We've been running encryption since safeboot v3 or 4 and currently have the older 5.2.X EEM and 5.2.10 EEPC on most machines.
I am prepping for a migration to ePO as that was the advised path from support. We do not plan on running any of the other McAfee products at this time or even in the future, but support said the ePO has the ability to put a machine in the DMZ for securely updating remote machines, which is the largest pain point with our old 5.2.x as we have about 130 clients and only about half have the ability (without manually connecting to HQ over VPN and updating) to hit the old server. They also stated we get a little more functionality than running the EEM v6 and that the McAfee agent is more secure for remote updates in general.
I've been poring over the install, best practice guides, etc. and trying to decide on our setup. I guess my main question is, when I set up the ePO server should I place it in an administrative VLAN only (which gives it access to AD) and then force all clients to talk only to the agent handler that will get placed in the DMZ?
Or do I place the ePO in the VLAN I typically put other servers clients communicate with, so they can hit it internally directly and talk to either the ePO or the agent handler? I can manage DNS to make internal requests to the DMZ agent handler be handled internally instead of looping outside the firewall, but I'm not sure what the recommendation is for the setup or what some real world experience from others may be.
We aren't looking at a cluster solution per se, just not wanting to expose this new ePO server directly externally since it ties in with AD. The DMZ agent handler would still need access to the SQL and various other ports on the main ePO, but it gives a bit of a security buffer if compromised (depending on how we configure things).
So I started my initial ePO and ran into issues and called into support today. After the technician assisted, I asked about the ports and items listed in the agent handler white paper. Turns out that if clients do not have inbound 8081 enabled (and 99% of users sit behind a firewall) there are going to be some issues with being able to completely manage remote clients. The 8081 data channel handles token info and user updates.
Anyone with experience able to chime in on what we can expect (or not expect) when managing remote clients with an agent handler in the DMZ? That would be remote clients that only talk to the DMZ handler. Ideally I'd make it so the ePO server is completely inaccessible and everything flows through the DMZ handler. At the initial point of install/config I would do it in my own network and have a firewall rule to talk internally to that DMZ machine (so more like a VLAN in that sense, I guess).
I also saw that EEPC v7 may fix this data channel issue.
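Since the sticking point in the post is whether each flow between the DMZ agent handler and a remote client actually gets through a firewall, here is an added reachability check, written for this edit and not taken from the post or from McAfee. It probes each direction with a plain TCP handshake and reports which flows are blocked. Port 8081 is the client data channel the post names; the agent handler port (443) is an assumed placeholder to be replaced with the value from your own ePO settings, and the loopback "handler" and "client" sockets in `simulate()` are constructed so the script runs offline.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Port 8081 is the client-side data channel the post describes.
CLIENT_DATA_CHANNEL_PORT = 8081
# ASSUMPTION / placeholder: take the real agent-to-server port from your ePO server settings.
AGENT_HANDLER_PORT = 443

# A flow is (label, destination host, destination port).
# Run client->handler flows from a remote client and handler->client flows from the DMZ handler.
Flow = Tuple[str, str, int]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows: Iterable[Flow]) -> Dict[str, bool]:
    """Probe every flow once and map its label to reachable (True) or not (False)."""
    return {label: tcp_reachable(host, port) for label, host, port in flows}


def blocked(results: Dict[str, bool]) -> List[str]:
    """Labels of the flows that failed, sorted for stable reporting."""
    return sorted(label for label, ok in results.items() if not ok)


def expected_flows(handler_host: str, client_host: str) -> List[Flow]:
    """The two directions the post is worried about: client out to the DMZ
    handler, and the handler back in to the client's 8081 data channel."""
    return [
        ("client->handler agent comms", handler_host, AGENT_HANDLER_PORT),
        ("handler->client data channel 8081", client_host, CLIENT_DATA_CHANNEL_PORT),
    ]


def simulate() -> Dict[str, bool]:
    """Constructed offline scenario on loopback.

    A listening socket stands in for a reachable DMZ handler; a socket that is
    bound but never calls listen() stands in for a remote client whose firewall
    refuses inbound 8081 (the kernel answers with connection refused)."""
    handler_sock = socket.socket()
    handler_sock.bind(("127.0.0.1", 0))
    handler_sock.listen(5)  # handshake completes even if nobody accept()s
    handler_port = handler_sock.getsockname()[1]

    client_sock = socket.socket()
    client_sock.bind(("127.0.0.1", 0))  # no listen(): connections are refused
    client_port = client_sock.getsockname()[1]

    try:
        flows = [
            ("client->handler agent comms", "127.0.0.1", handler_port),
            ("handler->client data channel 8081", "127.0.0.1", client_port),
        ]
        return check_flows(flows)
    finally:
        handler_sock.close()
        client_sock.close()


if __name__ == "__main__":
    results = simulate()
    for label, ok in results.items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {label}")
    print("blocked flows:", blocked(results))
```

In real use, replace `simulate()` with `check_flows(expected_flows("<dmz-handler-host>", "<remote-client-host>"))` and run the client-side half from a machine behind a typical user firewall; a `BLOCKED` result on the 8081 flow is exactly the case the post says leaves remote clients only partially manageable.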