Advanced security

Turn on Advanced security to apply the features below to network communication between ESMC components.

Advanced security includes these features:

Newly created certificates and certification authorities use SHA-256 (instead of SHA-1). To apply Advanced security in the existing ESMC infrastructure, you need to replace the existing certificates.

ESMC Server uses the latest TLS (TLS 1.2) for communication with Agents.

When enabled, Advanced security enforces TLS 1.2 for Syslog and SMTP communication.

IMPORTANT

When you enable Advanced security, you need to restart the ESMC Server to begin using the feature.

Advanced security does not affect existing CAs and certificates; it applies only to CAs and certificates created after Advanced security is enabled.

Minimum compatibility requirements include the following:

Windows: Windows XP and later, Windows Server 2003 and later.

NOTE

ESET Management Agent 7 contains its own SSL module that enables the usage of TLS 1.2 even with older operating systems (Windows XP and Windows Server 2003).

Linux: Ubuntu 12.04 and later, RHEL/CentOS 6 and later, Debian 7.0 and later.

IMPORTANT

The minimum supported version of OpenSSL for Linux is openssl-1.0.1e-30. OpenSSL 1.1.* and later is not supported. You can verify whether your Linux client is compatible using the following command:
openssl s_client -connect google.com:443 -tls1_2

OS X 10.9 and later.
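
The Linux requirement above can be checked on each client before Advanced security is enabled. The script below is an added example, not part of the ESET documentation: its function names are hypothetical, and it judges only the version string printed by the openssl version command, so the distribution package release (the -30 in openssl-1.0.1e-30) still has to be compared with the package manager.

```sh
#!/bin/sh
# Added example; function names are hypothetical.
# The version bounds are the ones stated on this page:
#   minimum 1.0.1e, and 1.1.* or later is not supported.

# Classify the output of `openssl version`,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
# Prints one of: supported | too-old | too-new | unknown
classify_openssl() (
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; exit 0; fi
    letter=${ver##*[0-9]}            # trailing patch letter, may be empty
    ver=${ver%"$letter"}             # numeric part, e.g. 1.0.1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }; then
        echo too-new                 # 1.1.* and later
    elif [ "$major" -lt 1 ] || [ "$patch" -lt 1 ]; then
        echo too-old                 # 0.9.x and 1.0.0
    elif [ "$patch" -eq 1 ]; then
        case $letter in
            ''|a|b|c|d) echo too-old ;;    # 1.0.1 through 1.0.1d
            *)          echo supported ;;  # 1.0.1e and later letters
        esac
    else
        echo supported               # 1.0.2 series
    fi
)

# Run the page's handshake test against host:port (argument 1).
# Succeeds only if the session really negotiated TLS 1.2.
tls12_ok() {
    openssl s_client -connect "$1" -tls1_2 </dev/null 2>/dev/null |
        grep -q 'Protocol *: *TLSv1\.2'
}

# Combine both checks; returns non-zero on the first failure.
preflight() {
    state=$(classify_openssl "$(openssl version)")
    echo "OpenSSL version: $state"
    [ "$state" = supported ] || return 1
    tls12_ok "$1" && echo "TLS 1.2 handshake with $1: ok"
}

# Usage: sh preflight.sh host:port
if [ $# -gt 0 ]; then preflight "$1"; fi
```

A result of unknown means the string did not come from OpenSSL (for example a LibreSSL build) and needs a manual check.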

How to enable and apply Advanced security on your network

Before enabling this feature, make sure all your client computers can communicate via TLS 1.2 (see the note above). The procedure contains two restarts of the ESMC Server service.

Follow this procedure to enable and apply Advanced security:

1. Navigate to More > Server Settings and click the slider next to Advanced security (require restart!).

2. Click Save to apply the setting.

3. Close the Console and restart the ESMC Server service.

4. Wait a few minutes after the service is started and log in to the Web Console.

5. Check if all computers are still connecting and no other problems have occurred.

6. Navigate to More > Certification Authorities > New and create a new CA. The new CA is automatically sent to all client computers during the next Agent - Server connection.

7. Create new peer certificates signed with this new CA. Create a certificate for Agent and for Server (you can select it in the Product drop-down menu in the wizard).

8. Change your current ESMC Server certificate for the new one.

9. Create a new ESET Management Agent policy to set up your Agents to use the new Agent certificate.

a. In the Connection section, click Certificate > Open certificate list and select the new peer certificate.

b. Assign the policy to computers where you want to use Advanced security.

c. Click Finish to apply.

10. When all devices are connecting with the new certificate, you can delete your old CA and revoke old certificates.

IMPORTANT

Do not delete your old CA or revoke old certificates if you applied Advanced security only on some (and not all) of the connected client computers.

Advanced security on systems with installed MDM

This setting will affect only communication between ESMC Server and MDM Server. Communication between MDM Server and Mobile Devices will not be affected. To apply advanced security to the MDM component, create new MDM and Proxy certificates signed by the new CA and assign them via policy to the MDM server as follows:

ESET Mobile Device Connector Policy > General > HTTPS certificate. Import the new MDM Certificate.

ESET Mobile Device Connector Policy > Connection > Certificate = Proxy certificate.