Former Member
Message 1 of 7

Agent Handlers in DMZ and Remote Sites

Hi All,

Just wondering if anyone has specific firewall rules which need to be opened for AH (Agent Handlers) in the DMZ.

I have ePO 4.5 on the internal LAN along with SQL server as the DB server

Planning to deploy AH in DMZ to manage external facing systems

Any potential gotcha?

Also, has anyone deployed AH in remote sites with a WAN link of 256K? The remote sites have a small amount of managed systems - > 10

Cheers

Ducsta

6 Replies
Former Member
Message 2 of 7

Re: Agent Handlers in DMZ and Remote Sites

Hi Ducsta,

Between the ePO and agent handler, you only need to open the port (8433 by default, configurable) you configured to communicate. I prefer that the rule be outbound - from LAN to DMZ. Depending on your requirements, you may need additional ports to be opened. I would group these ports and use this group in the firewall for configuration. You can find more details in the McAfee ePolicy Orchestrator 4.5 Installation Guide, page 16.

256Kbps depends on how much of it is used and how often you want the agent handler to communicate with ePO. You can schedule the communication to happen at off-peak hours.

Hope this helps. Best of luck

1ndian

JoeBidgood
McAfee Employee
Message 3 of 7

Re: Agent Handlers in DMZ and Remote Sites

> 256Kbps depends on how much of it is used and how often you want the agent handler to communicate with ePO. You can schedule the communication to happen at off-peak hours.
>
> Hope this helps. Best of luck
>
> 1ndian

Sorry, just need to jump in here - that's not correct, I'm afraid. An agent handler needs a permanent, high-speed, low-latency connection to the SQL server. You can't schedule when an AH communicates - it's doing it all the time.

You really, really don't want to put an agent handler on a 10 machine site at the end of a 256K link, trust me.

If you haven't already done so, I'd strongly recommend having a look at the Agent Handler White paper, located here.

Regards -

Joe

Former Member
Message 4 of 7

Re: Agent Handlers in DMZ and Remote Sites

Hi Joe,

Thanks for the input.

I was under the impression that agent handler communication can be scheduled like agent-ePO communication, giving it a larger time frame.

By the way, the white paper answers the first question as well.

Thanks Joe.

Former Member
Message 5 of 7

Re: Agent Handlers in DMZ and Remote Sites

Sounds more like a SuperAgent with the repository function might be in order here. Just don't assign the SA to an AH or you lose control of replication to it.

Matt

Former Member
Message 6 of 7

Re: Agent Handlers in DMZ and Remote Sites

Hello rob,

This sounds like a workable solution to me.

My VM is busy testing WebGateway 7. I would need to test this for my remote site which is not managed now.

Former Member
Message 7 of 7

Re: Agent Handlers in DMZ and Remote Sites

Hi guys,

Thanks for the replies...

As the link between the private and DMZ will be more than 256K, there's no issue here. I'll just need to make sure the AH have the correct firewall rules opened.

As for the remote sites with less than 256K, I'll use SuperAgents with distributed repos instead. What are the pros and cons of either one?
