0 Replies Latest reply on Sep 1, 2014 3:21 AM by drlandau

    RAH is using hostname rather than FQDN when talking to central ePO

    drlandau

      We had (have) a problem in getting a Remote Agent Handler on a DMZ to talk properly to the central ePO isolated on its own DMZ using the FQDN of the ePO server.

       

      The RAH communicated correctly with the SQL server using the FQDN of the central ePO server - but the ePO communication failed and the repository cache wasn't being populated/replicated.

      The AH server log showed that it attempted to communicate with the ePO services on only the hostname and NOT the FQDN as we'd specified during setup.

       

      We raised a service request with McAfee Gold Support and after they helpfully did som internal testing, they came back with the explaination, that I here include if others should ever get the same problem-

       

      ---

      When the ePO is in domain the RAH connects the ePO using FQDN

      When the ePO is in workgroup the RAH connects the ePO using Hostname

       

      If your ePO is in workgroup and if you want FQDN, you need to add the DNS suffix in Computer Properties and also modify the HOSTS file on the AH if resolution is not happening.

      ---

       

      It is in our eyes a pretty weird decision to on purpose only use hostname when running the ePO in a workgroup - and only use the specified FQDN when running a domain on the ePO.

      When we type in a FQDN servername, we expect it to be used.

       

      Our reason to place the ePO on its own DMZ is for security reasons, since every server in every DMZ, secure and unsecure, will be talking into the same ePO. There is no need for a domain, when the server is alone and isolated.

      Needing to specify anything in the HOSTS file is a relic that should be avoided, because it is only a last resort that increases management and defeats the purpose of DNS alltogether. The HOSTS file should in my opinion never be used in an enterprise environment. And adding the DNS suffix of the central ePO server to every RAH server also a bit crude.

      Anyway hope it can save someone some trouble.

       

      /Nicolaj