5 Replies Latest reply on Oct 22, 2010 4:50 AM by JoeBidgood

    Daisy-Chaining SuperAgent Repositories

      Hey,

       

      I'm relatively new to working with McAfee products and I'm doing local support for a system that's currently in-place.  It seems to be ePO 4.0.x for McAfee Enterprise i8.7.

       

      I've been looking into updating methods for some of our local subnets/domains, and it looks like SuperAgents would be the way to go.  Unfortunately some of the subnets are isolated, with no local access allowed to the rest of the network as a whole.  Would we be able to set up SuperAgents to daisy-chain updates into these subnets?  Most of these subnets are part of isolated domains/workgroups and will have no connection whatsoever to the domain the main repository sits on.

       

      Would another option, such as mirroring, and then setting up a UNC repository, be a better choice?

        • 1. Re: Daisy-Chaining SuperAgent Repositories
          JoeBidgood

          Unfortunately if these networks are truly isolated, you're a bit stuck - even if you could get a superagent onto a machine on the subnet, it wouldn't be able to communicate with ePO and be updated - similarly ePO won't be able to control any client machines on these networks...

          Do these networks have any external connectivity at all?

           

          Thanks -

           

          Joe

          • 2. Re: Daisy-Chaining SuperAgent Repositories

            Hi,

             

            Thanks for the reply.  They're connected through routers/firewalls to the other domains/the main domain, but have very limited connectivity.  Most of them are only allowed to send/receive to a single server on specific ports. They essentially have no connectivity to the main domain that the ePO sits on, and they are segregated for security and policy reasons.  From my understanding of ePO, the main repository requires direct access to the subnet/computers that it manages, and only uses SuperAgent repositories to simplify sending wakeup calls and updates within the local repository's broadcast zone.  Is this correct?

             

            My idea was to have edge servers be the repositories, and have them broadcast the updates to the isolated zones.  Unfortunately if they have to be regulated in the ePO on the main repository, this won't be possible for us.  Mirroring still sounds feasible, as we could forgo the need for broadcasting wakeup and have the clients check in at scheduled times to grab the updates via port forwarding.  For daisy-chaining subnets, we could then re-mirror inside one subnet, or set up forwarding for the second subnet via the first mirror.  But using this system may mean slightly-less up-to-date DATs/updates for the isolated networks.

             

            Hopefully this all makes sense so far.  Are mirror jobs the way to go, or can SuperAgents be used in this kind of setup?

            • 3. Re: Daisy-Chaining SuperAgent Repositories
              JoeBidgood
              They essentially have no connectivity to the main domain that the ePO sits on, and they are segregated for security and policy reasons. 

               


              Unfortunately this statement means ePO is pretty much dead - if the client machines are unable to communicate with the ePO server, then there's not very much ePO can do. It would probably be easier to set up local mirroring of the McAfee update site (using a mirror task on a single client machine, for example) and configure the clients to update from there, rather than fight trying to get ePO-based updating working.

               

              One possibility might be agent handlers, which can help in limited connectivity environments like DMZs... have you investigated them as a possibility?

               

              HTH -

               

              Joe

              • 4. Re: Daisy-Chaining SuperAgent Repositories

                Thanks for the reply again.

                 

                Just checked out the whitepages for Agent Handlers, and it looks like it's only available for ePO 4.5.  While it would help the first subnet, we would still need to use mirroring on the rest in the chain.

                 

                It looks like I'll be going with mirroring.  Thanks again for all the suggestions and info.

                • 5. Re: Daisy-Chaining SuperAgent Repositories
                  JoeBidgood

                  No problem - sorry we couldn't be more help.

                   

                  Frankly I don't envy you trying to administer that environment at all - it sounds very painful.

                   

                  Regards -

                   

                  Joe