16 Replies. Latest reply on Jan 10, 2012 10:42 PM by lrolon

    Agent Handler in DMZ for remotely-connected machines

      Hi All,

      I was able to configure an agent handler in the DMZ but was wondering if anyone can advise on my query. Basically our agent handler will serve as the go-to server for those machines that are remotely connected to our network (like those in the office but connected through Wi-Fi, or those connecting via VPN).

      Does anyone know how we can do it? I have set up an assignment rule within ePO and included the VPN-related IPs but it did not work. Appreciate it.

      Thanks!

      Karen

        • 1. Re: Agent Handler in DMZ for remotely-connected machines
          Attila Polinger

          Hi Karen,

          I've never done similar things, but I have a few fragments of information that might be useful. First, though, a question: what exactly is your problem?

          Tips as promised: when using an agent handler, the order of sitelist elements must be such that the agent handler precedes the ePO server for remote clients (so they contact it first). Secondly, can the remote clients see the agent handler at all when they connect via VPN?

          I hope I could have been a tiny bit of help to you, and I hope someone with more knowledge on AH usage will reply soon.

          Attila

          • 2. Re: Agent Handler in DMZ for remotely-connected machines

            Hi Attila,

            Thanks for responding. So to make it clear, what we need to figure out is how to make those machines that are connected externally (for example, those on Wi-Fi) get DAT updates as necessary even if they are not on the network. I know I mentioned VPN but that should not be included, sorry.

            Our end goal is for those machines to be protected and updated even if they are connected to our network. Do you have any idea how we can do it?

            Thanks,

            Karen

            • 3. Re: Agent Handler in DMZ for remotely-connected machines
              jstanley

              I don't know your exact network topology so I could be wrong here, but VPN clients should not require an AH in the DMZ, as once they establish a VPN connection they should be on your internal network.

              At any rate, if you need external clients to communicate with an AH in the DMZ, the first question I would have is: does the DMZ AH have an externally routable IP (i.e. a public IP)? If it does not, then do you have a port-forwarding rule forwarding inbound traffic on your standard and secure ASCI ports (default 80 and 443) that hits your public IP on to the AH? Finally, you need to edit your AH settings and in the "published IP address" field enter the public IP address. You could also do the same for the published DNS name if you have one of those.
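
As an added example (not McAfee's code and not from anyone in this thread), here is a small Python check for the two points raised in the reply above: whether the address you intend to enter as the "published IP address" is actually routable from the Internet, and whether the default ASCI ports 80 and 443 accept connections on it. The sample addresses in it are constructed; the `assess_agent_handler` helper takes the probe as a parameter so the reachability step can be swapped for a stub when you only want the address classification.

```python
"""Sanity checks before pointing off-network agents at a DMZ agent handler.

Added example, not McAfee's code. It checks (1) that the published IP is
globally routable, and (2) that the default agent-server communication
ports answer on that address. Sample addresses below are constructed.
"""
import ipaddress
import socket
import sys

# Default agent-server communication (ASCI) ports mentioned in the thread.
DEFAULT_PORTS = (80, 443)


def classify_published_ip(address: str) -> dict:
    """Say whether an address can serve as a published IP for external clients.

    Returns a dict with 'valid' (parses as an IP), 'public' (globally
    routable) and a short 'reason' explaining the verdict.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return {"address": address, "valid": False, "public": False,
                "reason": "not an IP address"}
    # Special-purpose ranges first, so loopback is not reported as "private".
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        reason = "loopback, link-local, multicast or unspecified"
    elif ip.is_private:
        reason = "private range; needs NAT plus a public published IP"
    elif not ip.is_global:
        reason = "not globally routable"
    else:
        reason = "globally routable"
    return {"address": address, "valid": True, "public": ip.is_global,
            "reason": reason}


def probe_ports(host: str, ports=DEFAULT_PORTS, timeout: float = 3.0) -> dict:
    """TCP-connect to each port. True only means something accepted the
    connection; it does not prove the listener is the agent handler."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def assess_agent_handler(published_ip: str, probe=probe_ports,
                         ports=DEFAULT_PORTS) -> list:
    """Return a list of findings; an empty list means both checks passed.

    'probe' is injectable so the reachability step can be stubbed out.
    """
    findings = []
    info = classify_published_ip(published_ip)
    if not info["valid"]:
        findings.append(f"{published_ip}: {info['reason']}")
        return findings
    if not info["public"]:
        findings.append(f"{published_ip}: {info['reason']}; external clients "
                        "cannot reach this address directly")
        return findings
    for port, accepted in probe(published_ip, ports).items():
        if not accepted:
            findings.append(f"{published_ip}:{port} refused or timed out; "
                            "check firewall or port-forwarding rule")
    return findings


if __name__ == "__main__":
    # Constructed samples: a private LAN address, a well-known public one,
    # and a typo. Run with a real published IP as argv[1] to probe the ports.
    for sample in ("10.0.5.20", "8.8.8.8", "not-an-ip"):
        print(classify_published_ip(sample))
    if len(sys.argv) > 1:
        problems = assess_agent_handler(sys.argv[1])
        print("\n".join(problems) if problems else "published IP looks reachable")
```

Run it from a machine outside your network (a home connection or a phone hotspot) rather than from the LAN, since the whole point is the external path. A passing port probe still only tells you that the firewall or port-forward rule delivers the connection somewhere; confirm it is the agent handler by checking the handler's own logs for the test connection.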

              • 4. Re: Agent Handler in DMZ for remotely-connected machines

                Hello, yes I believe you are right (that VPN clients should not have to connect to the AH in DMZ). Let me reach out to our Networking team and find out about your questions. Thank you!

                • 5. Re: Agent Handler in DMZ for remotely-connected machines
                  JoeBidgood

                  Another question would be: do we even need an agent handler at all? As I understand it, what you're interested in is making sure that the machines can update their DATs - is this correct? If so, and you're not that worried about the machines being able to talk to ePO when they're outside the LAN (or VPN), then all we need to do is make sure the machines can reach a repository when they're off the network.

                  You could either do this by configuring an externally-facing repo in your DMZ, controlled by ePO, or simply configure the machines to use the McAfee site as a fallback repository - that way, if they can't reach an ePO-controlled repo, they'll use the default McAfee site for their updates.

                  HTH -

                  Joe

                  • 6. Re: Agent Handler in DMZ for remotely-connected machines

                    Hi Joe,

                    Good question. Yes, I would say we would need an agent handler in the DMZ as well, for failover purposes. And also, as you mentioned, for machines outside the network to have their DATs updated.

                    Do you know if McAfee has a guide about configuring an externally-facing repo or using the McAfee site as a fallback repository? I think I have seen some KB articles related to them before but I'm not sure if they are detailed.

                    Thanks!

                    • 7. Re: Agent Handler in DMZ for remotely-connected machines
                      JoeBidgood
                      > Yes I would say we would need an agent handler in the DMZ as well, for failover purposes.

                      Can you clarify a bit what you mean here? The reason I ask is that an AH in the DMZ is not going to be much use for failover purposes, as (presumably) the client machines on the LAN won't have access to it... I might be missing something though.

                      > And also, as you mentioned, for machines outside the network to have their DATs updated.

                      I think I might not have been clear enough - what I was getting at was exactly the opposite. My point was that you don't need an agent handler for the client machines to update from (although it can perform that function if required) - all you need is a distributed repository.

                      > Do you know if McAfee has a guide about configuring an externally-facing repo or using the McAfee site as a fallback repository? I think I have seen some KB articles related to them before but not sure if they are detailed.

                      Have a look at the "Setting up repositories" section of the ePO 4.6 Product Guide if you haven't already done so - but in a nutshell, assuming you have an HTTP or FTP server in your DMZ that is externally available, you can simply set up a folder on it to be your repository and configure a distributed repository in ePO accordingly. Otherwise, regarding the fallback site, that's even easier - you just have to configure it in the agent policy. (In fact I think the McAfee HTTP site is configured as the fallback by default.)

                      HTH -

                      Joe

                      • 8. Re: Agent Handler in DMZ for remotely-connected machines

                        Hi Joe,

                         

                        First of all, I am new at this, so bear with me.

                        With regards to failover purposes, it's not actually for machines outside the network. Just in case our network goes down (hopefully not), we would still be assured that the machines are updated. I may not be using the proper lingo but hopefully you know what I mean.

                        Ah ha, gotcha.

                        And yes, I am actually reading the guide now (again). The fallback site is already configured, as I checked. So I have to look more into what you said about the externally-facing repo. Thanks for the help!

                        Karen

                        • 9. Re: Agent Handler in DMZ for remotely-connected machines
                          JoeBidgood

                          No problem - everyone starts somewhere. If you're one of the lucky ones you get to start under your own steam rather than inheriting a (usually broken) installation from someone else, in the middle of an outbreak.

                          The most important thing to remember here is that an agent handler is not required for updating the DATs on machines. From what you're describing I think it's more likely that you don't need an agent handler at all; rather, you need a (fairly simple) distributed repository setup. Any questions, let us know.

                          Regards -

                          Joe
