Overslaan naar hoofdinhoud

Migrate from ERA Proxy (Windows) to Apache HTTP Proxy in ESMC 7 - Kennisbank / Legacy / ESET Security Management Center / 7.x - ESET Tech Center

Migrate from ERA Proxy (Windows) to Apache HTTP Proxy in ESMC 7

Lijst van auteurs

Issue

  • You have an ESET Remote Administrator (ERA) version 6 environment running the ERA Proxy (on a Windows host) component and you want upgrade to ESET Security Management Center (ESMC) 7
  • ESMC does not support ERA Proxy—Apache HTTP Proxy can substitute the role of ERA Proxy in the infrastructure

Are you using ERA Proxy - Virtual Appliance?

Details

Solution

Connection limitations

The ESET Remote Administrator version (ERA) 6.x Proxy component is discontinued in ESET Security Management Center 7. Follow the instructions in this article carefully to ensure connection compatibility:

  • ERA 6.x Agents can connect to ESMC 7 Server
  • ESET Management (EM) Agent (version 7) cannot connect to ESMC Server via ERA Proxy
  • EM Agent (version 7) cannot connect to ERA 6.x Server
  • Do not upgrade ERA 6.x Agents before a proper proxy solution is configured
  • It is not possible to run the Agent deployment task on clients where ESMC server can reach only via Apache HTTP Proxy
     

Mannually migrate ERA Proxy to Apache HTTP Proxy in ESMC 7

I. Prepare your ERA 6.x environment

  1. Back up your ERA Server (backup databaseCA and certificates).
     
  2. Upgrade your ERA Server.
    1. Download the necessary ESMC 7 component installers. ESMC Server, Agent, RD Sensor and Web Console are required. Download any other installers as needed. Do not rename downloaded .msi installer files.
    2. Stop Apache Tomcat. Navigate to your %TOMCAT_HOME%\bin directory (for example, C:\Program Files\Apache Tomcat\Tomcat7\bin) and double-click tomcat7w.exe.
    3. Back up the C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era folder and all of its contents.

      File location will differ on 32-bit systems:

      On 32-bit systems, the "Program Files (x86)" folder is named "Program Files".

    4. Copy the EraWebServerConfig.properties configuration file located at: C:\Program Files(x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config\EraWebServerConfig.properties.
    5. Delete the contents of the original C:\Program Files(x86)\Apache Software Foundation\Tomcat 7.0\webapps\era folder (including the era.war file).
    6. In the downloaded installer files from Step a, locate the era.war file and extract it to: C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era.
    7. Move the EraWebServerConfig.properties configuration file from Step d to: C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config.
    8. Double-click Server_x64.msi. Follow the ESMC Server installation process. Specify these database connection settings:
      • If you installed using the all-in-one installer, in the Database drop-down menu, select MS SQL Server via Windows Authentication and click Next.
      • If you used an existing MS SQL Server/MySQL, select the connection type defined during installation. An administrative privileged database connection (user) is required when connecting to the ESMC Server database. Click Next.
         
    9. Complete the installation of ESMC Server.
       
    10. Start the Apache Tomcat service. Depending on your system configuration, allow up to 40 seconds for the service to start.
    11. Open ESET Security Management Center Web Console (ESMC Web Console) in your web browser and log in. How do I open ESMC Web Console.
  3. Wait approximately 24 hours to make sure that the upgraded environment runs smoothly.
     
  4. On the ERA Proxy machine, migrate the ERA Agent to the ESMC Agent.
    1. Create a new Dynamic Group based on operating system (32-bit or 64-bit).
      • For 32-bit systems:
        • Operation "AND"
        • Add rule OS edition > OS platform = (equal) 32-bit
        • Add rule OS edition > OS type contains Windows
           
      • For 64-bit systems:
        • Operation "AND"
        • Add rule OS edition > OS platform = (equal) 64-bit
        • Add rule OS edition > OS type contains Windows
           
    2. Create a new Client Task for 32-bit systems.

      ESMC Log File location:

      The ESMC log file is accessible at: %TEMP%; for example: C:\Windows\Temp\

      See also log files location for all ESMC components in ESMC User Guide.

