The Network Manager at Westminster School presents solutions to sticky problems...

Wednesday 25 February 2009

Installing Forefront Client on Windows Server 2008

Installing Forefront Client Security seems like a daunting task on Windows Server 2008. It can be done, but with a little extra help. If, like me, you already have a WSUS server and you have fewer than 1000 clients, a two-server solution is fine. The first thing is to read through the documentation found at:

http://technet.microsoft.com/en-gb/library/bb432630.aspx

However, it does appear that the technical manual department for the Forefront team did not want to spend much time on the documentation. There is a lot of repetition, and a few things are left out or merely implied. We will go through and identify these missing instructions...

The first thing to notice is that there are separate instructions for installing on Server 2008. These are specifically for the 32-bit version of Server 2008. As noted in the hardware requirements, Forefront will not work on the 64-bit version of Windows Server 2008. However, these instructions correctly state that you MUST do everything in the order listed. For your own sanity, do so, while adding the bits below:

The first missing/implied instruction is to complete the installation of .NET 1.1 SP1. To complete the installation of .NET 1.1 you have to wait until IIS is installed. After installing IIS, you need to complete the .NET 1.1 installation, or the MOM components (I know, you don't have MOM) will fail and the entire installation will falter.

Step 1: Run the aspnet_regiis.exe /i command from the C:\Windows\Microsoft.NET\Framework\v1.1.4322 directory.

Step 2: Open IIS Manager. Click on the server name. Under IIS in the main panel, open ISAPI and CGI Restrictions. Change "ASP.NET v1.1.4322" to "Allowed".

The other missing instruction concerns a peculiar problem with Reporting Services. You should check the following URLs to ensure that Reporting Services is installed:

http://reportservername/Reports
http://reportservername/ReportServer

If you get an error message amounting to a lack of permission on the installation account's part, there is a way round this. It is, in fact, a UAC issue. (Please do not rush to switch UAC off...) To get round it, go into the Start menu and elevate IE by right-clicking the IE link in the Programs menu. Then go to the first URL. You now have a "Site Settings" link in the top right-hand corner. Click it. At the bottom of this page you now have a "Configure site-wide security" link. Add the installation account as a System Administrator and System User.

Checking the second URL now results in a blank directory listing... Okay? You are now ready to complete the Forefront Client installation. (Remember that the installation runs elevated, so don't worry if you still get the error when running IE without elevation.)
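The two .NET 1.1 steps and the Reporting Services check above can be scripted and verified in one go. The following is an added example and not part of the original post or of the Forefront documentation: it assumes the default framework path quoted in Step 1, that appcmd.exe lives in %windir%\system32\inetsrv (the standard IIS 7 location), that the restriction entry can be selected by the path of aspnet_isapi.dll rather than by its description, and a report server host name passed as a parameter (the post's "reportservername" placeholder is the default). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: automates the two missing .NET 1.1
# steps and then probes the Reporting Services URLs for the permission problem.
# Assumptions: default framework path (from the post), appcmd.exe in
# %windir%\system32\inetsrv, and a report server name supplied as a parameter.
param([string]$ReportServer = 'reportservername')   # placeholder host name from the post

$fx11   = Join-Path $env:windir 'Microsoft.NET\Framework\v1.1.4322'
$regiis = Join-Path $fx11 'aspnet_regiis.exe'
$isapi  = Join-Path $fx11 'aspnet_isapi.dll'
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

if (-not (Test-Path $regiis)) { throw ".NET 1.1 not found at $fx11; install .NET 1.1 SP1 first" }
if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found; install IIS before this step" }

# Step 1: register ASP.NET 1.1 with IIS 7.
& $regiis /i
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis /i failed (exit code $LASTEXITCODE)" }

# Step 2: registration adds the ISAPI/CGI restriction entry as Not Allowed;
# this is the command-line equivalent of the IIS Manager change in the post.
& $appcmd set config /section:isapiCgiRestriction "/[path='$isapi'].allowed:true"
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed (exit code $LASTEXITCODE)" }

# Verify the entry now reads allowed="true" before moving on to the MOM components.
$entry = & $appcmd list config /section:isapiCgiRestriction |
         Where-Object { $_ -match [regex]::Escape($isapi) }
if ($entry -match 'allowed="true"') { "ASP.NET v1.1.4322: allowed" }
else { Write-Warning "Could not confirm ASP.NET v1.1.4322 is allowed; check IIS Manager" }

# Reporting Services check: a 401/403 from either URL is the permission symptom
# the post describes (fixed via Site Settings in an elevated browser, not by
# disabling UAC); any other failure is reported as-is.
function Test-ReportUrl {
    param([string]$Url)
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true    # authenticate as the account running the script
    try {
        [void]$client.DownloadString($Url)
        return "$Url : reachable"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -ne $null -and ($resp.StatusCode -eq 401 -or $resp.StatusCode -eq 403)) {
            return "$Url : permission denied ($([int]$resp.StatusCode)); add the install account as System Administrator and System User"
        }
        return "$Url : $($_.Exception.Message)"
    }
}

Test-ReportUrl "http://$ReportServer/Reports"
Test-ReportUrl "http://$ReportServer/ReportServer"
```

The URL probe deliberately uses the credentials of whoever runs the script, so running it elevated and unelevated shows the same difference the post describes for IE: the elevated run should report both URLs reachable once the account has been added in Site Settings.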

You may find yourself frustrated trying to run the distribution server installation on your WSUS server. SERVERSETUP.exe just seems to crash every time. If you have WSUS v3 then you are wasting your time running the installation program. The Forefront Client installation for the Distribution Server is intended to fix WSUS v2 installations so that you can poll for updates every hour. WSUS v3 does this already as installed. Consequently, you do not need to install anything on your WSUS server. Instead, you need to change the frequency of the synchronization to anything up to every hour of the day, depending on how soon you want to receive antivirus and malware updates.

Oh, and one more thing. The requirements state that a 32-bit installation of Server 2008 is required for the distribution server. Seeing that you do not need to install anything on the WSUS server with v3, you can still have your 64-bit cake there and eat it...

Finally, do not forget that to be truly compatible with Windows Server 2008, you need SP1. This is obtained through Windows Update rather than as a separate download. So get synchronising...

I still have some hair left.

Monday 23 February 2009

PCs need updates to accept Group Policy Preferences

Group Policy Preferences is a relatively new feature. Consequently, PCs or servers that have not been updated may not pick up the preferences set on up-to-date administrative workstations.

For example: suppose you wanted to apply registry settings to your 300 PCs across your site. You can use Group Policy Preferences to do this very easily, even pulling the registry changes directly from the administrative workstation. However, some PCs do not appear to pick up the preferences. On closer inspection, they have not yet had the latest updates for Group Policy Preferences. This can happen if the PC was recently rebuilt and is awaiting the next update window.

After running Windows Update, check for the changes and, bingo, there they are...
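Rather than waiting for a user to report that a preference never arrived, the rebuilt or stale PCs can be found up front. The following is an added example, not from the original post: it assumes that the Group Policy Preferences client-side extension ships as gpprefcl.dll under system32 and registers itself under the Winlogon GPExtensions key, that the admin$ share and remote registry are reachable from the administrative workstation, and it uses a constructed list of computer names in place of the real OU membership.

```powershell
# Added example, not from the original post: report which PCs still lack the
# Group Policy Preferences client-side extension (CSE) and so will silently
# ignore preference items until Windows Update installs it.
# Assumptions: the CSE is gpprefcl.dll in system32 and is registered under
# Winlogon\GPExtensions; admin$ and remote registry access are available.

$computers = @('PC001', 'PC002', 'PC003')   # constructed sample; replace with your OU's members

function Test-GppClientExtension {
    param([string]$Computer)

    # File check: a rebuilt PC that has not updated will not have the DLL at all.
    $dll = "\\$Computer\admin$\system32\gpprefcl.dll"
    if (-not (Test-Path $dll)) { return $false }

    # Registration check: Winlogon loads CSEs from GPExtensions\{GUID}\DllName, so
    # a present but unregistered DLL would still mean no preferences are applied.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $ext  = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions')
    if ($ext -eq $null) { return $false }
    foreach ($guid in $ext.GetSubKeyNames()) {
        $dllName = $ext.OpenSubKey($guid).GetValue('DllName')
        if ($dllName -and $dllName -match 'gpprefcl\.dll$') { return $true }
    }
    return $false
}

foreach ($pc in $computers) {
    try {
        if (Test-GppClientExtension $pc) {
            "$pc : GPP client-side extension present"
        } else {
            "$pc : MISSING - run Windows Update before expecting preferences to apply"
        }
    } catch {
        # Unreachable or access denied: report it rather than counting it as compliant.
        "$pc : could not query ($($_.Exception.Message))"
    }
}
```

Machines that come back as MISSING are the ones that will show the "preference did not apply" symptom; an unreachable machine is listed separately so it is not mistaken for a compliant one.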

Friday 20 February 2009

Getting App-v to work with a Publishing Server

The way Microsoft is heading with App-v, we will all be dealing with it in a few years time. One day, it will be the way all applications are delivered to your PC. An application living as a distinct entity, yet interacting with the resources of the host PC. It is like discovering pot plants after years trying to weed a garden. If you knew you could isolate each plant, yet share the sunlight, rain and shade of the garden, you would never plant another in the ground ever again unless absolutely necessary. Later versions will allow you to plant two pots side by side so that you can share the same resources between them...

The latest offering, version 4.5, already expands SoftGrid's approach by offering extra flavours. Not only can you stream an application from the Publishing Server or from a Terminal Server, you can now create an MSI file that loads the application directly into the App-V cache and run the application without the need of a Publishing Server. Integration is also possible with System Center Configuration Manager.

But there are downsides to this expansion of the possible ways to use App-V: they become incompatible with each other. You cannot mix either MSI approach with a Publishing Server. There are registry keys that interfere with the Publishing Server approach. One is:

HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration\RequireAuthorizationIfCached

This needs to be set to 1 if the Publishing Server is to work as expected. Otherwise, with user targeting, the application may not run for some users even though it appears in the Start menu or on the desktop.

Microsoft recommend that you deploy the client application first and then apply the registry settings to make the application tick. I would suggest using SCCM for this. Use of the Setup.exe is almost essential, as there is a prerequisite application buried in the Setup file. Don't even bother trying to extract it. You might see the name of the prerequisite during setup; don't bother going to look for it. Though you may install the Visual C++ 2005 Redistributable, it still wants to run its own version. Attempting to deploy the MSI alone through AD results in miserable failure.

Now to deploying the registry settings. If you are in an AD environment, you may not want to spend the effort writing a Windows Script Host (or PowerShell) script to deal with this. After all, Microsoft gives you Group Policy Preferences. This is a great idea that saves time. However, beware! The key registry setting that will cause the Publishing Server to silently fail to deploy its applications is:

HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration\UserDataDirectory

Why? When you place the %appdata% variable into Group Policy Preferences, the machine expands the variable when applying the preference. The result is an entry that refers to the AppData folder of the SYSTEM account. This is unreachable for normal user accounts. The App-V client appears to refresh, but no applications appear. If you check the list of applications, they will be listed, but will not show any icons.

Solution: resort to a startup script that writes that particular key or, better still, do not add that key to the preferences at all. The default registry setting on installation is %appdata%...
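The startup-script route from the paragraph above, together with the RequireAuthorizationIfCached setting from earlier in the post, looks like the following. This is an added example and not from the original post or from Microsoft: it assumes the registry key the post names, the value names as written in the post, that UserDataDirectory is stored as REG_EXPAND_SZ, and that the untouched default is the literal string %appdata% as the post states. The point it demonstrates is the expansion trap: anything that runs as SYSTEM and expands %appdata% before writing it bakes the SYSTEM profile path into the key, so the script must store the unexpanded token and verify it with a non-expanding read.

```powershell
# Added example, not from the original post: computer startup script that sets
# RequireAuthorizationIfCached and repairs UserDataDirectory if a Group Policy
# Preference (or an earlier script run as SYSTEM) has already expanded %appdata%
# into the SYSTEM account's profile path.
# Assumptions: key and value names from the post; UserDataDirectory is REG_EXPAND_SZ;
# the intended data is the literal token %appdata%.

$key = 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration'
if (-not (Test-Path $key)) { throw "App-V client not installed: $key missing" }

# Publishing Server needs this on, or cached applications fail to launch for some users.
Set-ItemProperty -Path $key -Name RequireAuthorizationIfCached -Value 1 -Type DWord

# WRONG (what the preference does, and what a double-quoted string does when the
# script runs as SYSTEM at startup):
#   $expanded = "$env:APPDATA"   # -> ...\config\systemprofile\AppData\Roaming
#   Set-ItemProperty -Path $key -Name UserDataDirectory -Value $expanded -Type String
# Normal users cannot reach that folder, so the client lists applications with no icons.

# Read the stored data WITHOUT expansion: Get-ItemProperty would expand it for us
# and hide the difference between the token and an already-expanded path.
$regKey = Get-Item $key
$raw = $regKey.GetValue('UserDataDirectory', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

if ($raw -ne '%appdata%') {
    Write-Warning "UserDataDirectory was '$raw'; resetting to the literal %appdata%"
    # Single quotes stop PowerShell expanding the token; ExpandString makes the
    # value REG_EXPAND_SZ so each user's client expands it in their own session.
    Set-ItemProperty -Path $key -Name UserDataDirectory -Value '%appdata%' -Type ExpandString
}

# Prove what is on disk now, again using the non-expanding read.
$after = (Get-Item $key).GetValue('UserDataDirectory', $null,
          [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
"UserDataDirectory stored as: $after"
"RequireAuthorizationIfCached: $((Get-ItemProperty -Path $key).RequireAuthorizationIfCached)"
```

Deployed as a computer startup script it runs as SYSTEM, which is exactly the context in which the expansion goes wrong, so the non-expanding read at the end is the check to look at in the script's output: it should print the token, never a path under the system profile.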

Finally, it may be worth remembering that App-V is currently only 32-bit. The 64-bit version is apparently due in 2010...

Finding that out after two days of pulling my hair out does not do wonders for your health. Hopefully, this tip will help you avoid the same pain.