[KB7500] Best practices for using the ESMC 7.x in an offline environment

Issue

ESET business product in Limited Support status

This content applies to an ESET product version that is currently in Limited Support status and is scheduled to reach End of Life status soon.

For a complete list of supported products and support level definitions, review the ESET End of Life Policy for business products.

Upgrade ESET business products.

You have ESET Security Management Center (ESMC) installed with no access to the public internet and want to maintain updates to ESET products

Solution

Create the repository using the Mirrortool:

Prerequisites
Create an offline repository
Move files to the offline web server (e.g. Apache)
Set up Agents and endpoints to use the offline web server

Configure the ESET Mirror Tool to download updates from another ESET Mirror Tool

I. Prerequisites

ESMC 7.x installed or ESMC Virtual Appliance deployed
Apache (httpd) (the ESMC Virtual Appliance have Apache pre-installed) or IIS (part of Windows Server)
Download the MirrorTool (for mirror on Linux) or MirrorTool.exe (for mirror on Windows). You can download the Mirror Tool from the ESET download page. See the complete documentation for more information on the Mirror Tool and a list of available parameters.
- MirrorTool.exe does not run on Windows XP and Windows Server 2003
If you run the Mirror Tool on Windows, install the following:
- Visual C++ Redistributable for Visual Studio 2010
- Visual C++ 2015 Redistributable x86
One machine connected to the internet to create and update the offline repository
- At least 250 GB of free space at the machine where the full offline repository is created
Offline license files from ESET License Administrator or ESET Business Account
- How can I download the offline license file from ESET License Administrator?
- How can I download the offline license file from ESET Business Account?

II. Create an offline repository

The Mirror Tool downloads data to the --repository-intermediate folder and when the download is finished, it moves all the data to --repository-final folder. Make sure to have enough space free on your drive, each folder is 100GB in size. As ESET releases new updates and product versions, the total size will continue to grow.

Update your offline resource regularly

Run this task every few months and move the new files to your offline repository.

Run the following command in the command line on a computer with internet access. Use MirrorTool.exe on Windows machines and MirrorTool on Linux.

MirrorTool.exe --repositoryServer AUTOSELECT ^
--intermediateRepositoryDirectory repository-intermediate ^
--outputRepositoryDirectory repository-final

You can reduce the download size of the folder by using the following parameters:

--productFilterForRepository – Later in this document, you can find a list of the product names that can be used with this parameter. Enter the product names or a part of the name. Enclose the in " " if it contains a space. Separate multiple names by a single space, for example: "ESET Management Agent" "Antivirus". When filtering for a partial name, for example "Agent", all products containing the string are filtered.

See the list of available products

Product
ESET Antivirus for Linux - Business Edition
ESET Endpoint Antivirus
ESET Endpoint Antivirus for OS X
ESET Enterprise Inspector Agent
ESET Enterprise Inspector Server
ESET Endpoint Security for Android
ESET Endpoint Security for OS X
ESET Endpoint Security
ESET Full Disk Encryption
ESET File Security
ESET File Security for Microsoft Windows Server
ESET Mail Security for Microsoft Exchange Server
ESET Security for Kerio
ESET Mail Security for IBM Domino
ESET Rogue Detection Sensor for Linux
ESET Rogue Detection Sensor for Windows
ESET Rogue Detection Sensor
ESET Mail/File/Gateway Security for Linux
ESET Security for Microsoft SharePoint Server
ESET Secure Authentication
ESET NSX Service Manager
Safetica Agent
WinPcap
Microsoft SQL Express 2016 x64
Microsoft SQL Server 2014 Express
Microsoft SQL Express 2014 x64
Microsoft SQL Express 2014 x86
Microsoft SQL Express 2008R2 x86
Microsoft SQL Express 2008R2 x64
ApacheTomcat
ApacheHttp
ESET Remote Administrator Bootstrapper
ESET Remote Administrator 6 WebConsole
ESET Remote Administrator Virtual Agent Host
ESET Remote Administrator Server
ESET Remote Administrator Proxy
ESET Security Management Center Migration Assistant
ESET Migration Assistant
ESET Security Management Center Mobile Device Connector
ESET Remote Administrator Mobile Device Connector
ESET Remote Administrator Agent
ESET Security Management Center Bootstrapper
ESET Management Agent
ESET Security Management Center Server
ESET Security Management Center WebConsole

Filtering products can break installers

If you use the product filtering option and create a reduced repository, youcan not create an All-in-one installer of a product that you filtered out of the repository.

