michalp
-
Posts
87 -
Joined
-
Last visited
-
Days Won
1
Posts posted by michalp
-
-
Where do you get that error? Where is it located? Are you able to login to the webconsole after deploy?
-
I have just tried similar scenario and it worked as you would expect. Are you sure that you did not somehow assign the task to all computers - group All? Or you have some other task that is scheduled? Or you have multiple targets set to the task?
-
You need to connect to your ERA Server Appliance either through SSH as 'root' or directly on appliance enter terminal by entering Management Mode and then Exit Console. Then type 'nano /etc/krb5.conf'. Then edit the file to look similar to this:
[libdefaults] default_realm = DOMAIN1.LOCAL ticket_lifetime = 24h forwardable = yes [realms] DOMAIN1.LOCAL = { kdc = dc.domain1.local } DOMAIN2.LOCAL = { kdc = dc.domain2.local } [domain_realm] .domain1.local = DOMAIN1.LOCAL .domain2.local = DOMAIN2.LOCALAfter you save Kerberos configuration, issue this command 'kdestroy' to clear any already issued tickets.
Then go to the Server tasks section in ERA web console and create synchronisation task. This task will do a synchronisation with the other domain controller, so SERVER field will point to 'dc.domain2.local', LOGIN will be set to 'Administrator@DOMAIN2.LOCAL' and PASSWORD will be set to correct password. It is important to specify the user with the domain as he is not from default realm (DOMAIN1.LOCAL). The click Browse button to verify that you can connect. If you will need to perform synchronisation from different domain then you will need to call 'kdestroy' command again.
I just tried these steps and they worked.
-
ERA 6.2 will have new server task that will batch rename computers by their reported FQDN or Netbios name. By default this will be defined for Lost and Found group and executed each hour. Other new feature in synchronisation task will remove duplicated unmanaged computers (marked with circle) and replace them with managed computers (agent connects to ERA) if there are any present in ERA tree. Collision handling for computers would need to be set to Move. These new features should solve problems described here in this thread. What will still need to be done manually is removal of duplicated computers that are managed - both were connecting to ERA Server and their names are same.
-
ERA Agent is not crashing, but it is stopping because of missing peer certificate or bad password for that certificate. This can happen if policy for that agent was made and a certificate was not set or password was set incorrectly. Only option at this moment would be to repair installation and set correct certificates.
-
One installation package (live installer) for Agent and EES/EEA can not be created by ERA itself at the moment, but it can be created manually - please see: https://forum.eset.com/topic/4112-creating-install-package-in-era6/#entry25872
-
To support multiple domains in one ERA Server Appliance, just edit /etc/krb5.conf and add additional domains to it. It should be straightforward.
I am not sure why synchronisation stops working, there should be exact error in server trace log regarding synchronisation at: /var/log/eset/RemoteAdministrator/Server/trace.log
For configuring proxy policies, please see hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3637, part II. Part I, can be skipped as HTTP caching proxy is included in the appliance, but needs to be enabled during deployment.
To improve virtual machines performance during scanning there is ESET Shared Local Cache. Virtual machines protection by single appliance for each VM host instead of each machine is still in the works.
-
1. You will lose domain users authentication and synchronisation with Active Directory. By entering just 'Windows Domain' and 'Windows Domain Controller' you will still be able to perform synchronisation with AD.
2. Appliance only supports one domain controller. Extra CNAME entry for specific domain controller should be created.
3. It is not necessary. If not present, then it will be automatically derived from domain as first token from domain, e.g.: 'my.domain.com' then derived workgroup will be 'MY'. Some customers have different workgroup (NetBIOS) names for their domains.
-
This is known problem on Windows 8.1. It will be addressed in hot-fix release that will be available soon. Unfortunately there is no workaround in the meantime.
-
Megachip is right. There is also firewall exception for ERA Agent.
-
I just tried to install EES (ESET Endpoint Security; version 6.1.2222.0 for windows (Microsoft Windows 8.1, 8, 7, Vista, XP), language en_US) with license included in one installation task. Only thing that was different from yours was that I used direct download from the repository. Installation and activation worked flawlessly - Yes, firewall will start working after installation but it will not stop activation process or ERA Agent communication with ERA Server.
