Timos
Former ESET Employees-
Everything posted by Timos
-
Exposing Tomcat to the internet
Timos replied to jimwillsher's topic in ESET PROTECT On-prem (Remote Management)
There should be no problems when 6.5 comes out. These versions are compatible. You can check it also in future versions: hxxp://support.eset.com/kb3690/ -
Exposing Tomcat to the internet
Timos replied to jimwillsher's topic in ESET PROTECT On-prem (Remote Management)
I recommend this:

Short version:
1. Backup your tomcat installation or whole machine
2. Uninstall tomcat/webconsole
3. Install tomcat/webconsole using Setup.exe
4. Apply again the custom changes you made in tomcat earlier (SSL cert, ...)

Long version:
1. Use Setup.exe (the version matching your server, 6.4 in your case) to uninstall webconsole/tomcat.
2. Tomcat uninstaller will ask you if you want to delete webapps directory, accept it.
3. Run Setup.exe again.
4. Setup.exe now lets you install webconsole/tomcat only. Tomcat is now hardened by Setup.exe: self-signed ssl cert, sslProtocol, ...
5. Tomcat is up and running now. Try to log in to webconsole, it should work.
6. You have to apply your custom changes, your custom ssl cert. You know better what your changes were.

If you did not apply custom changes to tomcat/webconsole, you can skip step 6, and it is easy. I use this quite a lot when testing ERA, you shouldn't get into any big trouble.
-
Exposing Tomcat to the internet
Timos replied to jimwillsher's topic in ESET PROTECT On-prem (Remote Management)
Releases of ERA always contain the newest Tomcat 7, but the upgrade task applies only to webconsole, not to Tomcat. Your 7.0.55 is from your first installation.

For more security I recommend using another machine which will serve only webconsole:
1. You have installed ERA Server on machine A.
2. Install webconsole+tomcat on some machine B with the all-in-one installer. (Possible if you run Setup.exe from the command line with parameters: Setup.exe --mode webconsole). Before install, you can substitute the tomcat installer with a newer version of Tomcat 7. You must use the all-in-one installer with the same version as the server, because otherwise webconsole and server wouldn't work together.
3. Set up tomcat to your needs (you mentioned ssl cert).
4. Set up webconsole to connect to ERA Server on machine A. It is possible by configuration file located in C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config\EraWebServerConfig.properties (default: localhost 2223). For more security, you can set here the public key of the ERA Cert Authority which signed the server certificate. Webconsole would then connect only to servers which authenticate by certificates signed with this CA.
5. Set firewall to allow tcp connections from machine B to machine A on incoming port 2223.

Advantages are:
- Only machine B with tomcat/webconsole is exposed on the internet. If someone attacks it, there is less chance they will get to the ERA database, where all data are stored. Machine A still exposes to the internet only port 2222, where agents connect.
- You do not have to backup machine A when setting this up. All of the setup is performed on machine B.
-
I think it requires SQL Server 2008 R2. If it's possible I'd recommend you install SQL Server 2014. Follow the instructions: hxxp://support.eset.com/kb3671/
Be careful if you are installing 2 different versions on the same machine: https://msdn.microsoft.com/en-us/library/ms143694.aspx
You should be careful, another SQL Server can interfere with applications already using the 2008 SQL Server. Backup your data before major changes like this. I recommend you install on some clean system, Setup.exe will install SQL Server without user interaction and set it up for ERA packages.
-
Hi vanroy, because of a limitation of the Microsoft SQL Server 2014 Installer, it is unable to install from a folder path with special characters (characters wider than 16 bits). To resolve your problem, please copy the contents of the ESET All in one installer (Setup.exe and files in the same directory) to some folder path with simple characters (for example C:\EsetInstaller\) and run Setup.exe from there.
-
Web console cannot open
Timos replied to jinlei801011's topic in ESET PROTECT On-prem (Remote Management)
If the above doesn't help:
1. Start notepad (or whatever text editor you are using) As Administrator and open server.xml
2. There should be a line with <Connector and port="8080", change that port to something else, for example port="9080"
3. Webconsole should be accessible on https://localhost:9080/era
-
Web console cannot open
Timos replied to jinlei801011's topic in ESET PROTECT On-prem (Remote Management)
Please try to access webconsole on hxxp://localhost:8080/era -
How to upgrade era6.1.444 to 6.3
Timos replied to jinlei801011's topic in ESET PROTECT On-prem (Remote Management)
Better solution for step 5 is:
1. Rename era.war to era.zip.
2. Rename "era" in webapps to "era_backup".
3. Extract era.zip into "era" in webapps.

