SALC, posted July 13:

Hi! We are running an ESET Protect server (on premises) on a server that is not accessible from the outside. While I understand that TCP over port 2222 occurs securely (using certificates) between the agent and the ESET server, we want to have a proxy in front of it so computers running agents can authenticate against a proxy, which will send the communication to the server. My idea is:

Agent --> HTTPS Proxy (using authentication, port 3128) --> Server (2222)

Another option could be to install a VPN on all computers running the agent, but that's something we would like to avoid. Is this something that can be done? Thanks in advance!

Best,
Salva
SALC (author), posted July 13:

Not sure if I'm right or not, but I believe I read in another topic in the forum that the proxy cannot be used for authentication against ESET Protect. Anyway, I wasn't able to make the Apache proxy work (the agent hasn't been detected by the server). I guess that's also applicable to Squid (instead of ESET Bridge or Apache2). Any input?

Best,
Peter Randziak (ESET Moderators), posted July 14:

Hello @SALC, well, yes, the VPN would be a very good solution, but deploying it for this purpose only probably does not make sense. As far as I know it is not possible to verify the agent certificate on the proxy, but you can set up the proxy with authentication and set it up in the agent's policy so the agents will connect to the on-prem server via it. Or you can migrate to the cloud version, where our teams are taking care of it 😉

Peter
SALC (author), posted July 14:

Hi Peter. A few things:

1) Why wouldn't it make any sense to use a VPN? We plan to roll out new (managed) devices for all employees, and that will be a good opportunity to set up everything from scratch. It will give us an extra security layer for agent-server communication.

2) I have seen that it's possible to use Squid, placing the server and agent certificates there so they are checked on the proxy side. That is tedious, to be sincere, and it's something I would like to avoid... Also, I do not see the benefit of using Squid to check the certificates. Supposedly that's what agent and server do when communicating with each other.

3) I haven't been able to run the ESET Proxy (Apache) or ESET Bridge with authentication (not sure if you meant that). I configured the proxy in a policy (and also in the installer), but I always get 407 and the agents are not able to connect to the server (and therefore do not appear as devices).

4) The cloud option is quite expensive compared to the price we are paying at the moment (minimum 100 nodes, +-3600K for 1 year).

5) When you say teams are taking care of it, do you mean the service itself or some other security around it? I do not like the idea of having this service publicly available (even with 2FA).

Thanks, and I cannot wait for your responses!

Best,
SALC (author), posted July 14:

@Peter Randziak just to confirm it: ESET Bridge does not use HTTPS, right? If that's the case, it's a proxy that is quite useless from the security point of view, since someone could just snatch the credentials. Thanks!
IggyPop (ESET Staff), posted July 17:

Hi @SALC, for ESET PROTECT we have HTTPS, and for ESET PROTECT Cloud we do not have it at present; however, we are looking into incorporating this into the product to support HTTPS in ESET PROTECT Cloud as well.
SALC (author), posted July 17:

Hi @IggyPop, just to confirm: with ESET Bridge, we can have HTTPS proxy authentication. Is that right? Thanks!

Best,
Salva
IggyPop (ESET Staff), posted July 17:

Hi @SALC, on-premise, yes. It should work for cloud as well. You will just need to create an ESET Bridge policy, enable proxy authentication and assign the policy to the Bridge machine. Only one mention regarding proxy authentication: in case of proxy chaining, it only works for the main proxy. In case the second proxy has proxy authentication enabled as well, it won't work.

Kind regards,
Ingemar
SALC (author), posted July 17:

Thanks for the information @IggyPop. I'm having some issues while using Bridge. Let me show you the setup and maybe you can point out what I'm doing wrong.

I have configured ESET Bridge and applied the policy (https://help.eset.com/ebe/1/en-US/bridge_policy.html). ESET Bridge listens on "ep.domain.com:3128" (server reachable from the internet) and should redirect connections to "eset.int.domain.com:2222" (which is only available from the internal network and also reachable from ep.domain.com). I configured an Agent policy (that's used in the Agent installer) with the proxy details. After I install the agent on a device outside the internal network, it does not appear in the ESET Server. I get 403 in the logs:

AGENT_IP - - [17/Jul/2023:13:44:39 +0200] "CONNECTeset.int.domain.com:2222 HTTP/1.0" 403 146 "-" "grpc-httpcli/0.0"

The user and password for the proxy are well configured, so I'm not sure why I get a 403...

Best,
Salva
Peter Randziak (ESET Moderators), posted July 17:

Hello @SALC,

> 5 minutes ago, SALC said:
> ESET Bridge listens on "ep.domain.com:3128" (server reachable from the internet) and should redirect connections to "eset.int.domain.com:2222" (which is only available from the internal network and also reachable from ep.domain.com). I configured an Agent policy (that's used in the Agent installer) with the proxy details. After I install the agent on a device outside the internal network, it does not appear in the ESET Server. I get 403 in the logs:
> AGENT_IP - - [17/Jul/2023:13:44:39 +0200] "CONNECTeset.int.domain.com:2222 HTTP/1.0" 403 146 "-" "grpc-httpcli/0.0"
> The user and password for the proxy are well configured, so I'm not sure why I get a 403...

I recommend opening a support ticket to have it checked; provide them with the configuration of the proxy, the policy of the agent and the log from the proxy.

Peter
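The thread turns on two things: whether proxy authentication between the agent and the proxy is protected (SALC's point that Basic proxy credentials over plain HTTP can be read on the path), and what the 403 on the CONNECT line in the Bridge log means as opposed to the 407 seen earlier. The following added example (not ESET's code and not ESET Bridge's real configuration) models the HTTP CONNECT handshake a gRPC client like the agent performs through an authenticating forward proxy, and parses access-log lines of the format quoted above so that 407 (credentials missing or rejected) can be told apart from 403 (credentials accepted, tunnel target denied). The proxy user, password, allow-list and the extra sample log lines are constructed; only the 403 line and the upstream name come from the thread.

```python
"""Constructed model of CONNECT-through-proxy plus a triage parser for
proxy access-log lines. Example code, not ESET's."""
import base64
import re

# Constructed proxy settings (assumptions; ESET Bridge's real config is not modelled).
PROXY_USERS = {"agent": "example-password"}
ALLOWED_CONNECT_TARGETS = {"eset.int.domain.com:2222"}  # upstream named in the thread


def build_connect_request(target, user=None, password=None):
    """Build the CONNECT request an agent sends to the proxy.

    Basic proxy auth is only base64-encoded, not encrypted: over a plain-HTTP
    hop to the proxy anyone on the path can decode the credential, which is
    why TLS between agent and proxy (an HTTPS proxy) matters.
    """
    lines = [f"CONNECT {target} HTTP/1.0", f"Host: {target}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def proxy_decide(request):
    """Model the proxy's decision order: authentication first (407 when the
    credential is missing or wrong), then the tunnel allow-list (403 when
    the target is not permitted), then 200 for an accepted tunnel."""
    head = request.decode(errors="replace").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return 405
    target = parts[1]
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return 407
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 407
    if PROXY_USERS.get(user) != pw:
        return 407
    if target not in ALLOWED_CONNECT_TARGETS:
        return 403
    return 200


# Combined-format access line. The thread's line reads "CONNECTeset.int..."
# with the space dropped, so the method/target split tolerates a missing one.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+)\s*(?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

STATUS_HINTS = {
    407: "proxy did not accept credentials: check the proxy user/password in the agent policy",
    403: "client accepted but tunnel denied: check the proxy's allowed CONNECT targets/ports",
    200: "tunnel established: if the agent still does not appear, look beyond the proxy",
}


def triage(line):
    """Parse one access-log line into the fields relevant to an agent
    connectivity problem, with a hint keyed on the status code."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"parsed": False, "line": line}
    status = int(m["status"])
    return {
        "parsed": True,
        "client": m["client"],
        "method": m["method"],
        "target": m["target"],
        "status": status,
        "user_agent": m["ua"],
        "expected_target": m["target"] in ALLOWED_CONNECT_TARGETS,
        "hint": STATUS_HINTS.get(status, "unexpected status; inspect the proxy error log"),
    }


# Constructed sample log; the first (403) line is the one quoted in the thread.
SAMPLE_LOG = [
    'AGENT_IP - - [17/Jul/2023:13:44:39 +0200] "CONNECTeset.int.domain.com:2222 HTTP/1.0" 403 146 "-" "grpc-httpcli/0.0"',
    'AGENT_IP - - [17/Jul/2023:13:45:02 +0200] "CONNECT eset.int.domain.com:2222 HTTP/1.0" 407 381 "-" "grpc-httpcli/0.0"',
    'AGENT_IP - - [17/Jul/2023:13:46:10 +0200] "CONNECT eset.int.domain.com:2222 HTTP/1.0" 200 0 "-" "grpc-httpcli/0.0"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        t = triage(sample)
        print(t["status"], t["target"], "-", t["hint"])
```

The decision order in `proxy_decide` is the useful part for reading the thread's log: a 403 on a CONNECT line means the proxy got past authentication and rejected the tunnel itself, so the agent policy's credentials are not the first thing to re-check, whereas the 407 seen in the earlier attempts is the proxy asking for (or refusing) credentials before any tunnel is considered.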
Peter Randziak (ESET Moderators), posted July 17:

Hello @SALC,

> On 7/14/2023 at 2:14 PM, SALC said:
> 1) Why wouldn't it make any sense to use a VPN? We plan to roll out new (managed) devices for all employees, and that will be a good opportunity to set up everything from scratch. It will give us an extra security layer for agent-server communication.

VPN is a great tool, but from my PoV using it just to secure the EP server <-> agent communication would be cracking a nut with a sledgehammer.

> On 7/14/2023 at 2:14 PM, SALC said:
> 2) I have seen that it's possible to use Squid, placing the server and agent certificates there so they are checked on the proxy side. That is tedious, to be sincere, and it's something I would like to avoid... Also, I do not see the benefit of using Squid to check the certificates. Supposedly that's what agent and server do when communicating with each other.

I'm afraid that checking the agent's certificate at the proxy level is not possible, or at least not easy to achieve; see the links at the end of my post.

> On 7/14/2023 at 2:14 PM, SALC said:
> 3) I haven't been able to run the ESET Proxy (Apache) or ESET Bridge with authentication (not sure if you meant that). I configured the proxy in a policy (and also in the installer), but I always get 407 and the agents are not able to connect to the server (and therefore do not appear as devices).

I recommend checking it with support.

> On 7/14/2023 at 2:14 PM, SALC said:
> 4) The cloud option is quite expensive compared to the price we are paying at the moment (minimum 100 nodes, +-3600K for 1 year).

Sure, the cloud license brings some additional costs, but many benefits as well, like not needing to host the EP infrastructure and not needing to keep it updated / maintained.

> On 7/14/2023 at 2:14 PM, SALC said:
> 5) When you say teams are taking care of it, do you mean the service itself or some other security around it? I do not like the idea of having this service publicly available (even with 2FA).

I meant the proxies in this case 🙂

Additional details on the EP server <-> agent communication can be found in the posts by MartinK:

https://forum.eset.com/topic/27187-securing-port-2222-on-sonicwall-firewall-to-allow-remote-connections-to-esmc-server-on-premise/
https://forum.eset.com/topic/29496-public-facing-esmc-port-2222/
https://forum.eset.com/topic/24859-management-protocol-reverse-proxy/

Peter