3 Replies Latest reply on Oct 26, 2010 10:35 AM by JoeBidgood

    Agent Handlers questions

    SergeM

      Hi,

       

      We've been using ePO for several years now but never had any DRs (AH is new so we never had those either).

      We've had ePO 3.x, 3.5, 3.6, 4.0. Presently all our servers are using ePO 4.5. Most (95%) of our clients are using MA 4.5 (not sure I care for the others, if/when users call, we'll fix them).

       

      I have lots of questions about Agent Handlers (with ePO 4.5) and I'm afraid I'm not even sure where to start.

      IM(ns)HO, the documentation is severely lacking and has been close to useless (to us) in every aspect of Agent Handlers (AH) and previously Distributed Repositories (DR) for as long as I remember.

       

       

      1)  We're trying to relieve the (main) ePO server by diverting some of the connection load to AHs (and also to DRs).  I hope this is the correct thing to do.

           We're also hoping this may provide us with some measure of redundancy (as a side-effect) so if we need to stop the main server, clients will be able to connect to the AH (& DR).

       

      2) We plan on using the AH as DR as well. Is this OK ?  Is this a recommended function ?

          (AH need to be installed on server OS, so we might just as well use the power and network connectivity... or not ?)

       

       

      I follow the install guide (epo_450_installguide_en-us.pdf) on "Installing an Agent Handler" (p. 15) and got stuck.

       

      3)  nowhere does the documentation give any information on which ports should be opened in a firewall. Guys, we live in a firewalled world (*)  it would help if we didn't have to guess and spend time searching (finding out).

       

      4)  I'm presently stuck with an error message which I suppose is linked with some communication problem due to our firewalls...

           When trying to install the AH, I run the SETUP.EXE and it asks for some information... (doc. tech. writers... a screenshot would've helped).

           Some of the information (ePO Server, ePO Admin User & Password) is logical but the ePO Server Port

           The doc quotes :

      "6 Type the port to be used for server-handler communication. Port 8433 is the default. McAfee
         recommends that you change the port designation. See the discussion of Ports in the Server
         and Agent Handler requirements section."

       

        4a) Is ePO Server Port the same as what the ePO Server Settings (Ports) call the "Console-to-application server communication port" ?  Then heavens, why doesn't the doc say so !

       

        4b) What happens if I decide to change this Port to 12345 in the AH Install sequence ?

            Should I also change the "Console-to-application server communication port" in the ePO server settings ?

            Will this affect my console URL ?  (https://[servername]:8443/  or  https://[servername]:12345/)

            (Should I really have to try and find things out ?)

       

      5) I presently get the error message

                  "Setup did not detect a compatible ePO server with the specified parameters. "

          How do I find out if this is because

        • the communication is blocked by our network firewalls (I know that, I checked our firewall logs and fixed it)
        • the communication is rejected by the ePO Server's Win2008 firewall (I checked the firewall logs)
        • the ePO Server Port is/is not/should be the same as the Console-to-application server communication port
        • something else happened (BOFH excuse #2: solar flares)

       

      6) The doc quotes:

      "7 Type the ePO Admin User name and password of a user with global administrator
      privileges. If these credentials are to be used for the database as well, click Next to start
      the installation.
      NOTE: These credentials must be identical with those used during installation of ePolicy
      Orchestrator."

       

         a) "a user with global administrator privileges", common sense would suggest we create a new user for agent handlers !?

             Is this recommended ?  not recommended ?

         b) "If these credentials are to be used for the database as well"  so the AH needs to connect to the DB (& DB Server) as well ?

             Should we then create a user for this as well ?  How do I know if these are the same credentials or if I should create specific credentials ?

         c) AHA !

                "These credentials must be identical with those used during installation of ePolicy Orchestrator"

            So, should these be the same as the original ePO administrator ? or the DB admin ?

       

      7) Finally the doc says:

      "9 Click Next. The installation process begins."

          Fantastic... and then ?

          How do I see if the installation worked ?  What should we do now ?

          Is there something we should see or do on the server ?

          I suppose I should be able to see this somewhere so I can configure the MA policies !??

       

       

      And once I'll be done with that, I dread having to configure the DR as well...

       

      Is there somewhere some useable documentation on this ?

       

      thanks for any help

        Serge

       

       

      (*) at least we should (and we do), I can't imagine someone using ePO and not having at least one or two firewalls...

       

       

      on 26/10/10 13:02:15 CEST
        • 1. Re: Agent Handlers questions
          JoeBidgood

          Forgive the question, but before anything else, read the AH White Paper from https://kc.mcafee.com/corporate/index?page=content&id=PD22508 - it should help.

          Can you give us some more detail about your environment? It's likely that you don't need agent handlers - not many environments do.

           

          HTH -

           

          Joe

          • 2. Re: Agent Handlers questions
            SergeM

            Hi Joe,

             

            Thanks for the answer. I did read the white paper. Will re-read it tomorrow to be sure I didn't miss something important. I was largely upset by the poor quality of the install documentation which leaves a lot to guesswork.

             

            Presently have two separate production servers, one is behind a NAT, the other is in our "server DMZ" (everything is a DMZ or VLAN).

            This is for the new server which will replace current set-up. This server will also have a separate SQL server as we've been having lots of trouble with an ePO server having its SQL server on the same machine.

             

            I'm quite certain we'll need about 2-3 AHs and probably 2-5 DRs.

            We're presently managing 6000+ clients, dispersed in +200 sites, in ~10 countries. I expect we'll have up to 10 clients within 2 years.

            We need to have at least one AH behind a NAT to serve some of our sites and one in a DMZ for some clients connecting through the internet.

            We've been discussing and preparing this for about one year, including talks with McAfee reps and support, and consultants.

             

            Serge

            • 3. Re: Agent Handlers questions
              JoeBidgood

              Okay, that doesn't sound too scary. The number of nodes is fine, and doesn't really justify agent handlers, but the topology definitely does: if you want machines in DMZs then agent handlers are the best approach.

               

              Please make sure that any design you come up with does NOT put an agent handler at the end of a slow, low-bandwidth or high-latency connection. The AH requires a permanent high-speed connection to the SQL server, and one AH that doesn't have this can have a very negative effect on the entire ePO installation.

               

              Let us know if you hit any problems.

               

              HTH -

               

              Joe