Topsy 0 Posted July 9, 2018 Share Posted July 9, 2018 (edited) Hi everyone. I'm kinda new to this Eset software (business antivirus), but I already installed era server (+apache proxy), and web console, and deployed agents and antivirus software. I did half with web console because it didn't work at the end. I did the other part with gpo script with silent install. It works fine. So now i'm looking to deploy eset antivirus on computers over internet (not in my lan). So, my era administrator server (ws2016) is in lan (172.16.xx.xx) and i created a new vm (ws 2016) in dmz (192.168.xx.xx). vm in dmz can communicate with era server. The communication is ok because i can see my era proxy in my era administrator console and no error (i had problem with certificat but it's now ok). Then i see agent and proxy icon on the left of the name. I set up an ip address in my firewall, and allowed 443 and 2222 communication. My proxy seems to be accessible from internet (answer to my ping) but I don't know how to make sure it's 100% ok (I tried in http/https with differents port, with /era or not but nothing answer) I created a dedicated agent/av policy and create a new all in one package (i put my public ip address in list of server). If I run aio package on a remote computer, installation is ok, but I can't see it in console. In case of android smartphone, it gives me an url like https://xx.xx.xx.xx:9980/egn7b9td9 where xx is my external ip. But i can't download the apk. But i made an error : i installed smartphone connector in lan server. So I uninstalled it, but I cannot install it on proxy server, because there is already an agent ,and a database. Where should I install it ? What would you advice me to remote install on computers ? If you need more information just tell me. Thank you. Edited July 9, 2018 by Topsy added os Link to comment Share on other sites More sharing options...
ESET Staff MartinK 384 Posted July 9, 2018 ESET Staff Share Posted July 9, 2018 I would recommend to troubleshoot AGENT connection using steps described in documentation, I would start with status.html log, which should indicate connection problem. There are two most common issues in this scenario: PROXY certificate has to be signed for public hostname used by AGENTs. This means, that certificate used by PROXY must contain public hostname in it's Host field, or wildcard "*", which is not recommended, but would work. AGENT are connecting to wrong hostname. I guess this is the problem, as I am not sure whether hostnames from policy you mentioned are actually used. Cannot verify now, but I think hostname specified during installer creation (should be in advanced parameters in installer wizard) will actually override those specified in policy, and in case you have not modified it, default value will be used (= it will be most probably internal hostname of your ERA server, which is obviously not accessible from outside of network). Problem with wrong hostname will be visible in status.html log. Workaround is to use public hostname explicitly in installer, and once AGENT connects to ERA, it can be re-configred to use mutliple hostnames, i/e/ apply policy with list of servers, including private and public hostname. Just a note: ERA PROXY is used only by AGENT to connect to ERA SERVER. ERA Webconsole (web interface) won't be accessible from outside of network through PROXY machine, so port 443 can be blocked. Link to comment Share on other sites More sharing options...
Topsy 0 Posted July 10, 2018 Author Share Posted July 10, 2018 (edited) Indeed, the adress was good but, i need to modify my firewall rule (before, i set 2222 -> 2222 and change it to 1:655535 -> 2222). And I read again the board with all ports (read on eset website). So now I can see new remote computers in era web console :-) To be easier to send, I use agent live with eset script (download from eset website, and use my script configuration). For my own curiosity, I was wondering if agent download antivirus from my business place or on the internet ? (I guess internet because my firewall say that only few mb are used). Few questions about remote actions. I didn't tried all we can do but : Some of actions are working : - uninstall software works (tried with 7zip it works even if the console computers>name_of_computer>installed software> 5th column > says that agent cannot do it) - send messages work - reboot / shutdown work But some are not working : - I tried to uninstall eset antivirus : uninstall software, select in list eset antivirus => failed (eset agent uninstall works, but it keeps antivirus on computer). - windows update failed (RunUpdate: Update installation failed with orcFailed) - It's not it's first role but it could be usefull to install other software than eset ? for example, I tried to create a new task, installation softare, then I tried to wrote : "https://get.videolan.org/vlc/3.0.3/win64/vlc-3.0.3-win64.exe", with parameter : /S but it failed. I guess that software have to be on local computer ? So, maybe can we send files ? - if i go on a computer, software installed I notice one software, then I want to uninstall it with task => software is unfindeable. Then i'm still stuck on mdm because of certificate (I don't have a true one) so I export it from era web console but, when I try to download, website tells me that certificate isn't trust, I accept certificate, then tells me that certificate isn't good (https configuration invalid). I read many articles like this one or this one or this one but i must be stupid because I still have the error. Edited July 10, 2018 by Topsy . Link to comment Share on other sites More sharing options...
