Jump to content

Migration from ERA to ESMC with proxy in DMZ


Ufoto
 Share

Go to solution Solved by Ufoto,

Recommended Posts

Hello,

We are trying to migrate endpoints from a remote ERA server to our existing ESMC server which is in another geographical location. Since the endpoints can't communicate with the ESMC directly we've set up an HTTP proxy in DMZ. We've tested the proxy with some test devices and it is working. 

Now we want to start transferring devices from the old ERA server however we've encountered few issues along the way. Since the ERA server manages Agents 6.x they can't communicate with the HTTP proxy directly. In order to resolve this we've installed an ERA proxy on the same server where the HTTP proxy is installed. Our idea was to follow KB6729 in order to redirect endpoints from the existing ERA server to the new ESMC server via the ERA proxy. However this doesn't seem to work because the relevant policy setting are applicable only for version 7+ agents while the systems managed by the ERA server use agent 6.5. 

We are aware that we can uninstall the agent locally and install an agent from the new ESMC server and this will migrate the system, but this is not really applicable as we are talking about few hundred endpoints and we don't have the resource to do it manually. 

We are really lost at this point and I am seeking advice what's the best approach to handle this migration? 

Thank you in advance!

Link to comment
Share on other sites

  • ESET Staff
1 hour ago, Kostadin_k said:

However this doesn't seem to work because the relevant policy setting are applicable only for version 7+ agents while the systems managed by the ERA server use agent 6.5.

Could you please provide more details of how was policy created? Even policy for "ESET Management Agent 7+" is applicable for "ESET Remote Administrator 6" AGENTs, except settings that were added later (i.e. HTTP proxy configuration for AGENT-to-ESMC communication), but other settings were shared and should be properly applied.

In your case I see two alternatives: either our original plan with use of ERA Proxy will work once correct policy is prepared, or upgrade of ERA Agent will made prior to migration. Actually upgrade of AGENTs is not complicated, but few considerations has to be made:

  • ERA Agent once upgrade to ESMC Agent won't be able to connect to original ERA Server. But in case it is already configured to connect to new ESMC server via proxy, it should do so automatically after upgrade. Upgrade itself might be performed using "Components upgrade task" with targeting 7.2 version. Steps that should probably work are:
    • Apply migration policy to AGENTs, but in a way that ERA Agents are still able to tonnect to original server. This can be achieved by providing list of servers in configuration (but beware it would work only in case certificates are properly configured so that both old and new servers will trust AGENTs)
    • Execute components upgrade task on migrated client.
    • Once ERA Agent is upgraded to ESMC Agent, it will start to use HTTP proxy that it has in configuration since step1.
  • Second alternative is to upgrade whole infrastructure, i.e. AGENT and ERA Server prior to migration. This is probably most straightforward but ERA->ESMC upgrade has its limitation, in both minimal requirements changes and also drop of ERA Proxy support.
Link to comment
Share on other sites

Hello Martin,

Thank you for your response. Indeed we entered the ERA proxy details in the HTTP Proxy section of the Management Agent policy (ERA version Version 6.5 (6.5.522.0)). All sections there have a note that these settings are applicable only for 7+ agents which I would expect as only agent 7+ can use the HTTP proxy. Should we configure the ERA proxy somewhere else?

Indeed upgrading the agent is also an option as we upgraded one device locally and it started communicating with the new server. However the component upgrade task requires an upgrade of the entire ERA infrastructure to version 7. I couldn't find an option to upgrade just the agent. Additionally, when I try to create an agent deployment task, there is no option to select a package. On the ERA console agent 6.5 is listed as latest and there are no updates available in order to upgrade it via client upgrade task.

Yes, upgrading the entire infrastructure to ESMC is an option, but we really wanted to avoid possible upgrade complications as this old infrastructure will be decommissioned once the systems are migrated over.

Link to comment
Share on other sites

  • Solution

Just a quick update on this. Since you mentioned the Agent policy I did some testing and I understood what was wrong. The ERA proxy has to be added to the server list instead of the HTTP proxy section. Additionally, unlike the HTTP proxy, the ERA proxy actually needs a management agent installed in order to forward the communication. 

I implemented the changes above and the communication between systems on the old server and our new ESMC server started immediately. The component upgrade task also worked and the systems communicate with our HTTP proxy as soon as they are upgraded.

Thank you for your prompt response, it guided me in the right direction.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...