brentdw
Level 7

Agent Handler in DMZ

I've deployed an Agent Handler in our DMZ. The following ports are open on the firewall between the AH and ePO Server:

TCP 80

TCP 389

TCP 443

TCP 636

TCP 1433

UDP 1434

TCP 8081

UDP 8082

TCP 8443

TCP 8444

The Agent Handler is able to communicate with the ePO Server without any issue. The problem is that other servers in the DMZ cannot communicate with the Agent Handler. I have two priority rules: the first one defines our internal subnets and restricts them to the internal ePO Server, and the second rule defines the DMZ subnet and restricts it to the Agent Handler.

The message I'm receiving in the Agent Monitor on all DMZ servers (except the AH itself) is "Agent failed to communicate with ePO Server." When I go to the "About..." menu, it is correctly pointed to the Agent Handler in the DMZ. Any thoughts?

0 Kudos
10 Replies
McAfee Employee

Re: Agent Handler in DMZ

Possibly a silly question, but is there any kind of firewall or port blocking that is preventing inbound connections to the AH machines? Specifically on the agent-to-server ports, which are 80 and 443 by default?

HTH -

Joe

0 Kudos
brentdw
Level 7

Re: Agent Handler in DMZ

No. From the internal network to the DMZ network, there are no restrictions. Windows firewall on each DMZ server is also disabled.

0 Kudos
ulyses31
Level 16

Re: Agent Handler in DMZ

Could it be that servers on DMZ are trying to connect to Agent Handler to its public IP address?

0 Kudos
brentdw
Level 7

Re: Agent Handler in DMZ

It isn't public-facing. Servers on our DMZ, including the AH, are assigned one private IP address. Outside access to services such as web, FTP, etc. is provided via NAT.

0 Kudos
ulyses31
Level 16

Re: Agent Handler in DMZ

Can you telnet from a server on the DMZ to the Agent Handler through the agent-to-server communication port?

0 Kudos
brentdw
Level 7

Re: Agent Handler in DMZ

Just tried that, and yes, it works. At this point, I'm thinking the AH itself isn't functioning properly. It just occurred to me that when I said "The Agent Handler is able to communicate with the ePO Server," all I was seeing was the agent installed on the AH communicating with ePO Server, which I'd expect even if the AH isn't functioning.

Here's what I'm seeing for the SQL connection from the AH to the ePO Server. Is "TIME_WAIT" normal?

(attached screenshot: Capture.JPG)

0 Kudos
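The manual telnet test discussed above can be scripted so the same check runs from every DMZ host against every agent-to-server port. The following is an added example, not code from the original thread or from McAfee: a small Python TCP probe over the TCP ports listed in the opening post. The target host is a placeholder passed on the command line, and the UDP ports are left out because a connect test cannot confirm a UDP listener.

```python
import socket
from contextlib import closing

# TCP ports the opening post lists as open between the AH and the ePO server.
# UDP 1434 and UDP 8082 are omitted: a TCP handshake test says nothing about UDP.
AH_TCP_PORTS = [80, 389, 443, 636, 1433, 8081, 8443, 8444]


def check_tcp(host, port, timeout=3.0):
    """Return True if a full TCP handshake to host:port completes, else False.

    A refused connection (RST) and a timeout (silently dropped by a firewall)
    both come back False; the caller can distinguish them by how long it took.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def check_ports(host, ports=AH_TCP_PORTS, timeout=3.0):
    """Map each port to True (reachable) or False, like repeating the telnet test."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def demo_against_local_listener():
    """Self-check that needs no network: probe a loopback listener, then probe
    the same port after the listener is closed. Returns (True, False)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0 asks the OS for a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = check_tcp("127.0.0.1", port, timeout=1.0)
    after_close = check_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    import sys

    # Placeholder target: pass the Agent Handler's DMZ address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, reachable in check_ports(target).items():
        print(f"{target}:{port} {'open' if reachable else 'closed or filtered'}")
```

Run it from a DMZ server with the AH address as the argument; a port that is open on the AH but reported "closed or filtered" here points at a host firewall or an intermediate device rather than at the Agent Handler software itself.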
McAfee Employee

Re: Agent Handler in DMZ

Is there anything recorded in the server.log on the AH that would indicate a problem?

HTH -

Joe

0 Kudos
brentdw
Level 7

Re: Agent Handler in DMZ

Nothing in the server.log indicates a problem. However, I think I'm on to something. I ended up uninstalling all Agents as well as the Agent Handler from the DMZ. I then reinstalled the Agent Handler software and pointed it to the ePO Server, and pushed the Agent from the ePO Server onto one DMZ server (our web server). When I pushed the Agent, I told it to use all available Agent Handlers (including the ePO Server). The Agent immediately contacted the ePO Server and timed out. Then, it failed over to the AH.

What I found was that the DMZ servers will connect to the AH once or possibly twice (after attempting to contact the internal server), but as soon as they retrieve the new SiteList.xml file, they never again attempt to contact the AH. I've confirmed with netstat that the Agent on our web server is now only attempting to reach the ePO Server.

So I'd venture a guess that there's a problem with the SiteList.xml file that's being pushed onto the DMZ servers. Any thoughts?

0 Kudos
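The netstat observation above (and the earlier TIME_WAIT question) can be made repeatable by parsing the output rather than eyeballing it. TIME_WAIT is the normal final state of a TCP socket after the local side has closed a completed connection, so a TIME_WAIT entry toward the AH means a past connection finished, not that one is failing; SYN_SENT means the host is still trying and getting no answer. The following is an added example, not from the original thread or from McAfee: a Python parser for Windows `netstat -ano` output that groups outbound attempts on the agent-to-server ports by remote host and state. The sample output and all addresses in it are constructed (10.10.10.20 for the DMZ host, 10.10.10.30 for the AH, 192.168.1.10 for the internal ePO server, PID 2140 for the agent process).

```python
from collections import Counter, defaultdict

# Constructed sample of "netstat -ano" output from a Windows DMZ host.
# Placeholder addresses: 10.10.10.20 = DMZ host, 10.10.10.30 = Agent Handler,
# 192.168.1.10 = internal ePO server. PID 2140 stands in for the agent process.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.10.10.20:49712      192.168.1.10:443       SYN_SENT        2140
  TCP    10.10.10.20:49713      192.168.1.10:443       SYN_SENT        2140
  TCP    10.10.10.20:49680      10.10.10.30:443        TIME_WAIT       0
  TCP    10.10.10.20:49681      10.10.10.30:80         TIME_WAIT       0
  UDP    0.0.0.0:8082           *:*                                    2140
"""


def parse_netstat(text):
    """Parse netstat -ano lines into dicts; header and blank lines are skipped.

    UDP rows have no State column, so their fourth field is the PID.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state = parts[3]
            pid = parts[4] if len(parts) > 4 else None
        else:
            state, pid = None, parts[3]
        # rpartition keeps IPv6 literals such as [::]:443 intact
        remote_host, _, remote_port = remote.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_host": remote_host,
                      "remote_port": remote_port, "state": state, "pid": pid})
    return conns


def agent_targets(conns, agent_ports=(80, 443), pid=None):
    """Count outbound TCP sockets on the agent-to-server ports per remote host
    and state. Pass the agent's PID to ignore TIME_WAIT leftovers (PID 0)."""
    summary = defaultdict(Counter)
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING":
            continue
        if not c["remote_port"].isdigit() or int(c["remote_port"]) not in agent_ports:
            continue
        if pid is not None and c["pid"] != str(pid):
            continue
        summary[c["remote_host"]][c["state"]] += 1
    return {host: dict(states) for host, states in summary.items()}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("all sockets:", agent_targets(conns))
    print("agent process only:", agent_targets(conns, pid=2140))
```

On the constructed sample, the full view shows finished connections to the AH (TIME_WAIT) and unanswered attempts to the internal ePO server (SYN_SENT); filtered to the agent's PID, only the ePO server remains, which is the symptom described in the post: after the updated SiteList is applied, the live process no longer tries the AH at all. On a real host, feed it the output of `netstat -ano` and the agent service's PID.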
brentdw
Level 7

Re: Agent Handler in DMZ

Yep, confirmed that the initial SiteList contains both AHs, but as soon as it is updated, it contains only the internal AH (ePO Server).

0 Kudos