Using Apache reverse proxy as a local repository for Symantec Endpoint Protection 14.3 RU2+ Linux clients

book

Article ID: 220410

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

While it is possible to create offline install packages for SEP Linux 14.3 RU1+, these need to be created for each major OS release needed and may need to be updated frequently to get updated packages, most notable for the kmod package.
See Creating an offline installation package for the Endpoint Protection Linux Agent.

A more flexible method is to use a local repository that the clients can access on the local network to get all the packages necessary for the client install and potential subsequent package updates.

However, creating a mirrored repository can be complicated and use much more disk space and bandwidth that may be necessary.

Cause

SEP for Linux 14.3 RU1 and higher require access to the Symantec repository for install and update.

Environment

Linux clients managed by a Symantec Endpoint Protection Manager that do not have access to the Symantec repository.

Resolution

Instead of a mirrored repository, it is possible to use a reverse proxy that will download from the Symantec repository on behalf of the clients.

Below is an example of how to configure Apache as a reverse proxy that can be used by clients to download the necessary packages during install and upgrades.

IMPORTANT: Installing and configuring a reverse proxy is beyond the scope of what support can assist with, this article is provided as-is to show an example of how it can be achieved.

1 - Installing Apache

   After selecting a system that has access to the Symantec repository and will act as a reverse proxy, the first step is to install the necessary packages in order to install Apache.
There are 2 packages that will need to be installed, http2 and mod_ssl.

On Red Hat / Centos, they can be installed by running:

yum install httpd
yum install mod_ssl

If you are installing on a different distribution, use the package manager needed accordingly

2 - Configuring Apache to act as a reverse proxy for the Symantec Repository.

   The next step is to adjust Apache's configuration in order for it to sere its purpose. Please note that the configuration described here will be as simple as possible. It can be expanded to add support for file caching and handling clients requests over HTTPS but this will not be covered here.

To amend the configuration, the configuration file at /etc/httpd/conf/httpd.conf will need to be modified.

The first change will be to add the necessary modules to be loaded,
After the lines:

# Example:
# LoadModule foo_module modules/mod_foo.so

Add the following 4 lines:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule ssl_module modules/mod_ssl.so

Then, at the end of the file, add the followings lines:

SSLProxyEngine on

<Location "/">
   ProxyPass "https://linux-repo.us.securitycloud.symantec.com/"
   ProxyPassReverse "https://linux-repo.us.securitycloud.symantec.com/"
</Location>

Save the file and (re)start the daemon, example:

systemctl restart httpd

The reverse proxy is now ready and functional.

3 - Installing a SEP client using the local repository as a source

   Finally, to install the client using the server configured above, the LinuxInstaller needs to be called with the following arguments:

./LinuxInstaller -- -h 'http://[Reverse Proxy IP/Hostname]/sep_linux/14.3RU2'

Make sure to enter the reverse proxy IP or host name of the system on which Apache was configured above.

This will indicate to the installer that the repository to be used for the install is the one listed, it will also keep that repository configured going forward which means further calls to the installagent.sh or update-kmob.sh scripts will use the reverse proxy instead of attempting a direct connection.

Finally, the version needs to be added to the URL as displayed in the example.
While 14.3 RU1 installer lists the -h --local-repo options, it does not work as expected on that version, as a result, 14.3 RU2 client or above should be used if this functionality is to be leveraged.