tomrgsd, posted July 11, 2019 (edited July 11, 2019 by tomrgsd)

I have thousands of machines running version 5 (mostly version 5.0.2254). I have a new server running ESET Management Center latest version. I am pushing out management agent upgrades from the server to get machines communicating, then I initiate Endpoint upgrades from there. The clients are upgrading, however they are not activating. I try to push activation but it fails. It shows red and has an alert that says ESET Security Product is not activated and your computer is not protected. When I view the Products installed, it shows ESET Management Agent 7.0.577.0 Up-to-date version and ESET Endpoint Security 7.1.2053.0 Up-to-date Version. On one of the machines, I manually removed the Endpoint software and did manual install and it worked. I don't want to have to do that for 3000+ devices. Any help is appreciated.

tomrgsd (Author), posted July 12, 2019

There is an error code of ECP.20006 which just says to contact support.

Marcos (Administrators), posted July 15, 2019

You wrote "On one of the machines, I manually removed the Endpoint software and did manual install and it worked."

Does activation also work if you don't uninstall Endpoint first and try to activate it via gui -> Help and support -> Change license? If that fails, enable advanced network protection and advanced licensing logging in the advanced setup -> tools -> diagnostics -> advanced logging, try to activate the product, disable logging, collect logs with ESET Log Collector (https://support.eset.com/kb3466/) and post the generated archive here.

tomrgsd (Author), posted July 15, 2019

1 hour ago, Marcos said:
> You wrote "On one of the machines, I manually removed the Endpoint software and did manual install and it worked."
> Does activation also work if you don't uninstall Endpoint first and try to activate it via gui -> Help and support -> Change license? If that fails, enable advanced network protection and advanced licensing logging in the advanced setup -> tools -> diagnostics -> advanced logging, try to activate the product, disable logging, collect logs with ESET Log Collector (https://support.eset.com/kb3466/) and post the generated archive here.

Attachment: ees_logs.zip

Marcos (Administrators), posted July 15, 2019

There's only one "client hello" in the pcap log for SSL communication with 10.1.10.121 which is your proxy. If SSL inspection is performed by the proxy, you will need to set up an exception for communication with ESET licensing servers. For a list of addresses, please visit https://support.eset.com/kb332/.

You mentioned that activation works after uninstalling Endpoint and installing it from scratch. Couldn't it be because you didn't configure the proxy then and Endpoint connected directly to the activation servers?

tomrgsd (Author), posted July 15, 2019

52 minutes ago, Marcos said:
> There's only one "client hello" in the pcap log for SSL communication with 10.1.10.121 which is your proxy. If SSL inspection is performed by the proxy, you will need to set up an exception for communication with ESET licensing servers. For a list of addresses, please visit https://support.eset.com/kb332/.
> You mentioned that activation works after uninstalling Endpoint and installing it from scratch. Couldn't it be because you didn't configure the proxy then and Endpoint connected directly to the activation servers?

I already have those addresses allowed. I believe the same policy is applied for a fresh install. It is a packaged setup with our configuration bundled.

MartinK (ESET Staff), posted July 15, 2019

4 hours ago, tomrgsd said:
> I already have those addresses allowed. I believe the same policy is applied for a fresh install. It is a packaged setup with our configuration bundled.

I would recommend double-checking the configuration of the proxy (or security-related network device) you are using, to see whether it is configured in a way that communication with ESET licensing servers is not only enabled, but also TLS introspection is disabled, so that traffic is not modified.

In the provided network capture there is no attempt to bypass the HTTP proxy configuration - is HTTP proxy fallback explicitly disabled in the configuration? In case activation works manually, it might be because of the HTTP proxy available to the logged-in user, which might have a different configuration and thus work.

Marcos (Administrators), posted July 15, 2019

Looks like SSL introspection is performed on the proxy. This looks like a self-signed certificate, not ESET's one:

    Certificate:
        Issuer: C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown
        Validity
            Not Before: Jul 8 15:56:58 2019 GMT
            Not After : Jul 5 15:56:58 2029 GMT
        Subject: C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:FE80:0:0:0:649D:D79:552A:4648, IP Address:10.1.10.121, DNS:localhost, DNS:RGSD-ESETMC.rgsd.local

SSL communication with ESET's activation servers must be excluded from SSL introspection.
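
The check made in the post above, as an added example that is not part of the original thread or of ESET's tooling: it parses a decoded certificate dump and reports the signs that a proxy, not the intended server, answered the TLS handshake. The function names are hypothetical, and `licensing.example.invalid` is a placeholder for a real licensing address from https://support.eset.com/kb332/.

```python
import ipaddress
import re

# Certificate fields as quoted in the thread (decoded from the network capture).
CAPTURED_CERT = """\
Certificate:
    Issuer: C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown
    Subject: C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            IP Address:FE80:0:0:0:649D:D79:552A:4648, IP Address:10.1.10.121, DNS:localhost, DNS:RGSD-ESETMC.rgsd.local
"""

def parse_dump(text):
    """Pull issuer, subject and SAN entries out of an `openssl x509 -text` style dump."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    entries = [e.strip() for e in san.group(1).split(",")] if san else []
    return {
        "issuer": issuer.group(1).strip() if issuer else "",
        "subject": subject.group(1).strip() if subject else "",
        "dns": [e[4:].lower() for e in entries if e.startswith("DNS:")],
        "ips": [ipaddress.ip_address(e[11:]) for e in entries if e.startswith("IP Address:")],
    }

def host_matches(host, dns_names):
    """Exact match, or a wildcard covering exactly one leading label."""
    host = host.lower()
    for name in dns_names:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def interception_findings(cert, expected_host, proxy_ip):
    """Return the reasons this certificate does not belong to expected_host."""
    findings = []
    if cert["issuer"] and cert["issuer"] == cert["subject"]:
        findings.append("self-signed: issuer equals subject")
    if not host_matches(expected_host, cert["dns"]):
        findings.append(f"no SAN entry covers {expected_host}")
    if ipaddress.ip_address(proxy_ip) in cert["ips"]:
        findings.append(f"SAN lists the proxy address {proxy_ip}")
    return findings

if __name__ == "__main__":
    cert = parse_dump(CAPTURED_CERT)
    # Placeholder hostname (assumption); 10.1.10.121 is the proxy named in the thread.
    for line in interception_findings(cert, "licensing.example.invalid", "10.1.10.121"):
        print(line)
```

Issuer equal to subject is a heuristic for a leaf certificate; the missing SAN for the contacted hostname is the stronger signal, since a genuine server certificate must name the host the client asked for.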

tomrgsd (Author), posted July 15, 2019

I am now working with support on this issue. It seems we had a policy that enabled Proxy communication which does not work with activation. Turning off Proxy option allows machine to activate. Unable to get proxy setting turned off remotely, but still working to see if that can be rectified.