system transfer operation Terminology assigns users to the system within the context of the new managing server. Once the assignment is successful, the system will send its user token data up to the new managing server. Terminology The original managing McAfee epo server is called the source server. The new managing epo server is called the destination server. Fundamentals The transfer process is a system-initiated process. During the first policy enforcement under the control of the destination server, the system receives a manifest of users that are already assigned to it in the context of the destination server. The system calculates the difference between the received manifest and the current set of users on the system (those that were assigned in the source server) to form List A. If List A contains at least one user (and fewer than a configurable maximum number), the system sends List A to the destination server, requesting that it assigns the users in List A directly to the system. An event is sent to the destination server at this point to state that a system transfer has started. Because the destination server will assign users directly to the system (and not to a parent branch), it is important that any required branch-level user assignments are made in the destination server prior to system transfer being instigated - failure to do so will result in these users being assigned directly to the system making future user management more complex. Once the assignment of the users in List A has been successfully made in the destination server, at the next ASCI the system will push user token data for the newly assigned users up to the destination server, along with system encryption and recovery keys, completing the user data transfer process. At this time, an event is sent to the destination server to state that the system transfer has completed successfully. If the number of assignments that need to be made exceed a configurable maximum, the transfer will fail and an appropriate error event will be sent up to the destination server. It is clearly important that the destination server has one or more appropriately configured Active Directory servers to ensure that users can be found and then assigned within the destination server. It is also equally important to configure the Drive Encryption policies in the destination server to ensure that they match those from the source server; failure to do so might lead to systems deactivating or changing their behavior. Environments that use policy-assignment rules to assign user-based policies based on complex rules should take extra care to ensure that rules are appropriately defined in the destination server; failure to do so might lead to changes in the logon experience for affected users. 8 McAfee Drive Encryption The client transfer between epo servers guide

9 Client system transfer operation User directory 2 User directory The McAfee epo User Directory is a directory of users maintained by McAfee epo. The McAfee epo User Directory cannot be transferred from one McAfee epo server to another and for this reason, system transfer of User Directory users is not supported. Pre-requisites - Software For the system transfer and user assignment to be successful: the destination server must be a supported version of McAfee epo 5.1 (or higher). the source server may be any supported version of McAfee epo. the destination McAfee epo server must be running Drive Encryption or above. the systems must be running Drive Encryption or above. Pre-requisites - Configuration For the system transfer and user assignment to be successful: the destination server should have all relevant AD servers configured as registered servers. if chase referrals is enabled, ensure that all AD servers are reachable. the system transfer feature should be enabled on the destination server, using the web-api. an appropriate AD search order must be specified if the destination server has more than one LDAP server using the web-api. the maximum number of users that can be transferred may be specified through the web-api - if no limit is specified, a default limit is used. branch users should be pre-assigned within the destination server. Drive Encryption system policy should be appropriately configured in the destination server. Drive Encryption user-based policy should be appropriately configured in the destination server. appropriate Drive Encryption theme and simple words configuration should be made in the destination server. suitable policy-assignment rules should be configured (if applicable). any systems that inherit user/group assignments by system tree location should be pre-populated in the destination server, in the correct system tree location. Reporting In order to monitor the transfer of systems and detect any issues with the process, a canned query has been provided, that can be monitored from within the destination server McAfee epo console. This McAfee Drive Encryption The client transfer between epo servers guide 9

