Security Keys; Agent-Server Secure Communication Keys - McAfee EPOLICY ORCHESTRATOR 4.0.2 Product Manual

Distributing Agents to Manage Systems

Security Keys

Agent policy and distributed repositories
By default, the agent can update from any repository in its repository list (SITELIST.XML) file.
The agent can use a network ICMP ping command or the repository's subnet address to
determine the distributed repository with the fastest response time out of the top five repositories
in the list. Usually, this is the distributed repository that is closest to the system on the network.
For example, a managed system in a remote site far from the ePO server probably selects a
local distributed repository. By contrast, an agent in the same LAN as the server probably
updates directly from the master repository.
If you require tighter control over which distributed repositories the agents use, you can enable
or disable specific distributed repositories on the Repositories tab of the McAfee Agent policy
pages. Allowing agents to update from any distributed repository ensures they get the update
from some location. Using a network ICMP ping, the agent should update from the closest
distributed repository from the top five in the repository list.The agent selects a repository each
time the agent service (McAfee Framework Service) starts or when the repository list
changes.
Proxy settings
To access the McAfee update sites, the agent must be able to access the Internet. Use the
agent policy settings to configure proxy server settings for the managed systems.The Proxy
tab of the McAfee Agent policy pages includes settings to:
• Use Internet Explorer proxy settings.
• Configure custom proxy settings.
• Disable any proxy use.
The default setting is Use Internet Explorer Proxy Settings, allowing an agent to use the
current proxy server location and credential information currently configured in the Internet
Explorer browser installed on that system.However, you may need to use ePolicy Orchestrator
to configure custom proxy server settings for systems in your network. For example, maybe
they use a different browser and don't have Internet Explorer installed.
Security Keys
ePolicy Orchestrator and the agents use keys to secure agent-server communication and to
sign and validate unsigned packages.
Agents update changes to keys on the next Update client task for the agent.

Agent-server secure communication keys

Agent-server secure communication (ASSC) keys are used by the agents to communicate
securely with the server. You can make any ASSC key pair the master, which is the one currently
assigned to agents deployed. Exisiting agents using other keys in the list change to the new
master after the next update. Be sure to wait until all agents have updated to the new master
before deleting older keys.
Agents previous to version 3.6 use a legacy key. If you are upgrading from a previous version
of ePolicy Orchestrator, the legacy key may be the master key by default.
McAfee ePolicy Orchestrator 4.0.2 Product Guide 71