In the EPO GUI: Server Settings > Server Certificates
Here you add the certificate you have previously created/acquired. After adding the certificate data you have to completely restart the EPO server. Now, that's all there is about EPO and HTTPS certificates. Everything else has nothing to do with EPO and must be done outside of it. You see, every computer has a certificate store locally (OS/browser) where all trusted certificate authorities are saved. If you come across an HTTPS site, the certificate is then checked/compared with the local store to see if it is trusted.
There are two ways to approach this. Either you have to create an official certificate with one of the authorities that are trusted by your clients/browsers, or you have to create your own certificate, but that would also force you to add your own root certificate to each and every system that so wishes to use your EPO GUI. If you are working in a big company you probably have your own authority or root certificate, and in that case you simply need to request a certificate internally. If not, then you might need to use VeriSign, GoDaddy, Comodo or a similar provider, and it most likely will cost you money and you have to be reviewed. So:
- Create your own root/SSL certificate (clients using your EPO need to install/add the root certificate)
- Acquire an official SSL certificate from a trusted CA (costs money and you have to be reviewed)
- Use your company CA and get a certificate from the people inside your company (only bigger companies have that)
Pick your poison.
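To make the first option concrete, here is an added example (not code from the thread or from any McAfee KB) that builds a private root CA with OpenSSL, issues a console certificate for an ePO host, and then runs the same trust check a client's store performs, once without and once with the root imported. It assumes openssl is in PATH and uses epo.example.internal as a placeholder hostname.

```shell
#!/bin/sh
# Added example, not code from the thread or from KB72477: build a private
# root CA with OpenSSL, issue a console certificate for an ePO host, and show
# that clients only trust it once the root is in their store.
# Assumptions: openssl is in PATH; epo.example.internal is a placeholder host.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EPO_HOST="${EPO_HOST:-epo.example.internal}"

# 1. Private root CA: rootCA.crt is what every client must import.
make_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.csr" \
        -subj "/CN=Example Internal Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/rootCA.ext"
    openssl x509 -req -in "$WORK/rootCA.csr" -signkey "$WORK/rootCA.key" \
        -days 3650 -sha256 -extfile "$WORK/rootCA.ext" \
        -out "$WORK/rootCA.crt" >/dev/null 2>&1
}

# 2. Server key + CSR for the console, signed by the root. The SAN is what
#    browsers match against the URL; a CN alone is no longer enough.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/epo.key" -out "$WORK/epo.csr" \
        -subj "/CN=$EPO_HOST" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$EPO_HOST" > "$WORK/epo.ext"
    openssl x509 -req -in "$WORK/epo.csr" -CA "$WORK/rootCA.crt" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$WORK/epo.ext" -out "$WORK/epo.crt" >/dev/null 2>&1
}

# 3. The check a client's trust store performs. With no argument the default
#    (system) store is used, where the private root is absent, so it fails.
verify_server_cert() {
    if [ $# -gt 0 ]; then
        openssl verify -CAfile "$1" "$WORK/epo.crt" >/dev/null 2>&1
    else
        openssl verify "$WORK/epo.crt" >/dev/null 2>&1
    fi
}
make_root_ca
make_server_cert
if verify_server_cert; then echo "unexpected: trusted without the root"
else echo "not trusted: root missing from store (expected)"; fi
if verify_server_cert "$WORK/rootCA.crt"; then echo "trusted once rootCA.crt is imported"; fi
```

epo.key and epo.crt are what goes into ePO under Server Settings > Server Certificates (followed by the full restart the post mentions); rootCA.crt is what each client imports into its OS/browser store.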
Wow, a lot of great information, and just the type of information I'm looking for.
There is a KB which discusses using a custom SSL certificate with ePO 4.6 - but most of the steps apply to ePO 4.5. Check KB72477 - "How to generate a custom SSL Certificate for use with ePO 4.6 using OpenSSL toolkit" for details.
I am also unclear on some other points.
1. Is an Agent Handler required in every system? Our servers are all centrally located, with the exception of DR.
No, but a McAfee Agent is obviously required on each managed system. An Agent Handler is only needed if you want to manage different geographic or logical locations that have no (or a very slow) direct connection to the EPO server, or as a (worse) alternative to superagents or repositories to distribute the load of signature updating and unburden the EPO server. However, I'm managing EPO servers with about 5000 clients each scattered around our country without additional handlers or repositories. It works, although it is not something I would recommend.
So no, you probably don't need even one handler if all your managed systems are centralized and if there is no restrictive zone concept in effect with several VLANs, firewalls and other shenanigans.
An Agent Handler is only needed if you want to manage different geographic or logical locations that have no (or a very slow) direct connection to the EPO server, or as a (worse) alternative to superagents or repositories to distribute the load of signature updating and unburden the EPO server.
Hi - unfortunately this is incorrect (assuming that the SQL server is located close to the ePO server). Agent handlers should never be used over slow links - they require a permanent, high-speed, low-latency connection to the SQL server hosting the ePO DB. In extreme cases one AH over a very poor link can cripple the entire ePO installation, as it locks the DB for so long that nothing else gets done.
I agree that they are a much worse alternative to distributed repositories, though.
Thank you Joe, that is correct.
Agent Handlers require very good connectivity to the database!
2. Allow remote system to connect to local ePO server via Agent Handler in the DMZ
Please see the following document for more information.
Thanks to everyone who has posted.
I have a basic question. Can I operate successfully without an Agent Handler or distributed repositories? Can I run my repository local to the ePO server and no Agent Handler loaded on remote servers. If the answer is yes, I think I'm ready to move forward.
Absolutely. It depends to a large extent on how many client machines you will be managing, but it's entirely possible to run everything from one machine.
Agent handlers and distributed repositories are really there to take some of the load off the ePO server itself, but if that load is manageable by a single machine, they are not required.