3 Replies Latest reply on Mar 26, 2015 10:21 AM by Richard Carpenter

    Relay Server on non-local subnet?

    mzs

      Hi,

      I will need to manage McAfee agents on a network I don't control. I would prefer to manage the agents through a central ePO server.

      The agents would not be able to route directly to the central ePO server. However, they can reach a particular subnet where I can install a RelayServer, SuperAgent, etc. that would be able to reach my central ePO server.

      I've been reading up and it looks like RelayServer agents are discovered through a broadcast on the local subnet. Is there a way to configure clients to use a RelayServer that is not on the local subnet?

      I would rather not use an Agent Handler as it looks like a lot more hassle (almost a full ePO installation to maintain).

      If a RelayServer won't work, perhaps I could configure the McAfee agents to use an HTTP proxy to reach ePO?

      Thanks,

      Mike

        • 1. Re: Relay Server on non-local subnet?
          Richard Carpenter

          Hi mzs,

          When you refer to a non-local subnet, do you mean they are not in the same Variable Length Subnet or CIDR?

          Both RelayServers and SuperAgents use Broadcast messaging to communicate, or be discovered by other Agents in the same Collision Domain.

          AgentHandlers don't sound like they would be the best option, and require direct connectivity to your SQL backend, but if that is the SQLExpress engine running on your ePO server that also will not route.

          You might be able to 'forward' the UDP Broadcast message from this subnet to the subnet with a RelayServer using your network layer, but I guess this would be unsupported by McAfee.

          Maybe JoeBidgood could offer a suggestion?

          Regards

          Rich

          Volunteer Moderator

          Certified McAfee Product Specialist - ePO

          • 2. Re: Relay Server on non-local subnet?
            mzs

            Hi Richard,

            Yes, to clarify - the clients would be on about 100 different subnets, separated by one or more routers from a server subnet where I can put the relay/proxy/AgentHandler. The server subnet would be able to reach my central ePO server via the WAN. The 100+ client subnets can't see the ePO server directly.

            I would like to configure the clients to talk to the relay for agent-to-server communication (and to use the relay as a distributed repository, although it looks like there are other ways to make that part work).

            Thanks,

            Mike

            • 3. Re: Relay Server on non-local subnet?
              Richard Carpenter

              Hi Mike.

              An Agent Handler in your Server Subnet looks like the only way to get this to work with your Network Topology.

              You can Deploy the Agent Handler (with Distributed Repository) into your Server Subnet and set the Agent Policy to configure your clients to use the Agent Handler.

              This is similar to adding an AH to your DMZ for devices outside your LAN/WAN, so you would be implementing a DMZ design for your ePO server.

              Regards

              Rich

              Volunteer Moderator

              Certified McAfee Product Specialist - ePO