Advanced security

Turn on Advanced security to enable this setting for network communication of ESET PROTECT components.

Advanced security includes these features:

Newly created certificates and certification authorities use SHA-256 (instead of SHA-1). To apply Advanced security in the existing ESET PROTECT infrastructure, you need to replace the existing certificates.

ESET PROTECT Server uses TLS 1.2 for communication with Agents.

Enabled Advanced security enforces using the TLS 1.2 for Syslog and SMTP communication.



When you enable Advanced security, you need to restart the ESET PROTECT Server to begin using the feature.

Advanced security does not influence the already existing CAs and certificates, only new CAs and certificates created after Advanced security is enabled.

If you want to use the Advanced security, we strongly recommend to set it up before importing the MSP account.

You can enable Advanced security on all supported operating systems:





The minimum supported version of OpenSSL for Linux is openssl-1.0.1e-30. We recommend that you use the latest OpenSSL version (1.1.1). You can verify if your Linux client is compatible using the following command:
openssl s_client -connect -tls1_2


How to enable and apply Advanced security on your network

Before enabling this feature, make sure all your client computers can communicate via TLS 1.2 (see the note above). The procedure contains two restarts of the ESET PROTECT Server service.

Follow this procedure to enable and apply Advanced security:

1.Navigate to More > Server Settings > Connection and click the slider next to Advanced security (requires restart!).

2.Click Save to apply the setting.

3.Close the Console and restart the ESET PROTECT Server service.

4.Wait a few minutes after the service is started and log in to the Web Console.

5.Check if all computers are still connecting and no other problems have occurred.

6.Navigate to More > Certification Authorities > New and create a new CA. The new CA is automatically sent to all client computers during the next Agent - Server connection.

7.Create new peer certificates signed with this new CA. Create a certificate for Agent and for Server (you can select it in the Product drop-down menu in the wizard).

8.Change your current ESET PROTECT Server certificate for the new one.

9.Create a new ESET Management Agent policy to set up your Agents to use the new Agent certificate.

a.In the Connection section, click Certificate > Open certificate list and select the new peer certificate.

b.Assign the policy to computers where you want to use the Advanced security.

c.Click Finish to apply.

10. When all devices are connecting with the new certificate, you can delete your old CA and revoke old certificates.



Do not delete your old CA or revoke old certificates if you applied Advanced security only on some (and not all) of the connected client computers.

Advanced security on systems with installed MDM

This setting will affect only communication between ESET PROTECT Server and MDM Server. Communication between MDM Server and Mobile Devices will not be affected. To apply advanced security to the MDM component, create new MDM and Proxy certificates signed by the new CA and assign them via policy to the MDM server as follows:

ESET Mobile Device Connector Policy > General > HTTPS certificate. Import the new MDM Certificate.

ESET Mobile Device Connector Policy > Connection > Certificate = Proxy certificate.