We recommend that you use Apache HTTP Proxy distributed by ESET. It has the correct configuration necessary for:
If you use your custom Apache HTTP Proxy installation, make sure you have configured it properly. The proper configuration can be found in the file httpd.conf
contained in the Apache installer distributed by ESET.
In ESET PROTECT, the former ERA Proxy component is no longer being used. Instead, Apache HTTP Proxy forwards the information from Agents checking in to ESET PROTECT. Users can also use other proxy solutions that comply with requirements. Unlike the former ERA Proxy component, Apache HTTP Proxy only forwards communication from the Agents; it does not cache or open the communication (replication).
The Apache HTTP Proxy distributed by ESET is by default pre-configured for both replication and caching ESET product downloads and updates, however, some configuration is still needed (see step 6 in the documentation). Note that it is possible to upgrade from ESET Remote Administrator 6.x to ESET PROTECT 8.1 only. See the scheme of a single proxy solution for a branch office in Fig. 1-1.
Users in some environments may need to use separate proxy solutions for caching and replication. In the example below one branch office is using a separate proxy for caching and another for replication to the ESET PROTECT Server in the main office.
Apache HTTP Proxy security can be hardened to block all incoming connections except:
You can set up a separate proxy solution purely for forwarding the Agent - Server communication. In the ESET Management Agent policy click Advanced Settings > HTTP Proxy > Proxy Configuration type, select Different Proxy Per Service and set up the Replication (to ESET management Server) option. When the separate proxy solution is working:
443
and 563
from the AllowCONNECT
values in the proxy settings (httpd.conf).ProxyMatch
segments, from the proxy settings (httpd.conf), except your ESET PROTECT Server machine.Use a different proxy solution (not Apache) if it complies with the proxy requirements. ESET does not provide support for other proxy solutions.
httpd.conf
):ProxyRemote * http://IP_ADDRESS:3128
/usr/sbin/setsebool -P httpd_can_network_connect 1
In a more complex infrastructure, with a subnet that separates an internal LAN from untrusted networks (DMZ), it is recommended to deploy the ESET PROTECT server out of the DMZ. Figure 2-1 illustrates one deployment scenario. When setting up an environment such as this, we recommend adhering to the following guidelines:
An ERA 6.x environment with DMZ and ERA proxy can be migrated to ESET PROTECT while substituting ERA Proxy for Apache HTTP Proxy or another proxy solution complying with HTTP Proxy requirements. Do not disable the old ERA Proxy component before a working alternative is set up and running.