EPO3, any way to change the MASTER repository location?

Status
Not open for further replies.

mcse924

MIS
Feb 14, 2002
178
US
In my previous EPO 2.5 setup, I had my AV server (NY), my admin desktop, and a PC in London configured via AutoUpdate Architect rather nicely. We do not allow our AV server access to the internet and do not want it to pull down updates from any websites. I had MY PC configured as the MASTER, and the London and local AV server would be the distributed repositories. PCs in NY would grab updates from the AV server, PCs in London from the local PC in London. My PC grabbed the updates from McAfee automatically, once every 2 days. It worked beautifully.

I now upgraded to EPO 3, and it makes my AV server the MASTER automatically. I don't want this. Is there any way I can change this so that I can have my previous (flawless) setup again?

Carpe diem, procrastination is the thief of time...
 
Yes you can.

You will need to create a new source repository by selecting the "repository" option under your server name. Then select "Add repository". Create a new source repository pointing to a folder on your PC or wherever.

Then select your server under EPO Orchestrator and create a new "Repository Pull" task.

Then delete the NAIFTP task.

 
No you can't. In ePO 3.0, the ePO server is ALWAYS the master repository. You can add source repositories if you wish but the master will always be the ePO server.


AVChap
... WARNING: The Surgeon General says to take my advice at your own risk.
 
So "No you can't" means there is no way around this? That stinks! Security-wise it means I need to open ports to allow my AV server to communicate with the McAfee site, which I guess is do-able but I wish I didn't have to.

Any suggestions for a work-around would be appreciated.

Carpe diem, procrastination is the thief of time...
 
EXAMPLE:
DATSERVER = Server that communicates with McAfee
EPOSERVER = you know what it is ;)
NEWYORKSEPO1 = Distributed Repository Server in New York
NEWYORKC1 = Client in New York
LONDONSEPO1 = Distributed Repository Server in London
LONDONC1 = Client in London

1. On DATSERVER, install AutoUpdate Architect and configure it to download from McAfee.

2. On EPOSERVER, set the source repository to point at DATSERVER.

3. On EPOSERVER, configure the distributed repositories to the server in London and New York.

4. Make a task for each group (LONDON, NEW YORK, etc.) that gets the DAT files for the country it belongs to.

This is what will happen:
MCAFEE -> DATSERVER
DATSERVER -> EPOSERVER
EPOSERVER -> NEWYORKSEPO1
EPOSERVER -> LONDONSEPO1

That should be easy to configure.

Regards,
Thomas Poppelgaard Nielsen
Networkadministrator
Municipality of Aarhus - Denmark
 
TP,

Tried your suggestion, no good. The problem is that the machine with AUA creates its own site list. Also the McAfee Auto Update piece is different than the one used by the EPO 3.x agent. I think AUA should only be used for shops NOT using EPO3.

It worked initially but then after scheduled updates ran (and I guess EPO properties were updated), the sitelist pulled down to the AUA machine was the one from the EPO 3 server, causing major confusion. The next morning (today), I couldn't even open AUA, I got msta.exe errors.

I think I may just bite the bullet and have my firewall guy open up access to only the McAfee HTTP and FTP download sites so my EPO server can do the auto updating. It's a design flaw on McAfee's part if you ask me. Who purposely WANTS TO open up internal servers to the Internet???

Carpe diem, procrastination is the thief of time...
 
Chaps, I'd be interested to know if you had any progress with this, as I would like to set up a distributed update mechanism through our network.
I found the following article: []
Section 5.1 positively recommends multiple master repositories, but it isn't clear if that is using multiple ePO servers or multiple MAA installations.

Hmmm

T.A.N.S.T.A.A.F.L.
(There Aint No Such Thing As A Free Lunch)
 
Like I mentioned in my previous post, there will only be ONE master repository per ePO server and that will be THE ePO SERVER. You can have as many source (recommended you stick with the NAI sites) and distributed repositories as you want. It's just the way it is.

AVChap
... been there, done that, made that mistake too, see where I am now.
 
I have now figured out a way of doing this with ePO 3.0 using mirror tasks. Mail me for more info if you are interested.

T.A.N.S.T.A.A.F.L.
(There Aint No Such Thing As A Free Lunch)
 
Um, why?

Is it so top-secret that you can't just post it to the board?
 
You can still do mirror tasks but it will NOT BECOME the Master Repository whatever you do. We just have to live with this for now.

Also, on the comment on why McAfee is opening up internal servers to the Internet, since when did downloading files from the Internet OPEN the machine up? You can control this using firewall rules IIRC. A good firewall admin can do this with his or her eyes closed.

AVChap
... been there, done that, made that mistake too, see where I am now.
 
AVChap,

I can't disagree with you. But I work for a large financial institution, and we are internally audited twice a year. We are paranoid, and would rather not have internal servers communicate with any internet sites, if we can avoid it. An auditor ALWAYS comes up with crazy scenarios regarding security. Like:

Q: What happens if the McAfee site was hacked and your EPO server started downloading trojans/worms or malicious code?

Not likely to happen, but it's a question that's fair game to them. Yes, we have IDS, AV, and Mailsweeper in the DMZ, but they would ask us something like that anyway. Also, something similar just happened to the Microsoft SUS site over the summer.

Carpe diem, procrastination is the thief of time...
 
Now since you put it that way, this is one suggestion you can probably consider.

The easiest way would be to set up a "download" machine on your DMZ. If possible, run the McAfee AutoUpdate Architect (MAA) on that machine to replicate the online update sites (either the FTP or HTTP site), and set up a distributed repository on the same machine.

Now, use this distributed repository as your source repository, instead of the FTP and HTTP sites.

BTW, AFAIK, McAfee has a validation routine built-in to the product to verify if it downloaded the valid updates. If the validation codes do not match, the downloads are discarded and the program goes to the next update site.

Also, I've never heard of McAfee or NAI's site being hacked into; which is not the same for some other so-called "security" vendors.

My 2 cents.

AVChap
... been there, done that, made that mistake too, see where I am now.
 
Thanks AVCHAP, you are again on the money with your suggestion. I may have to implement that. However, NEVER say NEVER!

Remember the Titanic? How about 9/11?



Carpe diem, procrastination is the thief of time...
 
I said I never "HEARD" of McAfee's site being hacked into. Doesn't mean it won't. [peace]

AVChap

“I have not failed 700 times. I have not failed once.
I have succeeded in proving that those 700 ways will not work.
When I have eliminated the ways that will not work,
I will find the way that will work.”
--Thomas Edison
 