Anto33, posted March 2, 2015:

We are currently in the process of upgrading to ERA 6, but we are struggling to find a way to make the update process work as it did before, like this: hxxp://SERVERNAME:2221. Unfortunately the current documentation lacks information about how to proceed. We don't want every workstation in our network to update from the internet, as it would add additional bandwidth usage. We have been going around every aspect of the ERA 6 web page trying to find a way to enable this feature, without success. Can anyone here help us with this?

Another thing that we were using with ESET NOD 5.X was the dual update profile. We used this for our laptop users. When they were in our network, NOD would use the ERA server to update (hxxp://SERVER:2221), but when they are out of our network, it would switch to the online ESET server update method. Again, I am unable to find documentation for this that was present for the 4.X or 5.X versions.
Marcos (Administrator), posted March 3, 2015:

To create a local mirror, you'll need to use Endpoint v6. ERA v6 no longer supports creation of a mirror; however, it comes with Apache HTTP proxy, which you can use to cache update files as they are downloaded by Endpoint v6 clients from ESET's servers.
Anto33 (Author), posted March 3, 2015:

Is there a link somewhere or a PDF documentation where I can find how to do what you are telling me? If I understand you correctly:

- I need to have a workstation running ESET Endpoint Antivirus 6 that gets the latest definitions online. (Can it be installed on the server appliance itself?)
- Find a way with some scheduled task to upload the virus definitions to the ERA server.
- Install and configure Apache on the ERA server appliance manually.
- Allow port 2221 through the firewall.
- With a policy, set the update server to hxxp://SERVERNAME:2221 on the client workstations.

Is there a reason why this has been complexified? It seems very unlikely that a respectable antivirus server is unable to update its own clients... Why would it need to rely on an external ESET product? What if the link between these two is severed... no more updates... We would then need some kind of surveillance that tells us if the definitions are still being downloaded and transferred to the ERA 6 server. Thank you.
Phydeauxdawg, posted March 3, 2015:

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3637&actp=search&viewlocale=en_US&searchid=1425404913962
hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3639&actp=search&viewlocale=en_US&searchid=1425404913962
Marcos (Administrator), posted March 3, 2015:

> Is there a reason why this has been complexified? It seems very unlikely that a respectable antivirus server is unable to update its own clients... Why would it need to rely on an external ESET product? What if the link between these two is severed... no more updates...

It hasn't been complexified, although it may seem so at first glance. The main role of ERA is to manage Endpoint clients, not to take care of distributing updates and doing other unnecessary stuff. Therefore various functionalities have been split into several components as of ERA/Endpoint v6. Instead of the small HTTP server previously integrated in ERA, you can now take advantage of Apache HTTP proxy, which has several advantages over the previous solution. Unlike ERA v5, Apache HTTP proxy doesn't download all available update files (380-400 files) but caches those that are actually downloaded by clients. It's also much more powerful, as the number of systems updating at a time from the mirror was limited in older versions, which might have caused issues in large networks. Still, those who want to use the standard mirror can enable the mirror function in Endpoint v6.
Anto33 (Author), posted March 3, 2015:

> hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3637&actp=search&viewlocale=en_US&searchid=1425404913962
> hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3639&actp=search&viewlocale=en_US&searchid=1425404913962

Thank you for these articles. Can you let me know if there is a Linux (CentOS) procedure for this Apache proxy? I would like to be able to regroup everything on the ERA 6 appliance if possible... If I understand the current method described in these documents, we need a 2nd machine running this Apache, and it needs to be a Windows OS.
Phydeauxdawg, posted March 3, 2015:

I couldn't find one either, though I don't think there's anything special about ESET's version; just find a setup guide on Apache HTTP proxy. For what it's worth, if you're running the appliance, it's already installed in /opt/apache. Just start it using "/opt/apache/bin/apachectl start". You also have to open a port in the firewall (3128). Perhaps someone from ESET can clarify how to make it start on boot, in addition to a permanent entry for iptables? "iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT" works until reboot. Editing /etc/iptables isn't permanent either.
Anto33 (Author), posted March 3, 2015:

From what I can see in the following docs: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3589

> Apache HTTP Proxy: This will install the Apache HTTP Proxy service, which caches and distributes updates and installation packages to client computers on your network (similar to the mirror in ESET Remote Administrator 5.x).

So this feature actually exists, but for the users who install the Windows version. Am I correct? This means that the actual appliance is not as "complete" as the Windows ERA version, which allows us to install Apache HTTP Proxy??
Phydeauxdawg, posted March 3, 2015:

There isn't a KB article about HTTP proxy for CentOS or the appliance, but the appliance already has it installed; it just needs to be started.
Anto33 (Author), posted March 3, 2015:

> There isn't a KB article about HTTP proxy for CentOS or the appliance, but the appliance already has it installed; it just needs to be started.

OK, have you been able to do so? And get it to fetch all the updates required?
Phydeauxdawg, posted March 4, 2015:

All I did was run "/opt/apache/bin/apachectl start". I then checked the log files in the same location, and they show a lot of accesses from client computers for update checks as well as software upgrades (I pushed out a client upgrade). Watching my web filter traffic shows that there is a great reduction in the number of clients accessing eset.com. It isn't easy to discern if all traffic has stopped, as some use IP addresses instead of *.eset.com. No idea why; must be random from the client end. We still need someone from ESET to create a KB article on this to determine if it's the best practice. I haven't had time yet, but from past experience it's not difficult to create this as a "service" so it can be started on boot.
Phydeauxdawg, posted March 4, 2015:

I should also note there isn't any additional configuration necessary; Apache will cache any request it sees, so most subsequent requests pull from its cache rather than the internet.
Anto33 (Author), posted March 4, 2015:

> All I did was run "/opt/apache/bin/apachectl start". I then checked the log files in the same location, and they show a lot of accesses from client computers for update checks as well as software upgrades (I pushed out a client upgrade). Watching my web filter traffic shows that there is a great reduction in the number of clients accessing eset.com. It isn't easy to discern if all traffic has stopped, as some use IP addresses instead of *.eset.com. No idea why; must be random from the client end. We still need someone from ESET to create a KB article on this to determine if it's the best practice. I haven't had time yet, but from past experience it's not difficult to create this as a "service" so it can be started on boot.

Thank you Phydeauxdawg. Do you have a couple of screenshots or a couple of steps to be able to get this to work? I don't really know where to start... I started the Apache server on the appliance... opened the ports... but what else? We probably need some configuration to ask the server to get the updates, right? And for the configuration of the clients? Where have you set the server to be used? In the mandatory section?
Phydeauxdawg, posted March 4, 2015:

Follow step II in this KB article: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3637&actp=search&viewlocale=en_US&searchid=1425404913962

There isn't anything you need to do on the server; a proxy server just does that, it proxies (caches) requests from clients. So when client A requests an update, it goes to the proxy server and asks for a file from eset.com. The proxy server will check its own cache to see if it already has it and deliver it to the client. If it doesn't, it grabs it from eset.com, caches it, and distributes it to the client. So when client B requests the same file, it should already be cached. This is a different process from the 5.x version, where it had a mirror of the updates. It's a similar process but less involved on the server side.
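The two posts above (the log files under /opt/apache showing client accesses, and the client A / client B cache walkthrough) are what a practitioner would want to verify from the proxy's own access log. The following script is an added example, not code from the thread or from ESET: it summarises a forward-proxy access log to show how many client requests were served against how many distinct files the proxy could have needed upstream, and it flags requests whose destination is outside the update domain, since a proxy that "will cache any request it sees" is also usable by clients for unrelated sites. It assumes Apache's common log format (a forward proxy records the absolute request URL in the request line), an allowed domain of eset.com, and a log path under /opt/apache; all addresses, hostnames and paths in the sample are constructed.

```shell
#!/bin/sh
# Added example (not ESET's code or the poster's): summarise a forward-proxy
# access log to see the effect of the caching proxy and to spot clients using
# it for destinations other than the update servers.
# Assumes Apache's common log format with the absolute request URL in field 7.
# All hosts, addresses and paths below are constructed sample data.

UPDATE_DOMAIN="eset.com"   # assumption: the only domain the proxy is meant to serve

# Constructed sample: clients .11 and .12 fetch the same two files (the second
# fetch of each can be answered from cache); client .13 also uses the proxy to
# reach an unrelated site.
SAMPLE_LOG='10.0.0.11 - - [04/Mar/2015:09:00:01 +0000] "GET http://update.eset.com/upd/update.ver HTTP/1.1" 200 2048
10.0.0.11 - - [04/Mar/2015:09:00:02 +0000] "GET http://update.eset.com/upd/module1.bin HTTP/1.1" 200 65536
10.0.0.12 - - [04/Mar/2015:09:05:01 +0000] "GET http://update.eset.com/upd/update.ver HTTP/1.1" 200 2048
10.0.0.12 - - [04/Mar/2015:09:05:02 +0000] "GET http://update.eset.com/upd/module1.bin HTTP/1.1" 200 65536
10.0.0.13 - - [04/Mar/2015:09:10:00 +0000] "GET http://update.eset.com/upd/update.ver HTTP/1.1" 200 2048
10.0.0.13 - - [04/Mar/2015:09:11:00 +0000] "GET http://www.example.org/index.html HTTP/1.1" 200 512'

# count_requests LOG: total request lines.
count_requests() {
    printf '%s\n' "$1" | grep -c .
}

# count_clients LOG: distinct client addresses (field 1).
count_clients() {
    printf '%s\n' "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# count_distinct_urls LOG: distinct URLs (field 7). With a warm cache this is
# the most the proxy has to fetch upstream; every repeat is a cache candidate.
count_distinct_urls() {
    printf '%s\n' "$1" | awk '{ print $7 }' | sort -u | wc -l | tr -d ' '
}

# offdomain_requests LOG: print the lines whose destination host is neither
# UPDATE_DOMAIN itself nor a subdomain of it.
offdomain_requests() {
    printf '%s\n' "$1" | awk -v dom="$UPDATE_DOMAIN" '
        {
            host = $7
            sub(/^[A-Za-z]+:\/\//, "", host)   # strip the scheme
            sub(/[\/:].*$/, "", host)          # strip path and port
            n = length(dom)
            if (host != dom && substr(host, length(host) - n) != "." dom) print
        }'
}

# proxy_log_summary LOG: one-line summary for a quick look at the log.
proxy_log_summary() {
    printf 'requests=%s clients=%s distinct_urls=%s offdomain=%s\n' \
        "$(count_requests "$1")" "$(count_clients "$1")" \
        "$(count_distinct_urls "$1")" \
        "$(offdomain_requests "$1" | grep -c .)"
}

proxy_log_summary "$SAMPLE_LOG"
# On the appliance (assumed log location under /opt/apache):
# proxy_log_summary "$(cat /opt/apache/logs/access_log)"
```

On the sample, six requests from three clients cover only three distinct URLs, which is the reduction in eset.com traffic the earlier post observed; the one off-domain line is the kind of entry worth reviewing, since nothing in the default setup restricts which hosts the proxy will fetch on a client's behalf.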
Anto33 (Author), posted March 4, 2015 (edited), marked as solution:

Hi,

Just letting you guys know that I have been able to test 2 ways of getting the updates to our workstations without always going over the internet.

1st way (thanks to Phydeauxdawg):

- Open the ports and allow them to pass through the firewall. Run the following commands:

iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT
service iptables save

EDIT: I don't know why, but I think ESET has a script overwriting all the iptables information at boot, located in /root/firewall.sh, so if you put the following entries in this script it will work even after a reboot is performed:

iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT

- Now that the changes are made to the iptables file, you have to restart the service and save the settings in case of a reboot:

service iptables restart

- Now we have to start the Apache service and make sure it starts when you reboot the server.

1- Start the service:

/opt/apache/bin/apachectl start

2- Create an entry in /etc/init.d/ for the startup:

touch /etc/init.d/apache2
chmod 755 /etc/init.d/apache2
vi /etc/init.d/apache2 (what to add is below this section)
chkconfig --add apache2
chkconfig --list apache2

Here's the content of the apache2 file that you need to add:

#!/bin/bash
#
# apache2 Startup script for the Apache HTTP Server
#
# chkconfig: 3 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.

# Pass the init action (start, stop, restart, ...) straight to apachectl.
/opt/apache/bin/apachectl "$@"

This was for the server part.
- For the workstation configuration, you have to go to Advanced Configuration -> Update -> HTTP Proxy. You also need to enter your proxy address and port (no need for a password unless you have enabled auth for your Apache server).

- 2nd way to limit internet traffic is with the mirror option. On the host that will hold the latest virus definitions (install an Endpoint Antivirus or Endpoint Security product):

Advanced Configuration -> Update -> Mirror
Enable update mirror
You can leave the default folder for the definition files, and you can set a password if you want to.

- In the HTTP server section below, you can choose a port for your mirror server (I used the default port 2221).

- On the workstation (with policies or manually), you have to configure the update server:

Advanced Configuration -> Update -> General
Update server: hxxp://SERVERNAME:2221 (or the port that you specified)
In the Update from mirror section: enter the credentials that you specified on the host that holds the latest virus definitions.

This covers most of the steps I used to get this working. Hope it helps!

Edited March 4, 2015 by Anto33
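The server-side steps in the solution above have two prerequisites that the thread shows can silently fail after a reboot: the iptables ACCEPT rule for port 3128 must actually be active, and Apache must be listening on that port. The script below is an added check, not code from the thread or from ESET, that a practitioner would keep on the appliance to confirm both. Its functions take command output as text, so the block runs offline here against constructed samples; on the appliance you would feed them the live output of iptables -S INPUT and ss -ltn (assumptions: both tools are present, and the proxy port is 3128 as in the thread).

```shell
#!/bin/sh
# Added example (not ESET's code): verify the Apache HTTP proxy prerequisites
# from the thread are in place, e.g. after a reboot of the appliance.
# Assumptions: iptables and ss are available; the proxy listens on 3128.

PROXY_PORT=3128

# has_accept_rule PORT RULES: succeed if RULES (text of `iptables -S INPUT`)
# contains an ACCEPT rule for tcp destination port PORT.
has_accept_rule() {
    port="$1"
    rules="$2"
    printf '%s\n' "$rules" \
        | grep -E -- "-p tcp .*--dport ${port}( |$)" \
        | grep -q -- '-j ACCEPT'
}

# is_listening PORT LISTENERS: succeed if LISTENERS (text of `ss -ltn`) shows
# a TCP socket in LISTEN state bound to PORT on any address.
is_listening() {
    port="$1"
    listeners="$2"
    printf '%s\n' "$listeners" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # "*:3128" or "0.0.0.0:3128"
            if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_proxy_setup PORT RULES LISTENERS: print one line per check and
# succeed only if both checks pass.
check_proxy_setup() {
    port="$1"
    ok=0
    if has_accept_rule "$port" "$2"; then
        echo "firewall: ACCEPT rule for tcp/$port present"
    else
        echo "firewall: NO ACCEPT rule for tcp/$port (rule did not persist?)"
        ok=1
    fi
    if is_listening "$port" "$3"; then
        echo "apache:   listening on tcp/$port"
    else
        echo "apache:   nothing listening on tcp/$port (apachectl start?)"
        ok=1
    fi
    return "$ok"
}

# Constructed sample outputs for an offline run.
SAMPLE_RULES_OK='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT'
SAMPLE_RULES_MISSING='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      128    *:3128             *:*'

check_proxy_setup "$PROXY_PORT" "$SAMPLE_RULES_OK" "$SAMPLE_SS"
# Live check on the appliance instead of the samples:
# check_proxy_setup "$PROXY_PORT" "$(iptables -S INPUT)" "$(ss -ltn)"
```

Run the live form right after a reboot: a failing firewall line reproduces the symptom reported later in the thread (rule gone until the iptables commands are re-run), and a failing apache line means the init.d entry did not start apachectl.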
Anto33 (Author), posted March 5, 2015:

Anyone? For the 2nd concern of my topic? DUAL profile? There was documentation for the 4.X and 5.X versions. I am unable to find something like this for the 6.X version. The purpose of this DUAL profile setup is for our laptop users that are not always inside our offices. So they need to be able to get the definitions another way... Has anyone been able to do this?
Marcos (Administrator), posted March 6, 2015:

> Anyone? For the 2nd concern of my topic? DUAL profile? There was documentation for the 4.X and 5.X versions. I am unable to find something like this for the 6.X version. The purpose of this DUAL profile setup is for our laptop users that are not always inside our offices. So they need to be able to get the definitions another way...

It works the same way in v6 as in older versions. Basically you create the desired update profiles and then edit an update task. The wizard will ask you to select the primary and secondary update profile.

Next time, please discuss only one issue in a topic so as not to mix more things together. Also, marking a particular reply as best answer would be a problem, as there cannot be 2 best answers in a topic.
Anto33 (Author), posted March 6, 2015 (edited):

Hi Marcos,

Can you explain in detail the process of creating a dual profile configuration? I don't have any wizard asking me for a primary or secondary profile... (Note that I use the appliance... maybe there is no wizard in the appliance ERA 6.) I can confirm that I can create multiple update profiles, but how do I determine which one is the primary and which one is the secondary???

Here's what we want to do:

- Create a primary profile that will use the appliance HTTP proxy to get the updates for the users inside our network.
- Create a secondary profile that will get the updates through the internet, bypassing the proxy, because it won't be available when the users are out of the office with their laptops.

Thank you.

Edited March 6, 2015 by Anto33
Marcos (Administrator), posted March 7, 2015:

Below is a screenshot of the Update wizard when editing an update task in Scheduler: (screenshot attached in the original post)
Anto33 (Author), posted March 11, 2015:

Thank you. I wasn't looking in the scheduler section. I was looking into the update section.
bbahes, posted March 25, 2015:

> Is there a reason why this has been complexified? It seems very unlikely that a respectable antivirus server is unable to update its own clients... Why would it need to rely on an external ESET product? What if the link between these two is severed... no more updates...

> It hasn't been complexified, although it may seem so at first glance. The main role of ERA is to manage Endpoint clients, not to take care of distributing updates and doing other unnecessary stuff. Therefore various functionalities have been split into several components as of ERA/Endpoint v6. Instead of the small HTTP server previously integrated in ERA, you can now take advantage of Apache HTTP proxy, which has several advantages over the previous solution. Unlike ERA v5, Apache HTTP proxy doesn't download all available update files (380-400 files) but caches those that are actually downloaded by clients. It's also much more powerful, as the number of systems updating at a time from the mirror was limited in older versions, which might have caused issues in large networks. Still, those who want to use the standard mirror can enable the mirror function in Endpoint v6.

If I can't control from the server side the updates that clients are getting, then this is a major design fault. The people who suggest that the server caches antivirus databases from clients have no knowledge of security. Also, our environment prevents clients from accessing the Internet or restricts them to specific content. If this will not change soon, I will have to change antivirus solution next year. I plan to stay on ERA v5 until then. I also have a few friends who share the same thought.
Marcos (Administrator), posted March 25, 2015:

> If I can't control from the server side the updates that clients are getting, then this is a major design fault. The people who suggest that the server caches antivirus databases from clients have no knowledge of security. Also, our environment prevents clients from accessing the Internet or restricts them to specific content. If this will not change soon, I will have to change antivirus solution next year. I plan to stay on ERA v5 until then. I also have a few friends who share the same thought.

How do you control updates with ERA5? Even after upgrading to v6, you can create a mirror like with v5 using a v6 Endpoint product.
bbahes, posted March 25, 2015:

> How do you control updates with ERA5? Even after upgrading to v6, you can create a mirror like with v5 using a v6 Endpoint product.

At the moment my antivirus server machine is the single machine on the network that can get updates from your servers. This gives me control over what the current version is on your side, my server and the clients. Also, I can change the update port that clients use, since they don't access the Internet.
bbahes, posted March 25, 2015:

> How do you control updates with ERA5? Even after upgrading to v6, you can create a mirror like with v5 using a v6 Endpoint product.

Might I just add that even though I have moderate knowledge of using Linux servers, I have never seen such a complicated process for creating an update server for antivirus clients. This has to be a GUI wizard based process that takes place during installation of the product, or later during the first start of the service.
Ivart Filho, posted April 13, 2015 (edited):

Please help with the iptables rules.

> EDIT: I don't know why, but I think ESET has a script overwriting all the iptables information at boot, located in /root/firewall.sh, so if you put the following entries in this script it will work even after a reboot is performed:
> iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
> iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT

The second line generates an error:

[root@era ~]# iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3128 -j ACCEPT
iptables: No chain/target/match by that name.

And I put these lines in /root/firewall.sh, and after reboot port 3128 was blocked; I have to execute the iptables commands again and restart it.

Edited April 13, 2015 by Ivart Filho