https:// console issue after ESET 7.0 upgrade


Manikandan R

Hi,

Please see the image below. I have a firewall and a UPS; the HTTPS consoles of all this hardware do not open after upgrading the ESET 7.0 client. If I remove the AV, I can get to the console without any issue.

Please advise.

https://172.25.2.2

[Attached image]


  • ESET Staff

Do I understand it correctly that once you installed ESMC, client computers (i.e. computers without ESMC installed, but with AGENT + Endpoint) are blocking access to the internet? If so, could you check the configuration of the related protection in Endpoint? Are you using a policy that is supposed to block "unknown" internet traffic?


1 hour ago, MartinK said:

Do I understand it correctly that once you installed ESMC, client computers (i.e. computers without ESMC installed, but with AGENT + Endpoint) are blocking access to the internet? If so, could you check the configuration of the related protection in Endpoint? Are you using a policy that is supposed to block "unknown" internet traffic?

It's not blocking the internet, just the console (SSL).


  • ESET Staff
6 hours ago, Pinni3 said:

It's not blocking the internet, just the console (SSL).

Oh, in that case checking with a different browser could provide more details. In case the ESMC appliance is newly deployed (new installation or migration of an older ERA), a new SSL certificate has been generated for the console. It is possible that the certificate is not signed for the IP address used in the example, and the certificate will also be self-signed, so it has to be explicitly accepted. I am not sure why this possibility has not been offered by this browser ...

Also, in case a custom SSL certificate for the console was used in the older appliance, it has to be migrated manually.


  • 1 month later...
  • ESET Staff

Manual migration means that you have to copy the old certificate to the new appliance and modify Apache Tomcat's configuration file, located at /etc/tomcat/server.xml.

In this configuration file, you will find a section like this:

    <Connector port="8443"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_CBC_SHA"
               keystoreFile="/etc/tomcat/.keystore"
               keystorePass="O1XFm2l6aW0xb1nTzWzSzQIpCdxHh2OO"
               keyAlias="tomcat"
               />

where the parameters:

               keystoreFile="/etc/tomcat/.keystore"
               keystorePass="O1XFm2l6aW0xb1nTzWzSzQIpCdxHh2OO"
               keyAlias="tomcat"

are related to the SSL certificate configuration. Those settings have to be transferred to the new appliance.

So you actually have to:

  1. Copy the file keystoreFile (in my case /etc/tomcat/.keystore) from the old appliance to the new one. It is easiest to just replace the file, i.e. use the same name on both the old and new appliances.
  2. Modify /etc/tomcat/server.xml on the new appliance to use the migrated SSL certificate. In case you used the same path for the copied file, you just have to set the value of keystorePass to the password used on the old appliance. Also, keyAlias has to be the same after migration.
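
An added example, not part of the original post and not ESET's own tooling: a Python check that the two steps above were applied consistently, without ever printing the keystore password. It assumes the text of both server.xml files and a local copy of each appliance's file tree are available; the function names, directory layout and sample values are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample configs (placeholder passwords, not real values).
OLD_XML = '''<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" keystoreFile="/etc/tomcat/.keystore"
             keystorePass="OLD-PLACEHOLDER" keyAlias="tomcat"/>
</Service></Server>'''
NEW_XML = OLD_XML.replace("OLD-PLACEHOLDER", "NEW-PLACEHOLDER")  # step 2 not done yet

def ssl_connector(server_xml):
    """Return the attributes of the SSL-enabled <Connector> in server.xml text."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            return dict(conn.attrib)
    raise ValueError('no Connector with SSLEnabled="true"')

def check_migration(old_xml, new_xml, old_root, new_root):
    """Return a list of problems; an empty list means the migration is consistent.
    old_root/new_root: directories holding a copy of each appliance's files."""
    old, new = ssl_connector(old_xml), ssl_connector(new_xml)
    problems = [f"{name} differs from old appliance"   # report the name, never the value
                for name in ("keystorePass", "keyAlias")
                if old.get(name) != new.get(name)]
    old_ks = old_root / old["keystoreFile"].lstrip("/")
    new_ks = new_root / new["keystoreFile"].lstrip("/")
    if not new_ks.is_file():
        problems.append("keystore missing on new appliance")
    elif old_ks.read_bytes() != new_ks.read_bytes():
        problems.append("keystore is not the migrated file")
    elif new_ks.stat().st_mode & 0o007:  # the keystore holds the private key
        problems.append("keystore is accessible to other users")
    return problems

def demo():
    """Run the check on constructed data: keystore copied, password not yet updated."""
    with tempfile.TemporaryDirectory() as tmp:
        for side in ("old", "new"):
            ks = Path(tmp, side, "etc/tomcat/.keystore")
            ks.parent.mkdir(parents=True)
            ks.write_bytes(b"constructed keystore bytes")
            ks.chmod(0o600)
        return check_migration(OLD_XML, NEW_XML, Path(tmp, "old"), Path(tmp, "new"))

if __name__ == "__main__":
    print(demo())
```

An empty list means keystorePass, keyAlias and the keystore file all match the old appliance; Tomcat still has to be restarted before it uses the migrated certificate.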