McDuff
Message 1 of 9

Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


Hello

Wondering if anyone has had any experience using MOVE SVA and Offload Scan Servers with Agent Handlers which are located in a DMZ and clients that are in an untrusted network and untrusted domain.

Currently, without MOVE, all clients in an untrusted network talk only with their Agent Handler (located in a DMZ), and the Agent Handler in turn has firewall rules opened to the domain controller, SQL server, and ePO server.

My question is, if we decide to install MOVE on these clients, will these clients also have to talk directly with their SVA Manager and OSS server, or will this communication occur via the Agent Handler?  If clients need to talk directly to the SVA Manager and OSS servers, should these servers be in the DMZ?  If clients need to talk directly to these servers, and the servers are not in the DMZ, wouldn't that mean we'd have to open up ports between the clients and the SVA and OSS, which would defeat the purpose of the Agent Handler?

Any advice would be appreciated.

1 Solution

Accepted Solutions

Re: Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


Keep the Agent Handler, SVA, Offload Scan Server and MOVE clients in the same subnet (DMZ). Minimal load.

-->>But no need for ePO.

 

8 Replies

Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ

McDuff
Message 3 of 9

Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


Hi, yes I read the documentation, but I don't see anywhere how MOVE SVA and offload servers interact with an Agent Handler.

Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


In your mind replace ePO with agent handler in the picture:

The MOVE SVA interacts with the Offload Scan Server and the MOVE client; also with the Agent Handler and ePO server. (Same SQL database)

The SVA load-balances and manages the Offload Scan Server for the clients.

The Offload Scan Server just Scans for the clients and keeps the scan hash in the cache of a local database.

All is managed/configured by ePO (or agent handler if you want to use this part of management Server)

I only found an old document on the Agent Handler:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22508/en_US/...

Maybe you will find what you are looking for here:

https://community.mcafee.com/docs/DOC-6829

ah.jpg

McDuff
Message 5 of 9

Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


So if we have systems in an untrusted network and we use an Agent Handler to limit access to the ePO server/SQL server/rest of network, should the SVA server and offload servers used by these untrusted systems reside in the DMZ as well?


McDuff
Message 7 of 9

Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


Thanks very much, I appreciate it

McAfee Employee evocke
Message 8 of 9

Re: Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


I am questioning the proposal to move the SVM/SVA Manager to the DMZ. The SVM Manager requires a direct WebService communication port 8443 to ePO - that may not be advisable from within DMZ. Can you please comment?

Re: Move SVA and Offload Scan Servers with Agent Handlers in a DMZ


When you use this configuration (with an Agent Handler), is it possible to use the vSphere connector?

You need to enter the vSphere credentials from the ePO server for it to connect.
