How to use Smart Installer in an air-gapped network
Technical Articles ID: KB93405
Last Modified: 2023-07-11 09:35:17 Etc/GMT
Environment
ePolicy Orchestrator (ePO) 5.10.x, 5.9.x
ePolicy Orchestrator (ePO) - SaaS
McAfee Agent 5.6.x
Summary
Background details
Smart Installer is a customized URL-based installer that can be created with ePO or ePO - SaaS.
Network connectivity is essential for the Smart Installer to download the required MA configuration files. These files are directly downloaded from the ePO on-premises or ePO - SaaS servers.
Problem
The Smart Installer script fails to download the required MA configuration files in either of the following:
- An air-gapped network
- A system that doesn't have direct network access to the ePO on-premises server or the ePO - SaaS URLs
As a result, the Smart Installer fails to install MA. The following messages are generated in the Smart Installer user interface:
- Trying to download files directly from ePO
- Trying to download files directly from ePO, Using Proxy
- Unable to download files directly from ePO using proxy
- Unable to download files via Proxy, Using Relay
- Unable to download files via relay, download files failed
- Error occurred during agent McAfeeSmartInstall operations
In the above scenarios, the Smart Installer can use any of the following to download the configuration files needed to install MA:
- Peer-to-peer serving
- Relay servers
- Proxy server
The Smart Installer script tries these alternate methods automatically if it's unable to connect to ePO or ePO - SaaS directly.
To configure your environment, see the following articles:
Solution 1
Option 1 - Configure Peer-to-Peer Serving
You must define at least one managed system per broadcast domain to be a peer server. The Smart Installer automatically tries to discover peer servers and download the required Agent configuration files from them. It does so within the same broadcast domain as the system where smartinstall.exe is executed.
- Navigate to Menu, Systems, System Tree, Systems.
- Select a group under System Tree. All systems within this group now appear in the Details pane.
- Select a system, and then click Actions, Agent, Modify Policies on a Single System. The Policy Assignment page for that system appears.
- From the product drop-down list, select McAfee Agent. The policy categories under MA are listed with the system's assigned policy. If the policy is inherited, click Break inheritance, and then assign the policy and settings below.
- From the Assigned policy drop-down list, select a General policy.
NOTE: In this location, you can edit the selected policy, or create a policy. Choose whether to lock the policy inheritance. Locking the policy prevents any systems that inherit this policy from having another one assigned in its place.
- On the Peer-to-Peer tab, click Enable Peer-to-Peer Serving. This option enables MA to serve content to the Smart Installer and peer agents.
- Click Save.
- Send a wake-up call to the target systems.
Recommendations for peer-to-peer communication:
- It's not recommended to enable a peer-to-peer server on laptops or other mobile devices.
- Disable peer-to-peer servers on systems that have poor network connectivity or are connected using VPN.
- Peer-to-peer communication is enabled by default. If your organization restricts peer-to-peer communication, disable the Peer-to-Peer policy. Consider using Relay Servers as an alternative solution.
- Configure the Max disk quota to always be greater than the combined size of commonly used applications and updates. For example, if the DAT file size is 150 MB and the average product update size is 100 MB, the peer-to-peer disk quota must be more than 250 MB.
Solution 2
Option 2 - Configure a System Proxy
If the client system is unable to find peer-to-peer servers in its broadcast domain, it tries to connect directly to ePO or ePO - SaaS to download the Agent configuration files. If the connection succeeds, the client system downloads and installs MA.
If the installer is unable to connect to ePO or ePO - SaaS directly, it uses the Proxy Server Settings. The installer uses the proxy settings configured on the client system to download and install MA. The Smart Installer uses the proxy server settings configured in Internet Explorer for Windows, or System Preferences for Macintosh OS X client systems.
NOTES:
- Download using Proxy Server is supported only on Windows and Macintosh operating systems.
- For Macintosh client systems, the installer uses System Preferences.
- You must provide the proxy server credentials, if your client system requires authentication to connect to the proxy server.
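A pre-flight check for Option 2 on Windows, added here as an example (it is not vendor-provided code): it reads the current user's Internet Explorer (WinINET) proxy settings from the registry and tests TCP reachability of each configured proxy. The function name ConvertFrom-ProxyServerValue is hypothetical, and the script assumes the proxy is set per user as a static server or a PAC URL.

```powershell
# Added example: inspect the Internet Explorer (WinINET) proxy settings
# before running smartinstall.exe. These values are stored per user, so run
# this in the same user context that will launch the installer.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

function ConvertFrom-ProxyServerValue {
    # Hypothetical helper. ProxyServer holds either "host:port" or a
    # per-protocol list such as "http=host:port;https=host:port".
    param([string]$Value)
    foreach ($entry in ($Value -split ';' | Where-Object { $_ })) {
        $scheme, $endpoint = if ($entry -match '=') { $entry -split '=', 2 } else { 'all', $entry }
        $endpoint = ($endpoint -replace '^[a-z]+://', '').TrimEnd('/')
        $server, $port = $endpoint -split ':', 2
        [pscustomobject]@{
            Scheme = $scheme
            Server = $server
            Port   = if ($port) { [int]$port } else { $null }
        }
    }
}

if ($settings.AutoConfigURL) {
    "PAC script configured: $($settings.AutoConfigURL)"
}

if ($settings.ProxyEnable -eq 1 -and $settings.ProxyServer) {
    foreach ($proxy in ConvertFrom-ProxyServerValue $settings.ProxyServer) {
        # Only test reachability when an explicit port is present.
        $reachable = if ($proxy.Port) {
            Test-NetConnection -ComputerName $proxy.Server -Port $proxy.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        } else { $null }
        [pscustomobject]@{
            Scheme    = $proxy.Scheme
            Server    = $proxy.Server
            Port      = $proxy.Port
            Reachable = $reachable
        }
    }
} else {
    'No static proxy is enabled for this user.'
}
```

A result of Reachable = False, or no proxy entry at all, means the proxy fallback has nothing usable on this system, so peer-to-peer serving or a Relay Server in the same broadcast domain is needed instead.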
Solution 3
Option 3 - Configure MA Relay Servers
You must define at least one managed system per broadcast domain to be a Relay Server. The Smart Installer automatically tries to discover Relay Servers and download the required Agent configuration files from them. It does so within the same broadcast domain as the system where smartinstall.exe is executed.
- Navigate to Menu, Systems, System Tree, Systems.
- Select a group from System Tree. All systems within the group appear in the Details pane.
- Select a system and then click Actions, Agent, Modify Policies on a Single System. The Policy Assignment page for that system appears.
- From the product drop-down list, select McAfee Agent. The policy categories under MA are listed with the system's assigned policy. If the policy is inherited, click Break inheritance, and then assign the policy and settings below.
- From the Assigned policy drop-down list, select a General policy.
NOTE: From this location, you can edit the selected policy or create a policy. Choose whether to lock policy inheritance. Doing so prevents any systems that inherit the policy from having another one assigned in its place.
- On the Super Agent tab, click Enable Relay Server. This option enables the relay capability on MA.
- Click Save.
- Send a Wake-up Call to the target systems.
NOTES:
- A Relay Server can't connect to ePO using proxy settings.
- The Smart Installer relies on UDP broadcast (discovery) to find a Relay Server in the client network. After MA is installed and completes the first agent-to-server communication interval (ASCI), the agent can continue to use discovery to locate a Relay Server on the network, or it can use a manually defined Relay Server, which can be set in the assigned MA General policy.