[KB7805] Maintain updates using ESET PROTECT On-Prem in an offline environment

Issue

  • You have ESET PROTECT On-Prem installed with no access to the public internet and want to maintain updates to ESET applications

Solution

  1. Prerequisites
  2. Create an offline repository using Mirror Tool
  3. Configure your local web server to distribute the offline repository
  4. Set up your server and clients to use the offline repository for updates
  5. Optional: Install ESET security applications from a shared location via ESET PROTECT On-Prem Software install task

I. Prerequisites

  • ESET PROTECT On-Prem installed, or the Virtual Appliance deployed
  • Internet connection on the machine where you want to create the offline repository
  • Enough free storage space. Currently, the requirement is 1.2 TB for the whole repository. As ESET releases new updates and application versions, the free storage space requirement will grow

II. Create an offline repository using Mirror Tool

Mirror Tool documentation

For a complete Mirror Tool documentation and a list of available parameters, see Mirror Tool for Windows Online Help guide or Mirror Tool for Linux Online Help guide.

  1. Ensure your device meets the requirements to use Mirror Tool and you have downloaded your offline activation file (activation_file.lf).

  2. Download Mirror Tool.

    Mirror Tool functions

    You can configure Mirror Tool to create module updates or a full repository:

    • Module updates—It downloads detection engine updates and other program modules, but not auto-updates (uPCU)
    • Repository creation—It can create a full offline repository, including auto-updates (uPCU)

    Mirror Tool does not download ESET LiveGrid® data.

  3. Extract the files from the downloaded archive to a desired folder.

  4. Open command line / terminal in the folder where you have extracted the archive.

  5. Create an offline repository. Run the following command in the command line / terminal on a computer with internet access.

    Windows

    MirrorTool.exe --repositoryServer AUTOSELECT ^
    --intermediateRepositoryDirectory C:\Intermediary ^
    --outputRepositoryDirectory C:\Repository

    Linux

    sudo ./MirrorTool --repositoryServer AUTOSELECT \
    --intermediateRepositoryDirectory ~/Documents/Intermediary \
    --outputRepositoryDirectory ~/Documents/Repository

    Mirror Tool downloads data to the intermediateRepositoryDirectory folder. When the download is finished, it moves all the data to the outputRepositoryDirectory folder.

    Update your offline resources regularly

    Run this task regularly (at least every few months for the repository) and move the new files to your offline repository. Detection engine updates are released several times a day, so the interval between mirror runs is also the maximum age of the detection engine on your offline clients; choose it accordingly.

  6. Optional: Reduce the download size of the folder.

    1. Create a filter file in JSON format in the same folder as Mirror Tool and pass it to Mirror Tool with the --filterFilePath parameter, for example: --filterFilePath filter.txt

    2. In the filter file, specify the desired parameters as described in this Online Help topic. You can filter the downloaded files by application or by language.

    Filtering applications can break installers

    If you use the application filtering option and create a reduced repository, you cannot create an All-in-one installer of an application that you filtered out of the repository.

    • To create an All-in-one installer with Agent only, you need to filter "ESET PROTECT Bootstrapper" "ESET Management Agent"
    • To create an All-in-one installer that contains an Agent and an ESET security application, filter also application names, for example: "ESET PROTECT Bootstrapper" "ESET Management Agent" "ESET Endpoint Security"

    See the list of available applications.

  7. Create an offline update mirror. To create an update mirror, you need the offline activation file (activation_file.lf) available on your intermediary machine. Run the following command in the command line / terminal on a computer with internet access.

    Windows

    MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory c:\temp\mirrorTemp ^
    --offlineLicenseFilename c:\temp\offline.lf ^
    --outputDirectory c:\temp\mirror

    Linux

    sudo ./MirrorTool --mirrorType regular \
    --intermediateUpdateDirectory /tmp/mirrorTool/mirrorTemp \
    --offlineLicenseFilename /tmp/mirrorTool/offline.lf \
    --outputDirectory /tmp/mirrorTool/mirror

    Mirror Tool creates two folders, the intermediate one and the final one, which together take about 3 GB. You can use the --excludedProducts parameter to decrease the download size:

    • ep12
    • ep13
    • era6 (covers all PROTECT On-Prem)

    Example usage of the --excludedProducts parameter:

    MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory mirror-intermediary ^
    --offlineLicenseFilename activation_file.lf ^
    --outputDirectory mirror-final ^
    --excludedProducts ep11 ep12

List of available applications (names you can use in the application filter):

  • ESET Endpoint Antivirus for Linux
  • ESET Bridge
  • ESET Endpoint Antivirus for Windows
  • ESET Endpoint Antivirus for macOS
  • ESET Endpoint Security for Windows
  • ESET Endpoint Security for macOS
  • ESET Endpoint Security for Android
  • ESET Full Disk Encryption
  • ESET Inspect Connector
  • ESET Inspect Server
  • ESET Mail Security for IBM Domino
  • ESET Mail Security for Microsoft Exchange Server
  • ESET Management Agent
  • ESET PROTECT Mobile Device Connector
  • ESET PROTECT On-Prem Server
  • ESET PROTECT Server
  • ESET PROTECT Web Console
  • ESET Rogue Detection Sensor
  • ESET Secure Authentication
  • ESET Secure Authentication On-Prem
  • ESET Secure Authentication Components
  • ESET Secure Authentication Synchronization Agent
  • ESET Security for Microsoft SharePoint Server
  • ESET Server Security for Microsoft Windows Server
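The script below is added here as an example; it is not part of the ESET documentation or of Mirror Tool itself. It wraps the two Linux Mirror Tool runs from steps 5 and 7 in functions and then writes a SHA-256 manifest of the staging tree, so that the copy carried to the offline web server can be checked for missing, altered or unexpected files before it is served to clients. The staging path, the Mirror Tool and licence file locations, the manifest file name and the sample files used in the test are all assumptions.

```shell
#!/usr/bin/env bash
# Added example (not ESET's code): drive the Linux Mirror Tool runs from steps 5 and 7,
# then write a SHA-256 manifest so the tree that is carried to the offline web server
# can be checked for completeness and tampering before it is served to clients.
set -euo pipefail

# Assumed locations; override through the environment to match your own paths.
MIRRORTOOL="${MIRRORTOOL:-./MirrorTool}"
LICENSE_FILE="${LICENSE_FILE:-./activation_file.lf}"
STAGING="${STAGING:-/srv/eset-staging}"

# Step 5: full offline repository (installers and uPCU auto-updates).
build_repository() {
    "$MIRRORTOOL" --repositoryServer AUTOSELECT \
        --intermediateRepositoryDirectory "$STAGING/repo-intermediary" \
        --outputRepositoryDirectory "$STAGING/Repository"
}

# Step 7: module-update mirror. Mirror Tool needs the offline licence file here,
# so fail early with a clear message instead of partway through the download.
build_mirror() {
    if [ ! -r "$LICENSE_FILE" ]; then
        echo "offline licence file not readable: $LICENSE_FILE" >&2
        return 1
    fi
    "$MIRRORTOOL" --mirrorType regular \
        --intermediateUpdateDirectory "$STAGING/mirror-intermediary" \
        --offlineLicenseFilename "$LICENSE_FILE" \
        --outputDirectory "$STAGING/mirror-final"
}

# Write "<sha256>  ./relative/path" for every file under $1 into $2.
# Paths are relative to $1, so the manifest stays valid when the tree is copied
# to a different directory on the offline server. The manifest itself is skipped.
make_manifest() {
    local root="$1" out="$2"
    ( cd "$root" && find . -type f ! -name "$(basename "$out")" -print0 \
        | sort -z | xargs -0 -r sha256sum ) > "$out"
}

# Check a copied tree ($1) against its manifest ($2). Succeeds only if every listed
# file is present with the recorded hash and no unlisted files have appeared.
verify_manifest() {
    local root="$1" manifest="$2"
    ( cd "$root" && sha256sum --quiet -c - ) < "$manifest" || return 1
    local listed actual
    listed=$(wc -l < "$manifest")
    actual=$(cd "$root" && find . -type f ! -name "$(basename "$manifest")" | wc -l)
    [ "$listed" -eq "$actual" ]
}

case "${1:-}" in
    build)  build_repository && build_mirror && make_manifest "$STAGING" "$STAGING/SHA256SUMS" ;;
    verify) verify_manifest "${2:?copied directory}" "${3:?manifest file}" ;;
esac
```

Run the script with `build` on the machine that has internet access, copy the staging directory together with its SHA256SUMS file to the offline web server, and run it there with `verify <copied directory> <manifest>`; a non-zero exit code means a file is missing, was altered in transit, or was added to the tree.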

III. Configure your local web server to distribute the offline repository

After you download the update and/or repository files using the Mirror Tool (as described above), choose a local web server (for example, ESET Bridge or Microsoft IIS).

Set up the web server to serve the updates and installers to the machines in the offline environment. See the setup instructions for ESET Bridge and Microsoft IIS below.

Alternative: Distribute updates using the ESET Endpoint as the update mirror.

Built-in proxy policy

If you have installed the ESET PROTECT On-Prem using the All-in-one installer with enabled ESET Bridge, all clients will be configured by default to tunnel communication with ESET via the proxy. This configuration is also present in live installer scripts.


My offline web server is on Windows
Windows server with Microsoft IIS
  1. Copy the whole folder downloaded by Mirror Tool to C:\inetpub\wwwroot.

  2. Enable Directory Browsing in IIS Manager.

  3. Add a MIME type for the extension * with the MIME type text/plain.

    Unable to read the extension

    If ESET PROTECT On-Prem still cannot read files after you add that extension, edit web.config in the IIS root folder and add a mimeMap line with fileExtension=".", as in the example below.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <directoryBrowse enabled="true" />
            <staticContent>
                <mimeMap fileExtension=".*" mimeType="text/plain" />
                <mimeMap fileExtension="." mimeType="text/plain" />
            </staticContent>
        </system.webServer>
    </configuration>

Windows server with ESET Bridge (distributed with ESET PROTECT On-Prem)
Administrator access needed

You need to have administrator permissions to edit the ESET Bridge configuration and restart the ESET Bridge service.

  1. Install ESET Bridge (ESET PROTECT On-Prem)

  2. Using a simple text editor, open the pkgid file from C:\Program Files\ESET\Bridge. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.

  3. Copy the downloaded repository to the offline repository server directory:

    • The default location of the offline repository server directory is C:\ProgramData\ESET\Bridge\OfflineRepository with proper access rights.
    • To use a custom directory, create a new folder for the offline repository (for example, C:\Repository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "C:\\Repository". The NETWORK SERVICE user needs full access rights to the directory.

  4. Restart the ESET Bridge service using the command line commands: net stop "EsetBridge" and net start "EsetBridge". You must restart the service only after changing the pkgid file—the service restart is unnecessary when the repository data is changed, deleted, or added.

  5. The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).


My offline web server is on Linux or ESET PROTECT Virtual Appliance
Linux and ESET PROTECT Virtual Appliance (CentOS) with ESET Bridge
Administrator access needed

You need to have administrator permissions to edit the ESET Bridge configuration and restart the ESET Bridge service.

  1. Install ESET Bridge (HTTP Proxy) on Linux.

  2. Using a simple text editor, open the pkgid file from /opt/eset/bridge/etc. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.

  3. Copy the downloaded repository to the offline repository server directory:

    • The default location of the offline repository server directory with proper access rights is:

      /var/opt/eset/bridge/OfflineRepository
    • To use a custom directory, create a new folder for the offline repository:

      /var/opt/CustomOfflineRepository

      In the pkgid file, replace the line:

      "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository"

      with:

      "http_proxy_settings_offline_repository_dirPath": "/var/opt/CustomOfflineRepository"

      The account the ESET Bridge service runs under needs full access rights to the directory (NETWORK SERVICE is the Windows service account; it does not exist on Linux).

  4. Restart the ESET Bridge service using this terminal command:

    sudo systemctl restart EsetBridge.service

    You must restart the service only after changing the pkgid file—the service restart is unnecessary when the repository data is changed, deleted, or added.

  5. The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).
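The script below is added here as an example and is not ESET's own tooling. It automates the Linux pkgid edit from steps 2 and 3 above (the Windows steps use the same two keys in a different file location), keeps a backup of the original file, checks that both settings ended up with the intended values, and only then restarts the service and confirms that port 4449 answers locally. The two key names are taken from this article; that the enabled flag is a bare JSON true/false literal, the backup file naming and the curl check are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not ESET's code): switch a Linux ESET Bridge pkgid file to serve
# an offline repository from a custom directory, with a backup and a post-edit check
# before the service is restarted. The two key names come from the KB text; that the
# enabled flag is a bare JSON true/false literal is an assumption.
set -euo pipefail

# Edit the two settings in place. $1 = pkgid path, $2 = repository directory (a Linux
# path without backslashes; Windows paths would need JSON escaping not handled here).
enable_offline_repository() {
    local pkgid="$1" repo_dir="$2"
    cp -p "$pkgid" "$pkgid.bak.$(date +%Y%m%d%H%M%S)"   # keep a rollback copy
    sed -i \
        -e 's/\("http_proxy_settings_static_content_enabled"[[:space:]]*:[[:space:]]*\)false/\1true/' \
        -e 's|\("http_proxy_settings_offline_repository_dirPath"[[:space:]]*:[[:space:]]*\)"[^"]*"|\1"'"$repo_dir"'"|' \
        "$pkgid"
}

# Succeed only if both settings carry the intended values; run this before restarting.
verify_pkgid() {
    local pkgid="$1" repo_dir="$2"
    grep -Eq '"http_proxy_settings_static_content_enabled"[[:space:]]*:[[:space:]]*true' "$pkgid" || return 1
    grep -Fq '"http_proxy_settings_offline_repository_dirPath"' "$pkgid" || return 1
    grep -Fq "\"$repo_dir\"" "$pkgid"
}

# Restart ESET Bridge (needed only after a pkgid change, not after repository content
# changes) and confirm the offline repository answers on its default port 4449.
restart_and_check() {
    sudo systemctl restart EsetBridge.service
    curl -sS -o /dev/null "http://127.0.0.1:4449/"
}

if [ "${1:-}" = "apply" ]; then
    PKGID=/opt/eset/bridge/etc/pkgid
    REPO_DIR="${2:-/var/opt/eset/bridge/OfflineRepository}"
    enable_offline_repository "$PKGID" "$REPO_DIR"
    verify_pkgid "$PKGID" "$REPO_DIR"
    restart_and_check
fi
```

Run it as root with `apply /var/opt/CustomOfflineRepository` (or `apply` alone to keep the default directory). The verification step exists because a sed edit that matches nothing exits successfully; without the check, a pkgid whose formatting differs from the assumed one would leave the repository server disabled after the restart.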


SELinux (applicable on Linux and ESET PROTECT Virtual Appliance)

SELinux can block other devices from accessing the repository on this machine. Add an exception for the repository/updates file location, or disable SELinux. Disabling SELinux removes mandatory access control for every service on the machine, not only for ESET Bridge, so a scoped exception is the safer choice where you can manage it.

To turn SELinux off, follow the steps below:

  1. Open /etc/selinux/config in your editor, find the SELINUX line and set it to:

    SELINUX=disabled
  2. Restart the system (machine) to apply the change.


Open ports 4449 and 3128 on Linux or VA firewall

When using the ESET PROTECT Virtual Appliance, use Webmin to add port 4449 to the rule where 3128 is already listed, and save the configuration.

If you prefer the Linux console, use the following commands to do the same:

iptables -A INPUT -p tcp --dport 4449 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 4449 -j ACCEPT
service iptables save
service ip6tables save

These rules accept connections to port 4449 from any source; add the -s option with your client subnet if only specific networks should reach the repository. Also check the resulting rule order: -A appends at the end of the INPUT chain, so if the chain already ends with a REJECT rule (the CentOS default), the new rule is never reached and you need to insert it ahead of the REJECT rule with -I INPUT instead.

IV. Set up your server and clients to use the offline repository

The examples below show how to set the Repository and Update server paths for the ESET PROTECT Server, the ESET Management Agents and ESET Endpoint applications. Do the following in ESET PROTECT On-Prem:


Set up the ESET PROTECT Server to use the offline repository and updates
Server settings
  1. Click More → Settings and expand Advanced Settings.

  2. In the Server field under Repository, type your web server address.

  3. Expand Updates.

  4. In the Update server field, type your web server address and click Save.

    Use the correct path for each application

    For the Update server settings, always type the full path according to the application you are setting up. For ESET PROTECT On-Prem, use folder era6:
    http://update.server.local/mirror-final/eset_upd/era6/


Set up ESET Management Agents to use the offline repository and updates
Agent policy

You need to apply the new settings to all machines (their Agents) that are using the offline server for updates and repositories. Select a suitable policy or create a new one and assign it to those machines.

  1. Open Policies.

  2. Click the appropriate policy and click Edit.

  3. In the policy Settings section, expand Advanced settings.

  4. In the Server field under Repository, type your web server address.

  5. Expand Updates.

  6. In the Update server field, type your web server address and click Save. Type the entire address, including the folder structure, for the application you are setting up.


Set up ESET Endpoint applications to use the offline repository and updates
Policies for ESET Endpoint applications (on Windows)

You need to apply the new settings to all machines (their ESET security applications) that are using the offline server for updates. Select a suitable policy or create a new one and assign it to those machines.

  1. Activate ESET Endpoint applications in the offline environment.

  2. Open Policies.

  3. Click the appropriate policy and click Edit.

  4. In the policy Settings section, click Update → Profiles → Updates → Module Updates.

  5. Disable the toggle next to Choose automatically.

  6. Type your web server address in the Custom server field and click Finish. Type the entire address, including the folder structure, for the application you are setting up.

    Use the correct path for each application

    For the Custom server settings, always type the full path according to the application you are setting up. For example: http://update.server.local:8080/mirror-final/eset_upd/ep12

    The last folder in the path should be one of the following:

    Folder name    Updated applications
    ep11           ESET Endpoint 11.x
    ep12           ESET Endpoint 12.x
Application updates

If you created a full repository that includes auto-update files, you can also add your local web server to the Custom server in the Application Updates section.


Set up other ESET applications to use the offline repository and updates
Other applications

If necessary, create policies for any ESET application similar to the examples shown above.

Enable access to the web server

Ensure all client devices can reach the offline repository web server on the port it listens on: 4449 for the ESET Bridge offline repository, or the port you configured on your IIS site (the examples above use 8080).


V. Optional: Install ESET security applications from a shared location via ESET PROTECT On-Prem Software install task

In this case, no repository is used. ESET Management Agent must already be installed on the client machines.

  1. Download an ESET Endpoint installer (ESET download site).

  2. Save the installer to a location accessible to other computers in your offline network. We recommend creating a logical folder structure based on application names and versions.

  3. Log in to ESET PROTECT Web Console.

  4. Create a new Software Install task with the direct link.

    Deploy or upgrade ESET endpoint applications using ESET PROTECT On-Prem.