This discussion is archived
5558 Views, 11 Replies. Latest reply: Mar 27, 2012 11:12 PM by headless

headless (Newcomer, 17 posts since Jan 11, 2012)

Mar 20, 2012 4:34 AM

DMZ servers - deploying Agents to them using the Agent Handler server

Hi

We are using ePo 4.6 and I have installed an Agent Handler in our DMZ. All the required ports are open and tested; I can telnet to the Domain AV server and SQL server on their relevant ports.

I then added the Agent Handler to our internal AV server so I could deploy the Agent. This failed so I installed it using the framepkg.exe file. Once installed the AH server showed as Managed in the ePo console on the Domain ePo server.

I ran Wake Up Agents for this server to get the Policies applied but it fails; the error log is below:

20120320155306    I    #02388    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=146.195.*.*
20120320155306    I    #04292    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=146.195.*.*
20120320155306    I    #04344    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=146.195.*.*
20120320155306    I    #04464    mod_eporepo    Received request, uri=/Software/catalog.z, remoteIP=146.195.*.*
20120320155308    I    #04320    NAIMSRV        Wakeup agent on DNS name <AH SERVER IN DMZ>...
20120320155308    I    #04320    MCUPLOAD       Successfully disabled CA trust options.
20120320155308    I    #04888    NAIMSRV        Received [FullProps] from <AH SERVER IN DMZ>:{908E417D-446E-4A96-B5EB-2920F9C7EA0F}
20120320155308    I    #04888    NAIMSRV        Processing agent props for <AH SERVER IN DMZ>(908E417D-446E-4A96-B5EB-2920F9C7EA0F)
20120320155309    I    #04888    NAIMSRV        Agent meta-data out of date, 647969 > 0; resending.
20120320155309    I    #04888    NAIMSRV        Sending props response for agent <AH SERVER IN DMZ>, policy files attached (Policy\Server.xml)
20120320155309    I    #04888    NAIMSRV        Signing agent response package with key 6KspR0mvQGlXXFoRqMdzEmdkwFemD9SAr4lVorERRmw=
20120320155327    E    #04900    mod_eporepo    Failed to send http request.  System error=12002
20120320155327    E    #04900    mod_eporepo    Error connecting to https://<Domain ePo Server>:443/Software/replica.log
20120320155327    E    #04900    mod_eporepo    Failed to download content for https://<Domain ePo Server>:443/Software/replica.log, system error 2
20120320155348    E    #04900    mod_eporepo    Failed to send http request.  System error=12002
20120320155348    E    #04900    mod_eporepo    Error connecting to https://<Domain ePo Server>:443/Software/catalog.z
20120320155348    E    #04900    mod_eporepo    Failed to download content for https://<Domain ePo Server>:443/Software/catalog.z, system error 2
20120320155348    I    #04932    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=2002:92c3:5825::92c3:5825
20120320155348    I    #05080    mod_eporepo    Received request, uri=/Software/catalog.z, remoteIP=2002:92c3:5825::92c3:5825

I must say at this point that I do not fully understand how an Agent Handler in the DMZ talks back to the Domain ePo server and SQL server.

I understand the diagram in the Agent Handler whitepaper but do not understand how you make a server in the DMZ talk to the DMZ Agent Handler. So in a nutshell, what I have done is this:

  1. We have a Domain ePo server.
  2. I have installed an Agent Handler server in the DMZ.
  3. All the relevant ports have been opened and are bi-directional:
    1. 1433, 80, 8443 & 8444
    2. The only port I have not opened is 8081 as it didn't seem relevant to our setup.
  4. I have added the DMZ Agent Handler server to the sub-group on the Domain ePo server.
  5. I could not deploy the Agent to the DMZ server so I installed it using framepkg.exe.
  6. I ran Wake Up agents for the DMZ Agent Handler server to run the policies but this failed – log above.
  7. I tried to follow KB70722 but I could not get https://localhost:8443/core/config-auth to work.

All in all I have not had a great deal of success and am feeling fairly frustrated.

Also, for the deployment of Agents to the DMZ server I am using the following:

(screenshot: Agent_logon.JPG)

Where comadmin is the administrator of the DMZ server in question. The telling error is "Failed to authenticate to \\146.195.*.*, err=87", which I don't understand given the user is a local admin on the server.

As per my previous discussions any help greatly appreciated.

Cheers

Chris
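Added example, not code from the thread or from McAfee: a small Python parser for the ePO server-log format quoted in the post, run over a constructed sample built from the post's own lines (placeholder host names and masked IP kept as they appear). It counts the E-level lines, records which host and port each failing repository URL points at, tallies the system error codes, and then compares the ports the failing URLs need against the port list the post says was opened, which is a quick way to spot a repository URL such as the :443 one above that the firewall rule list does not cover.

```python
import re
from collections import Counter

# Constructed sample modelled on the ePO server-log excerpt in the post;
# hosts are the post's own placeholders and the IP is masked as in the post.
SAMPLE_LOG = """\
20120320155306    I    #02388    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=146.195.*.*
20120320155308    I    #04320    NAIMSRV    Wakeup agent on DNS name <AH SERVER IN DMZ>...
20120320155327    E    #04900    mod_eporepo    Failed to send http request.  System error=12002
20120320155327    E    #04900    mod_eporepo    Error connecting to https://<Domain ePo Server>:443/Software/replica.log
20120320155327    E    #04900    mod_eporepo    Failed to download content for https://<Domain ePo Server>:443/Software/replica.log, system error 2
20120320155348    E    #04900    mod_eporepo    Failed to send http request.  System error=12002
20120320155348    E    #04900    mod_eporepo    Error connecting to https://<Domain ePo Server>:443/Software/catalog.z
"""

# Field layout: <timestamp> <level> #<thread> <component> <message>
LINE_RE = re.compile(r"^(\d{14})\s+([A-Z])\s+#(\d+)\s+(\S+)\s+(.*)$")
# scheme, host (placeholders may contain spaces), optional :port, then the path
URL_RE = re.compile(r"(https?)://([^/]+?)(?::(\d+))?/")
SYSERR_RE = re.compile(r"system error[= ](\d+)", re.I)
WINHTTP_CODES = {"12002": "ERROR_WINHTTP_TIMEOUT"}  # well-known WinHTTP timeout code seen in the post

def parse_line(line):
    """Split one ePO server-log line into its fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, thread, component, msg = m.groups()
    return {"ts": ts, "level": level, "thread": thread,
            "component": component, "msg": msg}

def summarize(log_text):
    """Count E-level lines, the (host, port) each failed URL targets, and system error codes."""
    endpoints, syserrs, errors = Counter(), Counter(), 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["level"] != "E":
            continue
        errors += 1
        for scheme, host, port in URL_RE.findall(rec["msg"]):
            endpoints[(host, int(port) if port else (443 if scheme == "https" else 80))] += 1
        for code in SYSERR_RE.findall(rec["msg"]):
            syserrs[code] += 1
    return {"error_count": errors, "endpoints": endpoints, "system_errors": syserrs,
            "names": {c: WINHTTP_CODES.get(c, "unknown") for c in syserrs}}

def ports_not_opened(summary, opened_ports):
    """Ports the failing URLs need that are missing from the firewall rule list."""
    return {port for (_host, port) in summary["endpoints"] if port not in opened_ports}
```

Calling `ports_not_opened(summarize(SAMPLE_LOG), {1433, 80, 8443, 8444})` with the port list from the post returns `{443}`; pointing `summarize` at a real server log instead of the constructed sample works the same way.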

  • JoeBidgood (McAfee SME, 2,867 posts since Sep 11, 2009)

    Hi...

    I think this is down to how the credentials are specified. When you push the agent package, set the domain as a full stop (or period depending on which side of the Atlantic you are) and the user name as comadmin, and try it again.

    HTH -

    Joe

    (Please post questions to the forum, as I am unable to respond to private messages. Thanks!)



  • JoeBidgood (McAfee SME, 2,867 posts since Sep 11, 2009)

    If you manually install the agent on a machine in the DMZ, does it communicate with the agent handler correctly?

    Full details are in the MA 4.6 install guide, but in a nutshell you copy the framepkg.exe from the ePO server to the machine and run it locally with admin rights.

    Thanks -

    Joe



  • JoeBidgood (McAfee SME, 2,867 posts since Sep 11, 2009)

    That might have an effect

    Thanks -

    Joe



  • sdelvecchio (The Place at McAfee Member, 75 posts since Jan 8, 2010)

    Chris,

    We are not able to deploy via the Agent Handler in the DMZ also, but once the correct rules are in place we are able to install the agents locally and have them talk back to ePO. Once the agent handler is in place and communicating you will have to create a new agent framepkg installation to do the local install because it will contain the new serverlist.xml that has the agent handler. Otherwise your DMZ agents won't know the agent handler exists and they will only try to connect to the ePO server internally.

    Stephen Del Vecchio