DMcCurtain Posted April 21, 2020

Please excuse my lack of understanding of this process. Our company had many layoffs due to Covid-19 and my head security officer has been laid off. I am looking for help in setting up the agent on local PCs that are on the outside of our network. All local domain computers are functioning as expected with tasks from Security Management Center. I have about 5 PCs that are at other locations that I would like to manage with SMC. Only when the PCs are logged on to the network through a VPN software does the SMC apply the tasks correctly. Problem is, these computers really don't log in to the network very often, only to get rare files. I have tried to set up the agent to connect to the server hosting SMC. I have set up firewall ports 2221-2225 to point to this server using the same URL that the VPN connects to successfully. Could someone please help me with what this error means?
Marcos (Administrators) Posted April 21, 2020

There is obviously a problem with the agent peer certificate, which cannot be verified. Create a fresh agent live installer and re-deploy it on the client so that the current CA and peer certificates are installed and used.
DMcCurtain (Author) Posted April 21, 2020

Ok, I redid the agent like you asked and connected via VPN to my local network with the ESMC server and all is fine. Once I disconnect the VPN the management center now cannot see the client anymore. Is there a way to configure the agent so it can connect to my server without being connected to a VPN software?
MartinK (ESET Staff) Posted April 22, 2020

From the logs it seems that after reinstallation, AGENT is connecting (or attempting to do so) to a different hostname, containing .local. Maybe the problem is that it cannot use a "local" hostname when connecting from outside the internal network? In case it is required to use a different hostname (as visible in the original logs), I would recommend explicitly setting it in the installer configuration, or maybe an ESMC Agent configuration policy containing both the internal and the external hostname should be used.
TonyK Posted April 23, 2020

So let's assume here:

1) ESMC Server is behind the corporate network, say 10.10.0.10 (just go with it) - your server resolves to that IP address
2) When your endpoints are connected to VPN, their connection (say 10.10.1.121 is one of the IPs)
3) Let's assume 10.10.1.0/24 can route back and forth to 10.10.0.0/24 while on VPN

Everything is working A-OK!

When your endpoints are not part of the VPN, e.g. they are on their own network, whether a home network, coffee shop, public wifi... regardless of the case, they are no longer attached to your 'local network' - they are part of that network's 'local network'.

In order for those endpoints to reach your ESMC server, you must do three things:

1) The ESMC will need an outside IP address to reach with port 2222 open (this can be accomplished by placing a public IP NAT that is bound to the internal IP address or port forwarding 2222 from that internal address, but traffic must be allowed in and out) -- obtain the public IP address of that device (typically it will be the firewall external address if going with port forwarding, or the NAT public internet address; save that for the next step)

2) Create a new ESET Remote Administrator policy. Include the IP address on the inside; include the inside IP address as first on the list, and add the external address (NAT or FW public IP) as second, and then assign that to those devices (I usually would just say all, it wouldn't hurt); it's best to use that red lightning bolt for admin enforcement, just to make sure there aren't any other conflicts at hand --- test out one or two devices if possible, take a laptop home or something for a test

3) Have endpoints that have not received the policy VPN in or connect to the corporate network as soon as possible once step two is successful. When the endpoints check in, they should obtain the policy update for the ESMC/ERA agent
TomPark (ESET Staff) Posted April 23, 2020

@DMcCurtain Following on from what @TonyK has said, the following KB shows you how to allow external communications to ESET Security Management Center 7.x to allow manageability of remote machines: https://support.eset.com/en/kb6870-network-configuration-requirements-for-allowing-clients-to-connect-to-eset-security-management-center-remotely
avielc Posted April 23, 2020

Let me throw in another possible solution (though it's hard to understand the security level of it). You can create a proxy in the cloud that will only be used for ESMC reports (and not a mirror for AV installation files\images, to minimize the data usage costs). That way, whenever the agent fails to report to the local server, it uses a failover through the proxy to reach it the other way around. (I managed to perfect that method in my case, where we do not allow local servers access from the external network internally.)
DMcCurtain (Author) Posted April 23, 2020

I have it working. I thank all of you.