Guys, I can't find an answer anywhere: is it possible to have an AH in the DMZ that manages agents of systems in the DMZ and of external systems?
So technically it has an internal (DMZ) IP address and an external published IP address? The AH has 1 NIC.
This was answered in your other post.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
@Yellowtree This post ALSO answers your question. I have used it to configure my DMZ agent handler only for external systems (and you could add your DMZ systems as well).
kylekat, it all makes sense and this is the way we planned it.
What was unclear was how to make DMZ devices communicate with the DMZ AH over DMZ links, e.g. internally, using the internal DMZ IP address, AND how to make external devices communicate with the DMZ AH externally.
So the point was: you have an AH in the DMZ with a published external IP address, so the agents managed by it (DMZ and external systems) get that external IP address and try to communicate with it using that external IP address. However, because some DMZ systems can't initiate external outbound connections, they won't be able to communicate using the external IP address. So they would need to communicate with the AH using its internal DMZ IP address.
Ultimately it looks like this comes down to DNS. So if there's an internal DNS record that resolves the AH name to the internal IP, then agents will use that as a fallback. Initially the agent would still try to go externally because the external IP address is published in the AH settings. When it fails, it will try to reach the AH using the AH's internal DMZ IP address.
Another option which we haven't tried yet is to publish a DNS name in the AH settings, not an IP address. So ideally it should try whichever DNS server is reachable: in the case of an internal connection it resolves to the internal IP, and when external it will get resolved to the external one and go via the firewall NAT rule that'll reroute traffic to the AH in the DMZ.
In regards to adding a new AH server to the DMZ: if both the firewall ports and ePO are configured correctly, would the McAfee Agent on roaming laptops need to be updated to include both the internal and DMZ AH servers, or would the roaming laptop automatically fail back to the AH server in the DMZ if it could not connect to the internal AH?
@Glenn_Bolton For the failover to happen the way you describe it, the roaming systems MUST have BOTH internal and public AH listed. You can confirm this from the 'About' screen of your systray agent.
Wanted to show a screenshot, but the forum doesn't allow it.
The decision of which AH to use is made during the ASCI step in the agent communication: you want your roaming laptop to try one AH, and if it fails, ASCI will attempt to reach the other. This is why it's important for the internal firewall to be properly set... it has to prevent internal systems from even seeing the DMZ AH to trigger an ASCI change.
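The handler selection described above (published external address tried first, then the DNS name that split-horizon DNS resolves to the internal DMZ address or the NAT'd public one depending on where the host sits) as a small diagnostic you can run from a DMZ or roaming host to confirm the fallback actually lands where you expect. This is an added example, not code from the forum or from McAfee; the handler name, the 203.0.113.10 address and the port 443 are constructed assumptions, so substitute the values from your own AH settings.

```python
import socket
from typing import Callable, List, Optional, Tuple

# Constructed example values; the real ones come from your ePO agent handler settings.
HANDLER_NAME = "ah-dmz.example.com"  # assumed DNS name published in the AH settings
HANDLER_PORT = 443                   # assumed agent-to-handler port; check your own config

Resolver = Callable[[str], List[str]]
Probe = Callable[[str, int], bool]


def resolve(name: str) -> List[str]:
    """Resolve a handler entry to IPv4 addresses using the resolver this host is configured with.
    An IP literal resolves to itself, so the published external IP goes through the same path."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to addr:port completes within the timeout (firewall/NAT path open)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_handler(candidates: List[str], resolver: Resolver, probe: Probe,
                 port: int) -> Optional[Tuple[str, str]]:
    """Walk the handler list in order, as the agent does at ASCI time: resolve each entry,
    then try each resulting address. Returns (entry, address) of the first that answers,
    or None when nothing is reachable (the case a DMZ host without outbound access hits)."""
    for entry in candidates:
        for addr in resolver(entry):
            if probe(addr, port):
                return entry, addr
    return None


if __name__ == "__main__":
    # Order mirrors the thread: published external IP first, DNS name as the fallback.
    candidates = ["203.0.113.10", HANDLER_NAME]  # 203.0.113.10 is a constructed documentation address
    chosen = pick_handler(candidates, resolve, tcp_reachable, HANDLER_PORT)
    print("no handler reachable" if chosen is None else f"using {chosen[0]} via {chosen[1]}")
```

Run it once from a DMZ host and once from a roaming laptop outside the firewall; the DNS name should resolve to the internal and the NAT'd address respectively, and a DMZ host that cannot reach the external IP should still report the internal one.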