[KB7805] Best practices for using the ESET PROTECT in an offline environment

Issue

Solution

Prerequisites

  • ESET PROTECT installed or the Virtual Appliance deployed
  • Have Apache (the ESET PROTECT Virtual Appliance have Apache pre-installed) or IIS (part of Windows Server) installed
  • Download Linux MirrorTool or Windows MirrorTool.exe file. See the complete documentation for more information on the Mirror Tool and a list of available parameters.
    • MirrorTool.exe does not run on Windows XP and Windows Server 2003
  • If you run the Mirror Tool on Windows, install the following:
    • Visual C++ Redistributable for Visual Studio 2010
    • Visual C++ 2015 Redistributable x86
  • One machine connected to the internet to create and update the offline repository
  • At least 250 GB of free space at the machine where the full offline repository is created
  • Download offline license files from ESET Business Account

Create the repository using the Mirror Tool

  1. Download the update files using the Mirror Tool to your intermediary machine.

  2. Move files to the offline web server. For example, Apache.

  3. Set up Agents and endpoints to use the offline web server.

  4. Configure the ESET Mirror Tool to download updates from another ESET Mirror Tool.


Create an offline repository

The Mirror Tool downloads data to the repository-intermediate folder. When the download is finished, it moves all the data to the repository-final folder. Make sure to have enough space free on your drive, each folder is 100GB in size. As ESET releases new updates and product versions, the total size will continue to grow.

Update your offline resource regularly

Run this task every few months and move the new files to your offline repository.

  1. Run the following command in the command line on a computer with internet access. Use MirrorTool.exe on Windows machines and MirrorTool on Linux.
MirrorTool.exe --repositoryServer AUTOSELECT ^
--intermediateRepositoryDirectory repository-intermediate ^
--outputRepositoryDirectory repository-final

Follow these steps to reduce the download size of the folder:


ESET PROTECT 8.x users

You can reduce the download size of the folder by using the following parameters:

--productFilterForRepository – Later in this document, you can find a list of the product names that can be used with this parameter. Type the product names or a part of the name. Enclose the in " " if it contains a space. Separate multiple names by a single space, for example: "ESET Management Agent" "Antivirus". When filtering for a partial name, for example "Agent", all products containing the string are filtered.

--languageFilterForRepository – Select which language packs would be downloaded. Type in or copy/paste the codes separated by a single space, for example: sk_SK fr_FR de_DE.

See the list of language codes.

The following command only downloads the packages necessary for an ESET PROTECT upgrade. For example, you can use such a repository when installing ESET Management Agent via the following methods:

Example usage of the --productFilterForRepository parameter:

MirrorTool.exe --repositoryServer AUTOSELECT ^
--intermediateRepositoryDirectory repository-intermediate ^
--outputRepositoryDirectory repository-final^
–-productFilterForRepository "ESET Management Agent" "ESET PROTECT Bootstrapper" "ESET PROTECT Server" "ESET PROTECT WebConsole"

ESET PROTECT 9.x users

  1. To reduce the download size of the folder create a text file in JSON format placed in the same folder as Mirror Tool, for example: --filterFilePath filter.txt

  2. In the text file, type in the desired parameters as described in this Online Help article. Later in this document, you can find a list of the product names that can be used with these parameters. See the list of language codes.

  3. Optionally, add the parameter --dryRun to the text file and run the Mirror Tool. When you use this optional parameter, Mirror Tool will not download any files, but it will generate a .csv file listing all packages that will be downloaded.


Filtering products can break installers

If you use the product filtering option and create a reduced repository, you cannot create an All-in-one installer of a product that you filtered out of the repository.

  • To create an All-in-one installer with Agent only, you need to filter "ESET PROTECT Bootstrapper" "ESET Management Agent".
  • To create an All-in-one installer that contains Agent and an ESET security product, filter also product name(s), for example: "ESET PROTECT Bootstrapper" "ESET Management Agent" "Antivirus".
  1. Create an update mirror

To create an update mirror, you need the offline license file (license_file.lf) available on your intermediary machine. Run the following command to download the update files:

MirrorTool.exe --mirrorType regular ^
--intermediateUpdateDirectory mirror-intermediary ^
--offlineLicenseFilename license_file.lf ^
--outputDirectory mirror-final

The Mirror Tool creates two folders, temporary and final with 3GB size. You can use the --excludedProducts parameters to decrease the download size:

  • ep6
  • ep7
  • ep8
  • ep9
  • era6 (covers all PROTECT, ESMC and ERA packages)

Example usage of the --excludedProducts parameter:

MirrorTool.exe --mirrorType regular ^
--intermediateUpdateDirectory mirror-intermediary ^
--offlineLicenseFilename license_file.lf ^
--outputDirectory mirror-final ^
--excludedProducts ep4 ep5 ep6
Update your offline resource regularly

Schedule this command to run every six hours and move the content of the output folders to the offline server.


