What services does the ePO server use?
The ePO server uses the following services:

• Application Server (Tomcat) service - The core responsibilities of this service are as follows:
  • Provides your web browser with a Java-based webpage to remotely manage the ePO server through the ePO console
  • Manages extensions, notifications, policies, repositories, System Tree, and dashboards
  • Enables Structured Query User Interface to provide the reporting user interface
  • Runs the automatic response system
  • Provides user permissions and settings for the ePO server and components
• Event Parser service - The core responsibilities of this service are as follows:
  • Passes events to the Tomcat service
  • Stores events in the ePO database
  • Normalizes events using Common Event Format
• Apache service - The core responsibilities of this service are as follows:
  • Handles communications from McAfee Agent (MA) to the ePO server
  • Caches policies to reduce database reads and speeds up agent-server communication intervals (ASCI)
  • Manages events, groups, tags, and agent sorting
  • Passes events to the Event Parser service

Are there any tools available to help parse the log files?
We recommend using Notepad ++ and SMS Log Viewer. Microsoft Operations Manager also has a log viewer where you can view logs in real time, similar to SMS Log Viewer.

Is there any ePO console training available?
For a list of training courses, see the Product training page.

When the ePO agent is uninstalled, how long is the data associated with the agent retained?
The retention limit in SQL is set to 365 days. This data isn't guaranteed to be removed after it crosses the age threshold, but merely becomes eligible for deletion.
 

How do I upgrade to the latest ePO release or update?
See the following documentation:

• ePolicy Orchestrator Installation Guide and Release Notes
• KB71825 - ePolicy Orchestrator installation and update checklist for known issues

How do I check in my products to ePO 5.x?
ePO 4.6 introduces the Software Manager. From this version onward, you can automatically see updates (other than DATs and Engines) to your licensed products listed in the Software Manager. You can use the Software Manager to download the following:

• Licensed software
• Evaluation software
• Software updates
• Product documentation

To manually check in packages, see the ePolicy Orchestrator Product Guide for your version. To view all ePO Documentation, see the Product Documentation page.

What's the minimum hard drive space needed to upgrade an ePO database to a new version of ePO?
The minimum hard drive space needed depends on the size of the ePO database. A safe estimate is about twice the size of your current ePO database. An upgrade requires a large amount of transaction log space that's used during the upgrade to hold a copy of the EPOEvents table (typically, the largest table in an ePO database). Make sure that the transaction log is allowed to grow to a size at least as large as the EPOEvents table.

IMPORTANT: As with all ePO upgrades, perform a full backup of the ePO server and database before you upgrade. For instructions, see KB66616 - ePolicy Orchestrator server backup and disaster recovery procedure.

Does the ePO installer change the SQL Server during installation?
No, the ePO installer doesn't change the SQL Server installation.

• The ePO installation doesn't use the primary database and makes no SQL server-wide changes. It doesn't require System Administrator rights on the SQL Server itself to install. But, it requires permissions to create and drop a database during the installation process.
• The installer creates a database, uses the database, and then drops the database to verify that it has the appropriate rights. The installer writes to two databases: Tempdb and ePO database. After the installation is complete, DBO rights on the ePO database are sufficient for normal operation.
• The Primary database and MSDB are indirectly changed when the ePO database object and its Xact log are created. But, the ePO installer makes no changes directly. Also, ePO executes the CREATE DATABASE invocations during installation from the context of dbo.master. But, that's only because it has to start somewhere.

How do I troubleshoot installation failures?
The main ePO installer log is %temp%\McAfeeLog\EPOXXX‑Install‑MSI.log. This file contains all information about the installation including what the installer was doing and any failure information. Search from the bottom up for the word aborted. You can then see where the setup was quit and the error messages are directly above.
 

How do I stop the web browser certificate warning from displaying when connecting to the ePO console?
The ePO server uses a self-signed certificate for SSL communication with the web browser, which, by default, the browser doesn't trust. This fact causes a warning message to display every time you connect to the ePO console. To prevent this warning message from displaying, you must do one of the following:

• Add the ePO server certificate to the collection of trusted certificates used by the browser.
• Replace the default ePO server certificate with a valid certificate that's signed by a certificate authority (CA) that the browser trusts.

How do I change the ePO server SQL database connectivity settings?
You can change the SQL database connectivity settings using a webpage available at https://localhost:8443/core/config-auth, where 8443 is the console communication port. After installation, this method is the only way to configure the SQL database connectivity settings through a user interface.
 

