Contents Verify implementation of pcanywhere Solution... 2 Deployment of the pcanywhere plug-in from the SMC... 3 Plug-in installation on managed computer... 5 Problems during pcanywhere Plug-in installation... 6 Verify the plug-in installation... 7 Test a remote control session... 8 Default Settings... 10 pcanywhere Settings policy... 11 Verify the correct host settings... 12 Checking the client policy XML file... 13 Refresh policies and filters in the SMC... 14 How pcanywhere policy settings are implemented... 15 Page 1 of 15
Verify implementation of pcanywhere Solution 1. Install the Symantec Management Platform (SMP) and the latest updates to it. 2. Open Symantec Installation Manager (SIM). Under the Installed Products list, Symantec pcanywhere Service Pack 2 (SP2, build 12.5.539) should be listed: If not, then install pcanywhere Solution SP2 from either Install new products or View and install updates (depending on whether the original Solution is installed already). 3. Once SIM shows Symantec pcanywhere SP2 (build 12.5.539) under Installed Products, browse the Add/Update licenses page in SIM to confirm that the License Type listed for Symantec pcanywhere SP2 is Full rather than Extended Trial. If not, install the Full license at this time. pcanywhere Solution exhibits odd behavior if the number of computers with the plug-in installed exceeds the number of Extended Trial license count, such that computers do not appear in the target membership of the pcanywhere Install or the pcanywhere Settings policies. 4. Only if still running pcanywhere Solution SP1 Apply the Resolution in the following Knowledge Base (KB) article: KNOWN ISSUE: SP1 filter "Windows computers requiring pcanywhere plug-in Upgrade" shows errors at https://kb.altiris.com/article.asp?article=49314&p=1 5. Only if still running pcanywhere Solution SP1 If there were any clones of pcanywhere policies prior to installation of pcanywhere Solution SP1, apply the Resolution in the following KB article: KNOWN ISSUE: SP1 installation overwrites customizations to default policies and removes cloned policies at https://kb.altiris.com/article.asp?article=49304&p=1 Page 2 of 15
Deployment of the pcanywhere plug-in from the SMC Once pcanywhere Solution is installed and patched, it is the responsibility of the administrators to deploy the pcanywhere Solution plug-in to managed computers. As with most solutions, deployment of the plug-in can be done by assigning an Install policy to the desired target computers (based on target filters or computer lists). Symantec recommends using the default filters provided with pcanywhere Solution. However, if the default filters are not optimal in a particular environment, then clone the default policy, remove the default filter, and specify a new set of target computers. When specifying targets, remember two very important rules: 1. The SMP server itself must never be a target for the pcanywhere Install policy, because installation of the pcanywhere Solution plug-in to the SMP server will cause problems and is not supported. 2. Each pcanywhere host computer must be a target of just one pcanywhere Install policy, regardless of whether the policy targets a computer list or a filter. It is up to the Symantec Management Platform administrators to enforce these rules. Page 3 of 15
To view membership of the default filters, for example the Windows Computers with no pcanywhere plug-in Installed filter shown above, browse to the Install policy in the SMC and double-click the filter. The following dialog will open: Click Update results to show a list of computers which belong to this filter. If this results in errors "No items found" and "The data could not be loaded, then please install pcanywhere Solution SP2. Otherwise, if SP1 remains in use, refer to this KB article: https://kb.altiris.com/article.asp?article=49314&p=1. Finally, remember to turn On or Enable the Install policy or policies when ready to deploy the pcanywhere Solution plug-in. There are two ways to do this When viewing the policy, toggle the On/Off button to On and then click Save Changes: Or, right-click the Install policy and then click Enable: Page 4 of 15
Plug-in installation on managed computer Once a pcanywhere plug-in Install policy is assigned to a target computer, the Symantec Management Agent must retrieve the policy information before it downloads and installs the plug-in. This will occur at the next scheduled configuration update, or if the Symantec Management Agent is forced to Update its configuration policies. Following are some methods to force the Symantec Management Agent to Update: Directly from the client computer: 1. Right-click the Symantec Management Agent icon in the system tray, click Altiris Agent Settings > Update. 2. Or, perform restart of the Altiris Agent service 3. Or, run AeXAgentUtil.exe /Server:<SMPservername> Remotely, from the SMC: 1. Click Manage > Jobs and Tasks. Expand Jobs and Tasks > Samples > Notification Server. Click the "Update Client Configuration" task in the left pane, in the right pane click "Quick Run", and enter/select the client computer to which the task should apply. 