Hotfix version 1 Build 4.5.3.1026
McAfee ePolicy Orchestrator 4.5

This document is a supplement to the McAfee ePolicy Orchestrator 4.5 Patch 3 Release Notes in the release package, and details fixes included in ePolicy Orchestrator 4.5 Patch 3 Hotfix 1.

Refer to the online KnowledgeBase article KB65773 at https://mysupport.mcafee.com/ for the most current information regarding this release.

ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 provides fixes to optimize the communication channel between Endpoint Encryption for PC 6.0 Patch 2 and ePolicy Orchestrator to allow the management of up to 10,000 nodes per server. For more information see Resolved issues.

Date
October 12, 2010

Resolved issues

Here is a list of issues that have been fixed in this release.

1. Issue: The DataChannel servlet stopped working if ePolicy Orchestrator received a DataChannel message from clients when the DataChannel extension was not yet initialized. (Reference: 569943)
   Resolution: The DataChannel servlet no longer stops working, regardless of the state of the DataChannel extension.

2. Issue: DataChannel messages were not processed asynchronously. (Reference: 578474)
   Resolution: The DataChannel servlet now processes multiple messages at a time.

3. Issue: The ePolicy Orchestrator server processed only one outgoing DataChannel message per second. (Reference: 578474)
   Resolution: The processing speed of outgoing DataChannel messages has improved to five messages per second.

4. Issue: DataChannel messages in the work queue table expired prematurely. (Reference: 557458)
   Resolution: DataChannel messages no longer expire prematurely.

5. Issue: When an Agent Handler was too busy, the server.log file was filled with "server too busy" messages and was difficult to troubleshoot. (Reference: 578474)
   Resolution: The Agent Handler preserves the log files when a "server too busy" error occurs for the first time.

6. Issue: The Agent Handler sometimes stopped accepting new agent connections and reported as busy if DataChannel communication and agent-to-server communication occurred at the same time. (Reference: 578474)
   Resolution: The Agent Handler does not stop accepting new agent connections and report as busy if DataChannel communication and agent-to-server communication occur at the same time.

7. Issue: When determining User Based Policy assignments, the wrong registered LDAP servers could have been queried for user information, causing incorrect or incomplete policy assignments to be sent to end nodes. (Reference: 548292)
   Resolution: The correct LDAP server is queried for each user in order to obtain user information that is used to determine User Based Policy assignments for each end node.

8. Issue: User Based Policy assignments that use group membership rules were not applied when OpenLDAP registered servers were used. (Reference: 553792)
   Resolution: Group membership rules now work correctly when using OpenLDAP registered servers.

9. Issue: DataChannel messages were not picked up if agent wake-up calls failed. (Reference: 572552)
   Resolution: DataChannel messages are now picked up even if agent wake-up calls fail.

10. Issue: When User Based Policy assignments were defined, the performance of Agent Handlers and the ePolicy Orchestrator Application Server would degrade over time, requiring the services to be restarted. (Reference: 610677)
    Resolution: The assignment of User Based Policies no longer causes the performance of the services to degrade over time.

11. Issue: ePolicy Orchestrator binary components included version resources that lacked the patch number of each component. (Reference: 612988)
    Resolution: The patch number of each ePolicy Orchestrator binary component is now included in its version resources.

Installation instructions

This section provides instructions for installing Hotfix 1 for ePolicy Orchestrator version 4.5 Patch 3.

Installing an ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 Server and Agent Handler

ePolicy Orchestrator 4.5 Patch 3 must be installed prior to installing this Hotfix. Please see the ePolicy Orchestrator 4.5 Installation Guide and the ePolicy Orchestrator 4.5 Patch 3 Release Notes for instructions on installing ePolicy Orchestrator where no previous version has been installed.

Upgrading an existing ePolicy Orchestrator server and Agent Handlers installation instructions

Server upgrade prerequisites

You must have the following installed prior to upgrading to ePolicy Orchestrator 4.5 Hotfix 1:

   McAfee ePolicy Orchestrator 4.5 Patch 3 (build 937)

You must be logged on to the ePolicy Orchestrator server as a Local Administrator on the system.

You must know the user name and password for at least one global administrator that is valid for the ePolicy Orchestrator server you are trying to upgrade.

The ePolicy Orchestrator and SQL Server services must be running during this upgrade (except when the automated upgrade stops and starts your ePolicy Orchestrator services).

Before upgrading the Server

1. Back up your ePolicy Orchestrator server and ePolicy Orchestrator database before upgrading to ePolicy Orchestrator 4.5 Patch 3 Hotfix 1. For more information, see KB article KB66616.
2. Be sure that there are no repository pulls or replication tasks currently running or scheduled to run during the installation.
   Note: If the master repository is locked, package check-ins fail, causing the installation to fail and roll back. This could be because a Master Repository pull is in progress.
3. Shut down all remote Agent Handlers so that they do not attempt to communicate with the ePolicy Orchestrator server during the upgrade process.
4. Warn other ePolicy Orchestrator users that during the installation process they might see changing content or be logged out of their current ePolicy Orchestrator console session.

Upgrading the Server

1. Copy the upgrade installation zip file to a temporary directory.
2. Extract the contents of the zip file into the temporary directory.
3. In the extracted files, run Setup.exe.
4. Click Next.
5. Type the ePolicy Orchestrator credentials for a global administrator.
   Note: McAfee recommends you use an existing global administrator with a simple password when installing this Hotfix. If the user is not a global administrator or the password includes characters other than those listed in the official character set (see Known Issues in the Release Notes for ePolicy Orchestrator 4.5 Patch 3) the installation will fail.
6. Click Next to start the automated installation process.
7. When the installation is complete, click Finish.
8. Manually determine if any extension upgrades failed, because individual extension upgrade failures do not cause the ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 installation to fail. A record of the failed extension check-ins can be found in the %TEMP%\McAfeeLogs\EPO450-Checkin-Failure.log file. Any failed extensions can be checked in again through the management console after the Hotfix installation is complete.

Agent Handler upgrade prerequisites

The ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 Agent Handler can be installed where no previous version of Agent Handler has been installed, or the release can be used to upgrade the following:

   McAfee ePolicy Orchestrator 4.5 Agent Handler 4.5 Patch 3 (build 937)

Before upgrading Agent Handler

1. Shut down all remote Agent Handlers.
2. Upgrade your ePolicy Orchestrator server to ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 prior to upgrading any remote Agent Handlers.

Upgrading Agent Handler

1. Copy the upgrade installation zip file to a temporary directory.
2. Extract the contents of the zip file into the temporary directory.
3. In the extracted files, browse to the Agent Handler folder and run Setup.exe.
4. Click Update to start the automated installation process.
5. When the installation is complete, click Finish.

Clustered Server installation instructions

ePolicy Orchestrator software provides high availability for server clusters with Microsoft Cluster Server (MSCS) software.

Windows Server 2003

Removing the Generic Service resources

1. In Cluster Administrator, take the ePolicy Orchestrator service resources offline by right-clicking each resource and selecting Take Offline.
2. Delete the ePolicy Orchestrator service resources by right-clicking each resource and selecting Delete.

CAUTION: Do not remove the Data Drive, ePolicy Orchestrator IP Address, or ePolicy Orchestrator Network Name resources; they are required to install the Hotfix successfully.

Installing ePolicy Orchestrator 4.5 Patch 3 Hotfix 1

Run the ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 setup only on the primary node. This is the first node on which ePolicy Orchestrator 4.5.0 was originally installed. No installation is required on any other nodes on an upgrade over ePolicy Orchestrator 4.5.

1. Make sure the following services are running in the Service Control Manager: If these services are not running, start them manually.
2. Run Setup.exe from the ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 extracted upgrade installation files.
3. Complete the installation wizard until the installation is complete on the node.
4. Start other nodes.

Creating the Generic Service resources

1. Ensure that the three McAfee services listed below are set to Manual and not Automatic in the Service Control Manager.
2. Add Generic Service resources for each of the services below in the following order:
   a. In the Cluster Administrator, right-click the ePO group, then select New Resource. The New Resource dialog box appears.
   b. Type the Name and Description of the resource. For example, ePO 4.5 Application Server.
   c. From the Resource type drop-down list, select Generic Service.
   d. Ensure ePO is the selected group and click Next.
   e. In the Possible Owners dialog box, identify the owners of the resource. Select the desired node and click Add.
   f. Repeat until all owners are added, then click Next.
   g. In the Dependencies dialog box, type the dependency specific to each service.
      Service "" depends on "McAfee ePolicy Orchestrator 4.5.0 Application Server"
      Service "" depends on "McAfee ePolicy Orchestrator 4.5.0 Server"
   h. For each of the following services, type the Service Name, leave the Start Parameters field blank, then click Finish.

      Service              Service Name
      Server               MCAFEEAPACHESRV
      Application Server   MCAFEETOMCATSRV200
      Event Parser         MCAFEEEVENTPARSERSRV

Windows Server 2008

Removing the Generic Service resources

1. In Failover Cluster Management, take the ePolicy Orchestrator service resources offline by right-clicking each resource and selecting Take this resource offline.
2. Delete the ePolicy Orchestrator service resources by right-clicking each resource and selecting Delete.

CAUTION: Do not remove the Data Drive or Client Access Point; they are required to install the Patch successfully.

Installing ePolicy Orchestrator 4.5 Patch 3 Hotfix 1

Run the ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 setup only on the primary node. This is the first node on which ePolicy Orchestrator 4.5.0 was originally installed. Unlike a Windows Server 2003 environment, all nodes need to be running during the upgrade process in a Windows Server 2008 environment. Make sure the primary node on which you are installing ePolicy Orchestrator Hotfix 1 is also the active node and has exclusive access to both the Data and Quorum drives.

1. Make sure the following services are running in the Service Control Manager (if they are not running, start them manually):
2. Run Setup.exe from the ePolicy Orchestrator 4.5 Patch 3 Hotfix 1 extracted upgrade installation files.
3. Complete the installation wizard only on the first node.

Creating the Generic Service resources

1. Ensure that the three McAfee services listed below are set to Manual and not Automatic in the Service Control Manager.
2. Add Generic Service resources in the following order:
   a. In Failover Cluster Management, right-click the ePO Application group, then select Add a resource > Generic Service. The New Resource Wizard appears.
   b. Select the ePolicy Orchestrator service that you want to add and click Next. For example, McAfee ePolicy Orchestrator 4.5.0 Application Server.
   c. The Confirmation page displays. Click Next to allow the Generic Service to be created. Click Finish when the Wizard is complete.
   d. Right-click each service resource and select Properties. The Properties dialog appears.
   e. Click the Dependencies tab and add the appropriate dependencies for each service resource.
   f. Dependencies specific to each service are:
      Service "" depends on "McAfee ePolicy Orchestrator 4.5.0 Application Server"
      Service "" depends on "McAfee ePolicy Orchestrator 4.5.0 Server"
3. Right-click the resource and choose Properties. The Properties dialog appears.
4. On the General tab, remove the Startup parameters and add a blank space.
   Note: Apache will not start with any startup parameters specified, and an empty entry is not permitted, which is why a blank space is needed.

Testing ePolicy Orchestrator 4.5.0 Patch 3 Hotfix 1 clustered server installation

When the ePolicy Orchestrator cluster is set up and online, use this task to ensure that ePolicy Orchestrator functions in a failover situation.

1. Restart the system functioning as the active node. The passive node automatically becomes the active node and you are automatically logged out.
2. When ePolicy Orchestrator then prompts you to log in, you can conclude that it has continued to function during the failover.

Important information

The attached files are provided as is, and with no warranty either expressed or implied as to their suitability for any particular use or purpose. McAfee, Inc. assumes no liability for damages incurred either directly or indirectly as a result of the use of these files, including but not limited to the loss or damage of data or systems, loss of business or revenue, or incidental damages arising from their use.

Hotfix files should be applied only on the advice of McAfee Technical Support, and only when you are actually experiencing the issue being addressed by the Hotfix. Hotfix files should not be proactively applied in order to prevent potential product issues. You are responsible for reading and following all instructions for preparation, configuration, and installation of Hotfix files. Hotfix files are not a substitute or replacement for product Service Packs which may be released by McAfee, Inc.

It is a violation of your software license agreement to distribute or share these files with any other person or entity without written permission from McAfee, Inc. Further, posting of McAfee Hotfix files to publicly available Internet sites is prohibited. McAfee, Inc. reserves the right to refuse distribution of Hotfix files to any company or person guilty of unlawful distribution of McAfee software products.

Questions or issues with McAfee Hotfix files should be directed to McAfee Technical Support.

Copyright 2010 McAfee, Inc. All Rights Reserved.
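
Added example (not part of the McAfee release notes): a PowerShell check for two manual verification steps above, namely step 8 of "Upgrading the Server" (the extension check-in failure log) and step 1 of "Creating the Generic Service resources" (the three services set to Manual on a clustered server). The service names and log path are the ones given in this document; the function names are hypothetical, and the log is returned unparsed because its format is not described here.

```powershell
# Added example, not McAfee code. Service names and the log path come from this
# document; the function names are hypothetical. Uses Get-WmiObject so it runs
# on Windows PowerShell 2.0.

$EpoServices = @(
    'MCAFEEAPACHESRV',       # Server
    'MCAFEETOMCATSRV200',    # Application Server
    'MCAFEEEVENTPARSERSRV'   # Event Parser
)

function Get-EpoServiceReport {
    param([string[]]$Names = $EpoServices, [string]$ExpectedStartMode = 'Manual')
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc) { $mode = $svc.StartMode; $state = $svc.State }
        else      { $mode = 'NotInstalled'; $state = 'n/a' }
        New-Object PSObject -Property @{
            Name = $name; StartMode = $mode; State = $state
            Ok   = ($mode -eq $ExpectedStartMode)
        }
    }
}

function Get-EpoCheckinFailures {
    # %TEMP% is per user: run this as the account that ran Setup.exe.
    param([string]$Path = (Join-Path $env:TEMP 'McAfeeLogs\EPO450-Checkin-Failure.log'))
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # The log format is not described in this document, so lines are returned unparsed.
    @(Get-Content -LiteralPath $Path | Where-Object { $_.Trim() -ne '' })
}

$report   = @(Get-EpoServiceReport)
$failures = @(Get-EpoCheckinFailures)

$report | Select-Object Name, StartMode, State, Ok | Format-Table -AutoSize
if ($failures.Count -gt 0) {
    Write-Warning "Extension check-in failures recorded ($($failures.Count) lines):"
    $failures | ForEach-Object { Write-Warning $_ }
}

$badServices = @($report | Where-Object { -not $_.Ok })
if ($badServices.Count -gt 0 -or $failures.Count -gt 0) { exit 1 }
```

The Manual start mode applies to the clustered procedure only; on a stand-alone server, call Get-EpoServiceReport with a different -ExpectedStartMode or ignore the Ok column.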