4 Replies Latest reply on Oct 11, 2010 1:55 AM by Attila Polinger

    Agent Handle in DMZ

      Hi All

      Before I set up the AH in the DMZ, I want to know how it works if the client is on the WAN.

      The structure will be

                LAN               <>      DMZ     <>     WAN

      Clients and epo4.5            AH4.5            Clients

      1. I want clients to be able to download DATs and policies and report events when they are in the LAN.
      2. I want clients to be able to do everything as in the LAN except download DATs.

      When clients are on the WAN, how does the client talk to the Agent Handler?

      Does the client download the DAT and policy and upload events?

      Which file will be used on the client when it's on the WAN?

      How do I publish the AH to the WAN?

      Will other McAfee Agents (not belonging to our company) talk to my AH?

      Thanks

      Alex

        • 1. Re: Agent Handle in DMZ
          Attila Polinger

          Hello,

          When clients are on the WAN, how does the client talk to the Agent Handler?

          Using the information in the sitelist, which contains the information on agent handlers and the ePO server (when adding the agent handler to the sitelist definition, be sure it precedes the ePO server for external clients).

          Does the client download the DAT and policy and upload events?

          Yes, an Agent Handler can provide policy and agent manipulation functionality and a repository cache (in case agents are unable to contact any repository).

          Which file will be used on the client when it's on the WAN?

          What do you mean by this?

          How do I publish the AH to the WAN?

          With firewall rules and a public IP for the AH, so external clients can resolve its name to an IP on the WAN.

          Will other McAfee Agents (not belonging to our company) talk to my AH?

          Not expected, unless they have its information in their own sitelists.

          I attach the Agent Handler whitepaper: not as informative in the DMZ scenario as it should be, just giving tips instead of exact steps for publishing the AH to external clients.

          Attila

          • 2. Re: Agent Handle in DMZ

            Hi Attila

            After installing the AH in our DMZ, in the default policy the AH becomes first, the ePO 4.5 server second, and then the other overseas repositories and McAfee HTTP. Can we change the priority to make the AH second to last (just above McAfee HTTP)?

            After installing it in the DMZ, lots of overseas PCs from branch offices will connect to the AH. Can we avoid that (do we need to create a firewall rule on our physical firewall to block the traffic from the AH to our intranet)? We still want all branch PCs to report to our ePO. We only want our PCs to report to the AH when out of the office.

            I just found an article (http://www.networkt.co.uk/agent-handlers-and-what-they-do/); it says client PCs will download the DATs from the AH. Can we block that as well?


            How agent handlers work

            Agent handlers distribute network traffic generated by agent-to-server communication by assigning managed systems or groups of systems to report to a specific agent handler. Once assigned, a managed system performs regular ASCIs to its agent handler instead of the main ePO server. The handler provides updated sitelists, policies, and policy assignment rules just as the ePO server does. The handler also caches the contents of the master repository, so that agents can pull product update packages, DATs, and other necessary information.

            NOTE: When an agent checks in with its handler, if the handler does not have the updates needed, the handler retrieves them from the assigned repository and caches them, while passing the update through to the agent.


            Thanks

            Alex

            • 3. Re: Agent Handle in DMZ

              Anyone know the answers?

              • 4. Re: Agent Handle in DMZ
                Attila Polinger

                Hi,

                I'm sorry, I was out of the office the whole of last week.

                I understand that you want only computers outside the company WAN to connect to the AH, and computers on the company WAN to report to ePO rather than the AH. This could be a problem, since to my knowledge the MA is currently incapable of handling two sitelists depending on the actual IP address of the client. So you just might assume that it is the laptops that spend time outside the company, and therefore you could assign a different sitelist to the laptops (by tag), where the ePO server antecedes the agent handler, and another sitelist for any other "unmovable computer", where the ePO server precedes the AH.

                As for the AH caching the master repository, I am not sure if you could change that behaviour at the moment.

                Attila