Advanced security provides secure network communication between ESET PROTECT components:
•Certificates and certification authorities use SHA-256 (instead of SHA-1).
•The ESET PROTECT server uses TLS 1.2 for communication with agents.
•Advanced security enforces the use of TLS 1.2 for Syslog and SMTP communication.
•MDM users: The ESET PROTECT server uses TLS 1.2 for communication with the MDM server. Communication between the MDM server and mobile devices is not affected.
Advanced security works with all supported operating systems:
•Windows
•Linux - The minimum supported version of OpenSSL for Linux is openssl-1.0.1e-30. ESET recommends that you use the latest OpenSSL version (1.1.1). You can verify whether your Linux client is compatible by running the following command:
openssl s_client -connect google.com:443 -tls1_2
•macOS
Advanced security is enabled by default in all new installations of ESET PROTECT 8.1 and later.
If you use ESMC or ESET PROTECT 8.0 with Advanced security disabled and you upgrade to ESET PROTECT 8.1 or later, advanced security remains disabled. ESET recommends that you enable it by following the steps below.
Enable and apply advanced security on your network
•When you enable advanced security, you must restart the ESET PROTECT server to start using the feature.
•Advanced security does not influence the existing Certification Authorities (CAs) and certificates. Advanced security includes only the new CAs and certificates created after advanced security is enabled. To apply advanced security in the current ESET PROTECT infrastructure, you must replace the existing certificates.
•If you want to use advanced security, we strongly recommend that you set it up before importing the MSP account.
1. Click More > Server Settings > Connection and click the slider next to Advanced security (requires restart!).
2. Click Save to apply the setting.
3. Close the Console and restart the ESET PROTECT server service.
4. Wait a few minutes after the service is started and log in to the Web Console.
5. Verify that all computers are still connecting and that no other problems have occurred.
6. Click More > Certification Authorities > New and create a new CA. The new CA is automatically sent to all client computers during the next Agent - Server connection.
7. Create new peer certificates signed with this new CA. Create a certificate for the agent and the server (you can select it in the Product drop-down menu in the wizard).
8. Exchange your current ESET PROTECT server certificate for the new one.
9. Create a new ESET Management Agent policy to set up your agents to use the new agent certificate:
a. In the Connection section, click Certificate > Open certificate list and select the new peer certificate.
b. Assign the policy to the computers where you want to use advanced security.
c. Click Finish.
10. After all devices are connecting with the new certificate, you can delete your old CA and revoke old certificates.
Do not delete your old CA or revoke old certificates if you applied advanced security only on some (and not all) of the connected client computers.
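Before deleting the old CA in step 10, it helps to confirm which certificates are already SHA-256 signed and that a TLS 1.2 handshake actually completes. The script below is an added example, not ESET tooling: the function names are hypothetical, and it assumes the certificates are available as PEM files (converted beforehand if they were exported in another format).

```shell
#!/bin/sh
# Added example: check the two properties advanced security relies on,
# SHA-256 certificate signatures and a completed TLS 1.2 handshake.
# Assumption: certificate files given as arguments are PEM encoded.

# Read `openssl x509 -noout -text` output on stdin and print the first
# "Signature Algorithm" value (the one inside the signed certificate data).
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Map an algorithm name to one of: sha256 | legacy | other
classify_sig_alg() {
    case "$1" in
        *[Ss][Hh][Aa]256*) echo sha256 ;;
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo legacy ;;
        *) echo other ;;
    esac
}

# Read `openssl s_client ... -tls1_2` output on stdin. Succeed only if the
# session reports TLS 1.2 and a cipher was actually negotiated.
tls12_negotiated() {
    out=$(cat)
    printf '%s\n' "$out" | grep -Eq 'Protocol[[:space:]]*:[[:space:]]*TLSv1\.2' || return 1
    # A failed handshake still prints the requested protocol, but no cipher.
    if printf '%s\n' "$out" | grep -Fq 'Cipher is (NONE)'; then return 1; fi
    return 0
}

# Audit PEM files: print file, algorithm and class; return 1 if any file
# is unreadable or not signed with SHA-256.
audit_certs() {
    rc=0
    for f in "$@"; do
        alg=$(openssl x509 -in "$f" -noout -text 2>/dev/null | sig_alg_from_text)
        class=$(classify_sig_alg "$alg")
        printf '%s\t%s\t%s\n' "$f" "${alg:-unreadable}" "$class"
        [ "$class" = sha256 ] || rc=1
    done
    return "$rc"
}

# Run the audit only when certificate files are given as arguments.
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```

To test the handshake result, pipe the output of the `openssl s_client ... -tls1_2` command shown earlier into `tls12_negotiated` after sourcing the functions.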
To apply advanced security to the Mobile Device Management (MDM) component, create new MDM and proxy certificates signed by the new CA and assign them via a policy to the MDM server as follows:
•Click ESET Mobile Device Connector Policy > General > HTTPS certificate. Import the new MDM Certificate.
•Click ESET Mobile Device Connector Policy > Connection > Certificate and set it to the proxy certificate.