To create an All-in-one installer with Agent only, you need to filter "ESET Security Management Center Bootstrapper" "ESET Management Agent".
To create an All-in-one installer that contains Agent and an ESET security product, filter also product name(s), for example: "ESET Security Management Center Bootstrapper" "ESET Management Agent" "Antivirus".

--languageFilterForRepository – Select which language packs would be downloaded. Enter the codes separated by a single space, for example: sk_SK fr_FR de_DE. See the list of language codes.

The following command only downloads the packages necessary for an ESMC upgrade. For example, you can use such a repository when installing ESET Management Agent via the following methods:

Push install (Server task - Agent Deployment)
Live installer
All-in-one installer
Installation with a direct link to the repository

Example usage of the --productFilterForRepository parameter:

MirrorTool.exe --repositoryServer AUTOSELECT ^
--intermediateRepositoryDirectory repository-intermediate ^
--outputRepositoryDirectory repository-final^
–-productFilterForRepository "ESET Management Agent" "ESET Security Management Center Bootstrapper" "ESET Security Management Center Server" "ESET Security Management Center WebConsole"

Create an update mirror

To create an update mirror, you need the offline license file (license_file.lf) available on your intermediary machine. Run the following command to download the update files:

MirrorTool.exe --mirrorType regular ^
--intermediateUpdateDirectory mirror-intermediary ^
--offlineLicenseFilename license_file.lf ^
--outputDirectory mirror-final

The Mirror Tool creates two folders, temporary and final with 3GB size. You can use the --excludedProducts parameters to decrease the download size:

ep4
ep5
ep6
ep7
era6 (covers all ESMC and ERA packages)

Example usage of the --excludedProducts parameter:

MirrorTool.exe --mirrorType regular ^
--intermediateUpdateDirectory mirror-intermediary ^
--offlineLicenseFilename license_file.lf ^
--outputDirectory mirror-final ^
--excludedProducts ep4 ep5

Update your offline resource regularly

Schedule this command to run every six hours and move the contents of the output folders to the offline server.

III. Move files to the offline web server (e.g. Apache)

After you download the update and/or repository files (Part 1), choose a local webserver. Set up the webserver to serve the updates and installers to the machines in the offline environment. See the setup instructions for Apache and Microsoft IIS below.

Alternative: I want to distribute updates using the ESET Endpoint as the update mirror.

Built-in proxy policy

If you have installed the ESMC using the Bootstraper installer with enabled Apache HTTP Proxy, all clients will be configured by default to tunnel communication with ESET via the proxy. This configuration is present also in live installer scripts.

My offline web server is on Windows

Windows server with Microsoft IIS

Copy the whole folder downloaded by the Mirrortool to C:\inetpub\wwwroot
Enable Directory Browsing in IIS Manager.
Add MIME type with extension * as text/plain.

Windows server with Apache HTTP Proxy (distributed with ESET Security Management Center)

[KB6750] Install Apache HTTP Proxy (ESMC 7.x)

Admin access needed

You need to have administrator permissions to edit the Apache configuration and restart the Apache service.

Locate and open the configuration file of your Apache HTTP Proxy. The default location is C:\Program Files\Apache HTTP Proxy\conf\httpd.conf
Find the following line in the file httpd.conf

...
Listen 3128
...

Add the following line after:

Listen 8080

Save the changes in the file and restart the Apache HTTP Proxy service.

My offline web server is on Linux or ESMC Virtual Appliance

How can I install the Apache HTTP Proxy on Linux?

Linux and ESMC Virtual Appliance (CentOS) with Apache httpd

Find the following line in the file /etc/httpd/conf/httpd.conf:

...
Listen 3128
...

Add the following line after:

Listen 8080

Find the following line:

#DocumentRoot /var/www/html

Replace the line with the following block of code:

DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymlinks
AllowOverride none
Require all granted
</Directory>

Save the file and restart the httpd service.

sudo systemctl restart httpd.service

SELinux (applicable on Linux and ESMC Virtual Appliance)

SELinux can block the other devices from accessing the repository machine. Add an exception for the repository/updates files location or disable the SELinux.

