Chris A

Because I don't understand the way certificates work in ESET, I was thinking I need to purchase a public valid certificate for the web interface. For now, the webconsole always shows an invalid self-signed certificate, but it looks like the ESET Agent adds the ESET server's CA as a trusted CA (if I understand this correctly) so once the agent is successfully installed, future updates should work fine from off-network, and I can safely ignore the "invalid certificate" errors in my web browser. Does that sound accurate to you? Is it possible for me to install a public valid cert for the webconsole, or would that just introduce more problems than it causes?

Wow, that was EASY! Thanks, I'll be doing this for all the individual machines we installed on before we had our management server up. It also made upgrading the agent software quick and easy. Thanks again.

We deployed the standalone client to a few servers and workstations before setting up ESET protect. Now that we have ESET protect up and running, I would like to move those existing clients to our server (they are using the same license keys being managed by Protect). Is there a good way to do this, or do I need to fully uinstall and re-deploy from a live installer or similar?

Thanks @MartinK for those details! When the initial NAT policy didn't work I started adding all of the ports I found on a diagram in case they were related. I'll drop the other ones off as I don't want more open than necessary. The certificate being used is currently invalid, if that is critical for connection from outside network then I'll absolutely change it. I just thought since it is working for on-network machines I wouldn't need to get that working yet (we're still in implementation and only have a handful of test computers connected). @Lio We aren't deploying over AD, although half our computers are AD joined (the other half are Macs that authenticate against Azure AD, but aren't officially "joined" to anything). The remote PC I'm testing is Azure AD joined and not local AD joined, and I have rebooted several times. To be honest, I don't see anywhere that my server name is established, so I wonder if changing the certificate for the server will redirect things? My policy already points them to the FQDN I am using, but the certificate is the generic "server" certificate without a proper FQDN. If I swap certs, will I need to manually update each client or will the ones on-LAN get an update? (not a huge deal either way since we only have a few computers so far)

I'm forwarding the following ports from the WAN to our ESET Protect server: TCP: 80, 443, 3128, 2221, 2222, 2223, 8883 UDP: 88, 8883 I can easily browse the ESET Server from external networks, but remote agents are not connecting to the ESET server, and I'm not able to push out profile updates. My live installer does use the FQDN for our server which is forwarded to the ESET Protect server and accessible from off-network. Do I need to do something else in ESET Protect to make it possible to manage clients that aren't on the same network as the Protect server?