Set up SSL in Deployment Solution 7.5




Table of Contents

Installing certificates
    Manually installing certificates
Notification Server/Site Servers
    Import Certificate into IIS
    Set https bindings
    Configure SSL Settings
Console Settings
    Targeted Agent Settings
    Package codebase Publishing
    Extract SSL Certificates Policies
SSL Certificate Installation
    Notification Server
    Task Server
    Package Server
    Manual Installation
    Server type-specific install paths
Preboot Configurations
    WinPE
    LinuxPE
    Recreate Preboot Configurations
    PXE
    Automation Folder
Notification Server Alias
SSL-Related Registry Keys
Troubleshooting Resources
    General Deployment Solution Logging
    SSL Certificate Extraction
    Preboot Configurations

Installing certificates

Certificates will need to be installed on all computers that will be communicating over SSL in production. (It is very possible that the customer has done this already with their own purchased certificate.) The preferred method of installing the certificate throughout the environment is to use a Group Policy. The following is a step-by-step procedure to install on a single machine.

Manually installing certificates

- Obtain/locate the customer's SSL Certificate Personal Information Exchange (.pfx) file. This certificate will either have been purchased or generated by the customer for their servers and/or environment.
- Right-click on the .pfx file and choose Install PFX. This will bring up the Certificate Import Wizard.
- Input the path and password as necessary.

- When prompted for Certificate Store, choose Place all certificates in the following store and click Browse.
- Check Show physical stores, expand Trusted Root Certification Authorities and select Local Computer, then click OK.
- Click Next, then Finish. It will notify you if the installation was successful.

Notification Server/Site Servers

Several things will need to be configured on the Notification Server and Site Servers, mostly in IIS, in order to set up the Servers to use SSL communication.

Import Certificate into IIS

- Open IIS Manager and select the root Server Name on the left side tree menu.
- In the center content window, open Server Certificates. The Server's Certificate should be listed there.
- If it is not listed, import it: on the right sidebar, click Import, browse to the .pfx file, and enter the appropriate password. The newly imported certificate should now be listed on the Server Certificates pane.

- If a .pfx certificate is not readily available, a self-signed certificate can be created on that server. On the right sidebar, click Create Self-Signed Certificate. Input a friendly name for the certificate on this server. The newly created self-signed certificate will be listed under Server Certificates.

*Note: On the Site Servers, the name on the certificate must match the name of the server in order to allow correct communication between clients and that server.*

Set https bindings

- Open IIS Manager and select Default Web Site.
- On the right sidebar, select Bindings.

- In the Site Bindings dialog box, choose Add.
- Select https from the drop-down menu. Verify the port is set to 443.
- Under SSL certificate, select the appropriate certificate.
- Click OK, then click Close.

*Complete the Targeted Agent Settings section before making the following changes to the SSL Settings on the NS to prevent blocking agent communication.*

Configure SSL Settings

- Back on the Default Web Site page in IIS Manager, open SSL Settings.
- Check the Require SSL box, then click Apply in the right sidebar. It will notify you that "The changes have been successfully saved."
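One way to confirm the binding from another machine, as an added example that is not part of the original guide: the function below completes a TLS handshake on port 443 and reports whether the presented certificate's name matches the host name used and whether it chains to a root trusted on the machine running the check. The host name ns01.example.local and the function name are placeholders.

```powershell
# Added example (not from the original guide): inspect the certificate a
# server presents on its https binding. The host name used is a placeholder.
function Get-TlsEndpointReport {
    param(
        [Parameter(Mandatory = $true)] [string]$HostName,
        [int]$Port = 443
    )
    $script:tlsCert   = $null
    $script:tlsErrors = [System.Net.Security.SslPolicyErrors]::None

    # Record the validation result instead of aborting the handshake, so a
    # self-signed or misnamed certificate can still be reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $errors)
        $script:tlsCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $script:tlsErrors = $errors
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is the one compared against the certificate.
        $ssl.AuthenticateAsClient($HostName)

        $flags    = [int]$script:tlsErrors
        $mismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErr = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        [pscustomobject]@{
            Host         = $HostName
            Subject      = $script:tlsCert.Subject
            Thumbprint   = $script:tlsCert.Thumbprint
            NotAfter     = $script:tlsCert.NotAfter
            NameMatches  = ($flags -band $mismatch) -eq 0
            ChainTrusted = ($flags -band $chainErr) -eq 0
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Get-TlsEndpointReport -HostName 'ns01.example.local' | Format-List
```

Run it from a client with the name agents will use to reach the server; NameMatches = False corresponds to the Site Server naming requirement noted above, and ChainTrusted = False means the certificate is not trusted by the machine running the check.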

Console Settings

In the Management Console, the following settings need to be changed to get clients to correctly use SSL in their communications. These changes will only occur on the clients after they get an updated configuration.

Targeted Agent Settings

- Open Targeted Agent Settings in the Management Console.
- With a group selected on the left, open the Advanced tab.
- Check the Specify an alternate URL box, and change the Server Web: field to https.
- Click Save changes.
- Repeat the process for all affected/relevant groups.

*Note: Deployment Pre-Boot Environment must be changed to allow WinPE/LinuxPE to communicate with the NS.*

Package codebase Publishing

- Open Site Server Settings in the Management Console.
- On the left tree menu, open Site Management >> Settings >> Package Settings >> Package Services Settings.
- Under Published Codebase Types, check the Publish IIS hosted codebases box and select the Publish HTTPS codebases radio button.
- Click Save changes.

Extract SSL Certificates Policies

- Open All Settings in the Management Console.

- On the left tree menu, open Settings >> Agents/Plug-ins >> Deployment and Migration >> Windows (x64) >> Extract SSL Certificate (x64) Install and enable it (set to "On").
- Click Save changes.
- Repeat this with Windows (x86) >> Extract SSL Certificate (x86) Install.

SSL Certificate Installation

The Extract SSL Certificate policy configured in the console will run on the Notification Server, Task Servers, and Package Servers in the environment. File names and locations differ depending on the type of server to which they are installed. This installation should execute without any intervention. Below are instructions to verify it has run successfully, and to run it manually if it has not.

Notification Server

On the Notification Server, the .pfx and .xml files should be located in the <Program Files>\Altiris\Notification Server\NSCap\bin\Deployment\Certificates directory.

Task Server

On a Task Server, the .pfx and .xml files should be located in the <Program Files>\Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates directory.

Package Server

On a Package Server, the .pfx and .xml files should be located in the <Program Files>\Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates directory.

*Note: If a Server has multiple services, it will populate only one of these locations/sets of files, in the priority order of NS, TS, then PS. I.e., if a server is both a Task Server and Package Server, it will only have the Task Server-specific files installed to the Task Server-specific location.*

Manual Installation

Should the correct files not be present/installed on the server, a manual installation can be done using the following steps.

- On the server in question, check the Management Agent's Software Delivery tab for the Extract SSL Certificate policy. If it is present, double-click it and open the Download History tab. Click to open one of the listed source locations. If the Extract SSL Certificate policy is not present, or the policy has no source locations, follow the next step; otherwise, skip it.
- If the Extract SSL Certificate policy was not present, or the policy has no source locations, open \\<servername>\nscap\bin\deployment\installs\certificate\<x64 or x86> in Windows Explorer.
- Take the two files in the directory (from either of the steps above) and copy them to a local, non-package share location on the server.

- In an Administrator: Command Prompt, run the executable file with the switch exportcert to install the appropriate certificate. Additional command windows may appear during the execution of this application.
- Verify that the certificate files were installed to the correct directory for the roles of that server. The paths are listed again below.

Server type-specific install paths

Notification Server: <Program Files>\Altiris\Notification Server\NSCap\bin\Deployment\Certificates
Task Server: <Program Files>\Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates
Package Server: <Program Files>\Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates

Preboot Configurations

Configuration files within the preboot environments also need to be set to direct Agent communication to use SSL protocols and ports when connecting to the Server(s). These should be changed automatically when SSL is enabled on the server and the appropriate SSL policies are enabled in the console. These configuration files should be changed without user intervention, but below are the locations where this can be verified, as well as instructions to change them if needed.

*Note: All the file locations listed below are located on the Notification Server. These are the Package Sources, and will be replicated to Site Servers as part of the normal Package Replication process. This can be expedited by forcing a Package update on all Site Servers.*

WinPE

- Open the PECTAgent.ini configuration file at <Program Files>\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\<x86 or x64>\base\program Files\Symantec\Deployment to check settings.
- Confirm the SMPPort value is set to 443 and the SMPProtocol value is set to https. If these are not set, change these values as needed.

*Note: Be sure to change the files in both the x86 and x64 directories to make sure the WinPE files are changed for both architectures.*

LinuxPE

- Using Notepad or a simple text editor, open the .aex-agent-install-config configuration file at <Program Files>\Altiris\Deployment\BDC\bootwiz\oem\DS\Linux\x86\Base\tmp to check settings.
- Confirm the NSPort value is set to 443 and the NSProtocol value is set to https. If these are not set, change these values as needed.

Recreate Preboot Configurations

These newly changed files will be built into all preboot configurations which are built going forward. If there are existing preboot configurations, they will need to be recreated in order for those changed files to be included.

- In the Management Console, open Settings >> Deployment >> Create Preboot Configurations.

- Select the preboot configuration to recreate, then click Recreate Preboot Configuration. A pop-up will confirm that a recreation has been initiated.

PXE

Once each Site Server has rebuilt the configuration on its server, it will be available for clients to PXE boot into.

Automation Folder

Once the automation folder has been recreated on the Notification Server, the newly built folder will need to be installed on the affected client machine(s). This can be done via policy, by uninstalling and then reinstalling on client machines, or via task, by pushing the installer package.

Notification Server Alias

In some cases, the Notification Server will use an aliased name. This alias will be the name on the certificate and the DNS should be set up to resolve the aliased name correctly. As of the release of Deployment Solution 7.5 HF2, there is a known issue regarding this type of setup. For the most current information, please reference Knowledge Base Article TECH214199.

SSL-Related Registry Keys

Though these are related to Notification Server functionality in general and are probably changed already, the values should be confirmed for correct functionality. Verify that the following keys are set to the correct values:

HKLM\SOFTWARE\Altiris\AIM\Configuration\NsConfiguration\NsWebSitePort = 443
HKLM\SOFTWARE\Altiris\AIM\Configuration\NsConfiguration\NsWebSiteSSL = True
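The checks described in the SSL Certificate Installation, Preboot Configurations and SSL-Related Registry Keys sections can be run in one pass. The script below is an added example, not part of the original guide or of the product; it only reads values. It assumes that <Program Files> resolves to $env:ProgramFiles and that PECTAgent.ini and .aex-agent-install-config store their settings as Name=Value lines; the helper names Add-Check and Get-ConfigValue are hypothetical.

```powershell
# Added example (not from the original guide): read-only audit of the
# values this guide says to verify. Assumptions: <Program Files> is
# $env:ProgramFiles, and the preboot files hold Name=Value lines.
$pf = $env:ProgramFiles
$results = New-Object System.Collections.Generic.List[object]

function Add-Check($Item, $Expected, $Actual) {
    $ok = "$Actual" -eq "$Expected"          # -eq ignores case for strings
    $results.Add([pscustomobject]@{ Item = $Item; Expected = $Expected; Actual = $Actual; OK = $ok })
}

function Get-ConfigValue($Path, $Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return '<file missing>' }
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*=\s*(.*?)\s*$'
    $hit = Select-String -LiteralPath $Path -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { '<not set>' }
}

# SSL-related registry values
$ns = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Altiris\AIM\Configuration\NsConfiguration' -ErrorAction SilentlyContinue
Add-Check 'Registry NsWebSitePort' '443'  $ns.NsWebSitePort
Add-Check 'Registry NsWebSiteSSL'  'True' $ns.NsWebSiteSSL

# Extracted certificate files: only the highest-priority role (NS, TS, PS) is populated
$roleDirs = [ordered]@{
    'Notification Server' = "$pf\Altiris\Notification Server\NSCap\bin\Deployment\Certificates"
    'Task Server'         = "$pf\Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates"
    'Package Server'      = "$pf\Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates"
}
$found = $false
foreach ($role in $roleDirs.Keys) {
    $dir = $roleDirs[$role]
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $pfx = @(Get-ChildItem -LiteralPath $dir -Filter '*.pfx').Count
    $xml = @(Get-ChildItem -LiteralPath $dir -Filter '*.xml').Count
    Add-Check "$role .pfx and .xml present" 'True' ($pfx -gt 0 -and $xml -gt 0)
    $found = $true; break
}
if (-not $found) { Add-Check 'Certificate directory for any role' 'present' 'not found' }

# Preboot configuration files (package sources on the Notification Server)
foreach ($arch in 'x86', 'x64') {
    $ini = "$pf\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\$arch\base\program Files\Symantec\Deployment\PECTAgent.ini"
    Add-Check "WinPE $arch SMPPort"     '443'   (Get-ConfigValue $ini 'SMPPort')
    Add-Check "WinPE $arch SMPProtocol" 'https' (Get-ConfigValue $ini 'SMPProtocol')
}
$lin = "$pf\Altiris\Deployment\BDC\bootwiz\oem\DS\Linux\x86\Base\tmp\.aex-agent-install-config"
Add-Check 'LinuxPE NSPort'     '443'   (Get-ConfigValue $lin 'NSPort')
Add-Check 'LinuxPE NSProtocol' 'https' (Get-ConfigValue $lin 'NSProtocol')

$results | Format-Table -AutoSize
```

On a Site Server the preboot rows will report missing files, since those paths are package sources on the Notification Server.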

Troubleshooting Resources

In the event that files/installations/changes are not occurring correctly, the following are log files and file locations which may be useful in troubleshooting for resolution.

General Deployment Solution Logging

This log file tracks general Deployment Solution tasks and activity on a Server with Deployment components installed. This log file is created in <Program Files>\Altiris\Altiris Agent\Agents\Deployment\Logs by default.

DSTasks.txt

SSL Certificate Extraction

These log files are created when the Extract SSL Certificate policy attempts to execute on the Notification Server, Task Server, and Package Server. These log files are created in C:\ by default.

DSPluginInstall.log
IISCertDeployVBS.txt

Preboot Configurations

When creating/recreating preboot configurations, Boot Disk Creator generates a log file. This log file is created in <Program Files>\Altiris\Deployment\Logs by default.

Bootwiz.log