I have a new ePO server. This server has one "normal" IP and one NAT IP.
It should be possible for clients to connect to both IPs (depending on which one is reachable from their network).
How do I configure this?
Update 2013/11/15 08:34:
I just tried to duplicate the site handler_1 in the ePO's sitelist.xml and restarted services.
<SpipeSite ID="handler_1" Enabled="1" Type="master" Name="ePO_Server" Server="server:80" ServerIP="22.214.171.124:80" ServerName="Server:80" Version="5.1.0" SecurePort="443" Order="1">
<SpipeSite ID="handler_2" Enabled="1" Type="master" Name="ePO_Server-2" Server="server-2:80" ServerIP="126.96.36.199:80" ServerName="Server-2:80" Version="5.1.0" SecurePort="443" Order="2">
Created a new FramePkg.exe and installed it on the client, which should connect through the NAT IP.
First connection worked. It shows up in ePO and downloaded policies.
Second connection fails.
The change is made in the server.ini file. Please see McAfee support article:
KB56281 - Agents fail to connect to ePO 4.x servers with two IP addresses
Titled for ePO 4.x but should still apply to 5.x too.
ePO binds to only one IP though afaik. You can't have both, but you can choose which.
First connection is working with the modified sitelist.xml. But I guess after policies are fetched the sitelist.xml is overwritten.
Hosts on the same network are working.
On the hosts behind the NAT I added a host entry in C:\Windows\System32\drivers\etc\hosts.
Looks like McAfee Agent first does a DNS lookup. So this is working. But I don't really like the host entry...
Isn't it possible to add the NAT IP to the sitelist.xml permanently?
Not to my knowledge, no. And correct: on first connection ePO will send out an updated sitelist using the ePO server's IP address.
Did the Knowledge Base article I referenced not apply?
As I mentioned, ePO only binds to one IP, but you can choose which.
What some customers do in this scenario is deploy a separate Agent Handler.
Knowledge base article is about two network interfaces. I have only one. ePO server isn't aware of NAT.
I'm going to use the relay server function in agent 4.8 on remote sites.
As I wrote before, it is working with the host entry, but it is "ugly". But since I only need it on the relay servers (~50), I guess I will stay with it.
Hoped for a better solution.
I am testing this on one of my virtual ePO servers. I have modified the server.ini and made a modification to the agent handler configuration in ePO. I am in the process of setting up a second VM to test this, but it looks promising.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\server.ini
Add to bottom - ServerIPAddress=188.8.131.52
Add to bottom - ServerIPAddress=184.108.40.206
Within ePO > Menu > Configuration > Agent Handlers
Click on the Agent Handler, modify the Published DNS and Published IP Address
I added 220.127.116.11 to the DNS and 18.104.22.168 to the IP. So far it seems to be functional, but I have not gotten a second system set up yet. It might be possible to publish the FQDN of the ePO server instead of the original IP address, but that would depend on whether the NAT subnets have access to the same DNS server or not. If they don't, then that would be the way to go, I would think.
At least ePO isn't throwing a fit.
After running the agent installation on a test server, it pulled the updated sitelist and successfully communicated with the ePO server.
Message was edited by: pboedges on 11/19/13 10:30:30 AM GMT-05:00
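As an added example (not McAfee's tooling and not code from anyone in this thread), the following Python script reads the handler entries from a sitelist.xml and the ServerIPAddress lines from a server.ini, and reports any published address that the agent's current sitelist no longer advertises. That is exactly the symptom described earlier in the thread: the hand-added NAT handler works for the first connection and then disappears when ePO pushes its own sitelist back. The root element name, the server.ini layout, the function names and the two sample sitelists are assumptions; the IP addresses are the sample values posted in the thread and are not real hosts.

```python
"""Compare the handlers in a McAfee Agent sitelist.xml with the addresses an
ePO server publishes in server.ini (ServerIPAddress=...).

Added example, not McAfee's own tooling.  Assumptions:
  * <SpipeSite> elements carry the attributes shown in the thread (ID, Name,
    Enabled, ServerIP="host:port", SecurePort, Order); the root element and
    any child elements are not relied on.
  * server.ini lists one "ServerIPAddress=<ip>" per line; everything else in
    the file is ignored.
All IPs are the sample values from the thread, not real hosts.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sitelist as the agent had it right after installing the custom
# FramePkg.exe: both handlers present.  Note the stray blank in Order="2 ".
SITELIST_INITIAL = """<?xml version="1.0" encoding="UTF-8"?>
<SiteLists>
  <SpipeSite ID="handler_1" Enabled="1" Type="master" Name="ePO_Server"
             Server="server:80" ServerIP="22.214.171.124:80"
             ServerName="Server:80" Version="5.1.0" SecurePort="443" Order="1"/>
  <SpipeSite ID="handler_2" Enabled="1" Type="master" Name="ePO_Server-2"
             Server="server-2:80" ServerIP="126.96.36.199:80"
             ServerName="Server-2:80" Version="5.1.0" SecurePort="443" Order="2 "/>
</SiteLists>
"""

# Constructed sitelist after the first agent-server communication, when ePO
# sent its own list back and the hand-added NAT handler was dropped.
SITELIST_REFRESHED = """<?xml version="1.0" encoding="UTF-8"?>
<SiteLists>
  <SpipeSite ID="handler_1" Enabled="1" Type="master" Name="ePO_Server"
             Server="server:80" ServerIP="22.214.171.124:80"
             ServerName="Server:80" Version="5.1.0" SecurePort="443" Order="1"/>
</SiteLists>
"""

# Constructed tail of server.ini with both addresses appended.
SERVER_INI = """; constructed fragment
ServerIPAddress=22.214.171.124
ServerIPAddress=126.96.36.199
"""

_IP_LINE = re.compile(r"^\s*ServerIPAddress\s*=\s*(\S+)\s*$", re.IGNORECASE)


def published_ips(ini_text):
    """Return every ServerIPAddress value in server.ini, in file order."""
    return [m.group(1) for line in ini_text.splitlines()
            if (m := _IP_LINE.match(line))]


def parse_sitelist(xml_text):
    """Return the enabled SpipeSite handlers sorted by their Order attribute."""
    handlers = []
    for site in ET.fromstring(xml_text).iter("SpipeSite"):
        if site.get("Enabled", "1") != "1":
            continue
        host, _, port = site.get("ServerIP", "").rpartition(":")
        handlers.append({
            "id": site.get("ID"),
            "name": site.get("Name"),
            "ip": host,
            "port": int(port) if port.isdigit() else None,
            "secure_port": int(site.get("SecurePort", "443")),
            # Order may carry stray whitespace (Order="2 "); strip before int()
            "order": int(site.get("Order", "0").strip()),
        })
    return sorted(handlers, key=lambda h: h["order"])


def contact_order(handlers):
    """Handler addresses (IP:SecurePort) in the order the agent will try them."""
    return [f'{h["ip"]}:{h["secure_port"]}' for h in handlers]


def unreachable_published(handlers, ini_text):
    """Published IPs from server.ini that no handler in this sitelist advertises.

    A non-empty result is the thread's symptom: the agent only knows one of the
    server's addresses, so clients on the far side of the NAT lose their path
    once the sitelist has been refreshed.
    """
    known = {h["ip"] for h in handlers}
    return [ip for ip in published_ips(ini_text) if ip not in known]


if __name__ == "__main__":
    for label, xml_text in (("initial", SITELIST_INITIAL),
                            ("refreshed", SITELIST_REFRESHED)):
        hs = parse_sitelist(xml_text)
        print(f"{label}: agent tries {contact_order(hs)}; "
              f"published IPs missing from sitelist: "
              f"{unreachable_published(hs, SERVER_INI)}")
```

Run against the real files (the agent's sitelist.xml on a client behind the NAT and the server.ini from the ePO host), a non-empty "missing" list on the refreshed sitelist tells you the NAT address was dropped on the first ASCI, which is the case for a separate Agent Handler or a relay server rather than a hand-edited sitelist.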