
Help required to make a policy to allow eset agents report to the eset protect



If we set up an ESET PROTECT server with ESET Endpoint Security or ESET File Security installed on the same machine, then the first thing we notice is that ESET agents in the network do not report to the server by default until the firewall is switched off.

Can somebody please help me define a policy to allow ESET traffic (on the ESET PROTECT server machine with either Windows 10/11 OS or a server OS) that includes agent communication, EPNS wake-up calls, HTTP proxy or ESET Bridge, web console, etc.?

I also feel that this should have been allowed by default using a built-in policy.


It is the ESET firewall from ESET Endpoint Security on a Windows 10 machine used for the ESET PROTECT installation.

The expectation is that ESET communication must be allowed by default, but no, it does not happen. The agents start reporting to the server only after the ESET firewall is switched off.


  • Administrators

It should work unless you've changed default ports or created a blocking rule that was put above default (built-in) rules.

Please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Reboot the machine
  3. After 1-2 minutes stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here.

  • Administrators

You can use the default template which does not collect a registry dump for instance and therefore the size of the generated archive should be smaller. Or you can upload the archive to a file sharing service and drop me a private message with a download link.


  • Administrators

ESET PROTECT server is installed on the local machine, i.e. on Windows 11.

According to https://forum.eset.com/topic/36080-help-required-to-make-a-policy-to-allow-eset-agents-report-to-the-eset-protect/, while this OS is supported: "Installing ESET PROTECT components on a desktop OS might not be in alignment with Microsoft licensing policy. Check the Microsoft licensing policy or consult your software supplier for details. In SMB / small network environments, we encourage you to consider a Linux ESET PROTECT installation or virtual appliance where applicable."

Also duplicate IP addresses 192.168.1.174 [9c:14:63:fe:c0:77] and 192.168.1.174 [cc:98:8b:c8:05:05] and 192.168.1.252 [f0:6c:5d:ac:2a:e8] and 192.168.1.252 [44:d9:e7:d4:6e:79] as well as ARP cache poisoning were detected. Please fix this first. Also try to deploy a virtual appliance or install ESET PROTECT on a server OS.

Creating a rule for inbound communication on port 2222 would likely resolve the issue:

image.png


  • Marcos changed the title to Help required to make a policy to allow eset agents report to the eset protect

Thanks for your prompt reply. Thanks for pointing out the duplicate PC & ARP cache poisoning issues; I will work on that.

I wasn't aware that installing ESET PROTECT on Windows 10 or 11 is not in line with Microsoft policy. Since this is a smaller network with just 30 endpoints, I went ahead with Windows, but will consider switching the OS.

1. However, please specify if the agents-not-reporting-to-ESET-server problem is due to the wrong OS for the ESET PROTECT installation.

2. If not, then why do I have to create a policy to allow the ESET traffic, which should have been allowed by default?

3. I have created the policy to allow ESET agent connections and the agents are working now, but I still cannot access the web console from other client PCs in the network until I disable the firewall on the ESET PROTECT machine. I need help with this specifically.

Thanks in advance.


  • Administrators

You must create the rule because the firewall blocks all non-initiated inbound traffic in automatic mode, which is when the managing agent attempts to contact the ESET PROTECT server. On a Linux virtual appliance the traffic is allowed. Also, on Windows server operating systems that ESET PROTECT server is intended for besides Linux, ESET Server Security that users might have installed there doesn't contain a firewall that would block the inbound communication.

What is allowed by default in ESET's firewall is the communication of the management agent on endpoints:

image.png


Got it. 🙏
But now I need help with allowing web console access from other network PCs. So could you please specifically let me know what policy configuration I should create for the ESET PROTECT machine firewall to allow network computers to access the web console? I tried working on this with various configs, but nothing seems to be working.

