[KB7805] Best practices for using the ESET PROTECT On-Prem in an offline environment

Issue

Solution

Prerequisites

  • ESET PROTECT On-Prem installed, or the Virtual Appliance deployed.
  • Ensure you have ESET Bridge installed.
  • Download Linux MirrorTool or Windows MirrorTool.exe file. See the complete documentation for more information on the Mirror Tool and a list of available parameters.
    • MirrorTool.exe does not run on Windows XP and Microsoft Windows Server 2003.
  • If you run the Mirror Tool on Windows, install the following:
    • Visual C++ Redistributable for Visual Studio 2010
    • Visual C++ 2015 Redistributable x86
  • One machine is connected to the internet to create and update the offline repository.
  • At least 250 GB of free space at the machine where the full offline repository is created.
  • Download offline license files from ESET Business Account.

Create the repository using the Mirror Tool

  1. Download the update files using the Mirror Tool to your intermediary machine.

  2. Move the files to the offline web server. For example, ESET Bridge.

  3. Set up the Agents and endpoints to use the offline web server.

  4. Configure the ESET Mirror Tool to download updates from another ESET Mirror Tool.

    Figure 1-1

     


Create an offline repository

The Mirror Tool downloads data to the repository-intermediate folder. When the download is finished, it moves all the data to the repository-final folder.

Ensure there is enough free space on your drive, each folder is 100GB in size. As ESET releases new updates and product versions, the total size will continue to grow.

Update your offline resources regularly

Run this task every few months and move the new files to your offline repository.

  1. Run the following command in the command line on a computer with internet access. Use MirrorTool.exe on Windows machines and MirrorTool on Linux.

    MirrorTool.exe --repositoryServer AUTOSELECT ^
    --intermediateRepositoryDirectory repository-intermediate ^
    --outputRepositoryDirectory repository-final
  2. Follow these steps to reduce the download size of the folder:
    1. To reduce the download size of the folder, create a text file in JSON format placed in the same folder as Mirror Tool, for example: --filterFilePath filter.txt

    2. In the text file, type in the desired parameters as described in this Online Help topic. Later in this document, you can find a list of the product names that can be used with these parameters. See the list of language codes.

    3. Optionally, add the parameter --dryRun to the text file and run the Mirror Tool. When you use this optional parameter, Mirror Tool will not download any files, but it will generate a .csv file listing all packages that will be downloaded.
Filtering products can break installers

If you use the product filtering option and create a reduced repository, you cannot create an All-in-one installer of a product that you filtered out of the repository. 

  • To create an All-in-one installer with Agent only, you need to filter "ESET PROTECT Bootstrapper" "ESET Management Agent".
  • To create an All-in-one installer that contains an Agent and an ESET security product, filter also product names, for example: "ESET PROTECT Bootstrapper" "ESET Management Agent" "ESET Endpoint Security".
  1. To create an update mirror, you need the offline license file (license_file.lf) available on your intermediary machine. Run the following command to download the update files:

    MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory mirror-intermediary ^
    --offlineLicenseFilename license_file.lf ^
    --outputDirectory mirror-final

    The Mirror Tool creates two folders, temporary and final with a 3GB size. You can use the --excludedProducts parameters to decrease the download size:

    • ep9
    • ep10
    • ep11
    • era6 (covers all PROTECT On-Prem)

    Example usage of the --excludedProducts parameter: 

    MirrorTool.exe --mirrorType regular ^
    --intermediateUpdateDirectory mirror-intermediary ^
    --offlineLicenseFilename license_file.lf ^
    --outputDirectory mirror-final ^
    --excludedProducts ep6 ep7 ep8
    Update your offline resources regularly

    Schedule this command to run every six hours and move the content of the output folders to the offline server.


