Agent Handler in the DMZ for Internet Clients

Hi Mcafee Masters.

I cannot get my head around the configuration required to be able to do Agent Wake-ups with clients out on the internet.

Now, first of all, I would like to apologise if this question has been done to death, but with all the threads I have read I have still not got this right in my noggin. (Head)

So, I'm building a new ePO environment. (The previous ePO 4.6.6 is now ready for retirement.) This time around I would like to be able to perform Agent Wake-ups with my clients out on the internet. As I understand it, to do this, I need to have an Agent Handler in the DMZ.

I have built this.

But I don't understand how the AH connects to the internet. Specifically, I take it that it has to sit directly on the internet with a public IP? You cannot use NAT on the connection from the perimeter firewall to the AH, as this stops the feature I would like to have from working.

Is this correct? So my AH would need to have a public IP directly on it?

Regards

Bish.

6 Replies
Reliable Contributor Troja
Message 2 of 7

Re: Agent Handler in the DMZ for Internet Clients

Hello,

the Agent Handler sends a "message" on the Agent Wake-up port.

  • Your Agent Handler must be able to connect to the internet using this port.

I'm interested why you need such a configuration. If a client is behind a network device which does NAT, you will never be able to connect to the client. You might be able to connect to clients when they are directly connected to the internet and have a public IP address. If not, you cannot connect.

Cheers


Re: Agent Handler in the DMZ for Internet Clients

Thanks Thorsten

I had never even considered that scenario. Damn. So no way for Agent Wake-ups on the internet then?

I think I will stick with the AH in the DMZ though, as it gives me some resilience with my clients.

Thanks for the Advice

Regards

Bish.

Re: Agent Handler in the DMZ for Internet Clients

Just an offhand comment.

If you have devices which will be behind a DMZ, or off into the utter wilds of the internet, perhaps you could assign them a tag which links back to an Agent policy to perform an ASCI every hour or so (basically a more frequent ASCI policy).

That may at least get you some of what you're looking for....

Reliable Contributor Troja
Message 5 of 7

Re: Agent Handler in the DMZ for Internet Clients

You may change the ASCI Interval for endpoints if they are connected to a specific Agent Handler. 🙂

Cheers

McAfee Employee gebenezerjc
Message 6 of 7

Re: Agent Handler in the DMZ for Internet Clients

Hi,

Agent wake-up cannot be done in a DMZ or NAT environment even if you have installed an AH internally.

In a DMZ / NAT environment, only agent-to-server communication will be performed, and it will get the update on the ASCI interval.

It has been clearly explained in the McAfee Corporate KB: How to use ePolicy Orchestrator in a DMZ or NAT environment, KB59218.

McAfee Employee Helms
Message 7 of 7

Re: Agent Handler in the DMZ for Internet Clients

If you install a DXL broker in the DMZ and the DXL agent on the endpoints, you will then be able to do an agent wake-up, even if the clients are behind NAT'ed firewalls.
