1 Reply Latest reply on Jun 17, 2013 10:22 AM by rackroyd

    Manually making an agent that has never communicated to an ePO server use an AH instead

    twisted_pony

      Situation:

       

      ePO 4.6.5 sitting in compartment (A).

       

      McAfee agent 4.6 successfully installed to various endpoints within a separate compartment B, using FramePkg.exe created from the ePO server in compartment A.

      None of these endpoint/agents can communicate with the ePO server in compartment A due to firewalls blocking their requests.

       

      An Agent handler is then installed into compartment B.

      It has a valid working connection to the ePO SQL database through the firewall and is registered with the ePO server in compartment A.

      This AH will handle all the client agents in compartment B.

      An Agent handler assignment rule has been created for all agents in compartment B on the ePO server in compartment A.

       

      As the agents were all installed prior to the creation of this AH, using the agent install package that had no knowledge of this AH, they have no knowledge of the AH in compartment B... How do I:

       

       

      (Let's assume that the agent ports on the firewall can not be opened)

       

      1). Get the installed agents to talk to the AH in compartment B rather than fail to talk to the ePO server in compartment A?

      2). Automate the agent install process for new endpoints that will be brought into compartment B so they talk to the AH in compartment B?

       

       

      Any help greatly appreciated:-)

        • 1. Re: Manually making an agent that has never communicated to an ePO server use an AH instead
          rackroyd

          Most likely using this part of: KB73389 - McAfee Agent 4.x Standalone and Command Line installation instructions for Microsoft Windows systems.

           

           

          Installing the agent with user-selected site information and user-selected keys

          Use the command below to install the agent and specify a SiteList file and security keys (srpubkey.bin and reqseckey.bin), other than the defaults.

          framepkg.exe /install=agent /siteinfo=<full path to sitelist.xml>

          NOTE:
          This command is also useful when you upgrade an agent with FramePkg_upd.exe. It specifies the ePO server for the agent, irrespective of the site information embedded in the original installation package.

          The security keys must be located in the same folder as the SiteList.xml file. Use ePolicy Orchestrator (ePO) to export the files:

          1. Export the SiteList file:

            1. Log on to the ePO 4.x server.
            2. Click Menu, Software, Master Repository.
            3. Click Actions, Export Sitelist.
            4. Click Save and select a new location to save it to.
               
          2. Export the security keys:

            1. Log on to the ePO 4.x server.
            2. Click Menu, Configuration, Server Settings.
            3. Click Security Keys under the Setting Categories column and click Edit.
            4. Click the "Master" Agent-server secure communication key and click Export.
            5. Click OK.
            6. Click Save and select the same location as the SiteList.xml file.
            7. Extract the sr2048<master_key_name>.zip to the same location as the SiteList.xml file.
            8. If you are using ePO 4.6, rename the keys listed below:

              FROM: reqseckey.bin
              TO: req2048seckey.bin

              FROM: srpubkey.bin
              TO: sr2048pubkey.bin

           

           

          You'd need to identify the right sitelist.xml & keys though from a system which does use this Agent Handler already.

          Once a machine has communicated once it'll request the right sitelist & policies and *hopefully* will be ok from then on.
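
A pre-flight check for the staging folder described in the reply above, as an added example that is not part of the thread or of KB73389. The parameter names are hypothetical, ePO 4.6 key names are assumed (as in this thread), and PowerShell 3.0 or later is required.

```powershell
# Added example (not from KB73389 or the thread). Parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)] [string] $StagingDir,    # folder with SiteList.xml and the extracted keys
    [Parameter(Mandatory = $true)] [string] $AgentHandler,  # AH host name or IP expected in SiteList.xml
    [Parameter(Mandatory = $true)] [string] $FramePkg,      # full path to FramePkg.exe
    [switch] $Install                                       # omit to check only
)
$ErrorActionPreference = 'Stop'

# /siteinfo needs a full path; spaces are rejected so the command stays exactly as quoted in the reply.
$dir = (Resolve-Path -LiteralPath $StagingDir).Path
$siteList = Join-Path $dir 'SiteList.xml'
if ($siteList -match '\s') { throw "Use a staging path without spaces: $siteList" }

# 1. SiteList.xml must exist and parse as XML.
if (-not (Test-Path -LiteralPath $siteList -PathType Leaf)) { throw "SiteList.xml not found in $dir" }
try { $null = [xml](Get-Content -LiteralPath $siteList -Raw) }
catch { throw "SiteList.xml is not well-formed XML: $($_.Exception.Message)" }

# 2. It must name the Agent Handler. Plain-text match, so no SiteList schema is assumed.
if (-not (Select-String -LiteralPath $siteList -SimpleMatch -Pattern $AgentHandler -Quiet)) {
    throw "SiteList.xml does not mention '$AgentHandler'; export it from a system that already uses this AH"
}

# 3. Keys sit beside SiteList.xml under the ePO 4.6 names (assumes ePO 4.6, as in this thread).
$keyNames = [ordered]@{ 'reqseckey.bin' = 'req2048seckey.bin'; 'srpubkey.bin' = 'sr2048pubkey.bin' }
foreach ($old in $keyNames.Keys) {
    $new = $keyNames[$old]
    $oldPath = Join-Path $dir $old
    $newPath = Join-Path $dir $new
    if ((Test-Path -LiteralPath $oldPath) -and -not (Test-Path -LiteralPath $newPath)) {
        Rename-Item -LiteralPath $oldPath -NewName $new
    }
    if (-not (Test-Path -LiteralPath $newPath -PathType Leaf)) { throw "Missing key file: $new" }
    if ((Get-Item -LiteralPath $newPath).Length -eq 0) { throw "Key file is empty: $new" }
}
Write-Output "Staging folder OK: $dir"

# 4. Run the install from the KB. The folder holds the agent-server secure
#    communication keys, so remove it from the endpoint once the install is done.
if ($Install) {
    $p = Start-Process -FilePath $FramePkg -ArgumentList '/install=agent', "/siteinfo=$siteList" -Wait -PassThru
    Write-Output "FramePkg.exe exited with code $($p.ExitCode)"
}
```

Run it once without -Install to confirm the folder is complete, then again with -Install on the endpoint.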