6 Replies Latest reply: Jan 2, 2013 9:48 AM by rackroyd

    SFTP Repository

    brucebishtoncds

      Hi All

      Is it possible to use SFTP as a repository? All there seems to be available are HTTP + FTP + UNC... All these seem quite unsecure...

       

      How is access from the Internet achieved?

       

      Not a great deal of info on this in the manual... I'm going to read some posts to see if I can work out how to do it....

       

      Happy New Year

       

      Bruce

        • 1. Re: SFTP Repository
          robrow

          I would suggest reviewing the epo_460_product_guide_en-us.pdf (PD22975), pg. 91, Using local distributed repositories that are not managed. This provides a method of creating a repository which is not one of the managed types - FTP, HTTP Server, or UNC share. Hope this helps!

           

          Message was edited by: robrow on 12/27/12 12:27:13 PM CST
          • 2. Re: SFTP Repository
            rackroyd

            Secure ftp is not supported.

             

            Content is secured and validated using other means by the products themselves during update.

            The details of how that is achieved are not a subject for public discussion, as I'm sure you can understand.

             

            The one not mentioned is the SuperAgent repository, which uses the Agent communication channel over SSL (port 443 by default).

            That would be the most secure as the channel is secured as well as the validation by the product which will still take place.

             

            If you are still concerned about the security of site content please reach out to McAfee Labs.

             

            Rob.

            • 3. Re: SFTP Repository
              brucebishtoncds

              Hi Rob

              Thanks for the Reply.

              Would this type of repository be best suited for access from the Internet? Would it need to go in the DMZ?

               

              I bet you get these types of questions a lot. I have read a few of these posts but have not come across one yet that stipulates exactly how to set up an external facing repository.

               

              Many Thanks in Advance

              Bruce.

              • 4. Re: SFTP Repository
                rackroyd

                Hi,

                 

                In that scenario, personally I think placing an Agent Handler in the DMZ would be more suitable so you can actually manage these machines as well as update, although it's hard to be certain because we would need to know more detail on your exact requirements to be sure.

                 

                For example if you only want them to get content updates, you might want to just leave them defaulted to get that from the McAfee sites directly, as it'll be much simpler.

                 

                For Agent handlers, please review support white paper: PD22508 - ePolicy Orchestrator 4.5 Agent Handler White Paper.

                This can be accessed via the McAfee knowledge base.

                 

                An SA repository is not really best suited for external use.

                 

                Rgds,

                 

                Rob

                • 5. Re: SFTP Repository
                  brucebishtoncds

                  Hi Rob

                  This proposed Agent Handler would be not only supporting external sites but also laptops that can also come internal as well as external.

                  That would be fine?

                  Regards

                  Bruce

                  • 6. Re: SFTP Repository
                    rackroyd

                    Hi,

                     

                    Providing internally it can reach the Agent handler in the DMZ, yes.

                    It's perhaps more likely that internally a machine would reach out to the ePO server first rather than a machine in the DMZ, but still that's all user-defined by Agent policy as you need.

                     

                    At this point it might be worth calling into McAfee support to have a 1:1 discussion with our tech guys on how to configure ePO to your best advantage. I suspect it'll be more beneficial.

                     

                    Kind Regards,

                     

                    Rob.