We need to add an Agent Handler in our DMZ. In our current setup our ePO server is multihomed with a leg in our corporate network and a leg in the DMZ. We would like to simply add an additional Agent Handler in the DMZ on the ePO server using the leg (NIC) that is already in our DMZ. Anybody ever try this? Is it even possible? All information I have dug up involves an additional system in the DMZ. We are also considering a VM on the ePO server to use as the Agent Handler for the DMZ. But we would like to avoid that step if possible. Thanks in advance to the help.
Unfortunately, epo will bind to one of the nics and to prevent systems from using the wrong IP, you often have to add the serveripaddress= parameter in the server.ini to bind it to that. The server won't be listening on all the ports on both nics.
So that is pretty much a "no" it won't work? Since the server cannot communicate with both NIC's. I was thinking this might not be valid.
I think we can spin up a VM on this server with Hyper-V. We even have another NIC to use.
Thank you for the information!
The alternative is to maybe set up a published IP for epo (it doesn't have to be externally public). You can set up a dns entry for that and set epo to use a published IP address that you are more comfortable opening a port on in the dmz. See kb66797 for port requirements. Your internal systems would also use that IP. It could be something totally different than what the physical nic says. You would configure that under agent handlers. You don't have to change the fqdn published entry.
Interesting angle. We will ponder that.
We are not a huge company and have dedicated hardware for just under 1,000 nodes. We only have a handful of systems that are permanently off site. We need those to communicate but it would also be nice if we had a way for systems who roam on and off the corporate WAN to have the the option to communicate (updates/reporting). The plan was to register firstname.lastname@example.org and have an agent in the DMZ to handle the requests when a system happens to be off the corporate WAN.
Given our situation, any other suggestions you have would be greatly appreciated.