What's the best method to monitor and be alerted of Failed or Terminated server tasks?
Automatic responses are generally the mechanism used to generate notifications to ePO administrators for these types of events. But, these responses are triggered from client and server events. Unfortunately, there isn't a generic server event generated if there's a failed server task.

ePO has a server event generated when the following tasks fail:

• Replication
• Pull
• AD Discovery
• NT Domain Sync
• Computer Import
   

NOTE: Configure tasks by creating an Automatic Response for Notification Server events. Then, filter by event IDs that correspond to these specific server task failures.

Agent Handlers (AHs) need to communicate directly with the ePO SQL Server. Is there a guide available to estimate the increased impact to the SQL Server for each Agent Handler added and number of clients it supports?
A general rule is that the number of processor cores on the server should be x8 (or 16), whichever is greater. So, a system running two hyper-threaded Xeons allows 32 threads for the event parser work queue and 32 database connections. A single processor non-hyper-threaded system defaults to the minimum of 16 threads and connections.

When's the best time to add more AHs to an ePO environment?
Most commonly, it's recommended that you use AHs to connect clients in a DMZ. AHs help with network and application load balancing, or both. If you're seeing numerous server busy messages, it might be time to add an Agent Handler, increase your ASCI times on the agent policies, or both.

NOTE: Apache processes only 250 simultaneous connections, but the server typically processes these connections in milliseconds. We determined that this low number is adequate even for enterprise environments.

We've seen many "server too busy" (245 connections) messages; does adding an Agent Handler resolve this problem?
It might, but if there's a problem on the back-end SQL Server, it won't. Adding an Agent Handler only increases the load to the SQL Server.

There are many possible reasons for the server too busy message in the Agent log. Check whether the server recovers by itself after a short time without restarting the service. If the server recovers by itself, it's likely a configuration issue. Consider taking the following actions:

• Decreasing the frequency of the ASCI
• Creating distributed repositories
• Decreasing the number of client tasks or the frequency at which they're running. One Agent Handler can typically handle up to 50,000 client systems.

Do leap second issues affect ePO?
No. A leap second is a one-second adjustment sometimes applied to UTC to keep its time of day close to the mean solar time (UT1).

Leap second issues don't affect ePO and MA.

What is ePO on AWS?
We can now deploy ePO and other related infrastructure elements through AWS Quick Start. The solution is known as ePO on AWS.

Where can I find more information about this AWS solution?
See the AWS Quick Start page. 

Can I use my existing license or do I need to purchase a new license to use the ePO on AWS offering?
You can use your existing ePO on-premises license to use the ePO on AWS offering (Bring Your Own License (BYOL)). No new license or SKU purchase is needed.

What are the infrastructure elements that are part of the AWS Quick Starts stack?
ePO Application Server, AHs, DXL Brokers, and Relational Database Service (RDS) SQL Database are part of the AWS Quick Starts stack.

Who owns and pays for the infrastructural elements that run in AWS?
The customer owns and pays the running costs to AWS.

What versions are the stack elements (ePO/DXL brokers) based on?
They're based on the following:

I don't use DXL functionality and don't need it; why is there a DXL broker in the default stack configuration?
It's needed so that endpoints within the corporate network are reachable for operations such as Agent Wake Up or Run Client Task.
If you have an alternative such as AWS Direct Connect that ensures connectivity from your AWS Virtual Private Cloud (VPC) to your internal network, you can change the 'Auto scaling Groups' for DXL brokers. After the stack is set up, change these groups to have a Min and Max value of 0.

What are the products that are supported with ePO on AWS?
For the ePO 5.10.x minimum supported extension versions, see KB90383 - ePolicy Orchestrator 5.10.x minimum supported extension versions.

What AWS regions are supported with this solution?
For details about regional support for ePO on AWS, see KB90695 - Regional support for ePolicy Orchestrator in Amazon Web Services.

Why use 'Quick Starts' over designing and setting up an infrastructure myself?
Quick Starts is the gold standard for deployments in AWS. The architecture and stack elements have been designed in consultation with AWS. Using AWS Quick Starts also removes the complexity of sizing and designing the deployment architecture.

Does this offer use AWS Relational Database Service (RDS) for SQL?
Yes.

Does this Quick Starts solution support BYOSQL?
Yes, if it's an existing RDS instance; otherwise, no.

