jgs
Level 7
Message 1 of 6

Daisy-Chaining SuperAgent Repositories

Hey,

I'm relatively new to working with McAfee products and I'm doing local support for a system that's currently in-place.  It seems to be ePO 4.0.x for McAfee Enterprise i8.7.

I've been looking into updating methods for some of our local subnets/domains, and it looks like SuperAgents would be the way to go.  Unfortunately some of the subnets are isolated, with no local access allowed to the rest of the network as a whole.  Would we be able to set up SuperAgents to daisy-chain updates into these subnets?  Most of these subnets are part of isolated domains/workgroups and will have no connection whatsoever to the domain the main repository sits on.

Would another option, such as mirroring, and then setting up a UNC repository, be a better choice?

Accepted Solutions
McAfee Employee
Message 4 of 6

Re: Daisy-Chaining SuperAgent Repositories

"They essentially have no connectivity to the main domain that the ePO sits on, and they are segregated for security and policy reasons."

Unfortunately this statement means ePO is pretty much dead - if the client machines are unable to communicate with the ePO server, then there's not very much ePO can do. It would probably be easier to set up local mirroring of the McAfee update site (using a mirror task on a single client machine, for example) and configure the clients to update from there, rather than fight trying to get ePO-based updating working.

One possibility might be agent handlers, which can help in limited connectivity environments like DMZs... have you investigated them as a possibility?

HTH -

Joe

5 Replies
McAfee Employee
Message 2 of 6

Re: Daisy-Chaining SuperAgent Repositories

Unfortunately if these networks are truly isolated, you're a bit stuck - even if you could get a superagent onto a machine on the subnet, it wouldn't be able to communicate with ePO and be updated; similarly, ePO won't be able to control any client machines on these networks...

Do these networks have any external connectivity at all?

Thanks -

Joe

jgs
Level 7
Message 3 of 6

Re: Daisy-Chaining SuperAgent Repositories

Hi,

Thanks for the reply.  They're connected through routers/firewalls to the other domains/the main domain, but have very limited connectivity.  Most of them are only allowed to send/receive to a single server on specific ports. They essentially have no connectivity to the main domain that the ePO sits on, and they are segregated for security and policy reasons.  From my understanding of ePO, the main repository requires direct access to the subnet/computers that it manages, and only uses SuperAgent repositories to simplify sending wakeup calls and updates within the local repository's broadcast zone.  Is this correct?

My idea was to have edge servers be the repositories, and have them broadcast the updates to the isolated zones.  Unfortunately if they have to be regulated in the ePO on the main repository, this won't be possible for us.  Mirroring still sounds feasible, as we could forgo the need for broadcasting wakeup and have the clients check in at scheduled times to grab the updates via port forwarding.  For daisy-chaining subnets, we could then re-mirror inside one subnet, or set up forwarding for the second subnet via the first mirror.  But using this system may mean slightly-less up-to-date DATs/updates for the isolated networks.

Hopefully this all makes sense so far.  Are mirror jobs the way to go, or can SuperAgents be used in this kind of setup?

jgs
Level 7
Message 5 of 6

Re: Daisy-Chaining SuperAgent Repositories

Thanks for the reply again.

Just checked out the whitepages for Agent Handlers, and it looks like it's only available for ePO 4.5.  While it would help the first subnet, we would still need to use mirroring on the rest in the chain.

It looks like I'll be going with mirroring.  Thanks again for all the suggestions and info.

McAfee Employee
Message 6 of 6

Re: Daisy-Chaining SuperAgent Repositories

No problem - sorry we couldn't be more help.

Frankly I don't envy you trying to administer that environment at all - it sounds very painful.

Regards -

Joe