How can agents connect to ERA from both the office LAN and the internet?


We have ERA set up on an internal server on our LAN, and agents from inside the office can currently connect to the ERA over the LAN. However, since most endpoints are laptops and many users work remotely, we also want to set things up so agents can connect to ERA over the internet. I'm hoping someone can outline the steps necessary to accomplish this?

I understand that I need to open port TCP 2222 in the firewall, so internet traffic can reach ERA:   hxxp://support.eset.com/kb3304/

It also looks like I can configure the policy to point to more than one address for the ERA server, so agents would first try the local LAN IP of the ERA server, then try the public internet IP: hxxp://help.eset.com/era_admin/65/en-US/index.html?admin_pol_planed_for_migration.htm

What else would I need to do? Would I need to create a different certificate, or would I need two certificates (one for LAN, one for internet)?

Any advice would be much appreciated!

Edited by Rob75206

  • ESET Staff

As you pointed out, the problem may be the certificate - you must make sure that the certificate is signed for both the "internal" and "external" hostname/IP so that AGENTs will trust it (see column "Host" in the peer certificates view). Alternatively the special wildcard * matching all hostnames can be used, but it is not recommended.

In case you need to create a new certificate, use the "Host" field to specify the list of hostnames that your AGENT will be using. Once the certificate is created (it should be signed with the same CA certificate to avoid problems), you have to set it to be used in "Server settings" and restart the SERVER service.

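
Added example (not from the thread or from ESET): a small Python planning check that compares the addresses an AGENT policy will try (the LAN address first, then the public one, as in the first post) against the entries you intend to put in the SERVER certificate's "Host" field, before you create the certificate. It assumes a simplified matching rule: an entry covers an address only if it is the same string (case-insensitive), and the special entry * covers everything, which is the behaviour the reply above describes. The hostnames and IP addresses in it are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List

# ERA's special "match everything" Host entry, as described in the reply above.
WILDCARD = "*"


def host_matches(cert_host: str, address: str) -> bool:
    """Assumed rule: '*' matches any address, otherwise exact (case-insensitive) match."""
    if cert_host == WILDCARD:
        return True
    return cert_host.strip().lower() == address.strip().lower()


@dataclass
class CoverageReport:
    covered: List[str] = field(default_factory=list)
    uncovered: List[str] = field(default_factory=list)
    uses_wildcard: bool = False

    def ok(self) -> bool:
        """True when every agent-facing address is covered without relying on '*'."""
        return not self.uncovered and not self.uses_wildcard


def check_server_cert_hosts(cert_hosts: List[str], agent_addresses: List[str]) -> CoverageReport:
    """Check each address AGENTs will connect to against the certificate's Host list."""
    report = CoverageReport(uses_wildcard=WILDCARD in cert_hosts)
    for addr in agent_addresses:
        if any(host_matches(h, addr) for h in cert_hosts):
            report.covered.append(addr)
        else:
            report.uncovered.append(addr)
    return report


def explain(report: CoverageReport) -> List[str]:
    """Human-readable findings, returned as lines so they can be checked or printed."""
    lines = [f"covered: {', '.join(report.covered) or '(none)'}"]
    if report.uncovered:
        lines.append("NOT covered (AGENTs using these will not trust the SERVER certificate): "
                     + ", ".join(report.uncovered))
    if report.uses_wildcard:
        lines.append("WARNING: Host contains '*': a leaked SERVER key would be valid for any name")
    if report.ok():
        lines.append("OK: every address is covered by an explicit Host entry")
    return lines


# Constructed sample values (not from the thread).
LAN_IP = "10.0.0.5"
LAN_NAME = "era.corp.example"
PUBLIC_NAME = "era.example.com"
AGENT_ADDRESSES = [LAN_IP, PUBLIC_NAME]   # the order the policy tries them in

if __name__ == "__main__":
    for label, hosts in [("LAN-only cert", [LAN_NAME, LAN_IP]),
                         ("wildcard cert", [WILDCARD]),
                         ("LAN+internet cert", [LAN_NAME, LAN_IP, PUBLIC_NAME])]:
        print(f"== {label}: Host = {hosts}")
        for line in explain(check_server_cert_hosts(hosts, AGENT_ADDRESSES)):
            print("  " + line)
```

Run it as-is to see the three cases side by side: the LAN-only certificate leaves the public name uncovered, the wildcard certificate covers everything but is flagged, and only the third list passes cleanly. Put the real LAN IP/hostname and the public DNS name into AGENT_ADDRESSES when planning your own certificate.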

Thanks Martin - A couple of follow-up questions:

Are you talking about the Server Certificate or the Agent Certificate?

Right now, the host field in both the Server Cert and Agent cert is set to * (wildcard). Although this isn't recommended, would this work for our purposes? If so, I'd like to set it up like this for now, just to get everything working.

Then I'd go back and change it later to the specific hostname/IP, after confirming everything else worked properly.


  • ESET Staff
43 minutes ago, Rob75206 said:

Thanks Martin - A couple of follow-up questions:

Are you talking about the Server Certificate or the Agent Certificate?

Right now, the host field in both the Server Cert and Agent cert is set to * (wildcard). Although this isn't recommended, would this work for our purposes? If so, I'd like to set it up like this for now, just to get everything working.

Then I'd go back and change it later to the specific hostname/IP, after confirming everything else worked properly.

I meant SERVER certificate.

Wildcard * (in SERVER's certificate) means that AGENTs will be able to connect to this server using any hostname, including IP addresses. This means it will work for your environment without any limitation. It is not recommended for security reasons: a leaked SERVER certificate (private key) could be used on any domain (i.e. to host a "fake" SERVER) and used to take control of AGENTs...


I've got it working so agents can communicate with the ERA server over the internet and policy changes are successfully pushed out to remote agents. The only problem is that when agents are outside the office, they can't update the virus signature database. In the "Update" section of the client on the laptop, it shows the message "could not connect to server".

In the policy settings, the primary and secondary update servers are set to "choose automatically". How does this work, does that mean it tries to update from the ERA server, but then does not try to update from ESET's public update servers? How do I know which servers it is choosing?

How can I configure this so agents will update when outside the office?

Thanks again for your help...


  • ESET Staff

Could you check if the proxy server is configured in the update profile and in the general Endpoint settings:

  • Update profile: F5 - Update - HTTP Proxy
  • General: F5 - Tools - Proxy Server

You can configure various update profiles, and have one used as primary (within your network) and then one as secondary (outside the network).

So I would recommend creating two new profiles, "Inside" and "Outside".

  • For inside, check the settings; if proxy is enabled, leave it as it is.
  • For outside, check the settings and disable the proxy ("do not use proxy server").

Edit the default update task via "TOOLS" / "Scheduler" and in the "task details" choose the two profiles you have created.

In that case, everything should work correctly.

 


Hi MichalJ,

Thanks for your reply. I forgot to mention that we're using Endpoint Security for OS X, so there is no profiles option available. The profiles option is only available in Windows policies.

I found this article which seems to describe what I need to do: hxxp://support.eset.com/kb3621/#OSXLinux

However, I'm not sure what I need to do in step 5B: "type the IP address into the Proxy server field and port number (default is 3128) into the Port field"

What server are they referring to or what IP address do I need to type here? Does the ERA server act as the proxy, meaning this should be the internal IP of our ERA server? The only ESET server we have is the ERA server, we don't have a "proxy" server.


  • ESET Staff

If you have installed ERA using the all-in-one installer on Windows and you have checked the option to install the "Apache HTTP Proxy", or you have deployed the ERA appliance with the same setting enabled, it installed the proxy on the ERA server. So then the proxy address is the address of your ERA server. It would cache the updates for your clients then.

If your organization is not using any proxy you might configure your update to "autoselect" and remove any proxy settings (not just from "Update" but also from Tools / Proxy Server). Products will then update from the internet, regardless of their location.

 


Thanks for your help, MichalJ.

I just set it up so all agents would update from the internet, by choosing "autoselect" and not using a proxy. Works great now.


  • 3 weeks later...

Hi,

I found this thread when searching for similar questions about internet update and have some questions.
We are currently evaluating ESET 6.4 and the ERA setup was installed with the Apache proxy.

Do I need to open up both TCP 2222 (ERA Server) and TCP 3128 (Apache Proxy) from the internet?
Or does all communication (updates and ERA server connections) go through the proxy on 3128, when installed?

We use Endpoint Security.

 

Edited by Johan2390

  • ESET Staff

Port 2222 is used for the AGENT-to-SERVER connection, regardless of proxy configuration. You will have to open it in case AGENTs are connecting from outside of your network.

Port 3128 (HTTP Proxy) is used for Endpoints and AGENTS communication with ESET servers, including downloading installation packages, activating licenses on clients and for updating of endpoints. In most scenarios it is not required to open this port as clients connecting from internet will obviously be able to access ESET servers directly.


  • 2 months later...
  • ESET Staff
8 hours ago, Johan2390 said:

Thanks for the info. We have now bought ESET and are about to set this up.

Is it safe to have port 2222 open to public internet?

It is the easiest solution for this scenario, but it comes with risks. For example an attacker might use DoS techniques to overload the ERA Server with TCP connections, which may result in ERA service unavailability, even for local or console connections (exhaustion of resources).

More advanced solutions that we know are used include:

  • Using a VPN, i.e. notebooks are technically in the same (internal and secured) network.
  • Using ERA Proxy in a DMZ, where clients connecting from outside of the secure network connect to the ERA Proxy (the ERA Server is not visible to them), which then forwards data to the ERA Server. In this case a DoS-type attack will affect only the ERA Proxy, and local connections including console access should not be affected.

Unfortunately those solutions require much more complicated configuration. I would recommend using at least a firewall that is able to detect possible attacks, for example by monitoring the number of connections, reducing the number of attempts to open connections from the same IP...

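
Added example (not from the thread or from ESET): a Python sketch of the kind of connection-count monitoring the reply above recommends, run over a constructed firewall log rather than a live one. It counts TCP connection attempts per source IP to port 2222 in a sliding time window and reports sources that exceed a threshold, which is a reasonable way to work out what per-source connection limit a real firewall should enforce before the port is exposed. The log line format, the source addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ERA_AGENT_PORT = 2222  # the AGENT-to-SERVER port named in the thread

# Constructed, iptables-style log line shape (an assumption, not ERA's or any vendor's format):
# "<ISO timestamp> kernel: ERA-IN SRC=<ip> DST=<ip> PROTO=TCP SPT=<port> DPT=<port> SYN"
LOG_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line: str) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, source IP, destination port), or None for lines that don't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def find_connection_floods(lines: List[str], port: int = ERA_AGENT_PORT,
                           threshold: int = 20, window_s: int = 60) -> Dict[str, datetime]:
    """Sliding-window count of connection attempts per source IP to `port`.

    Returns {source_ip: time of the attempt that first pushed it over `threshold`
    within a `window_s`-second window}. Lines must be in time order per source.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        if dpt != port:
            continue  # only the ERA AGENT port is of interest here
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()  # drop attempts that fell out of the window
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: one noisy source, one normal AGENT, some unrelated traffic."""
    base = datetime(2017, 3, 1, 10, 0, 0)
    fmt = "{ts} kernel: ERA-IN SRC={src} DST=198.51.100.10 PROTO=TCP SPT={spt} DPT={dpt} SYN"
    lines = []
    for i in range(30):   # 30 attempts in about ten seconds from one address
        lines.append(fmt.format(ts=(base + timedelta(seconds=i // 3)).isoformat(),
                                src="203.0.113.7", spt=40000 + i, dpt=ERA_AGENT_PORT))
    for i in range(3):    # a normal AGENT reconnecting every five minutes
        lines.append(fmt.format(ts=(base + timedelta(minutes=5 * i)).isoformat(),
                                src="192.0.2.12", spt=50000 + i, dpt=ERA_AGENT_PORT))
    lines.append(fmt.format(ts=base.isoformat(), src="192.0.2.40", spt=51000, dpt=443))
    lines.append("garbage line that should be ignored")
    return sorted(lines)  # ISO timestamps at the start of each line sort chronologically


if __name__ == "__main__":
    for src, when in find_connection_floods(build_sample_log()).items():
        print(f"{src}: more than 20 attempts to port {ERA_AGENT_PORT} within 60s, at {when.isoformat()}")
```

The threshold and window are deliberately generous: a healthy AGENT opens a connection on its replication interval, not dozens per minute, so a source that trips this rule is either a broken client or exactly the resource-exhaustion case the reply describes. Tune the numbers against your own logs, then configure the equivalent per-source limit on the firewall.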

Thanks. We have a firewall that can handle DoS attacks.

I have done some testing now, with port 2222 open to the public internet.
ERA is now set up with a DNS name that is available for lookup on both the inside network and the outside public internet, linked to port 2222.

Virus signature updates work fine from both the inside local network and the outside public internet now.

But when I tried to add a client task in ERA to do a software install (update ESET Endpoint Security to the latest version), it fails.
It works fine inside the local network, but not from the public internet.

Does the software install function require access to port 3128 as well?

 


  • ESET Staff

Just to confirm: do you have updates configured to get them directly from the internet, or is a proxy server (Apache HTTP Proxy) configured to cache the updates? Software install works in such a way that the Agent tries to download the endpoint msi package from the ESET repository (repository.eset.com). If a proxy is configured, it attempts to download it via the proxy. In the case of an installation of ERA using the all-in-one installer and checking the proxy option, a default policy for the ERA agent is configured that will force the ERA agent to communicate via the proxy for downloading. If this policy is removed, and the machine is able to access repository.eset.com, it should work without any issues.

 


I'm a newbie to ESET.

I have a policy set up that is linked to all windows computers.

Settings/Tools/Proxy Server.
Use Proxy = YES
Proxy Server = eset.ourdomain.com
Port 3128
Use direct connection if proxy is not available = YES

Still does not work. What am I missing?


  • ESET Staff

Unfortunately there was an issue with "Use direct connection if proxy is not available" in ERA Agent 6.4 which caused it not to work properly. If I recall correctly this issue has been resolved in ERA Agent 6.5 -> could you try to update one of the failing AGENTs and re-try?


Thanks.

After manual update to Agent 6.5 on the specific client, the ERA task to update to Endpoint Security 6.5.2094.1 was successfully done through external internet connection.

 

