
Deployment Guide

McAfee MOVE Antivirus 2.0.0


For use with ePolicy Orchestrator 4.5.0 and 4.6.0

COPYRIGHT

Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION License Agreement


NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
    About this guide
        Audience
        Conventions
        What's in this guide
    Finding product documentation

1   Introduction

2   Common deployment scenarios
    Clusters with dedicated master images
        Deploying McAfee MOVE Antivirus in a cluster
    Clusters with shared master images
        Deploying McAfee MOVE Antivirus in a cluster with shared VMs
    McAfee MOVE Antivirus with Distributed Resource Scheduler and High Availability

3   Scaling McAfee MOVE Antivirus installations
    McAfee MOVE Antivirus Scalability Guidelines
    Fine tuning your offload server settings
    Miscellaneous best practices

A   Configuring VLANs in VMware vSphere clusters
    Prerequisites for creating VLANs
    Configure a VMware vShield VLAN using a Virtual Distributed Switch
    Configuring VLAN using a virtual switch
    Configuring the DHCP server in virtual guest tagging mode

B   Deploying high availability servers in a cluster
    Create NLB server clusters
        Install network load balancing
        Create a server cluster
    Schedule the monitor script on each McAfee MOVE Antivirus Offload Server

Index


Preface

This guide provides the information you need to install your McAfee product.

Contents
    About this guide
    Finding product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators: people who implement and enforce the company's security program.

Conventions
This guide uses the following typographical conventions and icons. Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold User input or Path
Code

Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program. A code sample. Words in the user interface including options, menus, buttons, and dialog boxes. A live link to a topic or to a website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product.

User interface Hypertext blue


What's in this guide


This guide is organized to help you find the information you need. This document outlines recommended deployment strategies and usage tips to help you get the most from your McAfee MOVE AV installation while having the smallest possible impact on performance.

Finding product documentation


McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1  Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2  Under Self Service, access the type of information you need:

   User documentation
      1  Click Product Documentation.
      2  Select a product, then select a version.
      3  Select a product document.

   KnowledgeBase
      Click Search the KnowledgeBase for answers to your product questions.
      Click Browse the KnowledgeBase for articles listed by product and version.


Introduction

This document provides guidelines for deploying McAfee MOVE Antivirus in different Virtual Desktop Infrastructure (VDI) environments. McAfee MOVE Antivirus scalability information is also included. This document assumes that the user has a basic understanding of McAfee MOVE Antivirus functionality. For more information on McAfee MOVE Antivirus functionality, please refer to the McAfee MOVE Antivirus Product Guide. McAfee recommends you read the entire document before starting a McAfee MOVE Antivirus deployment.


Common deployment scenarios

Here are some common scenarios for McAfee MOVE Antivirus deployment.

Contents
    Clusters with dedicated master images
    Clusters with shared master images
    McAfee MOVE Antivirus with Distributed Resource Scheduler and High Availability

Clusters with dedicated master images


In this scenario, the master images are associated with a cluster or pool and are not shared across clusters or pools.

Deployment Approach
A dedicated McAfee MOVE Antivirus Offload Server needs to be set up for each cluster or pool. For each master image associated with a cluster:
• Install and configure the McAfee MOVE Antivirus Agent
• Configure a McAfee MOVE Antivirus policy with the IP address of the McAfee MOVE Antivirus Offload Server

Effectively, you create a single cluster-specific policy and apply it to all master images associated with a cluster. To enforce cluster-specific McAfee MOVE Antivirus policies from ePolicy Orchestrator, you need to:
• Create cluster-specific groups in ePolicy Orchestrator
• Sort VMs into the cluster-specific groups in ePolicy Orchestrator using its tagging feature
• Enforce the cluster-specific McAfee MOVE Antivirus policy on the cluster groups

Figure 2-1 McAfee MOVE Antivirus deployment for clusters with dedicated master images

Deploying McAfee MOVE Antivirus in a cluster


Properly deploying McAfee MOVE Antivirus into a cluster involves extra configuration work.

Task
1  Install a McAfee MOVE Antivirus Offload Server in each cluster.
   To install multiple McAfee MOVE Antivirus Offload Server virtual machines (VMs) in a cluster for High Availability (HA) and load balancing, see Appendix B: Deploying high availability servers in a cluster. To review McAfee MOVE Antivirus Offload Server installation steps, refer to the McAfee MOVE Antivirus Offload Server Product Guide.
2  Install the McAfee MOVE Antivirus Agent on each master image. For information, refer to the McAfee MOVE Antivirus Product Guide.
3  Configure the following McAfee MOVE Antivirus policy parameters on each master image.

       > mvadm config set Serveraddress1=<IP address of MOVE AV server>
       > mvadm enable

   You do not need to configure a secondary McAfee MOVE Antivirus Offload Server, because high availability and load balancing can be achieved with an industry-standard load balancing solution such as Microsoft network load balancing (NLB).
4  Verify that McAfee MOVE Antivirus protection status is enabled on the master image by executing the mvadm status command.
5  Create cluster-specific tags in each master image.
   a  Add the CustomProps registry key entry at the following location:
      For 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
      For 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent
   b  Create a string value named CustomProps1.
   c  Edit the CustomProps1 string value to set the value data to the <cluster-name>.
6  Stop the McAfee Framework service.
7  Delete the AgentGUID registry value.
      For 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
      For 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent
8  Shut down the master image.
9  Create cluster-specific tags in ePolicy Orchestrator.
   a  Navigate to Menu | Systems | Tag Catalog, then click Tag Action | New Tag.
   b  Specify the tag name and click Next.
   c  Select Custom 1 from the Available Properties list.
   d  Set the Custom 1 value to the cluster name and click Next.
   e  Select On each agent-server communication and when a "Run Tag Criteria" action is taken.
   f  Click Next.
   g  Review the summary and click Save.
10 Create cluster-specific subgroups in the ePolicy Orchestrator System Tree.
   a  Navigate to Menu | Systems | System Tree.
   b  Select System Tree Action | New Subgroup.
   c  Enter the subgroup name for the cluster and click OK.
11 Sort the subgroups.
   a  Navigate to Menu | Systems | System Tree.
   b  Select the subgroup from the System Tree.
   c  Select the Group Details tab.
   d  Edit the sorting criteria.
   e  Select Systems that match any of the criteria below (IP addresses and/or tags).
   f  Click Add Tags.
   g  Select the cluster-specific tags.
   h  Click Save.
12 Enable System Tree sorting for the VMs in ePolicy Orchestrator.
   a  Navigate to Menu | Systems | System Tree.
   b  Select all VMs.
   c  Select Actions | Directory Management | Change Sorting Status.
   d  Select Enable System Tree sorting on selected systems.
   e  Click OK.
   Note: If some VMs in ePolicy Orchestrator are under the Lost&Found group and sorting status is enabled, those VMs are not sorted at agent-server communication; they are only tagged. To sort them manually, select all systems and choose Actions | Directory Management | Sort Now.
13 Create and enforce a cluster-specific policy for each cluster group in ePolicy Orchestrator.
14 Start the VMs. After the VMs start, they are sorted into the cluster-specific groups in ePolicy Orchestrator at the first agent-server communication interval.

Clusters with shared master images


In this scenario, the master images are shared and used to provision VMs across multiple clusters or pools, but each cluster or pool has its own McAfee MOVE Antivirus Offload Server. Install and configure the McAfee MOVE Antivirus Agent on each master image. Because a single image is used for VMs across multiple clusters or pools, only one McAfee MOVE Antivirus Offload Server IP address can be configured in the McAfee MOVE Antivirus policy for the master image, so the policy cannot name each cluster's own offload scan server. This is resolved by creating a dedicated Virtual Local Area Network (VLAN) for each cluster or pool and giving the offload scan server in every VLAN the same IP address. The McAfee MOVE Antivirus Agent policy in the master image is then configured with that single IP address, and the Agents and offload scan server communicate within their cluster- or pool-specific VLAN.

Implementation of Solution on VMware vSphere


On VMware vSphere, the proposed solution can be implemented using a VMware virtual distributed switch (vDS) or a vSwitch.


If vDS is available, create a VLAN for each cluster and add all VMs in the cluster to the VLAN. A Dynamic Host Configuration Protocol (DHCP) server can be used to assign IP addresses to VMs in all VLANs. To ensure the DHCP server can assign IP addresses to all VMs, add the DHCP server to all VLANs by using the VLAN trunking feature of vDS.

If vDS is not available, create a VLAN with the same ID on the vSwitch of every hypervisor belonging to a cluster, and ensure that the VLAN ID used for each cluster is different. The DHCP server can again assign IP addresses to VMs in all VLANs; to make the DHCP server a member of all VLANs, place it in a port group with VLAN ID 4095.

Figure 2-2 McAfee MOVE Antivirus deployment using a virtual distributed switch

This figure highlights a McAfee MOVE Antivirus deployment on two clusters using a virtual distributed switch.

Figure 2-3 McAfee MOVE Antivirus deployment using a virtual switch

This figure highlights a McAfee MOVE Antivirus deployment using a VMware virtual switch. In both situations, note that a VLAN is configured in each cluster and each VLAN has a unique ID.

Deploying McAfee MOVE Antivirus in a cluster with shared VMs


This scenario is designed for environments that share virtual machines across clusters.

Task
1  Create a VLAN for each cluster. For more information on setting up VLANs, refer to Appendix A: Configuring VLANs in vSphere clusters.
2  Install the McAfee MOVE Antivirus Offload Server in each cluster. To install multiple offload scan servers in a cluster for high availability and load balancing, refer to Appendix B: Deploying high availability servers in a cluster. For installation instructions, refer to the McAfee MOVE Antivirus Product Guide.
3  Install a McAfee MOVE Antivirus Agent on each master image.
4  Configure the following McAfee MOVE Antivirus policy parameters on the master image.

       > mvadm config set Serveraddress1=<IP address of MOVE AV server>
       > mvadm enable

   You do not need to configure a secondary offload scan server, because high availability and load balancing can be achieved with an industry-standard load balancing solution such as Microsoft network load balancing (NLB).
   Verify that McAfee MOVE Antivirus protection status is enabled on the master image by executing the mvadm status command.
5  Configure the McAfee MOVE Antivirus policy in ePolicy Orchestrator and apply it to My Organization in the ePolicy Orchestrator System Tree.
6  Delete the AgentGUID registry value.
      For 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
      For 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent
7  Shut down the master image and provision all VMs from the master image.
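The master-image steps that both procedures share (point the agent at the offload scan server with mvadm, stop the McAfee Framework service, delete AgentGUID) and the CustomProps1 tagging step that only the dedicated-master-image procedure needs can be scripted so that every master image is prepared the same way. The PowerShell script below is an added example; it is not part of this guide or of the McAfee product. It assumes mvadm.exe is on the PATH, that the McAfee Framework service's display name begins with "McAfee Framework", and that it runs elevated on the master image. Pass -ClusterName for the dedicated-master-image procedure (step 5); omit it for the shared-master-image procedure, which sets no tag.

```powershell
# Added example, not from the McAfee guide: prepare a MOVE AV master image.
# Assumptions: mvadm.exe is on PATH; the McAfee Framework service's display
# name starts with "McAfee Framework"; the script runs elevated on the image.
param(
    [Parameter(Mandatory = $true)] [string]$OffloadServerIp,
    [string]$ClusterName     # optional: only for the dedicated-master-image case
)
$ErrorActionPreference = 'Stop'

# Point the agent at the cluster's offload scan server, enable it, and show
# its status so the administrator can confirm protection is enabled.
& mvadm config set "Serveraddress1=$OffloadServerIp"
& mvadm enable
& mvadm status

# The ePO agent's key: the 32-bit agent lives under Wow6432Node on 64-bit Windows.
$agentKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
} else {
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent'
}
if (-not (Test-Path $agentKey)) { throw "ePO agent registry key not found: $agentKey" }

# Dedicated images only: CustomProps1 is reported to ePO as the "Custom 1"
# property that the cluster tag's criterion matches on.
if ($ClusterName) {
    New-ItemProperty -Path $agentKey -Name 'CustomProps1' -PropertyType String `
        -Value $ClusterName -Force | Out-Null
}

# Stop the McAfee Framework service before editing AgentGUID.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'McAfee Framework*' } |
    Select-Object -First 1
if (-not $svc) { throw 'McAfee Framework service not found' }
Stop-Service -InputObject $svc -Force
$svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Remove AgentGUID so each VM provisioned from this image registers with ePO
# under its own identity instead of every clone sharing the image's GUID.
$props = Get-ItemProperty -Path $agentKey
if ($props.PSObject.Properties['AgentGUID']) {
    Remove-ItemProperty -Path $agentKey -Name 'AgentGUID'
}

# Show the state that will be baked into the image; the administrator then
# shuts the image down and provisions VMs from it.
Get-ItemProperty -Path $agentKey | Select-Object CustomProps1, AgentGUID
```

Run it once per master image immediately before shutdown. If AgentGUID is left in place, every VM cloned from the image reports the same GUID and the clones overwrite each other's entry in the ePolicy Orchestrator System Tree, so the tag-based sorting described above never sees them as separate systems.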

McAfee MOVE Antivirus with Distributed Resource Scheduler and High Availability
McAfee MOVE Antivirus is compatible with VMware Distributed Resource Scheduler (DRS) and High Availability (HA). McAfee MOVE Antivirus Agents can be migrated to another hypervisor or cluster. However, McAfee recommends not migrating a McAfee MOVE Antivirus Offload Server across clusters or hypervisors, because doing so could disrupt the connection between McAfee MOVE Antivirus Agents and their offload scan server. If that communication is terminated, protection is disabled until the McAfee MOVE Antivirus Agents re-establish a connection with their offload scan server. McAfee recommends that you create affinity rules for the McAfee MOVE Antivirus Offload Server to disable automatic migration to a different hypervisor.
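The affinity rule recommended above can be expressed as a DRS VM-Host rule that pins each offload scan server to one hypervisor. The PowerCLI script below is an added example, not from this guide or from McAfee or VMware. It assumes a PowerCLI version that has the DRS group cmdlets (New-DrsClusterGroup, New-DrsVMHostRule), that Connect-VIServer has already been run, and that the cluster, VM and host names in $Pinning are placeholders. It pins two offload scan servers to two different hosts, which is also what the best practices in the scalability chapter call for.

```powershell
# Added example, not from the McAfee guide: pin each MOVE AV offload scan
# server to its own hypervisor with a DRS "must run on" VM-Host rule so that
# DRS never migrates it. Assumes PowerCLI is loaded and Connect-VIServer was
# run; the cluster, VM and host names below are placeholders.
param(
    [string]$ClusterName = 'VDI-Cluster-01',
    [hashtable]$Pinning = @{
        'MOVE-Offload-01' = 'esx01.example.com'
        'MOVE-Offload-02' = 'esx02.example.com'
    }
)
$ErrorActionPreference = 'Stop'
$cluster = Get-Cluster -Name $ClusterName

# Refuse to pin two offload servers to the same host: one host failure would
# then take down both and leave the cluster's agents without a scan server.
$dupes = $Pinning.Values | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Several offload servers map to host(s): $($dupes.Name -join ', ')" }

foreach ($vmName in $Pinning.Keys) {
    $vm  = Get-VM -Name $vmName -Location $cluster
    $esx = Get-VMHost -Name $Pinning[$vmName] -Location $cluster

    # One VM group and one host group per offload server, joined by a Must rule.
    $vmGroup   = New-DrsClusterGroup -Name "$vmName-VM"   -Cluster $cluster -VM $vm
    $hostGroup = New-DrsClusterGroup -Name "$vmName-Host" -Cluster $cluster -VMHost $esx
    New-DrsVMHostRule -Name "Pin-$vmName" -Cluster $cluster -VMGroup $vmGroup `
        -VMHostGroup $hostGroup -Type MustRunOn -Enabled $true | Out-Null
}

# Review the rules that were created.
Get-DrsVMHostRule -Cluster $cluster | Where-Object { $_.Name -like 'Pin-*' } |
    Select-Object Name, Type, Enabled, VMGroup, VMHostGroup
```

A "must run on" rule is also honoured by vSphere HA: if the pinned host fails, HA does not restart that offload scan server elsewhere. This is the reason to run at least two offload scan servers on different hosts behind NLB, so the agents still have a scan server while the pinned one is down.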


Scaling McAfee MOVE Antivirus installations

When deployed properly, McAfee MOVE Antivirus is designed to operate in an ever-expanding virtual environment.

Contents
    McAfee MOVE Antivirus Scalability Guidelines
    Fine tuning your offload server settings
    Miscellaneous best practices

McAfee MOVE Antivirus Scalability Guidelines


During scalability testing, McAfee observed that the McAfee MOVE Antivirus Offload Server uses 5-10% of hypervisor CPU resources for low to high user workloads. Depending on the number of hypervisors or CPU cores present in a cluster, you should reserve up to 10% of the available CPU cores for McAfee MOVE Antivirus Offload Server virtual servers. The following table helps you identify the number of offload scan servers required for a vSphere cluster. All calculations assume a high workload; for a lighter workload you can derive the required number of offload scan servers in a cluster the same way.

Assumptions
1  Each hypervisor has 8 cores.
2  Hyperthreading is enabled on each hypervisor (the number of vCPUs is twice the number of cores on the hypervisors).
3  Four dedicated vCPUs and 4 GB of RAM are assigned to each McAfee MOVE Antivirus Offload Server.

Hypervisors    Cores per cluster      vCPUs per cluster    vCPUs required for offload     Number of offload scan
per cluster    (hypervisors x 8)      (cores x 2)          scan servers (10% of vCPUs)    servers in the cluster
2              16                     32                   3.2                            2
8              64                     128                  12                             3
10             80                     160                  16                             4
20             160                    320                  32                             8
35             280                    560                  56                             14

To add multiple offload scan servers to a cluster, use the Microsoft Network Load Balancing (NLB) service.


McAfee Labs conducted tests to calculate the VM density on hypervisors. Here are the performance results.

1  Performance tool used: Login VSI 3.0.2
2  Workload: Heavy
3  System details
   McAfee MOVE Antivirus Offload Server: Windows 2008 R2 SP1 (x64), 4 GB RAM, 4 vCPU
   McAfee MOVE Antivirus Agent: Windows XP SP3 (x86), 1024 MB RAM, 1 vCPU
   Hypervisor: one hypervisor with ESX 4.1, Citrix PVS 5.6, 96 GB of RAM, 12 cores @ 3.324 GHz, Fibre Channel disk storage

Agent OS            Number of     Number of VSI    VSI MAX   HIT VSI   Network and disk usage                    Login time   Number of offload scan
                    hypervisors   VMs in cluster             MAX                                                 (sec)        servers in cluster
Win XP SP3 (x86)    1             121              113       Yes       Network: 7500 KBps, Disk: 12,000 KBps     14           1
Windows 7 (x64)     1             94               85        Yes       Network: 15,000 KBps, Disk: 12,500 KBps   -            1

Best Practices
1  Keep offload scan servers on different hypervisors of a vSphere cluster to ensure high availability in case one hypervisor goes down.
2  Keep a minimum of two offload scan servers in a cluster to achieve high availability.
3  If you find you are hitting limits frequently, consider adding additional scan servers.

Fine tuning your offload server settings


McAfee has done testing to try to answer the question "How many clients can a single offload scan server support?"

General guidelines
The actual number of clients that can connect to a single offload scan server depends on a number of factors, including server hardware, network availability, and the amount of workload per client. The optimal configuration is different in every customer's environment.

The primary gating criterion for the number of clients a single offload scan server can support is the number of concurrent client scan requests. Offload scan server performance degrades when it receives more concurrent scan requests than it is configured to handle; the concurrent scan limit is defined by the NumThreads parameter in the offload scan server.

The offload scan server can handle a maximum of 3000 concurrent active connections (heartbeats, scan requests, and server-side cache check requests). Once the server has reached 3000 active connections, any new connection is accepted but queued until one of the 3000 active connections completes. Each client holds at most 6 active connections to an offload scan server (1 for the heartbeat and 5 for scan and cache check requests), so an offload scan server can effectively handle a maximum of 500 clients before connections start to queue. You can increase the number of clients connected to a single offload scan server as long as the number of concurrent scan requests does not exceed the configured NumThreads value; if that value is exceeded, server performance begins to degrade rapidly. In general, the fewer actual scan requests the offload scan server receives, the more clients it can support.

While an offload scan server can theoretically support up to 500 clients (3000 possible connections in total), the limiting factor is the number of concurrent scan requests the clients trigger. On McAfee's test hardware (a hypervisor with 12 CPUs @ 3.324 GHz, 96 GB RAM and Fibre Channel disk storage, with 4 vCPUs and 4 GB RAM dedicated to the offload scan server), the maximum number of concurrent scans that could be supported without degrading performance was around 400. Based on these results, the default value of allowed concurrent scans (NumThreads) has been increased from 50 in McAfee MOVE Antivirus version 1.5 to 300 in McAfee MOVE Antivirus version 2.0.

If you deploy the McAfee MOVE Antivirus client to server-class machines, be aware that you may reach the concurrent scan upper limit much sooner than in a deployment to desktop systems.

Important tuning statistics


When tuning your environment, McAfee recommends monitoring the following items:
• The offload scan server's CPU usage. It is not uncommon for the CPU usage of the offload scan server to be at or around 100% while it is under heavy load. However, if the offload scan server is under heavy load and the CPU drops to 50%, this is an indication that the server is overwhelmed.
• The offload scan server statistics. Use the mvadm stats command to retrieve these and look at the Idle Threads number. Make sure that Idle Threads does not fall to 0, because scan requests then begin to compete for scan slots; this is an indication that too many client scan requests are coming in.
• The offload scan server's network performance. Make sure the network connection is not at or near maximum.
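The three indicators above (offload server CPU, Idle Threads from mvadm stats, and network saturation) can be sampled together on the offload scan server. The PowerShell script below is an added example, not from this guide or from the McAfee product. It assumes mvadm.exe is on the PATH and, because the guide does not show the output format of mvadm stats, it assumes that output contains a line of the form "Idle Threads: <number>"; adjust $IdleRegex to the real output. The "heavy load but CPU under 50%" heuristic is the guide's, with few idle threads standing in for "heavy load"; the network threshold is a parameter.

```powershell
# Added example, not from the McAfee guide: sample the tuning indicators the
# guide names on a MOVE AV offload scan server. Assumptions: mvadm.exe is on
# PATH; "mvadm stats" prints a line like "Idle Threads: 12" (adjust $IdleRegex
# to the real output); link speed comes from Win32_NetworkAdapter.Speed.
param(
    [int]$Samples = 12,                 # number of samples to take
    [int]$IntervalSeconds = 5,
    [string]$IdleRegex = 'Idle\s*Threads\s*:\s*(\d+)',
    [double]$NetSaturationPct = 80      # warn when link utilisation exceeds this
)

function Get-IdleThreads {
    # Returns the Idle Threads count, or $null if the output is not recognised.
    $out = & mvadm stats 2>&1 | Out-String
    if ($out -match $IdleRegex) { return [int]$matches[1] }
    return $null
}

# Link capacity in bytes/s, summed over enabled adapters that report a speed.
$linkBps = (Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.NetEnabled -and $_.Speed } |
    Measure-Object Speed -Sum).Sum / 8

for ($i = 1; $i -le $Samples; $i++) {
    $cpu = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
    $net = ((Get-Counter '\Network Interface(*)\Bytes Total/sec').CounterSamples |
        Measure-Object CookedValue -Sum).Sum
    $netPct = if ($linkBps) { 100 * $net / $linkBps } else { 0 }
    $idle = Get-IdleThreads

    $flags = @()
    if ($idle -eq 0) {
        $flags += 'IDLE THREADS 0: scan requests are competing for scan slots'
    }
    if ($idle -ne $null -and $idle -lt 10 -and $cpu -lt 50) {
        $flags += 'low CPU while busy: server may be overwhelmed (check disk/network)'
    }
    if ($netPct -ge $NetSaturationPct) { $flags += 'network near saturation' }

    $idleText = if ($idle -ne $null) { $idle } else { 'unknown' }
    '{0:HH:mm:ss} cpu={1,5:N1}% idleThreads={2,-7} net={3,5:N1}%  {4}' -f `
        (Get-Date), $cpu, $idleText, $netPct, ($flags -join '; ')
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it on each offload scan server during a busy period such as a logon storm or a DAT update window. A steady stream of "IDLE THREADS 0" lines means the clients are generating more concurrent scan requests than NumThreads allows, which is the point at which the guide says to add scan servers or reduce scan requests with exclusions.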

Ways to improve performance


The following options are available to increase server performance:
• Increase scan server CPU power. The CPU is the primary limiting factor in an offload scan server's performance.
• Ensure high network availability.
• Increase RAM, but only to a maximum of 4 GB. The offload scan service is a 32-bit application and cannot benefit from additional RAM beyond 4 GB.
• If the offload scan server becomes overwhelmed, consider excluding client-side log and text files that are frequently modified, to reduce the number of scan requests.
• DAT updates can place a large load on the offload scan server. Make sure you are using McAfee Agent 4.5 Patch 2 or later and schedule DAT updates during non-peak hours.

Large files and network scanning


Enabling McAfee MOVE Antivirus network scanning and then accessing large files across the network greatly increases the access time for those files. Because Distributed File Systems (DFS) are not supported by McAfee MOVE Antivirus or McAfee MOVE Scheduler, McAfee recommends, whenever possible, scanning a file with the scanner closest to the file itself. If a file resides on a network share, rather than enabling McAfee MOVE Antivirus network scanning, use the McAfee anti-virus product on the system where the file resides to scan the file. If the file resides on a NetApp Filer, McAfee recommends using VirusScan Enterprise for Storage to scan the file. With this approach you maintain good performance while still providing protection.

One manifestation of large files and network scanning is seen when using XenApp 6 to stream the virtualized version of Microsoft Word 2007. To improve the application's launch time in this environment, exclude the following processes from anti-virus scanning:
• RadeLauncher.exe
• RadeSvc.exe
• RadeObj.exe

Miscellaneous best practices


These are helpful tips and techniques that are not related to performance.

Quarantine files in non-persistent virtual machines


In a non-persistent virtual machine, the quarantine folder contents are not saved when a user logs off or reboots the virtual machine. The usual workaround for this is to specify the quarantine folder be somewhere in the user's home directory. However, if the Windows roaming profile feature is used, the quarantine folder can't be saved in the user's home directory as their home directory becomes a network location in that environment.

Balancing offload scan servers to handle downtime


There is a simple technique to make sure an environment with two offload scan servers (ScanServer1 and ScanServer2) can handle either server going offline without overloading the other. Once you determine the number of virtual machines (VMs) one offload scan server can handle, split that number of VMs roughly in half by some criterion such as even or odd MAC addresses. Assign one half of the VMs ScanServer1 as their primary scan server and ScanServer2 as their secondary scan server. With a second policy assignment, reverse those assignments for the other half. Each offload scan server then runs at approximately half capacity but can absorb the other scan server going offline without any configuration changes.
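The even/odd MAC split described above, as an added PowerCLI example that is not from this guide or from McAfee: it reads the first network adapter of every VM in a cluster, uses the parity of the MAC address's last hex digit to decide which offload scan server is primary, warns if the cluster holds more VMs than one server has been sized to absorb alone, and writes the two halves to CSV files from which the two ePolicy Orchestrator policy assignments can be built. It assumes PowerCLI is loaded and Connect-VIServer has been run; the cluster name, scan server names and the 400-VM capacity default are placeholders.

```powershell
# Added example, not from the McAfee guide: split a cluster's VMs into two
# halves by MAC address parity and record the primary/secondary offload scan
# server of each half. Assumes PowerCLI is loaded and Connect-VIServer was run;
# names and the capacity figure below are placeholders.
param(
    [string]$ClusterName = 'VDI-Cluster-01',
    [string]$ScanServer1 = 'ScanServer1',
    [string]$ScanServer2 = 'ScanServer2',
    [int]$MaxVmsPerServer = 400,     # how many VMs one offload server was sized for
    [string]$OutDir = '.'
)

function Get-ScanServerAssignment {
    param([string]$MacAddress)
    # The last hex digit of the MAC decides the half: even -> ScanServer1 primary.
    $lastDigit = [Convert]::ToInt32($MacAddress.Trim()[-1].ToString(), 16)
    if ($lastDigit % 2 -eq 0) {
        New-Object PSObject -Property @{ Half = 'A'; Primary = $ScanServer1; Secondary = $ScanServer2 }
    } else {
        New-Object PSObject -Property @{ Half = 'B'; Primary = $ScanServer2; Secondary = $ScanServer1 }
    }
}

$assignments = foreach ($vm in (Get-Cluster -Name $ClusterName | Get-VM)) {
    $mac = ($vm | Get-NetworkAdapter | Select-Object -First 1).MacAddress
    if (-not $mac) { continue }      # skip VMs without a vNIC
    $a = Get-ScanServerAssignment -MacAddress $mac
    New-Object PSObject -Property @{
        Name = $vm.Name; MacAddress = $mac; Half = $a.Half
        PrimaryScanServer = $a.Primary; SecondaryScanServer = $a.Secondary
    }
}

# The scheme only works if one server can carry everything while the other is
# down, so the whole cluster must fit within a single server's capacity.
$total = @($assignments).Count
if ($total -gt $MaxVmsPerServer) {
    Write-Warning ('{0} VMs exceed the {1} one offload server can absorb alone; add a scan server' -f $total, $MaxVmsPerServer)
}

# One list per half; each becomes one ePO policy assignment with the
# primary and secondary servers reversed.
foreach ($half in 'A', 'B') {
    $list = @($assignments | Where-Object { $_.Half -eq $half })
    $list | Select-Object Name, MacAddress, PrimaryScanServer, SecondaryScanServer |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "move-half-$half.csv")
    $primary = if ($half -eq 'A') { $ScanServer1 } else { $ScanServer2 }
    'Half {0}: {1} VMs, primary {2}' -f $half, $list.Count, $primary
}
```

Because vCenter assigns MAC addresses sequentially, the two halves come out close to equal in size; check the two counts the script prints before creating the policy assignments.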

Scanning offline virtual images in a VMware environment


When VirusScan Enterprise for Offline Virtual Images begins scanning an offline VMware virtual machine, it locks the image until the scan is complete. The virtual machine cannot be started until the scan is complete. Use a policy that schedules offline virtual image scanning in off-peak hours only.


Configuring VLANs in VMware vSphere clusters

McAfee recommends that if you use the same master image to provision virtual machines in multiple clusters, you create a dedicated VLAN in each cluster to handle McAfee MOVE Antivirus deployment. This helps maintain the same IP address for the McAfee MOVE Antivirus Offload Server across all VLANs. You can create VLANs using a virtual switch or a virtual distributed switch. These steps create VLANs in each environment.

Contents
    Prerequisites for creating VLANs
    Configure a VMware vShield VLAN using a Virtual Distributed Switch
    Configuring VLAN using a virtual switch
    Configuring the DHCP server in virtual guest tagging mode

Prerequisites for creating VLANs


These conditions must exist for McAfee MOVE Antivirus to work in a VMware vShield VLAN environment.
• The virtual switch or virtual distributed switch is available.
  Virtual distributed switches are available with the VMware Enterprise Plus license.
• The physical network interface cards (NICs) of all hypervisors selected for McAfee MOVE Antivirus communication are connected to a trunk port of the physical switch.
• One virtual NIC has been added to each VM.
• A dedicated virtual machine is hosting the DHCP server.
• All VLANs are configured on the physical switch.

Configure a VMware vShield VLAN using a Virtual Distributed Switch


A VLAN must be configured in a specific way to be compatible with McAfee MOVE Antivirus.

Task
1  Create a Virtual Distributed Switch (VDS). If you are using an existing VDS, skip step 2.
2  Add the physical NICs of all hypervisors selected for the VLAN to the VDS. A single VDS supports 64 hypervisors; if you are using more than 64 hypervisors, create a new VDS.
3  Create a port group for each cluster on the VDS.
4  Assign a unique VLAN ID to each port group.
5  Add virtual network interface cards (vNICs) to all VMs.
6  Add all VMs to the cluster VLAN by using the vNIC of each VM.
7  Create VLANs on the physical switch with the same VLAN IDs as created on the VDS.
8  Allocate IP addresses to VMs in the VLANs by configuring the DHCP server.
   a  Create a port group on the VDS and select the VLAN type VLAN Trunking.
   b  Specify a range of VLANs that accommodates all VLANs created for the clusters.
   c  Add the DHCP server to the port group.
   d  Configure the DHCP VM in VGT (Virtual Guest Tagging) mode to make it a member of all cluster VLANs, so that a single DHCP server can assign IP addresses to all VMs. See Configuring the DHCP server in virtual guest tagging mode for further information.

Configuring VLAN using a virtual switch


A VLAN can be created using a virtual switch so that it is compatible with McAfee MOVE Antivirus.

Task
1 Create a port group on the vSwitch of every hypervisor in the cluster.
2 Assign the cluster's VLAN ID to that port group on each vSwitch. Use the same port group name and VLAN ID on every hypervisor: standard vSwitch port groups are configured per host, and VMs only land on the same network (and can only be migrated between hosts) when the definitions match.
3 Add a virtual NIC (vNIC) to every virtual machine (VM).
4 Add each VM to the cluster VLAN by connecting the VM's vNIC to the port group.
5 Create VLANs on the physical switch with the same VLAN IDs as created on the virtual switches.
6 Allocate IP addresses to the VMs in all VLANs by configuring the DHCP server:
  a Create a port group on the vSwitch of the hypervisor where the DHCP server is hosted and set its VLAN ID to 4095. On a standard vSwitch, VLAN ID 4095 passes all tagged frames through to the guest; it is the equivalent of the VLAN Trunking port group on a VDS.
  b Add the DHCP server to this port group (VLAN ID = 4095).
  c Configure the DHCP virtual machine in virtual guest tagging mode so that it is a member of all cluster VLANs and a single DHCP server can assign IP addresses to all VMs. See Configuring the DHCP server in virtual guest tagging mode for more information.
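The two procedures above (VDS with a trunking port group, and standard vSwitch with VLAN ID 4095) scripted in PowerCLI, as an added example that is not part of the McAfee guide. The VDS cmdlets (Get-VDSwitch, New-VDPortgroup, Add-VDSwitchVMHost) only exist from PowerCLI 5.1, which is newer than this guide. The vCenter name vc01.lab.example, the VDS name dvs-move, the uplink vmnic1, the clusters VDI-Cluster-01/02 on VLANs 101/102, the DHCP VM dhcp01 and vSwitch0 are all assumed names; run only the function that matches the switch type you deploy.

```powershell
# Added example, not McAfee's code. All names below are assumptions.
Connect-VIServer -Server vc01.lab.example | Out-Null

$clusterVlans = @{ 'VDI-Cluster-01' = 101; 'VDI-Cluster-02' = 102 }   # one unique VLAN ID per cluster
$trunkRange   = '101-102'                                              # must cover every cluster VLAN

# Check the plan before touching any switch: a duplicate ID would merge two clusters
# into one broadcast domain, an ID outside the trunk range would leave that cluster
# without DHCP.
function Test-VlanPlan {
    param([hashtable]$Plan, [string]$Trunk)
    $ids = @($Plan.Values)
    $lo, $hi = ($Trunk -split '-') | ForEach-Object { [int]$_ }
    $dupes   = @($ids | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object { [int]$_.Name })
    $outside = @($ids | Where-Object { $_ -lt $lo -or $_ -gt $hi })
    [pscustomobject]@{ Duplicates = $dupes; OutsideTrunk = $outside
                       Ok = ($dupes.Count -eq 0 -and $outside.Count -eq 0) }
}

# Virtual Distributed Switch: steps 2-6 and 8a-c of the VDS procedure.
function Set-MoveVdsVlans {
    param([hashtable]$Plan, [string]$Trunk, [string]$VdsName, [string]$Uplink, [string]$DhcpVmName)
    $vds = Get-VDSwitch -Name $VdsName
    foreach ($cluster in $Plan.Keys) {
        foreach ($esx in Get-Cluster -Name $cluster | Get-VMHost) {
            # Step 2: join the host to the VDS and hand it the physical NIC wired to the trunk port.
            if (-not (Get-VDSwitch -VMHost $esx -Name $VdsName -ErrorAction SilentlyContinue)) {
                Add-VDSwitchVMHost -VDSwitch $vds -VMHost $esx
                $pnic = Get-VMHostNetworkAdapter -VMHost $esx -Physical -Name $Uplink
                Add-VDSwitchPhysicalNetworkAdapter -DistributedSwitch $vds -VMHostPhysicalNic $pnic -Confirm:$false
            }
        }
        # Steps 3-4: one port group per cluster, tagged with that cluster's VLAN ID.
        $pg = New-VDPortgroup -VDSwitch $vds -Name "pg-$cluster" -VlanId $Plan[$cluster]
        # Steps 5-6: every VM gets a vNIC (E1000 if it has none) on the cluster port group.
        foreach ($vm in Get-Cluster -Name $cluster | Get-VM) {
            $nic = Get-NetworkAdapter -VM $vm | Select-Object -First 1
            if ($nic) { Set-NetworkAdapter -NetworkAdapter $nic -Portgroup $pg -Confirm:$false | Out-Null }
            else      { New-NetworkAdapter -VM $vm -Portgroup $pg -Type e1000 -StartConnected -Confirm:$false | Out-Null }
        }
    }
    # Steps 8a-c: trunking port group that carries every cluster VLAN, tagged, to the DHCP VM.
    $dhcpPg = New-VDPortgroup -VDSwitch $vds -Name 'pg-dhcp-trunk' -VlanTrunkRange $Trunk
    Get-VM -Name $DhcpVmName | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $dhcpPg -Confirm:$false | Out-Null
    Get-VDPortgroup -VDSwitch $vds | Select-Object Name, VlanConfiguration
}

# Standard vSwitch: steps 1-2 and 6a-b of the vSwitch procedure. Port groups are per
# host, so the same name/ID is created on every hypervisor; VLAN 4095 is the "pass
# all tags" setting used for the DHCP VM.
function Set-MoveVSwitchVlans {
    param([hashtable]$Plan, [string]$VSwitchName, [string]$DhcpVmName)
    foreach ($cluster in $Plan.Keys) {
        foreach ($esx in Get-Cluster -Name $cluster | Get-VMHost) {
            $vsw = Get-VirtualSwitch -VMHost $esx -Name $VSwitchName
            New-VirtualPortGroup -VirtualSwitch $vsw -Name "pg-$cluster" -VLanId $Plan[$cluster] | Out-Null
        }
    }
    $dhcpVm = Get-VM -Name $DhcpVmName
    $vsw    = Get-VirtualSwitch -VMHost (Get-VMHost -VM $dhcpVm) -Name $VSwitchName
    $vgtPg  = New-VirtualPortGroup -VirtualSwitch $vsw -Name 'pg-dhcp-trunk' -VLanId 4095
    Get-NetworkAdapter -VM $dhcpVm | Set-NetworkAdapter -Portgroup $vgtPg -Confirm:$false | Out-Null
}

$plan = Test-VlanPlan -Plan $clusterVlans -Trunk $trunkRange
if (-not $plan.Ok) { throw "Bad VLAN plan: duplicates=$($plan.Duplicates) outside trunk=$($plan.OutsideTrunk)" }
Set-MoveVdsVlans -Plan $clusterVlans -Trunk $trunkRange -VdsName 'dvs-move' -Uplink 'vmnic1' -DhcpVmName 'dhcp01'
# For standard vSwitches use instead:
# Set-MoveVSwitchVlans -Plan $clusterVlans -VSwitchName 'vSwitch0' -DhcpVmName 'dhcp01'
```

Neither function touches the physical switch: the trunk ports still need the same VLAN IDs allowed on them (step 7 and step 5 of the two procedures), which is where most "VM never gets a lease" problems originate.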

Configuring the DHCP server in virtual guest tagging mode


You must configure the DHCP server virtual machine in virtual guest tagging (VGT) mode for use in McAfee MOVE Antivirus VLANs. In VGT mode the VM receives tagged frames from every cluster VLAN, so it has a foothold on all of those segments at once: treat it as a trust boundary, run nothing else on it, and leave IP forwarding disabled on it (the Windows default) so that it cannot become a route between clusters.

Task
1 Install the DHCP server on the virtual machine (VM) and use a class B address range for the scope. Create a single scope that covers the IP addresses of all VMs across the different cluster VLANs.
2 Add a virtual NIC (vNIC) of type E1000 to the DHCP server VM.
3 Install the Intel driver that supports VGT. You can download the Intel driver from http://www.intel.com/support/network/sb/cs-006120.htm.
4 Right-click the vNIC icon on the DHCP server and select Properties | Configure | VLANs.
5 Add the cluster VLANs. A new network adapter is automatically created for each VLAN.
6 Specify a static IP address for each of these network adapters.

Given the size of a virtual desktop infrastructure, use the class B addressing scheme: a single /16 provides 65,534 usable IP addresses.
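The scope and the per-VLAN static addresses from the task above, as an added example that is not part of the McAfee guide. Windows Server 2008 R2 has no DhcpServer PowerShell module, so netsh is used. Assumptions: the scope is 172.16.0.0/16; leases start at 172.16.1.1 so that 172.16.0.0/24 stays free for static infrastructure addresses (the DHCP server's VLAN adapters, the offload scan servers, an NLB virtual IP); and the Intel driver created the VLAN adapters as "VLAN101" and "VLAN102" (check the real names with netsh interface ipv4 show interfaces).

```powershell
# Added example, not McAfee's code. Addresses and adapter names are assumptions.
$scopeNet   = '172.16.0.0'
$scopeMask  = '255.255.0.0'
$leaseStart = '172.16.1.1'
$leaseEnd   = '172.16.255.254'
$vlanIfs    = @{ 'VLAN101' = '172.16.0.101'; 'VLAN102' = '172.16.0.102' }   # adapter name -> static IP

# Dotted quad -> integer, so address ranges can be compared.
function ConvertTo-IpInt {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}

# Static addresses that fall inside the lease range. The server would eventually
# lease such an address to a VM and the VLAN adapter would lose connectivity.
function Get-StaticInsideLeaseRange {
    param([string[]]$Static, [string]$Start, [string]$End)
    $s = ConvertTo-IpInt $Start; $e = ConvertTo-IpInt $End
    @($Static | Where-Object { $i = ConvertTo-IpInt $_; $i -ge $s -and $i -le $e })
}

$clash = Get-StaticInsideLeaseRange -Static @($vlanIfs.Values) -Start $leaseStart -End $leaseEnd
if ($clash.Count) { throw "Static addresses inside the lease range: $($clash -join ', ')" }

# Step 6: one static address per VLAN adapter, all inside the /16 so the server picks
# this scope for requests arriving on any cluster VLAN. No default gateway is set: the
# DHCP VM answers on each VLAN but must not route between them.
foreach ($if in $vlanIfs.Keys) {
    netsh interface ipv4 set address name="$if" source=static address=$($vlanIfs[$if]) mask=$scopeMask
}

# Step 1: the single class B scope shared by every cluster VLAN.
netsh dhcp server add scope $scopeNet $scopeMask "MOVE VDI clusters" "Shared scope for all cluster VLANs"
netsh dhcp server scope $scopeNet add iprange $leaseStart $leaseEnd
netsh dhcp server scope $scopeNet set state 1
netsh dhcp server show scope
```

Keeping every static infrastructure address below the lease range removes the need for exclusion ranges and makes a leaked lease on a cluster VLAN easy to spot: nothing in 172.16.0.0/24 should ever appear in the lease table.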


Deploying high availability servers in a cluster

In a typical virtual desktop infrastructure (VDI) deployment, a cluster contains multiple hypervisors, and it is usually necessary to deploy multiple McAfee MOVE Antivirus Offload Server virtual machines for load balancing and high availability (HA). You can deploy multiple McAfee MOVE Antivirus Offload Server VMs in a cluster by using the Microsoft network load balancing (NLB) service. The number of servers you deploy should follow the scalability guidelines. Within this document, the group of offload scan servers managed by the NLB service is referred to as the NLB server cluster. The NLB server cluster is transparent to McAfee MOVE Antivirus Agents: the Agents communicate with it through its virtual IP address, which is configured in the McAfee MOVE Antivirus policy in ePolicy Orchestrator.

When using NLB server clusters, you do not need to deploy secondary offload scan servers, because HA is provided by the NLB server cluster itself. To monitor the health of each McAfee MOVE Antivirus Offload Server, deploy the external monitoring script provided with the McAfee MOVE Antivirus deployment kit.

Figure B-1 NLB server cluster - clusters using dedicated master images for VMs

Figure B-2 NLB server cluster - clusters sharing master images for VMs

Create NLB server clusters


These tasks create a McAfee MOVE Antivirus compatible server cluster.

Tasks
- Install network load balancing on page 27. Network load balancing must be installed before use.
- Create a server cluster on page 27. Create the cluster after the Network Load Balancing feature is installed.
- Schedule the monitor script on each McAfee MOVE Antivirus Offload Server on page 28. McAfee provides a script that checks the health of an offload scan server and controls scan traffic based on load.

Install network load balancing


Network load balancing must be installed before use. This feature is not installed on Windows Server 2008 R2 by default.

Task
1 Ensure that all McAfee MOVE Antivirus Offload Server virtual machines in the cluster are in the same domain and subnet.
2 Navigate to Administrative Tools | Server Manager.
3 In the Server Manager window, select Features | Add Features.
4 Select Network Load Balancing.
5 Click OK.

Create a server cluster


Create the cluster after the Network Load Balancing feature is installed.

Task
1 Navigate to Administrative Tools | Network Load Balancing Manager.
2 In the Network Load Balancing Manager window, select Cluster | New Cluster.
3 In the New Cluster: Connect window, enter the IP address of the first McAfee MOVE Antivirus Offload Server and click Connect.
4 Select the interface name that matches your setup (the VLAN interface if you are using VLANs) and click Next.
5 Review the information and click Next.
6 In the New Cluster: Cluster IP Addresses window, click Add.
7 In the Add IP Address window, select Add IPv4 address and enter the virtual IP address of the NLB server cluster. This is the address that McAfee MOVE Antivirus Agents are given in the ePolicy Orchestrator policy. Click OK.
8 Click Next.
9 In the New Cluster: Cluster Parameters window, enter the cluster name in the Full Internet name field.
10 Select Multicast. Click Next.
   Multicast mode maps the cluster IP address to a multicast MAC address. Some physical switches and routers refuse to learn that mapping from ARP; if the virtual IP address is reachable from the cluster VLAN but not from other subnets, add a static ARP entry for it on the router of the cluster VLAN.
11 In the New Cluster: Port Rules window, click Edit.
12 In the Add/Edit Port Rule window, deselect All.
13 Select the virtual IP address of the NLB cluster and specify the port range 9053 to 9053, or the non-default port that you selected during McAfee MOVE Antivirus Offload Server installation. Limiting the rule to the scan port means that traffic to any other port on the virtual IP address is handled by the default host only rather than load balanced; management traffic should use the servers' individual addresses.
14 Set the protocol to TCP and click OK.
15 Set the Filtering mode to Multiple host and the Affinity to None.
16 Click Finish to create the cluster.
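The same cluster built from the NetworkLoadBalancingClusters PowerShell module that ships with Windows Server 2008 R2, as an added example that is not part of the McAfee guide. It covers both tasks above (feature installation and cluster creation) and then checks the result. Run it as an administrator on the first offload scan server. The interface name "Local Area Connection", the virtual IP 10.10.10.50/24, the cluster name move-nlb.lab.example and the node names moveav02/moveav03 are assumptions.

```powershell
# Added example, not McAfee's code. Names and addresses are assumptions.
Import-Module ServerManager
Import-Module NetworkLoadBalancingClusters

$ifName   = 'Local Area Connection'       # interface on the cluster VLAN, same name on every node
$vip      = '10.10.10.50'                 # NLB virtual IP, the address configured in the ePO policy
$mask     = '255.255.255.0'
$fqdn     = 'move-nlb.lab.example'        # "Full Internet name"
$scanPort = 9053                          # or the non-default port chosen at install time
$nodes    = @('moveav02', 'moveav03')     # remaining offload scan servers (same domain and subnet)

# "Install network load balancing", steps 2-5.
Add-WindowsFeature NLB | Out-Null

# "Create a server cluster", steps 1-10: first node, multicast mode, VIP and name.
New-NlbCluster -InterfaceName $ifName -ClusterName $fqdn -ClusterPrimaryIP $vip `
               -SubnetMask $mask -OperationMode Multicast | Out-Null

# Steps 11-15: drop the default all-ports rule and balance only the scan port. Ports
# without a rule are served by the default host alone, so RDP/WMI/SMB to the VIP is
# never spread across nodes; use the per-node addresses for management.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force | Out-Null
Add-NlbClusterPortRule -IP $vip -StartPort $scanPort -EndPort $scanPort `
                       -Protocol Tcp -Mode Multiple -Affinity None | Out-Null

# Join the other offload scan servers.
foreach ($n in $nodes) {
    Add-NlbClusterNode -InterfaceName $ifName -NewNodeName $n -NewNodeInterface $ifName | Out-Null
}

# Verification: all nodes converged, exactly one rule, and it covers only the scan port over TCP.
function Test-MoveNlbCluster {
    param([int]$Port = 9053)
    $members = @(Get-NlbClusterNode)
    $rules   = @(Get-NlbClusterPortRule)
    $scanOnly = ($rules.Count -eq 1) -and
                ($rules[0].StartPort -eq $Port) -and ($rules[0].EndPort -eq $Port) -and
                ("$($rules[0].Protocol)" -eq 'Tcp')
    [pscustomobject]@{
        Nodes        = $members.Count
        Converged    = @($members | Where-Object { "$($_.State)" -ne 'Converged' }).Count -eq 0
        ScanPortOnly = $scanOnly
    }
}
Test-MoveNlbCluster -Port $scanPort
Get-NlbClusterPortRule | Format-List *
```

Convergence takes a few seconds after each node is added; if Converged stays false, compare the interface name and subnet of the failing node with the first one, as those are the two prerequisites the NLB wizard enforces silently.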

Schedule the monitor script on each McAfee MOVE Antivirus Offload Server
McAfee provides a script that checks the health of an offload scan server and controls scan traffic based on load. If a server is down or not responding, the script removes the host from the NLB server cluster. When the McAfee MOVE Antivirus Offload Server returns, the script automatically adds the host back to the NLB server cluster. The script also writes an entry to the Windows Event Viewer when either event occurs. Because the script must add and remove this host in the NLB cluster, the account that runs the task needs local administrator rights; make sure that the script file itself can be modified only by administrators.

Task
1 Navigate to Administrative Tools | Task Scheduler.
2 In the Task Scheduler window, select Create Task in the Actions panel.
3 Select Run whether user is logged on or not and Do not store password.
4 Select the Triggers tab. Click New.
5 In the New Trigger window, select At startup in the Begin the task list. Click OK.
6 Select the Actions tab. Click New.
7 In the New Action window, select Start a program in the Action list.
8 Enter cscript.exe in the Program/script field.
9 Specify the name of the monitoring script (move-av-monitor.vbs) in the Add arguments field. Click OK.
10 Select the Conditions tab.
11 Deselect Start the task only if the computer is on AC power. Click OK to schedule the task.
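The task above registered from the command line, as an added example that is not part of the McAfee guide. Windows Server 2008 R2 has schtasks.exe but not the ScheduledTasks PowerShell module, so the task is written as an XML definition: that is the only way to set both "run whether user is logged on or not / do not store password" (LogonType S4U) and the "not only on AC power" condition from a script. Assumptions: the deployment kit's move-av-monitor.vbs has been copied to C:\Program Files\McAfee\MOVE AV Server\, the monitor runs as a continuous loop (hence no execution time limit), and the domain account LAB\svc-move-monitor, a member of the local Administrators group on each offload scan server, runs it.

```powershell
# Added example, not McAfee's code. Path, account and the assumption that the
# monitor loops for the lifetime of the server are all assumptions.
$taskName   = 'MOVE AV Monitor'
$scriptPath = 'C:\Program Files\McAfee\MOVE AV Server\move-av-monitor.vbs'
$runAs      = 'LAB\svc-move-monitor'
$xmlPath    = Join-Path $env:TEMP 'move-av-monitor-task.xml'

# Task definition in the Task Scheduler 1.2 schema.
function New-MoveMonitorTaskXml {
    param([string]$ScriptPath, [string]$RunAs)
    $esc = [System.Security.SecurityElement]::Escape($ScriptPath)   # '&' or '<' in a path would break the XML
@"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Checks offload scan server health and adds/removes this host in the NLB cluster.</Description>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$RunAs</UserId>
      <LogonType>S4U</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <StartWhenAvailable>true</StartWhenAvailable>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>cscript.exe</Command>
      <Arguments>//B //Nologo "$esc"</Arguments>
    </Exec>
  </Actions>
</Task>
"@
}

# The script runs with administrator rights at every boot. If anyone other than
# Administrators/SYSTEM can write to it, editing the file is a local privilege
# escalation, so refuse to register the task in that case.
function Get-NonAdminWriters {
    param([string]$Path)
    @((Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' -and
        "$($_.IdentityReference)" -notmatch 'Administrators|SYSTEM|TrustedInstaller'
    } | ForEach-Object { "$($_.IdentityReference)" })
}

if (-not (Test-Path $scriptPath)) { throw "Monitor script not found: $scriptPath" }
$writers = Get-NonAdminWriters -Path $scriptPath
if ($writers.Count) { throw "Script is writable by non-administrators: $($writers -join ', ')" }

New-MoveMonitorTaskXml -ScriptPath $scriptPath -RunAs $runAs | Set-Content -Path $xmlPath -Encoding Unicode
schtasks.exe /Create /TN $taskName /XML $xmlPath /F
Remove-Item $xmlPath

# Confirm the registration and start the monitor now instead of waiting for a reboot.
schtasks.exe /Query /TN $taskName /V /FO LIST
schtasks.exe /Run /TN $taskName
```

S4U logons carry no network credentials, which is fine here because the monitor only acts on the local NLB host; if a later version of the script needs to reach other servers with domain credentials, switch the principal to a stored password or a managed service account.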

Index

A
about this guide, 5

B
best practices
  non-performance tips, 20
  performance, 18

C
cluster
  deploy using shared master images, 12
  deployment, 10
clusters with dedicated master images, 9
conventions and icons used in this guide, 5

D
dedicated master images, deployment strategy, 9
deploy
  cluster with dedicated master images, 9
  cluster with shared master images, 12
deployment into clusters, 10
Distributed Resource Scheduler, VMware, 15
documentation
  audience for this guide, 5
  product-specific, finding, 6
  typographical conventions and icons, 5

H
High Availability compatibility, 15
hypervisor migration restrictions, 15

M
McAfee MOVE Antivirus resource usage, 17
McAfee ServicePortal, accessing, 6

N
network scanning large files, 18

O
offline virtual images, scanning in VMware, 20
offload scan server
  improving performance, 18
  load balancing, 20
  number per cluster, 17

P
performance
  improving, 18
  virtualized applications, 18
performance data, 17

Q
quarantine folder, non-persistent virtual machines, 20

S
scalability guidelines, 17
ServicePortal, finding product documentation, 6
shared master images, deployment strategy, 12

T
Technical Support, finding product information, 6

V
virtual machine density, 17
VMware VLAN prerequisites, 21

W
what's in this guide, 6
