Best Practice ePO Architecture

We would like to use ePO to manage clients in an internal network. The issue is that ePO needs to connect to the internet to obtain virus files. We would prefer to not have a direct connection to the internet, and instead go through something in the DMZ. What is the recommended way for doing this?

 

10 Replies
mcoffee
Level 10
Message 2 of 11

Re: Best Practice ePO Architecture

If you don't want it to automatically grab the updates from the McAfee site (NAI\FTP etc) from the internal network then you can always use it as a disconnected EPO.

 

You can simply download the updates for yourself from your own PC etc that is connected to the internet from https://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx?region=us (make sure you download the EPO package relevant to your estate) - and then copy this file to the EPO server, and check it in to the master repository.

 

Then simply use your client tasks etc to distribute the new DAT.

 

Re-reading your post, it would sound like you're thinking along the same lines as having a WSUS upstream/downstream setup, having a server in the DMZ to do the downloading, and then filter the DATs down to your downstream server inside your internal network?

 

May I ask if there is any specific concern to having your EPO internet facing? If you are behind firewalls etc this should be perfectly securable. We have a DMZ available, but we still have 3 EPOs deployed on our internal network; they have internet connectivity but are only allowed access on specific ports controlled by our Checkpoints. Doing anything else seems overkill as it is perfectly secure on your internal network, as you don't need to expose the server in its entirety.

 

Regards

Nick

-------
If my answer helped you, please mark it as the accepted solution and give Kudos if appropriate.

Re: Best Practice ePO Architecture

Exactly, I'm thinking something along the same lines as an upstream/downstream WSUS. 

My understanding is that a DMZ is not just for inbound traffic, but it is also good practice (depending on sensitivity) to place servers requiring outbound traffic in a DMZ. Agree it might be overkill for some networks, but it does add a little extra segregation 'just in case'.

 

I'm guessing that the most common way is to just open an outbound port to the McAfee website, but I was wondering if there was a McAfee recommendation (or best practice) if you want to utilise the DMZ. 

I struggled to find any docs on alternate source sites for ePO, would you be able to provide a link? I also imagine there might be a few different ways to make a source site for ePO, and was hoping for some comparisons / recommendations?

mcoffee
Level 10
Message 4 of 11

Re: Best Practice ePO Architecture

Thinking a bit more, if you still wanted to go via your preferred method, you could deploy something like a McAfee Web Server in the DMZ, and use that to download your DATs, then you can add additional source site on the EPO to pull from - as long as your web server can pull the data from McAfee's site then this should work. 

 

The product guide shows how to set up alternate source sites, as I can't quite recall the steps off the top of my head (I think the doc can be found within your product portal, accessed using your Grant number).

-------
If my answer helped you, please mark it as the accepted solution and give Kudos if appropriate.
McAfee Employee cdinet
McAfee Employee
Message 5 of 11

Re: Best Practice ePO Architecture

You might also want to look at KB59128 for using ePO in a DMZ environment and KB66797 for required ports. PD26432, the best practices guide, also has some info on using ePO in a DMZ environment and some other suggestions on that.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: Best Practice ePO Architecture

KB59128 actually isn't related to my question. This KB is for the situation of managing DMZ machines using ePO, rather than having ePO obtain files from the DMZ. Completely different things. KB66797 only outlines the ports, and I couldn't find the question discussed in the best practices guide either (again only the situation of managing DMZ machines).

I would like to configure a server in the DMZ to pull content from the McAfee website, and have my internal ePO pull content from this DMZ server. My question is what is the recommended way to do this? How should I configure this DMZ server?

Here are two similar questions, though aren't really answered properly: 

https://community.mcafee.com/t5/ePolicy-Orchestrator/EPO-Install-Internal-Network-and-DMZ/td-p/25779...

https://community.mcafee.com/t5/ePolicy-Orchestrator/Distributed-Repository-in-DMZ-not-working/td-p/...

"As an alternative, you could put a single agent on a machine in the DMZ, and configure it to run a mirror task. This will download an exact copy of the McAfee commonupdater site to a folder. You can then make this folder available to the internal network in whatever way you choose - a UNC share, or make it part of an HTTP or FTP server. Then set the internal ePO server to pull from it."

Is there any documentation on this configuration? Is there a better way?

McAfee Employee cdinet
McAfee Employee
Message 7 of 11

Re: Best Practice ePO Architecture

Look at KB82581 - How to update an epo master repository from another epo server and let me know if that is what you are looking for.  I will look at the other 2 posts you listed.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: Best Practice ePO Architecture

I have seen KB82581 but can't imagine this is the right solution. A whole separate ePO server in the DMZ? This seems really bloated given that I just need the content files, and don't need to use any of the ePO management features. It's a solution, but I can't imagine it's the best way to go.

mcoffee
Level 10
Message 9 of 11

Re: Best Practice ePO Architecture

Aside from the Web Server being deployed in the DMZ and using that as an upstream source for your EPO, I would suggest looking at whether you definitely need that extra layer, or if it simplifies your entire situation if you can justify internet access via restricted port channels on your internal network?

 

We have compliance constraints up to the eyeballs, but that solution complies with our ISO standards, and has not presented a single security flaw due to the controlled access.

-------
If my answer helped you, please mark it as the accepted solution and give Kudos if appropriate.
McAfee Employee cdinet
McAfee Employee
Message 10 of 11

Re: Best Practice ePO Architecture

I apologize, I took set up server in dmz for epo server, my mistake.  PD22941 is the product guide for VSE to set up a mirror task on that server in the dmz.  You can then use that as a source site by setting up that location as an http or ftp type repository.  Starting on page 46 is a section on configuring a source site.  The epo product guide has info on setting up that as a source site to pull from.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
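The arrangement the thread converges on (a mirror task writes an exact copy of the update site to a folder on a DMZ host, that folder is exposed over HTTP, and the internal ePO pulls from it as a source site) leaves the DMZ host as a one-way content hand-off point, so the HTTP side should be strictly read-only and confined to the mirror folder. Below is an added example of such a front end, not McAfee's code and not from any post in this thread. The mirror path, listen address and the sample request paths in the comments are assumptions; the mirror task itself, the firewall rules limiting who can reach the listener, and the ePO source-site configuration are outside this script.

```python
"""Read-only HTTP front end for a mirrored update folder on a DMZ host.

Added example, not McAfee's code. Assumed setup: a mirror task has already
written a copy of the update site into MIRROR_ROOT, and the internal ePO
server is configured with this host/port as an HTTP source site.
"""
import logging
import os
import posixpath
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

MIRROR_ROOT = os.environ.get("MIRROR_ROOT", "/srv/update-mirror")  # assumed path
LISTEN = ("0.0.0.0", 8080)  # assumed; reachability is limited by the DMZ firewall

log = logging.getLogger("mirror-http")


def safe_relative_path(url_path: str):
    """Map a request path to a relative path inside the mirror root.

    Returns None when the request would escape the root: a leading ".."
    segment after normalisation, traversal hidden behind percent-encoding,
    an embedded NUL, or backslashes (a separator on Windows mirror hosts).
    Query strings and fragments are discarded; "" denotes the root itself.
    """
    decoded = urllib.parse.unquote(urllib.parse.urlsplit(url_path).path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    norm = posixpath.normpath(decoded.lstrip("/"))
    parts = [p for p in norm.split("/") if p and p != "."]
    if any(p == ".." for p in parts):
        return None
    return "/".join(parts)


def resolve_file(root: str, url_path: str):
    """Turn a request path into an absolute filesystem path under root, or None.

    realpath() is a second guard: a symlink placed inside the mirror folder
    must not lead a request outside it either.
    """
    rel = safe_relative_path(url_path)
    if rel is None:
        return None
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, rel))
    if full != root_real and not full.startswith(root_real + os.sep):
        return None
    return full


class MirrorHandler(BaseHTTPRequestHandler):
    """Serves single files only: no directory listings, no write methods."""

    server_version = "MirrorHTTP/0.1"

    def _serve(self, send_body: bool):
        target = resolve_file(MIRROR_ROOT, self.path)
        if target is None or not os.path.isfile(target):
            # Rejections are logged so traversal probes show up in the DMZ logs
            log.warning("%s rejected %s %s", self.client_address[0], self.command, self.path)
            self.send_error(404)
            return
        size = os.path.getsize(target)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(size))
        self.end_headers()
        if send_body:
            with open(target, "rb") as fh:
                while chunk := fh.read(65536):
                    self.wfile.write(chunk)
        log.info("%s served %s (%d bytes)", self.client_address[0], self.path, size)

    def do_GET(self):
        self._serve(True)

    def do_HEAD(self):
        self._serve(False)

    def do_POST(self):
        # The mirror is read-only; anything that could modify content is refused
        self.send_error(405)

    do_PUT = do_DELETE = do_POST


def main():
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    HTTPServer(LISTEN, MirrorHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it on the DMZ host with `MIRROR_ROOT` pointing at the mirror task's output folder, allow only the internal ePO server through the DMZ firewall to the listen port, and add `http://<dmz-host>:8080/` as an HTTP source site on the internal ePO. The two path checks are the point of the example: ePO only ever needs specific files by name, so the server never lists directories and never follows a request outside the mirror folder, which keeps a compromised or probing client on the internal side from reading anything else on the DMZ host.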
