Level 8
Message 1 of 4

DXL functionality inquiry


Dear community,

Due to the C19 situation, "The Business" has requested a solution to provide visibility of events pertaining to malware prevention, device control and DLP functionalities for endpoints which are connected to the Internet from a non-corporate network.

So, we've deployed a DXL appliance, placed it in the DMZ with a public IP and hostname.

Our on-premise ePO has the DXL fabric lit green, the DXL registered services are displaying and all.

When I select a workstation from the system tree (which is outside of the CDN) and do Actions -> DXL -> Look up in DXL, it shows as Connected.

And now... I expect to download eicar and have the ENS detection show real-time in the system's Threat Events, but that's not the case.

Could someone please shed some light as to what we're missing? Are our expectations wrong?

Your assistance is greatly appreciated.

BR,

Radko

P.S. I went through the installation/product/architecture guide but could not find an answer.

1 Solution

Accepted Solutions
McAfee Employee
Message 4 of 4

Re: DXL functionality inquiry


Hello RMazhReport, 

DXL has a number of uses but I am afraid replacing agent handler functionality is not one of them. Within the McAfee product suites we have numerous product integrations over DXL: ENS/TIE as you have outlined, but we also expand into other AV solutions as well as MWG, ATD, ATP. Command and control functionality and threat hunting is offered with integrations with MAR/EDR. Endpoint Encryption can leverage DXL... we also heavily use it for On Prem > Cloud solutions. 

It does handle agent wakeup functionality today, but only the wakeup. The remaining ASCI workflow remains unchanged and is the reason an agent handler must be present. To get the output you would expect (covering events for external devices) an agent handler in the DMZ would be required. As long as this DMZ handler can communicate with your internal ePO and is also reachable by your clients, either through a direct public address or NAT, etc., it should be all you need. 

If you have some time you can also review some of the open/third-party integrations offered over OpenDXL. www.opendxl.com


Thanks

Brian

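An added example (editor's note; not code from the original thread, from McAfee or from OpenDXL): a small Python readiness check that encodes the point Brian makes above, namely that the DXL broker path and the agent handler (ASCI) path are two separate client-to-server connections, so an external endpoint showing "Connected" in DXL says nothing about whether its ENS threat events can reach ePO. The DMZ hostnames are placeholders, and the ports are assumed defaults (8883 for the DXL broker, 443 for agent-server communication); verify both against your own deployment before relying on the output.

```python
"""Reachability check for the two outbound paths a roaming endpoint needs:
the DXL broker in the DMZ (DXL services, agent wake-up) and the agent handler
in the DMZ (ASCI: policy/property sync and threat event upload to ePO).
Hostnames below are placeholders and the ports are assumed defaults."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# Assumed defaults: 8883 is the usual DXL broker port, 443 the usual
# ePO / agent-handler agent-server communication port. Check yours.
DXL_BROKER_PORT = 8883
AGENT_HANDLER_PORT = 443


@dataclass(frozen=True)
class CommPath:
    key: str      # "dxl" or "asci"
    host: str
    port: int
    carries: str  # what travels over this path, per the thread


# Placeholder DMZ hostnames (constructed, not from the original post).
EXTERNAL_PATHS = (
    CommPath("dxl", "dxl-broker.dmz.example", DXL_BROKER_PORT,
             "DXL-hosted services (e.g. TIE reputation) and agent wake-up"),
    CommPath("asci", "agent-handler.dmz.example", AGENT_HANDLER_PORT,
             "ASCI: policies, properties and threat events to ePO"),
)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect test; the TLS handshake happens after this succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_paths(paths: Iterable[CommPath] = EXTERNAL_PATHS,
                probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe every path; 'probe' is injectable so the logic can be tested offline."""
    return {p.key: probe(p.host, p.port) for p in paths}


def event_flow_verdict(reach: Dict[str, bool]) -> Dict[str, object]:
    """Translate raw reachability into what the operator actually cares about."""
    dxl = reach.get("dxl", False)
    asci = reach.get("asci", False)
    if asci and dxl:
        reason = ("Agent handler and DXL broker both reachable: threat events "
                  "reach ePO and DXL services are available.")
    elif asci:
        reason = ("Agent handler reachable, DXL broker not: events still flow, "
                  "but DXL-hosted services and DXL wake-up are unavailable.")
    elif dxl:
        # This is the situation described in the original question.
        reason = ("DXL broker reachable but no agent handler: 'Look up in DXL' "
                  "shows Connected, yet ENS threat events never reach ePO "
                  "because the ASCI path is missing.")
    else:
        reason = "Neither path reachable: the client is cut off from management."
    return {"threat_events_flow": asci, "dxl_services": dxl, "reason": reason}


def run(paths: Iterable[CommPath] = EXTERNAL_PATHS,
        probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, object]:
    return event_flow_verdict(probe_paths(paths, probe))


if __name__ == "__main__":
    # Against the placeholder hosts this reports both paths unreachable;
    # point EXTERNAL_PATHS at your DMZ broker and handler to get a real answer.
    verdict = run()
    for path in EXTERNAL_PATHS:
        print(f"{path.key:5s} {path.host}:{path.port}  {path.carries}")
    print(verdict["reason"])
```

Run it from a machine on a non-corporate network (the same vantage point as the roaming endpoints). If the verdict is "DXL broker reachable but no agent handler", the fix is the one in the accepted answer: an agent handler in the DMZ that the internal ePO can talk to and that external clients can reach.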

3 Replies
McAfee Employee
Message 2 of 4

Re: DXL functionality inquiry


Hello RMadzReport, 

While I may not have the full picture of your deployment there, there is a piece missing. By placing a DXL broker in the DMZ and ensuring that DMZ DXL broker is connected to your internal brokers you should have any services hosted internally on DXL also available to external clients. This means, for instance, TIE reputation data is available to your externally connected endpoints.


However, TIE/DXL do not manage the trafficking of threat events. That is still the responsibility of MA > EPO/AH communication. Did you also place an agent handler in the DMZ? Is it fully connected to the internal ePO server?

Thanks

Brian

Level 8
Message 3 of 4

Re: DXL functionality inquiry

Hey Brian,

Thank you for your kind reply.

DXL was presented to us as an improvement to McAfee Agent Handler.
Now, I realize it is used mainly to complement TIE and its various integrations (e.g. MWG).
Could you possibly point us to any other services supported by the DXL?

On another note, if we wish to track threat events generated by ENS on the Internet, we need to deploy an AH in the DMZ and what then?

If this is too broad a topic for this forum, I could open a ticket, ofc 🙂

Thank you in advance!

BR,
Radko
