The change is made in the server.ini file. Please see McAfee support article:
KB56281 - Agents fail to connect to ePO 4.x servers with two IP addresses
Titled for ePO 4.x but should still apply to 5.x too.
ePO binds to only one IP though afaik. You can't have both, but you can choose which.
First connection is working with the modified sitelist.xml. But I guess after policies are fetched the sitelist.xml is overwritten.
Hosts on the same network are working.
On the hosts behind the NAT I added a host entry in C:\Windows\System32\drivers\etc\hosts.
Looks like McAfee Agent first does a DNS lookup. So this is working. But I don't really like the host entry...
Isn't it possible to add the NAT IP to the sitelist.xml permanently?
Not to my knowledge, no, and correct on first connection ePO will send out an updated sitelist using the ePO server's IP address.
Did the knowledge base article I referenced not apply?
As I mentioned, ePO only binds to one IP, but you can choose which.
What some customers do in this scenario is deploy a separate Agent Handler.
The knowledge base article is about two network interfaces. I have only one. The ePO server isn't aware of the NAT.
I'm going to use the relay server function in agent 4.8 on remote sites.
As I wrote before it is working with the host entry but it is "ugly". But since I only need it on the relay server (~50) I guess I will stay with it.
Hoped for a better solution.
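The hosts-file workaround above pins the ePO name to the NAT address on every relay server, and a pin that no longer matches the address ePO publishes silently breaks agent communication. As an added example (not code from the thread or from McAfee), this audits a hosts file for that pin; the hostname, IPs and file contents are constructed placeholders.

```python
import ipaddress

# Constructed sample of a relay server's hosts file (placeholder names/IPs,
# not taken from the thread). The second epo line simulates a stale leftover.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# manual override so the agent reaches ePO through the NAT address
198.51.100.10   epo.example.local epo   # placeholder NAT-side address
10.0.0.5        epo.example.local       # stale entry from an earlier change
"""

def hosts_entries(text):
    """Yield (ip, name) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip it rather than abort the audit
        for name in parts[1:]:
            yield str(ip), name.lower()

def overrides_for(text, hostname):
    """Return the IPs the hosts file pins `hostname` to, in file order."""
    hostname = hostname.lower()
    return [ip for ip, name in hosts_entries(text) if name == hostname]

def audit_override(text, hostname, published_ip):
    """Classify the hosts-file pin against the address ePO publishes."""
    ips = overrides_for(text, hostname)
    if not ips:
        return "no-override"
    if len(ips) > 1:
        return "conflicting"  # the resolver uses the first match; later lines mislead
    return "ok" if ips[0] == published_ip else "stale"

if __name__ == "__main__":
    print(audit_override(SAMPLE_HOSTS, "epo.example.local", "198.51.100.10"))
```

Run it against C:\Windows\System32\drivers\etc\hosts on each relay server and treat anything other than "ok" as a host to revisit.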
I am testing this on one of my virtual ePO servers. I have modified the server.ini and made a modification to the agent handler configuration in ePO, I am in the process of setting up a second vm to test this but it looks promising.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\server.ini
Add to bottom - ServerIPAddress=126.96.36.199
Add to bottom - ServerIPAddress=188.8.131.52
Within ePO > Menu > Configuration > Agent Handlers
Click on the Agent Handler, modify the Published DNS and Published IP Address
I added 184.108.40.206 to the DNS and 220.127.116.11 to the IP. So far it seems to be functional, but I have not gotten a second system set up yet. It might be possible to publish the FQDN of the ePO server instead of the original IP address, but that would depend on whether the NAT subnets have access to the same DNS server or not. If they don't, then that would be the way to go, I would think.
At least ePO isn't throwing a fit.
After running the agent installation on a test server, it pulled the updated sitelist and successfully communicated with the ePO server.