[KB7805] Maintain updates using ESET PROTECT On-Prem in an offline environment

Issue

  • You have ESET PROTECT On-Prem installed with no access to the public internet and want to maintain updates to ESET products

Solution

  1. Prerequisites
  2. Create an offline repository using Mirror Tool
  3. Configure your local web server to distribute the offline repository
  4. Set up your server and clients to use the offline repository for updates
  5. Optional: Install ESET security products from a shared location via ESET PROTECT On-Prem Software install task
  6. Optional: To improve performance in larger environments, you can configure ESET Mirror Tool to download updates from another ESET Mirror Tool
Figure 1-1

I. Prerequisites

  • ESET PROTECT On-Prem installed, or the Virtual Appliance deployed
  • Ensure you have ESET Bridge installed
  • Download the Linux MirrorTool or Windows MirrorTool.exe file. See the complete documentation for more information on the Mirror Tool and a list of available parameters
  • If you run the Mirror Tool on Windows, install the following:
    • Visual C++ Redistributable for Visual Studio 2010
    • Visual C++ 2015 Redistributable x86
  • One machine is connected to the internet to create and update the offline repository
  • At least 250 GB of free space on the machine where the full offline repository is created
  • Download offline license files from ESET PROTECT Hub or ESET Business Account

II. Create an offline repository using Mirror Tool

Mirror Tool functions

You can configure Mirror Tool to create module updates or full repository:

  • Module updates—It downloads detection engine updates and other program modules, but not auto-updates (uPCU)
  • Repository creation—It can create a full offline repository, including auto-updates (uPCU)

Mirror Tool does not download ESET LiveGrid® data.

Mirror Tool downloads data to the repository-intermediate folder. When the download is finished, it moves all the data to the repository-final folder.

Ensure there is enough free space on your drive; each folder is 100 GB in size. As ESET releases new updates and product versions, the total size will continue to grow.

Update your offline resources regularly

Run this task every few months and move the new files to your offline repository.

  1. Run the following command in the command line on a computer with internet access. Use MirrorTool.exe on Windows machines and MirrorTool on Linux.

    MirrorTool.exe --repositoryServer AUTOSELECT ^
    --intermediateRepositoryDirectory repository-intermediate ^
    --outputRepositoryDirectory repository-final
  2. Follow these steps to reduce the download size of the folder:

    1. Create a text file in JSON format in the same folder as Mirror Tool and reference it with the --filterFilePath parameter, for example: --filterFilePath filter.txt

    2. In the text file, type in the desired parameters as described in this Online Help topic. Later in this document, you can find a list of the product names that can be used with these parameters. See the list of language codes.

    3. Optionally, add the parameter --dryRun to the text file and run the Mirror Tool. When you use this optional parameter, Mirror Tool will not download any files, but it will generate a .csv file listing all packages that will be downloaded.

    Filtering products can break installers

    If you use the product filtering option and create a reduced repository, you cannot create an All-in-one installer of a product that you filtered out of the repository.

    • To create an All-in-one installer with Agent only, you need to filter "ESET PROTECT Bootstrapper" "ESET Management Agent"
    • To create an All-in-one installer that contains an Agent and an ESET security product, filter also product names, for example: "ESET PROTECT Bootstrapper" "ESET Management Agent" "ESET Endpoint Security"
  3. To create an update mirror, you need the offline license file (license_file.lf) available on your intermediary machine. Run the following command to download the update files:

    MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory mirror-intermediary ^
    --offlineLicenseFilename license_file.lf ^
    --outputDirectory mirror-final

    The Mirror Tool creates two folders, temporary and final, with a 3 GB size. You can use the --excludedProducts parameter to decrease the download size:

    • ep11
    • ep12
    • era6 (covers all PROTECT On-Prem)

    Example usage of the --excludedProducts parameter:

    MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory mirror-intermediary ^
    --offlineLicenseFilename license_file.lf ^
    --outputDirectory mirror-final ^
    --excludedProducts ep9 ep10

See the list of available products
Product
ESET Endpoint Antivirus for Linux
ESET Bridge
ESET Endpoint Antivirus
ESET Endpoint Antivirus for macOS
ESET Endpoint Security
ESET Endpoint Security for Android
ESET Endpoint Security for Android - web edition
ESET Endpoint Security for macOS
ESET Full Disk Encryption
ESET Full Disk Encryption for macOS
ESET Inspect Connector
ESET Inspect Server
ESET Mail Security for IBM Domino
ESET Mail Security for Microsoft Exchange Server
ESET Mail/Server/Gateway Security for Linux
ESET Management Agent
ESET PROTECT Bootstrapper
ESET PROTECT Mobile Device Connector
ESET PROTECT On-Prem Server
ESET PROTECT Server
ESET PROTECT WebConsole
ESET Rogue Detection Sensor
ESET Secure Authentication
ESET Secure Authentication Components
ESET Secure Authentication Synchronization Agent
ESET Security for Microsoft SharePoint Server
ESET Server Security
ESET Server Security for Microsoft Windows Server
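
Before the folders produced in this section (repository-final, mirror-final) are copied to the offline web server, their contents can be pinned with a hash manifest on the internet-connected machine and checked again on the offline side. The following is an added example, not part of the ESET article or of Mirror Tool; the function names and the manifest file are assumptions, and it targets a Linux machine with GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example (not ESET code): SHA-256 manifest for Mirror Tool output that is
# carried across the air gap. Function and file names here are assumptions.

# write_manifest DIR MANIFEST   (internet-connected machine, after Mirror Tool)
# Keep MANIFEST outside DIR so it does not list itself.
write_manifest() {
    local dir=$1 manifest=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Relative paths, NUL-separated and sorted, so the manifest is reproducible.
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum ) > "$manifest"
}

# verify_manifest DIR MANIFEST  (offline web server, before publishing the copy)
# Returns 0 only if every listed file matches and no unlisted file is present.
verify_manifest() {
    local dir=$1 manifest=$2 listed present extra rc=0
    [ -d "$dir" ] && [ -s "$manifest" ] ||
        { echo "missing directory or empty manifest" >&2; return 2; }
    listed=$(mktemp) && present=$(mktemp) || return 2
    # Paths named in the manifest (strip the hash and the mode character).
    sed 's/^[0-9a-f]\{64\} [ *]//' "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$present"
    # 1. Every listed file must exist and match its recorded hash.
    ( cd "$dir" && sha256sum --quiet --check - ) < "$manifest" >&2 || rc=1
    # 2. Files on disk that the manifest does not list are rejected as well.
    extra=$(LC_ALL=C comm -13 "$listed" "$present")
    if [ -n "$extra" ]; then
        echo "$extra" | sed 's/^/not in manifest: /' >&2
        rc=1
    fi
    rm -f "$listed" "$present"
    return "$rc"
}

# Usage (paths are the folder names used in this article):
#   write_manifest  repository-final repository-final.sha256    # connected side
#   verify_manifest repository-final repository-final.sha256    # offline side
```

Transport the manifest separately from the media that carries the repository, so a change to the files in transit cannot be matched by a change to the manifest.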

III. Configure your local web server to distribute the offline repository

After you download the update and/or repository files using the Mirror Tool (as described above), choose a local web server (for example, ESET Bridge or Microsoft IIS).

Set up the web server to serve the updates and installers to the machines in the offline environment. See the setup instructions for ESET Bridge and Microsoft IIS below.

Alternative: I want to distribute updates using the ESET Endpoint as the update mirror.

Built-in proxy policy

If you have installed the ESET PROTECT On-Prem using the All-in-one (Bootstrapper) installer with enabled ESET Bridge, all clients will be configured by default to tunnel communication with ESET via the proxy. This configuration is also present in live installer scripts.


My offline web server is on Windows

Windows server with Microsoft IIS
  1. Copy the whole folder downloaded by Mirror Tool to C:\inetpub\wwwroot.

  2. Enable Directory Browsing in IIS Manager.

  3. Add MIME type with extension * as text/plain.

    Figure 2-1
    Unable to read the extension

    If ESET PROTECT On-Prem is unable to read the added extension, edit web.config in the IIS root folder and add a line with fileExtension=".".

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <directoryBrowse enabled="true" />
            <staticContent>
                <mimeMap fileExtension=".*" mimeType="text/plain" />
                <mimeMap fileExtension="." mimeType="text/plain" />
            </staticContent>
        </system.webServer>
    </configuration>

Windows server with ESET Bridge (distributed with ESET PROTECT On-Prem)
Administrator access needed

You need to have administrator permissions to edit the ESET Bridge configuration and restart the ESET Bridge service.

  1. Install ESET Bridge (ESET PROTECT On-Prem)

  2. Using a simple text editor, open the pkgid file from C:\Program Files\ESET\Bridge. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.

  3. Copy the downloaded repository to the offline repository server directory:

    • The default location of the offline repository server directory is C:\ProgramData\ESET\Bridge\OfflineRepository with proper access rights.
    • To use a custom directory, create a new folder for the offline repository (for example, C:\Repository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "C:\\Repository". The NETWORK SERVICE user needs full access rights to the directory.

  4. Restart the ESET Bridge service using the command line commands: net stop "EsetBridge" and net start "EsetBridge". You must restart the service only after changing the pkgid file—the service restart is unnecessary when the repository data is changed, deleted, or added.

  5. The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).


My offline web server is on Linux or ESET PROTECT Virtual Appliance

Linux and ESET PROTECT Virtual Appliance (CentOS) with ESET Bridge
CentOS 7 End of Life

CentOS 7 reached its End of Life status on June 30, 2024. ESET PROTECT On-Prem installed on CentOS 7 machines and the ESET PROTECT Virtual Appliance must be migrated. For more information, refer to the ESET End of Life microsite.

Administrator access needed

You need to have administrator permissions to edit the ESET Bridge configuration and restart the ESET Bridge service.

  1. Install ESET Bridge (HTTP Proxy) on Linux.

  2. Using a simple text editor, open the pkgid file from /opt/eset/bridge/etc. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file.

  3. Copy the downloaded repository to the offline repository server directory:

    • The default location of the offline repository server directory is /var/opt/eset/bridge/OfflineRepository with proper access rights.
    • To use a custom directory, create a new folder for the offline repository (for example, /var/opt/CustomOfflineRepository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "/var/opt/CustomOfflineRepository". The NETWORK SERVICE user needs full access rights to the directory.

  4. Restart the ESET Bridge service using this terminal command: sudo systemctl restart EsetBridge.service. You must restart the service only after changing the pkgid file—the service restart is unnecessary when the repository data is changed, deleted, or added.

  5. The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).


SELinux (applicable on Linux and ESET PROTECT Virtual Appliance)

SELinux can block other devices from accessing the repository machine. Add an exception for the location of the repository/update files or disable SELinux.

To turn off this feature, follow the steps below:

  1. Open /etc/selinux/config in your editor, find and set the following value:

    SELINUX=disabled
  2. Restart the system (machine) to apply the changes.


Open ports 4449 and 3128 on Linux or VA firewall

When using the ESET PROTECT Virtual Appliance, use Webmin to add port 4449 to the rule where 3128 is already listed, and save the configuration.

Figure 2-2

If you prefer the Linux Console, use the following commands to do the same:

iptables -A INPUT -p tcp --dport 4449 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 4449 -j ACCEPT
service iptables save
service ip6tables save

IV. Set up your server and clients to use the offline repository

See the examples below to set paths of the Repository and Update servers with ESET Endpoint products. Do the following in ESET PROTECT On-Prem:


Set up the ESET PROTECT Server to use the offline repository and updates

Server settings
  1. Click More → Settings and expand Advanced Settings.

  2. In the Server field under Repository, type your web server address.

    Figure 3-1
  3. Expand Updates.

  4. In the Update server field, type your web server address and click Save.

    Use the correct path for each product

    For the Update server settings, always type the full path according to the product you are setting up. For ESET PROTECT On-Prem, use folder era6:
    http://update.server.local/mirror-final/eset_upd/era6/

    Figure 3-2

Set up ESET Management Agents to use the offline repository and updates

Agent policy

You need to apply the new settings to all machines (their Agents) that are using the offline server for updates and repositories. Select a suitable policy or create a new one and assign it to those machines.

  1. Open Policies.

  2. Click the appropriate policy and click Edit.

  3. In the policy Settings section, expand Advanced settings.

  4. In the Server field under Repository, type your web server address.

    Figure 3-3
  5. Expand Updates.

  6. In the Update server field, type your web server address and click Save. Make sure you type the entire address, including the folder structure, according to the product you are setting up.

    Figure 3-4

Set up ESET Endpoint products to use the offline repository and updates

Policies for ESET Endpoint products (on Windows)

You need to apply the new settings to all machines (their ESET security products) that are using the offline server for updates. Select a suitable policy or create a new one and assign it to those machines.

  1. Activate ESET Endpoint products in the offline environment.

  2. Open Policies.

  3. Click the appropriate policy and click Edit.

  4. In the policy Settings section, click Update → Profiles → Updates → Modules Updates.

  5. Disable the toggle next to Choose automatically.

  6. Type your web server address in the Custom server field and click Finish. Make sure you type the entire address, including the folder structure, according to the product you are setting up. The example image below shows the ESET Endpoint folder address.

    Use the correct path for each product

    For the Custom server settings, always type the full path according to the product you are setting up. For example: http://update.server.local:8080/mirror-final/eset_upd/ep12

    The last folder in the path should be one of the following:

    Folder name    Updated products
    ep11           ESET Endpoint 11.x
    ep12           ESET Endpoint 12.x
    Figure 3-5
Product updates

If you created a full repository that includes auto-update files, you can also add your local web server to the Custom server in the Product Updates section.


Set up other ESET products to use the offline repository and updates

Other products

If necessary, create policies for any ESET product similar to the examples shown above.

Enable access to the web server

Make sure all client devices can access the offline repository web server on port 8080.


V. Optional: Install ESET security products from a shared location via ESET PROTECT On-Prem Software install task

In this case, we do not use a repository. You need to have ESET Management Agents installed on client machines.

  1. Download an ESET Endpoint installer (ESET download site).

  2. Save the installer to a location accessible to other computers in your offline network. We recommend creating a logical folder structure based on product names and versions.

  3. Log in to ESET PROTECT Web Console.

  4. Create a new Software Install task with the direct link.

    Deploy or upgrade ESET endpoint products using ESET PROTECT On-Prem.
