9 Replies Latest reply on Oct 8, 2010 8:18 AM by RLI

    Communicating with servers in front of a firewall (DMZ)

      Hello,

      I have a number of webservers in a DMZ protected by our firewall.

      I have managed to install the agent, but it seems tasks like updating the McAfee Virus scanner don't work. The SDAT seems to get updated, but I think they use the last resort option and go out to the internet for this (how can I check this?).

      The outbound ports I have opened from the ePolicy 4.5 server are:

      TCP/UDP: 443, 8081, 8082, 82, 8443, 8444

      I guess the webservers need to get back to the ePolicy's file repository? Which I don't think they can. They can ping the server, but when I go to the ePolicy server and type "net share", nothing shows up.

      Please could someone kindly shed some light on how this process of updating the McAfee Virus scanner via a task works; I might be able to work out what is missing.

      Many thanks

        • 1. Re: Communicating with servers in front of a firewall (DMZ)
          GWIRT

          Agent communication isn't supported through a NAT, but you can get it to work by using KB57509.

          Alternatively, you can deploy ePO 4.5 Agent Handlers in your DMZ to address this issue.

          The problem you are seeing doesn't seem to be related to this, however.

          You can look at the Agent_<machinename>.log and the McScript.log to understand why the update is failing.

          Also, if you right-click the agent icon on the client machine and select "Update Now", does it give any helpful messages?

          • 2. Re: Communicating with servers in front of a firewall (DMZ)
            jstanley

            Hello Gonzouk,

            Here are the ports you need to open up (assuming default port assignments):

            From AH -> ePO:
            * 80 (bi-directional)
            * 8444
            * 8443 (only during install, and only if you do not specify the SQL information during install)

            From AH -> SQL server:
            * 1433 (or whatever the SQL port is)

            From AH -> Clients (only if you want to be able to send wake-up calls or view the agent's web log):
            * 8081

            From Clients -> AH:
            * 80
            * 443

            Here is a key:
            * AH = Agent Handler
            * 80 = Agent-to-server communication port
            * 443 = Agent-to-server communication secure port
            * 8444 = Client-to-server authenticated communication port
            * 8443 = Console-to-application server communication port
            * 8081 = Agent wake-up communication port

            To specifically address your question: the AH has to be able to communicate with the ePO server's master repository (if using the default port, this occurs over port 80) to pull updates from the master repository. Let's suppose an agent connects to a remote AH during a DAT update:

            * The AH looks in this directory to see if it has the update the client is requesting: <AH Install directory>\DB\Repocache\
            * Assuming the file is not in the Repocache, the AH then connects to the ePO server's master repository, pulls the update and stores it in the Repocache.
            * The AH keeps the update in the Repocache in case another client requests the same update (very likely).

            I hope that answers your questions!

            • 3. Re: Communicating with servers in front of a firewall (DMZ)

              Hi Jeremy,

              Two small questions regarding your answer:

              1. You suggest opening "port 80 bi-directional" for AH to ePO connections. Aren't all TCP connections "bi-directional" in some way? Or is this another kind of "bi-directionality"?

              2. You suggest opening both port 80 and port 443 for connections from Clients to AH. Is it really needed to open them both, or is only port 443 sufficient, assuming that only encrypted connections will be used?
              • 4. Re: Communicating with servers in front of a firewall (DMZ)
                JoeBidgood

                  You suggest opening "port 80 bi-directional" for AH to ePO connections. Aren't all TCP connections "bi-directional" in some way? Or is this another kind of "bi-directionality"?

                Bi-directional here means that the firewall must be configured to pass traffic in both directions.

                  You suggest opening both port 80 and port 443 for connections from Clients to AH. Is it really needed to open them both, or is only port 443 sufficient, assuming that only encrypted connections will be used?

                If you want the agents to be able to update from the AH (i.e. the agents are configured to update from the master repository), then you will need port 80 open as well; if not, then just 443 should be OK.

                HTH -

                Joe

                • 5. Re: Communicating with servers in front of a firewall (DMZ)

                  JoeBidgood wrote:

                    You suggest opening "port 80 bi-directional" for AH to ePO connections. Aren't all TCP connections "bi-directional" in some way? Or is this another kind of "bi-directionality"?

                    Bi-directional here means that the firewall must be configured to pass traffic in both directions.

                  Thus, it is also the case for all ports mentioned after (443, 8444, 8443, 8081, ...), since they are all using TCP (SYN, ACK, ...) and are thus bi-directional. Right?

                  • 6. Re: Communicating with servers in front of a firewall (DMZ)
                    JoeBidgood

                    Sorry, I'm not being clear. It's not the flow of traffic that's important, it's where the communication was initiated. A better way of defining bi-directional here would be "allowing traffic that was initiated on either side of the firewall."

                    So for example, port 8081 does not need to be bi-directional, because a client machine will never try to contact an AH on this port: it will only ever be the AH or another machine trying to contact the client. Port 80 needs to be bi-directional because the AH will try to contact the ePO server, and the ePO server will also try to contact the AH.

                    HTH -

                    Joe
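
As an added example (not code from any poster in this thread), a small Python checker that encodes Jeremy's port matrix from reply 2 together with Joe's point from reply 6 that a "bi-directional" port is really two initiator rules. Run on an Agent Handler or on a client, it probes only the connections that host is expected to initiate; the role labels and the hostnames are constructed placeholders, and the inbound half of a bi-directional rule can only be verified from the peer.

```python
import socket

# Default ePO 4.5 port matrix as listed in the thread, expressed as
# (initiating role, responding role, port, purpose). Port 80 between AH and
# ePO appears twice because either side may open the connection.
PORT_RULES = [
    ("AH", "EPO", 80, "agent-to-server communication / master repository pulls"),
    ("EPO", "AH", 80, "ePO-initiated half of the bi-directional port 80 rule"),
    ("AH", "EPO", 8444, "client-to-server authenticated communication"),
    ("AH", "EPO", 8443, "console-to-application server (install time only)"),
    ("AH", "SQL", 1433, "SQL server (or whatever the SQL port is)"),
    ("AH", "CLIENT", 8081, "agent wake-up (optional)"),
    ("CLIENT", "AH", 80, "agent updates from the repository"),
    ("CLIENT", "AH", 443, "agent-to-server secure communication"),
]


def tcp_probe(host, port, timeout=3.0):
    """Attempt one TCP connect; True if the firewall and service accept it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outbound_rules(local_role):
    """Rules this host must be able to initiate (its side of the matrix)."""
    return [r for r in PORT_RULES if r[0] == local_role]


def check_connectivity(local_role, hosts, probe=tcp_probe):
    """hosts maps role -> hostname. Returns (dest_role, port, ok, purpose) tuples.
    Roles without a known hostname are skipped rather than reported as failures."""
    results = []
    for _src, dst, port, purpose in outbound_rules(local_role):
        if dst in hosts:
            results.append((dst, port, probe(hosts[dst], port), purpose))
    return results


def missing_ports(results):
    """The (dest_role, port) pairs that still need a firewall rule."""
    return [(dst, port) for dst, port, ok, _ in results if not ok]


if __name__ == "__main__":
    # Constructed hostnames; this invocation assumes it runs on the Agent Handler.
    report = check_connectivity("AH", {"EPO": "epo.example.internal", "SQL": "sql.example.internal"})
    for dst, port, ok, purpose in report:
        print(f"{dst:6} {port:5} {'OK  ' if ok else 'FAIL'} {purpose}")
```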

                    • 7. Re: Communicating with servers in front of a firewall (DMZ)

                      Thanks for your explanations, Joe.

                      I still have some more questions...

                      I saw in a KB that ePO 4.0 was using port 8445 for "Event Parser to Application Server" communications. Is it still the case in ePO 4.5?

                      If it is still used by ePO 4.5, must this port be available only locally on the machine? That is, are there only communications between an Event Parser and an Application Server installed on the same machine? Or is it possible that the Event Parser installed on an Agent Handler needs to communicate with port 8445 of an Application Server that is the main ePO server?

                      • 8. Re: Communicating with servers in front of a firewall (DMZ)
                        JoeBidgood

                        michael.noiret wrote:

                          Thanks for your explanations, Joe.

                          I still have some more questions...

                          I saw in a KB that ePO 4.0 was using port 8445 for "Event Parser to Application Server" communications. Is it still the case in ePO 4.5?

                          If it is still used by ePO 4.5, must this port be available only locally on the machine? That is, are there only communications between an Event Parser and an Application Server installed on the same machine?

                        It's not used any more as far as I know; it was used by the notifications system in ePO 4 to monitor the event queue, and this is done differently in 4.5.

                          Or is it possible that the Event Parser installed on an Agent Handler needs to communicate with port 8445 of an Application Server that is the main ePO server?

                        No... the list given by Jeremy is complete.

                        HTH -

                        Joe

                        • 9. Re: Communicating with servers in front of a firewall (DMZ)

                          Hi Jeremy,

                          I have the following scenario:

                          Between the agent and the ePO I have a firewall. I opened port 80 when using MA 4.0, which was fine. After upgrading to McAfee Agent 4.5 the communication is on port 443, so I removed port 80 from my firewall config and added 443 in both directions. As far as I understand your message, port 80 must stay open as well, because otherwise I cannot connect from the agent to my master repository (which resides on the ePO).

                          So far so good: my client is not updating to the newest patch... netstat -a shows a wait_sync on port 80, which proves the above. I recognized this just now when I wanted to deploy a new VSE patch. So now I guess I have to reopen port 80 from *->ePO.

                          But until now (with just port 443 open) the DATs have been updating every day without a problem - why?

                          Regards, RLI