[KB8368] Advanced scenarios for ESET Bridge with ESET PROTECT On-Prem

Issue

Apache HTTP Proxy users

ESET Bridge replaces Apache HTTP Proxy in ESET PROTECT On-Prem version 10. All ESET product versions compatible with Apache HTTP Proxy are in Limited Support status. If you currently use Apache HTTP Proxy, we recommend that you migrate to ESET Bridge.

Details



These installers have the correct configuration necessary for the following:

  • Forwarding ESET Management Agents' replication (communication with ESET PROTECT Server)
  • Caching ESET detection engine updates and installer files  
  • Caching ESET LiveGuard Advanced analysis results

Solution

About ESET Bridge

HTTPS traffic caching

ESET Bridge can decrypt and cache HTTPS traffic:

  • Update requests (modules, repository) sent from a supported ESET security product:

    Supported ESET security product                     | Supported product version
    ESET Endpoint Antivirus/Security for Windows        | 10 and later
    ESET Server Security for Microsoft Windows Server   | 10 and later
    ESET Mail Security for Microsoft Exchange Server    | 10 and later
    ESET Security for Microsoft SharePoint Server       | 10 and later
  • ESET LiveGuard Advanced traffic for ESET PROTECT On-Prem and the supported ESET security products listed above.

Products not supporting HTTPS traffic caching

ESET Bridge does not support HTTPS traffic caching for ESET security products (and their versions) not listed above—Linux/macOS security products and earlier Windows security products.

ESET PROTECT does not support HTTPS traffic caching.

ESET Bridge is new ESET software based on the open-source nginx software and adjusted for the needs of ESET security solutions. ESET distributes ESET Bridge with ESET PROTECT On-Prem 10.0 (and later) as a Proxy component replacing the former Apache HTTP Proxy.

See the comparison of ESET Bridge and Apache HTTP Proxy. You can also use ESET Bridge with ESET PROTECT. You can connect up to 10,000 computers to ESET PROTECT using ESET Bridge.

Read more about ESET Bridge on ESET Online Help.

Figure 1-1

Use different proxy solutions for caching and replication

Users in some environments may need separate proxy solutions for caching and replication.

In the example below, one branch office uses a separate proxy for caching and another for replication to the ESET PROTECT Server in the main office.

Figure 2-1

Configure an Agent to use different proxies

The proxy settings are located in the Agent policy. To configure them, create a new Agent policy or modify an existing one. You can also create multiple Agent policies with different proxy setups and assign them to computers using dynamic groups. When a client machine moves to a different dynamic group, it automatically uses the appropriate proxy setup.

To set up different proxies, follow these steps:

  1. Open ESET PROTECT or ESET PROTECT On-Prem in your web browser and log in.

  2. Click Policies > New Policy.

    Figure 3-1
  3. In the Basic section, type a Name and Description (the Description field is optional).

    Figure 3-2
  4. Click Settings and select ESET Management Agent from the drop-down menu.

    Figure 3-3
  5. Expand Advanced Settings. In the HTTP Proxy section, change the Proxy Configuration Type to Different Proxy Per Service.

    Figure 3-4
  6. Click Edit next to Replication (to ESET Management Server). Click the toggle next to Use proxy server to enable it and type the Host value. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Do not type a Username or Password. Click Save.

    Figure 3-5
  7. Click Edit next to ESET Services (updates, packages, telemetry...). Click the toggle next to Use proxy server to enable it and type the Host value. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Click Save.

    Figure 3-6
  8. Click Assign > Assign. Select a group or multiple machines that will use the new proxy setting.

    Figure 3-7
  9. Click Finish to apply the policy.

    Figure 3-8

Set up a proxy chain

ESET Bridge 2 supports proxy chaining for both caching and traffic forwarding.

Protocols supported in normal mode and proxy chaining: HTTP, HTTPS, MQTT, TCP, etc.

Figure 4-1

See the instructions for setting ESET Bridge in the proxy chaining mode.


ESET Bridge in an environment with DMZ

In a more complex infrastructure, with a subnet separating an internal LAN from untrusted networks (DMZ), deploying the ESET PROTECT Server out of the DMZ is recommended. Figure 5-1 illustrates one deployment scenario.

When setting up an environment such as this, we recommend adhering to the following guidelines:

  • Use hostnames instead of IP addresses in ESET PROTECT On-Prem component settings.
  • If client machines can leave the intranet (roaming clients): use dynamic groups and policies to ensure roaming clients use the server hostname resolvable from the internet only when they are external to the intranet. Clients that cannot leave the intranet should use a hostname that is only resolvable using the internal intranet to be sure their connection is not routed via the internet.
  • ESET Bridge (when used for replication) does not aggregate connections from Agents and does not save bandwidth. Use ESET Bridge for replication only if necessary.
  • Using ESET Bridge for caching updates and installers is recommended. Roaming agents should not use the caching proxy when external to the intranet. This can be achieved by using a hostname for the caching proxy that is not resolvable external to the intranet and allowing a direct connection.
  • Firewall: open only necessary ports (see the list of used ports) for selected hostnames.

Figure 5-1
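
The hostname guidelines above can be checked before an Agent policy is assigned. The following Python check is an added example, not ESET code: the policy records, hostnames and resolution results are constructed sample data, and `lint_policy` is a hypothetical helper that assumes you have recorded whether each name resolves from an internal and from an internet vantage point.

```python
import ipaddress

# Constructed sample data (hypothetical): one record per Agent policy.
POLICIES = [
    {"policy": "LAN agents", "roaming": False,
     "server": "protect.corp.example", "cache_proxy": "bridge.corp.example"},
    {"policy": "Roaming agents (external)", "roaming": True,
     "server": "protect.example.com", "cache_proxy": "bridge.example.com"},
    {"policy": "Legacy branch", "roaming": False,
     "server": "10.0.5.20", "cache_proxy": "bridge.corp.example"},
]
# hostname -> (resolves on the intranet, resolves from the internet)
RESOLVES = {
    "protect.corp.example": (True, False),
    "bridge.corp.example": (True, False),
    "protect.example.com": (True, True),
    "bridge.example.com": (True, True),
}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_policy(p, resolves):
    """Return the DMZ guideline violations found in one Agent policy."""
    findings = []
    for role in ("server", "cache_proxy"):
        if is_ip_literal(p[role]):
            findings.append(f"{role}: uses an IP address, use a hostname")
    if not is_ip_literal(p["server"]):
        _, srv_ext = resolves.get(p["server"], (False, False))
        if p["roaming"] and not srv_ext:
            findings.append("server: roaming policy needs an "
                            "internet-resolvable hostname")
        if not p["roaming"] and srv_ext:
            findings.append("server: intranet-only clients should use an "
                            "intranet-only hostname")
    _, cache_ext = resolves.get(p["cache_proxy"], (False, False))
    if cache_ext:  # external Agents would keep using the caching proxy
        findings.append("cache_proxy: hostname resolves from the internet")
    return findings

def lint_all(policies, resolves):
    return {p["policy"]: lint_policy(p, resolves) for p in policies}

if __name__ == "__main__":
    for name, findings in lint_all(POLICIES, RESOLVES).items():
        print(name, "->", findings or "OK")
```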