[KB7757] Migrate from ERA Proxy (Linux or Virtual Appliance) to Apache HTTP Proxy in ESET PROTECT (8.x)

Issue

  • You have an ESET Remote Administrator (ERA) 6.5 environment running with an ERA Proxy on a Virtual Appliance, and you want to upgrade to ESET PROTECT, which does not support ERA Proxy
  • You want to enable an Apache HTTP Proxy on a Virtual Appliance to substitute the role of an ERA Proxy in ESET PROTECT
  • Migrate from ERA Proxy (Windows) to Apache HTTP Proxy in ESET PROTECT
ERA 6.0 - 6.4 users

The direct upgrade scenario to the ESET PROTECT 8.0 is supported only from ERA 6.5. If you are using an earlier 6.x version of ERA, upgrade to version 6.5 first.

Details

ESET PROTECT is the renamed ESET Security Management Center (ESMC), the new name is used since version 8.0. It uses the agent/server communication protocol introduced with ESMC 7.0. The communication protocol uses TLS and HTTP2 protocols to go through proxy servers, self-recovery features, and a persistent connection that improves overall communication performance.

ERA Proxy 6.5 users

The communication protocol used by ESET PROTECT does not support a connection using ERA Proxy 6.5.

ESET provides a pre-configured Apache installer. The user can also use other proxy solutions (besides Apache HTTP Proxy) that fulfill the following conditions:

  • Can forward SSL communications
  • Supports HTTP CONNECT
  • Can work without authentication (the ESET Management Agent does not support authentication with proxy)

The configuration of other proxy solutions is not provided or supported by ESET. Other solutions may not support caching of ESET Dynamic Threat Defense (EDTD) communications.

The ESET PROTECT Virtual Appliance contains a correctly pre-configured Apache HTTP Proxy. We recommend you use the new appliance instead of upgrading the old one.

Solution

  1. Prepare your ERA 6.x environment
  2. Deploy the new Virtual Appliance and connect it to your ESET PROTECT Server
  3. Assign a transition policy to a test client
  4. Upgrade ERA Agents on client computers
  5. Remove the ERA Proxy address from the list of servers

Connection limitations

  • The ERA 6.x Proxy component is discontinued in ESET PROTECT.
  • ERA 6.x Agents can connect to the ESET PROTECT Server.
  • The ESET Management Agents cannot connect to the ESET PROTECT Server via ERA Proxy or the ERA 6.x Server.
  • Do not upgrade ERA 6.x Agents before a proper proxy solution is set up.
  • It is not possible to run the Agent deployment task on clients with an ESET PROTECT Server. The Agent deployment task can only reach the ESET PROTECT Server using Apache HTTP Proxy. 

I. Prepare your ERA 6.x environment

  1. Back up your ERA Server (for example, backup database, CA and certificates).
     
  2. Run the Component upgrade task on your ERA Server (as target) to upgrade the ERA Server 6.5 to ESET PROTECT Server 8.0. This task updates the server, agent (on the server machine) and web console. When assigning a target for the task, only select the machine with the ERA Server.
     
  3. Wait approximately 24 hours to verify the upgraded environment runs smoothly.
Figure 1-1

II. Deploy the new Virtual Appliance and connect it to your ESET PROTECT Server

To keep your proxy safe and well configured, replace your old ERA Proxy - Virtual Appliance with the new version.  ESET PROTECT does not provide a stand-alone proxy configuration as ERA 6.x did.  We recommend you deploy a new ESET PROTECT Server - Virtual Appliance.  The new server is not used as an administrative server but as a proxy.  The correctly configured Apache HTTP Proxy is included in the ESET PROTECT Virtual Appliance download.  

  1. Download the ESET PROTECT Virtual Appliance.
     
  2. Deploy the ESET PROTECT Virtual Appliance on your hypervisor.
     
  3. Configure the new Appliance as an ESET PROTECT Server.
    • You will be prompted for the new password later in the process.
    • Enable HTTP Forward Proxy during the configuration.
       
  1. Reinstall the ESET Management Agent on the appliance and connect it to the main ESET PROTECT Server. Open the virtual machine with your ESET PROTECT Virtual Appliance → Enter Management mode → enter your password → Login → Exit to terminal.
     
