the Agent Handler sends a "message" on the Agent Wakeup port.
- Your agent handler must be able to connect to the internet using this port.
I'm interested why you need such a configuration. So, if a client is behind a network device which does NAT, you will never be able to connect to the client. You might be able to connect to clients when they are directly connected to the internet and have a public IP address. If not, you cannot connect.
I had never even considered that scenario. Damn. So no way for Agent Wakeups on the internet then?
I think I will stick with the AH in the DMZ though, as it gives me some resilience with my clients.
Thanks for the advice.
Just an offhand comment.
If you have devices which will be behind a DMZ, or off into the utter wilds of the internet, perhaps you could assign them a tag which links back to an Agent Policy to perform an ASCI every hour or so (basically a more frequent ASCI policy).
That may at least get you some of what you're looking for....
You may change the ASCI Interval for endpoints if they are connected to a specific Agent Handler. :-)
Agent wake-up cannot be done in a DMZ or NAT environment even if you have installed an AH internally.
In a DMZ / NAT environment, only agent-to-server communication will take place, and the agent will get the update on the ASCI interval.
It has been clearly explained in the McAfee Corporate KB - How to use ePolicy Orchestrator in a DMZ or NAT environment (KB59218).
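The point made throughout this thread is that an Agent Wakeup is a connection the handler opens to the client, so it can only work where the handler can actually reach the client's wake-up port; an endpoint behind NAT has no routable address from the handler's side and can only call in on its own ASCI. The following script is an added example written for this page, not code from the thread or from McAfee: run from the Agent Handler, it tries a TCP connection to each endpoint's wake-up port and splits the inventory into endpoints that can be woken and endpoints that are poll-only, which are the ones worth tagging for the shorter-ASCI policy suggested above. It assumes 8081 as the wake-up port (the usual ePO default; check the value configured on your own handler) and uses constructed placeholder hostnames and addresses.

```python
import socket
from typing import Dict, List, Tuple

# Assumption: 8081 is the default ePO agent wake-up port. Confirm the value
# configured on your own Agent Handler before relying on this constant.
DEFAULT_WAKEUP_PORT = 8081


def wakeup_port_reachable(host: str, port: int = DEFAULT_WAKEUP_PORT,
                          timeout: float = 2.0) -> bool:
    """Return True if a TCP connection from this machine to host:port succeeds.

    A handler can only deliver a wake-up over a connection it opens itself.
    For an endpoint behind NAT the address is not routable from here, so the
    attempt is refused or times out and this returns False; such endpoints can
    only reach the server on their own ASCI.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes connection refused, timeout, unreachable network
        return False


def classify_endpoints(endpoints: List[Tuple[str, str]],
                       port: int = DEFAULT_WAKEUP_PORT,
                       timeout: float = 2.0) -> Dict[str, List[str]]:
    """Split (name, address) pairs by whether the handler can wake them.

    Names listed under "poll_only" are candidates for a tag that links to an
    agent policy with a shorter ASCI, since wake-ups will never reach them.
    """
    result: Dict[str, List[str]] = {"wakeup_ok": [], "poll_only": []}
    for name, address in endpoints:
        bucket = "wakeup_ok" if wakeup_port_reachable(address, port, timeout) else "poll_only"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and TEST-NET addresses are
    # placeholders, not real endpoints.
    sample_inventory = [
        ("laptop-01", "192.0.2.10"),
        ("dmz-web-01", "198.51.100.20"),
    ]
    for bucket, names in classify_endpoints(sample_inventory, timeout=1.0).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run it from the Agent Handler itself, not from an administrator's workstation, because the question is whether the handler's own network position can reach the port; a result from anywhere else says nothing about wake-ups.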