RRe: How to setup a McAfee ePO Agent Handler in DMZ

Guys, can't find an answer anywhere, is it possible to have AH in DMZ that manages agents of systems in DMZ and external systems?

So technically has AH internal (DMZ) IP address and external published IP address? AH has 1 NIC

cdinet (McAfee Employee), Message 32 of 36

Re: RRe: How to setup a McAfee ePO Agent Handler in DMZ

This was answered in your other post.


kylekat (Reliable Contributor), Message 33 of 36

Re: RRe: How to setup a McAfee ePO Agent Handler in DMZ

@Yellowtree This post ALSO answers your question. I have used it to configure my DMZ agent handler only for external systems (and you could add your DMZ systems as well).

In short:

  1. You use your internal firewall to prevent any internal systems from reaching or even seeing the DMZ agent handler.
  2. Within ePO - Agent Handlers, you create "Handler Assignment Rules" (evaluated from top to bottom) telling ePO which handler each of your ePO System Tree groups and subgroups should have available.
  3. You have to make sure that roaming systems like laptops, which can move from inside the network to outside of it, have both your DMZ and your internal agent handlers/ePO.
  4. All your permanent internal infrastructure should have ONLY the internal AH available.
  5. DMZ permanent infrastructure will have ONLY the DMZ AH available.

Re: RRe: How to setup a McAfee ePO Agent Handler in DMZ

kylekat, it all makes sense and this is the way we planned it.

What was unclear was how to make DMZ devices communicate with the DMZ AH over DMZ links, i.e. internally, using the internal DMZ IP address, AND how to make external devices communicate with the DMZ AH externally.

So the point was: you have an AH in the DMZ with a published external IP address, so the agents managed by it (DMZ and external systems) get that external IP address and try to communicate with it using that external IP address. However, because some DMZ systems can't initiate an external outbound connection, they won't be able to communicate using the external IP address. So they would need to communicate with the AH using its internal DMZ IP address.

Ultimately it looks like this is down to DNS. So if there's internal DNS record that resolves AH name to internal IP then agents will use that as a fallback. Initially the agent would still try to go externally because external IP address is published in AH settings. When it fails it will try to reach AH using AH internal DMZ IP address.

Another option which we haven't tried yet is to publish a DNS name in the AH settings, not an IP address. Ideally it should then query whichever DNS server is reachable: for an internal connection it resolves to the internal IP, and when external it gets resolved to the external one and goes via the firewall NAT rule that reroutes traffic to the AH in the DMZ.

Re: RRe: How to setup a McAfee ePO Agent Handler in DMZ

In regards to adding a new AH server to the DMZ: if both the firewall ports and ePO are configured correctly, would the McAfee Agent on roaming laptops need to be updated to include both the internal and DMZ AH servers, or would the roaming laptop automatically fail back to the AH server in the DMZ if it could not connect to the internal AH?

Thank you.

kylekat (Reliable Contributor), Message 36 of 36

Re: RRe: How to setup a McAfee ePO Agent Handler in DMZ

@Glenn_Bolton For the failover to happen the way you describe it, the roaming systems MUST have BOTH the internal and public AH listed. You can confirm this from the 'About' screen of your systray agent.

Wanted to show a screenshot, but the forum doesn't allow it.

The decision of which AH to use is made during the ASCI step in the agent communication: you want your roaming laptop to try one AH, and if it fails, ASCI will attempt to reach the other. This is why it's important for the internal firewall to be properly set... it has to prevent internal systems from even seeing the DMZ AH to trigger an ASCI change.
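The two posts above (the DNS fallback discussion and the ASCI failover reply) both come down to one question a defender wants to verify from a given host: which of the handlers in the agent's list is actually reachable from here, and does that match where the host sits (internal, DMZ, or roaming)? The script below is an added example written for this thread, not McAfee code and not an ePO API. It takes the handler list as it would appear on the agent's 'About' screen, tries each entry in order the way the fallback is described, and compares the result with the placement rules kylekat listed. Hostnames, IPs, and the port 443 default are constructed assumptions; set the port to whatever your ePO agent-server communication uses.

```python
"""Probe ePO Agent Handler reachability and check it against placement rules.

Added example for the thread above; not McAfee code. The handler names,
hosts and the port default are constructed assumptions.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Handler:
    name: str        # label used in reports (constructed)
    host: str        # IP or DNS name exactly as listed for the agent
    zone: str        # "internal" or "dmz"
    port: int = 443  # assumed agent-server port; set to your ePO value


ConnectFn = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Resolve host and attempt a TCP connect to each address; True on first success."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return False  # name does not resolve from this network position
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return True
        except OSError:
            continue
    return False


def probe(handlers: List[Handler], connect: ConnectFn = tcp_connect) -> Dict[str, bool]:
    """Try every listed handler and record which ones accept a connection."""
    return {h.name: connect(h.host, h.port) for h in handlers}


def first_reachable(handlers: List[Handler], connect: ConnectFn = tcp_connect) -> Optional[Handler]:
    """Walk the list in order and return the first handler that answers (the fallback order)."""
    for h in handlers:
        if connect(h.host, h.port):
            return h
    return None


def check_placement(role: str, handlers: List[Handler], reach: Dict[str, bool]) -> List[str]:
    """Compare probe results with the placement rules from the thread.

    role: "internal" (permanent internal system), "dmz" (permanent DMZ system)
          or "roaming" (laptop that moves between inside and outside).
    Returns a list of problems; an empty list means the host matches the rules.
    """
    problems: List[str] = []
    zones_listed = {h.zone for h in handlers}
    if role == "internal":
        # Internal systems must not even see the DMZ handler.
        for h in handlers:
            if h.zone == "dmz" and reach[h.name]:
                problems.append(f"internal system can reach DMZ handler {h.name}; check the internal firewall")
    elif role == "dmz":
        # A DMZ system needs at least one DMZ handler path (the internal DMZ address works
        # even when outbound connections to the published external address are blocked).
        if not any(h.zone == "dmz" and reach[h.name] for h in handlers):
            problems.append("DMZ system cannot reach any DMZ handler")
    elif role == "roaming":
        # Failover only works if BOTH handlers are in the list and one of them answers.
        if zones_listed != {"internal", "dmz"}:
            problems.append("roaming system must list both an internal and a DMZ handler")
        if not any(reach.values()):
            problems.append("roaming system cannot reach any listed handler")
    else:
        raise ValueError(f"unknown role {role!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample list; replace with the handlers shown on the agent's About screen.
    sample = [
        Handler("dmz-public", "203.0.113.10", "dmz"),
        Handler("dmz-internal", "ah-dmz.corp.example", "dmz"),
        Handler("internal", "epo.corp.example", "internal"),
    ]
    results = probe(sample)
    chosen = first_reachable(sample)
    print("reachability:", results)
    print("first reachable:", chosen.name if chosen else None)
    print("problems (as roaming):", check_placement("roaming", sample, results))
```

Run it from each class of host and compare the three outputs: an internal server should report the DMZ entries unreachable, a DMZ box that cannot go outbound should pick the internal DMZ address as its first reachable handler, and a roaming laptop should show both zones listed. The `connect` parameter exists so the decision logic can be exercised with a stand-in instead of live sockets.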
