The first page you are referring to is the download page that contains the info that the clients will use to connect to this server. If it is an open http server then you don't even need creds here. The 2nd page is the replication page. Here you need the creds needed to be able to upload and modify the dist. repo.
Hi Jeff - thanks for that - I'd pretty much figured that out by now and things have moved on a bit :)
Problem now seems to be that more ports than the "ePO specific" ones need to be allowed through a firewall than just HTTP to use an HTTP Repository (create it and replicate to it) - now seeing TCP Port 445 being bounced, which I believe is associated with SMB/NetBIOS/Sharing - which is a definite "no-no" through a firewall into a DMZ for us...
It seems as if the requirement to enter a UNC to a Share for the Repository Folder on the repository configuration page may be the reason... checked the ePO 4 config. info from the manual and it now no longer asks for the UNC info...
Any suggestions?
Also, as a possible workaround I'm now also looking at using an FTP distributed repository, so any suggestions there on the IIS setup required and firewall config. would be appreciated.
Possible workaround would be a superagent repository. We have been working with superagents for years and it runs fine.
I've been considering this as well - do you have a definitive list of ports/protocols required?
I have seen posts saying that this is "preferred by McAfee" over HTTP/FTP but I also read some stuff about it possibly needing file sharing enabled perhaps? - not sure if this is "through" the firewall or simply on the host server for the clients to access?
Ports for ePO 3/4 are listed in knowledgebase article KB53691.
We opened 80 for agent/server communication and 8081 for global updating.
Thanks - as you might expect by now - I've already seen that article - and you will note that it makes no mention of port 445 for example so I'm a bit wary of taking it on faith ;)
The SA Repositories apparently use a proprietary "spipe" protocol also, so I guess this may need additional configuration on the firewall... and of course you need to have the McAfee Agent installed on the server first, don't you?
You may have better luck doing an FTP repository if you're worried about poking holes in your firewall. Bear in mind you only have to open a few outbound ports to your machine in the DMZ, so this should not be a big security concern as you only have to allow outbound. Then from the internet side just allow normal FTP inbound communication to the repository. You have to get those files to the repo somehow... holes will have to be made regardless, but you can lock that down pretty well with your firewall.
Yes indeed - fewer smaller holes are preferred :)
Seem to be some issues with FTP and credentials security etc. though - still considering the SA Repository at the moment.
O.K. - SA Repository is now in place and working with only the ePO/McAfee "standard ports" (but reassigned) through the firewall - so at least I've now got a fallback option available to me provided we can live with whatever file/folder security ends up on the SA Repository or can tighten it up enough to keep folk happy.
I'd still like to hear if anyone has managed to get HTTP Repository working with just the "standard" ePO/McAfee Port range enabled - i.e. not having TCP Port 80 allowed...