Internet facing RA server?

Discussion in 'Other ESET Home Products' started by Chompy, Oct 30, 2008.

Thread Status:
Not open for further replies.
  1. Chompy (Registered Member; Joined: Oct 30, 2008; Posts: 13)

    Lo All,

    Have an RA server 2.0.110 working well, and I would like to set it so that my remote as well as internal users connect to it for updates and tasks. I have it set to port 80 for updates and port 443 for client connections so that users will be able to traverse firewalls. This is working great with no issues.

    HOWEVER, the user's guide for RA server states that the RA server should NOT be internet facing, and I'm trying to figure out why. I want to deploy 1 image to all my clients and not have to worry about changing RA servers for clients at different sites. I have ESET servers as second backup profile.

    Does anyone know why RA servers cannot be internet facing? Is it because of vulnerabilities in RA HTTP server or...o_O

    thnx
     
  2. SmackyTheFrog (Registered Member; Joined: Nov 5, 2007; Posts: 767; Location: Lansing, Michigan)

    The issue is twofold: You are presenting an attack vector through an exposed HTTP service, so you want to take precautions like having that server in a DMZ, locking down its security configuration, or possibly even running a file version manager so you know when system files are being changed and stop potential exploits. The other issue is that a lot of people seem to not bother configuring their servers or clients correctly and take the easiest route, which is no authentication on the management console or update mirror. If you do this and the mirror is publicly exposed, someone could stumble upon it and use it to get updates for free without actually buying Nod32, and you serving updates like that to unauthorized people, even unintentionally, violates the hell out of the EULA and you are accountable. If you are going to have laptops in the field and want them to report in without connecting to a VPN, I recommend having a secondary RAS in a DMZ and only expose port 2222 for management console reporting, and make sure you set a password for clients to attach on to the RAS. Then configure their update profiles so they continue to download updates straight from ESET.

    It is tempting to serve updates through the RAS mirror, especially in light of the update issues a few months ago which caused a huge amount of problems due to our Juniper VPN requiring the very latest Nod32 defs for access and our laptops were unable to do so. You are better off using your update profile for ESET's servers as the primary and only open the firewall and switch to the other profile when those servers are having issues.

    e: Fixed the wrong port number
     
    Last edited: Oct 30, 2008
  3. YeOldeStonecat (Registered Member; Joined: Apr 25, 2005; Posts: 2,345; Location: Along the Shorelines somewhere in New England)

    Run on custom ports for http updates, no problem, I have quite a few doing that for clients. Port 80 I wouldn't though... it's a common widely exploited port. I usually do something in the 8xxx area. And port 2222 for management updates of course. All other ports... blocked via NAT.
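
The replies above recommend exposing only port 2222 and blocking everything else. The following is an added example, not part of the original thread or any ESET tooling, that checks your own server from outside the perimeter and compares what answers against that policy. The host name and port 8080 (standing in for a custom "8xxx" mirror port) are assumed placeholders.

```python
import socket
import sys

# Policy taken from the thread: 2222 is the only port meant to answer from
# the internet. 80 and 443 are the ports the original poster used; 8080 is a
# constructed stand-in for a custom "8xxx" mirror port.
ALLOWED = {2222}
WATCHED = {80, 443, 2222, 8080}


def tcp_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host, allowed=ALLOWED, watched=WATCHED, timeout=2.0):
    """Compare the ports that answer on `host` with the intended policy.

    unexpected: ports that accept connections but are not in `allowed`
    missing:    allowed ports that do not answer (clients cannot report in)
    ok:         allowed ports that answer
    """
    allowed = set(allowed)
    candidates = sorted(set(watched) | allowed)
    open_ports = {p for p in candidates if tcp_open(host, p, timeout)}
    return {
        "unexpected": sorted(open_ports - allowed),
        "missing": sorted(allowed - open_ports),
        "ok": sorted(open_ports & allowed),
    }


if __name__ == "__main__":
    # Run from a network outside the firewall against your own server's
    # public address; "ras.example.com" is a placeholder.
    host = sys.argv[1] if len(sys.argv) > 1 else "ras.example.com"
    report = audit_exposure(host)
    for key, ports in report.items():
        print(f"{key}: {ports}")
    sys.exit(1 if report["unexpected"] or report["missing"] else 0)
```

This only shows TCP reachability. Whether the client password or mirror authentication is actually set still has to be checked in the server configuration.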
     