Agent Handlers Flashcards

1
Q

What are the benefits of implementing remote agent handlers?

A
  • Helps manage an increased number of products and systems managed by a single, logical McAfee ePO server in situations where the CPU on the database server is not overloaded
  • Provides fault tolerant and load-balanced communication with many agents, including geographically distributed agents
2
Q

How do Agent Handlers work?

A

Agent Handlers distribute the network traffic generated by ASC by directing managed systems or groups of systems to report to a specific Agent Handler.

The AH provides updated sitelists, policies, and PAR, just as the McAfee ePO server does.

3
Q

How can an Agent Handler function as a repository?

A

It can cache the contents of the Master Repository, so that agents can pull product update packages, DATs, and other needed information

4
Q

What is the most important thing to consider about the relationship between a remote agent handler and the SQL server?

A

Agent Handlers must have a high-speed, low latency connection to the Database

5
Q

What specific value must the Agent Handler's round-trip latency to the SQL Server be less than?

A

<10 ms

6
Q

T/F The Agent Handler must be able to authenticate domain credentials

A

True

7
Q

What are some of the reasons to use an Agent Handler?

A
  • Overall cheaper than implementing a second ePO server, since it can run on mid-range server hardware
  • Agent Handlers can be used to reduce the load on a growing ePO server
  • Agent Handlers can manage agent requests behind a firewall or in an external network
  • Agents can failover between Agent Handlers using a configured fallback priority list
  • Multiple Agent Handlers can load balance the Agent requests in a large remote network
8
Q

What are the instances in which an agent handler isn’t an appropriate response?

A

Using it as a distributed repository - The purpose of a repository is to distribute large files throughout an organization. They don’t contain logic or code. Agent handlers do contain logic, and communicate events back to the database. So, even though an Agent Handler can function as a DR in essence, it should never be used intentionally to replace a dedicated DR. Agent Handlers should be used to reduce the event management load on the ePO server.

Through a slow or irregular connection - Agent Handlers require a relatively high speed, low latency connection to the database to deliver events sent by the agents

To save bandwidth - Agent Handlers do not save bandwidth. They actually increase bandwidth use over the WAN connection that connects the clients to the Agent Handler. Use DRs to save bandwidth

9
Q

Since it seems to be misunderstood, what is the main reason for implementing a remote agent handler?

A

To reduce the event management load on the McAfee ePO server

10
Q

T/F If you want to save bandwidth in your network, implementing a remote agent handler would be a good idea

A

False. AHs do not save bandwidth; they increase bandwidth use over the WAN connection that connects the clients to the Agent Handler.

11
Q

What is the Agent Handler’s work queue?

A

Agent Handlers use a work queue, located in the ePO database, as their primary communication mechanism.

They check the server work queue every 10 seconds and perform the requested action. These frequent communications to the database require a relatively high-speed, low-latency connection between the Agent Handler and the ePO database.

12
Q

What are the typical actions that will be requested of an Agent Handler in the Work Queue?

A

Wake up calls, requests for product deployment, and data channel messages

13
Q

What command line command helps you determine the round trip latency between two systems?

A

Tracert

14
Q

T/F: Admins can create rules to override the default behavior of an agent handler?

A

True

15
Q

T/F: Usually, it is more efficient and less expensive to add an Agent Handler rather than an ePO server

A

True

16
Q

How many systems can be easily managed by ePO, provided only VSE is installed?

A

200K

17
Q

How do Agent Handlers provide scalability?

A

As the systems managed and products integrated with a single ePO server instance increase, so do the attempts to receive policies or send events to the server. This increases the load that the server must handle. Implementing a remote agent handler can take a lot of this burden off of the ePO server.

18
Q

How do remote Agent Handlers facilitate failover protection?

A

The Agent Handler is the ePO architectural component responsible for distributing policy and task updates to agents, as well as receiving event reports and property changes from agents. Consequently, if something causes the ePO server to be unavailable (upgrade or network issue), then the aforementioned functions will also be unavailable. By having additional remote agent handlers implemented in the environment, you are providing a way for agents to engage in the aforementioned processes in the event that something goes awry with the ePO server, hence, providing failover support

19
Q

What is the setup for simple deployment failover?

A

Two agent handlers are deployed as primary and secondary. All agents initiate communications with the primary Agent Handler, and only use the secondary Agent Handler if the primary is unavailable.