2. Directly access the Power Management page to "tickle" the Agent. The following KB article shows how to test this: https://kb.altiris.com/article.asp?article=50125&p=1. The main installer file for Windows is pcaclientinstallmanager.exe. It launches a few other processes as it installs multiple components including: pcanywhere host package This is the pcanywhere software. pcanywhere Solution plug-in - This component communicates between the pcanywhere host and the Symantec Management Agent. Once the Agent downloads the pcanywhere Solution plug-in installer, allow it at least several minutes to run. Periodically check membership of the filter Windows Computers with no pcanywhere plug-in Installed after enabling the pcanywhere Install policy. Over time, the number of computers included in this filter membership should decline, while membership of the default filter for the pcanywhere Settings policy, pcanywhere Plug-in for Windows Installed Active, should increase. If the number of members in these filters does not appear to be correct, then follow some of the troubleshooting steps below Page 5 of 15
Problems during pcanywhere Plug-in installation One possible cause of problems is that after an initial run of the pcanywhere plug-in Install or Uninstall policy, subsequent attempts to run the same policies are blocked by the "Run once ASAP" setting that is enabled by default in the policies. Therefore, if the pcanywhere plug-in Install or Uninstall policies must be run more than once, then it is necessary to uncheck the "Run once ASAP" option in the policies, and schedule the policies to run. The pcanywhere plug-in package will create log files in the location where the Symantec Management Agent downloads it. On a Windows client computer, the package will download to, and run from the default location C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{B364DA8F-1735-4DD3-865A- 8B33CA5523CD}\cache. For 64-bit Windows, C:\Program Files (x86)\. The following log files may exist in this folder: hostexelog.txt log.txt msilog.txt pcasolinstaller-pcaclientinstallmanager-trace.log Symantec Technical Support may request these files for case evidence. Another installation problem may be that the pcanywhere host package installs successfully, but the Symantec pca Agent plug-in fails to register with the Symantec Management Agent. See the following Knowledge Base article for assistance with this: https://kb.altiris.com/article.asp?article=50260&p=1. Incomplete or failed pcanywhere Solution plug-in installation may be related to Task Server or Package Server problems. Examine the Symantec Management Agent (formerly Altiris Agent) logs for clues. For example, if there are many instances of errors like this: <![CDATA[CTAgent::OnExecute-Loop(): CAtrsException exception, error = "Unable to start thread", OS error = 8, at line 154... <![CDATA[CTaskAgentBase::ProcessNewSettings(): The settings are the same.]]></event> then the issue is likely related to the Package Servers listed under Settings > Notification Server > Site Server Settings. See https://kb.altiris.com/article.asp?article=51514&p=1 for information on Site Servers. Page 6 of 15
Verify the plug-in installation To verify that the pcanywhere plug-in installation has completed on a managed client computer running the Windows platform: Verify whether the pcanywhere system tray icon is present. Note that it is possible to hide this icon from the Settings policy, so this isn t always a valid test. Run services.msc, and look for Symantec pcanywhere Host Service. Verify that the service is installed and running. If it will not start, reboot the computer and check again. Note that there is a potential for conflicts with RDP and Terminal Services, so it may not be possible to start the Host Service from within an RDP session. Symantec Technical Support is currently working to define when the conflict occurs. For now we have general information in this KB article: https://kb.altiris.com/article.asp?article=45749&p=1. Right-click the Symantec Management Agent icon in the system tray and click Symantec Management Agent Settings. "Symantec pca Agent" should be listed under Installed Agents. From within the SMC, to verify that the pcanywhere plug-in installation has completed on managed computers, view the membership of the filter pcanywhere Plug-in for <Platform> Installed Active. This filter can be found in multiple locations including the pcanywhere Settings policy for each platform. Note that computers on which the pcanywhere plug-in is installed will not immediately appear as members of this filter. The Symantec Management Agent must complete a Basic Inventory and report the results back to the SMP server, and the server must process the inventory, before the canned filter shows the computer. So if the Symantec pca Agent is listed under Installed Agents on a managed computer,but the filter pcanywhere Plug-in for <Platform> Installed Active does not show the computer as a member, then perhaps the server has not received or processed the Basic Inventory from that computer. Another way to verify plug-in installation from the SMC is to check whether the specific computer s basic inventory shows the Symantec pca Agent. Open Resource Manager for that computer, then click Summaries > Resource Summary. Under the Altiris Agent Details section, the Symantec pca Agent should be listed along with other solution agent plug-ins. Page 7 of 15
