How to prevent DXL Clients from connecting to a Broker after you install McAfee Agent 5.6.0 and later

Technical Articles ID: KB91155
Last Modified: 2023-05-15 12:33:44 Etc/GMT

Environment

Data Exchange Layer (DXL) 6.x, 5.x
McAfee Agent (MA) 5.6.x

Summary

The approach provided below can also be used to support a phased rollout of a product that requires DXL.

IMPORTANT: Use this approach only if no other installed products depend on DXL.

NOTE: When you install a Threat Intelligence Exchange (TIE) Server (DXL Client), a connection to a DXL Broker is essential. If there's no connectivity, the TIE handshake process, which is part of the install process, doesn't complete. As a result, the installation process doesn't complete. The TIE handshake process needs a DXL Broker connection to complete the copy down of TIE certificate files. It's recommended that you create a specific DXL Client Policy for the certificate file copy action to retain DXL Broker connectivity.

Problem

When MA 5.6 or later is installed on a managed system, the DXL Client is also installed. The DXL Client automatically connects to an available DXL Broker.

In some environments, this feature can be problematic when there's only one broker and many managed systems.

Solution 1

DXL 5.x systems with MA 5.6.0 and later installed

To select systems that the DXL Client doesn't connect to a Broker when you install MA 5.6.0 or later, perform the steps below:

Log on to the ePolicy Orchestrator (ePO) console.
Click Menu, Configuration, Server Settings, DXL Topology. Use the DXL Topology command to create a DXL Hub and don't assign any brokers to it.
Create a DXL Client 5.0.0 Policy and apply the following Client Broker Connections settings to it:
1. Select the option Enable client broker preference.
2. Select the option Restrict to the selected broker or hub.
3. Select the hub that you created, which doesn't have any brokers assigned to it.
Click Save.
Assign the policy to the group of systems by the ePO tag or group. You might want to create different policies for different groups and tags and apply them as needed.

Solution 2

DXL 6.x systems with MA 5.6.2 and later installed
A new policy setting for DXL 6.x clients, allows users to disable DXL communication.

To disable the communication via policy, perform the steps below:

Log on to the ePO Console.
Navigate to Policy Catalog.
Select the product DXL Client 5.6.2.
Click Category: General.
Edit your policy or create a policy.
Under the Communication section, select the option Disable Communication.
Click Save.
Assign and only apply the policy to a group of systems for which DXL communication needs to be disabled.
When ready to re-enable communication, update the policy and deselect the option Disable Communication.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

How to prevent DXL Clients from connecting to a Broker after you install McAfee Agent 5.6.0 and later

Environment

Summary

Problem

Solution 1

Solution 2

Affected Products

Languages:

Title

Title

Knowledge Center

How to prevent DXL Clients from connecting to a Broker after you install McAfee Agent 5.6.0 and later

Environment

Summary

Problem

Solution 1

Solution 2

Affected Products

Languages:

Choose your region

Title

Title