Hi McAfee masters.
I cannot get my head around the configuration required to be able to do Agent Wake-ups with clients out on the internet.
Now, first of all, I would like to apologise if this question has been done to death, but with all the threads I have read I have still not got this right in my noggin (head).
So, I'm building a new ePO environment (the previous ePO 4.6.6 is now ready for retirement). This time around I would like to be able to perform Agent Wake-ups with my clients out on the internet. As I understand it, to do this I need to have an Agent Handler in the DMZ.
I have built this.
But I don't understand how the AH connects to the internet. Specifically, I take it that it has to sit directly on the internet with a public IP? You cannot use NAT on the connection from the perimeter firewall to the AH, as this stops the feature I would like to have from working.
Is this correct? So my AH would need to have a public IP directly on it?
The Agent Handler sends a "message" on the Agent Wake-up port.
I'm interested why you need such a configuration. So, if a client is behind a network device which does NAT, you will never be able to connect to the client. You might be able to connect to clients when they are directly connected to the internet and have a public IP address. If not, you cannot connect.
I had never even considered that scenario. Damn... So no way for Agent Wake-ups on the internet then?
I think I will stick with the AH in the DMZ though, as it gives me some resilience with my clients.
Thanks for the advice.
Just an offhand comment.
If you have devices which will be behind a DMZ, or off in the utter wilds of the internet, perhaps you could assign them a tag which links back to an Agent Policy to perform an ASCI every hour or so (basically a more frequent ASCI policy).
That may at least get you some of what you're looking for.
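The reachability rule from the earlier replies (a wake-up is an inbound connection from the handler to the agent, so it can only succeed when the agent's own address is the same publicly routable address the handler saw it connect from) and the tag-based fallback suggested in this post, worked through as an added Python example. This is not code from the thread or from any McAfee tooling; the records, the `ManagedSystem` fields, and the assumption that you can get both the agent-reported address and the source address the Agent Handler observed on the last ASCI are all constructed for illustration.

```python
"""Decide which managed systems an Agent Handler could realistically reach
with a wake-up, and which should instead get a frequent-ASCI tag.
Added example, not McAfee code.  All sample records are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Ranges that are not routable from the internet: RFC 1918, RFC 6598 (CGNAT),
# loopback and link-local.  Everything else is treated as publicly routable
# here (explicit list so documentation ranges used in the sample count as public).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class ManagedSystem:
    name: str
    agent_ip: str      # address the agent reports in its own properties (assumed field)
    observed_ip: str   # source address the Agent Handler saw on the last ASCI (assumed field)


def is_routable(ip: str) -> bool:
    """True if the address is outside every non-routable range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def classify(system: ManagedSystem) -> str:
    """Classify how a wake-up from the handler would fare.

    'direct'   - agent reports the same public address the handler saw: an
                 inbound connection to the wake-up port can reach it.
    'nat'      - agent's own address differs from (or is private behind) the
                 public address it came from: inbound wake-up will not reach it.
    'internal' - agent reached the handler from a non-routable address, so it is
                 on the LAN or VPN; wake-up depends on the handler's internal route.
    """
    if not is_routable(system.observed_ip):
        return "internal"
    if is_routable(system.agent_ip) and system.agent_ip == system.observed_ip:
        return "direct"
    return "nat"


def plan_tags(systems):
    """Return (class per system, sorted names to tag with a short-ASCI policy).

    Only the 'nat' systems need the fallback: 'direct' ones can be woken, and
    'internal' ones are handled by the normal on-premises handlers.
    """
    classes = {s.name: classify(s) for s in systems}
    to_tag = sorted(n for n, c in classes.items() if c == "nat")
    return classes, to_tag


def shared_egress(systems):
    """Second NAT signature: one public source address shared by several distinct
    agent addresses.  Returns {public_ip: [agent_ips...]} for the shared ones."""
    seen = defaultdict(set)
    for s in systems:
        if is_routable(s.observed_ip):
            seen[s.observed_ip].add(s.agent_ip)
    return {ip: sorted(agents) for ip, agents in seen.items() if len(agents) > 1}


# Constructed sample inventory, not an ePO export.
SAMPLE = [
    ManagedSystem("LAPTOP-01", "10.1.2.3", "203.0.113.10"),       # home router NAT
    ManagedSystem("KIOSK-07", "198.51.100.7", "198.51.100.7"),    # public IP on the host
    ManagedSystem("DESKTOP-22", "192.168.1.5", "192.168.1.5"),    # on the LAN
    ManagedSystem("LAPTOP-03", "172.16.4.9", "203.0.113.10"),     # same NAT as LAPTOP-01
]

if __name__ == "__main__":
    classes, to_tag = plan_tags(SAMPLE)
    for name, cls in classes.items():
        print(f"{name:12} {cls}")
    print("tag for frequent ASCI policy:", to_tag)
    print("public addresses shared by several agents:", shared_egress(SAMPLE))
```

Run it as-is to see the split: the two laptops behind the shared 203.0.113.10 address are the ones the handler cannot wake and the ones that get the tag, while the kiosk with its own public address is a candidate for a real wake-up and the LAN desktop is left to the internal handlers.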
Agent wake-up cannot be done in a DMZ or NAT environment even if you have installed an AH internally.
In a DMZ / NAT environment, only agent-to-server communication will be performed, and it will get the update on the ASCI interval.
It has been clearly explained in the McAfee Corporate KB: How to use ePolicy Orchestrator in a DMZ or NAT environment, KB59218.
If you install a DXL broker in the DMZ and the DXL agent on the endpoints, you will then be able to do an agent wake-up, even if the clients are behind NAT'ed firewalls.