Agent-to-server communication is supported over NAT, but agent wake-up calls do not work over NAT.
Recommendations:
- To manage the external clients, install an ePO Server or Agent Handler in the DMZ
- To manage only the internal network clients, install an ePO Server or Agent Handler in the internal network.
Make sure that the following ports are opened on the firewall. These ports allow agent communication to the ePO server in the DMZ for the internal and external clients:
- 443/80 (for the external clients only; incoming connections to ePO/Agent Handlers) – agent-to-server port (listed as ServerHttpPort in the EPOServerInfo table for ePO)
IMPORTANT: You can open port 443/80 on the firewall so that incoming connections to ePO or Agent Handlers are accepted from the external network only. This arrangement allows only the external clients to communicate with the ePO Server or Agent Handlers in the DMZ. This change is not a major network security concern: the internal network remains locked down and does not receive communications from external clients on this port.
For Trellix Agent 5.x, incoming connections to ePO/Agent Handlers occur on port 443 only in the DMZ.
Other ports in use:
- 8443 (open from the internal network to the DMZ, if using Rogue System Detection): Console-to-Application Server communication port (listed as RmdSecureHttpPort in the EPOServerInfo table for ePO).
- 8444 (open from the internal network to the DMZ, if using Rogue System Detection): Sensor-to-Server communication port (listed as SensorSecureHttpPort in the EPOServerInfo table for ePO).
- 8801 (open from the internal network to the DMZ, if using the Advanced Research Center threats download functionality): Security Threats HTTP port (listed as AVERTAlertsPort in the EPOAvertSettings table for ePO).
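The port list above and the IMPORTANT note together define a small firewall policy: external clients reach the DMZ on the agent-to-server port only, the internal network opens the RSD and threat-download ports toward the DMZ only when those features are in use, and nothing from the external side reaches the internal network. The following script is an added example (not Trellix code) that encodes that policy, renders it as an nftables forward chain, and audits a set of observed flows against it. The zone names ("external", "internal", "dmz"), the assumption that firewall interface names match zone names, the feature flags and the sample flows are all constructed for the example; the port numbers and their purposes are the ones listed on this page.

```python
"""Firewall policy model for an ePO Server / Agent Handler placed in the DMZ.

Added example, not Trellix code. Zone names, interface names, feature flags
and the sample flows are assumptions; port numbers come from the KB text.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports named in the KB article (destination is always the DMZ ePO/Agent Handler).
AGENT_TO_SERVER_PORTS = (443, 80)   # ServerHttpPort; Trellix Agent 5.x uses 443 only
RSD_CONSOLE_PORT = 8443             # RmdSecureHttpPort (Rogue System Detection)
RSD_SENSOR_PORT = 8444              # SensorSecureHttpPort (Rogue System Detection)
AVERT_ALERTS_PORT = 8801            # AVERTAlertsPort (Advanced Research Center threats download)


@dataclass(frozen=True)
class Flow:
    src_zone: str   # assumed zone names: "external", "internal", "dmz"
    dst_zone: str
    dport: int      # TCP destination port


def build_policy(rsd_enabled: bool, threat_download_enabled: bool) -> set[Flow]:
    """Return the set of new-connection flows the firewall should accept.

    Everything not in the returned set is dropped by the default policy, which
    is what keeps external clients from ever reaching the internal network.
    """
    allowed: set[Flow] = set()
    # External (NAT'd) agents talk to ePO/Agent Handler in the DMZ on 443/80 only.
    for port in AGENT_TO_SERVER_PORTS:
        allowed.add(Flow("external", "dmz", port))
    # Internal-network ports toward the DMZ are opened only when the feature is used.
    if rsd_enabled:
        allowed.add(Flow("internal", "dmz", RSD_CONSOLE_PORT))
        allowed.add(Flow("internal", "dmz", RSD_SENSOR_PORT))
    if threat_download_enabled:
        allowed.add(Flow("internal", "dmz", AVERT_ALERTS_PORT))
    # Note: the KB lists 443/80 for external clients only, so internal agents are
    # not granted the agent-to-server port here; add Flow("internal", "dmz", 443)
    # if internal agents are also pointed at the DMZ Agent Handler.
    return allowed


def is_allowed(policy: set[Flow], flow: Flow) -> bool:
    """True if a new connection matching `flow` is permitted by the policy."""
    return flow in policy


def to_nft_rules(policy: set[Flow]) -> str:
    """Render the policy as an nftables forward chain (interface name == zone name, assumed)."""
    lines = [
        "table inet epo_dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in sorted(policy, key=lambda f: (f.src_zone, f.dst_zone, f.dport)):
        lines.append(
            f'    iifname "{f.src_zone}" oifname "{f.dst_zone}" '
            f"tcp dport {f.dport} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def find_violations(policy: set[Flow], observed: list[Flow]) -> list[Flow]:
    """Audit helper: return observed new connections that the policy would not permit."""
    return [f for f in observed if not is_allowed(policy, f)]


# Constructed sample of observed flows, e.g. parsed from firewall connection logs.
SAMPLE_OBSERVED = [
    Flow("external", "dmz", 443),        # expected agent check-in
    Flow("internal", "dmz", 8443),       # RSD console traffic
    Flow("external", "internal", 443),   # must never be seen: external -> internal
    Flow("external", "dmz", 8801),       # threats port is internal-only
]

if __name__ == "__main__":
    policy = build_policy(rsd_enabled=True, threat_download_enabled=False)
    print(to_nft_rules(policy))
    for bad in find_violations(policy, SAMPLE_OBSERVED):
        print(f"VIOLATION: {bad.src_zone} -> {bad.dst_zone} tcp/{bad.dport}")
```

The default `policy drop` on the forward chain is what enforces the IMPORTANT note: opening 443/80 toward the DMZ does not create any path from external clients into the internal network, and the audit function makes that property checkable against real connection logs rather than assumed.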