Is there a similar offering for Azure?
Not currently. If you want an offering, raise a Product Enhancement Request (PER). For details, see KB60021 - How to submit a new Product Idea.

If I have a product that I use that's in the Product Compatibility List (PCL) 'block list', how do I plan to support it?
Raise a PER. For details, see KB60021 - How to submit a new Product Idea.

Is operation of the stack elements in FIPS mode supported?
No.

Is AWS GovCloud supported with this solution?
Yes.

For the Deployment Environment field (in the template), what's the difference between 'Production' and 'Development'?
The Development option enables customers to trial the solution at a lower cost. For example, the SQL instance that spins up when the 'Development' option selected is the RDS SQL Server Express edition.

Can I switch from 'Development to 'Production' mode?
No. You must create a stack with the 'Production' mode selected.

What do I have to do if the number of managed endpoints (or managed products) increases or decreases in my environment?

Which of the template parameters can be changed at a later point in time?
See the following table for details.

Template	Parameters that can be changed
Security Management Platform Configuration	None
Network Configuration	External Bastion Access CIDR
On-premises Network Configuration	None
ePO Application Server Configuration	External Access CIDR
ePO Database - Amazon RDS (SQL Server) Configuration	None
ePO Agents (Client) Configuration	External Access CIDR
Administration Configuration	All

What components of the stack does 'high availability' apply to?
It applies to the following:

Can the selected availability zones be of different regions, for example, Frankfurt and London?
No, high availability is restricted to availability zones within the same region.

Are the requests from the endpoint agents load balanced in a setup with high availability?
Yes.

Why's there a need to specify an AWS Key Pair? What's this used for?
The key pair is needed to enable secure connection to the instances.

How can I control access to my ePO? For example, to restrict access to only to a set of IPs?
Use the External Access CIDR field in the ePO Application Server Configuration template.

Can I apply an existing VPC to deploy my ePO infrastructure?
Yes. See the Quick Start deployment guide.

How do I connect my Active Directory (AD) infrastructure to ePO running on AWS?
Connect the AWS VPC to your internal network. Make this connection through either a Virtual Private Network (VPN) or AWS Direct Connect.

Are there any firewall ports that I need to open for communication with my on-premises infrastructure?
No. Outbound ports to DXL broker, ePO console, and AH are configured during stack creation.

Can I pair the stack with an existing RDS instance?
Yes.

How's the logon URL for ePO determined? Where can I get this information?
You can find this information using any of the following methods:

Can I export my existing Database (DB) and import it into RDS? Does this solution help?
No. This solution doesn't provide any Out of Bound (OOB) options to help with importing an existing DB.

Can I have AH or DXL brokers both on-premises and in AWS?
This situation isn't recommended. Latency between an AH and the Database needs to be as low as possible for better performance and scalability.

How do distributed repositories work with ePO and DXL brokers in AWS?
UNC and HTTP as distributed repositories are supported. With AWS VPN connectivity, you can use SuperAgent repositories on-premises with lazy caching and point-to-point relay as well.

Can I change the CFT template and does Technical Support it?
Yes. But we don't maintain any custom or customer changes. So, you might lose your custom work when creating an AMI.

WARNING: You might lose access to our 'update' feature for AH and DXL brokers, if the default templates aren't used.

How do I log on to the stack components (ePO, AHs, and DXL brokers)?
For details, see KB90847 - How to access ePO and Agent Handler Instances through a Bastion instance using PuTTY.

What if I don't provide a Load Balancer certificate Amazon Resource Name (ARN)? How will the communication work in this case?
If no certificate is provided, a self-signed certificate is created and used for communication.

How can I control access to the stack elements (ePO, AHs, and DXL brokers)?
Use the 'External Access CIDR' field within the Network Configuration template.

How quickly can the stack be set up?
The stack can be set up typically in less than an hour. The actual configuration of the template parameters is a small proportion of the total time.

Information about the instances that are spun as part of the stack.

