I've deployed an Agent Handler in our DMZ. The following ports are open on the firewall between the AH and ePO Server:
The Agent Handler is able to communicate with the ePO Server without any issue. The problem is that other servers in the DMZ cannot communicate with the Agent Handler. I have two priority rules: the first one defines our internal subnets and restricts them to the internal ePO Server, and the second rule defines the DMZ subnet and restricts it to the Agent Handler.
The message I'm receiving in the Agent Monitor on all DMZ servers (except the AH itself) is "Agent failed to communicate with ePO Server." When I go to the "About..." menu, it is correctly pointed to the Agent Handler in the DMZ. Any thoughts?
Possibly a silly question, but is there any kind of firewall or port blocking that is preventing inbound connections to the AH machines? Specifically on the agent-to-server ports, which are 80 and 443 by default?
It isn't public-facing. Servers on our DMZ, including the AH, are assigned one private IP address. Outside access to services such as web, FTP, etc. is provided via NAT.
Just tried that, and yes, it works. At this point, I'm thinking the AH itself isn't functioning properly. It just occurred to me that when I said "The Agent Handler is able to communicate with the ePO Server," all I was seeing was the agent installed on the AH communicating with ePO Server, which I'd expect even if the AH isn't functioning.
Here's what I'm seeing for the SQL connection from the AH to the ePO Server. Is "TIME_WAIT" normal?
Nothing in the server.log indicates a problem. However, I think I'm on to something. I ended up uninstalling all Agents as well as the Agent Handler from the DMZ. I then reinstalled the Agent Handler software and pointed it to the ePO Server, and pushed the Agent from the ePO Server onto one DMZ server (our web server). When I pushed the Agent, I told it to use all available Agent Handlers (including the ePO Server). The Agent immediately contacted the ePO Server and timed out. Then, it failed over to the AH.
What I found was that the DMZ servers will connect to the AH once or possibly twice (after attempting to contact the internal server), but as soon as they retrieve the new SiteList.xml file, they never again attempt to contact the AH. I've confirmed with netstat that the Agent on our web server is now only attempting to reach the ePO Server.
So I'd venture a guess that there's a problem with the SiteList.xml file that's being pushed onto the DMZ servers. Any thoughts?
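The fail-over behaviour described in the thread (try handlers in priority order, time out, fall back, end up with nothing reachable once the pushed list names only the internal server) as an added diagnostic example; this is not code from the thread or from McAfee. The element and attribute names (`SpipeSite`, `Order`, `Server`, `Enabled`) are a simplified assumption, not the exact SiteList.xml schema, and the hostnames are constructed.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample: the handler list as it seems to arrive on the DMZ host in the
# thread, naming only the internal ePO server (attribute names are an assumption).
SITELIST_INTERNAL_ONLY = """<SiteList>
  <SpipeSite Name="ePO_INTERNAL" Order="1" Server="epo.internal.example:80" Enabled="1"/>
</SiteList>"""

# Constructed sample: what a DMZ host's list should look like, with the DMZ AH first.
SITELIST_WITH_AH = """<SiteList>
  <SpipeSite Name="ePO_INTERNAL" Order="2" Server="epo.internal.example:80" Enabled="1"/>
  <SpipeSite Name="AH_DMZ" Order="1" Server="ah.dmz.example:80" Enabled="1"/>
</SiteList>"""


def parse_handlers(xml_text):
    """Return (name, host, port) for every enabled handler, sorted by its Order."""
    sites = []
    for site in ET.fromstring(xml_text).iter("SpipeSite"):
        if site.get("Enabled") != "1":
            continue  # disabled entries are never tried
        host, _, port = site.get("Server").rpartition(":")
        sites.append((int(site.get("Order")), site.get("Name"), host, int(port)))
    return [(name, host, port) for _, name, host, port in sorted(sites)]


def tcp_probe(host, port, timeout=3.0):
    """Real reachability check from this host: True if a TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_handler(xml_text, probe=tcp_probe):
    """Walk the list in priority order like the agent's fail-over.

    Returns (chosen_handler_or_None, handlers_attempted). None reproduces the
    'Agent failed to communicate with ePO Server' situation from the thread.
    """
    attempted = []
    for name, host, port in parse_handlers(xml_text):
        attempted.append(name)
        if probe(host, port):
            return name, attempted
    return None, attempted
```

Run `select_handler(open("SiteList.xml").read())` on the DMZ host to see which handler its list actually lets it reach; a `None` result with only the internal server attempted is the symptom above.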