1 Reply Latest reply on Jun 24, 2014 1:54 PM by JoeBidgood

    Custom SSL certificate installation on Agent Handler

    mpare

      Hello all - we've run into an issue as a result of a scan/audit against our Agent Handler.

       

      First - a little background:

      We are running ePO 5.1 on the internal network.  I've deployed an Agent Handler in the DMZ and opened up https from the outside to the handler so our remotely deployed laptops can communicate back and forth with the ePO environment (run reports, manage policies, push updates, etc).  This has all been working nicely since I set it up a couple months ago.

       

      Our parent company runs tests against our externally-facing services (http/s, smtp, etc..) using the Critical Watch FusionVM product.  They've identified the "SSL - Certificate Authenticity & Trust Chain Validation" issue on our Agent Handler, and are requiriing us to install a signed certificate from a trusted CA.  I can only assume that this problem exists because the Apache server that is integrated into the Agent Handler service is using a self-signed certificate.

       

      Is there a way to install an SSL certificate on the Apache web service, signed by a trusted CA, that would then be used for remote client to Agent Handler communications?

       

      I did some searches and found this post from last August - sadly - at that time, it doesn't appear that this was possible but I'm hoping there is an update or work-around.  https://community.mcafee.com/thread/59072

       

      Please do not confuse this with Agent Handler to ePO server communications - this traffic is internal, not exposed to the outside, and not a factor in this audit.

       

      I fear if our parent company pushes on this, we might be forced to discontinue use of our DMZ Agent Handler, which would put our remote user population at greater risk.  Therefore, if this is not possible, I'll need to collect and supply appropriate documentation in hopes of being granted an exception.

       

      Thanks,

       

      Michael Pare