10 Replies Latest reply on Apr 28, 2009 3:05 AM by n1koolkat

    Firewalled HTTP Repository Setup ?

    jmaxwell
      Hi,

      I'm trying to setup an HTTP Distributed Repository on a server which is behind a firewall and the DMZ behind the firewall is in a totally different Domain with no Trusts in place.

      I've got the necessary port range punched through the firewall and the remote server's IP is defined locally in the ePO Server's Hosts file.

      Running the Distributed Repository Setup Wizard and the initial site validation works O.K. - however I'm a bit lost as to what to enter on the next screen regarding the domain info. for the HTTP Server hosting the remote repository.

      Anyone done this ? or got any ideas what I need to do/configure etc. ?

      TIA

      Jim
        • 1. RE: Firewalled HTTP Repository Setup ?
          JeffGerard
          The first page you are referring to is the download page that contains the info that the clients will use to connect to this server. If it is an open http server then you don't even need creds here. The 2nd page is the replication page. Here you need the creds needed to be able to upload and modify the dist. repo.
          • 2. RE: Firewalled HTTP Repository Setup ?
            jmaxwell
            Hi Jeff - thanks for that - I'd pretty much figured that out by now and things have moved on a bit :)

            Problem now seems to be that more ports than the "epo specific" ones need to be allowed through a firewall than just HTTP to use an HTTP Repository (create it and replicate to it) - now seeing TCP Port 445 being bounced which I believe is associated with SMB/NetBIOS/Sharing - which is a definite "no-no" through a firewall into a DMZ for us .....

            It seems as if the requirement to enter a UNC to a Share for the Repository Folder on the repository configuration page may be the reason.... checked the ePO 4 config. info from the manual and it now no longer asks for the UNC info...

            Any suggestions ?

            Also as a possible workaround I'm now also looking at using an FTP distributed repository so any suggestions there on the IIS setup required and firewall config. would be appreciated.

            Thanks,

            Jim
            • 3. RE: Firewalled HTTP Repository Setup ?
              akl71
              Possible workaround would be a superagent repository. We have been working with superagents for years and it runs fine.
              • 4. RE: Firewalled HTTP Repository Setup ?
                jmaxwell


                I've been considering this as well - do you have a definitive list of ports/protocols required ?

                I have seen posts saying that this is "preferred by McAfee" over HTTP/FTP but I also read some stuff about it possibly needing file sharing enabled perhaps ? - not sure if this is "through" the firewall or simply on the host server for the clients to access ?

                Jim
                • 5. RE: Firewalled HTTP Repository Setup ?
                  akl71
                  Ports for ePO 3/4 are listed in knowledgebase article KB53691.
                  We opened 80 for agent/server communication and 8081 for global updating.
                  • 6. RE: Firewalled HTTP Repository Setup ?
                    jmaxwell


                    Thanks - as you might expect by now - I've already seen that article - and you will note that it makes no mention of port 445 for example so I'm a bit wary of taking it on faith ;)

                    The SA Repositories apparently use a proprietary "spipe" protocol also so I guess this may need additional configuration on the firewall.... and of course you need to have the McAfee Agent installed on the server first don't you ?

                    Jim
                    • 7. RE: Firewalled HTTP Repository Setup ?
                      JeffGerard
                      You may have better luck doing an ftp repository if you're worried about poking holes in your firewall. Bear in mind you only have to open a few outbound ports to your machine in the dmz so this should not be a big security concern as you only have to allow outbound. Then from the internet side just allow normal ftp inbound communication to the repository. You have to get those files to the repo somehow....holes will have to be made regardless but you can lock that down pretty good with your firewall..
                      • 8. RE: Firewalled HTTP Repository Setup ?
                        jmaxwell
                        Yes indeed - fewer smaller holes are preferred :)

                        Seem to be some issues with FTP and credentials security etc. though - still considering the SA Repository at the moment.

                        Jim
                        • 9. RE: Firewalled HTTP Repository Setup ?
                          jmaxwell
                          O.K. - SA Repository is now in place and working with only the ePO/McAfee "standard ports" (but reassigned) through the firewall - so at least I've now got a fallback option available to me provided we can live with whatever file/folder security ends up on the SA Repository or can tighten it up enough to keep folk happy.

                          I'd still like to hear if anyone has managed to get HTTP Repository working with just the "standard" ePO/McAfee Port range enabled - i.e. not having TCP Port 80 allowed...

                          Jim.