Jump to content

Apache HTTP Proxy? Only way to get a mirror/cache for clients?

cpetry
 Share

Recommended Posts

cpetry

cpetry 4

Posted
Posted (edited)

I'm going to perform a swing migration from ERA 5.X to 6.X very soon.  I was told not to install the Apache HTTP Proxy by ESET engineering (they didn't like it for some reason).  However, if that's the only way to generate an update mirror/cache for my clients, I'm going to need it.

 

I have 1,650 endpoints spread over a dozen sites.  We share a single 100 MB internet connection.  I can't have that many clients hammering the single corporate internet connection every hour.  I was going to start with a single ERA at our primary location and later standup mirrors at the largest sites.

 

Is it also recommended to use the ESET HTTP Proxy in the DMZ on a server that's not joined to the domain, and allow the proxy to reach back to the ERA server?

 

I'll be using a published A record in DNS for my clients (split DNS; so the same URL can be used for internal/external clients).

 

PS - I forgot to add/mention; is it best to install one MDM installation in the DMZ as well?  Can the ESET HTTP proxy relay MDM information back to the ERA?  I don't plan on mass deployment of MDM yet, but I'll be buying 25 licenses so we can switch to a business bundle.  I want to experiment with MDM for a bit.

 

Thx!

Edited by cpetry
Link to comment
Share on other sites
bbahes

bbahes 29

Posted
Posted

I'm going to perform a swing migration from ERA 5.X to 6.X very soon.  I was told not to install the Apache HTTP Proxy by ESET engineering (they didn't like it for some reason).  However, if that's the only way to generate an update mirror/cache for my clients, I'm going to need it.

 

I have 1,650 endpoints spread over a dozen sites.  We share a single 100 MB internet connection.  I can't have that many clients hammering the single corporate internet connection every hour.  I was going to start with a single ERA at our primary location and later standup mirrors at the largest sites.

 

Is it also recommended to use the ESET HTTP Proxy in the DMZ on a server that's not joined to the domain, and allow the proxy to reach back to the ERA server?

 

I'll be using a published A record in DNS for my clients (split DNS; so the same URL can be used for internal/external clients).

 

PS - I forgot to add/mention; is it best to install one MDM installation in the DMZ as well?  Can the ESET HTTP proxy relay MDM information back to the ERA?  I don't plan on mass deployment of MDM yet, but I'll be buying 25 licenses so we can switch to a business bundle.  I want to experiment with MDM for a bit.

 

Thx!

 

This is interesting to know, but even more interesting would be to hear those arguments.

 

Single internal update server that gets all updates and handles all communication from clients to ESET is something that would solve many problems regarding v6 popularity. Something like WSUS is for Windows Clients.

However, I think for them it's easier to have client request sent through proxy...some might say ESET programmers are lazy ;)

 

I don't like this new proxy thing as my client's that must not access internet at all, now use proxy for update...

Link to comment
Share on other sites
cpetry

cpetry 4

Posted
  • Author
Posted

I'll have to install Apache HTTP Proxy and use it, and they will have to support it regardless if it has issues or not.  That's really on them.  If they don't want support tickets on it they should code something else.

Link to comment
Share on other sites
bbahes

bbahes 29

Posted
Posted

I'll have to install Apache HTTP Proxy and use it, and they will have to support it regardless if it has issues or not.  That's really on them.  If they don't want support tickets on it they should code something else.

 

I agree. You could try Mirror Tool hxxp://help.eset.com/era_install/63/en-US/?mirror_tool_linux.htm, however it has it's own limitations.

Update is actually one of the main reasons we are still on v5.

Link to comment
Share on other sites
  • ESET Staff
MartinK

MartinK 378

Posted
  • ESET Staff
Posted

I'm going to perform a swing migration from ERA 5.X to 6.X very soon.  I was told not to install the Apache HTTP Proxy by ESET engineering (they didn't like it for some reason).  However, if that's the only way to generate an update mirror/cache for my clients, I'm going to need it.

 

I have 1,650 endpoints spread over a dozen sites.  We share a single 100 MB internet connection.  I can't have that many clients hammering the single corporate internet connection every hour.  I was going to start with a single ERA at our primary location and later standup mirrors at the largest sites.