10 2 Client system transfer operation Error handling canned query reports any systems that have failed the McAfee epo system transfer process, along with an initial root cause analysis of the failure. It is recommended that this query be routinely checked during system transfers. A server task can be configured to automatically the results of the query at regular intervals, if desired. For more information, please see the McAfee epo Product Guide corresponding to your destination server version. Note that the report uses the standard property collection mechanism of McAfee epo, and as such will require systems to perform an agent-server communication in order to obtain the most up-to-date properties. For this reason, it is common for reports to show inconsistent data due to an expected lag in property collection. Error handling In the event that there is an error during the transfer process, the affected system's Drive Encryption service will go into an error state and not perform any further policy enforcement until the service is restarted or the system is restarted. This prevents the destination server becoming overloaded with many systems repeatedly requesting information in the event of a structural configuration issue. Possible causes of errors during the transfer process are: number of users being transferred is greater than the specified maximum. users cannot be assigned in the destination server because it cannot be found in the Active Directory. A suitable error event will be sent up to destination sever to allow administrators to identify affected systems. In the event of an error, the system can be returned to the control of the source server until the root cause is identified. For environments using chase referrals, failure of the referral (due to an unreachable AD server) will result in either user assignment failure (if the user cannot be found) or assignment of the user from an AD server lower in the search order (where the user exists in multiple directories). Scalability There is a direct correlation between the performance of the client transfer solution and the number of Drive Encryption users assigned to each system. The number of user assignments that needs to be made by the destination server in a single ASCI is: numassignments = numsystemstransferred x numusersneedingassignment Equally, the number of user data transfers that need to be made in a single ASCI is: numdatatransfers = numsystemstransferred x numuserspersystem Each system will also transfer its encryption and recovery keys during this ASCI, so systems should be transferred in batches. The McAfee epo infrastructure provides a limited bandwidth that could become overwhelmed if too many systems are transferred at once, or the number of users requiring to be assigned to each system in the destination server is excessive. 10 McAfee Drive Encryption The client transfer between epo servers guide

11 Client system transfer operation Initiating system transfer 2 When enabling the system transfer feature, it's possible to prevent the system transfer from occurring when the number of users that will be assigned to the system during the transfer exceeds a specified limit (configurable maximum number). In the example given above, if the number of users in List A exceeds the limit (configurable maximum number), then system transfer will be abandoned and a suitable error event sent up to the destination server. Note that the limit applies only to those users that are not currently assigned to the system (either explicitly or through inheritance from a branch) in the destination server when the transfer starts. Branch assignments of Drive Encryption users within the source server need to be configured manually within the destination server before systems are transferred. If this step is omitted, the system may fail to transfer if it reaches the maximum user assignment limit. Initiating system transfer In order to safely transfer systems that have McAfee Drive Encryption installed and activated on them, it is important to keep the system in the source McAfee epo server until the transfer process has been successfully completed. If the transfer process fails, the system may need to be moved back to the source server until the problem is resolved. This cannot be done, if the system is deleted from the source server, as all user assignments and user data may have been deleted. Note that systems must not be transferred using the McAfee epo system tree Agent System Transfer, because it deletes the system from the source McAfee epo server. Systems can be safely transferred by manually deploying the McAfee Agent FramePkg from the destination server to the system. For more information, see the McAfee Agent 5.0 Product Guide: FAQ: How can I redirect the communication from a McAfee Agent to a new McAfee epo server? Enable the system transfer feature Enabling system transfer must be performed using the web-api. An example python script to illustrate how this could be accomplished is included later in this document and is available via Software Manager. This section lists the two new web-apis included to enable this feature. Lists servers that have been registered with McAfee epo, (optionally) filtered by type. Returns a dictionary containing the ID, type, and registered server name for each of the current registered servers. Table 2-1 eeadmin.listregisteredservers Parameter Description Required servertype Allows for filtering of the registered server types. Known values: ldap McAfee epo Omit this parameter to list all registered servers. Enables/disables system transfer capability. Returns a dictionary that contains the values that have been saved. Omit all parameters to make no changes and list current settings. No McAfee Drive Encryption The client transfer between epo servers guide 11

12 2 Client system transfer operation Enable the system transfer feature Table 2-2 eeadmin.enablesystemtransfer Parameter Description Required enable True if the feature should be enabled; false if the feature should be disabled. Default is false. No maxusers Determines the maximum number of users that will be assigned in the destination epo server (1-200). Default is 10. Increasing this value could negatively impact the performance of McAfee epo and AD Servers. No searchorder Determines the LDAP search order in the form of a comma separated list of registered server IDs. A search order is mandatory where there is more than one registered LDAP server. The search order allows Drive Encryption to match a user that was assigned in the source server context to a user in the destination server context in a controlled preferential order. Default is none. No If more than one LDAP server is registered in the destination McAfee epo and no search order has been defined, system transfers will fail. 12 McAfee Drive Encryption The client transfer between epo servers guide