ESET Staff Oliver 9 Posted July 11, 2018 ESET Staff Share Posted July 11, 2018 For the MDM part : what is the version of MDM and ERA server you are using? ( because you mentioned v6.3 and v6.4 documentation articles) This is a detailed guide with everything you should know/do to successfully enroll a mobile device: (Android: https://support.eset.com/kb3686/ / iOS: https://support.eset.com/kb6368/ ) Link to comment Share on other sites More sharing options...
Topsy 0 Posted July 11, 2018 Author Share Posted July 11, 2018 (edited) Morning.. I'm using : ESET Remote Administrator (Server), version 6.5 (6.5.522.0)ESET Remote Administrator (Console Web), version 6.5 (6.5.388.0)ESET Endpoint Antivirus ; version 6.6.2078.5 windows => mdm : it's the mdmcore_x64.exe include in eset iso image I'll see your link Edited July 11, 2018 by Topsy . Link to comment Share on other sites More sharing options...
Topsy 0 Posted July 11, 2018 Author Share Posted July 11, 2018 I still got an error. First I create a new certificate (ADMIN> Certificate). I create a new (standard) one. Then I fill : GENERAL - Description : MDM Certificate - Host : 12.34.56.78 (example, I write my own public ip adress used to connect proxy vm in dmz) - passphrase : / - common name : 12.34.56.78 - country code : FR (same as other certificates) - State : / (same as other certificates) - Locality name : my_town (same as other certificates) - Organization name : my_organization_name (same as other certificates) SIGN - Method : certification authority - Certification authority : select (Era certification authority" (my era server) - certification authority passphrase : my_passphrase Then I create. I export the certificate. Then, I install mdm connector (standalone) on the DMZ VM (because accesible from internet). I accept terms. I select the exported certificate. I'm using no password. Then I fill : - mdm hostname : 12.34.56.78 - mdm port : 9981 - enrollment port : 9980 > next - database : ms sql server - odbc driver : sql server - database name : era_mdm_db - hostname : 172.16.XX.XX (LAN ip adress of era server) - port : 1433 (my port) > next, network connection to eset remote adminisrator - server host : 172.16.XX.XX (LAN ip of era server) - server port : 2222 - server assisted installation > next, connection to remote adminisrator server - server host : 172.16.XX.XX (LAN ip of era server) - web console port : 2223 - username : sa (my sql user) - password : my_sql_password > received serve certificate : yes , next, next , finish. Ports 9981 + 9980 are accessible from the internet. Trying to enroll a smartphone. When trying from outside the business lan : https://12.34.56.78:9980/e8z39vkmc => advanced parameters. continue to site 12.34.56.78 (dangerous). Quote Seeing eset remot administrator banner, and message : Invalid HTTPS configuration The host name of the HTTPS certificate does not match the Mobile Device Connector host name or has expired. Reconfigure the Mobile Device Connector with a valid HTTPS certificate. When trying https://12.34.56.79:9980 => message that mdm is running well. Link to comment Share on other sites More sharing options...
ESET Staff Oliver 9 Posted July 12, 2018 ESET Staff Share Posted July 12, 2018 At this point, I would recommend contacting ESET technical support, with a reference to this forum topic. Link to comment Share on other sites More sharing options...
ESET Staff Mirek S. 18 Posted July 17, 2018 ESET Staff Share Posted July 17, 2018 (edited) If you installed MDM on windows machine MDM HTTPS certificate chain (in this case ERA CA you used to generate certificate) must be imported into machine keystore. This requirement will be removed in 7.0 as we moved away from windows crypto api. https://help.eset.com/era_install/65/en-US/certificate_mdm_https.html HTH Edited July 17, 2018 by LegacyConnectorSupport Link to comment Share on other sites More sharing options...
Recommended Posts