Patch 3 for McAfee ePolicy Orchestrator 4.5 released

Rating

McAfee considers this a critical release for all environments. This update should be applied at the earliest convenience. For more information, see KB article KB51560.

Purpose

This document is a supplement to the McAfee ePolicy Orchestrator 4.5 Readme file in the release package, and details fixes included in ePolicy Orchestrator 4.5 Patch 3. Refer to the online KnowledgeBase article KB65773 at https://mysupport.mcafee.com/ for the most current information regarding this release. ePolicy Orchestrator 4.5 Patch 3 provides security and other fixes and customer escalation resolutions. Please see the Resolved issues section for more information.

Known issues

Known issues in this release of the software are described below.
  • Issue: Disabling an Agent Handler on the ePolicy Orchestrator server does not refresh the list and display the Agent Handler as disabled. (Reference: 559188)

    Workaround: Refresh the browser after disabling an Agent Handler.
  • Issue: When you upgrade ePolicy Orchestrator 4.0 to 4.5 Patch 3 on Windows 2008 when using SQL 2005, SQL 2005 Backward Compatibility is not automatically installed, which prevents the ePolicy Orchestrator installation from starting.

    Workaround: On Windows Server 2008 32-bit, first install SQLServer2005_BC.msi from the Patch 3 installation package, then start the ePolicy Orchestrator installation. On Windows Server 2008 64-bit, first download the 64-bit version of SQLServer2005_BC.msi from Microsoft's website and install it on the ePO server, then start the ePolicy Orchestrator installation.
  • Issue: ePolicy Orchestrator stops functioning if, after having been installed on Windows Server 2003, the server is upgraded to Windows Server 2008. (Reference: 465799)

    Workaround: Users can edit the service entries in the registry to remove the dependencies on the service that no longer exists in 2008. See KB67388.
  • Issue: Not all characters are allowed with ePolicy Orchestrator or SQL usernames and passwords, specifically regarding use with the ePolicy Orchestrator installer. (Reference: 363939, 387883, 395890)

    Workaround: The following is a list of allowed and disallowed characters for usernames and passwords used by the ePolicy Orchestrator 4.5 Patch 3 installer. This list is valid only for the ePolicy Orchestrator Patch 3 installer and might not represent the character sets allowed for previous patch installers.
    • ePolicy Orchestrator username and password official character set for the Patch 3 installer
      • Allowed: All printable characters with a hex value of 0x20 - 0x7E (ASCII 32 through 126), except the following. (for both user names and passwords, unless otherwise noted)
        • No leading space, trailing spaces, or passwords made up of solely spaces
        • No double quotes (")
        • No leading backslashes, trailing backslashes, or passwords made up of solely backslashes (\)
        • No dollar signs ($)
        • No percent signs (%)
        • Usernames cannot contain a colon (:)
        • Usernames cannot contain a semi-colon (;)
    • SQL user name and password official character set for the Patch 3 installer
      • Allowed: All printable characters with a hex value of 0x20 - 0x7E (ASCII 32 through 126), except the following. (for both user names and passwords, unless otherwise noted)
        • No leading space, trailing spaces, or passwords made up of solely spaces
        • No double quotes (")
        • No single quotes (')
        • No backslashes (\)
        • Usernames cannot contain a dollar sign ($)
        • Usernames cannot contain a colon (:)
        • Usernames cannot contain a semi-colon (;)
  • Issue: After upgrading from McAfee Total Protection for Endpoint to ePolicy Orchestrator 4.5 Patch 3 the help links in the Tour Extension are no longer valid. (Reference: 475799)

    Workaround: Substitute by manually typing "_450" for "_400" in the Tour Extension help links.
  • Issue: ePolicy Orchestrator performance counters were not installed on Windows 2008 R2 systems. (Reference: 509211)

    Workaround: A workaround was not available for this issue at the time of this release.
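
The installer character-set rules listed above for ePolicy Orchestrator and SQL credentials can be checked before running Setup.exe. The following Python script is an added example, not part of McAfee's release notes or installer; the function name check_credential, the rule-table layout and the sample values are assumptions made for illustration, and it mirrors only the rules as listed here for the Patch 3 installer.

```python
# Added example: pre-flight check of credentials against the character sets
# listed for the ePolicy Orchestrator 4.5 Patch 3 installer.
# Names and layout are this example's own, not McAfee's.

PRINTABLE = range(0x20, 0x7F)  # 0x20 through 0x7E inclusive

RULES = {
    "epo": {
        "banned": '"$%',          # user names and passwords
        "banned_user": ":;",      # user names only
        "edge_backslash": True,   # backslash allowed, but not first or last
    },
    "sql": {
        "banned": "\"'\\",        # double quote, single quote, any backslash
        "banned_user": "$:;",     # user names only
        "edge_backslash": False,  # moot: backslash is banned everywhere
    },
}


def check_credential(value, account, is_username):
    """Return the list of rules that `value` breaks; empty means acceptable.

    account is "epo" or "sql". Empty strings are not covered by the
    release notes and are not flagged here.
    """
    rules = RULES[account]
    problems = []
    outside = sorted({c for c in value if ord(c) not in PRINTABLE})
    if outside:
        codes = ", ".join(hex(ord(c)) for c in outside)
        problems.append("outside 0x20-0x7E: " + codes)
    if value.startswith(" ") or value.endswith(" "):
        problems.append("leading or trailing space")
    if rules["edge_backslash"] and (value.startswith("\\") or value.endswith("\\")):
        problems.append("leading or trailing backslash")
    banned = rules["banned"] + (rules["banned_user"] if is_username else "")
    hits = sorted(set(value) & set(banned))
    if hits:
        problems.append("disallowed characters: " + " ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = [
        ("epoadmin", "epo", True),
        ("Pa$$w0rd", "epo", False),     # '$' is rejected for ePO passwords
        ("Pa$$w0rd", "sql", False),     # but accepted for SQL passwords
        ("DOM\\svc_epo", "sql", True),  # any backslash is rejected for SQL
        (" secret", "epo", False),
    ]
    for value, account, is_user in samples:
        kind = "user name" if is_user else "password"
        result = check_credential(value, account, is_user) or ["ok"]
        print(f"{account} {kind} {value!r}: {'; '.join(result)}")
```

The same password can pass one rule set and fail the other, so check the ePolicy Orchestrator and SQL credentials separately.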

ePolicy Orchestrator 4.5 Patch 3 Server and Agent Handler Installation instructions

Installing an ePolicy Orchestrator 4.5 Patch 3 Server and Agent Handler
  • Please see the ePolicy Orchestrator 4.5 Installation Guide for instructions on installing Patch 3 where no previous version of ePolicy Orchestrator has been installed.

Upgrading an existing ePolicy Orchestrator server and Agent Handlers Installation instructions

ePolicy Orchestrator 4.5 Patch 3 Server upgrade prerequisites
  • You must have one of the following installed prior to upgrading to ePolicy Orchestrator 4.5 Patch 3:
    • McAfee ePolicy Orchestrator 3.6.1 Patch 4 (build 255)
    • McAfee ePolicy Orchestrator 4.0 Patch 5 (build 1298)
    • McAfee ePolicy Orchestrator 4.0 Patch 6 (build 1333)
    • McAfee ePolicy Orchestrator 4.5 (build 753)
    • McAfee ePolicy Orchestrator 4.5 Patch 1 (build 851)
    • McAfee ePolicy Orchestrator 4.5 Patch 2 (build 919)
    • McAfee Total Protection for Endpoint (build 1279)
  • You must be logged on to the ePolicy Orchestrator server as a Local Administrator on the system.
  • You must know the user name and password for at least one Global Administrator that is valid for the ePolicy Orchestrator server you are trying to upgrade.
  • The ePolicy Orchestrator and SQL Server services must be running during this upgrade (except when the automated upgrade stops and starts your ePolicy Orchestrator services).
Before upgrading to ePolicy Orchestrator 4.5 Patch 3 Server
  1. Back up your ePolicy Orchestrator server and ePolicy Orchestrator database before upgrading to ePolicy Orchestrator 4.5 Patch 3. For more information, see KB articles KB51438 and KB66616.
  2. Be sure that there are no repository pulls or replication tasks currently running or scheduled to run during the installation.
    Note: If the master repository is locked, package check-ins fail, causing the installation to fail and roll back. This could be because a Master Repository pull is in progress.
  3. Shut down all remote Agent Handlers so that they do not attempt to communicate with the ePolicy Orchestrator server during the upgrade process.
  4. Warn other ePolicy Orchestrator users that during the installation process they might see changing content or be logged out of their current ePolicy Orchestrator console session.
Upgrading to ePolicy Orchestrator 4.5 Patch 3 Server
  1. Copy the upgrade installation zip file to a temporary directory.
  2. Extract the contents of the zip file into the temporary directory.
  3. In the extracted files, run Setup.exe.
  4. Click Next.
  5. Type the ePolicy Orchestrator credentials for a global administrator.
    Note: McAfee recommends you use an existing global administrator with a simple password when installing this Patch. If the user is not a global administrator or the password includes characters other than those listed in the official character set (see Known Issues above), the installation will fail.
  6. Click Next.
  7. The automated installation process starts.
  8. When the installation is complete, click Finish.
  9. Manually determine if any extension upgrades failed, because individual extension upgrade failures do not cause the ePolicy Orchestrator 4.5 Patch 3 installation to fail. A record of the failed extension check-ins can be found in the %TEMP%\McAfeeLogs\EPO450-Checkin-Failure.log file. Any failed extensions can be checked in again through the management console after the Patch installation is complete.
ePolicy Orchestrator 4.5 Patch 3 Agent Handler upgrade prerequisites
  • The ePolicy Orchestrator 4.5 Patch 3 Agent Handler can be installed where no previous version of Agent Handler has been installed, or the release can be used to upgrade the following:
    • McAfee ePolicy Orchestrator 4.5 Agent Handler (build 753)
    • McAfee ePolicy Orchestrator 4.5 Agent Handler 4.5 Patch 1 (build 851)
Before upgrading to ePolicy Orchestrator 4.5 Patch 3 Agent Handler
  1. Shut down all remote Agent Handlers.
  2. Upgrade your ePolicy Orchestrator server to ePolicy Orchestrator 4.5 Patch 3 prior to upgrading any remote Agent Handlers.
Upgrading to ePolicy Orchestrator 4.5 Patch 3 Agent Handler
  1. Copy the upgrade installation zip file to a temporary directory.
  2. Extract the contents of the zip file into the temporary directory.
  3. In the extracted files, browse to the Agent Handler folder and run Setup.exe.
  4. Click Update.
  5. The automated installation process starts.
  6. When the installation is complete, click Finish.
 

Clustered Server ePolicy Orchestrator 3.6.1 to 4.5 Patch 3 installation instructions

Use the instructions in KB67757 to upgrade from ePolicy Orchestrator 3.6.1 Patch 4 to ePolicy Orchestrator 4.5 Patch 3 in a cluster environment.

Clustered Server ePolicy Orchestrator 4.0 to 4.5 Patch 3 installation instructions

ePolicy Orchestrator software provides high availability for server clusters with Microsoft Cluster Server (MSCS) software.
Removing the Generic Service resources
  1. Click Start, Settings, Control Panel, Administrative Tools, Cluster Administrator.
  2. Right-click each of the resources below and select Take Offline:  
    • McAfee ePolicy Orchestrator 4.0.0 Application Server
    • McAfee ePolicy Orchestrator 4.0.0 Server
    • McAfee ePolicy Orchestrator 4.0.0 Event Parser
     
  3. Right-click each of the resources below and select Delete:  
    • McAfee ePolicy Orchestrator 4.0.0 Application Server
    • McAfee ePolicy Orchestrator 4.0.0 Server
    • McAfee ePolicy Orchestrator 4.0.0 Event Parser
     
    CAUTION: Do not remove the Data Drive, ePO IP Address, or ePO Network Name resources. These are required to upgrade successfully.
Installing ePolicy Orchestrator 4.5 Patch 3 on each node
Run the ePolicy Orchestrator 4.5 Patch 3 setup on each of the nodes.
CAUTION: McAfee strongly recommends that you install ePolicy Orchestrator 4.5 Patch 3 on one node at a time, and that all other nodes are shut down.
  1. Ensure that the services below are running in the Service Control Manager:
    • McAfee ePolicy Orchestrator 4.0.0 Application Server
    • McAfee ePolicy Orchestrator 4.0.0 Server
    • McAfee ePolicy Orchestrator 4.0.0 Event Parser
    If they are not running, start each service manually.
  2. Run Setup.exe from the ePolicy Orchestrator 4.5 Patch 3 extracted upgrade installation files.
  3. Follow the steps in the installation wizard until the installation on the node is complete.
  4. Shut down the node.
  5. Bring up the next node and perform the ePolicy Orchestrator 4.5 Patch 3 installation. Repeat this action until all nodes are updated.
Creating the Generic Service resources
  1. In the Service Control Manager, ensure that the services listed below are set to Manual and not Automatic.  
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser
     
  2. Add Generic Service resources for each of the services below in the following order:  
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server (Dependency on Application Server)
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser (Dependency on Server)  
      1. In the Cluster Administrator, right-click the ePO group and click New, Resource.
      2. Type the Name and Description of the resource. (Example: ePO 4.5 Server).
      3. From the Resource type drop-down list, select Generic Service.
      4. Ensure ePO is the selected group and click Next.
      5. In the Possible Owners dialog box, identify the owners of the resource. Select the desired node and click Add.
      6. Repeat until all owners are added and click Next.
      7. In the Dependencies dialog box, type the dependency specific to each service.
       
      • Service ePolicy Orchestrator 4.5.0 Server depends on ePolicy Orchestrator 4.5.0 Application Server
      • Service ePolicy Orchestrator 4.5.0 Event Parser depends on ePolicy Orchestrator 4.5.0 Server
     
  3. For each of the following services, type the Service Name, leaving the Start Parameters field blank and click Finish.  
    • Service: Server; Service Name: MCAFEEAPACHESRV
    • Service: Application Server; Service Name: MCAFEETOMCATSRV200
    • Service: Event Parser; Service Name: MCAFEEEVENTPARSERSRV
     
  4. Test the ePolicy Orchestrator 4.5 Clustered Server Installation. When the ePolicy Orchestrator cluster is set up, test its functionality by bringing the ePO group online.
    1. Turn on all nodes.
    2. Select the ePO group and click Bring online.
    3. Right-click any of the resources for the ePO group and click Initiate Failure.
      Note: A series of messages will report the progress of the failure of the resource and its restoration.

    4. Verify that you can restart the Cluster Service on the Active Node. This should cause the Passive Node to become the Active Node and the new owner of the resources.

Clustered Server ePolicy Orchestrator 4.5 to 4.5 Patch 3 installation instructions

ePolicy Orchestrator software provides high availability for server clusters with Microsoft Cluster Server (MSCS) software.
Windows Server 2003
Removing the Generic Service resources
  1. In Cluster Administrator, take the ePolicy Orchestrator service resources offline by right-clicking each resource and selecting Take Offline.
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser
     
  2. Delete the ePolicy Orchestrator service resources by right-clicking each resource and selecting Delete.
    CAUTION: Do not remove the Data Drive, ePolicy Orchestrator IP Address, or ePolicy Orchestrator Network Name resources; they are required to install the Patch successfully.
Installing ePolicy Orchestrator 4.5 Patch 3
Run the ePolicy Orchestrator 4.5 Patch 3 setup only on the primary node. This is the first node on which ePolicy Orchestrator 4.5.0 was originally installed. No installation is required on any other nodes on an upgrade over ePolicy Orchestrator 4.5.
  1. Make sure the following services are running in the Service Control Manager: (If they are not running, start them manually.)
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser
     
  2. Run Setup.exe from the ePolicy Orchestrator 4.5 Patch 3 extracted upgrade installation files.
  3. Complete the installation wizard until the installation is complete on the node.
  4. Other nodes may be started at this point.
Creating the Generic Service resources
  1. Ensure that the three McAfee services listed below are set to Manual and not Automatic in the Service Control Manager.
  2. Add Generic Service resources for each of the services below in the following order:  
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser
     
    1. In the Cluster Administrator, right-click the ePO group, then select New | Resource. The New Resource dialog box appears.
    2. Type the Name and Description of the resource. For example, ePO 4.5 Application Server.
    3. From the Resource type drop-down list, select Generic Service.
    4. Ensure ePO is the selected group and click Next.
    5. In the Possible Owners dialog box, identify the owners of the resource. Select the desired node and click Add.
    6. Repeat until all owners are added, then click Next.
    7. In the Dependencies dialog box, type the dependency specific to each service.
    • Service "McAfee ePolicy Orchestrator 4.5.0 Server" depends on "McAfee ePolicy Orchestrator 4.5.0 Application Server"
    • Service "McAfee ePolicy Orchestrator 4.5.0 Event Parser" depends on "McAfee ePolicy Orchestrator 4.5.0 Server"
     
  3. For each of the following services, type the Service Name, leave the Start Parameters field blank, then click Finish.  
    • Service: Server; Service Name: MCAFEEAPACHESRV
    • Service: Application Server; Service Name: MCAFEETOMCATSRV200
    • Service: Event Parser; Service Name: MCAFEEEVENTPARSERSRV
Windows Server 2008
Removing the Generic Service resources
  1. In Failover Cluster Management, take the ePolicy Orchestrator service resources offline by right-clicking each resource and selecting Take this resource offline.  
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser
     
  2. Delete the ePolicy Orchestrator service resources by right-clicking each resource and selecting Delete.
    CAUTION: Do not remove the Data Drive or Client Access Point; they are required to install the Patch successfully.
Installing ePolicy Orchestrator 4.5 Patch 3
Run the ePolicy Orchestrator 4.5 Patch 3 setup only on the primary node. This is the first node on which ePolicy Orchestrator 4.5.0 was originally installed. Unlike a Windows Server 2003 environment, all nodes need to be running during the upgrade process in a Windows Server 2008 environment. Make sure the primary node on which you are installing ePolicy Orchestrator Patch 3 is also the active node and has exclusive access to both the Data and Quorum drives.
  1. Make sure the following services are running in the Service Control Manager: (If they are not running, start them manually.)  
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser
     
  2. Run Setup.exe from the ePolicy Orchestrator 4.5 Patch 3 extracted upgrade installation files.
  3. Complete the installation wizard only on the first node.
Creating the Generic Service resources
  1. Ensure that the three McAfee services listed below are set to Manual and not Automatic in the Service Control Manager.
  2. Add Generic Service resources in the following order:  
    • McAfee ePolicy Orchestrator 4.5.0 Application Server
    • McAfee ePolicy Orchestrator 4.5.0 Server
    • McAfee ePolicy Orchestrator 4.5.0 Event Parser
     
    1. In Failover Cluster Management, right-click the ePO Application group, then select Add a resource | Generic Service. The New Resource Wizard appears.
    2. Select the ePolicy Orchestrator service that you want to add and click Next. For example, McAfee ePolicy Orchestrator 4.5.0 Application Server.
    3. The Confirmation page displays. Click Next to allow the Generic Service to be created. Click Finish when the Wizard is complete.
    4. Right-click each service resource and select Properties. The Properties dialog appears.
    5. Click the Dependencies tab and add the appropriate dependencies for each service resource.
    6. Dependencies specific to each service are:
    • Service "McAfee ePolicy Orchestrator 4.5.0 Server" depends on "McAfee ePolicy Orchestrator 4.5.0 Application Server"
    • Service "McAfee ePolicy Orchestrator 4.5.0 Event Parser" depends on "McAfee ePolicy Orchestrator 4.5.0 Server"

  3. Right-click the McAfee ePolicy Orchestrator 4.5.0 Server resource and choose Properties. The Properties dialog appears.
  4. On the General tab, remove the Startup parameters and add a blank space.
Note: Apache will not start if any startup parameters are specified, and the field cannot be left empty, which is why a single blank space is entered.
Testing ePolicy Orchestrator 4.5.0 Patch 3 clustered server installation
When the ePolicy Orchestrator cluster is set up and online, use this task to ensure that ePolicy Orchestrator functions in a failover situation.
  1. Restart the system functioning as the active node. The passive node automatically becomes the active node and you are automatically logged out.
  2. When ePolicy Orchestrator then prompts you to log in, you can conclude that it has continued to function during the failover.

Finding release notes and documentation for McAfee enterprise products

  1. Go to https://mysupport.mcafee.com and select Read Product Documentation under Self Service.
  2. Select <Product Name> | <Product Version> and select the required document from the list of documents.