
Setting up client updates with ESET 6.X


Solved by Anto33


We are currently in the process of upgrading to ERA 6, but we are struggling to find a way to keep the update process working as it was before.

 

Like this:

hxxp://SERVERNAME:2221

 

Unfortunately the current documentation lacks information about how to proceed.

 

We don't want every workstation in our network to update from the internet, as it would add additional bandwidth usage.

 

We have been going around every aspect of the ERA 6 web page trying to find a way to enable this feature, without success. Can anyone here help us with this?

 

Another thing that we were using with Eset NOD 5.X was the dual update profile.

 

We used this for our laptop users. When they were in our network, NOD would use the ERA server to update (hxxp://SERVER:2221), but when they were out of our network, it would switch to the online ESET server update method.

 

Again, I am unable to find documentation for this, which was present for the 4.X or 5.X versions.

 

 


  • Administrators

To create a local mirror, you'll need to use Endpoint v6. ERA v6 no longer supports creation of a mirror, however, it comes with Apache HTTP proxy that you can use to cache update files as they are downloaded by Endpoint v6 clients from ESET's servers.


Is there a link somewhere, or PDF documentation, where I can find how to do what you are telling me?

 

If I understand you correctly:

 

- I need to have a workstation running ESET Endpoint Antivirus 6 that gets the latest definitions online. (Can it be installed on the server appliance itself?)

- Find a way with some scheduled task to upload the virus definitions to the ERA server.

- Install and configure Apache on the ERA server appliance manually.

- Allow port 2221 through the firewall.

- With a policy, set the update server to hxxp://SERVERNAME:2221 on the client workstations.

 

 

Is there a reason why this has been complexified? It seems very unlikely that a respectable antivirus server is unable to update its own clients... Why would it need to rely on an external ESET product? What if the link between these two is severed... no more updates...

 

We would then need some kind of surveillance that tells us whether the definitions are still being downloaded and transferred to the ERA 6 server.

 

Thank you.

 

:(


  • Administrators

It hasn't been complexified, although it may seem so at first glance. The main role of ERA is to manage Endpoint clients, not to take care of distributing updates and doing other unnecessary stuff. Therefore various functionalities have been split into several components as of ERA/Endpoint v6.

Instead of the small http server previously integrated in ERA, now you can take advantage of Apache HTTP proxy which has several advantages over the previous solution. Unlike ERAv5, Apache HTTP proxy doesn't download all available update files (380-400 files) but it caches those that are actually downloaded by clients. It's also much more powerful as the number of systems updating at a time from the mirror was limited in older versions which might have caused issues in large networks.

Still, those who want to use the standard mirror can enable the mirror function in Endpoint v6.


Thank you for these articles.

 

Can you let me know if there is a Linux (CentOS) procedure for this Apache proxy?

I would like to be able to regroup everything on the ERA 6 Appliance if possible...

 

If I understand the method described in these documents, we need a second machine running this Apache proxy, and it needs to be a Windows OS.


I couldn't find one either, though I don't think there's anything special about ESET's version; just find a setup guide on Apache HTTP proxy. For what it's worth, if you're running the appliance, it's already installed in /opt/apache. Just start it using "/opt/apache/bin/apachectl start". You also have to open a port in the firewall (3128). Perhaps someone from ESET can clarify how to make it start on boot, in addition to a permanent entry for iptables? "iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT" works until reboot. Editing /etc/iptables isn't permanent either.


From what I can see in the following docs: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3589

->

Apache HTTP Proxy: This will install the Apache HTTP Proxy service, which caches and distributes updates and installation packages to client computers on your network (similar to the mirror in ESET Remote Administrator 5.x).

 

So this feature actually exists, but only for users who install the Windows version. Am I correct?

This means that the appliance is not as "complete" as the Windows ERA version, which allows us to install Apache HTTP Proxy?


There isn't a KB article about HTTP proxy for CentOS or the appliance, but the appliance already has it installed; it just needs to be started.

 

 

OK, have you been able to do so?

And get it to fetch all the required updates?


All I did was run "/opt/apache/bin/apachectl start"  I then checked the log files in the same location and it shows a lot of accesses from client computers for update checks as well as software upgrades (I pushed out a client upgrade).  Watching my webfilter traffic shows that there is a great reduction in the number of clients accessing eset.com.  It isn't easy to discern if all traffic had stopped as some use IP addresses instead of *.eset.com.  No idea why, must be random from the client end.

We still need someone from ESET to create this KB article on this to determine if it's the best practice.  I haven't had time yet but from past experiences it's not difficult to create this as a "service" so it can be started on boot.


I should also note there isn't any additional configuration necessary, Apache will cache any request it sees so most subsequent requests pull from its cache rather than the internet.

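Following up on the two posts above (checking the Apache log files for client accesses, and the note that nothing else needs configuring), here is an added example of the kind of check the thread starter asked for earlier: a small report over Apache's access log showing how many distinct clients are using the proxy, which upstream hosts they fetch from, how many bytes the appliance delivered and how many requests failed. This is my own script written for this page, not Phydeauxdawg's commands and not anything shipped with the appliance. The log lines are constructed to look like the common log format Apache writes for proxied GETs; the hostnames and file names are placeholders rather than real ESET update URLs, and the path /opt/apache/logs/access_log is an assumption based on the post above, which only says the logs sit in the same location as the binary.

```shell
#!/bin/sh
# Added example: summarise a forward-proxy access log. Run as
#   sh proxy_report.sh < /opt/apache/logs/access_log   (path is an assumption)
# or edit the last line to feed it a live log; by default it uses the sample.

# Constructed sample in Apache common log format. For a forward proxy the
# request line carries the absolute URL, so the upstream host is in field 7.
# Hosts, paths and sizes are placeholders, not real ESET update URLs.
SAMPLE_LOG='10.0.0.11 - - [10/Mar/2015:09:00:01 +0100] "GET http://update.example.com/eset_upd/update.ver HTTP/1.1" 200 3120
10.0.0.12 - - [10/Mar/2015:09:00:03 +0100] "GET http://update.example.com/eset_upd/update.ver HTTP/1.1" 200 3120
10.0.0.11 - - [10/Mar/2015:09:00:04 +0100] "GET http://update.example.com/eset_upd/module1.nup HTTP/1.1" 200 418233
10.0.0.13 - - [10/Mar/2015:09:00:09 +0100] "GET http://update.example.com/eset_upd/module1.nup HTTP/1.1" 200 418233
10.0.0.13 - - [10/Mar/2015:09:01:15 +0100] "GET http://repository.example.com/apps/endpoint/installer.msi HTTP/1.1" 200 90211123
10.0.0.12 - - [10/Mar/2015:09:02:00 +0100] "GET http://update.example.com/eset_upd/missing.nup HTTP/1.1" 404 512'

# Number of distinct client addresses seen (field 1). Reads the log on stdin.
unique_clients() {
    awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Requests per upstream host, most requested first. The URL in field 7 is
# split on "/", so "http://host/path" yields the host as the third piece.
requests_per_host() {
    awk '{ if (split($7, p, "/") >= 3) hosts[p[3]]++ }
         END { for (h in hosts) print hosts[h], h }' | sort -rn
}

# Requests answered with a 4xx/5xx status (field 9); a steady stream of
# these from every client usually means the upstream path has changed.
failed_requests() {
    awk '$9 >= 400 { n++ } END { print n + 0 }'
}

# Bytes delivered to clients by the proxy (field 10), whether served from
# cache or fetched upstream; compare with the upstream traffic on the perimeter.
bytes_served() {
    awk '{ b += $10 } END { printf "%d\n", b }'
}

# Print the whole report for the log given on stdin.
proxy_report() {
    log=$(cat)
    printf 'distinct clients : %s\n' "$(printf '%s\n' "$log" | unique_clients)"
    printf 'failed requests  : %s\n' "$(printf '%s\n' "$log" | failed_requests)"
    printf 'bytes served     : %s\n' "$(printf '%s\n' "$log" | bytes_served)"
    printf 'requests per upstream host:\n'
    printf '%s\n' "$log" | requests_per_host | sed 's/^/  /'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | proxy_report
```

If the distinct-client count stays far below the number of endpoints the policy was pushed to, the clients are still going to eset.com directly; if it matches but the perimeter still shows every endpoint talking upstream, the proxy is being consulted but not caching.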

Thank you Phydeauxdawg.

 

Do you have a couple of screenshots or a couple of steps to be able to get this to work... I don't really know where to start...

I started the Apache server on the appliance... opened the ports... but what else?

We probably need some configuration to ask the server to get the updates, right?

And for the configuration of the clients? Where have you set the server to be used?

In the mandatory section?


Follow step II in this KB article: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3637&actp=search&viewlocale=en_US&searchid=1425404913962

There isn't anything you need to do on the server; a proxy server just does that, it proxies (caches) requests from clients. So when client A requests an update, it goes to the proxy server and asks for a file from eset.com. The proxy server will check its own cache to see if it already has it and deliver it to the client. If it doesn't, it grabs it from eset.com, caches it, and distributes it to the client. So when client B requests the same file, it should already be cached.

This is a different process from the 5.x version, where it had a mirror of the updates. It's a similar process but less involved on the server side.


  • Solution

Hi,

 

Just letting you guys know that I have been able to test two ways of getting the updates to our workstations without always going over the internet.

 

1st way (thanks to Phydeauxdawg):

- Open the port and allow it through the firewall by running the following commands:

iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
# only on systems where the RH-Firewall-1-INPUT chain exists; otherwise skip this line
iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT

service iptables save

 

EDIT: I don't know why, but I think ESET has a script located at /root/firewall.sh that overwrites all the iptables information at boot, so if you put the following entries in this script it will work even after a reboot is performed:

iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
# only on systems where the RH-Firewall-1-INPUT chain exists; otherwise skip this line
iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT

 

 

- Now that the changes are made to the iptables file, you have to restart the service and save the settings in case of a reboot:

service iptables restart

 

 

- Now we have to start the Apache service and make sure it starts when you reboot the server.

1- start the service

/opt/apache/bin/apachectl start

2- Create an entry in /etc/init.d/ for the startup :

 

touch /etc/init.d/apache2

chmod 755 /etc/init.d/apache2

vi /etc/init.d/apache2 (what to add is below this section)

chkconfig --add apache2

chkconfig --list apache2

 

Here's the content of the apache2 file that you need to add:

#!/bin/bash
#
# apache2        Startup script for the Apache HTTP Server
#
# chkconfig: 3 85 15
# description: Apache is a World Wide Web server.  It is used to serve \
#              HTML files and CGI.
#
# The chkconfig line means: enabled in runlevel 3, start priority 85, stop priority 15.
# Every argument (start, stop, restart, status, ...) is passed straight to apachectl.

exec /opt/apache/bin/apachectl "$@"

This was for the server part.

 

- For the workstation configuration, you have to go to Advanced Configuration -> Update -> HTTP Proxy

You also need to enter your proxy address and port (no need for a password unless you have enabled authentication on your Apache server).

 

- The 2nd way to limit internet traffic is with the mirror option.

On the host that will hold the latest virus definitions (install an Endpoint Antivirus or Endpoint Security product):

Advanced Configuration -> Update -> Mirror

Enable update mirror

You can leave the default folder for the definition files and you can set a password if you want to.

 

- In the HTTP server section below, you can choose a port for your mirror server (I used the default port 2221).

 

- On the workstation (with policies or manually), you have to configure the update server:

Advanced Configuration -> Update -> General

Update server: hxxp://SERVERNAME:2221 (or the port that you specified)

 

In the Update from mirror section :

Enter the credentials that you specified on the host that holds the latest virus definitions.

 

This covers most of the steps I used to get this working.

 

Hope it helps !

Edited by Anto33

Anyone? For the 2nd concern of my topic? DUAL profile?

There was documentation for the 4.X and 5.X versions. I am unable to find something like this for the 6.X version.

The purpose of this DUAL profile setup is for our laptop users that are not always inside our offices. So they need to be able to get the definitions another way...

Has anyone been able to do this?


  • Administrators

It works the same way in v6 as in older versions. Basically you create the desired update profiles and then edit an update task. The wizard will ask you to select the primary and secondary update profile. Next time, please discuss only one issue in a topic so as not to mix more things together. Also marking a particular reply as best answer would be a problem as there cannot be 2 best answers in a topic :)


Hi Marcos,

 

Can you explain in detail the process of creating a dual profile configuration?

I don't have any wizard asking me for a primary or secondary profile... (Note that I use the appliance... maybe there is no wizard in the appliance ERA 6.)

I can confirm that I can create multiple update profiles, but how do I determine which one is the primary and which one is the secondary?

 

Here's what we want to do...

 

- Create a primary profile that will use the Appliance HTTP proxy to get the updates for the users inside our network.

- Create a secondary profile that will get the updates through internet bypassing the proxy because it won't be available when the users are out of the office with their laptops.

 

Thank you.

Edited by Anto33

  • 2 weeks later...

 

If I can't control from the server side the updates that clients are getting, then this is a major design fault. The people who suggest that the server caches antivirus databases from clients have no knowledge of security.

Also, our environment prevents clients from accessing the Internet or restricts them to specific content.

If this does not change soon, I will have to change antivirus solution next year. I plan to stay on ERA v5 until then. I also have a few friends who share the same thought.


  • Administrators

How do you control updates with ERA5? Even after upgrade to v6, you can create a mirror like with v5 using a v6 Endpoint product.


 

At the moment my antivirus server machine is the single machine on the network that can get updates from your servers. This gives me control over what the current version is on your side, on my server and on the clients. Also, I can change the update port that the clients use, since they don't access the Internet.


 

Might I just add that even though I have moderate knowledge of using Linux servers, I have never seen such a complicated process for creating an update server for antivirus clients. This has to be a GUI wizard-based process that takes place during installation of the product, or later during the first start of the service.


  • 3 weeks later...

Please help with iptables rules

 

EDIT: i don't know why but i think eset has a script overwriting all the iptable information at boot located in /root/firewall.sh so if you put the following entries in this script it will work even after a reboot is performed :

iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT

 

The second line generates an error:

[root@era ~]# iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT
iptables: No chain/target/match by that name.

And I put these lines in /root/firewall.sh, and after a reboot port 3128 was blocked; I had to execute the iptables commands again and restart it.
Edited by Ivart Filho
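Two things a practitioner would want after following the server-side steps in the accepted solution above and then hitting the post-reboot problem reported in this last post: a way to verify from an iptables-save dump that TCP/3128 is actually accepted (not just present somewhere in the chain), and a source restriction on the proxy itself, because an Apache forward proxy that is reachable on 3128 and has no access control will relay requests for anyone who can connect to it. The script below is an added example written for this page; it is not ESET's /root/firewall.sh and not the appliance's httpd.conf. The iptables-save dumps are constructed, the INPUT chain layout, the 10.0.0.0/8 and 192.168.0.0/16 ranges and the idea that the shipped httpd.conf carries no <Proxy> restriction are all assumptions to check against your own appliance; the directive names are Apache 2.4's.

```shell
#!/bin/sh
# Added example: verify the proxy port rule in an iptables-save dump and
# render a source ACL for the forward proxy. Run with no arguments to
# exercise the constructed samples below.

PROXY_PORT=3128

# Constructed iptables-save dumps. RULES_OK is what you want to see after a
# reboot, RULES_MISSING is the situation reported in the thread, and
# RULES_LATE has the rule appended (-A) after a catch-all REJECT, where it
# exists but never matches.
RULES_OK='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
RULES_MISSING='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
RULES_LATE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

# Exit 0 if the dump on stdin has an ACCEPT for TCP dport $PROXY_PORT in the
# filter table's INPUT chain before any catch-all DROP/REJECT (a rule with
# no protocol or port match); exit 1 otherwise. Live use, as root:
#   iptables-save | has_proxy_rule && echo open || echo blocked
has_proxy_rule() {
    awk -v port="$PROXY_PORT" '
        /^\*/ { table = substr($1, 2); next }        # *filter, *nat, ...
        table != "filter" || !/^-A INPUT / { next }
        / -p tcp / && $0 ~ ("--dport " port " ") && / -j ACCEPT/ { found = 1; exit }
        / -j (DROP|REJECT)( |$)/ && !/ -p / && !/--dport/ { found = 0; exit }
        END { exit(found ? 0 : 1) }'
}

# Emit an Apache 2.4 <Proxy> block that lets only the listed source networks
# use the forward proxy; ProxyRequests On without such a block makes the
# server an open proxy. Arguments: one or more CIDR ranges.
render_proxy_acl() {
    [ $# -gt 0 ] || { echo 'render_proxy_acl: need at least one CIDR' >&2; return 1; }
    for cidr in "$@"; do
        case "$cidr" in
            *[!0-9./]*|'') echo "render_proxy_acl: bad CIDR '$cidr'" >&2; return 1 ;;
        esac
    done
    printf '<Proxy "*">\n    Require ip %s\n</Proxy>\n' "$*"
}

# Demo on the constructed dumps ($1 = label, $2 = dump text).
check_dump() {
    if printf '%s\n' "$2" | has_proxy_rule; then
        echo "$1: TCP/$PROXY_PORT is accepted"
    else
        echo "$1: TCP/$PROXY_PORT is NOT reachable (rule missing or after a catch-all REJECT)"
    fi
}
check_dump "rule kept after reboot"     "$RULES_OK"
check_dump "rule missing after reboot"  "$RULES_MISSING"
check_dump "rule appended after REJECT" "$RULES_LATE"
render_proxy_acl 10.0.0.0/8 192.168.0.0/16
```

The RULES_LATE case is why a rule can show up in iptables -L and still leave 3128 blocked: whatever script rebuilds the chain at boot may end with a catch-all REJECT, and an ACCEPT appended behind it is dead. Drop the rendered <Proxy> block into the Apache configuration the appliance actually loads, with your own ranges, before opening 3128 to anything beyond the management LAN.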

This topic is now closed to further replies.