Instance	Number of Managed Endpoints
	1–10K	10–25K	25–75K	75–150K	150–250K	250–400K	400–500K
ePO Server Instance type	m5.large	m5.xlarge			m5.2xlarge
ePO Server storage	256 GB	512 GB			512 GB
DB Server RDS type	sqlserver-se				sqlserver-ee
RDS Instance type	db.m4.large	db.m4.xlarge	db.r4.2xlarge	db.r4.4xlarge	db.r4.8xlarge	db.r4.16xlarge
RDS IOPS	2,000	5,000	>10,000	>30,000	>90,000
RDS DB Storage	250 GB	500 GB			1,000 GB		2,000 GB
RDS IOPS	1,000				1,500	2,000	3,500
AH Instance type	c4.large 128 GB
No. of remote AH instances	1 (2 with HA)	1 (2 with HA)	2 (4 with HA)	2 (4 with HA)	3 (6 with HA)	4 (8 with HA)	4 (8 with HA)
DXL Broker Instance type	c4.large 64 GB
No. of DXL Broker instances	1 (2 with HA)	1 (2 with HA)	2	4	7	10	13

NOTE: For how to measure the bandwidth of the MA Handlers in an ePO (on-premises) environment, see KB90826 - How to measure bandwidth usage of Agent Handlers in an ePolicy Orchestrator environment.
 

NOTE: Remote AHs and DXL Brokers are located under the Auto-scaling group. If they're closed and created with new instances, you might have to perform the patching again.

What's the process for applying hotfixes to the ePO Application Server?
You must accomplish the task manually; run the ePO installer.

What's the process for upgrading and applying a hotfix for an AH and DXL Broker?
Perform either of the steps below:

What components are the 'Updates for Stack Components' relevant to?
They're relevant to AHs and DXL Brokers.

NOTE: Customers using the GovCloud region have to use the CloudFormation template Actions and perform an Update Stack.

How does the update mechanism for the AH and DXL Brokers work when 'Updates for Stack Components' is selected?
New instances of AHs and DXL Brokers are spun up. When the health of these new instances is determined to be appropriate, the old instances are closed.

What if I opt out of 'Updates for Stack Components'?
You have to update the stack components manually.

Is there a similar AutoUpdate mechanism for the ePO Application Server?
No.

Is the Disaster Recovery process different from what it is for ePO on-premises today?
No. It's similar to the ePO on-premises. For details, see KB90845 - ePolicy Orchestrator server on Amazon Web Services disaster recovery procedure.

Is Database Snapshots turned on by default and how frequent is it?
The DB snapshots are turned on by default, and the backups are daily. More information can be found at the AWS webpage.

How about database snapshots when an existing instance is used?
If an existing RDS is used, it follows the same backup schedule for the existing RDS.

What if Application Server goes down? What would be the recovery process?
Follow the ePO disaster recovery process.

If I've changed the template, for example, for DXL brokers, can I still use 'easy updates' for AHs made available through the CI or CD pipeline?
No, changing the template isn't supported.

Is the migration process for transferring endpoints to ePO on AWS similar to on-premises?
Yes. A VPN connection is needed to establish connection to the database that's on premises.

What is Auto Scaling and how does it work?
Based on the use of stack elements, AHs, and DXL Brokers are added or removed. This action translates to optimal resource consumption and money spent. Auto Scaling is handled behind the scenes by monitoring parameters. For example, as active connections and latency between AHs and the database.

What components does Auto Scaling extend to?
Auto Scaling extends to AHs and DXL Brokers.

Can I disable Auto Scaling?
Yes. Manually set minimum and maximum values for the 'Auto scaling Groups' for AH and DXL Brokers.

Where can I find the ePO log and is it available in real time?
The ePO, AH, and other logs can be found in CloudWatch under /mcafee/.

Is the solution integrated with CloudWatch?
The ePO, AH, and DXL provision logs can be found in CloudWatch. The solution also provides an OOB dashboard that provides information about the health of the stack components.

How do I determine whether there's an event relating to Auto Scaling or update of AH or DXL broker?
The information is available in the Auto Scaling group history.

What happens if I manually close any ePO, AH or DXL instances from within the AWS console?

WARNING: Don't manually close any instances of the ePO solution from within the AWS console. It results in unintended consequences.

How do I reset or recover the ePO, RDS or DR password?
You can reset the password from the parameter store under Systems Manager Service. If you've forgotten the password to your ePO console, ePO database, or DR passphrase, you can retrieve them from within the parameter store of your stack.

How are ePO 5.10.0 Cumulative Updates different from previously released patches?
Updates, for example ePO 5.9.1, are full installer packages.
Cumulative Updates, for example ePO 5.10.0 Update 2, are a rollup of fixes that contain only the delta needed for the fixes.

Are there any considerations for applying an ePO update when ePO is installed in FIPS mode?
There are no special considerations when the ePO servers are installed in FIPS mode.

