Due to a recent project I have been working on, a question was asked regarding the possibility of managing remote agents if they were behind a NAT device. As far as I can tell (I may be wrong!), McAfee documentation seems to point to the only way around this being the use of Agent Handlers, and it uses the term NAT without distinguishing between the two standard types, NAT (1:1) and PAT (many:1). With a 1:1 NAT we have discovered that it is possible to manage (by 'manage' in this case, I mean 'send wake-up calls to') through a NAT device, via use of a SuperAgent. There are 3 constraints to this:
1) The SuperAgent *must* have a static 1:1 NAT (all other agents on the same subnet can be PATted).
2) The SuperAgent is, of course, located on the same subnet as all the other managed hosts that you need managed in this way (in the case of multiple NATted subnets, at least one SuperAgent must be present on each).
3) The SuperAgent is on most of the time...
The test I had was as follows:
1) SuperAgent IP: 10.0.2.75 / 24 (NATted to 10.100.2.75. All other 10.0.2.x / 24 hosts are PATted to 10.100.2.76)
2) ePO IP: 192.168.1.203 / 24
3) ePO server hosts file included the line: 10.100.2.75 <SUPERAGENTHOSTNAME> # this is a test environment, and getting this to work in production may require thought on DNS infrastructure, but hey, it's a start...
When sending a SuperAgent wake-up call from ePO to <SUPERAGENTHOSTNAME>, the first thing it does is try to contact the host via hostname (it does not try the last known IP first; it goes DNS -> NetBIOS -> last known IP, although I haven't found any documentation on this so far. That's not to say it doesn't exist, I just haven't found it!). This obviously resolves to 10.100.2.75. The wake-up call goes out on 8081/tcp toward 10.100.2.75, gets translated to 10.0.2.75 and delivered (confirmed with a Wireshark capture). Then, before the 8081/tcp connection is torn down, an 8082/udp broadcast is sent out, which will reach all 10.0.2.x hosts.
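To make the path above concrete, here is an added worked model of it in Python. It is example code written for this write-up, not McAfee's or the original poster's code, and it does not talk to a real ePO server or NAT device: it parses a constructed hosts file (standing in for DNS), applies a constructed static 1:1 NAT table and PAT address, and then computes which internal hosts the SuperAgent's 8082/udp subnet broadcast reaches. All addresses, hostnames (SUPERAGENT01, AGENT10) and function names are assumptions; the two ports are the ones named in the post.

```python
import ipaddress

# Constructed hosts file on the ePO server (assumed values modelled on the lab above).
HOSTS_FILE = """\
# ePO server hosts file (constructed for this example)
127.0.0.1   localhost
10.100.2.75 SUPERAGENT01
"""

# Static 1:1 NAT table on the NAT device: external address -> internal address (assumed).
STATIC_NAT = {"10.100.2.75": "10.0.2.75"}

# Every other 10.0.2.x host is PATted out through this single external address (assumed).
PAT_EXTERNAL = "10.100.2.76"

# Internal hosts behind the NAT device; 10.0.3.20 is on a different subnet (assumed).
INTERNAL_HOSTS = ["10.0.2.75", "10.0.2.10", "10.0.2.11", "10.0.3.20"]
PREFIX_LEN = 24

WAKEUP_TCP_PORT = 8081   # ePO -> SuperAgent wake-up call
WAKEUP_UDP_PORT = 8082   # SuperAgent -> subnet broadcast to the other agents


def resolve_hostname(name, hosts_text=HOSTS_FILE):
    """Resolve a name from hosts-file text (stands in for DNS); returns None if unknown."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def translate_inbound(external_ip, static_nat=STATIC_NAT):
    """Inbound translation: only a static 1:1 entry can deliver an unsolicited packet.
    The shared PAT address has no inbound mapping, so the lookup returns None for it."""
    return static_nat.get(external_ip)


def translate_outbound(internal_ip, static_nat=STATIC_NAT, pat_external=PAT_EXTERNAL):
    """Outbound translation: 1:1 hosts keep their static address, all others share PAT."""
    for external, internal in static_nat.items():
        if internal == internal_ip:
            return external
    return pat_external


def broadcast_targets(superagent_ip, prefix_len=PREFIX_LEN, hosts=INTERNAL_HOSTS):
    """Hosts that hear the SuperAgent's subnet broadcast: same IP network only."""
    net = ipaddress.ip_network(f"{superagent_ip}/{prefix_len}", strict=False)
    return sorted(h for h in hosts if ipaddress.ip_address(h) in net)


def simulate_wakeup(hostname, hosts_text=HOSTS_FILE):
    """Walk the wake-up path from ePO and report what each hop produced."""
    result = {"hostname": hostname, "resolved": None, "internal": None, "woken": []}
    # Step 1: ePO resolves the SuperAgent hostname (DNS / hosts file in the lab).
    result["resolved"] = resolve_hostname(hostname, hosts_text)
    if result["resolved"] is None:
        result["error"] = "name does not resolve"
        return result
    # Step 2: the 8081/tcp wake-up call must be translated inbound by a 1:1 entry.
    result["internal"] = translate_inbound(result["resolved"])
    if result["internal"] is None:
        result["error"] = (f"{result['resolved']} has no static 1:1 NAT; "
                           f"{WAKEUP_TCP_PORT}/tcp cannot be delivered inbound")
        return result
    # Step 3: the SuperAgent broadcasts 8082/udp on its own subnet.
    result["woken"] = broadcast_targets(result["internal"])
    return result


if __name__ == "__main__":
    print(simulate_wakeup("SUPERAGENT01"))
    # A PATted agent cannot be targeted directly, even with a hosts entry for it.
    print(simulate_wakeup("AGENT10", "10.100.2.76 AGENT10\n"))
```

The second call in the `__main__` block shows the failure mode the post's first constraint is about: a hosts entry pointing at the shared PAT address resolves fine, but there is no inbound mapping for it, so the 8081/tcp call never reaches an agent. Note also that 10.0.3.20 is not in the woken list: a SuperAgent only covers its own subnet, which is the second constraint.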
And we're done! It makes sense that the ePO server tries the DNS name first, because you can have a DHCP environment, but for some reason before I tested this I thought it was last known IP (I may have been getting confused with agent ASCI, as the agent tries the last known IP of the ePO server first). Also, as said, the DNS side of things *may* get tricky: as far as I know, in DHCP environments the real IP is registered with the domain DNS, not the NATted IP. That gives people another challenge anyhow.
This may or may not help anybody at all, but it is something new that I learned today. Hopefully it can be of benefit to others!
PS - Also related to this project was a query regarding SuperAgents with multiple NICs - for more info see https://community.mcafee.com/message/208440