Additional network for backup and antivirus for all 800xA machines to avoid network traffic in CSA/CSB

Having Dedicated network for all 800xA machines additional network for backup and anti-virus .
Since the 800XA domain need to listen to only 172,16.x/172.17.x series , facing issue with Mcafee and Acronis server reaching node.

Mcafee and acronis traffic is dedicated to new separate network 192.168.x , same network is added on top of the Client/Server network.
Macfee is not able to communicate to all nodes even if its is able to ping the nodes , as soon as CSA/CSB network is removed mcAfee client starts updating to epo server ?

Epo server and Backup server is also connected to CSA and CSB

Comments (0) New comment

Rajeesh Mariyodan Rank: 52

Asked 1 year ago

Answer this question Follow

Answers

IMHO: multihomed computers (computers having more than one network adapter) has always been a risk when running Microsoft Windows. Especially if you configure more than one default gateway in the same computer.

Check if asymmetric routing triggers the McAfee client computer's firewall to discard the ePO responses, i.e. the McAfee client transmit on one LAN while the ePO server respond on a different. Such asymmetric traffic may become blocked by a stateful firewall (only responses on the same LAN as the request will be accepted). Studying the output of "C:\> route print" in both ends should be enough to spot the asymmetry, but you can always temporarily disable the firewall as a check or use an Ethernet analyzer (e.g. Wireshark, etc) to monitor the traffic. By default, traffic is sent on the "fastest" LAN if multiple choices are found.

Solution: modify the routing table (use -p parameter to make the change persist across reboot)

Comments (4) New comment

by Rajeesh Mariyodan Rank: 52 on 3/4/2019 1:11:50 AM | Like (0) | Report

We have not created any gateway in any of the network, all NIC cards are running without gateway.
We have put the Matric priority for NIC cards ( Windows 2016 and windows 10 are not sure its really work ).
--- Note : we have added CSA/CSB also in the management servers (Like Epo, Syslog Server, Hivision and ASM (ACRONIS) )

We have changed the configuration of Matric priority to 1 to management network , that also did not help. Final observation is once we disable CSA and CSB it starts updating the Agent (Mcafee). We have not faced major issues with Acronis only issue was some nodes was not reporting to AMS server ( after few restarts if came back).

by erik AKS expert

Rank: 29 on 3/4/2019 1:14:27 AM | Like (0) | Report

More than one default gateway will allways lead to confusion. In most of our sites we have a dedicated "Managment LAN" for ePO and such things. It work well as long as you have only one path to the ePO. This should work without extra routing, but perhaps it will help in your case.
/Erik

by Stefan Stromqvist AKS expert

Rank: 1 on 3/4/2019 1:21:20 AM | Like (0) | Report

Client/Server network where the domain controllers are located should have best Metric. This is automatically set by RNRP if Client/Server area has lowest Area number.

Sounds like a problem isolated to McAfee - try contacting their support, or read their KBs and FAQs on the Internet.

Try different methods to resolve the ePO server (AFAIK, the ePO server must also be able to resolve the clients; I suspect on the *same* LAN as the client addresses the ePO server = symmetric)
a) DNS A record
b) hosts files entry
c) ...

by Rajeesh Mariyodan Rank: 52 on 3/4/2019 2:07:41 AM | Like (0) | Report

Erik :
Epo is integrated to Domain as it required domain authentication as well , since the epo server is also part of domain . Thats the reason we have CSA/CSB also in the Epo servers.
If we keep only management server can we authenticate to Domain (Domain server also have management network) , but we have set the DNS to listen only on the 172.16 series (as per 800xa recommendation).

Stefan Stromqvist :
McAfee case already created , Acronis also created ->

We have added the machine details to host file - in epo server but did not help much.
Solution works for us was removing the CSA/CSB network from the Epo server .
Note: We have not installed any 800XA software ( we did deploy this node as generic node) so no RNRP is running in this server

One more strange point we have notices :
Management switch we have bought L3 switch(No L3 functions are used) , during initial trouble shooting - engineers have disconnected management server and one client from L3 switch to temporary L2 switch they have notices the Epo server communication was happening ( LE Switch model GRS1042 Hirschman).

Add new comment

Stefan Stromqvist AKS expert

Rank: 1

Answered 1 year ago

Question details

Additional network for backup and antivirus for all 800xA machines to avoid network traffic in CSA/CSB

Answers

Other questions needing answers

Related topics

AKS experts