I assume you have ePO version 4.5 or later, as well as external and internal clients. For external clients you need to plant an Agent Handler in the DMZ. More about this here: https://kc.mcafee.com/corporate/index?page=content&id=PD22508&actp=search&viewlocale=en_US&searchid=1327490051436
To define a public DNS and IP for the agent handler, please go to Configuration - Agent Handler. This will modify the sitelist. Once done, extract the agent installer from ePO and use that on new clients.
(If you have only external clients, you do not necessarily need an additional Agent Handler; ePO plays this role, too.)
I have no DMZ or other free equipment.
I just want the agent, after install, to try to communicate with the external server IP, not the internal IP.
After manual agent installation, when I checked internet connections, I saw that the agent still tries to communicate with the internal server IP. How do I force it to try to communicate with the external server IP?
The logic remains the same, then please ignore my references to DMZ and agent handler and go to the said menu and do what I recommended on the ePO server entry. This is the same as if you did it on an agent handler. You need to assign a public dns and ip to the epo server and then it automatically gets into the sitelist. You extract the agent installer from epo once it is done and install manually on clients.
I'm also interested in how you publish an EPO without an Agent handler.
I don't really understand your description. I understand that you have to set up a DNS record for the external IP address. But what more do you have to do? And does the DNS FQDN need to have the same DNS suffix externally as you do internally? If you for example have a local domain named addomain.local and the EPO server's FQDN is epo01.addomain.local, can you publish this EPO on the Internet without a handler?
ePO itself is considered an agent handler.
You do the process on ePO level and on company network level: on ePO level you go to Configuration - Agent Handler; click on the agent handler statistics, which normally brings up the ePO server as the only entry. Click on the name and define a public IP and public DNS name (this will then appear in the ePO sitelist*). The public DNS name is usually entirely different from the FQDN inside the company and may reflect the company domain name (like epo01.company.com).
On company network level: you would create this public DNS name and IP in your company DNS server's public zone (I'm not a DNS expert) so it is replicated to internet public DNS servers.
I would say you need to define firewall rules, too, so incoming requests to epo server public name:port are properly translated to internal addresses:ports (and vice versa).
We do it similarly in one of our branch companies for several external clients and one ePO server in the company DMZ, with no other agent handler.
* the new sitelist will get downloaded by clients and get incorporated in the agent installer, too. Extract the agent installer and install it on clients permanently located outside the company.
> If you for example have a local domain named addomain.local and the EPO server's FQDN is
> epo01.addomain.local, can you publish this EPO on the Internet without a handler?
I have done it this way:
1. I have modified the agent handler settings: put in the external IP and DNS name (I put the internal DNS name but it doesn't matter, because I have no external DNS for this IP. Anyway, as I understand it, the agent first tries to connect to the IP address).
2. The change caused the installation package for the agent to be rebuilt with the new address. So I copy the new installation package. And I am just sending the package by mail, with an installation .bat file (I have created it manually), to all users outside the company. So they have to run it themselves.
3. Next I changed the agent handler settings back.
One important thing is that I have to add a new repository visible from outside of the company.
For now in tests it works, but I will see what happens in the future.
Cool! But I don't understand step 1. How do you modify the Agent Handler settings without actually installing a handler?
And why do you need a repository outside? Why can't the PCs just use the primary repository as you have access to it from the Internet?
When you go to configuration there is one default handler - just the server itself.
And about the repository, I don't know. But during tests with the default repository it didn't work. Maybe the server sends the IP of the server to agents as the IP of the main repository, but the IP of the server is an internal IP not visible from outside.
When I created a second repository I could just put in any address I want. I had an FTP server published to the internet, so I just put the distributed repository there.
Configuration -> Agent handler
What should I do when I'm there?
Regarding the repository it sounds like you don't have the correct ports open. Just a guess.