Manage ESM Server Settings
The ESM Server facilitates communication between Traps agents and WildFire.
The ESM Server periodically communicates with WildFire to send unknown files for analysis, request verdicts associated with executable files and files containing macros, and submit requests to reanalyze a file. The ESM Server also communicates with Traps agents to retrieve the operational status of the agent, obtain reports on processes running on the endpoint, send the agent the latest security policy.
You can customize and change the frequency of these communications using the Database (DB) Configuration Tool (see Configure ESM Server Settings Using the DB Configuration Tool) or using the ESM Console. Use the following workflow to change the settings using the ESM Console:
- From the ESM Console, select.SettingsESMSettings
- Configure any of the following settings for the ESM Server:
- Quarantine Network Path—(Traps 3.1 and earlier versions and deprecated in Traps 4.2.4 and later releases) Default forensic folder to use when the Traps agent cannot reach the folder associated with the ESM Server to which the agent is connected.
- Inventory Interval (Minutes)—Enter the frequency at which Traps sends a list to the ESM Server to report the applications that are running on the endpoint.
- Heartbeat Grace Period (Seconds)—Enter the allowable grace period for a Traps agent that has not responded (range is 300 to 86,400; default is 4200).
- Forensic Folder URL—BITS-enabled forensic folder URL.To encrypt forensic data, we strongly recommend that you use SSL to communicate with the forensic folder. To use SSL, include the fully qualified domain name (FQDN) and specify port 443 (for example,HTTPS://ESMserver.Domain.local:443/BitsUploads). If you do not want to use SSL, specify port 80 (for example,http://ESMSERVER:80/BitsUploads).
- Keep-alive Timeout (Minutes)—Period of time (in minutes) after which the ESM sends a keep-alive message to an external logging platform (range is 0 or greater; default is 0). The keep-alive message alerts the external logging platform that the ESM component is up and collecting logs. The ESM Console indicates the time at which each ESM Server sent the last keep-alive message in theLast Heartbeatfield on the additional details view of the ESM Server on thepage.SettingsESMMulti ESM
- Update From Server Package Address—Externally accessible URL of the ESM Console used to host upgrade packages for Traps agents. By default, when you configure an action rule to upgrade the Traps software, the rule is configured to use the ESM Console hostname. If the ESM Console is accessible by the DNS record only and not by the default ESM Console hostname, use this field to specify a URL beginning with an HTTP or HTTPS prefix followed by the DNS record.If you do not specify a server URL in this field, the action rule to upgrade agents uses your current session to determine the SSL preference. For example, if you log into the ESM Console using HTTP and create an action rule to upgrade the agents, the agents receive an upgrade path with an HTTP prefix. If you log in using HTTPS, the agents receive an HTTPS prefix.
- Use DNS For Address Resolution—Select this option to enable DNS for address resolution. By default, this option is disabled to prevent excessive DNS error logging.
- Automatic Revocation—By default, the ESM Server automatically revokes a license from an agent after a period of 90 days. To change theRevocation Period, enter a value from 30 to 365 days. Or, to prevent the ESM Server from revoking the license, clear the option forAutomatic Revocation. WhenAutomatic Revocationis disabled, the ESM Server does not revoke the license regardless of the length of time in which the Traps agent has not established communication with the ESM Server.
- Saveyour changes.