
2 Sites with 1 URL and certificates



Would appreciate some guidance with this.

Site 1: restricted network, small bandwidth. Has an ESET appliance managing all machines in this site; providing the ESMC again in this site allows the virus definition updates to be downloaded once, with all machines updating from this server as opposed to all machines going over the low-bandwidth internet.

Site 2: less restricted, decent bandwidth. Has separate ESET appliance managing machines

Sometimes people in site 1 move to site 2 for a couple of months for work and therefore no longer receive updates to ESET as they can no longer connect to their usual ESMC server. To get around this, we thought it would be possible to use the same URL for machines to use. So no matter where the machine was it would use the one URL and always be able to connect and receive its updates.

E.g. Laptop A usually lives in Site 1 and ESET goes to eset.domain to contact the ESMC, then when Laptop A moves over to Site 2 (which also has eset.domain) it would just be able to connect in to Site 2's ESMC and receive all its normal updates. We would then see the machine in ESMC in Site 2 and be able to manage it as needed until it moved back to Site 1 where it could also continue to work as normal - and be managed by the dedicated IT team there.

What we actually find is that these machines from Site 1 are just unable to connect to Site 1 and 2 ESMCs and therefore do not receive any updates until they are back in Site 1 again.

Our thoughts were this was due to the certificates not matching up and therefore ESMC denies ESET Endpoint being able to get updates from here.

Let me know if this is unclear, appreciate any help with this

Thanks!

Edited by JustWantingBasicHelp
Grammar

  • Administrators

First of all, Endpoint and specifically ESMC agent was not designed to report to different ESMC servers.

As for updates from different locations in different networks, it's possible to create two update profiles with different update servers set and then use them as a primary and secondary update profile for an update task.


  • ESET Staff

As @Marcos mentioned, this scenario will most probably not work correctly as it was neither tested nor designed to work.

The most probable problem you have with communication is indeed related to certificates. It should be resolved fairly easily: you just have to export CA certificates from ESMC1 and import them into ESMC2 and vice versa. Once AGENT connects to such an ESMC, it will receive both CA certificates, which will enable it to connect to both ESMC servers. What might be a problem is that each time AGENT migrates between ESMC servers it will most probably result in duplication in the console, i.e. the device will not be paired after migration. It is even possible that the administrator of ESMC will have to explicitly accept the connection of such an AGENT (there would be "Questions" due to HW changes) as it might trigger spoofing protection introduced in ESMC. But maybe that is acceptable in case it would not happen very often.

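The trust relationship described in the reply above, as an added example that is not part of the thread and does not use ESET tooling: plain `openssl` stands in for the two servers' CAs, and all labels and file names are constructed. It shows that both sites answering as eset.domain does not help while the client's trust bundle holds only one site's CA, and that a bundle with both CAs accepts either server.

```shell
#!/usr/bin/env bash
# Constructed demo: two private CAs stand in for the CA of each site's server.
# eset.domain is the shared hostname from the thread; labels and file names are made up.
WORK=$(mktemp -d)

make_ca() {            # $1 = site label, e.g. site1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1 demo CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

make_server_cert() {   # $1 = site label; same subject on both sites, different issuer
  openssl req -newkey rsa:2048 -nodes -subj "/CN=eset.domain" \
    -keyout "$WORK/$1-srv.key" -out "$WORK/$1-srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-srv.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -out "$WORK/$1-srv.pem" 2>/dev/null
}

trusts() {             # $1 = client trust bundle, $2 = site label; prints ok or rejected
  if openssl verify -CAfile "$1" "$WORK/$2-srv.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

for site in site1 site2; do
  make_ca "$site"
  make_server_cert "$site"
  # Both server certificates carry the same subject; only the issuer differs.
  openssl x509 -in "$WORK/$site-srv.pem" -noout -subject -issuer
done

# Client that has only ever talked to site 1: one CA in its bundle.
cp "$WORK/site1-ca.pem" "$WORK/agent-before.pem"
# Client after each site's CA has been shared with the other: both CAs.
cat "$WORK/site1-ca.pem" "$WORK/site2-ca.pem" > "$WORK/agent-after.pem"

for bundle in agent-before agent-after; do
  for site in site1 site2; do
    echo "$bundle -> $site server: $(trusts "$WORK/$bundle.pem" "$site")"
  done
done
```
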

Hhmmm ok interesting, we'll have to do some testing but the profiles sound interesting, of course we would like to keep them monitored while they're away from Site 1 but as long as we know they'll still be getting updates directly from a second profile also works for us.

Followup question, if a device doesn't check in with ESMC after a certain time period will it un-license itself or anything? E.g. if it was away from site 1 for 3 months would it no longer update itself?

If so, can this time limit be defined in ESMC?

Thanks for your help!


  • Administrators
10 minutes ago, JustWantingBasicHelp said:

Followup question, if a device doesn't check in with ESMC after a certain time period will it un-license itself or anything? E.g. if it was away from site 1 for 3 months would it no longer update itself?

If so, can this time limit be defined in ESMC?

This could happen only if you have a server task "Delete not connecting computers" created:
