3 Replies Latest reply on Nov 18, 2016 1:59 AM by Troja

    How to setup DXL Topology




      I am working with TIE Server where it contains a Ready only Master (inside the network), Slave (inside the network) and a DXL Broker in the DMZ.


      My question is, what is the recommended configuration for the DXL Topology?


      Should I create two hubs, example (internal Broker - add inside servers to it) and (external hub - add DMZ broker to it)? I am confused on how to configure this setting. Any help would be greatly appreciated.

        • 1. Re: How to setup DXL Topology

          Hi nsaman,

          We installed a TIE/DXL environment with more than 25000 users, with hundreds of locations, integrating any DXL-enabled McAfee product. Enclosed is some info from my experience.

          • DXL broker service directly on TIE only makes sense for smaller installations or POCs. In bigger environments I install dedicated DXL Broker appliances. The DXL broker service on TIE server is not installed.
          • TIE Master and Slave for Database redundancy.
          • Own DXL Broker Appliance for clients connecting from outside the company's network.

          If you have ATD in place just remember, only TIE Master or Slave appliances are uploading files to ATD for analysis.


          How the hubs are used: you can handle DXL brokers something like Agent Handlers. Yes, an own DXL Hub provides load balancing and failover.

          Configure your DXL Agent policy for your endpoints to assign the DXL brokers they should use.


          You can find much useful information in the Expert Center: Threat Intelligence Exchange

          • 2. Re: How to setup DXL Topology

            Thank you Troja for your response.


            The main concern I have is to determine how to configure the "DXL Topology" option within ePO under Menu -> Server Settings -> DXL Topology.


            At this time, I have created two entries (see screenshot below). The external broker contains what is in the DMZ (which is the DXL Broker), and the internal broker contains what is INSIDE the network (Master server and Slave server). Is this the right way to configure a basic setup?


            The reason I ask is because when I set it up this way and I go to "Data Exchange Layer Fabric", I do not see the entry for the DXL Broker in the DMZ. I only see what is inside the network.

            • 3. Re: How to setup DXL Topology

              Hi nsaman,

              The DXL topology is like the, let me say, network topology of your DXL environment. The topology is well described in the DXL Architecture Guide in the Expert Center: DXL Architecture Guide.


              This is the DXL fabric in my lab:

              You can see the top hub called Malware where my TIE Master and Slave are located. Please note, do not use the DXL Broker Service on the TIE Server in a productive or bigger environment.

              • There are 3 incoming bridges from other ePO Servers. (Note, from my point of information there is only one TIE Master allowed on one DXL fabric.)
              • The second hub is my internal TIE Broker (Malware Internal). As you can see, any DXL Broker can be published with a DNS name and public IP (similar to publishing an Agent Handler).



              The result of your DXL Configuration is the "sitelist" for your DXL Client and can be used in the DXL Client Policy.

              Two things are important.

              • The DXL Client uses the configured DXL Broker only. If no Broker is available, the DXL Client shows "not connected".
              • If you added a public DNS name or IP in the DXL topology configuration settings (ePO Server Settings), the DXL Client will use this information to establish the connection.



              Finally, just a hint from my side, read the documents from the Expert Center carefully.

              Hope this helps,

