We have an EPO server setup (4.6.1) and ideally we want the agents (188.8.131.522) working in the following way:
-The agent attempts to connect to the EPO locally
-If the machine is outside of the organisation it then fails over to the second agent handler which is publishing the public dns and IP address via their internet connections.
The EPO server itself is acting as what I would want to be the primary agent handler and is publishing the internal DNS/IP addresses. I have installed a separate agent handler that is publishing the public address.
At the moment the agents are deciding somewhat arbitrarily which agent handler they will use. Some are going out via the internet, others are looking internally (when on the LAN). This is when using the default handler assignment rule (use all agent handlers).
What would be the best way to achieve what I want? I have tried setting up assignment rules, but when I do that (EPO agent handler first priority (internal), public agent handler secondarily (public)), the agents' sitelist has no mention of the secondary handler and therefore will fail when taken off the LAN.
Ideally we wouldn't want a second agent handler at all (we would want the EPO server to deal with everything itself), but installing a second one that directs the agent to the public IP address seems to be the only way to have two addresses published and usable.
I believe I am thinking or doing something fundamentally wrong so please feel free to put me straight!
I hope that makes sense
Your priority rules are only half of the equation. Your internal Agent Handler also needs to have the IP ranges for your internal subnets defined so that only internal systems use it. Everything else will fail over to the agent handler next in the list.
I have one Agent Handler in the DMZ so I use "Handler Priority" (found under "Agent Handler Assignment") to create a custom handler list. The local ePO server is listed first and the AH in the DMZ is listed second. When the nodes come back in it does take a couple of Agent cycles before they drop the AH in the DMZ and pick up the local ePO.
Thanks for your input so far.
To give you a further idea, internally our machines are denied access to the internet by a hardware firewall, hence the need for the laptops to look internally first. At the moment some laptops seem to want to check the public agent handler first every time, then fail over to internal. However, the laptops are often taken out of the organisation, hence the need to have them continue to contact the EPO when they are at home using their wifi connections etc. So they should never use one agent handler exclusively; they need both sites as options, I just want them to use the internal one first.
Currently (using the default assignment rule) when I look in 'about' on the client, I can see the two agent handlers (or published addresses in any case). On some machines the public agent handler is first on the list and the internal is second, and vice versa (I'm not sure if this is significant).
When trying to troubleshoot, I set up priority rules and I did specify our IP ranges, so anything on the local subnet would use the internal agent handler, and the public agent handler was second in the priority list. However, when I did this, the public agent handler disappeared from the sitelist on the client and in 'about'. So when taken off the local subnet it had nowhere else to look.
I'm going to continue to play about with this today, but any guidance would be great. I'm pretty sure I'm missing something obvious and what you've posted above makes sense, but when I set up the internal agent handler to deal with all clients with the IP range criteria I set, the public address disappears from the client.
Message was edited by: hatevessel on 09/02/12 04:30:46 CST
Not to start up an old thread, but I am having the same issue... I have an AH in the DMZ that I do not want internal people to use. I have set up AH priority so internal people should not use the DMZ AH, but it appears a number of machines insist on going out to the DMZ AH when on the internal network. I plan to learn more about how this really functions, but any tips on a similar setup? I'm considering putting in a firewall rule so internal clients can't get to the DMZ AH via 443.
I ended up having to define internal IP ranges to only use the internal AH (ePO Server) and everything else will failover to the AH in the DMZ. If you have laptops though they will hit the AH in the DMZ when they are off your network.
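The symptom both posters describe (the public handler vanishing from the client's sitelist, or the handlers in the wrong order) is easiest to confirm on the client itself rather than from the ePO console. The script below is an added example, not code from this thread or from McAfee: it parses a SiteList.xml-style file, lists the handlers in the order the agent will try them, and flags the two failure modes discussed above. The XML layout (a `SiteList` element containing `SpipeSite` elements with `Name`, `Order`, `Server` and `Enabled` attributes) is an assumption based on the agent's sitelist format, the parser only relies on elements carrying a `Server` attribute so it tolerates variations, and the hostnames and sample files are constructed for the example. On a real client, point it at the agent's own sitelist file instead of the embedded samples.

```python
"""Check a McAfee Agent sitelist for the handler ordering discussed in the thread.

Added example. The element/attribute names are assumptions about the
SiteList.xml layout; hostnames and the three sample files are constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed samples. Order="1" is the handler the agent tries first.
SITELIST_OK = """<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="example">
    <SpipeSite Type="master" Name="EPO_INTERNAL" Order="1" Server="epo.corp.example:443" Enabled="1"/>
    <SpipeSite Type="master" Name="AH_DMZ" Order="2" Server="epo-dmz.example.com:443" Enabled="1"/>
  </SiteList>
</ns:SiteLists>"""

# What the original poster saw after adding an IP-range assignment rule:
# the public handler is no longer published to the client at all.
SITELIST_MISSING_PUBLIC = """<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="example">
    <SpipeSite Type="master" Name="EPO_INTERNAL" Order="1" Server="epo.corp.example:443" Enabled="1"/>
  </SiteList>
</ns:SiteLists>"""

# What the "use all agent handlers" default can produce: both present, DMZ first.
SITELIST_WRONG_ORDER = """<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="example">
    <SpipeSite Type="master" Name="AH_DMZ" Order="1" Server="epo-dmz.example.com:443" Enabled="1"/>
    <SpipeSite Type="master" Name="EPO_INTERNAL" Order="2" Server="epo.corp.example:443" Enabled="1"/>
  </SiteList>
</ns:SiteLists>"""


def parse_handlers(xml_text):
    """Return the handlers in the sitelist, sorted by their Order attribute.

    Any element with a Server="host:port" attribute is treated as a handler
    entry, so the parser does not depend on the exact element name.
    """
    root = ET.fromstring(xml_text.strip())
    handlers = []
    for el in root.iter():
        server = el.get("Server")
        if not server:
            continue
        host = server.rsplit(":", 1)[0]  # drop the ":port" suffix
        handlers.append({
            "name": el.get("Name", "?"),
            "host": host,
            "order": int(el.get("Order", "0")),
            "enabled": el.get("Enabled", "1") == "1",
        })
    handlers.sort(key=lambda h: h["order"])
    return handlers


def check_handlers(xml_text, internal_host, public_host):
    """Compare the published handler list against the intended design:
    internal handler first, public handler still present as the fallback."""
    hosts = [h["host"] for h in parse_handlers(xml_text) if h["enabled"]]
    problems = []
    if internal_host not in hosts:
        problems.append(f"internal handler {internal_host} missing from sitelist")
    if public_host not in hosts:
        problems.append(f"public handler {public_host} missing from sitelist; "
                        "client has nowhere to go when off the LAN")
    if hosts and hosts[0] != internal_host:
        problems.append(f"first handler is {hosts[0]}, not {internal_host}; "
                        "client will try the public address before the internal one")
    return {"order": hosts, "problems": problems}


if __name__ == "__main__":
    # Usage: python check_sitelist.py [path-to-SiteList.xml]
    # With no path, the three constructed samples are checked instead.
    internal, public = "epo.corp.example", "epo-dmz.example.com"
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            samples = {sys.argv[1]: f.read()}
    else:
        samples = {"ok": SITELIST_OK,
                   "missing public": SITELIST_MISSING_PUBLIC,
                   "wrong order": SITELIST_WRONG_ORDER}
    for label, text in samples.items():
        result = check_handlers(text, internal, public)
        print(f"[{label}] try order: {' -> '.join(result['order'])}")
        for p in result["problems"]:
            print(f"  PROBLEM: {p}")
```

The "wrong order" case matters even when both handlers are present: on a LAN where the firewall blocks outbound 443, a client that tries the DMZ handler first has to time out before it falls back to the internal one, which is why the laptops appeared to "check the public agent handler every time first".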