cashguy, What you need to do first is to register DC1 and DC2 in ePO. You can do this by clicking on ePO menu > Registered Servers. It's located under "Configuration" section when you expand ePO menu. Simply click "NEW SERVER" button and add the DCs as LDAP servers. Once registered, you can sync AD objects (users, computers etc). This will help in designing your epo system tree, encryption users, deploying software and so on. If your AD is well organized, you can replicate that in system tree. Or you can create custom folders in system tree and sync it with a specific OU in your AD.
After you've registered your DCs, you can select any system tree in ePO, go to "GROUP DETAILS" tab and change "Synchronization type" setting.
Hope this helps. If not, please let me know.
1) I would also recommend checking in "Cloud Workload Discovery" extension for epo. With this, you can sync ePO with your VMware environment and receive information about your vms. That way you can plan your security posture by seeing how many vms there are, how many are protected etc. If they are not being managed by ePO, you can target them and install agent and other products. It's much easier when the vms are part of your AD.
2) Look into using "Rogue System Detection" also. This small program will help you determine whether you have rogue systems on your network. You want to install this in your highly active servers (dns, dhcp). Then you can craft query to target domain joined windows systems and push mcafee agents on them. this will automate your administration.
Thank you for your explanation but i faced some issues already. I managed to add Domain Controllers and synchronize AD but i wasn't able to push agent. The reason is because there's NAT on the way:
So when i add Domain Controller to ePO they can talk to each other but if i want to deploy agent it's trying to use 192.168.1.x IP cause both domain controller and the server itself are not aware of 192.168.100.x
Before i asked my opening question i was thinking about deploying "islands" so they can contact server in DCs by their local IP addresses and send the data back to ePO.
Other solutions i was thinking of is deploy another ePO but i'm not sure if it requires a licence?
Thanks for the extension as well. Will definitely have a look when the ePO works as supposed
you could manage to deploy the agent in DC1 by placing agent handler ( AH) and there will no licensing involved in this, It's just an extension of the ePO server.
Thing you have to care that AH can't directly speak with in their subnet..
Almost everything is fine I deployed Agent Handler and all servers in DC check into that Agent which then pass all the information to the ePO.
There's only one issue i'm facing right now.
- Added AgentHandler-DC1
Specified System Tree Location and Agent Subnet
- Created Agent Policy - Repository in System Tree location
Pointed to AgentHandler-DC1
- Checked in all servers in DC1
At this point i had AgentHandler-DC1 as primary repository and McAfee Http as fallback repository
Noticed that some of the machines from the office are not checking in and their IP range matched DC1 range
Because the network IPs were overlapping i removed Agent Subnet hoping it will use System Tree location
Now the servers from DC1 System Tree location are not able to connect to AgentHandler-DC1 repository (they still report their status to AgentHandler)
[Thu Sep 14 15:52:39.336890 2017] [authz_core:error] [pid 1548:tid 3612] [client 192.168.1.13:64131] AH01630: client denied by server configuration: C:/Program Files (x86)/McAfee/Agent Handler/DB/www/SiteStat.xml
btw. the www folder is empty
I thought it's a problem with agent so i have made new FramePkg.exe and deployed it again. System has been added outside DC1 System Tree location and now i could see all repositories (DC1, Office and McAfee Http)
I ran the update and guess what... it updated from AgentHandler-DC1 with no issues. I wanted to check what's the addres but it wouldn't let me edit as they all are read-only.
I tried to find sitelist.xml and i found it but the list is totally different than the repository. I extracted the list from FramePkg.exe and this one was listing all 3 repos.
I didn't bother to replace the list cause it's a bit tricky but i'm wondering
Is there any other way to allow systems to pull data from AgentHandler-DC1 repository than specifying Agent Subnet?
Why it does work when systems are outside System Tree location of AgentHandler-DC1
Most likely it's ePO setting permissions not the Apache running as AgentHandler.