[KB7916] Advanced scenarios for Apache HTTP Proxy with ESET PROTECT (8.x – 9.x)

Issue

Details


Click to expand


We recommend that you use Apache HTTP Proxy distributed by ESET. It has the correct configuration necessary for:

  • Forwarding ESET Management Agents' replication (communication with ESET PROTECT server)
  • Caching ESET detection engine updates and installer files  
  • Caching ESET LiveGuard Advanced analysis results

If you use your custom Apache HTTP Proxy installation, make sure you have configured it properly. The proper configuration can be found in the file httpd.conf contained in the Apache installer distributed by ESET.


Solution

About HTTP Proxy

In ESET PROTECT, the former ERA Proxy component is no longer being used. Instead, Apache HTTP Proxy forwards the information from Agents checking in to ESET PROTECT. Users can also use other proxy solutions that comply with requirements. Unlike the former ERA Proxy component, Apache HTTP Proxy only forwards communication from the Agents; it does not cache or open the communication (replication).

The Apache HTTP Proxy distributed by ESET is by default pre-configured for both replication and caching ESET product downloads and updates, however, some configuration is still needed (see step 6 in the documentation). See the scheme of a single proxy solution for a branch office in Fig. 1-1.

Figure 1-1

Use different proxy solutions for caching and replication

Users in some environments may need to use separate proxy solutions for caching and replication. In the example below one branch office is using a separate proxy for caching and another for replication to the ESET PROTECT Server in the main office.

Figure 2-1

Configure an Agent to use different proxies

The proxy settings are located in the Agent policy. To configure them, create a new Agent policy or modify an existing one. You can also create multiple Agent policies with different proxy setups and assign them to computers using dynamic groups. When a client machine is moved to a different dynamic group, it will automatically use the appropriate proxy setup.

To set up a different proxies follow these steps:

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Click PoliciesNew Policy.

Figure 3-1
  1. In the Basic section, type a Name and Description.
Figure 3-2
  1. Click Settings and select ESET Management Agent from the drop-down menu.
Figure 3-3
  1. Expand Advanced Settings. In the HTTP Proxy section, change the Proxy Configuration Type to Different Proxy Per Service.
Figure 3-4
  1. Click Edit next to Replication (to ESET Management Server). Click the slider bar next to Use proxy server and type the Host value. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Do not type a Username or Password. Click Save.
Figure 3-5
  1. Click Edit next to ESET Services (updates, packages, telemetry...). Click Use proxy server and type the Host value. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Click Save.
Figure 3-6
  1. Click Assign Assign. Select a group or multiple machines that will use the new proxy setting.
Figure 3-7
  1. Click Finish to apply the policy.
Figure 3-8

Set up Apache HTTP Proxy for higher security

Apache HTTP Proxy security can be hardened to block all incoming connections except:

  • ESET PROTECT and ESET related hostnames.
  • Change Apache service user to a less privileged user.
  • Block all other ports except those required by ESERT PROTECT (view the diagram).
    • You can set up a separate proxy solution purely for forwarding the Agent - Server communication. In the ESET Management Agent policy click Advanced Settings > HTTP Proxy > Proxy Configuration type, select Different Proxy Per Service and set up the Replication (to ESET management Server) option. When the separate proxy solution is working:

      • you can remove the ports 443 and 563 from the AllowCONNECT values in the proxy settings (httpd.conf).
      • you can remove whitelisted addresses, ProxyMatch segments, from the proxy settings (httpd.conf), except your ESET PROTECT Server machine.
  • Use a different proxy solution (not Apache) if it complies with the proxy requirements. ESET does not provide support for other proxy solutions.


Set up a proxy chain

  • ESET PROTECT does not support proxy chaining when the proxy requires authentication. To enable proxy chaining, add the following to the proxy configuration (httpd.conf):

ProxyRemote * http://IP_ADDRESS:3128

  • When using proxy chaining on the ESET PROTECT Virtual Appliance, the SELinux policy must be modified. Open the terminal on the ESET PROTECT VA and run the following command:

/usr/sbin/setsebool -P httpd_can_network_connect 1

  • When using proxy chaining, the firewall must allow communication on the ports in this diagram. Note that proxies communicate with each other at port 3128, but the last HTTP Proxy machine communicates with the ESET PROTECT Server at port 2222. The port numbers mentioned in the documentation are the defaults.

Apache HTTP Proxy in an environment with DMZ

In a more complex infrastructure, with a subnet that separates an internal LAN from untrusted networks (DMZ), it is recommended to deploy the ESET PROTECT server out of the DMZ. Figure 2-1 illustrates one deployment scenario. When setting up an environment such as this, we recommend adhering to the following guidelines:

  • Use hostnames instead of IP addresses in ESET PROTECT component settings.
  • If client machines can leave the intranet (roaming clients): use dynamic groups and policies to make sure roaming clients use the server hostname resolvable from the internet only when they are outside of intranet. Clients that can not leave Intranet should use a hostname that is resolvable only inside the Intranet, to be sure their connection is not routed via the internet.
  • Apache HTTP Proxy (when used for replication) does not aggregate connections from Agents and does not save bandwidth. Use Apache HTTP Proxy for replication only if necessary.
  • Using Apache HTTP Proxy for caching updates and installers is recommended. Roaming agents should not use caching proxy when outside of Intranet. This can be achieved by using a hostname for caching proxy which is not resolvable outside of Intranet and allowing a direct connection.
  • Firewall: open only necessary ports (see the list of used ports) for selected hostnames.
  • Set up Apache HTTP Proxy for higher security.
Figure 4-1

Transition from ERA Proxy to Apache HTTP Proxy (and ESET PROTECT) in an environment with DMZ

An ERA 6.x environment with DMZ and ERA proxy can be migrated to ESET PROTECT while substituting ERA Proxy for Apache HTTP Proxy or another proxy solution complying with HTTP Proxy requirements. Do not disable the old ERA Proxy component before a working alternative is set up and running.