See the list of available products

Product
ApacheHttp
ESET Antivirus for Linux - Business Edition
ESET Bridge
ESET Endpoint Antivirus
ESET Endpoint Antivirus for macOS
ESET Endpoint Antivirus for OS X
ESET Endpoint Security
ESET Endpoint Security for Android
ESET Endpoint Security for Android - web edition
ESET Endpoint Security for macOS
ESET Endpoint Security for OS X
ESET File Security
ESET File Security for Microsoft Windows Server
ESET File Security for Microsoft Windows Server Core
ESET Full Disk Encryption
ESET Full Disk Encryption for macOS
ESET Inspect Connector
ESET Inspect Server
ESET Mail Security for IBM Domino  
ESET Mail Security for Microsoft Exchange Server
ESET Mail/File/Gateway Security for Linux  
ESET Management Agent
ESET NSX Service Manager
ESET PROTECT Bootstrapper
ESET PROTECT Mobile Device Connector
ESET PROTECT on-prem Server
ESET PROTECT Server
ESET PROTECT WebConsole
ESET Rogue Detection Sensor
ESET Secure Authentication
ESET Secure Authentication Components
ESET Secure Authentication Synchronization Agent
ESET Security for Microsoft SharePoint Server
ESET Server Security
ESET Server Security for Microsoft Windows Server
Safetica Agent
WinPcap

Move files to the offline webserver

After you download the update and/or repository files using the Mirror Tool (as described above), choose a local webserver (for example, ESET Bridge or Microsoft IIS).

Set up the webserver to serve the updates and installers to the machines in the offline environment. See the setup instructions for ESET Bridge and Microsoft IIS below.

Alternative: I want to distribute updates using the ESET Endpoint as the update mirror.

Built-in proxy policy

If you have installed the ESET PROTECT On-Prem using the All-in-one (Bootstrapper) installer with enabled ESET Bridge, all clients will be configured by default to tunnel communication with ESET via the proxy. This configuration is also present in live installer scripts


My offline web server is on Windows

Windows server with Microsoft IIS

  1. Copy the whole folder downloaded by the Mirror tool to C:\inetpub\wwwroot.

  2. Enable Directory Browsing in IIS Manager.

  3. Add MIME type with extension * as text/plain.

    Figure 2-1

     

    Unable to read the extension

    If ESET PROTECT On-Prem is unable to read the added extension, edit web.config in the IIS root folder and add a line with fileExtension=".".

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <directoryBrowse enabled="true" />
            <staticContent>
                <mimeMap fileExtension=".*" mimeType="text/plain" />
                <mimeMap fileExtension="." mimeType="text/plain" />
            </staticContent>
        </system.webServer>
    </configuration>

Windows server with ESET Bridge (distributed with ESET PROTECT On-Prem)

  1. Install ESET Bridge (ESET PROTECT On-Prem)
Admin access needed

You need to have administrator permissions to edit the ESET Bridge configuration and restart the ESET Bridge service.

  1. Using a simple text editor, open the pkgid file from C:\Program Files\ESET\Bridge. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file. 

  2. Copy the downloaded repository to the offline repository server directory: 

  • The default location of the offline repository server directory is C:\ProgramData\ESET\Bridge\OfflineRepository with proper access rights.
  • To use a custom directory, create a new folder for the offline repository (for example, C:\Repository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "C:\\Repository". The NETWORK SERVICE user needs full access rights to the directory.
  1. Restart the ESET Bridge service using the command line commands: net stop "EsetBridge" and net start "EsetBridge". You must restart the service only after changing the pkgid file—the service restart is unnecessary when the repository data is changed, deleted or added.

  1. The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).

My offline web server is on Linux or ESET PROTECT Virtual Appliance

How do I install ESET Bridge (HTTP Proxy) on Linux?

Linux and ESET PROTECT Virtual Appliance (CentOS) with ESET Bridge

CentOS 7 End of Life

CentOS 7 will reach End of Life on June 30, 2024. ESET PROTECT On-Prem installed on CentOS 7 machines and ESET PROTECT Virtual Appliance will require a migration. For more information, refer to the ESET End of Life microsite.

  1. Install ESET Bridge (ESET PROTECT On-Prem)
Admin access needed

You need to have administrator permissions to edit the ESET Bridge configuration and restart the ESET Bridge service.

  1. Using a simple text editor, open the pkgid file from /opt/eset/bridge/etc. Change the http_proxy_settings_static_content_enabled setting to true to activate the offline repository server. Save the changes and close the pkgid file. 

  2. Copy the downloaded repository to the offline repository server directory: 

  • The default location of the offline repository server directory is /var/opt/eset/bridge/OfflineRepository with proper access rights.
  • To use a custom directory, create a new folder for the offline repository (for example, /var/opt/CustomOfflineRepository). In the pkgid file, replace the line "http_proxy_settings_offline_repository_dirPath": "%DATADIR%\\OfflineRepository" with "http_proxy_settings_offline_repository_dirPath": "/var/opt/CustomOfflineRepository". The NETWORK SERVICE user needs full access rights to the directory.
  1. Restart the ESET Bridge service using this terminal command: sudo systemctl restart EsetBridge.service. You must restart the service only after changing the pkgid file—the service restart is unnecessary when the repository data is changed, deleted or added.

