Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Deploy Skyhigh Client Using Trellix ePO

  1. Last updated
  2. Save as PDF

To deploy and manage the policies, you must configure Trellix ePO. We have both On-prem and Cloud ePO within ePO. 

It is necessary to push Trellix Agent from ePO to the Client while deploying Skyhigh Client (SC) using Trellix ePO. You need to install the Skyhigh Client software on the Client after pushing the Trellix Agent. Once the Skyhigh Client policy is configured, deploy the policy.

▼ Skyhigh Client Deployment using ePO Cloud

1. Configure Trellix ePO

  1. Log in to ePO Cloud. Click the menu on the top-left and go to Policy Catalog.
  2. In the Product drop-down, select Skyhigh Client 5.0.0.x.
  3. You should see a single policy called Skyhigh Default. This is a read-only policy that we cannot use, so click Duplicate to create a new policy that we can modify.
  4. Name the new policy My Default and click OK.
  5. Click on My Default to open your new policy.  If you see a message that says "The Skyhigh Client ePO Extension is still doing some background work to set the correct permissions to the linked Common Catalog," then click Cancel and wait a few minutes.  This can sometimes take 10 minutes or more to complete.  Keep checking back by re-opening the My Default policy until that message is gone.
  6. Click on Client Configuration on the left.  On the top of the page, set and confirm a shared passphrase.  Then click Save on the bottom-right corner of the screen.
  7. Click My Default again to re-open the policy, and go back to the Client Configuration page.  Then, click the Export Customer Credentials button at the top.  If the file opens in a new tab rather than downloading, then just right-click in the browser and Save As to save the XML file.
  8. In ePO Cloud, click the menu at the top-left and select Getting Started under the Web Protection heading. Record the Customer ID number for the next section.

2. Deploy Trellix Agent 

  1. In ePO, click on System Tree at the top of the page, and then click the New Systems button at the top of the System Tree.
  2. In the How to add systems section at the top, select the radio button labeled Create and download agent installation package
  3. In the Agent version, for Windows, select the Windows radio button, and for Mac, select the Non-Windows radio button, and select the required Trellix Agent versions. Then, click OK in the bottom-right corner of the page.
  4. When ePO is done generating the package, click the Agent Package link to download the installation package, and then click Close.
  5. Copy the FramePkg.exe (for Windows) and agentPackages.zip (for MacOS, it will have install.sh within the package) file to the endpoint you intend to manage, and then execute it.
  6. Go back to the ePO system tree, select the root of the tree (My Organization), and then select This Group and All Subgroups in the Preset drop-down.  This will let you see all managed endpoints in the entire system tree.  You should see the hostname of your endpoint in the list.  If it does not appear, then wait for the agent to check in and refresh the page.

3. Pushing Cloud-ePO

The current RTW build will be pushed from the Trellix to the cloud-ePO.

4. Deploy Skyhigh Client

Skyhigh Client can be deployed using ePO on-prem, ePO Cloud on Windows, and macOS. Follow the steps for Skyhigh Client deployment using ePO ePO Cloud.

  1. In ePO Cloud, go to the Menu  > Software >Advanced Deployment.
  2. Click New Deployment at the top of the page.
  3. Name the deployment Deploy Skyhigh Client , and select the latest Skyhigh Client Version in the Package drop-down. 
  4. Set the Action to Install.
  5. Select the systems: Total for which system will be fetched from the System Tree.
  6. Set the Start Time drop-down to Run Immediately
  7. Click Save.
  8. To add the policy, go to the EPO > Policy Catalog.
  9. Under Products, select Skyhigh Client.
  10. Select the existing policy from the list, or you can create a new policy.
  11. To create a new policy, click New Policy.
    1. In Create a new policy,
    2. Select Category: SCP Policy
    3. Create a Policy based on this existing policy: Skyhigh Default
    4. Enter a Policy Name. Click OK.
  12. In the Policy Catalog, go to the respective policy, under Actions, and click Edit
  13. Under Skyhigh Client Settings, in the Proxy Servers page, you can assign the Proxy Server by entering the IP or Hostname of the proxy and the Proxy Port. Click Add.
  14. Under Client Configuration, in Traffic Redirection Settings, enable the required options using the radio button.
  15. Go to System Tree, under System Name, and select your system.
  16. Click the Policies tab. In Product select the Skyhigh Client.
  17. In Actions, select Edit the Assignment.
  18. In Inherit from, select Break inheritance and assign the policy and settings below.
  19. Select the created policy in Assigned Policy.
  20. Click Save.
  21. To push the policy, Click System Tree at the top of the ePO interface, select your endpoint, and then click Wake Up Agents.  This will cause ePO to attempt to connect to the client.  To follow the status of the wake-up call go to Menu > Automation > Server Task Log.   
    If the task fails to complete successfully, then you can manually update with the following steps:
    1. Open a command prompt on the client machine.
    2. Change directory to C:\Program Files\SCP\Agent.
    3. Run the command cmdagent -s (for Windows) and /Library/McAfee/agent/bin/cmdagent -s (for MacOS).  This should open the Skyhigh Agent Status Monitor window.
    4. Click the top four buttons to kick off an agent synchronization.  (Collect and Send Props, Send Events, Check New Policies, and Enforce Policies)
  22. Once the task is completed, confirm on the endpoint by navigating to the Start menu and looking for an SCP folder. 
  23. In Windows, you will find two shortcuts for About Skyhigh Client and Bypass Skyhigh Client.  Open About Skyhigh Client and check if you have a Policy Name and Policy Revision value.  If these are blank, then repeat step 4 to do another agent communication to pull the policy.
  24. In MacOS, you will see the symbol (what to refer to) at the top right corner. Click About. Under Protection, select Skyhigh Client to find the details.
  25. Review About Skyhigh Client to confirm that the policy has been updated.  You should see the policy along with the status is Always Redirecting, and you can see the Active Proxy field which will show where proxy requests are being sent.
▼ Skyhigh Client Deployment using ePO On-Prem

