Installation Guide Cloud Workload Discovery 4.5.1



Installation Guide

Cloud Workload Discovery 4.5.1

COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 Cloud Workload Discovery 4.5.1 Installation Guide

Contents

1 Introduction  5
  McAfee Public Cloud Server Security suite  5

2 Installation of Cloud Workload Discovery  7
  Cloud Workload Discovery packages and McAfee suites  7
  Requirements  8
  Installing the Cloud Workload Discovery extension  8
    Download and install the extension manually  8
    Install the extension through Software Manager  8
    Upgrading the extension from your previous versions  9
    Extension list on McAfee ePO  10
  Uninstall the extensions  10

3 Configuring cloud accounts and your security products  11
  Configuring an AWS cloud account  11
    Create an AWS user  11
    Create a user permission policy  12
    Assign the policy to a user  14
    Create an IAM role with flow logs for your AWS account  14
    Register an AWS account  15
  Configuring Microsoft Azure cloud accounts  17
    Create an application in the Microsoft Azure console  17
    Where to find Subscription ID, Tenant ID, and Client ID  19
    Configure client key  20
    Set delegated permissions  20
    Assign the application to your subscription  20
    Register a Microsoft Azure account  21
    Register Microsoft Azure classic account  23
  Register a VMware vSphere account  25
  Register an OpenStack cloud account  27
  Registered cloud account details  29
    Virtual machine details for AWS cloud account  29
    Virtual machine details for Microsoft Azure account  31
    Virtual machine details for VMware vCenter account  33
    Virtual machine details for OpenStack account  36
  Configuring your security products and viewing reports  37

4 Best practices: Using McAfee ePO and Cloud Workload Discovery with AWS  39
  How McAfee ePO server and clients communicate  39
  Managing AWS clients using McAfee ePO installed on AWS  39
    Managing instances in one geographic region  40
    Managing instances in one geographic region with one VPC  40
    One geographic region deployment with multiple VPCs  41
    Multiple geographic region deployment  41
    Set up McAfee ePO and client communication  42
  Managing AWS clients using McAfee ePO installed on-premise  43
    Set up McAfee ePO and client communication  44
  Using Cloud Workload Discovery  45
  Deploying McAfee security products on AWS cloud  45
    Deploy McAfee Agent on AWS instances using AMIs  46

5 Use DevOps scripts to deploy McAfee products  49
  Using Chef  49
  Using Puppet  49
  Using Amazon OpsWorks  49
  Using AWS UserData for McAfee Agent deployment  50

Index  51


1 Introduction

This document provides guidelines for installing the Cloud Workload Discovery extension on McAfee® ePolicy Orchestrator® (McAfee ePO™).

McAfee Public Cloud Server Security suite

The McAfee Public Cloud Security (PCS) suite includes McAfee ePolicy Orchestrator and a set of extensions for managed products that install on the McAfee ePolicy Orchestrator server. Cloud Workload Discovery is included in the PCS suite.

This suite is specifically designed to provide in one package all these products to manage and secure a cloud environment.

• McAfee ePO
• McAfee® Agent
• Cloud Workload Discovery for public cloud
• McAfee® Endpoint Security
• McAfee® Endpoint Security for Linux
• McAfee® Firewall for Linux
• McAfee® Host Intrusion Prevention
• McAfee® Application Control
• McAfee® Change Control
• McAfee® Data Exchange Layer (DXL)
• McAfee® Rogue System Detection


2 Installation of Cloud Workload Discovery

Install the Cloud Workload Security extension on the McAfee ePO server and deploy and configure your McAfee products.

Contents
Cloud Workload Discovery packages and McAfee suites
Requirements
Installing the Cloud Workload Discovery extension
Uninstall the extensions

Cloud Workload Discovery packages and McAfee suites

Cloud Workload Discovery is packaged in public, hybrid, and private variants to support different cloud vendor accounts.

Table 2-1 Cloud Workload Discovery packages

Cloud Workload Discovery variant | Supported cloud vendors | Package name
Cloud Workload Discovery for Public cloud | AWS, Microsoft Azure, and Microsoft Azure classic | Cloud_Workload_Discovery_Public_4.5.1
Cloud Workload Discovery for Private cloud | VMware, OpenStack | Cloud_Workload_Discovery_Private_4.5.1
Cloud Workload Discovery for Hybrid cloud | VMware, OpenStack, AWS, Microsoft Azure, and Microsoft Azure classic | Cloud_Workload_Discovery_Hybrid_4.5.1

Table 2-2 McAfee suites

Suite | Cloud Workload Discovery package
McAfee Public Cloud Server Security Suite | Cloud Workload Discovery for Public cloud
McAfee Server Security Suite Advanced | Cloud Workload Discovery for Hybrid cloud
McAfee Server Security Suite Essentials | Cloud Workload Discovery for Hybrid cloud
McAfee MOVE AntiVirus for Virtual Servers | Cloud Workload Discovery for Private cloud
McAfee Security Suite for Virtual Desktop Infrastructure | Cloud Workload Discovery for Private cloud
McAfee MOVE AntiVirus for Virtual Desktops | Cloud Workload Discovery for Private cloud


Requirements

To install the Cloud Workload Discovery extension, make sure that your environment meets these requirements.

Component | Version
McAfee ePO | 5.1.3, 5.3.1, 5.3.2, and 5.9
McAfee Agent | See KB87465
Browser | Internet Explorer 10 and 11, and Edge; Mozilla Firefox 40 and later; Google Chrome 54.0 and later
Amazon Web Services account |
Microsoft Azure account |
VMware vCenter account |

Installing the Cloud Workload Discovery extension

You can install the Cloud Workload Discovery extension with the Software Manager utility on McAfee ePO, or by manually downloading and installing the extension from the McAfee download site.

Download and install the extension manually

Download and install the Public Cloud Security package on the McAfee ePO server.

Task
For details about product features, usage, and best practices, click ? or Help.

1 From the McAfee download site (http://www.mcafee.com/us/downloads/), use your grant number and click McAfee Public Cloud Server Security suite or any other suite you have bought.

2 From the products listed, select and download Common UI 1.3 and your Cloud Workload Discovery variant.

3 Log on to the McAfee ePO server as an administrator.

4 Select Menu | Software | Extensions | Install Extension.

5 Browse to and select the extension file, then click OK.

Install Common UI 1.3 first, then install Cloud Workload Discovery.

The Install Extension page displays the extension names and version details.

The Cloud Workload Discovery extension is installed.

Install the extension through Software Manager

Use McAfee ePO Software Manager to install the Cloud Workload Discovery extension.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software, then click Software Manager.

3 From Software (by Label) | Messaging & Web Security, select Common UI 1.3, then click Check In All.

4 From Software (by Label) | Endpoint Security, select your Cloud Workload Discovery 4.5 variant, then click Check In All.

The Cloud Workload Discovery extension is installed through the Software Manager.

Upgrading the extension from your previous versions

Upgrade is supported from the previous versions 3.6.1, 4.0.0, and 4.5.0 to the new version 4.5.1.

Before upgrading the extension from 3.6.1 to 4.5.1:

1 Remove the Assurance Information Module Linux client from the Master Repository. For details, see Configure a deployment task for Linux group of systems.

2 If you upgraded without this step, you can remove the Assurance Information Module from the Linux clients by manually running this command on all your Linux systems.

bash /opt/McAfee/McAIM/uninstall

You can also use a utility for uninstalling the Linux clients automatically. For details, see KB87516.

3 After the upgrade, the Microsoft Azure connector from your earlier version is called the Microsoft Azure Classic connector.

4 After the upgrade, for your AWS accounts, you can enable traffic discovery to discover and view traffic flow logs for your instances.

When upgrading from 4.0.0 to 4.5.x, because the policy structure has changed in the latest version, your previous policies, policy settings, and policy assignments are lost.

Configure a deployment task for Linux group of systems

Create a deployment task to remove the Assurance Information Module Linux client from target systems in the System Tree.

Task
For details about product features, usage, and best practices, click ? or Help.

1 From the System Tree, select the Assigned Client Tasks tab.

2 Select Actions | New Client Task Assignment.

3 Select Product as McAfee Agent and Task Type as Product Deployment.

4 Select a name for your task and click Create New Task.

5 Select the Target Platforms as Linux, Products and Components as Assurance Information Module 2.0.0.595, and Action as Remove.

6 Click Save.


Enable traffic discovery

After upgrading your Cloud Workload Discovery extension, enable traffic discovery for your AWS cloud accounts to view IP traffic flows.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts.

3 On the Registered Cloud Accounts page, select your AWS account and click View & Edit from Actions.

4 On the AWS Account Details page, select Enable Traffic Discovery.

5 Click Save.

Extension list on McAfee ePO

After installing the Cloud Workload Discovery extension, you can see these extensions by selecting Menu | Extensions | McAfee | Data Center Security.

• AWS Connector
• Azure Connector
• Azure Classic Connector
• vSphere Connector
• OpenStack Connector
• Data Center Assessment
• Data Center Metering
• Data Center Visualization
• Data Protection for Cloud
• MDCC

Uninstall the extensions

Uninstall and remove the software extensions from the McAfee ePO server.

Best Practice: Delete your cloud account from the McAfee ePO server by selecting Menu | Configuration | Registered Cloud Accounts, and selecting Actions | Delete.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 In the left pane, select the Data Center Security group, then select the extensions in this order and click Remove.

1 Data Center Visualization
2 Data Center Assessment
3 Data Protection for Cloud
4 AWS Connector
5 Azure Connector
6 Azure Classic Connector
7 vSphere Connector
8 OpenStack Connector
9 Data Center Metering
10 MDCC


3 Configuring cloud accounts and your security products

You must register cloud accounts with McAfee ePO to establish a connection to the McAfee ePO server. McAfee ePO then discovers, imports, and displays the cloud asset information.

After registering the cloud accounts, you can view:

• Virtual networks, templates, and firewall (security group) information of your virtual machines in Cloud Workload Discovery.

• Imported VMs and virtualization properties on the McAfee ePO System Tree.

Contents
Configuring an AWS cloud account
Configuring Microsoft Azure cloud accounts
Register a VMware vSphere account
Register an OpenStack cloud account
Registered cloud account details
Configuring your security products and viewing reports

Configuring an AWS cloud account

Configure and register your AWS cloud accounts on McAfee ePO.

Create an AWS user

On the Amazon Web Services management console, create an AWS user with an Access Key ID and Secret Access Key configured.

Task
1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard.

3 From the Users section, click Create New Users.

4 Type a name for the user and select Generate an access key for each user.

5 Click Create.

6 Click Download Credentials and save the CSV file. These credentials contain both the Access Key ID and the Secret Access Key.


Create a user permission policy

Create a policy with the minimum required permissions for a user to use Cloud Workload Discovery.

Task
1 Log on to your Amazon Web Services management console.

2 From the Policies section, click Create New Policy.

3 From Create Policy, click Create Your Own Policy.


4 Type a name and description.

5 Copy and paste this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFlowLogs",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteFlowLogs",
        "ec2:DeleteSecurityGroup",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AttachVolume",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:List*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
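The policy above is described as the minimum set of permissions, and every statement grants its actions on Resource "*". As an added check that is not part of the guide or of McAfee's own tooling, the script below embeds a constructed copy of the guide's policy, flags any Allow action that the guide does not list (so a drifted or hand-edited copy is caught before it is attached), and reports which non-read-only actions the user holds on every resource, which is the part of the grant worth reviewing. The documented action set, the read-only name prefixes, and the function names are this example's own assumptions.

```python
import json
import re

# Constructed copy of the user permission policy printed in the guide
# (same statements, same actions, same "*" resources), as a Python dict.
GUIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:DeleteLogGroup",
                    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
                    "logs:FilterLogEvents", "logs:GetLogEvents",
                    "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["*"]},
        {"Sid": "", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateFlowLogs",
                    "ec2:CreateSecurityGroup", "ec2:DeleteFlowLogs",
                    "ec2:DeleteSecurityGroup", "ec2:ModifyInstanceAttribute",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress", "ec2:AttachVolume",
                    "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteVolume",
                    "ec2:DetachVolume"],
         "Resource": ["*"]},
        {"Sid": "", "Effect": "Allow",
         "Action": ["iam:GetUser"], "Resource": ["*"]},
        {"Sid": "", "Effect": "Allow",
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:List*"],
         "Resource": ["*"]},
    ],
}

# Assumption of this example: the guide's action list is the allowed set;
# anything outside it in a policy you are about to attach is "undocumented".
DOCUMENTED_ACTIONS = frozenset(
    a for s in GUIDE_POLICY["Statement"] for a in s["Action"])

# Action-name prefixes treated as read-only (assumption of this example).
READ_ONLY = re.compile(r"^(Describe|Get|List|Filter)")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def allow_grants(policy):
    """Yield (action, resources) for every action in every Allow statement."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            yield action, resources


def undocumented_actions(policy):
    """Actions the pasted policy grants that the guide does not list."""
    return sorted({a for a, _ in allow_grants(policy)
                   if a not in DOCUMENTED_ACTIONS})


def mutating_actions_on_all_resources(policy):
    """Non-read-only actions granted with Resource "*": what the user can change anywhere."""
    found = set()
    for action, resources in allow_grants(policy):
        _service, _, name = action.partition(":")
        if "*" in resources and not READ_ONLY.match(name):
            found.add(action)
    return sorted(found)


if __name__ == "__main__":
    print("undocumented:", undocumented_actions(GUIDE_POLICY))
    print("mutating on *:",
          json.dumps(mutating_actions_on_all_resources(GUIDE_POLICY), indent=2))
    # A hand-edited copy that picked up a service-wide wildcard is reported.
    drifted = json.loads(json.dumps(GUIDE_POLICY))
    drifted["Statement"][1]["Action"].append("ec2:*")
    print("drifted:", undocumented_actions(drifted))
```

For the guide's own policy the first check is empty and the second lists twenty actions, among them the security-group, volume and flow-log mutations; that list is what an approver should see, because the guide's wording about "minimum required permissions" does not make it visible on its own.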

Assign the policy to a user

Assign the required permissions policy to the user on the Amazon Web Services management console, so that you can register the AWS account with McAfee ePO.

Before you begin
• You must have created the required user.

• You must have created the required permissions policy.

Task
1 Log on to your Amazon Web Services management console.

2 From the Users section, select the user.

3 Select the policy that you made, then click Attach Policy.

Create an IAM role with flow logs for your AWS account

You must create an IAM role with flow log policies to access the IP traffic flow in your virtual networks. Then you can view the IP traffic flows of your virtual networks in Cloud Workload Discovery.

Task
1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard.

3 Enter the name McafeeFlowLogger for your role, then choose Next.

The name of the role has to be McafeeFlowLogger, and it is case sensitive.

4 On the Select Role Type page, next to Amazon EC2, click Select.

5 On the Attach Policy page, click Next Step.

6 On the Review page, make a note of the ARN for your role. When you are ready, choose Create Role.

7 Type a name for your role.

8 Under Permissions, expand the Inline Policies section, then select Click here.

9 Select Custom Policy, then choose Select.


10 Copy this policy and paste it in the Policy Document window. Enter a name for your policy in Policy Name, then click Apply Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

11 Select Edit Trust Relationship. Delete any existing policy document. Copy and paste this policy, then click Update Trust Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
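Three things about this role are easy to get wrong and hard to notice in the console: the role name must be exactly McafeeFlowLogger (case sensitive, as the guide says), the trust policy should let only the vpc-flow-logs.amazonaws.com service assume the role, and the inline permissions should stay within the five logs actions listed. The following script is an added example, not code from the guide or from McAfee; it embeds constructed copies of the two documents above and checks a role definition against all three rules. The function names and the wording of the problem messages are this example's own.

```python
# Constructed copies of the two documents the guide asks you to paste
# (same actions and the same service principal as printed in the guide).
FLOW_LOG_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                              "logs:PutLogEvents", "logs:DescribeLogGroups",
                              "logs:DescribeLogStreams"],
                   "Effect": "Allow", "Resource": "*"}],
}
FLOW_LOG_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

REQUIRED_ROLE_NAME = "McafeeFlowLogger"            # from the guide; case sensitive
EXPECTED_PRINCIPAL = "vpc-flow-logs.amazonaws.com"  # from the guide's trust policy
ALLOWED_ACTIONS = frozenset(FLOW_LOG_PERMISSIONS["Statement"][0]["Action"])


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalize."""
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Every principal that an Allow statement lets assume the role."""
    found = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anyone may assume the role
            found.append("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            found.extend(_as_list(principal.get(kind, [])))
    return found


def check_flow_log_role(role_name, trust_policy, permissions_policy):
    """Return a list of problems; an empty list means the role matches the guide."""
    problems = []
    if role_name != REQUIRED_ROLE_NAME:
        problems.append(
            f"role name must be exactly {REQUIRED_ROLE_NAME!r}, got {role_name!r}")
    principals = trusted_principals(trust_policy)
    for p in principals:
        if p != EXPECTED_PRINCIPAL:
            problems.append(f"unexpected principal may assume the role: {p}")
    if EXPECTED_PRINCIPAL not in principals:
        problems.append(
            f"{EXPECTED_PRINCIPAL} is not trusted; flow logs cannot be delivered")
    for stmt in _as_list(permissions_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                problems.append(
                    f"permission beyond the guide's flow-log policy: {action}")
    return problems


if __name__ == "__main__":
    print(check_flow_log_role("McafeeFlowLogger", FLOW_LOG_TRUST, FLOW_LOG_PERMISSIONS))
    print(check_flow_log_role("mcafeeflowlogger", FLOW_LOG_TRUST, FLOW_LOG_PERMISSIONS))
```

A role that passes with an empty list is one the AWS flow-log service can assume and nothing else can, which is the property the trust policy in step 11 is meant to establish.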

Register an AWS account

Register an AWS account with McAfee ePO so that McAfee ePO can communicate with the AWS cloud.

Before you begin
• Make sure that you have your AWS account and its details ready.

• AWS users must have an access key ID and a secret access key set up for them in the AWS console.

• AWS users must have permissions to use Cloud Workload Discovery.

• To view IP traffic flows in your virtual network, the account you are registering with McAfee ePO should have an IAM role with flow log policies.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• Make sure that your McAfee ePO system date and time are synchronized with internet date and time.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account to open the Add Cloud Account page.

3 From the Choose Cloud Provider drop-down list on the Description page, select Amazon Web Service, then click OK.

4 On the AWS account details page, type these details:

• Name — Type a name for the AWS account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without space.

• Access Key Id — Type the access key ID to log on to AWS.

• Secret Access Key — Type the secret access key to log on to AWS.

Each user can be configured to have an access key ID and secret access key in the AWS console.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this AWS account. Tag names can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage, see the product documentation for your version of McAfee ePO.

• Sync interval (in minutes) — Specify the interval for McAfee ePO to AWS synchronization (the default value is 5 minutes; the maximum value is 60 minutes). If you specify the sync interval as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Select Enable GovCloud if the AWS account belongs to the AWS GovCloud (US) region. Otherwise, leave it deselected.

6 Select Enable Traffic Discovery to discover and view traffic flow logs for instances in your AWS accounts.

7 Click Validate Parameters to validate the account details and verify the connection to the AWS cloud.

8 (Optional) To deploy McAfee Agent to the registered VMs, select Auto deploy McAfee Agent on VMs, and type the credentials to deploy the McAfee Agent package.

Make sure that the McAfee ePO server and the VMs in the AWS cloud can communicate with each other.

9 Click Save to register the cloud account.

This action registers the AWS cloud and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the AWS cloud. The VMs that are already added and managed by McAfee ePO are retained with the existing policy settings.

10 View the imported VMs:

• Select Menu | Systems | Cloud Workload Discovery on McAfee ePO to view, assess, and remediate your cloud asset information.

• Select Menu | System Tree in McAfee ePO. You can find your AWS account under the group AWS. The virtual machines from AWS are logically grouped with the hierarchy AWS | Cloud account name | Region | Availability zone | instances.

Configuring Microsoft Azure cloud accounts

Configure and register your Microsoft Azure cloud accounts on McAfee ePO.

You can configure and register both a Microsoft Azure classic account and a Microsoft Azure account on McAfee ePO.

• For a Microsoft Azure account: You can view your cloud account details in the System Tree and on the Cloud Workload Discovery dashboard.

• For a Microsoft Azure classic account: You can view your cloud account details in the System Tree.

Create an application in the Microsoft Azure console

Create an application in Microsoft Azure Active Directory to access the resources in your subscription.

You can also get your client ID and tenant ID, and configure your client key, after creating the application.

You can create the application by:

• Logging on to the Microsoft Azure portal and following the steps in this section.

• Running the PowerShell scripts. For details, see KB87316. The steps to create the application and get the tenant ID, client ID, and client key are automated; you can access these details from the file MicrosoftAzurecloudaccountdetails.txt.


Task
1 Log on to the Microsoft Azure portal and select Active Directory from the left pane.

2 Select the directory that you want to use for creating the application.

3 Click Applications, then click Add.

4 On the What do you want to do? page, select Add an application my organization is developing.

5 Type a name for your application, select WEB APPLICATION AND/OR WEB API, then click Next.

6 Type the properties for your application. For SIGN-ON URL, give the URI of a website that describes your application. The existence of the website is not validated. For APP ID URI, provide the URI that identifies your application. The uniqueness or existence of the endpoint is not validated.

7 Click Complete to create your application.


Where to find Subscription ID, Tenant ID, and Client ID

After creating your application, you can make a note of the tenant ID and client ID.

• The subscription ID for your Microsoft Azure account is listed in Subscriptions | SUBSCRIPTION ID.

• Select the application that you created and click the Configure tab to see your Client ID.

• Click the VIEW ENDPOINTS button on the bottom pane to see the App Endpoints page.

You can get your Tenant ID from this page. Your tenant ID is given after the URLs for all the attributes on this page.


Configure client key

Configure your client key on Microsoft Azure Active Directory for your application.

Before you begin
You must have created your application in your Microsoft Azure Active Directory.

Task
1 Log on to the Microsoft Azure portal.

2 Select the application that you created and click the Configure tab.

3 Scroll down to the Keys section and select how long you would like your password to be valid. Select the duration and click Save to create the key.

Copy the key displayed in the application. You won't be able to retrieve it after you leave this page.

Set delegated permissions

Set the delegated permissions for your application.

Before you begin
You must have created your application.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Microsoft Azure portal.

2 Select the application that you created, then click the Configure tab.

3 Select Add Application.

4 From the list in the Name field, select Windows Service Management API, then click Complete.

5 From the Permissions to other applications section, for Windows Azure Service Management, set the Delegated Permissions to Access Azure Service Management as organization.

Assign the application to your subscription

Assign a role to your application and also assign it to your Microsoft Azure subscription.

Before you begin
• You must have created an application in the Microsoft Azure console.

• Configure the client key for your application and set the delegated permissions.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the Microsoft Azure console, click Subscriptions.

2 Select your subscription, and click the Access icon.


3 Click Add | Select a role and select your role as Contributor.

4 Click Add users and search for your application, click Select, then click OK.

Your application is assigned to your subscription.

Register a Microsoft Azure account

Register a Microsoft Azure account with McAfee ePO so that McAfee ePO can communicate with the Microsoft Azure cloud.

Before you begin
• Make sure that you have your Microsoft Azure account and its details ready.

• Create an application in the Microsoft Azure console.

• Get the Client ID and Tenant ID from the Microsoft Azure console after creating the application.

• Configure the Client key for your application.

• Set the delegated permissions for your application.

• Assign the newly created application to a role and to your Microsoft Azure cloud account subscription.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• Make sure that your McAfee ePO system date and time are synchronized with internet date and time.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.

3 From the Choose Cloud Provider drop-down list, select Microsoft Azure, then click OK.


4 On the Microsoft Azure Account details page, type these details:

• Name — A name for the Azure account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without space.

• Azure Endpoint — The URL of the Microsoft Azure endpoint.

The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud provider.

• Subscription ID — Type your subscription ID. This is the ID that you get for your Microsoft Azure subscription.

• Tenant ID — Type the unique ID of the organization in Microsoft Azure Active Directory.

• Client ID — Type the unique ID of the application.

• Client Key — Type the client secret key of the application.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tagname can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage,see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud (thedefault value is 5 minutes. The maximum value is 60 minutes). If you specify the sync intervalas 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.

6 (Optional) Deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task andtype the credentials to deploy the McAfee Agent package.

7 Click Save to register the cloud account.

This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the Azure cloud.

The VMs that are already added and managed by McAfee ePO are retained with their existing policy settings.

8 View the imported VMs:

• Select Menu | Cloud Workload Discovery on McAfee ePO to view your cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account under the group Azure. The VMs from each Microsoft Azure account are logically grouped under different geographical zones in McAfee ePO.
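The registration form above enforces a few rules that are easy to get wrong when accounts are created in bulk (scripted ePO onboarding, for example): the character set for account names and tags, the 60-minute ceiling on the sync interval, and the fact that the next sync is scheduled from the completion of the previous one. The following Python is an added example, not part of this guide or of the Cloud Workload Discovery extension; it pre-validates the Azure account details before they are entered and masks the client key so the secret never lands in a log. The endpoint value and the lower bound of 1 minute on the sync interval are assumptions, since the guide only states the default and the maximum.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Character rules stated in the guide: account names allow a-z, A-Z, 0-9 and
# [_.-] with no spaces; tag names allow the same set plus spaces.
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")
TAG_NAME_RE = re.compile(r"[A-Za-z0-9_. -]+")

SYNC_DEFAULT_MINUTES = 5
SYNC_MAX_MINUTES = 60
SYNC_MIN_MINUTES = 1          # assumption: the guide states no explicit minimum

# Assumed value for the pre-populated endpoint; used only to detect edits to it.
ASSUMED_ENDPOINT = "https://management.azure.com/"


@dataclass
class AzureAccountForm:
    """Mirror of the Microsoft Azure Account details page (hypothetical model)."""
    name: str
    subscription_id: str
    tenant_id: str
    client_id: str
    client_key: str
    endpoint: str = ASSUMED_ENDPOINT
    tags: List[str] = field(default_factory=list)
    sync_interval_minutes: int = SYNC_DEFAULT_MINUTES

    def __repr__(self) -> str:
        # The client key is a credential: never echo it in logs or error output.
        return (f"AzureAccountForm(name={self.name!r}, subscription_id={self.subscription_id!r}, "
                f"tenant_id={self.tenant_id!r}, client_id={self.client_id!r}, client_key='***', "
                f"endpoint={self.endpoint!r}, tags={self.tags!r}, "
                f"sync_interval_minutes={self.sync_interval_minutes})")

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the form can be submitted."""
        errors: List[str] = []
        if not ACCOUNT_NAME_RE.fullmatch(self.name or ""):
            errors.append("Name: only a-z, A-Z, 0-9 and [_.-] are allowed, without spaces")
        if self.endpoint != ASSUMED_ENDPOINT:
            errors.append("Azure Endpoint: differs from the pre-populated value; "
                          "change it only when confirmed by the cloud provider")
        for required in ("subscription_id", "tenant_id", "client_id", "client_key"):
            if not getattr(self, required).strip():
                errors.append(f"{required}: required")
        for tag in self.tags:
            if not TAG_NAME_RE.fullmatch(tag):
                errors.append(f"Tags: {tag!r} may only contain a-z, A-Z, 0-9, [_.-] and spaces")
        if not SYNC_MIN_MINUTES <= self.sync_interval_minutes <= SYNC_MAX_MINUTES:
            errors.append(f"Sync interval: must be between {SYNC_MIN_MINUTES} "
                          f"and {SYNC_MAX_MINUTES} minutes")
        return errors


def next_sync_time(completed_at: datetime, interval_minutes: int) -> datetime:
    """The next sync is scheduled relative to the completion of the current sync, not its start."""
    return completed_at + timedelta(minutes=interval_minutes)


if __name__ == "__main__":
    # Constructed sample input; the IDs are placeholders, not real Azure identifiers.
    form = AzureAccountForm(name="prod-azure_01", subscription_id="<subscription-id>",
                            tenant_id="<tenant-id>", client_id="<client-id>",
                            client_key="<client-secret>", tags=["Cloud VM", "azure.prod"])
    print(form)                     # client_key is masked
    print(form.validate() or "ok")
    finished = datetime(2017, 1, 1, 12, 0)
    print("next sync at", next_sync_time(finished, form.sync_interval_minutes))
```

Running the validator before calling Validate Parameters saves a round trip to the cloud for purely local mistakes, and the masked `__repr__` is the part worth copying into any onboarding script that handles the client key.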

Register Microsoft Azure classic account

Register a classic Microsoft Azure account with McAfee ePO so that McAfee ePO communicates with the Microsoft Azure cloud.

Before you begin

• Make sure that you have your Microsoft Azure classic account and its details ready.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• You must have your JKS or PFX certificate and keystore password for your Microsoft Azure classic account. See Microsoft Azure documentation for more details.

• Make sure that your McAfee ePO system date and time are synchronized with Internet date and time.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.


3 From the Choose Cloud Provider drop-down list, select Microsoft Azure Classic, then click OK.

4 On the Microsoft Azure Classic Account Details page, type these details:

• Name — A name for the Azure account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without space.

• Azure Endpoint — The URL of Microsoft Azure endpoint.

The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud provider.

• Subscription ID — Type your subscription ID.

• Keystore (JKS/PFX) containing private key of management certificate — Upload your JKS/PFX keystore.

• Keystore Password — Type the password you specified for the JKS/PFX file.

For details about creating a .pfx file, see Microsoft Azure documentation.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag names can include characters a–z, A–Z, 0–9, and [_.-], with spaces. For details about tag usage, see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval at which McAfee ePO synchronizes with the cloud. The default value is 5 minutes and the maximum value is 60 minutes. If you specify a sync interval of 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.

6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task and type the credentials to deploy the McAfee Agent package.

7 Click Save to register the cloud account.

This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the Azure cloud.

The VMs that are already added and managed by McAfee ePO are retained with their existing policy settings.

8 View the imported VMs: Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account under the group Azure. The VMs from each Azure account are logically grouped under different geographical zones in McAfee ePO.

Register a VMware vSphere account

Register a VMware vSphere account with McAfee ePO so that McAfee ePO communicates with the VMware vCenter, which manages the ESXi servers.

Before you begin

• Make sure that you have configured your VMware vCenter server that manages the ESXi servers, which host the guest VMs.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account to open the Add Cloud Account page.


3 From the Choose Cloud Provider drop-down list on the Description page, select VMware vSphere, then click OK.

4 On the vCenter Account Details page, type these details:

• Account Name — A name for the VMware vCenter account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without spaces.

• Server Address — (Required) IP address or the host name of the available VMware vCenter.

• vCenter Username — (Required) User name of the available VMware vCenter account.

• The minimum role this user needs is read-only.

• This user can be a domain account.

• This user can also be a Single Sign-On (SSO) user. The default user name of the SSO user is admin@system-domain.

• vCenter Password — (Required) Password of the available VMware vCenter account.

• Sync Interval (In Minutes) — Specify the time interval for running subsequent vCenter discovery.

The default value is 5 minutes.

• Port — The port number required to establish the connection with the available VMware vCenter.

• Tag — A tag assigned by the administrator to identify the VMs. Tag names can include characters a–z, A–Z, 0–9, and [_.-], with spaces.


5 Click Test Connection to validate the VMware vCenter account details and verify the connection to the VMware vCenter, then click Next to open the vCenter Summary page.

The summary page shows the vCenter, vCNS, and NSX summary.

6 Click Finish, then click OK on the confirmation page.

This action registers the VMware vCenter and imports all discovered virtual machines, which are unmanaged, into the McAfee ePO System Tree. The instances are imported with a structure and hierarchy similar to the one present in VMware vCenter.

The virtual machines that are already added and managed by McAfee ePO are retained with their existing policy settings, but the virtualization properties for these machines are added.

7 View the imported VMs:

• Select Menu | Systems | Cloud Workload Discovery on McAfee ePO to view your cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your vCenter account under the group vSphere. The clusters and hosts from vCenter are logically grouped under each Data Center group in McAfee ePO.

Register an OpenStack cloud account

Register an OpenStack cloud account so that McAfee ePO communicates with the OpenStack cloud.

Before you begin

• Make sure that you have your OpenStack cloud account and its details ready.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.


3 From the Choose Cloud Provider drop-down list, select OpenStack Cloud, then click OK.

4 On the OpenStack Cloud account details page, type these details:

• Name — A name for the Rackspace account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without spaces.

• Identity Service Endpoint — The URL of the account.

• User Name — The user name of the account in the format Project name:user logon. For example, Project1:admin.

• Password — The password of the account.

• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag names can include characters a–z, A–Z, 0–9, and [_.-], with spaces. For details about tag usage, see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud.

The default value is 5 minutes.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.


6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task and type the credentials to deploy the McAfee Agent package.

Make sure that the McAfee ePO server and the VMs in the OpenStack cloud can communicate with each other. Check the firewall settings for the machines in the cloud. For Linux VMs, the SSH port (22) must be accessible. See the product documentation for your version of McAfee Agent.

7 Click Save to register the cloud account.

This action registers the OpenStack cloud and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with a structure and hierarchy similar to that of the cloud.

8 View the imported VMs: select Menu | Systems | System Tree in McAfee ePO.
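The note under step 6 asks you to confirm that the ePO server can actually reach the cloud VMs before creating the agent deployment task. The following Python is an added example, not part of this guide or the product: a small TCP reachability check meant to be run from the ePO server against a VM's address. It tests the SSH port (22) named above for Linux VMs and the agent wake-up port (8081) named in the AWS chapter of this guide; the port list, the `check_vm_ports` helper, and the 3-second timeout are my assumptions. A plain TCP connect reports only whether something answers on the port, so a failure points at a firewall or security-group rule, and a success still says nothing about the credentials.

```python
import socket
import sys
from typing import Dict, List

# Ports the guide calls out: SSH (22) on Linux VMs for agent deployment, and the
# McAfee Agent wake-up port (8081) for server-initiated communication.
REQUIRED_PORTS: Dict[str, int] = {"ssh": 22, "agent_wakeup": 8081}


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a TCP connection to host:port completes within timeout.

    A refused or timed-out connect returns False; nothing is sent on the socket.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_vm_ports(host: str, ports: Dict[str, int] = REQUIRED_PORTS,
                   timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every named port on one VM and report reachability per name."""
    return {name: port_reachable(host, port, timeout) for name, port in ports.items()}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Names of the ports that failed, sorted so output is stable."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    # Usage: python check_ports.py <vm-address>   (defaults to localhost for a dry run)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_vm_ports(target)
    for name, ok in results.items():
        print(f"{target}:{REQUIRED_PORTS[name]} ({name}) -> {'open' if ok else 'blocked or closed'}")
    missing = unreachable(results)
    if missing:
        print("Review firewall or security group rules before creating the deployment task:",
              ", ".join(missing))
```

Run it once per VM, or loop it over the addresses shown in the System Tree, before enabling the deployment task; a VM that fails the SSH probe will fail the deployment for the same reason.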

Registered cloud account details

After configuring and registering your cloud account with McAfee ePO, the account details are displayed in Registered Cloud Accounts on the McAfee ePO server.

Property: Description

Name: Name of your cloud account.

Type: Name of the cloud account vendor.

Last Successful Sync: Displays the date and time of the last successful synchronization between McAfee ePO and your cloud account.

Last Sync Status: Displays the last synchronization status: Sync Scheduled, Success, In Progress, or Failure. Hover your mouse over this property to see the start and end times of your account synchronization. If your account synchronization is in progress, you can see the sync start time.

Total VMs: Displays the number of VMs discovered for this account.

Running VMs: Displays the number of VMs that are up and running in this account.

Managed VMs: Displays the number of VMs that are managed by McAfee ePO.

Auto Deploy MA: Specifies whether the administrator has enabled the Auto deploy McAfee Agent task for the registered cloud account.

Tags: Displays the tags of the VMs.

Actions: You can edit, delete, and synchronize the cloud account using McAfee ePO. When you delete an account, you have these options:

• Delete System Tree group corresponding to this account — Deletes all virtual machines and groups from this account.

• Delete Tags — Deletes the McAfee ePO tags for this account.

If you do not select either of these options, this action deletes only the account details.

Virtual machine details for AWS cloud account

After importing the discovered VMs from the cloud accounts, the VM details are displayed in the System Tree.

To distinguish VMs imported by Cloud Workload Discovery from other systems in the System Tree, check the tags of the system. The imported VMs are tagged with dc_vm_auto.


Property: Description

System Name: Displays the name of the VM.

Managed State: Specifies whether the system is managed by McAfee Agent.

Tags: Displays the tag applied to this VM.

IP Address: Displays the IP address of the VM.

User Name: Displays the user name of the user logged on to the system.

Last Communication: Displays the time of the last synchronization.

You can view more details of your AWS account by selecting and adding the required column using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

Property: Description

Vendor Name: Displays the name of the cloud vendor.

Account Name: Displays the name of the cloud account.

Unique ID: Displays the unique ID of the instance.

Power Status: Displays whether the instance is turned on or off.

Instance ID: Displays the unique value that AWS assigns to the instance.

Instance Name: Displays the instance name as shown in the AWS console.

Image ID: Displays the unique value of the Amazon Machine Image with which the instance was created.

Private DNS name: Displays the private DNS name from AWS.

Public DNS name: Displays the public DNS name from AWS.

State Transition Reason: Displays the reason, as reported by the AWS console, for the instance moving from one state to another.

Key Name: Displays the key name of the instance, which is provided during the launch.

Instance Type: Displays the hardware configuration selected for an instance during the launch.

Launch Time: Displays the time the instance was launched in AWS.

Availability Zone: Displays the region where the instance is created in AWS.

Platform: Specifies whether the platform is Microsoft Windows or Linux.

Private IP Address: Displays the private IP address from AWS.

Public IP Address: Displays the public IP address from AWS, which is the address McAfee ePO accesses.

VPC ID: Displays the Amazon Virtual Private Cloud ID.

MAC Address: Displays the MAC address of an instance in the Amazon Virtual Private Cloud.

Architecture: Provides details about the hardware specifications of the processor. For example, x86_64 or i386.

Virtualization Type: Displays the virtualization type of the VM, such as HVM or paravirtualization.

Tags: Displays the tags of the VMs.

Security Groups: Displays the details of the security groups the instance is linked to in AWS.

Network Interfaces: Displays details about all network interfaces associated with the EC2 instance.


You can view the virtualization properties of the selected virtual machine by navigating to Menu | Systems | System Tree and double-clicking the target virtual machine.

Virtual machine details for Microsoft Azure account

After importing the discovered virtual machines (VMs) from the cloud accounts, the VM details are displayed in the System Tree.

To distinguish VMs imported by Cloud Workload Discovery from other systems in the System Tree, check the tags of the system. The imported VMs are tagged with dc_vm_auto.

VMs from both your Microsoft Azure Classic accounts and your Microsoft Azure accounts are displayed here.

Property: Description

System Name: Displays the name of the VM.

Managed State: Specifies whether the system is managed by McAfee Agent.

Tags: Displays the tag applied to this VM.

IP Address: Displays the IP address of the VM.

User Name: Displays the user name of the user logged on to the system.

Last Communication: Displays the time of the last synchronization.


You can view more details of the cloud accounts by selecting and adding the required columns using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

From Choose Columns, select Vendor to see the name of the vendor for your cloud account.

Property: Description

Vendor Name: Displays the name of the cloud account vendor.

Account Name: Displays the name of the account in McAfee ePO.

Power Status: Displays whether the system is in the running or stopped state.

Created Time: Displays the time when the instance was created.

Image ID: Displays the unique image value provided to the instance from the cloud account.

Instance ID, Unique ID: Displays the unique value provided to the instance from the cloud account.

Instance Size: Displays the hardware configuration selected for an instance during the launch.

IP Address: Displays the IP address from the cloud account.

Last Modified Time: Displays the time when the instance was last modified in the cloud account.

Location: Displays the location of the instance.

Platform: Specifies whether the platform is Microsoft Windows or Linux.

Public DNS: Displays the public DNS name from the cloud account.

Virtual IP Address: Displays the virtual IP address of the instance.

Network Security Group: Displays the network security group associated with this instance.

Instance Endpoints: Displays the instance endpoints.

You can view the virtualization properties of the selected VM by navigating to Menu | Systems | System Tree. Double-click the target VM and click the Virtualization tab.

For VMs with managed disks, Image ID is replaced by the VM's Unique ID.


Virtual machine details for VMware vCenter account

After importing the discovered VMs from the cloud accounts, the VM details are displayed in the System Tree.

To distinguish VMs imported by Cloud Workload Discovery from other systems in the System Tree, check the tags of the system. The imported VMs are tagged with dc_vm_auto.

Property: Description

System Name: Displays the name of the VM.

Managed State: Specifies whether the system is managed by McAfee Agent.

Tags: Displays the tag applied to this VM.

IP Address: Displays the IP address of the VM.

User Name: Displays the user name of the user logged on to the system.

Last Communication: Displays the time of the last synchronization.

You can view more details of the vCenter account by selecting and adding the required column using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

Property: Description

Vendor Name: Displays the name of the cloud vendor.

Account Name: Displays the name of the cloud account.

Unique ID: Displays the unique ID of the instance.

Power Status: Displays whether the instance is powered on or off.

VM Name: Displays the VM name of the instance as given in vCenter.

DNS Name: Displays the DNS name of the instance.

Domain Name: Displays the domain of the instance.

System IP Address: Displays the IP address of the instance.

Guest OS: Displays the guest operating system of the instance.

Number of vCPU: Displays the number of vSphere CPUs associated with the VM.

Memory Size: Displays the memory size of the VM.

VMware Tool Status: Displays the status of VMware Tools on a VM. For a host, the status appears as N/A.

VMware Tool Version: Displays the version of VMware Tools.

Agentless Anti-Malware Protection Status: Displays the McAfee MOVE AV Agentless protection status of the client VM:

• On — The VM is protected.

• Off — The VM is not protected.

• Unknown — The protection status is not known.

You can view these protection properties only after installing the McAfee MOVE AV Agentless extension.

Host: Displays the host details, such as the IP address, of the VM. If a host is selected, the status appears as N/A.

MOR ID: Displays the unique identifier given by vCenter to a VM.

UUID: Displays the unique ID of the VM.


You can view the virtualization properties of the selected virtual machine by navigating to Menu | Systems | System Tree and double-clicking the target virtual machine.

You can view the virtualization properties of the selected hypervisor by navigating to Menu | Systems | System Tree and double-clicking the target hypervisor.

Property: Description

Vendor Name: Displays the name of the cloud vendor.

Account Name: Displays the name of the cloud account.

Unique ID: Displays the unique ID of the instance.

Power Status: Displays whether the instance is powered on or off.

SVA Deployed: Displays the SVA deployment status for a host or VM:

• Yes — SVA is deployed to the host.

• No — SVA is not deployed to the host.

• N/A — For a VM.

DNS name: Displays the DNS name of the hypervisor.

Domain name: Displays the domain name of the hypervisor.

System IP: Displays the IP address of the hypervisor.


Memory Size: Displays the memory size of the hypervisor.

Processor Type: Displays the processor type of the hypervisor.

CPU Cores: Displays the number of CPU cores.

Model: Displays the model of the physical server.

Manufacturer: Displays the manufacturer of the physical server.

Number of NICs: Displays the number of network interface cards.

ESX info: Displays the ESX hypervisor version.

VM Count: Displays the number of VMs.

vMotion Enabled: Displays whether the VMs can be moved from one hypervisor host to another.

Connection State: Displays the connection state of the hypervisor.

Computer Name: Displays the computer name of the hypervisor.

BIOS Version: Displays the BIOS version of the hypervisor.

MOR-ID: Displays the unique identifier given by vCenter to the hypervisor.

Cluster ID: Displays the ID of the cluster.

UUID: Displays the unique ID of the hypervisor.


Data Stores: Displays the repository for storing VM files.

Networks: Displays the network interfaces of hosts or VMs.

Virtual machine details for OpenStack account

After importing the discovered VMs from the cloud accounts, the VM details are displayed in the System Tree.

Property: Description

System Name: Displays the name of the VM.

Managed State: Specifies whether the system is managed by McAfee Agent.

Tags: Displays the tag applied to this VM.

IP Address: Displays the IP address of the VM.

User Name: Displays the user name of the user logged on to the system.

Last Communication: Displays the time of the last synchronization.


You can view more details of the cloud accounts by selecting and adding the required columns using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

Property: Description

Availability Zone: Displays the region where the instance is created.

Image ID: Displays the unique value provided to the instance from the cloud account.

Instance ID: Displays the unique value provided to the instance from the cloud account.

Instance Type: Displays the hardware configuration selected for an instance during the launch.

Key Name: Displays the key name, which is provided during the launch of the instance.

Launch time: Displays the time when the instance was launched in the cloud account.

Platform: Specifies whether the platform is Microsoft Windows or Linux.

Private IP address: Displays the private IP address from the cloud account.

Public IP Address: Displays the public IP address from the cloud account.

Tags: Displays the tags of the systems on McAfee ePO.

Hypervisor Name: Displays the DNS name of the hypervisor host.

Hypervisor Version: Displays the version of the hypervisor.

Hypervisor Type: Displays the type of the hypervisor.

You can view the virtualization properties of the selected VM by navigating to Menu | Systems | System Tree. Double-click the target VM and click the Virtualization tab.

Configuring your security products and viewing reports

After installing the Cloud Workload Discovery extension and registering cloud accounts, complete these tasks to configure the security products on your McAfee ePO server.

1 Configure your firewall policies in Policy Catalog and assign them to the required systems.

2 View your cloud account information from Menu | Systems | Cloud Workload Discovery. This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure assets and their hierarchy. The left Issues pane highlights any immediate issues or violations in your firewall settings or your IP traffic settings.

3 After visualizing the cloud account structure and seeing which systems are at risk, you can activate any missing protection with a few clicks.

• Manage your instances by installing McAfee Agent.

• Install other McAfee products on your instances. For details, see Activate missing protection with a few clicks in the Cloud Workload Discovery Product Guide.

4 Secure the instances in your network by correcting your firewall settings. For details, see Remediation in the Cloud Workload Discovery Product Guide.

5 You can see the encryption status of your AWS volumes in the Cloud Workload Discovery dashboard.

6 To encrypt volumes, deploy McAfee Data Protection for Cloud to your managed systems with the product deployment client task. For details, see Deploy Data Protection to the client system in the McAfee Data Protection for Cloud Product Guide.


7 Select Data Protection for Cloud to see that it displays all zones from your registered AWS cloud account. You can encrypt volumes from here. For details, see Performing encryption in the McAfee Data Protection for Cloud Product Guide.

8 Track the usage of AWS and Microsoft Azure cloud VMs using the metering feature. You can get a monthly report of your usage hours for your cloud instances. You can also create custom queries to display this information. For details, see the Cloud Workload Discovery Product Guide.

9 Select Dashboard | Public Cloud to see the security summary of your EC2 instances and EBS volumes. You can also see details about Data Centers, OS Distribution, Anti-Malware Status, Security Incidents, Host Firewall Status, File Integrity Monitoring Status, Data Protection Per Cloud VM, Instance Assessment Report, and Usage Metering Report. For details, see Dashboards and monitors in the Cloud Workload Discovery Product Guide.


4 Best practices: Using McAfee ePO and Cloud Workload Discovery with AWS

To secure endpoints or assets on AWS, install McAfee ePO in an AWS environment or a hybrid cloud environment.

Contents

How McAfee ePO server and clients communicate

Managing AWS clients using McAfee ePO installed on AWS

Managing AWS clients using McAfee ePO installed on-premise

Using Cloud Workload Discovery

Deploying McAfee security products on AWS cloud

How McAfee ePO server and clients communicate

McAfee ePO is deployed on-premise or in the cloud.

McAfee ePO communicates with client systems across networks in these ways:

• Client-initiated communication — McAfee Agent is installed on each client system. It periodically connects to the McAfee ePO server to check for updates such as new policy information, assigned tasks, and product updates. For client systems to connect to McAfee ePO:

• Client systems must have outbound access to McAfee ePO.

• McAfee ePO server must have inbound access on TCP ports 80 and 443.

TCP ports 80 and 443 are the default ports used for communication between McAfee ePO and the McAfee Agent. You can change the ports while installing McAfee ePO.

• McAfee ePO server-initiated communication — McAfee ePO can wake up client systems and force them to pull down the latest security content. For McAfee ePO to connect to the client systems:

• McAfee ePO must have outbound access to client systems.

• Client instances must have inbound access on port 8081.

The AWS security group must allow this communication. For details about port requirements, see KB66797.
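The two communication modes above translate into a concrete pair of security-group requirements: the ePO server's group must accept inbound TCP 80 and 443 from the clients, and each client's group must accept inbound TCP 8081 from the ePO server, with matching outbound rules on the other side. The following Python is an added example, not part of this guide or of AWS tooling; it models a minimal set of security-group rules and checks, offline, whether both modes are permitted between an ePO instance and a client instance. The `Rule` and `Instance` types are my own simplification of AWS security groups (TCP only, one CIDR or one source group per rule, "-1" meaning all protocols), and the sample instances at the bottom are constructed. It also flags ingress rules open to 0.0.0.0/0, since the guide asks only that the required flows be allowed, not that the agent wake-up port be exposed to the whole Internet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Defaults stated in the guide: agent-to-server on TCP 80/443 (changeable when
# installing ePO), server-initiated wake-up on TCP 8081 at the client.
EPO_INBOUND_PORTS: Tuple[int, ...] = (80, 443)
AGENT_WAKEUP_PORT = 8081


@dataclass(frozen=True)
class Rule:
    """One security-group rule (simplified model). Set exactly one of cidr / source_group."""
    direction: str                 # "ingress" or "egress"
    protocol: str                  # "tcp" or "-1" (all protocols)
    from_port: int                 # -1 when protocol is "-1"
    to_port: int
    cidr: Optional[str] = None
    source_group: Optional[str] = None


@dataclass
class Instance:
    name: str
    ip: str
    group_id: str                  # security group the instance belongs to
    rules: List[Rule]              # rules of that security group


def _covers(rule: Rule, direction: str, port: int, peer: Instance) -> bool:
    """Does this rule permit a TCP flow on `port` to/from `peer` in `direction`?"""
    if rule.direction != direction or rule.protocol not in ("tcp", "-1"):
        return False
    if rule.protocol == "tcp" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source_group is not None:
        return rule.source_group == peer.group_id
    if rule.cidr is not None:
        return ip_address(peer.ip) in ip_network(rule.cidr, strict=False)
    return False


def allows(src: Instance, dst: Instance, port: int) -> bool:
    """A flow src -> dst:port needs an egress match on src and an ingress match on dst."""
    egress_ok = any(_covers(r, "egress", port, dst) for r in src.rules)
    ingress_ok = any(_covers(r, "ingress", port, src) for r in dst.rules)
    return egress_ok and ingress_ok


def client_initiated_ok(client: Instance, epo: Instance,
                        ports: Tuple[int, ...] = EPO_INBOUND_PORTS) -> bool:
    """Agent -> ePO on every configured server port."""
    return all(allows(client, epo, p) for p in ports)


def server_initiated_ok(epo: Instance, client: Instance, port: int = AGENT_WAKEUP_PORT) -> bool:
    """ePO -> agent wake-up port."""
    return allows(epo, client, port)


def internet_exposed_ingress(inst: Instance) -> List[Rule]:
    """Ingress rules reachable from any address: a least-privilege review finding."""
    return [r for r in inst.rules if r.direction == "ingress" and r.cidr in ("0.0.0.0/0", "::/0")]


if __name__ == "__main__":
    # Constructed sample: ePO in sg-epo, one client in sg-agents, private 10.0.0.0/16 VPC.
    epo = Instance("epo-server", "10.0.1.10", "sg-epo", [
        Rule("ingress", "tcp", 80, 80, source_group="sg-agents"),
        Rule("ingress", "tcp", 443, 443, source_group="sg-agents"),
        Rule("egress", "tcp", AGENT_WAKEUP_PORT, AGENT_WAKEUP_PORT, source_group="sg-agents"),
    ])
    client = Instance("web-01", "10.0.2.25", "sg-agents", [
        Rule("ingress", "tcp", AGENT_WAKEUP_PORT, AGENT_WAKEUP_PORT, source_group="sg-epo"),
        Rule("egress", "-1", -1, -1, cidr="0.0.0.0/0"),
    ])
    print("client-initiated:", client_initiated_ok(client, epo))   # True
    print("server-initiated:", server_initiated_ok(epo, client))   # True
    print("exposed ingress on client:", internet_exposed_ingress(client))  # []
```

Scoping the 8081 ingress rule to the ePO server's security group rather than to a CIDR is what keeps the wake-up port from becoming a generally reachable service; the `internet_exposed_ingress` check is there to catch the 0.0.0.0/0 shortcut that tends to appear during troubleshooting.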

Managing AWS clients using McAfee ePO installed on AWS

To manage client systems outside your organization's network, install McAfee ePO on an AWS instance with a compatible operating system.

For information about compatible operating systems, see KB51569.


To manage client instances in AWS cloud, McAfee ePO can be deployed:

• In one geographic region

• In one geographic region with one Amazon Virtual Private Cloud (VPC)

• In one geographic region with multiple Amazon VPCs

• In multiple geographic regions

Managing instances in one geographic region

McAfee ePO can be installed to manage instances in one geographic region with multiple availability zones.

This type of deployment supports client-initiated and McAfee ePO server-initiated communication. You must create a separate AWS security group for McAfee ePO that allows outbound connections to client instances (server-initiated communication) and inbound connections from them (agent-initiated communication). Once you deploy McAfee ePO, you can view the available systems in the System Tree under AWS.

Managing instances in one geographic region with one VPC

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

In one geographic region with a single VPC, each instance that you launch in a non-default subnet has a private IP address. When you install McAfee ePO in the VPC, client instances in the same VPC communicate with the McAfee ePO server or with other instances across the private network. For information about VPCs and subnets, see AWS documentation.


One geographic region deployment with multiple VPCs

When multiple VPCs are present in one geographic region, you can use VPC peering to connect the VPCs.

For information about VPC peering and setting one VPC as private and another VPC as public, see AWS documentation.

When you configure VPC peering, the McAfee ePO server and client instances communicate via the private network. VPC peering supports client-initiated and McAfee ePO server-initiated communication.

You can configure VPC routes to restrict communication between VPCs to only McAfee ePO and client instances if other applications do not require VPC peering on the same infrastructure.

Set up VPC peering for McAfee ePO server and client communication wherever possible.

Multiple geographic region deployment

In a multiple geographic region deployment, you can use an architecture where client instances connect to McAfee ePO using a public IP address via the Internet.

Use this architecture if:

• Your organization uses multiple regions with multiple VPCs

• You can't use VPC peering to connect multiple VPCs in a region

This architecture supports only client-initiated communication. To use this architecture:


• All client instances must have outbound access to McAfee ePO. Configure the AWS security groups accordingly.

• The AWS security group of the McAfee ePO server must be configured to accept communication from the client instances.

Set the agent-server communication interval to 60 minutes so that client instances can get product, policy, and task updates frequently without affecting performance.

Set up McAfee ePO and client communication

Configure McAfee ePO and Agent Handler to set up communication between McAfee ePO and the clients on AWS.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Install McAfee ePO in the region with the highest number of instances.

This ensures optimized communication between McAfee ePO and client instances.

2 Assign an elastic IP address to the McAfee ePO instance.

This ensures that the public IP address of the McAfee ePO instance does not change.

For details about assigning an elastic IP address, see AWS documentation.


3 Configure a virtual Agent Handler on the McAfee ePO server for your managed client instances to connect to the McAfee ePO server.

a Open the Agent Handlers page: Menu | Configuration | Agent Handlers, then in Handler Groups, click New Group to open the Add/Edit Group page.

b Specify a virtual Agent Handler group name.

c In the Included Handlers section, select Use load balancer and specify the details.

• Virtual DNS Name — Type the DNS name assigned to the static public IP address associated with this AWS server.

• Virtual IP Address — Type the static public IP address associated with this AWS server.

4 Enable the new virtual Agent Handler.

a Select Menu | Configuration | Agent Handlers, then click the Handler Groups monitor.

b Find the new virtual Agent Handler, then click Actions | Enable.

5 Assign the virtual Agent Handler group.

a Select Menu | Configuration | Agent Handlers, then click New Assignment.

b Specify a unique name for this assignment.

c In the Agent Criteria section, browse to and select My Organization from the System Tree location.

d In the Handler Priority section, click Use custom handler list and select the new virtual Agent Handler.

Use + to add additional Agent Handlers to the list.

The created virtual Agent Handler publishes McAfee ePO on its public IP address, and all client instances communicate using this address.

Managing AWS clients using McAfee ePO installed on-premise

Install McAfee ePO on an on-premise server and the Agent Handler in the DMZ with a public IP address for easy connectivity and scalability.

This architecture is best if:

• You use McAfee ePO in a hybrid cloud environment.

• Your organization requires McAfee ePO to be installed on-premise rather than in the cloud.

To use this architecture:


• Install McAfee ePO on an on-premise server to manage systems on-premise. Assign an internal private IP address to McAfee ePO.

• Install the Agent Handler on an on-premise server in the DMZ to manage instances on AWS. You must assign a public IP address to the Agent Handler.

• You must connect the McAfee ePO server and the Agent Handler through a low-latency and high-bandwidth network.

This architecture supports client-initiated communication, but McAfee ePO can't wake up the McAfee Agent on a managed AWS instance. To use the McAfee ePO-initiated communication (agent wake-up) feature, AWS instances must use a VPN to connect to the on-premise network.

For information about the ports required for McAfee ePO and client instance communication, see KB66797. For information about port guidelines, see the McAfee ePolicy Orchestrator Product Guide.

Set up McAfee ePO and client communication

Configure McAfee ePO and the Agent Handler to set up communication between McAfee ePO and the client.

Task

1 Install McAfee ePO on an on-premise server.

2 Install the Agent Handler on another on-premise server in the DMZ.

3 Configure the Agent Handler.

a Open the Agent Handlers page: Menu | Configuration | Agent Handlers, then in Handler Status, click Agent Handler.

b From the Handler List, click the Agent Handler that is installed in the DMZ.

c In the Published IP Address field, specify the public IP address of the Agent Handler that AWS EC2 instances connect to.


Using Cloud Workload Discovery

Consider these best practices to set up Cloud Workload Discovery to monitor and manage AWS EC2 resources.

Task

1 Install McAfee ePO based on your infrastructure requirements.

2 Install the Cloud Workload Security extension on the McAfee ePO server.

3 Make sure that you set up a user on AWS with read-only privileges on EC2 for all regions that require management.

4 Register your AWS cloud account with McAfee ePO so that McAfee ePO discovers, imports, assesses, and displays your cloud account information. For details, see the Cloud Workload Discovery Product Guide.

5 Specify the sync interval for McAfee ePO to AWS synchronization.

The sync interval determines how often new instances are discovered. For details, see the Cloud Workload Discovery Product Guide.

6 While deploying McAfee Agent, select Auto deploy McAfee Agent on VMs when all your EC2 instances are in the same region and support Active Directory-based deployment. For details, see the Cloud Workload Discovery Product Guide.
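Step 3 asks for an AWS user with read-only EC2 privileges. The following is an added example, not part of the guide, that shows a minimal customer-managed policy for that user and a check that flags any Allow action beyond EC2 read-only access, so the user registered in McAfee ePO cannot be used to change the account. Both policy documents are constructed here; the read-only pattern set mirrors how AWS's managed AmazonEC2ReadOnlyAccess policy is built from ec2:Describe*.

```python
import fnmatch
from typing import Dict, List

# Action patterns treated as read-only for EC2 (compared in lower case, because
# IAM action names are case-insensitive).
READ_ONLY_PATTERNS = ("ec2:describe*", "ec2:get*", "ec2:list*")

# Minimal policy for the user registered in ePO (constructed). Describe* calls are
# not resource-scoped, so Resource "*" is required and covers every region.
READ_ONLY_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}

# Constructed counter-example: still describes EC2, but can also terminate instances
# and pass roles, which discovery never needs.
OVER_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:TerminateInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and NotAction."""
    return value if isinstance(value, list) else [value]

def non_read_only_actions(policy: Dict) -> List[str]:
    """Return the Allow actions that exceed EC2 read-only access. A NotAction grant
    is reported whole, because it allows everything except the listed actions.
    An empty list means the policy is read-only for EC2."""
    offending = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            offending.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in READ_ONLY_PATTERNS):
                offending.append(action)
    return offending
```
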

See also Installing the Cloud Workload Discovery extension on page 8

Deploying McAfee security products on AWS cloud

To deploy McAfee security products on AWS instances, deploy a McAfee Agent on each of the AWS instances.

Once you deploy McAfee Agent, you can use McAfee ePO to manage product installation and network security of the AWS instances.

You must have credentials for each of the AWS instances. Currently, only password-based authentication is supported on Windows and Linux.

To deploy McAfee security products easily and efficiently:

• Use Active Directory-based authentication. For deployment instructions, see Register an AWS account in the Cloud Workload Discovery Product Guide.

• Create secure client Amazon Machine Images (AMIs) with the McAfee Agent and products installed.


Deploy McAfee Agent on AWS instances using AMIs

To ensure the security of AWS instances as they start, create secure client Amazon Machine Images (AMIs) from standard AMIs. The AMI contains McAfee ePO, McAfee Agent, Cloud Workload Discovery, and McAfee Endpoint Security.

Before you begin

• If you are using Amazon Elastic Compute Cloud (Amazon EC2), start a Windows or Linux instance.

• Install the McAfee Agent and Endpoint Security extensions in the McAfee ePO server. Endpoint Security protects instances from malware.

• Check in the client packages.

• Make sure that you don't have duplicate McAfee Agent GUIDs, which can affect product installation and policy enforcement, and prevent properties from being recorded correctly.

• To secure instances that are not started from secure AMIs, use AWS security groups.

• Make sure that AWS instances are only accessible from McAfee ePO until the AWS instances are compliant with the organization's IT security standards.

Tasks

• Create secure client AMIs with a known McAfee ePO IP address on page 46: Start a secure client AMI on a Windows EC2 or Linux instance.

• Create secure client AMIs with an unknown McAfee ePO address on page 47: Start a secure client AMI on a Windows EC2 or Linux instance.

• Configure McAfee Agent with McAfee ePO details on page 47: After creating a secure client AMI, configure McAfee Agent.

• Install McAfee Agent over an existing McAfee Agent on the AWS instance on page 48: Install McAfee Agent and Endpoint Security on AWS instances running Windows or Linux.

Using the McAfee Agent deployment URL feature

The McAfee Agent deployment URL contains a link to an installer. The installer downloads and installs McAfee Agent and deploys McAfee products to AWS instances.

For instructions about deploying McAfee Agent on AWS instances, see KB85233.

Create secure client AMIs with a known McAfee ePO IP address

Start a secure client AMI on a Windows EC2 or Linux instance.

Task

1 Depending on the operating system that you use, start a Windows EC2 or a Linux instance on the AWS console.

2 Log on to the instance.

3 Deploy McAfee Agent on the instance.

• Use McAfee ePO for Windows and Linux operating systems.

• Use FramePkg.exe for Windows operating system.

• Use install.sh for Linux operating system.

For details, see the McAfee Agent Product Guide.


4 Install Endpoint Security on the instance using McAfee ePO. For details, see the McAfee Endpoint Security Installation Guide.

5 Delete the AgentGUID registry key.

• For Windows, see KB56086.

• For Linux, see KB66456.

6 On the AWS console:

• Select the instance and click Create Image.

• Select the AMI and click Launch.

This starts a new secure client AMI with McAfee Agent and Endpoint Security installed on it.
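Step 5 deletes the AgentGUID before the image is captured because every instance launched from an AMI that still carries a GUID would report the same one, which is exactly the duplicate-GUID condition the prerequisites warn about. The following is an added example, not McAfee's code, that detects that condition after the fact: it reads a CSV system export (the column names are an assumption, not the guide's) and returns each GUID that is shared by more than one system.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the shape of a System Tree export (column names assumed,
# not taken from the guide): two instances launched from the same image before the
# AgentGUID was deleted report the same GUID, the third is unique, and the fourth
# has no agent registered yet.
SAMPLE_EXPORT = """System Name,Agent GUID,IP Address
ip-10-0-1-10,{7C2D0A1E-0000-4000-8000-000000000001},10.0.1.10
ip-10-0-1-11,{7c2d0a1e-0000-4000-8000-000000000001},10.0.1.11
ip-10-0-2-20,{7C2D0A1E-0000-4000-8000-000000000002},10.0.2.20
ip-10-0-3-30,,10.0.3.30
"""

def duplicate_agent_guids(export_csv: str) -> Dict[str, List[str]]:
    """Map each Agent GUID that appears on more than one system to the systems
    using it. GUIDs are normalised (braces stripped, lower case) before comparing;
    systems with an empty GUID are skipped rather than reported as duplicates."""
    by_guid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        guid = row["Agent GUID"].strip().strip("{}").lower()
        if guid:
            by_guid[guid].append(row["System Name"])
    return {guid: names for guid, names in by_guid.items() if len(names) > 1}
```

Any system listed under a shared GUID needs the AgentGUID removed (KB56086 for Windows, KB66456 for Linux) so the agent generates a fresh one at its next start.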

Create secure client AMIs with an unknown McAfee ePO address

Start a secure client AMI on a Windows EC2 or Linux instance.

Task

1 Depending on the operating system that you use, start a Windows EC2 or a Linux instance on the AWS console.

2 Log on to the instance.

3 Download and install Endpoint Security on the instance.

4 On the AWS console:

• Select the instance and click Create Image.

• Select the AMI and click Launch.

This starts a new secure client AMI with Endpoint Security installed on it. To manage the instance, you can manually configure Endpoint Security or override the existing McAfee Agent with the McAfee ePO details.

Configure McAfee Agent with McAfee ePO details

After creating a secure client AMI, configure McAfee Agent.

Task

1 Log on to the McAfee ePO server.

2 Select Menu | Master Repository.

3 Export the Sitelist.xml file, then copy the file to a location on your AWS instance.

4 From the McAfee ePO server, copy the key files from C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409 (srpubkey.bin, req2048seckey.bin, reqseckey.bin, sr2048pubkey.bin) to the same folder where you copied the Sitelist.xml file.

5 Open the command prompt, then navigate to C:\Program Files (x86)\McAfee\Common Framework.


6 Configure McAfee Agent with these commands.

• For Windows: frameinst.exe /install=agent /siteinfo=<full path to sitelist.xml>

• For Linux: <McAfee Agent install path>/bin/msaconfig -m -d Path=<full path to Sitelist.xml>

These commands configure McAfee Agent.

7 Click OK when McAfee Agent configuration is complete.

Install McAfee Agent over an existing McAfee Agent on the AWS instance

Install McAfee Agent and Endpoint Security on AWS instances running Windows or Linux.

Task

1 For instances running Windows:

a Copy the McAfee Agent installation package, FramePkg.exe, from your McAfee ePO server to the target instance.

The default location for the installation package is C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409\.

b Double-click FramePkg.exe.

If a Security Warning appears, click Run to continue.

For Windows Vista, Windows 7, or Windows 2008 R2 with User Account Control (UAC) enabled, right-click FramePkg.exe and select Run as Administrator.

c When McAfee Agent installation is complete, click OK.

2 For instances running Linux:

a Start a Linux instance on the AWS console.

b Log on to the instance.

c Install Endpoint Security on the instance using McAfee ePO. For details, see the McAfee Endpoint Security Installation Guide.

d On the AWS console, select the instance and click Create Image to create the AMI.

e Select the AMI and click Launch.

This starts a new secure client AMI with McAfee Agent and Endpoint Security installed on it.


5 Use DevOps scripts to deploy McAfee products

You can use automation platforms like Chef and Puppet to deploy McAfee products on the virtual instances without using McAfee ePO.

Contents

Using Chef
Using Puppet
Using Amazon OpsWorks
Using AWS UserData for McAfee Agent deployment

Using Chef

Chef is an automation platform used for managing and automating large-scale infrastructure.

For details about using Chef to configure security solutions provided by McAfee, see McAfee KnowledgeBase article KB82584.

Using Puppet

Puppet is an automation platform used for managing and automating large-scale infrastructure. Puppet relies on manifests and modules written in a custom declarative language.

For details about using Puppet to configure security solutions provided by McAfee, see McAfee KnowledgeBase article KB82585.

Using Amazon OpsWorks

AWS OpsWorks provides an integrated management experience for the entire application lifecycle, including resource provisioning, configuration management, application deployment, monitoring, and access control. It works with applications of any level of complexity and is independent of any particular architectural pattern.

For details about using Amazon OpsWorks to configure security solutions provided by McAfee, see McAfee KnowledgeBase article KB82586.


Using AWS UserData for McAfee Agent deployment

You can create an Agent deployment URL and use AWS UserData to install McAfee Agent on AWS instances.

For details, see this McAfee KnowledgeBase article: KB85233.


Index

A

accounts, registering 15, 21, 23, 25
  AWS 15
  Microsoft Azure account 21
  Microsoft Azure classic account 23
  OpenStack 27
  VMware vCenter 25
Amazon Machine Image
  deploying McAfee Agent 46
Amazon OpsWorks, product deployment 49
automation platform
  chef 49
  puppet 49
AWS (Amazon Web Services)
  account 15
AWS account
  editing and deleting 29
  registering 15
AWS user
  creating 11
  creating access key, secret access key 11

C

Chef, product deployment 49
cloud account, choosing 25, 27
cloud usage metering 37
cloud workload discovery extension
  requirements 8
configuration
  overview 37
  security products 37

D

dashboards, public cloud
  anti-malware status 37
  application reputation 37
  Data Center 37
  File Integrity Monitoring Status 37
  Firewall Status 37
  OS Distribution 37
  security incidents 37
deployment methods
  DevOps scripts 49
  McAfee Agent 45
  McAfee ePO 7
DevOps scripts for product deployment 49
displaying
  protection status 15
  registered cloud account details 29
  tags 29

E

encrypting volumes 37
extensions
  downloading 8
  installing 8

H

hypervisors 25

I

installation
  OpenStack cloud account, registering 27

M

manage AWS clients
  McAfee ePO installed on AWS 39
  McAfee ePO installed on-premise 39
McAfee ePO-Agent communication
  port access 39
Microsoft Azure account
  about 21
  editing and deleting 29
  registering 21
Microsoft Azure classic account
  about 23
  registering 23

O

OpenStack cloud
  account 27
  registering 27


P

Public Cloud Security extension
  downloading, installing 8
  using Software Manager 8
Puppet, product deployment 49

R

required permissions policy on AWS
  assigning 14
requirements 8

S

scripts, product deployment 49
Software Manager, installation 8

T

tags
  defining 15, 21, 23, 25, 27
  deleting 29

V

virtual machines
  trust status 15
virtual machines, discovering
  OpenStack cloud 27
virtual properties, displaying 15, 21, 23, 25
VMware vCenter account
  defining 25
  registering 25