      1. In the Basic section, select Run Command from the Task drop-down menu.
      2. In the Settings section, in the Command line to run field, type: msiexec /qn /i "\\SERVER\readonlyshare\Agent_x86.msi" /l*v! %TEMP%\era-agent-upgrade.txt (replace server with your actual server name and readonlyshare with your share name).
        • When using the installer package via HTTP:

          msiexec /qn /i "http://SERVER/share/agent_x86.msi" /l*v! %TEMP%\era-agent-upgrade.txt

          msiexec /qn /i "http://repository.eset.com/v1/com/eset/apps/business/era/agent/v7/7.0.553.0/agent_x86.msi" /l*v! %TEMP%\era-agent-upgrade.txt
      3. Create Trigger for this Client Task and in the Targets section, select the dynamic group for 32-bit operating systems created in Step a.
    3. Create a new Client Task for 64-bit systems.

      "MainEngineThread is returning 1619" Error Message:

      The installation package is damaged and cannot be opened. Deploy ESET Management Agent with a different installation package.

      1. In the Basic section, select Run Command from the Task drop-down menu.
      2. In the Settings section, in the Command line to run field, type: msiexec /qn /i "\\server\readonlyshare\Agent_x64.msi" /l*v! %TEMP%\era-agent-upgrade.txt  (replace server with your actual server name and readonlyshare with share name).
        • When using installer package via HTTP:

          msiexec /qn /i "http://SERVER/share/agent_x64.msi" /l*v! %TEMP%\era-agent-upgrade.txt

          msiexec /qn /i "http://repository.eset.com/v1/com/eset/apps/business/era/agent/v7/7.0.553.0/agent_x64.msi" /l*v! %TEMP%\era-agent-upgrade.txt
      3. Create Trigger for this Client Task and in the Targets section, select the dynamic group for 64-bit operating systems created in Step a.
    4. To view client task details, click Computers, select the applicable client computer, click Show Details and then click Installed Applications. There will be a brief period where two versions of Agent are running on a single client machine. This is only temporary. Create an Outdated applications report to monitor the status of client computers hourly.

Figure 1-1

II. Install and configure Apache HTTP Proxy

  1. Install Apache HTTP Proxy on the machine where the ERA Proxy is installed. Use the pre-configured ESET version of Apache HTTP Proxy. The configuration necessary for handling connection of ESET Management Agents is included.
  2. Modify the Apache HTTP Proxy configuration file httpd.conf located in C:\Program FIles\Apache HTTP Proxy\conf.
    1. If you have changed the default port (2222) for the Agent, find the line AllowCONNECT 443 563 2222and change 2222 to the number of your port.
       
    2. Add the hostname or IP address of your ESMC Server to the configuration file. The hostname you add must be exactly the same as Agents use to connect the ESMC Server. You can add IP address, hostname or both. See the example code below. Add the whole segment of the code to your configuration file. Substitute hostname.example for your hostname, and 10.1.1.123 for your IP address.

      #Allow connection to my ESMC Server machine

      <ProxyMatch ^(hostname.example|10.1.1.123)$>

      Allow from all

      </ProxyMatch>

      If you want to use only the hostname (or IP), use the following syntax and substitute hostname.example for your hostname (or IP):

      #Allow connection to my ESMC Server machine

      <ProxyMatch ^hostname.example$>

      Allow from all

      </ProxyMatch>
       

    3. Save the changes and restart the Apache HTTP Proxy service.
       

 

Figure 2-1

 

III. Assign a transition policy to a test client

Figure 3-1

 

  1. Create a new policy on your ESMC Server. In the ESMC Web Console click Policies  Create New.
     
  2. In the Basic section, type a Name for the policy.
     
  3. In the Settings section, select ESET Management Agent.
     
  4. Navigate to Connection  Server connects to Edit server list.
     
  5. Click Add and enter the address (the address must match what Agent use in the configuration) of your ESMC Server in the Host field. Click OK.
     
  6. Change the operator from Replace to Append.
     
  7. Click Save.
     
  8. Navigate to Advanced Settings HTTP Proxy and set Proxy Configuration to Different Proxy Per Service.
     
  9. Click Replication  Edit and enable the Use proxy server option.
     
  10. Type the IP address of the proxy machine to the Host field.
     
  11. Leave the default value 3128 for the Port.
     
  12. Click Save and Finish to save the policy. Do not assign it to any computer yet.
Important!

It is absolutely necessary to have both IP addresses in one list applied on the client. If the Agent does not have this information in the policy, it will be unable to connect to the Proxy and the ESMC Server after the upgrade. Such an Agent must be fixed manually by running a repair installation and using the correct ESMC Server address.