Another trick to verify that pcanywhere hosts are running and listening for connections is to open the link for the Symantec pcanywhere program on the SMP server. Click Quick Connect in the left pane, and in the right a list of hosts in the Waiting state will gradually appear. Note that Symantec offers a very handy tool for customer use, the Remote Altiris Agent Diagnostics (RAAD). Symantec Management Platform administrators can use this tool remotely to look at client logs, run a configuration update, send basic inventory, and run solution-specific diagnostics and remediation. See this article for an overview and to download the tool: https://kb.altiris.com/article.asp?article=49683&p=1 Page 8 of 15
Test a remote control session To test a remote control session to a computer, click Actions > Remote Management > Remote Control, type a hostname or IP address, and click Connect. If the dialog for credentials appears, the pcanywhere host is running and has responded to the connection attempt. If the dialog for credentials does not appear, then the pcanywhere Remote on the SMP server was not able to reach the pcanywhere Host. Verify the connection from the SMP server to the default TCP port 5631 on the host computer by using telnet. Open a Command Prompt window and type: telnet [hostname IP address] 5631 If the response is Please press <Enter> as shown here, then the port was open and the connection was successful: If the response is Could not open connection to the host, on port 5631: Connect failed then: the host is not running; or the host is listening on a different (non-default) port; or there is a firewall blocking the network communications to that port. Page 9 of 15
Default Settings Once the pcanywhere host is installed and running, it is important to remember that it will initially run default settings, even if a pcanywhere Settings policy is turned On and applied to the managed computer. By design, the pcanywhere plug-in does not immediately incorporate the settings from a pcanywhere Settings policy. As of pcanywhere Solution SP1 (12.5.415), the default pcanywhere host settings include the following: listen on TCP port 5631 the Require user to approve connection" option is enabled only the local "Administrators" group caller is available for authentication the Support global NT users and groups option is disabled, so only accounts directly in the local Administrators group will authenticate. Remember that while the default settings are in place, you must provide the credentials for a user that is directly a member of the local Administrators group. The pcanywhere Solution plug-in will run with the default settings until the following conditions are met: 1. Exactly one pcanywhere Settings policy is applied to the target computer, AND 2. The pcanywhere Settings policy is turned On, AND 3. The Symantec Management Agent performs an Update to receive the pcanywhere Settings policy. Note that SP2 includes a fix for an issue such that the default caller is defined literally as the local "Administrators" group. On host computers running a language where the Administrators group does exist, it is possible to authenticate as a member of that group. However, for languages where Administrators is not the correct name of the group, then no caller will be able to authenticate until the Symantec Management Agent applies the pcanywhere Settings policy. Here is a link to the KB article: https://kb.altiris.com/article.asp?article=49180&p=1. Upgrade to SP2 to resolve this. Page 10 of 15
pcanywhere Settings policy pcanywhere Solution offers the ability to modify the pcanywhere host settings in the console under Settings > Agents/Plug-ins > Remote Management > Remote Control > <Linux Mac Windows>. For each platform, we can modify settings under four tabs: Connection, Authentication, Security and Access Server. There is a default pcanywhere Settings policy provided for each supported platform. Rather than modify the settings or target of a default policy, best practices are to leave the default policy intact and work with a cloned version: 1. disable the default settings policies 2. right-click the default policy 3. click Clone 4. name the cloned policy accordingly 5. adjust the Schedule options as needed 6. remove the default target(s) under the Apply to section (if any exist) 7. apply the policy to the desired targets Important Note: Each pcanywhere host computer can be a target of ONLY ONE pcanywhere Settings policy, regardless of whether the policy targets a computer list or a filter. In other words, filters used in pcanywhere Settings policies must be mutually exclusive. Page 11 of 15
