Showing results for 
Search instead for 
Did you mean: 
Level 8

Connecting DataCenter to ePO

Hi Guys,

I'm trying to enroll servers in datacenter into ePO but i'm not sure which is the best way to do so. By the way - connectivity is not an issue.


Can somebody explain to me what would be the best way to design ePO infrastructure so i can add DC1 and DC2 to ePO in Main Office?

Each DC has about 100 servers

0 Kudos
5 Replies
McAfee Employee

Re: Connecting DataCenter to ePO

​, What you need to do first is to register DC1 and DC2 in ePO. You can do this by clicking on ePO menu > Registered Servers. It's located under "Configuration" section when you expand ePO menu. Simply click "NEW SERVER" button and add the DCs as LDAP servers. Once registered, you can sync AD objects (users, computers etc). This will help in designing your epo system tree, encryption users, deploying software and so on. If your AD is well organized, you can replicate that in system tree. Or you can create custom folders in system tree and sync it with a specific OU in your AD.

After you've registered your DCs, you can select any system tree in ePO, go to "GROUP DETAILS" tab and change "Synchronization type" setting.

Hope this helps. If not, please let me know.

0 Kudos
Level 8

Re: Connecting DataCenter to ePO

Hi Moe,

Thank you for your explanation but i faced some issues already. I managed to add Domain Controllers and synchronize AD but i wasn't able to push agent. The reason is because there's NAT on the way:

So when i add Domain Controller to ePO they can talk to each other but if i want to deploy agent it's trying to use 192.168.1.x IP cause both domain controller and the server itself are not aware of 192.168.100.x

Before i asked my opening question i was thinking about deploying "islands" so they can contact server in DCs by their local IP addresses and send the data back to ePO.

Other solutions i was thinking of is deploy another ePO but i'm not sure if it requires a licence?

Thanks for the extension as well. Will definitely have a look when the ePO works as supposed

0 Kudos

Re: Connecting DataCenter to ePO

you could manage to deploy the agent in DC1 by placing agent handler ( AH) and there will no licensing involved in this, It's just an extension of the ePO server.

Thing you have to care that AH can't directly speak with in their subnet.. 



0 Kudos
Level 8

Re: Connecting DataCenter to ePO


Almost everything is fine I deployed Agent Handler and all servers in DC check into that Agent which then pass all the information to the ePO.

There's only one issue i'm facing right now.

- Added AgentHandler-DC1

  Specified System Tree Location and Agent Subnet

- Created Agent Policy - Repository in System Tree location

  Pointed to AgentHandler-DC1

- Checked in all servers in DC1

  At this point i had AgentHandler-DC1 as primary repository and McAfee Http as fallback repository

Noticed that some of the machines from the office are not checking in and their IP range matched DC1 range

Because the network IPs were overlapping i removed Agent Subnet hoping it will use System Tree location

Now the servers from DC1 System Tree location are not able to connect to AgentHandler-DC1 repository (they still report their status to AgentHandler)

[Thu Sep 14 15:52:39.336890 2017] [authz_core:error] [pid 1548:tid 3612] [client] AH01630: client denied by server configuration: C:/Program Files (x86)/McAfee/Agent Handler/DB/www/SiteStat.xml

btw. the www folder is empty

I thought it's a problem with agent so i have made new FramePkg.exe and deployed it again. System has been added outside DC1 System Tree location and now i could see all repositories (DC1, Office and McAfee Http)

I ran the update and guess what... it updated from AgentHandler-DC1 with no issues. I wanted to check what's the addres but it wouldn't let me edit as they all are read-only.

I tried to find sitelist.xml and i found it but the list is totally different than the repository. I extracted the list from FramePkg.exe and this one was listing all 3 repos.

I didn't bother to replace the list cause it's a bit tricky but i'm wondering

Is there any other way to allow systems to pull data from AgentHandler-DC1 repository than specifying Agent Subnet?

Why it does work when systems are outside System Tree location of AgentHandler-DC1

Most likely it's ePO setting permissions not the Apache running as AgentHandler.

0 Kudos
McAfee Employee

Re: Connecting DataCenter to ePO

1) I would also recommend checking in "Cloud Workload Discovery" extension for epo. With this, you can sync ePO with your VMware environment and receive information about your vms. That way you can plan your security posture by seeing how many vms there are, how many are protected etc. If they are not being managed by ePO, you can target them and install agent and other products. It's much easier when the vms are part of your AD.

2) Look into using "Rogue System Detection" also. This small program will help you determine whether you have rogue systems on your network. You want to install this in your highly active servers (dns, dhcp). Then you can craft query to target domain joined windows systems and push mcafee agents on them. this will automate your administration.

0 Kudos