[KB7916] Advanced scenarios for Apache HTTP Proxy with ESET PROTECT On-Prem

Issue

Apache HTTP Proxy users

ESET Bridge replaces Apache HTTP Proxy in ESET PROTECT On-Prem version 10. All ESET product versions compatible with Apache HTTP Proxy are in Limited Support status. If you currently use Apache HTTP Proxy, we recommend that you migrate to ESET Bridge.

Details

We recommend that you use Apache HTTP Proxy distributed by ESET. It has the correct configuration necessary for:

  • Forwarding ESET Management Agents' replication (communication with ESET PROTECT Server)
  • Caching ESET detection engine updates and installer files
  • Caching ESET LiveGuard Advanced analysis results

If you use your custom Apache HTTP Proxy installation, make sure you have configured it properly. The proper configuration can be found in the file httpd.conf contained in the Apache installer distributed by ESET.


Solution

About HTTP Proxy

In ESET PROTECT On-Prem, the former ERA Proxy component is no longer used. Instead, Apache HTTP Proxy forwards the information from Agents checking in to ESET PROTECT On-Prem. You can also use other proxy solutions that comply with the requirements. Unlike the former ERA Proxy component, Apache HTTP Proxy only forwards the communication from the Agents; it does not cache or open the communication (replication).

The Apache HTTP Proxy distributed by ESET is pre-configured by default for both replication and caching of ESET product downloads and updates; however, some configuration is still needed (see step 6 in the documentation). See the diagram of a single proxy solution for a branch office in Fig. 1-1.

Figure 1-1

Use different proxy solutions for caching and replication

Users in some environments may need to use separate proxy solutions for caching and replication. In the example below one branch office is using a separate proxy for caching and another for replication to the ESET PROTECT Server in the main office.

Figure 2-1

Configure an Agent to use different proxies

The proxy settings are located in the Agent policy. To configure them, create a new Agent policy or modify an existing one. You can also create multiple Agent policies with different proxy setups and assign them to computers using dynamic groups. When a client machine is moved to a different dynamic group, it will automatically use the appropriate proxy setup.

To set up different proxies:

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Click Policies > New Policy.

Figure 3-1

  3. In the Basic section, type a Name and Description.

Figure 3-2

  4. Click Settings and select ESET Management Agent from the drop-down menu.

Figure 3-3

  5. Expand Advanced Settings. In the HTTP Proxy section, change the Proxy Configuration Type to Different Proxy Per Service.

Figure 3-4

  6. Click Edit next to Replication (to ESET Management Server). Click the toggle next to Use proxy server to enable it and type the Host value. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Do not type a Username or Password. Click Save.

Figure 3-5

  7. Click Edit next to ESET Services (updates, packages, telemetry...). Click Use proxy server and type the Host value. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Click Save.

Figure 3-6

  8. Click Assign. Select a group or multiple machines that will use the new proxy setting.

Figure 3-7

  9. Click Finish to apply the policy.

Figure 3-8

Set up Apache HTTP Proxy for higher security

Apache HTTP Proxy can be hardened in the following ways:

  • Block all incoming connections except those to ESET PROTECT On-Prem and ESET-related hostnames.
  • Change the Apache service user to a less privileged user.
  • Block all other ports except those required by ESET PROTECT On-Prem (view the diagram).
    • Set up a separate proxy solution purely for forwarding the Agent to Server communication. In the ESET Management Agent policy, click Advanced Settings > HTTP Proxy > Proxy Configuration Type, select Different Proxy Per Service and set up the Replication (to ESET Management Server) option. When the separate proxy solution is working:

      • Remove ports 443 and 563 from the AllowCONNECT values in the proxy settings (httpd.conf).
      • Remove the whitelisted addresses (ProxyMatch segments) from the proxy settings (httpd.conf), except the one for your ESET PROTECT Server machine.
  • Use a different proxy solution (not Apache) if it complies with the proxy requirements. ESET does not provide support for other proxy solutions.


Set up a proxy chain

  • ESET PROTECT On-Prem does not support proxy chaining when the proxy requires authentication. To enable proxy chaining, add the following to the proxy configuration (httpd.conf):

ProxyRemote * http://IP_ADDRESS:3128

  • When using proxy chaining on the ESET PROTECT Virtual Appliance (VA), the SELinux policy must be modified. Open the terminal on the ESET PROTECT VA and run the following command:

/usr/sbin/setsebool -P httpd_can_network_connect 1

  • When using proxy chaining, the firewall must allow communication on the ports in this diagram. Note that proxies communicate with each other at port 3128, but the last HTTP Proxy machine communicates with the ESET PROTECT Server at port 2222. The port numbers mentioned in the documentation are the defaults.
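The following httpd.conf fragment is an added example, not the file shipped in ESET's installer. It shows the two changes from the "higher security" section (AllowCONNECT reduced to the Server port, ProxyMatch whitelist narrowed to the ESET PROTECT Server) together with the ProxyRemote chaining directive from this section. The hostname protect-server.example.local, the upstream address 10.0.0.2, the service account name and the exact ProxyMatch regex are assumptions; compare them with the directives in the httpd.conf distributed by ESET before applying.

```apache
# Added example: Apache HTTP Proxy used ONLY for Agent -> Server replication.
# Hostnames, addresses and account names below are placeholders (assumptions).

# BEFORE (combined caching + replication proxy): CONNECT tunnels were allowed
# to several ports, e.g.
#   AllowCONNECT 443 563 2222

# AFTER: a replication-only proxy needs CONNECT only to the ESET PROTECT
# Server port (2222 by default); 443 and 563 are removed.
AllowCONNECT 2222

# Default-deny for every proxied request (Apache 2.4 authorization syntax;
# older files use "Deny from all" / "Allow from all" instead).
<Proxy "*">
    Require all denied
</Proxy>

# Re-allow only the ESET PROTECT Server machine. For CONNECT requests the
# matched string has the form host:port (assumption about ESET's file: it may
# use a different regex style). Every other ProxyMatch whitelist entry, such as
# the ones for ESET update and package servers, is removed from this file.
<ProxyMatch "^protect-server\.example\.local(:2222)?$">
    Require all granted
</ProxyMatch>

# Proxy chain: forward all requests to the next proxy hop on its default port
# 3128 (not supported when the upstream proxy requires authentication).
# The last proxy in the chain reaches the ESET PROTECT Server on port 2222.
ProxyRemote * http://10.0.0.2:3128

# Less privileged service account (Linux/Unix builds; on Windows change the
# account in the Apache service's Log On properties instead).
User apache-proxy
Group apache-proxy
```

After editing, validate the syntax (for example with `httpd -t` or `apachectl configtest`) and confirm from the proxy's access log that only CONNECT requests to the Server host and port are accepted.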

Apache HTTP Proxy in an environment with DMZ

In a more complex infrastructure, with a subnet that separates an internal LAN from untrusted networks (DMZ), it is recommended to deploy the ESET PROTECT Server out of the DMZ. Figure 2-1 illustrates one deployment scenario. When setting up an environment such as this, we recommend adhering to the following guidelines:

  • Use hostnames instead of IP addresses in ESET PROTECT On-Prem component settings.
  • If client machines can leave the intranet (roaming clients): Use dynamic groups and policies to ensure roaming clients use the server hostname resolvable from the internet only when they are outside of the intranet. Clients that cannot leave the intranet should use a hostname that is resolvable only inside the intranet, to be sure their connection is not routed via the internet.
  • Apache HTTP Proxy (when used for replication) does not aggregate connections from Agents and does not save bandwidth. Use Apache HTTP Proxy for replication only if necessary.
  • Using Apache HTTP Proxy for caching updates and installers is recommended. Roaming Agents should not use a caching proxy when outside of the intranet. This can be achieved by using a hostname for the caching proxy that is not resolvable outside of the intranet and allowing a direct connection.
  • Firewall: Open only necessary ports (see the list of used ports) for selected hostnames.
  • Set up Apache HTTP Proxy for higher security.
Figure 4-1