From this KB Article below, I am reading the following statement:
"For clients running McAfee Agent 4.0 Patch 1 and Host Intrusion Prevention 7.0 Patch 3 or higher which are managed by the Host Intrusion Prevention 7.0.3 Extension for ePO 4.0 or higher:
The ePO server must be reachable via this connection entry in the Connection Aware Group (CAG) configuration. The rules in the CAG should be enforced only if the CAG criteria are matched AND the ePO server can be resolved via DNS query over any interface.
This section of the log displays how Connection Aware Groups are configured and that the Requires home network option will be enabled"
Am I reading this right? A system that uses a CAG in its firewall policy must also be able to resolve the ePO server via DNS query for the CAG to be applicable? Doesn't seem right, and I have not read this in the past.
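The KB text quoted above makes two things true before CAG rules are enforced: the group's own criteria match, and the ePO server name resolves through DNS. The following POSIX shell script is an added example for checking that second prerequisite from a client; it is not from the thread or from McAfee, and `EPO_HOST` is an assumed placeholder you would replace with your own ePO server's FQDN.

```shell
#!/bin/sh
# Added example (not part of the thread): test whether this host can resolve the
# ePO server name via DNS, which the KB lists as a precondition for CAG enforcement.
# EPO_HOST below is a placeholder; set it to your ePO server's FQDN.

# epo_resolvable NAME -> exit 0 if NAME resolves to at least one address, else 1.
# Uses the system resolver (getent) so /etc/hosts and DNS are both consulted,
# matching the KB wording "resolved via DNS query over any interface" as closely
# as a generic client tool can.
epo_resolvable() {
    name="$1"
    if command -v getent >/dev/null 2>&1; then
        getent ahosts "$name" >/dev/null 2>&1 && return 0
        return 1
    fi
    # Fallback when getent is unavailable: rely on nslookup's exit status only,
    # since its output format varies between implementations.
    nslookup "$name" >/dev/null 2>&1
}

# cag_would_apply CRITERIA_MATCHED NAME -> prints "enforced" or "not-enforced"
# following the KB's rule: CAG criteria matched AND ePO server resolvable.
cag_would_apply() {
    matched="$1"
    name="$2"
    if [ "$matched" = "yes" ] && epo_resolvable "$name"; then
        echo "enforced"
    else
        echo "not-enforced"
    fi
}

# Usage: report the outcome for this host against the placeholder ePO name.
# The .invalid TLD never resolves, so this prints "not-enforced" until EPO_HOST is set.
EPO_HOST="${EPO_HOST:-epo.example.invalid}"
echo "ePO host: $EPO_HOST -> $(cag_would_apply yes "$EPO_HOST")"
```

Run it on a client that sits in a segment where you suspect the CAG is silently not applying (for instance an isolated DMZ); "not-enforced" with the criteria known to match points at name resolution, not the CAG criteria, as the thing to investigate.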
Maybe that is for something with the old agent/HIPS... you are still running machines with MA 4.0? We have a bunch of machines in isolated DMZs that use a CAG in their firewall policy, and I know they can't query via DNS to the ePO server, but all of our agents are 4.8+ and HIPS 8.
No, we are way above all levels mentioned for MA and HIPS. However the article states MA 4.0 P1 and HIPS 7.0, or HIGHER. At minimum, this KB should be updated, if ePO being reachable via DNS lookup is not still a CAG criteria requirement.