mcoffee
Level 10
Message 1 of 6

Using On-Premises EPO on internal network to manage endpoints in Azure (using a NAT).


So I cannot believe we are the first company to be trying to achieve this.

 

Instead of going the expensive route of migrating our entire McAfee offering to ENS or building a new cloud-based EPO, we are trying to manage a new Azure-based customer using our existing internal on-prem EPO server.

 

I have installed the McAfee Agent on the endpoint, and after updating Firewalls etc, have got the endpoint to successfully appear within the EPO. However if I then try to push the VSE client or anything like this to the endpoint it fails.

 

The difficulty I can see is that we are using a NAT to access the Azure VMs, as their address range overlaps slightly with an existing customer. The agent reports the IP configured within the VM - 10.200.x.x however its NAT address is 10.199.x.x - is there anything that can be done to make this work nice and simply? I believe if I could force EPO to try and communicate on 10.199.x.x it would all just work.

 

Thanks in advance!

cdinet
McAfee Employee
Message 2 of 6

How are you attempting to deploy the products - with run client task now, or scheduled tasks? If run client task now, that will not work over NAT, just as wakeup calls do not work over NAT. Refer to KB58818.

A scheduled deployment task should resolve the issue if all the required ports (KB66797) are open and the agent is successfully communicating.


mcoffee
Level 10
Message 3 of 6

Ah, this is the article I missed during my searches! Perfect, I've configured my policies and assigned and scheduled tasks to the relevant group, should see this all working after lunch today 🙂

 

Much appreciated!

cdinet
McAfee Employee
Message 4 of 6

Glad to assist!


mcoffee
Level 10
Message 5 of 6

So I've actually got this working with some assistance from my networks colleagues. We now have push commands working from the EPO back across to the agents in Azure, so my 'Run Client Task Now' is working to push VSE to the VMs in Azure. Agent Wake Up also works, which every McAfee document I come across says won't work.

We added another NAT just for the EPO back to the VMs in Azure that would push the commands via the route we wanted it to go rather than via the IP reported in by the agent. With a little extra playing on the firewalls, this has worked perfectly, client commands, agent wakeups etc all work as normal now.

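Added example, not part of the thread or any McAfee tooling: a pre-flight check for the setup described in the post above, which maps each agent-reported address to its 1:1 NAT address and tests whether the ePO-side host can open a TCP connection to it. The /16 masks, the function names and the sample addresses are assumptions; 8081 is the McAfee Agent's default wake-up port and should be confirmed against your own ePO server settings.

```python
import ipaddress
import socket

# Assumptions for illustration (the thread only gives 10.200.x.x and 10.199.x.x).
INSIDE_NET = ipaddress.ip_network("10.200.0.0/16")  # range the agent reports
NAT_NET = ipaddress.ip_network("10.199.0.0/16")     # range routable from the ePO side
WAKEUP_PORT = 8081  # McAfee Agent default wake-up port; confirm in your ePO settings


def to_nat_address(reported, inside=INSIDE_NET, nat=NAT_NET):
    """Map an agent-reported IP to its 1:1 NAT address, keeping the host bits."""
    if inside.prefixlen != nat.prefixlen:
        raise ValueError("1:1 NAT needs equally sized ranges")
    ip = ipaddress.ip_address(reported)
    if ip not in inside:
        raise ValueError(f"{ip} is outside {inside}")
    offset = int(ip) - int(inside.network_address)
    return nat.network_address + offset


def can_connect(address, port=WAKEUP_PORT, timeout=3.0):
    """Return True if a TCP connection from this host to address:port succeeds."""
    try:
        with socket.create_connection((str(address), port), timeout=timeout):
            return True
    except OSError:
        return False


def wakeup_plan(reported_ips):
    """Pair each reported IP with the address ePO-side traffic must target."""
    plan = []
    for reported in reported_ips:
        try:
            plan.append((reported, str(to_nat_address(reported))))
        except ValueError:
            plan.append((reported, None))  # not part of the NATed range
    return plan


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    for reported, nat_ip in wakeup_plan(["10.200.4.17", "10.200.250.9", "10.50.1.1"]):
        if nat_ip is None:
            print(f"{reported}: outside NAT range, skipped")
        else:
            state = "open" if can_connect(nat_ip) else "unreachable"
            print(f"{reported} -> {nat_ip}:{WAKEUP_PORT} {state}")
```

Run it from the ePO server itself so the connection test follows the same route and firewall rules as a real wake-up call.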

cdinet
McAfee Employee
Message 6 of 6

Sweet, great job!
