11 Replies. Latest reply: Mar 27, 2012 11:12 PM by headless

    DMZ servers - deploying Agents to them using the Agent Handler server

    headless

      Hi

      We are using ePO 4.6 and I have installed an Agent Handler in our DMZ. All the required ports are open and tested; I can telnet to the Domain AV server and SQL server on their relevant ports.

      I then added the Agent Handler to our internal AV server so I could deploy the Agent. This failed so I installed it using the framepkg.exe file. Once installed the AH server showed as Managed in the ePO console on the Domain ePO server.

      I ran Wake Up Agents for this server to get the Policies applied but it fails; the error log is below:

      20120320155306    I    #02388    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=146.195.*.*
      20120320155306    I    #04292    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=146.195.*.*
      20120320155306    I    #04344    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=146.195.*.*
      20120320155306    I    #04464    mod_eporepo    Received request, uri=/Software/catalog.z, remoteIP=146.195.*.*
      20120320155308    I    #04320    NAIMSRV        Wakeup agent on DNS name <AH SERVER IN DMZ>...
      20120320155308    I    #04320    MCUPLOAD       Successfully disabled CA trust options.
      20120320155308    I    #04888    NAIMSRV        Received [FullProps] from <AH SERVER IN DMZ>:{908E417D-446E-4A96-B5EB-2920F9C7EA0F}
      20120320155308    I    #04888    NAIMSRV        Processing agent props for <AH SERVER IN DMZ>(908E417D-446E-4A96-B5EB-2920F9C7EA0F)
      20120320155309    I    #04888    NAIMSRV        Agent meta-data out of date, 647969 > 0; resending.
      20120320155309    I    #04888    NAIMSRV        Sending props response for agent <AH SERVER IN DMZ>, policy files attached (Policy\Server.xml)
      20120320155309    I    #04888    NAIMSRV        Signing agent response package with key 6KspR0mvQGlXXFoRqMdzEmdkwFemD9SAr4lVorERRmw=
      20120320155327    E    #04900    mod_eporepo    Failed to send http request.  System error=12002
      20120320155327    E    #04900    mod_eporepo    Error connecting to https://<Domain ePo Server>:443/Software/replica.log
      20120320155327    E    #04900    mod_eporepo    Failed to download content for https://<Domain ePo Server>:443/Software/replica.log, system error 2
      20120320155348    E    #04900    mod_eporepo    Failed to send http request.  System error=12002
      20120320155348    E    #04900    mod_eporepo    Error connecting to https://<Domain ePo Server>:443/Software/catalog.z
      20120320155348    E    #04900    mod_eporepo    Failed to download content for https://<Domain ePo Server>:443/Software/catalog.z, system error 2
      20120320155348    I    #04932    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=2002:92c3:5825::92c3:5825
      20120320155348    I    #05080    mod_eporepo    Received request, uri=/Software/catalog.z, remoteIP=2002:92c3:5825::92c3:5825

      I must say at this point that I do not fully understand how an Agent Handler in the DMZ talks back to the Domain ePO server and SQL server.

      I understand the diagram in the Agent Handler whitepaper but do not understand how you make a server in the DMZ talk to the DMZ Agent Handler. So in a nutshell, what I have done is this:

      1. We have a Domain ePO server.
      2. I have installed an Agent Handler server in the DMZ.
      3. All the relevant ports have been opened and are bi-directional:
         1. 1433, 80, 8443 & 8444
         2. The only port I have not opened is 8081 as it didn't seem relevant to our setup.
      4. I have added the DMZ Agent Handler server to the sub-group on the Domain ePO server.
      5. I could not deploy the Agent to the DMZ server so I installed it using framepkg.exe.
      6. I ran Wake Up Agents for the DMZ Agent Handler server to run the policies but this failed - log above.
      7. I tried to follow KB70722 but I could not get https://localhost:8443/core/config-auth to work.

      All in all I have not had a great deal of success and am feeling fairly frustrated.

      Also, for the deployment of Agents to the DMZ server I am using the following:

      [attached screenshot: Agent_logon.JPG]

      Where comadmin is the administrator of the DMZ server in question. The telling error is "Failed to authenticate to \\146.195.*.*, err=87"

      Which I don't understand given the user is a local admin on the server.

      As per my previous discussions any help greatly appreciated.

      Cheers

      Chris

        • 1. Re: DMZ servers - deploying Agents to them using the Agent Handler server
          JoeBidgood

          Hi...

          I think this is down to how the credentials are specified. When you push the agent package, set the domain as a full stop (or period depending on which side of the Atlantic you are) and the user name as comadmin, and try it again.

          HTH -

          Joe

          • 2. Re: DMZ servers - deploying Agents to them using the Agent Handler server
            headless

            Hi Joe

            I did as you suggested using "." for the domain and "comadmin" for the user with no ".\" in front of the user name.

            The following is in the log:

            20120321140759    E    #07164    NAIMSRV     Failed to authenticate to \\146.195.80.131, err=53
            20120321140759    E    #07164    NAIMSRV     Push Agent Installation Program to 146.195.80.131 failed
            20120321140759    I    #07164    MCUPLOAD    Successfully disabled CA trust options.

            I can ping the IP address from the AH server, that is why I am using the IP address.

            Cheers

            Chris

            • 3. Re: DMZ servers - deploying Agents to them using the Agent Handler server
              JoeBidgood

              If you manually install the agent on a machine in the DMZ, does it communicate with the agent handler correctly?

              Full details are in the MA 4.6 install guide, but in a nutshell you copy the framepkg.exe from the ePO server to the machine and run it locally with admin rights.

              Thanks -

              Joe

              • 4. Re: DMZ servers - deploying Agents to them using the Agent Handler server
                headless

                Hi Joe

                Well I may have found the problem. I raised a change with our Security team to open port 443 on the firewall and on checking the current rule that has been set up for the AH server in the DMZ, they found the rule had the wrong IP address for the AH server - the first octet was 149 instead of 146!!!

                It will be changed tonight and I will check in the morning and update the discussion.

                Cheers

                Chris

                • 5. Re: DMZ servers - deploying Agents to them using the Agent Handler server
                  JoeBidgood

                  That might have an effect.

                  Thanks -

                  Joe

                  • 6. Re: DMZ servers - deploying Agents to them using the Agent Handler server
                    headless

                    Hi Joe

                    Unfortunately fixing the IP address didn't fix my problems. I still can't deploy agents.

                    Here is a clean error log from the Agent Handler server in the DMZ.

                    20120323163958    I    #05400    NAISIGN     RSA BSAFE Crypto-C Micro Edition FIPS 140-2 Module 3.0.0.1
                    20120323163958    I    #05400    NAIMSRV     Initializing server...
                    20120323163958    I    #05400    NAIMSRV     Database initialization: Starting.
                    20120323164013    I    #05400    NAIMSRV     Database initialization: Succeeded.
                    20120323164013    I    #05400    NAIMSRV     Policy Manager initialization: Starting.
                    20120323164013    I    #05400    NAIMSRV     Policy Manager initialization: Succeeded.
                    20120323164013    I    #05400    NAIMSRV     Server state at startup: Enabled
                    20120323164014    I    #05400    NAIMSRV     Checking to see if the ePO server is available.  We will try 12 times.
                    20120323164014    I    #05400    NAIMSRV     The Agent Handler successfully connected to the ePO server.
                    20120323164014    I    #05400    MCUPLOAD    Successfully disabled CA trust options.
                    20120323164014    I    #05400    MCUPLOAD    Successfully disabled CA trust options.
                    20120323164014    I    #05400    NAIMSRV     Syncing keys with the ePO server 'PDC-MCAFEEAV01.ads.westernpower.com.au'.
                    20120323164014    I    #05400    MCUPLOAD    Successfully disabled CA trust options.
                    20120323164014    I    #05400    NAIMSRV     Unloading server private keys
                    20120323164014    I    #05400    NAIMSRV     ePolicy Orchestrator server started.
                    20120323164014    I    #05400    mod_eporepo    Database initialization: Starting.
                    20120323164014    I    #05400    mod_eporepo    Database initialization: Succeeded.
                    20120323164114    E    #05792    NAIMSRV     Failed to authenticate to \\PDC-MCAFEEAV-AH, err=5
                    20120323164114    E    #05792    NAIMSRV     Push Agent Installation Program to PDC-MCAFEEAV-AH failed
                    20120323164114    I    #05792    MCUPLOAD    Successfully disabled CA trust options.

                    The #05792 error is the one I can't seem to fix. The credentials I am using are for a local administrator on the server. This is the AH server in the DMZ.

                    As it is a DMZ server I am using a period or dot for the Domain and the user name is the local administrator. I have tried the following for the user name:

                    <user name>
                    .\<user name>
                    .<user name>
                    \<user name>

                    I did use framepkg.exe to install the Agent originally but the server would not talk back to the internal ePO server. So I uninstalled it and am trying a normal Agent deploy. I figure if I can't get the AH handler sorted I'm not going to be able to do the other DMZ servers.

                    Cheers

                    Chris
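Added example, not part of the thread and not McAfee's code: the err= values that NAIMSRV logs on a failed push (87, 53 and 5 above) are standard Win32 error codes, so Windows itself can translate them, and the two things a push to a workgroup host in a DMZ needs can be tested from the ePO or AH side before retrying the deployment. The script assumes (the thread does not say so) that the push copies the installer to the target's ADMIN$ share; the host name PDC-MCAFEEAV-AH and the account comadmin are taken from the posts, everything else is a placeholder.

```powershell
# Added example (not from the thread or from McAfee). Run on the ePO or AH server.

function Get-Win32ErrorText {
    # Translates a Win32 error number into the same text Windows shows for it.
    param([int]$Code)
    (New-Object System.ComponentModel.Win32Exception -ArgumentList $Code).Message
}

# The three codes that appear in this thread. On Windows the output is:
#   87  The parameter is incorrect.        -> the credential/domain string was not parsable
#   53  The network path was not found.    -> name resolution failed or SMB (TCP 445) is blocked
#    5  Access is denied.                  -> the host was reached; the account or share rejected the logon
foreach ($code in 87, 53, 5) { '{0,4}  {1}' -f $code, (Get-Win32ErrorText $code) }

function Test-PushPrerequisites {
    # Checks, with the credential the push would use, that SMB is reachable and
    # that ADMIN$ can be mapped on the target. Returns an ordered name -> result map.
    param(
        [string]$Target,                                         # host name or IP of the DMZ machine
        [System.Management.Automation.PSCredential]$Credential   # local admin on that machine
    )
    $result = New-Object System.Collections.Specialized.OrderedDictionary

    # 1. SMB must be reachable. A push that logs err=53 usually never got this far.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($Target, 445); $result['Tcp445'] = 'open' }
    catch   { $result['Tcp445'] = 'blocked: ' + $_.Exception.GetBaseException().Message }
    finally { $tcp.Close() }

    # 2. The credential must map ADMIN$ (assumption: the push copies the installer there).
    #    For a local account the "domain = ." form in the thread becomes TARGET\user, which
    #    a workgroup host authenticates against its local SAM.
    $net    = $Credential.GetNetworkCredential()
    $domain = if ($net.Domain -and $net.Domain -ne '.') { $net.Domain } else { $Target }
    $share  = '\\' + $Target + '\ADMIN$'
    $userArg = '/user:' + $domain + '\' + $net.UserName
    $pw     = $net.Password
    $out = & net use $share $pw $userArg 2>&1
    if ($LASTEXITCODE -eq 0) {
        $result['AdminShare'] = 'accessible as ' + $domain + '\' + $net.UserName
        & net use $share /delete /y | Out-Null
    } else {
        $result['AdminShare'] = 'denied: ' + (($out | Out-String) -replace '\s+', ' ').Trim()
    }
    return $result
}

# Usage (names from the thread; the password is prompted for, never typed on the command line):
#   $cred = Get-Credential 'PDC-MCAFEEAV-AH\comadmin'
#   Test-PushPrerequisites -Target 'PDC-MCAFEEAV-AH' -Credential $cred
```

If TCP 445 is open and ADMIN$ maps interactively but the push still logs err=5 with a local administrator that is not the built-in Administrator account, one thing to rule out on the target is UAC remote token filtering (LocalAccountTokenFilterPolicy under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System on Vista/2008 and later), which strips administrative rights from local accounts used over the network. The thread does not say which account type or OS release is involved, so this is a check to perform, not a diagnosis.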

                    • 7. Re: DMZ servers - deploying Agents to them using the Agent Handler server
                      sdelvecchio

                      Chris,

                      We are not able to deploy via the Agent Handler in the DMZ also, but once the correct rules are in place we are able to install the agents locally and have them talk back to ePO. Once the agent handler is in place and communicating, you will have to create a new agent framepkg installation to do the local install, because it will contain the new serverlist.xml that has the agent handler. Otherwise your DMZ agents won't know the agent handler exists and they will only try to connect to the ePO server internally.

                      • 8. Re: DMZ servers - deploying Agents to them using the Agent Handler server
                        headless

                        Hi sdelvecchio

                        Thanks for the reply.

                        I did install the agent on the AH server manually but it wouldn't talk back to the ePO server. So while it was managed, it didn't download any policies.

                        Maybe the AH rules are incorrect but I have entered the IP address ranges and set up an AH group. I will install the agent on the AH server manually again and see where it takes me.

                        Cheers

                        Chris

                        • 9. Re: DMZ servers - deploying Agents to them using the Agent Handler server
                          headless

                          Hi sdelvecchio

                          I manually installed the Agent on the AH server and sent a wake up agent request to get the policies downloaded. The following is from the AH log:

                          20120324152311    E    #07624    mod_eporepo    Failed to send http request.  System error=12002
                          20120324152311    E    #07624    mod_eporepo    Error connecting to https://PDC-MCAFEEAV01.xxx.xxxxxxx.xxx.xx:443/Software/catalog.z
                          20120324152311    E    #07624    mod_eporepo    Failed to download content for https://PDC-MCAFEEAV01.xxx.xxxxxxx.xxx.xx:443/Software/catalog.z, system error 2
                          20120324152311    I    #06752    mod_eporepo    Received request, uri=/Software/SiteStat.xml, remoteIP=2002:92c3:5825::92c3:5825
                          20120324152311    I    #03116    mod_eporepo    Received request, uri=/Software/catalog.z, remoteIP=2002:92c3:5825::92c3:5825
                          20120324152332    E    #07624    mod_eporepo    Failed to send http request.  System error=12002
                          20120324152332    E    #07624    mod_eporepo    Error connecting to https://PDC-MCAFEEAV01.xxx.xxxxxxx.xxx.xx:443/Software/replica.log
                          20120324152332    E    #07624    mod_eporepo    Failed to download content for https://PDC-MCAFEEAV01.xxx.xxxxxxx.xxx.x:443/Software/replica.log, system error 2
                          20120324152353    E    #07624    mod_eporepo    Failed to send http request.  System error=12002
                          20120324152353    E    #07624    mod_eporepo    Error connecting to https://PDC-MCAFEEAV01.xxx.xxxxxxx.xxx.xx:443/Software/catalog.z
                          20120324152353    E    #07624    mod_eporepo    Failed to download content for https://PDC-MCAFEEAV01.xxx.xxxxxxx.xxx.xx:443/Software/catalog.z, system error 2

                          The bold lines are the ones that concern me. I have had port 443 opened and confirmed as such. I will need to check it myself, going from the AH server to the ePO server. I tried telnet but it failed to connect; do you know of another test I can do to check 443 is open?

                          Cheers

                          Chris
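Added example, not part of the thread and not McAfee's code, covering both the port list in the original post and the question above about testing 443 without telnet. "System error=12002" in the mod_eporepo lines is the WinINet/WinHTTP code ERROR_INTERNET_TIMEOUT, i.e. the AH's request got no answer at all, which is what a firewall that silently drops (or a rule written for the wrong source address, as in reply 4) looks like from the client; a wrong port or a stopped service fails immediately instead. The script below, run on the AH server, separates those cases at the TCP, TLS and HTTP layers. Host names are placeholders, the ports are the ePO 4.6 defaults the thread lists (the role notes beside them are mine), and the repository URL is the one the AH log shows it fetching.

```powershell
# Added example (not from the thread or from McAfee). Run on the DMZ Agent Handler,
# because the firewall rule is keyed on that host's source address.

$EpoServer = 'PDC-MCAFEEAV01.example.internal'   # placeholder: internal ePO server FQDN
$SqlServer = 'SQL01.example.internal'            # placeholder: ePO database server

function Test-TcpPort {
    # Returns OPEN, TIMEOUT or 'FAILED: <reason>'. TIMEOUT means no SYN/ACK came back
    # within $TimeoutMs (a dropping firewall); a refused port or a DNS failure returns FAILED at once.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT' }
        $client.EndConnect($handle)
        return 'OPEN'
    } catch {
        return 'FAILED: ' + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
}

function Test-TlsEndpoint {
    # Completes a TLS handshake and reports the server certificate. ePO issues its own
    # certificates, so chain validation is skipped on purpose: the question here is only
    # whether a TLS listener answers on the port, not whether the chain is trusted.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    try {
        $client.Connect($ComputerName, $Port)
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAny
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        return "TLS OK ($($ssl.SslProtocol)); subject=$($cert.Subject); issuer=$($cert.Issuer); expires=$($cert.NotAfter)"
    } catch {
        return 'TLS FAILED: ' + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
}

function Test-EpoRepositoryUrl {
    # Requests a repository object over HTTPS. Any HTTP status, even 401/403/404, proves the
    # path works end to end; only a timeout or a TLS error points at the network.
    param([string]$Url, [int]$TimeoutMs = 5000)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = $TimeoutMs
        $resp = $req.GetResponse()
        $status = 'HTTP ' + [int]$resp.StatusCode + ' ' + $resp.StatusDescription
        $resp.Close()
        return $status
    } catch {
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            return 'HTTP ' + [int]$ex.Response.StatusCode + ' (HTTPS path is reachable)'
        }
        return 'NO HTTP RESPONSE: ' + $ex.Message
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    }
}

# --- Checks, in the order the thread's symptoms suggest ---
$checks = @(
    @{ Host = $EpoServer; Port = 443;  Note = 'agent-server secure comms (where 12002 was logged)' },
    @{ Host = $EpoServer; Port = 80;   Note = 'agent-server comms' },
    @{ Host = $EpoServer; Port = 8443; Note = 'ePO console / AH to ePO' },
    @{ Host = $EpoServer; Port = 8444; Note = 'client-to-server authenticated comms' },
    @{ Host = $SqlServer; Port = 1433; Note = 'SQL Server' }
)
foreach ($c in $checks) {
    '{0,-40} {1,5}  {2,-12} {3}' -f $c.Host, $c.Port, (Test-TcpPort $c.Host $c.Port), $c.Note
}
Test-TlsEndpoint $EpoServer 443
Test-EpoRepositoryUrl "https://${EpoServer}:443/Software/SiteStat.xml"
```

Read the three results together: TIMEOUT on 443 with OPEN on 8443 is the firewall rule (check the source address it names against the AH's actual address, as in reply 4); OPEN plus "TLS FAILED" means the port is reachable but not the ePO HTTPS listener; OPEN plus TLS OK plus any HTTP status means the network is fine and the remaining problem is on the ePO/AH side. Because the firewall rule is keyed on the AH's address, a test from any other host, including telnet from an admin workstation, proves nothing about the AH's path.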
