Advanced security includes a secure network communication between ESET PROTECT components:
•Certificates and certification authorities use SHA-256 (instead of SHA-1).
•The ESET PROTECT server uses the highest possible security (TLS 1.3 or 1.2) for communication with agents, Syslog and SMTP communication.
•MDM users: The ESET PROTECT server uses TLS 1.2 for communication with the MDM server. Communication between the MDM server and mobile devices is not affected.
Advanced security works with all supported operating systems:
•Windows
•Linux - We recommend that you use the latest version of OpenSSL 1.1.1. ESET Management Agent also supports OpenSSL 3.x. The minimum supported version of OpenSSL for Linux is openssl-1.0.1e-30. There can be more versions of OpenSSL installed on one system simultaneously. At least one supported version must be present on your system.
oUse the command openssl version to show the current default version.
oYou can list all versions of OpenSSL present on your system. See the filename endings listed using the command sudo find / -iname *libcrypto.so*
oVerify if your Linux client is compatible using the following command: openssl s_client -connect google.com:443 -tls1_2
•macOS
|
|
Advanced security is enabled by default in all new installations of ESET PROTECT 8.1 and later.
If you use ESMC or ESET PROTECT 8.0 with disabled Advanced security and you upgrade to ESET PROTECT 8.1 and later, advanced security remains disabled. We recommend that you enable it by following the steps below.
|
Enable and apply advanced security on your network
|
|
•When you enable advanced security, you must restart the ESET PROTECT server to start using the feature.
•Advanced security does not influence the existing Certification Authorities (CAs) and certificates. Advanced security includes only the new CAs and certificates created after advanced security is enabled. To apply advanced security in the current ESET PROTECT infrastructure, you must replace the existing certificates.
•If you want to use the Advanced security, we strongly recommend to set it up before importing the MSP account. |
1.Click More > Settings > Connection and click the toggle next to Advanced security (requires restart!).
2.Click Save to apply the setting.
3.Close the Console and restart the ESET PROTECT server service.
4.Wait a few minutes after the service is started and log in to the Web Console.
5.Verify if all computers are still connecting and no other problems have occurred.
6.Click More > Certification Authorities > New and create a new CA. The new CA is automatically sent to all client computers during the next Agent - Server connection.
7.Create new peer certificates signed with this new CA. Create a certificate for the agent and the server (you can select it in the Product drop-down menu in the wizard).
8.Exchange your current ESET PROTECT server certificate for the new one.
9.Create a new ESET Management Agent policy to set up your agents to use the new agent certificate:
a.In the Connection section, click Certificate > Open certificate list and select the new peer certificate.
b.Assign the policy to computers where you want to use the advanced security.
c.Click Finish.
10. After all devices are connecting with the new certificate, you can delete your old CA and revoke old certificates.
|
|
Do not delete your old CA or revoke old certificates if you applied advanced security only on some (and not all) of the connected client computers.
|
To apply advanced security to the Mobile Device Management (MDM) component, create new MDM and proxy certificates signed by the new CA and assign them via a policy to the MDM server as follows:
•Click ESET Mobile Device Connector Policy > General > HTTPS certificate. Import the new MDM Certificate.
•Click ESET Mobile Device Connector Policy > Connection > Certificate = proxy certificate. |
