Solved

ePolicy 4.5 - Autodetect new systems

Posted on 2010-11-10
Last Modified: 2013-12-09
Hi

I'm looking to configure my installation of ePO 4.5 to automatically detect any new systems on our network, and then deploy the agent to these. What is the best way to do this? I've seen on a few forums that the Rogue System Detection is the way to go, but can't find any docs on how to configure it. I also have an AD sync running daily, so this might be another avenue to explore.

Any help would be greatly appreciated.
Question by:ITUCIRL
33 Comments
 
LVL 57

Expert Comment

by:Pete Long
I simply add the subnet to the collection - then it will detect the machines as they come online
 

Author Comment

by:ITUCIRL
Thanks Pete

Would it be too much trouble to ask you to explain how I'd go about that?

I'm pretty much a novice with ePO!

Brian
 
LVL 16

Expert Comment

by:legalsrl
Brian,
Are you looking to simply add machines to your ePO installation when they are joined to the network, or are you looking to be alerted of any machines connecting to your network?

What you will need to do at a base level would be to do this:

1.  Go to My Organisation and highlight your AD domain
2.  Click Group Details, then Synchronisation Type
3.  Configure the Sync settings as required
4.  Push Agents to new systems when they are discovered

Once you have set this up, set up a Client Task at the root of your AD Group to deploy the AV etc. and set that to run immediately.

What I also do is to run a query every day for machines that have not communicated back to ePO within 3 days and then use those results to deploy a new agent to them.

Let me know if you need anything else.

Cheers
Si
 

Author Comment

by:ITUCIRL
cool

I have that set up now. I'll add a new machine to the group tomorrow, and let you know how it goes.

Thanks!
 

Expert Comment

by:BusinessSolutions
Thank you for the above. I have done the above, managed to get EPO to discover the machine and I have the deployment (McAfee Agent) Client task set to run immediately. Left it overnight, the machine is on the network and switched on, but the agent isn't being pushed out to the client.

Any ideas?
 
LVL 16

Expert Comment

by:legalsrl
Probably because epo already knows about it

Is it a new machine ?
Ta
Si
 

Expert Comment

by:BusinessSolutions
Yes, I've just added it to the domain and EPO has found it after I did an AD sync. But it's not pushing out the McAfee client agent even though there is a client task for the container to deploy the agent.
 
LVL 16

Expert Comment

by:legalsrl
OK, let's start by checking whether the credentials in the Synch Task with Deploy new agents are configured with the correct credentials


Can you dump the server task output for me ?

Cheers
Si
 

Expert Comment

by:BusinessSolutions
Here you go, doesn't really give you much info.
Server-Task-Log.csv
 
LVL 16

Expert Comment

by:legalsrl
OK, let's check some basics to rule them out...

Can you browse to the C$ share of the machine from the ePO server ?
Is the firewall turned on ?
Can you deploy an agent to the machine manually from ePO ?
Can you browse to http://machinename:8081 ?

Cheers
Si
 

Expert Comment

by:BusinessSolutions
I've managed to browse the C$ share of the machine I want to push the agent out to from the EPO server.

No firewall is turned on on the machine.

Yes, if I manually deploy it, it deploys no problem.

From the EPO server I cannot browse to it via browser, but I can ping the hostname or IP address.
 
LVL 16

Expert Comment

by:legalsrl
Autodeployment Screenshot Push Agent Screenshot
OK, I've attached 2 screenshots of how it should be configured, does yours match mine ?

Cheers
Si
 

Expert Comment

by:BusinessSolutions
Yup, all matching.
 

Expert Comment

by:BusinessSolutions
When I manually try to wake up the agent I look in the report and it says failed. When drilling down to find out why, the extended task details say: 1, waking up agent TESTRC2 using NetBIOS; 2, Unknown error contacting agent; 3, Wakeup agent failed.

But I've installed Wireshark on the client in question and when I click on the wakeup agent, Wireshark is picking up packets from my "EPO server ip":8080 and the client is sending back ACKs to it. So guessing it's not a layer 2 or 3 problem? Might be wrong though.
 
LVL 16

Expert Comment

by:legalsrl
Ahhhhh....

Have you created a Server Task to actually RUN the synchronisation ?

Cheers
Si
 

Expert Comment

by:BusinessSolutions
Yeah, in my Server tasks there is an AD sync, see screenshot, or are you referring to some other sync?
server-tasks.JPG

 
LVL 16

Expert Comment

by:legalsrl
Nope, that's the one.....

If you drill down in to the AD Sync Task from the Server Task Log, can you post what it says under the task ?

Cheers
Si
 

Expert Comment

by:BusinessSolutions
Here you go, the OU that the PCs I'm testing are in is my organization\Test group
server-task-details.JPG
 
LVL 16

Expert Comment

by:legalsrl
OK, looks interesting....the sync is working fine, but the autodeployment is not....

Can we delete the test machine from AD, run the Server Sync Task and then join the machine to the domain under a different name ?

Cheers
Si
 

Expert Comment

by:BusinessSolutions
OK, deleted machine from AD, removed client from domain, ran EPO server sync task. Renamed the client, placed the client in the test OU within AD, ran the sync again and EPO is showing the new machine name TESTRC3. (see screenshots)

But yet again autodeployment is not working. I've made sure that Windows Firewall is turned off and made sure the Windows Firewall/Internet Connection Sharing (ICS) service is stopped.
server-audit-log.JPG
system-tree.JPG
 
LVL 16

Accepted Solution

by:
legalsrl earned 500 total points
OK, I've just re-read this post again for the nth time and found this:

"Thank you for the above. I have done the above, managed to get EPO to discover the machine and I have the deployment (McAfee Agent) Client task set to run immediately. Left it overnight, the machine is on the network and switched on, but the agent isn't being pushed out to the client."

This Client task needs to be VirusScan Enterprise deployment, not McAfee Agent (something I missed earlier)

Can you just check that there is no McAfee directory on the client under C:\Program Files ?

Cheers
Si
 

Expert Comment

by:BusinessSolutions
Hi,

I'm looking at the client task now and I've got (see screenshots) no VirusScan Enterprise deployment
client-task.JPG
 

Expert Comment

by:BusinessSolutions
And here are my current client tasks under my test group.
client-tasks.JPG
 

Expert Comment

by:BusinessSolutions
Sorry for the 3rd post, didn't mean to submit each time.

I have no McAfee directory within my C:\program files\
 
LVL 16

Expert Comment

by:legalsrl
OK, on the page after the Product Deployment (McAfee Agent), presumably you have the option to choose what software needs to be deployed....this is where I'd expect to see VirusScan Enterprise as an option.....

Go back in to the Server Task Log and in to the AD Sync task that added the new machine and click on the Subtasks button (next to where it says Log Messages) and drill down in to the next tasks and drag the logs out of all of the tasks that you see

Cheers
Si
 

Expert Comment

by:BusinessSolutions
Yeah, sorry, I've got McAfee Agent for Windows 4.0.0 Install, HIPS Install and VirusScan Enterprise 8.5.0 Install; all are set to install under my client task.

Interesting, I've drilled down and I've found this, but I'm on the EPO server and I can browse to the client's C$ share. See screenshot; I've also attached a screenshot of the failed to push agent to my client.
remote-network-path.JPG
failed-to-push-agent.JPG
 
LVL 16

Expert Comment

by:legalsrl
Interesting.....

This is normally a firewall issue but you can ping the client, and access the C$ Share....can you access the ADMIN$ share ?

Can you retype the credentials that you use to deploy the Agent in the Sync Task setting

What Client OS are we talking ?

Cheers
Si


 

Expert Comment

by:BusinessSolutions
Yes to the ADMIN$ share, yes to the C$ share. Client is running Win XP SP3.

Interesting, I've removed it from the domain, changed the name of the client to TESTRC5 and placed it back on the domain and now it's deployed the agent? What would have changed for EPO to push out the client now?
 
LVL 16

Expert Comment

by:legalsrl
ePO might have already known about its SID, or GUID of the machine.....

The way it's set  up should work for all new machines....

Remove the agent from it

Run NewSid on the machine

and give it a new name and  new SID and then join it to the domain again

Let me know what happens

Cheers
Si
 

Expert Comment

by:BusinessSolutions
It seems like it will try to add it once and never try to add the agent to the client again after it's failed. Because when I re-add it to the domain with a new name and SID it pushes it out just fine. I have set the client task to run immediately and have ticked it to run at every Windows enforcement, but it only tries the once.
 
LVL 16

Expert Comment

by:legalsrl
Yes, that's correct......the task will only run once when it's sync'd...

To combat this, I normally write a query to deploy a new agent to machines that haven't checked in to ePO ever and then deploy a new agent on the back of that query

Glad it's working normally though :-)

Cheers
Si
 

Expert Comment

by:BusinessSolutions
I have found the solution!!!!!!!

Basically, when I place a machine on the domain it takes a few mins to flush the DNS on the EPO server. I found that when it was trying to push out the agent to the client I couldn't ping the client name, only the address, so figured it was a DNS issue. Sure enough, when I flushed the DNS on the EPO and pinged the client name, it resolved the IP. The reason I didn't figure this out before was because when I was pinging the client after EPO tried to push out the agent, the DNS had added this entry already.

So now I've scheduled a task on the EPO server to flush the DNS every 5 mins.

Thank you for all your help Legalsrl, you have been more than helpful!!!!!!!! You're a star!
 
LVL 16

Expert Comment

by:legalsrl
No worries, well spotted.....glad it all works :-)

Cheers for the points
Ta
Si
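The checks worked through in this thread (name resolution from the ePO server, the ADMIN$ share, port 8081), gathered into one pre-flight script as an added example that is not part of the original posts. The host names are constructed placeholders, the function names are hypothetical, and the script assumes an elevated PowerShell session on the ePO server.

```powershell
# Added example. Run on the ePO server in an elevated PowerShell session.
# Host names at the bottom are constructed placeholders.

function Resolve-Name {
    param([string]$Name)
    try   { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { }   # name did not resolve: emit nothing
}

function Test-TcpPort {
    param([string]$Name, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

function Test-PushReadiness {
    param([string]$Name, [int]$AgentPort = 8081)   # 8081: port checked in the thread
    $ips = @(Resolve-Name $Name)
    $flushed = $false
    if ($ips.Count -eq 0) {
        # The remedy from the thread: drop the server's cached answer and retry.
        ipconfig /flushdns | Out-Null
        $flushed = $true
        $ips = @(Resolve-Name $Name)
    }
    $resolved = $ips.Count -gt 0
    New-Object PSObject -Property @{
        Name               = $Name
        Addresses          = $ips -join ','
        ResolvedAfterFlush = ($flushed -and $resolved)   # True = stale cache was the blocker
        AdminShare         = ($resolved -and (Test-Path "\\$Name\ADMIN$"))
        AgentPort          = ($resolved -and (Test-TcpPort $Name $AgentPort))  # False on a host with no agent yet
    }
}

'TESTRC-EXAMPLE1', 'TESTRC-EXAMPLE2' |
    ForEach-Object { Test-PushReadiness $_ } |
    Format-Table Name, Addresses, ResolvedAfterFlush, AdminShare, AgentPort -AutoSize
```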
