[KB7930] Enable and apply Advanced security on your network using ESET PROTECT On-Prem

Issue

Details


Click to expand

  • ESET PROTECT Server installation has Advanced Security enabled by default
  • Newly created certificates and certification authorities use SHA-256 (instead of SHA-1)
  • ESET PROTECT Server uses the latest TLS (TLS 1.2) for communication with Agents
  • Advanced Security enforces using TLS 1.2 for Syslog and SMTP communication

Solution

Minimum compatibility requirements for Advanced security

  • Before enabling Advanced security, ensure all your client computers can communicate via TLS 1.2
  • Supported operating systems: Windows, Linux or macOS
  • To enable the Advanced security feature, you must restart the ESET PROTECT Server service twice

Advanced security does not influence the existing Certificate Authorities (CAs) and certificates, only the new CAs and certificates created after Advanced security is enabled. To apply Advanced security in your existing ESET PROTECT On-Prem infrastructure, replace the existing certificates.


Enable Advanced security in ESET PROTECT On-Prem

Resolve Peer Certificate notification

Users may receive the Peer Certificate notification if all of the following is true:

  • ESET Management Agent was originally installed with version 8.0 or earlier and was updated to ESET Management Agent version 8.1 or later
  • Agents were moved to SHA-2 certificates
  1. Click More → Settings. Click the toggle next to Advanced security (requires restart!) to enable it. Click Save.

    Figure 1-1
  2. Close the ESET PROTECT Web Console and restart the ESET PROTECT Server service.

  3. Wait a few minutes after the service has started, and log in to the ESET PROTECT Web Console.

  4. Verify that all computers are still connecting and that no other problems have occurred.

  5. Create a new Certification Authority (CA). The public part of the CA is automatically sent to all client computers during the next Agent-to-Server connection.

  6. Create new peer certificates signed with the new CA. Create a peer certificate for Agent and one for Server (select the applicable value in the Product drop-down menu in step 3 of the linked process).

  7. Apply the new Agent certificate and assign the policy to the computers where you want to use the Advanced security.

    Minimize the risk of orphaning client computers

    To minimize the risk of orphaning client computers, apply the changes to a test computer before applying them to all target computers.

  8. After all devices connect with the new certificate, replace the current Server certificate with the new Server certificate. In the ESET PROTECT Web Console, click MoreSettings Change Certificate.

    Figure 1-2
  9. Click Open certificate list.

    Figure 1-3
  10. Choose the new Server certificate and click OK.

    Figure 1-4
  11. Click Save. Restart the ESET PROTECT Server.