McAfee Employee cdinet, Message 31 of 61

Re: How to setup a McAfee ePO Agent Handler in DMZ


Make sure to check KB66797, required ports. When the agent handler is unable to get software from the master repository, there is typically a missing port on the firewall. The only reason you would ever need LDAP ports open is if you are using any user-based policies at all; otherwise it is not needed. And if you ever did need it, you would only need to open it from the agent handler to the LDAP server, not the clients.

Check the server log in the agent handler's db folder, where it is installed; that can show you errors when a client requests software and the server tries to pull it from ePO.


Reliable Contributor kylekat, Message 32 of 61

Re: How to setup a McAfee ePO Agent Handler in DMZ


Thank you jdxt01, I had already successfully made things work the way I wanted. I actually had put an "UPDATE" part on my latest post explaining how I fixed it.

Csmith, would an offline installation of the modules you are trying to deploy help you work around the problem? You can install ENS locally on the DMZ server and, as long as agent communication to ePO is not failing, it should at least get you protected. I know this doesn't directly answer your question, but maybe it helps. Additionally, why are you opening ALL ports except LDAP in the internal firewall? This completely misses the point of having this server built in the DMZ. No server in your internal network should be able to reach this Agent Handler; it should only be used externally by your roaming endpoints.

Re: How to setup a McAfee ePO Agent Handler in DMZ


Hi Kylekat

No, I meant the required ports for the process to work (according to the KB article).  However, I have viewed the log file as you suggested, cdinet, and saw these entries that led me to believe that the port it wants to use, 443, may not be open after all:

20180412222232 E #04960 MOD_EPOREPO WinHttpDownloader.cpp(191): Failed to send http request.  System error=12002
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(393): Error connecting to https://xxxxxxxxxxx:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(484): Failed to download content for https://xxxxxxxxxxx:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log, system error 2

I will request our firewall team to confirm and provide feedback.

Regards
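The three MOD_EPOREPO lines quoted in that post are exactly what is worth pulling out of the handler's server log automatically rather than by eye. The following is an added example (not McAfee code and not from any post in this thread) that parses lines in the layout shown, carries the WinHTTP code forward to the URL the handler was fetching on the same thread, and names the host:port that the firewall team needs to check. The sample log is constructed from the three quoted lines plus one made-up informational line; the line layout is assumed to be consistent with the quoted lines, and the meanings of the WinHTTP codes are taken from Microsoft's WinHTTP documentation.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the three MOD_EPOREPO error lines quoted in the thread,
# plus one made-up informational line to show non-error records are ignored.
SAMPLE_LOG = """\
20180412222232 E #04960 MOD_EPOREPO WinHttpDownloader.cpp(191): Failed to send http request.  System error=12002
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(393): Error connecting to https://xxxxxxxxxxx:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log
20180412222232 E #04960 MOD_EPOREPO UrlCacheObject.cpp(484): Failed to download content for https://xxxxxxxxxxx:443/Software/Current/AMCORDAT2000/DAT/0000/replica.log, system error 2
20180412222233 I #04960 MOD_EPOREPO UrlCacheObject.cpp(120): Cache refresh scheduled
"""

# <timestamp> <level> #<thread> <module> <file(line)>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[A-Z])\s+#(?P<thread>\d+)\s+"
    r"(?P<module>\S+)\s+(?P<src>[^:]+):\s*(?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://\S+?(?=[,\s]|$)")
SYSERR_RE = re.compile(r"[Ss]ystem error\s*=?\s*(\d+)")

# Small subset of WinHTTP error codes (Microsoft WinHTTP documentation).
# The downloader reports them as "System error=NNNNN".
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT (no reply at all: packets most likely dropped by a firewall)",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED (DNS lookup failed on the handler)",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT (connection refused or reset)",
    12175: "ERROR_WINHTTP_SECURE_FAILURE (TLS handshake or certificate problem)",
}


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["thread"] = int(rec["thread"])
        u = URL_RE.search(rec["msg"])
        rec["url"] = u.group(0) if u else None
        e = SYSERR_RE.search(rec["msg"])
        rec["syserr"] = int(e.group(1)) if e else None
        records.append(rec)
    return records


def failed_targets(records):
    """Map "host:port" -> (winhttp_code, explanation) for failed repository fetches.

    The WinHTTP code and the URL are logged on separate lines of the same
    thread, so the most recent WinHTTP code per thread is carried forward
    until an "Error connecting to <url>" line names the target.
    """
    pending = {}   # thread id -> last WinHTTP code seen
    targets = {}   # "host:port" -> (code, explanation)
    for rec in records:
        if rec["level"] != "E" or rec["module"] != "MOD_EPOREPO":
            continue
        if rec["syserr"] in WINHTTP_ERRORS:
            pending[rec["thread"]] = rec["syserr"]
            continue
        if rec["url"] and rec["msg"].startswith("Error connecting to"):
            p = urlparse(rec["url"])
            port = p.port or (443 if p.scheme == "https" else 80)
            code = pending.pop(rec["thread"], None)
            targets[f"{p.hostname}:{port}"] = (
                code, WINHTTP_ERRORS.get(code, "unknown WinHTTP error"))
    return targets


if __name__ == "__main__":
    for target, (code, why) in failed_targets(parse_log(SAMPLE_LOG)).items():
        print(f"handler could not reach {target}: {code} {why}")
```

Run it against the real log with `parse_log(open(path, errors="replace").read())`; a 12002 against the ePO server's 443 is the signature of a silently dropped connection, which is what the firewall team should be asked to confirm.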

Re: How to setup a McAfee ePO Agent Handler in DMZ


Guys, I can't find an answer anywhere: is it possible to have an AH in the DMZ that manages agents of systems in the DMZ and external systems?

So technically the AH has an internal (DMZ) IP address and an external published IP address? The AH has 1 NIC.

McAfee Employee cdinet, Message 35 of 61

Re: How to setup a McAfee ePO Agent Handler in DMZ


This was answered in your other post.


Reliable Contributor kylekat, Message 36 of 61

Re: How to setup a McAfee ePO Agent Handler in DMZ


@Yellowtree This post ALSO answers your question. I have used it to configure my DMZ agent handler only for external systems (and you could add your DMZ systems as well).

In short:

  1. You use your internal firewall to prevent any internal systems from reaching or even seeing the DMZ agent handler
  2. Within ePO - Agent Handlers, you create "Handler Assignment Rules" (from top to bottom) telling ePO what handler should each of your ePO system Tree groups and subgroups have available.
  3. You have to make sure that roaming systems like laptops, which can change from within the network to outside of it, have both your DMZ as well as internal agent handlers/ePO.
  4. All your permanent internal infrastructure should have ONLY the internal AH available.
  5. DMZ permanent infrastructure will have ONLY the DMZ AH available.

Re: How to setup a McAfee ePO Agent Handler in DMZ


kylekat, it all makes sense and this is the way we planned it.

What was unclear was how to make DMZ devices communicate with the DMZ AH over DMZ links, i.e. internally, using the internal DMZ IP address, AND how to make external devices communicate with the DMZ AH externally.

So the point was, you have an AH in the DMZ with a published external IP address, so the agents managed by it (DMZ and external systems) get that external IP address and try to communicate with it using that external IP address. However, because some DMZ systems can't initiate external outbound connections, they won't be able to communicate using the external IP address. So they would need to communicate with the AH using its internal DMZ IP address.

Ultimately it looks like this is down to DNS. So if there's an internal DNS record that resolves the AH name to the internal IP, then agents will use that as a fallback. Initially the agent would still try to go externally, because the external IP address is published in the AH settings. When that fails it will try to reach the AH using the AH's internal DMZ IP address.

Another option which we haven't tried yet is to publish a DNS name in the AH settings, not an IP address. So ideally it should query whichever DNS server is reachable: in the case of an internal connection it resolves to the internal IP, and when external it will get resolved to the external one and go via the firewall NAT rule that'll reroute traffic to the AH in the DMZ.

 

Re: How to setup a McAfee ePO Agent Handler in DMZ


In regards to adding a new AH server to the DMZ: if both the firewall ports and ePO are configured correctly, would the McAfee Agent on roaming laptops need to be updated to include both the internal and DMZ AH servers, or would the roaming laptop automatically fail back to the AH server in the DMZ if it could not connect to the internal AH?

Thank you.

Reliable Contributor kylekat, Message 39 of 61

Re: How to setup a McAfee ePO Agent Handler in DMZ


@Glenn_Bolton For the failover to happen the way you describe it, the roaming systems MUST have BOTH the internal and the public AH listed. You can confirm this from the 'About' screen of your systray agent.

Wanted to show a screenshot, but the forum doesn't allow it.

The decision of which AH to use is made during the ASCI step in the agent communication: you want your roaming laptop to try one AH, and if it fails, ASCI will attempt to reach the other. This is why it's important for the internal firewall to be properly set; it has to prevent internal systems from even seeing the DMZ AH to trigger an ASCI change.
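To make the "both handlers listed, tried in order" behaviour above concrete, and to show how it combines with the split-horizon DNS idea raised a few posts earlier (one published name, different answers inside and outside), here is an added model of how an agent could walk its handler list. It is not the McAfee Agent's own logic, which this thread does not document; the handler names, the RFC 5737 test addresses, the default port of 443, and the fake resolver and probe used for the demo are all assumptions for illustration. The real `tcp_probe` is kept so the same `choose_handler` can be pointed at live names.

```python
import socket
from dataclasses import dataclass


@dataclass
class Handler:
    name: str          # DNS name or literal IP as published in the AH settings (assumed)
    port: int = 443    # assumed default agent-to-handler port


@dataclass
class Attempt:
    name: str
    address: str
    reason: str        # "ok", "timeout", "refused", "unresolved", or "error:<errno>"


def tcp_probe(address, port, timeout=3.0):
    """Try one TCP connection; return 'ok' or a short failure reason."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "ok"
    except socket.timeout:
        return "timeout"        # silent drop, which is what a firewall deny usually looks like
    except ConnectionRefusedError:
        return "refused"        # host reachable but nothing listening (or a reject rule)
    except OSError as exc:
        return f"error:{exc.errno}"


def choose_handler(handlers, resolve=socket.gethostbyname, probe=tcp_probe):
    """Walk the handler list in order; return (chosen_handler_or_None, attempts).

    `resolve` maps a published name to an address. With split-horizon DNS the
    same name yields the internal address inside and the NAT'd address outside.
    `probe` is called with (address, port) and returns 'ok' on success.
    """
    attempts = []
    for h in handlers:
        try:
            address = resolve(h.name)
        except OSError:                       # socket.gaierror is an OSError
            attempts.append(Attempt(h.name, "", "unresolved"))
            continue
        reason = probe(address, h.port)
        attempts.append(Attempt(h.name, address, reason))
        if reason == "ok":
            return h, attempts
    return None, attempts


# --- constructed demo data (assumed names and RFC 5737 test addresses) ------
INTERNAL_AH = Handler("epo-ah-internal.corp.example")
DMZ_AH = Handler("epo-ah-dmz.example.com")
ROAMING_LIST = [INTERNAL_AH, DMZ_AH]      # what a roaming laptop should carry
INTERNAL_ONLY_LIST = [INTERNAL_AH]        # what permanent internal servers carry

# Two DNS views of the same names.
INSIDE_VIEW = {"epo-ah-internal.corp.example": "192.0.2.10",
               "epo-ah-dmz.example.com": "192.0.2.50"}      # DMZ-side address
OUTSIDE_VIEW = {"epo-ah-dmz.example.com": "203.0.113.50"}   # NAT'd public address

# Reachability as the firewall rules described in the thread would produce it.
REACHABLE_FROM_INSIDE = {"192.0.2.10"}     # DMZ AH deliberately invisible from the LAN
REACHABLE_FROM_OUTSIDE = {"203.0.113.50"}  # internal AH never exposed


def view_resolver(view):
    def resolve(name):
        if name not in view:
            raise socket.gaierror(f"{name}: not in this DNS view")
        return view[name]
    return resolve


def fake_probe(reachable):
    return lambda address, port: "ok" if address in reachable else "timeout"


def simulate(handlers, view, reachable):
    return choose_handler(handlers, view_resolver(view), fake_probe(reachable))


if __name__ == "__main__":
    for label, lst, view, reach in [
        ("roaming laptop on the LAN", ROAMING_LIST, INSIDE_VIEW, REACHABLE_FROM_INSIDE),
        ("roaming laptop at home", ROAMING_LIST, OUTSIDE_VIEW, REACHABLE_FROM_OUTSIDE),
        ("internal server", INTERNAL_ONLY_LIST, INSIDE_VIEW, REACHABLE_FROM_INSIDE),
        ("internal server given only the DMZ AH", [DMZ_AH], INSIDE_VIEW, REACHABLE_FROM_INSIDE),
    ]:
        chosen, attempts = simulate(lst, view, reach)
        print(f"{label}: {chosen.name if chosen else 'NO HANDLER'} {attempts}")
```

The last case in the demo is the misconfiguration the thread warns about: a system that carries only a handler it cannot reach ends with no handler at all, and with a real probe each failed entry costs a full connect timeout before the next one is tried.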

Re: How to setup a McAfee ePO Agent Handler in DMZ


Hello,

I would like to know what specifications the Agent Handler VM server should have.

(How many GB of RAM and how many GB of system disk on the VM?)

Thanks in advance.

Regards

 
