Installing Agent through CMD QUITET doesn't work for ESET PROTECT CLOUD

[DumitruSino 1]

With LOCAL ESET SERVER I was installing Agents with following command and files:

C:\it-tools\eset\Agent_x64.msi /q P_HOSTNAME=199.164.42.68 P_ENABLE_TELEMETRY=1 P_CERT_PATH=C:\it-tools\eset\certificate.txt P_CERT_AUTH_PATH=C:\it-tools\eset\ca.txt P_LOAD_CERTS_FROM_FILE_AS_BASE64=YES /L*V "C:\it-tools\eset\logs.log

agent_x64.msi

ca.txt

certificate.txt

install_config.ini

All worked really nice for all our 60 workstations.

NOW I MIGRATED TO CLOUD and I use following:

C:\it-tools\eset\Agent_x64.msi /q P_ENABLE_TELEMETRY=1 P_HOSTNAME={server name from install_config.ini from protect.eset.com} P_PORT=443 P_CERT_PATH=C:\it-tools\eset\certificate.txt P_CERT_AUTH_PATH=C:\it-tools\eset\ca.txt P_LOAD_CERTS_FROM_FILE_AS_BASE64=YES /L*V "C:\it-tools\eset\logs.log"

agent_x64.msi - new file downloaded from Configuration GPO/SCCM scrip from hxxp://protect.eset.com/

ca.txt - same old file

certificate.txt - same old file

install_config.ini - new file downloaded from Configuration GPO/SCCM scrip from hxxp://protect.eset.com/

I installed it multiple times, on different workstations. Here are the logs:

 

Status log

Scope	Time	Text
Configuration	2021-May-08 23:01:00	Product configuration: Use of HTTP proxy for ESET services is disabled Use of HTTP proxy for replication is disabled Repository hostname is: AUTOSELECT Update server is set to: AUTOSELECT with "regular" update type
Dynamic groups	2021-May-10 14:47:32	Device is not member of any dynamic group
Last authentication	2021-May-10 17:04:58	Enrollment failed with error: Request: Era.Common.Services.Authentication.RPCEnrollmentRequest on connection: host: "*****************.a.ecaserver.eset.com" port: 443 with proxy set as: Proxy: Connection: :3128, Credentials: Name: , Password: ******, Enabled:0, EnabledFallback:1, failed with error code: 14, error message: Connect Failed, and error details:
Last replication	2021-May-10 17:04:52	ERROR: InitializeConnection: Initiating replication connection to 'host: "****************.eset.com" port: 443' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: ****************.a.ecaserver.eset.com:443, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0] All replication attempts: 848
Peer certificate	2021-May-10 00:37:44	OK Agent peer certificate with subject 'C*******************************************************************
Policies	2021-May-08 23:01:00	Device has no policies assigned
Product	2021-May-08 23:00:58	Product install configuration: Product type: Agent Product version: 8.0.1238.0 Product locale: en_US
Replication security	2021-May-10 17:04:58	OK Remote host: **************************.a.ecaserver.eset.com Remote product: Server Remote certificate: Subject='**************** ', NotBefore=2019-Sep-04 00:00:00, NotAfter:2021-Oct-03 12:00:00, ************************

Performance

Indicator	Value
Up time	42:04:00
Memory private usage	25 MB
Available physical memory	8792 MB

Generated at 2021-May-10 17:04:58 (2021-May-10 12:04:58 local time)

 

ANY HELP WOULD BE APPRECIATED! THANK YOU!

 

[MartinK 378]

Could you please provide standard trace.log from AGENT or possibly search it for more detailed connection errors? I do not see any obvious problem with deployment method you are using - in case no mistake was made during parameters processing, it should work. From provided status.html it is not clear why connection is failing, it might be network related, but also certificate related. As it seems that certificate of ESET PROTECT Cloud service has been accepted, it might be problem with AGENTs certificate -> in steps you mentions "same old file" next to certificates, but if it means that you are attempting to use the same certificates an you used with on-premise solution, that won't work -> devices managed by cloud service are assigned certificate generated by service itself, and that is only certificate that will enable your devices to connect.

