
Re: How to setup a McAfee ePO Agent Handler in DMZ

Afternoon,

What server specs did you require?

RAM?

Disk?

CPU?

Regards

Iain

vmnit
Level 7
Message 12 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

All,

I have been trying for quite some time to get my Agent Handler to work for remote users and am not able to.

Overview:

-Load Balancer

-2 Agent Handlers

-Inbound Allow: 80 and 443

-Trusted public certificate installed on load balancer

-Agent Handler groups and Assignment configured

My systems cannot connect to the Agent Handlers through the load balancer. Has anyone successfully configured agent handlers behind a load balancer? Any pointers would help.

Do I need to enable PING/ICMP to the load balancer VIP?

Thank you

Re: How to setup a McAfee ePO Agent Handler in DMZ

You cannot have the trusted cert on the load balancer. You need the load balancer to pass the traffic in as a bridge straight through without intercepting the traffic. The agent will see that cert and not communicate, as it's looking for the cert from the AH or ePO server in its list.
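Added example, not part of any post in this thread: one way to check the point made in the reply above is to compare the certificate presented through the load balancer VIP with the certificates the Agent Handlers present directly. The host arguments, function names and sample byte strings are assumptions made for illustration; the handlers would have to be queried from a network position that can reach them directly.

```python
import hashlib
import socket
import ssl
import sys

# Constructed placeholder bytes standing in for DER certificates (not real certs).
SAMPLE_HANDLERS = {"ah1": b"constructed-der-ah1", "ah2": b"constructed-der-ah2"}
SAMPLE_LB_CERT = b"constructed-der-public-ca-cert-on-lb"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a listener presents; nothing is validated here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # bytes are only compared, never trusted
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def classify_vip(vip_der: bytes, handler_ders: dict) -> dict:
    """Report which handler's certificate, if any, is visible through the VIP."""
    vip_fp = fingerprint(vip_der)
    matches = sorted(n for n, der in handler_ders.items() if fingerprint(der) == vip_fp)
    # No match means something in the path presents its own certificate.
    verdict = "passthrough" if matches else "terminated-or-replaced"
    return {"vip_sha256": vip_fp, "matches": matches, "verdict": verdict}

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: script.py <vip-host> <handler-host> [<handler-host> ...]
        vip = fetch_leaf_der(sys.argv[1])
        handlers = {h: fetch_leaf_der(h) for h in sys.argv[2:]}
    else:  # offline run on the constructed sample
        vip, handlers = SAMPLE_LB_CERT, SAMPLE_HANDLERS
    print(classify_vip(vip, handlers))
```

A `terminated-or-replaced` verdict means the VIP is presenting a certificate that none of the listed handlers presents, which is the condition the reply describes.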

vmnit
Level 7
Message 14 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

After changing the LB settings, I realized that we just have to allow 443 TCP to pass through, and that is now working. Thank you.

Re: How to setup a McAfee ePO Agent Handler in DMZ

Correct me if I am wrong, but for step 6 above, I think it should be corrected as:

  • Inbound 80 TCP
  • Inbound 443 TCP
  • Outbound 8081 TCP
  • Outbound 8082 UDP

In fact, I think that the 2 outbound ports are probably not working in most cases as they are under the router/NAT devices...

Thanks,

Young-

vmnit
Level 7
Message 16 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

I believe you are correct. Don't set any outbound, just inbound from the McAfee Agents to the DMZ Handlers. Even if you set outbound, the Agent Handler won't be able to communicate to the McAfee Agents.

johnmoe
Level 11
Message 17 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

"Inbound" and "outbound" both depend on which side of the firewall you're on. 😛 You want TCP 80 + 443 open from AgentHandler to clients, and TCP 8081 + UDP 8082 open from clients to AgentHandler.

McAfee Employee cdinet
Message 18 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

Port 8081 is only needed for the ePO server/AH to send wakeup calls and for the agent itself to receive them. The agents are the only thing listening on that port. 8082 is only used for sending superagent wakeup calls. That is where you send a superagent wakeup call to a superagent and it in turn sends a wakeup call to all the clients in its broadcast subnet. That is rarely ever used.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: How to setup a McAfee ePO Agent Handler in DMZ

Why do the SQL ports need to be opened bi-directionally?

McAfee Employee cdinet
Message 20 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

SQL ports do not need to be bi-directional - see KB66797 - outbound from ePO/Agent Handler to SQL server (or inbound on the SQL server from ePO/AH).

