13 Replies Latest reply on Jan 8, 2013 10:20 PM by smalldog

    Simple question - different server IP behind NAT

      I have this configuration:

      Server IP with address, for example: 123.123.123.123 in internal LAN

      From the internet it is visible on address, for example: 111.222.111.222

      I have created rules on NAT and firewall so that all ports used by the agent sending to 111.222.111.222 are transferred to internal 123.123.123.123

      Question:

      I know how to install the agent manually, but how do I manually install (or configure) the agent so that it uses the external IP 111.222.111.222 to communicate with the server instead of the internal 123.123.123.123?

        • 1. Re: Simple question - different server IP behind NAT
          Attila Polinger

          Hello,

          I assume you have ePO version 4.5 or later, as well as external and internal clients. For external clients you need to plant an Agent Handler in the DMZ. More about this here: https://kc.mcafee.com/corporate/index?page=content&id=PD22508&actp=search&viewlocale=en_US&searchid=1327490051436

          To define a public DNS and IP for the agent handler, please go to Configuration - Agent Handler. This will modify the sitelist. Once done, extract the agent installer from ePO and use that on new clients.

          (If you have only external clients, you do not necessarily need an additional Agent Handler; ePO plays this role, too.)

          Attila

          • 2. Re: Simple question - different server IP behind NAT

            I have no DMZ and no other free equipment.

            I just want the agent, after install, to try to communicate with the external server IP, not the internal IP.

            After manual agent installation, when I checked the internet connections, I see that the agent still tries to communicate with the internal server IP. How do I force it to try to communicate with the external server IP?

            • 3. Re: Simple question - different server IP behind NAT
              Attila Polinger

              The logic remains the same, then please ignore my references to DMZ and agent handler and go to the said menu and do what I recommended on the ePO server entry. This is the same as if you did it on an agent handler. You need to assign a public dns and ip to the epo server and then it automatically gets into the sitelist. You extract the agent installer from epo once it is done and install manually on clients.

              • 4. Re: Simple question - different server IP behind NAT

                Hello,

                I'm also interested in how you publish an EPO without an Agent handler.

                I don't really understand your description. I understand that you have to set up a DNS record for the external IP address. But what more do you have to do? And does the DNS FQDN need to have the same DNS suffix externally as you do internally? If you for example have a local domain named addomain.local and the EPO server's FQDN is epo01.addomain.local, can you publish this EPO on the Internet without a handler?

                 

                Thanks

                /Freddie

                • 5. Re: Simple question - different server IP behind NAT
                  Attila Polinger

                  Hello,

                  ePO itself is considered an agent handler.

                  You do the process at ePO level and at company network level: at ePO level you go to Configuration - Agent Handler; click on the agent handler statistics, which normally brings up the ePO server as the only entry. Click on the name and define a public IP and public DNS name (this will then appear in the ePO sitelist*). The public DNS name is usually entirely different from the FQDN name inside the company and may reflect the company domain name (like epo01.company.com).

                  At company network level: you would create this public DNS name and IP in your company DNS server's public zone (I'm not a DNS expert) so it is replicated to internet public DNS servers.

                  I would say you need to define firewall rules, too, so incoming requests to epo server public name:port are properly translated to internal addresses:ports (and vice versa).

                  We do it similarly in one of our branch companies for several external clients and one ePO server in the company DMZ, with no other agent handler.

                  * The new sitelist will get downloaded by clients and get incorporated in the agent installer, too. Extract the agent installer and install it on clients permanently located outside the company.

                  • 6. Re: Simple question - different server IP behind NAT

                    > If you for example have a local domain named addomain.local and the EPO server's FQDN is
                    > epo01.addomain.local, can you publish this EPO on the Internet without a handler?

                    I have done it this way:

                    1. I modified the agent handler settings: put in the external IP and DNS name (I put the internal DNS name but it doesn't matter, because I have no external DNS for this IP. Anyway, as I understand it, the agent first tries to connect to the IP address).

                    2. The change caused the installation package for the agent to be rebuilt with the new address. So I copy the new installation package, and I am just sending the package by mail with an installation .bat file (I created it manually) to all users outside the company. So they have to run it themselves.

                    3. Next I changed the agent handler settings back.

                    One important thing is that I have to add a new repository visible from outside the company.

                     

                    For now in tests it works but I will see what will be in future.

                    • 7. Re: Simple question - different server IP behind NAT

                      Cool! But I don't understand step 1. How do you modify the Agent Handler settings without actually installing a handler?

                       

                      And why do you need a repository outside. Why can't the PCs just use the primary repository as you have access to it from the Internet?

                       

                      Thanks!

                      /Freddie

                      • 8. Re: Simple question - different server IP behind NAT

                        When you go to configuration there is one default Handler - just the server itself.

                        And about the repository: I don't know. But during tests with the default repository it didn't work. Maybe the server sends the IP of the server to agents as the IP of the main repository, but the IP of the server is the internal IP, not visible from outside.

                        Maybe.

                        When I created a second repository I can just put any address I want. I had an FTP server published to the internet, so I just put the distributed repository there.

                        • 9. Re: Simple question - different server IP behind NAT

                          Configuration -> Agent handler

                          What should I do when I'm there?

                           

                          Regarding the repository it sounds like you don't have the correct ports open. Just a guess.

                           

                          Thanks!

                          /Freddie
