marlonanjos 0 Posted November 19, 2020 Share Posted November 19, 2020 I mistakenly published a wrong policy with Replication Proxy settings set. Now my agents cant reach our ERA Server to download the new policy without the proxy settings. There is any way to force agents to connect directly to the replication server? Or to reset settings and download new policies like a new install? ERROR: InitializeConnection: Initiating replication connection to 'host: "zzz.zzz.zzz" port: 2222' failed with: Request: Era.Common.Services.Replication.CheckReplicationConsistencyRequest on connection: host: "zzz.zzz.zzz" port: 2222 with proxy set as: Proxy: Connection: yyy.yyy.yyy:3128, Credentials: Name: , Password: ******, Enabled:1, EnabledFallback:0, failed with error code: 14, error message: Connect Failed, and error details: Thank you in advance, Marlon Link to comment Share on other sites More sharing options...
Administrators Marcos 4,199 Posted November 19, 2020 Administrators Share Posted November 19, 2020 To my best knowledge the agent should fall back to direct connection if connection through the proxy fails. @MartinKwill confirm or correct me. Link to comment Share on other sites More sharing options...
marlonanjos 0 Posted November 19, 2020 Author Share Posted November 19, 2020 @Marcos I had disabled fallback direct connection on the same policy 🙄 Link to comment Share on other sites More sharing options...
ESET Staff MartinK 367 Posted November 19, 2020 ESET Staff Share Posted November 19, 2020 42 minutes ago, Marcos said: To my best knowledge the agent should fall back to direct connection if connection through the proxy fails. @MartinKwill confirm or correct me. 19 minutes ago, marlonanjos said: @Marcos I had disabled fallback direct connection on the same policy 🙄data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw== @Marcos: Unfortunately in this case there is probably no fallback for HTTP proxy, as it was explicitly disabled, and also "replication" proxy was set, not generic/global proxy, where we silently count with possibility that it might not support replication connections. In this case, probably only solution would be to repair installations, i.e. using AGENT installers. IS there no possibility to at least temporarily deploy HTTP proxy on "wrong" hostname/IP? Or redirect agents to other location via DNS changes? It would be probably easier ... Link to comment Share on other sites More sharing options...
marlonanjos 0 Posted November 19, 2020 Author Share Posted November 19, 2020 7 minutes ago, MartinK said: @Marcos: Unfortunately in this case there is probably no fallback for HTTP proxy, as it was explicitly disabled, and also "replication" proxy was set, not generic/global proxy, where we silently count with possibility that it might not support replication connections. In this case, probably only solution would be to repair installations, i.e. using AGENT installers. IS there no possibility to at least temporarily deploy HTTP proxy on "wrong" hostname/IP? Or redirect agents to other location via DNS changes? It would be probably easier ... @MartinK I tried a simple http/https proxy running on the same host/port and I can see traffic but with 403 code response. I need to do anything more to allow this connection? "CONNECT eraserver:2222 HTTP/1.0" 403 226 "-" "grpc-httpcli/0.0" Also tried to redirect from port 3128(proxy)->2222(era) but failed too. Link to comment Share on other sites More sharing options...
ESET Staff Solution MartinK 367 Posted November 20, 2020 ESET Staff Solution Share Posted November 20, 2020 22 hours ago, marlonanjos said: @MartinK I tried a simple http/https proxy running on the same host/port and I can see traffic but with 403 code response. I need to do anything more to allow this connection? "CONNECT eraserver:2222 HTTP/1.0" 403 226 "-" "grpc-httpcli/0.0" Also tried to redirect from port 3128(proxy)->2222(era) but failed too. In case you used Apache HTTP proxy which is part of our installers, you should follow following steps: https://help.eset.com/esmc_install/72/en-US/apache_configuration.html where in short you have to: enable port 2222 in case it is not enabled already (depends on version you used) enable connections to your hostname (hostname where AGENT are trying to connect) - by default, only connections to ESET domains are enabled due to security, therefore using proxy for replication connections requires manual steps. marlonanjos 1 Link to comment Share on other sites More sharing options...
marlonanjos 0 Posted November 24, 2020 Author Share Posted November 24, 2020 Solved as per @MartinK solution. I added the directive AllowCONNECT 443 80 2222 and also a proxymatch to my ERA Server hostname using the expression generated by https://support.eset.com/en/kb7214-write-a-proxymatch-expression-for-configuration-of-apache-http-proxy-with-esmc-7 to the file /etc/httpd/conf.d/proxy.conf, and restarted the service with systemctl restart httpd After that my agents can connect to my ERA Server through the apache proxy (usually used for updates) and replicate the new policies that removed the wrong settings of using proxy to ERA Server. I will remove these changes as soon as all agents replicated. Thank you @MartinK and @Marcos for your help. Link to comment Share on other sites More sharing options...
Recommended Posts