
Agent Handler in DMZ for remotely-connected machines

Hi All,

I was able to configure an agent handler in DMZ but was wondering if anyone can advise on my query. Basically our agent handler will serve as the go-to server for those machine that are remotely connected to our network (like those in the office but are connected through Wi-Fi or those connecting via VPN).


Does anyone know how we can do it? I have set up an assignment rule within ePO and included the VPN-related IPs but it did not work. Appreciate it.


Thanks!

Karen

16 Replies
apoling
Message 2 of 17

Re: Agent Handler in DMZ for remotely-connected machines

Hi Karen,

Never did similar things, but I have a few fragments of information that might be useful, but first I start with a question: what exactly is your problem?

Tips as promised: when using agent handler, the order of sitelist elements must be so that the agent handler must precede ePO server for remote clients (so they contact it first). Secondly, can the remote clients see the agent handler at all, when they connect via VPN?

I hope I could have been a tiny bit of help to you and hope someone with more knowledge on AH usage will reply soon.

Attila

Re: Agent Handler in DMZ for remotely-connected machines

Hi Attila,


Thanks for responding. So to make it clear, what we need to figure out is how to make those machines that are connected externally (for example, those on wi-fi) get DAT updates as necessary even if they are not on the network. I know I mentioned VPN but that should not be included, sorry.

Our end goal is for those machines to be protected and updated even if they are connected to our network. Do you have any idea how we can do it?

Thanks,


Karen

McAfee Employee
Message 4 of 17

Re: Agent Handler in DMZ for remotely-connected machines

I don't know your exact network topology so I could be wrong here but VPN clients should not require an AH in the DMZ as once they establish a VPN connection they should be on your internal network.

At any rate, if you need external clients to communicate with an AH in the DMZ the first question I would have is does the DMZ AH have an externally routable IP (i.e. a public IP)? If it does not then do you have a port forwarding rule forwarding inbound traffic on your standard and secure ASCI ports (default 80 and 443) that hits your public IP on to the AH? Finally you need to edit your AH settings and in the "published IP address" field enter the public IP address. You could also do the same for the published DNS name if you have one of those.
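Before changing assignment rules, it helps to confirm from outside the LAN the two things the replies above turn on: that the published DNS name resolves to the public IP entered in the agent handler settings, and that the ASCI ports (80 and 443 by default) actually accept connections through the port forward. The script below is an added example written for this thread, not McAfee tooling; the name ah.example.com and the address 203.0.113.10 in its usage line are placeholders, and the resolver/prober arguments are there so the decision logic can be exercised with stubs when no network is available.

```python
"""Outside-in reachability check for a DMZ agent handler.

Added example for this thread (not McAfee code). Run it from a machine that is
off the LAN, i.e. from the same vantage point as the remote clients, passing
the published DNS name and the public IP configured on the agent handler.
"""
import socket
import sys
from dataclasses import dataclass, field

# Default unsecure/secure ASCI ports named in the thread.
DEFAULT_PORTS = (80, 443)


@dataclass
class CheckResult:
    published_name: str
    expected_ip: str
    resolved_ips: list = field(default_factory=list)
    open_ports: list = field(default_factory=list)
    closed_ports: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def resolve(name: str) -> list:
    """All IPv4 addresses the name resolves to, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, or timed out
        return False


def check_agent_handler(published_name, expected_ip, ports=DEFAULT_PORTS,
                        resolver=resolve, prober=tcp_open) -> CheckResult:
    """Confirm the published name maps to the public IP and the ASCI ports answer.

    resolver/prober are injectable so the logic can be exercised without
    network access (stubs in a test, for example).
    """
    result = CheckResult(published_name, expected_ip)
    result.resolved_ips = resolver(published_name)
    if not result.resolved_ips:
        result.problems.append(f"{published_name} does not resolve")
    elif expected_ip not in result.resolved_ips:
        result.problems.append(
            f"{published_name} resolves to {result.resolved_ips}, "
            f"not the published IP {expected_ip}")
    # Probe the public IP directly so a stale DNS record cannot mask a
    # broken port forward, or the other way round.
    for port in ports:
        if prober(expected_ip, port):
            result.open_ports.append(port)
        else:
            result.closed_ports.append(port)
            result.problems.append(
                f"TCP {expected_ip}:{port} unreachable "
                "(port forward or firewall rule missing?)")
    return result


if __name__ == "__main__":
    # Placeholder values (constructed); pass your own name and public IP.
    name = sys.argv[1] if len(sys.argv) > 1 else "ah.example.com"
    ip = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.10"
    res = check_agent_handler(name, ip)
    print("OK" if res.ok else "PROBLEMS:")
    for p in res.problems:
        print(" -", p)
```

A clean run from the outside means the DNS, the forward and the firewall are all consistent, and any remaining failure is on the agent side (sitelist order, assignment rule, or a client that simply is not using the published name). A failure on 80 but not 443, or the reverse, points squarely at the forwarding rule for that one port.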

Re: Agent Handler in DMZ for remotely-connected machines

Hello, yes I believe you are right (that VPN clients should not have to connect to the AH in DMZ). Let me reach out to our Networking team and find out about your questions. Thank you!

McAfee Employee
Message 6 of 17

Re: Agent Handler in DMZ for remotely-connected machines

Another question would be - do we even need an agent handler at all? As I understand it, what you're interested in is making sure that the machines can update their DATs - is this correct? If so, and you're not that worried about the machines being able to talk to ePO when they're outside the LAN (or VPN), then all we need to do is to make sure the machines can reach a repository when they're off the network.

You could either do this by configuring an externally-facing repo in your DMZ, controlled by ePO, or simply configure the machines to use the McAfee site as a fallback repository - that way if they can't reach an ePO-controlled repo they'll use the default McAfee site for their updates.

HTH -

Joe

Re: Agent Handler in DMZ for remotely-connected machines

Hi Joe,

Good question. Yes I would say we would need an agent handler in the DMZ as well, for failover purposes. And also, as you mentioned, for machines outside the network to have their DATs updated.

Do you know if McAfee has a guide about configuring an externally-facing repo or using the McAfee site as a fallback repository? I think I have seen some KB articles related to them before but not sure if they are detailed.


Thanks!

McAfee Employee
Message 8 of 17

Re: Agent Handler in DMZ for remotely-connected machines

Yes I would say we would need an agent handler in the DMZ as well, for failover purposes. 

Can you clarify a bit by what you mean here? The reason I ask is that an AH in the DMZ is not going to be much use for failover purposes as (presumably) the client machines on the LAN won't have access to it...  I might be missing something though

And also, as you mentioned, for machines outside the network to have their DATs updated.

I think I might not have been clear enough - what I was getting at was exactly the opposite. My point was that you don't need an agent handler for the client machines to update from (although it can perform that function if required) - all you need is a distributed repository.

Do you know if McAfee has a guide about configuring an externally-facing repo or using the McAfee site as a fallback repository? I think I have seen some KB articles related to them before but not sure if they are detailed.

Have a look at the "Setting up repositories" section of the ePO 4.6 Product Guide if you haven't already done so - but in a nutshell, assuming you have an HTTP or FTP server in your DMZ that is externally available, then you can simply set up a folder on this to be your repository and configure a distributed repository in ePO accordingly.  Otherwise, regarding the fallback site, that's even easier - you just have to configure it in the agent policy. (In fact I think the McAfee HTTP site is configured as the fallback by default.)

HTH -

Joe

Re: Agent Handler in DMZ for remotely-connected machines

Hi Joe,

First of all, I am new at this so bear with me.

With regards to failover purposes, it's not actually for machines outside the network. Just in case our network goes down (hopefully not), we would still be ensured that the machines are updated. I may not be using the proper lingo but hopefully, you know what I mean.

Ah ha, gotcha.

And yes, I am actually reading the guide now (again). Fallback site is already configured, as I checked. So I have to look into more about what you said about externally-facing repo. Thanks for the help!

Karen

McAfee Employee
Message 10 of 17

Re: Agent Handler in DMZ for remotely-connected machines

No problem - everyone starts somewhere. If you're one of the lucky ones you get to start under your own steam rather than inheriting a (usually broken) installation from someone else, in the middle of an outbreak.

The most important thing to remember here is that an agent handler is not required for updating the DATs on machines. From what you're describing I think it's more likely that you don't need an agent handler at all: rather you need a (fairly simple) distributed repository setup. Any questions, let us know.

Regards -

Joe