jinlei801011 Posted May 2, 2018

Our company has 300 users in total (HQ 200, subcompany 100), all managed by one license key and one ERA server installed at HQ. Due to a company restructuring, our subcompany will move to another location and will manage ESET (100 users) themselves. We will buy a new license and install a new ERA server at the subcompany, and re-deploy the Agent to the 100 users. My question is: is there any other solution that does not require re-deploying the Agent? Create an Agent policy on the HQ ERA server to change the server address? What about the certificates? Thanks
MartinK (ESET Staff) Posted May 2, 2018

It is possible. You just have to be aware of the correct order of steps, otherwise it could end up with 100 AGENTs unable to connect to either the original or the new SERVER. There are various possibilities with various levels of separation. As you mentioned, you have to change the certificates and the hostname. More problematic is the certificate configuration, where there are two possibilities:

- Migrate the subcompany AGENTs to completely new certificates generated by the newly installed ERA. This is more secure: the ERA networks would be independent and only specific AGENTs would be able to connect to the new SERVER.
- Use the same certificate for both ERA Servers. This simplifies migration and roaming between SERVERs significantly. The only requirement is that the SERVER certificate can be used for both the original and the new hostname (in case no wildcard * is used). It is even possible to have two SERVER certificates, but signed by the same CA certificate currently available on the original server.

In case the subcompany separation is not a temporary solution, I would recommend the first possibility, which involves the following steps:

1. Install the new ERA. During installation, a new certificate will be generated. For the further steps, exporting the CA certificate will be required.
2. Import the CA certificate mentioned in step 1 into the original ERA. Once this is done, this CA certificate will be distributed to all AGENTs, which will enable them to trust both the original and the new SERVER.
3. Import the CA certificate of the old ERA into the new ERA. Once this is done, AGENTs will be able to connect to the new ERA even with their old (current) peer certificate.
4. Create a new AGENT configuration policy on the original SERVER, and configure the AGENTs to connect to the new ERA (you can even use a list of hostnames, where the first in the list should be the new hostname, followed by the current one), and assign this policy to the AGENTs that are supposed to be migrated.
5. Create a new AGENT configuration policy on the new SERVER, and configure the AGENTs to connect only to the new ERA (replace the list of hostnames with only the current one), and to use the AGENT peer certificate available in the new ERA. This policy should be assigned to all AGENTs; it will override the settings that were used on the original ERA server.

I would strongly recommend checking this on a test machine, so that the risk of losing control is minimal. Once the AGENTs fetch the new configuration and successfully connect to the new ERA, they should stop connecting to the original ERA, which is the sign of success. Once migration is finalized, it is possible to "delete" the CA certificate imported from the other ERA, just to be sure that AGENTs from a different ERA "realm" are no longer able to connect.
janoo (ESET Staff) Posted May 4, 2018

Hi, a similar migration is also described here: https://support.eset.com/kb6490/ and here: https://support.eset.com/kb6492/
jinlei801011 (Author) Posted May 5, 2018

On 3/5/2018 at 3:06 AM, MartinK said: [MartinK's reply above, quoted in full]

Thank you Martin, I will test it next week. In step 2, why is it necessary to import the new ERA CA certificate into the original ERA? According to the ESET FAQ (https://support.eset.com/kb6490/), only the CA certificate from the original ERA needs to be imported into the new ERA. Please advise. Thanks
MartinK (ESET Staff) Posted May 5, 2018

5 hours ago, jinlei801011 said: In step 2, why is it necessary to import the new ERA CA certificate into the original ERA? According to the ESET FAQ (https://support.eset.com/kb6490/), only the CA certificate from the original ERA needs to be imported into the new ERA. Please advise.

The referenced article describes the second variant that I mentioned, but I did not provide detailed steps for it. The difference is that the certificates from the original SERVER are transferred to the new SERVER (the SERVER peer certificate), which makes migration of the AGENTs simpler, but it is suitable for SERVER re-location (the old SERVER will no longer exist after migration), not for splitting one into two. You could follow the steps in the article in case you do not mind that all AGENTs will be able to connect to both the old and the new SERVER, which may pose a security risk.
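The trust relationships behind MartinK's two variants, as an added toy model that is not ESET code: an Agent reaches a Server only if the hostname is in its server list, the Server certificate chains to a CA the Agent trusts, and the Agent peer certificate chains to a CA the Server trusts. Hostnames (`era-hq`, `era-sub`) and CA names (`CA-HQ`, `CA-SUB`) are constructed labels; the model walks the five steps in order, shows the lock-out from skipping steps 2 and 3, and shows why the shared-certificate variant leaves every HQ Agent able to reach both realms.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    ca: str  # name of the issuing CA (constructed label, not a real ESET name)

@dataclass
class Server:
    name: str           # hostname the Agents use to reach this ERA
    cert: Cert          # Server peer certificate
    trusted_cas: set    # CAs whose Agent peer certificates this Server accepts

@dataclass
class Agent:
    servers: list       # ordered server list from the Agent policy
    peer_cert: Cert     # Agent peer certificate
    trusted_cas: set    # CAs the Agent accepts Server certificates from

def can_connect(agent, server):
    """Mutual authentication: host listed, Server cert trusted by the Agent,
    Agent peer cert trusted by the Server."""
    return (server.name in agent.servers
            and server.cert.ca in agent.trusted_cas
            and agent.peer_cert.ca in server.trusted_cas)

def reachable(agent, *servers):
    return {s.name for s in servers if can_connect(agent, s)}

def split_realm():
    """Variant 1 (separate CAs) in the order given in the thread; returns
    what the migrating Agent can reach at each stage."""
    old = Server("era-hq", Cert("CA-HQ"), {"CA-HQ"})
    new = Server("era-sub", Cert("CA-SUB"), {"CA-SUB"})    # step 1
    agent = Agent(["era-hq"], Cert("CA-HQ"), {"CA-HQ"})
    log = {}
    # Wrong order: repoint the Agent before steps 2/3 -> neither side trusts it.
    log["wrong_order"] = reachable(Agent(["era-sub"], Cert("CA-HQ"), {"CA-HQ"}), old, new)
    agent.trusted_cas.add("CA-SUB")          # step 2: CA-SUB imported into HQ ERA, pushed to Agents
    new.trusted_cas.add("CA-HQ")             # step 3: CA-HQ imported into new ERA
    agent.servers = ["era-sub", "era-hq"]    # step 4: HQ policy, new host first
    log["migrating"] = reachable(agent, old, new)
    agent.servers, agent.peer_cert = ["era-sub"], Cert("CA-SUB")   # step 5: new ERA policy
    log["after_step5"] = reachable(agent, old, new)
    new.trusted_cas.discard("CA-HQ")         # cleanup: drop the foreign CA
    stray = Agent(["era-sub"], Cert("CA-HQ"), {"CA-HQ", "CA-SUB"})  # un-migrated HQ Agent
    log["stray_hq_agent"] = reachable(stray, old, new)
    return log

def shared_cert_variant():
    """Variant 2 (kb6490 style): the new Server reuses the HQ certificate, so
    any HQ Agent whose list names era-sub can connect to both realms."""
    old = Server("era-hq", Cert("CA-HQ"), {"CA-HQ"})
    new = Server("era-sub", Cert("CA-HQ"), {"CA-HQ"})
    hq_agent = Agent(["era-hq", "era-sub"], Cert("CA-HQ"), {"CA-HQ"})
    return reachable(hq_agent, old, new)
```

After the cleanup step the stray HQ Agent reaches nothing even when pointed at `era-sub`, which is the "realm" separation the thread describes; the shared-certificate variant has no such boundary.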