1

ePolicy Orchestrator (ePO) is a McAfee product that manages AV MOVE APIs. The ePO server works in conjunction with ESX and vCenter.

Visually, I don't see the workflow of this entire process very clearly. Individually I think I get a general idea of what responsibilities they each have, but what order they work in and how exactly they depend on each other is still very cloudy to me.

For example purposes, let's assume 150-200 endpoints.

Why is the MOVE AV called "agentless" when it installs an SVA scanner on the endpoint? Isn't that what an agent is?

Also, if ePO manages the MOVE AVs, where does its responsibility end and where does ESX's begin (and vice versa)? What kind of appliance or server does vCenter sit on, and how does it play into all of this?

Can both the ePO and its "non-agent" MOVE instances all reside virtually, or does the ePO have to have a dedicated physical appliance that controls the virtual machines that run the MOVE?

Does the VM "control" the MOVE or does the MOVE "control" the SVA?

Can MOVE be a standalone (offline) product, not managed by any outside applications, or is it solely deployed and administered by ePO?

  • I'm sorry if there are inconsistencies or inaccuracies in this post. I'm kind of learning this as I go and trying to fit the pieces of the puzzle together to get a better understanding.

1 Answer

0

ServerFault is not the best place for ePO questions in my experience - you will get much better support at https://community.mcafee.com/community/business/epo

To your question,

ePO is a product to manage and report on many different McAfee products in an enterprise environment. A typical install of ePO might look like an ePO server, a couple of agent handlers, a database server and some distributed repositories. These can all be installed into VMs if you wanted (although that might cause some performance issues depending on the capabilities of your VM platform). All the servers that are managed by ePO then have an ePO agent installed on them. The agents communicate with the ePO agent handlers (sending back threat events and pulling down new policies) and download product and content updates from the repositories.

MOVE then is just one product that can be managed by ePO.

But, there are 2 ways you can install MOVE.

One method involves installing a MOVE agent into each VM you want to be protected - the MOVE agents run as software installed into the VM's OS and communicate with MOVE Offload Scanner servers. This typically means you'd have both a MOVE agent and an ePO agent installed on each VM.

The other method is called agentless, because it does not require a MOVE agent to be installed into your guest VMs. Instead it integrates directly with VMware through the vShield API. The SVA is NOT installed on each node. The SVA is a virtual appliance (meaning a pre-packaged VM) and it interacts directly with the VMware platform to scan guest VMs without software being installed on those guest VMs (hence agentless).

bkr