Message 1 of 7 (Former Member)

Applying Policies From Outside the Corporate Environment


Hey guys, please, I need a hand with this issue.

Nowadays my customer has standard HIPS policies applied in their corporate environment, which consists of 500 laptops and 3500 desktops.

However, he wants to apply stronger HIPS policies to the laptops that leave the company network and are used outside the protected network.

I've already created rules that tag the devices that have an internal IP with "Internal IP" and the other IPs with "External IP".

I've also created a Server Task that reapplies the tags once in a while (in order to update the tag status for each system).

With these tags created, I also created a Policy Assignment Rule that applies the standard HIPS protection if the system has the "Internal IP" tag, and another that applies the stronger HIPS protection if the tag is "External IP".

However, a wild doubt has appeared (haha).

1) Will the Agent receive these updates from ePO only when it is connected to the VPN?

2) If yes, is there a way to put an Agent Handler in the DMZ and direct the Agent communication to it?

3) Is there a way to configure the Agent to communicate with the internal Agent Handler if it is on the corporate network and, if it isn't, to communicate with the Agent Handler placed in the DMZ?

Please, if possible, can you tell me where I can configure both items 2 and 3?

Thank you very much!


6 Replies
Message 2 of 7 (Former Member)

The agent will change the tag dynamically on each ASCI. But if you don't have an AH in the DMZ, then you will have to wait till the end user establishes a VPN connection. More importantly, this will cause a long delay before the agent gets its new policy. Why not consider leveraging the connection-aware group functionality in HIPS? This will allow the client to dynamically assign a FW policy based on whether it is inside or outside your network. Most customers apply a stronger FW policy when end users are outside and a more open FW policy when inside, and it's very easy to set up. https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20747/en_US/...

Message 3 of 7 (Former Member)

Actually, this configuration must be made for HIPS (not the HIPS Firewall); however, your answer has already helped me a lot.

So please, do you know where I configure the Agent to communicate with the internal Agent Handler if it is on the corporate network and, if it isn't, to communicate with the Agent Handler placed in the DMZ?

Must this be done through the McAfee Agent policy? Policy Catalog > McAfee Agent | Repository > Repository List?

Message 4 of 7 (Former Member)

Agent handlers are configured in the Agent Handler area, as shown in the pic below. I do not recommend you touch them. By default the agent will know about ePO and your AH in the DMZ. It will dynamically talk to both, so if it can't get to the internal ePO server it will use the AH in the DMZ, and vice versa. There is NO need to configure anything in this area unless you have a very good reason.

[attached screenshot: untitled.JPG]

Message 5 of 7 (Former Member)

Thanks for the advice.

However, there is one thing I don't understand yet. If I have an Agent Handler in my DMZ, will a company laptop reach it from the Internet (not the DMZ) to update policies/tasks/tags without any kind of configuration on the Agents?

Thank you again!

Message 6 of 7 (Former Member), accepted solution

Yep, that is correct. Your AH in your DMZ acts like a headless ePO server that you can't log into as an admin. It can do everything else an ePO server can do. By default, if you do nothing and only install an AH in your DMZ, all your agents will know about it because ePO will update your sitelist file that goes to all agents, and in the AH config area we automatically add a rule that forces all agents to use all available AHs randomly. You can alter it, but I don't recommend you do. See pic.

[attached screenshot: Capture.PNG]
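The following is an added example, not code from the thread or from McAfee; it models two things the thread describes: the original post's "tag by IP, then assign a policy by tag" rule, and the accepted answer's behaviour of an agent trying every handler in its sitelist in random order and using the first one it can reach. The corporate address ranges, handler names, reachability sets and the `asci()` helper are all constructed for illustration; real ePO evaluates tag criteria on the server and the agent's sitelist is a file, not a Python list.

```python
"""Model of tag-by-IP policy assignment plus sitelist handler selection.
Added example; ranges, handler names and reachability are constructed."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional

# Constructed corporate address space; an ePO tag criterion would hold these ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Policy Assignment Rules from the original post, expressed as a tag -> policy map.
POLICY_BY_TAG = {"Internal IP": "HIPS Standard", "External IP": "HIPS Strong"}


def tag_for(addresses):
    """Return 'Internal IP' if any reported address lies in a corporate range,
    else 'External IP'. Loopback and link-local (169.254.x.x) addresses are
    skipped so a host with only those does not look internal."""
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback or ip.is_link_local:
            continue
        if any(ip in net for net in INTERNAL_NETWORKS):
            return "Internal IP"
    return "External IP"


@dataclass
class Handler:
    name: str
    reachable_from: frozenset  # constructed: locations that can reach this handler


@dataclass
class Agent:
    hostname: str
    location: str            # "lan", "vpn" or "internet"
    addresses: list
    tag: str = "External IP"
    policy: str = "HIPS Standard"
    last_handler: Optional[str] = None


def asci(agent, sitelist, rng=random):
    """One agent-server communication interval: shuffle the sitelist (the
    accepted answer says agents use all available handlers randomly), use the
    first reachable handler, then refresh the tag and policy. Returns the
    handler name, or None if no handler was reachable; in that case the tag
    and policy stay stale until the next successful ASCI."""
    order = list(sitelist)
    rng.shuffle(order)
    for h in order:
        if agent.location in h.reachable_from:
            agent.tag = tag_for(agent.addresses)
            agent.policy = POLICY_BY_TAG[agent.tag]
            agent.last_handler = h.name
            return h.name
    return None


# Constructed sitelists: internal ePO only, and ePO plus an Agent Handler in the DMZ.
SITELIST_NO_DMZ = [Handler("epo-internal", frozenset({"lan", "vpn"}))]
SITELIST_WITH_DMZ = SITELIST_NO_DMZ + [Handler("ah-dmz", frozenset({"lan", "vpn", "internet"}))]


def demo():
    """Roaming laptop on the Internet with and without a DMZ handler."""
    laptop = Agent("lt01", "internet", ["203.0.113.7"])   # constructed public address
    without = asci(laptop, SITELIST_NO_DMZ)              # None: policy stays stale
    stale_policy = laptop.policy
    with_dmz = asci(laptop, SITELIST_WITH_DMZ)           # "ah-dmz": policy refreshed
    return without, stale_policy, with_dmz, laptop.tag, laptop.policy


if __name__ == "__main__":
    print(demo())
```

The model shows the thread's two points in one run: without a DMZ handler the external laptop never completes an ASCI, so it keeps the standard policy it last received; with `ah-dmz` in the sitelist it checks in and picks up the stronger policy. It also exposes a caveat worth checking in a real deployment: a laptop on the VPN reports a corporate address, so an IP-based tag marks it "Internal IP" and assigns the standard policy even though the device is physically outside the office.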

Message 7 of 7 (Former Member)

That's amazing then! Much simpler than I thought! haha! Thank you very much, Pit!
