offbyone received kudos from Mirek S. in Management protocol + reverse proxy
We have successfully implemented haproxy in front of ESMC in a test environment.
Our first attempt to run in http mode failed, as we found that ESMC agent does not seem to send back valid HTTP responses which comply with HTTP standards.
But we further found that this is not a problem with what we want to achieve (checking validity of the client cert on the reverse proxy side), as TLS bridging with haproxy also works in TCP mode.
Following is the relevant part of the haproxy config:

    frontend esmcAgentFE
        mode tcp
        option tcplog
        bind *:2222 ssl crt /etc/haproxy/ssl/crt/esmcServer.pem verify required ca-file /etc/haproxy/ssl/ca/esmcCA.pem
        default_backend esmcAgentBE

    backend esmcAgentBE
        mode tcp
        default-server ssl
        default-server ca-file /etc/haproxy/ssl/ca/esmcCA.pem
        default-server crt /etc/haproxy/ssl/crt/esmcAgent.pem
        server default esmc.mydomain.com:2222

Cheers
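Added example, not part of the original post and not ESET or HAProxy tooling: a small Python check that reads an haproxy config like the one above and reports any TLS `bind` that does not demand a client certificate, or any TLS `server` that does not verify the backend. The function name `audit_mtls` and the weakened variant are constructed for illustration, and the parser only handles the directives used in this config.

```python
SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

def _opt(opts, key):
    """Return the value that follows `key` in an option list, or None."""
    return opts[opts.index(key) + 1] if key in opts[:-1] else None

def audit_mtls(config_text):
    """List binds and servers that use TLS without checking the peer certificate."""
    findings, section, defaults = [], "", []
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            section, defaults = " ".join(words[:2]), []
        elif words[0] == "bind" and "ssl" in words[2:]:
            opts = words[2:]
            # A bind line only demands a client certificate with "verify required".
            if _opt(opts, "verify") != "required" or _opt(opts, "ca-file") is None:
                findings.append(f"{section}: bind {words[1]} accepts clients without a verified certificate")
        elif words[0] == "default-server":
            defaults += words[1:]
        elif words[0] == "server" and len(words) >= 3:
            opts = words[3:] + defaults  # per-server options are looked up first
            if "ssl" in opts and (_opt(opts, "verify") == "none" or _opt(opts, "ca-file") is None):
                findings.append(f"{section}: server {words[1]} does not verify the backend certificate")
    return findings

# Config from the post above.
POSTED = """
frontend esmcAgentFE
    mode tcp
    option tcplog
    bind *:2222 ssl crt /etc/haproxy/ssl/crt/esmcServer.pem verify required ca-file /etc/haproxy/ssl/ca/esmcCA.pem
    default_backend esmcAgentBE
backend esmcAgentBE
    mode tcp
    default-server ssl
    default-server ca-file /etc/haproxy/ssl/ca/esmcCA.pem
    default-server crt /etc/haproxy/ssl/crt/esmcAgent.pem
    server default esmc.mydomain.com:2222
"""
# Constructed variant with both checks weakened, for comparison.
WEAK = POSTED.replace(" verify required", " verify optional").replace(
    "default-server ca-file /etc/haproxy/ssl/ca/esmcCA.pem", "default-server verify none")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("weak", WEAK)):
        print(name, audit_mtls(cfg) or "OK")
```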
offbyone received kudos from Mirek S. in Regex for Dynamic Group not working
I think so.
To be sure, I made the last change yesterday evening and had a look at the results today. Group was still empty. Then I changed from "regex" to "has prefix" and 10 minutes later I saw the first computer appearing in the group.
offbyone gave kudos to MartinK in Management protocol + reverse proxy
As the AGENT->ESMC protocol currently uses gRPC on the application layer (not guaranteed for the future), there are many small projects and proxies that can be used for routing, but in terms of security, the most reliable solution might be standard TLS termination and forwarding of requests on the TCP layer, i.e. without interpreting the data and requests themselves. This is supported by most of the commonly used proxies, as mentioned previously. It would just require some basic "magic" with certificates. In this configuration, the proxy should be just "repacking" TCP traffic from one TLS channel to another, instead of interpreting it + it is possible to configure proxies to be transparent for AGENTs. This kind of configuration is very often used for load balancing.
Your case would probably be best matched by something like TLS pass-through with additional client certificate checks, but it is probably not supported by common proxies. I think it is not possible to validate the client certificate before the connection to the backend service (ESMC in this case) is opened, so it would somehow reduce security benefits.
offbyone gave kudos to MichalJ in Trigger on static group
I have been able to reproduce the behavior. It seems to me to be a bug, so I will report it to our QA / DEV teams that a confusing description is displayed for the group, as indeed it shows "dynamic group" even when "static group" is set as target.
It only shows like that when you try to "edit trigger".
offbyone gave kudos to Marcos in Future changes to ESET Security Management Center / ESET Remote Administrator
This is not true. It makes good sense to have both static and dynamic groups and users use both a lot. Unlike static groups dynamic groups are evaluated by agent on clients. For instance, with static groups only, it would not be possible to change the membership and run specific tasks on clients if they were not reporting to ESMC (e.g. roaming clients) and an unhandled threat would be detected.
offbyone gave kudos to Tim Jones in Future changes to ESET Security Management Center / ESET Remote Administrator
Description: Example REST API usage with Perl / Python
Detail: An example document on how to use the API with Perl would be helpful you have one using C however I would just like to create a few script based calls to it using Perl for use with Nagios and other systems I have to integrate further with our other tools.
Description: Failure Details inside Web Interface,
Detail: Most of the time when a task fails it provides hardly any details why I need to follow the rabbit hole to the trace log,
Description: Slackware Linux Support /+ Native x64 support without 32 bit libs
Detail: I run 100s of Slackware Servers and have gone away from multilib etc, Also activate product from Remote Administrator rather than having to download an offline license for them
Description: Use Latest option for software install
Detail: Software install of ESET use latest option would be helpful eg tick a box and policy would always use the latest version available of eg Endpoint Antivirus when running the task
Description: From Dashboard take filters and generate a Dynamic Group / Action
Detail: I forever have out of date machines on the dashboard and have to copy the filters down and go and create a dynamic group from them to trigger an upgrade. Can a button be incorporated (where you have generate CSV / PDF etc.) to say generate dynamic group please
offbyone received kudos from Craig Cram in regular update of Endpoint Antivirus 7.3.2032 does not work
Anything new on this one.
I was hit by the same problem.
offbyone gave kudos to Marcos in Signature and Module Updates
Automatic updates are ensured via the regular automatic update task in scheduler. You can control how often the task will run. By default it's 60 min. but it's also possible to shorten it to 10 min. if I remember correctly. The "more frequent updates" settings refers to streamed updates that are downloaded every few minutes.
offbyone gave kudos to Marcos in ESMC Auto Upgrade
ESMC is a complex mission-critical product and it's important for administrators that it runs reliably all the time. Upgrade should be performed after backing up the database and at the time when administrators can afford to solve possible issues should something go haywire during upgrade. Likewise administrators do not let server systems upgrade automatically and immediately after the OS maker releases updates not addressing critical vulnerabilities.
offbyone received kudos from santoso in Disable EPNS
There is a permanent connection held open to a host outside the corporate network from every client for triggering actions on that client. This is something not being tolerated and I really can understand that point of view. This is even more senseless if your clients are on the same network segment as ESMC server. This should be configurable similar to cloud based feature. It seems that customer will choose a different product for this reason.