[Exposing Tomcat to the internet]

 

Brilliant, thanks Timos. I've followed the steps, reinstalled my wildcard, and I'm up and running on 7.0.70.

 

This is how everything has ended up:

 

ESET Remote Administrator (Server), Version 6.4.295.0

ESET Remote Administrator (Web Console), Version 6.4.266.0

 

Does that look okay to you, insofar as I shouldn't expect any problems whenever 6.5 comes out?

 

Thanks again

 

 

 

Jim

 

There should be no problems when 6.5 comes out.

These versions are compatible. You can check it also in future versions: hxxp://support.eset.com/kb3690/

[Exposing Tomcat to the internet]

I recommend this: 

 

Short version:

1. Backup your tomcat installation or whole machine
2. Uninstall tomcat/webconsole
3. Install tomcat/webconsole using Setup.exe
4. Apply again your custom changes you did in tomcat earlier (SSL cert, ...)

Long version:

1. Use Setup.exe (according version to server, 6.4 in your case) to uninstall webconsole/tomcat. Tomcat uninstaller will ask you if you want to delete webapps directory, accept it.
2. Run Setup.exe again
3. Setup.exe now lets you to install webconsole/tomcat only.
4. Tomcat is now hardened by Setup.exe: selfsigned ssl cert, sslProtocol, ...
5. Tomcat is up and running now. Try to login into webconsole, it should work.
6. You have to apply your custom changes, your custom ssl cert. You know better what was your changes.

If you did not applied custom changes to tomcat/webconsole, you can skip step 6, and it is easy

I use this quite a lot when testing ERA, you shouldn't get in any big troubles.

[Exposing Tomcat to the internet]

Releases of ERA always contains newest Tomcat 7, but upgrade task applies only to webconsole, not to Tomcat. Your 7.0.55 is from your first installation.

 

 

For more security I recommend to use another machine which will serve only webconsole:

1. You have installed ERA Server on machine A.
2. Install webconsole+tomcat on some machine B with all-in-one installer. (Possible if you run Setup.exe from commandline with parameters: Setup.exe --mode webconsole). Before install, you can substitute tomcat installer with newer version of Tomcat 7. You must use all-in-installer with same version as the server is, because webconsole and server wouldn't work together.
3. Set up tomcat to your needs (you mentioned ssl cert).
4. Set up webconsole to connect to ERA Server on machine A. It is possible by configuration file located in C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config\EraWebServerConfig.properties (default: localhost 2223). For more security, you can set here public key of ERA Cert Authority which signed server certificate. Webconsole would then connect only to servers, which authenticates by certificates signed with this CA.
5. Set firewall to allow tcp connections from machine B to machine A on incoming port 2223.

Advantages are:

• On internet is exposed only machine B with tomcat/webconsole. If some attacks it, there is less chance, they will get to ERA database, where are all data are stored.
• Machine A still exposes to internet only port 2222, where agents connect.
• You do not have to backup machine A when setting this up. All of the setup is performed on machine B.

[Is possible activate / desactivate firewall by agent?]

You can create policy for Security Product with disabled firewall, and then assign it to clients or groups.

[Problem in installing/creating new instance for Microsoft SQL (ERA Installation)]

Googling for the error gave me this result hxxp://databasebestpractices.com/sql-server-configuration-manager-access-denied/

[Problem in installing/creating new instance for Microsoft SQL (ERA Installation)]

I think it requires SQL Server 2008 R2. If it's possible I'd recommend you to install SQL Server 2014. Follow the instructions hxxp://support.eset.com/kb3671/

 

Be careful. If you are installing 2 different versions on same machine: https://msdn.microsoft.com/en-us/library/ms143694.aspx

You should be careful, another SQL Server can interfere with applications already using the 2008 SQL Server. Backup your data before major changes like this.

 

I recommend you to install on some clean system, Setup.exe will install SQL Server without user interaction a and set it up for ERA packages.

[UCS characters wider than 16-bits are not supported]

Hi vanroy,

 

Because of limitation of Microsoft SQL Server 2014 Installer, it is unable to install it from folder path with special characters (the wider characters than 16 bits).

 

To resolve your problem, please copy contents of ESET All in one installer (Setup.exe and files in the same directory) to some folder path with simple characters (for example C:\EsetInstaller\) and run Setup.exe from there.

[Web console cannot open]

If above doesn't help:

 

1. Start notepad (or whatever text editor you are using) As Administrator and open server.xml

2. There should be line with <Connector  and port="8080", change that port to something else, for example port="9080"

3. Webconsole should be accessible on https://localhost:9080/era

[Web console cannot open]

Please try access webconsole on hxxp://localhost:8080/era

[How to upgrade era6.1.444 to 6.3]

5, Place era.war to the Tomcat folder.

 

 

Better solution for step 5 is:

Rename era.war to era.zip.

Rename "era" in webapps to "era_backup".

Extract era.zip in to "era" in webapps

 

Why?

