I just recently configured this and it was successful thanks to this community but I still had to piece it together using steps found here and some from documentation but was never able to find a step-by-step document. I am sharing all the steps I went through hoping this helps someone else. I am also attaching the steps as a .docx. Thanks.
HOW TO SET UP A MCAFEE EPO AGENT HANDLER IN DMZ
These steps were done using the following:
Your machines designated to get the DMZ Agent Handler Assignment will begin getting their changes during the next couple of ASCI transactions. You can visually confirm by checking the following registry key on a test machine:
There is also a lot of good information on agent handlers in the product guide (pd27630) and how they work starting on page 251.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Hi Dexter, thanks a lot for posting the guide for everyone to use.
I'm trying the same thing, but coming up short on some questions.
1) Does your RAH server cache the Master Repository automatically? Mine don't seem to.
2) Did you set up a Distributed Repository on the RAH server as well?
3) Do the agents in your DMZ point to the RAH server as both AH and Repository server?
4) How do you deploy agents into the machines in your DMZ? Do you install FramePkg.exe manually on all servers - or do you discover via a RSD sensor on the RAH and deploy from the console via the RAH?
If you have any good points for my questions, please don't hesitate to let me know.
Thanks a lot.
Nicolaj
To answer your questions below:
1) Does your RAH server cache the Master Repository automatically? Mine don't seem to.
Check your server log for errors pulling content from epo. Port 80 needs to be open to the epo server. Please check kb66797 to ensure all required ports are open.
2) Did you set up a Distributed Repository on the RAH server as well?
Please do not do that. It is a repository already and is not recommended.
3) Do the agents in your DMZ point to the RAH server as both AH and Repository server?
When you enable the epo server itself in your agent repository policy as an enabled repository, that also enables all agent handlers. The ah's are considered the master repository as well by the clients - it is like a virtual extension of the epo server.
4) How do you deploy agents into the machines in your DMZ? Do you install FramePkg.exe manually on all servers - or do you discover via a RSD sensor on the RAH and deploy from the console via the RAH?
Systems in the dmz typically aren't on a domain, so local authentication can be difficult deploying agents due to lack of AD authentication. However, it is possible. In the domain field for your credentials, use just a period ( . ). That denotes the local system account. Then the account name needs to be a local administrator account and password. You can also check the MA product guide for how to install the agent on an image, if you use images for your servers, so the agent is already installed.
Hello,
Looks like all steps are good. Only 2 things are important.
1. DB.properties data should be the same as on your ePO server.
2. The ports below should be allowed in the server's local firewall inbound rules.
Thanks for this write-up!
Are there any extra security precautions we should consider before attempting the same? Anything to do with a Windows OS facing the outside world, or SQL server facing out?
You can enable Lazy Caching on the AH by enabling the Super Agent features in the device's McAfee Agent Policy. This will cause all updates requested through this AH to be cached by the McAfee Super Agent.
Policy > McAfee Agent > General > <policy name>
Super Agents Tab, "Convert Agents to Super Agents" and "Enable Lazy Caching....."
Regards
Rich
McAfee Volunteer Moderator
Certified McAfee Product Specialist - ePO
As an important note - The agent handler is already a repository and should not be configured as a superagent. It is not necessary and can cause issues and additional unnecessary traffic to it since it would be servicing update requests to both locations (ah repository and superagent repository). That is not recommended.
Also, kb66797 lists the required ports along with their direction and protocol that may be required for all things to work properly. For an agent handler itself to epo and DB, it definitely needs the sql ports as well as epo ports, including 8443 and 8444.
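A connectivity check for the port requirements discussed in this thread, as an added example that is not part of any poster's reply or of McAfee's tooling. It is meant to be run on the DMZ agent handler; the host names are placeholders, SQL port 1433 is the SQL Server default and an assumption, and the "should be closed" ports are an assumed sample, so adjust all of them against kb66797 and your own rule set.

```powershell
# Added example: run on the DMZ Agent Handler. Host names are placeholders.
$EpoServer = 'epo.internal.example'   # hypothetical ePO server
$SqlServer = 'sql.internal.example'   # hypothetical ePO database server

# Expected = $true  : flows the thread says the handler needs.
# Expected = $false : sample of ports the DMZ rule should not expose (assumed list).
# 1433 is the SQL Server default and an assumption; confirm yours against KB66797.
$Checks = @(
    @{ Target = $EpoServer; Port = 80;   Expected = $true;  Note = 'content pull from ePO' }
    @{ Target = $EpoServer; Port = 8443; Expected = $true;  Note = 'ePO port' }
    @{ Target = $EpoServer; Port = 8444; Expected = $true;  Note = 'ePO port' }
    @{ Target = $SqlServer; Port = 1433; Expected = $true;  Note = 'SQL (assumed default)' }
    @{ Target = $EpoServer; Port = 445;  Expected = $false; Note = 'SMB (assumed not needed)' }
    @{ Target = $EpoServer; Port = 3389; Expected = $false; Note = 'RDP (assumed not needed)' }
)

$Results = foreach ($c in $Checks) {
    # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
    $open = Test-NetConnection -ComputerName $c.Target -Port $c.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target   = $c.Target
        Port     = $c.Port
        Note     = $c.Note
        Expected = if ($c.Expected) { 'open' } else { 'closed' }
        Actual   = if ($open) { 'open' } else { 'closed' }
        Ok       = ($open -eq $c.Expected)
    }
}

$Results | Format-Table -AutoSize

# Fail the run if a required flow is blocked or an unneeded port is reachable.
$Bad = @($Results | Where-Object { -not $_.Ok })
if ($Bad.Count -gt 0) {
    Write-Warning "$($Bad.Count) check(s) differ from the intended firewall rule set."
    exit 1
}
```

A required port showing "closed" matches the symptom in the first question (the handler cannot pull content from ePO); an unneeded port showing "open" means the DMZ rule is wider than the handler needs.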
Hi Richard,
Remote Agent Handler doesn't require super agent policy to be enabled. RAH is a run time (on demand) repository, which means that if the client machine is contacting RAH for a DAT/package that is not there in this repository, then RAH will contact ePO at run time and will get the package and share it with the client machine.
If you are enabling SA lazy caching then you are not utilizing the above feature which is by design.
Please let me know if you have queries regarding this. Contact McAfee for any clarification, I am 100% sure they will tell the same.
Sir, please correct me if I am wrong.
Thanks & Regards,
AJ
Certified McAfee Product Specialist - ePO
Ex McAfee Employee
Hello AJ
What you mentioned about RAH is absolutely true, there is no need of sadr if rah is available.
Coming back to the second part of your question:
"If you are enabling SA lazy caching then you are not utilizing the above feature which is by design."
The above statement is not clear to me.
Are you referring to a machine with sadr & rah both enabled?
If the sadr is used with lazy caching, then the clients get updates through sadr or rah........
If my understanding is right the answer as below
The client update again depends on the agent repository policy
If you have assignment rule for rah and ePO/ only rah
And through the repo policy ePO is the priority from the repository list. This will take update from rah
If you assigned the priority as sadr then lazy caching from sadr will trigger
Hoping this answered your query
Regards
RGC
Hi RGC,
Hope you are doing well. Everyone, this guy is a gem (literally) in ePO.
Coming back to the clarification of the part which was not clear.
What I meant is, it is not recommended to have Agent Handler and Super Agent on the same box. It doesn't make sense.
Hope that clears the air
Regards,
AJ