Zafer H, posted December 5, 2018 (edited)

I was using this setup on ERA 6.5 with ERA Proxy (figure 1). I had multiple IP addresses in the agent's policy ("Servers to connect" section, see figure 2), so clients were able to connect to the ERA console while roaming, etc.

Figure 1: [image]
Figure 2: [image]

I replaced ERA with the ESMC 7 Virtual Appliance (not an in-place upgrade; replaced). I followed this guide: https://support.eset.com/kb6922/

Clients are connecting without any problem, but my setup in figure 1 is not working, because I need to specify the proxy in the "ESET Management Agent > Advanced Settings > HTTP Proxy > Replication (to ESMC Server)" settings, where only one address can be entered. (The proxy's IP address will be different for roaming clients.) So this forces me to use hostnames, and I don't want to use a hostname for the proxy, because a hostname can be blocked by a web filter, mis-resolve, etc. I don't want to rely on hostnames. So basically, how can I use multiple IP addresses for the agent to communicate with the ESMC 7 console?

Edited December 5, 2018 by Zafer H: added link
janoo (ESET Staff), posted December 5, 2018

Hi Zafer, using the hostnames is the best practice; however, if you do not want to use that, there is a workaround for this: Duplicate your agent policy and set up different IPs in those duplicates. Create dynamic groups with conditions that would separate roaming agents from other agents (e.g. subnet) and apply policies to those dynamic groups appropriately. After that, when the agent finds itself in the new group, it will start using the other IP.
Zafer H (author), posted December 5, 2018

1 hour ago, janoo said:
Hi Zafer, using the hostnames is the best practice; however, if you do not want to use that, there is a workaround for this: Duplicate your agent policy and set up different IPs in those duplicates. Create dynamic groups with conditions that would separate roaming agents from other agents (e.g. subnet) and apply policies to those dynamic groups appropriately. After that, when the agent finds itself in the new group, it will start using the other IP.

Thank you very much for the quick reply. Yes, I do have dynamic groups, but how will the console be notified by the client? Please correct me if I am wrong, because there will be no communication between agent and console when the client is outside the internal network. (They are not forced to activate VPN while roaming.)
janoo (ESET Staff), posted December 5, 2018

Hi, if you set these groups and policies while clients are on the network and connected, policies and DG rules are stored on the agents locally, so they can resolve themselves under new conditions even without server assistance. This ability is necessary for agents to work properly because, e.g., if you have the replication period set to 6 hours, your agent needs to know what to do every second during those 6 hours. The question for you is: is it even possible (in your infrastructure) for agents from outside to reach the ESMC Server?
Zafer H (author), posted December 5, 2018

Quote:
The question for you is: is it even possible (in your infrastructure) for agents from outside to reach the ESMC Server?

Yes, it's possible via Apache HTTP Proxy.

Quote:
Hi, if you set these groups and policies while clients are on the network and connected, policies and DG rules are stored on the agents locally, so they can resolve themselves under new conditions even without server assistance.

So all I needed to do is create multiple agent policies (WAN IP and port, and local IP and port of the Apache HTTP Proxy) and send them to the workstations. (Dynamic group or static group, both should be OK; this is what I understood.)
MichalJ (ESET Staff), posted December 5, 2018 (edited)

In general, you need to create "pairs" of a dynamic group, based on the location, and of a policy per location, which will be assigned to this dynamic group.

Edited December 5, 2018 by MichalJ
janoo (ESET Staff), posted December 5, 2018

Exactly as MichalJ said: pairs of dynamic group + agent policy. Static groups are not a viable option for this (clients cannot automatically change their position in a static group). See the similar scenario: https://support.eset.com/kb6851/
Zafer H (author), posted December 6, 2018

Thank you very much for your help, it works like a charm now. Here is what I did as an extra while following this guide, https://support.eset.com/kb6922/ :

Added my custom port to /etc/httpd/conf/httpd.conf:
Listen 3333

Added my custom port to /etc/httpd/conf/proxy.conf:
AllowConnect 443 2222 3333

Created a new virtual host in /etc/httpd/conf/proxy.conf:
<VirtualHost *:3333>
    ProxyRequests On
</VirtualHost>

Added my custom port to SELinux:
semanage port -a -t http_port_t -p tcp 3333

I haven't used the dynamic group; I applied the policy directly instead. It might be better to create a dynamic group for those clients, but I couldn't figure it out yet, because subnet is not a good way to detect roaming clients; we have got a large network. A client might be in the same subnet while off the internal network. Do you have any suggestions?

BR, ZH
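A consistency check for the extra Apache HTTP Proxy steps above, added here as an example (not code from the thread or from ESET): for every `<VirtualHost *:PORT>` in proxy.conf it verifies that httpd.conf has a matching `Listen` and that the port is allowed in `AllowConnect`, which is the classic way a custom port ends up silently unreachable. The config text is constructed inline; the SELinux port label is not checked because it needs the live system.

```shell
#!/bin/sh
# Added example, not from the forum thread or ESET. Cross-checks the
# three places a custom Apache HTTP Proxy port must appear:
#   httpd.conf  -> Listen PORT
#   proxy.conf  -> AllowConnect ... PORT ...
#   proxy.conf  -> <VirtualHost *:PORT>
# On a real host, feed it "$(cat /etc/httpd/conf/httpd.conf)" and
# "$(cat /etc/httpd/conf/proxy.conf)" instead of the samples below.

# Constructed sample config: port 3333 is complete, port 2222 has a
# VirtualHost and is in AllowConnect but has no Listen line.
SAMPLE_HTTPD='Listen 3128
Listen 3333'
SAMPLE_PROXY='AllowConnect 443 2222 3333
<VirtualHost *:3333>
    ProxyRequests On
</VirtualHost>
<VirtualHost *:2222>
    ProxyRequests On
</VirtualHost>'

# vhost_ports CONF: print the port of every <VirtualHost *:PORT>
vhost_ports() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*\*:\([0-9]*\)>.*/\1/p'
}

# listen_ports CONF: print the port of every Listen directive
# (handles both "Listen 3333" and "Listen 0.0.0.0:3333")
listen_ports() {
  printf '%s\n' "$1" | awk '$1 == "Listen" { sub(/.*:/, "", $2); print $2 }'
}

# allowconnect_ports CONF: print every port named in AllowConnect
allowconnect_ports() {
  printf '%s\n' "$1" | awk '$1 == "AllowConnect" { for (i = 2; i <= NF; i++) print $i }'
}

# check_proxy_ports HTTPD_CONF PROXY_CONF
# Prints one line per missing directive; returns 0 when consistent, 1 otherwise.
check_proxy_ports() {
  httpd="$1"; proxy="$2"; rc=0
  for p in $(vhost_ports "$proxy"); do
    listen_ports "$httpd" | grep -qx "$p" || { echo "port $p: no Listen in httpd.conf"; rc=1; }
    allowconnect_ports "$proxy" | grep -qx "$p" || { echo "port $p: not in AllowConnect"; rc=1; }
  done
  return $rc
}

check_proxy_ports "$SAMPLE_HTTPD" "$SAMPLE_PROXY" || echo "proxy config is inconsistent"
```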
janoo (ESET Staff), posted December 10, 2018

Hi, I am glad it works. If clients could be in the same subnet even while they are off the internal network, you have to find some condition which changes when they are off. If the network is not a reliable indicator, how do they even know they are off? Is there some other app involved?