MOVE Antivirus 2 0 Deployment Guide


  • 8/3/2019 MOVE Antivirus 2 0 Deployment Guide

    1/30

    Deployment Guide

    McAfee MOVE Antivirus 2.0.0

    For use with ePolicy Orchestrator 4.5.0 and 4.6.0


    COPYRIGHT

    Copyright 2011 McAfee, Inc. All Rights Reserved.

    No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARK ATTRIBUTIONS

    AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    LICENSE INFORMATION

    License Agreement

    NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


    Contents

    Preface
        About this guide
            Audience
            Conventions
            What's in this guide
        Finding product documentation

    1 Introduction

    2 Common deployment scenarios
        Clusters with dedicated master images
            Deploying McAfee MOVE Antivirus in a cluster
        Clusters with shared master images
            Deploying McAfee MOVE Antivirus in a cluster with shared VMs
        McAfee MOVE Antivirus with Distributed Resource Scheduler and High Availability

    3 Scaling McAfee MOVE Antivirus installations
        McAfee MOVE Antivirus Scalability Guidelines
        Fine tuning your offload server settings
        Miscellaneous best practices

    A Configuring VLANs in VMware vSphere clusters
        Prerequisites for creating VLANs
        Configure a VMware vShield VLAN using a Virtual Distributed Switch
        Configuring VLAN using a virtual switch
        Configuring the DHCP server in virtual guest tagging mode

    B Deploying high availability servers in a cluster
        Create NLB server clusters
            Install network load balancing
            Create a server cluster
            Schedule the monitor script on each McAfee MOVE Antivirus Offload Server

    Index


    Preface

    This guide provides the information you need to install your McAfee product.

    Contents

    About this guide

    Finding product documentation

    About this guide

    This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

    Audience

    McAfee documentation is carefully researched and written for the target audience.

    The information in this guide is intended primarily for:

    • Administrators: People who implement and enforce the company's security program.

    Conventions

    This guide uses the following typographical conventions and icons.

    Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

    Bold: Text that is strongly emphasized.

    User input or Path: Commands and other text that the user types; the path of a folder or program.

    Code: A code sample.

    User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

    Hypertext blue: A live link to a topic or to a website.

    Note: Additional information, like an alternate method of accessing an option.

    Tip: Suggestions and recommendations.

    Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

    Warning: Critical advice to prevent bodily harm when using a hardware product.


    What's in this guide

    This guide is organized to help you find the information you need.

    This document outlines recommended deployment strategies and usage tips to help you get the most from your McAfee MOVE AV installation while having the smallest possible impact on performance.

    Finding product documentation

    McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

    Task

    1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

    2 Under Self Service, access the type of information you need:

    To access... | Do this...

    User documentation | 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document.

    KnowledgeBase | Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version.


    1 Introduction

    This document provides guidelines for deploying McAfee MOVE Antivirus in different Virtual Desktop

    Infrastructure (VDI) environments. McAfee MOVE Antivirus scalability information is also included.

    This document assumes that the user has a basic understanding of McAfee MOVE Antivirus

    functionality. For more information on McAfee MOVE Antivirus functionality, please refer to the McAfee

    MOVE Antivirus Product Guide. McAfee recommends you read the entire document before starting a

    McAfee MOVE Antivirus deployment.


    2 Common deployment scenarios

    Here are some common scenarios for McAfee MOVE Antivirus deployment.

    Contents

    Clusters with dedicated master images

    Clusters with shared master images

    McAfee MOVE Antivirus with Distributed Resource Scheduler and High Availability

    Clusters with dedicated master images

    In this scenario, the master images are associated with a cluster or pool and are not shared across clusters or pools.

    Deployment Approach

    A dedicated McAfee MOVE Antivirus Offload Server needs to be set up for each cluster or pool. For each master image associated with a cluster:

    • Install and configure the McAfee MOVE Antivirus Agent

    • Configure a McAfee MOVE Antivirus policy with the IP address of the McAfee MOVE Antivirus Offload Server

    Effectively, you create a single cluster-specific policy and apply it to all master images associated with a cluster. To enforce cluster-specific McAfee MOVE Antivirus policies from ePolicy Orchestrator, you need to:

    • Create cluster-specific groups in ePolicy Orchestrator

    • Sort VMs into cluster-specific groups in ePolicy Orchestrator using its tagging feature

    • Enforce the cluster-specific McAfee MOVE Antivirus policy on the cluster groups

    Figure 2-1 McAfee MOVE Antivirus deployment for clusters with dedicated master images

    Deploying McAfee MOVE Antivirus in a cluster

    Properly deploying McAfee MOVE Antivirus into a cluster involves extra configuration work.

    Task

    1 Install a McAfee MOVE Antivirus Offload Server in each cluster.

    To install multiple McAfee MOVE Antivirus Offload Server virtual machines (VMs) in a cluster for High Availability (HA) and load balancing, see Appendix B: Deploying high availability servers in a cluster.

    To review McAfee MOVE Antivirus Offload Server installation steps, refer to the McAfee MOVE

    Antivirus Offload Server Product Guide.

    2 Install McAfee MOVE Antivirus Agent on each master image.

    For information, refer to the McAfee MOVE Antivirus Product Guide.

    3 Configure the following McAfee MOVE Antivirus policy parameters on each master image.

    > mvadm config set Serveraddress1=
    > mvadm enable

    You do not need to configure a secondary McAfee MOVE Antivirus Offload Server as high availability

    and load balancing can be achieved by using an industry standard load balancing solution, such as

    Microsoft network load balancing (NLB).

    4 Verify that the McAfee MOVE Antivirus protection status is enabled on the master image by executing

    the mvadm status command.


    5 Create cluster-specific tags in each master image.

    a Add the CustomProps registry key entry at the following location.

    For 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent

    For 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\

    b Create a string value named CustomProps1.

    c Edit the CustomProps1 string value to set the value data to the .

    6 Stop the McAfee Framework service.

    7 Delete the AgentGUID registry key.

    For 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent

    For 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent

    8 Shut down the master image.

    9 Create cluster-specific tags in ePolicy Orchestrator.

    a Navigate to Menu | Systems | Tag Catalog, then click Tag Action | New Tag.

    b Specify the tag name and click Next.

    c Select Custom 1 from the Available Properties list.

    d Set the Custom 1 value to the cluster name and click Next.

    e Select On each agent-server communication and when a "Run Tag Criteria" action is taken.

    f Click Next.

    g Review the summary and click Save.

    10 Create cluster-specific subgroups in the ePolicy Orchestrator system tree.

    a Navigate to Menu | Systems | System Tree.

    b Select System Tree Action | New Subgroup.

    c Enter the subgroup name for the cluster and click OK.

    11 Sort the subgroups.

    a Navigate to Menu | Systems | System Tree.

    b Select the subgroup from the System Tree.

    c Select the Group Details tab.

    d Edit the sorting criteria.

    e Select Systems that match any of the criteria below (IP addresses and/or tags).

    f Click Add Tags.


    g Select the cluster-specific tags.

    h Click Save.

    12 Enable system tree sorting for the VMs in ePolicy Orchestrator.

    a Navigate to Menu | Systems | System Tree.

    b Select all VMs.

    c Select Actions | Directory Management | Change Sorting Status.

    d Select Enable System Tree sorting on selected systems.

    e Click OK.

    If some VMs in ePolicy Orchestrator are under the Lost&Found group and sorting status is

    enabled, the VMs will not be sorted based on the agent-server communication. These systems

    will only be tagged. To manually sort the VMs, select all systems and choose Actions | Directory

    Management | Sort Now.

    13 Create a cluster-specific policy and enforce it on each cluster group in ePolicy Orchestrator.

    14 Start the VMs.

    After the VMs start, they are sorted in cluster-specific groups in ePolicy Orchestrator at the first

    agent-server communication interval.
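Steps 5 to 8 of the task above, as an added PowerShell example for one master image (it is not part of the original guide and is not McAfee code). The service name McAfeeFramework, the use of the cluster name as the CustomProps1 value, the treatment of AgentGUID as a value under the Agent key, and the parameter names are assumptions.

```powershell
# Added example: run on the master image from an elevated PowerShell prompt.
# Use -WhatIf to preview the changes without making them.
# Assumptions: service name 'McAfeeFramework'; CustomProps1 = cluster name
# (the value the "Custom 1" tag criterion in step 9 is matched against).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]$ClusterName,

    [switch]$Shutdown   # step 8; leave off to inspect the report first
)

$ErrorActionPreference = 'Stop'

# Agent key locations given in the guide: 64-bit Windows first, then 32-bit.
$agentKey = @(
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent'
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $agentKey) { throw 'McAfee Agent registry key not found on this image.' }

# Step 5: CustomProps key with a CustomProps1 string value.
$customKey = Join-Path $agentKey 'CustomProps'
if ($PSCmdlet.ShouldProcess($customKey, "Set CustomProps1 to '$ClusterName'")) {
    if (-not (Test-Path -LiteralPath $customKey)) { New-Item -Path $customKey | Out-Null }
    New-ItemProperty -Path $customKey -Name 'CustomProps1' -Value $ClusterName -PropertyType String -Force | Out-Null
}

# Step 6: stop the McAfee Framework service before touching AgentGUID.
if ($PSCmdlet.ShouldProcess('McAfeeFramework', 'Stop service')) {
    Stop-Service -Name 'McAfeeFramework'
}

# Step 7: delete AgentGUID if it is present (assumed to be a value under the Agent key).
$guid = Get-ItemProperty -Path $agentKey -Name 'AgentGUID' -ErrorAction SilentlyContinue
if ($guid -and $PSCmdlet.ShouldProcess("$agentKey\AgentGUID", 'Delete')) {
    Remove-ItemProperty -Path $agentKey -Name 'AgentGUID'
}

# Verify before the image is shut down and cloned:
# tag value set, service stopped, no AgentGUID left behind.
$tag      = Get-ItemProperty -Path $customKey -Name 'CustomProps1' -ErrorAction SilentlyContinue
$leftover = Get-ItemProperty -Path $agentKey -Name 'AgentGUID' -ErrorAction SilentlyContinue
$service  = Get-Service -Name 'McAfeeFramework'
$tagValue = $null
if ($tag) { $tagValue = $tag.CustomProps1 }

$report = New-Object PSObject -Property @{
    AgentKey      = $agentKey
    CustomProps1  = $tagValue
    ServiceStatus = $service.Status
    AgentGuidGone = ($null -eq $leftover)
}
$report | Format-List AgentKey, CustomProps1, ServiceStatus, AgentGuidGone

$ready = ($tagValue -eq $ClusterName) -and ($service.Status -eq 'Stopped') -and ($null -eq $leftover)
if (-not $ready) { Write-Warning 'Master image is not ready to be shut down and cloned.' }

# Step 8: shut down only when every check passed.
if ($Shutdown -and $ready) { Stop-Computer -Force }
```

If the service restarts before the image is shut down, check AgentGUID again before the image is cloned.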

    Clusters with shared master images

    In this scenario, the master images are shared and used to provision VMs across multiple clusters or pools.

    Each cluster or pool has its own McAfee MOVE Antivirus Offload Server. Install and configure the McAfee MOVE Antivirus Agent on each master image. Because a single image is used for VMs across multiple clusters or pools, only one McAfee MOVE Antivirus Offload Server IP address can be configured in the McAfee MOVE Antivirus policy for the master image. The problem is then how to configure the McAfee MOVE Antivirus Agent policy with the IP address of the cluster-specific offload scan server.

    This policy configuration issue for the master image can be resolved by creating a dedicated Virtual Local Area Network (VLAN) for each cluster or pool. Across the configured VLANs, the offload scan servers are assigned the same IP address. The McAfee MOVE Antivirus Agent policy in the master images is then configured to use that IP address of the McAfee MOVE Antivirus Offload Server. The Agents and offload scan server now communicate within a cluster- or pool-specific VLAN.

    Implementation of Solution on VMware vSphere

    On VMware vSphere, the proposed solution can be implemented using VMware virtual distributed switch (vDS) or vSwitch.


    • If vDS is available, create a VLAN for each cluster and add all VMs in the cluster to the VLAN. The Dynamic Host Configuration Protocol (DHCP) server can be used to assign the IP addresses to VMs in all VLANs. To ensure the DHCP server can assign IP addresses to all VMs, add the DHCP server to all VLANs by using the VLAN trunking feature of vDS.

    • If vDS is not available, create a VLAN with the same ID on the vSwitch on all hypervisors belonging to a cluster. Ensure that the VLAN ID used for each cluster is different. The Dynamic Host Configuration Protocol (DHCP) server can be used to assign the IP addresses to VMs in all VLANs. To ensure the DHCP server can assign IP addresses to all VMs, make the DHCP server a member of all VLANs using a VLAN ID of 4095.

    Figure 2-2 McAfee MOVE Antivirus deployment using a virtual distributed switch


    This figure highlights McAfee MOVE Antivirus deployment on two clusters using a virtual distributed

    switch.

    Figure 2-3 McAfee MOVE Antivirus deployment using a virtual switch

    This figure highlights a McAfee MOVE Antivirus deployment using a VMware switch. In both situations,

    note that a VLAN is configured in each cluster and each VLAN has a unique ID.

    Deploying McAfee MOVE Antivirus in a cluster with shared VMs

    This scenario is designed for environments that share virtual machines across clusters.

    Task

    1 Create a VLAN for each cluster.

    For more information on setting up VLANs, refer to Appendix A: Configuring VLAN in vSphere clusters.

    2 Install the McAfee MOVE Antivirus Offload Server in each cluster.

    To install multiple offload scan servers in a cluster for high availability and load balancing, refer to Appendix B: Deploying high availability servers in a cluster. For installation instructions, refer to the McAfee MOVE Antivirus Product guide.

    3 Install a McAfee MOVE Antivirus Agent on each master image.


    3 Scaling McAfee MOVE Antivirus installations

    When deployed properly, McAfee MOVE Antivirus is designed to operate in an ever expanding virtual

    environment.

    Contents

    McAfee MOVE Antivirus Scalability Guidelines

    Fine tuning your offload server settings

    Miscellaneous best practices

    McAfee MOVE Antivirus Scalability Guidelines

    During scalability testing, McAfee observed that the McAfee MOVE Antivirus Offload Server uses 5-10% of hypervisor CPU resources for low to high user workloads.

    Depending on the number of hypervisors or CPU cores present in a cluster, you should reserve up to 10% of available CPU cores for McAfee MOVE Antivirus Offload Server virtual servers.

    The following tables help you identify the number of offload scan servers required for a vSphere cluster. All calculations assume a high workload. However, depending upon the workload, you can determine the required number of offload scan servers in a cluster.

    Assumptions

    1 Each hypervisor has 8 cores.

    2 Hyper threading is enabled on each hypervisor (the number of vCPU will be twice the number of

    cores on the hypervisors).

    3 Assign four dedicated vCPUs and 4 GB to each McAfee MOVE Antivirus Offload Server.

    Hypervisors per cluster | Cores per cluster (number of hypervisors * 8) | vCPU per cluster (number of cores * 2) | vCPU required for offload scan servers for a cluster (10% of vCPU) | Number of offload scan servers in a cluster

    2 | 16 | 32 | 3.2 | 2

    8 | 64 | 128 | 12 | 3

    10 | 80 | 160 | 16 | 4

    20 | 160 | 320 | 32 | 8

    35 | 280 | 560 | 56 | 14

    To add multiple offload scan servers to a cluster, use the Microsoft Network Load Balancing (NLB) service.


    McAfee Labs conducted tests to calculate the VM density on hypervisors. Here are the performance

    results.

    1 Performance Tool Used: Login VSI 3.0.2

    2 Workload: Heavy Workload

    3 System Details

    McAfee MOVE Antivirus Offload Server: Windows 2008 R2 SP1 (x64), 4 GB RAM, 4 vCPU

    McAfee MOVE Antivirus Agent: XP-SP3 (x86), 1024 MB RAM, 1 vCPU

    Hypervisor: one hypervisor with ESX 4.1, Citrix PVS 5.6 having 96 GB of RAM, 12 Cores @ 3.324 GHz, Fibre channel disc storage

    Agent OS | Number of hypervisors | Number of VMs in cluster | VSIMXHIT | VSIMAX | Network and disk usage | Login time (sec) | Number of offload scan servers in cluster

    Win XP-SP3 (x86) | 1 | 121 | Yes | 113 | Network: 7500 KBps, Disk: 12,000 KBps | 14 | 1

    Windows 7 (x64) | 1 | 94 | Yes | 85 | Network: 15,000 KBps, Disk: 12,500 KBps | 5 | 1

    Best Practices

    1 Keep offload scan servers on different hypervisors of a vSphere cluster to ensure high availability in

    case one hypervisor goes down.

    2 Keep a minimum of two offload scan servers in a cluster to achieve high availability.

    3 If you find you are hitting limits frequently, consider adding additional scan servers.

    Fine tuning your offload server settings

    McAfee has done testing to try to answer the question "How many clients can a single offload scan server support?"

    General guidelines

    The actual number of clients that can connect to a single offload scan server depends on a number of factors. These include server hardware, network availability, and the amount of workload per client. The optimal configuration will be different in every customer's environment. The primary gating criterion for determining an optimal number of clients a single offload scan server can support is the number of concurrent client scan requests. Offload scan server performance degrades when it receives more concurrent scan requests than it is configured to handle. The concurrent scan limit is defined by the NumThreads parameter in the offload scan server.

    The offload scan server can handle a maximum of 3000 concurrent active connections (heartbeats, scan requests, and server side cache check requests). If the server has reached its maximum of 3000 active connections, any new connection will be accepted but queued for handling until one of the 3000 active connections completes. Each client has a maximum of 6 active connections to an offload scan server (1 connection for a heartbeat and 5 for scan and cache check requests), so the offload scan server can effectively handle a maximum of 500 clients before the connections start to queue. You can increase the number of clients connected to a single offload scan server as long as the number of concurrent scan requests does not exceed the configured NumThreads parameter value. If this value is exceeded, server performance begins to degrade rapidly.

    In general, the fewer actual scan requests received by the offload scan server, the more clients it can

    support. While an offload server can theoretically support up to 500 clients (equal to 3000 possible

    overall connections) the limiting factor is the number of concurrent scan requests that the clients

    trigger. On McAfee's test hardware (a hypervisor having 12 CPUs @ 3.324 GHz, 96 GB RAM, Fibre

    channel disc storage, with 4 vCPUs & 4 GB RAM dedicated to the offload scan server), we determined

    that the maximum number of concurrent scans that could be supported without degrading

    performance was around 400. Based upon these results, we have increased the default value of

    allowed concurrent scans (NumThreads) from 50 in McAfee MOVE Antivirus version 1.5 to 300 in

    McAfee MOVE Antivirus version 2.0.

    If you deploy the McAfee MOVE Antivirus client to server-class machines, be aware that you may reach

    the concurrent scans upper limit much sooner compared to a deployment to desktop systems.

    Important tuning statistics

    When tuning your environment, McAfee recommends monitoring the following items:

    • The offload scan server's CPU usage. It is not uncommon for the CPU usage of the offload scan server to be at or around 100% while it is under heavy load. However, if the offload scan server is under heavy load and the CPU drops to 50%, this is an indication the server is overwhelmed.

    • The offload scan server statistics. Use the mvadm stats command to retrieve these. Look for the Idle Threads number. It is important to make sure that Idle Threads does not fall to 0, because at that point scan requests begin to compete for scan slots. You want to avoid this situation; it is an indication that too many client scan requests are coming in.

    • The offload scan server's network performance. Make sure the network connection is not at or near maximum.

    Ways to improve performance

    The following options are available to increase server performance:

    • Increase scan server CPU power. The CPU is the primary limiting factor in an offload scan server's performance.

    • Ensure high network availability.

    • Increase RAM, but only to a maximum of 4 GB. The offload scan service is a 32-bit application and cannot benefit from additional RAM beyond 4 GB.

    • If the offload scan server becomes overwhelmed, consider excluding client-side log and text files that are frequently modified to reduce the number of scan requests.

    • DAT updates can place a large load on the offload scan server. Make sure you are using McAfee Agent 4.5 patch 2 or later and scheduling DAT updates during non-peak hours.

    Large files and network scanning

    Enabling McAfee MOVE Antivirus network scanning capabilities, then accessing large files across the network, greatly increases the access time for network-based large files. As Distributed File Systems (DFS) are not supported by McAfee MOVE Antivirus or McAfee MOVE Scheduler, McAfee recommends, whenever possible, scanning a file using a scanner closest to the file itself. If a file resides on a network share, rather than enabling McAfee MOVE Antivirus network scanning, use the McAfee anti-virus product on the system where the file resides to scan the file. If the file resides on a NetApp Filer, we recommend using VirusScan Enterprise for Storage to scan the file. With this approach you maintain good performance while still providing protection.

    One manifestation of the large file and network scanning issue is seen when using XenApp6 to stream the virtualized version of Microsoft Word 2007. To improve the application's launch time in this environment, exclude the following processes from anti-virus scanning:

    RadeLauncher.exe

    RadeSvc.exe

    RadeObj.exe

    Miscellaneous best practices

    These are helpful tips and techniques that are not related to performance.

    Quarantine files in non-persistent virtual machines

    In a non-persistent virtual machine, the quarantine folder contents are not saved when a user logs off

    or reboots the virtual machine. The usual workaround for this is to specify the quarantine folder be

    somewhere in the user's home directory. However, if the Windows roaming profile feature is used, the

    quarantine folder can't be saved in the user's home directory as their home directory becomes a

    network location in that environment.

    Balancing offload scan servers to handle downtime

    There is a simple technique to make sure an environment with two offload scan servers (ScanServer1 and ScanServer2) can handle either server going offline without overloading the other server. Once you determine the number of virtual machines (VMs) one offload scan server can handle, split that number of VMs roughly in half by some criteria such as even or odd MAC addresses. Assign one half of those VMs ScanServer1 as their primary scan server and ScanServer2 as their secondary scan server. With a second policy assignment, reverse those assignments for the other half of the VMs. You will now have each offload scan server running at approximately half capacity, but able to absorb the other scan server going offline without any configuration changes.
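The even/odd MAC split described above, together with the sizing rule from the scalability table and the 500-client connection ceiling, as an added PowerShell example (it is not part of the guide and is not McAfee code). The function names are hypothetical, the VM names and MAC addresses are constructed sample data, and `-VMsPerServer` stands for the per-server figure you determined for your own environment.

```powershell
# Added example. Limits are the figures quoted in this chapter.
$MaxConnections       = 3000   # active connections before new ones are queued
$ConnectionsPerClient = 6      # 1 heartbeat + 5 scan and cache check requests
$ConnectionCeiling    = [int][math]::Floor([double]$MaxConnections / $ConnectionsPerClient)

function Get-OffloadServerCount {
    # Scalability table rule: 2 vCPUs per core (hyper-threading), 10% of vCPUs reserved,
    # 4 vCPUs per offload scan server, rounded down as the table does, minimum of two.
    param(
        [Parameter(Mandatory = $true)][int]$Hypervisors,
        [int]$CoresPerHypervisor = 8
    )
    $reservedVCpu = $Hypervisors * $CoresPerHypervisor * 2 * 0.10
    [int][math]::Max(2, [math]::Floor($reservedVCpu / 4))
}

function Get-ScanServerAssignment {
    # Even last MAC octet: ScanServer1 primary, ScanServer2 secondary.
    # Odd last MAC octet: the second policy assignment, with the servers reversed.
    param([Parameter(Mandatory = $true)][object[]]$VMs)
    foreach ($vm in $VMs) {
        $hex = $vm.Mac -replace '[-:.]', ''
        if ($hex -notmatch '^[0-9A-Fa-f]{12}$') {
            throw "Bad MAC address for $($vm.Name): $($vm.Mac)"
        }
        $even = ([Convert]::ToInt32($hex.Substring(10, 2), 16) % 2) -eq 0
        if ($even) { $primary = 'ScanServer1'; $secondary = 'ScanServer2' }
        else       { $primary = 'ScanServer2'; $secondary = 'ScanServer1' }
        New-Object PSObject -Property @{
            Name = $vm.Name; Mac = $vm.Mac; Primary = $primary; Secondary = $secondary
        }
    }
}

function Test-FailoverHeadroom {
    # Either server must be able to carry every VM when the other goes offline.
    # VMsPerServer cannot exceed 500, the connection ceiling (3000 / 6).
    param(
        [Parameter(Mandatory = $true)][object[]]$Assignment,
        [ValidateRange(1, 500)][int]$VMsPerServer = $ConnectionCeiling
    )
    $onServer1 = @($Assignment | Where-Object { $_.Primary -eq 'ScanServer1' }).Count
    $onServer2 = @($Assignment).Count - $onServer1
    New-Object PSObject -Property @{
        ScanServer1Normal = $onServer1
        ScanServer2Normal = $onServer2
        LoadAfterFailover = $onServer1 + $onServer2
        VMsPerServer      = $VMsPerServer
        SurvivesFailover  = ($onServer1 + $onServer2) -le $VMsPerServer
    }
}

# Constructed sample: eight VMs, and a determined capacity of ten VMs per offload scan server.
$sampleVMs = 0..7 | ForEach-Object {
    New-Object PSObject -Property @{ Name = "vdi-$_"; Mac = ('00:50:56:AA:00:{0:X2}' -f $_) }
}
$assignment = Get-ScanServerAssignment -VMs $sampleVMs
$assignment | Format-Table Name, Mac, Primary, Secondary -AutoSize | Out-String
Test-FailoverHeadroom -Assignment $assignment -VMsPerServer 10 |
    Format-List ScanServer1Normal, ScanServer2Normal, LoadAfterFailover, VMsPerServer, SurvivesFailover |
    Out-String
"Offload scan servers for an 8-hypervisor cluster: $(Get-OffloadServerCount -Hypervisors 8)"
```

MAC parity is only roughly even in practice, so compare the two normal-load counts before relying on the split.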

    Scanning offline virtual images in a VMware environment

    When VirusScan Enterprise for Offline Virtual Images begins scanning an offline VMware virtual

    machine, it locks the image until the scan is complete. The virtual machine cannot be started until the

    scan is complete. Use a policy that schedules offline virtual image scanning in off-peak hours only.


    A Configuring VLANs in VMware vSphere clusters

    McAfee recommends that if you use the same master image to provision virtual machines in multiple clusters, you create a dedicated VLAN in each cluster to handle McAfee MOVE Antivirus deployment. This helps maintain the same IP address for the McAfee MOVE Antivirus Offload Server across all VLANs.

    You can create VLANs using a virtual switch or a virtual distributed switch. These steps create VLANs in each environment.

    Contents

    Prerequisites for creating VLANs

    Configure a VMware vShield VLAN using a Virtual Distributed Switch

    Configuring VLAN using a virtual switch

    Configuring the DHCP server in virtual guest tagging mode

    Prerequisites for creating VLANs

    These conditions must exist for McAfee MOVE Antivirus to work in a VMware vShield VLAN environment.

    • The virtual switch or virtual distributed switch is available.

      Virtual distributed switches are available with the VMware Enterprise Plus license.

    • The physical network interface cards (NIC) for all hypervisors selected for McAfee MOVE Antivirus communication are connected to the trunk port of the physical switch.

    • One virtual NIC has been added to each VM.

    • A dedicated virtual machine is hosting the DHCP server.

    • All VLANs are configured on the physical switch.

    Configure a VMware vShield VLAN using a Virtual Distributed Switch

    A VLAN must be configured in a specific way to be compatible with McAfee MOVE Antivirus.

    Task

    1 Create a Virtual Distributed Switch (VDS).

    If you are using an existing VDS, skip step 2.


    2 Add the physical NICs of all hypervisors in the VDS selected for VLAN.

    A single VDS supports 64 hypervisors. If you are using more than 64 hypervisors, create a new VDS.

    3 Create a port group for each cluster on the VDS.

    4 Assign a unique VLAN ID to each port group.

    5 Add virtual network interface cards (vNIC) to all VMs.

    6 Add all VMs to the cluster VLAN by using the vNIC of each VM.

    7 Create VLANs on the physical switch with the same VLAN ID as created on the VDS.

    8 Allocate IP addresses to VMs in the VLANs by configuring the DHCP server.

    a Create a port group on the vDS and select VLAN type as VLAN Trunking.

    b Specify the range of VLANs to accommodate all VLANs created for the clusters.

    c Add the DHCP server to the port group.

    d Configure the DHCP VM in VGT (Virtual Guest Tagging) mode to make it a member of all cluster

    VLANs so that a single DHCP server can be used to assign IP addresses to all VMs. See Configuring the DHCP server in Virtual Guest Tagging mode for further information.

    Configuring VLAN using a virtual switch

    A VLAN can be created using a virtual switch so it is compatible with McAfee MOVE Antivirus.

    Task

    1 Create a port group on vSwitch for all hypervisors in the cluster.

    2 Assign the VLAN ID to the port group in each vSwitch.

    3 Add a virtual NIC (vNIC) to all virtual machines (VMs).

    4 Add the VMs to the cluster VLAN by using the vNIC of each VM.

    5 Create VLANs on the physical switch with the same VLAN ID as created on the virtual switches.

    6 Allocate IP addresses to the VMs in all VLANs by configuring the DHCP server.

    a Create a port group on the vSwitch of the hypervisor where the DHCP server is hosted and set

    the VLAN ID to 4095.

    b Add the DHCP server to the port group (VLAN ID = 4095).

    c Configure the DHCP virtual machine in virtual guest tagging mode to make it a member of all

    cluster VLANs so that a single DHCP server can be used to assign IP addresses to all VMs. See

    Configuring the DHCP server in virtual guest tagging mode for more information.
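
    A read-only check of the standard vSwitch layout built in steps 1 to 6, as an added example that is not part of the McAfee guide. It assumes VMware PowerCLI with an existing Connect-VIServer session; the cluster, port group and VM names and the VLAN ID are placeholders. A port group set to VLAN ID 4095 passes tagged frames for every VLAN to the guest, so the check also reports any VM other than the DHCP server attached to it.

```powershell
# Added example, not from the McAfee guide. Read-only audit of a standard vSwitch layout.
# All names and IDs below are placeholders (assumptions) to replace with your own.
$ClusterName   = 'VDI-Cluster-01'
$ClusterPgName = 'MOVE-Cluster01'   # port group created in steps 1-2
$ClusterVlanId = 101                # VLAN ID also created on the physical switch (step 5)
$DhcpVmName    = 'move-dhcp-01'
$DhcpPgName    = 'MOVE-DHCP-VGT'    # port group created in step 6a

$findings = @()

# Steps 1-2: every hypervisor in the cluster has the port group with the same VLAN ID.
foreach ($vmhost in @(Get-Cluster -Name $ClusterName | Get-VMHost)) {
    $pg = Get-VirtualPortGroup -VMHost $vmhost -Name $ClusterPgName -ErrorAction SilentlyContinue
    if (-not $pg) {
        $findings += "$($vmhost.Name): port group '$ClusterPgName' is missing"
    } elseif ($pg.VLanId -ne $ClusterVlanId) {
        $findings += "$($vmhost.Name): VLAN ID $($pg.VLanId), expected $ClusterVlanId"
    }
}

# Step 6a: the port group on the DHCP server's hypervisor uses VLAN ID 4095.
$dhcpVm = Get-VM -Name $DhcpVmName
$dhcpPg = Get-VirtualPortGroup -VMHost $dhcpVm.VMHost -Name $DhcpPgName -ErrorAction SilentlyContinue
if (-not $dhcpPg) {
    $findings += "DHCP port group '$DhcpPgName' is missing on $($dhcpVm.VMHost.Name)"
} elseif ($dhcpPg.VLanId -ne 4095) {
    $findings += "DHCP port group VLAN ID is $($dhcpPg.VLanId), expected 4095"
}

# Step 6b: only the DHCP server belongs on the 4095 port group, because any
# guest attached to it receives tagged traffic from all cluster VLANs.
$nics = @(Get-VM | Get-NetworkAdapter | Where-Object { $_.NetworkName -eq $DhcpPgName })
foreach ($nic in $nics) {
    if ($nic.Parent.Name -ne $DhcpVmName) {
        $findings += "$($nic.Parent.Name) is attached to '$DhcpPgName'"
    }
}

if ($findings.Count -eq 0) { 'VLAN layout matches the procedure.' } else { $findings }
```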


    Configuring the DHCP server in virtual guest tagging mode

    You must configure the DHCP server virtual machine in virtual guest tagging (VGT) mode for use in

    McAfee MOVE Antivirus VLANs.

    Task

    1 Install the DHCP server on the virtual machine (VM) and choose a class B address for scoping.

    Create a single scope for IP addresses of all VMs across different cluster VLANs.

    2 Add a type E1000 virtual NIC (vNIC) to the DHCP server VM.

    3 Install the Intel driver that supports VGT.

    You can download the Intel driver from http://www.intel.com/support/network/sb/cs-006120.htm.

    4 Right-click the vNIC icon on the DHCP server and select Properties | Configure | VLANs.

    5 Add the cluster VLANs.

    A new network adapter is automatically added for each VLAN.

    6 Specify a static IP address for the network adapter.

    Considering the virtual device infrastructure size, it is advisable to use the class B addressing scheme

    that provides close to 60000 unique IP addresses.


    B

    Deploying high availability servers in a cluster

    In a typical virtual device infrastructure (VDI) deployment scenario, there are multiple hypervisors in a

    cluster. It is usually necessary to deploy multiple McAfee MOVE Antivirus Offload Server virtual

    machines for load balancing and high availability (HA) in this kind of environment.

    You can deploy multiple McAfee MOVE Antivirus Offload Server VMs in a cluster by using the Microsoft

    network load balancing (NLB) service. The number of servers you deploy should follow the scalability

    guidelines.

    Within this document, the group of offload scan servers managed by the NLB service is referred to as

    the NLB server cluster. The NLB server cluster is transparent to McAfee MOVE Antivirus Agents and the

    Agents communicate with the NLB server cluster using its virtual IP address. The NLB server cluster's

    virtual IP address is configured with McAfee MOVE Antivirus policy in ePolicy Orchestrator.


    When using NLB server clusters, you do not need to deploy secondary offload scan servers because HA

    will be provided by the NLB server cluster. To monitor the health of a McAfee MOVE Antivirus Offload

    Server, deploy the external monitoring script provided with the McAfee MOVE Antivirus deployment kit.

    Figure B-1 NLB server cluster - clusters using dedicated master images for VMs

    Figure B-2 NLB server cluster - clusters sharing master images for VMs


    Create NLB server clusters

    These tasks create a McAfee MOVE Antivirus compatible server cluster.

    Tasks

    Install network load balancing

    Network load balancing must be installed before use.

    Create a server cluster

    Create the cluster after the Network Load Balancing feature is installed.

    Schedule the monitor script on each McAfee MOVE Antivirus Offload Server

    McAfee provides a script that checks the health of an offload scan server as well as

    controlling scan traffic based on load.

    Install network load balancing

    Network load balancing must be installed before use.

    This feature is not installed on Windows Server 2008 R2 by default.

    Task

    1 Ensure all McAfee MOVE Antivirus Offload Server virtual machines in the cluster are in the same

    domain and subnet.

    2 Navigate to Administrative Tools | Server Manager.

    3 In the Server Manager window, select Select Features | Add Features.

    4 Select Network Load Balancing.

    5 Click OK.

    Create a server cluster

    Create the cluster after the Network Load Balancing feature is installed.

    Task

    1 Navigate to Administrative Tools | Network Load Balancing Manager.

    2 In the Network Load Balancing Manager window, select Cluster | New Cluster.

    3 In the New Cluster: Connect window, enter the IP address of the McAfee MOVE Antivirus Offload Server

    and click Connect.

    4 Select the interface name based on your setup (whether using VLAN or not) and click Next.

    5 Review the information and click Next.

    6 In the New Cluster: Cluster IP Addresses window, click Add.

    7 In the Add IP Address window, select Add IPv4 address and enter the virtual IP address of the servers to

    include in the NLB server cluster. Click OK.

    8 Click Next.

    9 In the New Cluster: Cluster Parameters window, enter the cluster name in the Full Internet name field.

    10 Select Multicast. Click Next.

    11 In the New Cluster: Port Rules window, click Edit.


    12 In the Add/Edit Port Rule window, deselect All.

    13 Select the virtual IP address of the NLB cluster and specify the port range from 9053 to 9053 or the

    non-default port which you selected during McAfee MOVE Antivirus Offload Server installation.

    14 Set the protocol to TCP and click OK.

    15 Set the Filtering mode to Multiple host, and set the Affinity to None.

    16 Click Finish to create the cluster.
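
    The two tasks above (installing network load balancing and creating the server cluster), scripted with the Windows Server 2008 R2 ServerManager and NetworkLoadBalancingClusters modules. This is an added example, not part of the McAfee guide; the interface name, cluster name, virtual IP address and subnet mask are placeholders. The final check fails if the virtual IP address load balances anything other than the Offload Server scan port.

```powershell
# Added example, not from the McAfee guide. Run elevated on the first Offload Server.
# Every value in this block is a placeholder (assumption) to replace with your own.
$InterfaceName = 'Local Area Connection'   # interface selected in step 4
$ClusterIP     = '172.16.0.10'             # virtual IP address of the NLB server cluster
$SubnetMask    = '255.255.0.0'
$ClusterName   = 'move-nlb.example.local'  # "Full Internet name" in step 9
$ScanPort      = 9053                      # or the non-default port chosen at installation

# Install network load balancing: the feature plus its management tools.
Import-Module ServerManager
Add-WindowsFeature NLB, RSAT-NLB | Out-Null

# Create the server cluster in multicast mode, bound to the virtual IP address.
Import-Module NetworkLoadBalancingClusters
New-NlbCluster -InterfaceName $InterfaceName -ClusterName $ClusterName `
    -ClusterPrimaryIP $ClusterIP -SubnetMask $SubnetMask `
    -OperationMode Multicast | Out-Null

# A new cluster starts with a default rule covering every port. Remove it so
# the virtual IP address balances only Offload Server scan traffic.
Get-NlbClusterPortRule -InterfaceName $InterfaceName |
    Remove-NlbClusterPortRule -Force

# Steps 12-15: one TCP rule for the scan port, multiple host, no affinity.
Add-NlbClusterPortRule -InterfaceName $InterfaceName -IP $ClusterIP `
    -StartPort $ScanPort -EndPort $ScanPort `
    -Protocol Tcp -Mode Multiple -Affinity None | Out-Null

# Verify: exactly one rule, and it covers only the scan port.
$rules = @(Get-NlbClusterPortRule -InterfaceName $InterfaceName)
$bad   = @($rules | Where-Object {
    $_.StartPort -ne $ScanPort -or $_.EndPort -ne $ScanPort
})
$rules | Format-List *
if ($rules.Count -ne 1 -or $bad.Count -ne 0) {
    throw "Unexpected NLB port rules: expected a single rule for TCP $ScanPort."
}
```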

    Schedule the monitor script on each McAfee MOVE Antivirus Offload Server

    McAfee provides a script that checks the health of an offload scan server as well as controlling scan

    traffic based on load.

    If a server is down or not responding, the script removes the host from the NLB server cluster. After

    the McAfee MOVE Antivirus Offload Server returns, the script automatically adds the host back to the

    NLB server cluster. This script also places a log entry in the Windows Event Viewer when either event

    occurs.

    Task

    1 Navigate to Administrative Tools | Task Scheduler.

    2 In the Task Scheduler window, select Create Task in the Actions panel.

    3 Select Run whether user is logged on or not and Do not store password.

    4 Select the Triggers tab. Click New.

    5 In the New Trigger window, select At startup in the Begin the task list. Click OK.

    6 Select the Action tab. Click New.

    7 In the New Action window, select Start a program in the Action list.

    8 Enter cscript.exe in the Program/Script field.

    9 Specify the name of the monitoring script (move-av-monitor.vbs) in the Add arguments field. Click OK.

    10 Select the Conditions tab.

    11 Deselect Start the task only if the computer is on AC power. Click OK to schedule the task.