Verify the correct host settings Assuming that the pcanywhere plug-in is installed on a managed computer, look under the Configuration section at the top of the same Symantec Management Agent Settings dialog box. To determine whether the managed client computer received the newest configuration policy, you can check whether the "Changed" timestamp is accurate when compared to the most recent pcanywhere Setting policy change that you made in the SMC. To investigate potential problems with pcanywhere Settings policies on managed computers, access the client policy file. This is an XML file located in the folder C:\Program Files\Altiris\Altiris Agent\Client Policies\. Look for the larger XML file, with a name format similar to one of the following: <servername>.<domain>.<com>.xml <servername>.xml Symantec Technical Support may request the client policy XML file for case evidence. Inside the client policy XML file there should be a section containing the host configuration settings that were set in the SMC. An easy way to find the section is to search for the element <pcasettings>. Here is a snippet showing the beginning of a pcanywhere configuration policy element: - <Policy guid="{8204b0d5-a56b-4f2e-ba2f-ded9c61e515c}" name="pcanywhere Settings - Windows" version="7.0.7270.0" hash="90afdc63464606e1c575b4c86933b45a" userpolicy=""> - <ClientPolicy agentclsid="symantec.pcaagent"> <DateTime>2010-1-18 16:25:13</DateTime> + <pcasettings> Page 12 of 15
Checking the client policy XML file Does the <pcasettings> element exist? If not, then the Symantec Management Agent has not retrieved the latest policy for some reason. It may be necessary to: force an Update of the Symantec Management Agent (described above); or force a refresh of the filters in the SMC (described below). ensure that the managed computer is a member of the target for the pcanywhere Settings policy. Do the settings match the policy in the SMC? If the <pcasettings> element exists in the client computer's local policy XML file but the settings do not match the intended policy in the SMC, then: the computer may not belong to the target filter specified. This may be due to a mistake in filter query logic (if not using the default filter); or force a refresh of the filters in the SMC (described below). Does the client policy file contain more than one <pcasettings> element? If the client policy XML file contains more than one <pcasettings> element, then it is likely related to an issue with pcanywhere Solution SP1 described in this KB article: https://kb.altiris.com/article.asp?article=50644&p=1. If so, this must be addressed by following the Resolution in that article. Page 13 of 15
Refresh policies and filters in the SMC If it appears that a managed computer is member of the target filter that is applied to a pcanywhere Settings policy, but the managed computer has not received the policy settings based on an examination of the client policy XML file, then perhaps the filter membership has not yet been updated. This occurs based on a schedule, so over time this situation should resolve itself. It is also possible to force a refresh from the SMC. To force a refresh, click Settings > Notification Server > Resource Membership Update. To the right of the Complete Update Schedule line, click the the page should refresh with a notification stating Complete Update Schedule has completed. button. Eventually Performing this step may result in quicker distribution of the pcanywhere Settings policy to the intended managed computers. Page 14 of 15
How pcanywhere policy settings are implemented Once the Symantec Management Agent receives the correct pcanywhere Settings policy and the pcanywhere plug-in parses the policy file, the data is then stored on the managed computer under one of these folders (depending on the version of Windows): C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\Hosts C:\ProgramData\Symantec\pcAnywhere\Hosts in these files: pcanshost.bhf *.CIF Symantec Technical Support may request these host files for case evidence. The BHF (Be a Host File) contains host configuration settings and is modified on the managed computer when a modified settings policy is received by the Symantec Management Agent. There must be at least one CIF (Caller) file present in this folder, and possibly multiple CIF files depending on the number of callers defined in the Settings policy in the SMC. If the pcanshost.bhf file or *.CIF files are missing, then the Symantec pcanywhere Host service will error at startup. Contact Symantec Technical Support to investigate. In addition, the pcanywhere host service uses several registry keys including these: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\pcAnywhere\CurrentVersion\Host HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\pcAnywhere\CurrentVersion\System Some of the settings, such as the TCP listening port, are stored in the registry and therefore can be viewed to compare against the policy settings. Page 15 of 15