
ERA server behind firewall


Solved by cutor.


We have the ERA server on a virtual appliance.

The local network works OK. If I install the Agent on a PC, I can see it in ERA.

But I don't see the PCs at the other location.

On the server I have port 2222 redirected to the internal IP (with ESET 5 this works fine).

In /var/log/eset/RemoteAdministrator/server/trace.log I see

2016-02-02 11:49:54 Error: NetworkModule [Thread 7facb6bfd700]: ProtocolLayer: unsupported protocol version, ResolvedIpAddress:xx.yy.zz.yyy, ResolvedHostname:, ResolvedPort:27916
2016-02-02 11:49:59 Error: NetworkModule [Thread 7facb6bfd700]: ProtocolLayer: unsupported protocol version, ResolvedIpAddress:rr.zz.xx.yy, ResolvedHostname:, ResolvedPort:11218
2016-02-02 11:50:22 Error: NetworkModule [Thread 7facc4dfa700]: ProtocolLayer: unsupported protocol version, ResolvedIpAddress:dd.yy.xxx.xxx, ResolvedHostname:, ResolvedPort:28084

I think this is the old ESET 5 (I haven't upgraded all PCs to 6; most are still on ESET 5).

But I don't see any v6 agent.

What is wrong?

Can you help me?

Thanks.
 


  • Administrators

Endpoint v5 does not communicate with ERA6 directly. You must install ERA agent on those machines which will redirect the communication to localhost (will change the ERA setting in Endpoint v5 automatically) and will take care of further communication with ERAS v6.


> Endpoint v5 does not communicate with ERA6 directly. You must install ERA agent on those machines which will redirect the communication to localhost (will change the ERA setting in Endpoint v5 automatically) and will take care of further communication with ERAS v6.

I know. I installed ERA Agent 6 on a clean PC.

The log is probably from the old PCs. I will update the old PCs to 6 and install Agent 6 later.


  • ESET Staff

> I know. I installed ERA Agent 6 on a clean PC.
> The log is probably from the old PCs. I will update the old PCs to 6 and install Agent 6 later.

 

 

Please check status.html or trace.log on the AGENT that is not able to connect (located in C:\ProgramData\ESET\RemoteAdministrator\Agent\Logs\ or /var/log/eset/RemoteAdministrator/Agent/); it may provide more details.

The errors posted from the SERVER are caused by EESv5 connecting to ERAv6, as you suggested.


OK, the problem is the certificate.

STATUS:

Scope | Time | Text
Last replication | 2016-Feb-03 14:05:17 | Error: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
Peer certificate | 2016-Feb-03 13:47:59 | OK  Agent peer certificate with subject 'CN=Agent at *, C=US' issued by 'CN=Server Certification Authority, C=US' with serial number '010d3c47f3c3c4463ebe30057b6a7e017501' is and will be valid in 30 days
Replication security | 2016-Feb-03 14:05:17 | Error: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.local)  Remote host: era.mydomain.cz

Trace:

2016-02-03 14:04:17 Error: CReplicationModule [Thread afc]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
2016-02-03 14:05:17 Error: CAgentSecurityModule [Thread cb4]: Certificated user verification failed with: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.local)
2016-02-03 14:05:17 Error: NetworkModule [Thread abc]: Verify user failed for all computers: XX.YY.XX.Y: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.local)
2016-02-03 14:05:17 Error: NetworkModule [Thread abc]: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format., ResolvedIpAddress:XX.YY.XX.Y, ResolvedHostname:, ResolvedPort:2222
2016-02-03 14:05:17 Error: NetworkModule [Thread abc]: Protocol failure for session id 18, error:Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.

I tried making a new certificate authority and a new agent certificate, but it is still wrong.

Is it the wrong name of the virtual host?


  • ESET Staff
> I tried making a new certificate authority and a new agent certificate, but it is still wrong.
> Is it the wrong name of the virtual host?

 

The problem is that the certificate you created is tied to the hostname era.local, but the AGENTS are connecting to era.mydomain.cz. You will have to create a new SERVER certificate for the mentioned hostname, or with the special wildcard "*" for matching all hostnames (less secure).


OK.

I created our authority and a server certificate, applied this new certificate to the server and restarted ERA.

Then I created an Agent certificate signed by our authority, generated the bat file and installed it on the external PC.

Now the status from the agent is better:

Last replication | 2016-Feb-04 11:01:35 | Error: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 12
Peer certificate | 2016-Feb-04 10:53:20 | OK  Agent peer certificate with subject 'CN=Agent certifikát pro hostitele era.mydomain.cz xx.yyy.yyy.x1, O=optus, C=CZ' issued by 'CN=certifikacni autorita optus, O=optus, C=CZ' with serial number '01e891d0d871df45cba9c5c2b63925ffbd01' is and will be valid in 30 days
Replication security | 2016-Feb-04 11:01:35 | OK  Remote host: era.fokus-praha.cz  Remote product: Server

And the trace from the agent:

2016-02-04 10:59:35 Error: CReplicationModule [Thread e88]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 10
2016-02-04 11:00:35 Error: CReplicationModule [Thread eb8]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 11
2016-02-04 11:01:35 Error: CReplicationModule [Thread a0c]: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 12

What else is wrong?


And the trace log from the server:

2016-02-04 11:13:32 Error: NetworkModule [Thread 7f75eb5fe700]: Verify user failed for all computers: ip-xx-yy-zz-aa.net.upcbroadband.cz: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.mydomain.cz),xx-yy-zz-aa: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (era.mydomain.cz,xx-yy-zz-aa,10.0.10.99,127.0.0.1)
2016-02-04 11:13:32 Error: NetworkModule [Thread 7f75eb5fe700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:xx-yy-zz-aa, ResolvedHostname:ip-xx-yy-zz-aa.net.upcbroadband.cz, ResolvedPort:50848
2016-02-04 11:13:32 Error: NetworkModule [Thread 7f75eb5fe700]: Protocol failure for session id 945, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.

  • ESET Staff

> I created our authority and a server certificate, applied this new certificate to the server and restarted ERA. Then I created an Agent certificate signed by our authority, generated the bat file and installed it on the external PC. Now the status from the agent is better: [...] What else is wrong?

 

Now it is exactly the same error, but on the other side of the connection :)

When the AGENT connects to the SERVER, its name is resolved to ip-xx-yy-zz-aa.net.upcbroadband.cz, but this does not match any name or IP address in the AGENT's certificate, which contains: era.mydomain.cz,xx-yy-zz-aa,10.0.10.99,127.0.0.1. Therefore the SERVER rejects the connection for security reasons. I would recommend creating a new AGENT certificate suitable for any hostname/IP using the wildcard *.

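Both rejections in this thread, first the agent refusing a server certificate issued for era.local, then the server refusing an agent certificate whose names were the server's rather than the agent's, are the same SubjectAltName check seen from opposite ends of the connection. The following Python is an added example, not ESET code, that models that check on the names from the posted logs. The matching rules (case-insensitive dNSName comparison, exact iPAddress comparison, a bare "*" accepting any peer) are an assumption based on the staff replies, and the addresses 198.51.100.10 and 203.0.113.77 are constructed stand-ins for the redacted ones.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCertificate:
    """The parts of an ERA peer certificate the verifier looks at."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName entries; "*" accepts any host
    san_ip: list = field(default_factory=list)    # iPAddress entries


def verify_dns_subject_alt_name(cert, peer_names):
    """Check the names the verifier has for the peer against the SAN.

    On the agent, peer_names is the hostname it dialled; on the server it is
    the reverse-DNS name and the IP literal of the connecting socket (the
    posted trace.log lists one failure per candidate name).  Returns
    (True, matched_entry) or (False, message) in the style of trace.log.
    Assumed rules: case-insensitive DNS match, exact IP match, "*" = anything.
    """
    if "*" in cert.san_dns:                      # wildcard certificate: no name binding at all
        return True, "*"
    covered_ips = {ipaddress.ip_address(e) for e in cert.san_ip}
    covered_dns = {e.lower() for e in cert.san_dns}
    for name in peer_names:
        try:
            literal = ipaddress.ip_address(name)
        except ValueError:
            literal = None
        if literal is not None and literal in covered_ips:
            return True, name
        if literal is None and name.lower() in covered_dns:
            return True, name
    entries = ",".join(cert.san_dns + cert.san_ip)
    return False, ("VerifyDnsSubjectAltName: Hostname does not match any supported "
                   f"record in certificate SubjectAltName extension ({entries})")


# Scenario A, agent side (first status.html in the thread): server certificate
# issued for era.local, agent configured to dial era.mydomain.cz.
SERVER_CERT_ERA_LOCAL = PeerCertificate("Server at era.local", san_dns=["era.local"])
SERVER_CERT_PUBLIC = PeerCertificate("Server at era.mydomain.cz", san_dns=["era.mydomain.cz"])

# Scenario B, server side: the agent certificate was generated for the server's
# hostname and addresses (198.51.100.10 is a constructed stand-in for the
# redacted public IP), but the server sees the agent arriving from a broadband
# address (203.0.113.77, constructed) and that address's reverse-DNS name.
AGENT_CERT_SERVER_NAMES = PeerCertificate(
    "Agent certifikat pro hostitele era.mydomain.cz 198.51.100.10",
    san_dns=["era.mydomain.cz"], san_ip=["198.51.100.10", "10.0.10.99", "127.0.0.1"])
AGENT_AS_SEEN_BY_SERVER = ["ip-203-0-113-77.net.upcbroadband.cz", "203.0.113.77"]

# Two fixes for scenario B: the wildcard the staff suggested, or a certificate
# that names the agent's own public address (only workable if it is stable).
AGENT_CERT_WILDCARD = PeerCertificate("Agent certifikat pro hostitele *", san_dns=["*"])
AGENT_CERT_OWN_ADDRESS = PeerCertificate(
    "Agent certifikat pro hostitele ip-203-0-113-77.net.upcbroadband.cz",
    san_dns=["ip-203-0-113-77.net.upcbroadband.cz"], san_ip=["203.0.113.77"])


def run_scenarios():
    """Return {label: (accepted, detail)} for every scenario above."""
    return {
        "agent vs server cert for era.local":
            verify_dns_subject_alt_name(SERVER_CERT_ERA_LOCAL, ["era.mydomain.cz"]),
        "agent vs server cert for era.mydomain.cz":
            verify_dns_subject_alt_name(SERVER_CERT_PUBLIC, ["era.mydomain.cz"]),
        "server vs agent cert naming the server":
            verify_dns_subject_alt_name(AGENT_CERT_SERVER_NAMES, AGENT_AS_SEEN_BY_SERVER),
        "server vs wildcard agent cert":
            verify_dns_subject_alt_name(AGENT_CERT_WILDCARD, AGENT_AS_SEEN_BY_SERVER),
        "server vs agent cert naming the agent":
            verify_dns_subject_alt_name(AGENT_CERT_OWN_ADDRESS, AGENT_AS_SEEN_BY_SERVER),
    }


if __name__ == "__main__":
    for label, (ok, detail) in run_scenarios().items():
        print(f"{'OK   ' if ok else 'Error'} {label}: {detail}")
```

The last scenario is the non-wildcard fix: the agent certificate has to cover the agent as the server sees it, meaning the reverse-DNS name or public address of the connecting socket, not the server's own names. That only works where remote agents have stable addresses, which is why the staff recommendation for agents behind NAT or on dynamic broadband is the wildcard, at the cost the reply already notes.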

Thanks for your answer, but I still have some wrong settings.

Server trace:

2016-02-04 14:43:11 Error: NetworkModule [Thread 7fb3f35fe700]: Verify user failed for all computers: ip-xx-yy-zz-aaa.net.upcbroadband.cz: Authenticate: Certificate common name contains ambiguous or no product string,xx-yy-zz-aaa: Authenticate: Certificate common name contains ambiguous or no product string
2016-02-04 14:43:11 Error: NetworkModule [Thread 7fb3f35fe700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:xx-yy-zz-aaa, ResolvedHostname:ip-xx-yy-zz-aaa.net.upcbroadband.cz, ResolvedPort:49227

My current configuration:

my cert. authority
my server cert. (subject: CN=Server certifikát pro hostitele *;S=CZ;C=CZ;  address: *)
my agent cert. (subject: CN=Agent certifikát pro hostitele *;C=CZ;  address: *)

generated online installation (address: era.mydomain.cz, and agent)

Sorry, I'm a newbie in certificates.


  • ESET Staff

> Thanks for your answer, but I still have some wrong settings.
> Server trace: [...] Authenticate: Certificate common name contains ambiguous or no product string [...]
> My current configuration: my cert. authority; my server cert. (subject: CN=Server certifikát pro hostitele *;S=CZ;C=CZ;  address: *); my agent cert. (subject: CN=Agent certifikát pro hostitele *;C=CZ;  address: *); generated online installation (address: era.mydomain.cz, and agent)

 

So now I am also confused. The error

Certificate common name contains ambiguous or no product string

means that the CommonName of the AGENT's certificate contains not only the expected word "Agent" but also "Server" or "Proxy" (regardless of case), but that would be an invalid state that is checked during the certificate creation wizard - or are you using your own certificates created outside of ERA?

Could you please check status.html on the not-connecting AGENT and verify that the "Peer certificate" used conforms to these limits, i.e. check that it is the certificate it was supposed to be?


Agent status:

Last replication | 2016-Feb-04 23:05:58 | Error: CReplicationManager: Replication (network) connection to 'host: "era.mydomain.cz" port: 2222' failed with: Connection closed by remote peer for session id 87
Peer certificate | 2016-Feb-04 21:40:06 | OK  Agent peer certificate with subject 'CN=Agent certifikát pro hostitele *, C=CZ' issued by 'CN=certifikacni autorita optus, O=optus, C=CZ' with serial number '01633bc7aa251948e6b7792c17bc72d48b01' is and will be valid in 30 days
Replication security | 2016-Feb-04 23:05:58 | OK  Remote host: era.mydomain.cz  Remote product: Server

I created the cert in the ERA wizard.


  • ESET Staff

We are sorry for the inconvenience - you have just found a bug. It seems that the Common name of a certificate cannot contain non-ASCII characters (in your case it is á). Please create a new certificate for the AGENTs with the Common name:

Agent certifikat pro hostitele *

instead of the default value containing diacritics.

There is also a chance you will have to regenerate the SERVER certificate if the AGENT will be reporting the same error as the AGENT is reporting currently.

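The two staff replies above describe two conditions on an ERA certificate's Common Name: it must contain exactly one of the product words Agent, Server or Proxy (matched case-insensitively), and, because of the bug found in this thread, it must not contain non-ASCII characters such as á. The following Python is an added pre-flight check for a CN before the wizard issues the certificate; it is not ESET code. Substring matching of the product words is an assumption about ERA's rule, and the CN "Agent behind proxy *" is a constructed example of an ambiguous name.

```python
import unicodedata

PRODUCT_STRINGS = ("agent", "server", "proxy")   # product words ERA looks for in the CN


def products_in_cn(common_name):
    """Product words present anywhere in the CN, matched case-insensitively.

    Substring matching is an assumption; the thread only says the check ignores
    case and rejects a CN that names more than one product or none at all."""
    lowered = common_name.lower()
    return [p for p in PRODUCT_STRINGS if p in lowered]


def non_ascii_chars(text):
    """Sorted list of the distinct characters outside 7-bit ASCII."""
    return sorted({c for c in text if ord(c) > 127})


def ascii_fold(text):
    """Strip diacritics: NFKD-decompose and drop the combining marks ('á' -> 'a')."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def check_common_name(common_name, expected_product):
    """Return a list of problems with the CN; an empty list means it should pass
    the server's 'Certificate common name contains ambiguous or no product
    string' check and avoid the non-ASCII bug reported in the thread."""
    problems = []
    found = products_in_cn(common_name)
    if not found:
        problems.append("no product string (CN must contain Agent, Server or Proxy)")
    elif len(found) > 1:
        problems.append("ambiguous product string: " + ", ".join(found))
    elif found[0] != expected_product.lower():
        problems.append(f"product string is {found[0]!r}, expected {expected_product!r}")
    bad = non_ascii_chars(common_name)
    if bad:
        problems.append("non-ASCII characters " + ", ".join(repr(c) for c in bad)
                        + f"; use {ascii_fold(common_name)!r} instead")
    return problems


# CNs seen in the thread plus one constructed ambiguous name.
CANDIDATE_CNS = [
    "Agent at *",                          # ERA's default English agent CN
    "Agent certifikát pro hostitele *",    # Czech default: hits the non-ASCII bug
    "Agent certifikat pro hostitele *",    # the value the staff reply asks for
    "Server certifikat pro hostitele *",   # server CN used where an agent CN is expected
    "Agent behind proxy *",                # constructed: two product words
]


def audit(candidates=CANDIDATE_CNS, expected_product="Agent"):
    """Map each candidate CN to its list of problems."""
    return {cn: check_common_name(cn, expected_product) for cn in candidates}


if __name__ == "__main__":
    for cn, problems in audit().items():
        print(f"{cn!r}: {'OK' if not problems else '; '.join(problems)}")
```

The fold of the Czech default CN yields exactly the value the staff reply asks for, so the check can be run on the wizard's proposed Common Name before the agent is deployed, instead of after a remote machine has already been installed and has to be revisited.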

  • Solution

 

> We are sorry for the inconvenience - you have just found a bug

What prize do I win? :-)

YES, FINALLY IT WORKS.

The server cert. did not need to be recreated.

Thank you very much for your patience.
