Topsy

Era Server in Lan, Era Proxy in DMZ


Posted (edited)

Hi everyone.

I'm kind of new to this ESET software (business antivirus), but I have already installed the ERA server (+ Apache proxy) and the web console, and deployed the agents and the antivirus software.

I did half of it with the web console, because it didn't work in the end; I did the other part with a GPO script with a silent install. It works fine.

So now I'm looking to deploy the ESET antivirus on computers over the internet (not in my LAN).

So, my ERA administrator server (WS2016) is in the LAN (172.16.xx.xx), and I created a new VM (WS2016) in the DMZ (192.168.xx.xx). The VM in the DMZ can communicate with the ERA server.

The communication is OK, because I can see my ERA proxy in my ERA administrator console with no error (I had a problem with the certificate, but it's OK now). I then see the agent and proxy icons to the left of the name.

I set up an IP address in my firewall and allowed communication on 443 and 2222.

My proxy seems to be accessible from the internet (it answers my ping), but I don't know how to make sure it's 100% OK (I tried HTTP/HTTPS on different ports, with /era and without, but nothing answers).

I created a dedicated agent/AV policy and created a new all-in-one package (I put my public IP address in the list of servers). If I run the AIO package on a remote computer, the installation is OK, but I can't see it in the console.

In the case of an Android smartphone, it gives me a URL like https://xx.xx.xx.xx:9980/egn7b9td9, where xx is my external IP, but I can't download the APK. But I made an error: I installed the smartphone connector on the LAN server. So I uninstalled it, but I cannot install it on the proxy server, because there is already an agent and a database. Where should I install it?

What would you advise me to do for remote installation on computers?

If you need more information, just tell me.

Thank you.

 

Edited by Topsy (added OS)


I would recommend troubleshooting the AGENT connection using the steps described in the documentation; I would start with the status.html log, which should indicate the connection problem. There are two most common issues in this scenario:

  • The PROXY certificate has to be signed for the public hostname used by the AGENTs. This means that the certificate used by the PROXY must contain the public hostname in its Host field, or the wildcard "*", which is not recommended but would work.
  • The AGENTs are connecting to the wrong hostname. I guess this is the problem, as I am not sure whether the hostnames from the policy you mentioned are actually used. I cannot verify now, but I think the hostname specified during installer creation (it should be in the advanced parameters of the installer wizard) will actually override those specified in the policy, and in case you have not modified it, the default value will be used (i.e. it will most probably be the internal hostname of your ERA server, which is obviously not accessible from outside the network). A problem with a wrong hostname will be visible in the status.html log. The workaround is to use the public hostname explicitly in the installer; once the AGENT connects to ERA, it can be reconfigured to use multiple hostnames, i.e. apply a policy with a list of servers including the private and public hostnames.

Just a note: the ERA PROXY is used only by AGENTs to connect to the ERA SERVER. The ERA Web Console (web interface) won't be accessible from outside the network through the PROXY machine, so port 443 can be blocked.

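One way to answer the "how do I make sure it's 100% OK" question from the opening post and to check the first bullet of the reply above, as an added example that is not part of the reply or of ESET's documentation: run the following PowerShell from a machine outside the LAN. It assumes that the public host and port are placeholders to replace with your own, that the ERA agent port speaks TLS and presents the proxy's peer certificate during the handshake, and that the proxy may refuse the handshake because no agent certificate is offered; the server certificate is still delivered to the validation callback before that happens, so it can be inspected anyway.

```powershell
# Added example (not from the ESET forum post). Probe the ERA Proxy's public
# endpoint from outside the LAN and check that the certificate it presents
# names the public host that the agents will be told to use.
param(
    [string]$PublicHost = 'era-proxy.example.com',  # ASSUMPTION: placeholder for your public name/IP
    [int]$Port = 2222                                # ERA agent port from the thread
)

# 1. Plain TCP reachability. A NAT rule that only passes *source* port 2222
#    fails here, because an agent connects from an ephemeral source port.
$tcp = Test-NetConnection -ComputerName $PublicHost -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP connect to ${PublicHost}:${Port} failed: check the firewall/NAT rule."
}

# 2. TLS handshake. The proxy will normally reject us because we present no
#    agent certificate, but its own certificate is handed to the validation
#    callback before that happens, so capture it there.
$script:proxyCert = $null
$capture = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:proxyCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    return $true   # inspect only; this script is not establishing trust
}
$client = New-Object System.Net.Sockets.TcpClient -ArgumentList $PublicHost, $Port
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $capture
$noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
$protocols = [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12'
try { $ssl.AuthenticateAsClient($PublicHost, $noClientCerts, $protocols, $false) }
catch { Write-Verbose "Handshake ended: $($_.Exception.Message)" }   # expected without an agent certificate
finally { $ssl.Dispose(); $client.Dispose() }
if (-not $script:proxyCert) { throw "No certificate received from ${PublicHost}:${Port}." }

# 3. Collect every name the certificate carries: the subject CN plus the
#    Subject Alternative Name entries (OID 2.5.29.17), which is where the ERA
#    "Host" field ends up. Format() renders them as "DNS Name=..., IP Address=...".
$names = @($script:proxyCert.GetNameInfo('SimpleName', $false))
$san = $script:proxyCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), '(?:DNS Name|IP Address)=([^,\s]+)') |
              ForEach-Object { $_.Groups[1].Value }
}
$names = $names | Sort-Object -Unique

# 4. A name matches if it equals the public host, is the bare wildcard "*",
#    or is a wildcard label that covers it ("*.example.com"). -like is
#    case-insensitive and treats "*" as a glob; it is looser than the
#    single-label rule of RFC 6125, which is fine for a diagnostic.
$matched = $names | Where-Object { $PublicHost -like $_ }

[pscustomobject]@{
    Subject      = $script:proxyCert.Subject
    Issuer       = $script:proxyCert.Issuer
    NotAfter     = $script:proxyCert.NotAfter
    NamesInCert  = ($names -join ', ')
    PublicHostOK = [bool]$matched
}
```

If `PublicHostOK` is false, the proxy certificate was generated for another Host value and agents outside will refuse it; regenerate it with the public name (or the public IP, as an IP Address entry) and reinstall it on the proxy. If the TCP test fails while ping succeeds, the problem is the port rule rather than ERA.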
Posted (edited)

Indeed, the address was good, but I needed to modify my firewall rule (before, I had set 2222 -> 2222, and I changed it to 1:65535 -> 2222). And I re-read the table with all the ports (on the ESET website). So now I can see the new remote computers in the ERA web console :-)

To make it easier to send, I use the Agent Live Installer with the ESET script (downloaded from the ESET website, using my script configuration). Out of curiosity, I was wondering whether the agent downloads the antivirus from my business site or from the internet? (I guess the internet, because my firewall says that only a few MB are used.)

A few questions about remote actions. I haven't tried everything we can do, but:

Some actions are working:
- uninstall software works (tried with 7zip; it works even if the console at computers > name_of_computer > installed software > 5th column says that the agent cannot do it)
- sending messages works
- reboot / shutdown work

But some are not working:
- I tried to uninstall the ESET antivirus: uninstall software, select the ESET antivirus in the list => failed (uninstalling the ESET agent works, but it keeps the antivirus on the computer).

- Windows update failed (RunUpdate: Update installation failed with orcFailed)

- It's not its primary role, but could it be useful to install software other than ESET? For example, I tried to create a new task, software installation, then I tried to write "https://get.videolan.org/vlc/3.0.3/win64/vlc-3.0.3-win64.exe" with the parameter /S, but it failed. I guess the software has to be on the local computer? So, maybe we can send files?

- If I go to a computer > installed software, I notice one piece of software, then I want to uninstall it with a task => the software is unfindable.

 

Then I'm still stuck on MDM because of the certificate (I don't have a real one), so I exported it from the ERA web console, but when I try to download, the website tells me that the certificate isn't trusted; I accept the certificate, then it tells me that the certificate isn't good (HTTPS configuration invalid). I read many articles like this one or this one or this one, but I must be stupid, because I still have the error.

 

Edited by Topsy

Posted (edited)

Morning..

I'm using:

ESET Remote Administrator (Server), version 6.5 (6.5.522.0)
ESET Remote Administrator (Console Web), version 6.5 (6.5.388.0)
ESET Endpoint Antivirus ; version 6.6.2078.5  windows

=> MDM: it's the mdmcore_x64.exe included in the ESET ISO image

I'll look at your link.

 

Edited by Topsy


I still get an error.

First I create a new certificate (ADMIN > Certificates). I create a new (standard) one.

Then I fill in:

GENERAL 

- Description: MDM Certificate
- Host: 12.34.56.78 (example; I write my own public IP address used to connect to the proxy VM in the DMZ)
- Passphrase: /
- Common name: 12.34.56.78
- Country code: FR (same as the other certificates)
- State: / (same as the other certificates)
- Locality name: my_town (same as the other certificates)
- Organization name: my_organization_name (same as the other certificates)

SIGN 

- Method: certification authority
- Certification authority: select "ERA certification authority" (my ERA server)
- Certification authority passphrase: my_passphrase

Then I create it. I export the certificate.


Then, I install the MDM connector (standalone) on the DMZ VM (because it is accessible from the internet). I accept the terms.
I select the exported certificate. I'm using no password.

Then I fill in:
- MDM hostname: 12.34.56.78
- MDM port: 9981
- Enrollment port: 9980

> next

- Database: MS SQL Server
- ODBC driver: SQL Server
- Database name: era_mdm_db
- Hostname: 172.16.XX.XX (LAN IP address of the ERA server)
- Port: 1433 (my port)

> next, network connection to ESET Remote Administrator

- Server host: 172.16.XX.XX (LAN IP of the ERA server)
- Server port: 2222
- Server-assisted installation

> next, connection to the Remote Administrator server

- Server host: 172.16.XX.XX (LAN IP of the ERA server)
- Web console port: 2223
- Username: sa (my SQL user)
- Password: my_sql_password

> received server certificate: yes, next, next, finish.

Ports 9981 + 9980 are accessible from the internet.
Trying to enroll a smartphone.

When trying from outside the business LAN:
https://12.34.56.78:9980/e8z39vkmc
=> advanced parameters, continue to site 12.34.56.78 (dangerous).

I see the ESET Remote Administrator banner and the message:

    Invalid HTTPS configuration
    The host name of the HTTPS certificate does not match the Mobile Device Connector host name or has expired.
    Reconfigure the Mobile Device Connector with a valid HTTPS certificate.

When trying https://12.34.56.79:9980 => message that MDM is running well.
 


At this point, I would recommend contacting ESET technical support, with a reference to this forum topic.


If you installed MDM on a Windows machine, the MDM HTTPS certificate chain (in this case the ERA CA you used to generate the certificate) must be imported into the machine keystore.

This requirement will be removed in 7.0, as we have moved away from the Windows crypto API.

https://help.eset.com/era_install/65/en-US/certificate_mdm_https.html

HTH

Edited by LegacyConnectorSupport

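An added example (not from the ESET reply above, nor ESET's own tooling) of doing that import on the DMZ machine that runs the Mobile Device Connector and then checking that the MDM HTTPS certificate chains and is within its validity period, in PowerShell. The file paths and the empty PFX passphrase are assumptions for illustration: the CA file stands for the ERA Certification Authority exported from the Web Console, and the PFX for the certificate given to the MDM installer.

```powershell
# Added example (not from the ESET reply). Import the ERA CA into the machine
# Trusted Root store and verify the MDM HTTPS certificate the way the Windows
# crypto API will when the MDM listener starts. Run from an elevated prompt.
param(
    [string]$EraCaPath   = 'C:\ERA\era-ca.der',     # ASSUMPTION: the ERA CA exported from Admin > Certificates
    [string]$MdmCertPath = 'C:\ERA\mdm-https.pfx',  # ASSUMPTION: the certificate handed to the MDM installer
    [string]$MdmCertPass = ''                       # the thread used no passphrase
)

# 1. Put the ERA CA in the machine Trusted Root store. The MDM service runs as a
#    service account, so CurrentUser\Root would not help it; LocalMachine\Root is
#    the store the Windows crypto API consults for it.
$ca = Import-Certificate -FilePath $EraCaPath -CertStoreLocation Cert:\LocalMachine\Root
"Trusted root added: $($ca.Subject)  thumbprint $($ca.Thumbprint)"

# 2. Load the MDM HTTPS certificate and build its chain. Revocation checking is
#    skipped because an internal ERA CA publishes no CRL this host could fetch.
$mdm = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $MdmCertPath, $MdmCertPass
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($mdm)

"Chain for $($mdm.Subject):"
$chain.ChainElements | ForEach-Object { "  $($_.Certificate.Subject)" }
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
    throw 'The MDM certificate does not chain to a trusted root; the enrollment page will keep reporting an invalid HTTPS configuration.'
}

# 3. The enrollment error also covers expiry, so check the validity window.
$now = Get-Date
if ($now -lt $mdm.NotBefore -or $now -gt $mdm.NotAfter) {
    throw "MDM certificate is outside its validity period ($($mdm.NotBefore) - $($mdm.NotAfter))."
}

# 4. Confirm the chain actually ends at the CA just imported, not at some other
#    root that happens to be trusted on this machine.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) {
    Write-Warning "Chain ends at '$($root.Subject)', not at the imported ERA CA; check that the MDM certificate was signed by it."
}
"MDM HTTPS certificate chains to a trusted root and is within its validity period; restart the MDM connector so it re-reads the store."
```

The chain build is the same check the MDM listener performs, so a failure here with `UntrustedRoot` or `PartialChain` in the status list means the CA was exported or imported into the wrong store (or the wrong CA was exported); the hostname half of the enrollment error is a separate condition and is not changed by this import.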
