McAfee Employee moekhass
Message 21 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

Reliable Contributor kylekat
Message 22 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

Is a special license needed to install or deploy Agent Handlers? Or is it included in the ePO installation license?

McAfee Employee cdinet
Message 23 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

No special license is needed; it is included in the ePO license.


Re: How to setup a McAfee ePO Agent Handler in DMZ

@kylekat: There is no separate license for installation of the Agent Handler. You can find the AH installation package in the ePO installation zip file.
 
 
Reliable Contributor kylekat
Message 25 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

So I finally built the server, installed Agent Handler 5.3.3 and set the firewall with the right ports. I tested the handler on the open internet and it works if I force the handler on an endpoint system the way that is described in the guide.

The challenge I'm facing is making the systems reach the internal handler (main ePO server) or the secondary (in DMZ) depending on the system being on VPN/office or away (home, airport, hotel, etc.).

I don't feel McAfee Agent is failing over from one Agent Handler to the other when it gets no response from it. Wouldn't the bottom default rule "Handler Priority: Use all agent handlers" automatically make all endpoints check for connectivity to either agent handler?

UPDATE: It ended up being that the default bottom rule is not what I thought it was. As soon as I created a top rule telling it to FIRST attempt the ePO server and SECOND attempt the DMZ agent handler... my systems started doing what I expected them to do. You can see the 2 options when you right-click on the McAfee icon in the systray and click ABOUT. Both should show up there (as well as in the registry key mentioned in the first post).

Re: How to setup a McAfee ePO Agent Handler in DMZ

I would suggest creating an additional AH assignment rule and, in its configuration, specifying which systems should contact which AH.

Let me know if this helps or you need more info on this. 

 

Regards,

AJ

Re: How to setup a McAfee ePO Agent Handler in DMZ

I really hope someone has a positive answer for my challenge:

 

I have set up an agent handler in the DMZ, having all the ports opened on the firewall except for the LDAP ports, which we do not want to allow from the DMZ to the internal network. Communication from the agents to the agent handler works perfectly from the internet; policies and client tasks are downloaded successfully. Changed policies are updated and applied correctly after clients receive them at the next ASCI.

However, software cannot be retrieved from the ePO master repository by the agent handler. In other words, when installing an agent on the agent handler itself, software, e.g. Endpoint Security, is not downloaded and updates are unsuccessful. Agents on the agent handler and clients report "unable to find a valid repository". Technical Support requested me to open the LDAP ports as well, just to determine if that will resolve the issue.

The problem is that they cannot answer me on the question of why the LDAP ports must be open.

Does anybody have success with retrieving software from the agent handler in the DMZ?

Thanks and regards

 

 

McAfee Employee cdinet
Message 28 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

Make sure to check KB66797, required ports. When the agent handler is unable to get software from the master repository, there is typically a missing port on the firewall. The only reason you would ever need LDAP ports open is if you are using any user-based policies at all; otherwise it is not needed. And if you ever did need it, you would only need to open it from the agent handler to the LDAP server, not the clients.

Check the server log in the agent handler DB folder where it is installed; that can show you errors when a client requests software and the server tries to pull it from ePO.


Reliable Contributor kylekat
Message 29 of 36

Re: How to setup a McAfee ePO Agent Handler in DMZ

Thank you jdxt01, I had already successfully made things work the way I wanted. I actually had put an "UPDATE" part on my latest post explaining how I fixed it.

Csmith, would an offline installation of the modules you are trying to deploy help you work around the problem? You can install ENS locally on the DMZ server and, as long as agent communication to ePO is not failing, that should at least get you protected. I know this doesn't directly answer your question, but maybe it helps. Additionally, why are you opening ALL ports except LDAP in the internal firewall? This completely misses the point of having this server built in the DMZ. No server in your internal network should be able to reach this Agent Handler; it should only be used externally by your roaming endpoints.

Re: How to setup a McAfee ePO Agent Handler in DMZ

Hi Kylekat

No, I meant the required ports for the process to work (according to the KB article). However, I have viewed the log file as you suggested, cdinet, and saw these entries that led me to believe that the port it wants to use, 443, may not be open after all:

20180412222232 E #04960 MOD_EPOREPO WinHttpDownloader.cpp(191): Failed to send http request.  System error=12002
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(393): Error connecting to https://xxxxxxxxxxx:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(484): Failed to download content for https://xxxxxxxxxxx:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log, system error 2

I will request our firewall team to confirm and provide feedback.

Regards
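The log lines quoted above are the quickest evidence of which firewall rule is missing: the MOD_EPOREPO module records the repository URL it tried and the WinHTTP system error it got back. The script below is an added example for this thread, not McAfee code and not part of any post. It parses agent handler server-log lines in the layout shown above (timestamp, level, thread id, module, source file, message), groups the failed downloads by repository host and port, and names the WinHTTP error so the right layer (DNS, TCP connect, TLS) can be checked first. The sample lines are constructed; the host name epo.example.internal is a placeholder standing in for the masked host in the post, and the WinHTTP code names come from the standard ERROR_WINHTTP_* table.

```python
"""Summarize ePO Agent Handler repository download failures from the server log.

Added example for this thread, not McAfee code. Assumes the line layout
quoted in the post: '<14-digit timestamp> <level> #<thread> <module>
<file>(<line>): <message>'. Sample lines below are constructed.
"""
import re
import sys
from collections import Counter
from urllib.parse import urlparse

# Standard WinHTTP error codes (ERROR_WINHTTP_*, 12000 range) that appear as
# "System error=NNNNN" on the "Failed to send http request" line, with the
# layer a defender should verify first for each one.
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT: connect/response timed out (port silently filtered?)",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED: DNS lookup of the repository host failed",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT: connection refused or reset",
    12175: "ERROR_WINHTTP_SECURE_FAILURE: TLS handshake or certificate problem",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[A-Z])\s+#(?P<thread>\d+)\s+(?P<module>\S+)\s+"
    r"(?P<src>[\w.]+\(\d+\)):\s+(?P<msg>.*)$"
)
SYSERR_RE = re.compile(r"System error=(\d+)")
URL_RE = re.compile(r"(https?://[^\s,]+)")

# Constructed sample: the three error lines mirror the post, plus one
# informational line to show that non-error lines are ignored.
SAMPLE_LOG = """\
20180412222232 E #04960 MOD_EPOREPO WinHttpDownloader.cpp(191): Failed to send http request.  System error=12002
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(393): Error connecting to https://epo.example.internal:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(484): Failed to download content for https://epo.example.internal:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log, system error 2
20180412222240 I #04960 MOD_EPOREPO UrlCacheObject.cpp(120): Cache refresh scheduled
"""


def parse_line(line):
    """Split one server-log line into fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["thread"] = int(rec["thread"])
    se = SYSERR_RE.search(rec["msg"])
    rec["syserr"] = int(se.group(1)) if se else None
    u = URL_RE.search(rec["msg"])
    rec["url"] = u.group(1) if u else None
    return rec


def summarize(lines):
    """Count MOD_EPOREPO errors per repository (host, port) and per WinHTTP code."""
    targets = Counter()
    winhttp = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["module"] != "MOD_EPOREPO" or rec["level"] != "E":
            continue
        if rec["url"]:
            p = urlparse(rec["url"])
            # Fall back to the scheme default when the URL carries no explicit port.
            port = p.port or (443 if p.scheme == "https" else 80)
            targets[(p.hostname, port)] += 1
        if rec["syserr"] in WINHTTP_ERRORS:
            winhttp[rec["syserr"]] += 1
    return targets, winhttp


def diagnose(lines):
    """Turn the counters into human-readable findings for the firewall team."""
    targets, winhttp = summarize(lines)
    findings = []
    for (host, port), n in targets.most_common():
        findings.append(
            f"{n} download failure(s) against {host}:{port} - "
            f"confirm the agent-handler-to-ePO rule for TCP/{port}"
        )
    for code, n in winhttp.most_common():
        findings.append(f"{n}x WinHTTP {code}: {WINHTTP_ERRORS[code]}")
    return findings


if __name__ == "__main__":
    # Usage: python ah_repo_log.py [path-to-server-log]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_LOG.splitlines()
    for finding in diagnose(source):
        print(finding)
```

Run it against the server log from the agent handler's DB folder; a 12002 timeout paired with a single host:port, as in the lines above, points at a rule that silently drops traffic rather than a refused connection, which is the case a firewall team can confirm with a packet capture on the inside interface.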
