0
(0)

Issue

ESET business product in Limited Support status

This article applies to an ESET product version that is currently in Limited Support status and is scheduled to reach End of Life status soon.

For a complete list of supported products and support level definitions, review the ESET End of Life Policy for business products.

Upgrade ESET business products.

  • You have an ESET Remote Administrator (ERA) version 6 environment running the ERA Proxy (on a Windows host) component and you want upgrade to ESET Security Management Center (ESMC) 7
  • ESMC does not support ERA Proxy—Apache HTTP Proxy can substitute the role of ERA Proxy in the infrastructure

Are you using ERA Proxy on Linux or Virtual Appliance?

Details

ESMC 7 introduces a new generation of the Agent – Server communication protocol. The new replication protocol uses TLS and HTTP2 protocols so it can go through Proxy servers. There are also new self-recovery features and a persistent connection which improves overall communication performance.

New communication protocol does not support connection using ERA 6.x Proxy.

ESET provides pre-configured Apache installer. The user can also use other proxy solution (besides Apache HTTP Proxy) which fulfills the following conditions:

  • can forward SSL communication
  • supports HTTP CONNECT
  • can work without authentication (ESET Management Agent does not support authentication with proxy)

However, the configuration of other proxy solutions is not provided or supported by ESET. Other proxy solutions may not support caching of the ESET Dynamic Threat Defense communication.

Solution

  1. Prepare your ERA 6.x environment
  2. Install and configure Apache HTTP Proxy
  3. Assign a transition policy to a test client
  4. Upgrade ERA Agents on client computers
  5. Remove ERA Proxy address from the list of server

Connection limitations

The ESET Remote Administrator version (ERA) 6.x Proxy component is discontinued in ESET Security Management Center 7. Follow the instructions in this article carefully to ensure connection compatibility:

  • ERA 6.x Agents can connect to ESMC 7 Server
  • ESET Management (EM) Agent (version 7) cannot connect to ESMC Server via ERA Proxy
  • EM Agent (version 7) cannot connect to ERA 6.x Server
  • Do not upgrade ERA 6.x Agents before a proper proxy solution is configured
  • It is not possible to run the Agent deployment task on clients where ESMC server can reach only via Apache HTTP Proxy

I. Prepare your ERA 6.x environment

  1. Back up your ERA Server (backup databaseCA and certificates).
  2. Upgrade your ERA Server to ESMC 7 via Remote Administrator Components Upgrade Task. (Server, Agent and Web Console are upgraded). When assigning a target for the task, select only the machine with the ERA Server.

Upgrade the ERA Server manually

  1. Wait approximately 24 hours to make sure that the upgraded environment runs smoothly.
  1. Upgrade the ERA Agent on the ERA Proxy machine via Security management Center Components Upgrade Task.

Figure 1-1


II. Install and configure Apache HTTP Proxy

  1. Install Apache HTTP Proxy on the machine where the ERA Proxy is installed. Use the pre-configured ESET version of Apache HTTP Proxy. The configuration necessary for handling connection of ESET Management Agents is included.
  2. Modify the Apache HTTP Proxy configuration file httpd.conf located in C:\Program Files\Apache HTTP Proxy\conf\How to write a ProxyMatch expression?
    1. If you have changed the default port (2222) for the Agent, find the line AllowCONNECT 443 563 2222 and change 2222 to the number of your port.
    2. Add the hostname or IP address of your ESMC Server to the configuration file. The hostname you add must be exactly the same as Agents use to connect the ESMC Server. You can add IP address, hostname or both.
    3. Save the changes and restart the Apache HTTP Proxy service.

Figure 2-1


III. Assign a transition policy to a test client

Figure 3-1

  1. Create a new policy on your ESMC Server. In the ESMC Web Console click Policies  Create New.
  2. In the Basic section, type a Name for the policy.
  3. In the Settings section, select ESET Management Agent.
  4. Navigate to Connection  Server connects to  Edit server list.
  5. Click Add and enter the address (the address must match what Agent used in the configuration) of your ESMC Server in the Host field. Click OK.
  6. Change the operator from Replace to Append.
  7. Click Save.
  8. Navigate to Advanced Settings → HTTP Proxy and set Proxy Configuration to Different Proxy Per Service.
  9. Click Replication  Edit and enable the Use proxy server option.
  10. Type the IP address of the proxy machine to the Host field.
  11. Leave the default value 3128 for the Port.
  12. Click Save and Finish to save the policy. Do not assign it to any computer yet.
Important!

It is absolutely necessary to have both IP addresses in one list applied on the client. If the Agent does not have this information in the policy, it will be unable to connect to the Proxy and the ESMC Server after the upgrade. Such an Agent must be fixed manually by running a repair installation and using the correct ESMC Server address.

If HTTP Proxy setting is not applied in the policy, the Agent will not be able to connect the ESMC Server. Manual re-installation cannot fix this.

  1. Choose one computer that is connected via ERA Proxy and assign the new policy to that test client.
  2. Wait a few minutes until the policy is applied and check if the computer is still connecting to the ESMC Server.

IV. Upgrade ERA Agents on client computers

  1. Run the Security management Center Components Upgrade Task to upgrade the selected test client computer.
  2. After the client is upgraded to version 7, check if it is still connecting to the ESMC Server. If the computer is successfully connecting after the upgrade, continue to upgrade other computers.
Important!

If you have a larger network, begin the upgrade at departments with IT experienced users or those who are physically closer to computers to make the troubleshooting easier.

  1. Apply the policy (from the part III) to the other computers connected via the ERA Proxy.

Figure 4-1

  1. Wait a few minutes until the policy is applied and check if clients are still connecting to the ESMC Server.
  2. Run the Security management Center Components Upgrade Task on these clients.
  3. If all clients are connecting to the ESMC Server after the upgrade is finished, you can proceed with next steps.

Figure 4-2


V. Remove ERA Proxy address from the list of server

Figure 5-1

  1. Modify the policy (from the part III) by navigating to Policies, clicking the gear icon next to the policy you want to modify and then clicking Edit.
  2. In the Settings Connection change the operator from Append to Replace.
  3. Click Save.
  4. Click Finish to save and apply the policy.
  5. Remove the ERA Proxy component using Client Tasks  Software Uninstall.

Figure 5-2

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 21 times, 1 visits today)