Showing results for 
Search instead for 
Did you mean: 

EPO & Agent Handler in different network

We have EPO Server in one network and Agent handler in another network. How Agent Handler will talk to EPO server and take Product update and patches. How SQL DB will configure in this methodology.

secondly Endpoints will communicate to Agent handler and it should take update,policies and deployment.

How to configure this and share me if any KB article or any document related to this?



8 Replies

Re: EPO & Agent Handler in different network

Google Translate

Hello Friend,

First of all, the ePO server and another server that will install the Agent Handler, both need to communicate.

Because when you are installing the agent handler, It will ask to you information from your ePO.

Now that you know it.

check out this video on YouTube:

How to Plan McAfee ePolicy Orchestrator Agent Handlers - YouTube

Ola Amigo,

Antes de mais nada, o servidor ePO e o outro servidor que será instalado o Agent Handler, ambos precisam se comunicar.

Porque quando você for instalar o agent handler, ele ira pedir as informações do seu ePO.

Agora que voêc sabe disso.

veja esse video no youtube:

Re: EPO & Agent Handler in different network

Hello Kumar,

if you wanted to update your agents and also take care of communication install Super agents as agent handler will help only in communication.

Also make sure there is communication between ePO server and super agent



Re: EPO & Agent Handler in different network

Hello Kumar,

Agent Handlers require a very fast network connection, there are

some scenarios in which you should not use them, including:

• To replace distributed repositories. Distributed repositories are local file shares intended to keep

agent communication traffic local. While Agent Handlers do have repository functionality built in,

they require constant communication with your ePolicy Orchestrator database, and therefore

consume a significantly larger amount of bandwidth.

• To improve repository replication across a WAN connection. The constant communication back to

your database required by repository replication can saturate the WAN connection.

• To connect a disconnected network segment where there is limited or irregular connectivity to the

ePolicy Orchestrator database.

Rest Below are the ports required to be opened between Agent handler , ePO and SQL db

Your agent handler will talk to both ePO and SQL realtime so make sure they are in same network or atleast they have high bandwidth available as relatime sync happens between agent handler , sql and ePO


These steps were done using the following:

  • Windows Server 2012 R2
  • McAfee ePO 5.1

  1. 1. Build a server running Windows Server 2012 R2 and install all of the latest security patches
  2. 2. Have server placed in your company’s DMZ which should still be behind a firewall
  3. 3. Have a published DNS record created for access from internet-based agent
  4. 4. Have your network engineering team configure the following ports on the internal-facing firewall for communication between the ePO server and the agent handler in DMZ:
    1. a. Bi-directional 80
    2. b. Bi-directional 8443 and 8444
    3. c. Bi-directional 443
  5. 5. The following is for communication between the agent handler in DMZ and internal SQL server, if your database is not on the ePO server itself:
    1. a. Bi-directional 1433 TCP and 1434 UDP
  6. 6. The following is to be configured on your public-facing firewall to allowing communication between your workstations connecting through public internet to your agent handler in DMZ:
    1. a. Inbound 80 TCP
    2. b. Inbound  443 TCP
    3. c. Inbound  8081 TCP
    4. d. Inbound  8082 UDP
  7. 7. Follow the Install remote Agent Handlers steps on page 29-30 of epo_510_ig_0-00_en-us.pdf.  I used a SQL account with these ePO SQL permissions.
  8. 8. If you do not already have a Subgroup created for machines that should communicate with agent handler in DMZ, create one.  How you move machines there is up to you.  I am only assigning laptops so I have a tag named Laptop that is automatically applied to all laptops then have a Server Task move all machines tagged with Laptop to my DMZ Subgroup.
  9. 9. Log into your ePO server and navigate to Menu>Agent Handlers
  10. 10. Click New Assignment
  11. 11. Enter name in Assignment Name field (i.e. DMZ Agent Handler Assignment)
  12. 12. Click Add Tree Locations, and click on the ellipses button
  13. 13. Select the DMZ Subgroup and click OK
  14. 14. Select the Use Custom Handler List radio button
  15. 15. Click Add Handlers
  16. 16. From drop-down menu select the agent handler in DMZ (disregard Warning message about primary agent handler)
  17. 17. Click Save to complete
  18. 18. Click Edit Priority
  19. 19. Move your DMZ Assignment to priority 1, click Save
  20. 20. Click on Agent Handlers to get to list of agent handlers
  21. 21. Click on the agent handler in DMZ
  22. 22. Enter the publicly published DNS name created in step #3 in the Published DNS Name field
  23. 23. Enter the IP that the publicly published DNS name resolves to in the Published IP Address field
  24. 24. Click Save
  25. 25. Now back in the Handlers list, enable the agent handler in DMZ by clicking Enable

Your machines designated to get the DMZ Agent Handler Assignment will begin getting their changes during the next couple of ASCI transactions.  You can visually confirm by checking the following registry key on a test machine:

Key:  HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\Agent

String Value Name:  ePOServerList

String Value Data:  <public DNS name>|<public IP address>|443          

Re: EPO & Agent Handler in different network

Hi All,

Thanks for the update.

We have Agent Handler & 5000 Endpoints are in one network. But they are going to maintain EPO server in completely different network. but both network are in same location.

Is there any possible method to configure both EPO & AH. Or how we can proceed for this method.

Please give me whether our requirement will successfully work or not.



Re: EPO & Agent Handler in different network


If your networks are routable then one ePO server will easily manage 5000 end points. 

We currently manage 7000 end points with one ePO server with the database on a remote SQL cluster. We only use an AH in our DMZ to allow our 1000 mobile MacBooks to communicate with ePO while off our corporate LAN

I would suggest the AH's would not be suitable if all your 5000 end points can reach your ePO server due to the Low network Latency required for the AH to communicate with the SQL database. 



Certified McAfee Product Specialist - ePO

McAfee Volunteer Moderator

Re: EPO & Agent Handler in different network

We run over 15,000 off one ePO server with one Agent Handler without any issue.

What are you trying to accomplish?  When you say "different networks in the same location", what do you mean?  Are the two networks completely isolated from each other? 

Re: EPO & Agent Handler in different network

We have 2 company x & Y company. In X company we are going to install EPO & SQL server.

In Y company we are going to install agent handler. from Y company we have 5000 endpoints.

From both X & Y company IP segment will be different.

Currently our requirement will be how the product update & policies will replicate from X company EPO server to Y company Agent handler. After that only our endpoints will update the DAT signature and policies.

How we can configure in this scenario and is there any challenges regarding this method.



Re: EPO & Agent Handler in different network

When you say that the two companies have different IP segments, do you mean that they are separated by firewalls, but you are able to allow bi-directional traffic between them?  Is the traffic traversing a WAN link or Internet connection, or will you have a high-speed, low-latency connection between the Agent Handler in one company and the ePO server in another?  Agent Handlers communicate directly with the ePO database, and therefore require extremely low latency to operate correctly. 

Post #3 in this thread describes in some detail how to set up communication between the Agent Handler, the ePO server, and the DB server.