How to use ePolicy Orchestrator in a DMZ or NAT environment
Technical Articles ID:   KB59218
Last Modified:  6/10/2019

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

This article describes how to use ePO in a Demilitarized Zone (DMZ) or with Network Address Translation (NAT) in the environment.

Problem

McAfee Agent can't communicate with the ePO server in a DMZ or NAT environment. Two-way communications have been allowed between the ePO server and the DMZ server, but the Agent still does not communicate with the ePO server.

Solution 1

Agent-to-server communication is supported over NAT, but agent wake-up calls do not work over NAT. It is recommended that you install an ePO server or Agent Handler in the DMZ to manage the external clients, and one in the internal network to manage only the internal network clients.

Make sure that the following ports are opened on the firewall. These ports allow agent communication to the ePO server in the DMZ for the internal and external clients:
  • 443/80 (for the external clients only, incoming connections to ePO/Agent Handlers): agent-to-server port (listed as ServerHttpPort in the EPOServerInfo table for ePO)

IMPORTANT: Opening port 443/80 on the firewall for incoming connections from the external network to the ePO server/Agent Handlers allows only the external clients to communicate with the ePO server or Agent Handlers in the DMZ. This change is not a major network security consideration because the internal network is still locked down from receiving communications from external clients on this port.

For McAfee Agent (MA) 5.x, incoming connections to ePO/Agent Handlers occur on port 443 only in the DMZ. For MA 4.x, incoming connections to ePO/Agent Handlers occur on both port 443 and port 80 in the DMZ.

NOTE: Port 80 is used by MA 4.x to connect to ePO/Agent Handler as a repository for MA tasks.

Other ports in use:
  • 8443 (open from the internal network to the DMZ, if using Rogue System Detection): Console-to-Application Server communication port (listed as RmdSecureHttpPort in the EPOServerInfo table for ePO).
  • 8444 (open from the internal network to the DMZ, if using Rogue System Detection): Sensor-to-Server communication port (listed as SensorSecureHttpPort in the EPOServerInfo table for ePO).
  • 8801 (open from the internal network to the DMZ, if using the McAfee Labs threats download functionality): Security Threats HTTP port (listed as AVERTAlertsPort in the EPOAvertSettings table for ePO).
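The following PowerShell function is an added example and is not part of this article or of the ePO product: it checks the firewall openings listed above from one vantage point (an internal host or an external client) against the exposure the article describes, so that a management port that is reachable from the outside is reported as a finding instead of passing silently. The host name in the usage line is a placeholder, and the feature switches are assumptions that select which ports the article expects to be open.

```powershell
# Added example, not from the McAfee KB article: validate the DMZ firewall rules listed in
# the article from one vantage point. Requires Windows 8/Server 2012 or later (Test-NetConnection).
function Test-EpoDmzPorts {
    param(
        [Parameter(Mandatory)] [string] $DmzHost,      # DMZ ePO server or Agent Handler (name or IP)
        [Parameter(Mandatory)] [ValidateSet('internal', 'external')] [string] $Vantage,
        [switch] $LegacyAgents,          # MA 4.x agents still in use: port 80 is also expected open
        [switch] $RogueSystemDetection,  # RSD in use: 8443/8444 expected open from the internal network
        [switch] $ThreatDownloads        # McAfee Labs threats download in use: 8801 expected open from internal
    )

    $internal = ($Vantage -eq 'internal')

    # Expected reachability per the article: 443 (and 80 for MA 4.x) for agent traffic from
    # both sides; 8443, 8444 and 8801 only from the internal network, and only when the feature is used.
    $expected = @(
        [pscustomobject]@{ Port = 443;  Expected = $true;                                  Purpose = 'agent-to-server (ServerHttpPort)' }
        [pscustomobject]@{ Port = 80;   Expected = [bool]$LegacyAgents;                    Purpose = 'MA 4.x repository access' }
        [pscustomobject]@{ Port = 8443; Expected = ($internal -and $RogueSystemDetection); Purpose = 'console-to-application server (RmdSecureHttpPort)' }
        [pscustomobject]@{ Port = 8444; Expected = ($internal -and $RogueSystemDetection); Purpose = 'sensor-to-server (SensorSecureHttpPort)' }
        [pscustomobject]@{ Port = 8801; Expected = ($internal -and $ThreatDownloads);      Purpose = 'security threats HTTP (AVERTAlertsPort)' }
    )

    foreach ($row in $expected) {
        # With -InformationLevel Quiet, Test-NetConnection returns $true when the TCP handshake completes.
        $open = Test-NetConnection -ComputerName $DmzHost -Port $row.Port -InformationLevel Quiet -WarningAction SilentlyContinue

        if ($open -eq $row.Expected) { $status = 'OK' }
        elseif ($open)                { $status = 'UNEXPECTED EXPOSURE' }   # reachable from this side but should not be
        else                          { $status = 'BLOCKED' }               # expected open but the firewall drops it

        [pscustomobject]@{
            Vantage  = $Vantage
            Port     = $row.Port
            Purpose  = $row.Purpose
            Expected = $row.Expected
            Open     = $open
            Status   = $status
        }
    }
}

# Usage (placeholder host name): run once from an internal host and once from an external client
# and compare the two result tables; every row should read OK.
Test-EpoDmzPorts -DmzHost 'epo-dmz.example.com' -Vantage internal -RogueSystemDetection -ThreatDownloads | Format-Table -AutoSize
```

Run the check from both sides of the firewall: from the external side only 443 (and 80 if MA 4.x agents remain) should be open, so an OK on 8443, 8444 or 8801 from outside is exactly the exposure the article's port list is meant to avoid.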

Solution 2

This solution is an alternative if Solution 1 is unacceptable and the ePO server resides only on the internal network.

Make sure that the Hosts file on the DMZ server includes an entry for the IP address of the ePO server, and then modify the server.ini file as follows. After this change, all internal network computers use either the DNS name or the NetBIOS name to communicate with the ePO server; only the computers in the DMZ can communicate with the ePO server by IP address.
  1. In Windows Explorer, navigate to: ...\Program Files\McAfee\ePolicy Orchestrator\DB.
  2. Double-click server.ini.
  3. Append the following lines to the end of the file:

    ServerDNSName=<Fully qualified domain name of the DMZ server>
    ServerIPAddress=<IP address of the DMZ server>

  4. Click File, Save.
  5. Restart the following ePO services:
    1. Press Windows+R, type services.msc, and click OK.
    2. Right-click each of the following services and select Restart:

      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser
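The following PowerShell script is an added example and is not part of this article or of the ePO product: it scripts the Solution 2 procedure with a timestamped backup of server.ini and an idempotency check, so that running it twice does not append the keys twice, and it restarts the two ePO services by matching their display names rather than a hard-coded version. The install path, host names and IP addresses are placeholders or assumptions; the hosts-file check is meant to be run on the DMZ server and the server.ini change on the ePO server.

```powershell
# Added example, not from the McAfee KB article: apply the Solution 2 change safely.
# Placeholders: all names, addresses and the install path below must be adjusted to your environment.

# Run on the DMZ server: confirm the hosts file already has an entry for the ePO server's IP address.
function Test-EpoHostsEntry {
    param(
        [Parameter(Mandatory)] [string] $EpoIp,     # internal IP address of the ePO server
        [string] $HostsFile = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # A hosts entry is "<ip> <whitespace> <name>" on a non-comment line.
    $pattern = '^\s*' + [regex]::Escape($EpoIp) + '\s+\S'
    return [bool](Select-String -Path $HostsFile -Pattern $pattern -Quiet)
}

# Run on the ePO server: append ServerDNSName/ServerIPAddress to server.ini, then restart the services.
function Set-EpoDmzServerInfo {
    param(
        [Parameter(Mandatory)] [string] $DmzFqdn,   # fully qualified domain name of the DMZ server
        [Parameter(Mandatory)] [string] $DmzIp,     # IP address of the DMZ server
        # Assumption: default install location; the article abbreviates the path as ...\Program Files\McAfee\ePolicy Orchestrator\DB.
        [string] $ServerIni = 'C:\Program Files\McAfee\ePolicy Orchestrator\DB\server.ini'
    )

    if (-not (Test-Path $ServerIni)) { throw "server.ini not found at $ServerIni" }

    # Keep a timestamped copy so the change can be reverted by restoring the file.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $ServerIni -Destination "$ServerIni.$stamp.bak"

    # Append each key only if no line already sets it; a second run then changes nothing.
    $lines = @(Get-Content -Path $ServerIni)
    $toAdd = @()
    if (-not ($lines -match '^\s*ServerDNSName\s*='))   { $toAdd += "ServerDNSName=$DmzFqdn" }
    if (-not ($lines -match '^\s*ServerIPAddress\s*=')) { $toAdd += "ServerIPAddress=$DmzIp" }

    if ($toAdd.Count -eq 0) {
        Write-Host 'server.ini already contains ServerDNSName and ServerIPAddress; nothing appended.'
        return
    }
    Add-Content -Path $ServerIni -Value $toAdd
    Write-Host "Appended to server.ini: $($toAdd -join '; ')"

    # Restart the ePO Server and Event Parser services. Their display names carry the
    # product version ("McAfee ePolicy Orchestrator x.x.x Server"), so match by pattern.
    Get-Service |
        Where-Object { $_.DisplayName -match '^McAfee ePolicy Orchestrator .* (Server|Event Parser)$' } |
        Restart-Service -Force -PassThru |
        ForEach-Object { Write-Host "Restarted: $($_.DisplayName)" }
}

# Usage with placeholder values (203.0.113.0/24 is a documentation range; 10.0.0.5 is a private address):
#   On the DMZ server:  Test-EpoHostsEntry -EpoIp '10.0.0.5'
#   On the ePO server:  Set-EpoDmzServerInfo -DmzFqdn 'epo-dmz.example.com' -DmzIp '203.0.113.10'
```

Both functions need an elevated PowerShell session: the hosts file and the ePO DB folder are only readable/writable by administrators, and Restart-Service requires the same rights. Check the return value of Test-EpoHostsEntry on the DMZ server before running Set-EpoDmzServerInfo, since the article's change only takes effect once that hosts entry exists.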