  1. The offline repository runs on the address http://YourIPaddress:4449 (for example, http://10.1.1.10:4449).


SELinux (applicable on Linux and ESET PROTECT Virtual Appliance)

SELinux can block the other devices from accessing the repository machine. Add an exception for the repository/updates files location or disable the SELinux.

To turn off this feature, follow the steps below:

  1. Open /etc/selinux/config in your editor, find and set the following value:

    SELINUX=disabled
  1. Restart the system (machine) to apply the changes.


Open ports 4449 a 3128 on Linux or VA firewall

  1. When using the ESET PROTECT Virtual Appliance, use Webmin to add port 4449 to the rule where 3128 is already listed, and save the configuration.
    Figure 3-1

If you prefer the Linux Console, use the following command to do the same:

iptables -A INPUT -p tcp --dport 4449 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 4449 -j ACCEPT
service iptables save
service ip6tables save

 

Optional: Installing ESET security products from a shared location

In this case, we do not use a repository. You need to have ESET Management Agents installed on client machines.

  1. Download an ESET Endpoint installer (ESET download site).

  2. Save the installer to a location accessible to other computers in your offline network. We recommend creating a logical folder structure based on product names and versions.

  3. Log in to ESET PROTECT On-Prem.

  4. Create a new Software Install task with the direct link.  Deploy or upgrade ESET endpoint products using ESET PROTECT On-Prem.


Set up your server and clients to use the offline repository

See the examples below to set paths of Repository and Update servers with ESET Endpoint products. Do the following in ESET PROTECT On-Prem:

Set up the ESET PROTECT Server to use the offline repository and updates


Server settings

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Navigate to More → Settings Advanced Settings → Repository.

  3. Type your address in the Server field.

    Figure 4-1
  4. Navigate to the Updates section.

  5. Type your offline server's address in the Update server field and click Save. Type the whole address with the folder structure, according to the product you are setting up.

    Figure 4-2
Use the correct path for each product

For the Update server settings, always type the full path according to the product you are setting up. For example: http://update.server.local/mirror-final/eset_upd/ep11

The last folder in the path should be one of the following:

Folder Name Updated products
ep9 ESET Endpoint 9.x
ep10 ESET Endpoint 10.x
ep11 ESET Endpoint 11.x
era6
ESET PROTECT On-Prem
Set up ESET Management Agents to use the offline repository and updates


Agent policy

You need to apply the new settings to all machines (their Agents) that are using the offline server for updates and repositories. Select a suitable policy or create a new one and assign it to those machines.

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Navigate to Policies.

  3. Select the appropriate policy.

  4. In the policy Settings section, navigate to → Advanced SettingsRepository.

  5. Type your address in the Server field.

    Figure 5-1
  6. Navigate to Updates section.

  7. Type your offline server's address in the Update server field and click Save. Ensure you type the whole address with the folder structure, according to the product you are setting up.

    Figure 5-2
Set up ESET Endpoint products to use the offline repository and updates


Policies for ESET Endpoint products (on Windows)

  1. Activate ESET Endpoint products in the offline environment.

You need to apply the new settings to all machines (their ESET security products) that are using the offline server for updates. Select a suitable policy or create a new one and assign it to those machines.

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Navigate to Policies.

  3. Select the appropriate policy.

  4. In the policy Settings section, navigate to → UPDATEProfiles → Updates → Modules Updates.

  5. Disable the toggle next to Choose automatically.

  6. Type your offline server's address in the Custom server field and click Finish. Make sure to enter the whole address with the folder structure, according to the product you are setting up. The example image below shows the ESET Endpoint folder address.

    Figure 6-1
Use the correct path for each product

For the Custom server settings, always type the full path according to the product you are setting up. For example: http://update.server.local:8080/mirror-final/eset_upd/ep11

The last folder in the path should be one of the following:

Folder Name Updated products
ep9 ESET Endpoint 9.x
ep10 ESET Endpoint 10.x
ep11 ESET Endpoint 11.x
era6
ESET PROTECT On-Prem

Other products

If necessary, create policies for any ESET product similar to the examples shown above.

Enable access to the web server machine

Make sure all client machines can access the offline repository machine on port 8080.

Assistance supplémentaire