  2. The Agent installer is located at: /root/eset_installers/Agent-Linux-x86_64.sh
    We recommend you use the server-assisted installation. For example:

    /root/eset_installers/Agent-Linux-x86_64.sh \
    --skip-license \
    --hostname=10.1.179.36 \
    --port=2222 \
    --webconsole-user=Administrator \
    --webconsole-password=aB45$45c \
    --webconsole-port=2223

    Replace the hostname and password values with actual values from the main ESET PROTECT Server. For more information, refer to the Agent installation - Linux topic in the ESET PROTECT Online Help Guide.
Figure 1-2

 

  1. If required, you can stop certain services on the new appliance to save resources.
    In the Terminal, run the applicable commands: 

    System V init Systemd
    service eraserver stop systemctl stop eraserver
    service mysql stop systemctl stop mysql
    service tomcat stop systemctl stop tomcat

    To prevent ESET PROTECT and MySQL services from starting after reboot, disable them:

    Systemd
    systemctl disable eraserver
    systemctl disable mysql
    systemctl disable tomcat
  2. Modify the Apache HTTP Proxy configuration file /etc/httpd/conf.d/proxy.conf. Use the nano editor in the Terminal or access the file using Webmin. For nano, use the following command:

    nano /etc/httpd/conf.d/proxy.conf
     
    1. If you have changed the default port (2222) for the agent, find the line AllowCONNECT 443 2222 and change 2222 to the number of your port.
       
    2. Add the hostname or IP address of your ESET PROTECT Server to the configuration file. The hostname you add must be exactly the same as the hostname agents use to connect to the ESET PROTECT Server. You can also add a ProxyMatch expression.
       
    3. Close the file and save the changes.
       
    4. Restart the Apache HTTP Proxy service.

      systemctl restart httpd

  3. Open the ESET PROTECT Web Console in your web browser and log in.
    If the new agent is connecting, use it for future maintenance of the proxy machine.

III. Assign a transition policy to a test client

  1. In the ESET PROTECT Web Console click Policies → New Policy.
Figure 3-1
  1. Type a Name for the policy.
Figure 3-2
  1. Click Settings, select ESET Management Agent.

  2. Expand Connection, click Edit server list next to Server connects to.

Figure 3-3
  1. Click Add.

Figure 3-4
  1. In the Host field, type the applicable address (the address must match what the agent uses in the configuration) of your ESET PROTECT Server and click OK.

Figure 3-5
  1. Click Save.

Figure 3-6
  1. In the Policy settings drop-down menu, select Append.

Figure 3-7
  1. Expand Advanced Settings. In the HTTP Proxy section, select Different Proxy Per Service from the Proxy Configuration drop-down menu.

Figure 3-8
  1. Next to Replication (to ESET PROTECT Server), click Edit.

Figure 3-9
  1. Enable the Use proxy server. In the Host field, type the IP address of the proxy machine. In the Port field, leave the default value (3128), and click Save.
Figure 3-10
  1. Click Finish to save the policy. Do not assign it to a computer yet.
IP Addresses

It is necessary to have both IP addresses in one list applied to the client. If the agent does not have this information in the policy, it is unable to connect to the proxy and the ESET PROTECT Server after the upgrade. Such an agent must be fixed manually by running a repair installation and using the correct ESET PROTECT Server address. If the HTTP Proxy setting is not applied in the policy, the agent is able to connect to the ESET PROTECT Server.

Figure 3-11
  1. Choose one computer that is connected via ERA Proxy and assign the new policy to that test client.

  2. After a few minutes, verify the computer is still connecting to the ESET PROTECT Server.

IV. Upgrade ERA Agents on client computers

  1. Run an ESET PROTECT Components Upgrade Task.

  2. Verify the client is connected to the ESET PROTECT Server. Continue upgrading the remaining clients.

Upgrades and troubleshooting

If you have a more extensive network, begin the upgrade with departments that include IT experienced users or those who are physically closer to their computers to make troubleshooting easier.

  1. Apply the policy from part III to the other computers connected via the ERA Proxy.
Figure 4-1

 

  1. After the policy is applied, verify all clients are connecting to the ESET PROTECT Server.

  2. Run an ESET PROTECT Components Upgrade Task.

  3. If all clients are connecting to the ESET PROTECT Server after the upgrade is finished, proceed to section V. below.

V. Remove the ERA Proxy address from the list of servers

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Click Policies, select the applicable policy and click Edit.
Figure 5-1
  1. Click Settings

  2. In the Policy settings drop-down menu, select Replace.

  3. Click Finish to save and apply the policy.

Figure 5-2
  1. Remove the ERA Proxy Virtual Appliance (remove the virtual machine from the hypervisor). 
Figure 5-3