First of all, the ePO server and the other server that will host the Agent Handler both need to be able to communicate, because when you install the Agent Handler it will ask you for information from your ePO.
Now that you know that, check out this video on YouTube:
First of all, the ePO server and the other server on which the Agent Handler will be installed both need to be able to communicate, because when you install the Agent Handler it will ask for information from your ePO.
Now that you know that, watch this video on YouTube:
If you want to update your agents and also take care of communication, install SuperAgents, as an Agent Handler only helps with communication.
Also make sure there is communication between the ePO server and the SuperAgent.
Agent Handlers require a very fast network connection; there are some scenarios in which you should not use them, including:
• To replace distributed repositories. Distributed repositories are local file shares intended to keep agent communication traffic local. While Agent Handlers do have repository functionality built in, they require constant communication with your ePolicy Orchestrator database, and therefore consume a significantly larger amount of bandwidth.
• To improve repository replication across a WAN connection. The constant communication back to your database required by repository replication can saturate the WAN connection.
• To connect a disconnected network segment where there is limited or irregular connectivity to the ePolicy Orchestrator database.
Below are the ports required to be opened between the Agent Handler, ePO and the SQL DB.
Your Agent Handler will talk to both ePO and SQL in real time, so make sure they are in the same network, or at least that they have high bandwidth available, as real-time sync happens between the Agent Handler, SQL and ePO.
HOW TO SETUP A MCAFEE EPO AGENT HANDLER IN DMZ
These steps were done using the following:
- Windows Server 2012 R2
- McAfee ePO 5.1
1. Build a server running Windows Server 2012 R2 and install all of the latest security patches.
2. Have the server placed in your company's DMZ, which should still be behind a firewall.
3. Have a published DNS record created for access from internet-based agents.
4. Have your network engineering team configure the following ports on the internal-facing firewall for communication between the ePO server and the agent handler in the DMZ:
   a. Bi-directional 80
   b. Bi-directional 8443 and 8444
   c. Bi-directional 443
5. The following is for communication between the agent handler in the DMZ and the internal SQL server, if your database is not on the ePO server itself:
   a. Bi-directional 1433 TCP and 1434 UDP
6. The following is to be configured on your public-facing firewall to allow communication between your workstations connecting through the public internet and your agent handler in the DMZ:
   a. Inbound 80 TCP
   b. Inbound 443 TCP
   c. Inbound 8081 TCP
   d. Inbound 8082 UDP
7. Follow the Install remote Agent Handlers steps on pages 29-30 of epo_510_ig_0-00_en-us.pdf. I used a SQL account with these ePO SQL permissions.
8. If you do not already have a Subgroup created for machines that should communicate with the agent handler in the DMZ, create one. How you move machines there is up to you. I am only assigning laptops, so I have a tag named Laptop that is automatically applied to all laptops, then have a Server Task move all machines tagged with Laptop to my DMZ Subgroup.
9. Log into your ePO server and navigate to Menu > Agent Handlers.
10. Click New Assignment.
11. Enter a name in the Assignment Name field (e.g. DMZ Agent Handler Assignment).
12. Click Add Tree Locations, and click on the ellipsis button.
13. Select the DMZ Subgroup and click OK.
14. Select the Use Custom Handler List radio button.
15. Click Add Handlers.
16. From the drop-down menu select the agent handler in the DMZ (disregard the warning message about the primary agent handler).
17. Click Save to complete.
18. Click Edit Priority.
19. Move your DMZ Assignment to priority 1 and click Save.
20. Click on Agent Handlers to get to the list of agent handlers.
21. Click on the agent handler in the DMZ.
22. Enter the publicly published DNS name created in step 3 in the Published DNS Name field.
23. Enter the IP that the publicly published DNS name resolves to in the Published IP Address field.
24. Click Save.
25. Now, back in the Handlers list, enable the agent handler in the DMZ by clicking Enable.
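Before handing the build over, it helps to confirm that the firewall openings requested in steps 4 and 5 actually work. The following PowerShell, run on the DMZ agent handler, is an added example and not part of the original post; the host names are placeholders you must replace, and it only exercises the TCP ports, since Test-NetConnection cannot probe 1434/UDP. Run it a second time from the ePO server towards the agent handler to cover the other direction of the bi-directional rules.

```powershell
# Added example (not from the original post): probe the TCP ports from steps 4 and 5
# from the DMZ agent handler towards the internal ePO and SQL servers.
$EpoServer = 'epo.internal.example'   # placeholder, replace with your ePO server
$SqlServer = 'sql.internal.example'   # placeholder; drop these checks if SQL runs on the ePO server

$Checks = @(
    @{ Target = $EpoServer; Port = 80   },   # step 4a
    @{ Target = $EpoServer; Port = 443  },   # step 4c
    @{ Target = $EpoServer; Port = 8443 },   # step 4b
    @{ Target = $EpoServer; Port = 8444 },   # step 4b
    @{ Target = $SqlServer; Port = 1433 }    # step 5a (TCP only; 1434/UDP needs a separate check)
)

$Results = foreach ($c in $Checks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target = $c.Target
        Port   = $c.Port
        Open   = $r.TcpTestSucceeded
    }
}

$Results | Format-Table -AutoSize

# Anything still closed goes back to the network engineering team before step 7
$Blocked = $Results | Where-Object { -not $_.Open }
if ($Blocked) {
    $list = ($Blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '
    Write-Warning "Still blocked: $list"
}
```

Because the agent handler keeps a live connection to the SQL database, a port that tests open but shows a long round-trip time in the Test-NetConnection output is also worth flagging, given the latency requirement discussed earlier in the thread.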
Your machines designated to get the DMZ Agent Handler Assignment will begin getting their changes during the next couple of ASCI transactions. You can visually confirm by checking the following registry key on a test machine:
Key: HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\Agent
String Value Name: ePOServerList
String Value Data: <public DNS name>|<public IP address>|443
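To script that registry check instead of opening regedit on each test machine, the following PowerShell is an added example and not part of the original post. The expected DNS name and IP are placeholders for the values you entered in steps 22 and 23; the Wow6432Node path and the assumption that several handlers are stored as semicolon-separated entries in priority order are my assumptions, not something the post states.

```powershell
# Added example (not from the original post): confirm on a test machine in the DMZ
# subgroup that ePOServerList now lists the DMZ agent handler first.
$ExpectedDns = 'agenthandler.example.com'   # placeholder for the published DNS name (step 22)
$ExpectedIp  = '203.0.113.10'               # placeholder for the published IP (step 23)
$ExpectedEntry = "$ExpectedDns|$ExpectedIp|443"

# First path is the key from the post; the second is an assumption for 64-bit Windows
$KeyPaths = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
)

$List = $null
foreach ($k in $KeyPaths) {
    if (Test-Path $k) {
        $List = (Get-ItemProperty -Path $k -Name ePOServerList -ErrorAction SilentlyContinue).ePOServerList
        if ($List) { break }
    }
}

if (-not $List) {
    Write-Warning 'ePOServerList not found; the agent may not have completed an ASCI yet.'
    return
}

# Assumption: multiple handlers are stored as ';'-separated entries, highest priority first
$Entries = @($List -split ';' | Where-Object { $_ })
'Current handler list:'
$Entries | ForEach-Object { "  $_" }

if ($Entries[0] -eq $ExpectedEntry) {
    'OK: the DMZ agent handler is first in the list.'
} elseif ($Entries -contains $ExpectedEntry) {
    Write-Warning 'DMZ handler is present but not first; check the assignment priority (steps 18-19).'
} else {
    Write-Warning 'DMZ handler not present yet; wait for another ASCI or check the subgroup/tag (step 8).'
}
```

If the value never appears, check the client's subgroup membership first, since the assignment is applied by tree location and a machine outside the DMZ subgroup will keep its original handler list.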
Thanks for the update.
We have an Agent Handler and 5000 endpoints in one network, but the ePO server is going to be maintained in a completely different network, although both networks are in the same location.
Is there any possible method to configure both ePO and the AH, or how should we proceed with this method?
Please tell me whether our requirement will work successfully or not.
If your networks are routable, then one ePO server will easily manage 5000 endpoints.
We currently manage 7000 endpoints with one ePO server, with the database on a remote SQL cluster. We only use an AH in our DMZ to allow our 1000 mobile MacBooks to communicate with ePO while off our corporate LAN.
I would suggest that AHs would not be suitable if all your 5000 endpoints can reach your ePO server, due to the low network latency required for the AH to communicate with the SQL database.
Certified McAfee Product Specialist - ePO
McAfee Volunteer Moderator
We run over 15,000 off one ePO server with one Agent Handler without any issue.
What are you trying to accomplish? When you say "different networks in the same location", what do you mean? Are the two networks completely isolated from each other?
We have two companies, X and Y. In company X we are going to install ePO and the SQL server.
In company Y we are going to install the Agent Handler; company Y has 5000 endpoints.
The IP segments of company X and company Y will be different.
Our current requirement is to understand how product updates and policies will replicate from the company X ePO server to the company Y Agent Handler, after which our endpoints will update their DAT signatures and policies.
How can we configure this scenario, and are there any challenges regarding this method?
When you say that the two companies have different IP segments, do you mean that they are separated by firewalls, but you are able to allow bi-directional traffic between them? Is the traffic traversing a WAN link or Internet connection, or will you have a high-speed, low-latency connection between the Agent Handler in one company and the ePO server in another? Agent Handlers communicate directly with the ePO database, and therefore require extremely low latency to operate correctly.
Post #3 in this thread describes in some detail how to set up communication between the Agent Handler, the ePO server, and the DB server.