2 Replies Latest reply on Oct 7, 2013 8:56 AM by andrep1

    Question about agent handlers and multiple domains and forests with no trusts

    rbrissey64

      I am new to my company and want to deploy ePO 5.0 but have questions:

       

      Scenario:

      - I have multiple domains/forests with no trusts between the forests spread across the US and EU.

      - I currently have 10 separate ePO 4.5 managers (app servers), one for each domain we manage.

       

      My Goal:

      - 1 App server, 1 agent handler per site (maybe 2 for failover)

       

      My questions:

      - Support has told me there MUST be trusts between the forests. Why, and with what directionality?

      -- Is it required because of DLP? If we don't use DLP, is it still needed?

      -- Is it required if I put the agent handlers in different domains depending on the site they are at? If so, I can just add them to the same domain as the app server.

       

      My company does not want to set up trusts between the different domains. I cannot see any reason (other than maybe the 2 questions above) why there needs to be a trust between any of the domains.

       

      I would appreciate feedback from anyone who has been through a similar situation.

       

      Thanks,

      Rod.

        • 1. Re: Question about agent handlers and multiple domains and forests with no trusts
          rgc

          Hi,

           

          From the McAfee support team, we suggest having a trust relationship between multiple domains from different forests, because of the need to add the machines from the other domain to ePO.

           

          The trust relationship should be bi-directional.

           

          Moreover, taking an example: you have two domains in different forests, and each domain contains 1000 machines with at least 5 OUs per domain.

           

          So, you install ePO in one domain environment, and Registered Servers in the ePO console will let you register your local domain; then, when you do the AD sync to pull the machine information, it will get the hostnames for those 1000 machines.

           

          In the same scenario for the other domain, if you want to register it from ePO and do the AD sync, the trust relationship is very important for pulling the machine information through the LDAP protocol.

          So, if you are okay with installing the agents locally, or by a 3rd-party deployment tool, or through Group Policy to all the 2000 machines (as per my example, with different domains from different forests), then there is no need for the trust relationship.

           

          Once the agent is installed (either deployed from ePO or installed locally) on the machine and is communicating with ePO and shows as managed in the ePO System Tree, the way it works from then on is the same (for domain member or workgroup machines).

           

          Deploying products from then onwards is the same as usual for all products.

          There is no concern with deployment, whether it is DLP, VSE, or any other product.

          If the machine is available and able to communicate via the agent with the required ports open, the deployment task will be pushed from ePO, the agent will enforce it, and the client will receive the product deployment task request with its scheduled time and install as scheduled.

           

           

          Then you can go for a remote Agent Handler so that updates and policy enforcement are served locally for that region/location/branch through the Agent Handler.

           

          As you will install ePO at location A, at location B you can install an Agent Handler, and from ePO you can create the assignment via IP-based rules or groups.

          So, if there are two subgroups under My Organization in the System Tree, then group 1 is for the local domain and group 2 for the remote domain.

          So, you can configure the assignment rule so that machines in group 2 report to, and get all their updates via, the Agent Handler.

           

          This helps to save bandwidth, as remote clients are not required to reach ePO all the time.

           

          For more information about Agent Handlers, I have attached the documents, and I hope this answers all your queries.

           

          Reply back to this post if you still have any queries about my suggestions.

           

           

          Regards,

          RGC

           

          • 2. Re: Question about agent handlers and multiple domains and forests with no trusts
            andrep1

            I don't see a reason at all. DNS being visible for all domains from your ePO server will make your life easier for sure.

            The best way to test is to define a Registered LDAP Server for one of the domains you don't trust and see if the test works; you might require a domain account to set up the registered server. Then set up a sync point in your organization and see if the devices sync. That should pretty much give you the answer.

            If you push the agent from ePO, obviously you would have some credential issues to resolve. In your sync settings, you define your push credentials for that sync (that domain), and that should take care of that.

             

            In regards to the Agent Handler, they really are mini ePO servers and require the same access to the database (speed/latency). SuperAgents make more sense in a remote site. A central Agent Handler will enable your devices to talk to the database for policies and events if your ePO server is down for any reason (including maintenance).
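The test andrep1 describes (register an LDAP server for a domain you don't trust, using an account from that domain, then see whether a sync point pulls the machines) can be rehearsed from the ePO or Agent Handler host before touching the console. The PowerShell below is an added example, not code from either reply or from McAfee: it resolves a domain controller in the remote forest, binds over LDAP(S) with an explicit credential from that forest (no trust involved), and runs a paged search for enabled computer objects under the intended sync point. The DC name, base DN, account name and port are placeholders (assumptions); replace them with your own.

```powershell
<#
 Added example, not part of the thread or of McAfee's tooling.
 Rehearses what an ePO Registered LDAP Server + AD sync needs from an untrusted forest:
   1. DNS resolution of a DC in that forest from this host
   2. an LDAP(S) bind using an account that lives in THAT forest
   3. a paged search for computer objects under the sync point
 Hostnames, DNs and the account are placeholders (assumptions).
#>
param(
    [string]$DomainController = 'dc01.eu.example.net',                    # assumption
    [string]$BaseDn           = 'OU=Workstations,DC=eu,DC=example,DC=net', # assumption: the sync point
    [pscredential]$Credential = (Get-Credential -UserName 'EU\svc-epo-sync' -Message 'Account in the remote (untrusted) domain'),
    [int]$Port                = 636                                       # 636 = LDAPS; 389 sends simple binds in cleartext
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. DNS: without a trust nothing automatic points your forest at theirs, so the
#    ePO / Agent Handler host needs a conditional forwarder or stub zone for it.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($DomainController) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("DNS OK   : {0} -> {1}" -f $DomainController, ($ips -join ', '))
} catch {
    throw "DNS lookup of $DomainController failed; fix DNS before configuring ePO: $_"
}

# 2. Bind with explicit credentials from the remote domain. With no cross-forest
#    Kerberos trust, Negotiate falls back to NTLM using the supplied account.
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port, $false, $false)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident, $Credential.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.ProtocolVersion = 3
if ($Port -eq 636) { $conn.SessionOptions.SecureSocketLayer = $true }
try {
    $conn.Bind()
    Write-Host ("Bind OK  : {0} as {1}" -f $DomainController, $Credential.UserName)
} catch [System.DirectoryServices.Protocols.LdapException] {
    throw ("Bind failed (LDAP error {0}): {1} {2}" -f $_.Exception.ErrorCode, $_.Exception.Message, $_.Exception.ServerErrorMessage)
}

# 3. Roughly the query a sync performs: enabled computer accounts under the sync point.
#    Paged so an OU with 1000+ machines does not trip the server's MaxPageSize.
$filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$attrs  = @('dNSHostName', 'operatingSystem')
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
$page   = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
[void]$req.Controls.Add($page)

$found = 0
do {
    $resp = $conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $found++
        $fqdn = $entry.Attributes['dNSHostName']
        $os   = $entry.Attributes['operatingSystem']
        $name = if ($fqdn) { $fqdn[0] } else { $entry.DistinguishedName }
        $osText = if ($os) { $os[0] } else { '' }
        Write-Host ("  {0,-45} {1}" -f $name, $osText)
    }
    $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $page.Cookie = $pageResp.Cookie
} while ($page.Cookie -and $page.Cookie.Length -gt 0)

Write-Host ("Search OK: {0} enabled computer objects under {1}" -f $found, $BaseDn)
$conn.Dispose()
```

Run it on the machine that will hold the Registered Server (the ePO application server, or an Agent Handler placed in the remote site), since that is where the console's test will originate. If step 1 fails, the problem is DNS, not trusts; if step 2 fails with a credential error, check that the account is from the remote domain and that 636 (or 389) is reachable through the firewalls between sites; if step 3 returns zero objects, the base DN is wrong or the account lacks read access to that OU. A successful run shows the registered server and sync point should work without any forest trust, which is the outcome andrep1 expects.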