Issue
- You have ESET PROTECT On-Prem installed with no access to the public internet and want to maintain updates to ESET products
Solution
- Prerequisites
- Create an offline repository using Mirror Tool
- Configure your local web server to distribute the offline repository
- Set up your server and clients to use the offline repository for updates
- Optional: Install ESET security products from a shared location via ESET PROTECT On-Prem Software install task
- Optional: To improve performance in larger environments, you can configure ESET Mirror Tool to download updates from another ESET Mirror Tool

I. Prerequisites
- ESET PROTECT On-Prem installed, or the Virtual Appliance deployed
- Ensure you have ESET Bridge installed
- Download the Linux MirrorTool or Windows MirrorTool.exe file. See the complete documentation for more information on the Mirror Tool and a list of available parameters
- If you run the Mirror Tool on Windows, install the following:
  - Visual C++ Redistributable for Visual Studio 2010
  - Visual C++ 2015 Redistributable x86
- One machine is connected to the internet to create and update the offline repository
- At least 250 GB of free space on the machine where the full offline repository is created
- Download offline license files from ESET PROTECT Hub or ESET Business Account
II. Create an offline repository using Mirror Tool
Mirror Tool downloads data to the repository-intermediate folder. When the download is finished, it moves all the data to the repository-final folder.
Ensure there is enough free space on your drive; each folder is 100 GB in size. As ESET releases new updates and product versions, the total size will continue to grow.
Run the following command in the command line on a computer with internet access. Use MirrorTool.exe on Windows machines and MirrorTool on Linux.
MirrorTool.exe --repositoryServer AUTOSELECT ^
  --intermediateRepositoryDirectory repository-intermediate ^
  --outputRepositoryDirectory repository-final
Follow these steps to reduce the download size of the folder:
Create a text file in JSON format placed in the same folder as Mirror Tool, for example:
--filterFilePath filter.txt
In the text file, type in the desired parameters as described in this Online Help topic. Later in this document, you can find a list of the product names that can be used with these parameters. See the list of language codes.
Optionally, add the parameter --dryRun to the text file and run the Mirror Tool. When you use this optional parameter, Mirror Tool will not download any files, but it will generate a .csv file listing all packages that will be downloaded.
To create an update mirror, you need the offline license file (license_file.lf) available on your intermediary machine. Run the following command to download the update files:
MirrorTool.exe --mirrorType regular ^
  --intermediateUpdateDirectory mirror-intermediary ^
  --offlineLicenseFilename license_file.lf ^
  --outputDirectory mirror-final
The Mirror Tool creates two folders, temporary and final, with a 3 GB size. You can use the --excludedProducts parameter to decrease the download size:
- ep11
- ep12
- era6 (covers all PROTECT On-Prem)
Example usage of the --excludedProducts parameter:
MirrorTool.exe --mirrorType regular ^
  --intermediateUpdateDirectory mirror-intermediary ^
  --offlineLicenseFilename license_file.lf ^
  --outputDirectory mirror-final ^
  --excludedProducts ep9 ep10
See the list of available products
Product |
---|
ESET Endpoint Antivirus for Linux |
ESET Bridge |
ESET Endpoint Antivirus |
ESET Endpoint Antivirus for macOS |
ESET Endpoint Security |
ESET Endpoint Security for Android |
ESET Endpoint Security for Android - web edition |
ESET Endpoint Security for macOS |
ESET Full Disk Encryption |
ESET Full Disk Encryption for macOS |
ESET Inspect Connector |
ESET Inspect Server |
ESET Mail Security for IBM Domino |
ESET Mail Security for Microsoft Exchange Server |
ESET Mail/Server/Gateway Security for Linux |
ESET Management Agent |
ESET PROTECT Bootstrapper |
ESET PROTECT Mobile Device Connector |
ESET PROTECT On-Prem Server |
ESET PROTECT Server |
ESET PROTECT WebConsole |
ESET Rogue Detection Sensor |
ESET Secure Authentication |
ESET Secure Authentication Components |
ESET Secure Authentication Synchronization Agent |
ESET Security for Microsoft SharePoint Server |
ESET Server Security |
ESET Server Security for Microsoft Windows Server |
III. Configure your local web server to distribute the offline repository
After you download the update and/or repository files using the Mirror Tool (as described above), choose a local web server (for example, ESET Bridge or Microsoft IIS).
Set up the web server to serve the updates and installers to the machines in the offline environment. See the setup instructions for ESET Bridge and Microsoft IIS below.
Alternative: I want to distribute updates using the ESET Endpoint as the update mirror.
My offline web server is on Windows
Windows server with Microsoft IIS
Copy the whole folder downloaded by Mirror Tool to C:\inetpub\wwwroot.
Enable Directory Browsing in IIS Manager.
Add MIME type with extension * as text/plain.
Figure 2-1
Windows server with ESET Bridge (distributed with ESET PROTECT On-Prem)
Using a simple text editor, open the pkgid file from C:\Program Files\ESET\Bridge. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.
Copy the downloaded repository to the offline repository server directory:
- The default location of the offline repository server directory is C:\ProgramData\ESET\Bridge\OfflineRepository with proper access rights.
- To use a custom directory, create a new folder for the offline repository (for example, C:\Repository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "C:\\Repository". The NETWORK SERVICE user needs full access rights to the directory.
Restart the ESET Bridge service using the command line commands:
net stop "EsetBridge"
net start "EsetBridge"
You must restart the service only after changing the pkgid file. The service restart is unnecessary when the repository data is changed, deleted, or added.
The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).
My offline web server is on Linux or ESET PROTECT Virtual Appliance
Linux and ESET PROTECT Virtual Appliance (CentOS) with ESET Bridge
Using a simple text editor, open the pkgid file from /opt/eset/bridge/etc. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.
Copy the downloaded repository to the offline repository server directory:
- The default location of the offline repository server directory is /var/opt/eset/bridge/OfflineRepository with proper access rights.
- To use a custom directory, create a new folder for the offline repository (for example, /var/opt/CustomOfflineRepository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "/var/opt/CustomOfflineRepository". The NETWORK SERVICE user needs full access rights to the directory.
Restart the ESET Bridge service using this terminal command:
sudo systemctl restart EsetBridge.service
You must restart the service only after changing the pkgid file. The service restart is unnecessary when the repository data is changed, deleted, or added.
The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).
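The copy step above moves the Mirror Tool output from the internet-connected machine to the offline server, where it is then served as static content. The script below is an added example, not part of the ESET article or Mirror Tool: it records a SHA-256 manifest of the output folder before transfer and checks the copy before it is published, including files the manifest never listed. It assumes a Linux host with sha256sum; the function names and manifest file name are hypothetical.

```shell
#!/bin/sh
# Added example: carry a Mirror Tool output folder across the air gap with a
# SHA-256 manifest. Function and manifest names are assumptions.

# Sorted relative paths of every regular file under DIR.
list_files() {
    (cd "$1" && find . -type f | LC_ALL=C sort)
}

# make_manifest DIR MANIFEST
# Run on the internet-connected machine once Mirror Tool has finished.
# MANIFEST must live outside DIR so it does not list itself.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# verify_manifest DIR MANIFEST
# Run on the offline web server before the folder is published.
# Returns 0 if DIR matches, 1 on a changed or missing file,
# 2 if DIR holds a file the manifest does not list.
verify_manifest() {
    dir=$1
    manifest=$2
    # sha256sum -c only checks listed files: catches edits and deletions.
    if ! out=$( (cd "$dir" && sha256sum -c -) < "$manifest" 2>&1 ); then
        printf '%s\n' "$out" | grep -v ': OK$' >&2
        return 1
    fi
    # The folder is served as static content, so unlisted files count too.
    listed=$(mktemp) || return 1
    sed 's/^[0-9a-f]* [ *]//' "$manifest" > "$listed"
    extra=$(list_files "$dir" | grep -Fxv -f "$listed" || true)
    rm -f "$listed"
    if [ -n "$extra" ]; then
        printf 'not in manifest: %s\n' "$extra" >&2
        return 2
    fi
    return 0
}

# Usage: sh repo-manifest.sh make|verify DIR MANIFEST
case "${1:-}" in
    make)   make_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" && echo "repository matches manifest" ;;
esac
```

Carry the manifest on separate media from the repository copy so that a change to one is not hidden by a matching change to the other.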
SELinux (applicable on Linux and ESET PROTECT Virtual Appliance)
SELinux can block other devices from accessing the repository machine. Add an exception for the repository/updates files location or disable SELinux.
To turn off this feature, follow the steps below:
Open /etc/selinux/config in your editor, find and set the following value:
SELINUX=disabled
Restart the system (machine) to apply the changes.
Open ports 4449 and 3128 on Linux or VA firewall
When using the ESET PROTECT Virtual Appliance, use Webmin to add port 4449 to the rule where 3128 is already listed, and save the configuration.

If you prefer the Linux Console, use the following commands to do the same:
iptables -A INPUT -p tcp --dport 4449 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 4449 -j ACCEPT
service iptables save
service ip6tables save
IV. Set up your server and clients to use the offline repository
See the examples below to set paths of the Repository and Update servers with ESET Endpoint products. Do the following in ESET PROTECT On-Prem:
Set up the ESET PROTECT Server to use the offline repository and updates
Server settings
Click More → Settings and expand Advanced Settings.
In the Server field under Repository, type your web server address.
Figure 3-1
Expand Updates.
In the Update server field, type your web server address and click Save.
Figure 3-2
Set up ESET Management Agents to use the offline repository and updates
Agent policy
You need to apply the new settings to all machines (their Agents) that are using the offline server for updates and repositories. Select a suitable policy or create a new one and assign it to those machines.
Open Policies.
Click the appropriate policy and click Edit.
In the policy Settings section, expand Advanced settings.
In the Server field under Repository, type your web server address.
Figure 3-3
Expand Updates.
In the Update server field, type your web server address and click Save. Be sure to type the entire address, including the folder structure, according to the product you are setting up.
Figure 3-4
Set up ESET Endpoint products to use the offline repository and updates
Policies for ESET Endpoint products (on Windows)
You need to apply the new settings to all machines (their ESET security products) that are using the offline server for updates. Select a suitable policy or create a new one and assign it to those machines.
Open Policies.
Click the appropriate policy and click Edit.
In the policy Settings section, click Update → Profiles → Updates → Modules Updates.
Disable the toggle next to Choose automatically.
Type your web server address in the Custom server field and click Finish. Be sure to type the entire address, including the folder structure, according to the product you are setting up. The example image below shows the ESET Endpoint folder address.
Figure 3-5
Set up other ESET products to use the offline repository and updates
Other products
If necessary, create policies for any ESET product similar to the examples shown above.
V. Optional: Install ESET security products from a shared location via ESET PROTECT On-Prem Software install task
In this case, we do not use a repository. You need to have ESET Management Agents installed on client machines.
Download an ESET Endpoint installer (ESET download site).
Save the installer to a location accessible to other computers in your offline network. We recommend creating a logical folder structure based on product names and versions.
Log in to ESET PROTECT Web Console.
Create a new Software Install task with the direct link.
Deploy or upgrade ESET endpoint products using ESET PROTECT On-Prem.