20
Q

When would simple deployment failover be considered as a viable option?

A

When the primary Agent Handler has better hardware, and can handle the whole load of the infrastructure

21
Q

What type of deployment would be an alternative to the simple deployment failover?

A

Failover with load balancing. This is achieved by placing multiple Agent Handlers into the same Agent Handler group, thus causing the ePO server to insert each AH in the group into the list of AHs at the same order level. The McAfee Agent randomizes AH at the same order level, resulting in an equal load across all Agent Handlers in a particular group. Agents failover between all Agent Handlers in a group before failing through to the next Agent Handler in the assignment list.

22
Q

What is the benefit of using Agent Handler groups?

A

They allow for both load balancing and failover benefits

23
Q

What is the predicament that is caused by agents behind a DMZ, firewall, or in a NAT network?

A

They can be viewed by the ePO server, but they can’t be managed or directly manipulated

24
Q

What is the purpose of having an Agent Handler in the DMZ?

A

Managing systems behind a firewall, DMZ, or in a NAT network

25
Q

What needs to be considered when placing an Agent Handler in the DMZ?

A

The ports that connect the Agent Handler to the ePO server and SQL database must be open on the firewall

26
Q

What ports must be opened on the firewall for an Agent Handler in the DMZ?

A

The ones that allow it to communicate with ePO and the SQL database

27
Q

How can agent handlers address roaming users?

A

Allows users who roam between enterprise network sites to connect to the nearest Agent Handler.

Roaming is possible only if the Agent Handlers from all locations are configured in the McAfee agent failover list.

You can modify policy and system sorting so that roaming systems can receive a different policy in each location.

28
Q

How does the repository cache work?

A

Agent Handlers automatically cache content and product updates if a McAfee Agent can’t access the content directly from the Master Repository on the ePO server

The McAfee Agent, by default, uses the primary McAfee ePO server (same server as Tomcat) as the Master Repository. Agents fail back to the Agent Handler if they are unable to communicate with their configured remote repository to pull content and product updates. Since the Agent Handler might not be running on the same server as the true Master Repository (on the McAfee ePO server), the Agent Handler manages these requests. Agent Handlers transparently handle requests for software and cache the required files after downloading them from the Master Repository. No configuration is necessary.

29
Q

T/F If ePO’s SQL database is overloaded, adding an Agent Handler can increase performance

A

False, in this situation, it could actually decrease performance. You would need to upgrade the SQL database hardware to take advantage of multiple agent handlers

30
Q

What did McAfee testing determine in regards to database CPU and adding agent handlers?

A

McAfee testing shows that adding Agent Handlers improves performance until your McAfee ePO database CPU load exceeds 70 percent. Since each Agent Handler adds some overhead, for example database connections and management queries to the database, adding Agent Handlers beyond 70 percent database CPU load does not help performance.

31
Q

When should you use multiple ePO servers?

A

Use a separate ePO server for separate IT infrastructures, separate administrative groups, or test environments. Also, if an Agent Handler isn’t a viable option for scalability, then you may have to use another ePO server

32
Q

Why should you configure the primary Agent Handler as the lowest priority agent handler?

A
  • Forces systems to connect to all other Agent Handlers before connecting to the primary ePO server Agent Handler
  • Reduces the McAfee ePO server load so that it can perform other tasks like displaying the ePO console user interface and running reports and server tasks
33
Q

What are the major steps that need to be taken to configure an agent handler in the DMZ?

A

1 Install the Windows Server hardware and software in the DMZ between your networks that are internal and external to McAfee ePO.

2 Configure all ports on your firewall between your McAfee ePO server and SQL database and the Agent Handler.

3 Install the McAfee ePO remote Agent Handler software using the information in the McAfee ePolicy Orchestrator Installation Guide.

4 If needed, create a subgroup of systems to communicate with the McAfee ePO server through the Agent Handler.

5 Create an Agent Handlers assignment.

6 Configure the Agent Handlers priority list and enable the Agent Handler in the DMZ.

34
Q

What ports need to be configured on the internal facing firewall to communicate between the ePO server and the Agent Handler in the DMZ?

A
  • Port 80 — Bidirectional
  • Port 8443 — Agent Handler to the McAfee ePO server
  • Port 8444 — Agent Handler to the McAfee ePO server
  • Port 443 — Bidirectional
35
Q

If the SQL Database is installed on a different server than the ePO server, what two ports need to be configured on the internal facing firewall for that connection to the agent handler?

