Cannot Wake Up Mcafee Agent behind NAT

I have an ePO 5.9 server behind a firewall using 1-to-1 mapping to a public IP. I have added ServerIPAddress=<IP address of the DMZ server> in server.ini so that the deployed agent can communicate with the server. However, when I install the agent on a Linux server behind a firewall (using port forwarding), I find the following in ePO:

[Image: Agent Deployment Arch]

1. When I add the agent with its NATed public IP, another record with its private IP appears, and it is in Managed status.

2. The record with the public IP address is still Unmanaged.

3. I cannot wake up the agent using the private IP record. Instead, I can use the public IP to wake it up.

4. After waking up, the managed status of the two records is unchanged.

[Image: ePO System Tree]

The agent may report to ePO its local IP address, which is a private IP.

So is there any method to resolve the problem?

BTW, the agents deployed later will each be behind their own firewall (each with a different NATed public IP).

Best regards,
Steven

6 Replies
McAfee Employee cdinet
Message 2 of 7

Re: Cannot Wake Up Mcafee Agent behind NAT

Please refer to KB58818 - wakeup calls in a NAT environment do not work, as you have seen. The agent binds to the first IP it is given at startup and that is what is reported to ePO. There is also typically no DNS resolution for a NATted system.

However, check KB88008. With 5.3.3 and above, if DXL is installed in your environment, the wakeup calls will be routed over DXL even in a NATted environment. It existed in earlier 5.3 versions, but had issues that were resolved in 5.3.3. That feature also exists in 5.9.1.


Re: Cannot Wake Up Mcafee Agent behind NAT

Thx for your reply.

Referring to KB58818, the client will receive all the updates and policies from the server with every agent-to-server communication.

But if I want to force product deployment of endpoint protection through ePO, is it possible to make that happen? Or can I only download the package, transfer it to the Linux server and install it locally?

Best regards,

Steven

McAfee Employee cdinet
Message 4 of 7

Re: Cannot Wake Up Mcafee Agent behind NAT

No, you don't have to do that. You can set up a scheduled task for deploying products and updates. Being behind a NAT doesn't mean the agent can't talk to ePO and get updates, tasks, etc. It just means ePO can't proactively send it wakeups, agent deployments (via the deploy agent function) or Run Client Task Now. But it can receive scheduled tasks and run them on the schedule.


Re: Cannot Wake Up Mcafee Agent behind NAT

Noted~thx a lot for your reply.

Best regards,

Steven

shed
Message 6 of 7

Re: Cannot Wake Up Mcafee Agent behind NAT

Hi,

I set up a scheduled task to deploy the agent to a NAT'd PC as you suggested, but it does not work.

McAfee Employee cdinet
Message 7 of 7

Re: Cannot Wake Up Mcafee Agent behind NAT

The masvc log will show it getting the task and invoking it. The mcscript log will show whether it was able to get the necessary files and run them. If that all succeeds, then you need to look at the install logs for the agent deployment to see where the failure is.

Agent log location - c:\programdata\mcafee\agent\logs

Install logs - c:\windows\temp\mcafeelogs

 