Also note, that there is even simpler deployment method:

1. Download AGENT MSI file and install_config.ini (so called GPO installer) into the same folder
2. Initiate silent installation of AGENT via msiexec command, but without product specific parameters (those P_***)
3. Observe that installer properties are automatically loaded from install_config.ini, i.e. there is no need to copy them to command line

[DumitruSino 1]

42 minutes ago, MartinK said:

Could you please provide standard trace.log from AGENT or possibly search it for more detailed connection errors? I do not see any obvious problem with deployment method you are using - in case no mistake was made during parameters processing, it should work. From provided status.html it is not clear why connection is failing, it might be network related, but also certificate related. As it seems that certificate of ESET PROTECT Cloud service has been accepted, it might be problem with AGENTs certificate -> in steps you mentions "same old file" next to certificates, but if it means that you are attempting to use the same certificates an you used with on-premise solution, that won't work -> devices managed by cloud service are assigned certificate generated by service itself, and that is only certificate that will enable your devices to connect.

Also note, that there is even simpler deployment method:

1. Download AGENT MSI file and install_config.ini (so called GPO installer) into the same folder
2. Initiate silent installation of AGENT via msiexec command, but without product specific parameters (those P_***)
3. Observe that installer properties are automatically loaded from install_config.ini, i.e. there is no need to copy them to command line

Installed using: C:\it-tools\eset\Agent_x64.msi /q P_CERT_PATH=C:\it-tools\eset\certificate.txt P_CERT_AUTH_PATH=C:\it-tools\eset\ca.txt P_LOAD_CERTS_FROM_FILE_AS_BASE64=YES /L*V "C:\it-tools\eset\logs.log"

Here is what I got: 

Last authentication	2021-May-10 19:32:28	Enrollment failed with error: Request: Era.Common.Services.Authentication.RPCEnrollmentRequest on connection: host: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.eset.com" port: 443 with proxy set as: Proxy: Connection: :3128, Credentials: Name: , Password: ******, Enabled:0, EnabledFallback:1, failed with error code: 14, error message: Connect Failed, and error details:
Last replication	2021-May-10 19:32:28	ERROR: InitializeConnection: Initiating replication connection to 'host: "xxxxxxxxxxxxxxxxxxxxxxxxx.a.ecaserver.eset.com" port: 443' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: 2alxfromorhuzkixxiws7uwxzq.a.ecaserver.eset.com:443, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0] All replication attempts: 2

See trace log attached.

trace.log

[DumitruSino 1]

55 minutes ago, MartinK said:

Could you please provide standard trace.log from AGENT or possibly search it for more detailed connection errors? I do not see any obvious problem with deployment method you are using - in case no mistake was made during parameters processing, it should work. From provided status.html it is not clear why connection is failing, it might be network related, but also certificate related. As it seems that certificate of ESET PROTECT Cloud service has been accepted, it might be problem with AGENTs certificate -> in steps you mentions "same old file" next to certificates, but if it means that you are attempting to use the same certificates an you used with on-premise solution, that won't work -> devices managed by cloud service are assigned certificate generated by service itself, and that is only certificate that will enable your devices to connect.

Also note, that there is even simpler deployment method:

1. Download AGENT MSI file and install_config.ini (so called GPO installer) into the same folder
2. Initiate silent installation of AGENT via msiexec command, but without product specific parameters (those P_***)
3. Observe that installer properties are automatically loaded from install_config.ini, i.e. there is no need to copy them to command line

Tried using: C:\it-tools\eset\Agent_x64.msi /q /L*V "C:\it-tools\eset\logs.log"

and SUCCESS!

Apparently the CERTIFICATE was the problem! Weird that I chatted with couple ESET Support guys, and nobody had this idea to remove the certificate. 

Last authentication	2021-May-10 19:43:35	Enrollment OK
Last replication	2021-May-10 19:43:43	OK
Last successful replication	2021-May-10 19:43:43	OK Successful replications: 3 All replication attempts: 3 Connection: xxxxxxxxxx.a.ecaserver.eset.com:443 Scenario: REGULAR
Peer certificate	2021-May-10 19:41:03	OK Agent peer certificate with subject 'xxxxxxxxxxxxxxxxxxxxxministrator External CA' with serial number 'xxxxxxx4' is and will be valid in 30 days
Policies	2021-May-10 19:41:03	Applied policies: Hidden: Agent defaults VNC Allow Disable Windows Updates Notifications Enable Secure Browser
Product	2021-May-10 19:41:01	Product install configuration: Product type: Agent Product version: 8.0.1238.0 Product locale: en_US

Thank you!