8/3/2019 MOVE Antivirus 2 0 Deployment Guide
Deployment Guide
McAfee MOVE Antivirus 2.0.0
For use with ePolicy Orchestrator 4.5.0 and 4.6.0
COPYRIGHT
Copyright 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents
Preface
    About this guide
        Audience
        Conventions
        What's in this guide
    Finding product documentation
1 Introduction
2 Common deployment scenarios
    Clusters with dedicated master images
        Deploying McAfee MOVE Antivirus in a cluster
    Clusters with shared master images
        Deploying McAfee MOVE Antivirus in a cluster with shared VMs
    McAfee MOVE Antivirus with Distributed Resource Scheduler and High Availability
3 Scaling McAfee MOVE Antivirus installations
    McAfee MOVE Antivirus Scalability Guidelines
    Fine tuning your offload server settings
    Miscellaneous best practices
A Configuring VLANs in VMware vSphere clusters
    Prerequisites for creating VLANs
    Configure a VMware vShield VLAN using a Virtual Distributed Switch
    Configuring VLAN using a virtual switch
    Configuring the DHCP server in virtual guest tagging mode
B Deploying high availability servers in a cluster
    Create NLB server clusters
        Install network load balancing
        Create a server cluster
        Schedule the monitor script on each McAfee MOVE Antivirus Offload Server
Index
Preface
This guide provides the information you need to install your McAfee product.
Contents
About this guide
Finding product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
What's in this guide
This guide is organized to help you find the information you need.
This document outlines recommended deployment strategies and usage tips to help you get the most from your McAfee MOVE AV installation while having the smallest possible impact on performance.
Finding product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access User documentation, do this:
    1 Click Product Documentation.
    2 Select a product, then select a version.
    3 Select a product document.
To access the KnowledgeBase, do this:
    Click Search the KnowledgeBase for answers to your product questions.
    Click Browse the KnowledgeBase for articles listed by product and version.
1
Introduction
This document provides guidelines for deploying McAfee MOVE Antivirus in different Virtual Desktop
Infrastructure (VDI) environments. McAfee MOVE Antivirus scalability information is also included.
This document assumes that the user has a basic understanding of McAfee MOVE Antivirus
functionality. For more information on McAfee MOVE Antivirus functionality, please refer to the McAfee
MOVE Antivirus Product Guide. McAfee recommends you read the entire document before starting a
McAfee MOVE Antivirus deployment.
2
Common deployment scenarios
Here are some common scenarios for McAfee MOVE Antivirus deployment.
Contents
Clusters with dedicated master images
Clusters with shared master images
McAfee MOVE Antivirus with Distributed Resource Scheduler and High Availability
Clusters with dedicated master images
In this scenario, the master images are associated with a cluster or pool and are not shared across clusters or pools.
Deployment Approach
A dedicated McAfee MOVE Antivirus Offload Server needs to be set up for each cluster or pool. For each master image associated with a cluster:
- Install and configure the McAfee MOVE Antivirus Agent
- Configure a McAfee MOVE Antivirus policy with the IP address of the McAfee MOVE Antivirus Offload Server
Effectively, you create a single cluster-specific policy and apply it to all master images associated with a cluster. To enforce cluster-specific McAfee MOVE Antivirus policies from ePolicy Orchestrator, you need to:
- Create cluster-specific groups in ePolicy Orchestrator
- Sort VMs into the cluster-specific groups in ePolicy Orchestrator using its tagging feature
- Enforce the cluster-specific McAfee MOVE Antivirus policy on the cluster groups
Figure 2-1 McAfee MOVE Antivirus deployment for clusters with dedicated master images
Deploying McAfee MOVE Antivirus in a cluster
Properly deploying McAfee MOVE Antivirus into a cluster involves extra configuration work.
Task
1 Install a McAfee MOVE Antivirus Offload Server in each cluster.
To install multiple McAfee MOVE Antivirus Offload Server virtual machines (VMs) in a cluster for High Availability (HA) and load balancing, see Appendix B: Deploying high availability servers in a cluster.
To review McAfee MOVE Antivirus Offload Server installation steps, refer to the McAfee MOVE Antivirus Offload Server Product Guide.
2 Install McAfee MOVE Antivirus Agent on each master image.
For information, refer to the McAfee MOVE Antivirus Product Guide.
3 Configure the following McAfee MOVE Antivirus policy parameters on each master image.
> mvadm config set Serveraddress1=<IP address of the McAfee MOVE Antivirus Offload Server>
> mvadm enable
You do not need to configure a secondary McAfee MOVE Antivirus Offload Server, as high availability and load balancing can be achieved by using an industry standard load balancing solution, such as Microsoft network load balancing (NLB).
4 Verify that the McAfee MOVE Antivirus protection status is enabled on the master image by executing the mvadm status command.
5 Create cluster-specific tags in each master image.
a Add the CustomProps registry key entry at the following location.
For 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
For 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\
b Create a string value named CustomProps1.
c Edit the CustomProps1 string value to set the value data to the .
6 Stop the McAfee Framework service.
7 Delete the AgentGUID registry key.
For 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
For 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent
8 Shut down the master image.
9 Create cluster-specific tags in ePolicy Orchestrator.
a Navigate to Menu | Systems | Tag Catalog, then click Tag Action | New Tag.
b Specify the tag name and click Next.
c Select Custom 1 from the Available Properties list.
d Set the Custom 1 value to the cluster name and click Next.
e Select On each agent-server communication and when a "Run Tag Criteria" action is taken.
f Click Next.
g Review the summary and click Save.
10 Create cluster-specific subgroups in the ePolicy Orchestrator system tree.
a Navigate to Menu | Systems | System Tree.
b Select System Tree Action | New Subgroup.
c Enter the subgroup name for the cluster and click OK.
11 Sort the subgroups.
a Navigate to Menu | Systems | System Tree.
b Select the subgroup from the System Tree.
c Select the Group Details tab.
d Edit the sorting criteria.
e Select Systems that match any of the criteria below (IP addresses and/or tags).
f Click Add Tags.
g Select the cluster-specific tags.
h Click Save.
12 Enable system tree sorting for the VMs in ePolicy Orchestrator.
a Navigate to Menu | Systems | System Tree.
b Select all VMs.
c Select Actions | Directory Management | Change Sorting Status.
d Select Enable System Tree sorting on selected systems.
e Click OK.
If some VMs in ePolicy Orchestrator are under the Lost&Found group and sorting status is
enabled, the VMs will not be sorted based on the agent-server communication. These systems
will only be tagged. To manually sort the VMs, select all systems and choose Actions | Directory
Management | Sort Now.
13 Create and enforce cluster-specific policy to each cluster group in ePolicy Orchestrator.
14 Start the VMs.
After the VMs start, they are sorted in cluster-specific groups in ePolicy Orchestrator at the first
agent-server communication interval.
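Steps 5 to 7 of this task can be scripted on the master image. The following PowerShell script is an added example, not part of the McAfee guide; the `ClusterName` parameter (taken to be the cluster name that the Custom 1 tag in step 9d matches) and the service name `McAfeeFramework` are assumptions, and the registry locations are the two listed in step 5.

```powershell
# Added example (not from the McAfee guide): steps 5-7 on a master image.
# Run in an elevated PowerShell session, then shut the image down (step 8).
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]$ClusterName,                      # assumption: value matched by the Custom 1 tag (step 9d)
    [string]$ServiceName = 'McAfeeFramework'   # assumption: name of the McAfee Framework service
)

$ErrorActionPreference = 'Stop'

# Agent key locations from step 5 (the 64-bit location is checked first).
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent'
)
$agentKey = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $agentKey) {
    throw 'McAfee Agent registry key not found. Install the agent on the master image first.'
}

# Step 5: CustomProps key with a CustomProps1 string value holding the cluster name.
$propsKey = "$agentKey\CustomProps"
if (-not (Test-Path -Path $propsKey)) {
    New-Item -Path $propsKey | Out-Null
}
New-ItemProperty -Path $propsKey -Name 'CustomProps1' -Value $ClusterName `
    -PropertyType String -Force | Out-Null

# Step 6: stop the McAfee Framework service before touching AgentGUID.
$service = Get-Service -Name $ServiceName
if ($service.Status -ne 'Stopped') {
    Stop-Service -InputObject $service -Force
}

# Step 7: delete AgentGUID. The guide calls it a registry key; it may be stored
# as a value on the Agent key, so both forms are handled.
if (Test-Path -Path "$agentKey\AgentGUID") {
    Remove-Item -Path "$agentKey\AgentGUID" -Recurse
}
if ($null -ne (Get-Item -Path $agentKey).GetValue('AgentGUID')) {
    Remove-ItemProperty -Path $agentKey -Name 'AgentGUID'
}

# Verify before shutdown: a leftover AgentGUID would be copied into every VM
# provisioned from this image.
$result = [pscustomobject]@{
    AgentKey         = $agentKey
    CustomProps1     = (Get-ItemProperty -Path $propsKey -Name 'CustomProps1').CustomProps1
    ServiceStatus    = (Get-Service -Name $ServiceName).Status
    AgentGuidPresent = (Test-Path -Path "$agentKey\AgentGUID") -or
                       ($null -ne (Get-Item -Path $agentKey).GetValue('AgentGUID'))
}
$result
if ($result.AgentGuidPresent -or $result.ServiceStatus -ne 'Stopped') {
    throw 'Master image is not ready to shut down: re-check steps 6 and 7.'
}
```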
Clusters with shared master images
In this scenario, the master images are shared and used to provision VMs across multiple clusters or pools.
Each cluster or pool has its own McAfee MOVE Antivirus Offload Server. Install and configure the McAfee MOVE Antivirus Agent on each master image. Because a single image is used for VMs across multiple clusters or pools, only one IP address of the McAfee MOVE Antivirus Offload Server can be configured in the McAfee MOVE Antivirus policy for the master image. This raises the problem of how to configure the McAfee MOVE Antivirus Agent policy with the IP address of the cluster-specific offload scan server.
The McAfee MOVE Antivirus policy configuration issue for the master image can be resolved by creating a dedicated Virtual Local Area Network (VLAN) for each cluster or pool. Across the configured VLANs, the offload scan servers are assigned the same IP address. Thereafter, the McAfee MOVE Antivirus Agent policy in the master images is configured to use that IP address of the McAfee MOVE Antivirus Offload Server. Now, the Agents and offload scan server communicate within a cluster- or pool-specific VLAN.
Implementation of Solution on VMware vSphere
On VMware vSphere, the proposed solution can be implemented using VMware virtual distributed switch (vDS) or vSwitch.
- If vDS is available, create a VLAN for each cluster and add all VMs in the cluster to the VLAN. The Dynamic Host Configuration Protocol (DHCP) server can be used to assign the IP addresses to VMs in all VLANs. To ensure the DHCP server can assign IP addresses to all VMs, add the DHCP server to all VLANs by using the VLAN trunking feature of vDS.
- If vDS is not available, create a VLAN with the same ID on the vSwitch on all hypervisors belonging to a cluster. Ensure that the VLAN ID used for each cluster is different. The Dynamic Host Configuration Protocol (DHCP) server can be used to assign the IP addresses to VMs in all VLANs. To ensure the DHCP server can assign IP addresses to all VMs, make the DHCP server a member of all VLANs using a VLAN ID of 4095.
Figure 2-2 McAfee MOVE Antivirus deployment using a virtual distributed switch
This figure highlights McAfee MOVE Antivirus deployment on two clusters using a virtual distributed
switch.
Figure 2-3 McAfee MOVE Antivirus deployment using a virtual switch
This figure highlights a McAfee MOVE Antivirus deployment using a VMware switch. In both situations, note that a VLAN is configured in each cluster and each VLAN has a unique ID.
Deploying McAfee MOVE Antivirus in a cluster with shared VMs
This scenario is designed for environments that share virtual machines across clusters.
Task
1 Create a VLAN for each cluster.
For more information on setting up VLANs, refer to Appendix A: Configuring VLANs in VMware vSphere clusters.
2 Install the McAfee MOVE Antivirus Offload Server in each cluster.
To install multiple offload scan servers in a cluster for high availability and load balancing, refer to Appendix B: Deploying high availability servers in a cluster. For installation instructions, refer to the McAfee MOVE Antivirus Product Guide.
3 Install a McAfee MOVE Antivirus Agent on each master image.
3
Scaling McAfee MOVE Antivirus installations
When deployed properly, McAfee MOVE Antivirus is designed to operate in an ever expanding virtual
environment.
Contents
McAfee MOVE Antivirus Scalability Guidelines
Fine tuning your offload server settings
Miscellaneous best practices
McAfee MOVE Antivirus Scalability Guidelines
During scalability testing, McAfee observed that the McAfee MOVE Antivirus Offload Server uses 5-10% of hypervisor CPU resources for low to high user workloads.
Depending on the number of hypervisors or CPU cores present in a cluster, you should reserve up to 10% of available CPU cores for McAfee MOVE Antivirus Offload Server virtual servers.
The following tables help you identify the number of offload scan servers required for a vSphere cluster. All calculations assume a high workload. However, depending upon the workload, you can determine the required number of offload scan servers in a cluster.
Assumptions
1 Each hypervisor has 8 cores.
2 Hyper threading is enabled on each hypervisor (the number of vCPU will be twice the number of cores on the hypervisors).
3 Assign four dedicated vCPUs and 4 GB to each McAfee MOVE Antivirus Offload Server.

Hypervisors per cluster | Cores per cluster (number of hypervisors * 8) | vCPU per cluster (number of cores * 2) | vCPU required for offload scan servers for a cluster (10% of vCPU) | Number of offload scan servers in a cluster
2  | 16  | 32  | 3.2 | 2
8  | 64  | 128 | 12  | 3
10 | 80  | 160 | 16  | 4
20 | 160 | 320 | 32  | 8
35 | 280 | 560 | 56  | 14

To add multiple offload scan servers to a cluster, use the Microsoft Network Load Balancing (NLB) service.
McAfee Labs conducted tests to calculate the VM density on hypervisors. Here are the performance
results.
1 Performance Tool Used: Login VSI 3.0.2
2 Workload: Heavy Workload
3 System Details
McAfee MOVE Antivirus Offload Server: Windows 2008 R2 SP1 (x64), 4 GB RAM, 4 vCPU
McAfee MOVE Antivirus Agent: XP-SP3 (x86), 1024 MB RAM, 1 vCPU
Hypervisor: one hypervisor with ESX 4.1, Citrix PVS 5.6 having 96 GB of RAM, 12 Cores @ 3.324 GHz, Fibre channel disc storage

Agent OS | Number of hypervisors | Number of VMs in cluster | VSIMX HIT | VSIMAX | Network and disk usage | Login time (sec) | Number of offload scan servers in cluster
Win XP-SP3 (x86) | 1 | 121 | Yes | 113 | Network: 7500 KBps, Disk: 12,000 KBps  | 14 | 1
Windows 7 (x64)  | 1 | 94  | Yes | 85  | Network: 15,000 KBps, Disk: 12,500 KBps | 5  | 1

Best Practices
1 Keep offload scan servers on different hypervisors of a vSphere cluster to ensure high availability in
case one hypervisor goes down.
2 Keep a minimum of two offload scan servers in a cluster to achieve high availability.
3 If you find you are hitting limits frequently, consider adding additional scan servers.
Fine tuning your offload server settings
McAfee has done testing to try to answer the question "How many clients can a single offload scan server support?"
General guidelines
The actual number of clients that can connect to a single offload scan server depends on a number of factors. These include server hardware, network availability, and the amount of workload per client. The optimal configuration will be different in every customer's environment. The primary gating criterion for determining an optimal number of clients a single offload scan server can support is the number of concurrent client scan requests. Offload scan server performance degrades when it receives more concurrent scan requests than it is configured to handle. The concurrent scan limit is defined by the NumThreads parameter in the offload scan server.
The offload scan server can handle a maximum of 3000 concurrent active connections (heartbeats, scan requests, and server side cache check requests). If the server has reached its maximum of 3000 active connections, any new connection will be accepted but queued for handling until one of the 3000 active connections completes. Each client has a maximum of 6 active connections to an offload scan server (1 connection for a heartbeat and 5 for scan and cache check requests), thereby limiting the offload scan server to be able to effectively handle a maximum of 500 clients before the connections
start to queue. You can increase the number of clients connected to a single offload scan server as
long as the number of concurrent scan requests does not exceed the configured NumThreads
parameter value. If this value is exceeded, server performance begins to degrade rapidly.
In general, the fewer actual scan requests received by the offload scan server, the more clients it can
support. While an offload server can theoretically support up to 500 clients (equal to 3000 possible
overall connections) the limiting factor is the number of concurrent scan requests that the clients
trigger. On McAfee's test hardware (a hypervisor having 12 CPUs @ 3.324 GHz, 96 GB RAM, Fibre
channel disc storage, with 4 vCPUs & 4 GB RAM dedicated to the offload scan server), we determined
that the maximum number of concurrent scans that could be supported without degrading
performance was around 400. Based upon these results, we have increased the default value of
allowed concurrent scans (NumThreads) from 50 in McAfee MOVE Antivirus version 1.5 to 300 in
McAfee MOVE Antivirus version 2.0.
If you deploy the McAfee MOVE Antivirus client to server class machines be aware that you may reach
the concurrent scans upper limit much sooner compared to a deployment to desktop systems.
Important tuning statistics
When tuning your environment, McAfee recommends monitoring the following items:
- The offload scan server's CPU usage. It is not uncommon for the CPU usage of the offload scan server to be at or around 100% while it is under heavy load. However, if the offload scan server is under heavy load and the CPU drops to 50%, this is an indication the server is overwhelmed.
- The offload scan server statistics. Use the mvadm stats command to retrieve these. Look for the Idle Threads number. It is important to make sure that Idle Threads does not fall to 0, as scan requests begin to compete for scan slots. You want to avoid this situation; it is an indication too many client scan requests are coming in.
- The offload scan server's network performance. Make sure the network connection is not at or near maximum.
Ways to improve performance
The following options are available to increase server performance:
- Increase scan server CPU power. The CPU is the primary limiting factor in an offload scan server's performance.
- Ensure high network availability.
- Increase RAM, but only to a maximum of 4 GB. The offload scan service is a 32-bit application and cannot benefit from additional RAM beyond 4 GB.
- If the offload scan server becomes overwhelmed, consider excluding client side log and text files that are frequently modified to reduce the number of scan requests.
- DAT updates can place a large load on the offload scan server. Make sure you are using McAfee Agent 4.5 patch 2 or later and scheduling DAT updates during non-peak hours.
Large files and network scanning
Enabling McAfee MOVE Antivirus network scanning capabilities, then accessing large files across the
network, greatly increases the access time for network based large files. As Distributed File Systems
(DFS) are not supported by McAfee MOVE Antivirus or McAfee MOVE Scheduler, McAfee recommends,
whenever possible, scanning a file using a scanner closest to the file itself. If a file resides on a
network share, rather than enabling McAfee MOVE Antivirus network scanning, use the McAfee
anti-virus product on the system where the file resides to scan the file. If the file resides on a NetApp
Filer we recommend using VirusScan Enterprise for Storage to scan the file. With this approach you
maintain good performance while still providing protection.
One manifestation of large files and network scanning is seen when using XenApp6 to stream the
virtualized version of Microsoft Word 2007. To improve the application's launch time in this
environment, exclude the following processes from anti-virus scanning:
RadeLauncher.exe
RadeSvc.exe
RadeObj.exe
Miscellaneous best practices
These are helpful tips and techniques that are not related to performance.
Quarantine files in non-persistent virtual machines
In a non-persistent virtual machine, the quarantine folder contents are not saved when a user logs off
or reboots the virtual machine. The usual workaround for this is to specify the quarantine folder be
somewhere in the user's home directory. However, if the Windows roaming profile feature is used, the
quarantine folder can't be saved in the user's home directory as their home directory becomes a
network location in that environment.
Balancing offload scan servers to handle downtime
There is a simple technique to make sure an environment with two offload scan servers (ScanServer1 and ScanServer2) can handle either server going offline without overloading the other server. Once you determine the number of virtual machines (VMs) one offload scan server can handle, split that number of VMs roughly in half by some criteria such as even or odd MAC addresses. Assign one half of those VMs ScanServer1 as their primary scan server and ScanServer2 as their secondary scan server. With a second policy assignment, reverse those assignments for the other half of the VMs.
You will now have each offload scan server running at approximately half capacity, but able to absorb
the other scan server going offline without any configuration changes.
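The split described above, with a check that either server can absorb the other's clients, as an added PowerShell example that is not part of the McAfee guide. The function names, the sample MAC addresses and the per-server capacity passed in are constructed for illustration; the 3000-connection and 6-connections-per-client figures are the ones stated under Fine tuning your offload server settings.

```powershell
# Added example (not from the McAfee guide). Limits quoted from the guide's tuning section.
$MaxConnections       = 3000  # concurrent active connections per offload scan server
$ConnectionsPerClient = 6     # 1 heartbeat + 5 scan and cache check connections

function Get-ScanServerAssignment {
    # Splits VMs by even/odd MAC address and mirrors primary/secondary between the halves.
    param(
        [Parameter(Mandatory = $true)][string[]]$MacAddress,
        [string]$ServerA = 'ScanServer1',
        [string]$ServerB = 'ScanServer2'
    )
    foreach ($mac in $MacAddress) {
        $hex = $mac -replace '[-:.]', ''
        if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "Not a MAC address: $mac" }
        # Parity of the MAC is the parity of its last hex digit.
        $even = ([Convert]::ToInt32($hex.Substring(11, 1), 16) % 2) -eq 0
        [pscustomobject]@{
            Mac       = $mac
            Primary   = if ($even) { $ServerA } else { $ServerB }
            Secondary = if ($even) { $ServerB } else { $ServerA }
        }
    }
}

function Test-FailoverCapacity {
    # $ClientsPerServer: number of VMs one server handles in your environment
    # (measured by you; the guide gives no universal value).
    param(
        [Parameter(Mandatory = $true)][object[]]$Assignment,
        [Parameter(Mandatory = $true)][int]$ClientsPerServer
    )
    # Beyond this many clients, connections start to queue on the connection limit.
    $connectionCap = [int][Math]::Floor($MaxConnections / [double]$ConnectionsPerClient)
    $limit = [Math]::Min($ClientsPerServer, $connectionCap)
    $servers = @($Assignment | ForEach-Object { $_.Primary; $_.Secondary } | Sort-Object -Unique)
    foreach ($server in $servers) {
        $normal = @($Assignment | Where-Object { $_.Primary -eq $server }).Count
        # If the peer goes offline, this server also receives every client that
        # lists it as secondary.
        $peerDown = @($Assignment | Where-Object {
            $_.Primary -eq $server -or $_.Secondary -eq $server
        }).Count
        [pscustomobject]@{
            Server            = $server
            NormalClients     = $normal
            ClientsIfPeerDown = $peerDown
            Limit             = $limit
            SurvivesFailover  = $peerDown -le $limit
        }
    }
}

# Constructed sample: eight VM MAC addresses; one server is assumed to handle 8 VMs.
$sampleMacs = @(
    '00:50:56:00:10:01', '00:50:56:00:10:02', '00:50:56:00:10:03', '00:50:56:00:10:04',
    '00:50:56:00:10:06', '00:50:56:00:10:08', '00:50:56:00:10:0A', '00:50:56:00:10:0B'
)
$plan = Get-ScanServerAssignment -MacAddress $sampleMacs
$plan | Format-Table -AutoSize
Test-FailoverCapacity -Assignment $plan -ClientsPerServer 8 | Format-Table -AutoSize
```

With this sample the parity split is uneven (five even, three odd), which is why the normal-load column is worth checking before relying on MAC parity as the split criterion.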
Scanning offline virtual images in a VMware environment
When VirusScan Enterprise for Offline Virtual Images begins scanning an offline VMware virtual
machine, it locks the image until the scan is complete. The virtual machine cannot be started until the
scan is complete. Use a policy that schedules offline virtual image scanning in off-peak hours only.
A
Configuring VLANs in VMware vSphere clusters
McAfee recommends that if you use the same master image to provision virtual machines in multiple
clusters, you create a dedicated VLAN in each cluster to handle McAfee MOVE Antivirus deployment.
This helps maintain the same IP address for the McAfee MOVE Antivirus Offload Server across all VLANs.
You can create VLANs using a virtual switch or a virtual distributed switch. These steps create VLANs
in each environment.
Contents
Prerequisites for creating VLANs
Configure a VMware vShield VLAN using a Virtual Distributed Switch
Configuring VLAN using a virtual switch
Configuring the DHCP server in virtual guest tagging mode
Prerequisites for creating VLANs
These conditions must exist for McAfee MOVE Antivirus to work in a VMware vShield VLAN environment.
- The virtual switch or virtual distributed switch is available.
  Virtual distributed switches are available with the VMware Enterprise Plus license.
- The physical network interface cards (NIC) for all hypervisors selected for McAfee MOVE Antivirus communication are connected to the trunk port of the physical switch.
- One virtual NIC has been added to each VM.
- A dedicated virtual machine is hosting the DHCP server.
- All VLANs are configured on the physical switch.
Configure a VMware vShield VLAN using a Virtual Distributed Switch
A VLAN must be configured in a specific way to be compatible with McAfee MOVE Antivirus.
Task
1 Create a Virtual Distributed Switch (VDS).
If you are using an existing VDS, skip step 2.
2 Add the physical NICs of all hypervisors in the VDS selected for VLAN.
A single VDS supports 64 hypervisors. If you are using more than 64 hypervisors, create a new VDS.
3 Create a port group for each cluster on the VDS.
4 Assign a unique VLAN ID to each port group.
5 Add virtual network interface cards (vNIC) to all VMs.
6 Add all VMs to the cluster VLAN by using the vNIC of each VM.
7 Create VLANs on the physical switch with the same VLAN ID as created on the VDS.
8 Allocate IP addresses to VMs in the VLANs by configuring the DHCP server.
a Create a port group on the vDS and select VLAN type as VLAN Trunking.
b Specify the range of VLANs to accommodate all VLANs created for the clusters.
c Add the DHCP server to the port group.
d Configure the DHCP VM in VGT (Virtual Guest Tagging) mode to make it a member of all cluster VLANs so that a single DHCP server can be used to assign IP addresses to all VMs. See Configuring the DHCP server in Virtual Guest Tagging mode for further information.
Configuring VLAN using a virtual switch
A VLAN can be created using a virtual switch so it is compatible with McAfee MOVE Antivirus.
Task
1 Create a port group on vSwitch for all hypervisors in the cluster.
2 Assign the VLAN ID to the port group in each vSwitch.
3 Add a virtual NIC (vNIC) to all virtual machines (VMs).
4 Add the VMs to the cluster VLAN by using the vNIC of each VM.
5 Create VLANs on the physical switch with the same VLAN ID as created on the virtual switches.
6 Allocate IP addresses to the VMs in all VLANs by configuring the DHCP server.
a Create a port group on the vSwitch of the hypervisor where the DHCP server is hosted and set
the VLAN ID to 4095.
b Add the DHCP server to the port group (VLAN ID = 4095).
c Configure the DHCP virtual machine in virtual guest tagging mode to make it a member of all
cluster VLANs so that a single DHCP server can be used to assign IP addresses to all VMs. See
Configuring the DHCP server in virtual guest tagging mode for more information.
Configuring the DHCP server in virtual guest tagging mode
You must configure the DHCP server virtual machine in virtual guest tagging (VGT) mode for use in
McAfee MOVE Antivirus VLANs.
Task
1 Install the DHCP server on the virtual machine (VM) and choose a class B address for scoping.
Create a single scope for IP addresses of all VMs across different cluster VLANs.
2 Add a type E1000 virtual NIC (vNIC) to the DHCP server VM.
3 Install the Intel driver that supports VGT.
You can download the Intel driver from http://www.intel.com/support/network/sb/cs-006120.htm.
4 Right-click the vNIC icon on the DHCP server and select Properties | Configure | VLANs.
5 Add the cluster VLANs.
A new network adapter is automatically added for each VLAN.
6 Specify a static IP address for the network adapter.
Considering the virtual device infrastructure size, it is advisable to use the class B addressing scheme
that provides close to 60000 unique IP addresses.
B
Deploying high availability servers in a cluster
In a typical virtual device infrastructure (VDI) deployment scenario, there are multiple hypervisors in a
cluster. It is usually necessary to deploy multiple McAfee MOVE Antivirus Offload Server virtual
machines for load balancing and high availability (HA) in this kind of environment.
You can deploy multiple McAfee MOVE Antivirus Offload Server VMs in a cluster by using the Microsoft
network load balancing (NLB) service. The number of servers you deploy should follow the scalability
guidelines.
Within this document, the group of offload scan servers managed by the NLB service is referred to as
the NLB server cluster. The NLB server cluster is transparent to McAfee MOVE Antivirus Agents and the
Agents communicate with the NLB server cluster using its virtual IP address. The NLB server cluster's
virtual IP address is configured with McAfee MOVE Antivirus policy in ePolicy Orchestrator.
When using NLB server clusters, you do not need to deploy secondary offload scan servers because HA
will be provided by the NLB server cluster. To monitor the health of a McAfee MOVE Antivirus Offload
Server, deploy the external monitoring script provided with the McAfee MOVE Antivirus deployment kit.
Figure B-1 NLB server cluster - clusters using dedicated master images for VMs
Figure B-2 NLB server cluster - clusters sharing master images for VMs
Create NLB server clusters
These tasks create a McAfee MOVE Antivirus compatible server cluster.
Tasks
Install network load balancing
Network load balancing must be installed before use.
Create a server cluster
Create the cluster after the Network Load Balancing feature is installed.
Schedule the monitor script on each McAfee MOVE Antivirus Offload Server
McAfee provides a script that checks the health of an offload scan server and controls
scan traffic based on load.
Install network load balancing
Network load balancing must be installed before use.
This feature is not installed on Windows Server 2008 R2 by default.
Task
1 Ensure all McAfee MOVE Antivirus Offload Server virtual machines in the cluster are in the same
domain and subnet.
2 Navigate to Administrative Tools | Server Manager.
3 In the Server Manager window, select Select Features | Add Features.
4 Select Network Load Balancing.
5 Click OK.
Create a server cluster
Create the cluster after the Network Load Balancing feature is installed.
Task
1 Navigate to Administrative Tools | Network Load Balancing Manager.
2 In the Network Load Balancing Manager window, select Cluster | New Cluster.
3 In the New Cluster: Connect window, enter the IP address of the McAfee MOVE Antivirus Offload Server
and click Connect.
4 Select the interface name based on your setup (whether using VLAN or not) and click Next.
5 Review the information and click Next.
6 In the New Cluster: Cluster IP Addresses window, click Add.
7 In the Add IP Address window, select Add IPv4 address and enter the virtual IP address of the servers to
include in the NLB server cluster. Click OK.
8 Click Next.
9 In the New Cluster: Cluster Parameters window, enter the cluster name in the Full Internet name field.
10 Select Multicast. Click Next.
11 In the New Cluster: Port Rules window, click Edit.
12 In the Add/Edit Port Rule window, deselect All.
13 Select the virtual IP address of the NLB cluster and specify the port range from 9053 to 9053 or the
non-default port which you selected during McAfee MOVE Antivirus Offload Server installation.
14 Set the protocol to TCP and click OK.
15 Set the Filtering mode to Multiple host, and set the Affinity to None.
16 Click Finish to create the cluster.
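The two procedures above (installing NLB and creating the cluster) can also be scripted on Windows Server 2008 R2 with the ServerManager and NetworkLoadBalancingClusters PowerShell modules. This is an added example, not part of the McAfee guide or deployment kit; the interface name, cluster name, virtual IP address and subnet mask are placeholder assumptions. It ends by checking that the only load-balanced port is the scan port, since a newly created cluster starts with a rule covering every port.

```powershell
# Added example: scripted equivalent of the GUI steps above. Run elevated on the
# first McAfee MOVE Antivirus Offload Server. All values below except the port
# are placeholders (assumptions) to replace with your own.
$InterfaceName = 'Local Area Connection'    # NIC on the cluster VLAN (assumption)
$ClusterName   = 'move-nlb.example.local'   # "Full Internet name" (assumption)
$ClusterVip    = '172.16.0.10'              # NLB virtual IP address (assumption)
$SubnetMask    = '255.255.0.0'              # class B mask (assumption)
$ScanPort      = 9053                       # default offload server port from the guide

# NLB is not installed on Windows Server 2008 R2 by default.
Import-Module ServerManager
Add-WindowsFeature NLB, RSAT-NLB | Out-Null
Import-Module NetworkLoadBalancingClusters

# Steps 1-10: create the cluster on the chosen interface in multicast mode.
New-NlbCluster -InterfaceName $InterfaceName -ClusterName $ClusterName `
    -ClusterPrimaryIP $ClusterVip -SubnetMask $SubnetMask `
    -OperationMode Multicast | Out-Null

# Steps 11-15: replace the default all-ports rule with one rule for the scan
# port on the virtual IP: TCP, multiple-host filtering, no affinity.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -IP $ClusterVip -StartPort $ScanPort -EndPort $ScanPort `
    -Protocol Tcp -Mode Multiple -Affinity None | Out-Null

# Check: exactly one rule must remain and it must match the guide's settings.
$rules = @(Get-NlbClusterPortRule)
$unexpected = @($rules | Where-Object {
    $_.StartPort -ne $ScanPort -or $_.EndPort -ne $ScanPort -or
    "$($_.Protocol)" -ne 'Tcp' -or "$($_.Mode)" -ne 'Multiple' -or
    "$($_.Affinity)" -ne 'None'
})
if ($rules.Count -ne 1 -or $unexpected.Count -gt 0) {
    $rules | Format-List *
    throw "NLB port rules differ from the single TCP $ScanPort rule in the guide."
}
"OK: only TCP $ScanPort is load balanced on $ClusterVip"
```

If you chose a non-default port during McAfee MOVE Antivirus Offload Server installation, set `$ScanPort` to that value.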
Schedule the monitor script on each McAfee MOVE Antivirus Offload Server
McAfee provides a script that checks the health of an offload scan server and controls scan
traffic based on load.
If a server is down or not responding, the script removes the host from the NLB server cluster. After
the McAfee MOVE Antivirus Offload Server returns, the script automatically adds the host back to the
NLB server cluster. This script also places a log entry in the Windows Event Viewer when either event
occurs.
Task
1 Navigate to Administrative Tools | Task Scheduler.
2 In the Task Scheduler window, select Create Task in the Actions panel.
3 Select Run whether user is logged on or not and Do not store password.
4 Select the Triggers tab. Click New.
5 In the New Trigger window, select At startup in the Begin the task list. Click OK.
6 Select the Action tab. Click New.
7 In the New Action window, select Start a program in the Action list.
8 Enter cscript.exe in the Program/Script field.
9 Specify the name of the monitoring script (move-av-monitor.vbs) in the Add arguments field. Click OK.
10 Select the Conditions tab.
11 Deselect Start the task only if the computer is on AC power. Click OK to schedule the task.
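The same task can be registered from PowerShell through the Task Scheduler COM interface (Schedule.Service), which is available on Windows Server 2008 R2. This is an added example, not part of the McAfee guide or deployment kit; the task name, script location and account are hypothetical placeholders.

```powershell
# Added example: the Task Scheduler steps above through the Schedule.Service
# COM API. Run elevated. The three values below are placeholders (assumptions).
$TaskName   = 'MOVE-AV NLB monitor'               # hypothetical task name
$ScriptPath = 'C:\MOVE\move-av-monitor.vbs'       # assumed script location
$RunAs      = "$env:USERDOMAIN\svc-move-monitor"  # hypothetical account

if (-not (Test-Path $ScriptPath)) { throw "Monitor script not found: $ScriptPath" }

$service = New-Object -ComObject Schedule.Service
$service.Connect()
$definition = $service.NewTask(0)

# Steps 4-5: trigger "At startup" (TASK_TRIGGER_BOOT = 8).
[void]$definition.Triggers.Create(8)

# Steps 6-9: action "Start a program" (TASK_ACTION_EXEC = 0), cscript.exe
# with the monitor script as its argument.
$action = $definition.Actions.Create(0)
$action.Path = 'cscript.exe'
$action.Arguments = "`"$ScriptPath`""

# Steps 10-11: do not require AC power.
$definition.Settings.DisallowStartIfOnBatteries = $false
$definition.Settings.StopIfGoingOnBatteries = $false

# Step 3: "Run whether user is logged on or not" with "Do not store password"
# is the S4U logon type (TASK_LOGON_S4U = 2), so no password is passed.
# Flag 6 = TASK_CREATE_OR_UPDATE.
$root = $service.GetFolder('\')
[void]$root.RegisterTaskDefinition($TaskName, $definition, 6, $RunAs, $null, 2)

# Read the stored definition back to confirm trigger, action and logon type.
$root.GetTask($TaskName).Xml
```

Because the task runs the script unattended at every startup, keep move-av-monitor.vbs in a directory that only administrators can write to.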