3 Replies Latest reply on Oct 14, 2015 9:21 AM by meforum

    ePO in a DMZ

    tobert

      TL;DR: Is it possible to have VSE clients controlled by ePO pull their DAT updates from a different repository? And how do I figure out what failed if it did?


      Hello all! I'm hoping for some direction here. Here's a long description of my problem.


      I have 2 networks, a private and a DMZ. There is a limited number of ports open between the two networks and getting new ones opened is problematic. The ePO server resides in the private network. Agents have been deployed with no problem to both networks and communication seems to be working. The problem is the DMZ systems are not updating their DATs regularly. These systems are critical enough that any updates to the engine or program will be performed by hand and we're only concerned at the moment with DAT files. I have pulled up the Agent on a test server and had it test its update and it failed, so I'm thinking from my tests that the DMZ is blocking both the ePO repository and the McAfee HTTP site (FTP is a known block from this network), but I'm not sure. It's not really feasible to set up a second ePO server in the DMZ. I can change the ports the Agents and ePO use, but I'd like to avoid that if possible. And the systems in the DMZ are reporting into ePO. Is what I'm trying to do possible or should I be looking at another setup? Or what can I do to help track down the cause?


      Apologies for being vague and restrictive. This is the world I'm forced to work in for the next couple of months.


      Peace

        • 2. Re: ePO in a DMZ
          tobert

          Thank you akill. I'll look into how to implement this into my network. The video is a nice added touch too and I really appreciate it.


          Peace

          • 3. Re: ePO in a DMZ
            meforum

            Hi,


            in my opinion you should talk to your firewall admin guy first (as you will have to open some ports, regardless of what setup you choose).


            Then: I think a remote Agent Handler is mainly for systems that are OUTSIDE your network (e.g. internet) and have to talk to ePO. So they'll talk to the Agent Handler (AH) instead (client in internet > AH > ePO DB).

            For systems INSIDE your DMZ it should be enough to open the ports from/to ePO - or - if you don't like that you could go for an additional repository (for DATs) or set up a Super Agent or even a relay agent in your DMZ (check out the ePO product guide).


            And btw: If your agents talk to ePO via port 80/443 and you have some proxy in place - or may be doing "SSL interception / inspection" on your firewall e.g. - then this could break the communication (proxy: maybe, SSL interception: sure). So you'll have to configure some exclusions.
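As an added example (not code from the thread or from McAfee), the checks below run on a DMZ host and narrow down the three things discussed above: whether the agent ports to ePO are reachable, whether the DAT repository URL answers over HTTP, and whether a proxy or SSL interception sits in the path by showing who issued the certificate the host actually receives. The ePO server name, the repository URL and the expected certificate issuer are placeholders; the ports 80/443 are the ones named in the thread.

```powershell
# Added example, not part of the forum thread. Placeholders below must be replaced.
$EpoServer      = 'epo.private.example'                 # placeholder: your ePO server
$AgentPorts     = @(80, 443)                            # agent-to-ePO ports named in the thread
$DatRepoUrl     = 'http://repo.private.example/Current/' # placeholder: DAT repository / McAfee HTTP source URL
$ExpectedIssuer = 'CN=Orion_CA_*'                       # placeholder: issuer shown on ePO's own certificate

function Test-TcpPort {
    # Returns 'open', 'timeout' (typical for a firewall DROP) or the error text (typical for REJECT).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout' }
        $client.EndConnect($async)
        return 'open'
    } catch { return "error: $($_.Exception.InnerException.Message)" }
    finally { $client.Close() }
}

function Get-RemoteCertificate {
    # Completes a TLS handshake without trusting the chain, so we can inspect who issued the cert.
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; Thumbprint = $cert.Thumbprint }
    } finally { $ssl.Dispose(); $client.Close() }
}

# 1. Are the agent ports open from the DMZ to ePO?
foreach ($p in $AgentPorts) {
    "{0}:{1} -> {2}" -f $EpoServer, $p, (Test-TcpPort -ComputerName $EpoServer -Port $p)
}

# 2. Does the DAT repository answer over plain HTTP (the agent's update path)?
try {
    $r = Invoke-WebRequest -Uri $DatRepoUrl -UseBasicParsing -TimeoutSec 10
    "repo {0} -> HTTP {1}" -f $DatRepoUrl, $r.StatusCode
} catch { "repo {0} -> failed: {1}" -f $DatRepoUrl, $_.Exception.Message }

# 3. Is something intercepting TLS? An issuer other than ePO's own CA means a proxy or
#    inspection device is re-signing the connection and an exclusion is needed.
$cert = Get-RemoteCertificate -ComputerName $EpoServer -Port 443
$cert
if ($cert.Issuer -notlike $ExpectedIssuer) { 'WARNING: certificate issuer does not match ePO; SSL interception or proxy likely in path.' }
```

Run it once from the private network and once from the DMZ host; a port that is "open" on one side and "timeout" on the other, or an issuer that differs between the two runs, points directly at the firewall or inspection device.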