Former Member
Message 1 of 6

ePO web console with a public ip address!


Dear Guys,

We have actually installed McAfee ePO on a Windows server where the IP address is public. After installing the clients, which have got private IP addresses, the problem is that the clients are able to connect to the ePO but ePO cannot see them and make the necessary connection. For example, the update task is OK but the policies cannot be enforced.

McAfee ePolicy Orchestrator 

5 Replies
uday-
McAfee Employee
Message 2 of 6

Re: ePO web console with a public ip address!


Hello it1024,

 

1. If the client machines are able to communicate with the ePO server from an external network (using the public IP of ePO), then, as per the design, the clients will receive the policy updates when they establish a connection with the ePO server every 60 minutes by default.

https://kc.mcafee.com/corporate/index?page=content&id=S:KB92610.

  • Currently applied policies are still enforced on the configured schedule. By default, policy enforcement is every 60 minutes.
  • An agent-server communication must occur from ePO for the following changes to take place:
    • Policies
    • Policy assignments
    • Client tasks
    • Client task assignments
If agent-server communication is not possible because of network considerations, none of these changes are made until communication is restored.
 

2. If the client machines are within the LAN, you can enforce the policy with an agent wake-up.


Hem
McAfee Employee
Message 3 of 6

Re: ePO web console with a public ip address!



clients which have got private IP addresses, the problem is that the clients are able to connect to the ePO but ePO cannot see them and make the necessary connection. For example the update task is OK but the policies cannot be enforced.

 

A: ePO can't see them? You mean there is no entry for the client machines in ePO or, if there is an entry, it's 'unmanaged'?

2. For example the update task is OK but the policies cannot be enforced.

A: If client machines have Internet access then they can pull updates from the Internet, so the update may work. To download policies, they need to communicate with the ePO/AH server. If policies are not being enforced then I suspect a communication issue.

cdinet
McAfee Employee
Message 4 of 6

Re: ePO web console with a public ip address!


If the clients are able to reach ePO and show current communication in the system tree, then that means ePO is able to respond to the clients and they should be getting policy & task updates. What exactly is the error that makes you think ePO isn't responding to the clients? Are all the required firewall ports open? See KB66797. What private IPs are you referring to? Ones on an internal network, or home users on their own ISP connection?

If you are referring to wakeups failing, that is expected behavior if any of the clients are behind a natted address unless you have a DXL broker that the clients can connect to.


Former Member
Message 5 of 6

Re: ePO web console with a public ip address!


@cdinet

@Hem

@uday-

Thank you all for the useful information you provided. Let's review the scenario below:

I install the ePO console on a VPS which has got a public internet IP address.

Then I edit the agent handler and set the Handler IP address as the VPS IP. (I may even buy a domain name and create a DNS record and assign the VPS IP address to it and use the domain name as the handler published DNS name).

The clients are all behind natted networks so that I create an agent deployment file on the ePO and install it locally on the clients.

What practically happens is that the ePO is unable to send tasks to clients like Wake-Up call or installation tasks. However if I for example install ENS on clients locally the client is able to download both policies and updates from the ePO.

In the above scenario I believe that I have got a cloud console with limited access from console to clients! Although setting a password on the ENS interface would make it less limited. I tested it and it worked! But am I right? Can it be considered as a solution?

cdinet
McAfee Employee
Message 6 of 6

Re: ePO web console with a public ip address!


"What practically happens is that the ePO is unable to send tasks to clients like Wake-Up call or installation tasks."

What kind of tasks - run client task now or assigned client tasks from the system tree, client task assignment?  Run client task now won't work in your scenario, but if the agents are communicating, an assigned client task for both deployments and one for updates will work.

Are the agents communicating to epo?  If so, you should be able to configure policies and tasks and have the clients get them and pull content and updates from the epo server.  Just don't use run client task now, use assigned tasks.
