McAfee Employee jebeling

Why does MCP Incorrectly Detect Being on Corporate Network?


When a client using MCP is configured for detecting whether it is on the corporate network or not, it may falsely detect being on the corporate network. This is possible even if the detection is based on being able to reach a server name that can only be resolved on the corporate network. Why is this?

Accepted Solution

McAfee Employee jebeling

Re: Why does MCP Incorrectly Detect Being on Corporate Network?


MCP network awareness is based on the MCP policy settings. If you are using ePO cloud, or you have agent handlers exposed to the Internet and you use the ability to reach ePO as your detection method, MCP will always think it is on the corporate network because it can always reach ePO. 😉

Another possibility is that you have used an internal server FQDN and a common web port (80 or 443) as your "landmark." This scenario is a bit harder to understand as it is highly dependent on how the DNS infrastructure at the client location works. Some DNS services will respond with the IP of a server hosting a web page advertising DNS services or name registration when there is no authoritative server for the site or domain that was queried.

So, if my landmark is "someserver.somecompany.com" on port 80 and that name does not exist publicly, then some DNS servers will return the IP of a website offering to register that name. MCP will take that address and successfully connect to it on port 80 thinking that it is connecting to the requested server. When the connection is successful, MCP concludes that it is on the corporate network and stands down. 

Simple solutions to this issue are using IPs instead of FQDNs and/or less commonly used ports in your landmark definitions. For example I could use mwg.somecompany.com on port 9090, if mwg.somecompany.com resolves to the address of an on-premises MWG and my MWG is listening on port 9090. Likewise if my MWG is at 192.168.1.222 and is listening on port 80, I could use 192.168.1.222 on port 80 as my landmark.

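The failure described in the answer above is a resolver that answers NXDOMAIN with a "parking page" address, so a landmark check that only asks "did the name resolve and did port 80 accept a connection?" succeeds off-network. The following is an added example, not MCP's own code or McAfee's detection logic. It models the landmark test as "resolve, then TCP connect", shows the naive check being fooled, and shows the two fixes from the answer (an IP literal instead of an FQDN, an uncommon port) plus one further check a practitioner would add: pinning the resolved address to the expected internal range, and probing a random name under the company domain to detect a lying resolver. The landmark mwg.somecompany.com, 192.168.1.222 and port 9090 are taken from the answer; 203.0.113.10, somecompany.com as the probe domain and the resolver/connector behaviours are constructed for the demo. The real_resolve/real_connect helpers use the system resolver and a live TCP connect and are only defaults; the demo injects fakes so it runs offline.

```python
"""Landmark-style 'on corporate network?' check and why a wildcard resolver defeats it.

Added example, not McAfee Client Proxy code. Network environments are simulated
by injecting resolve/connect callables; the real_* defaults do live DNS/TCP.
"""
import ipaddress
import secrets
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]   # name -> first IPv4 as str, or None on NXDOMAIN
Connector = Callable[[str, int], bool]      # (ip, port) -> True if TCP connect succeeded


def real_resolve(name: str) -> Optional[str]:
    """Forward-resolve an FQDN with the system resolver (live DNS, not used by demo())."""
    try:
        return socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return None


def real_connect(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TCP connect to ip:port (live network, not used by demo())."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def _is_ip_literal(landmark: str) -> bool:
    try:
        ipaddress.ip_address(landmark)
        return True
    except ValueError:
        return False


def naive_landmark_check(landmark: str, port: int,
                         resolve: Resolver = real_resolve,
                         connect: Connector = real_connect) -> bool:
    """The check the answer describes: resolve the name, trust whatever comes back, connect."""
    ip = landmark if _is_ip_literal(landmark) else resolve(landmark)
    return ip is not None and connect(ip, port)


def pinned_landmark_check(landmark: str, port: int, expected_net: str,
                          resolve: Resolver = real_resolve,
                          connect: Connector = real_connect) -> bool:
    """Hardened check: the answer must fall inside the address/range we expect for our server.

    A parking-page IP returned for a non-existent public name will not be in the
    internal range, so the check fails off-network even on port 80.
    """
    ip = landmark if _is_ip_literal(landmark) else resolve(landmark)
    if ip is None:
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(expected_net, strict=False):
        return False  # resolver handed us something that is not our landmark host
    return connect(ip, port)


def resolver_hijacks_nxdomain(domain: str, resolve: Resolver = real_resolve) -> bool:
    """Probe a random, guaranteed-nonexistent label under `domain`.

    A truthful resolver returns NXDOMAIN (None); one that answers with a parking
    page resolves it anyway, which means FQDN landmarks cannot be trusted here.
    """
    probe = f"mcp-probe-{secrets.token_hex(6)}.{domain}"
    return resolve(probe) is not None


# ---- constructed off-network environment: ISP resolver that parks unknown names ----
HIJACK_IP = "203.0.113.10"  # constructed; a registrar's "buy this name" web host


def hijacking_resolve(name: str) -> Optional[str]:
    return HIJACK_IP  # every name, existing or not, gets the parking address


def parking_page_connect(ip: str, port: int) -> bool:
    return ip == HIJACK_IP and port in (80, 443)  # parking host only serves HTTP(S)


# ---- constructed on-network environment: internal DNS plus the on-premises MWG ----
MWG_IP = "192.168.1.222"


def corporate_resolve(name: str) -> Optional[str]:
    return {"mwg.somecompany.com": MWG_IP}.get(name)  # NXDOMAIN for anything else


def corporate_connect(ip: str, port: int) -> bool:
    return ip == MWG_IP and port in (80, 9090)


def demo() -> dict:
    """Run the checks in both environments; keys say where we are and what was tested."""
    off = dict(resolve=hijacking_resolve, connect=parking_page_connect)
    on = dict(resolve=corporate_resolve, connect=corporate_connect)
    return {
        "off_net_naive_fqdn_80": naive_landmark_check("mwg.somecompany.com", 80, **off),
        "off_net_naive_fqdn_9090": naive_landmark_check("mwg.somecompany.com", 9090, **off),
        "off_net_naive_ip_80": naive_landmark_check(MWG_IP, 80, **off),
        "off_net_pinned_fqdn_80": pinned_landmark_check("mwg.somecompany.com", 80, "192.168.1.0/24", **off),
        "off_net_resolver_hijacks": resolver_hijacks_nxdomain("somecompany.com", hijacking_resolve),
        "on_net_naive_fqdn_80": naive_landmark_check("mwg.somecompany.com", 80, **on),
        "on_net_pinned_fqdn_9090": pinned_landmark_check("mwg.somecompany.com", 9090, "192.168.1.0/24", **on),
        "on_net_resolver_hijacks": resolver_hijacks_nxdomain("somecompany.com", corporate_resolve),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

Only `off_net_naive_fqdn_80` reports "on corporate network" while off-network, which is exactly the false positive in the answer; switching the landmark to the IP literal or to port 9090 removes it, and the pinned check removes it even on port 80. The NXDOMAIN probe is a useful one-off diagnostic at a site where MCP misbehaves: if a made-up name under your own domain resolves, the local resolver is parking unknown names and any FQDN landmark on 80/443 will be unreliable there.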

