NOD32 on ISA Server

Discussion in 'ESET NOD32 Antivirus' started by K_o_R, Apr 19, 2010.

Thread Status:
Not open for further replies.
  1. K_o_R

    K_o_R Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    3
    Hi all.

    I'm in the process of deploying NOD32 to all our workstations and servers, but I have hit a snag where I can't update the virus definitions on our two ISA servers (one per building). I'm trying to update from a local mirror stored on the (non-ISA) other server (also one per building).

    I can't install via push, though this is not an issue since I can manually install the packages. However, once installed on the ISA server it will not update from the local mirrors (also ran into the total internet access loss issue, fixed by turning off the web component - no-one's going to be browsing from that server anyway!). The error is "Could not connect to server".

    I'm assuming this is as a result of the ISA firewall doing its job, so what new rule should I create to allow the updates to proceed locally?

    Thanks for any contributions :)

    EDIT: I can update the definitions from the internet (which is good enough I guess) but it is also prevented from reporting in to ERAS.
     
    Last edited: Apr 19, 2010
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    There should be an executable belonging to the ISA server that you can exclude from content filtering. Open the EAV setup (F5), navigate to Protocol filtering -> Excluded applications and put a cross next to the ISA server executables. If you're not using v. 4.2, navigate to the Web browsers setup and put a red cross next to the executables which will exclude them from content filtering.
     
  3. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    I tried to Google and the first two hits I got are these from the ESET knowledge base:
    http://kb.eset.com/esetkb/index?page=content&id=SOLN332
    http://kb.eset.com/esetkb/index?page=content&id=SOLN2221

    You can also at the ISA server select "Arrays -> Servername -> Monitoring". Then select the "Logging" tab and you can create a filter or just keep the default to see what is blocked. The "Connectivity Verifiers" might be helpful as well. Then create an access rule to allow that traffic at the ISA server.

    -gan
     
  4. K_o_R

    K_o_R Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    3
    Marcos:

    I've noticed that I can't actually put a cross in any of the boxes, only a tick - several screenshots show a list containing both ticks and crosses as well as empty boxes.

    Gan:

    The request comes up in the log as "Unidentified IP traffic" to port 2221. I can open ports on the ISA server for inbound connections but in this case it's outbound.
     
  5. K_o_R

    K_o_R Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    3
    I've solved it! This may be of use to many people so I'll detail it here:

    The communications between NOD32 and ERAS or the update mirror don't get recognised by ISA Server because they are HTTP traffic to a non-standard port (2221-2224 and others, as detailed in the links so kindly provided by Gan there :) ). To get around this you have to define a new protocol that includes these ports.

    For ISA 2006, this is Firewall Configuration -> Toolbox -> Protocols -> New -> Protocol.

    Here you can set the port(s) to be recognised, and then in turn you can add the protocol to a firewall rule to allow traffic through.

    Hopefully this will be helpful to others looking to protect their ISA Server with ESET.
     