We recommend that you use Apache HTTP Proxy distributed by ESET. It has the correct configuration necessary for:
If you use a custom Apache HTTP Proxy installation, make sure you have configured it properly. The proper configuration can be found in the file httpd.conf contained in the Apache installer distributed by ESET.
In ESET Security Management Center (ESMC) 7, the former ERA Proxy component is no longer being used. Instead, Apache HTTP Proxy forwards the information from Agents checking in to ESMC Server. Users can also use other proxy solutions that comply with requirements. Unlike the former ERA Proxy component, Apache HTTP Proxy only forwards communication from the Agents; it does not cache or open the communication (replication).
The Apache HTTP Proxy distributed by ESET is pre-configured by default for both replication and caching of ESET product downloads and updates; however, some configuration is still needed (see step 6 in the documentation). See the scheme of a single proxy solution for a branch office in Fig. 1-1.
Users in some environments may need to use separate proxy solutions for caching and replication. In the example below one branch office is using a separate proxy for caching and another for replication to the ESMC Server in the main office.
The proxy settings are located in the Agent policy. To configure them, create a new Agent policy or modify an existing one. You can also create multiple Agent policies with different proxy setups and assign them to computers using dynamic groups. When a client machine is moved to a different dynamic group, it will automatically use the appropriate proxy setup.
To set up different proxies, follow these steps:
Apache HTTP Proxy security can be hardened to block all incoming connections except:
AllowCONNECT values in the proxy settings (httpd.conf).
ProxyMatch segments, from the proxy settings (httpd.conf), except your ESMC Server machine.
ESMC does not support proxy chaining when the proxy requires authentication. To enable proxy chaining, add the following to the proxy configuration (
ProxyRemote * http://IP_ADDRESS:3128
When using proxy chaining on the ESMC Virtual Appliance, the SELinux policy must be modified. Open the terminal on the ESMC VA and run the following command:
/usr/sbin/setsebool -P httpd_can_network_connect 1
When using proxy chaining, the firewall must allow communication on the ports in this diagram. Note that the proxies communicate with each other on port 3128, but the last HTTP Proxy machine communicates with the ESMC Server on port 2222. The port numbers mentioned in the documentation are the defaults.
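The hardening and chaining settings above can be checked mechanically. The following Python script is an added example, not part of ESET's documentation or installer: it reads an httpd.conf and reports AllowCONNECT ports, ProxyMatch patterns and ProxyRemote upstreams that are wider than intended. The sample configuration, the host name esmc.example.internal and the port allowlist are constructed, and the script assumes a proxy whose only permitted destination is the ESMC Server.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration, not the httpd.conf shipped by ESET.
SAMPLE_CONF = r"""
AllowCONNECT 443 2222 8000-8002
<ProxyMatch "^esmc\.example\.internal(:2222)?$">
    Require all granted
</ProxyMatch>
<ProxyMatch "^.*$">
    Require all granted
</ProxyMatch>
ProxyRemote * http://10.0.0.5:3128
"""

def parse_proxy_conf(text):
    """Return (AllowCONNECT ports, ProxyMatch regexes, ProxyRemote upstream URLs)."""
    ports, patterns, upstreams = set(), [], []
    for line in (raw.strip() for raw in text.splitlines()):
        low = line.lower()  # Apache directive names are case-insensitive
        if low.startswith("allowconnect "):
            for tok in line.split()[1:]:  # each token is "port" or "port-port"
                lo, _, hi = tok.partition("-")
                ports.update(range(int(lo), int(hi or lo) + 1))
        elif low.startswith("<proxymatch "):
            patterns.append(line[len("<proxymatch "):].rstrip(">").strip().strip('"'))
        elif low.startswith("proxyremote ") and len(line.split()) >= 3:
            upstreams.append(line.split()[2])
    return ports, patterns, upstreams

def audit(text, server_host, allowed_ports, server_port=2222, chain_port=3128):
    """List settings that are wider than the hardening described above."""
    ports, patterns, upstreams = parse_proxy_conf(text)
    findings = [f"AllowCONNECT permits unexpected port {p}"
                for p in sorted(ports - set(allowed_ports))]
    server = [server_host, f"{server_host}:{server_port}"]
    probe = ["unrelated.invalid:443", "http://unrelated.invalid/"]  # stand-in for any other host
    for pat in patterns:
        rx = re.compile(pat)  # Python re used as an approximation of Apache's PCRE
        if any(rx.search(s) for s in probe):
            findings.append(f"ProxyMatch {pat!r} matches hosts other than the server")
        elif not any(rx.search(s) for s in server):
            findings.append(f"ProxyMatch {pat!r} does not cover {server_host}")
    for url in upstreams:
        u = urlsplit(url)
        if u.port != chain_port:  # proxies talk to each other on 3128 by default
            findings.append(f"ProxyRemote {u.hostname} uses port {u.port}, expected {chain_port}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "esmc.example.internal", {443, 2222}):
        print(finding)
```

Pass your own allowlist and port values if your deployment does not use the defaults of 2222 and 3128.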
In a more complex infrastructure, with a subnet that separates an internal LAN from untrusted networks (DMZ), it is recommended to deploy ESMC Server outside the DMZ. Figure 2-1 illustrates one possible deployment scenario. When setting up an environment such as this, we recommend adhering to the following guidelines:
An ERA 6.x environment with DMZ and ERA Proxy can be migrated to ESMC 7 while replacing ERA Proxy with Apache HTTP Proxy or another proxy solution complying with HTTP Proxy requirements. Never decommission the old ERA Proxy component before a working alternative is set up and running. For complete instructions, visit the following Knowledgebase articles: