2 Replies Latest reply: Feb 12, 2013 10:34 AM by northomsk

    Agent handler in DMZ

    northomsk

      Hi all

       

      Could I have a little bit of help on the following question(s)?

       

      Ports needed for the agent handler: would it be the following?

      From                  To                 Port
      =========================
      Agent               Handler              80
      Agent               Handler              443
      Handler             Agent                8081
      Handler             SQL                  1433
      Handler             ePO                  80
      ePO                 Handler              80
      ePO                 SQL                  1433
      Handler             ePO                  8443 & 8444

       

      Or would the following be enough?

      Ensure that the following ports are opened on the firewall allowing agent communication to the ePO server in the DMZ for the internal and external clients:

      80 (bidirectional to the External clients only) - Agent-to-Server port (listed as ServerHttpPort in the EPOServerInfo in ePO 4.x)

       

      IMPORTANT: Opening port 80 on the firewall to communicate bi-directionally with just the external network allows only the external clients to communicate with the ePO server on the DMZ.

      This is not a major network security consideration because the internal network is still locked down from receiving communications from external clients on this port.

      8443 (open from the Internal network to the DMZ if using RSD) - Console-to-Application Server communication port (listed as RmdSecureHttpPort in the EPOServerInfo table for ePO 4.x)

      8444 (open from the Internal network to the DMZ if using RSD) - Sensor-to-Server communication port (listed as SensorSecureHttpPort in the EPOServerInfo table for ePO 4.x)

      8801 (open from the Internal network to the DMZ if using the McAfee Labs threats download functionality) - Security Threats HTTP port (listed as AVERTAlertsPort in the EPOAvertSettings table for ePO 4.x)

       

      Also, is there any benefit to registering a DNS name for the DMZ agent handler?

       

      Thanks in advance

        • 1. Re: Agent handler in DMZ
          alexn

          Hi,

          For ePO 4.6, please follow this chart.

           

          1. Agent wakeup 8081
          2. Agent broadcast UDP 8082
          3. Security threats comm HTTP 8801


          Port | Default | Description | Traffic direction
          ==================================================
          Agent to server communication port | 80 | TCP port opened by the ePO Server service to receive requests from agents. | Bi-directional between the Agent Handler and the ePO server and inbound to the Agent Handler from the McAfee Agent.
          Agent communicating over SSL (4.5 and later agents only); Software Manager | 443 | By default, 4.5 agents should communicate over SSL (443 by default). This port is also used for the remote Agent Handler to communicate with the ePO Master Repository. | Inbound connection to the Agent Handler from the McAfee Agent.
          Agent wake-up communication port; SuperAgent repository port | 8081 | TCP port opened by agents to receive agent wakeup requests from the ePO server. TCP port opened to replicate repository content to a SuperAgent repository. | Outbound connection from the ePO server/Agent Handler to the McAfee Agent.
          Agent broadcast communication port | 8082 | UDP port opened by SuperAgents to forward messages from the ePO server/Agent Handler. | Outbound connection from the SuperAgents to other McAfee Agents.
          Console-to-application server communication port | 8443 | HTTPS port opened by the ePO Application Server service to allow web browser UI access. | Inbound connection to the ePO server from the ePO Console.
          Client-to-server authenticated communication port | 8444 | HTTPS port opened by the ePO Application Server service to receive RSD connections. Also used by the Agent Handler to talk to the ePO server to get required information (like LDAP servers). | Inbound connection to the ePO server from the Rogue System Sensor. Outbound connection from remote Agent Handlers to an LDAP server.
          Security threats communication port | 8801 | HTTP port hosted by McAfee Labs for retrieving the security threat feed. Note that this port cannot be changed. | Outbound connection from the ePO server to the external McAfee Labs server.
          SQL server TCP port | 1433 | TCP port used to communicate with the SQL server. This port is specified or determined automatically during the setup process. | Outbound connection from the ePO server/Agent Handler to the SQL server.
          SQL server UDP port | 1434 | UDP port used to request the TCP port that the SQL instance hosting the ePO database is using. | Outbound connection from the ePO server/Agent Handler to the SQL server.
          Default LDAP server port | 389 | LDAP connection to look up computers, users, groups, and Organizational Units for User Based Policies. | Outbound connection from the ePO server/Agent Handler to an LDAP server.
          Default SSL LDAP server port | 636 | User Based Policies use the LDAP connection to look up users, groups, and Organizational Units. | Outbound connection from the ePO server/Agent Handler to an LDAP server.

           

          Agent-to-Server communication is supported over a NAT, however Agent wakeup calls will not work over a NAT. Additionally, communication over the Data Channel (used by products like Endpoint Encryption for PC 6) will not properly work over a NAT until ePO 4.5 Patch 4 and McAfee Agent 4.5 Patch 2 or later are installed.

          Recommended
          Install an ePO server or Agent Handler in the DMZ to manage the external clients and one in the Internal network to manage only the Internal network clients.

          Ensure that the following ports are opened on the firewall allowing agent communication to the ePO server in the DMZ for the internal and external clients:

          80 (bidirectional to the External clients only) - Agent-to-Server port (listed as ServerHttpPort in the EPOServerInfo in ePO 4.x)

           

          In my view, a DMZ DNS server design is best practice, as compared to asking your internal DC for name resolution, and for a remote McAfee Agent Handler I have never heard of a separate DNS in the DMZ.

           

          Message was edited by: alexn on 2/11/13 1:22:48 PM CST
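As an added example (not from this thread, and not McAfee's own tooling), the port table above can be reduced to zone-crossing flows and compared against the matrix in the first post. The zone placement (handler in the DMZ; ePO, SQL and LDAP on the internal network; managed agents external) is an assumption, and ZONE, TABLE and OP_PROPOSAL are names chosen here.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port purpose")

# Assumed zone for each role (constructed for this example, not stated in the thread).
ZONE = {"agent": "external", "handler": "dmz", "epo": "internal",
        "sql": "internal", "ldap": "internal"}

# alexn's table, reduced to (source role, destination role, proto, port, purpose).
# ePO-only rows (8443 console UI, 8801 McAfee Labs) are left out: the handler is not a party.
TABLE = [
    ("agent", "handler", "tcp", 80, "agent-to-server"),
    ("handler", "epo", "tcp", 80, "handler <-> ePO (bi-directional)"),
    ("epo", "handler", "tcp", 80, "handler <-> ePO (bi-directional)"),
    ("agent", "handler", "tcp", 443, "agent over SSL / master repository"),
    ("handler", "agent", "tcp", 8081, "agent wake-up (does not work across NAT)"),
    ("handler", "epo", "tcp", 8444, "handler asks ePO for LDAP server info"),
    ("handler", "sql", "tcp", 1433, "ePO database"),
    ("handler", "sql", "udp", 1434, "SQL Browser: instance port lookup"),
    ("handler", "ldap", "tcp", 389, "LDAP for User Based Policies"),
    ("handler", "ldap", "tcp", 636, "LDAP over SSL for User Based Policies"),
]

# The matrix from the first post, as zone flows; ePO -> SQL 1433 stays internal and is omitted.
OP_PROPOSAL = {
    ("external", "dmz", "tcp", 80), ("external", "dmz", "tcp", 443),
    ("dmz", "external", "tcp", 8081), ("dmz", "internal", "tcp", 1433),
    ("dmz", "internal", "tcp", 80), ("internal", "dmz", "tcp", 80),
    ("dmz", "internal", "tcp", 8443), ("dmz", "internal", "tcp", 8444),
}

def required_flows():
    """Table rows that cross a zone boundary and therefore need a firewall rule."""
    return [Flow(ZONE[s], ZONE[d], p, port, why)
            for s, d, p, port, why in TABLE if ZONE[s] != ZONE[d]]

def flows_between(src_zone, dst_zone):
    """Sorted (proto, port) pairs that must be open from src_zone to dst_zone."""
    return sorted({(f.proto, f.port) for f in required_flows()
                   if f.src == src_zone and f.dst == dst_zone})

def missing_from(proposal):
    """Table-derived flows that a proposed rule set leaves out."""
    return [f for f in required_flows()
            if (f.src, f.dst, f.proto, f.port) not in proposal]

def extra_in(proposal):
    """Proposed flows the table does not call for (worth a second look, not necessarily wrong)."""
    needed = {(f.src, f.dst, f.proto, f.port) for f in required_flows()}
    return sorted(proposal - needed)
```

Calling missing_from(OP_PROPOSAL) and extra_in(OP_PROPOSAL) lists the table rows the first post's matrix does not cover and the proposed flows the table does not derive, so the two lists can be reconciled before the firewall change is requested.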
          • 2. Re: Agent handler in DMZ
            northomsk

            Thanks for the help