5 Replies Latest reply on Aug 7, 2015 5:59 AM by frank_enser

    Receiving remote allerts (AV Solutio) ...


      Dear Community,


      My first try to challenge the community receiving experiences and feedback; looking for practical experts trying to get the best of the solution.


      As user of McAfee's solutions I'm wondering how to tackle with this problem:

      Beneath of many corporate LAN connected users we serve a lot of traveling colleagues using Laptops. Whenever the are connected to the LAN the will get the newest updates and policy settings and also "report" their log-entries / alarms / detections to EPO.


      As soon as they aren't connected to corporate LAN any more, they loose the connection to the EPO management.

      Receiving updates and patters isn't an issue as the update sources are available as soon as the laptop connects to the Internet. This is working fine.


      An issue we experienced is when e.g. this Laptop (McAfee) detects a virus, the central EPO management does not get this information and so isn't shared with IT responsible staff in charge of IS. This is clear as the EPO is an internal service @ corporate LAN only.


      So the question: How is it possible to inform IT responsible staff in charge of IS earlier than the next time the user connects to the corporate LAN?

      Indeed popping-up a message on the users screen and asking to do so is possible - but no automated way?


      It tried to find out something re this but without success but I can imagine I'm not the only one thinking about it.


      Any help would be appreciated!


      Thx :-)


        • 1. Re: Receiving remote allerts (AV Solutio) ...



          I know several companies which use an Agent Handler (Whitepaper) in their DMZ. But this can easily be seen as a security issue, so this risk has to be thoroughly calculated.


          Apart from that, I don't know any other possibility than that the roadwarriors have to VPN into the company at least once a day.




          • 2. Re: Receiving remote allerts (AV Solutio) ...

            Hi Ralf,

            As Frank said, an Internet facing Agent Handler is probably your best bet unless you require all systems to be VPN connected.

            If you do place an Agent Handler either internally or externally, they must have a low-latency connection to SQL. This is because the Agent Handler is maintaining an always active connection to the SQL database. Also, when new versions of ePO come out, your ePO server and Agent Handlers must always be on the same version. Additionally, you do add the burden of patching an additional server, along with any patches provided by Intel Security.

            Review the white paper that Frank linked to, and evaluate if adding an Internet facing agent handler is right for you.

            • 3. Re: Receiving remote allerts (AV Solutio) ...

              Thanks a lot frank - very helpful!


              I guess this will help us managing not-(corporate-LAN)-connected systems. BTW: VPN is possible and available but we prefer secure Citrix Thin Client based remote access providing a secure desktop as part of the secured internal infra.

              Re the security issues - do you see more then the normal consideration in terms of having servers in the DMZ providing any kind of services (so harding and tiering etc)?



              • 4. Re: Receiving remote allerts (AV Solutio) ...

                Thanks a lot tomz2.


                If we go for the Agent I assume the IT Team will consider it as it is a known topic in the community.

                As soon as I got the product hint from frank I reviewed additional information and got some additional information on that. Also the white-paper is a good starting point but not very detailed.



                • 5. Re: Receiving remote allerts (AV Solutio) ...

                  Apart from normal DMZ consideration, you should take into account, that the Agent Handler also has full access to the ePO database, so potential security issues with ePO (Agent Handler is nothing more than a "simple" ePO) must be addressed ASAP.


                  Edit: You could also contact support. Perhaps they can provide hardening hints.