[KB7751] Migrate from ERA Proxy (Windows) to Apache HTTP Proxy in ESET PROTECT On-Prem

Issue

  • You have an ESET Remote Administrator (ERA) version 6 environment running the ERA Proxy (on a Windows host) component and you want to upgrade to ESET PROTECT On-Prem
  • ESET PROTECT On-Prem does not support ERA Proxy—Apache HTTP Proxy can substitute the role of ERA Proxy in the infrastructure
  • Connection limitations

Migrate from ERA Proxy (Linux or Virtual Appliance) to Apache HTTP Proxy in ESET PROTECT On-Prem

Details


Click to expand

ESET PROTECT On-Prem introduces a new generation of the Agent–Server communication protocol. The new replication protocol uses TLS and HTTP2 protocols so it can go through Proxy servers. There are also new self-recovery features and a persistent connection that improves overall communication performance.

New communication protocol does not support connection using ERA 6.x Proxy.

ESET provides a pre-configured Apache installer. The user can also use other proxy solution (besides Apache HTTP Proxy) which fulfills the following conditions:

  • can forward SSL communication
  • supports HTTP CONNECT
  • can work without authentication (ESET Management Agent does not support authentication with proxy)

However, the configuration of other proxy solutions is not provided or supported by ESET. Other proxy solutions may not support caching of the ESET LiveGuard Advanced communication.


Connection limitations

The ESET Remote Administrator version (ERA) 6.x Proxy component is discontinued in ESET PROTECT On-Prem. Follow the instructions in this article carefully to ensure connection compatibility:

  • ERA 6.x Agents can connect to ESET PROTECT On-Prem Server
  • ESET Management (EM) Agent (version 7) cannot connect to ESET PROTECT On-Prem Server via ERA Proxy
  • EM Agent (version 7) cannot connect to ERA 6.x Server
  • Do not upgrade ERA 6.x Agents before a proper proxy solution is configured
  • It is not possible to run the Agent deployment task on clients where ESET PROTECT On-Prem server can reach only via Apache HTTP Proxy

I. Prepare your ERA 6.x environment

  1. Back up your ERA Server (backup databaseCA and certificates).
     
  2. Upgrade your ERA Server to ESET PROTECT On-Prem via ESET PROTECT On-Prem Components Upgrade task. (Server, Agent and Web Console are upgraded). When assigning a target for the task, select only the machine with the ERA Server.
Upgrade the ERA Server manually

    1. Download the necessary ESET PROTECT On-Prem component installers. ESET PROTECT On-Prem Server, Agent, RD Sensor and Web Console are required. Download any other installers as needed. Do not rename downloaded .msi installer files.

    2. Stop Apache Tomcat. Navigate to your %TOMCAT_HOME%in directory (for example, C:\Program Files\Apache Tomcat\Tomcat7\bin\) and double-click tomcat7w.exe.

    3. Back up the C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\ folder and all of its contents.
      File location will differ on 32-bit systems:

      On 32-bit systems, the "Program Files (x86)" folder is named "Program Files".

    4. Copy the EraWebServerConfig.properties configuration file located at: C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config\EraWebServerConfig.properties.

    5. Delete the contents of the original C:\Program Files(x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\ folder (including the era.war file).

    6. In the downloaded installer files from Step a, locate the era.war file and extract it to: C:\Program Files(x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\.

    7. Move the EraWebServerConfig.properties configuration file from Step d to: C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config\.

    8. Double-click Server_x64.msi. Follow the ESET PROTECT On-Prem Server installation process. Specify these database connection settings:
      • If you installed using the All-in-one installer, in the Database drop-down menu, select MS SQL Server via Windows Authentication and click Next.
      • If you used an existing MS SQL Server/MySQL, select the connection type defined during installation. An administrative privileged database connection (user) is required when connecting to the ESET PROTECT On-Prem Server database. Click Next.

    9. Complete the ESET PROTECT On-Prem Server installation.

    10. Start the Apache Tomcat service. Depending on your system configuration, allow up to 40 seconds for the service to start.

