karsayor

Dynamic Threat Defense Proxy

I successfully activated Dynamic Threat Defense on a device and activated it through policy; now I get this:

ESET Dynamic Threat Defense is not working. Connection to authentication servers failed.

I wonder because we have an HTTP Proxy setup for Agents / Products; it seems that EDTD does not use the HTTP Proxy? Or what could be missing?

According to https://help.eset.com/edtd/en-US/troubleshooting.html, the error means:

The ESET license servers are not accessible.

Firewall (another setting) is blocking the communication.

The service is temporarily unavailable.

Check your firewall settings.

Can clients connect to ESET license servers listed at https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#services as well as to edf.eset.com?

edf.eset.com 40.114.143.2
13.64.117.133
13.91.57.145

OK, so endpoints should connect directly to these addresses? They cannot use the HTTP proxy on ESMC?

That was not clear to me.

The question is if clients can contact those servers via http proxy. Do you use Apache http proxy that was installed with the all-in-one ESMC installer?

Our users use EDTD and our http proxy without issues.

Yes, we use the Apache HTTP Proxy of the ESMC appliance and it works fine for the base product and agents. Our proxy.conf is as follows; maybe there is an issue with it?

#
# Enable HTTP Cache
#
CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 200000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/httpd/proxy

AllowCONNECT 443 2222 

ProxyRequests On
ProxyVia On
SetEnv proxy-initial-not-pooled 1

ErrorLog "|/usr/sbin/rotatelogs -n 10 /var/log/httpd/error_log 1M"


<VirtualHost *:3128>
	ProxyRequests On
</VirtualHost>

<VirtualHost *:3128>
        ServerName r.edtd.eset.com
        
        ProxyRequests Off
        CacheEnable disk /        
        SSLProxyEngine On

        RequestHeader set Front-End-Https "On"
        ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=10 smax=10
        ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>


<Proxy *>
Deny from all
</Proxy>
#*.eset.com:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.eu:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.systems:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Antispam module (ESET Mail Security only):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Services (activation)
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#ESET servers accessed directly via IP address:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

Also, what are the required ports to connect to r.edtd.eset.com and d.edtd.eset.com? It's not specified in the doc and might be the issue as well.

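One way to check the question raised in the post above, as an added example that is not part of the original thread or ESET's own tooling: run the posted ProxyMatch allow rules against the hostnames mentioned in the thread. It assumes Apache's PCRE and Python's `re` treat these patterns identically, models access control as "any matching allow rule wins over `Deny from all`", and the function names and the targets marked as constructed are illustrative.

```python
import re

# ProxyMatch patterns copied verbatim from the proxy.conf posted above.
# Assumption: Apache's PCRE and Python's re treat these patterns identically.
ALLOW_RULES = {
    "*.eset.com": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$",
    "services": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$",
    "direct IP": r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$",
}
ALLOW_CONNECT_PORTS = {443, 2222}  # from "AllowCONNECT 443 2222"


def matching_rule(target):
    """Return the name of the first allow rule matching target, or None
    when only the catch-all "<Proxy *> Deny from all" applies."""
    for name, pattern in ALLOW_RULES.items():
        if re.match(pattern, target):
            return name
    return None


def connect_allowed(hostport):
    """Model an HTTPS tunnel request (CONNECT host:port) through the proxy:
    the port must be in AllowCONNECT and the target must hit an allow rule."""
    _, _, port = hostport.rpartition(":")
    return (port.isdigit() and int(port) in ALLOW_CONNECT_PORTS
            and matching_rule(hostport) is not None)


# Hostnames and IP named in the thread, plus constructed cases (marked).
TARGETS = [
    "r.edtd.eset.com:443",
    "d.edtd.eset.com:443",
    "edf.eset.com:443",
    "40.114.143.2:443",        # edf.eset.com address quoted in the thread
    "a.r.edtd.eset.com:443",   # constructed: three labels before eset.com
    "r.edtd.eset.com:8443",    # constructed: port outside AllowCONNECT
]

if __name__ == "__main__":
    for t in TARGETS:
        print(f"{t:28} rule={matching_rule(t)!s:12} CONNECT={connect_allowed(t)}")
```

Under this model the three EDTD hostnames pass on port 443, so the allow-list is not what rejects them. A request addressed to the bare IP 40.114.143.2, to a hostname more than two labels deep under eset.com, or to a port other than 443 or 2222 is refused.
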
Do you see anything wrong with my proxy conf? Thanks.

What ports are used for the services? Because our appliances can only do HTTP / HTTPS to any address on the internet.

Do you use both the EBA and EMA accounts and use the same email address for both by chance? If so, this is a known issue that we are trying to solve.

Yes we are 😀

Do you know how / when it can be fixed? Will you update this topic?

Hello @karsayor,

We do not have an ETA for the systematic fix yet.

However, you can send me your EDTD public license ID and your EBA / EMA e-mail address via private message and I can ask the devs to fix it manually...

Peter

note: I_EDF-1275
