2 Replies Latest reply: Aug 15, 2014 10:03 AM by ansarias

    How to setup a McAfee ePO Agent Handler in DMZ

    dexterrivera

      I just recently configured this and it was successful thanks to this community but I still had to piece it together using steps found here and some from documentation but was never able to find a step-by-step document.  I am sharing all the steps I went through hoping this helps someone else. I am also attaching the steps as a .docx. Thanks.

       

      HOW TO SETUP A MCAFEE EPO AGENT HANDLER IN DMZ

      These steps were done using the following:

      • Windows Server 2012 R2
      • McAfee ePO 5.1

       

      1. Build a server running Windows Server 2012 R2 and install all of the latest security patches
      2. Have server placed in your company’s DMZ which should still be behind a firewall
      3. Have a published DNS record created for access from internet-based agent
      4. Have your network engineering team configure the following ports on the internal-facing firewall for communication between the ePO server and the agent handler in DMZ:
        • Bi-directional 80
        • Bi-directional 8443 and 8444
        • Bi-directional 443
      5. The following is for communication between the agent handler in DMZ and internal SQL server, if your database is not on the ePO server itself:
        • Bi-directional 1433 TCP and 1434 UDP
      6. The following is to be configured on your public-facing firewall to allow communication between your workstations connecting through public internet to your agent handler in DMZ:
        • Inbound 80 TCP
        • Inbound 443 TCP
        • Inbound 8081 TCP
        • Inbound 8082 UDP
      7. Follow the Install remote Agent Handlers steps on pages 29-30 of https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24807/en_US/epo_510_ig_0-00_en-us.pdf.  I used a SQL account with these https://kc.mcafee.com/corporate/index?page=content&id=KB75766&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US.
      8. If you do not already have a Subgroup created for machines that should communicate with agent handler in DMZ, create one.  How you move machines there is up to you.  I am only assigning laptops so I have a tag named Laptop that is automatically applied to all laptops then have a Server Task move all machines tagged with Laptop to my DMZ Subgroup.
      9. Log into your ePO server and navigate to Menu>Agent Handlers
      10. Click New Assignment
      11. Enter name in Assignment Name field (i.e. DMZ Agent Handler Assignment)
      12. Click Add Tree Locations, and click on the ellipses button
      13. Select the DMZ Subgroup and click OK
      14. Select the Use Custom Handler List radio button
      15. Click Add Handlers
      16. From drop-down menu select the agent handler in DMZ (disregard Warning message about primary agent handler)
      17. Click Save to complete
      18. Click Edit Priority
      19. Move your DMZ Assignment to priority 1, click Save
      20. Click on Agent Handlers to get to list of agent handlers
      21. Click on the agent handler in DMZ
      22. Enter the publicly published DNS name created in step #3 in the Published DNS Name field
      23. Enter the IP that the publicly published DNS name resolves to in the Published IP Address field
      24. Click Save
      25. Now back in the Handlers list, enable the agent handler in DMZ by clicking Enable

       

      Your machines designated to get the DMZ Agent Handler Assignment will begin getting their changes during the next couple of ASCI transactions.  You can visually confirm by checking the following registry key on a test machine:

       

      • Key:  HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\Agent
      • String Value Name:  ePOServerList
      • String Value Data:  <public DNS name>|<public IP address>|443

       

      on 5/2/14 9:17:57 AM CDT
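
      The registry check described above can be scripted and extended to confirm that the published DNS name, the published IP address and the public-facing firewall agree with each other. This is an added example, not part of the original post or of any McAfee tooling. Assumptions: the DNS name and IP are constructed placeholders, the Wow6432Node key path and the `;` separator between multiple handlers are not stated in the post, and `Resolve-DnsName` / `Test-NetConnection` require Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example: run on a test machine assigned to the DMZ Subgroup.
$ExpectedDns = 'epo-ah.example.com'  # placeholder: Published DNS Name (step 22)
$ExpectedIp  = '203.0.113.10'        # placeholder: Published IP Address (step 23)

# First path is the key from the post. The Wow6432Node path is an assumption
# for a 32-bit agent installed on 64-bit Windows.
$KeyPaths = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
)

function Get-EpoServerList {
    foreach ($path in $KeyPaths) {
        $item = Get-ItemProperty -Path $path -Name ePOServerList -ErrorAction SilentlyContinue
        if ($item -and $item.ePOServerList) { return $item.ePOServerList }
    }
    throw 'ePOServerList not found under the expected agent keys.'
}

function ConvertFrom-EpoServerList([string]$Raw) {
    # Entry layout from the post: <DNS name>|<IP address>|<port>.
    # Assumption: multiple handlers are separated by ';'.
    foreach ($entry in ($Raw -split ';' | Where-Object { $_.Trim() })) {
        $f = $entry.Trim() -split '\|'
        if ($f.Count -ne 3) { Write-Warning "Unexpected entry: $entry"; continue }
        [pscustomobject]@{ Dns = $f[0]; Ip = $f[1]; Port = $f[2] }
    }
}

$handlers = @(ConvertFrom-EpoServerList (Get-EpoServerList))
$dmz = @($handlers | Where-Object { $_.Dns -eq $ExpectedDns })[0]
if (-not $dmz) { throw "$ExpectedDns is not in ePOServerList: $($handlers.Dns -join ', ')" }

# What public DNS returns must agree with the Published IP Address set in ePO.
$resolved = @(Resolve-DnsName -Name $ExpectedDns -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

$checks = [ordered]@{
    'Registry IP matches published IP' = ($dmz.Ip -eq $ExpectedIp)
    'Registry port is 443'             = ($dmz.Port -eq '443')
    'Public DNS resolves to that IP'   = ($resolved -contains $ExpectedIp)
    'TCP 443 reachable from here'      = (Test-NetConnection $ExpectedDns -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    'TCP 80 reachable from here'       = (Test-NetConnection $ExpectedDns -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

      Run it from a network outside the corporate perimeter so the TCP checks exercise the public-facing firewall rules rather than the internal path.
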
        • 1. Re: How to setup a McAfee ePO Agent Handler in DMZ
          drlandau

          Hi Dexter, thanks a lot for posting the guide for everyone to use.

           

          I'm trying the same thing, but coming up short on some questions.

           

          1) Does your RAH server cache the Master Repository automatically? Mine don't seem to.

          2) Did you set up a Distributed Repository on the RAH server as well?

          3) Do the agents in your DMZ point to the RAH server as both AH and Repository server?

          4) How do you deploy agents into the machines in your DMZ? Do you install FramePkg.exe manually on all servers - or do you discover via a RSD sensor on the RAH and deploy from the console via the RAH?

           

          If you have any good points for my questions in Re: Deployment of McAfee Agent throught RAH? please don't hesitate to let me know.

           

          Thanks a lot.

          Nicolaj

          • 2. Re: How to setup a McAfee ePO Agent Handler in DMZ
            ansarias

            Hello,

             

            Looks like all steps are good. Only 2 things are important.

             

            1. DB.properties data should be the same as your ePO server.

            2. The ports below should be allowed in the server's local firewall inbound rules.

            • Inbound 80 TCP
            • Inbound 443 TCP