Configuring Agent Policies

Posted: September 14, 2009

Agent policy settings

Before distributing a large number of agents throughout your network, consider carefully how you want the agent to behave in the segments of your environment.
Agent policy settings determine agent performance and behavior in your environment, including:

• How often the agent calls in to the server.
• How often the agent enforces policies on the managed system.
• How often the agent delivers event files to the server.
• Where the agent goes for product and update packages.


Although you can configure agent policy after agents are distributed, McAfee recommends setting agent policy prior to the distribution to prevent unnecessary resource impact. For complete descriptions of options on the agent policy pages, click ? on the page displaying the options. However, some of the most important policy settings are discussed here.

Priority event forwarding

The agent and security software on the managed system generate software events constantly during normal operation. These can range from informational events about regular operation, such as when the agent enforces policies locally, to critical events, such as when a virus is detected and not cleaned. These events are sent to the server at each agent-server communication and stored in the database. A typical deployment of ePolicy Orchestrator in a large network can generate thousands of these events an hour.

Typically, you may want to know about higher severity events immediately. You can configure the agent to immediately forward events that are equal to or greater than a specified severity (the severity of each event is determined by the product generating it). If you plan to use Notifications, enabling immediate uploading of higher severity events is necessary for those features to function as intended.

You can enable immediate uploading of events on the Events tab of the McAfee Agent policy pages.

Agent policy and distributed repositories

By default, the agent can update from any repository in its repository list file (SITELIST.XML).

The agent can use a network ICMP ping command or the repository’s subnet address to determine the distributed repository with the fastest response time out of the top five repositories in the list. Usually, this is the distributed repository that is closest to the system on the network.

For example, a managed system in a remote site far from the ePO server probably selects a local distributed repository. By contrast, an agent in the same LAN as the server probably updates directly from the master repository.

If you require tighter control over which distributed repositories the agents use, you can enable or disable specific distributed repositories on the Repositories tab of the McAfee Agent policy pages. Allowing agents to update from any distributed repository ensures they get the update from some location. Using a network ICMP ping, the agent should update from the closest distributed repository from the top five in the repository list.

The agent selects a repository each time the agent service (McAfee Framework Service) starts or when the repository list changes.
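The following is an added sketch, not McAfee code, that models the selection described in this section so the effect of list order and of disabling repositories can be checked on paper. The repository names, addresses and ping times are constructed; treating the subnet method as "longest shared IP prefix" and removing policy-disabled repositories before the top-five cut are assumptions.

```python
import ipaddress

TOP_N = 5  # per the text: only the top five repositories in the list are compared

def common_prefix_bits(a, b):
    """Leading bits two IPv4 addresses share (assumed model of the subnet method)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def select_repository(repo_list, agent_ip, method="ping", disabled=frozenset()):
    """Return the name of the repository this model would pick, or None.

    repo_list is in repository-list order; ping_ms is None when there is no reply.
    """
    # Assumption: repositories disabled in policy are dropped before the cut.
    candidates = [r for r in repo_list if r["name"] not in disabled][:TOP_N]
    if method == "ping":
        reachable = [r for r in candidates if r["ping_ms"] is not None]
        if not reachable:
            return None
        return min(reachable, key=lambda r: r["ping_ms"])["name"]
    if method == "subnet":
        if not candidates:
            return None
        return max(candidates,
                   key=lambda r: common_prefix_bits(agent_ip, r["ip"]))["name"]
    raise ValueError("method must be 'ping' or 'subnet'")

# Constructed sample: an agent at a remote site and six repositories in list order.
AGENT_IP = "10.20.30.40"
REPOS = [
    {"name": "Master",     "ip": "10.1.1.10",  "ping_ms": 85},
    {"name": "DR-HQ-1",    "ip": "10.1.2.10",  "ping_ms": 80},
    {"name": "DR-EU",      "ip": "10.50.1.10", "ping_ms": 140},
    {"name": "DR-APAC",    "ip": "10.60.1.10", "ping_ms": None},  # no reply
    {"name": "DR-US-West", "ip": "10.20.1.10", "ping_ms": 12},
    {"name": "DR-Branch",  "ip": "10.20.30.5", "ping_ms": 2},     # sixth in list
]

if __name__ == "__main__":
    print("ping:  ", select_repository(REPOS, AGENT_IP, "ping"))
    print("subnet:", select_repository(REPOS, AGENT_IP, "subnet"))
    print("US-West disabled:",
          select_repository(REPOS, AGENT_IP, "ping", disabled={"DR-US-West"}))
```

In this model the on-site repository is never chosen while it sits sixth in the list, even though it answers fastest, which is why list order and the enabled set on the Repositories tab are worth reviewing together.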
