Issue
Details
Click to expand
ESET Bridge is an application based on the open-source Nginx web server, tailored to meet the needs of ESET security applications and services. ESET distributes ESET Bridge with ESET PROTECT On-Prem 10.0 (and later) as a proxy component, replacing Apache HTTP Proxy, which was used previously. For more information, see ESET Bridge introduction.
These installers have the correct configuration necessary for the following:
- Forwarding ESET Management Agents' replication (communication with ESET PROTECT Server)
- Caching ESET detection engine updates and installer files
- Caching ESET LiveGuard Advanced analysis results
Solution
Use different proxy configurations for caching and replication
Some environments may require separating content caching and replication traffic. ESET Bridge supports this by allowing different proxy configurations to be used for different types of communication.
The example below illustrates a branch‑office setup in which one proxy is dedicated to caching, while another handles replication traffic between the branch office and the ESET PROTECT Server in the main office.
For instructions on how to configure ESET Management Agents to use different proxy configurations, see the Configure ESET Management Agents to use different proxy configurations section.
Configure ESET Management Agents to use different proxy configurations
-
Create a policy or open an existing one. To configure the policy settings, follow the steps below.
-
In the policy details, click Settings and select ESET Management Agent from the drop-down menu. Expand Advanced Settings and in the drop-down menu next to Proxy Configuration Type, select Different Proxy Per Service.
-
Click Edit next to Replication (to ESET Management Server). Click the toggle next to Use proxy server to enable it. In the Host field, type the hostname or IP address of the machine running the replication proxy and ensure the Port field contains the correct value. Click Save.
-
Click Edit next to ESET Services (updates, packages, telemetry). Click the toggle next to Use proxy server to enable it. In the Host field, type the hostname or IP address of the machine running the caching proxy and ensure the Port field contains the correct value. Click Save.
Deploy ESET Bridge in a DMZ environment
In a more complex infrastructure, where a DMZ subnet separates the internal LAN from untrusted networks, deploying the ESET PROTECT Server outside the DMZ is recommended. The example below illustrates a possible deployment scenario.
When setting up an environment such as this, we recommend adhering to the following guidelines:
- Use hostnames instead of IP addresses in ESET PROTECT On-Prem component settings.
- For roaming clients (devices that can leave the intranet), use dynamic groups and policies to ensure they use the server hostname resolvable from the internet only when they are outside the intranet. For clients that never leave the intranet, use a hostname that is resolvable only internally to prevent their connection from being routed through the internet.
- Use ESET Bridge for replication only if necessary, because replication through ESET Bridge does not aggregate connections from ESET Management Agents and does not reduce bandwidth usage.
- Use ESET Bridge for caching updates and installers to reduce network load. Roaming clients, however, should not use the caching proxy when they are outside the intranet. To ensure this, assign the caching proxy a hostname that is resolvable only inside the intranet. This way, when roaming clients are external, the hostname does not resolve, and they connect directly to ESET update servers.
- Open only the necessary firewall ports for the required hostnames in your environment. For a complete list of ports used by ESET PROTECT On-Prem, see Ports used.
