
Enabling Advanced Security - Need 2 Knows



ERA Virtual Appliance

ESET Remote Administrator Server 6.5.417.0

 

We're currently moving to TLS 1.2 only on a large number of our servers. The few Windows Servers (Server 2012 R2 and 2016) that have already been migrated to TLS 1.2 only have since lost connection to the ERA. I looked to see which ciphers the agents on those servers are using, and even though they are TLS 1.2 ciphers, they are considered weak, which would burn us in an audit. I'd like to turn on "Advanced Security" in ERA Server Settings to hopefully have access to higher cipher suites, but I'm curious about a few things:

1. Am I correct in understanding that in order to accommodate higher cipher suites for TLS 1.2, I would need to turn "Advanced Security" on?

2. What is all involved in regards to certificates? Do I need to prep anything, or change from the default server certificate? (This is probably my biggest concern, as I'm not sure where to begin with this.)

3. Does anyone know what ciphers will be added/replaced when enabling "Advanced Security"?

4. Any additional info?

 

Thanks in advance for any help on this. 


  • ESET Staff

Turn this setting on to enable advanced security for network communication of ERA components.

Advanced security includes these features:

Newly created certificates and certification authorities use SHA-256 (instead of SHA-1).

ERA Server uses the latest TLS (TLS 1.2) for communication with Agents.

Enabling Advanced Security enforces the use of TLS 1.2 for Syslog and SMTP communication.

IMPORTANT

When you enable advanced security, you need to restart the ERA Server to put this setting in use.

Minimum compatibility requirements:

Windows: Windows Vista and later.

Linux: OpenSSL 1.0.1 and later on a supported OS version (Ubuntu 12.04 and later, RHEL/CentOS 6 and later, Debian 7.0 and later).

OS X 10.9 and later.

IMPORTANT

Advanced security does not influence the already existing CAs and certificates, only new CAs and certificates created after advanced security is enabled.

To apply advanced security in the existing ERA infrastructure, you need to replace the existing certificates.

IMPORTANT

Advanced security is not compatible with older systems (for example Windows XP, Windows Server 2003). ESET Management Agents disconnect from the ERA Server after the certificate change. To keep managed devices with older unsupported OS connected to ERA Server, do not replace certificates for these devices and do not revoke the original CA and peer certificate.

You can check if your Linux client is compatible using the following command:
openssl s_client -connect google.com:443 -tls1_2

How to enable and apply Advanced security on your network

Before enabling this feature make sure all your client computers can communicate via TLS 1.2 (see the note above). The procedure contains two restarts of the ERA Server service.

Follow this procedure to enable and apply Advanced security:

1. Navigate to Admin > Server Settings and click the slider next to Advanced security (require restart!).

2. Click Save to apply the setting.

3. Close the Console and restart the ERA Server service.

4. Wait a few minutes after the service is started and log in to the Web Console.

5. Check if all computers are still connecting and no other problems have occurred.

6. Navigate to More > Certification Authorities > New and create a new CA. The new CA is automatically sent to all client computers during the next Agent-Server connection.

7. Create new peer certificates signed with this new CA. Create a certificate for Agent and for Server (you can select it in the Product drop-down in the wizard).

8. Change your current ERA Server certificate for the new one.

9. Create a new ESET Management Agent policy to set up your Agents to use the new Agent certificate.

a. In the Connection section, click Certificate > Open certificate list and select the new peer certificate.

b. Assign the policy to the computers where you want to use Advanced security.

c. Click Finish to apply.

10. When all devices are connecting with the new certificate, you can delete your old CA and revoke old certificates. Skip this step if you applied Advanced security only on some (and not all) of the connected client computers.

Advanced security on systems with installed MDM

This setting will affect only communication between ERA Server and MDM Server. Communication between MDM Server and Mobile Devices will not be affected. To apply advanced security to the MDM component, create new MDM and Proxy certificates signed by the new CA and assign them via policy to the MDM server as follows:

ESET Mobile Device Connector Policy > General > HTTPS certificate. Import the new MDM Certificate.

ESET Mobile Device Connector Policy > Agents > Certificate = Proxy certificate.

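The original question is really two checks: which TLS 1.2 suites the client-side OpenSSL build can offer (and whether an auditor would flag them), and whether a given server actually completes a TLS 1.2 handshake, which is what the `openssl s_client -tls1_2` command above tests. The following script is an added example written for this thread; it is not ESET's code and it does not read any ERA setting. It assumes one common hardened cipher string (forward-secret AEAD suites only), a heuristic "strong/weak/legacy" classification that is not an authoritative policy, and port 443 as the default simply because the `s_client` example above uses it; pass the ERA Agent-to-Server port explicitly when probing an ERA Server.

```python
"""Audit the TLS 1.2 cipher suites a client OpenSSL build can offer and
classify them the way a hardening audit would (forward secrecy, AEAD, no
legacy primitives), then optionally probe a host with TLS 1.2 forced.
Added example for this thread; not ESET's code. Standard library only,
so it runs on any Python 3.7+ linked against OpenSSL 1.0.1 or later."""
import socket
import ssl

# Tokens marking suites an auditor would normally flag even though they are
# valid TLS 1.2 suites. Heuristic list chosen for this example, not a policy.
LEGACY_TOKENS = ("RC4", "DES-CBC", "MD5", "NULL", "EXPORT", "ADH", "AECDH",
                 "IDEA", "SEED")


def classify_cipher(name: str) -> str:
    """Return 'strong', 'weak' or 'legacy' for an OpenSSL cipher-suite name.

    strong: TLS 1.3 suites, or ephemeral (EC)DHE key exchange with an AEAD cipher.
    weak:   valid but flagged in audits: static RSA (no forward secrecy) or CBC mode.
    legacy: obsolete primitives (RC4, 3DES/DES, MD5, NULL, export, anonymous).
    """
    upper = name.upper()
    if upper.startswith("TLS_"):          # TLS 1.3 names: always AEAD + ephemeral
        return "strong"
    if any(tok in upper for tok in LEGACY_TOKENS):
        return "legacy"
    forward_secret = upper.startswith(("ECDHE-", "DHE-"))
    aead = any(tok in upper for tok in ("GCM", "CHACHA20", "CCM"))
    return "strong" if forward_secret and aead else "weak"


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+ client context offering only forward-secret AEAD suites.

    The cipher string is an assumption (one common hardened policy); ERA's
    Advanced security setting does not expose a cipher list to edit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Group every suite the context would offer by classification."""
    report = {"strong": [], "weak": [], "legacy": []}
    for suite in ctx.get_ciphers():       # includes TLS 1.3 suites when available
        report[classify_cipher(suite["name"])].append(suite["name"])
    return report


def probe_tls12(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Python counterpart of `openssl s_client -connect host:port -tls1_2`.

    Forces TLS 1.2 on the client side and reports what the peer negotiates.
    Certificate verification is switched off because, like s_client, this is
    a handshake diagnostic against a server that may use a private ERA CA;
    do not reuse this context for real connections. Needs network access."""
    ctx = hardened_client_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False            # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name,
                    "bits": bits, "class": classify_cipher(name)}


if __name__ == "__main__":
    import sys
    print("client OpenSSL:", ssl.OPENSSL_VERSION)   # needs >= 1.0.1 for TLS 1.2
    for cls, names in audit_context(hardened_client_context()).items():
        print(f"{cls:7s} {len(names):3d} suites:", ", ".join(names[:3]), "...")
    if len(sys.argv) > 1:                 # python tls_audit.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe_tls12(sys.argv[1], port))
```

Run it without arguments on a migrated client to see which suites that machine's OpenSSL can still offer under a hardened policy; run it with the ERA Server host and Agent port to confirm that a TLS 1.2 handshake completes and to see the negotiated suite, which is the same information `s_client` prints. A result of "weak" for the negotiated suite (for example a static-RSA or CBC suite) is the situation the original poster describes: TLS 1.2 is in use, but the suite would still be flagged in an audit.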