cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
matti.rantakari
Level 7
Report Inappropriate Content
Message 1 of 9
‎08-08-2019 09:46 PM

Internal epo using NAT for external clients

Jump to solution

Hi,

I'm planning to configure internal epo using NAT for external clients. I have couple of questions about the configuration.

Is port 443 enough for NAT rule or does it need port 80 also?

When updating public dns and public ip to internal agent handler, which address agent then first connect, the public dns or the old internal address? Can I change the order somewhere?

ScreenHunter 64.jpg

Does agent sitelist get automatically updated?

Do I need some other configuration? My plan is that external clients can connect to internal epo and get updates using agent interval.

0 Kudos
Reply
1 Solution

Accepted Solutions
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 9
‎08-15-2019 05:56 AM

Re: Internal epo using NAT for external clients

Jump to solution
You can change that port in epo, but it would be better to first find out what is using port 80 on that agent handler. What function is that server for - just agent handler, or other purpose also? It would be easier to remove the program on the agent handler, if possible, causing the issue. The most common is IIS, but not always. You can run this in the command prompt to find out what processes are using that port: net stop http That will show you what processes it wants to stop. If you really want to change the port instead, this KB will walk you through that. It will affect any 4.8 agents until they get an updated sitelist, but your 5.x agents don't use port 80 any longer. https://kc.mcafee.com/corporate/index?page=content&id=KB67605

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

0 Kudos
Reply
8 Replies
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 9
‎08-12-2019 05:34 AM

Re: Internal epo using NAT for external clients

Jump to solution
kb66797 lists port requirements for communication through a firewall. However, what we recommend rather than opening up your epo server to external traffic is to put an agent handler in the dmz and use a published dns and IP for that in agent handler settings. The epo product guide has a section for installing an agent handler in the dmz.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
matti.rantakari
Level 7
Report Inappropriate Content
Message 3 of 9
‎08-13-2019 12:39 AM

Re: Internal epo using NAT for external clients

Jump to solution

Hi,

Thanks for the reply. I'm trying to install DMZ agent handler but the problem is that installation says "installation could not find compatible ePO-server for given parameters". What could be the problem?

I have latest epo installed:

ePO Build: ePolicy Orchestrator 5.10.0 (Build 2428)

Update Installed: Update 4 (2.0.0.454)

 

I have extracted AgentHandler installer from the latest epo package "EPO510_2428_18_LR4.zip"

 

ScreenHunter 72.jpg

0 Kudos
Reply
matti.rantakari
Level 7
Report Inappropriate Content
Message 4 of 9
‎08-13-2019 02:56 AM

Re: Internal epo using NAT for external clients

Jump to solution

I can ping the epo server using name. I tried also with ip but same result.

I can telnet the epo server port 8443

I'm using admin account to connect.

 

Strange that still it gives error no compatible epo found...

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 9
‎08-13-2019 04:55 AM

Re: Internal epo using NAT for external clients

Jump to solution
Go through KB66797 to ensure you have all the right ports open. Port 8444 is also required, as well a others. Also, since there is no dns resolution typically in the dmz, add a host file entry for the epo and sql servers on the agent handler with NetBIOS and fqdn so the agent handler can resolve them. Also, since typically a dmz server isn't on the domain, you will need to use an sql account instead of a Windows account to authenticate to the database. So if epo is using a Windows account, that is ok to continue to do so, but you will need to set up a separate sql account using sql authentication with appropriate permissions to the database and use that account with the agent handler.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
matti.rantakari
Level 7
Report Inappropriate Content
Message 6 of 9
‎08-13-2019 10:45 PM

Re: Internal epo using NAT for external clients

Jump to solution

From dmz server I can telnet epo server ports 8443, 8444, 8081, 80, 443.

From dmz server I can telnet sql server port 1433.

From dmz server i can telnet ldap ports also.

I added also hosts file entry for server names. I tried setup with sort name, fqdn and ip. Same result...

I confirmed the port in use is the default 8443.

From dmz server I can also login epo console with browser.

 

Can you confirm that the agent handler setup files are correct and are matching with my epo version?

I have downloaded the newest zip file "EPO510_2428_18_LR4.zip"

My epo version is:

ePO Build: ePolicy Orchestrator 5.10.0 (Build 2428)
Update Installed: Update 4 (2.0.0.454)

 

Still I'm getting this error. In this screen I'm using epo admin user account.

ScreenHunter 76.jpg

0 Kudos
Reply
matti.rantakari
Level 7
Report Inappropriate Content
Message 7 of 9
‎08-14-2019 12:12 AM

Re: Internal epo using NAT for external clients

Jump to solution

This is the error log. Error=12175

ScreenHunter 78.jpg

0 Kudos
Reply
matti.rantakari
Level 7
Report Inappropriate Content
Message 8 of 9
‎08-14-2019 02:23 AM

Re: Internal epo using NAT for external clients

Jump to solution

Found the connection problem. There were some chipher suites disabled.

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

 

Next problem. There is IIS running on same dmz server and the port is in use.

Should I change Agent-to-server port to some other? If I change it what will happen to currect client connections? Can they connect anymore?

ScreenHunter 79.jpg

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 9
‎08-15-2019 05:56 AM

Re: Internal epo using NAT for external clients

Jump to solution
You can change that port in epo, but it would be better to first find out what is using port 80 on that agent handler. What function is that server for - just agent handler, or other purpose also? It would be easier to remove the program on the agent handler, if possible, causing the issue. The most common is IIS, but not always. You can run this in the command prompt to find out what processes are using that port: net stop http That will show you what processes it wants to stop. If you really want to change the port instead, this KB will walk you through that. It will affect any 4.8 agents until they get an updated sitelist, but your 5.x agents don't use port 80 any longer. https://kc.mcafee.com/corporate/index?page=content&id=KB67605

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC