
agent handler in DMZ

Is it possible to have agent handler in DMZ with one NIC (private IP address) and public IP address that is NATed to it and have this agent handler manage external systems AND systems that sit in DMZ?

The way I see it is that only 1 published IP address can be configured in AH settings, so say it's external. Now in that case how would systems in DMZ connect to it? I take it using the public IP address so traffic will go out of the network and come back from the outside. 

But is it possible for DMZ systems to go internally using the internal IP of AH, and external systems use the external IP address? Some DNS tweaks perhaps? 

Would be really thankful for any ideas...

11 Replies
Hawkmoon (McAfee Employee), Message 2 of 12

Re: agent handler in DMZ

Hi Yellowtree,

In terms of the products (ePO, MA, remote AH setups) the short answer is no I'm afraid.

There are articles that discuss issues related to failed communication when a system has more than one NIC where the MA or ePO bind to the 'other card' at restart breaking communication.

McAfee Agent on a computer with multiple NIC cards cannot be bound to a specific IP address
Technical Articles ID: KB53169

How to use ePolicy Orchestrator and Remote Agent Handlers on servers that have multiple NICs
Technical Articles ID: KB56281

Some computers listed in the directory are unable to be managed on an ePolicy Orchestrator server that has two NICs installed
Technical Articles ID: KB56308

How to use SuperAgent and Agent Relay features on systems with multiple Network Interface Cards
Technical Articles ID: KB90964


If you wish to use DNS tweaks or redirects etc., that is up to you; it is not something support or the products do or support.


You could create a 'product Idea' (formerly FMR) to see if such functionality can be added into the software:
How to submit a new Product Idea (Product Enhancement Request)
Technical Articles ID: KB60021

Yellowtree (original poster), Message 3 of 12

Re: agent handler in DMZ

Hi Hawkmoon,

Just so we are on the same page here...

The server in DMZ (AH) will only have 1 NIC. That NIC would have an internal IP address, say 192.168.1.1, that it will also use to communicate within DMZ and with the ePO server that will be sitting inside our org, say 10.0.0.1. The AH will also have a NAT rule on the external firewall that will translate say 192.168.1.1 to 8.8.8.8. Question is, will it work, or is it supposed to work like this? So DMZ systems will communicate to AH using 192.168.1.1 and external clients will communicate to AH using 8.8.8.8 (NATed IP).

The behaviour we see in the lab is this: in AH settings we have published IP 8.8.8.8. The priority is to try internal ePO, then AH. So what we see if the agent sits in DMZ in the 192.168.1.0/24 subnet is that it tries 10.0.0.1 (internal IP) first. Fails, then it tries 8.8.8.8 (public external IP), also fails coz it doesn't have the connection to the internet, and then it tries 192.168.1.1 (DMZ IP of the AH). So with this model it sort of works the way that we want; however, I'm just wondering, is it the way it is supposed to work, or does it support the above model at all? Coz if it doesn't then basically it means that I would need to have 2 AH in DMZ, 1 to communicate within DMZ and another for external connections? Which again, strange, coz as far as I understood there are people that have only 1 ePO server and it can host internal and external clients without AH in the equation...

Hawkmoon (McAfee Employee), Message 4 of 12

Re: agent handler in DMZ

Hi Yellowtree,

OK, that fills in a few holes for me, and I believe you need to have a look at this KB about AH setups:

How to use ePolicy Orchestrator and Remote Agent Handlers on servers that have multiple NICs
Technical Articles ID: KB56281

"Problem
When the ePO Server or Remote Handlers use more than one Network Interface Card (NIC), it could result in a connection issue. The McAfee Agent on a managed client system could use the wrong IP address to connect to a Remote Handler or the ePO server.
For example:
Suppose a Remote Handler has one NIC that faces the internal network and another NIC that faces an external network.
Then, an external client system tries to connect to the handler and uses the IP address of the internal NIC.
The result is the client system fails to connect to this Remote Handler if DNS resolution of the server does not resolve to the external IP address...."

Yellowtree (original poster), Message 5 of 12

Re: agent handler in DMZ

Hi Hawkmoon,

Yes makes sense, thank you. However the KB explains about 2 NICs, in our case we would just have 1 NIC, but the AH is going to be reachable via 2 IP addresses, 1 external IP and 1 internal IP...

cdinet (McAfee Employee), Message 6 of 12

Re: agent handler in DMZ

All you need to do is in the agent handlers section, choose that AH, then add the public IP and host name to the agent handler properties under published dns/ip.  As long as the firewall routes it properly, then you should be fine.

Yellowtree (original poster), Message 7 of 12

Re: agent handler in DMZ

thanks mate, will do that.

I guess my frustration comes from the fact that I don't quite understand how it all works. I mean, if the published IP is external, and that info is delivered to the agents, then how do internal DMZ systems know that they need to reach AH via its internal DMZ IP if the connection via the external IP fails... where do they get the internal IP information from, if only the external is published?

cdinet (McAfee Employee), Message 8 of 12

Re: agent handler in DMZ

Unfortunately they wouldn't.  Internal systems shouldn't be using the dmz ah, they should only be using internal ones.  If they do use it, they would be using the external connection info.

Yellowtree (original poster), Message 9 of 12

Re: agent handler in DMZ

sorry, by internal systems I meant DMZ systems...

and, this is the strange thing, hence the confusion, they DO fall back to the internal IP in our test deployment.

So agent that is installed on a DMZ server tries external IP (published in AH settings) - fails, because DMZ server doesn't have connection to the internet. Then the agent falls back to INTERNAL IP address of the AH. The only thing I can come up with really is that it tries to resolve it using internal DNS that has entry for internal IP for AH in DMZ.

cdinet (McAfee Employee), Message 10 of 12 (Accepted Solution)

Re: agent handler in DMZ

Yes, it will use dns.  If your dns has an entry for both the internal and external IP's, then yes, that will work.

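As an added example (not McAfee's code and not from any post in this thread), here is a small Python check for the split-horizon DNS arrangement the accepted answer relies on: it compares what a client's resolver returns for the AH name with the address that client should be using, and walks the connection order the thread describes (internal ePO, then the AH's published IP, then the AH name via DNS). The AH hostname, port 443 and that candidate order are assumptions; the addresses are the constructed ones quoted in the thread.

```python
import socket
from ipaddress import ip_address, ip_network

# Constructed values mirroring the thread's example addresses; replace with your own.
AH_FQDN = "ah.example.com"            # assumed DNS name of the DMZ agent handler
AH_INTERNAL_IP = "192.168.1.1"        # the AH's single NIC, as in the thread
AH_PUBLIC_IP = "8.8.8.8"              # the NAT'd public address quoted in the thread
EPO_INTERNAL_IP = "10.0.0.1"          # the internal ePO server quoted in the thread
DMZ_SUBNET = ip_network("192.168.1.0/24")
AH_PORT = 443                         # assumed agent-server communication port


def expected_ah_ip(client_ip):
    """Address a client should end up using: DMZ hosts use the NIC address,
    everything else the published (NAT'd) address."""
    return AH_INTERNAL_IP if ip_address(client_ip) in DMZ_SUBNET else AH_PUBLIC_IP


def check_split_dns(client_ip, resolve=socket.gethostbyname):
    """Resolve the AH name with this client's resolver and compare it with
    the address the client ought to be using (split-horizon DNS check)."""
    resolved = resolve(AH_FQDN)
    expected = expected_ah_ip(client_ip)
    return {"client": client_ip, "resolved": resolved,
            "expected": expected, "ok": resolved == expected}


def tcp_probe(ip, port=AH_PORT, timeout=2.0):
    """True if a TCP connection to ip:port succeeds (agent-style reachability test)."""
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def agent_connection_order(resolve=socket.gethostbyname, probe=tcp_probe):
    """Walk the candidates in the order the thread describes (assumed): internal
    ePO, then the AH's published IP, then the AH name via DNS. Returns every
    attempt as (label, ip, reachable) plus the first address that answered, or None."""
    candidates = [("epo", EPO_INTERNAL_IP),
                  ("published", AH_PUBLIC_IP),
                  ("dns", resolve(AH_FQDN))]
    attempts = []
    for label, ip in candidates:
        ok = probe(ip, AH_PORT)
        attempts.append((label, ip, ok))
        if ok:
            return attempts, ip
    return attempts, None
```

Run `check_split_dns` once from a DMZ host and once from an external host; a DMZ host whose resolver hands back the public address is the misconfiguration that leaves it with no working path to the AH.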