This discussion is archived
3870 Views 2 Replies Latest reply: Feb 12, 2013 10:34 AM by northomsk
northomsk Newcomer 36 posts since Mar 19, 2012
Feb 11, 2013 8:50 AM

Agent handler in DMZ

Hi all

Could I have a little bit of help on the following question(s)?

Ports needed for the agent handler: would it be the following?

From        To         Port
=========================
Agent       Handler    80
Agent       Handler    443
Handler     Agent      8081
Handler     SQL        1433
Handler     ePO        80
ePO         Handler    80
ePO         SQL        1433
Handler     ePO        8443 & 8444

Or would the following be enough?

Ensure that the following ports are opened on the firewall allowing agent communication to the ePO server in the DMZ for the internal and external clients:

80 (bidirectional to the External clients only) - Agent-to-Server port (listed as ServerHttpPort in the EPOServerInfo in ePO 4.x)

IMPORTANT: Opening port 80 on the firewall to communicate bi-directionally with just the external network allows only the external clients to communicate with the ePO server on the DMZ.

This is not a major network security consideration because the internal network is still locked down from receiving communications from external clients on this port.

8443 (open from the Internal network to the DMZ if using RSD) - Console-to-Application Server communication port (listed as RmdSecureHttpPort in the EPOServerInfo table for ePO 4.x)

8444 (open from the Internal network to the DMZ if using RSD) - Sensor-to-Server communication port (listed as SensorSecureHttpPort in the EPOServerInfo table for ePO 4.x)

8801 (open from the Internal network to the DMZ if using the McAfee Labs threats download functionality) - Security Threats HTTP port (listed as AVERTAlertsPort in the EPOAvertSettings table for ePO 4.x)

Also, is there any benefit to registering a DNS name for the DMZ agent handler?

Thanks in advance

  • alexn Veteran 722 posts since Aug 9, 2012
    1. Feb 11, 2013 1:22 PM (in response to northomsk)
    Re: Agent handler in DMZ

    Hi,

    For ePO 4.6, please follow this chart.

    1. Agent wakeup 8081
    2. Agent broadcast UDP 8082
    3. Security threats comm HTTP 8801

    Port | Default | Description | Traffic direction
    Agent to server communication port | 80 | TCP port opened by the ePO Server service to receive requests from agents. | Bi-directional between the Agent Handler and the ePO server and inbound to the Agent Handler from the McAfee Agent.
    Agent communicating over SSL (4.5 and later agents only) / Software Manager | 443 | By default, 4.5 agents should communicate over SSL (443 by default). This port is also used for the remote Agent Handler to communicate with the ePO Master Repository. | Inbound connection to the Agent Handler from the McAfee Agent.
    Agent wake-up communication port / SuperAgent repository port | 8081 | TCP port opened by agents to receive agent wakeup requests from the ePO server. TCP port opened to replicate repository content to a SuperAgent repository. | Outbound connection from the ePO server/Agent Handler to the McAfee Agent.
    Agent broadcast communication port | 8082 | UDP port opened by SuperAgents to forward messages from the ePO server/Agent Handler. | Outbound connection from the SuperAgents to other McAfee Agents.
    Console-to-application server communication port | 8443 | HTTPS port opened by the ePO Application Server service to allow web browser UI access. | Inbound connection to the ePO server from ePO Console.
    Client-to-server authenticated communication port | 8444 | HTTPS port opened by the ePO Application Server service to receive RSD connections. Also used by the Agent Handler to talk to the ePO server to get required information (like LDAP servers). | Inbound connection to the ePO server from the Rogue System Sensor. Outbound connection from remote Agent Handlers to an LDAP server.
    Security threats communication port | 8801 | HTTP port hosted by McAfee Labs for retrieving the security threat feed. Note that this port cannot be changed. | Outbound connection from the ePO server to the external McAfee Labs server.
    SQL server TCP port | 1433 | TCP port used to communicate with the SQL server. This port is specified or determined automatically during the setup process. | Outbound connection from the ePO server/Agent Handler to the SQL server.
    SQL server UDP port | 1434 | UDP port used to request the TCP port that the SQL instance hosting the ePO database is using. | Outbound connection from the ePO server/Agent Handler to the SQL server.
    Default LDAP server port | 389 | LDAP connection to look up computers, users, groups, and Organizational Units for User Based Policies. | Outbound connection from the ePO server/Agent Handler to an LDAP server.
    Default SSL LDAP server port | 636 | User Based Policies use the LDAP connection to look up users, groups, and Organizational Units. | Outbound connection from the ePO server/Agent Handler to an LDAP server.

    Agent-to-Server communication is supported over a NAT, however Agent wakeup calls will not work over a NAT. Additionally, communication over the Data Channel (used by products like Endpoint Encryption for PC 6) will not properly work over a NAT until ePO 4.5 Patch 4 and McAfee Agent 4.5 Patch 2 or later are installed.

    Recommended
    Install an ePO server or Agent Handler in the DMZ to manage the external clients and one in the Internal network to manage only the Internal network clients.

    Ensure that the following ports are opened on the firewall allowing agent communication to the ePO server in the DMZ for the internal and external clients:

    80 (bidirectional to the External clients only) - Agent-to-Server port (listed as ServerHttpPort in the EPOServerInfo in ePO 4.x)

    In my view, a DMZ DNS server design is best practice, as compared to asking your internal DC for name resolution, and for a remote McAfee Agent Handler I have never heard about a separate DNS in the DMZ.


    Post Timings: 6.00 AM to 3.00PM PDT
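As an added example (not code from the thread or from McAfee), the script below encodes the reply's port chart as a set of flows, keeping only those that touch a remote Agent Handler in the DMZ, and audits the rule table from the question against it: it reports required flows the table lacks and proposed handler flows the chart does not call for. The roles agent, handler, epo, sql and ldap are constructed labels, not real hostnames.

```python
"""Audit a proposed DMZ firewall rule set against the ePO 4.6 port chart."""
from typing import NamedTuple


class Flow(NamedTuple):
    src: str    # side that opens the connection
    dst: str    # side that listens
    port: int
    proto: str  # "tcp" or "udp"


# Flows from the chart in the reply that involve a remote Agent Handler in the
# DMZ: agents inbound on 80/443, wake-ups outbound on 8081, handler outbound to
# the ePO server, SQL and LDAP. Role names are constructed labels.
REQUIRED = frozenset({
    Flow("agent", "handler", 80, "tcp"),
    Flow("agent", "handler", 443, "tcp"),
    Flow("handler", "agent", 8081, "tcp"),   # wake-up; does not work over NAT
    Flow("handler", "epo", 80, "tcp"),       # bi-directional with ePO server
    Flow("epo", "handler", 80, "tcp"),
    Flow("handler", "epo", 443, "tcp"),      # Master Repository access
    Flow("handler", "epo", 8444, "tcp"),     # fetch LDAP server details
    Flow("handler", "sql", 1433, "tcp"),
    Flow("handler", "sql", 1434, "udp"),     # SQL Browser: find instance port
    Flow("handler", "ldap", 389, "tcp"),
    Flow("handler", "ldap", 636, "tcp"),
})

# The rule table from the question ("8443 & 8444" split into two rows).
PROPOSED = frozenset({
    Flow("agent", "handler", 80, "tcp"),
    Flow("agent", "handler", 443, "tcp"),
    Flow("handler", "agent", 8081, "tcp"),
    Flow("handler", "sql", 1433, "tcp"),
    Flow("handler", "epo", 80, "tcp"),
    Flow("epo", "handler", 80, "tcp"),
    Flow("epo", "sql", 1433, "tcp"),
    Flow("handler", "epo", 8443, "tcp"),
    Flow("handler", "epo", 8444, "tcp"),
})


def audit(proposed, required=REQUIRED):
    """Return (missing, extra): required flows the rule set lacks, and
    handler-related proposed flows the chart does not call for."""
    on_handler = {f for f in proposed if "handler" in (f.src, f.dst)}
    return sorted(required - proposed), sorted(on_handler - required)


if __name__ == "__main__":
    for label, flows in zip(("MISSING", "EXTRA"), audit(PROPOSED)):
        for f in flows:
            print(f"{label:8}{f.src:>8} -> {f.dst:<8}{f.port}/{f.proto}")
```

Running it lists the handler-to-ePO 443, handler-to-SQL 1434/udp and handler-to-LDAP 389/636 flows as missing from the proposed table, and flags handler-to-ePO 8443 as a console port the chart does not require for the handler.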
