4 Replies Latest reply on Jul 12, 2011 10:28 AM by relayer77

    Agent Handler or ePO? Agents not talking to the right box!

    relayer77

      Platform: W2K3 SP 2, ePO 4.5 patch 4, MA 4.5 patch 2

       

      We've deployed an AH (agent handler) in the DMZ. The assignment rules are set up in ePO 4.5 (patch 4) so that DMZ systems should talk to the AH, and all other systems should communicate only with the ePO server. The ePO itself and the AH are the only AHs in the network.

      The DMZ systems do communicate with the AH. We had some trouble at first getting them to do this, but DNS problems were solved and they are fine now.

       

      Trouble is, we created a new agent (new systems | create and download agent installation package) after deploying the AH. Now, when we install that frame package on a new system, no matter where it is, inside or outside the DMZ, it tries to communicate with the AH inside the DMZ! It of course fails if it's outside the DMZ, and then it does NOT fail over to the ePO server itself.

       

      The sitelist.xml file that is created has the AH in the DMZ first, and the ePO 2nd, but when the system fails to communicate with the AH it does not go on to communicate with the ePO server. It just fails.

       

      I don't understand why the AH is

       

      A) even showing UP in the sitelist.xml for non-DMZ systems. Shouldn't this be determined by the AH settings in menu | configuration | Agent handler | assignment rules? If I state in those rules that I want non-DMZ systems to communicate only with the primary ePO (which I have), I don't think the AH should even show UP in those systems covered by that assignment rule.

       

      B) Showing up FIRST in the list in that sitelist.xml! This seems totally contrary to our AH settings.

       

      In the assignment rules, we have it configured for DMZ systems to try DMZ AH and then fail over to ePO, and for non-DMZ systems to go to ePO only and NOT fall back to DMZ AH.

       

      Luckily, we kept an old version of the framepkg around from before we deployed the AH.

       

      If we deploy this version to a system outside the DMZ, it works fine. Systems in the DMZ have not been tried, don't want to mess with them as they are working fine now.

       

      Any tips are appreciated! I'm under time constraints and really need to get this figured out.

        • 1. Re: Agent Handler or ePO? Agents not talking to the right box!
          nbaumann

          Hi,

           

          AFAIK, you should include all AHs in any assignment rule and only order the list corresponding to what AH you want to prefer to contact from that network.

          I had a similar issue when I set up our environment initially. I was told either by McAfee support or our distributor (don't remember, sorry) that the logic to assign an agent handler rule to an agent is processed on the server and not on the agent. That's why you would need to include all AHs.

           

          I saw external clients trying to contact the internal ePO until they timed out and fell back to the external AH. Then they updated their agent handler assignment rule and on the next communication interval they started to contact the external AH initially. However, we could have been affected by DNS issues also because we still have our internal ePO resolvable on the external DNS server for historical reasons. It wouldn't be a bad idea to get rid of these entries soon.

           

          regards,

          Nik

           

          Message was edited by: nbaumann on 7/11/11 9:32:27 PM CEST
          • 2. Re: Agent Handler or ePO? Agents not talking to the right box!
            relayer77

            Thanks, but in this case the client won't fall back even though both Agent Handlers are (not by any design of mine) showing up in the sitelist.xml.

            Has anyone seen a difference in how clients behave in this kind of scenario based on which options you choose when you build the agent installation package?

            i.e. you choose 'all handlers' or you 'choose handler'.

             

            Thanks!

            • 3. Re: Agent Handler or ePO? Agents not talking to the right box!
              nbaumann

              AFAIK, you should have an <SpipeSite Type="master" entry in sitelist.xml (%allusersprofile%\Application Data\McAfee\Common Framework) for each AH.

               

              In our configuration, I created assignment rules. For "agent criteria" I only configured IPv4 ranges.

               

              Rule 1: cover internal IP range, "use custom handler list", added all AH, prioritized the internal ePO

              Rule 2: cover external IP ranges, "use custom handler list", added all AH, prioritized the external AH

              Rule 3: standard rule, use all AH

               

              When obtaining the agent package by "create and download agent installation package", I do not have an option to limit the agent to a specific agent handler (ePO 4.6 / Agent 4.5 patch 2).

               

              regards,

              Nik
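
One way to check what the thread keeps coming back to, namely which handlers a client's sitelist.xml lists and in what order, and whether that matches the assignment rule you intended. This is an added example, not part of the original posts and not McAfee code; the sample file is constructed, and the `Order`, `Enabled`, `Name` and `Server` attribute names and the host names are assumptions about the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread. The Order, Enabled, Name and
# Server attributes are assumptions about the sitelist.xml layout.
SAMPLE_SITELIST = """\
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="constructed-sample">
    <SpipeSite Type="master" Name="DMZ-AH" Order="1" Enabled="1"
               Server="dmz-ah.example.test:443"/>
    <SpipeSite Type="master" Name="EPO01" Order="2" Enabled="1"
               Server="epo01.example.test:443"/>
    <SpipeSite Type="master" Name="OLD-AH" Order="3" Enabled="0"
               Server="old-ah.example.test:443"/>
  </SiteList>
</ns:SiteLists>
"""

def handler_order(xml_text):
    """Return the master SpipeSite entries sorted by their Order attribute."""
    handlers = []
    for el in ET.fromstring(xml_text).iter():
        # Compare local names so a namespace prefix does not hide the element.
        if el.tag.rsplit("}", 1)[-1] != "SpipeSite" or el.get("Type") != "master":
            continue
        handlers.append({
            "order": int(el.get("Order", "0")),
            "name": el.get("Name", ""),
            "host": el.get("Server", "").rsplit(":", 1)[0].lower(),
            "enabled": el.get("Enabled", "1") == "1",
        })
    return sorted(handlers, key=lambda h: h["order"])

def audit(xml_text, expected_first, not_expected=()):
    """List mismatches between the file and the intended assignment rule."""
    active = [h for h in handler_order(xml_text) if h["enabled"]]
    if not active:
        return ["no enabled master SpipeSite entry"]
    findings = []
    if active[0]["host"] != expected_first.lower():
        findings.append(f"first handler is {active[0]['host']}, expected {expected_first}")
    blocked = {h.lower() for h in not_expected}
    findings += [f"unexpected handler listed: {h['host']}"
                 for h in active if h["host"] in blocked]
    return findings

if __name__ == "__main__":
    # Non-DMZ system: the ePO server should come first, the DMZ AH not at all.
    for line in audit(SAMPLE_SITELIST, "epo01.example.test", ["dmz-ah.example.test"]):
        print(line)
```

Running it against the sitelist.xml inside an old and a new install package, before deployment, shows whether the two packages differ in handler order.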

              • 4. Re: Agent Handler or ePO? Agents not talking to the right box!
                relayer77

                Thanks. I double-checked the installation package details, and the only setting there that has to do with AH is if you push an agent to a system in the current branch of the system tree you're in. You can simply choose which handler to use to do that push... so this won't help.

                 

                We don't have IP ranges in the assignment rules, just groups from the system tree that we browsed to.

                 

                We'll try this.