The Agent Handler is mostly used for one of the following:
(from the McAfee documentation)
• Scalability — if your ePO server is overloaded handling your agent request volume.
• Failover — if you want to allow agents to fail over between multiple physical devices, and
do not want to cluster the ePO server.
• Topology — if you need to manage systems behind a NAT, or in an external network, so
long as the agent handler can continue to have a high-bandwidth connection to the central
From what I was reading in the past post, I think the option you're looking for is Topology. I configured an Agent Handler, but as NAT using the same ePO server, and didn't have to use another server in the DMZ; it works just fine even if it is not a very good practice (you need to be aware of the rules on the firewall). This way I could apply policies, install packages remotely, even encrypt the laptops, and many other things. Actually, from January to February I will be configuring an Agent Handler in the DMZ, so I'll let you know how it goes.
Hello Irolon, that's right. The agent handler in the DMZ is configured just fine; firewalls are enabled. We are just looking into the possibility of having machines updated even if they are not on the network. So I have asked our networking team for an external IP address for this, and let's see what happens!
Hi jstanley, I have a question. So I did reach out to our Networking team for an external IP address and I was wondering, after that, do we have to have a port forwarding rule in place? Or should I go ahead and just fill in the published IP address field? Thanks!
Well, that depends. Does the AH actually have the published IP (i.e. if you open a command prompt on the AH and run "ipconfig", does it have the published IP assigned to it), or does it have a NAT'd IP (this would be more typical)? If it has a NAT'd IP, then you would have to set up port forwarding rules on whatever machine has the published IP address assigned to it, forwarding inbound traffic on ports 80 and 443 (the default ports) to the NAT'd IP address of your AH. If it has a published IP (unusual and not very secure), then no port forwarding rules are needed.
It has a published IP, but the external IP I am requesting from our networking team will be NATted to the DMZ server. So maybe I would need port forwarding rules after all.
Hello, in your case I am sure you will need a port forwarding configuration due to the NAT in the DMZ. In my case we used a NAT configuration from an internal LAN to an external IP address, and because of that, like jstanley said, you don't need port forwarding (but it is not a usual configuration). In your case you are going to need one rule to port forward from external to DMZ, and another rule from DMZ to LAN so the internal ePO can communicate with the DMZ handler. I'm designing exactly a similar configuration for our DMZ handler, but we need to do some tests, so I'll let you know whatever new conflict we may find in the process or how it goes.
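As an added example that is not part of the thread (it is neither the posters' configuration nor McAfee's documentation), here is what the two rule sets described in jstanley's reply and the reply above look like when the device holding the published IP is a Linux firewall using iptables. The firewall product, the interface name, all addresses, and the handler-to-ePO ports 8443 (ePO application server) and 1433 (SQL) are assumptions; ports 80 and 443 are the default agent ports named in the thread. The "ipconfig" check from jstanley's reply is still how you decide whether you are in the NAT'd case at all.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from McAfee. It emits (does not apply) the
# rules the replies describe:
#   1. on the device that owns the published IP: DNAT inbound 80/443 to the Agent
#      Handler's NAT'd DMZ address;
#   2. between DMZ and LAN: allow only the handler to reach the ePO server (8443)
#      and its SQL database (1433). Those two ports are McAfee defaults assumed here,
#      not taken from the thread; verify them against your own installation.
# All addresses are constructed placeholders. Review the output, then run it as root.

# Baseline for the FORWARD chain: drop by default, allow return traffic for any
# flow the explicit rules below permit.
fw_base_rules() {
  printf 'iptables -P FORWARD DROP\n'
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# DNAT + FORWARD rules for the published-IP device.
# Usage: ah_dnat_rules <published-ip> <ah-dmz-ip> [wan-interface]
ah_dnat_rules() {
  local pub="$1" ah="$2" wan="${3:-eth0}" p
  for p in 80 443; do
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$wan" "$pub" "$p" "$ah" "$p"
    # Only the two agent ports are forwarded to the handler, nothing else.
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$wan" "$ah" "$p"
  done
}

# DMZ -> LAN rules so the handler can talk to ePO and SQL. Scoped to the handler's
# single address rather than the whole DMZ subnet (least privilege).
# Usage: ah_lan_rules <ah-dmz-ip> <epo-lan-ip> <sql-lan-ip>
ah_lan_rules() {
  local ah="$1" epo="$2" sql="$3"
  printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT\n' "$ah" "$epo"
  printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport 1433 -m conntrack --ctstate NEW -j ACCEPT\n' "$ah" "$sql"
}

# Reachability check (bash /dev/tcp plus coreutils timeout, no extra tools).
# From outside: tcp_check <published-ip> 80 and 443. From the handler:
# tcp_check <epo-lan-ip> 8443 and tcp_check <sql-lan-ip> 1433. Returns 0 on connect.
tcp_check() {
  local host="$1" port="$2"
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Example invocation with constructed addresses: published IP 203.0.113.10,
# handler 10.20.0.5 in the DMZ, ePO server 10.0.0.10 and SQL 10.0.0.11 on the LAN.
fw_base_rules
ah_dnat_rules 203.0.113.10 10.20.0.5 eth0
ah_lan_rules 10.20.0.5 10.0.0.10 10.0.0.11
```

The FORWARD rules deliberately permit only NEW connections in the direction each reply describes (Internet to handler on 80/443, handler to LAN on 8443/1433); everything else, including anything else in the DMZ trying to reach the LAN, falls through to the DROP policy. On a firewall appliance rather than iptables the same three pieces apply: the DNAT (port forward), the inbound allow limited to the handler, and the DMZ-to-LAN allow limited to the handler's address and the two ePO ports.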