Internal Clients went for updates from Mcafee site instead of internal ePo
we found some internal clients are getting updates from outside that is McAfee public source, instead of ePO .
We found this in firewall alot of traffic going to specefic subnet when we resolved that it was Mcafee site(nai.update.com)
But we need to find why this was happed we checked all the Agent policies and Server Task status but nothing found in this time frame to relate.
Then we collected MER logs next day by ePO server and some of the Clinets logs but, Technical support person told us to Logs you provided are later date. so we can't find any insight for this incident that happened, i Asked Technical Support person you told me collect the logs even from ePO and Agent , he has to aware how many days Agent logs would be exists,
for how many days Agent logs will be extracted ?
Do we have any way, we can find any reason from ePO Server logs?
is thier any way we can find why ePo was failed to give updates, clients are tried or not this details from ePO logs?
Re: Internal Clients went for updates from Mcafee site instead of internal ePo
In the agent policy you can set the log sizes a little larger and rollover count to 5 or more to capture a larger time frame. By default there is only one backup log, so they can roll over easy. The mcscript log on the clients will be the most revealing for why it could not use a specific repository. I would suggest monitoring repository usage by the default repository query in epo and if you see a spike in using the McAfee site, gather a mer from an affected client right away and from the epo server. Most likely the server logs have rolled over too. In the server log, if epo was having issues with giving up repository content, you would see those errors fairly clearly.
If you are using distributed repositories and replicating to them, make sure your scheduling follows this pattern so that the repositories will always be up to date sites.
Pull from McAfee site
Replicate to repositories after pull
Clients update after replication and before the next pull.
Was my reply helpful? If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?