6 Replies Latest reply on Feb 7, 2012 1:20 PM by thelostgirl

    Agent Handler in DMZ with Endpoint Encryption

      I’m running Endpoint Encryption 6.1.1 and EPO 4.5. and I’ve set up an agent handler in my DMZ to manage machines that are connecting via the web.


      It’s working up to a point.  The machines out on the web seem to be talking OK to the AH as their last communication time is being displayed in the EPO, however any policy/configuration changes I make to Endpoint Encryption settings in the EPO don’t flow back down the machines connected via the web.


      I’ve got all of the required firewall ports open and I’ve put DNS entries in place so that AH knows about the EPO and SQL servers and visa-versa.


      Has anyone got any ideas why this wouldn’t work?  Do I have to set up a distributed repository on my AH in the DMZ?





        • 1. Re: Agent Handler in DMZ with Endpoint Encryption

          What does the McAfee Agent log on an affected client look like ?

          Cheers Tom

          • 2. Re: Agent Handler in DMZ with Endpoint Encryption

            Hi Adrian, I have a similar question entered. I was wondering, how did you manage to make the machines talk to the agent handler in DMZ when they are connecting via the web? Your advice is appreciated. Thanks!

            • 3. Re: Agent Handler in DMZ with Endpoint Encryption

              In order to do the trick you need a valid Public IP address. That IP address is asigned to the server handler at the DMZ. Then you configure the DMZ Handler information into the epo console in the Agent Handler section. At first the machines need to be in contact with the ePO Primary Console in order to get the new information (DMZ Handler), once the machines has the new information they will be able to connect to the DMZ Handler because it will have the public IP address to look for.


              I'm not sure I answered the question but if you need more information let me know, I'll be happy to get back to you.




              I also forgot to tell you that the corrects ports must be allowed in the Firewall for the DMZ Handler to communicate with the ePO Server (primary handler).


              Message was edited by: lrolon on 1/7/12 11:58:50 PM CST
              • 4. Re: Agent Handler in DMZ with Endpoint Encryption

                Hi Irolon, thanks. I asked our Networking team to assign an external IP address to the agent handler server in DMZ. Am I right to assume that the information is to be put in the published IP address field in ePO? But I do believe that the machines are able to connect to the agent handler server in DMZ as I created an assignment rule and I am seeing some machines connecting to the DMZ server.

                • 5. Re: Agent Handler in DMZ with Endpoint Encryption

                  Hello thelostgirl,


                  I told you I will let you know our implementation so this is how it goes.

                  I just wanted tell you that we are testing the agent handler in the dmz and is working just fine. what we do is that we assigned an external IP address and also create a dns record, so we can configure the agent handler by name in case we change that IP in the future. Then I configured the agent handler in the epo console just like you said. The published IP is the external IP address and for the name I used the dns record we assigned. In the firewall we allowed all traffice from the internet to the AH only the ports necesary for the agents to comunicate, and from the dmz to internal lan we allowed the same ports but also the port for the Database so the AH can communicate with the database. As the results, I was be able to Install DLP, EEPC and other software, also I did activate the encryption for the laptop and did decrypted again. So we were able to apply policies, we did some software installation and uninstall. So, we are ready for Production next week.

                  • 6. Re: Agent Handler in DMZ with Endpoint Encryption

                    Hi Irolon, thanks for the update. Glad yours is working as planned. I already have the external IP address but am just waiting for advice about the name. I might ask you a few more questions after all that is done. Thanks!