 

Is it also recommended to use the ESET HTTP Proxy in the DMZ on a server that's not joined to the domain, and allow the proxy to reach back to the ERA server?

 

I'll be using a published A record in DNS for my clients (split DNS; so the same URL can be used for internal/external clients).

 

PS - I forgot to add/mention; is it best to install one MDM installation in the DMZ as well?  Can the ESET HTTP proxy relay MDM information back to the ERA?  I don't plan on mass deployment of MDM yet, but I'll be buying 25 licenses so we can switch to a business bundle.  I want to experiment with MDM for a bit.

 

Thx!

 

Apache HTTP proxy relies only communication from ERA components and Endpoint Security products to ESET servers and is primarily intended to safe network traffic especially for larger networks. It has also advantages over standard offline mirror:

  • less traffic to outside network (mirror downloads much more data in case synchronization is executed multiple times a day).
  • clients get latest files version from ESET server and not version from last mirror synchronization (this is crucial for security)
  • proxy handles also other security-related connection(cloud) not handled by offline mirror

You may also use your own HTTP proxy, but it may require configuration tweaking.

 

There is still alternative - classic offline mirror, but unfortunately no longer available/manageable by ERA, but instead available either as separate tool (MirrorTool: downloads files but does not shares them) or bundled in Endpoint Security as in v5.

Link to comment
Share on other sites
cpetry

cpetry 4

Posted
  • Author
Posted

 

I'm going to perform a swing migration from ERA 5.X to 6.X very soon.  I was told not to install the Apache HTTP Proxy by ESET engineering (they didn't like it for some reason).  However, if that's the only way to generate an update mirror/cache for my clients, I'm going to need it.

 

I have 1,650 endpoints spread over a dozen sites.  We share a single 100 MB internet connection.  I can't have that many clients hammering the single corporate internet connection every hour.  I was going to start with a single ERA at our primary location and later standup mirrors at the largest sites.

 

Is it also recommended to use the ESET HTTP Proxy in the DMZ on a server that's not joined to the domain, and allow the proxy to reach back to the ERA server?

 

I'll be using a published A record in DNS for my clients (split DNS; so the same URL can be used for internal/external clients).

 

PS - I forgot to add/mention; is it best to install one MDM installation in the DMZ as well?  Can the ESET HTTP proxy relay MDM information back to the ERA?  I don't plan on mass deployment of MDM yet, but I'll be buying 25 licenses so we can switch to a business bundle.  I want to experiment with MDM for a bit.

 

Thx!

 

Apache HTTP proxy relies only communication from ERA components and Endpoint Security products to ESET servers and is primarily intended to safe network traffic especially for larger networks. It has also advantages over standard offline mirror:

  • less traffic to outside network (mirror downloads much more data in case synchronization is executed multiple times a day).
  • clients get latest files version from ESET server and not version from last mirror synchronization (this is crucial for security)
  • proxy handles also other security-related connection(cloud) not handled by offline mirror

You may also use your own HTTP proxy, but it may require configuration tweaking.

 

There is still alternative - classic offline mirror, but unfortunately no longer available/manageable by ERA, but instead available either as separate tool (MirrorTool: downloads files but does not shares them) or bundled in Endpoint Security as in v5.

 

 

Thanks, I'm going to be setting up the Apache HTTP Proxy on our internal ERA VM and the ESET HTTP Proxy for external agent communication on our DMZ VM.  

 

I'm not sure yet how we will deploy / test MDM.  I was thinking slap MDM on the internal and external VM and use split DNS with it for the same reasons you'd use split DNS for any reason.  I'd rather not have clients/devices reaching out and then back in.

Link to comment
Share on other sites
  • ESET Staff
MartinK

MartinK 378

Posted
  • ESET Staff
Posted

 

Thanks, I'm going to be setting up the Apache HTTP Proxy on our internal ERA VM and the ESET HTTP Proxy for external agent communication on our DMZ VM.  

 

I'm not sure yet how we will deploy / test MDM.  I was thinking slap MDM on the internal and external VM and use split DNS with it for the same reasons you'd use split DNS for any reason.  I'd rather not have clients/devices reaching out and then back in.