13 3 Handling 3 failures This chapter explains about recovering systems and troubleshooting methods. Contents Triage Troubleshooting Recovering systems after a failure Triage In the event of a failure, further transfers should be postponed until the cause is determined. A canned query is provided for detection within the destination server of systems that have failed the transfer. This query can be monitored whilst transferring batches of systems, in order to quickly detect failures. Any failures will also generate an audit event that will be reported to the destination server and also logged to the Drive Encryption log file on the system. Recommended investigation Check the McAfee epo product client events audit for the system and their details Check the Drive Encryption log (MfeEpe.log) Check the McAfee epo orion log Check the agent handler logs Once the issue has been resolved, the Drive Encryption service on the system should be restarted in order to kick off the process again; this can also be accomplished by restarting the system. Troubleshooting The following are the troubleshooting methods for some of the commonly occurring errors: User policy not enforced after transfer has completed This can occur because of one of the following reasons: McAfee Drive Encryption The client transfer between epo servers guide 13

14 3 Handling failures Recovering systems after a failure A policy assignment rule has been defined. The user was assigned to a branch that the system is a child of, however the system was not known by the destination server at the moment when the user was configured for UBP enforcement. At the point when the user was configured for UBP enforcement, the system was not known to the destination server or the user was not assigned to the system. Resolutions Run the DE: Force update for UBP enforcement users from the Server Tasks page in the destination server and wait for the task to complete. Then wake up the system to obtain the latest policies. It is possible to use an automatic response to trigger the DE: Force update for UBP enforcement users when {x} number of events have been received, by using the event ID For more information, see the product documentation for your version of McAfee epo. {x} must be a level that your McAfee epo server can handle; numbers below 200 could cause scalability issues on both McAfee epo and AD servers due to the number of policies that might need to be recalculated. User cannot logon to a system that they were assigned to after transfer completes This can occur because the transferred system user data is sent on the subsequent policy enforcement and the user has already been assigned to another system during that period in the context of the destination server. In this scenario, the user will be treated as an uninitialized user and the default password could be used (if the user has been configured to use a password token). However, if the default password is used, the latest user data will overwrite any existing user data. User is prompted to enter a new password This can occur because the transferred system user has been assigned to another system before the migrated system has sent the user data to destination server and UBP has been configured to 'Do not prompt for default password'. Recovering systems after a failure You can recover your system in the following ways: Exporting recovery keys It is still possible to export the recovery keys from the source server by selecting the system and exporting the key or by providing the keycheck value. Administrator recovery The policy of the destination server will not be enforced on the system in a failure case. Administrator recovery is therefore only possible from the source server. Repatriation of failed systems If a system fails the transfer, transfer the system back to the source server - policy enforcement will start again until the problem is identified and solved. 14 McAfee Drive Encryption The client transfer between epo servers guide

15 4 Detailed workflow checklist This section highlights a suggested workflow. Make sure that you do not use the McAfee epo transfer system feature to transfer Drive Encryption systems using the process documented in this document. This feature removes the system from the existing McAfee epo server during the transfer, resulting in total loss of user assignments from that server. Table 4-1 Preparation of the destination server Step 1 Ensure that the destination server is running Drive Encryption or above. 2 Ensure that systems to be transferred are running Drive Encryption or above. 3 Ensure that the required AD servers are configured within the destination server, and are reachable from the server. 4 If any of the AD servers have been configured for Chase referrals, ensure that all child domains are reachable before the transfer starts. 5 Ensure that the system tree is appropriately configured in the destination server. 6 Ensure that all Drive Encryption branch users are appropriately configured in the destination server. 7 Ensure that Drive Encryption system policy is correctly configured in the destination server. 8 Ensure that Drive Encryption user-based policy is correctly configured in the destination server. 9 Ensure that policy-assignment rules are correctly configured in the destination server (if used). 10 Ensure that Drive Encryption theme and simple words settings are appropriately configured in the destination server. Table 4-2 Enable the feature on the destination server Check Step 1 Determine the AD search order required to optimize search times for users (ensure that the most frequently used AD server is the first in the list, and the least frequently used AD server is last in the list). 2 Enable the feature in the destination server using the web-api, specifying the appropriate search order. 3 [Optional Step] Setup automatic responses to tag system based on audit event 30090, which is sent up once the system transfer is completed. Check McAfee Drive Encryption The client transfer between epo servers guide 15

