Issue
- You have an ESET Remote Administrator (ERA) version 6 environment running the ERA Proxy (on a Windows host) component and you want upgrade to ESET Security Management Center (ESMC) 7
- ESMC does not support ERA Proxy—Apache HTTP Proxy can substitute the role of ERA Proxy in the infrastructure
Are you using ERA Proxy on Linux or Virtual Appliance?
Details
ESMC 7 introduces a new generation of the Agent – Server communication protocol. The new replication protocol uses TLS and HTTP2 protocols so it can go through Proxy servers. There are also new self-recovery features and a persistent connection which improves overall communication performance.
New communication protocol does not support connection using ERA 6.x Proxy.
ESET provides pre-configured Apache installer. The user can also use other proxy solution (besides Apache HTTP Proxy) which fulfills the following conditions:
- can forward SSL communication
- supports HTTP CONNECT
- can work without authentication (ESET Management Agent does not support authentication with proxy)
However, the configuration of other proxy solutions is not provided or supported by ESET. Other proxy solutions may not support caching of the ESET Dynamic Threat Defense communication.
Solution
- Prepare your ERA 6.x environment
- Install and configure Apache HTTP Proxy
- Assign a transition policy to a test client
- Upgrade ERA Agents on client computers
- Remove ERA Proxy address from the list of server
Connection limitations
The ESET Remote Administrator version (ERA) 6.x Proxy component is discontinued in ESET Security Management Center 7. Follow the instructions in this article carefully to ensure connection compatibility:
- ERA 6.x Agents can connect to ESMC 7 Server
- ESET Management (EM) Agent (version 7) cannot connect to ESMC Server via ERA Proxy
- EM Agent (version 7) cannot connect to ERA 6.x Server
- Do not upgrade ERA 6.x Agents before a proper proxy solution is configured
- It is not possible to run the Agent deployment task on clients where ESMC server can reach only via Apache HTTP Proxy
I. Prepare your ERA 6.x environment
- Back up your ERA Server (backup database, CA and certificates).
- Upgrade your ERA Server to ESMC 7 via Remote Administrator Components Upgrade Task. (Server, Agent and Web Console are upgraded). When assigning a target for the task, select only the machine with the ERA Server.
Upgrade the ERA Server manually
- Wait approximately 24 hours to make sure that the upgraded environment runs smoothly.
- Upgrade the ERA Agent on the ERA Proxy machine via Security management Center Components Upgrade Task.
Figure 1-1
II. Install and configure Apache HTTP Proxy
- Install Apache HTTP Proxy on the machine where the ERA Proxy is installed. Use the pre-configured ESET version of Apache HTTP Proxy. The configuration necessary for handling connection of ESET Management Agents is included.
- ESET download page as a Standalone installer.
- Run the All-in-one ESMC installer and select the option Install/Upgrade Apache HTTP Proxy, click next and finish the installation.
- Modify the Apache HTTP Proxy configuration file httpd.conf located in C:\Program Files\Apache HTTP Proxy\conf\. How to write a ProxyMatch expression?
- If you have changed the default port (2222) for the Agent, find the line
AllowCONNECT 443 563 2222
and change2222
to the number of your port. - Add the hostname or IP address of your ESMC Server to the configuration file. The hostname you add must be exactly the same as Agents use to connect the ESMC Server. You can add IP address, hostname or both.
- Save the changes and restart the Apache HTTP Proxy service.
- If you have changed the default port (2222) for the Agent, find the line
Figure 2-1
III. Assign a transition policy to a test client
Figure 3-1
- Create a new policy on your ESMC Server. In the ESMC Web Console click Policies → Create New.
- In the Basic section, type a Name for the policy.
- In the Settings section, select ESET Management Agent.
- Navigate to Connection → Server connects to → Edit server list.
- Click Add and enter the address (the address must match what Agent used in the configuration) of your ESMC Server in the Host field. Click OK.
- Change the operator from Replace to Append.
- Click Save.
- Navigate to Advanced Settings → HTTP Proxy and set Proxy Configuration to Different Proxy Per Service.
- Click Replication → Edit and enable the Use proxy server option.
- Type the IP address of the proxy machine to the Host field.
- Leave the default value 3128 for the Port.
- Click Save and Finish to save the policy. Do not assign it to any computer yet.
- Choose one computer that is connected via ERA Proxy and assign the new policy to that test client.
- Wait a few minutes until the policy is applied and check if the computer is still connecting to the ESMC Server.
IV. Upgrade ERA Agents on client computers
- Run the Security management Center Components Upgrade Task to upgrade the selected test client computer.
- After the client is upgraded to version 7, check if it is still connecting to the ESMC Server. If the computer is successfully connecting after the upgrade, continue to upgrade other computers.
- Apply the policy (from the part III) to the other computers connected via the ERA Proxy.
Figure 4-1
- Wait a few minutes until the policy is applied and check if clients are still connecting to the ESMC Server.
- Run the Security management Center Components Upgrade Task on these clients.
- If all clients are connecting to the ESMC Server after the upgrade is finished, you can proceed with next steps.
Figure 4-2
V. Remove ERA Proxy address from the list of server
Figure 5-1
- Modify the policy (from the part III) by navigating to Policies, clicking the gear icon next to the policy you want to modify and then clicking Edit.
- In the Settings > Connection change the operator from Append to Replace.
- Click Save.
- Click Finish to save and apply the policy.
- Remove the ERA Proxy component using Client Tasks → Software Uninstall.
Figure 5-2