Issue
- You have ESET PROTECT On-Prem installed with no access to the public internet and want to maintain updates to ESET products
Solution
Prerequisites
- ESET PROTECT On-Prem installed, or the Virtual Appliance deployed.
- Ensure you have ESET Bridge installed.
- Download the Linux MirrorTool or Windows MirrorTool.exe file. See the complete documentation for more information on the Mirror Tool and a list of available parameters. MirrorTool.exe does not run on Windows XP and Microsoft Windows Server 2003.
- If you run the Mirror Tool on Windows, install the following:
  - Visual C++ Redistributable for Visual Studio 2010
  - Visual C++ 2015 Redistributable x86
- One machine is connected to the internet to create and update the offline repository.
- At least 250 GB of free space on the machine where the full offline repository is created.
- Download offline license files from ESET PROTECT Hub or ESET Business Account.
Create the repository using the Mirror Tool
- Download the update files using the Mirror Tool to your intermediary machine.
- Move the files to the offline web server. For example, ESET Bridge.
- Set up the Agents and endpoints to use the offline web server.
- Configure the ESET Mirror Tool to download updates from another ESET Mirror Tool.
Create an offline repository
The Mirror Tool downloads data to the repository-intermediate folder. When the download is finished, it moves all the data to the repository-final folder.
Ensure there is enough free space on your drive; each folder is 100 GB in size. As ESET releases new updates and product versions, the total size will continue to grow.
- Run the following command in the command line on a computer with internet access. Use MirrorTool.exe on Windows machines and MirrorTool on Linux.
  MirrorTool.exe --repositoryServer AUTOSELECT ^
    --intermediateRepositoryDirectory repository-intermediate ^
    --outputRepositoryDirectory repository-final
- Follow these steps to reduce the download size of the folder:
  - To reduce the download size of the folder, create a text file in JSON format placed in the same folder as Mirror Tool, for example: --filterFilePath filter.txt
  - In the text file, type in the desired parameters as described in this Online Help topic. Later in this document, you can find a list of the product names that can be used with these parameters. See the list of language codes.
  - Optionally, add the parameter --dryRun to the text file and run the Mirror Tool. When you use this optional parameter, Mirror Tool will not download any files, but it will generate a .csv file listing all packages that will be downloaded.
- To create an update mirror, you need the offline license file (license_file.lf) available on your intermediary machine. Run the following command to download the update files:
  MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory mirror-intermediary ^
    --offlineLicenseFilename license_file.lf ^
    --outputDirectory mirror-final
  The Mirror Tool creates two folders, temporary and final, with a 3 GB size. You can use the --excludedProducts parameters to decrease the download size:
  - ep9
  - ep10
  - ep11
  - era6 (covers all PROTECT On-Prem)
  Example usage of the --excludedProducts parameter:
  MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory mirror-intermediary ^
    --offlineLicenseFilename license_file.lf ^
    --outputDirectory mirror-final ^
    --excludedProducts ep6 ep7 ep8
See the list of available products
Product |
---|
ApacheHttp |
ESET Antivirus for Linux - Business Edition |
ESET Bridge |
ESET Endpoint Antivirus |
ESET Endpoint Antivirus for macOS |
ESET Endpoint Antivirus for OS X |
ESET Endpoint Security |
ESET Endpoint Security for Android |
ESET Endpoint Security for Android - web edition |
ESET Endpoint Security for macOS |
ESET Endpoint Security for OS X |
ESET File Security |
ESET File Security for Microsoft Windows Server |
ESET File Security for Microsoft Windows Server Core |
ESET Full Disk Encryption |
ESET Full Disk Encryption for macOS |
ESET Inspect Connector |
ESET Inspect Server |
ESET Mail Security for IBM Domino |
ESET Mail Security for Microsoft Exchange Server |
ESET Mail/File/Gateway Security for Linux |
ESET Management Agent |
ESET NSX Service Manager |
ESET PROTECT Bootstrapper |
ESET PROTECT Mobile Device Connector |
ESET PROTECT on-prem Server |
ESET PROTECT Server |
ESET PROTECT WebConsole |
ESET Rogue Detection Sensor |
ESET Secure Authentication |
ESET Secure Authentication Components |
ESET Secure Authentication Synchronization Agent |
ESET Security for Microsoft SharePoint Server |
ESET Server Security |
ESET Server Security for Microsoft Windows Server |
Safetica Agent |
WinPcap |
Move files to the offline webserver
After you download the update and/or repository files using the Mirror Tool (as described above), choose a local webserver (for example, ESET Bridge or Microsoft IIS).
Set up the webserver to serve the updates and installers to the machines in the offline environment. See the setup instructions for ESET Bridge and Microsoft IIS below.
Alternative: I want to distribute updates using the ESET Endpoint as the update mirror.
My offline web server is on Windows
Windows server with Microsoft IIS
- Copy the whole folder downloaded by the Mirror Tool to C:\inetpub\wwwroot.
- Enable Directory Browsing in IIS Manager.
- Add MIME type with extension * as text/plain.
Windows server with ESET Bridge (distributed with ESET PROTECT On-Prem)
- Using a simple text editor, open the pkgid file from C:\Program Files\ESET\Bridge. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.
- Copy the downloaded repository to the offline repository server directory:
  - The default location of the offline repository server directory is C:\ProgramData\ESET\Bridge\OfflineRepository with proper access rights.
  - To use a custom directory, create a new folder for the offline repository (for example, C:\Repository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "C:\\Repository". The NETWORK SERVICE user needs full access rights to the directory.
- Restart the ESET Bridge service using the command line commands: net stop "EsetBridge" and net start "EsetBridge". You must restart the service only after changing the pkgid file; the service restart is unnecessary when the repository data is changed, deleted or added.
- The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).
My offline web server is on Linux or ESET PROTECT Virtual Appliance
How do I install ESET Bridge (HTTP Proxy) on Linux?
Linux and ESET PROTECT Virtual Appliance (CentOS) with ESET Bridge
- Using a simple text editor, open the pkgid file from /opt/eset/bridge/etc. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.
- Copy the downloaded repository to the offline repository server directory:
  - The default location of the offline repository server directory is /var/opt/eset/bridge/OfflineRepository with proper access rights.
  - To use a custom directory, create a new folder for the offline repository (for example, /var/opt/CustomOfflineRepository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "/var/opt/CustomOfflineRepository". The NETWORK SERVICE user needs full access rights to the directory.
- Restart the ESET Bridge service using this terminal command: sudo systemctl restart EsetBridge.service. You must restart the service only after changing the pkgid file; the service restart is unnecessary when the repository data is changed, deleted or added.
- The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).
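A post-change check for the ESET Bridge steps above, as an added example that is not ESET's own code: it reads the two pkgid settings named in the steps and confirms the repository directory exists, is populated and is not world-writable. It assumes the settings appear in pkgid in the "key": value form quoted above and that %DATADIR% resolves to /var/opt/eset/bridge (inferred from the default Linux path); the function names and sample text are illustrative.

```python
import os
import re
from pathlib import Path

# Setting names are the ones quoted in the steps above.
STATIC_KEY = "http_proxy_settings_static_content_enabled"
DIR_KEY = "http_proxy_settings_offline_repository_dirPath"

# Constructed sample: pkgid lines in the "key": value form the page quotes.
SAMPLE_PKGID = r'''
"http_proxy_settings_static_content_enabled": false,
"http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository",
'''

def read_setting(text, key):
    """Return the unquoted value of a "key": value line, or None if absent."""
    m = re.search(r'"%s"\s*:\s*(?:"([^"]*)"|([^\s,}]+))' % re.escape(key), text)
    if m is None:
        return None
    if m.group(1) is not None:
        return m.group(1).replace("\\\\", "\\")  # undo the doubled backslash
    return m.group(2)

def check_offline_repo(pkgid_text, data_dir="/var/opt/eset/bridge"):
    """Return a list of problems; an empty list means the steps were applied."""
    problems = []
    if (read_setting(pkgid_text, STATIC_KEY) or "").lower() != "true":
        problems.append(STATIC_KEY + " is not true")
    # Absent setting: fall back to the default line shown on the page.
    configured = read_setting(pkgid_text, DIR_KEY) or "%DATADIR%\\OfflineRepository"
    # data_dir is an assumption inferred from the default Linux path.
    repo = Path(configured.replace("%DATADIR%", data_dir).replace("\\", "/"))
    if not repo.is_dir():
        return problems + [f"{repo} does not exist"]
    try:
        if not any(repo.iterdir()):
            problems.append(f"{repo} is empty")
    except PermissionError:
        problems.append(f"{repo} is not readable by this user")
    # POSIX only: anyone able to write here can change what clients install.
    if os.name == "posix" and repo.stat().st_mode & 0o002:
        problems.append(f"{repo} is world-writable")
    return problems

if __name__ == "__main__":
    for line in check_offline_repo(SAMPLE_PKGID) or ["ok"]:
        print(line)
```

On a server, pass the contents of the pkgid file from /opt/eset/bridge/etc instead of the constructed sample.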
SELinux (applicable on Linux and ESET PROTECT Virtual Appliance)
SELinux can block other devices from accessing the repository machine. Add an exception for the repository/updates files location or disable SELinux.
To turn off this feature, follow the steps below:
- Open /etc/selinux/config in your editor, find and set the following value: SELINUX=disabled
- Restart the system (machine) to apply the changes.
Open ports 4449 and 3128 on Linux or VA firewall
- When using the ESET PROTECT Virtual Appliance, use Webmin to add port 4449 to the rule where 3128 is already listed, and save the configuration.
If you prefer the Linux Console, use the following commands to do the same:
iptables -A INPUT -p tcp --dport 4449 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 4449 -j ACCEPT
service iptables save
service ip6tables save
Optional: Installing ESET security products from a shared location
In this case, we do not use a repository. You need to have ESET Management Agents installed on client machines.
- Download an ESET Endpoint installer (ESET download site).
- Save the installer to a location accessible to other computers in your offline network. We recommend creating a logical folder structure based on product names and versions.
- Log in to ESET PROTECT On-Prem.
- Create a new Software Install task with the direct link. Deploy or upgrade ESET endpoint products using ESET PROTECT On-Prem.
Set up your server and clients to use the offline repository
See the examples below to set paths of Repository and Update servers with ESET Endpoint products. Do the following in ESET PROTECT On-Prem:
Set up the ESET PROTECT Server to use the offline repository and updates
Server settings
- Open ESET PROTECT On-Prem in your web browser and log in.
- Navigate to More → Settings → Advanced Settings → Repository.
- Type your address in the Server field.
- Navigate to the Updates section.
- Type your offline server's address in the Update server field and click Save. Type the whole address with the folder structure, according to the product you are setting up.
Set up ESET Management Agents to use the offline repository and updates
Agent policy
You need to apply the new settings to all machines (their Agents) that are using the offline server for updates and repositories. Select a suitable policy or create a new one and assign it to those machines.
- Open ESET PROTECT On-Prem in your web browser and log in.
- Navigate to Policies.
- Select the appropriate policy.
- In the policy Settings section, navigate to → Advanced Settings → Repository.
- Type your address in the Server field.
- Navigate to the Updates section.
- Type your offline server's address in the Update server field and click Save. Ensure you type the whole address with the folder structure, according to the product you are setting up.
Set up ESET Endpoint products to use the offline repository and updates
Policies for ESET Endpoint products (on Windows)
You need to apply the new settings to all machines (their ESET security products) that are using the offline server for updates. Select a suitable policy or create a new one and assign it to those machines.
- Open ESET PROTECT On-Prem in your web browser and log in.
- Navigate to Policies.
- Select the appropriate policy.
- In the policy Settings section, navigate to → UPDATE → Profiles → Updates → Modules Updates.
- Disable the toggle next to Choose automatically.
- Type your offline server's address in the Custom server field and click Finish. Make sure to enter the whole address with the folder structure, according to the product you are setting up. The example image below shows the ESET Endpoint folder address.
Other products
If necessary, create policies for any ESET product similar to the examples shown above.