Activating EAV6 through ERA6.5 client task

[sk2103 1]

Hello there,

first i want to say, that ERA6.5 is an excellent tool with a nice GUI and some great features. Just wanted to tell you, how much i like it!

But it's giving me a rather hard time during setup, compared to the older 4.x Version we still use in most branch offices. Theres still some problems that you are working on, i guess. So i won't complain and try to get it fixed and/or understood.

At the moment my problem is:

• I've installed ERA 6.5.31 and ESET File Security on the server box (skipped Apache for we want the clients to fetch the updates from a local share)
• I rolled out the agents to the clients via a server task, which worked in the second try
• I installed the clients manually, because i wasn't able to do it via client software installation task
• I applied a standard policy to all the clients, which seems to work (checked the logfiles on clients to refect that a policy change was made)
• In the policy i set the correct http-proxy we use (ipfire on port 8080), no direct connection

Now i want to create a client task to activate the clients. I did that manually on the ERA6.5 and ESET File Security and it worked. But client activation doesn't work at all - no matter how often i try it. I re-checked that the client policy has the correct proxy settings (the policy does, and it gets applied, when i check on a client).

So i've tried activating a client manually in the GUI. It gives me this error:

Error during activation: Activation Server can not be reached (Error Code: ECP.20002)

Im not sure, where to check, whats wrong now. Can i check, if a client is using the proxy configured in the policy? Can i check the activation process in a logfile somehow?

 

Additional question:

Is there detailed information, which module of ERA6.5/EAV/EFS talks to which component in which combination? In some parts im not sure, which ways of communication the software tries to take in different setups (e. g. for a local share update mirror and repository, when we dont want to use apache).

 

 

[Gonzalo Alvarez 66]

Hi,

Good to see someone who does the work and put data on the question.

All ERA thing and Endpoints do the activation to the ESET servers on Internet and your problem
is they aren't reach them. Check this KB about it.

Resolve ACT or ECP errors during activation
hxxp://support.eset.com/kb2434/?locale=en_US

You can send the install task of endpoints with the license on the task so they auto-activate
=> 3 minutes after the installation is finished. <= You don't touch anything, despite the
windows pop-up alerts.
 

In other hand, version 4? You are dealing with fire! hahaha
Seriously, your company has to make a fast plan to upgrade all. Losses are more
expensive than upgrades+time used.

About the additional question
The communication dealer is the Agent, he manage all between the parts.
There is a KB mention all ports ERAv6.x use, I paste the link below
hxxp://support.eset.com/kb3608/

I don't know if answer your question, so hope this help you.

[sk2103 1]

Hello GonzaloA.,

thanks for trying to clear that up and for the work you put into answering my question!

I've had a look at the KB-articles, and maybe the second one had a clue.

I did not install ERA-Proxy/Apache HTTP Proxy on the server, because i wanted to use an internal SMB-share as update mirror and repository. I don't want the clients to directly talk to the internet, if you will.

If i get that that right, the activation happens through a communication between the client-software an the activation server on the internet (which totally makes sense). The question is: does the client use the http-proxy i entered in the policy or do i have to use the module called "ERA-Proxy" (which then communicates with the activation server...?).

My problem is, that all clients can't even be activated via GUI, although you can use the internet in any browser flawlessly on these machines (said proxy). I wonder if i can check, which way the activation process wants to take, so i can troubleshoot the problem.

[sk2103 1]

Hah,

i think i've found the part where i am wrong. I published a policy for the AGENT (and set the proxy in that policy), but did not publish one for the Endpoint Antivirus application. So if i set up a policy for the application and put the proxy there, the communication should work. I missundertstood that agent and application are separate "things" with separate settings i guess. Mainly because it made no sense for me, to set a proxy in the agent (which in my head only communicates in the internal network). So mainly i thought, the application would use the settings from the agent. Do the things i mumble make sense? *shrug*

I will test that and report back.

[Gonzalo Alvarez 66]

Yes, Endpoint and Agents are different and have each his own configuration.

Quote

So if i set up a policy for the application and put the proxy there, the communication should work.

In theory, yes.

Hierarchy will be (from bottom to up): Endpoints > Agent > ERA Server.
Agent controls >everything< on the terminal, you can do a lot.

Don't worry, is a bit complicated to go into the "how its works" ERA, but once you get it is more easy.

ERA-Proxy is to use on another office or network (who reports by Agent to the only ERA server - pyramid structure)
You don't need to install ERA-proxy on the network. You install in a parallel network, another office, another country LAN office, etc).
ERA Apache proxy is who distribute the updates (is need it to be there, you cannot avoid it).

(someone correct me if I wrong)
When you start to use ERA you are not going to do the things like you want, instead you use the
ESET tools. There is a Repository created by ERA with all updates (ERA apache proxy).

Many IT guys try to do the thing how they want (some old ways, some his own way) and is not possible
by "outside of the box", if want to ERA works use the ESET way. Which is a normal thing if you buy a product to do
a job, a security one (from this point of view). Everything is planned, just have to find how its to be done on
ESET product.

You can activate terminals with no connection to the Internet using the "off-line activation license file"
(you can get at ela.eset.com - if you have access)

So you send the install + the activation file and is done or the task with the file (I believe)..

 

[MichalJ 434]

Concerning the confusing setting of "Proxy" in ERA agent policy. ERA agent connects to the internet, to get the module updates (configuration engine module, translator module, others ...), and also connects to ESET repository service, to download the installers of Endpoint, when Endpoint is installed using "software install" task. As in case of module updates in case of Endpoint, it supports caching of the installers, to reduce network load.

Proxy setting in Endpoint policy, serves to direct all Endpoint => Internet communication via the proxy server. Basically, it represents communication with licensing servers, update servers, and ESET Live Grid, which is an important piece of overall protection capabilities that our product uses. 

[sk2103 1]

1 hour ago, MichalJ said:

Proxy setting in Endpoint policy, serves to direct all Endpoint => Internet communication via the proxy server. Basically, it represents communication with licensing servers, update servers, and ESET Live Grid, which is an important piece of overall protection capabilities that our product uses. 

Thanks for clearing that up. I will have to re-read some of the documentation again, to understand, which parts of the server installation i need and how they work together.

Still i have the problem, that none of the (manually) installed Endpoint Antivirus Clients can be activated. Not by pushing a client task, neither by entering the settings in the clients GUI, adding our http-proxy settings and trying to activate from the GUI. It always says, that the activation server can't be found. Even if the proxy settings are correct (checked a 100 times).

In the client task it just says, that there was an error in the application, in the GUI it says, that the activation server can't be found. Internet works via http-proxy on all the machines, activation does not.

[MichalJ 434]

Which version of the product you are using?  In which part of the product UI, is the proxy server configured? There are basically two places, where this could be configured in the application - in "Update" and in "Tools / Proxy Server". For the licensing communication, the latter one is needed. 

Could you verify, that you can access the link https://edf.eset.com/edf on the problematic machine, in the webbrowser: