ESET Remote Administrator v6 Getting Started Guide for MSPs January 2017


ERA Getting Started Guide for MSPs Jan 2017


Table of Contents

Environmental Pre-requisites
Installing ESET Remote Administrator (ERA)
Configuring ERA (MSP Best Practices)
Create BASE policies
Create a new customer in ERA and prepare for deployment
Deploy ESET ERA agent and security products


Environmental Pre-requisites

The ERA management server is required to manage ESET endpoint products across all OS platforms under a single management console. The following pre-requisites should be configured in the environment before proceeding with the install of ERA:

• One of the following (either/or):
    o Windows machine (supported on Windows Client or Server OS; Windows Server 2012 R2 is recommended)
        ▪ Recommended hardware (virtual or physical): 2 vCPU, 8 GB RAM, 40 GB free disk space (after Windows install)
        ▪ Base build with OS updates
        ▪ Static IP address
        ▪ Install Java Runtime Environment (version 7 or later) and ensure Java is updating correctly
        ▪ Install Microsoft .NET Framework 3.5 using the Add Roles and Features Wizard (Windows Server) or Turn Windows Features On or Off (Windows Client)
        ▪ ESET Remote Administrator Software downloaded
    o ERA Linux virtual appliance deployed via OVA
        ▪ NOTE: when installing the Linux virtual appliance, the password that you set as the admin console password will automatically be set as the internal certificate authority password as well
• Download the ESET Remote Administrator Windows installer or Linux Virtual appliance here: https://www.eset.com/us/support/download/business/remote-administrator-6/
• Firewall rule pointing an external IP address to the ERA server on port 2222
    o Encrypted communication of endpoint agents to server
• Firewall rule pointing an external IP address to the ERA server on port 443
    o Access to ERA management console from outside of your network
        ▪ NOTE: this is only required if you want to be able to access the ERA management console while outside your internal network and do not have an alternative method of accessing the LAN (e.g. RDP, VPN, VDI, etc.)
• NOTE: ESET plugins to RMM and PSA tools (i.e. Kaseya, Labtech, Tigerpaw, Connectwise or Autotask) will use port 2223 for API communications to the ERA server and either port 80 or 443 (80 by default) for policy display. If there is a firewall between your RMM/PSA server and your ERA server, these ports must be transitively allowed between these systems
• An “A” record in your public DNS zone pointing to the external IP address used in the firewall rule. It can be new (e.g. era.yourPUBLICdomain.com) or existing (e.g. mail.yourPUBLICdomain.com)
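The port requirements above, worked through as an added example (not part of the original guide or of any ESET tooling): it builds the inbound rules the prerequisites call for and compares them with a firewall's allow list. The rule format, function names and the RMM address 203.0.113.10 are assumptions; limiting port 2223 and the policy display port to the RMM/PSA server is this example's reading of the note about those two systems.

```python
# Added example: audit inbound allow rules for the ERA server against the
# ports listed in the prerequisites. All names and sample data are constructed.

ANY = "any"  # stands for "any external source address"


def expected_rules(remote_console, rmm_server=None, policy_port=80):
    """Map each inbound port on the ERA server to the sources that need it."""
    if policy_port not in (80, 443):
        raise ValueError("policy display uses port 80 or 443")
    rules = {2222: {ANY}}                       # agents at customer sites
    if remote_console:
        rules.setdefault(443, set()).add(ANY)   # web console from outside the LAN
    if rmm_server:
        rules.setdefault(2223, set()).add(rmm_server)         # plugin API
        rules.setdefault(policy_port, set()).add(rmm_server)  # policy display
    return rules


def audit(observed, expected):
    """Compare observed (port, source) allow rules with the expected map."""
    seen = {}
    for port, source in observed:
        seen.setdefault(port, set()).add(source)

    findings = []
    # Required access that no observed rule provides.
    for port, sources in sorted(expected.items()):
        have = seen.get(port, set())
        for src in sorted(sources):
            if src not in have and ANY not in have:
                findings.append(("missing", port, src))
    # Observed access that the prerequisites do not call for.
    for port, sources in sorted(seen.items()):
        want = expected.get(port, set())
        for src in sorted(sources):
            if src in want or ANY in want:
                continue
            kind = "too-broad" if (src == ANY and want) else "unexpected"
            findings.append((kind, port, src))
    return findings


# Constructed scenario: console reached over VPN, RMM plugin in use on port 80.
EXPECTED = expected_rules(remote_console=False, rmm_server="203.0.113.10")
OBSERVED = [(2222, ANY), (443, ANY), (2223, ANY)]  # constructed firewall export

if __name__ == "__main__":
    for finding in audit(OBSERVED, EXPECTED):
        print(finding)
```

In the constructed scenario the audit reports the missing policy display rule, the console port that is published although a VPN is available, and the API port open to every source instead of the RMM server only.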


Installing ESET Remote Administrator (ERA)

1. Extract the downloaded zip file and open the folder.
2. Right-click setup.exe and select Run as administrator.
    a) If prompted, accept the User Account Control elevation prompt.
3. Click Next on the start-up screen.
4. Select Install Remote Administrator Server and click Next.
5. Read the End-User License Agreement. If you agree, select I accept the terms in the license agreement and click Next.
6. Your network architecture will determine which components should be installed. Read the descriptions below and deselect the check box next to any components that you do not want to install:
    a) Microsoft SQL Server Express: If you have an existing Microsoft SQL or MySQL database that you will use with ESET Remote Administrator, deselect this check box. Leave this check box selected to create a new Microsoft SQL Server Express database for use with ESET Remote Administrator.
    b) Web Console: This will install the Apache Tomcat service necessary for ESET Remote Administrator Server to manage clients. Leave this check box selected.
    c) ESET Mobile Device Connector: This will install the ESET Mobile Device Connector (EMDC) component, which allows for the remote management of Android and iOS devices. If you will manage mobile devices, select this option. If not, leave it deselected. See our EMDC FAQ for more information.
    d) ESET Rogue Detection Sensor: Deselect this component. This will install ESET Rogue Detection Sensor, a component that helps locate unmanaged computers on your network so that you can deploy resources to allow for their management via ERA. This is only useful for machines on your internal network, not customer machines.
    e) Apache HTTP Proxy: Deselect this component.
        i) Using HTTP Proxy will create several proxy-based policies for clients and apply them automatically, which can affect your ability to download updates. You can install Apache HTTP Proxy later if you want.

    Click Install when you are done selecting components. Installation time will vary depending on your system configuration. If a prerequisite is not satisfied or an error occurs, follow the instructions from the installer to resolve any issues.


7. Upon completion of the SQL Express installation (if applicable), the ESET Remote Administrator Server setup wizard will begin.
8. Click Next in the ESET Remote Administrator Server Setup window.
9. If you chose to have Microsoft SQL Server Express installed in step 6, click Next to perform a database connection check and then continue to step 11.
    Users with a pre-existing database: Select the appropriate database type from the Database drop-down menu. Type the Database name, Hostname and Port (you can find this information in SQL Server Configuration Manager) for your database into the appropriate fields and then click Next. In the following screen, select Use existing user and then enter the Database username and Password if one is used.
10. Type the password you will use to log into ERA Web Console into the Password and Confirm Password fields. Make sure to record this password for use later and then click Next.
    a) NOTE: if you are deploying the Linux virtual appliance, the password for the certificate authority is automatically set as the same password that is specified as the administrative log in for the ERA console.
12. In the Certificate Information window, leave all fields at default and click Next.
    a) NOTE: if you are deploying the Linux virtual appliance, the password for the certificate authority is automatically set as the same password that is specified as the administrative log in for the ERA console.
13. Select Activate Later and click Next.
14. Click Install.
15. Upon successful installation, click Next to install the ESET Remote Administrator agent, and subsequently any additional modules (MDC, Rogue Detection Sensor) that you had chosen during setup.
16. At the installation successful window, click the URL link to open the ERA web console. Bookmark the page for easy access in the future. How do I open ERA Web Console?


Configuring ERA (MSP Best Practices)

1) Skip the startup wizard

LICENSING ERA

2) Go in to Admin>License Management and add the Security Administrator account created in the Ingram Micro Cloud Marketplace.
    a) NOTE: Once these credentials have been added to ERA, one simply needs to hit the Synchronize Licenses button and changes made in the licensing portal will automatically be synced to ERA within about 5 minutes.

CREATE DYNAMIC GROUP TEMPLATES

3) Go to Admin>Dynamic Group Templates and create three (3) new dynamic group templates:
    a) Windows Client OS
        i) BASIC:
            (1) Name: Windows Client OS
            (2) Description: machine runs a Windows Client Operating System
        ii) EXPRESSION:
            (1) Operation: AND (All conditions have to be TRUE)
            (2) RULES:
                (a) OS Edition, OS Type – equals – Microsoft Windows
                (b) OS Edition, OS Name – doesn’t contain – Server
    b) Windows Server OS
        i) BASIC:
            (1) Name: Windows Server OS
            (2) Description: machine runs a Windows Server OS
        ii) EXPRESSION:
            (1) Operation: AND (all conditions have to be TRUE)
            (2) RULES:
                (a) OS Edition, OS Type – equals – Microsoft Windows
                (b) OS Edition, OS Name – contains – Server
    c) No ESET Security Product
        i) BASIC:
            (1) Name: No ESET Security Product
            (2) Description: machine does not have an ESET security product installed
        ii) EXPRESSION:
            (1) Operation: NOR (All conditions have to be FALSE)
            (2) RULES:
                (a) Installed Software, Application Name – contains – ESET Endpoint
                (b) Installed Software, Application Name – contains – ESET File
                (c) Installed Software, Application Name – contains – ESET Mail
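How the three templates above classify machines, as an added example (not ESET code and not part of the original guide): a small model of the AND and NOR expressions run over constructed inventory records. The field names, the matching engine and the case-sensitive substring comparison are assumptions made for the illustration.

```python
# Added example: models the three dynamic group templates from this guide.
# ERA evaluates templates internally; this engine and the inventory below are
# constructed, and case-sensitive substring matching is an assumption.

TEMPLATES = {
    "Windows Client OS": ("AND", [
        ("os_type", "equals", "Microsoft Windows"),
        ("os_name", "doesn't contain", "Server"),
    ]),
    "Windows Server OS": ("AND", [
        ("os_type", "equals", "Microsoft Windows"),
        ("os_name", "contains", "Server"),
    ]),
    "No ESET Security Product": ("NOR", [
        ("software", "contains", "ESET Endpoint"),
        ("software", "contains", "ESET File"),
        ("software", "contains", "ESET Mail"),
    ]),
}

# Constructed inventory records, as an agent might report them.
INVENTORY = {
    "WS-01": {"os_type": "Microsoft Windows",
              "os_name": "Microsoft Windows 10 Pro",
              "software": ["ESET Remote Administrator Agent",
                           "ESET Endpoint Security"]},
    "SRV-01": {"os_type": "Microsoft Windows",
               "os_name": "Microsoft Windows Server 2012 R2 Standard",
               "software": ["ESET Remote Administrator Agent"]},
    "SRV-02": {"os_type": "Microsoft Windows",
               "os_name": "Microsoft Windows Server 2012 R2 Standard",
               "software": ["ESET Remote Administrator Agent",
                            "ESET File Security"]},
    "MAC-01": {"os_type": "Mac OS", "os_name": "macOS 10.12", "software": []},
}


def rule_matches(machine, field, op, value):
    """Evaluate one rule; a list field matches if any element matches."""
    actual = machine[field]
    values = actual if isinstance(actual, list) else [actual]
    if op == "equals":
        return any(v == value for v in values)
    if op == "contains":
        return any(value in v for v in values)
    if op == "doesn't contain":
        return not any(value in v for v in values)
    raise ValueError(f"unknown operator: {op}")


def template_matches(machine, template):
    """Combine the rule results with the template's operation."""
    operation, rules = template
    results = [rule_matches(machine, *rule) for rule in rules]
    if operation == "AND":   # all conditions have to be TRUE
        return all(results)
    if operation == "NOR":   # all conditions have to be FALSE
        return not any(results)
    raise ValueError(f"unknown operation: {operation}")


def groups_for(machine):
    """Return the names of every template the machine satisfies."""
    return [name for name, tpl in TEMPLATES.items()
            if template_matches(machine, tpl)]


if __name__ == "__main__":
    for host, record in INVENTORY.items():
        print(host, "->", groups_for(record))
```

SRV-01 reports only the agent, so it satisfies both "Windows Server OS" and "No ESET Security Product"; MAC-01 matches neither Windows template and, with no software reported, satisfies the NOR expression.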


CREATE _CUSTOMER AND _INTERNAL PARENT STATIC GROUPS

4) Go in to Admin>Groups and click on the ALL group at the top. Click on the “settings” gear that appears on the right side of the group.
5) Select New Static Group.
6) Name the static group _CUSTOMERS and click finish.
7) Go in to Admin>Groups and click on the ALL group at the top. Click on the “settings” gear that appears on the right side of the group.
8) Select New Static Group.
9) Name the static group _INTERNAL and click finish.

Create BASE policies

1) Go to Admin>Groups and find the Windows dynamic group that nests under the ALL static group. Click on the “settings” gear that appears on the right side of the Windows dynamic group, name it Clients and use the Windows Client OS dynamic group template
2) Repeat task 1, this time creating a Servers dynamic group based off of the Windows Server OS dynamic group template

If a setting is not specified in the instructions below, please leave at default

Create Base ERA Agent policy

3) Go to Admin>Policies and click on new policy. Name the policy _BASE ERA Agent policy
    a) Expand SETTINGS and under “Select Product” choose ESET Remote Administrator Agent
        i) Expand out ADVANCED SETTINGS
            (1) Ensure that under HTTP PROXY the setting for “Use proxy server” is set to off
            (2) Scroll down to OPERATING SYSTEM and configure the settings as follows:
                (a) Report non-ESET-installed applications – ON
                (b) Report if operating system is not up-to-date
                    (i) ON if not using an RMM or other patch management solution
                    (ii) OFF if using an RMM or patch management solution
                (c) Report network firewall issues – OFF
                (d) Report virus and spyware protection issues – ON
            (3) Scroll down to SETUP and enter a password to protect the uninstall or modification of settings of the agent on the endpoint
    b) Expand out ASSIGN
        i) Click on “ASSIGN” button.


        ii) Select the box next to the ALL static group to assign the base ERA agent policy to all agents in the console
    c) Click on finish

Create Base ESET Security Product for Windows clients policy

4) Go to Admin>Policies and click on new policy. Name the policy _BASE <PRODUCT> Windows Client Policy (i.e. _BASE EES Windows Client policy)
    a) Expand SETTINGS and under “Select Product” choose ESET Security Product for Windows
        i) Click on the ANTIVIRUS tab
            (1) Expand out BASIC
                (a) Configure the settings as follows:
                    (i) Enable detection of potentially unwanted applications - ON
                    (ii) Enable detection of potentially unsafe applications - ON
            (2) Beneath ANTIVIRUS, click on the Real-time file system protection tab
                (a) Expand out THREATSENSE PARAMETERS
                    (i) Configure the settings as follows:
                        1. Runtime packers - ON
                        2. Advanced heuristics/DNA signatures - ON
            (3) Beneath ANTIVIRUS click on On-demand computer scan
                (a) Expand out BASIC
                    (i) For “Selected Profile” choose In-Depth Scan
                (b) Expand out THREATSENSE PARAMETERS
                    (i) Scroll to “cleaning level” and select Strict Cleaning
            (4) Beneath ANTIVIRUS click on Removable Media
                (a) Expand out BASIC
                    (i) For “Action” select Automatic device scan
        ii) Click on the PERSONAL FIREWALL tab - *NOTE* The settings on this tab only apply to ESET Endpoint Security, not ESET Endpoint Antivirus
            (1) Expand out BASIC
                (a) Click the slider bar for “Enable Personal Firewall” to OFF
        iii) Click on TOOLS tab
            (1) Expand out MICROSOFT WINDOWS UPDATE
                (a) For “Notify about Microsoft Windows system updates” select the following:
                    (i) Recommended updates if NOT using an RMM or other patch management tool
                    (ii) No updates if using an RMM or other patch management tool
            (2) Beneath TOOLS click on Email notifications
                (a) Configure SMTP email notifications from the endpoint, if desired
        iv) Click on USER INTERFACE tab
            (1) Expand out USER INTERFACE ELEMENTS
                (a) Configure the settings as follows:
                    (i) Start Mode – Minimal
                    (ii) Show splash-screen at startup – OFF
                    (iii) Use sound signal – OFF


                    (iv) Show license information – OFF
                    (v) Show license messages and notifications – OFF
            (2) Expand out ALERTS AND NOTIFICATIONS
                (a) Configure the settings as follows:
                    (i) Display alerts – OFF
                    (ii) Display notifications on desktop – OFF
            (3) Expand out ACCESS SETUP
                (a) Set password to protect the advanced settings and uninstall of Windows client security product
    b) Expand out ASSIGN and click on the “ASSIGN” button
        i) Assign the policy to the ALL>Windows>Clients dynamic group created in step 1 of this section
    c) Click on finish

Create Base ESET Security for Windows Server policy

5) Go to Admin>Policies and click on new policy. Name the policy _BASE EFS Windows Server Policy
    a) Expand SETTINGS and under “Select Product” choose ESET File Security for Windows Server (V6+)
        i) Click on the ANTIVIRUS tab
            (1) Expand out BASIC
                (a) Click the following slide bars to ON:
                    (i) Enable detection of potentially unwanted applications
                    (ii) Enable detection of potentially unsafe applications
            (2) Beneath ANTIVIRUS, click on the Real-time file system protection tab
                (a) Expand out THREATSENSE PARAMETERS
                    (i) Configure the settings as follows:
                        1. Runtime packers - ON
                        2. Advanced heuristics/DNA signatures – ON
                        3. Cleaning level – Strict Cleaning
            (3) Beneath ANTIVIRUS click on On-demand computer scan
                (a) Expand out BASIC
                    (i) For “Selected Profile” choose Smart Scan
                (b) Expand out THREATSENSE PARAMETERS
                    (i) Scroll to “cleaning level” and select Strict Cleaning
                (c) Expand out BASIC
                    (i) For “Selected Profile” choose In-Depth Scan
                (d) Expand out THREATSENSE PARAMETERS
                    (i) Scroll to “cleaning level” and select Strict Cleaning
            (4) Beneath ANTIVIRUS click on Startup scan
                (a) Expand out THREATSENSE PARAMETERS
                    (i) Scroll to “cleaning level” and select Strict Cleaning
            (5) Beneath ANTIVIRUS click on Removable Media
                (a) Expand out BASIC
                    (i) For “Action” select Automatic device scan
        ii) Click on TOOLS tab


            (1) Expand out MICROSOFT WINDOWS UPDATE
                (a) For “Notify about Microsoft Windows system updates” select the following:
                    (i) Recommended updates if NOT using an RMM or other patch management tool
                    (ii) No updates if using an RMM or other patch management tool
            (2) Beneath TOOLS click on Email notifications
                (a) Configure SMTP email notifications from the endpoint if desired
            (3) Beneath TOOLS click on Presentation Mode
                (a) Click the slider for “Enable Presentation mode when running applications in full-screen mode automatically” to OFF
        iii) Click on USER INTERFACE tab
            (1) Expand out USER INTERFACE ELEMENTS
                (a) Configure the settings as follows:
                    (i) Start Mode – Terminal
                    (ii) Show splash-screen at startup – OFF
                    (iii) Use sound signal – OFF
                    (iv) Show license information – OFF
                    (v) Show license messages and notifications – OFF
            (2) Expand out ALERTS AND NOTIFICATIONS
                (a) Configure the settings as follows:
                    (i) Display alerts – OFF
                    (ii) Display notifications on desktop – OFF
            (3) Expand out ACCESS SETUP
                (a) Set password to protect the advanced settings and uninstall of Windows server security product
    b) Expand out ASSIGN and click on the “ASSIGN” button
        i) Assign the policy to the ALL>Windows>Servers dynamic group created in step 2 of this section
    c) Click on finish

Create a new customer in ERA and prepare for deployment

1) Insert instructions for license procurement in Ingram Cloud Marketplace (Enter in link for ESET page in Ingram Cloud Marketplace)
2) Go to Admin>License Management (in ERA) and click on synchronize licenses
3) Go to Admin>Groups and create a new static group nested under the _CUSTOMERS static group for each customer (left click “settings” gear that appears when you click on the _CUSTOMERS static group)
4) Create new dynamic group(s) nested under the new customer’s static group for the types of machines that will be managed (Windows clients, Windows servers, Macs, etc.) based off of their respective dynamic group templates


5) Create a new dynamic group nested under each of the dynamic groups created in step 4 called ESET Not Activated and use the security product not activated dynamic group template
6) Go to Admin>Client Tasks and go to product activation task. Create new task (or duplicate existing) and name the task <Customer> <Product> (Windows Client) Activation i.e. Acme, Inc EES (Windows Client) Activation. Under settings of the task, specify the customer’s windows client product license.
7) Upon clicking finish you will be prompted to create a trigger. Click on the blue Create Trigger button and name the trigger joined [Customer]>windows>clients>ESET not activated dynamic group. Target the ESET not activated dynamic group nested under the [Customer]>windows>clients dynamic group that was created in step 4. Under trigger, set the “trigger type” to Joined Dynamic Group Trigger
    a. REPEAT steps 6 and 7 for all product types to be used by the customer: i.e. EES (Windows Client), EFS (Windows Server), EES for Mac (Mac Client), etc.
    b. Target the product activation tasks for each product to the corresponding “ESET Not Activated” dynamic group(s) created in step 4

NOTE: Steps 8 – 10 are first time/one time set up steps. Steps 11 – 13 will be repeated for each new customer created in ERA

8) Go to Admin>Groups and find the Clients dynamic group nested under the ALL>Windows dynamic group. Create a sub-dynamic group called ESET not activated, and base this dynamic group off of the Security Product Not Activated dynamic group template. Repeat this step for each OS type that will be managed in the environment (Clients, Servers, Macs, etc.)
9) Go to Admin>Client Tasks and go to product activation task. Create new task and name the task <Product> (Windows Client) Activation i.e. EES (Windows Client) Activation. Under settings of the task, specify the windows client license and click finish.
10) Upon clicking finish you will be prompted to create a trigger. Click on the blue Create Trigger button and name the trigger joined ALL>windows>clients>ESET not activated dynamic group. Target the ESET not activated dynamic group nested under the ALL>windows>clients dynamic group that was created in step 10. Under trigger, set the “trigger type” to Joined Dynamic Group Trigger
    c. REPEAT steps 9 and 10 for all product types to be managed in your environment: i.e. EES (Windows Client), EFS (Windows Server), EES for Mac (Mac Client), etc.
    d. Target the product activation tasks for each product to the corresponding “ESET Not Activated” dynamic group(s) created in step 10

Repeat steps 13 – 15 for each new customer

11) Go to Admin>License Management and click on synchronize licenses. Ensure that you have enough available licenses for your anticipated deployment


12) Go to Admin>Groups and create a new static group for each customer nested in the _CUSTOMERS static group (left click “settings” gear that appears when you click on the _CUSTOMERS static group)
13) Go to Admin>Groups and create a new dynamic group nested under the new customer’s folder for the types of machines that will be managed (Windows clients, Windows servers, Macs, etc.) based off of their respective dynamic group templates

Deploy ESET ERA agent and security products

NOTE: If using an RMM tool, you can leverage your RMM tool for deployment assistance. If you are using Labtech (Connectwise Automate), Kaseya or Autotask, you’ll want to use the deployment tasks that are built in to the plugins for those platforms.

To deploy via ERA, hover over Admin toolbox in ERA and click on Deploy ERA Agent

    a. All-in-one installer will bundle agent and product (windows client OS only) in to a single .exe
    b. Agent Live Installer will create a batch file that will command the endpoint to download the agent from the internet and configure it appropriately
        i. You also have the ability to convert your batch files to MSI with the included MST at https://package.essetusa.com:8443. This will provide both 32 bit and 64 bit versions
    c. GPO script will provide an .ini that can be bundled with the agent MSI (if created in step b.i)
    d. Push from server (available only on local LAN)