If HTTP Proxy setting is not applied in the policy, the Agent will not be able to connect the ESMC Server. Manual re-installation cannot fix this.
 

  1. Choose one computer that is connected via ERA Proxy and assign the new policy to that test client.
     
  2. Wait a few minutes until the policy is applied and check if the computer is still connecting to the ESMC Server.
     

IV. Upgrade ERA Agents on client computers

  1. Upgrade a test client computer.
    1. Create a new Dynamic Group based on operating system (32-bit or 64-bit).
      • For 32-bit systems:
        • Operation "AND"
        • Add rule OS edition > OS platform = (equal) 32-bit
        • Add rule OS edition > OS type contains Windows
           
      • For 64-bit systems:
        • Operation "AND"
        • Add rule OS edition > OS platform = (equal) 64-bit
        • Add rule OS edition > OS type contains Windows
           
    2. Create a new Client Task for 32-bit systems.

      ESMC Log File location:

      The ESMC log file is accessible at: %TEMP%; for example: C:\Windows\Temp\

      See also log files location for all ESMC components in ESMC User Guide.

      1. In the Basic section, select Run Command from the Task drop-down menu.
      2. In the Settings section, in the Command line to run field, type: msiexec /qn /i "\\SERVER\readonlyshare\Agent_x86.msi" /l*v! %TEMP%\era-agent-upgrade.txt (replace server with your actual server name and readonlyshare with your share name).
        • When using the installer package via HTTP:

          msiexec /qn /i "http://SERVER/share/agent_x86.msi" /l*v! %TEMP%\era-agent-upgrade.txt

          msiexec /qn /i "http://repository.eset.com/v1/com/eset/apps/business/era/agent/v7/7.0.553.0/agent_x86.msi" /l*v! %TEMP%\era-agent-upgrade.txt
      3. Create Trigger for this Client Task and in the Targets section, select the dynamic group for 32-bit operating systems created in Step a.
    3. Create a new Client Task for 64-bit systems.

      "MainEngineThread is returning 1619" Error Message:

      The installation package is damaged and cannot be opened. Deploy ESET Management Agent with a different installation package.

      1. In the Basic section, select Run Command from the Task drop-down menu.
      2. In the Settings section, in the Command line to run field, type: msiexec /qn /i "\\server\readonlyshare\Agent_x64.msi" /l*v! %TEMP%\era-agent-upgrade.txt  (replace server with your actual server name and readonlyshare with share name).
        • When using installer package via HTTP:

          msiexec /qn /i "http://SERVER/share/agent_x64.msi" /l*v! %TEMP%\era-agent-upgrade.txt

          msiexec /qn /i "http://repository.eset.com/v1/com/eset/apps/business/era/agent/v7/7.0.553.0/agent_x64.msi" /l*v! %TEMP%\era-agent-upgrade.txt
      3. Create Trigger for this Client Task and in the Targets section, select the dynamic group for 64-bit operating systems created in Step a.
    4. To view client task details, click Computers, select the applicable client computer, click Show Details and then click Installed Applications. There will be a brief period where two versions of Agent are running on a single client machine. This is only temporary. Create an Outdated applications report to monitor the status of client computers hourly.
  2. After the client is upgraded to version 7, check if it is still connecting to the ESMC Server. If the computer is successfully connecting after the upgrade, continue to upgrade other computers.
Important!

If you have a larger network, begin the upgrade at departments with IT-experienced users or those who are physically closer to computers to make the troubleshooting easier.

  1. Apply the policy (from the part III) to the other computers connected via the ERA Proxy.

Figure 4-1

 

  1. Wait a few minutes until the policy is applied and check if clients are still connecting to the ESMC Server.
     
  2. Repeat Step 1 in this section.
     
  3. If all clients are connecting to the ESMC Server after the upgrade is finished, you can proceed with next steps.
     

Figure 4-2

 

V. Remove ERA Proxy address from the list of servers

Figure 5-1

  1. Modify the policy (from the part III).Click Policies, click the gear icon next to the policy you want to modify and then click Edit.
     
  2. In the Settings > Connection change the operator from Append to Replace.
     
  3. Click Save.
     
  4. Click Finish to save and apply the policy.
     
  5. Remove the ERA Proxy component using Client Tasks Software Uninstall.

Figure 5-2


Reactie toevoegen

Log in of registreer om een reactie te plaatsen.

Heeft u een wachtwoordherinnering nodig?