Jump to content

ESMC - Appliance in DMZ and Multiple IP address for agent communication.


Recommended Posts

I was using this setup on ERA 6.5 with ERA proxy(figure 1). I had multiple ip address on agent's policy (Servers to connect section. see figure 2 ) so clients were able to connect ERA console while roaming, etc.

 

Figure 1:

image.png.8bdf968274807ac34de03dd6995af06c.png

 

Figure 2:

image.thumb.png.fdfe4d97b340754c7a68c89f2322167c.png

 

 

 i replaced ERA with ESMC 7  Virtual Appliance. ( Not a in place upgrade, replaced). followed this guide >> https://support.eset.com/kb6922/

Clients are connecting without any problem but my setup on figure 1 is not working.  because i need to specify proxy  in "ESET Management Agent > Advanced Settings > Http proxy> Replication (to ESMC Server) " settings which  is only one address can be  entered.(Proxy's ip address will be different for roaming clients). so this forces me to use hostnames which i dont want to use hostname for proxy. Because hostname can be blocked by webfilter, miss resolve etc.  I don't want to rely on hostname.

So basically how can i use use multiple ip address for agent to communicate ESMC7 Console.

 

 

 

 

Edited by Zafer H
added link
Link to comment
Share on other sites

  • ESET Staff

Hi Zafer, using the hostnames is the best practice, however if you do not want to use that, there is a workaround for this:

Duplicate your agent policy and set up different IPs in those duplicates. Create dynamic groups with conditions that would separate roaming agents from other agents (e.g. subnet) and apply policies to those dynamic groups appropriately. After that, when the agent find itself in the new group, it will start using the other IP.

Link to comment
Share on other sites

1 hour ago, janoo said:

Hi Zafer, using the hostnames is the best practice, however if you do not want to use that, there is a workaround for this:

Duplicate your agent policy and set up different IPs in those duplicates. Create dynamic groups with conditions that would separate roaming agents from other agents (e.g. subnet) and apply policies to those dynamic groups appropriately. After that, when the agent find itself in the new group, it will start using the other IP.

Thank you very much for quick reply.

yes I do have dynamic groups but how console will be notified by client, please correct me if i am wrong; because there will be no communication between agent and console when client is outside of internal network. (They are not being forced to activate vpn while roaming.)

 

Link to comment
Share on other sites

  • ESET Staff

Hi, if you set this groups and policies while Clients are on the network and connected, policies and DG rules are stored on the agents locally, so they can resolve themselves under new conditions even without server assistance.

This ability is necessary for agents to work properly, because, e.g. if you have replication period set to 6 hours, your agent needs to know what to do every second during those 6 hours.

The question for you is, it is even possible in (your infrastructure) for agents from outside to reach the ESMC Server?

Link to comment
Share on other sites

Quote

The question for you is, it is even possible in (your infrastructure) for agents from outside to reach the ESMC Server?

 

yes its possible via Apache HTTP Proxy.

Quote

Hi, if you set this groups and policies while Clients are on the network and connected, policies and DG rules are stored on the agents locally, so they can resolve themselves under new conditions even without server assistance.

so all i needed to do  create multiple agent policies (Wan IP, port and local IP, port  of Apache HTTP proxy)  and send to workstations. (dynamic group or static group, both should be ok, this is what i understood)

Link to comment
Share on other sites

  • ESET Staff

In general, you need to create "pairs" of dynamic group, based on the location, and of a policy per location, which will be assigned to this dynamic group. 

 

 

Edited by MichalJ
Link to comment
Share on other sites

Thank you very much for your help, it works like a charm now.

Here what i did to an extra  while following  this guide ,https://support.eset.com/kb6922/

  • Added my custom port to /etc/httpd/conf/httpd.conf : Listen 3333
  • Addedm my custom port to /etc/httpd/conf/proxy.conf: AllowConnect 443 2222 3333
  • Created new virtual host /etc/httpd/conf/proxy.conf

    <VirtualHost *:3333>
        ProxyRequests On
    </VirtualHost>

     

  • Added my custom port to SElinux:  semanage port -a -t http_port_t -p tcp 3333

     

I havent used the dynamic group, applied policy directly instead.

it might be better to create dynamic group for those clients but i couldnt figured out yet.

Because subnet is not a good way to detect roaming clients, we have got a large network. Client might be in the same subnet while off to internal network

Do you have any suggestions?

BR,

ZH

 

Link to comment
Share on other sites

  • ESET Staff

Hi, I  am glad it works.

If clients could be in the same subnet even while they are off the internal network, you have to find some condition which is changed when they are off. If network is not a reliable indicator, how they even know they are off? Is there some other app involved?

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...