Migrate from ERA Proxy (Virtual appliance) to Apache HTTP Proxy in ESMC 7
You have an ERA 6.x environment running with ERA Proxy (on a Virtual Appliance) component and you want upgrade to ESET Security Management Center (ESMC) 7, which does not support ERA Proxy. You can replace your appliance with a new one and enable Apache HTTP Proxy to substitute the role of ERA Proxy in the infrastructure. The transition must follow strict rules described in this article.
ESMC 7 introduces a new generation of the Agent - Server communication protocol. The new replication protocol uses TLS and HTTP2 protocols so it can go through Proxy servers. There are also new self-recovery features and a persistent connection which improves overall communication performance.
New communication protocol does not support connection using ERA 6.x Proxy.
ESET provides pre-configured Apache installer. The user can also use other proxy solution (besides Apache HTTP Proxy) which fulfills the following conditions:
•can forward SSL communication
•supports HTTP CONNECT
• can work without authentication (ESET Management Agent does not support authentication with proxy)
However, the configuration of other proxy solutions is not provided or supported by ESET. Other than Apache proxy solutions may not support caching of the ESET Dynamic Threat Defense communication.
- ERA 6.x Agents can connect to ESMC 7 Server.
- ESET Management (EM) Agent (version 7) cannot connect to ESMC Server via ERA Proxy.
- EM Agent (version 7) cannot connect to ERA 6.x Server.
- Do not upgrade ERA 6.x Agents before a proper proxy solution is set up.
It is not possible to run the Agent deployment task on clients which ESMC server can reach only via Apache HTTP Proxy.
I. Prepare your ERA 6.x environment
Back up your ERA Server (backup database, CA and certificates).
Upgrade your ERA Server to ESMC 7. (Server, Agent and Web Console, the Component upgrade task for Server component is currently not available).
- Wait approximately 24 hours to make sure that the upgraded environment runs smoothly.
II. Deploy the new Virtual Appliance and connect it to your ESMC Server
Download ESET Security Management Center 7 Virtual Appliance from the ESET download page.
Deploy the ESMC 7 VA on your hypervisor.
Configure the new Appliance as ESMC Server.
- Keep the password you set-up here safe. You will need it later.
Enable HTTP Forward Proxy during the configuration.
When the Appliance is deployed and configured, you have to reinstall EM Agent on this Appliance to connect to you main ESMC Server. Open the virtual machine with your ESMC VA > Enter Management mode > enter your password > Login > Exit to terminal.
The Agent installer is located:
Reinstall the Agent to connect to your main ESMC Server. We recomment to use the server-assisted installation. E.g.:
Optional: You can stop certain services on the new Appliance to save resources.
Run following commands (
System V initor
Systemdcommand, according to what you use) in the Terminal.
System V init Systemd
service eraserver stop
systemctl stop eraserver
service mysql stop
systemctl stop mysql
service tomcat stop
systemctl stop tomcat
To prevent ESMC and MySQL services to start after reboot, disable them:
systemctl disable eraserver
systemctl disable mysql
systemctl disable tomcat
Modify the Apache HTTP Proxy configuration file /etc/httpd/conf.d/proxy.conf. You can use nano editor in the Terminal or access the file using the Webmin. For nano use command:
If you have changed the default port (2222) for the Agent, find the line
AllowCONNECT 443 2222and change
2222to the number of your port.
Add the hostname or IP address of your ESMC Server to the configuration file. The hostname you add must be exactly the same as Agents use to connect the ESMC Server. You can add IP address, hostname or both.
How to write a ProxyMatch expression?
Click Create ProxyMatch expression button below to see the example code below. Substitute
example.eset.localfor your hostname, and
10.0.0.1for your IP address. Add the whole segment of the code to your configuration file.
If you want to use only the hostname (or IP), use the following syntax and substitute
hostname.examplefor your hostname (or IP):
#Allow connection to my ESMC Server machine
Allow from all
Close the file (Ctrl + x) and save the changes.
Restart the Apache HTTP Proxy service.
systemctl restart httpd
- If you have changed the default port (2222) for the Agent, find the line
- Check on your main ESMC Web Console, if the new Agent is connecting. You can use it for the future maintenance of the proxy machine.
III. Assign a transition policy to a test client
Create a new policy on your ESMC Server. In the ESMC Web Console click Policies > Create New.
In the Basic section, type a Name for the policy.
In the Settings section select ESET Management Agent.
Navigate to Connection > Server connects to > Edit server list.
Click Add and enter the address (the address must match what Agent use in the configuration) of your ESMC Server in the Host field. Click OK.
Change the operator from Replace to Append.
Navigate to Advanced Settings > HTTP Proxy and set Proxy Configuration to Different Proxy Per Service.
Click Replication > Edit and enable the Use proxy server option.
Type the IP address of the proxy machine to the Host field.
Leave the default value 3128 for the Port.
- Click Save and Finish to save the policy. Do not assign it to any computer yet.
Choose one computer which is connected via ERA Proxy and assign the new policy to that test client.
Wait a few minutes until the policy is applied and check if the computer is still connecting the ESMC Server.
IV. Upgrade ERA Agents on client computers
Run the Security management Center Components Upgrade Task to upgrade the selected test client computer.
- After the client is upgraded to version 7, check if it is still connecting to the ESMC Server. If the computer is successfully connecting after the upgrade, continue to upgrade other computers.
- Apply the policy (from the part III.) to the other computers connected via the ERA Proxy.
Wait a few minutes until the policy is applied and check if clients are still connecting to the ESMC Server.
Run the Security management Center Components Upgrade Task on these clients.
If all clients are connecting to the ESMC Server after the upgrade is finished, you can proceed with next steps.
V. Remove ERA Proxy address from the list of servers
Modify the policy (from the part III.): navigate to Policies > click the gear icon next to the policy you want to modify and click Edit.
In the Settings > Connection change the operator from Append to Replace.
Click Finish to save and apply the policy.
- You can remove the ERA Proxy Virtual Appliance (remove the virtual machine from hypervisor).