Agent v7.x not connecting to ESMC server

[FinAms 0]

Hi all,

Recently, we have upgraded Eset Remote Administrator 6.5 to Eset Security Management Center 7.
Everything works fine, old Eset Remote Administrator Agents 6.X are connecting succesfully to ESMC.

However, when we are upgrading the agents to Eset Security Management Agent 7.X, the client could not connect to the server.
See attached screenshot for the status log details.

As suggested in other topics, I have restarted the ESMC server several times and reinstalled the Agent. Unfortunately, this does not resolve the issue.

Policies and proxy are created as described in https://support.eset.com/kb6750/?locale=en_US&viewlocale=en_US
A username and password are not set in HTTP Apache Proxy.

Anyone have the solution for this issue?

Edited October 11, 2018 by FinAms
Wrong spelling

[MartinK 378]

Relevant error in this case is "Connect failed" which indicates problem with network connectivity -> could you verify there is no firewall blocking access? Or is AGENT correctly configured in terms of ESMC visibility. HTTP Proxy is not set, is it correct and AGENT should reach ESMC directly? Is OS where ESMC is running capable of holding TCP connection for all connecting clients? This might be problem especially on desktop operating systems. Only this specific client has problem, or no AGENT is able to connect?

If there will be no obvious reason why it does not work, please capture network traffic on client using tcpdump/wireshark so that it can be verified.

[FinAms 0]

On 10/11/2018 at 2:01 PM, MartinK said:

Relevant error in this case is "Connect failed" which indicates problem with network connectivity -> could you verify there is no firewall blocking access? Or is AGENT correctly configured in terms of ESMC visibility. HTTP Proxy is not set, is it correct and AGENT should reach ESMC directly? Is OS where ESMC is running capable of holding TCP connection for all connecting clients? This might be problem especially on desktop operating systems. Only this specific client has problem, or no AGENT is able to connect?

If there will be no obvious reason why it does not work, please capture network traffic on client using tcpdump/wireshark so that it can be verified.

We are testing the new agent on three clients now. None of these clients is connecting to ESMC.
Old agent 6.5 can connect successfully.

No firewall is blocking the used ports.
ESMC holds TCP connection, as the old client agents are still connected.

We are using HTTP Apache Proxy and the http.conf is configured according to the manuals on ESET.
The existing file used for 6.5 is used an a line is added:

#Allow connection to my ESMC Server machine
<ProxyMatch ^(Hotname(:[0-9]+)?(\/.*)?|IPAddress(:[0-9]+)?(\/.*)?)$>

Allow from all

</ProxyMatch>

AllowCONNECT 443 563 2222
 

An 'ESET Management Agent' policy has been applied with the settings:

Connection
Servers to connect to
Ip Address of the ESMC / Apache Proxy server
Port 2222
Not sure if this is really needed

Advanced Settings
- Proxy Configuration Type: Different Proxy Per Service
- Replication (to ESMC Server)
* Use Proxy server
* Host: IP of ESMC / HTTP Apache Proxy server
* Port: 3128
* Username and Password not configured
- ESET services (updates, packages, telemetry...)
* Use Proxy server
* Host: hostname of ESMC / HTTP Apache Proxy server
* Port: 3128
* Username and Password not configured

There is also an 'ESET Endpoint for Windows' policy applied with the settings:

Use Proxy server
* Proxy server: hostname of ESMC / HTTP Apache Proxy server
* Port: 3128

I am not sure why the text next to the scope 'Last Authentication' in the status.html report says "........... port 2222 with proxy set as: Proxy: Connection: :3128.
As you already suggests, it looks like there is not proxy configured.

You have any idea what causes this issue?
If it is related to the configuration of HTTP Apache Proxy, perhaps you can provide me with an example of the 'http.conf' file?

[MartinK 378]

Could you please check, that "Proxy configuration type" is explicitly marked as "apply". In case it is not applied, client will be using default value, which might be different, which might result in fact that your configuration is ignored.

Has this AGENT connected before? Or it has never connected, and thus it has not applied any policies?

Also there is Diagnostic.exe helper tool located in program files of AGENT and it can be used to extract AGENTs configuration - could you please check it contains HTTP proxy configuration?

[FinAms 0]

2 hours ago, MartinK said:

Could you please check, that "Proxy configuration type" is explicitly marked as "apply". In case it is not applied, client will be using default value, which might be different, which might result in fact that your configuration is ignored.

Has this AGENT connected before? Or it has never connected, and thus it has not applied any policies?

Also there is Diagnostic.exe helper tool located in program files of AGENT and it can be used to extract AGENTs configuration - could you please check it contains HTTP proxy configuration?

Could you specify where I need to check that "Proxy configuration type" is marked as "apply"? Do you mean forcing the policy setting?
Attached the configuration file that was collected with the diagnostic.exe

configuration.txt

In this file the actual hostname is replaced with <HOSTNAME>.

The line
{"ce_val":"1","ce_flg":"2"}},"proxy_configuration_type":
does not have a configuration, so it could be right that there is no setting applied.

 

EDIT:

It seems that HTTP Proxy was not enabled.
I have enabled "Use Proxy server" under Admin > Server Settings > Advanced Settings.
The status.html is slightly different.
Also the configuration file (configuration_new.txt) does contain more information.
The actual IP address of the hostname is replaced by <IP HOSTNAME>


configuration_new.txt

Edited October 12, 2018 by FinAms

[MartinK 378]

From exported configuration you provided we can see that HTTP proxy is set, but only for ESET services, i.e. it will be used only for downloading updates, installers, activation, etc., but not for so called "replication" which is how we call communication between AGENT and ESMC/ERA.

In order to resolve this issue, you have technically two possibilities:

1. Use the same HTTP proxy for both ESET services and also for AGENT connection to ESMC. In such case, you can use "Global Proxy" configuration type, and add proxy settings to "Global Proxy". Make sure that both proxy parameter and "Proxy Configuration Type" field are applied (= full dot on left pane). Policy should look like this:
2. Use separate HTTP proxy configuration, or not use HTTP proxy for ESET services, just for AGENT to ESMC communication. In such case, configuration can look like this:

In both case, you have to properly set specific hostname/port values for selected profiles, i.e. use "Edit".

[FinAms 0]

@MartinK,

EDIT:

A found the solution by comparing the policies within ESET ESMC and another restart of the server.

Still one problem as the ESET firewall seems to blocking some traffic.
After installing the agent, I receive the same errors in the status.html report.
When pausing the firewall (allow all traffic), the agent will successfully connect to ESMC.

Edited October 16, 2018 by FinAms

[FinAms 0]

On 10/15/2018 at 12:35 PM, FinAms said:

@MartinK,

EDIT:

A found the solution by comparing the policies within ESET ESMC and another restart of the server.

Still one problem as the ESET firewall seems to blocking some traffic.
After installing the agent, I receive the same errors in the status.html report.
When pausing the firewall (allow all traffic), the agent will successfully connect to ESMC.

Found the solution by disabling the option "Enable detection of application modification" within the Firewall settings.

 

[NuclearSSD 3]

On 10/17/2018 at 1:00 PM, FinAms said:

Found the solution by disabling the option "Enable detection of application modification" within the Firewall settings.

 

Superb find Sir ?

Credit to you on this post