Skyhigh Client deployment can be done On-prem and standalone.

ePO On-Prem

1. Authenticate the Secure Web Gateway (On-prem)

We need to enable authentication for SCP in SWG (on-prem)

  1. Login to SWG and click Policy at the top of the interface.
  2. In the policy pane on the left, click Add > Rule Set from Library.
  3. Go to Authentication > Authentication With Skyhigh Client Proxy.
  4. Click Auto-Solve Conflict. Click Solve by referring to existing objects. Click OK.
  5. Click on Show details and then click the Authenticate: Skyhigh Client  link on that rule.
  6. Enter your customer ID number in the Customer ID field, and then click the Change... button to enter the shared passphrase.
  7. Click OK to save the settings object, and then Save Changes on the top-right.

2. Deploy Trellix Agent 

  1. In ePO, click on System Tree at the top of the page, and then click the New Systems button at the top of the System Tree.
  2. In the How to add systems section at the top, select the radio button labeled Create and download agent installation package.  Then, click OK in the bottom-right corner of the page.
  3. When ePO is done generating the package, click the Agent Package link to download the installation package, and then click Close.
  4. Copy the FramePkg.exe (for Windows) and agentPackages.zip (for MacOS, it will have install.sh within the package) file to the endpoint you intend to manage, and then execute it.
  5. Go back to the ePO system tree, select the root of the tree ("My Organization"), and then select This Group and All Subgroups in the Preset drop-down.  This will let you see all managed endpoints in the entire system tree.  You should see the hostname of your endpoint in the list.  If it does not appear, then wait for the agent to check in and refresh the page.

3. Checking the SC Package into the ePO main repo

  • You can install Skyhigh Client using the cloud security portal or through downloads or policy downloads.
  • You can check the SC package into the ePO main repository in two ways:

1. Go to main (three lines) >Main Repository>Check In Package.  In Check In Package, choose the required build in the File path. Click Ok, and then Next.

  • Package Info: contains build details such as Name, Version, Minor Version, Type, and Language of the build you're checkin
  • Choose the branch however you want to post it as Current, Previous, or an Evaluation branch
    • Current: Current build is what we want to post to all the clients
    • Previous: Earlier version of current build
    • Evaluation: Any build that needed to be tested or the older version of build
  • Options: Enable the Options to move the existing package to the Previous branch using 

2. You can follow these steps to checkin the SC package:

  • Navigate to Software > Catalog Utilities & Connectors > Packages.

  • Select the required package in Actions > Check in at another branch to check in.

  • Select the required client package branch.

  • Click Check In.

4. Deploy Skyhigh Client

Follow the steps for Skyhigh Client deployment using ePO on Prem.

  1. In ePO on Prem, go to the MenuSoftware > Product Deployment.
  2. Click New Deployment at the top of the page.
  3. Name the deployment Deploy SC, and select the latest SC Version (Skyhigh Client 5.0.0.x) in the Package drop-down. 
  4. Set the Action to Install.
  5. Set the Start Time drop-down to Run Immediately
  6. Click Save.
  7. Click System Tree at the top of the ePO interface, select your endpoint, and then click Wake Up Agents.  This will cause ePO to attempt to connect to the client.  To follow the status of the wake-up call go to Menu > Automation > Server Task Log.   
    If the task fails to complete successfully, then you can manually update with the following steps:
    1. Open a command prompt on the client machine.
    2. Change directory to C:\Program Files\SCP\Agent.
    3. Run the command cmdagent /s.  This should open the Skyhigh Agent Status Monitor window.
    4. Click the top four buttons to kick off an agent synchronization.  (Collect and Send Props, Send Events, Check New Policies, and Enforce Policies)
  8. Once the task is completed, confirm on the endpoint by navigating to the Start menu and looking for an SCP folder.  You will find two shortcuts for About Skyhigh Client and Bypass Skyhigh Client.  Open About Skyhigh Client and check if you have a Policy Name and Policy Revision value.  If these are blank, then repeat step 4 to do another agent communication to pull the policy.
  9. Review About Skyhigh Client to confirm that the policy has been updated.  You should see the policy along with the status is Always Redirecting, and you can see the Active Proxy field which will show where proxy requests are being sent.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.