Jump to content

install AV by msi & GP at remote offices with era 6


roga
 Share

Go to solution Solved by roga,

Recommended Posts

I have some remote offices and would like to install EEAV & EFSW v6 to windows clients & servers, and have them managed by ver 6 ERA. The remote offices are on different subnets and connected by VPN, but are linked by standard copper wire internet, so not a very fast connection.

 

I have created a bat file to install the agent locally and then link to the central office ERA, but I don't think there is enough bandwidth to install EEAV & EFSW to the clients.

 

However I can get the msi files locally. If I was to use group policy to install the msi files, would the agent then automatically turn them into managed machines?

 

If I was to try and install the v6 msi files via group policy, would they run OK without any extras? (I don't think you use xml any more on v6)

 

regards

 

Roga

Edited by roga
Link to comment
Share on other sites

  • ESET Staff

I have some remote offices and would like to install EEAV & EFSW v6 to windows clients & servers, and have them managed by ver 6 ERA. The remote offices are on different subnets and connected by VPN, but are linked by standard copper wire internet, so not a very fast connection.

 

I have created a bat file to install the agent locally and then link to the central office ERA, but I don't think there is enough bandwidth to install EEAV & EFSW to the clients.

 

However I can get the msi files locally. If I was to use group policy to install the msi files, would the agent then automatically turn them into managed machines?

 

If I was to try and install the v6 msi files via group policy, would they run OK without any extras? (I don't think you use xml any more on v6)

 

regards

 

Roga

 

Yes, already installed AGENT will almost immediately detect newly installed ESET product and start managing it. There is no difference when installing v6 products manually or by ERA, except that products installed using ERA are installed silently and thus using some default set of configuration.

Link to comment
Share on other sites

Thanks ESET Staff for you advice about the agent.

 

Can you tell me if installing the products (Endpoint Anti-Virus v6 and File Security v6) by msi and group policy will work? i.e. is all I need do to roll out the msi via group policy to the clients? Do I need to any xml or transform files?

 

regards

 

Roga

Link to comment
Share on other sites

Hi Roga,

 

is there any background why you want to install the client software manually?

I just did the update from v5 to v6 for about 500 clients and some servers.

 

I installed the agent via our software deployment or via a batch file. As soon as the agent is installed you are able to manage the clients via the console. So after the agent installation the clients appear on our console and are immediately moved to a dynamic group with a task assigned to install EFS/EEA as soon as a computer is joining the group. This is working quite well and you don't need any additional xml files or do something manually because of the configured policies.

 

This is also working for our remote offices.

 

regards

Palps

Link to comment
Share on other sites

Hi Palps

Thanks for your reply.

1) Could you give me a link for the dynamic group & assigned task? Would it be possible e.g. to differentiate between windows servers and win 7 machines?

2) I did a test to try and install EFSW to a remote machine over a vpn. The task failed (twice) although the agent installed OK over the VPN. I thought most likely the agent is a smaller payload than the AV. I ended up installing EFSW manually which the agent then picked up.

 

I have some branches with each with a win server and a number of win 7 clients which are linked over a slow VPN. I thought it would be easier to install the av locally by GP and then manage from agent. How succesful do you think it would be trying to install say 25 win7 clients over a slow VPN?

 

3) Another thought is to have proxy servers at the remote sites, but would a deployment via ERA come from the proxy server on the local subnet or the main server at the central office?

Link to comment
Share on other sites

  • ESET Staff

Thanks ESET Staff for you advice about the agent.

 

Can you tell me if installing the products (Endpoint Anti-Virus v6 and File Security v6) by msi and group policy will work? i.e. is all I need do to roll out the msi via group policy to the clients? Do I need to any xml or transform files?

 

regards

 

Roga

 

It should be possible even without configuration (actually it is not possible to install pre-configured v6 products) but I am not sure it will be completely silent. To avoid it, you may try to deploy Endpoint Security installer with parameter INSTALLED_BY_ERA=1 to suppress activation and network zones configuration popup windows. Once installed, configuration (and possibly activation task) from AGENT will be delivered.

Link to comment
Share on other sites

Hi Palps

Thanks for your reply.

1) Could you give me a link for the dynamic group & assigned task? Would it be possible e.g. to differentiate between windows servers and win 7 machines?

2) I did a test to try and install EFSW to a remote machine over a vpn. The task failed (twice) although the agent installed OK over the VPN. I thought most likely the agent is a smaller payload than the AV. I ended up installing EFSW manually which the agent then picked up.

 

I have some branches with each with a win server and a number of win 7 clients which are linked over a slow VPN. I thought it would be easier to install the av locally by GP and then manage from agent. How succesful do you think it would be trying to install say 25 win7 clients over a slow VPN?

 

3) Another thought is to have proxy servers at the remote sites, but would a deployment via ERA come from the proxy server on the local subnet or the main server at the central office?

 

1) Yes it is possible, just look at my attachments. The trigger is pretty easy. Just create a software installation task and later on chose "Run on", select the dynamic groups and choose the "Joined dynamic group trigger" trigger.

2,3) We have also some small remote sides with only up to 5 people and slow VPN connections but the enrollment went quite well. The agent was distributed via our software deployment and the client via the automatic installation task of the dynamic groups. On the bigger remote sides I have installed an ERA Proxy.

Unfortunately I don't know how the enrollment via GP is working and if the installation files are distributed from the local proxy or from the main ERA server.

 

Maybe some ESET member can answer this question.

post-10739-0-69906500-1461856103_thumb.jpg

post-10739-0-18356400-1461856111_thumb.jpg

Link to comment
Share on other sites

 

1) Yes it is possible, just look at my attachments. The trigger is pretty easy. Just create a software installation task and later on chose "Run on", select the dynamic groups and choose the "Joined dynamic group trigger" trigger.

2,3) We have also some small remote sides with only up to 5 people and slow VPN connections but the enrollment went quite well. The agent was distributed via our software deployment and the client via the automatic installation task of the dynamic groups. On the bigger remote sides I have installed an ERA Proxy.

Unfortunately I don't know how the enrollment via GP is working and if the installation files are distributed from the local proxy or from the main ERA server.

 

Maybe some ESET member can answer this question.

 

Thanks for your help Palps, I have managed to get the agent on all of the machines, so perhaps I will try out the dynamic group at one of the sites and see how that goes. It would be good if the all of the task can be done by ERA.

 

regards

 

roga

Link to comment
Share on other sites

  • Solution

I have now finished my deployment to a main central office and 4 branch offices connected by slowish VPN, this is my first install of V6 (have been working with ESET ERA previous versions for a number of years). In this case there was a migration from Symantec Endpoint Protection (clients and servers) to eset endpoint and eset file security. We have about 60 endpoints.

 

Once I understood that deployment of endpoint protection was from an internet resource (rather than ERA server) I decided to try and use the ERA to uninstall the old SEP, and then install eset.

 

Agent install worked in over 95% of all cases, not perfect but good enough, I had to do a couple of manual installs, which was quite easy.

 

SEP uninstall worked in about 90% of cases, there were a few I had to manually install.

 

Eset endpoint and File Security install was not quite as successful, worked in about 80% of cases, and not really easy to find out why it had failed. I ended up manually installing on the failed 20%

 

In my case I think it might have been better to have installed via group policy on the remote sites (as previous SEP was via group policy and I might have had an easier time using group policy to migrate), but there is not enough clear documentation for this.

 

I would like to see more helpful troubleshooting when rollouts via ERA have failed.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...