[KB7930] Enable and apply Advanced security on your network using ESET PROTECT On-Prem

Issue

Details


Click to expand

  • ESET PROTECT Server installation has Advanced Security enabled by default
  • Newly created certificates and certification authorities use SHA-256 (instead of SHA-1)
  • ESET PROTECT Server uses the latest TLS (TLS 1.2) for communication with Agents
  • Advanced Security enforces using TLS 1.2 for Syslog and SMTP communication

Solution

Minimum compatibility requirements for Advanced security:

  • Before enabling Advanced security, ensure all your client computers can communicate via TLS 1.2
  • Supported operating systems: Windows, Linux, or macOS
  • To enable the Advanced security feature, you must restart the ESET PROTECT Server service twice

Advanced security does not influence the existing Certificate Authorities (CAs) and certificates, only the new CAs and certificates created after Advanced security is enabled. To apply Advanced security in your existing ESET PROTECT On-Prem infrastructure, replace the existing certificates.


Enable Advanced security in ESET PROTECT On-Prem

Resolve Peer Certificate notification

Users may receive the Peer Certificate notification if all of the following is true:

  • ESET Management Agent was originally installed with version 8.0 or earlier and was updated to ESET Management Agent version 8.1 or later
  • Agents were moved to SHA-2 certificates

To resolve the notification follow the steps below to enable Advanced security in ESET PROTECT On-Prem.

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Click More → Server Settings and then click the toggle next to Advanced security (requires restart!) to enable it. 

  3. Click Save to apply your changes.

    Figure 1-1
  4. Close the ESET PROTECT Web Console and restart the ESET PROTECT Server service.

  5. Wait a few minutes after the service has started, and log in to the ESET PROTECT Web Console.

  6. Verify that all computers are still connecting and that no other problems have occurred.

  7. Create a new Certification Authority (CA). The public part of the CA is automatically sent to all client computers during the next Agent-to-Server connection.

  8. Create new peer certificates signed with this new CA. Create a peer certificate for Agent and one for Server (select the applicable value in the Product drop-down menu in step 3 of the linked process).

  9. Complete the steps in the Client computer migration in ESET PROTECT On-Prem article to apply the new Agent certificate and assign the policy to the computers where you want to use the Advanced security.

    Minimize the risk of orphaning client computers

    To minimize the risk of accidentally orphaning client computers, apply the changes to a test computer before applying them to all target computers.

  10. When all devices connect with the new certificate, replace the current Server certificate with the new Server certificate.

    1. In the ESET PROTECT Web Console, click MoreSettingsConnectionChange CertificateOpen certificate list.

    2. Choose the new Server certificate and click OKSave.

    3. Restart the ESET PROTECT Server.

Advanced security is now enabled on your client devices.