Few engineers will tell you that software updates are their favorite part of the job, but they’re a critically important part of endpoint security. Unfortunately, they do sometimes come with hassles—in particular, dealing with traffic surges over the WAN whenever many endpoints need to download large software packages at the same time.
In my last blog, I talked about a sometimes-overlooked tagging feature in McAfee ePolicy Orchestrator (ePO) that can dramatically simplify management of your endpoint environment. Now, I’m going to cover some of ePO’s software deployment capabilities that you may not be using, but that can make the task a lot simpler and less bandwidth-intensive.
Distributing Software Deployments
Using ePO, you can distribute software deployment capabilities throughout your environment, and eliminate scenarios where thousands of endpoints are downloading large software packages from a central location. In this way, you can ensure that endpoints always have the latest McAfee software—without saturating site-to-site links or consuming a huge amount of bandwidth connecting to the Internet.
ePO offers two ways to do this: peer-to-peer (P2P) distribution and “SuperAgent” distributed repositories. When you use P2P (enabled by default in ePO), the first endpoint to request a software update downloads it from the centralized master repository and then distributes it to other endpoints within the local broadcast domain. All endpoints receive the update, but most no longer have to go back out over the site-to-link to do it.
P2P software distribution can be extremely efficient, since every system in the environment can act as a distribution node. And if you’re using it and experiencing no link saturation problems, then you don’t need to do anything else.
There may be cases, however, where you’re still experiencing issues. For example, in environments where mobile laptops are frequently moving across locations and networks, it can be hard to ensure that each endpoint connects with other systems in its local group in a timely manner. You may also have systems with older versions of the McAfee ENS agent that don’t support P2P. In these cases, you may have more endpoints than you’d like falling back to the central repository when they need to update software, and saturating site-to-site links. For situations like these, ePO offers an additional distribution option: SuperAgent distributed repositories.
SuperAgents are endpoint systems that can be automatically configured to act as distributed software repositories. Typically, you would choose systems that don’t move and that are already being used as file servers or software distribution servers for a given physical location (such as a server being used to push out Microsoft software updates at a remote site).
To use SuperAgents, you need to ensure that each subgroup in your system tree contains a system from each remote site you want to configure as a remote distribution node. Then, follow these steps:
- In the Policy Catalog, create a new McAfee Agent General Policy tool and enable SuperAgents.
- Use the ePO Tag Console to create a “SuperAgent” tag to assign to systems you plan to use as remote distribution nodes. (For detailed instructions, see my previous blog Using Tags to Simplify Endpoint Security Management)
- In the Policy Assignment Rule settings, assign the SuperAgent policy configuration to all systems tagged as “SuperAgent.”
- In the System Tree, manually apply the “SuperAgent” tag to the file servers or software distribution servers at your remote sites.
Now, ePO will treat those servers as a Distributed Repository in the McAfee Agent Repository Policy.
For the final step, you create a McAfee Agent Repository Policy for each remote site. Here’s how:
- Create a new McAfee Agent Repository Policy for the specified location in the System Tree Subgroup. You’ll need to do this for each location subgroup.
- Select the radio button “Use order in repository list.”
- Ensure that the box “Automatically allow clients to access newly-added repositories,” is not
- Enable the local system that is the SuperAgent, the Master Repository, and the Fallback repository for each remote site, and ensure that all other remote sites are disabled.
- Make sure that the SuperAgent Distributed Repository is listed at number 1
One more aspect needs to be in place to ensure that endpoints at remote sites pull software from their local SuperAgent: systems in the ePO system tree must be organized by remote site. Fortunately, ePO makes it easy to do this. There are three options for sorting systems at remote sites:
- By IP address: If each remote location has a specific IP address range, you can use a sorting criteria based on IP address to sort systems into the correct subgroups in the system tree.
- Using tags: If the systems have attributes that identify them as operating at a specific remote site, you can use those attributes to automatically apply tags to those systems to sort them in the system tree. Attributes like “System Name,” “Custom Property,” or “Is Laptop” can all be used to automatically apply tags for the purpose of sorting each system according to its location.
- Using Active Directory: If your systems in Active Directory are organized by location, you can synchronize Active Directory with the ePO system tree.
Simplify Your Environment
Software deployments don’t have to cause headaches. With ePO distribution features, you can even use P2P and SuperAgents in conjunction, configuring endpoints to use P2P if it’s available and fall back to the local SuperAgent if it’s not. In either case, all endpoints still get timely software updates—without over-saturating the WAN.
To learn more about McAfee ePolicy and optimizing software developments, follow us on Twitter at @McAfee.