dexterrivera
Level 8

How to setup a McAfee ePO Agent Handler in DMZ

I just recently configured this and it was successful thanks to this community, but I still had to piece it together using steps found here and some from documentation, and I was never able to find a step-by-step document. I am sharing all the steps I went through hoping this helps someone else. I am also attaching the steps as a .docx. Thanks.

HOW TO SETUP A MCAFEE EPO AGENT HANDLER IN DMZ

These steps were done using the following:

  • Windows Server 2012 R2
  • McAfee ePO 5.1

  1. Build a server running Windows Server 2012 R2 and install all of the latest security patches
  2. Have the server placed in your company’s DMZ, which should still be behind a firewall
  3. Have a published DNS record created for access from internet-based agents
  4. Have your network engineering team configure the following ports on the internal-facing firewall for communication between the ePO server and the agent handler in the DMZ:
    • Bi-directional 80
    • Bi-directional 8443 and 8444
    • Bi-directional 443
  5. The following is for communication between the agent handler in the DMZ and the internal SQL server, if your database is not on the ePO server itself:
    • Bi-directional 1433 TCP and 1434 UDP
  6. The following is to be configured on your public-facing firewall to allow communication from your workstations connecting through the public internet to your agent handler in the DMZ:
    • Inbound 80 TCP
    • Inbound 443 TCP
    • Inbound 8081 TCP
    • Inbound 8082 UDP
  7. Follow the Install remote Agent Handlers steps on pages 29-30 of https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24807/en_US/....  I used a SQL account with these https://kc.mcafee.com/corporate/index?page=content&id=KB75766&actp=null&viewlocale=en_US&showDraft=f....
  8. If you do not already have a Subgroup created for machines that should communicate with agent handler in DMZ, create one.  How you move machines there is up to you.  I am only assigning laptops so I have a tag named Laptop that is automatically applied to all laptops then have a Server Task move all machines tagged with Laptop to my DMZ Subgroup.
  9. Log into your ePO server and navigate to Menu>Agent Handlers
  10. Click New Assignment
  11. Enter name in Assignment Name field (i.e. DMZ Agent Handler Assignment)
  12. Click Add Tree Locations, and click on the ellipses button
  13. Select the DMZ Subgroup and click OK
  14. Select the Use Custom Handler List radio button
  15. Click Add Handlers
  16. From drop-down menu select the agent handler in DMZ (disregard Warning message about primary agent handler)
  17. Click Save to complete
  18. Click Edit Priority
  19. Move your DMZ Assignment to priority 1, click Save
  20. Click on Agent Handlers to get to list of agent handlers
  21. Click on the agent handler in DMZ
  22. Enter the publicly published DNS name created in step #3 in the Published DNS Name field
  23. Enter the IP that the publicly published DNS name resolves to in the Published IP Address field
  24. Click Save
  25. Now back in the Handlers list, enable the agent handler in DMZ by clicking Enable

Your machines designated to get the DMZ Agent Handler Assignment will begin getting their changes during the next couple of ASCI transactions.  You can visually confirm by checking the following registry key on a test machine:

  • Key:  HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\Agent
  • String Value Name:  ePOServerList
  • String Value Data:  <public DNS name>|<public IP address>|443

on 5/2/14 9:17:57 AM CDT
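As an added verification script (not part of the original post or of McAfee's product), the following PowerShell checks the three things the guide above depends on: the TCP ports that must be open from the DMZ handler to the internal ePO and SQL servers, the published DNS name resolving to the published IP, and the ePOServerList value on a test client. All host names and addresses are assumptions to replace with your own.

```powershell
# Added example, not part of the original post: verification for the DMZ agent-handler setup.
# Every host name and address below is an assumption; replace with your own values.
$EpoServer    = 'epo.internal.example'   # assumption: internal ePO server
$SqlServer    = 'sql.internal.example'   # assumption: SQL host, if the DB is not on ePO
$PublishedDns = 'ah-dmz.example.com'     # assumption: name published in step 3
$PublishedIp  = '203.0.113.10'           # assumption: address entered in step 23

# 1. Run on the handler in the DMZ: TCP ports the guide says must be open toward the inside.
#    1434/UDP (SQL Browser) cannot be probed with a TCP connect, so it is not listed.
$checks = @(
    @{ Host = $EpoServer; Port = 80   }, @{ Host = $EpoServer; Port = 443  },
    @{ Host = $EpoServer; Port = 8443 }, @{ Host = $EpoServer; Port = 8444 },
    @{ Host = $SqlServer; Port = 1433 }
)
foreach ($c in $checks) {
    $ok = (Test-NetConnection -ComputerName $c.Host -Port $c.Port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    $state = if ($ok) { 'OPEN' } else { 'BLOCKED' }
    '{0,-26} tcp/{1,-5} {2}' -f $c.Host, $c.Port, $state
}

# 2. The published DNS name must resolve to the IP entered in the handler settings.
$resolved = @(Resolve-DnsName -Name $PublishedDns -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
if ($resolved -contains $PublishedIp) { "$PublishedDns -> $PublishedIp  OK" }
else { Write-Warning "$PublishedDns resolves to [$($resolved -join ', ')], expected $PublishedIp" }

# 3. Run on a test client in the DMZ subgroup: read ePOServerList and look for the
#    <published DNS>|<published IP>|443 entry. On 64-bit Windows the 32-bit agent key
#    is redirected under Wow6432Node, so both paths are tried.
$paths = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
         'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
$list = $null
foreach ($p in $paths) {
    $v = Get-ItemProperty -Path $p -Name ePOServerList -ErrorAction SilentlyContinue
    if ($v) { $list = $v.ePOServerList; break }
}
if (-not $list) {
    Write-Warning 'ePOServerList not found; the agent may not have completed an ASCI yet'
} elseif ($list -match [regex]::Escape("$PublishedDns|$PublishedIp|443")) {
    "Client points at the DMZ handler: $list"
} else {
    Write-Warning "ePOServerList does not contain the DMZ handler yet: $list"
}
```

Parts 1 and 2 are meant to be run on the handler itself and part 3 on a client; if you use split DNS, the name check is only meaningful from a host that resolves through public DNS.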
23 Replies
drlandau
Level 7

Re: How to setup a McAfee ePO Agent Handler in DMZ

Hi Dexter, thanks a lot for posting the guide for everyone to use.

I'm trying the same thing, but coming up short on some questions.

1) Does your RAH server cache the Master Repository automatically? Mine don't seem to.

2) Did you setup a Distributed Repository on the RAH server as well?

3) Do the agents in your DMZ point to the RAH server as both AH and Repository server?

4) How do you deploy agents into the machines in your DMZ? Do you install FramePkg.exe manually on all servers - or do you discover via a RSD sensor on the RAH and deploy from the console via the RAH?

If you have any good points for my questions, please don't hesitate to let me know.

Thanks a lot.

Nicolaj

0 Kudos
McAfee Employee

Re: How to setup a McAfee ePO Agent Handler in DMZ

To answer your questions below:

1) Does your RAH server cache the Master Repository automatically? Mine don't seem to----------check your server log for errors pulling content from epo.  Port 80 needs to be open to the epo server.  Please check kb66797 to ensure all required ports are open.

2) Did you setup a Distributed Repository on the RAH server as well?------------Please do not do that.  It is a repository already and is not recommended.

3) Do the agents in your DMZ point to the RAH server as both AH and Repository server? ---------------- when you enable the epo server itself in your agent repository policy as an enabled repository, that also enables all agent handlers.  The ah's are considered the master repository as well by the clients - it is like a virtual extension of the epo server.

4) How do you deploy agents into the machines in your DMZ? Do you install FramePkg.exe manually on all servers - or do you discover via a RSD sensor on the RAH and deploy from the console via the RAH? -------------- systems in the dmz typically aren't on a domain, so local authentication can be difficult deploying agents due to lack of AD authentication.  However, it is possible.  In the domain field for your credentials, use just a period ( . ).  That denotes the local system account.  Then the account name needs to be a local administrator account and password.  You can also check the MA product guide for how to install the agent on an image, if you use images for your servers, so the agent is already installed.

0 Kudos
ansarias
Level 13

Re: How to setup a McAfee ePO Agent Handler in DMZ

Hello,

Looks like all steps are good. Only 2 things are important:

1. The DB.properties data should be the same as on your ePO server.

2. The below ports should be allowed by an inbound rule on the server's local firewall:

  • Inbound 80 TCP
  • Inbound 443 TCP


0 Kudos
bmand
Level 7

Re: How to setup a McAfee ePO Agent Handler in DMZ

Thanks for this write-up!

Are there any extra security precautions we should consider before attempting the same? Anything to do with a windows OS facing the outside world, or SQL server facing out?

0 Kudos
Artfulbodger
Level 13

Re: How to setup a McAfee ePO Agent Handler in DMZ

Hi

You can enable Lazy Caching on the AH by enabling the Super Agent features in the device's McAfee Agent policy. This will cause all updates requested through this AH to be cached by the McAfee Super Agent.

Policy > McAfee Agent > General > <policy name>

Super Agents Tab, "Convert Agents to Super Agents" and "Enable Lazy Caching....."

Regards

Rich

McAfee Volunteer Moderator

Certified McAfee Product Specialist - ePO

0 Kudos
McAfee Employee

Re: How to setup a McAfee ePO Agent Handler in DMZ

As an important note - The agent handler is already a repository and should not be configured as a superagent.  It is not necessary and can cause issues and additional unnecessary traffic to it since it would be servicing update requests to both locations (ah repository and superagent repository).  That is not recommended.

Also, kb66797 lists the required ports along with their direction and protocol that may be required for all things to work properly.  For an agent handler itself to epo and DB, it definitely needs the sql ports as well as epo ports, including 8443 and 8444.

0 Kudos
jaydxt01
Level 9

Re: How to setup a McAfee ePO Agent Handler in DMZ

Hi Richard,

Remote Agent Handler doesn't require the super agent policy to be enabled. RAH is a run-time (on-demand) repository, which means that if the client machine is contacting RAH for a DAT/package that is not there in this repository, then RAH will contact ePO at run time, get the package and share it with the client machine.

If you are enabling SA lazy caching then you are not utilizing the above feature which is by design.

Please let me know if you have queries regarding this. Contact McAfee for any clarification; I am 100% sure they will tell you the same.

Sir, please correct me if I am wrong.

Thanks & Regards,

AJ

Certified McAfee Product Specialist - ePO

Ex McAfee Employee

0 Kudos
rgc
Level 11

Re: How to setup a McAfee ePO Agent Handler in DMZ

Hello AJ

What you mentioned about RAH is absolutely true; there is no need for a SADR if a RAH is available.

Coming back to the second part of your question:

If you are enabling SA lazy caching then you are not utilizing the above feature which is by design.

The above statement is not clear to me.

Are you referring to a machine with both SADR & RAH enabled?

If the SADR is used with lazy caching, then do clients get updates through the SADR or the RAH?

If my understanding is right, the answer is as below:

The client update again depends on the agent repository policy.

If you have an assignment rule for RAH and ePO / only RAH,

and through the repo policy ePO is the priority in the repository list, this will take updates from the RAH.

If you assigned the priority to the SADR, then lazy caching from the SADR will trigger.

Hoping this answered your query

Regards

RGC

0 Kudos
jaydxt01
Level 9

Re: How to setup a McAfee ePO Agent Handler in DMZ

Hi RGC,

Hope you are doing well. Everyone, this guy is a gem (literally) in ePO.

Coming back to the clarification of the part which was not clear.

What I meant is, it is not recommended to have Agent Handler and Super Agent on the same box. It doesn't make sense.

Hope that clears the air

Regards,

AJ

0 Kudos