See the list of available products

Product
ESET Antivirus for Linux - Business Edition
ESET Endpoint Antivirus
ESET Endpoint Antivirus for OS X
ESET Enterprise Inspector Agent
ESET Enterprise Inspector Server
ESET Endpoint Security for Android
ESET Endpoint Security for OS X
ESET Endpoint Security
ESET Full Disk Encryption
ESET File Security
ESET File Security for Microsoft Windows Server
ESET Mail Security for Microsoft Exchange Server
ESET Security for Kerio
ESET Mail Security for IBM Domino
ESET Rogue Detection Sensor for Linux
ESET Rogue Detection Sensor for Windows
ESET Rogue Detection Sensor
ESET Mail/File/Gateway Security for Linux
ESET Security for Microsoft SharePoint Server
ESET Secure Authentication
ESET NSX Service Manager
Safetica Agent
WinPcap
Microsoft SQL Express 2016 x64
Microsoft SQL Server 2014 Express
Microsoft SQL Express 2014 x64
Microsoft SQL Express 2014 x86
Microsoft SQL Express 2008R2 x86
Microsoft SQL Express 2008R2 x64
ApacheTomcat
ApacheHttp
ESET Remote Administrator Bootstrapper
ESET Remote Administrator 6 WebConsole
ESET Remote Administrator Virtual Agent Host
ESET Remote Administrator Server
ESET Remote Administrator Proxy
ESET Security Management Center Migration Assistant
ESET Migration Assistant
ESET Security Management Center Mobile Device Connector
ESET Remote Administrator Mobile Device Connector
ESET Remote Administrator Agent
ESET Security Management Center Bootstrapper
ESET Management Agent
ESET Security Management Center Server
ESET Security Management Center WebConsole
ESET PROTECT Server
ESET PROTECT Mobile Device Connector
ESET PROTECT Bootstrapper
ESET PROTECT WebConsole


Move files to the offline web server

After you download the update and/or repository files (Part 1, for example, Apache), choose a local web server. Set up the web server to serve the updates and installers to the machines in the offline environment. See the setup instructions for Apache and Microsoft IIS below.

Alternative: I want to distribute updates using the ESET Endpoint as the update mirror.

Built-in proxy policy

If you have installed the ESET PROTECT using the All-in-one (Bootstrapper) installer with enabled Apache HTTP Proxy, all clients will be configured by default to tunnel communication with ESET via the proxy. This configuration is also present in live installer scripts


My offline web server is on Windows

Windows server with Microsoft IIS

  1. Copy the whole folder downloaded by the Mirror tool to C:\inetpub\wwwroot.

  2. Enable Directory Browsing in IIS Manager.

  3. Add MIME type with extension * as text/plain.


    Figure 1-1
    Unable to read the extension

    If ESET PROTECT is unable to read the added extension edit web.config in the IIS root folder and add a line with fileExtension=".".

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <directoryBrowse enabled="true" />
            <staticContent>
                <mimeMap fileExtension=".*" mimeType="text/plain" />
                <mimeMap fileExtension="." mimeType="text/plain" />
            </staticContent>
        </system.webServer>
    </configuration>


Windows server with Apache HTTP Proxy (distributed with ESET PROTECT)

Install Apache HTTP Proxy (ESET PROTECT)

Admin access needed

You need to have administrator permissions to edit the Apache configuration and restart the Apache service.

  1. Locate and open the configuration file of your Apache HTTP Proxy. The default location is C:\Program Files\Apache HTTP Proxy\conf\httpd.conf.

  2. Find the following line in the file httpd.conf.
...
Listen 3128
...
  1. Add the following line after:
Listen 8080
  1. Save the changes in the file and restart the Apache HTTP Proxy service.
My offline web server is on Linux or ESET PROTECT Virtual Appliance

How can I install the Apache HTTP Proxy on Linux?

Linux and ESET PROTECT Virtual Appliance (CentOS) with Apache httpd

  1. Find the following line in the file /etc/httpd/conf/httpd.conf:
...
Listen 3128
...
  1. Add the following line after:
Listen 8080
  1. Find the following line:
#DocumentRoot /var/www/html
  1. Replace the line with the following block of code:
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymlinks
AllowOverride none
Require all granted
</Directory>
  1. Save the file and restart the httpd service.
sudo systemctl restart httpd.service

SELinux (applicable on Linux and ESET PROTECT Virtual Appliance)

SELinux can block the other devices from accessing the repository machine. Add an exception for the repository/updates files location or disable the SELinux.