Why? If Apache Tomcat is installed by the All in one installer (Setup.exe), Tomcat runs as network service, so it cannot write to disk, thus it cannot extract the era.war package into webapps.
-
Agent command line to change certificate?
Timos replied to GreenEnvy22's topic in ESET PROTECT On-prem (Remote Management)
Importing CA that signed Agent certificates into the Trusted Root Certificates on server machine should work. Server will accept these certificates. (It must be in Computer account, not My User nor Service account) BUT, agents will still reject server certificate unless they have CA that signed Server certificate. If they get this CA in installation, they should accept Server certificate. -
Error 65535 during setup
Timos replied to Luminai's topic in ESET PROTECT On-prem (Remote Management)
Ensure SQL Server is listening on port 1433. If it did not help, try using database type "MS SQL Server via Windows Authentication" on port 1433 instead of "MS SQL Server" -
Everything you need can be set in the server's Generate Report task.
- How can I get report by date interval / monthly: Set trigger in task.
- How can I export/save the report: Select Save to file or Send email.
- How can I export Client list as HTML/TXT/CSV: Set this setting in task, choices are PDF, Postscript or csv.

We also have a help page for reports: hxxp://help.eset.com/era/6/en-US/index.html?reports.htm
-
This will be fixed in the new version. Apache HTTP Proxy will be installed, but configured for access to ESET servers only.
-
This works only on first install, names of objects in the database will be set according to the locale setting.
Correct usage: --locale=xx_YY
Here is the list: sk_SK, ar_EG, zh_CN, zh_TW, de_DE, en_US, es_CL, es_ES, fr_FR, fr_CA, hr_HR, it_IT, ja_JP, ko_KR, pl_PL, pt_BR, ru_RU, cs_CZ
-
Login failed (communication error)
Timos replied to Megachip's topic in ESET PROTECT On-prem (Remote Management)
Check ERA Server is running. Check if it is listening on port 2223. Try to open this port with telnet. Look at the server's trace.log after an unsuccessful login, there could be more info about what is wrong. -
Looks like ERAS v5 is still installed on machine. If true, follow this KB to upgrade from v5 to v6 hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3607
-
Remote Admin 6 on a Linux 12.04 virtual machine
Timos replied to GeorgeC's topic in ESET PROTECT On-prem (Remote Management)
Linux logs are located here:
/var/log/eset/RemoteAdministrator/Agent/status.html
/var/log/eset/RemoteAdministrator/Agent/trace.log
-
I think there are 2 instances running on port 1433, and they cannot both run on the same port. Try to set the ERA sql instance port to something other than 1433. Use SQL Server Configuration Manager for this, it should be installed with sql server. In the next version of ERA, Setup.exe will install the "ERA" instance for you, running on port 14222. Until then, you must install sql server manually.
-
ERA v6 Webconsole SSL Certificate
Timos replied to zhopkins's topic in ESET PROTECT On-prem (Remote Management)
In fact, you do not need to use openssl. Java keytool should be enough. hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3724
Following step 1 and 5 lets you generate a self-signed certificate with your values and set tomcat's server xml to use the generated keystore.

Create a keystore with an SSL certificate. You must have Java JRE installed, and it is preferable that you are running the latest version, because it includes the Java Keytool (keytool.exe), which allows you to create the certificate via command line. You need to generate a new certificate for each tomcat instance (in case you have multiple tomcat instances) to ensure that, if one certificate is compromised, other tomcat instances will remain secure. Below is an example command that creates a keystore with an SSL certificate (to perform this step, navigate to exact location of keytool.exe file, for example C:\Program Files (x86)\Java\jre1.8.0_40\bin>, and then run the command):

    keytool.exe -genkey -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

Edit the server.xml configuration file so that tag is written similar to the example below:

    <Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" keystorePass="yourpassword" keyAlias="tomcat"/>
-
ERA6 and SQL server authentication
Timos replied to antoineL's topic in ESET PROTECT On-prem (Remote Management)
Installing a new database instance for ERA should be best for you. Of course you can install in any instance, if you want. In this instance you can install databases for Server, Proxy, and Mobile Connector. Installers need the "sa" login for installing databases and each installer creates a user and password, which will access its own product database.
1. Database should be accessible on an opened tcp port, this is why "mixed mode" is a "must".
2. Windows Authentication is optional, but it is used only in installation. It is for users who do not know the password for the "sa" user.
3. Both are valid, it is the same as Server. For a small network, there is no need for Proxy, and it can be installed later if needed.
4. Same as (3)
5. None of these use a database connection.

If Windows Authentication is used for install, you do not have to create an administrator user, you do not even need to know the "sa" user password in this case. Other logins are created by installers.