 

And I forgot to mention, that Apache HTTP Proxy is not able to rely AGENT<->SERVER communication. For this purpose, you should either redirect port from outside network to SERVER, or install ERA Proxy component (this is something different than HTTP proxy).

Link to comment
Share on other sites
cpetry

cpetry 4

Posted
  • Author
Posted

No, I figured that.  I want external clients using a dual update profile if possible so they reach out to ESET servers if they aren't on my corporate network.  From the sounds of the Apache HTTP Proxy it really only acts as a cache for the ERA itself.  That's fine and that will work.  I just don't want 1650+ clients using my corporate internet connection.  I want the ERA to download/cache and distribute to the clients.  

 

Internal VM -

ERA

ESET HTTP Proxy

Apache HTTP Proxy

Rogue Detection Server

Possibly MDM

 

DMZ VM -

ESET HTTP Proxy

MDM

Link to comment
Share on other sites
  • ESET Moderators
TomasP

TomasP 316

Posted
  • ESET Moderators
Posted

I was told not to install the Apache HTTP Proxy by ESET engineering (they didn't like it for some reason).

 

Hello,

This is definitely not our statement and/or attitude towards this product/situation.

Could you please specify who told you this information and what might be the reason?

Thank you,

T.

Link to comment
Share on other sites
cpetry

cpetry 4

Posted
  • Author
Posted

 

I was told not to install the Apache HTTP Proxy by ESET engineering (they didn't like it for some reason).

 

Hello,

This is definitely not our statement and/or attitude towards this product/situation.

Could you please specify who told you this information and what might be the reason?

Thank you,

T.

 

 

Sam S. told me the Apache HTTP Proxy causes more harm than good and that he doesn't like to use it.  He also said it's not used for creating a mirror/update cache.  He showed me another way to create a mirror/update cache on my network that will work.  You don't need that mirror tool.  You just configure an AGENT/Endpoint to act as a mirror and configure your clients to use it as the source for updates.  I'm using the AGENT/Endpoint that's installed on my Windows based ERA.

 

I've removed the Apache HTTP Proxy as it's not required and I too have no idea why anyone would need or want it after talking to Sam.

Link to comment
Share on other sites
  • ESET Staff
MichalJ

MichalJ 434

Posted
  • ESET Staff
Posted (edited)

Problem with the solution you have mentioned, and Sam has recommended to you is that:

  1. If you choose the mirror from a specific Endpoint version, it gets updates only from update server appointed for that version. If you update V5 / 4 products, it might happen, you won´t get the updates. Also, it depends, if you have installed EEA / EES on the server (I assume EEA), so it might not download all of the files needed to update EES.
  2. Mirror from a specific Endpoint version is not able to get updates for ERA components, which we are going to release as of now (it will bring some new functionality, like import of lists into the policy editor, and support for new settings in Endpoints for Windows / Max + support for Domino / SharePoint. You won´t get it, if your agents are updating from Mirror.

Also, if your company is using some proxy server as of now, you could not install the Apache HTTP proxy, but instead of that, configure ERA server / agents / endpoints, to communicate via your proxy server, and cache updates there. This way is far more effective from the perspective of data traffic, and once setup properly, it provides better user experience than the legacy mirror. We are working on documentation change, that will explain benefits of using Apache HTTP Proxy, over the standard mirror, respectively guide customers to use the proper scenario of their environment.

Edited by MichalJ
Link to comment
Share on other sites
cpetry

cpetry 4

Posted
  • Author
Posted

Would I still be able to use a dual update profile with a proxy in place with the Apache HTTP proxy acting as a cache?  I have it setup right now so that if they can't reach my internal cache they hit up the ESET servers.  This is good for laptops as well as DMZ servers.  I think Sam is doing more research on the updating of clients on a large network.

 

Even he mentioned getting a lot of different recommendations from various ESET employee, and he's an ESET employee.  We only have a few test clients being managed right now.  So if we are going to change anything now would be the time to do it.

 

I'm waiting on my new licensing before we start the rip and replace.  We are upgrading from the Endpoint AV to the Endpoint Security product.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...