5 Replies Latest reply on Nov 19, 2013 9:30 AM by pboedges

    ePO server 5.1 with 2 IPs

    bosqcqtp

      Hi,

      I have a new ePO server. This server has one "normal" IP and one NAT IP.

      It should be possible for clients to connect to both IPs (depending on which is reachable from their network).

      How to configure this?

       

      Update 2013/11/15 08:34:

      I just tried to duplicate the site handler_1 in the ePOs sitelist.xml and restarted services.

      <SpipeSite ID="handler_1" Enabled="1" Type="master" Name="ePO_Server" Server="server:80" ServerIP="1.2.3.4:80" ServerName="Server:80" Version="5.1.0" SecurePort="443" Order="1">

      <SpipeSite ID="handler_2" Enabled="1" Type="master" Name="ePO_Server-2" Server="server-2:80" ServerIP="5.6.7.8:80" ServerName="Server-2:80" Version="5.1.0" SecurePort="443" Order="2 ">

       

      Created a new FramePkg.exe and installed it on the client, which should connect through the NAT IP.

      First connection worked. It shows up in ePO and downloaded policies.

      Second connection fails.

      Message was edited by: bosqcqtp on 11/15/13 1:35:16 AM CST
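      An added example, not from this thread or from McAfee: a small checker for the SpipeSite entries of a sitelist.xml like the one edited above. It sorts the handlers by Order, lists the endpoints an agent would be handed, and flags the things that commonly go wrong in a hand-edited copy (duplicate IDs, padded or non-numeric Order/SecurePort values, endpoints that are not host:port, disabled entries). The sample document is constructed from the two fragments in the post; the root element and the self-closing form are assumptions, since a real sitelist.xml carries more structure, and the trailing space in Order="2 " is reproduced from the post so the checker has something to report. It only inspects the file; whether the agent tolerates any of the flagged values is not something the checker can tell you.

```python
"""Validate the SpipeSite handler entries in an ePO-style sitelist.xml.

Added example, not from the thread or from McAfee. SAMPLE_SITELIST is constructed
from the two fragments in the post: the root element and the self-closing form are
assumptions; only the SpipeSite attributes are taken from the post.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_SITELIST = """<SiteList>
  <SpipeSite ID="handler_1" Enabled="1" Type="master" Name="ePO_Server" Server="server:80"
             ServerIP="1.2.3.4:80" ServerName="Server:80" Version="5.1.0" SecurePort="443" Order="1"/>
  <SpipeSite ID="handler_2" Enabled="1" Type="master" Name="ePO_Server-2" Server="server-2:80"
             ServerIP="5.6.7.8:80" ServerName="Server-2:80" Version="5.1.0" SecurePort="443" Order="2 "/>
</SiteList>
"""

HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<port>\d{1,5})$")
NUMERIC_ATTRS = ("Order", "SecurePort")
ENDPOINT_ATTRS = ("Server", "ServerIP", "ServerName")


def parse_sites(xml_text: str) -> List[Dict[str, str]]:
    """Return every SpipeSite's attributes, sorted by Order (unparseable Order sorts last)."""
    root = ET.fromstring(xml_text)
    sites = [dict(elem.attrib) for elem in root.iter("SpipeSite")]

    def order_key(site: Dict[str, str]) -> int:
        try:
            return int(site.get("Order", "").strip())
        except ValueError:
            return 1 << 31

    return sorted(sites, key=order_key)


def validate_sites(sites: List[Dict[str, str]]) -> List[str]:
    """Return human-readable problems: duplicate IDs, disabled entries, padded or
    non-numeric Order/SecurePort values, and endpoints that are not host:port."""
    problems: List[str] = []
    seen_ids = set()
    for site in sites:
        sid = site.get("ID", "<no ID>")
        if sid in seen_ids:
            problems.append(f"{sid}: duplicate ID")
        seen_ids.add(sid)
        if site.get("Enabled") != "1":
            problems.append(f"{sid}: not enabled")
        for attr in NUMERIC_ATTRS:
            value = site.get(attr, "")
            if value != value.strip():
                problems.append(f"{sid}: {attr} has surrounding whitespace ({value!r})")
            if not value.strip().isdigit():
                problems.append(f"{sid}: {attr} is not numeric ({value!r})")
        for attr in ENDPOINT_ATTRS:
            value = site.get(attr, "")
            match = HOST_PORT.match(value)
            if match is None:
                problems.append(f"{sid}: {attr} is not host:port ({value!r})")
            elif not 1 <= int(match["port"]) <= 65535:
                problems.append(f"{sid}: {attr} port out of range ({value!r})")
    return problems


def connection_order(sites: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(ID, ServerIP) for enabled handlers in Order sequence. That the agent tries
    them in this sequence is an assumption, not something verified against the agent."""
    return [(s["ID"], s["ServerIP"]) for s in sites if s.get("Enabled") == "1"]


if __name__ == "__main__":
    parsed = parse_sites(SAMPLE_SITELIST)
    for sid, ip in connection_order(parsed):
        print(f"{sid} -> {ip}")
    for problem in validate_sites(parsed):
        print("WARNING:", problem)
```

      Run it against the agent's current copy of sitelist.xml after a policy pull as well as against your edited copy: as reply 3 below notes, the server pushes a fresh sitelist on first connection, so the two can differ.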
        • 1. Re: ePO server 5.1 with 2 IPs
          rackroyd

          The change is made in the server.ini file. Please see McAfee support article:

          KB56281 - Agents fail to connect to ePO 4.x servers with two IP addresses

           

          Titled for ePO 4.x but should still apply to 5.x too.

           

          ePO binds to only one IP though afaik. You can't have both, but you can choose which.

          • 2. Re: ePO server 5.1 with 2 IPs
            bosqcqtp

            First connection is working with the modified sitelist.xml. But I guess after policies are fetched the sitelist.xml is overwritten.

             

            Hosts on the same network are working.

            On the hosts behind the NAT I added a host entry in C:\Windows\System32\drivers\etc\hosts.

            5.6.7.8    ePO_Server

            Looks like McAfee Agent first does a DNS lookup. So this is working. But I don't really like the host entry...

             

            Isn't it possible to add the NAT IP to the sitelist.xml permanently?

            1 of 1 people found this helpful
            • 3. Re: ePO server 5.1 with 2 IPs
              rackroyd

              Not to my knowledge, no, and correct: on first connection ePO will send out an updated sitelist using the ePO server's IP address.

              Did the knowledge base article I referenced not apply?

              As I mentioned, ePO only binds to one IP, but you can choose which.

               

              What some customers do in this scenario is deploy a separate Agent Handler.

              • 4. Re: ePO server 5.1 with 2 IPs
                bosqcqtp

                Knowledge base article is about two network interfaces. I have only one. ePO server isn't aware of NAT.

                 

                I'm going to use the relay server function in agent 4.8 on remote sites.

                 

                As I wrote before it is working with the host entry but it is "ugly". But since I only need it on the relay server (~50) I guess I will stay with it.

                Hoped for a better solution.

                • 5. Re: ePO server 5.1 with 2 IPs
                  pboedges

                  I am testing this on one of my virtual ePO servers. I have modified the server.ini and made a modification to the agent handler configuration in ePO. I am in the process of setting up a second VM to test this, but it looks promising.

                  C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\server.ini

                   

                  [Server]

                  Add to bottom - ServerIPAddress=1.2.3.4

                  Add to bottom - ServerIPAddress=5.6.7.8

                   

                  Within ePO > Menu > Configuration > Agent Handlers

                  Click on the Agent Handler, modify the Published DNS and Published IP Address

                   

                  I added 1.2.3.4 to the DNS and 5.6.7.8 to the IP. So far it seems to be functional, but I have not gotten a second system set up yet. It might be possible to publish the FQDN of the ePO server instead of the original IP address, but that would depend on whether the NAT subnets have access to the same DNS server or not. If they don't, then that would be the way to go, I would think.

                  At least ePO isn't throwing a fit.

                  After running the agent installation on a test server, it pulled the updated sitelist and successfully communicated with the ePO server.

                   

                  Message was edited by: pboedges on 11/19/13 10:30:30 AM GMT-05:00
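                  An added example, not from this thread or from McAfee, for checking the server.ini change described above from a script. The point it makes is about the repeated key: the post adds ServerIPAddress twice, and a generic INI reader such as Python's configparser either rejects the duplicate (its default strict mode) or silently keeps only the last value, so a verification script built on it would report one address and miss the other. The reader below keeps every value, validates each as an IP literal, and cross-checks the Agent Handler's published DNS and published IP against them. SAMPLE_SERVER_INI is constructed to mirror the two lines in the post and is not a real server.ini; how ePO itself treats the repeated key is not something this script determines.

```python
"""Read repeated ServerIPAddress lines from an ePO-style server.ini [Server] section.

Added example, not from the thread or from McAfee. SAMPLE_SERVER_INI is constructed
to mirror the two lines the post adds; it is not a real server.ini.
"""
import configparser
import ipaddress
from collections import defaultdict
from typing import Dict, List

SAMPLE_SERVER_INI = """; constructed sample, not a real ePO server.ini
[Server]
ServerIPAddress=1.2.3.4
ServerIPAddress=5.6.7.8
"""


def read_section_multi(ini_text: str, section: str) -> Dict[str, List[str]]:
    """Minimal INI reader that keeps every value of a key that appears more than once."""
    values: Dict[str, List[str]] = defaultdict(list)
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current != section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()].append(value.strip())
    return dict(values)


def server_addresses(ini_text: str) -> List[str]:
    """All ServerIPAddress values in [Server], each validated as an IP literal
    (ipaddress.ip_address raises ValueError on anything else)."""
    raw = read_section_multi(ini_text, "Server").get("ServerIPAddress", [])
    return [str(ipaddress.ip_address(a)) for a in raw]


def last_value_only(ini_text: str) -> str:
    """What configparser reports for the same file: with strict=False it keeps only
    the last duplicate (strict=True, the default, raises DuplicateOptionError)."""
    parser = configparser.ConfigParser(strict=False)
    parser.read_string(ini_text)
    return parser.get("Server", "ServerIPAddress")


def published_consistent(ini_text: str, published_dns: str, published_ip: str) -> bool:
    """Cross-check the Agent Handler's Published DNS / Published IP fields against
    server.ini: any value that is an IP literal must be one of the listed addresses.
    A hostname in the DNS field is accepted as-is; it cannot be checked offline."""
    addrs = set(server_addresses(ini_text))
    for value in (published_dns, published_ip):
        try:
            literal = str(ipaddress.ip_address(value))
        except ValueError:
            continue
        if literal not in addrs:
            return False
    return True


if __name__ == "__main__":
    print("all addresses:", server_addresses(SAMPLE_SERVER_INI))
    print("configparser (non-strict) sees only:", last_value_only(SAMPLE_SERVER_INI))
    print("published fields consistent:",
          published_consistent(SAMPLE_SERVER_INI, "1.2.3.4", "5.6.7.8"))
```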