Why has the Update model for ePO 5.10.0 been introduced?
This model has been introduced to make it easy for customers to stay current and secure. The Update model enables a lightweight two-step approach for applying fixes in a customer environment.

Are Cumulative Updates the preferred model for delivering fixes for ePO 5.10.0?
Yes. Cumulative Updates replace the earlier model for delivering defect fixes via updates.

Are ePO 5.10.0 updates cumulative?
Yes. As the name suggests, Cumulative Updates for ePO 5.10.0 are cumulative in nature.
Example: ePO 5.10.0 Cumulative Update 2 contains all fixes available in Update 1. You need to apply only the latest Cumulative Update to get to a current state.

What versions of ePO are supported for Cumulative Update 2?
General Availability releases:

I've done a Disaster Recovery of my ePO setup after applying a Cumulative Update; do I need to apply the Cumulative Update?
Yes. Run the updater tool included in the Cumulative Update and select Repair to reapply the fixes.

Where can I find updates for ePO 5.10.0?
You can find the updates either in the ePO Software Catalog or on the Product Downloads site.

Where can I find the version of the update installed via the ePO console?
The version of the update installed is found in the Server Settings page under ePO and Database Server Information.
Example: Server Information:

Why am I able to see ePO 5.10.0 Update 2, but not Update 1 on the Product Downloads site or in the Software Catalog?
Update 1 was only Released to Support (RTS) and wasn't made available on the Product Downloads site or in the Software Catalog.

How do I install an ePO 5.10.0 update in my environment?
The ePO 5.10.0 Update # package also includes the ePO Updater Tool. The tool is intended to guide and simplify the application of fixes in customer environments.

Is it possible to run ePO Updater on Remote AH servers?
Yes. But, you need to execute the ePO update first on the ePO Server and Local AH before trying to execute it on the Remote AH server.

What can I do when the ePO services aren't stopping when executing an ePO update?
One of the following actions must be implemented if you see a pop-up message while running the ePO Updater tool. The message states that the services aren't stopped.
To complete the update, perform one of the following actions:

Is it possible to revert the changes applied from an ePO update?
Yes. Click Rollback in the updater tool to restore ePO to its previous state.

Will the ePO Updater work on non-English operating systems?
Yes. But the updater locale is in English only.

Is a cluster environment supported?
Yes. But, you must execute the ePO Updater tool on a data drive when ePO is installed in a cluster environment.

Can I run the ePO Updater when the SQL Server encryption option is set to ON?
No. When the SQL Server encryption is set to ON, you see the following error: "Failed to connect to database."

Workaround: Enable the flag in \resources\app\config\settings.json. By default, it's set to false.
Change the following value to true: "encryptedDBConnection": true.

Where can I find information about the fixes that an update contains?
See, KB51569 - Supported platforms for ePolicy Orchestrator.
In the article, under the "Release Information" section, you can find a list of all ePO updates and their corresponding release notes. The ePO Updater Tool also provides information about the included fixes.

Where can I find instructions for running the ePO Updater Tool?
See the ePolicy Orchestrator 5.10.0 Release Notes.

Are security vulnerability fixes delivered in the ePO updates?
Yes. Updates are the preferred approach for delivering fixes for security vulnerabilities.

Which versions of ePO are updates available for?
Cumulative Updates are available for ePO 5.10.0 and later.

I'm a customer upgrading from ePO 5.3.x or 5.9.x; how can I get to a current state?
Follow the steps below:

I've already upgraded to 5.10.0. How can I continue to stay current?
Download and apply the latest updates as they're released. If you would like to be notified when an ePO update is released, subscribe to SNS notifications.
For details, see KB51560 - Trellix on-premises product release cycle.

Where in the ePO console can I find the version of ePO that I've currently installed?
Log on to the ePO console, and navigate to Server settings, Server information.

Back to top

What is ePO on GCP?
ePO on GCP deploys and configures ePO 5.10.0 Update 10 or later on a supported VM server that runs in the GCP platform.

Can I use my existing license, or do I need to purchase a new license to use the ePO on GCP offering?
You can use your existing ePO on-premises license (BYOL). No new license or SKU purchase is needed.

What are the minimum infrastructure elements that are needed to deploy in GCP?
An ePO Application Server, AHs, RDS, and SQL Database.

Who owns and pays for the infrastructural elements that run in GCP?
The customer owns and pays for the running costs to host ePO on GCP.