
How to deploy software to clients outside network?


ShaneDT

I've been searching but can't find an answer to this, and have tried everything that I can think of or that's obvious.

 

We have Eset Remote Administrator 6 installed with all internal network clients installed successfully with Eset Endpoint Security.

 

We have a couple of computers that are external to the network that we want to deploy from the ERA server so they report back via the agent.

 

I've opened ports 2222 and 2223 on the firewall, created an 'Agent Live Installer' on the ERA server and run this on the external client. The agent has installed successfully on the client and has reported back successfully on the server, and I can see the Agent is regularly connecting back to the server.

 

I've tried running a Client Task / Software Install task from the server to deploy the Endpoint Security software, the same as I would for an internal client, selecting the 'Repository' for the installation software. I've also tried entering a direct URL (below). Each time I try this I just get a Failed status in Details / Executions in the task properties. The direct URL link I've tried is:

hxxp://www.eset.com/int/download/thank-you-business-v6/file/12627/

 

I can't find any further information in the ERA server reports on what has failed.

 

If I check the Agent log on the external client (C:\Users\%user%\AppData\Local\Temp\ra-agent-install.log) there is no entry in the log at all since the installation of the agent. So I'm assuming the Agent on the client computer is not receiving commands from the server.

 

What do I have to do to get this to install the client software?

 

Thanks in advance for your help :)

 

Link to comment

Look in the agent log in c:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs

 

What you're doing is right. (EDIT apart from the URL, see below)

 

 

 

Jim

Edited by jimwillsher
Link to comment

  • Administrators

Are the clients configured to connect through a proxy server? If you installed the all-in-one installer and opted for installation of Apache HTTP Proxy, agent will connect via this proxy by default. You could check the agent trace log on one of the clients for possible errors as advised by jimwillsher.

Link to comment

I don't see how that direct URL is going to work, as it just points to the thank you for downloading page and then that prompts to download the installer.

 

I use this method all the time without problem but I use the direct URL of - hxxp://download.eset.com/download/win/ees/ees_nt64_enu.msi

That is for Endpoint Security 64bit version for Windows (without AV Remover - I do this through a client task using the agent before the AV is installed).

 

The direct URL needs to point to an actual installer file. I can see in your case you are using Endpoint Security x64 with AV Removal so I think your direct URL would be - hxxp://download.eset.com/download/win/ees/avremover_ees_nt64_enu.exe

 

There doesn't seem to be an .msi version of the installer with AV Remover but I can't see why it shouldn't work like the one I use.

Edited by davidpitt
Link to comment

You actually shouldn't use a direct URL at all, you should choose the package from the list when you create the software installation task. That way, the agent will choose 32bit or 64bit as appropriate.

Edited by jimwillsher
Link to comment

You actually shouldn't use a direct URL at all, you should choose the package from the list when you create the software installation task. That way, the agent will choose 32bit or 64bit as appropriate.

 

I'm not sure that is quite right, direct URL is an option, it's there to be used by people who want to use it. If Eset didn't think it was appropriate they would only allow you to browse a repository.

 

The web interface is a PIA too. Much easier to just copy/paste a URL than have to browse the online repository and then have to specify filters or browse the list manually.

 

Be nice if the console would remember the last set of filters used. Besides we only have 64bit machines so the issue of getting the architecture wrong between 32/64 would never arise.

 

Might be an issue if you were deploying across many multiple machines of varying types but the OP here was asking about deploying to individual remote machines.

Link to comment

We deploy to remote machines all the time. In fact every one of our machines is remote, as we have ERA installed off-site managing five separate customers.

 

Aside from the various dynamic groups etc, we have a "manually install ESET" task that points to the repository. When we set up a new computer we simply add the computer to that task, wait until the software instals then remove it from the task again.

 

Image attached.


Link to comment

Hi everyone thanks for your replies.

 

Are the clients configured to connect through a proxy server? If you installed the all-in-one installer and opted for installation of Apache HTTP Proxy, agent will connect via this proxy by default. You could check the agent trace log on one of the clients for possible errors as advised by jimwillsher.

 

Marcos I'm not sure that applies until after the Endpoint Security software is installed? I have configured the policy to allow downloading updates directly from the Eset servers, this is working correctly on notebook computers that are out of the office for a few days at a time.

 

It seems to me that the command to install the software isn't getting to the client. The agent is reporting back to the server though, as I can see the 'last connected' time updating regularly.

 

Jimwillsher I'll check that log on the server. Might tell me something more. Edit: Just realised I need to check that log on the client right ;)

 

Currently I only have ports 2222 & 2223 open on the firewall at the server location. This is allowing the agent to connect to the ERA server. Do I need to configure any open ports on the client firewall (i.e. Windows Firewall)? I wouldn't think I should need to? Or any other ports at the server location?

Edited by ShaneDT
Link to comment

2222 is the only one we have open (well, we use a high-numbered port, e.g. 54321, and then use PAT in the firewall to redirect to 2222). We don't have 2223 open.

 

 

I have had *some* clients which seemed to refuse to run the tasks, and I ended up reinstalling the agent - uninstall/reinstall.

Link to comment

OK, checked the log on the client, getting the following error:

Software installation failed: GetFile: Failed to connect to HTTP proxy server 'ERA server internal IP address' (port: 3128)

 

So Marcos was on the money :)

 

Anyone know how to change this on the agent side? Without affecting all other clients?

The proxy server settings are being applied to all groups at the All level. Looks like there are multiple policies applied at this level that include the same proxy server settings.

Edited by ShaneDT
Link to comment
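One way to confirm the diagnosis in the post above from the external client, as an added example (not part of the original thread and not ESET tooling): it scans the agent log directory named earlier in the thread for the proxy error and tests whether that proxy answers on TCP. The `*.log` glob, the function names and the 192.0.2.10 sample line are assumptions constructed for illustration.

```powershell
# Added example, not from the thread or from ESET. Run on the external client.
# Log directory is the one quoted in the thread; the *.log glob is an assumption.
$LogDir    = 'C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs'
$TimeoutMs = 3000

# Matches the error text quoted in the thread and captures the proxy host and port.
$pattern = "Failed to connect to HTTP proxy server '(?<host>[^']+)' \(port: (?<port>\d+)\)"

function Get-ProxyFailure {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ ProxyHost = $Matches['host']; Port = [int]$Matches['port'] }
        }
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws if the connection is refused.
        return ($client.ConnectAsync($HostName, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$lines = if (Test-Path $LogDir) {
    Get-ChildItem -Path $LogDir -Filter *.log | Get-Content
} else {
    # Constructed sample line (192.0.2.10 is a documentation-only address).
    "Software installation failed: GetFile: Failed to connect to HTTP proxy server '192.0.2.10' (port: 3128)"
}

# One row per distinct proxy named in the log, with its reachability from this machine.
Get-ProxyFailure -Lines $lines | Sort-Object ProxyHost, Port -Unique | ForEach-Object {
    [pscustomobject]@{
        Proxy     = "$($_.ProxyHost):$($_.Port)"
        Reachable = Test-TcpPort -HostName $_.ProxyHost -Port $_.Port -TimeoutMs $TimeoutMs
    }
}
```

A `Reachable` value of `False` means the agent is still being told to fetch the installer through a proxy this client cannot reach from outside the network, which is the condition the error above reports.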

I think I've figured it out.

 

First I tried enabling the Proxy settings in the Security policy applied to the External group, with no proxy settings configured, and the Force setting applied. Still no joy.

 

I then duplicated the Remote Administrator Agent applied at the All group level, and configured this the same as above, and assigned this to the External group. No more proxy server setting applying on the client :)

 

I'm now just waiting for the software deploy task to complete, but so far no error :)

Edited by ShaneDT
Link to comment