If Apache Tomcat is installed by All in one installer (Setup.exe), Tomcat runs as network service, so it cannot write to disk, thus it cannot extract era.war package into webapps.

[Error on login via Remote administrator web console]

Try restart the services or machine. Try CTRL+F5 in browser. I have no other ideas for now.

[Agent command line to change certificate?]

Importing CA that signed Agent certificates into the Trusted Root Certificates on server machine should work. Server will accept these certificates. (It must be in Computer account, not My User nor Service account)

BUT, agents will still reject server certificate unless they have CA that signed Server certificate. If they get this CA in installation, they should accept Server certificate.

[Error 65535 during setup]

Ensure SQL Server is listening on port 1433.

 

If it did not help, try using database type "MS SQL Server via Windows Authentication" on port 1433 instead of "MS SQL Server"

[Reporting Style ERA 6]

Everything you need can be set in server's Generate Report task

 

- How can I get report by date interval / monthly

• Set trigger in task

- How can I export/save the report

• Select Save to file or Send email.

- How can I export Client list as HTML/TXT/CSV

• Set this setting in task, choices are PDF, Postscript or csv.

 

We have also help page for reports hxxp://help.eset.com/era/6/en-US/index.html?reports.htm

[Not happy with ERA 6]

This will be fixed in new version. Apache HTTP Proxy will be installed, but configured access to ESET servers only.

[--locale]

This works only on first install, name of objects in database will be set accordingly to locale setting.

 

Correct usage:

--locale=xx_YY

 

Here is the list:

sk_SK

ar_EG

zh_CN

zh_TW

de_DE

en_US

es_CL

es_ES

fr_FR

fr_CA

hr_HR

it_IT

ja_JP

ko_KR

pl_PL

pt_BR

ru_RU

cs_CZ

[Login failed (communication error)]

• Check ERA Server is running.

Check if it is listening on port 2223.

Try open this port with telnet.

Look at servers trace.log after unsuccessful login, there could be more info what is worng.

[Eset RAS setup]

Looks like ERAS v5 is still installed on machine. If true, follow this KB to upgrade from v5 to v6 hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3607

[Remote Admin 6 on a Linux 12.04 virtual machine]

Linux logs are located here:

 /var/log/eset/RemoteAdministrator/Agent/status.html

 /var/log/eset/RemoteAdministrator/Agent/trace.log

[Can't Install ERA when SQL Express Already Installed]

I think there are running 2 instances on port 1433, and they cannot both run on same port.

Try to set ERA sql instance port to something else than 1433. Use SQL Server Configuration Manager for this, it should be installed with sql server.

 

In next version of ERA, Setup.exe will install "ERA" instance for you, running on port 14222. Until then, you must install sql server manually.

[Can't Install ERA when SQL Express Already Installed]

Install ERA database to your MSSQL Express, or install manually new instance of MSSQL Express and use this instance as db server for ERA.

[ERA v6 Webconsole SSL Certificate]

In fact, you do not need to use openssl. Java keytool should be enough.

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3724

 

Following step 1 and 5 let you generate self signed certificate with your values and setting tomcat's server xml to use generated keystore.

 

1. Create a keystore with an SSL certificate. You must have Java JRE installed, and it is preferable that you are running the latest version, because it includes the Java Keytool (keytool.exe), which allows you to create the certificate via command line. You need to generate a new certificate for each tomcat instance (in case you have multiple tomcat instances) to ensure that, if one certificate is compromised, other tomcat instances will remain secure.
   
   Below is an example command that creates a keystore with an SSL certificate (to perform this step, navigate to exact location of keytool.exe file, for example C:\Program Files (x86)\Java\jre1.8.0_40\bin>, and then run the command):

keytool.exe -genkey -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

 

5. Edit the server.xml configuration file so that tag is written similar to the example below:

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" keystorePass="yourpassword" keyAlias="tomcat"/>
 

[ERA6 and SQL server authentication]

Installing new database instance for ERA should be best for you. Of course you can install in any instance, if you want. In this instance you can install databases for Server, Proxy, and Mobile Connector. Installers needs "sa" login for installing databases and each installer create user and password, which will access its own product database. 

 

1. Database should be accessible on opened tcp port, this is why "mixed mode" is "must".

2. Windows Authentication is optional, but it is used only in installation. It is for users who do not know password for "sa" user

3. Both are valid, it is same as Server. For small network, there is no need for Proxy, and it can be installed later if needed.

4. Same as (3)

5. None of these use database connection.

 

If Windows Authentication is used for install, you do not have to create some administrator user, you do not even need to know "sa" user password in this case. Other logins are created by installers.

[Help needed to create new dynamic group for automatic deployment]

Only computers with Agent can be in dynamic groups. So Agentless computer cannot be member of dynamic group.

But, you can sort computers by Status in Computers screen and run deployment task on them.

[Remote MSSQL database connection failure installing ERA Server 6 on linux]

Try to use --db-type="MS SQL Server"

because default is MySQL