Hello thelostgirl,

The Agent Handler is mostly use for one of the following:

(by McAfee Documentation)

• Scalability — if your ePO server is overloaded handling your agent request volume.

• Failover — if you want to allow agents to fail over between multiple physical devices, and

do not want to cluster the ePO server.

• Topology — if you need to manage systems behind a NAT, or in an external network, so

long as the agent handler can continue to have a high bandwidth connection to the central

database.

For what I was reading on the past post, I think the option your looking is the Topology. I configured an Agent handler but as NAT using the same ePO Server and didn't have to use another server on the DMZ and works just fine even if is not a very good practice (you need to be aware of the rules on the firewall). This way I could apply policies, install packages remoteley, even encrypt the laptops and many other things. Actually from january to february I will be configuring an Agent Handler on the DMZ so I'll let you know how it goes....

Hello Irolon, that's right. The agent handler in DMZ is configured just fine - firewalls are enabled. We are just looking into the possibility of having machines updated even if they are not in the network. So I have asked our Networking team for an external IP address for this and let's see what happens!

Hi jstanley, I have a question. So I did reach out to our Networking team for an external IP address and I was wondering, after that, do we have to have a port forwarding rule in place? Or should I go ahead and just fill in the published IP address field? Thanks!

It has a published IP but the external IP I am requesting for from our networking team will be NATted to the DMZ server. So maybe I would need port forwarding rules after all.

Hello, In your case I sure you will need a port fowarding configuration due to the NAT in the DMZ. In my case we did use a NAT configuration from an Internal LAN to an External IP Address and because of that, like "jstanley" said, you don't need a port fowarding but it is not an usual configuration). In your case you are goint to need one rule to por foward from external to dmz, and another rule from DMZ to LAN so the internal ePO can communicate to the DMZ handler. I'm designing exactly a similar configuration for our DMZ handler but we need to do some test so I'll let you know whatever new conflict we may find in the process or how it goes.