[KB7907] Install ESET PROTECT On-Prem on Debian Linux

Issue

  • You are using supported Debian Linux versions 11, 12 or 13, and you need to install ESET PROTECT On-Prem

Details


This article describes the installation process for Debian 12 and 13 using the official download links or the all-in-one installation image. If you already have some software installed, the installation process might differ.


Solution

  1. Prerequisites
  2. Install the MySQL database
  3. Install the ODBC connector
  4. Install the required tools
  5. Install the server component of ESET PROTECT On-Prem
  6. Install the Web Console
  7. Install the ESET Management Agent

I. Prerequisites

  1. Verify your internet connection. If you have a problem with your connection, use the following command to list the available network devices.

    nmcli d
  2. To connect to the network, run the nmtui command.

  3. Install the Linux tools nano and wget.

    sudo apt update
    sudo apt install nano wget

II. Install the MySQL database

  1. Download the MySQL repository file.

    wget https://dev.mysql.com/get/mysql-apt-config_0.8.36-1_all.deb
  2. Preconfigure the MySQL server.

    sudo dpkg -i ./mysql-apt-config_0.8.36-1_all.deb
  3. Install the MySQL prerequisites.

    sudo apt install gnupg lsb-release
  4. Install the MySQL server.

    sudo apt update
    sudo apt install mysql-server
  5. During the installation process, type in the database root user password and save it for the installation script in part V.

  6. After the server is installed, open the MySQL configuration file.

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
  7. Add the following lines to the [mysqld] section:

    max_allowed_packet=33M
    log_bin_trust_function_creators=1
    innodb_log_file_size=150M
    innodb_log_files_in_group=2
  8. Save the changes. Press CTRL + X and press Y to confirm.

  9. Restart the MySQL service.

    sudo systemctl restart mysql
  10. Verify that the MySQL service is running.

    sudo systemctl status mysql

III. Install the ODBC connector

  1. Install unixODBC drivers.

    sudo apt install unixodbc
  2. Download the MySQL ODBC connector package.

    wget https://cdn.mysql.com/archives/mysql-connector-odbc-9.3/mysql-connector-odbc_9.3.0-1debian12_amd64.deb
  3. Install the MySQL ODBC connector package.

    sudo dpkg -i mysql-connector-odbc_9.3.0-1debian12_amd64.deb
  4. Check if the ODBC driver is installed.

    sudo myodbc-installer -d -l

Note: ODBC connector error during the ESET PROTECT On-Prem installation

Ensure that the drivers located in /usr/lib/x86_64-linux-gnu/odbc/ are properly registered in the file /etc/odbcinst.ini.

Use the full name of the driver in the square brackets. If the driver is not registered correctly, correct the driver location in the .ini file and restart the system.
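
One way to script the registration check from the note above, as an added example that is not part of the original article: it looks up a driver by its full bracketed name in an odbcinst.ini file and confirms that the registered library exists. The function names, the sample file contents and the library file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm an ODBC driver is registered under its full bracketed
# name and that the registered library file exists. Sample data is constructed.

# odbc_driver_path INI NAME -> prints the Driver= value of section [NAME];
# returns 1 when the section or its Driver key is absent.
odbc_driver_path() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ {                        # section header line
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            in_sec = ($0 == want); next
        }
        in_sec && /^[ \t]*Driver[ \t]*=/ {   # Driver key in the wanted section
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_odbc_driver INI NAME -> 0 registered and present, 1 not registered,
# 2 registered but the library file is missing.
check_odbc_driver() {
    lib=$(odbc_driver_path "$1" "$2") || { echo "not registered: [$2]" >&2; return 1; }
    [ -f "$lib" ] || { echo "library missing: $lib" >&2; return 2; }
    echo "ok: [$2] -> $lib"
}

# make_sample DIR -> constructed odbcinst.ini; only the Unicode library exists.
make_sample() {
    : > "$1/libmyodbc9w.so"
    cat > "$1/odbcinst.ini" <<EOF
[MySQL ODBC 9.3 Unicode Driver]
Driver = $1/libmyodbc9w.so
UsageCount = 1

[MySQL ODBC 9.3 ANSI Driver]
Driver = $1/libmyodbc9a.so
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
check_odbc_driver "$demo/odbcinst.ini" "MySQL ODBC 9.3 Unicode Driver"
check_odbc_driver "$demo/odbcinst.ini" "MySQL ODBC 9.3 Unicode" || echo "rc=$?"
check_odbc_driver "$demo/odbcinst.ini" "MySQL ODBC 9.3 ANSI Driver" || echo "rc=$?"
rm -rf "$demo"
```

On a real system, pass /etc/odbcinst.ini and the driver name exactly as it appears between the square brackets.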


IV. Install the required tools

Update your OpenSSL and install Xvfb, Cifs-utils, Kerberos, LDAP Search, and SNMP.

    sudo apt install openssl xvfb cifs-utils krb5-user ldap-utils snmp

V. Install the Server component of ESET PROTECT On-Prem

  1. Download the ESET PROTECT Server installer.

    wget https://download.eset.com/com/eset/apps/business/era/server/linux/latest/server_linux_x86_64.sh
  2. Configure the server installation file as an executable.

    sudo chmod +x ./server_linux_x86_64.sh
  3. Create your custom installer script.

    touch server_installer.sh
  4. Open the temporary script and insert the following code, replacing the uppercase parts with your custom config variables.

    sudo ./server_linux_x86_64.sh \
    --skip-license \
    --db-type="MySQL Server" \
    --db-driver="MySQL ODBC 9.3" \
    --db-hostname=HOSTNAME \
    --db-port=3306 \
    --db-admin-username=root \
    --db-admin-password=MYSQL_ROOT_PASSWORD_FROM_PART_II \
    --server-root-password=LINUX_ROOT_PASSWORD \
    --db-user-username=DB_USER_USERNAME \
    --db-user-password=DB_USER_PASSWORD \
    --cert-hostname="hostname, IP, FQDN"
  5. Update the hostname and IP address in the file to fit your installation. Use the IP address that agent machines will use to reach the Server machine. Make sure to set a complex db-user-password. A weak password will cause the installation to fail.

  6. Run the installer script.

    sudo sh server_installer.sh
  7. Example of successful installer script output:

    ESET PROTECT On-Prem Server Installer (version: 13.0.442.0), Copyright © 1992-2025 ESET, spol. s r.o. - All rights reserved.
    
    Extracting archive, please wait...
    Archive extracted to /tmp/tmp.A2IasvMAU4.
    Checking OpenSSL ... done [OpenSSL 3.5.4 30 Sep 2025]
    Reading previous installation settings ... failure
    Checking installed version... done
    Status of current installation is: NEW
    Checking database connection ... done
    Loading GUID ... done [GUID = 8b5f9810-9169-4993-b63d-5b1d3df324df]
    Checking root password ... done
    Inserting root password ... done
    Generating certificates ... done
    Skipping static groups synchronization scheduling.
    Stopping service... Done.
    Creating database ... done
    Storing ports into configuration ... done
    Storing server peer certificate to configuration ... done
    Moving scripts from '/tmp/tmp.A2IasvMAU4/setup/Scripts' to /var/opt/eset/RemoteAdministrator/Server/Scripts/... done
    Moving ESET Modules from '/tmp/tmp.A2IasvMAU4/setup/Modules' to /var/opt/eset/RemoteAdministrator/Server/Modules/... done
    Creating 'config' directory path: /etc/opt/eset/RemoteAdministrator/Server
    Creating 'libs' directory path: /opt/eset/RemoteAdministrator/Server
    Creating 'data' directory path: /var/opt/eset/RemoteAdministrator/Server
    Creating 'Pki Cache' directory path: /var/opt/eset/RemoteAdministrator/Server/pki.eset.com/
    Creating 'logs' directory path: /var/log/eset/RemoteAdministrator/Server
    Moving ReportTemplates from '/tmp/tmp.A2IasvMAU4/setup/ReportTemplates' to /var/opt/eset/RemoteAdministrator/Server/ReportTemplates/... done
    Moving LangData.dat to /var/opt/eset/RemoteAdministrator/Server/Localization/LangData.dat... done
    Extracting ReportPrinter files... done
    Creating startup configuration file /etc/opt/eset/RemoteAdministrator/Server/StartupConfiguration.ini ... done
    Creating config file /etc/opt/eset/RemoteAdministrator/Server/config.cfg ... done
    Backing up contents of /opt/eset/RemoteAdministrator/Server
    Copying files to target destination: /opt/eset/RemoteAdministrator/Server
    Copying installer to target destination: /opt/eset/RemoteAdministrator/Server/setup/installer_backup.sh
    File ownership set to: root:root
    Setting auto-start service...
    Generating Xauthority token... done
    Skipping SELinux policy installation.
    Created symlink '/etc/systemd/system/multi-user.target.wants/eraserver.service' → '/etc/systemd/system/eraserver.service'.
    Removed backup directory: /opt/eset/RemoteAdministrator/.Server-712302407
    Product installed.
  8. Verify that the ESET PROTECT Server service is running.

    sudo systemctl status eraserver
  9. Example output of running ESET PROTECT Server:

    ● eraserver.service - ESET PROTECT Server
         Loaded: loaded (/etc/systemd/system/eraserver.service; enabled; preset: enabled)
         Active: active (running) since Wed 2026-01-28 11:26:01 CET; 34s ago
     Invocation: 511c310f22f94b4c8c09509f8af66c65
        Process: 202 ExecStart=/opt/eset/RemoteAdministrator/Server/ERAServer --daemon --pidfile /var/run/eraserver.pid (co>
       Main PID: 252 (ERAServer)
          Tasks: 63 (limit: 18979)
         Memory: 510.4M (peak: 511.5M)
            CPU: 7.121s
         CGroup: /system.slice/eraserver.service
                 └─252 /opt/eset/RemoteAdministrator/Server/ERAServer --daemon --pidfile /var/run/eraserver.pid
    
    Jan 28 11:26:01 hostname systemd[1]: Starting eraserver.service - ESET PROTECT Server...
    Jan 28 11:26:01 hostname systemd[1]: Started eraserver.service - ESET PROTECT Server.

VI. Install the Web Console

  1. Install JDK.

    sudo apt install default-jdk
  2. Verify the installed version of JDK.

    java -version
  3. Download Tomcat 9 (Tomcat 10 is not supported; version 9 is not available in Debian repositories).

    wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.115/bin/apache-tomcat-9.0.115.tar.gz
  4. Create the Tomcat directory and extract the binaries.

    sudo mkdir -p /opt/tomcat
    sudo tar xzf apache-tomcat-9.0.115.tar.gz -C /opt/tomcat --strip-components=1
  5. Add the tomcat group and user.

    sudo groupadd tomcat
    sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat
  6. Set the tomcat user as owner of the Tomcat directory and adjust permissions.

    sudo chown -R tomcat:tomcat /opt/tomcat
    sudo chmod -R 755 /opt/tomcat
  7. Create a Tomcat service.

    sudo nano /etc/systemd/system/tomcat.service
  8. Insert the following code into the tomcat.service file.

    [Unit]
    Description=Apache Tomcat 9
    After=network.target
    
    [Service]
    Type=forking
    
    User=tomcat
    Group=tomcat
    Environment="JAVA_HOME=/usr/lib/jvm/default-java"
    Environment="CATALINA_HOME=/opt/tomcat"
    Environment="CATALINA_BASE=/opt/tomcat"
    Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
    
    ExecStart=/opt/tomcat/bin/startup.sh
    ExecStop=/opt/tomcat/bin/shutdown.sh
    
    [Install]
    WantedBy=multi-user.target
  9. Save the changes. Press CTRL + X and press Y to confirm.

  10. Enable the Tomcat service.

    sudo systemctl daemon-reload
    sudo systemctl enable --now tomcat
  11. Verify that Tomcat is running (or open http://hostname:8080/).

    sudo systemctl status tomcat
  12. Download the Web Console war file.

    wget https://download.eset.com/com/eset/apps/business/era/webconsole/latest/era_x64.war
  13. Copy the Web Console file into the Tomcat folder.

    sudo cp era_x64.war /opt/tomcat/webapps/era.war
  14. Restart the Tomcat service to deploy the war file.

    sudo systemctl restart tomcat
  15. Verify the era folder is present in the Tomcat folder.

    ls /opt/tomcat/webapps
  16. You can now connect the Web Console to other machines. For example, try the following link using the hostname from the installer files: http://localhost:8080/era.

Continue to the next section if you can open the ESET PROTECT Web Console and log in with administrator credentials. The password was set in the installer script as db-user-username.

The connection to the Web Console is now available only via HTTP. You can set up a new HTTPS connection.


VII. Install the ESET Management Agent

  1. Download the Agent installer.

    wget https://download.eset.com/com/eset/apps/business/era/agent/latest/agent_linux_x86_64.sh
  2. Set the installer as executable.

    chmod +x agent_linux_x86_64.sh
  3. Create a temporary agent_installer.sh script.

    touch agent_installer.sh
  4. Insert the following parameters into the script. Make sure to include the full path to the .pfx certificate and the .der certification authority files exported from the ESET PROTECT Web Console, as well as the certificate password if there is one. Edit all parts in uppercase to match your configuration.

    sudo ./agent_linux_x86_64.sh \
    --skip-license \
    --cert-path=/HOME/ADMIN/AGENT.PFX \
    --cert-auth-path=/HOME/ADMIN/CA.DER \
    --cert-password=AGENT_PEER_CERTIFICATE_PASSWORD \
    --hostname=hostname \
    --port=2222
  5. Run the agent installer script.

    sudo sh ./agent_installer.sh
  6. Example output of successful agent installation.

    ESET Management Agent Installer (version: 12.5.2104.0), Copyright © 1992-2025 ESET, spol. s r.o. - All rights reserved.
    
    Creating directories...
    Creating 'config' directory path: /etc/opt/eset/RemoteAdministrator/Agent
    Creating 'data' directory path: /var/opt/eset/RemoteAdministrator/Agent
    Creating 'Pki Cache' directory path: /var/opt/eset/RemoteAdministrator/Agent/pki.eset.com/
    Creating 'logs' directory path: /var/log/eset/RemoteAdministrator/Agent
    Creating 'libs' directory path: /opt/eset/RemoteAdministrator/Agent
    Directories created
    The archive will be extracted to: /opt/eset/RemoteAdministrator/AgentInstallerData
    Extracting, please wait...
    Checking OpenSSL ... done [OpenSSL 3.5.4 30 Sep 2025]
    Checking installed version ...
    Status of current installation is: NEW
    The unpacked installer data will be moved to: /opt/eset/RemoteAdministrator/Agent
    New connection settings are 'hostname': 'localhost', 'port': 2222
    Checking server connection...
    Connection checked successfully.
    Loading correct GUID...
    Loading of GUID was successful (new GUID = 359950cd-4133-4ef1-b4ca-300c319d2ebc)
    Checking peer certificate ... done
    Creating config file: /etc/opt/eset/RemoteAdministrator/Agent/config.cfg ...
    Creating 'modules' directory path: /var/opt/eset/RemoteAdministrator/Agent/Modules/
    Moving ESET Modules from '/opt/eset/RemoteAdministrator/Agent/setup/Modules' to /var/opt/eset/RemoteAdministrator/Agent/Modules/...
    Reading database status...
    Database read successfully.
    Database status is 'DB_MISSING'
    Database status is 'DB_MISSING'. Database does not exists - it will be created
    Inserting certificate authority into database...
    Certificate authority inserted successfully.
    Creating database.
    Database created.
    Setting connection into config...
    Connection set successfully.
    Resetting replication interval...
    Replication interval reset was successful.
    Setting peer certificate into config...
    Peer certificate set successfully.
    Copying installer to target destination: /opt/eset/RemoteAdministrator/Agent/setup/installer_backup.sh
    Skipping needrestart exclusion installation.
    File ownership set to: root:root
    Setting auto-start service...
    Created symlink '/etc/systemd/system/multi-user.target.wants/eraagent.service' → '/etc/systemd/system/eraagent.service'.
    Skipping SELinux policy installation.
    Service started.
    Product installed.
  7. Verify that the ESET Management Agent service is running.

    sudo systemctl status eraagent
  8. Example output of running ESET PROTECT agent.

    ● eraagent.service - ESET Management Agent
         Loaded: loaded (/etc/systemd/system/eraagent.service; enabled; preset: enabled)
         Active: active (running) since Thu 2026-01-29 16:22:12 CET; 4min 11s ago
     Invocation: fcb3d2461b1e46159e972b7175c07a0c
        Process: 71383 ExecStart=/opt/eset/RemoteAdministrator/Agent/ERAAgent --daemon --pidfile /run/>
       Main PID: 71384 (ERAAgent)
          Tasks: 22 (limit: 18979)
         Memory: 71.2M (peak: 82.9M)
            CPU: 1.284s
         CGroup: /system.slice/eraagent.service
                 └─71384 /opt/eset/RemoteAdministrator/Agent/ERAAgent --daemon --pidfile /run/eraagent>
    
    Jan 29 16:22:12 hostname systemd[1]: Starting eraagent.service - ESET Management Agent...
    Jan 29 16:22:12 hostname systemd[1]: Started eraagent.service - ESET Management Agent.
  9. Open the ESET PROTECT Web Console and log in as administrator. The Agent is installed successfully if your server machine appears in the Computers section.
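
The installer scripts created in parts V and VII hold the database, server and certificate passwords in plain text, and a file created with touch takes its mode from the current umask. The following added example (not part of the original article) creates such a script with owner-only permissions and flags one that group or other users can read; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: keep the temporary installer scripts readable by their owner only.

# secret_flags FILE -> names (never values) of the password flags found in FILE.
secret_flags() {
    grep -oE -- '--(db-admin|server-root|db-user|cert)-password=' "$1" |
        sed 's/=$//' | sort -u
}

# script_exposed FILE -> 0 when FILE holds password flags and grants any
# permission to group or others; 1 otherwise.
script_exposed() {
    [ -n "$(secret_flags "$1")" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# new_private_script FILE -> empty FILE with mode 0600 whatever the umask is;
# use it in place of touch and run the result with "sudo sh FILE".
new_private_script() {
    ( umask 077 && : > "$1" ) && chmod 600 "$1"
}

demo=$(mktemp -d)
# Constructed sample: a script created the default way (umask 022 -> 0644).
( umask 022
  printf '%s\n' 'sudo ./server_linux_x86_64.sh \' \
      '--db-admin-password=PLACEHOLDER \' \
      '--db-user-password=PLACEHOLDER' > "$demo/touched.sh" )
new_private_script "$demo/private.sh"
cat "$demo/touched.sh" > "$demo/private.sh"
for f in "$demo/touched.sh" "$demo/private.sh"; do
    if script_exposed "$f"; then
        echo "EXPOSED ${f##*/}: $(secret_flags "$f" | tr '\n' ' ')"
    else
        echo "private ${f##*/}"
    fi
done
rm -rf "$demo"
```

Delete server_installer.sh and agent_installer.sh once the installers report "Product installed."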