Migrated ESMC Agents contacting old ERA Proxy Server

[nkm 0]

Hi All,

We have migrated the majority of our clients from ERA (v6.x) to ESMC (v7.x).

All clients have have registered correctly to new ESMC Mgmt Server, and updating correctly.

Before decommissioning the old ERA Proxy Server I wanted to ensure that none of the clients were using the old ERA Proxy server, as the ESET Apache HTTP Proxy installation does not have the appropriate logging DLL installed I am unable to check the Apache access logs only the Error logs.

The 'error.log' file shows the following entries.

Connect to remote machine blocked returned by epns.eset.com:8883

Found that on the client computer the "ERAAgent.exe" process was accessing the old ERA Proxy Server.

Where is this being set, as I have checked all Policies on the new ESMC and there is no reference to the old ERA Proxy Server.

Anyone else had this issue?

 

 

[MartinK 378]

22 hours ago, nkm said:

Before decommissioning the old ERA Proxy Server I wanted to ensure that none of the clients were using the old ERA Proxy server, as the ESET Apache HTTP Proxy installation does not have the appropriate logging DLL installed I am unable to check the Apache access logs only the Error logs.

Just out of curiosity, which Apache module are you missing? If I recall correctly, modules required for access logs to be enabled should be present, but it is possible that they are not loaded by default in httpd.conf.

[nkm 0]

Hi Martin,

Thanks for your reply.

The module missing is "log_config_module". 

If I try to enable it (uncomment from the httpd.conf file), Apache HTTP Proxy fails to start.

My real question is why the ESMC 7.x client still tries to connect to the old ERA Proxy Server.

I notice that, clients that have never had the ERA Agent seem OK, it appears to be upgraded clients only. Could it be my upgrade procedure?

 

Kind Regards,

 

[MartinK 378]

On 11/17/2020 at 7:24 PM, nkm said:

I notice that, clients that have never had the ERA Agent seem OK, it appears to be upgraded clients only. Could it be my upgrade procedure?

It might be so called "fallback mechanisms" integration into connection handler. It protects environment from some "destructive" changes in configuration, and it works in a way that AGENT will be trying to connect to last successful target in case connection to newly set (currently set) ERA/ESMC server fails. So connection attempts to old ERA Proxy are expected behavior in case AGENT are not able to connect to new ESMC. Unfortunately fallback attempt might "hide" real connectivity issues, so I would recommend to double check logs for clue why AGENT is not able to connect to new ESMC, especially if this is the case.

[nkm 0]

Hi Martin,

Ok, will do.

Now that I think about it, I monitored the PC (using Process Hacker 2) to view the TCP communication generated by the ERAAgent process when re-deploying the agent, and observed that the process connected correctly to the new ESMC, then after a while reverted to old ERA Server.

I may run some packet captures etc to see if the agent is having troubles connecting to the new Proxy Server.

Kind Regards,

 

Edited November 18, 2020 by nkm

[nkm 0]

Hi Martin,

Found that, client tries to establish a connection to epns.eset.com on TCP Port 8883, which fails.

Client then attempts to connect using the old Proxy Server, requesting to connect to 8883 (fails), then fails-back to 443 (succeeds).

Client never attempts to connect to epns.eset.com either on TCP Port 8883 or 443 via the new Proxy Server.

New clients (that is, clients that have have never had the previous ERA Agent installed) attempt to connect to epns.eset.com through new Proxy Server using 8883 (fails), however they fall back to 443 (succeeds).

I will try moving the problematic client into the same group as the new clients and let you know.

Besides the original issue, should I change the configuration on the new Proxy Server to allow CONNECT to port 8883?

 

Cheers

[MartinK 378]

On 11/19/2020 at 1:52 PM, nkm said:

Besides the original issue, should I change the configuration on the new Proxy Server to allow CONNECT to port 8883?

Yes, that should help. If I recall correctly, this port is enabled by default in proxy configuration for some time - I guess you are using some older version or at least older httpd.conf file?

 

On 11/17/2020 at 7:24 PM, nkm said:

The module missing is "log_config_module". 

If I try to enable it (uncomment from the httpd.conf file), Apache HTTP Proxy fails to start.

Loading of module should definitely work. In case proxy is not even starting, I would double check that LoadModule statement is correct. Unfortunately I cannot verify as it seems you are using some older version - in current one, there are no dummy load statements in httpd.conf and maybe one of reason is that they were not correct, i.e. there might have been wrong path (or wrong format of path).

[nkm 0]

Downloaded the latest version of Apache HTTP Proxy for Windows to compare the configuration file. Made the modification to our new ESMC Proxy server.

I have moved  some of the upgraded PC's into a group where the Agent proxy server is configured correctly, and will monitor.

 

[nkm 0]

As mentioned, eventhough the agents register with the new ESMC Mgmt Server and updates work OK, if the agent deployment does can't access the EPNS port and explicit proxy settings is not set, it will try and use the previous settings (old ERA Proxy).

Once I added the clients to a group that had the new proxy server explicitly set, and made the proxy configuration changes suggested, clients stop contacting the old ERA Proxy.

Thanks for all your help.