avielc 56 Posted February 4, 2020

Hi,

So I'm trying to set up an Apache proxy to allow clients to reach the ESET server while being connected outside the office network (e.g. home).

I've set up an Apache machine in the cloud with an open port to the outside (currently set it up on something random). Deployed an agent policy on a test machine and made sure it was received through the status page. Moved to an external network, checked the welcome page and saw I have access there, but the agent fails to report with the following error:

Attaching text of trace + message from the status.html on the agent data. - trace.txt
Also attaching the Apache logs at debug level. - apache.txt

Please notice the following points:

1. A Unix machine installed on the web with ESET Management Agent that is reporting back to ESMC without a problem.
2. Basic httpd installation, part of a CentOS machine; on the server I followed the instructions on https://help.eset.com/esmc_install/70/en-US/http_proxy_installation_linux.html
3. Changed it a little to try and make it work better (somehow managed to lose the grant deny error I had at first - but it might not be a good thing according to the log).

Something I noticed but I'm unsure of: are there some configurations I need to do on the server side to accept these connections from the Apache? Adding a certificate or something? (Just noticed I have a proxy certificate available in ESMC.)

Thanks
ESET Staff MartinK 384 Posted February 4, 2020 (edited)

I can see multiple potential issues and I am not sure which one (if not both) is fatal.

Unfortunately, a password-protected HTTP proxy is not supported for the AGENT-to-ESMC connection. It seems that you are using it this way, or at least there are proxy parameters set, so this might be a problem, especially in case the HTTP proxy indicates some non-authorized access attempts. I can see in the Apache log that there were such attempts made.

The connection also fails with "Failed to resolve: eset-server.mydomain.com:2222": is this hostname supposed to work correctly? This error might not be fatal, maybe it is just a "fallback" attempt after the connection through the proxy failed, but it is not clear from the trace log with default verbosity.

Apache logs also show errors like this: "Connect to remote machine blocked returned by eset-server.mydomain.com:2222", indicating that the proxy is not able to connect to your server.

There are also errors like "AH00865: declining URL eset-server.mydomain.com:2222", which might indicate that the proxy is not configured to enable connections to your hostname. In case you are using the Apache HTTP proxy distributed with ESMC, modification/extending of the <ProxyMatch/> blocks will be required, as our proxy blocks connections to non-ESET servers by default due to security.

Edited February 4, 2020 by MartinK
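Added example (not part of the thread and not ESET's shipped configuration): a sketch of an Apache 2.4 forward-proxy block for the two proxy-side points raised above, permitting CONNECT tunnels only to the ESMC host and port seen in the logs so that an unauthenticated proxy is not an open relay. The listening port 3128 is an assumption; eset-server.mydomain.com:2222 is the placeholder hostname from the thread.

```apache
# Assumes mod_proxy and mod_proxy_connect are already loaded by the
# distribution's module configuration.
Listen 3128

<VirtualHost *:3128>
    # Act as a forward proxy; the agent issues "CONNECT host:port".
    ProxyRequests On
    ProxyVia Off

    # CONNECT is limited to ports 443 and 563 by default, so the ESMC
    # port has to be listed explicitly. Listing only 2222 also stops
    # the proxy from tunnelling to any other port.
    AllowCONNECT 2222

    # Weak setting, shown only for contrast: this turns the host into
    # an open proxy for anyone who can reach port 3128.
    #   <Proxy *>
    #       Require all granted
    #   </Proxy>

    # Default-deny every proxied destination.
    <Proxy *>
        Require all denied
    </Proxy>

    # Then allow exactly one destination. For CONNECT the proxied URL
    # is the "host:port" pair, so the pattern is anchored on both ends.
    # This section comes after <Proxy *> so that it overrides it.
    <ProxyMatch "^eset-server\.mydomain\.com:2222$">
        Require all granted
    </ProxyMatch>

    # Keep denied and tunnelled requests visible for review.
    LogLevel warn proxy:info proxy_connect:info
    ErrorLog logs/esmc_proxy_error.log
    CustomLog logs/esmc_proxy_access.log combined
</VirtualHost>
```

The proxy host itself must be able to resolve and reach the ESMC server on port 2222, otherwise the tunnel is refused regardless of these rules.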
avielc 56 Author Posted February 4, 2020

Hi @MartinK

Thanks for the reply. I'll answer following your points.

1. It is mandatory in my organization to have some safety over opening a connection to the outside world, so having a proxy without any kind of security on it is simply not allowed. So could you please elaborate why it's not possible? I'm adding the credentials to the agents using an agent policy, should be good enough, no?
2. That might be from the trace.log - the agent trying to find the eset-server while changing to an external network, which would make sense, and then create a "fallback" to the proxy.
3. That's what I fear, I might have missed some settings on the proxy for it to communicate with the eset-server. Is there somewhere clear enough to give that information? Any settings I need to do on the server side for it to accept connections from the eset-proxy? After all, the proxy is simply a Linux machine with httpd pre-installed + mod_ssl and some conf file I'm trying to mash up from all the instructions lying around for Windows and Linux (none are clear enough on what should or shouldn't be, e.g. Windows has "Virtual Server:3128" while the Unix doesn't... it's quite confusing).
4. As mentioned in 3, you're probably right, just found out half an hour ago about that "Allow CONNECT 443, 569 2222", no idea what that is about or how to make it work.

Also, another point that might matter. I added certificates to the eset-server to make it SSL approved. Unfortunately the proxy doesn't have them, and it seems to return a lot of Curl (60) or (56) errors about the certificate not being set correctly (I'm testing with Curl --proxy to see if it works), for which I either get HTML code 403 or 407, as mentioned in the logs. Any idea how I should set it up right?

If you can help me with a proper .conf file (at least as close as possible, without some specific names like domain\authentication), that'll really really help!

Thanks
ESET Staff MartinK 384 Posted February 5, 2020

17 hours ago, avielc said:

Hi @MartinK Thanks for the reply. I'll answer following your points. It is mandatory in my organization to have some safety over opening a connection to the outside world, so having a proxy without any kind of security on it is simply not allowed. So could you please elaborate why it's not possible? I'm adding the credentials to the agents using an agent policy, should be good enough, no?

This limitation comes from the underlying layer, which does not support HTTP proxy authentication, and thus it is not used.
avielc 56 Author Posted February 5, 2020

So, how come that feature exists in the first place? And also, if it's not supported, what other options do I have to secure an agent connection to an ESMC server without exposing the ESMC to the internet?
Pinni3 21 Posted February 10, 2020

As a workaround you can use Squid. I use a Squid proxy for ESET updates and installs. It also allows you to use credentials for connections....
avielc 56 Author Posted February 10, 2020

1 hour ago, Pinni3 said:

As a workaround you can use Squid. I use a Squid proxy for ESET updates and installs. It also allows you to use credentials for connections....

Not sure I fully understand, but will an agent still be able to report back to ESMC using Squid?
avielc 56 Author Posted February 12, 2020

@MartinK @MichalJ @Marcos

Hi guys,

Can I ask you for the specifics of how the Agent reports to ESMC via proxy? I need to provide my company the specifics on how secured it is.

I understand that the agent needs to report replication to ESMC in order to receive updates\policies, dynamic groups etc. But in difference to receiving updates, this HTTP proxy can NOT use HTTPS and can not have credentials on it for replication.

So, to understand better and provide the right info to my company: what is secured in the replication process via PROXY if I can't use credentials or HTTPS communication to it? (And please be as detailed as possible.)

Thanks!
ESET Staff MartinK 384 Posted February 12, 2020

3 hours ago, avielc said:

@MartinK @MichalJ @Marcos Hi guys, Can I ask you for the specifics of how the Agent reports to ESMC via proxy? I need to provide my company the specifics on how secured it is. I understand that the agent needs to report replication to ESMC in order to receive updates\policies, dynamic groups etc. But in difference to receiving updates, this HTTP proxy can NOT use HTTPS and can not have credentials on it for replication. So, to understand better and provide the right info to my company: what is secured in the replication process via PROXY if I can't use credentials or HTTPS communication to it? (And please be as detailed as possible.) Thanks!

The connection between AGENT and ESMC is using TLS/SSL and thus it is secured and confidential. In case an HTTP proxy is in between, it serves just as a forwarding element, i.e. it is not introspecting communication. In other words, both AGENT and ESMC are performing validity checks of the TLS certificate as if there is no proxy, and the connection will be rejected in case the certificate of the remote peer is not considered as trusted.

Credentials of the HTTP proxy are suitable only to protect the proxy itself from connections of unauthorized clients, i.e. those that do not have the right credentials, but even if there is no authentication on the proxy, the whole AGENT-to-ESMC communication is protected on the TLS layer, where mutual authorization via certificates is performed.
avielc 56 Author Posted February 13, 2020

15 hours ago, MartinK said:

The connection between AGENT and ESMC is using TLS/SSL and thus it is secured and confidential. In case an HTTP proxy is in between, it serves just as a forwarding element, i.e. it is not introspecting communication. In other words, both AGENT and ESMC are performing validity checks of the TLS certificate as if there is no proxy, and the connection will be rejected in case the certificate of the remote peer is not considered as trusted. Credentials of the HTTP proxy are suitable only to protect the proxy itself from connections of unauthorized clients, i.e. those that do not have the right credentials, but even if there is no authentication on the proxy, the whole AGENT-to-ESMC communication is protected on the TLS layer, where mutual authorization via certificates is performed.

Thanks for answering @MartinK! And also, thank you for explaining that.

I am facing a problem now that I hope you can help me resolve. I'll sum up everything you said into the following statement: "This is the application level security between the agent and the ESMC".

Which is great, but in terms of Apache\Proxy, I would like to add a layer of security there. The problem is I tried to add HTTPS as well as password protection, but both failed to allow the agent to report.

Could you help me with what solution is supported by the agent? (We are talking about replication purposes only; if there are any updates, I allow the agents to download from ESET servers directly wherever the employees are (home etc.).)

Looking forward to hearing from you.

Thanks for helping!