Errors after moving from ESMC to ECA


Hi,

I have recently moved from ESMC to ECA, and have moved the proxy to a different server.

My original ESMC was at 192.168.10.22, but this has been uninstalled as all the clients are now managed by the ECA.

The policy settings for the proxy and client were updated to the new server 192.168.1.25.

Any ideas why I am still seeing issues on the proxy logfile?

Apache HTTP Proxy - Error Log

[Tue Mar 12 10:43:13.080763 2019] [access_compat:error] [pid 1740:tid 12560] [client 192.168.1.22:57997] AH01797: client denied by server configuration: proxy:192.168.10.22:2222
[Tue Mar 12 10:43:14.221433 2019] [access_compat:error] [pid 1740:tid 12560] [client 192.168.10.128:53096] AH01797: client denied by server configuration: proxy:192.168.10.22:2222
[Tue Mar 12 10:43:14.565162 2019] [access_compat:error] [pid 1740:tid 12560] [client 192.168.1.121:52370] AH01797: client denied by server configuration: proxy:192.168.10.22:2222
[Tue Mar 12 10:43:18.066197 2019] [access_compat:error] [pid 1740:tid 12560] [client 192.168.1.117:54482] AH01797: client denied by server configuration: proxy:192.168.10.22:2222

 

Client - Trace Log

2019-03-12 11:23:44 Error: CReplicationModule [Thread 1c20]: CAgentReplicationManager: Replication finished unsuccessfully with message: InitializeConnection: Initiating replication connection to 'host: "192.168.10.22" port: 2222' failed with: Request: Era.Common.Services.Replication.CheckReplicationConsistencyRequest on connection: host: "192.168.10.22" port: 2222 with proxy set as: Proxy: Connection: 192.168.1.25:3128, Credentials: Name: , Password: ******, Enabled:1, EnabledFallback:1, failed with error code: 14, error message:  Connect Failed, and error details: Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: 4xasvbw3hh3edgrmtvqbvr5vmu.a.ecaserver.eset.com:443, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 862ac1e5-39db-41f6-9a2c-9d601ac7b565, Sent logs: 0, Cached static objects: 41, Cached static object groups: 11, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]
2019-03-12 11:33:23 Error: CReplicationModule [Thread 1c20]: InitializeConnection: Initiating replication connection to 'host: "192.168.10.22" port: 2222' failed with: Request: Era.Common.Services.Replication.CheckReplicationConsistencyRequest on connection: host: "192.168.10.22" port: 2222 with proxy set as: Proxy: Connection: 192.168.1.25:3128, Credentials: Name: , Password: ******, Enabled:1, EnabledFallback:1, failed with error code: 14, error message: Connect Failed, and error details: 
2019-03-12 11:33:23 Warning: CReplicationModule [Thread 1c20]: InitializeConnection: Not possible to establish any connection (Attempts: 1)


 

Link to comment
Share on other sites

  • ESET Staff

You have to adjust the proxy in more places than one.

- proxy for the Endpoint client, for downloading the updates

- proxy for the ESMC agent, for both downloading updates, and for replication 

Have you changed it in both places? 

Link to comment
Share on other sites

Yes,

I updated both - I have a policy for File Security, Endpoint Security & Agent; all three were changed to the new proxy server.

For the Clients I have:

Update > Updates > Connection Options > Proxy Mode - Use Global Proxy Settings

Tools > Proxy Server >

                                        Use Proxy Server - Yes

                                        Proxy Server - 192.168.1.25

                                        Port - 3128

For The Agent I have:

Advanced Settings > 

                                        Use Proxy Server - Yes

                                        Proxy Server - 192.168.1.25

                                        Port - 3128

Link to comment
Share on other sites

  • ESET Staff

Could you please verify that the clients generating log entries are actually connecting to ECA? It is possible they have a problem and are thus also connecting to the previous ESMC installation through the new HTTP proxy. It is possible that there was something wrong with the migration and AGENTs are configured to connect to both ECA and also the original ESMC -> could you verify this hypothesis by extracting the AGENT's configuration via the Diagnostic tool and checking whether the configuration also contains the original ESMC server, referenced by the IP address shown in the logs?

Link to comment
Share on other sites

Hi,

All clients are connecting to ECA, they are all showing in the console.

The previous ESMC and previous proxy have been uninstalled, only the new proxy is on-premises.

When I moved the clients over to ECA, I generated a live installer and just updated the agent, I didn't replace the EES install. I didn't specify proxy settings on the installer as I believed the settings would be updated by the policies.

Can you guide me to where the diagnostic tool is?

Link to comment
Share on other sites

I've found the tool - see configuration log

{"internal":{"ProductVersion":{"ce_val":"7.0.0"},"ConfengVersion":{"ce_val":"1663.15.0"},"NextIndex":{"ce_val":"1006"},"NextAutoInc":{"ce_val":"1"}},"agent":{"automation":{"replication_task":{"connections":{"ce_ord":"a1005","ce_flg":"2","a1005":{"host":{"ce_val":"192.168.10.22","ce_flg":"0"},"port":{"ce_val":"2222","ce_flg":"0"}}}},"replication_trigger":{"ce_flg":"2","cron_interval":{"ce_val":"R 3,13,23,33,43,53 * * * ? *","ce_flg":"2"},"delay":{"ce_val":"30","ce_flg":"2"}},"updates_defaults":{"server":{"ce_val":"AUTOSELECT","ce_flg":"2"}}},"network":{"http_proxy_configuration":{"proxy_configuration_eset_services":{"connection":{"host":{"ce_val":"192.168.10.22","ce_flg":"2"},"ce_flg":"2","port":{"ce_val":"3128","ce_flg":"2"}},"enabled":{"ce_val":"1","ce_flg":"2"},"ce_flg":"2","credentials":{"ce_flg":"2","name":{"ce_val":"","ce_flg":"2"},"password":{"ce_val":"","ce_flg":"2"}},"direct_connection_fallback":{"ce_val":"1","ce_flg":"2"}},"proxy_configuration_global":{"connection":{"host":{"ce_val":"192.168.1.25","ce_flg":"2"},"ce_flg":"2","port":{"ce_val":"3128","ce_flg":"2"}},"enabled":{"ce_val":"1","ce_flg":"2"},"ce_flg":"2","credentials":{"ce_flg":"2","name":{"ce_val":"","ce_flg":"2"},"password":{"ce_val":"","ce_flg":"2"}},"direct_connection_fallback":{"ce_val":"1","ce_flg":"2"}},"proxy_configuration_replication":{"connection":{"host":{"ce_val":"192.168.1.25","ce_flg":"0"}},"enabled":{"ce_val":"1","ce_flg":"0"}},"proxy_configuration_type":{"ce_val":"1","ce_flg":"2"}},"network_configuration":{"certificate":""}},"repository":{"repository_configuration":{"ce_val":"http:\/\/us-repository.eset.com\/v1","ce_flg":"2"}},"diagnostics":{"send_crash_report_and_telemetry":{"ce_val":"0","ce_flg":"2"}}}}

From what I can read of the log it's showing (forgive me if I'm wrong):

replication host - 192.168.10.22:2222

proxy configuration eset services - 192.168.10.22

proxy configuration global - 192.168.1.25

proxy configuration replication - 192.168.1.25

The first two settings are incorrect; this is pointing to the original ESMC location, which has been replaced by ECA.

 

Link to comment
Share on other sites
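The check discussed in the posts above (does the exported agent configuration still reference the old ESMC address, and which clients does the proxy log show asking for it) can be scripted. This is an added example, not part of the original posts and not ESET code; the function names are hypothetical, the sample configuration is trimmed from the one posted above, and the log lines are two of those posted at the top of the thread.

```python
import json
import re

# Trimmed from the agent configuration posted above (same keys and values).
SAMPLE_CONFIG = json.loads("""
{"agent": {
  "automation": {"replication_task": {"connections": {"a1005": {
      "host": {"ce_val": "192.168.10.22"}, "port": {"ce_val": "2222"}}}}},
  "network": {"http_proxy_configuration": {
    "proxy_configuration_eset_services": {"connection": {
      "host": {"ce_val": "192.168.10.22"}, "port": {"ce_val": "3128"}}},
    "proxy_configuration_global": {"connection": {
      "host": {"ce_val": "192.168.1.25"}, "port": {"ce_val": "3128"}}},
    "proxy_configuration_replication": {"connection": {"host": {"ce_val": "192.168.1.25"}}}}}}}
""")

# Two lines from the Apache HTTP Proxy error log posted above.
SAMPLE_LOG = """\
[Tue Mar 12 10:43:13.080763 2019] [access_compat:error] [pid 1740:tid 12560] [client 192.168.1.22:57997] AH01797: client denied by server configuration: proxy:192.168.10.22:2222
[Tue Mar 12 10:43:14.221433 2019] [access_compat:error] [pid 1740:tid 12560] [client 192.168.10.128:53096] AH01797: client denied by server configuration: proxy:192.168.10.22:2222
"""

def endpoints(node, path=()):
    """Yield (dotted_path, host, port) for every dict holding a 'host' ce_val."""
    if not isinstance(node, dict):
        return
    host = node.get("host")
    if isinstance(host, dict) and "ce_val" in host:
        port = node.get("port", {}).get("ce_val")  # some entries carry no port
        yield ".".join(path), host["ce_val"], port
    for key, child in node.items():
        yield from endpoints(child, path + (key,))

def stale_endpoints(config, retired_hosts):
    """Return the endpoints whose host is a decommissioned server."""
    return [e for e in endpoints(config) if e[1] in retired_hosts]

DENIED = re.compile(r"\[client ([\d.]+):\d+\] AH01797: .*proxy:([\d.]+):(\d+)")

def denied_targets(log_text):
    """Map each denied proxy target 'host:port' to the set of requesting clients."""
    hits = {}
    for client, host, port in DENIED.findall(log_text):
        hits.setdefault(f"{host}:{port}", set()).add(client)
    return hits

if __name__ == "__main__":
    for path, host, port in stale_endpoints(SAMPLE_CONFIG, {"192.168.10.22"}):
        print(f"STALE {path} -> {host}:{port}")
    print(denied_targets(SAMPLE_LOG))
```

Run against each client's exported configuration, the stale paths show which setting (replication connection or a per-service proxy) still carries the old address, and the log summary shows which clients have not yet been repaired.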

  • ESET Staff

Indeed, there is definitely something wrong. This client is clearly not configured to connect to ECA -> any chance you have made some policy imports into ECA? Or some local repair of this client? The replication interval seems to be correct, i.e. this client was connected to ECA, but later it changed its connection hostname.

Link to comment
Share on other sites

Hi Martin,

When I initially set the policies on ECA, I did an export of the policies from ESMC and then imported them into ECA.

I created a live installer from ECA using the agent policy, but with no settings for proxy - I assumed the settings would come from the policy.

Some time after moving all the clients onto ECA, I then moved the proxy server and updated the policies to reflect the new change.

It was from here onwards where I was looking closer at the log files and noticing something was not quite right.

 

So with this I did some testing last night, using "request configuration" from ECA to monitor settings:

I created a new agent policy from scratch and applied to my clients, un-assigning the previous policy. This didn't correct the connection host.

I created a new live installer for the agent using the new policy and entered the proxy settings.

I then uninstalled the agent from a client and re-deployed the agent; this cleared the issue.

I then re-deployed this agent to a client with a previous install, thus overwriting it; this corrected most settings, but I still have the ESET services proxy set to the old ESMC.

The configuration between the two clients differed in advanced settings - Proxy Type, Global Proxy, Replication, Eset Services.

I tried multiple changes and this is where I got lost/tired.

 

There are some possible scenarios:

1. The policy imported into ECA had settings specifically for ESMC that were not required by ECA. This then propagated to each client when I updated the agents on the clients.

2. When deploying the agent, the agent install did not clear out the settings of the previous install on clients and left bogus settings which were then used.

3. There is an issue with the live agent generation for ECA, which is not tailoring the setting for ECA usage.

 

Can you please investigate this, as I believe I may have discovered a bug/issue that needs correcting.

 

Link to comment
Share on other sites

  • ESET Staff
6 hours ago, Roger Nock said:

1. The policy imported into ECA had settings specifically for ESMC that were not required by ECA. This then propagated to each client when I updated the agents on the clients

This is the most probable reason. ECA does not enable the user to create a policy with a connection hostname, but a policy imported from ESMC will retain this setting. So in case you imported a policy that had some connection host specified, ECA agents will start to use it instead of their original ECA hostname. If this is the case, the only solution is to unassign/remove such a policy (unfortunately you won't be able to see which one it is, as these settings are hidden in the ECA console) and repair the AGENT by re-deployment of the installer.

Regarding the proxy, I am not sure whether I understand the scenario, but in case you used an HTTP proxy for ESMC, and you do not wish to use this proxy for ECA, you have to create a new policy in ECA, where you explicitly disable use of the HTTP proxy. In case you do not do that, AGENTs will still be using the previous settings, i.e. they won't revert to the settings used before the policy was applied. This can for example be done by creating a policy:

image.png

where the crucial parts are highlighted. The "Proxy configuration type" setting, which is not visible, should be set to Global proxy.

Link to comment
Share on other sites

I have remade the agent and deployed it to a client. I uninstalled the previous agent first before installing the new one.

These are the settings shown below:

Config = Client Configuration Settings pulled by ECA, Policy = ECA Policy Settings

Can you please confirm that this is what is expected from installing the agent as I have done?

Config - Agent Advanced.JPG

Config - Agent Advanced.jpg shows Proxy Configuration set to Different Proxy Per Service, and Global Proxy greyed out.

 

Config - Agent Replication.JPG

Config - Agent Replication.jpg shows the correct settings.

 

Config - Agent Services.JPG

Config - Agent Service.jpg shows that the proxy setting is disabled.

 

Policy - Agent Settings.JPG

Policy - Agent Settings.jpg shows all the settings that are available, it does not give the ability to change the global policy settings - the image you posted previously was for the ESMC/ERA not the ECA.

(I will try and get the images of a client configuration using the same installer where I didn't remove the agent initially, I believe it shows different settings in the configuration.)

Edited by Roger Nock
Tidy up message
Link to comment
Share on other sites

I have reinstalled the new agent (one used above) onto a client without uninstalling the agent first, as I thought the results are different.

The configuration settings for a clean install match the ones for an overwrite except for the services setting.

Config - Services (overwrite).PNG

The Services still point to the old ESMC address, which would have been the Global Proxy address.

I don't understand why the global proxy address is not being set, and all the individual proxy settings using this.

For any relevance, I install the agents by the remote deployment tool. I use the agent created in a live installer.

When deploying I unset the use ESET AV remover, I didn't want it to clear any previous installs.

Edited by Roger Nock
added note
Link to comment
Share on other sites

@MartinK

@MichalJ

Any update/solution to the proxy settings?

In particular why I am not getting the global proxy setting enabled when deploying the agent.

I would like to get my installations re-deployed with a working agent as soon as I can.

Cheers

Link to comment
Share on other sites

  • ESET Staff
On 3/14/2019 at 6:20 PM, Roger Nock said:

Policy - Agent Settings.jpg shows all the settings that are available, it does not give the ability to change the global policy settings - the image you posted previously was for the ESMC/ERA not the ECA.

Thanks for pointing this out -> I think this is the core problem and I have to ask whether it is supposed to work this way. Technically in ECA you can actually set only the HTTP proxy for "ESET services" and that is why the global proxy is not overridden. This also means that if such a proxy configuration was used before migration to ECA, it will remain because the policy from ECA won't override it.

Link to comment
Share on other sites

  • 3 weeks later...
This topic is now closed to further replies.