[KB7034] Advanced scenarios for Apache HTTP Proxy with ESMC 7

Issue

  • General information about HTTP Proxy
  • Using different proxy solutions for caching and forwarding
  • Configure Apache HTTP Proxy for higher security
  • Setup a proxy chain
  • Deploy Apache HTTP Proxy in an environment with DMZ
  • Transition from ERA Proxy to Apache HTTP Proxy (and ESMC 7) in an environment with DMZ

Details

We recommend that you use the Apache HTTP Proxy distributed by ESET. It has the correct configuration necessary for:

  • Forwarding ESET Management Agents' replication (communication with ESMC server)
  • Caching ESET detection engine updates and installer files  
  • Caching ESET Dynamic Threat Defense analysis results

If you use your custom Apache HTTP Proxy installation, make sure you have configured it properly. The proper configuration can be found in the file httpd.conf contained in the Apache installer distributed by ESET.

Solution

About HTTP Proxy

In ESET Security Management Center (ESMC) 7, the former ERA Proxy component is no longer being used. Instead, Apache HTTP Proxy forwards the information from Agents checking in to ESMC Server. Users can also use other proxy solutions that comply with requirements. Unlike the former ERA Proxy component, Apache HTTP Proxy only forwards communication from the Agents; it does not cache or open the communication (replication).

The Apache HTTP Proxy distributed by ESET is by default pre-configured for both replication and caching of ESET product downloads and updates; however, some configuration is still needed (see step 6 in the documentation). See the scheme of a single proxy solution for a branch office in Figure 1-1.

Figure 1-1

Using different proxy solutions for caching and replication

Users in some environments may need to use separate proxy solutions for caching and replication. In the example below one branch office is using a separate proxy for caching and another for replication to the ESMC Server in the main office.

Figure 1-2

Configure an Agent to use different proxies

The proxy settings are located in the Agent policy. To configure them, create a new Agent policy or modify an existing one. You can also create multiple Agent policies with different proxy setups and assign them to computers using dynamic groups. When a client machine is moved to a different dynamic group, it will automatically use the appropriate proxy setup.

To set up different proxies, follow these steps:

  1. Open ESET Security Management Center Web Console (ESMC Web Console) in your web browser and log in as a sufficiently privileged user.
     
  2. Click Policies > New Policy.
     
  3. Type a Name and Description in the Basic section and click Continue.
     
  4. In the Settings section, select ESET Management Agent from the drop-down menu and expand Advanced settings.
     
  5. In the HTTP Proxy section, change the Proxy Configuration Type to Different Proxy Per Service.

Figure 1-3

  6. Click Edit next to Replication (to ESMC Server). Click Use proxy server and enter the Host and Port values. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Do not enter a Username or Password. Click Save to save the settings.

Figure 1-4

  7. Click Edit next to ESET Services (updates, packages, telemetry...). Click Use proxy server and enter the Host and Port values. Port is set to 3128 by default. Host is the hostname or IP address of the machine where the proxy is running. Click Save to save the settings.

Figure 1-5

  8. Click Continue and assign the policy to Agents in the Assign screen. Select a group or multiple machines which will use the new proxy setting.
     
  9. Click Finish to apply the policy.

Set up Apache HTTP Proxy for higher security

Apache HTTP Proxy security can be hardened in the following ways:

  • Block all incoming connections except those to ESMC and ESET related hostnames.
  • Change the Apache service user to a less privileged user.
  • Block all other ports except those required by ESMC (view the diagram).
    • You can set up a separate proxy solution purely for forwarding the Agent - Server communication. In the ESET Management Agent policy navigate to Advanced Settings > HTTP Proxy > Proxy Configuration Type, select Different Proxy Per Service and set up the Replication (to ESMC Server) option. When the separate proxy solution is working:
      • you can remove the ports 443 and 563 from the AllowCONNECT values in the proxy settings (httpd.conf).
      • you can remove the whitelisted addresses (ProxyMatch segments) from the proxy settings (httpd.conf), except the one for your ESMC Server machine.
  • Use a different proxy solution (not Apache) if it complies with the proxy requirements. ESET does not provide support for other proxy solutions.

Set up a proxy chain

ESMC does not support proxy chaining when the upstream proxy requires authentication. To enable proxy chaining, add the following to the proxy configuration (httpd.conf):

ProxyRemote * http://IP_ADDRESS:3128

When using proxy chaining on the ESMC Virtual Appliance, the SELinux policy must be modified. Open the terminal on the ESMC VA and run the following command:

/usr/sbin/setsebool -P httpd_can_network_connect 1

When using proxy chaining, the firewall must allow communication on the ports in this diagram. Note that proxies communicate with each other on port 3128, but the last HTTP Proxy machine communicates with the ESMC Server on port 2222. The port numbers mentioned in the documentation are the defaults.
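The following httpd.conf fragment is an added example (not the httpd.conf shipped in ESET's Apache installer) that combines the hardening points above (restricted AllowCONNECT, a single whitelisted ESMC Server hostname, a less privileged service user) with the ProxyRemote line used for proxy chaining. It assumes Apache 2.4 Require syntax on Linux; esmc.example.local, 10.0.0.0/8 and 10.0.0.5 are placeholders for your ESMC Server hostname, your internal agent subnet and the next proxy in the chain.

```apache
# Added example: forwarding-only Apache HTTP Proxy for Agent replication,
# hardened and chained to an upstream proxy. Placeholder values throughout.

# Listen only on the proxy port used by the Agents (default 3128).
Listen 3128

# Run worker processes as an unprivileged account (Linux/Unix builds).
User apache
Group apache

ProxyRequests On
ProxyVia On

# Agents reach the ESMC Server through CONNECT tunnels on port 2222.
# 443 and 563 (the Apache defaults) are deliberately left out: once ESET
# services use a separate caching proxy, generic HTTPS tunnelling is not needed.
AllowCONNECT 2222

# Deny every proxied destination by default...
<Proxy "*">
    Require all denied
</Proxy>

# ...and whitelist only the ESMC Server. The scheme is optional in the
# pattern because CONNECT requests are matched as "host:port" with no scheme.
# Only clients from the internal agent subnet may use this proxy at all.
<ProxyMatch "^(https?://)?esmc\.example\.local(:[0-9]+)?(/.*)?$">
    Require ip 10.0.0.0/8
</ProxyMatch>

# Proxy chaining: hand every forwarded request to the next proxy.
# The upstream proxy must not require authentication (unsupported by ESMC).
ProxyRemote * http://10.0.0.5:3128
```

On the ESMC Virtual Appliance the ProxyRemote line only works after the SELinux boolean shown above has been set, and the firewall must still permit 3128 between the proxies and 2222 from the last proxy to the ESMC Server.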

Apache HTTP Proxy in an environment with DMZ

In a more complex infrastructure, with a subnet that separates an internal LAN from untrusted networks (DMZ), it is recommended to deploy ESMC server out of the DMZ. Figure 2-1 illustrates one possible deployment scenario. When setting up an environment such as this, we recommend adhering to the following guidelines:

  • Use hostnames instead of IP addresses in ESMC component settings.
  • If client machines can leave the intranet (roaming clients): use dynamic groups and policies to make sure roaming clients use the server hostname resolvable from the internet only when they are outside of the intranet. Clients that cannot leave the intranet should use a hostname that is resolvable only inside the intranet, to be sure their connection is not routed via the internet.
  • Apache HTTP Proxy (when used for replication) does not aggregate connections from Agents, hence it does not save bandwidth. Use Apache HTTP Proxy for replication only if necessary.
  • Using Apache HTTP Proxy for caching updates and installers is recommended. Roaming agents should not use the caching proxy when outside of the intranet. This can be achieved by using a hostname for the caching proxy which is not resolvable outside of the intranet and allowing direct connection.
  • Firewall: open only necessary ports (see the list of used ports) for selected hostnames.
  • Set up Apache HTTP Proxy for higher security.

Figure 2-1

Transition from ERA Proxy to Apache HTTP Proxy (and ESMC 7) in an environment with DMZ

An ERA 6.x environment with DMZ and ERA Proxy can be migrated to ESMC 7 while replacing ERA Proxy with Apache HTTP Proxy or another proxy solution complying with the HTTP Proxy requirements. Never decommission the old ERA Proxy component before a working alternative is set up and running. For complete instructions, visit the following Knowledgebase articles: