An AC Agent performs an immediate local disk scan after it is deployed to an endpoint. In environments with limited network bandwidth, installing the AC agent on a large number of endpoints can generate heavy traffic if all agents send their Inventory DB to the server and submit application events at once. In TMEAC, it is ideal to allow only a small group of endpoints to connect to the server, to avoid overloading the network, especially during the initial phase of agent deployment.
You can temporarily prevent agent registration to avoid the initial Inventory Scan when you install the agent component on the endpoints. This is possible by employing an IP/Domain Restriction or Access Control List (ACL) policy that denies TMEAC-specific traffic from different network segments. This gives the administrator full control over which network segments are allowed to register agents at a given time, and lets the current group of agents finish sending their Inventory DB to the server and download the applicable policy before TMEAC traffic is enabled for other segments.
The following is an example of an IP-based restriction policy configuration via Microsoft IIS:
- On the EAC Server, install the IP and Domain Restriction features in IIS.
- Open IIS and go to Sites > EndpointApplicationControl.
- Click IP Address and Domain Restrictions.
- Right-click in the IP Address and Domain Restrictions window and select Add Deny Restriction Rule.
- In the Add Deny Restriction Rule window, select either Specific IP Address or IP address range.
- Type the IPv4 addresses in the field.
If both the server and endpoint computers are IPv6-enabled, the AC Agent uses IPv6 to connect to the AC Server. Therefore, to deny this traffic in IIS, you need to specify the IPv6 address in the configuration file (applicationHost.config). For more information, refer to the following IIS blog: Using IPv6 with IIS7.
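The same deny rules can be scripted so that network segments are released one wave at a time. The PowerShell below is an added example, not code from the vendor; the wave names and address ranges are constructed placeholders, and it covers IPv4 segments only.

```powershell
# Added example: staged AC agent registration with IIS IP restrictions (IPv4 only).
# Run elevated on the EAC server after the IP and Domain Restrictions feature
# is installed (role service Web-IP-Security on Windows Server).
Import-Module WebAdministration

$Site   = 'EndpointApplicationControl'            # site name from the steps above
$Filter = '/system.webServer/security/ipSecurity'

# Constructed sample segments; replace with your own network plan.
$Segments = @(
    @{ Name = 'Wave1'; Address = '10.10.1.0'; Mask = '255.255.255.0' }
    @{ Name = 'Wave2'; Address = '10.10.2.0'; Mask = '255.255.255.0' }
    @{ Name = 'Wave3'; Address = '10.10.3.0'; Mask = '255.255.255.0' }
)
# Segments whose agents may register now; every other listed segment is denied.
$AllowNow = @('Wave1')

# Clients outside the listed segments keep their access.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $Filter `
    -Name 'allowUnlisted' -Value $true

foreach ($s in $Segments) {
    $match    = "add[@ipAddress='$($s.Address)' and @subnetMask='$($s.Mask)']"
    $existing = Get-WebConfiguration -PSPath 'IIS:\' -Location $Site -Filter "$Filter/$match"

    if ($AllowNow -contains $s.Name) {
        # Release the segment: delete its deny entry if one is present.
        if ($existing) {
            Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $Filter `
                -Name '.' -AtElement @{ ipAddress = $s.Address; subnetMask = $s.Mask }
        }
        Write-Output "$($s.Name): allowed"
    }
    elseif (-not $existing) {
        # Hold the segment back: same effect as Add Deny Restriction Rule in the UI.
        Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $Filter `
            -Name '.' -Value @{ ipAddress = $s.Address; subnetMask = $s.Mask; allowed = 'false' }
        Write-Output "$($s.Name): deny rule added"
    }
    else {
        Write-Output "$($s.Name): deny rule already present"
    }
}
```

To open the next wave, add its name to `$AllowNow` and run the script again once the current group has finished uploading its Inventory DB and downloading policy.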
To set up a firewall Access Control List (ACL), refer to your router's manual or contact your firewall vendor for assistance.