18 Replies. Latest reply on Jul 21, 2011 10:01 AM by awponceh

    Agent Handler in DMZ not syncing with epolicy server

      We are running epolicy orchestrator 4.5 on our network and have set up an Agent Handler in the DMZ to manage policies for DMZ servers and laptops which infrequently connect to our network. The agent handler was installed after downloading the latest version of epolicy orchestrator 4.5.0.937 (ePO450P3) and installing the agent handler from the agent handler folder. I then copied the contents of the RepoCache folder (C:\Program Files (x86)\McAfee\Agent Handler\DB\RepoCache) from the epolicy server to the AH and made sure I was able to update from it.

       

      The AH has been configured to get updates from itself as a repository and can be seen "checking update packages from repository" and attempting to download, but it fails. Similarly it can be seen uploading events to the epolicy server; however, it does not actually update. After checking the RepoCache folder where the updates are stored I have noticed that it is completely out of sync with the epolicy server and has not updated since the day it was created two weeks prior. As a result none of the devices using the agent handler have updated even though they can be seen communicating with the AH to get updates. They all fail with the "unable to find a valid repository" error.

       

      All the relevant ports between the epolicy server and the agent handler and between the agent handler and the SQL server have been opened after consulting the McAfee white paper. In addition, port 443 has been opened between the AH and epolicy server even though that was not in the white papers, as after speaking to McAfee (a support call is now with 3rd line after 3 weeks of troubleshooting) they confirmed the AH was attempting to communicate with the epolicy server on that port. I have confirmed that all the relevant ports are open.

       

      I can't think of anything I might have missed. I have made communication bi-directional to facilitate troubleshooting, I have reinstalled the AH and finally logged a call with McAfee, who appear to be stumped. Any help here would be greatly appreciated as I have no idea where I am going wrong. Thanks

        • 1. Re: Agent Handler in DMZ not syncing with epolicy server

          Further to the above, I forgot to mention that all the devices which get their updates from the AH are actually visible on the epolicy server as using the AH for their repository even though the signatures are up to date, which probably suggests the communication between the AH and SQL is working.

          • 2. Re: Agent Handler in DMZ not syncing with epolicy server
            JoeBidgood

            The AH has been configured to get updates from itself as a repository

             

            Can you explain a bit more what you mean by this? In order for agents to use the repocache on an agent handler, they should be configured to use the ePO server (i.e. the master repo) as the source for their updates. When an agent talks to an agent handler (both for ordinary comms and for updates / deployments) it effectively thinks it's talking to the main ePO server...  when the client machine asks for a file, the AH checks its repocache and if the file is missing, requests it from the main ePO server. In order for it to successfully retrieve the file, the agent-to-server communication port (80 by default - not the secure port, which is 443 by default) needs to be open on the firewall between AH and main ePO server.

             

            HTH -

             

            Joe

            • 3. Re: Agent Handler in DMZ not syncing with epolicy server

              Thanks for the quick response.

               

              As the server acting as the agent handler is in the DMZ I want to keep communication with the internal network to a minimum. As a result I have configured the server acting as the agent handler in the DMZ to get its signature updates from the repocache folder which it hosts. The devices in the DMZ will not be able to communicate with the epolicy server directly, so when they are scheduled to get updates they communicate with the agent handler, which checks its cache and, if it is not up to date, retrieves the current files which the devices in the DMZ will update from. As the server acting as the agent handler is also in the DMZ it will also get its updates from the repocache folder.

               

              Ports opened are:

               

              Bi-directional communication between epolicy server and AH  >  8443, 8444, 80 and 443  (443 was opened to aid secure communication as the logs indicated it was failing)

              From AH to devices in the DMZ  one way  > 8081

              From Devices in DMZ to AH one way > 80, 443

              From AH to SQL one way > 1443

              (The epolicy server and SQL server are on the same network)

               

              I know bidirectional communication may not be necessary but I need to get this working before tying down the ports.  Thanks
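An added example, not from the thread, McAfee or ePO itself: a small Python checker for the TCP paths listed in the post above, meant to be run on the host that originates each path (the AH for the AH-to-ePO and AH-to-SQL checks, a DMZ client for the client-to-AH checks). The host names are placeholders and the port numbers are the ones the post lists; note that a default SQL Server instance listens on TCP 1433, so confirm which port the instance actually uses before relying on the 1443 entry. A TCP handshake succeeding only proves the firewall path is open, not that the service behind it accepts the AH's credentials.

```python
"""Check the TCP paths an ePO Agent Handler in a DMZ needs (ports taken from the post).

Added example with placeholder host names; not McAfee's own tooling.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PortCheck:
    """One expected TCP path: a label, the destination host and the destination port."""
    label: str
    host: str
    port: int


# Placeholder host names (assumption: substitute the real LAN/DMZ names).
EPO_SERVER = "epo.internal.example"
SQL_SERVER = "sql.internal.example"
AGENT_HANDLER = "ah.dmz.example"

# Paths that originate on the agent handler (ports as listed in the post).
FROM_AGENT_HANDLER: List[PortCheck] = [
    PortCheck("AH -> ePO 8443", EPO_SERVER, 8443),
    PortCheck("AH -> ePO 8444", EPO_SERVER, 8444),
    PortCheck("AH -> ePO 80 (agent-server comms, repository pulls)", EPO_SERVER, 80),
    PortCheck("AH -> ePO 443 (secure agent-server comms)", EPO_SERVER, 443),
    PortCheck("AH -> SQL 1443 (as listed; SQL default is 1433)", SQL_SERVER, 1443),
]

# Paths that originate on a DMZ client.
FROM_DMZ_CLIENT: List[PortCheck] = [
    PortCheck("client -> AH 80", AGENT_HANDLER, 80),
    PortCheck("client -> AH 443", AGENT_HANDLER, 443),
]


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    Any socket error (refused, timed out, unresolvable name) counts as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks: Iterable[PortCheck], timeout: float = 3.0) -> Dict[str, bool]:
    """Run every check and map its label to whether the path is open."""
    return {c.label: tcp_port_open(c.host, c.port, timeout) for c in checks}


def failed_paths(results: Dict[str, bool]) -> List[str]:
    """Labels of the paths that did not open, sorted for stable output."""
    return sorted(label for label, ok in results.items() if not ok)


def open_local_listener() -> Tuple[socket.socket, int]:
    """Demo helper: a loopback listener on an OS-chosen port, so the checker
    can be exercised offline. Close the returned socket to free the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python check_ah_paths.py ah      (run on the agent handler)
    #        python check_ah_paths.py client  (run on a DMZ client)
    role = sys.argv[1] if len(sys.argv) > 1 else "ah"
    checks = FROM_AGENT_HANDLER if role == "ah" else FROM_DMZ_CLIENT
    results = run_checks(checks)
    for label, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")
    sys.exit(1 if failed_paths(results) else 0)
```

Run it once from the AH and once from a DMZ client; a FAIL line names the exact path to chase on the firewall, which is quicker than reading the AH log for a connection error after the fact.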

              • 4. Re: Agent Handler in DMZ not syncing with epolicy server
                metalhead

                How did you configure to "update the AH from itself" ?

                 

                IMHO this is not possible because the update streaming function is incorporated in the AH.

                And further on there is no need for this because you already opened the port (80) so the AH can directly get and stream updates from the epo server.

                 

                Please post the AHs log and an ePO console AH configuration screenshot.

                • 5. Re: Agent Handler in DMZ not syncing with epolicy server
                  JoeBidgood
                  As a result I have configured the server acting as the agent handler in the DMZ to get its signature updates from the repocache folder which it hosts.

                   

                   

                  Can you clarify this a bit? If by this you mean (for example) you've shared the repocache folder and then configured the agents to update from this share, then this is definitely not going to work: the agent in this case would be expecting to see a full repository, which the repocache is not. Instead you need to configure the agents to update from the master repository.

                   

                  HTH -

                   

                  Joe

                  • 6. Re: Agent Handler in DMZ not syncing with epolicy server
                    If by this you mean (for example) you've shared the repocache folder and then configured the agents to update from this share, then this is definitely not going to work: the agent in this case would be expecting to see a full repository, which the repocache is not. Instead you need to configure the agents to update from the master repository.

                    Hi Joe, funny enough but that is exactly what I did. However, when you suggest that the agents need to update from the master repository, correct me if I'm wrong but I thought the point of placing an agent handler in the DMZ was that it was to provide communication and policy updates between the master repository and the devices in the DMZ. The master repository is on the LAN so the agents should not be able to communicate with it directly.

                    • 7. Re: Agent Handler in DMZ not syncing with epolicy server

                      And further on there is no need for this because you already opened the port (80) so the AH can directly get and stream updates from the epo server.

                       

                      Please post the AHs log and an ePO console AH configuration screenshot.

                      Thanks metalhead

                       

                      The AH is able to update when the master repository is added to the list of repositories it can update from. However, if the signatures on the AH are up to date, does this guarantee its cache is up to date for devices which update from it, as the devices behind it are still not updating. (Btw which particular log file do you need me to provide. Thanks)

                       

                      [Attachment: agent Handler.jpg]

                      • 8. Re: Agent Handler in DMZ not syncing with epolicy server
                        JoeBidgood

                        That's correct... when an agent is configured to use the master repo, and is also configured to talk to an agent handler, when it performs an update it *thinks* it's talking directly to the master: in fact it's talking to the AH. If it requests a file that the AH doesn't have, then the AH gets the file from the master repo and then caches it locally: that way if you have 10,000 machines talking to an AH and requesting an update file it only has to pull the file across once rather than 10,000 times.

                         

                        The agents don't talk to the master directly, only to the AH: but they don't know any differently.

                         

                        HTH -

                         

                        Joe

                        • 9. Re: Agent Handler in DMZ not syncing with epolicy server

                          Thanks for that. I have included the Master Repository as one of the two repositories the DMZ clients can update from (the other being the agent handler) and reinstalled the agent. In the AutoUpdate Repository list I now have the two repositories; however, when I force an update from the DMZ client, I still get the "Failed to download from repository" error in the log files and an "Error occurred when downloading catalog z." Thanks for the help so far. Any ideas?
