ESET Endpoint encryption and ESMC HTTP proxy

[Ufoto 14]

Hello,

We have an ESMC server in our internal network which uses a HTTP proxy located in DMZ to manage roaming users. We would like to implement ESET Endpoint Encryption in our environment and the question which immediately popped up is: are we able to manage the roaming encryption clients through the same HTTP proxy? 

I didn't find any official statement about this setup and I am hoping you guys could shed some light? These users never connect to our internal network so this is very important for us.

[MichalJ 434]

Hello, in case you mean "ESET Full Disk Encryption", then the answer is yes, as this is managed via ESET Protect / Security Management Center Server / agents, which use HTTP Proxy. If you want to use ESET Endpoint Encryption, with a dedicated server, then this solution uses a separate Cloud Proxy component. 

[Ufoto 14]

Just now, MichalJ said:

Hello, in case you mean "ESET Full Disk Encryption", then the answer is yes, as this is managed via ESET Protect / Security Management Center Server / agents, which use HTTP Proxy. If you want to use ESET Endpoint Encryption, with a dedicated server, then this solution uses a separate Cloud Proxy component. 

Hello Michal,

Thank you for the prompt response. Yes, I am referring to ESET Endpoint Encryption. As far as I understand it uses an ESET proxy, therefore no proxy is required on our end, Roaming clients should be able to communicate with our internal EEE server via the ESET proxy?

And just one more question, if we use our existing ESMC server to deploy the EEE client, how are we going to point the installed EEE client to our EEE server?

Thank you in advance!

[JPritchard 11]

Good afternoon,

I am a technical support engineer for ESET's Encryption product family.

You have mentioned a few things that I feel need clarifying, some of which may require in-depth explanations in order for you to come to your own conclusion on how best to deploy ESET Endpoint Encryption in your own environment.

First I feel I need to address an important concept regarding ESET Endpoint Encryption. EEE uses a "cloud proxy", which is our patented technology which simply acts as a pigeonhole (or middleman) for communicating commands/client updates between the EEE server and EEE client workstations.

If your environment has an Internet proxy to control traffic, then you will need to add your proxy details to your EEE Server.  For complete details on this, please read our article here: KB7607 - Add internet proxy server settings to ESET Endpoint Encryption Server

Providing everything is configured correctly, your EEE client workstations will be able to communicate with your EEES (through the cloud proxy) as normal.

Regarding your questions about deployment, I am not familiar with deploying EEE from ESMC itself, but I know there isn't a repository for EEE, so it cannot be installed that way. However, the EEE Server has a "Push Install" feature which allows you to install the EEE client (MSI) on clients across the network.

Sadly this may not be suitable, as you said your users never connect to your internal network. In which case I would ask, how do you currently manage software deployments for users off your network?

Regardless, EEE's installer is an MSI file, which can be easily deployed through 3rd party tools. Just ensure your Workstation Policy is configured correctly before generating the MSI for the endpoints, as the Workstation Policy is bundled into the MSI itself. Additionally, depending on your requirements you may need to create a separate Merged Installer for each Workstation Team you have set-up in your EEES. 

I hope this sheds some light on your situation and what you can do to deploy EEE in your environment.

[Ufoto 14]

Hello JPritchard,

Thank you for the detailed explanation. I understand how the communication works now. Is there any limitations for systems which are only able to connect to the EEE server via the 'cloud proxy' in terms of policies, licensing and user enrollment? I am asking because while reading through the guide I noted the following section: https://help.eset.com/eees/en-US/system_requirements.html?enable-esdirect.html. According to the message on the screenshot, self-enrolment requires clients to communicate directly with the EEE server.

Regarding the remote deployment, indeed I might have read about the 'ESET Full Disk Encryption' product which is managed directly by ESMC. It would have been very convenient to be able to deploy the EEE client as well, and somehow pointing it to your own EEE server - either with a configuration in the client task itself, or via policy. 

Thank you in advance!

 

[JPritchard 11]

Good morning,

Self Enrolment is separate from the cloud proxy, take care not to confuse them. Self Enrolment is a feature which automates the EEE user activation process by communicating on the local network to licence users. This is not essential, as you can activate users manually by email instead. You can see the EEES process for user activation here: KB7157 - Activate ESET Endpoint Encryption Client using ESET Endpoint Encryption Server

EFDE and EEE are separate products entirely. Depending on your requirements, perhaps EFDE is more suitable for your needs? It only offers Full Disk Encryption, but it's managed and deployed from your existing ESMC which may be more convenient for you. 

Edited December 15, 2020 by JPritchard