Jump to content

Virtual Appliance Multiple Domains and other issues


declen

Recommended Posts

I am in the process of deploying 6.x.  I like some of it and hate other parts of it.  Such as not being able to search for groups by typing the name in and it doing a lookup.  I also have multiple domains and it appears to be if I use the Virtual Appliance I will be unable to configure those machines and add sync tasks as it won't connect to the other domains when I try and do a lookup.  Also, it seems once I get it joined to one domain and the sync job runs it stops working after the first time.  This also occurred on a Windows Build.  Anyone else having this trouble?

 

I know a lot of people are not liking the new version and I am having some reservations about upgrading it.  I have to deploy this to 6,000+ machines and utilizing the all the virtual appliances is awesome but I can't get the ERA to work properly.  Also, kind of upsetting I can't import over all my existing policies.  I need some assistance as some of the documentation is terrible and setting up a policy for proxy is confusing between the Proxy client (mirror on virtual appliance) compared to proxy for internet access.  I also read about agent-less for Virtual Infrastructure and using the virtual appliance and local shared cache to scan the VMs so you just put it on the host?  I can't find anything about it.  Sounds like Trend Micro's deep security where you put an agent on the host and it will scan the guests for you.  I can't find anything on this either.  Anyone have some thoughts?

Link to post
Share on other sites
  • ESET Staff

To support multiple domains in one ERA Server Appliance, just edit /etc/krb5.conf and add additional domains to it. It should be straightforward.

I am not sure why synchronisation stops working, there should be exact error in server trace log regarding synchronisation at: /var/log/eset/RemoteAdministrator/Server/trace.log

 

For configuring proxy policies, please see hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3637, part II. Part I, can be skipped as HTTP caching proxy is included in the appliance, but needs to be enabled during deployment.

To improve virtual machines performance during scanning there is ESET Shared Local Cache. Virtual machines protection by single appliance for each VM host instead of each machine is still in the works.

Link to post
Share on other sites

I am not familiar enough with linux to know how I need to modify the krb5.conf to include additional details.  I also haven't been able to find anything that is really clear.  Can you provide some additional details?  I was able to resolve my issue with services and tasks failure by just rebuilding the box.

 

Right now I see the agents are discovering all my machines in the correct domain and my other domain in my subnet.  I need to be able to import though from my other domain and manage them through the console on the appliance.  I believe once I update the krb5.conf I should be fine but I need to know how to do that....

Link to post
Share on other sites
  • ESET Staff

You need to connect to your ERA Server Appliance either through SSH as 'root' or directly on appliance enter terminal by entering Management Mode and then Exit Console. Then type 'nano /etc/krb5.conf'. Then edit the file to look similar to this:

[libdefaults]
        default_realm = DOMAIN1.LOCAL
        ticket_lifetime = 24h
        forwardable = yes

[realms]
DOMAIN1.LOCAL = {
        kdc = dc.domain1.local
}

DOMAIN2.LOCAL = {
        kdc = dc.domain2.local
}

[domain_realm]
        .domain1.local = DOMAIN1.LOCAL
        .domain2.local = DOMAIN2.LOCAL

After you save Kerberos configuration, issue this command 'kdestroy' to clear any already issued tickets.

 

Then go to the Server tasks section in ERA web console and create synchronisation task. This task will do a synchronisation with the other domain controller, so SERVER field will point to 'dc.domain2.local', LOGIN will be set to 'Administrator@DOMAIN2.LOCAL' and PASSWORD will be set to correct password. It is important to specify the user with the domain as he is not from default realm (DOMAIN1.LOCAL). The click Browse button to verify that you can connect. If you will need to perform synchronisation from different domain then you will need to call 'kdestroy' command again.

 

I just tried these steps and they worked.

Link to post
Share on other sites

This worked.  I hope this finishes pulling in my clients from our old domain and and resolves them to name rather that IP.   This helped so much.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...