16 4 Detailed workflow checklist Table 4-3 Create replica of source system tree in destination server Step 1 Export the system tree from the source server. For more information, see the product documentation for your version of McAfee epo. 2 Manually edit the file to remove unwanted branches/systems. It is recommended that My Organization and Lost&Found are removed. Failure to do so could result in nested branches after the import. Check 3 Import the system tree file into destination server. 4 Validate that the branches and systems have been imported correctly before proceeding. Table 4-4 Create policies Step 1 Export relevant policies (Product/User Based/ALDU [Add Local domain User(s)]) from the source server. 2 Import relevant policies into the destination server. Table 4-5 Create policy assignment rules (if used) Step 1 Export relevant policy assignment rules from source server. 2 Import relevant policy assignment rules into the destination server. 3 Manually assign specific users/groups to relevant policy assignment rules in the destination server. 4 Manually create any user based policy rules required in the destination server. 5 Manually Configure UBP enforcement for the relevant users to ensure user(s) receive the correct user-based policy. 6 Reduce the number of ASCIs needed for the user-based policy to be received on the client, assign the users/groups to the relevant systems/branches, and then run the server task DE: Force update for UBP enforcement users. 7 If users are assigned explicitly to the system during the transfer process, then the DE: Force update for UBP enforcement users will need to be triggered manually after receiving the event ID If there are a large number of systems that require this step, run the task after transferring a number of systems. It is recommended that systems are transferred in batches to reduce excessive load on destination and AD servers; each transferred system will escrow its keys to the destination server during the transfer process which places load on the epo server. Check Check On successful assignment, the encryption keys and user data will be transferred to the destination server at which point the new McAfee epo policy will be enforced. Table 4-6 Transfer systems to destination server Step 1 Obtain McAfee Agent package from the destination server. 2 Deploy McAfee Agent to systems to be transferred. For more information, see the McAfee Agent 5.0 Product Guide: FAQ: How can I redirect the communication from a McAfee Agent to a new McAfee epo server? Check 16 McAfee Drive Encryption The client transfer between epo servers guide

17 5 Frequently Asked Questions Here are answers to frequently asked questions. I use ALDU for automated domain user assignment. How does system transfer affect me? You need to enable the system transfer feature to ensure that the user token data is preserved after the transfer is completed. One or more systems has reached the limit on the maximum number of user assignments that can be made. What should I do? The principle of Least Privilege requires that access is controlled to the smallest group of users. If the limit on user assignments has been reached, McAfee recommends that the user assignments be reviewed. You can use this opportunity to set up the destination environment appropriately, with groups assigned to branches. It is preferable to create groups in the AD server and assign these groups to branches rather than directly to systems, to allow easier management. This will minimize the number of users that need to be assigned during the system transfer process. I have multiple branch-level user and group assignments in the source server. What should I do? You will need to ensure that the destination server is setup with equivalent branch assignments before system transfer begins. How do I know if systems are being transferred successfully? A canned query can be run in the destination server that lists any systems that fail the system transfer. Can I use the McAfee epo system tree "Transfer System" action? No. This system tree action removes the system from the source server. For Drive Encryption, this results in a loss of user assignments and user data. The system cannot then be reverted to the source server, if problems occur during system transfer. Instead, the McAfee Agent corresponding to the destination server should be manually deployed to the systems. Do I need to pre-populate the systems in the destination server, before transferring them? Only if those systems inherit user assignments through their parent branch(es), or if any users on the system require UBP assignment rules. Is there any further support for this feature? While support for this product feature is available using the normal channels, customers may also consider engaging Professional Services for in-depth assistance with planning, setup, testing and execution of the client transfer within their environment. McAfee Drive Encryption The client transfer between epo servers guide 17

18 5 Frequently Asked Questions 18 McAfee Drive Encryption The client transfer between epo servers guide

19 0-00