To turn off this feature, follow the steps below:

  1. Open /etc/selinux/config in your editor, find and set the following value:
SELINUX=disabled
  1. Restart the system (machine) to apply the changes.

Open the ports 8080 a 3128 on Linux or VA firewall

When using the ESET PROTECT Virtual Appliance, use Webmin to add port 8080 to the rule where 3128 is already listed, and save the configuration.

If you prefer the Linux Console, use the following command to do the same:

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 8080 -j ACCEPT
service iptables save
service ip6tables save

Copy the files downloaded by Mirrortool to the offline web server

Copy the files from the intermediary machine to the offline server where the Apache is running.

  • Copy the whole structure to /var/www/html (or the folder you specified in the DocumentRoot setting)
  • Set the file permissions so the user running the httpd service can read them

Optional: Installing ESET security products from a shared location

In this case, we do not use a repository. You need to have ESET Management Agents installed on client machines.

  1. Download a ESET Endpoint installer (ESET download site).

  2. Save the installer to a location accessible to other computers in your offline network. We recommend creating a logical folder structure based on product names and versions.

  3. Log in to your management console (ESET PROTECT).

  4. Create a new Software Install task with the direct link.  Deploy or upgrade ESET endpoint products using ESET PROTECT.


Set up your server and clients to use the offline repository

See the examples below to set paths of Repository and Update servers with ESET Endpoint version 7.x (and later) products. Do the following in the ESET PROTECT:

Set up the ESET PROTECT Server to use the offline repository and updates


Server settings

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Navigate to More Server Settings > Advanced Settings Repository.

  3. Enter your address to the Server field.

Figure 2-1
  1. Navigate to the Updates section.

  2. Enter your offline server's address to the Update server field. Enter the whole address with the folder structure, according to the product you are setting up.

Figure 2-2
  1. Click Save.

Figure 2-3
Use the correct path for each product

For the Update server settings, always enter the full path according to the product you are setting up. For example: http://update.server.local/mirror-final/eset_upd/ep8

The last folder in the path should be one of the following:

Folder Name Updated products
ep6 ESET Endpoint 6.x
ep7 ESET Endpoint 7.x
ep8 ESET Endpoint 8.x
ep9  ESET Endpoint 9.x
era6
  • ERA 6.x
  • ESMC 7.x
  • ESET PROTECT
Set up ESET Management Agents to use the offline repository and updates


Agent policy

You need to apply the new settings to all machines (their Agents) which are using the offline server for updates and repository. Select a suitable policy or create a new one and assign it to those machines.

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Navigate to Policies.

  3. Select the appropriate policy.

  4. In the policy Settings section navigate to → Advanced SettingsRepository.

  5. Enter your address to the Server field.

Figure 3-1
  1. Navigate to Updates section.

  2. Type your offline server's address to the Update server field. Make sure to enter the whole address with the folder structure, according to the product you are setting up.

Figure 3-2
Set up ESET Endpoint products to use the offline repository and updates


Policies for ESET Endpoint products (on Windows)

How can I activate ESET Endpoint products in the offline environment?

You need to apply the new settings to all machines (their ESET security products) which are using the offline server for updates. Select a suitable policy or create a new one and assign it to those machines.

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Navigate to Policies.

  3. Select the appropriate policy.

  4. In the policy Settings section navigate to → UPDATEProfiles → Updates → Modules Updates.

  5. Deselect the Choose automatically option.

  6. Type your offline server's address to the Custom server field. Make sure to enter the whole address with the folder structure, according to the product you are setting up. The example image below shows the ESET Endpoint 7.x folder address.


    Figure 4-1
Use the correct path for each product

For the Custom server settings, always enter the full path according to the product you are setting up. For example: http://update.server.local/mirror-final/eset_upd/ep8

The last folder in the path should be one of the following:

Folder Name Updated products
ep6 ESET Endpoint 6.x
ep7 ESET Endpoint 7.x
ep8 ESET Endpoint 8.x
ep9  ESET Endpoint 9.x
era6
  • ERA 6.x
  • ESMC 7.x
  • ESET PROTECT

Other products

If necessary, create policies for any ESET product similar to the examples shown above.

Enable access to the web server machine

Make sure all client machines can access the offline repository machine on port 8080.