Unfortunately if these networks are truly isolated, you're a bit stuck - even if you could get a superagent onto a machine on the subnet, it wouldn't be able to communicate with ePO and be updated; similarly, ePO won't be able to control any client machines on these networks...
Do these networks have any external connectivity at all?
Thanks for the reply. They're connected through routers/firewalls to the other domains/the main domain, but have very limited connectivity. Most of them are only allowed to send/receive to a single server on specific ports. They essentially have no connectivity to the main domain that the ePO sits on, and they are segregated for security and policy reasons. From my understanding of ePO, the main repository requires direct access to the subnet/computers that it manages, and only uses SuperAgent repositories to simplify sending wakeup calls and updates within the local repository's broadcast zone. Is this correct?
My idea was to have edge servers be the repositories, and have them broadcast the updates to the isolated zones. Unfortunately if they have to be regulated in the ePO on the main repository, this won't be possible for us. Mirroring still sounds feasible, as we could forgo the need for broadcasting wakeup and have the clients check in at scheduled times to grab the updates via port forwarding. For daisy-chaining subnets, we could then re-mirror inside one subnet, or set up forwarding for the second subnet via the first mirror. But using this system may mean slightly-less up-to-date DATs/updates for the isolated networks.
Hopefully this all makes sense so far. Are mirror jobs the way to go, or can SuperAgents be used in this kind of setup?
They essentially have no connectivity to the main domain that the ePO sits on, and they are segregated for security and policy reasons.
Unfortunately this statement means ePO is pretty much dead - if the client machines are unable to communicate with the ePO server, then there's not very much ePO can do. It would probably be easier to set up local mirroring of the McAfee update site (using a mirror task on a single client machine, for example) and configure the clients to update from there, rather than fight trying to get ePO-based updating working.
One possibility might be agent handlers, which can help in limited connectivity environments like DMZs... have you investigated them as a possibility?
Thanks for the reply again.
Just checked out the whitepages for Agent Handlers, and it looks like it's only available for ePO 4.5. While it would help the first subnet, we would still need to use mirroring on the rest in the chain.
It looks like I'll be going with mirroring. Thanks again for all the suggestions and info.
No problem - sorry we couldn't be more help.
Frankly I don't envy you trying to administer that environment at all - it sounds very painful.