8 Replies Latest reply on Dec 19, 2015 11:42 PM by tkinkead

    EPO & Agent Handler in different network


      We have EPO Server in one network and Agent handler in another network. How Agent Handler will talk to EPO server and take Product update and patches. How SQL DB will configure in this methodology.


      secondly Endpoints will communicate to Agent handler and it should take update,policies and deployment.


      How to configure this and share me if any KB article or any document related to this?





        • 1. Re: EPO & Agent Handler in different network

          Google Translate


          Hello Friend,


          First of all, the ePO server and another server that will install the Agent Handler, both need to communicate.

          Because when you are installing the agent handler, It will ask to you information from your ePO.

          Now that you know it.

          check out this video on YouTube:


          How to Plan McAfee ePolicy Orchestrator Agent Handlers - YouTube


          Ola Amigo,


          Antes de mais nada, o servidor ePO e o outro servidor que será instalado o Agent Handler, ambos precisam se comunicar.


          Porque quando você for instalar o agent handler, ele ira pedir as informações do seu ePO.


          Agora que voêc sabe disso.


          veja esse video no youtube:

          • 2. Re: EPO & Agent Handler in different network

            Hello Kumar,


            if you wanted to update your agents and also take care of communication install Super agents as agent handler will help only in communication.

            Also make sure there is communication between ePO server and super agent





            • 3. Re: EPO & Agent Handler in different network

              Hello Kumar,


              Agent Handlers require a very fast network connection, there are

              some scenarios in which you should not use them, including:


              • To replace distributed repositories. Distributed repositories are local file shares intended to keep

              agent communication traffic local. While Agent Handlers do have repository functionality built in,

              they require constant communication with your ePolicy Orchestrator database, and therefore

              consume a significantly larger amount of bandwidth.


              • To improve repository replication across a WAN connection. The constant communication back to

              your database required by repository replication can saturate the WAN connection.


              • To connect a disconnected network segment where there is limited or irregular connectivity to the

              ePolicy Orchestrator database.



              Rest Below are the ports required to be opened between Agent handler , ePO and SQL db


              Your agent handler will talk to both ePO and SQL realtime so make sure they are in same network or atleast they have high bandwidth available as relatime sync happens between agent handler , sql and ePO




              These steps were done using the following:

              • Windows Server 2012 R2
              • McAfee ePO 5.1


              1. 1. Build a server running Windows Server 2012 R2 and install all of the latest security patches
              2. 2. Have server placed in your company’s DMZ which should still be behind a firewall
              3. 3. Have a published DNS record created for access from internet-based agent
              4. 4. Have your network engineering team configure the following ports on the internal-facing firewall for communication between the ePO server and the agent handler in DMZ:
                1. a. Bi-directional 80
                2. b. Bi-directional 8443 and 8444
                3. c. Bi-directional 443
              5. 5. The following is for communication between the agent handler in DMZ and internal SQL server, if your database is not on the ePO server itself:
                1. a. Bi-directional 1433 TCP and 1434 UDP
              6. 6. The following is to be configured on your public-facing firewall to allowing communication between your workstations connecting through public internet to your agent handler in DMZ:
                1. a. Inbound 80 TCP
                2. b. Inbound  443 TCP
                3. c. Inbound  8081 TCP
                4. d. Inbound  8082 UDP
              7. 7. Follow the Install remote Agent Handlers steps on page 29-30 of epo_510_ig_0-00_en-us.pdf.  I used a SQL account with these ePO SQL permissions.
              8. 8. If you do not already have a Subgroup created for machines that should communicate with agent handler in DMZ, create one.  How you move machines there is up to you.  I am only assigning laptops so I have a tag named Laptop that is automatically applied to all laptops then have a Server Task move all machines tagged with Laptop to my DMZ Subgroup.
              9. 9. Log into your ePO server and navigate to Menu>Agent Handlers
              10. 10. Click New Assignment
              11. 11. Enter name in Assignment Name field (i.e. DMZ Agent Handler Assignment)
              12. 12. Click Add Tree Locations, and click on the ellipses button
              13. 13. Select the DMZ Subgroup and click OK
              14. 14. Select the Use Custom Handler List radio button
              15. 15. Click Add Handlers
              16. 16. From drop-down menu select the agent handler in DMZ (disregard Warning message about primary agent handler)
              17. 17. Click Save to complete
              18. 18. Click Edit Priority
              19. 19. Move your DMZ Assignment to priority 1, click Save
              20. 20. Click on Agent Handlers to get to list of agent handlers
              21. 21. Click on the agent handler in DMZ
              22. 22. Enter the publicly published DNS name created in step #3 in the Published DNS Name field
              23. 23. Enter the IP that the publicly published DNS name resolves to in the Published IP Address field
              24. 24. Click Save
              25. 25. Now back in the Handlers list, enable the agent handler in DMZ by clicking Enable


              Your machines designated to get the DMZ Agent Handler Assignment will begin getting their changes during the next couple of ASCI transactions.  You can visually confirm by checking the following registry key on a test machine:

              Key:  HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\Agent

              String Value Name:  ePOServerList

              String Value Data:  <public DNS name>|<public IP address>|443          

              • 4. Re: EPO & Agent Handler in different network

                Hi All,


                Thanks for the update.


                We have Agent Handler & 5000 Endpoints are in one network. But they are going to maintain EPO server in completely different network. but both network are in same location.


                Is there any possible method to configure both EPO & AH. Or how we can proceed for this method.


                Please give me whether our requirement will successfully work or not.





                • 5. Re: EPO & Agent Handler in different network
                  Richard Carpenter


                  If your networks are routable then one ePO server will easily manage 5000 end points. 

                  We currently manage 7000 end points with one ePO server with the database on a remote SQL cluster. We only use an AH in our DMZ to allow our 1000 mobile MacBooks to communicate with ePO while off our corporate LAN

                  I would suggest the AH's would not be suitable if all your 5000 end points can reach your ePO server due to the Low network Latency required for the AH to communicate with the SQL database. 



                  Certified McAfee Product Specialist - ePO

                  McAfee Volunteer Moderator

                  • 6. Re: EPO & Agent Handler in different network

                    We run over 15,000 off one ePO server with one Agent Handler without any issue.


                    What are you trying to accomplish?  When you say "different networks in the same location", what do you mean?  Are the two networks completely isolated from each other? 

                    • 7. Re: EPO & Agent Handler in different network

                      We have 2 company x & Y company. In X company we are going to install EPO & SQL server.


                      In Y company we are going to install agent handler. from Y company we have 5000 endpoints.


                      From both X & Y company IP segment will be different.


                      Currently our requirement will be how the product update & policies will replicate from X company EPO server to Y company Agent handler. After that only our endpoints will update the DAT signature and policies.


                      How we can configure in this scenario and is there any challenges regarding this method.




                      • 8. Re: EPO & Agent Handler in different network

                        When you say that the two companies have different IP segments, do you mean that they are separated by firewalls, but you are able to allow bi-directional traffic between them?  Is the traffic traversing a WAN link or Internet connection, or will you have a high-speed, low-latency connection between the Agent Handler in one company and the ePO server in another?  Agent Handlers communicate directly with the ePO database, and therefore require extremely low latency to operate correctly. 


                        Post #3 in this thread describes in some detail how to set up communication between the Agent Handler, the ePO server, and the DB server.