McAfee Threat Intelligence Exchange 2.3.0
Installation Guide

COPYRIGHT
Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Installation overview

2 Planning your deployment
    Designing your infrastructure
    Sizing and performance

3 System requirements for Threat Intelligence Exchange
    Threat Intelligence Exchange network overview
    Network requirements
    Environment requirements
    Client operating systems

4 First-time installation workflow
    Deploy Active Response, DXL, and TIE server automatically
    Deploy the Active Response, DXL, and TIE server (manual)
    Install the server using an ISO file
    Deploy the Data Exchange Layer client
    Deploy the TIE client module

5 Post-installation tasks
    Configure the TIE server extension
        Configure the TIE server topology
        Configure the TIE server policy
    Verify the installation
        Verify registered servers
    Monitoring and making adjustments
    Building file prevalence and observing
    Managing TIE server database

6 Upgrade to a newer software version
    Deploy the Threat Intelligence Exchange products
    Verify the upgrade

7 Troubleshooting the installation
    Verify installed components
    Accessing the log files
    Reconfiguring the installation using scripts
    Troubleshoot the consolidated appliance deployment

Index

1 Installation overview

You must install the components for Threat Intelligence Exchange manually after Endpoint Security installation
is complete to manage Threat Intelligence Exchange features from VirusScan Enterprise.

The TIE server is a real-time adaptive prevention provider that gives customers the power of knowledge by
telling them what is malicious, trusted, and unknown in their environment, where it was used and when.

By installing the Threat Intelligence components as McAfee ePO extensions, you can manage TIE features for
enterprise-wide protection against new emerging and discovered threats within milliseconds.

Consider this basic first-time installation workflow.

The components are a client module for Endpoint Security, a server for file and certificate reputation storage,
and DXL brokers for bidirectional communication between managed systems on a network.

As a McAfee ePO administrator, you can install the TIE Server appliance using an OVA or an ISO file on a Virtual
Machine (VM) before you deploy the DXL brokers. For your endpoints, you install the TIE client module and the
DXL client you need. To complete the installation, you need to configure the operation mode of the TIE server
and assign its policies.

For a basic upgrade scenario consider this workflow.

2 Planning your deployment

Determine your infrastructure requirements before you deploy the TIE server.

Contents
Designing your infrastructure
Sizing and performance

Designing your infrastructure


Determine your DXL broker topology and TIE server database capacity to manage endpoint reputation request
loads.
See the McAfee Data Exchange Layer Architecture Guide for details about broker topology.

Sizing and performance


Determine your hardware requirements before your TIE server deployment by gathering reference metrics.
McAfee performed these tests on different server-class systems.

The metrics include:

• Resource usage and capacity — Measures CPU, RAM, disk, and network usage when using the TIE solution
over a few hours.

• Latency impact and scalability — Measures the throughput capacity differences when adding new secondary
server instances.

For detailed information about each item and sizing recommendations, see the sizing and performance guide
for Threat Intelligence Exchange.

3 System requirements for Threat Intelligence Exchange

Make sure that your system environment meets the specific hardware and software requirements.

Contents
Threat Intelligence Exchange network overview
Network requirements
Environment requirements
Client operating systems

Threat Intelligence Exchange network overview


Threat Intelligence Exchange uses network protocols and ports to allow communication with its environment.

Make sure that these ports are open and available for use with Threat Intelligence Exchange.

This table describes the endpoints, network protocols, and ports of the diagram, from top to bottom, left to
right.

McAfee Web Gateway server and Advanced Threat Defense communicate with the TIE server through DXL.

Table 3-1 Default ports used with Threat Intelligence Exchange

Default port  Protocol   Description
22            TCP (SSH)  SSH console to DXL/TIE appliances.
53            UDP/TCP    Required for McAfee GTI lookups. If DNS server isn't available, or the current DNS
                         doesn't resolve public URLs, it should resolve to tie.gti.mcafee.com and
                         tieserver.rest.gti.mcafee.com
80            TCP        See McAfee Agent KB66797.
80            TCP        File upload from the TIE client to the TIE server for Advanced Threat Defense
                         analysis.
123           UDP        Network time synchronization.
443           TCP        Secure file upload from the TIE client to the TIE server for Advanced Threat Defense
                         analysis.
                         Required for TIE server 1.3.0 and later.
5432          TCP        McAfee ePO connectivity applicable to the TIE server used for the McAfee ePO
                         reporting function only.
                         Monitoring and replication traffic sent from secondary TIE servers to primary TIE
                         servers.
8081          TCP        See McAfee Agent KB66797.
8443          TCP        Required only during the TIE server installation to configure the McAfee Agent
                         (outbound).
8883          TCP        DXL messaging.

These are the default ports used with TIE server. The list might vary if you customize the ports.

For details about the default ports required for each component, see KB66797.

Network requirements

Make sure that the network environment is healthy and can reach the Internet directly or through a web proxy, and
that DNS is available for both servers and endpoints. NTP services are already available with known servers or
local ones (if available).

Make sure that there isn't Network Address Translation (NAT) among the TIE servers or between McAfee ePO
and the registered TIE server database.

Environment requirements
The TIE server is distributed as an OVA appliance optimized for VMware or as an ISO image used with compatible
hardware or other virtualization technologies.

For installing the appliance with an OVA or an ISO image, your Virtual Machine (VM) must meet the following
requirements:
• One CPU with eight cores.

• 16 GB of RAM.

• 120-GB disk (thick provisioning).

Products                       Components                      Version
VMware                         vSphere                         5.5 or later
Threat Intelligence Exchange   Threat Intelligence Exchange    1.3.0 or later for upgrades
                               server                          TIE server 1.2.1 reached its EOL on December 31,
                                                               2017, and consider that 1.3.0 will on August 15,
                                                               2018.
                                                               See KB89670 for details.
                               DXL client                      2.x or later
                                                               Consider that version 1.x reached its EOL on February
                                                               15, 2018, and 2.x and 3.0 will on October 16, 2018.
                               McAfee® Endpoint Security       • For VirusScan Enterprise — 8.8 Patch 5 or later
                               Adaptive Threat Protection      • For Endpoint Security — 10.1 or later
                               (ATP) 10.5, or TIE client
                               module for VirusScan
                               Enterprise or for TI ENS 10.2
McAfee ePO server                                              5.3.x, 5.9.x, and 5.10.
(on-premise only)                                              See KB88491 for compatibility considerations with
                                                               McAfee ePO 5.9.
                                                               Consider that McAfee ePO 5.1 reached its EOL on
                                                               December 31, 2017, and McAfee ePO 5.3 will on
                                                               September 30, 2018. See KB88252 for details.
McAfee ePO product             VirusScan Enterprise            8.8 Patch 5
extensions (installed in       or Endpoint Security            10.1 or later
Extensions)
                               McAfee Agent extension          5.5 or later
                               DXL Client Management           2.0 or later
                               DXL Client for McAfee ePO       2.0 or later
                               DXL Broker Management           2.0 or later
                               TIE server Extension            1.3.0 or later for upgrades
McAfee ePO product             VirusScan Enterprise            8.8 Patch 5
packages (checked in to        or Endpoint Security            10.1 or later
the Master Repository)                                         This package can be deployed as part of the Endpoint
                                                               Security deployment.
                               McAfee Agent                    5.5 or later

For upgrades from previous versions of TIE server, see the release notes of previous releases.

Client operating systems


Threat Intelligence Exchange server supports all operating systems that Endpoint Security supports.

See KB82761 for details about the operating systems supported by McAfee Endpoint Security.

See KB87945 for Windows Servers 2016 compatibility with McAfee products.

4 First-time installation workflow

Download the software, install the TIE server appliance and the TIE client module on your managed endpoints.

Before you begin

Make sure that the TIE server management extension is installed and that it matches the version of
the server to be installed.

TIE server supports McAfee VirusScan Enterprise and Endpoint Security Threat Intelligence for endpoints.

Task
1 Download the software using one of these methods:
• Software Manager (Software Catalog in McAfee ePO 5.10) — Click McAfee Threat Intelligence Exchange, then
download or check in the components.

• Manually — Download the Threat Intelligence Exchange files from the McAfee product download
website at www.support.mcafee.com. Download the server appliance file and save it locally before
continuing.

2 Or run the software using an ISO file in XEN, Hyper-V, or bare metal. See KB86324 for details about these
virtualization platforms.

Tasks
• Deploy Active Response, DXL, and TIE server automatically
A single server can be used to host Active Response, TIE, and DXL services.
• Deploy the Active Response, DXL, and TIE server (manual)
Install and configure the TIE server, the Data Exchange Layer brokers, and the Active Response
server on a single appliance.
• Install the server using an ISO file
Deploy the TIE server using an auto-installable ISO file to run on bare metal or the virtualization
platforms XEN or Hyper-V.
• Deploy the Data Exchange Layer client
Deploy the DXL client to each of your managed systems.
• Deploy the TIE client module
Install the client module for the managed product.

See also
Deploy the Active Response, DXL, and TIE server (manual)

Contents
Deploy Active Response, DXL, and TIE server automatically
Deploy the Active Response, DXL, and TIE server (manual)
Install the server using an ISO file
Deploy the Data Exchange Layer client
Deploy the TIE client module

Deploy Active Response, DXL, and TIE server automatically


A single server can be used to host Active Response, TIE, and DXL services.

This deployment is for VMware infrastructure only.

Task
1 Log on to McAfee ePO as an administrator.

2 Select Menu | Automation | Server Deployment.

3 On the Server Deployment page, provide VMware vCenter access URL and credentials.

4 Click Validate Certificate and follow the instructions to verify whether the fingerprint matches the one on the
vSphere web client. This checkbox is displayed if the access URL starts with HTTPS.
If the access URL uses HTTP, then the Allow insecure connection (http) checkbox is displayed.
Select the Allow insecure connection (http) checkbox to connect to this IP address at your own risk.

5 Provide VMware vCenter infrastructure details, such as the name of the data center, cluster, datastore, and
network.
The Folder and Virtual Machine Name fields have default values. You can change the default entries based on
your requirement.

Make sure that the names are unique and that the folder exists.

6 Provide your McAfee ePO credentials.


The Hostname, Port, and Wake up port fields are automatically populated.

7 Click Validate Certificate and follow the instructions to verify whether the fingerprint matches the one on
McAfee ePO.

8 Create a root password, user name, and password for the new server where you want to deploy the
services.

9 Enter a new host name and domain name of the server network through which the services are deployed.
The mode is set as DHCP by default. The NTP and DXL port fields are also populated. The DXL port field appears
when the DXL service option is selected.

10 Select the checkbox next to the respective services that you want to deploy to the server.
TIE and DXL checkboxes are selected by default. To deploy the Active Response services, select the MAR
checkbox.
When you select the MAR checkbox, both Active Response and TIE services are deployed to the server. As a
result, the TIE option is disabled.

11 Accept the license agreement and click Deploy.

12 Wait for the deployment process to complete.

13 Click the Check server health status here link to open the Active Response Health status page and verify whether
the status of Active Response, TIE, and DXL appears in green.
The time for the status for individual services to turn green can range from 5 minutes to 30 minutes.
For TIE health status checkups, select Menu | Server Settings | TIE Server Topology Management.

Deploy the Active Response, DXL, and TIE server (manual)


Install and configure the TIE server, the Data Exchange Layer brokers, and the Active Response server on a
single appliance.

Before you begin


Make sure the server extension is installed correctly and matches the version of the server before
you deploy the OVA appliance.

Store your root password in a secure location.

See KB83368 for details about supported platforms, environments, and operating systems.

Remember you can install the server appliance using an ISO file or an OVA. Choose one option.

The OVA meets the necessary requirements for installing the TIE server.

Task
1 Download the OVA component for the server appliance from Software Manager (or Software Catalog on McAfee
ePO 5.10) or from the McAfee download site. Extract the .zip file.
You can find the OVA component and an ISO file in Software Manager and the McAfee download site.

2 Open the VMware vSphere client, then click File | Deploy OVF Template. Browse to and select the *.ova (* —
name for the .ova file) file on your computer. Click Next and complete the steps in the wizard, then turn on
the virtual machine and open a Console window.

3 Read and accept the license agreement. Press C to view each page or E (End) to view the last page.

Press Y to accept the terms to continue.

4 Create a root password for the new server appliance. The password must be at least nine characters. Make
sure to store your password in a secure location. Press Y to continue.

5 Enter the operational account name, real name, and password, using the Tab key to move to the next field.
When finished, press Y to continue.

The account name is typically something like jsmith and is used to log on to the server and to the managed
services. The real name is your full name, for example, John Smith.

6 On the Network Selection page, press N to continue.

7 Select a configuration type, then press Y to continue.

• Manual IP address — Press M, then enter the remaining information.

• DHCP — Press D.

8 Enter the host name and domain name of the computer where you are installing the new server appliance.
Press Y to continue.

9 Enter up to three Network Time Protocol servers to synchronize the time of the new server. Use the default
servers listed, or enter the address for up to three servers.

Verify with your networking team that you can access the URLs from your network, or you can provide
internal or external NTP servers.

If the NTP servers are not synchronized, DXL and TIE handshake will not be completed immediately.

Press Y to continue.

10 Enter the IP address or fully qualified domain name, port, and account information for your McAfee ePO
server. The user account must have administrator rights. Press Y to continue.

Before proceeding, verify the authenticity of the certificate fingerprint of your McAfee ePO. In a browser,
navigate to McAfee ePO and verify that the fingerprint matches the one shown on the installation screen. If
it does, press Y to continue.

In Windows, Internet Explorer and Chrome show the certificate information with a built-in SHA-1
thumbprint. Firefox implements its own cross-platform certificate viewer and shows the certificate's SHA-256
fingerprint.

11 You can select the services that you want to run on the new server.

Consider that the Active Response server is optional.

You must deploy the Active Response server through McAfee ePO if you upgrade from TIE 2.2.0 or earlier
versions.
See the documentation for McAfee® Active Response for more information about deploying the Active
Response server.

Press Y to continue.

12 Configure the DXL Broker port, then press Y to continue.

13 Verify that the installation completes successfully.

All components must be in green to continue. If not, follow the suggestions to troubleshoot the issue.

14 When the logon screen appears, close it.

15 Verify that the new server is provisioned. In McAfee ePO, select Menu | System Tree | My organization | Preset |
This group and All subgroups to look in the domain where you installed the server appliance.

16 Verify that the registered server is provisioned correctly in McAfee ePO as a managed system. Select Menu |
Configuration | Registered Servers.

17 Verify that the operation modes are configured correctly. In McAfee ePO, select Menu | Server Settings | TIE
Server Topology Management.

The first two installed servers are assigned an operation mode automatically. If you have more than two
servers, the third instance, for example, is left unassigned.

If you selected the MAR server, the appliance shows the MARSERVER tag as well.

The appliance shows the MARSERVER, DXLBROKER or TIESERVER tag, depending on the products installed.
See section Monitor the health status of the TIE server for setting up monitoring with the automatic responses from
McAfee ePO.
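
Steps 4 and 7 of the automatic deployment and step 10 of the manual deployment ask you to compare a certificate fingerprint by eye, and the SHA-1 versus SHA-256 difference between browsers can produce a false mismatch. The Python sketch below is an added example, not part of the McAfee guide: it picks the digest from the length of the value you paste and compares it with the certificate bytes. The function names, the sample bytes, and the host and port you pass to fetch_der are assumptions for illustration.

```python
"""Check a certificate fingerprint shown on screen against the certificate itself."""
import hashlib
import hmac
import re
import ssl
from typing import Tuple

# A pasted fingerprint of 40 hex digits is SHA-1 (the thumbprint Internet Explorer
# and Chrome show on Windows); 64 hex digits is SHA-256 (what Firefox shows).
ALGORITHM_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}

# Constructed stand-in for DER certificate bytes, NOT a real certificate.
# A fingerprint is just a digest over the raw DER bytes, so any bytes work here.
SAMPLE_DER = b"abc"


def normalize(displayed: str) -> str:
    """Reduce a displayed fingerprint to lowercase hex digits only."""
    # Removes spaces, colons and dashes, plus the invisible left-to-right mark
    # (U+200E) that can come along when a thumbprint is copied from the
    # Windows certificate dialog.
    cleaned = re.sub(r"[\s:\-\u200e]", "", displayed).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains characters that are not hex digits")
    return cleaned


def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the DER bytes as colon-separated uppercase hex."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check(der: bytes, displayed: str) -> Tuple[str, bool]:
    """Return (algorithm, matches) for a fingerprint as shown on screen."""
    wanted = normalize(displayed)
    algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(wanted))
    if algorithm is None:
        raise ValueError(
            "expected 40 (SHA-1) or 64 (SHA-256) hex digits, got %d" % len(wanted)
        )
    actual = hashlib.new(algorithm, der).hexdigest()
    return algorithm, hmac.compare_digest(actual, wanted)


def fetch_der(host: str, port: int) -> bytes:
    """Fetch the certificate a server presents, as DER bytes.

    No chain validation is done here on purpose: the fingerprint comparison is
    the check. host and port are whatever you entered for McAfee ePO or vCenter.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Offline demonstration with the constructed sample bytes.
    shown_on_installer = fingerprint(SAMPLE_DER, "sha256")
    shown_in_browser = "a9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"
    for shown in (shown_on_installer, shown_in_browser):
        algorithm, ok = check(SAMPLE_DER, shown)
        print("%-6s %s" % (algorithm, "match" if ok else "MISMATCH"))
```

If the installer and the browser show different digest types, compute both with fingerprint() from the same DER bytes and compare each screen against its own algorithm.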

See also
First-time installation workflow

Install the server using an ISO file


Deploy the TIE server using an auto-installable ISO file to run on bare metal or the virtualization platforms XEN
or Hyper-V.

Before you begin


Make sure the server extension is installed correctly and matches the version of the appliance
before you use the ISO.

Store your root password in a secure location.

You can also use an ISO file to create a VM in VMware. We recommend using the OVA appliance as it
preconfigures virtual resources.

See KB83368 for details about supported platforms, environments, and operating systems.
The TIE server runs in its own McAfee® Linux Operating System (MLOS) distribution based on CentOS 6 (x86_64).
To support different virtualization methods, initial scripts load different kernel modules depending on the
virtualization platform detected. Visit www.mcafeelinux.org for more information.

See KB86324 for details about supported platforms for TIE server.

The prerequisites and the installation steps described apply for XEN, Hyper-V, and bare metal. The installation is
automatic and doesn't need interaction with the user. Wait for the process to be completed.

Task
1 Create your VM and boot the ISO provided.
Wait for the process to complete.

2 Remove the ISO file and turn on the VM.

The Intel microcode package must be installed on TIE Servers that are running on bare metal. See the
Installing the Intel microcode package in TIE Server running on bare metal section of KB90843 for details.

You can continue installing and configuring the TIE server.

Deploy the Data Exchange Layer client


Deploy the DXL client to each of your managed systems.

Task

1 In McAfee ePO, select Menu | Software | Product Deployment, then click New Deployment.
For details about deploying the DXL Client, see the product documentation for DXL.

2 Complete the new deployment information, then start the deployment.

For details about deploying software in McAfee ePO, see the McAfee ePolicy Orchestrator Product Guide.

Deploy the TIE client module


Install the client module for the managed product.
For details about deploying the client module, see the product documentation for Endpoint Security.

• Make sure you install the corresponding client module.

    • TIE Module for McAfee VirusScan Enterprise, or

    • McAfee® Endpoint Security Threat Intelligence (TI ENS) Module for 10.2, or

    • McAfee® Endpoint Security Threat Intelligence (TI ENS) for 10.5.

5 Post-installation tasks

Once the server extension is configured, create, monitor, and adjust TIE server policies to determine what is
allowed and blocked.
Use the TIE server policies to run the TIE server in observation mode to build file prevalence (how often a file is
seen in your environment) and observe what the TIE server detects in your environment. You can monitor and
adjust the policies, or individual file or certificate reputations to control what is allowed in your environment.

Contents
Configure the TIE server extension
Verify the installation
Monitoring and making adjustments
Building file prevalence and observing
Managing TIE server database

Configure the TIE server extension


Configure the TIE server extension for use with VirusTotal.

Before you begin


Request your VirusTotal credentials to configure your TIE server. Visit www.virustotal.com for more
information.

If you use VirusTotal, enter your public or private key to access additional file reputation information. VirusTotal
is a service that analyzes files and helps to detect viruses, trojans, and other malware. You can access VirusTotal
data directly from Threat Intelligence Exchange server when viewing file reputation information.

Task

1 In McAfee ePO, select Menu | Configuration | Server Settings | Threat Intelligence Exchange Server.

2 Click Edit and enter your VirusTotal key.

When viewing file reputations on the TIE Reputations page, click the VirusTotal tab to see additional file
information.

Tasks
• Configure the TIE server topology
TIE server appliances can run combined in different operation modes to offer scaling and fail-over
capabilities.
• Configure the TIE server policy
Specify McAfee GTI, McAfee Advanced Threat Defense and McAfee Cloud Threat Detection settings
for the server.

Configure the TIE server topology


TIE server appliances can run combined in different operation modes to offer scaling and fail-over
capabilities.

After completing the installation, configure your TIE server instances managed by your local McAfee ePO with
an operation mode.

Consider that the first two TIE servers installed have an operation mode assigned automatically, namely,
primary and secondary instances.

On the Server Settings page in McAfee ePO, configure the operation modes of the server appliances.

Table 5-1 Operation modes of TIE servers

Option               Definition
Primary              Holds and writes the TIE server database and replicates the updates to all the Secondary
                     instances.
                     We don't support and don't recommend multi-primary environments.
                     We support just one Primary server per DXL fabric.
Write-Only Primary   Is responsible for writing, maintaining, and replicating the database.
                     It includes metadata and reputation update requests since it doesn't process endpoint
                     requests.
Secondary            Processes DXL requests exactly like a Primary instance using a database that is replicated
                     from the Primary server.
Reporting Secondary  Improves the McAfee ePO reporting services.
                     It doesn't process reputation requests.
Reputation Cache     Is an in-memory cache synchronized through DXL to minimize network requirements.
                     Provides endpoint operational reputation services.
                     The Reputation cache rebuilds after rebooting because it resides in memory.

In an environment with multiple McAfee ePO servers, only TIE servers managed by a local McAfee ePO server
are editable. For an environment with a single McAfee ePO server, managed TIE servers are displayed in a tree
structure where the root is the instance operating in primary mode.

In fresh installations, the operation modes of the first two appliances are configured automatically.

Task

1 In McAfee ePO, select Menu | Configuration | Server Settings | TIE Server Topology Management, then click Edit.

2 For each server instance you want to edit:


a Select the TIE server instance to edit, then select the Operation Mode from the drop-down list.

b Click Save.

Changing a primary to a secondary operation mode during a disaster recovery might delete its database
content. Always promote a secondary to primary operation mode before attempting a synchronization from
another primary server.

In a single primary instance scenario, you can have only one primary instance managed by your local
McAfee ePO server after the update.

3 After you save your changes, the background processing applies the changes on each TIE server instance.
This process can take several minutes. Wait a few minutes and press F5 or click Refresh in the browser to see
your new TIE server topology.

4 If your appliance wake-up port is filtered, manually restart the CMA service. Otherwise, it takes time for the
policy to reach the appliance.
See KB52707 for details about restarting the CMA service.

Tasks
• Edit the TIE Server topology
Change the operation mode of your TIE server instances managed by the local McAfee ePO server.

Edit the TIE Server topology


Change the operation mode of your TIE server instances managed by the local McAfee ePO server.
You can configure the operation mode of the server instances listed and enabled for editing in your local
McAfee ePO. Repeat this process for each server managed by your local McAfee ePO.

The server instances managed by another McAfee ePO appear disabled for editing.

Table 5-2 Option definitions

Option                          Definition
TIE Server Topology Management  Shows the server instances in a tree structure. (Single McAfee ePO environment)
Edit                            Enables editing and changing the operation mode of the servers.
                                In a multiple McAfee ePO environment, only TIE servers managed by a local
                                McAfee ePO are editable.

Task

1 On the TIE Server Topology Management page, select the TIE server instance and click Edit.

2 From the drop-down list, select the Operation Mode. Click Save to finish.
The changes in topology can take several minutes to be applied.
If you leave a server instance as Unassigned, it remains non-operative.

If you promote your primary to a different instance, for example, primary to secondary and an unassigned to
primary, you might lose data because the new primary instance does not replicate the database.

The new topology of your TIE server instances is displayed when the changes are applied. Click Refresh to verify
the changes.

Configure the TIE server policy


Specify McAfee GTI, McAfee Advanced Threat Defense and McAfee Cloud Threat Detection settings for the
server.


Task

1 In McAfee ePO, select Menu | Policy | Policy Catalog.

2 From the Product drop-down list, select McAfee Threat Intelligence Exchange Server Management, then select a policy
name or an action.
You can create a policy using Default as a template, or copy an existing policy and change it as needed.

3 On the General page, complete these options:


• Proxy Settings for Internet — If you use a web proxy for Internet access and it requires authentication, enter
the proxy information.

• Product Improvement Program — Allow McAfee to collect anonymous data about certificates and file hashes.
This data helps McAfee learn about threats and prioritize what's allowed or blocked.

4 On the McAfee Global Threat Intelligence tab, enable McAfee GTI to get file reputation. McAfee GTI is used if the
TIE server does not have reputation information for a file, or if the server is unavailable.

5 On the Sandboxing tab, specify whether to send file information to Advanced Threat Defense and/or to
McAfee Cloud Threat Detection for further evaluation.
a On the Advanced Threat Defense section, enter the server name and access credentials, available
servers, timeout settings, and the file types.
The file types you select are sent to Cloud Threat Detection when provided by the endpoint. Otherwise,
the selected file types are filtered.
You can enable certificate validation in the communication between the TIE server and Advanced Threat
Defense. See KB87692 for details before enabling Enforce Certificate Validation.

b On the McAfee Cloud Threat Detection section, enter the server name, the client and activation keys, and
the connection and timeout settings.

6 On the McAfee Web Gateway tab, accept or ignore incoming reports sent to the TIE server about potential web
threats.

7 On the Server Configuration tab, configure the logging level of the server, enable collecting information of DXL
traffic, enable or disable collecting metrics and modify the sampling period for collecting performance
metrics.

8 Select Menu | Configuration | Server Settings | Threat Intelligence Exchange Server. The VirusTotal service certificates
are validated. If you experience network filtering restrictions, click Edit to disable the Skip VirusTotal certificate
validations, then click Save.
You can configure the type of files that the TIE server recognizes and processes when accessing the TIE
server through McAfee Web Gateway and Advanced Threat Defense. You can add or remove file types from
the list.

Verify the installation


After installing the Threat Intelligence Exchange and Data Exchange Layer components, perform this task to
verify the installation.


Task

1 In the System Tree, click the TIE server name, then click the Products tab. Verify that the following components
are listed with the corresponding version for the installation process:
• McAfee DXL Broker (if configured when deploying the appliance)

• McAfee DXL Client

• McAfee Threat Intelligence Exchange Server

• McAfee Active Response Server (if configured when deploying the appliance)

If you configured the Active Response server, see the McAfee Active Response documentation for details and
instructions about verifying its installation.

2 In the McAfee ePO System Tree, verify that the tags are applied correctly to the deployed systems.

3 Verify that the DXL Topology settings and the DXL Fabric are configured correctly.

4 Select Menu | Configuration | Server Settings, then click DXL Client for ePO.

5 Verify that the operation mode of your TIE server instances has changed based on your edit.
Select Menu | Server Settings | TIE Server Topology and verify that your changes were applied.
See the product guide for TIE for details about the health checks on the TIE Server Topology Management page.

6 Verify that all the servers are up and running. Select Menu | Server Settings, then click on a server.

7 In the System Tree, select the TIE server, then from the Actions menu, select DXL | Lookup in DXL.
Verify that the connection state is Connected.

8 Verify that the DXL broker is now up and running. You can select Menu | Systems Section | TIE Reputations to
verify that you can search for files and certificates. It might take some time for reputation information to
populate the database.

Tasks
• Verify registered servers
Verify that the servers are registered correctly to view TIE server information in McAfee ePO reports
and dashboards.

Verify registered servers


Verify that the servers are registered correctly to view TIE server information in McAfee ePO reports and
dashboards.

Before you begin


You might have a registered server created automatically during the installation process. Make sure
that the dashboards are working properly. If they aren't, follow the instructions below.


Task

1 In McAfee ePO, select Menu | Configuration | Registered Servers, then click New Server if you don't have a
registered server. Click Edit to manually modify an existing registered server.

2 In the Server type drop-down list, select Database Server.

3 Enter a name, for example, TIE Server, then click Next.

4 On the Details page:


a Select Make this the default database for the selected database type.
This option is automatically selected when you create the first registered server. If you have more than
one Threat Intelligence Exchange database, select this option only for the database that you want as the
default.

b In the Database Vendor field, select TieServerPostgres.

c In the Host name or IP address field, enter the IP address of the system where you installed the server.

d Leave the Database server instance and Database server port fields blank (if they appear).

e For the Database name, enter tie.

f In the User name field, verify that the PostgreSQL user name is readonly.

5 Click Test Connection.

McAfee ePO communicates with the server and retrieves data for the reports and dashboards.

Register the servers again if you change the hostname or IP address of the appliance.

Monitoring and making adjustments


As the Threat Intelligence Exchange runs in your environment, reputation data is added to the database.

Use the McAfee ePO dashboards and event views to see the files and certificates that are allowed or blocked
based on the policies.

You can view detailed information by endpoint, file, rule, or certificate, and quickly see the number of items
identified and the actions taken. You can drill down by clicking an item, and adjust the reputation settings for
specific files or certificates so that the appropriate action is taken.

For example, if a file's default reputation is suspicious or unknown but you know it's a trusted file, you can
change its reputation to trusted. The application is then allowed to run in your environment without being
blocked or prompting the user for action. You might change the reputation for internal or custom files used in
your environment.

• Use the TIE Reputations feature to search for a specific file or certificate name. You can view details about
the file or certificate, including the company name, SHA-1 and SHA-256 hash values, MD5, description, and
McAfee GTI information. For files, you can also access VirusTotal data directly from the TIE Reputations
details page to see additional information (see About VirusTotal).

• Use the Reporting Dashboard page to see several types of reputation information at once. You can view the
number of new files seen in your environment in the last week, files by reputation, files whose reputations
recently changed, systems that recently ran new files, and more. Clicking an item in the dashboard displays
detailed information.


• If you identified a harmful or suspicious file, you can quickly see which systems ran the file and might be
compromised.

• Change the reputation of a file or certificate as needed for your environment. The information is
immediately updated in the database and sent to all devices in your environment. Files and certificates are
blocked or allowed based on their reputation.
If you're not sure what to do about a specific file or certificate, you can block it from running while you learn
more about it. Unlike a VirusScan Enterprise Clean action, which might delete the file, blocking keeps the file
in place but doesn't allow it to run. The file stays intact while you research it.

• Import file or certificate reputations into the database to allow or block specific files or certificates based on
other reputation sources. This allows you to use the imported settings for specific files and certificates
without having to set them individually on the server.

• The Composite Reputation column on the TIE Reputations page shows the most prevalent reputation and its provider.

• The Latest Applied Rule column on the TIE Reputations page shows and tracks reputation information based
on the latest detection rule applied for each file at the endpoint.
You can customize this page by selecting Actions | Choose Columns. See Customize queries in the Product Guide
for McAfee Threat Intelligence Exchange.

• The CTD Reputation column on the TIE Reputations page shows the most prevalent reputation obtained after
running and testing the file in a cloud-based sandbox server.

Building file prevalence and observing


You can see what is running in your environment and add file and certificate reputation information to the TIE
server database. This information also populates the graphs and dashboards available in the module where
you view detailed reputation information about files and certificates.

To get started, create one or more Threat Intelligence Exchange policies to run on a few systems in your
environment. The policies determine:

• When a file or certificate with a specific reputation is allowed to run on a system

• When a file or certificate is blocked

• When the user is prompted for what to do

• When a file is submitted to Advanced Threat Defense or McAfee Cloud Threat Detection for further analysis

While building file prevalence, you can run the policies in Observation mode. File and certificate reputations are
added to the database but no action is taken. You can see what the Threat Intelligence Exchange server blocks
or allows if the policy is enforced.

For details, see Create a new policy.

Managing TIE server database


Manage your database size with data retention policies to avoid service degradation as the database
grows.

This server task is now in McAfee ePO and checks the database size and compares it with a size threshold. If the
database exceeds the threshold, the cleanup is executed.

You can run the task as needed and configure the frequency from McAfee ePO on the Server Tasks page.


The task cleans the database of files that are old enough to keep the database under the configured file count.
By default, the task is executed every day at midnight to keep the size of the database within 15 GB.

The file selection criteria determines that files without an Enterprise reputation (or a reputation override) are
candidates for a purge, to avoid removing locally generated Threat Intelligence.
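
To see how close the database is to the default 15 GB limit before the nightly cleanup runs, the size can be read directly from PostgreSQL. This is an added example, not part of the McAfee guide: the database name tie and the user readonly come from the registered-server settings in this guide, while TIE_DB_HOST, the function names, the 80% warning level, and the idea that the cleanup threshold corresponds to pg_database_size are assumptions.

```shell
#!/bin/sh
# Added example (not McAfee code). Database name "tie", user "readonly" and the
# 15 GB default are from this guide; everything else is an assumption.
TIE_DB_LIMIT_GB=15

# Query the on-disk size of the tie database in bytes.
# Assumes psql is installed and the readonly password is supplied through
# PGPASSWORD or ~/.pgpass. TIE_DB_HOST is a hypothetical variable name.
tie_db_size_bytes() {
    psql -h "${TIE_DB_HOST:?set TIE_DB_HOST to the TIE server address}" \
         -U readonly -d tie -At -c "SELECT pg_database_size('tie')"
}

# Print "<status> <percent-of-limit>" for a size given in bytes.
#   ok   : below 80% of the limit (80% is an assumed warning level)
#   warn : 80-99% of the limit
#   over : at or above the limit (return code 1)
# A non-numeric size prints "invalid 0" and returns 2.
tie_db_classify() {
    tdc_bytes=$1
    case "$tdc_bytes" in
        ''|*[!0-9]*) echo "invalid 0"; return 2 ;;
    esac
    tdc_limit=$(( ${2:-$TIE_DB_LIMIT_GB} * 1024 * 1024 * 1024 ))
    tdc_pct=$(( tdc_bytes * 100 / tdc_limit ))
    if [ "$tdc_pct" -ge 100 ]; then
        echo "over $tdc_pct"
        return 1
    elif [ "$tdc_pct" -ge 80 ]; then
        echo "warn $tdc_pct"
    else
        echo "ok $tdc_pct"
    fi
}

# Run against a live server only when asked to, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    tie_db_classify "$(tie_db_size_bytes)"
fi
```

A second argument to tie_db_classify overrides the limit in GB if the retention task was configured with a different threshold.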



6 Upgrade to a newer software version

You must meet requirements and follow procedures to actually benefit from the new features and
enhancements of the newer software version.

Before you begin


If the TIE server properties or database configuration were modified, create a backup and reapply
changes after the upgrade.

Not all manual customization of the appliance configuration is preserved when upgrading.

Consider that TIE server 1.2.1 reached its EOL support on December 31, 2017, and 1.3.0 will on August 15, 2018.
See KB89670 for details.

Make sure the following URLs are white-listed in your enterprise firewall so that the TIE server can access the McAfee
GTI and McAfee CTD services (if they are enabled).
• tieserver.rest.gti.mcafee.com

• tie.gti.mcafee.com

• tieserver.analysis.gti.mcafee.com

In the Proxy settings section at the TIE server policy settings, only include the DOMAIN in the user name if your
proxy supports NTLM v1. See KB87782 for details.

When upgrading, consider the following.


• Procedures
• To minimize network disruption, schedule maintenance downtime for the upgrade and run a vacuum
analyze task for database maintenance (see KB86092 for details).

• The endpoint reputation cache is rebuilt when upgrading the components. Perform incremental
upgrades to minimize the impact on the TIE server capacity.

• Upgrade the TIE client and the DXL Client in the endpoints and the DXL broker appliance. See the release
notes for those products.

You can't upgrade the DXL client using a McAfee ePO Deployment task on a TIE server system. You can
only get an upgraded DXL client when installing a new TIE server.

• First upgrade the extension in McAfee ePO, then the TIE platform and the TIE server packages on the TIE
appliance.

• The build numbers of the platform and the server packages must match.


• Dependencies
• Upgrade the McAfee Agent for MLOS to version 5.5.0 or later before upgrading the TIE server appliance.

• McAfee Agent for MLOS 5.5.0 is only available at McAfee Downloads in the TIE server section. See
KB85586 for instructions to deploy the agent to the TIE server appliance. Do not install the McAfee
Agent for Linux because it is not compatible.

When upgrading the TIE server from a previous release, you must reboot your system after the upgrade.

Task

1 If you have a particular customization of the TIE server properties and database configuration, make sure
you save them before continuing.

Your customized configuration isn't saved after the upgrade.

2 Create a snapshot of your virtual machine (primary instance, if applicable) on the VMware vSphere client.
For instructions, see the VMware vSphere documentation.
If you are using a non-virtual environment, see KB86092 for instructions to create bare-metal backups.

3 In McAfee ePO, select Menu | Software | Software Manager.


The Updates Available tab lists the latest versions available for updates.

4 Click Threat Intelligence Exchange to see the available versions, then click Update.

5 If Software Manager doesn't show the TIE server packages, you must perform a manual upgrade.
a Download the Threat Intelligence Exchange files from the McAfee product download website, then check
in the files to the Master Repository in McAfee ePO.

b In McAfee ePO, select Menu | Software | Master Repository.


Click Check in Package, select Package type, then click Next.
On the Package Options tab, check the details of your package. Click Save to complete the check-in.
Perform these steps for each package that you want to check in. First check in the platform package,
then the server package.

6 Reboot the appliance so that the operating system picks up the new kernel provided by the new TIE platform
package.

Tasks
• Deploy the Threat Intelligence Exchange products
To deploy the TIE products to the server appliance, create a client task for deployment on the
McAfee ePO server.
• Verify the upgrade
Make sure the TIE components are configured correctly.

Contents
Deploy the Threat Intelligence Exchange products
Verify the upgrade


Deploy the Threat Intelligence Exchange products


To deploy the TIE products to the server appliance, create a client task for deployment on the McAfee ePO
server.
For troubleshooting DXL Broker upgrades or installation, see the product guide and release notes for DXL.

If you plan to upgrade the DXL Brokers in your fabric, or if you plan to deploy new appliances with bundled TIE
server and DXL Broker from an ISO file or OVF images, first upgrade all DXL extensions in McAfee ePO.

The TIE server help extension build version is expected to be different from the other components because it is
built separately.

Task

1 Make sure that you have full connectivity in the DXL fabrics. In McAfee ePO, select Menu | Data Exchange Layer
Fabric, then click the Refresh button.

All your brokers must be listed in green.

2 In McAfee ePO, select Menu | Policy | Client Task Catalog.

3 Select McAfee Agent, then click New Task.

4 Select Product Deployment, then click OK.

5 Complete the new deployment information. For the Target platforms option, make sure that only McAfee Linux
OS is selected.

6 Upgrade the packages in this order:


a TIE platform

b TIE server

The DXL Platform package is not intended for the TIE appliance and isn't compatible with the TIE appliance.
The TIE server embedded DXL Client can't be upgraded.

7 Save and run the task on the TIE server.


If any of the packages doesn't deploy successfully, try deploying them again to rule out network issues. If
they still don't deploy, collect logs and contact support. See KB82850.

8 If you have already configured a registered server, follow these steps to verify connectivity.
a In McAfee ePO, select Menu | Registered Servers.

b Select the server from Database Servers, then select TIE Server.

c From the Actions drop-down list, select Edit.

d After the edit is complete, click Next and Save.

9 Reboot the appliance so that the operating system picks up the new kernel provided by the new TIE platform
package.

10 Upgrade the Intel microcode package on TIE Servers that are running on bare metal. See the Installing the
Intel microcode package in TIE Server running on bare metal section of KB90843 for details.


Verify the upgrade


Make sure the TIE components are configured correctly.

If you enabled Active Response server during the TIE server deployment on the appliance, see the documentation
for McAfee Active Response for information about verifying the upgrade of Active Response.

Task

• In McAfee ePO, select Menu | Server Settings | TIE Server Topology Management and verify that your server
instances are configured correctly. You can also view connectivity status on this page.

For troubleshooting, use the Minimum Escalation Requirements (MER) tool to collect product data from the
server and contact technical support. See KB82850.
If initializing the TIE server takes longer than expected, consider the following options for troubleshooting.
• Verify that the TIE server extension is installed in McAfee ePO.

• In McAfee ePO, run the server task Apply TIESERVER tags again. Verify that the tags are applied correctly in all
installed products.

• In McAfee ePO, wake up the agents and all appliances that have DXL brokers to gather policies.

• Verify the connectivity status and the operation modes of several components using the TIE Server Topology
Management page.

• Verify that the DXL Topology settings and the DXL Fabric are configured correctly.

• Verify the DXL Connectivity in the DXL Client for McAfee ePO.

• Go to /data/tieserver_pg/postgresql.conf and /opt/McAfee/tieserver/conf/tie.properties
to reapply your settings, if they were manually customized.



7 Troubleshooting the installation

Find solutions for common issues that might occur during installation.
You can also access scripts for reconfiguring the TIE server, DXL brokers, and the McAfee Agent.

Contents
Verify installed components
Accessing the log files
Reconfiguring the installation using scripts
Troubleshoot the consolidated appliance deployment

Verify installed components


If you experience problems installing and accessing the TIE client module or the Data Exchange Layer client,
follow these steps.

Task

1 Navigate to the TIE Server Topology Management page and verify the health check status of the server instances
managed locally by McAfee ePO server.

2 Verify that NTP is configured correctly.


The McAfee ePO time server must match the NTP server used during the installation, or, at minimum, the McAfee
ePO date and time must match the TIE server's date and time.

3 Wake up the agent on the TIE server.


a In McAfee ePO, select Menu | System Tree, then select the checkbox for the TIE server.

b Click Wake Up Agents.

c On the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.
This option sends the server properties from the TIE server appliance to McAfee ePO.

d Select Menu | Automation | Server Task Log to verify that the task completed.

e In the System Tree, click the server name, click the Products tab, then verify that these components are
listed:
• McAfee DXL Broker

• McAfee DXL Client

• McAfee Threat Intelligence Exchange Server


4 Apply the TIESERVER tag to the TIE server.


a Select Menu | Automation | Server Tasks, then run Apply TIESERVER tags to TIE Server.

b Select Menu | Automation | Server Task Log to verify that the task completed.

c In the System Tree, verify that the TIESERVER tag was applied to the system.

5 Run the Manage DXL Brokers task.


a Select Menu | Automation | Server Tasks, then run Manage DXL Brokers.

b Select Menu | Automation | Server Task Log to verify that the task completed.

c In the System Tree, click the server name and verify that the DXLBROKER tag was applied to the system.

6 Wake up the agent on the TIE server.


a In McAfee ePO, select Menu | System Tree, then select the checkbox for the TIE server.

b Click Wake Up Agents.

c On the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.

d Select Menu | Automation | Server Task Log to verify that the task completed.

7 Verify the DXL configuration.


a Select Menu | Configuration | Server Settings, then click DXL ePO Client.

b Verify that the connection state is Connected.


If it isn't, repeat steps 2–4.

8 In the System Tree, select the TIE server, and from the Actions menu, click DXL | Lookup in DXL.
Verify that the connection state is Connected.

9 Verify that the DXL and TIE services are running:


a On the virtual machine, open a Console window and log on.

b Enter service cma status

c Enter service dxlbroker status

d Enter service tieserver-policy-listener status

e Enter service tieserver status

10 With the DXL broker up and running successfully, verify that you can search for files and certificates.
a Select Menu | Systems Section | TIE Reputations.

b Enter * in the Quick find box, then click Apply.

c Select any file from the result and verify that the TIE File Reputations Information is displayed.

d If it isn't, repeat steps 2–4.

Accessing the log files


To troubleshoot installation problems, see the following directories and access the log files.
Endpoint Security Threat Intelligence server — /var/McAfee/tieserver/logs/tieserver.log

Endpoint Security Threat Intelligence module — \ProgramData\McAfee\EndpointSecurity\Logs\ThreatIntelligence_Activity.log

TIE client module for VirusScan Enterprise — \ProgramData\McAfee\TIEM\TIEMVe.log

TIE server — /var/McAfee/tieserver/logs/tieserver.log

Threat Intelligence Exchange server —

• /var/McAfee/tieserver/logs/tieserver.log

• /var/McAfee/tieserver/logs/tieserver-start.log

• /var/McAfee/tieserver/logs/tieserver-lib.log

• /tmp/reconfig-tie.log (for operation mode transitions)

Endpoint Security Threat Intelligence — %programdata%\McAfee\Endpoint Security\Logs\ThreatIntelligence_Activity and ThreatIntelligence_Debug

Data Exchange Layer Client — %programdata%\McAfee\Data_eXchange_Layer

Data Exchange Layer Broker — /var/McAfee/dxlbroker/logs/dxlbroker.log

Active Response — /opt/McAfee/marserver/apache-tomcat/logs/catalina.out

See KB82850 for details about using the Minimum Escalation Requirements (MER) tool to collect product data
from the server and contact technical support. This tool runs in the server appliance.

See KB59385 for details about using the MER tool with other McAfee products.
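
The four service checks from step 9 of Verify installed components can be run in one pass from the appliance console, with each stopped service paired with the log file listed above. This is an added example, not part of the McAfee guide; it assumes that service <name> status exits 0 for a running service (the LSB init-script convention), and the function names and the SERVICE_CMD override are hypothetical.

```shell
#!/bin/sh
# Added example (not McAfee code). Service names and log paths are the ones
# listed in this guide; function names and SERVICE_CMD are hypothetical.
TIE_SERVICES="cma dxlbroker tieserver-policy-listener tieserver"

# Map a service to the log file this guide lists for it ("-" if none is listed).
tie_log_for() {
    case "$1" in
        dxlbroker) echo /var/McAfee/dxlbroker/logs/dxlbroker.log ;;
        tieserver) echo /var/McAfee/tieserver/logs/tieserver.log ;;
        *)         echo - ;;
    esac
}

# Print "<service><TAB><log>" for every service whose status check fails.
# Returns 0 when all four services are running, 1 otherwise.
# Assumption: the status command exits 0 only for a running service.
check_tie_services() {
    cts_failed=0
    for cts_svc in $TIE_SERVICES; do
        if ! "${SERVICE_CMD:-service}" "$cts_svc" status >/dev/null 2>&1; then
            printf '%s\t%s\n' "$cts_svc" "$(tie_log_for "$cts_svc")"
            cts_failed=1
        fi
    done
    return "$cts_failed"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    if cts_down=$(check_tie_services); then
        echo "All TIE appliance services are running."
    else
        echo "Not running (service, log to inspect):"
        printf '%s\n' "$cts_down"
        exit 1
    fi
fi
```

Run it with sudo and the --run argument on the appliance; a non-zero exit code makes it usable from a monitoring job.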

Reconfiguring the installation using scripts


Scripts are available to reconfigure the TIE server, the DXL brokers, and the McAfee Agent.

Accessing the scripts


The scripts are located in the /home/<username> directory. They must be executed with sudo permissions, for
example, sudo /home/myname/change-hostname.

| Script name | Description | Reboot? |
|---|---|---|
| change-hostname | Changes the host name of the current appliance. It restarts the McAfee Agent and the broker. | Recommended |
| change-services | Enables or disables the DXL broker and the TIE server services. If the broker was initially disabled during first boot, the script prompts for broker configuration information. | No |
| reconfig-dxl | Reconfigures the DXL port. | No |
| reconfig-ma | Reconfigures the McAfee Agent. The agent, the DXL broker, and the TIE server services are restarted. New keystores are generated when the service starts. | Recommended |
| reconfig-network | Reconfigures the current network interface (from DHCP to manual, or from manual to DHCP). | Recommended |
| reconfig-ntp | Reconfigures the Network Time Protocol servers. | No |
| reconfig-ca | Obtains an updated Certificate Authorities chain from McAfee ePO and stores it in the TIE server. | No |
| reconfig-cert | Generates a new certificate and sends a signing request to McAfee ePO through the TIE server extension. | No |

Troubleshoot the consolidated appliance deployment


For troubleshooting Active Response service, see the product documentation for McAfee Active Response at
www.docs.mcafee.com.

Task

1 If the Active Response service is deployed on a Secondary or Reporting Secondary TIE server instance and
doesn't work, verify that the TIE Primary server is up and running.

2 If the Active Response service is deployed on a Reputation Cache mode, it will not work until you transition
the TIE server to a Secondary or Reporting Secondary operation mode.

3 You can access Active Response log files at /opt/McAfee/marserver/apache-tomcat/logs/catalina.out.