To turn off this feature, follow the steps below:

Open /etc/selinux/config in your editor, find and set the following value:

SELINUX=disabled

Restart the system (machine) to apply the changes.

Open the ports 8080 a 3128 on Linux or VA firewall

When using the ESMC Virtual Appliance, use Webmin to add port 8080 to the rule where 3128 is already listed, and save the configuration.

If you prefer the Linux Console, use the following command to do the same:

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 8080 -j ACCEPT
service iptables save
service ip6tables save

Copy the files downloaded by Mirrortool to the offline web server

Copy the files from the intermediary machine to the offline server where the Apache is running.

Copy the whole structure to /var/www/html (or the folder you specified in the DocumentRoot setting)
Set the file permissions so the user running the httpd service can read them

Optional: Install ESET security products from a shared location

In this case, we do not use a repository. You need to have ESET Management Agents installed on client machines.

Download a ESET Endpoint installer (ESET download site).
Save the installer to a location accessible to other computers in your offline network. We recommend creating a logical folder structure based on product names and versions.
Log in to your management console (ESMC).
Create a new Software Install task with the direct link. [KB6726] Deploy or upgrade ESET endpoint products using ESET Security Management Center (7.x)

IV. Setup your server and clients to use the offline repository

See the examples below to set paths of Repository and Update servers with ESET Endpoint version 7.x products. Do the following in the ESET Security Management Center:

Set up the ESMC Server to use the offline repository and updates

Server settings

Log in to ESMC Web Console.
Navigate to More > Server Settings > Advanced Settings > Repository.
Type in your address to the Server field.

Navigate to the Updates section.
Type in your offline server's address to the Update server field. Type the whole address with the folder structure, according to the product you are setting up.

Click Save.

Use the correct path for each product

For the Update server settings, always enter the full path according to the product you are setting up. For example: http://update.server.local/mirror-final/eset_upd/ep7

The last folder in the path should be one of the following:

Folder Name	Updated products
ep4	ESET Endpoint 4.x
ep5	ESET Endpoint 5.x
ep6	ESET Endpoint 6.x
ep7	ESET Endpoint 7.x
era6	ERA 6.x and ESMC 7.x

Set up ESET Management Agents to use the offline repository and updates

Agent policy

You need to apply the new settings to all machines (their Agents) which are using the offline server for updates and repository. Select a suitable policy or create a new one and assign it to those machines.

Log in to ESMC Web Console.
Navigate to Policies.
Select the appropriate policy.
In the policy Settings section navigate to > Advanced Settings > Repository.
Type in your address to the Server field.

Navigate to Updates section.
Type your offline server's address to the Update server field. Make sure to type the whole address with the folder structure, according to the product you are setting up.

Set up ESET Endpoint products to use the offline repository and updates

Policies for ESET Endpoint products (on Windows)

How can I activate ESET Endpoint products in the offline environment?

You need to apply the new settings to all machines (their ESET security products) which are using the offline server for updates. Select a suitable policy or create a new one and assign it to those machines.

Log in to ESMC Web Console.
Navigate to Policies.
Select the appropriate policy.
In the policy Settings section navigate to > UPDATE > Profiles > Updates > Modules Updates.
Deselect the Choose automatically option.
Type in your offline server's address to the Custom server field. Make sure to type the whole address with the folder structure, according to the product you are setting up. The example image below shows the ESET Endpoint 7.x folder address.

Use the correct path for each product

For the Custom server settings, always type the full path according to the product you are setting up. For example: http://update.server.local/mirror-final/eset_upd/ep7

The last folder in the path should be one of the following:

Folder Name	Updated products
ep4	ESET Endpoint 4.x
ep5	ESET Endpoint 5.x
ep6	ESET Endpoint 6.x
ep7	ESET Endpoint 7.x
era6	ERA 6.x and ESMC 7.x

Other products

If necessary, create policies for any ESET product similar to the examples shown above.

Enable access to the webserver machine

Make sure all client machines can access the offline repository machine on port 8080.

Last Updated: Mar 4, 2022