JoelRG
Level 8
Message 1 of 11

Clients not switching back to ePO from Agent Handler in DMZ

Hello,

I've added an Agent Handler in our DMZ to handle communications with computers not on our network, for two main purposes: servers in the DMZ that will stay in the DMZ, and workstations while they are not connected to VPN or in an office.

My issue is with the workstations. Power on a workstation at home, and it connects to the Agent Handler in the DMZ as expected. Log on to VPN, and the workstation never switches back to the ePO server. I have the ePO server set higher in the assignment, and if I disable the Agent Handler in the DMZ, workstations can connect to the ePO server while on VPN.

It is just they never automatically switch back to the ePO server as expected.

Has anyone had similar experiences?

Thanks,

Joel

Accepted Solutions (2)
cdinet
McAfee Employee
Message 3 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

If you don't want internal clients to talk to the DMZ AH, then we recommend putting firewall rules in place to block that communication when on the internal network. That will then cause the agents to fail over to ePO. As @Former Member pointed out, as long as the clients receive a response from the DMZ agent handler, they will continue to communicate with it.


JoelRG
Level 8
Message 11 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

I've been able to work around this by the following:

  1. Change the split tunnel to force traffic to the external IP of the agent handler through the VPN tunnel.
  2. Create a Windows Firewall rule on the agent handler blocking TCP 80 and 443 from VPN and internal network subnets.

This essentially allows clients to connect to the agent handler when not on VPN or internal network, but blocks access to the agent handler once they connect to VPN or an internal network (be sure not to include the subnet your ePO server is on as it still needs to be able to communicate with the agent handler).

I've noticed that the agent will continue to try to connect to the agent handler and not immediately switch to the ePO server. It seems to take two ASCI before it will switch over. So, up to two hours with the default ASCI. We're a small company (under 600 clients) so I may lower the ASCI to 30 min to force the change quicker.

While not ideal, this is working well enough.

Joel

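Step 2 of the workaround above, written out as an added PowerShell example (not code from the thread or from McAfee); it is meant to be run in an elevated session on the DMZ agent handler, and the subnets and rule names are constructed placeholders:

```powershell
# Added example: inbound block rules on the DMZ agent handler so that clients
# on VPN or the internal LAN cannot reach it and therefore fail over to ePO.
# All subnets below are constructed placeholders; replace with your own ranges.
$VpnAndInternalSubnets = @('10.10.0.0/16', '192.168.0.0/16')  # assumed VPN pool and LAN ranges
$EpoServerSubnet       = '10.20.5.0/24'                       # assumed subnet of the ePO server
$AgentHandlerPorts     = @(80, 443)                           # ports named in the thread

# The ePO server must keep reaching the handler, so its subnet must stay out of the
# block list. This is an exact-match check; also make sure no broader range covers it.
if ($VpnAndInternalSubnets -contains $EpoServerSubnet) {
    throw "ePO server subnet $EpoServerSubnet must not be in the block list"
}

foreach ($port in $AgentHandlerPorts) {
    # Assumed rule name; idempotent so the script can be re-run safely.
    $name = "Block VPN and LAN clients to Agent Handler TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Action Block -Enabled True `
            -Protocol TCP -LocalPort $port `
            -RemoteAddress $VpnAndInternalSubnets `
            -Profile Any | Out-Null
    }
}

# Verification: show each rule with the address and port filters actually applied.
Get-NetFirewallRule -DisplayName 'Block VPN and LAN clients to Agent Handler TCP *' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = ($addr.RemoteAddress -join ', ')
            LocalPort     = $port.LocalPort
        }
    }
```

Windows Firewall evaluates block rules before allow rules, so the ePO server's subnet is kept out of the block list rather than allowed back in with a second rule. Because the rule sits on the handler rather than the client, it applies whichever name or address the client used to reach it.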

10 Replies
Former Member
Not applicable
Message 2 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

Hello @JoelRG 

Thanks for your post.

If the Agent Handler is in the picture and the McTray About option is not showing: this depends on which machine the agents are able to connect to. Once a client has successfully connected to an agent handler, it remembers that AH and will continue to use it until it fails; once that has happened it will try the AHs in the list.
If the clients can reach the ePO server successfully, then they won't try the AH. That's as designed.



JoelRG
Level 8
Message 4 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

This is an unfortunate design. It pretty much negates the purpose of Agent Handler Priority.

But thank you for the reply,

Joel

JoelRG
Level 8
Message 5 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

A follow-up question to your suggestion.

I'm trying to block access to the agent handler using the Windows Defender Firewall through a GPO setting; however, it only seems to block access by IP address, and it still allows the connection using the DNS name.

We have split tunnel set up on our VPN, so internet traffic goes straight out, not through our corporate firewall, so a client based solution is required.

Do you have any further suggestions on how to work around the limitation of the Agent Handler priority?

Joel

cdinet
McAfee Employee
Message 6 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

Are you running ENS, and is ENS Firewall installed? If so, you can set up connection-specific rules, such as: when on the internal network, block access to the DMZ agent handler, and when external, allow the connection. That team can assist in configuring it.


JoelRG
Level 8
Message 7 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

We are migrating to ENS to replace VSE, but no, we aren't implementing ENS Firewall at this time.

Joel

cdinet
McAfee Employee
Message 8 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

Can you use your DMZ firewall between your internal network and the DMZ to block traffic?


JoelRG
Level 8
Message 9 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

Not with the split tunnel. We may be able to exclude the Agent Handler from the split tunnel though.

Through a combination of the Windows Firewall, corporate firewall and changing the split tunnel I'm sure I can get something to work.

I appreciate the help and suggestions, but I'd like to point out how infuriatingly annoying this design is on McAfee's side 😉

Thanks,

Joel

cdinet
McAfee Employee
Message 10 of 11

Re: Clients not switching back to ePO from Agent Handler in DMZ

Understood, but you might want to look into using ENS Firewall connection-aware rules. That might make your life simpler with that.