A
  • Port 1433 TCP — Agent Handler to SQL database server
  • Port 1434 UDP — Agent Handler to SQL database server

36
Q

What ports need to be configured on the public facing firewall for an Agent Handler in the DMZ?

A
  • Port 80 TCP — Inbound
  • Port 443 TCP — Inbound
  • Port 8081 TCP — Bidirectional
  • Port 8082 UDP — Bidirectional
37
Q

How would you make it so that the Agents in the DMZ report to the Agent Handler there?

A

You would create a new agent handler assignment in the Agent Handler configuration page. Either the DMZ systems would have to be together in a System Tree group, or you would need to know their IP addresses, so you could link them to the DMZ agent handler and then set the priority of the rule to the top of the list.

38
Q

What problem arises with an Agent Handler in the DMZ if your ePO server is in a domain?

A

The Agent Handler installed in the DMZ cannot connect to the ePO SQL database because the Agent Handler cannot use domain credentials

To bypass this limitation, configure the Agent Handler to use the SQL database system administrator (sa) account credentials

39
Q

How can you achieve load balancing with Agent Handler?

A

By creating Agent Handler groups. Agent Handlers in a group are inserted into the SiteList.xml file at the same priority order

You can also use a 3rd party handler

40
Q

Generally speaking, when is an agent handler a better idea than another ePO server?

A

  • The existing ePO infrastructure needs to be expanded to handle more agents, more products, or a higher load due to more frequent ASCI communication.
  • The customer wants to ensure agents continue to dial in and receive policy/task/product updates even if the application server is unavailable.
  • The customer wants to expand ePO management into disconnected network segments, where there is still a relatively high bandwidth link to the ePO database.

41
Q

Is any data sent from the Agent Handler to the ePO server itself, rather than the database?

A

Yes, with the Data Channel. It is a mechanism for McAfee products to exchange messages between their endpoint plugins and their management extensions. This will be the majority of data sent from the Agent Handler to the application server.

42
Q

Is communication between the Agent and the Agent handler encrypted?

A

Yes. All traffic between Agents and the Handler is signed and verified with public/private DSA key pairs for authenticity. Agents prior to 4.5 use the legacy 3DES encryption for channel encryption. McAfee Agent 4.5 and later use TLS by default.

43
Q

Generally, when is it time to consider a remote agent handler for scalability purposes?

A

Agent Handlers for scalability are not required until a deployment reaches 100K nodes.

However, Agent Handlers for topology or failover may be required at any stage

44
Q

How many Agents can a remote agent handler support, generally speaking?

A

50,000 per AH

45
Q

T/F: It is fine to install agent handlers in remote locations?

A

False. Install additional Agent Handlers in the same data center as the SQL Server. Do not install Agent Handlers in remote locations or you risk impacting the performance of the entire McAfee ePO environment.

46
Q

T/F: A customer wants to expand ePO management to a disconnected network segment. This particular network segment has limited and irregular connectivity to the current ePO database. Considering this information, an Agent Handler would be a good solution to this problem.

A

False, an Agent Handler requires a reliable, high speed, low latency connection to the ePO database. It would not be the appropriate response in this situation.

47
Q

What is the difference between horizontal scalability and vertical scalability?

A

Horizontal Scalability - Increasing the size of the environment that one ePO server can manage. Accomplished by adding Agent Handlers, all sharing the same database

Vertical Scalability - Adding and upgrading to bigger, faster hardware to manage larger and larger environments. Accomplished by upgrading your server hardware and installing McAfee ePO on multiple servers throughout your network, each with its own database

48
Q

How much bandwidth is used for communication between the database and the agent handler?

A

Varies based on the number of agents connecting to the agent handler. (Each Agent Handler places a fixed load on the database server)

49
Q

What is the fixed load placed on the Database Server by each Agent Handler?

A
  • its Heartbeat (updated every minute)
  • Checking the work queue (every 10 seconds)
  • Pool of database connections held open to the database (2xCPU for EventParser + 4xCPU for Apache)
50
Q

In what version of ePO were Agent Handlers introduced?

A

4.5

51
Q

How many concurrent connections is one Agent Handler capable of?

A

245