    11. Open ESET PROTECT On-Prem in your web browser and log in.
       
  1. Wait approximately 24 hours to make sure that the upgraded environment runs smoothly.
  1. Upgrade the ERA Agent on the ERA Proxy machine via ESET PROTECT On-Prem Components Upgrade task.
Figure 1-1

II. Install and configure Apache HTTP Proxy

  1. Install Apache HTTP Proxy on the machine where the ERA Proxy is installed. Use the pre-configured ESET version of Apache HTTP Proxy. The configuration necessary for handling the connection of ESET Management Agents is included.
  2. Modify the Apache HTTP Proxy configuration file httpd.conf located in C:\Program Files\Apache HTTP Proxy\conf\. How to write a ProxyMatch expression?
    1. If you have changed the default port (2222) for the Agent, find the line AllowCONNECT 443 563 2222 and change 2222 to the number of your port.
       
    2. Add the hostname or IP address of your ESET PROTECT On-Prem Server to the configuration file. The hostname you add must be exactly the same as Agents use to connect the ESET PROTECT On-Prem Server. You can add IP address, hostname or both.

    3. Save the changes and restart the Apache HTTP Proxy service. 
       

 

Figure 2-1

III. Assign a transition policy to a test client

Figure 3-1
 
  1. To create a new policy on your ESET PROTECT On-Prem Server,
    Open ESET PROTECT On-Prem in your web browser and log in.


  2. In the ESET PROTECT On-Prem Web Console click Policies  New Policy.
     
  3. In the Basic section, type a Name for the policy.
     
  4. In the Settings section, select ESET Management Agent from the drop-down menu.
     
  5. Navigate to Connection  Server connects to  Edit server list.
     
  6. Click Add and enter the address (the address must match what Agent used in the configuration) of your ESET PROTECT On-Prem Server in the Host field. Click OK.
     
  7. Change the operator from Replace to Append.
     
  8. Click Finish.
     
  9. Navigate to Advanced Settings  HTTP Proxy and set Proxy Configuration Type to Different Proxy Per Service.
     
  10. Click Edit next to Replication (to ESMC Server) and enable the Use proxy server option.
     
  11. Type the IP address of the proxy machine to the Host field.
     
  12. Leave the default value 3128 for the Port.
     
  13. Click Save and Finish to save the policy. Do not assign it to any computer yet.
IP Addresses
It is absolutely necessary to have both IP addresses in one list applied to the client. If the Agent does not have this information in the policy, it will be unable to connect to the Proxy and the ESET PROTECT On-Prem Server after the upgrade. Such an Agent must be fixed manually by running a repair installation and using the correct ESET PROTECT On-Prem Server address.

If HTTP Proxy setting is not applied in the policy, the Agent will not be able to connect to the ESET PROTECT On-Prem Server. Manual re-installation cannot fix this.
 
  1. Choose one computer that is connected via ERA Proxy and assign the new policy to that test client.
     
  2. Wait a few minutes until the policy is applied and check if the computer is still connecting to the ESET PROTECT On-Prem Server.

IV. Upgrade ERA Agents on client computers

  1. Run the ESET PROTECT Components Upgrade task to upgrade the selected test client computer.
     
  2. After the client is upgraded to version 7, check if it is still connecting to the ESET PROTECT On-Prem Server. If the computer is successfully connecting after the upgrade, continue to upgrade other computers.
Important!

If you have a larger network, begin the upgrade at departments with IT experienced users or those who are physically closer to computers to make the troubleshooting easier.

  1. Apply the policy (from part III) to the other computers connected via the ERA Proxy.
Figure 4-1

 

  1. Wait a few minutes until the policy is applied and check if clients are still connecting to the ESET PROTECT On-Prem Server.
     
  2. Run the ESET PROTECT Components Upgrade task on these clients.
     
  3. If all clients are connecting to the ESET PROTECT On-Prem Server after the upgrade is finished, you can proceed with the next steps.
     
Figure 4-2

V. Remove ERA Proxy address from the list of servers

Figure 5-1
  1. Modify the policy (from part III) by navigating to Policies, clicking the gear icon next to the policy you want to modify, and then clicking Edit.
     
  2. In the Settings Connection change the operator from Append to Replace.
     
  3. Click Save.
     
  4. Click Finish to save and apply the policy.
     
  5. Remove the ERA Proxy component using Client Tasks  Software Uninstall.
Figure 5-2