6 Replies Latest reply on May 10, 2010 6:50 PM by ducsta

    Agent Handlers in DMZ and Remote Sites

      Hi All,

       

      Just wondering if anyone has specific firewall rules which need to be opened for AH (Agent Handlers) in the DMZ.

       

      I have ePO 4.5 on the internal LAN along with SQL server as the DB server

      Planning to deploy AH in DMZ to manage external facing systems

       

      Any potential gotcha?

       

      Also, has anyone deployed AH in remote sites with a WAN link of 256K? The remote sites have a small number of managed systems - > 10

       

      Cheers

       

      Ducsta

        • 1. Re: Agent Handlers in DMZ and Remote Sites

          Hi Ducsta,

           

          Between the ePO and agent handler, you only need to open the port (8433 by default, configurable) you configured to communicate. I prefer that the rule be outbound - from LAN to DMZ. Depending on your requirements, you may need additional ports to be opened. I would group these ports and use this group in the firewall for configuration. You can find more details in the McAfee ePolicy Orchestrator 4.5 Installation Guide, page 16.

           

          256Kbps depends on how much of it is used and how often you want the agent handler to communicate with ePO. You can schedule the communication to happen in off-peak hours.

           

          hope this helps. best of luck

           

          1ndian

          • 2. Re: Agent Handlers in DMZ and Remote Sites
            JoeBidgood

            256Kbps depends on how much of it is used and how often you want the agent handler to communicate with ePO. You can schedule the communication to happen in off-peak hours.

             

            hope this helps. best of luck

             

            1ndian

             

            Sorry, just need to jump in here - that's not correct, I'm afraid. An agent handler needs a permanent, high-speed, low-latency connection to the SQL server. You can't schedule when an AH communicates - it's doing it all the time.

            You really, really don't want to put an agent handler on a 10-machine site at the end of a 256K link, trust me.

            If you haven't already done so, I'd strongly recommend having a look at the Agent Handler white paper, located here.

             

            Regards -

             

            Joe
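            Added example (not from the thread or from McAfee): a pre-deployment check you can run on the host you intend to make an Agent Handler. It covers the point in reply 1 (the handler-to-ePO port has to be open through the firewall) and the point in reply 2 (the handler talks to SQL continuously, so the link must be reachable and low-latency at all times, not just in a maintenance window). Every TCP flow is probed several times and the median connect time is compared to a budget. The host names, the ports (8443 for ePO and 1433 for SQL Server) and the 50 ms budget are assumptions for illustration; substitute the values you actually configured in ePO.

```python
"""Reachability and connect-latency check for an ePO Agent Handler candidate host.

Added example, not McAfee code. Hosts, ports and the latency budget below are
assumptions; replace them with the values configured in your ePO installation.
"""
import socket
import statistics
import threading
import time
from contextlib import contextmanager

# (name, host, port): flows the handler initiates through the firewall.
# 8443 and 1433 are assumed defaults for this example, not read from an install.
REQUIRED_FLOWS = [
    ("ePO server", "epo.corp.example", 8443),
    ("SQL Server (ePO database)", "sql.corp.example", 1433),
]
MAX_MEDIAN_RTT_MS = 50.0  # assumed "low latency" budget; tune for your WAN


def tcp_connect_rtt_ms(host, port, timeout=3.0):
    """Time a full TCP handshake to host:port in ms; None if refused, filtered or timed out."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None


def check_flow(name, host, port, samples=5, max_median_ms=MAX_MEDIAN_RTT_MS):
    """Probe one flow repeatedly; 'ok' requires every probe to succeed within the budget."""
    rtts = [r for r in (tcp_connect_rtt_ms(host, port) for _ in range(samples)) if r is not None]
    if not rtts:
        return {"flow": name, "reachable": False, "median_ms": None, "samples": 0, "ok": False}
    median = statistics.median(rtts)
    return {
        "flow": name,
        "reachable": True,
        "median_ms": round(median, 2),
        "samples": len(rtts),
        "ok": len(rtts) == samples and median <= max_median_ms,
    }


def handler_host_suitable(flows=REQUIRED_FLOWS, **kwargs):
    """True only if every required flow is reachable and inside the latency budget."""
    results = [check_flow(n, h, p, **kwargs) for n, h, p in flows]
    return all(r["ok"] for r in results), results


@contextmanager
def local_listener():
    """Stand-in for a reachable endpoint on 127.0.0.1 so the check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        stop.set()
        worker.join()
        srv.close()


def closed_local_port():
    """Return a 127.0.0.1 port with no listener, to stand in for a blocked flow."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_check():
    """Exercise the checker against one open and one closed loopback port."""
    with local_listener() as port:
        open_ok, _ = handler_host_suitable([("loopback listener", "127.0.0.1", port)])
    blocked = check_flow("blocked flow", "127.0.0.1", closed_local_port())
    return {"open_ok": open_ok, "blocked_reachable": blocked["reachable"], "blocked_ok": blocked["ok"]}


if __name__ == "__main__":
    suitable, results = handler_host_suitable()
    for r in results:
        print(r)
    print("suitable for an Agent Handler:", suitable)
```

            Run it from the DMZ or remote-site host before installing the handler: a flow that comes back unreachable is a missing firewall rule (or the wrong port), and a flow that is reachable but over budget is the 256K-link case Joe describes, where the host may work but the handler will not perform.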

            • 3. Re: Agent Handlers in DMZ and Remote Sites

              Hi Joe,

               

              Thanks for the input.

               

              I was under the impression that agent handler communication can be scheduled like agent-to-ePO communication, giving it a larger time frame.

               

              By the way, the white paper answers the first question as well.

               

              Thanks Joe.

              • 4. Re: Agent Handlers in DMZ and Remote Sites

                Sounds more like a SuperAgent with the repository function might be in order here. Just don't assign the SA to an AH or you lose control of replication to it.

                 

                Matt

                • 5. Re: Agent Handlers in DMZ and Remote Sites

                  Hello rob,

                   

                  This sounds like a workable solution to me.

                   

                  My VM is busy testing WebGateway 7. I would need to test this for my remote site which is not managed now.

                  • 6. Re: Agent Handlers in DMZ and Remote Sites

                    Hi guys,

                     

                    Thanks for the replies...

                     

                    As the link between the private network and the DMZ will be more than 256K, there's no issue here... I'll just need to make sure the AH has the correct firewall rules opened.

                     

                    As for the remote sites with less than 256K, I'll use SuperAgents with distributed repos instead... What are the pros and cons of each?