10 Replies Latest reply: Oct 30, 2013 9:23 PM by brentdw

    Agent Handler in DMZ

    brentdw

      I've deployed an Agent Handler in our DMZ. The following ports are open on the firewall between the AH and ePO Server:

       TCP 80
       TCP 389
       TCP 443
       TCP 636
       TCP 1433
       UDP 1434
       TCP 8081
       UDP 8082
       TCP 8443
       TCP 8444

      The Agent Handler is able to communicate with the ePO Server without any issue. The problem is that other servers in the DMZ cannot communicate with the Agent Handler. I have two priority rules: the first one defines our internal subnets and restricts them to the internal ePO Server, and the second rule defines the DMZ subnet and restricts it to the Agent Handler.

      The message I'm receiving in the Agent Monitor on all DMZ servers (except the AH itself) is "Agent failed to communicate with ePO Server." When I go to the "About..." menu, it is correctly pointed to the Agent Handler in the DMZ. Any thoughts?

        • 1. Re: Agent Handler in DMZ
          JoeBidgood

          Possibly a silly question, but is there any kind of firewall or port blocking that is preventing inbound connections to the AH machines? Specifically on the agent-to-server ports, which are 80 and 443 by default?

          HTH -

          Joe

          • 2. Re: Agent Handler in DMZ
            brentdw

            No. From the internal network to the DMZ network, there are no restrictions. Windows firewall on each DMZ server is also disabled.

            • 3. Re: Agent Handler in DMZ
              Laszlo G

              Could it be that servers on DMZ are trying to connect to Agent Handler to its public IP address?

              • 4. Re: Agent Handler in DMZ
                brentdw

                It isn't public-facing. Servers on our DMZ, including the AH, are assigned one private IP address. Outside access to services such as web, FTP, etc. is provided via NAT.

                • 5. Re: Agent Handler in DMZ
                  Laszlo G

                  Can you telnet from a server on the DMZ to the Agent Handler through the agent-to-server communication port?

                  • 6. Re: Agent Handler in DMZ
                    brentdw

                    Just tried that, and yes, it works. At this point, I'm thinking the AH itself isn't functioning properly. It just occurred to me that when I said "The Agent Handler is able to communicate with the ePO Server," all I was seeing was the agent installed on the AH communicating with the ePO Server, which I'd expect even if the AH isn't functioning.

                    Here's what I'm seeing for the SQL connection from the AH to the ePO Server. Is "TIME_WAIT" normal?

                    Capture.JPG

                    • 7. Re: Agent Handler in DMZ
                      JoeBidgood

                      Is there anything recorded in the server.log on the AH that would indicate a problem?

                      HTH -

                      Joe

                      • 8. Re: Agent Handler in DMZ
                        brentdw

                        Nothing in the server.log indicates a problem. However, I think I'm on to something. I ended up uninstalling all Agents as well as the Agent Handler from the DMZ. I then reinstalled the Agent Handler software and pointed it to the ePO Server, and pushed the Agent from the ePO Server onto one DMZ server (our web server). When I pushed the Agent, I told it to use all available Agent Handlers (including the ePO Server). The Agent immediately contacted the ePO Server and timed out. Then, it failed over to the AH.

                        What I found was that the DMZ servers will connect to the AH once or possibly twice (after attempting to contact the internal server), but as soon as they retrieve the new SiteList.xml file, they never again attempt to contact the AH. I've confirmed with netstat that the Agent on our web server is now only attempting to reach the ePO Server.

                        So I'd venture a guess that there's a problem with the SiteList.xml file that's being pushed onto the DMZ servers. Any thoughts?

                        • 9. Re: Agent Handler in DMZ
                          brentdw

                          Yep, confirmed that the initial SiteList contains both AHs, but as soon as it is updated, it contains only the internal AH (ePO Server).