This is how Executions for installation task looks:
2015 May 6 10:23:25 computer Security product Finished Task finished successfully 2015 May 6 10:23:20 computer Security product Running Task started 2015 May 6 10:23:19 computer ESET Remote Administrator Agent Starting Starting task 2015 May 6 10:21:58 computer Operating system Finished Task finished successfully 2015 May 6 10:21:58 computer ESET Remote Administrator Agent Starting Starting task 2015 May 6 10:20:34 computer Operating system Running Task started 2015 May 6 10:20:23 computer ESET Remote Administrator Agent Starting Starting task
Notice that there are two 'Task finished successfully' from Operating system (EES installation itself) and then Security product (activation). How does your Executions look like?
Are you using proxy? Did you configure it by policies? Could you please make sure that https://edf.eset.com/edf is accessible from a computer on which ESS will be installed. You can try access it with web browser, some XML file should be returned.
-
There is "Export Managed Products Configuration" client task that you can run on whole group if you want. You can also select that you want configuration from only Security Product (EES/EEA).
-
Network connection should be momentarily lost during installation of firewall component and after installation, incoming connections are blocked by firewall itself (default settings). By deploying ERA Agent you will be able to manage EES - perform activation, set policy to turn firewall off.
-
What version of EES/EEA is running on that specific computer? Because it seems that it is not the latest release.
-
To suppress any dialogs shown by EEA or EES after installation, you can use INSTALLED_BY_ERA=1 msi parameter.
-
4612 is very generic error "Can't download". Probably update servers were not fully accessible. Usually next update will succeed. Reporting of agent's update errors will be changed in the future.
-
PaDoX: In your case Agent is not able to download updates repeatedly. From the log it seems that there is problem with your proxy: Failed to connect to HTTP proxy server '193.87.32.48' (port: 3128).
jimwillsher: Update error is from the Agent itself, not a security product. Agent updates are done each 6 hours (see Agent configuration). In next release there will be change to report this error after second unsuccessful update attempt with exact error. Also you will be able to execute both updates in Agent and managed security product (EEA/EES) by Virus Signature Database Update task.
-
It is hard to say what is wrong. Winbind is very picky about its configuration. My experience is only with joining AD on domain controller and that requires:
1. DNS needs to be configured correctly.
2. Time needs to be synchronised with domain controller.
3. Kerberos needs to be configured.
4. Samba needs to be configured.
5. Domain join is necessary.
All these steps are done automatically in ERA Server Appliance. If you want, you can deploy it as a test in VirtualBox (or VMWare Player) and go through manual installation. Afterwards you can look at created configuration files. There is also '/root/help-with-domain.txt' file that in more details explains all steps.
-
What does server trace log say? There should be error about synchronisation.
If you are running ERA on Linux, then try 'kinit <username-without-domain>' from terminal to see if you are able to obtain kerberos ticket from a domain controller. If this works, then use same credentials in the synchronisation task.
-
During first Agent connection only remote IP address is available and it is translated (if possible) to computer name. This of course will not work in your scenario.
There are requests to change this behaviour and it will be eventually changed in the future as it is already tracked as an issue. Only option right now is to rename them manually (or to craft some SQL update that will do that directly in DB, but be careful).
-
The cryptic error line "* Error details: std::exception" will be fixed in next release, so it will be possible to determine exactly what is not working in this specific case.
-
Unfortunately there is no regex operator or 'OR' operator or condition negation operator that would allow you to do simple exclusion in reports.
In your example case I can only suggest to use 'Static group . Static group parent hierarchy' symbol that can be used to select whole subtree recursively. But that will require to have computers structured in a way that are suitable for the report you want.
-
On CentOS (or any Linux), Domain Mapped Groups will only work through Winbind. LDAP auth can only be used with static group synchronisation.
ERA uses 'wbinfo' and 'ntlm_auth' commands to communicate with Winbind daemon and do the authentication. If you are able to configure Winbind to use LDAP, then it will work.
-
Before changing anything, please export all certificates (both peer certificates and certification authorities) so you will be able to repair your installation if something goes wrong.
To create new server certificate, just follow wizard (Certificates -> Peer Certificates -> New) and fill in all fields that are necessary and sign this certificate by certification authority that was created during installation. To set new certificate, please go to Server Settings -> Connection and select newly signed certificate. Be careful and select correct server certificate and set correct password before hitting Save as there is bug that will not validate whether you have selected any certificate and entered correct password. After restart new certificate will be used by server. As it was signed by install-time certification authority, agents will trust it immediately.
Active Directory authentication broken
in ESET PROTECT On-prem (Remote Management)
Posted
Could you please try to rejoin domain:
I am curious why synchronisation stopped working as it does not require joined domain. When you call 'kdestroy' command in terminal and try to run synchronisation again, what is the last error in server trace log?