Dynamic Threat Defense Proxy


I successfully activated Dynamic Threat Defense on a device and activated it through policy; now I get this:

ESET Dynamic Threat Defense is not working. Connection to authentication servers failed.

I wonder because we have an HTTP Proxy set up for Agents / Products; it seems that EDTD does not use the HTTP Proxy? Or what could be missing?


  • Administrators

According to https://help.eset.com/edtd/en-US/troubleshooting.html, the error means:

The ESET license servers are not accessible.

Firewall (another setting) is blocking the communication.

The service is temporarily unavailable.

Check your firewall settings.

Can clients connect to ESET license servers listed at https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#services as well as to edf.eset.com?

edf.eset.com: 40.114.143.2, 13.64.117.133, 13.91.57.145

OK, so endpoints should connect directly to these addresses? They cannot use the HTTP proxy on ESMC?

That was not clear to me.


  • Administrators

The question is if clients can contact those servers via http proxy. Do you use Apache http proxy that was installed with the all-in-one ESMC installer?

Our users use EDTD and our http proxy without issues.


Yes, we use the Apache HTTP Proxy of the ESMC appliance and it works fine for the base product and agents. Our proxy.conf is as follows; maybe there is an issue with it?

#
# Enable HTTP Cache
#
CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 200000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/httpd/proxy

AllowCONNECT 443 2222 

ProxyRequests On
ProxyVia On
SetEnv proxy-initial-not-pooled 1

ErrorLog "|/usr/sbin/rotatelogs -n 10 /var/log/httpd/error_log 1M"


<VirtualHost *:3128>
	ProxyRequests On
</VirtualHost>

<VirtualHost *:3128>
        ServerName r.edtd.eset.com
        
        ProxyRequests Off
        CacheEnable disk /        
        SSLProxyEngine On

        RequestHeader set Front-End-Https "On"
        ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=10 smax=10
        ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>


<Proxy *>
Deny from all
</Proxy>
#*.eset.com:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.eu:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.systems:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Antispam module (ESET Mail Security only):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Services (activation)
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#ESET servers accessed directly via IP address:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

Also, what are the required ports to connect to r.edtd.eset.com and d.edtd.eset.com? It's not specified in the doc and might be the issue as well.

Edited by karsayor

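An offline way to check the access rules in the proxy.conf above against the hosts named in this thread, added here as an example (not part of any post and not ESET's code). It assumes Apache compares each ProxyMatch expression with the requested URL, or with host:port for CONNECT, and that a matching Allow section overrides the `<Proxy *>` deny; the sample requests are constructed.

```python
import re

# ProxyMatch expressions copied verbatim from the proxy.conf posted above.
# Assumption: a request is allowed when any one of them matches its target.
ALLOW_RULES = {
    "*.eset.com": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$",
    "*.eset.eu": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$",
    "*.eset.systems": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$",
    "activation": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$",
    "ESET IPs": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$",
}
ALLOW_CONNECT = {443, 2222}  # from "AllowCONNECT 443 2222"


def matching_rule(target):
    """Return the name of the first ProxyMatch rule that matches, or None."""
    for name, pattern in ALLOW_RULES.items():
        if re.match(pattern, target):
            return name
    return None


def check(method, target):
    """Return (allowed, reason) for one proxy request (method plus target)."""
    if method == "CONNECT":
        port = target.rpartition(":")[2]
        if not port.isdigit() or int(port) not in ALLOW_CONNECT:
            return False, f"port {port} not in AllowCONNECT"
    rule = matching_rule(target)
    if rule is None:
        return False, "no ProxyMatch allows it, <Proxy *> denies"
    return True, f"allowed by {rule}"


# Constructed sample requests built from host names and addresses in this thread.
SAMPLES = [
    ("CONNECT", "edf.eset.com:443"),
    ("CONNECT", "r.edtd.eset.com:443"),
    ("CONNECT", "d.edtd.eset.com:443"),
    ("GET", "http://r.edtd.eset.com/"),
    ("CONNECT", "40.114.143.2:443"),      # edf.eset.com reached by IP address
    ("CONNECT", "d.edtd.eset.com:8443"),  # constructed port outside AllowCONNECT
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        allowed, reason = check(method, target)
        print(f"{'ALLOW' if allowed else 'DENY':5} {method:7} {target:24} {reason}")
```

Under these assumptions the EDTD and edf.eset.com host names pass the ACL on port 443, while a request addressed to 40.114.143.2 directly, or a host with more than two labels in front of eset.com, falls through to the deny rule.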
  • 3 weeks later...

Do you see anything wrong with my proxy conf? Thanks.

What ports are used for the services? Because our appliances can only do HTTP / HTTPS to any address on the internet.

Edited by karsayor

  • Administrators

Do you use both the EBA and EMA accounts and use the same email address for both by chance? If so, this is a known issue that we are trying to solve.


  • ESET Moderators

Hello @karsayor,

We do not have an ETA for the systematic fix yet.

However, you can send me your EDTD public license ID and your EBA / EMA e-mail address via private message and I can ask the devs to fix it manually...

Peter

note: I_EDF-1275
