Installation Guide
COPYRIGHT
Copyright © 2018 McAfee, LLC
TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
1 Installation overview
5 Post-installation tasks
Configure the TIE server extension
Configure the TIE server topology
Configure the TIE server policy
Verify the installation
Verify registered servers
Monitoring and making adjustments
Building file prevalence and observing
Managing TIE server database
Index
You must install the components for Threat Intelligence Exchange manually after Endpoint Security installation
is complete to manage Threat Intelligence Exchange features from VirusScan Enterprise.
The TIE server is a real-time adaptive prevention provider that gives customers the power of knowledge by
telling them what is malicious, trusted, and unknown in their environment, where it was used and when.
By installing the Threat Intelligence components as McAfee ePO extensions, you can manage TIE features for
enterprise-wide protection against newly emerging and discovered threats within milliseconds.
The components are a client module for Endpoint Security, a server for file and certificate reputation storage,
and DXL brokers for bidirectional communication between managed systems on a network.
As a McAfee ePO administrator, you can install the TIE Server appliance using an OVA or an ISO file on a Virtual
Machine (VM) before you deploy the DXL brokers. For your endpoints, you install the TIE client module and the
DXL client you need. To complete the installation, you need to configure the operation mode of the TIE server
and assign its policies.
Determine your infrastructure requirements before you deploy the TIE server.
Contents
Designing your infrastructure
Sizing and performance
• Resource usage and capacity — Measures CPU, RAM, disk, and network usage when using the TIE solution
over a few hours.
• Latency impact and scalability — Measures the throughput capacity differences when adding new secondary
server instances.
For detailed information about each item and sizing recommendations, see the sizing and performance guide
for Threat Intelligence Exchange.
Make sure that your system environment meets the specific hardware and software requirements.
Contents
Threat Intelligence Exchange network overview
Network requirements
Environment requirements
Client operating systems
Make sure that these ports are open and available for use with Threat Intelligence Exchange.
This table describes the endpoints, network protocols, and ports of the diagram, from top to bottom, left to
right.
McAfee Web Gateway server and Advanced Threat Defense communicate with the TIE server through DXL.
Table 3-1 Default ports used with Threat Intelligence Exchange (continued)
Default port Protocol Description
5432 TCP McAfee ePO connectivity applicable to the TIE server used for the McAfee ePO
reporting function only.
Monitoring and replication traffic sent from secondary TIE servers to primary TIE
servers.
These are the default ports used with TIE server. The list might vary if you customize the ports.
For details about the default ports required for each component, see KB66797.
Network requirements
Make sure that the network environment is healthy and can reach the Internet directly or through a web proxy, and
that DNS is available for both servers and endpoints. NTP services are already available with known servers or
local ones (if available).
Make sure that there isn't Network Address Translation (NAT) among the TIE servers or between McAfee ePO
and the registered TIE server database.
Environment requirements
The TIE server is distributed as an OVA appliance optimized for VMware or as an ISO image used with compatible
hardware or other virtualization technologies.
For installing the appliance with an OVA or an ISO image, your Virtual Machine (VM) must meet the following
requirements:
• One CPU with eight cores.
• 16 GB of RAM.
Adaptive Threat
Protection (ATP) 10.5, or • For Endpoint Security — 10.1 or later
TIE client module for
VirusScan Enterprise or
for TI ENS 10.2
McAfee ePO server 5.3.x, 5.9.x, and 5.10.
(on-premise only)
See KB88491 for compatibility considerations with
McAfee ePO 5.9.
For upgrades from previous versions of TIE server, see the release notes of previous releases.
See KB82761 for details about the operating systems supported by McAfee Endpoint Security.
See KB87945 for Windows Servers 2016 compatibility with McAfee products.
Download the software, then install the TIE server appliance, and install the TIE client module on your managed endpoints.
TIE server supports McAfee VirusScan Enterprise and Endpoint Security Threat Intelligence for endpoints.
Task
1 Download the software using one of these methods:
• Software Manager (Software Catalog in McAfee ePO 5.10) — Click McAfee Threat Intelligence Exchange, then
download or check in the components.
• Manually — Download the Threat Intelligence Exchange files from the McAfee product download
website at www.support.mcafee.com. Download the server appliance file and save it locally before
continuing.
2 Or run the software using an ISO file in XEN, Hyper-V, or bare metal. See KB86324 for details about these
virtualization platforms.
Tasks
• Deploy Active Response, DXL, and TIE server automatically on page 16
A single server can be used to host Active Response, TIE, and DXL services.
• Deploy the Active Response, DXL, and TIE server (manual) on page 17
Install and configure the TIE server, the Data Exchange Layer brokers, and the Active Response
server on a single appliance.
• Install the server using an ISO file on page 24
Deploy the TIE server using an auto-installable ISO file to run on bare metal or the virtualization
platforms XEN or Hyper-V.
• Deploy the Data Exchange Layer client on page 25
Deploy the DXL client to each of your managed systems.
• Deploy the TIE client module on page 25
Install the client module for the managed product.
See also
Deploy the Active Response, DXL, and TIE server (manual) on page 17
Contents
Deploy Active Response, DXL, and TIE server automatically
Deploy the Active Response, DXL, and TIE server (manual)
Install the server using an ISO file
Deploy the Data Exchange Layer client
Deploy the TIE client module
Task
1 Log on to McAfee ePO as an administrator.
3 On the Server Deployment page, provide VMware vCenter access URL and credentials.
4 Click Validate Certificate and follow the instructions to verify whether the fingerprint matches the one on the
vSphere web client. This checkbox is displayed if the access URL starts with HTTPS.
If the access URL uses HTTP, then the Allow insecure connection (http) checkbox is displayed.
Select the Allow insecure connection (http) checkbox to connect to this IP address at your own risk.
5 Provide VMware vCenter infrastructure details, such as the name of the data center, cluster, datastore, and
network.
The Folder and Virtual Machine Name fields have default values. You can change the default entries based on
your requirement.
Make sure that the names are unique and that the folder exists.
7 Click Validate Certificate and follow the instructions to verify whether the fingerprint matches the one on
McAfee ePO.
8 Create a root password, user name, and password for the new server where you want to deploy the
services.
9 Enter a new host name and domain name of the server network through which the services are deployed.
The mode is set as DHCP by default. The NTP and DXL port fields are also populated. The DXL port field appears
when the DXL service option is selected.
10 Select the checkbox next to the respective services that you want to deploy to the server.
TIE and DXL checkboxes are selected by default. To deploy the Active Response services, select the MAR
checkbox.
When you select the MAR checkbox, both Active Response and TIE services are deployed to the server. As a
result, the TIE option is disabled.
13 Click the Check server health status here link to open the Active Response Health status page and verify whether
the status of Active Response, TIE, and DXL appear in green.
The time for the status for individual services to turn green can range from 5 minutes to 30 minutes.
For TIE health status checkups, select Menu | Server Settings | TIE Server Topology Management.
See KB83368 for details about supported platforms, environments, and operating systems.
Remember you can install the server appliance using an ISO file or an OVA. Choose one option.
The OVA meets the necessary requirements for installing the TIE server.
Task
1 Download the OVA component for the server appliance from Software Manager (or Software Catalog on McAfee
ePO 5.10) or from the McAfee download site. Extract the .zip file.
You can find the OVA component and an ISO file in Software Manager and the McAfee download site.
2 Open the VMware vSphere client, then click File | Deploy OVF Template. Browse to and select the *.ova (* —
name for the .ova file) file on your computer. Click Next and complete the steps in the wizard, then turn on
the virtual machine and open a Console window.
Read and accept the license agreement. Press C to view each page or E (End) to view the last page.
Create a root password for the new server appliance. The password must be at least nine characters. Make
sure to store your password in a secure location. Press Y to continue.
Enter the operational account name, real name, and password, using the Tab key to move to the next field.
When finished, press Y to continue.
The account name is typically something like jsmith and is used to log on to the server and to the managed
services. The real name is your full name, for example, John Smith.
• DHCP — Press D.
Enter the host name and domain name of the computer where you are installing the new server appliance.
Press Y to continue.
Enter up to three Network Time Protocol servers to synchronize the time of the new server. Use the default
servers listed, or enter the address for up to three servers.
Verify with your networking team that you can access the URLs from your network, or you can provide
internal or external NTP servers.
If the NTP servers are not synchronized, DXL and TIE handshake will not be completed immediately.
Press Y to continue.
10
Enter the IP address or fully qualified domain name, port, and account information for your McAfee ePO
server. The user account must have administrator rights. Press Y to continue.
Before proceeding, verify the authenticity of the certificate fingerprint of your McAfee ePO. In a browser
navigate to McAfee ePO and verify that the fingerprint matches the one shown on the installation screen. If
it does, press Y to continue.
In Windows, Internet Explorer and Chrome show the certificate information using a built-in SHA-1
thumbprint. Firefox uses its own cross-platform implementation and shows the certificate SHA-256 fingerprint.
11
You can select the services that you want to run on the new server.
You must deploy the Active Response server through McAfee ePO if you upgrade from TIE 2.2.0 or earlier
versions.
See the documentation for McAfee Active Response for more information about deploying the Active
Response server.
Press Y to continue.
12
All components must be in green to continue. If not, follow the suggestions to troubleshoot the issue.
14
15 Verify that the new server is provisioned. In McAfee ePO, select Menu | System Tree | My organization | Preset |
This group and All subgroups to look in the domain where you installed the server appliance.
16 Verify that the registered server is provisioned correctly in McAfee ePO as a managed system. Select Menu |
Configuration | Registered Servers.
17 Verify that the operation modes are configured correctly. In McAfee ePO, select Menu | Server Settings | TIE
Server Topology Management.
The first two installed servers are assigned an operation mode automatically. If you have more than two
servers, the third instance, for example, is left unassigned.
If you selected the MAR server, the appliance shows the MARSERVER tag as well.
The appliance shows the MARSERVER, DXLBROKER or TIESERVER tag, depending on the products installed.
See section Monitor the health status of the TIE server for setting monitoring with the automatic responses from
McAfee ePO.
See also
First-time installation workflow on page 3
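The fingerprint comparison in the certificate steps above can also be done without a browser. The following is an added example, not part of the McAfee guide: it hashes the certificate's DER bytes with SHA-1 and SHA-256 and selects the algorithm from the length of the value shown on the installation screen, so the browser differences noted above do not matter. The function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

# The hex length of a fingerprint tells us which hash the screen displayed.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

# Constructed stand-in for certificate bytes so the example runs offline.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes (not a real certificate)"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize(displayed: str) -> str:
    """Reduce 'AB:CD:..', 'ab cd ..' or 'sha256 Fingerprint=AB:CD..' to bare lowercase hex."""
    value = displayed.strip().split("=", 1)[-1]
    value = re.sub(r"[\s:\-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    return value


def fingerprints(pem: str) -> dict:
    """Hash the DER encoding of the certificate, which is what a fingerprint covers."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def colon_hex(hexdigest: str) -> str:
    """Render a digest the way most certificate viewers do: 'AB:CD:EF'."""
    pairs = (hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return ":".join(pairs).upper()


def verify(displayed: str, pem: str):
    """Return (matches, algorithm) for a fingerprint copied from the installation screen."""
    want = normalize(displayed)
    algo = ALGO_BY_HEX_LEN[len(want)]
    return hmac.compare_digest(want, fingerprints(pem)[algo]), algo


def fetch_pem(host: str, port: int) -> str:
    """Fetch the certificate a server presents, without validating it.

    Trust comes only from comparing the fingerprint with a value obtained
    over a separate channel. Host and port are whatever you entered on the
    installation screen.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    fp = fingerprints(SAMPLE_PEM)
    print("SHA-1  ", colon_hex(fp["sha1"]))
    print("SHA-256", colon_hex(fp["sha256"]))
    print(verify(colon_hex(fp["sha256"]), SAMPLE_PEM))
```

For a live check, pass the result of `fetch_pem(host, port)` to `verify` together with the fingerprint shown on the installation screen.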
You can also use an ISO file to create a VM in VMware. We recommend using the OVA appliance as it
preconfigures virtual resources.
See KB83368 for details about supported platforms, environments, and operating systems.
The TIE server runs in its own McAfee Linux Operating System (MLOS) distribution based on CentOS 6 (x86_64).
To support different virtualization methods, initial scripts load different kernel modules depending on the
virtualization platform detected. Visit www.mcafeelinux.org for more information.
See KB86324 for details about supported platforms for TIE server.
The prerequisites and the installation steps described apply for XEN, Hyper-V, and bare metal. The installation is
automatic and doesn't need interaction with the user. Wait for the process to be completed.
Task
1 Create your VM and boot the ISO provided.
Wait for the process to complete.
The Intel microcode package must be installed on TIE Servers that are running on bare metal. See the
Installing the Intel microcode package in TIE Server running on bare metal section of KB90843 for details.
Task
1 In McAfee ePO, select Menu | Software | Product Deployment, then click New Deployment.
For details about deploying the DXL Client, see the product documentation for DXL.
For details about deploying software in McAfee ePO, see the McAfee ePolicy Orchestrator Product Guide.
• McAfee Endpoint Security Threat Intelligence (TI ENS) Module for 10.2, or
Once the server extension is configured, create, monitor, and adjust TIE server policies to determine what is
allowed and blocked.
Use the TIE server policies to run the TIE server in observation mode to build file prevalence (how often a file is
seen in your environment) and observe what the TIE server detects in your environment. You can monitor and
adjust the policies, or individual file or certificate reputations to control what is allowed in your environment.
Contents
Configure the TIE server extension
Verify the installation
Monitoring and making adjustments
Building file prevalence and observing
Managing TIE server database
If you use VirusTotal, enter your public or private key to access additional file reputation information. VirusTotal
is a service that analyzes files and helps to detect viruses, trojans, and other malware. You can access VirusTotal
data directly from Threat Intelligence Exchange server when viewing file reputation information.
Task
1 In McAfee ePO, select Menu | Configuration | Server Settings | Threat Intelligence Exchange Server.
When viewing file reputations on the TIE Reputations page, click the VirusTotal tab to see additional file
information.
Tasks
• Configure the TIE server topology on page 28
TIE server appliances can be combined in different operation modes to offer scaling and fail-over
capabilities.
• Configure the TIE server policy on page 29
Specify McAfee GTI, McAfee Advanced Threat Defense and McAfee Cloud Threat Detection settings
for the server.
Consider that the first two TIE servers installed have an operation mode assigned automatically, namely,
primary and secondary instances.
On the Server Settings page in McAfee ePO, configure the operation modes of the server appliances.
Write-Only Primary Is responsible for writing, maintaining, and replicating the database.
It includes metadata and reputation update requests since it doesn't process endpoint
requests.
Secondary Processes DXL requests exactly like a Primary instance using a database that is replicated
from the Primary server.
Reporting Secondary Improves the McAfee ePO reporting services.
Reputation Cache Is an in-memory cache synchronized through DXL to minimize network requirements.
Provides endpoint operational reputation services.
In an environment with multiple McAfee ePO servers, only TIE servers managed by a local McAfee ePO server
are editable. For an environment with a single McAfee ePO server, managed TIE servers are displayed in a tree
structure where the root is the instance operating in primary mode.
In fresh installations, the operation modes of the first two appliances are configured automatically.
Task
1 In McAfee ePO, select Menu | Configuration | Server Settings | TIE Server Topology Management, then click Edit.
b Click Save.
Changing a primary to a secondary operation mode during a disaster recovery might delete its database
content. Always promote a secondary to primary operation mode before attempting a synchronization from
another primary server.
In a single primary instance scenario, you can have only one primary instance managed by your local
McAfee ePO server after the update.
3 After you save your changes, the background processing applies the changes on each TIE server instance.
This process can take several minutes. Wait a few minutes and press F5 or click Refresh in the browser to see
your new TIE server topology.
4 If your appliance wake-up port is filtered, manually restart the CMA service. Otherwise, it takes time for the
policy to reach the appliance.
See KB52707 for details about restarting the CMA service.
Tasks
• Edit the TIE Server topology on page 29
Change the operation mode of your TIE server instances managed by the local McAfee ePO server.
The server instances managed by another McAfee ePO appear disabled for editing.
Task
1 In the TIE Server Topology Management page, select the TIE server instance and click Edit.
2 From the drop-down list, select the Operation Mode. Click Save to finish.
The changes in topology can take several minutes to be applied.
If you leave a server instance as Unassigned, it remains non-operative.
If you promote your primary to a different instance, for example, primary to secondary and an unassigned to
primary, you might lose data because the new primary instance does not replicate the database.
The new topology of your TIE server instances is displayed when the changes are applied. Click Refresh to verify
the changes.
Task
2 From the Product drop-down list, select McAfee Threat Intelligence Exchange Server Management, then select a policy
name or an action.
You can create a policy using Default as a template, or copy an existing policy and change it as needed.
• Product Improvement Program — Allow McAfee to collect anonymous data about certificates and file hashes.
This data helps McAfee learn about threats and prioritize what's allowed or blocked.
4 On the McAfee Global Threat Intelligence tab enable McAfee GTI to get file reputation. McAfee GTI is used if the
TIE server does not have reputation information for a file, or if the server is unavailable.
5 On the Sandboxing tab, specify whether to send file information to Advanced Threat Defense and/or to
McAfee Cloud Threat Detection for further evaluation.
a On the Advanced Threat Defense section, enter the server name and access credentials, available
servers, timeout settings, and the file types.
The file types you select are sent to Cloud Threat Detection when provided by the endpoint. Otherwise,
the selected file types are filtered.
You can enable certificate validation in the communication between the TIE server and Advanced Threat
Defense. See KB87692 for details before enabling Enforce Certificate Validation.
b On the McAfee Cloud Threat Detection section, enter the server name, the client and activation keys, and
the connection and timeout settings.
6 On the McAfee Web Gateway tab, accept or ignore incoming reports sent to the TIE server about potential web
threats.
7 On the Server Configuration tab, configure the logging level of the server, enable collecting information of DXL
traffic, enable or disable collecting metrics and modify the sampling period for collecting performance
metrics.
8 Select Menu | Configuration | Server Settings | Threat Intelligence Exchange Server. The VirusTotal service certificates
are validated. If you experience network filtering restrictions, click Edit to disable the Skip VirusTotal certificate
validations, then click Save.
You can configure the type of files that the TIE server recognizes and processes when accessing the TIE
server through McAfee Web Gateway and Advanced Threat Defense. You can add or remove file types from
the list.
Task
1 In the System Tree, click the TIE server name, then click the Products tab. Verify that the following components
are listed with the corresponding version for the installation process:
• McAfee DXL Broker (if configured when deploying the appliance)
• McAfee Active Response Server (if configured when deploying the appliance)
If you configured the Active Response server, see the McAfee Active Response documentation for details and
instructions about verifying its installation.
2 In the McAfee ePO System Tree, verify that the tags are applied correctly to the deployed systems.
3 Verify that the DXL Topology settings and the DXL Fabric are configured correctly.
4 Select Menu | Configuration | Server Settings, then click DXL Client for ePO.
5 Verify that the operation modes of your TIE server instances have changed based on your edit.
Select Menu | Server Settings | TIE Server Topology and verify that your changes were applied.
See the product guide for TIE for details about the health checks on the TIE Server Topology Management
6 Verify that all the servers are up and running. Select Menu | Server Settings, then click on a server.
7 In the System Tree, select the TIE server, then from the Actions menu, select DXL | Lookup in DXL.
Verify that the connection state is Connected.
8 Verify that the DXL broker is now up and running. You can select Menu | Systems Section | TIE Reputations to
verify that you can search for files and certificates. It might take some time for reputation information to
populate the database.
Tasks
• Verify registered servers on page 31
Verify that the servers are registered correctly to view TIE server information in McAfee ePO reports
and dashboards.
Task
1 In McAfee ePO, select Menu | Configuration | Registered Servers, then click New Server if you don't have a
registered server. Click Edit to manually modify an existing registered server.
c In the Host name or IP address field, enter the IP address of the system where you installed the server.
d Leave the Database server instance and Database server port fields blank (if they appear).
f In the User name field, verify that the PostgreSQL user name is readonly.
McAfee ePO communicates with the server and retrieves data for the reports and dashboards.
Register the servers again if you change the hostname or IP address of the appliance.
Use the McAfee ePO dashboards and event views to see the files and certificates that are allowed or blocked
based on the policies.
You can view detailed information by endpoint, file, rule, or certificate, and quickly see the number of items
identified and the actions taken. You can drill down by clicking an item, and adjust the reputation settings for
specific files or certificates so that the appropriate action is taken.
For example, if a file's default reputation is suspicious or unknown but you know it's a trusted file, you can
change its reputation to trusted. The application is then allowed to run in your environment without being
blocked or prompting the user for action. You might change the reputation for internal or custom files used in
your environment.
• Use the TIE Reputations feature to search for a specific file or certificate name. You can view details about
the file or certificate, including the company name, SHA-1 and SHA-256 hash values, MD5, description, and
McAfee GTI information. For files, you can also access VirusTotal data directly from the TIE Reputations
details page to see additional information (see About VirusTotal).
• Use the Reporting Dashboard page to see several types of reputation information at once. You can view the
number of new files seen in your environment in the last week, files by reputation, files whose reputations
recently changed, systems that recently ran new files, and more. Clicking an item in the dashboard displays
detailed information.
• If you identified a harmful or suspicious file, you can quickly see which systems ran the file and might be
compromised.
• Change the reputation of a file or certificate as needed for your environment. The information is
immediately updated in the database and sent to all devices in your environment. Files and certificates are
blocked or allowed based on their reputation.
If you're not sure what to do about a specific file or certificate, you can block it from running while you learn
more about it. Unlike a VirusScan Enterprise Clean action, which might delete the file, blocking keeps the file
in place but doesn't allow it to run. The file stays intact while you research it.
• Import file or certificate reputations into the database to allow or block specific files or certificates based on
other reputation sources. This allows you to use the imported settings for specific files and certificates
without having to set them individually on the server.
• The Composite Reputation column on TIE Reputations page shows the most prevalent reputation and its provider.
• The Latest Applied Rule column on the TIE Reputations page shows and tracks reputation information based
on the latest detection rule applied for each file at the endpoint.
You can customize this page by selecting Actions | Choose Columns. See Customize queries in the Product Guide
for McAfee Threat Intelligence Exchange.
• The CTD Reputation column on the TIE Reputations page shows the most prevalent reputation obtained after
running and testing the file in a cloud-based sandbox server.
To get started, create one or more Threat Intelligence Exchange policies to run on a few systems in your
environment. The policies determine:
• When a file is submitted to Advanced Threat Defense or McAfee Cloud Threat Detection for further analysis
While building file prevalence, you can run the policies in Observation mode. File and certificate reputations are
added to the database but no action is taken. You can see what the Threat Intelligence Exchange server blocks
or allows if the policy is enforced.
This server task is now in McAfee ePO and checks the database size and compares it with a size threshold. If the
database exceeds the threshold, the cleanup is executed.
You can run the task as needed and configure the frequency from McAfee ePO on the Server Tasks page.
The task cleans the database of files that are old enough to keep the database under the configured file count.
By default, the task is executed every day at midnight for keeping the size of the database within 15 GB.
The file selection criteria determine that files without an Enterprise reputation (or a reputation override) are
candidates for a purge, to avoid removing locally generated Threat Intelligence.
You must meet requirements and follow procedures to actually benefit from the new features and
enhancements of the newer software version.
Not all manual customization of the appliance configuration is preserved when upgrading.
Consider that TIE server 1.2.1 reached its EOL support on December 31, 2017, and 1.3.0 will on August 15, 2018.
See KB89670 for details.
Make sure the following URLs are white-listed in your enterprise firewall for the TIE server to access the McAfee
GTI and McAfee CTD services (if they are enabled).
• tieserver.rest.gti.mcafee.com
• tie.gti.mcafee.com
• tieserver.analysis.gti.mcafee.com
In the Proxy settings section at the TIE server policy settings, only include the DOMAIN in the user name if your
proxy supports NTLM v1. See KB87782 for details.
• The endpoint reputation cache is rebuilt when upgrading the components. Perform incremental
upgrades to minimize the impact on the TIE server capacity.
• Upgrade the TIE client and the DXL Client in the endpoints and the DXL broker appliance. See the release
notes for those products.
You can't upgrade the DXL client using a McAfee ePO Deployment task on a TIE server system. You can
only get an upgraded DXL client when installing a new TIE server.
• First upgrade the extension in McAfee ePO, then the TIE platform and the TIE server packages on the TIE
appliance.
• The build numbers of the platform and the server packages must match.
• Dependencies
• Upgrade the McAfee Agent for MLOS to version 5.5.0 or later before upgrading the TIE server appliance.
• McAfee Agent for MLOS 5.5.0 is only available at McAfee Downloads in the TIE server section. See
KB85586 for instructions to deploy the agent to the TIE server appliance. Do not install the McAfee
Agent for Linux because it is not compatible.
When upgrading the TIE server from a previous release, you must reboot your system after the upgrade.
Task
1 If you have a particular customization of the TIE server properties and database configuration, make sure
you save them before continuing.
2 Create a snapshot of your virtual machine (primary instance, if applicable) on the VMware vSphere client.
For instructions, see the VMware vSphere documentation.
If you are using a non-virtual environment, see KB86092 for instructions to create bare-metal backups.
4 Click Threat Intelligence Exchange to see the available versions, then click Update.
5 If Software Manager doesn't show the TIE server packages, you must perform a manual upgrade.
a Download the Threat Intelligence Exchange files from the McAfee product download website, then check
in the files to the Master Repository in McAfee ePO.
6 Reboot the appliance so that the operating system picks up the new kernel provided by the new TIE platform
package.
Tasks
• Deploy the Threat Intelligence Exchange products on page 37
To deploy the TIE products to the server appliance, create a client task for deployment on the
McAfee ePO server.
• Verify the upgrade on page 38
Make sure the TIE components are configured correctly.
Contents
Deploy the Threat Intelligence Exchange products
Verify the upgrade
If you plan to upgrade the DXL Brokers in your fabric, or if you plan to deploy new appliances with bundled TIE
server and DXL Broker from an ISO file or OVF images, first upgrade all DXL extensions in McAfee ePO.
The TIE server help extension build version is expected to be different from the other components because it is
built separately.
Task
1 Make sure that you have full connectivity in the DXL fabrics. In McAfee ePO, select Menu | Data Exchange Layer
Fabric, then click the Refresh button.
5 Complete the new deployment information. For the Target platforms option, make sure that only McAfee Linux
OS is selected.
b TIE server
The DXL Platform package is not intended for the TIE appliance and isn't compatible with the TIE appliance.
The TIE server embedded DXL Client can't be upgraded.
8 If you have already configured a registered server, follow these steps to verify connectivity.
a In McAfee ePO, select Menu | Registered Servers.
b Select the server from Database Servers, then select TIE Server.
9 Reboot the appliance so that the operating system picks up the new kernel provided by the new TIE platform
package.
10 Upgrade the Intel microcode package on TIE Servers that are running on bare metal. See the Installing the
Intel microcode package in TIE Server running on bare metal section of KB90843 for details.
If you enabled Active Response server during the TIE server deployment on the appliance, see the documentation
for McAfee Active Response for information about verifying the upgrade of Active Response.
Task
• In McAfee ePO, select Menu | Server Settings | TIE Server Topology Management and verify that your server
instances are configured correctly. You can also view connectivity status on this page.
For troubleshooting, use the Minimum Escalation Requirements (MER) tool to collect product data from the
server and contact technical support. See KB82850.
If initializing the TIE server takes longer than expected, consider the following options for troubleshooting.
• Verify that the TIE server extension is installed in McAfee ePO.
• In McAfee ePO, run the server task Apply TIESERVER tags again. Verify that the tags are applied correctly in all
installed products.
• In McAfee ePO, wake up the agents and all appliances that have DXL brokers to gather policies.
• Verify the connectivity status and the operation modes of several components using the TIE Server Topology
Management page.
• Verify that the DXL Topology settings and the DXL Fabric are configured correctly.
• Verify the DXL Connectivity in the DXL Client for McAfee ePO.
Find solutions for common issues that might occur during installation.
You can also access scripts for reconfiguring the TIE server, DXL brokers, and the McAfee Agent.
Contents
Verify installed components
Accessing the log files
Reconfiguring the installation using scripts
Troubleshoot the consolidated appliance deployment
Task
1 Navigate to the TIE Server Topology Management page and verify the health check status of the server instances
managed locally by McAfee ePO server.
c On the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.
This option sends the server properties from the TIE server appliance to McAfee ePO.
d Select Menu | Automation | Server Task Log to verify that the task completed.
e In the System Tree, click the server name, click the Products tab, then verify that these components are
listed:
• McAfee DXL Broker
b Select Menu | Automation | Server Task Log to verify that the task completed.
c In the System Tree, verify that the TIESERVER tag was applied to the system.
b Select Menu | Automation | Server Task Log to verify that the task completed.
c In the System Tree, click the server name and verify that the DXLBROKER tag was applied to the system.
c On the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.
d Select Menu | Automation | Server Task Log to verify that the task completed.
8 In the System Tree, select the TIE server, and from the Actions menu, click DXL | Lookup in DXL.
Verify that the connection state is Connected.
10 With the DXL broker up and running successfully, verify that you can search for files and certificates.
a Select Menu | Systems Section | TIE Reputations.
c Select any file from the result and verify that the TIE File Reputations Information is displayed.
• /var/McAfee/tieserver/logs/tieserver-start.log
• /var/McAfee/tieserver/logs/tieserver-lib.log
See KB82850 for details about using the Minimum Escalation Requirements (MER) tool to collect product data
from the server and contact technical support. This tool runs in the server appliance.
See KB59385 for details about using the MER tool with other McAfee products.
reconfig-network    Reconfigures the current network interface (from DHCP to manual, or from manual to DHCP).    Recommended
reconfig-cert       Generates a new certificate and sends a signing request to McAfee ePO through the TIE server extension.    No
Task
1 If the Active Response service is deployed on a Secondary or Reporting Secondary TIE server instance and
doesn't work, verify that the TIE Primary server is up and running.
2 If the Active Response service is deployed on a TIE server instance in Reputation Cache mode, it will not work until you transition
the TIE server to a Secondary or Reporting Secondary operation mode.