
Some questions regarding ERA Server and Agent certificates


Solved by MartinK

Hi, I have some questions regarding certificates:

 

1. Is it correct to assume that in order for the Agent to connect to the Server, both the Server and Agent certificates have to be signed by the same CA? For instance, if I have 2 groups of PCs managed by 2 separate ERA servers, let's call them group A and B. Just importing the CA certificate from ERAS-B to ERAS-A and pointing group B PCs to connect to ERAS-A will not work, right?

 

2. Will it work if I use the same Server certificate on 2 ERA Servers and configure the Agent to connect to both? Or actually I can just generate another Server certificate with the same CA for use on the second server and the clients can still connect to both?

 

3. What happens when the Agent certificate expires? Will the ERA server automatically remove client computers with an expired certificate from the client list? Will anything happen on the client side (e.g. a warning message of some sort saying that the Agent certificate is expired), or will the Agent keep trying to connect to the server at the specified interval but keep getting rejected due to the expired certificate?

 

Thanks a lot in advance!


  • ESET Staff
  • Solution

1. Is it correct to assume that in order for the Agent to connect to the Server, both the Server and Agent certificates have to be signed by the same CA? For instance, if I have 2 groups of PCs managed by 2 separate ERA servers, let's call them group A and B. Just importing the CA certificate from ERAS-B to ERAS-A and pointing group B PCs to connect to ERAS-A will not work, right?

 

Their certificates don't have to share a CA certificate, but in order to communicate, each of them must have the CA certificate of the remote peer. The scenario you mention will not work, because the ERAS-B AGENTs will be missing the ERAS-A CA certificate. You can fix it by importing all CA certificates to both ERAS-A and ERAS-B (each of them will have at least two CA certificates). Once all AGENTs connect to their respective ERA server, they will have both CA certificates, and from that moment they will be able to connect to both servers and both servers will be able to accept them.

 

 

2. Will it work if I use the same Server certificate on 2 ERA Servers and configure the Agent to connect to both? Or actually I can just generate another Server certificate with the same CA for use on the second server and the clients can still connect to both?

 

It will work, but make sure you import the CA certificate of this shared SERVER certificate into both ERA servers beforehand and wait until all AGENTs connect. If you miss this, the AGENTs won't be able to connect, not even to the primary ERA server, because once they connect to the secondary server, they will drop the CA certificates they had previously and will synchronize their state with the secondary server.

 

3. What happens when the Agent certificate expires? Will the ERA server automatically remove client computers with an expired certificate from the client list? Will anything happen on the client side (e.g. a warning message of some sort saying that the Agent certificate is expired), or will the Agent keep trying to connect to the server at the specified interval but keep getting rejected due to the expired certificate?

 

There will be no notification on the AGENT, but you will see warnings in the ERAS console 30 days before this happens. Once expired, the AGENT will still try to connect as if nothing changed. Client computers won't be removed directly, but they will stop connecting, therefore the server task "Delete Not Connecting Computers" will eventually remove them if configured to do so.


May I join with a related question? We have subnet1, where the ERA server is and which is accessible to our local PCs from subnet2. We also have subnet3, where the ERA proxy server is and which is accessible to our VPN users from subnet4. Local PCs are on ERA6, VPN on ERA5. Is there any way to deploy agents through a bat file and connect directly to the ERA proxy server in subnet3? VPN users don't have access into subnet1 and never will... I tried to manually rewrite EraAgentInstaller.bat but ended up with some certificate error. I will of course feed more info if needed; it was 6 months ago, so my memories are a little bit fuzzy... Thx


  • ESET Staff

May I join with a related question? We have subnet1, where the ERA server is and which is accessible to our local PCs from subnet2. We also have subnet3, where the ERA proxy server is and which is accessible to our VPN users from subnet4. Local PCs are on ERA6, VPN on ERA5. Is there any way to deploy agents through a bat file and connect directly to the ERA proxy server in subnet3? VPN users don't have access into subnet1 and never will... I tried to manually rewrite EraAgentInstaller.bat but ended up with some certificate error. I will of course feed more info if needed; it was 6 months ago, so my memories are a little bit fuzzy... Thx

 

You could specify the hostname or IP address to which newly installed AGENTs will connect in the live installer wizard, specifically in the optional field called Server hostname.

This will work only in case your PROXY is listening on the same port as the SERVER and the PROXY certificate is signed with the same CA certificate as the SERVER certificate currently being used (both are the default scenario).
