7 Replies Latest reply on Oct 13, 2011 3:39 AM by JoeBidgood

    443 dependencies?

      Just converted a machine from ePO 4.0 to 4.5. Now under Configuration -> Server Settings -> Ports, there is a new field that says "Agent to Server Communication Secure Port". We have it configured to port 443. This Secure Port field did not exist in 4.0. Will ASCI not occur if 443 is blocked, or does communication still occur over 80 and 591? Why does this new port exist, and does it necessitate a rule creation? We are seeing a communication issue on machines with a 4.5 McAfee agent.

      Thanks in advance.

        • 1. Re: 443 dependencies?
          hem

          We have improved much more secure communication between the ePO server and the client machine through port 443.

          All the client machine's secure info like IP address, machine name, domain etc. will be sent to the ePO server through this port. This is a new feature in MA 4.5 and was not in version 4.0.

          If you don't want to use port 443 then ASCI will work even with port 80.

          The only thing is that you are compromising on security. You are sending your machine/network information through a non-secure channel.

          • 2. Re: 443 dependencies?
            JoeBidgood

            "The only thing is that you are compromising on security. You are sending your machine/network information through a non-secure channel."

            I'm afraid that's spectacularly wrong. Comms over port 80 are in no way "non-secure": they are secured by McAfee's SPIPE protocol. ePO 4.5 with MA 4.5 introduces the ability to use SSL, thereby ensuring the entire communication is encrypted using well-known and well-understood protocols.

            The introduction of this feature simply gives administrators a choice, and also allows ePO to comply with any company policies that require the use of certificate-based encryption.

            Joe

            1 of 1 people found this helpful
            • 3. Re: 443 dependencies?

              Thanks for the responses.

              I'm kind of disappointed that an upgrade from ePO 4.0 to 4.5 has left us now with agents that could not communicate. We made the rule to allow a bidirectional 443 connection for now, but what if we wanted to still run our connections over port 80? How are we able to change back?

              • 4. Re: 443 dependencies?
                hem

                Apologies for the incorrect answer.

                • 5. Re: 443 dependencies?
                  JoeBidgood

                  If you go to server configuration / ports, you can disable the agent-to-server secure port. This modifies the sitelist and tells the client machines to try to connect to the agent-to-server port rather than the secure port. (Please note it doesn't stop the ePO server listening on the secure port: it just tells the clients not to try to talk to it.)

                  HTH -

                  Joe

                  • 6. Re: 443 dependencies?
                    msimard

                    Sorry to drop in on this again, but by switching an already-443 setup back to 80 on the server, do you still have to re-deploy the agent to every node, like when changing the port from 443 to something custom? Or is this switch possible without re-deployment?

                    Thanks a lot

                    • 7. Re: 443 dependencies?
                      JoeBidgood

                      Nope - as long as the agents can still talk to 443, then they will make one last connection to the server on 443, get given the new sitelist, and from that point on will use 80 (using the ports that you mention as examples.)

                      If however the machines cannot talk to the server on 443 - for example if someone has implemented a firewall that blocks 443 between client and server - then you'll need to redeploy.

                      HTH -

                      Joe