6 Replies Latest reply on Jun 16, 2014 8:46 PM by mallet413

    Encryption Won't Start for Off-site Clients

    mallet413

      Having an interesting (edit: infuriating & confusing) problem with a new ePO build.  Any advice anyone can offer would be GREATLY appreciated.

       

      ePO server has been built solely to manage Drive Encryption 7.1 endpoints, with an Agent Handler placed in the DMZ to accommodate machines in the field (some temporarily, others permanent).  I've set up an assignment so that clients will look for the ePO (internal) server first, and then the AH (external) server 2nd.  Policies & install task are in place, and machines on the internal network happily install the agent, run through the pre-encryption tasks and then encrypt themselves with no problem.

       

      The problem, of course, arises when I try to encrypt a machine outside of the network.  I install framepkg.exe, the machine checks into the Agent Handler, shows up on the ePO console, installs the Drive Encryption client, reboots, and upon login initiates the "Creating Event to request data for local domain users"....and that's it.  It will sit for hours, and the MfeEpe.log looks like this:

       

      2014-06-16 17:27:47,697 INFO    EpoState                             == Start of policy enforcement ==

      2014-06-16 17:27:47,713 INFO    EpoPlugin                            enforceUserPolicy: Dispatching enforce policy event.

      2014-06-16 17:27:47,744 INFO    StatusService                        Policy enforcement has started

      2014-06-16 17:27:47,775 INFO    EpoPlugin                            policyHandler: handling EnforcePolicy event

      2014-06-16 17:27:48,275 INFO    EpoPlugin                            policyHandler: checking for machine ID/ePO server change.

      2014-06-16 17:27:48,275 INFO    EpoPlugin                            themeHandler: theme ID change detected (old: 1, new: ECF3E6FD-2C54-4C94-9A5D-81FCE9577F77).

      2014-06-16 17:27:48,306 INFO    EpoPlugin                            themeHandler: theme CRC change detected.

      2014-06-16 17:27:48,399 INFO    EpoPlugin                            userHandler: handling AddLocalDomainUsers event

      2014-06-16 17:27:48,462 INFO    DomainUsers                          Searching for any local domain users.

      2014-06-16 17:27:48,477 INFO    DomainUsers                          Found new (unprocessed in this session) local domain user: \domainX\userX

      2014-06-16 17:27:48,477 INFO    EpoPlugin                            userHandler: dispatching EPOAddDomainUsers event to McAfee Agent

      2014-06-16 17:27:48,477 INFO    EpoPlugin                            userHandler: Note, press Send Events button in McAfee Agent to hasten delivery (see KB71865).

      2014-06-16 17:27:48,711 INFO    StatusService                        Creating Event to request data for local domain users

      2014-06-16 17:33:39,556 INFO    EpoPlugin                            collectProperties: dispatching disk list to AgentHandler

      2014-06-16 17:33:39,743 INFO    EpoPlugin                            epoAudit: dispatching audits to AgentHandler

      2014-06-16 17:36:45,243 INFO    DRIVER                               Session notification: EPEPC_DRIVER_SESSION_STANDBY

      2014-06-16 17:59:19,312 INFO    EpoPlugin                            collectProperties: dispatching disk list to AgentHandler

      2014-06-16 18:14:18,935 INFO    DRIVER                               Session notification: EPEPC_DRIVER_SESSION_UNLOCK

      2014-06-16 18:24:39,130 INFO    EpoPlugin                            collectProperties: dispatching disk list to AgentHandler

      2014-06-16 18:27:21,963 INFO    DRIVER                               Session notification: EPEPC_DRIVER_SESSION_STANDBY

      2014-06-16 18:28:02,745 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement is already in progress, skipping this one.

      2014-06-16 18:28:02,777 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement is already in progress, skipping this one.

      2014-06-16 18:37:35,937 INFO    EpoPlugin                            collectProperties: dispatching disk list to AgentHandler

      2014-06-16 18:39:33,047 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement is already in progress, skipping this one.

      2014-06-16 18:39:33,078 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement is already in progress, skipping this one.

       

      Doesn't matter if I press "Send Events" or not, it won't advance.   It seems like there must be something simple that I'm missing.

       

      Here are our open ports:

      Internet->AgentHandler: TCP 80, 443

      AgentHandler->Internet: TCP 8081

      AgentHandler->ePO: TCP 80, 443, 1433, 8443, 8444

      ePO->AgentHandler: TCP 80, 443

       

      Any ideas?

       

      Thanks,

      Ben

        • 1. Re: Encryption Won't Start for Off-site Clients
          mallet413

          I'm not sure, but maybe this has something to do with it.  Here is a snippet from the Agent Handler's "server_[servername].log" file showing the incoming event.  "LAPTOP" refers to the client machine, "AGENTHANDLER" refers to...well, you get it:

           

          0140616211738    I    #03840    NAIMSERV    Received [Event] from LAPTOP:{8E93AF34-0504-4BC7-8D3A-6403C5CB2A54}

          20140616211803    I    #00892    EPODAL      Label cache cleaned; oldsize=30, newsize=11

          20140616211804    I    #03508    PLUGNMGR    Calling CoFreeLibrary for library C:\PROGRAM FILES (X86)\MCAFEE\AGENT HANDLER\DB\PLUGIN\EEADMIN\EPEAGENTHANDLERPLUGIN.12833.DLL

          20140616211804    I    #03508    PLUGNMGR    Freeing unused libraries - no delay

          20140616211859    I    #03604    NAIMSERV    Wake up agent on DNS name LAPTOP.domain.com...

          20140616211859    I    #04176    NAIMSERV    Wake up agent on DNS name LAPTOP.domain.com...

          20140616211859    E    #03604    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP.domain.com

          20140616211859    E    #04176    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP.domain.com

          20140616211859    E    #03604    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP.domain.com

          20140616211859    E    #04176    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP.domain.com

          20140616211859    E    #03604    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP.domain.com

          20140616211859    I    #03604    NAIMSERV    Wake up agent on NetBIOS name LAPTOP...

          20140616211859    E    #04176    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP.domain.com

          20140616211859    I    #04176    NAIMSERV    Wake up agent on NetBIOS name LAPTOP...

          20140616211902    E    #03604    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP

          20140616211902    E    #04176    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP

          20140616211904    E    #04176    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP

          20140616211904    E    #03604    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP

          20140616211907    E    #04176    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP

          20140616211907    I    #04176    NAIMSERV    Wake up agent on IP Addr 10.158.51.50...

          20140616211907    E    #03604    NAIMSERV    naSPIPE.cpp(320): Failed to find IP address for LAPTOP

          20140616211907    I    #03604    NAIMSERV    Wake up agent on IP Addr 10.158.51.50...

          20140616211928    E    #04176    NAIMSERV    naSPIPE.cpp(338): Failed to connect to 10.158.51.50:8081, network error was 10060

          20140616211928    E    #03604    NAIMSERV    naSPIPE.cpp(338): Failed to connect to 10.158.51.50:8081, network error was 10060

           

          If I'm reading it right, the agent handler receives the event, and then about 30 seconds later, tries to wake up the endpoint using a DNS lookup, and then directly by its last known internal IP address.  Obviously this won't work because my laptop is outside of the office.

          • 2. Re: Encryption Won't Start for Off-site Clients
            mvm_101

            Does the data channel between the remote system(s) and the agent handler work?

             

            When you click "Send events" do you see the agent trying to send one or more events?

            • 3. Re: Encryption Won't Start for Off-site Clients
              mallet413

              I'm fairly sure it does...I see sequences like this on agent monitor:

               

              • Agent is looking for events to upload
              • Agent uploading 1 events to ePO Server
              • Agent communication session started
              • Agent is sending EVENT package to ePO server
              • Agent is connecting to ePO server
              • No package received from ePO Server
              • 4. Re: Encryption Won't Start for Off-site Clients
                mvm_101

                Ok, that's good news. What happens when you click "Check New Policies" after the event(s) is sent? -AFAIK in theory you should receive an updated policy package telling the drive encryption agent what to do next.

                 

                Message was edited by: mvm_101 on 6/16/14 3:52:42 PM CDT
                • 5. Re: Encryption Won't Start for Off-site Clients

                  The systems will eventually activate. The problem is that those systems cannot be reached by ePO. When you send the events, they go up to ePO. Then ePO tries to respond. Since those systems are not on your network, those attempts to respond fail (for the same reason that an agent wakeup would fail). However, ePO will remember that those events have been sent up and will allow the activation process to stay alive. The next time your client initiates a connection, the activation process will pick up where it left off. So you simply have to wait for the next ASCI. You need at least two ASCIs, but you will need three if you have the "add local domain users" feature enabled.

                   

                  The short answer is to just wait for three ASCIs.

                   

                  A lot of customers will modify their McAfee Agent policy on their remote systems so that it syncs more frequently. For example, set the ASCI to every 30 minutes. That way the process will complete in 90 minutes. When MDE is done activating, you can revert back to a "normal" ASCI interval. Note that you can automate MA policy switching with tags and server tasks in ePO.
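
A log check that ties the stalled MfeEpe.log in the original post to the three-ASCI explanation above, added here as an example and not part of any poster's reply or of McAfee's tooling: it reports how long the client has been sitting at "Creating Event to request data for local domain users" and whether that is still inside three ASCIs. The function name, the constructed sample lines and the rule that any later StatusService line means activation has moved on are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the MfeEpe.log layout quoted in the thread.
SAMPLE = """\
2014-06-16 17:27:47,744 INFO    StatusService    Policy enforcement has started
2014-06-16 17:27:48,477 INFO    EpoPlugin        userHandler: dispatching EPOAddDomainUsers event to McAfee Agent
2014-06-16 17:27:48,711 INFO    StatusService    Creating Event to request data for local domain users
2014-06-16 17:33:39,556 INFO    EpoPlugin        collectProperties: dispatching disk list to AgentHandler
2014-06-16 18:28:02,745 INFO    EpoPlugin        enforcePolicy: Policy Enforcement is already in progress, skipping this one.
2014-06-16 18:39:33,047 INFO    EpoPlugin        enforcePolicy: Policy Enforcement is already in progress, skipping this one.
"""

# Fields: timestamp,millis  LEVEL  component  message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3}\s+(\w+)\s+(\S+)\s+(.*)$")
WAIT = "Creating Event to request data for local domain users"
SKIP = "Policy Enforcement is already in progress"


def activation_wait(log_text, asci_minutes, asci_count=3):
    """Hypothetical helper: None if the client is not waiting on ePO,
    otherwise a summary of the wait. asci_minutes is the ASCI configured
    in the McAfee Agent policy (supplied by the operator, not read from the log)."""
    status_ts = status_msg = last_ts = None
    skips = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        component, msg = m.group(3), m.group(4)
        last_ts = ts
        if component == "StatusService":
            # Assumption: a newer StatusService line replaces the old state.
            status_ts, status_msg, skips = ts, msg, 0
        elif SKIP in msg:
            skips += 1  # enforcement attempts refused while waiting
    if status_msg != WAIT:
        return None
    waited = last_ts - status_ts
    budget = timedelta(minutes=asci_minutes * asci_count)
    return {"since": status_ts, "waited": waited,
            "skipped_enforcements": skips, "within_window": waited <= budget}


if __name__ == "__main__":
    print(activation_wait(SAMPLE, asci_minutes=30))
```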

                  • 6. Re: Encryption Won't Start for Off-site Clients
                    mallet413

                    Thanks DLarson...you're absolutely right.  I actually figured this out while trying to replicate for mvm_101 and your answer sealed it for me.  Thanks much to both of you.