UPL02 – Implementing Cloud Enabled Management Hands-On Lab
Description
Cloud-enabled Management lets you manage endpoints over the Internet even if the client computers are outside of the corporate environment and cannot access the management servers directly. With Cloud Enabled Agent operation, managed computers do not need a VPN connection to your organization's network.
In this session, you will learn how the new Cloud Enabled Management features of the Symantec Management Platform may help you achieve your goals.
At the end of this lab, you should be able to
Understand how Cloud enabled Management works within your environment.
Understand the uses of this new solution and requirements around your existing DMZ and Firewalls.
Complete the following tasks:
o Configure the cloud enabled management solution settings (Agent Site)
o Install the Internet Gateway
o Configure the Cloud enabled Management policy
o Demonstrate Cloud enabled Management behavior
o Create an Internet Site Server with package services
o Create and Deploy a Cloud enabled Agent installation package to a WAN Connected endpoint
o Demonstrate Solution execution in a fully Cloud Enabled environment
o Run the cloud enabled management reports
Notes
A brief presentation will introduce this lab session and discuss key concepts.
The lab will be directed and provide you with step-by-step walkthroughs of key features.
Feel free to follow the lab using the instructions on the following pages.
You can optionally perform this lab at your own pace.
Be sure to ask your instructor any questions you may have.
Thank you for coming to our lab session
2 of 22
Cloud-enabled Management (CEM) Introduction
Cloud-enabled Management lets you manage endpoints over the Internet even if the client computers are outside of the corporate environment and cannot access the management servers directly. The managed computers do not need to use a VPN connection to your organization's network.
You can apply Cloud-enabled Management in the following scenarios:
An organization with many employees traveling or working outside of the office (outside the corporate intranet).
A managed service provider (MSP), managing external companies.
Highly distributed companies with many small offices or employees working from home.
When you implement Cloud-enabled Management, the Notification Server computer and site servers are not directly exposed to the Internet. Instead, the Symantec Management Agent communicates with the Notification Server computer and the site servers through an Internet gateway. Usually two or more Internet gateways should be available for each site to maintain reliable management of Cloud-enabled clients and to provide failover. Each Internet gateway can route to multiple independent Notification Servers.
The Internet gateway works as a tunneling proxy. It ensures the privacy and safety of the data that is passed between an agent and a management server. The Internet gateway is located in a demilitarized zone (DMZ) between two firewalls. It accepts incoming connections from authorized client computers on the Internet and forwards them to the appropriate Notification Servers and site servers inside your network. The Internet gateway blocks any connection attempts by unauthorized clients.
The Symantec Management Agent automatically determines whether routing the communication through the Internet gateway is needed or not. If a Cloud-enabled computer has direct access to the local network using VPN, the agent automatically switches to a direct communication with Notification Server. If a Cloud-enabled computer is outside the corporate network, then the agent routes all communication on the Internet to Notification Server through the Internet gateway.
Note: Cloud-enabled Management is only supported on Microsoft Windows client computers at this time. Cloud-enabled Management is available on your Symantec Management Platform only when one or more installed solutions support Cloud-enabled Management. Not all Symantec solutions in IT Management Suite support Cloud-enabled Management.
Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.
LAB SCENARIO: CeM Implementation
[Diagram: lab scenario. Corporate datacenter: Notification Server NS75. Corporate DMZ: Internet Gateway MONITOR. Internet-connected site: WIN7 (standard agent workstation, later a Cloud Enabled agent workstation and Internet Site Server). Roaming endpoints on the Internet: WINXP (Cloud Enabled workstation).]
In this scenario, the company would like to support their Roaming endpoints and internet connected sites using all of the management features available through CeM. They would like to provide patching, software distribution, inventory and asset services without the requirement of VPN or Domain Level access to their corporate data center.
This design will consist of a single Notification Server that will manage all CeM users through the use of Organizational Views and Groups and will manage the distribution of packages and tasks through Internet Site Servers assigned to these resources separately through site management. A single Internet Gateway will handle all of the incoming traffic from each resource and will allow a secure tunnel to the Notification Server.
The company has a few sites that use the standard Symantec Management Agent over a VPN connection and would like to convert them to Cloud Enabled Agents and connect the sites via the Internet. They would also like Internet Site Servers with Package Services at each of the Internet-connected sites to allow for more robust package distribution. For endpoints that are not currently managed, they would like to simply provide an installation package that can be passed to each user to install for Cloud Enabled Management.
We will emulate this scenario by reproducing the environment on our Virtual Lab.
DC – Headless Domain Controller (Windows Server 2008 R2 SP1)
NS75 – Notification Server 7.5 (Windows Server 2008 R2 SP1)
MONITOR – Internet Gateway (Windows Server 2008 R2 SP1)
WIN7 – Remote Endpoint/Internet Site Server (Windows 7)
WINXP – Roaming Endpoint (Windows XP)
Lab Exercise 1: Setting up the Customer Environment
The following procedure is used to create an Organizational View/Group that will contain all of the Cloud Enabled endpoints in the customer environment. This grouping will be an important step for assigning Cloud Enabled Management policies to these targeted endpoints.
1. Start the 5 VMs if they have not been started: DC, NS75, MONITOR, WIN7 and WINXP
2. Go to the VM labeled NS75.
3. Open the Symantec Management Console and select Manage | Organizational Views & Groups from the main menu.
4. Right click on the Organizational Views folder in the left pane, and select New > Organizational View
5. Select the organizational view you just created and name it Cloud Enabled Computers. If you don’t see the new organizational view in the left pane, press the refresh button.
6. Right click on the Cloud Enabled Computers folder and select New > Organizational Group and rename it CeM Endpoints. This group is the location that we want our Cloud Enabled clients to report into; the CeM policy in later exercises targets it. We will cover this concept later in the lab.
Lab Exercise 2: Configuring the CeM Solution Settings
Implementing the Agent Site
1. Stay on the VM labeled NS75.
2. Open the Symantec Management Console and select Settings | Notification Server | Cloud-enabled Management under the main menu
3. In the left pane, expand the Cloud-enabled Management > Setup folder, and then click Agent Site Settings.
4. On the Agent Site Settings Setup page, do the following:
a. Check Enable Agent site.
b. Make sure that the Agent site port is 4726. (This is a configurable port if needed by your customers)
c. In the Certificate: drop-down list, click the NS75 certificate
NOTE: the “Certificate:” setting is where you may choose to import third-party/public certificates if you need to. The agent site supports these types of certificates, but you must ensure that you use the FQDN of the site, and that the agents can resolve and reach that FQDN from the Internet.
5. Click Save changes. A warning will appear telling you that these settings cannot be modified or deleted - Press OK
6. The window will display “Working…” for a few minutes until the process completes. Wait until the window displays “Agent Site Configuration Succeeded” at the top of the left pane.
Additional steps may have to be taken to add the selected certificate to the Trusted Root Certificates in the Default Domain Policy, as well as adding the FQDN to the trusted sites in Internet Explorer settings. It is also important to note that the Internet Gateway only supports self-signed certificates in this release.
Lab Exercise 3: Installing the Internet Gateway
Creating the Internet Gateway Installation Package
1. Switch to the VM labeled NS75.
2. In the left pane click on Cloud-enabled Management > Setup > Cloud-Enabled Management Setup
3. Read through the Introduction tab to get a better understanding of the items you will need to set up and why you need to set them up.
4. Click on the Internet Gateway Setup tab
5. In the middle of the page click on the “Download the Internet Gateway Installation package” link.
6. Select Save As, and save the SMP_Internet_Gateway.MSI file to \\MONITOR\c$\Users\Administrator.SYMPLIFIED\Desktop and press Save.
The package will save to the MONITOR VM Desktop. Do not run this file on the NS75 VM; just click Close after the download has completed. Normally you would have a method to securely copy this installation file to the target machine in the DMZ.
NOTE: If you accidentally just pressed “Save”, it will be downloaded to your Downloads folder. This is the file that will be used to install your Internet Gateway. You will need to get this file to the server you have decided to assign as an Internet Gateway server. In practice, there are several ways to get the file to the target server; for our lab follow these steps:
Right Click the SMP_Internet_Gateway.MSI file on the desktop and select Copy
Open “Computer” on the desktop and browse to:
\\MONITOR\c$\Users\Administrator.SYMPLIFIED\Desktop
Paste the file to the MONITOR VM Desktop
Installing the Internet Gateway
1. Switch to the MONITOR VM
You should notice that the MONITOR VM does not have a Symantec Management Agent loaded on it. Internet Gateway servers do not require the Symantec Management Agent or agent plug-ins. You can install the Symantec Management Agent on the Internet Gateway server, as it could provide you with additional endpoint management capabilities for your CeM infrastructure, but because this system sits in the DMZ and accepts connections from the Internet, we highly recommend hardening it using security and intrusion prevention best practices.
2. Double click on the SMP_Internet_Gateway.MSI file on the desktop to start the installation
Note: the installation file will verify that you have Windows 2008 R2 SP1 installed along with .Net 3.5.1
3. Click Next on the Welcome window
4. Accept the license agreement and press Next
5. Click Next to accept the default file destination
6. Click Next to start the installation
Once the installation has completed, leave Start configuration wizard checked and click Finish. The Internet Gateway configuration will begin.
NOTE: If you uncheck the wizard, you can run the configuration utility from the programs menu
7. Leave all of the settings in the IP Addresses and Ports section as they are and click Next. These settings configure the address and port on which the Internet Gateway listens for agents (port 443).
8. Fill in the SSL Certificate Information by using the following settings:
a. Common Name: MONITOR.symplified.org
b. Organization Name: Symantec
c. Organizational Unit Name: [email protected]
d. Email Address: [email protected]
e. Locality Name: Lindon
f. State or Province Name: UT
g. Country Name: US
9. Click Next
10. Select the LocalService Account and press Next
11. The summary details show your settings that you have selected. Click Finish to continue. This may take about 30 seconds.
12. The first screen you will see once the configuration is complete shows the gateway certificate that the agents use to identify the Internet Gateway. You will need to copy the certificate thumbprint and save it; it is entered into the CeM policy on NS75 in a later exercise.
13. Press the “Copy to Clipboard” button
14. Switch to the NS75 VM
15. Open Notepad (Start > Run, type notepad, then OK)
16. Paste the copied contents into Notepad and save it on your desktop for later. This text will be used on the NS75 in a later step.
17. Switch to the MONITOR VM
18. Click the Servers tab and click the Add Server button
19. Enter NS75.symplified.org in the Host Name field and Click OK. This may take a few seconds…
20. If a window appears that asks you to restart the services, Click Yes
21. After a few seconds you’ll see the NS75 server added to the Servers Tab
22. Press the Settings tab and review the gateway core settings.
23. Close the Internet Gateway Manager. You have now created an Internet Gateway. You may add additional Notification Servers and Site Servers by simply adding them to the Internet Gateway Manager.
Lab Exercise 4: Configuring the CeM Policy
1. Switch to the NS75 VM
2. Open the Symantec Management Console
3. Under the Main Menu, select Settings | Notification Server | Cloud-enabled Management
4. In the left pane, expand the Cloud-enabled Management > Policy folder, and then click Cloud Enabled Management Settings.
5. In this section you will configure the Cloud Enabled Management Settings
6. Switch this policy to On by changing the OFF button to On in the top right corner of the right pane (It will turn Green)
7. Click the Add Gateway button
a. Type MONITOR.symplified.org into the Server name: field
b. Type 443 for the Port: number
c. Copy/Paste the Thumbprint you saved in notepad into the Thumbprint: field
d. Press OK
At this point we want to specify the group of computers that we would like to enable the CeM features on. In our case, we would like to make sure that Win7 is managed with this policy and that it adds the Cloud Enabled functions to the standard Symantec Management Agent that was previously installed on it. This is a typical action used to enable endpoints with standard Symantec Management Agents to be cloud enabled.
8. Press the Apply to button then choose Computers
a. Press the Add rule button
b. Enter the following settings: THEN: exclude computers not in | Group | Cloud Enabled Computers > CeM Endpoints
c. Press the Update Results button. You will notice that there are no computers in this target.
d. Press OK, then click Save Changes in the Cloud Enabled Management Settings window
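The agent trusts the gateway by the thumbprint entered in step 7c, not by a CA chain (the gateway certificate is self-signed), so a mismatch between what MONITOR presents on port 443 and what the policy holds is the first thing to check when an agent will not enter Cloud Enabled mode. The following Python script is an added example, not part of the lab or of the Symantec product. It assumes the thumbprint that Internet Gateway Manager copies to the clipboard is the standard Windows SHA-1 certificate thumbprint, and it uses the lab's gateway name and port; run it from any Internet-connected host with the thumbprint saved in Exercise 3 as its argument.

```python
"""Check that the Internet Gateway presents the certificate pinned in the CeM policy.

Added example for this lab, not part of the Symantec product. Assumption: the
thumbprint that Internet Gateway Manager copies to the clipboard is the usual
Windows certificate thumbprint, i.e. SHA-1 over the DER-encoded certificate.
"""
import hashlib
import socket
import ssl
import sys

HEX_DIGITS = frozenset("0123456789ABCDEF")


def thumbprint_from_der(der: bytes) -> str:
    """Thumbprint as the console shows it: upper-case hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Reduce a pasted thumbprint (spaces, colons, mixed case) to 40 hex digits."""
    cleaned = "".join(ch for ch in value if ch.isalnum()).upper()
    if len(cleaned) != 40 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError("not a SHA-1 thumbprint: %r" % value)
    return cleaned


def gateway_matches_policy(der: bytes, policy_thumbprint: str) -> bool:
    """True when the certificate the gateway presented is the one the policy pins."""
    return thumbprint_from_der(der) == normalize_thumbprint(policy_thumbprint)


def fetch_gateway_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Open a TLS session to the gateway and return its leaf certificate in DER.

    Chain validation is deliberately off: the gateway certificate is self-signed,
    and the trust decision is the thumbprint comparison, exactly as the agent does it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_gateway(host: str, port: int, policy_thumbprint: str) -> bool:
    """Fetch the live certificate and compare it with the pinned thumbprint."""
    der = fetch_gateway_cert(host, port)
    ok = gateway_matches_policy(der, policy_thumbprint)
    print("%s:%d presents %s" % (host, port, thumbprint_from_der(der)))
    print("matches CeM policy thumbprint: %s" % ok)
    return ok


if __name__ == "__main__":
    # Lab values; the thumbprint is the one saved in Notepad in Exercise 3,
    # passed here as the first argument.
    if len(sys.argv) != 2:
        sys.exit("usage: %s <thumbprint from Internet Gateway Manager>" % sys.argv[0])
    sys.exit(0 if check_gateway("MONITOR.symplified.org", 443, sys.argv[1]) else 1)
```

Because chain validation is disabled, the script proves only that the certificate presented on MONITOR:443 is the one pinned in the policy, which is the same trust model the agent applies. It also makes the operational consequence visible: if the gateway certificate is ever regenerated, the new thumbprint has to be entered in this policy as well, or every Cloud Enabled agent will refuse the gateway.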
Lab Exercise 5: Cloud Enabled Management Behavior
The CeM Settings policy has been created, and any computer that gets added to the Cloud Enabled Computers > CeM Endpoints organizational group will receive the policy and have the Cloud Enabled features turned on.
1. Switch to the WIN7 VM
2. Double Click on the Symantec Management Agent in the Tray
3. Click on Settings in the top right side
4. Note that the agent is communicating with the Notification Server: the tray icon shows the SMA logo with a green lock. Look under Network Status to see that this agent is “Connected to the SMP Server via HTTPS” and that “Cloud-enabled Management Mode is disabled”
You are probably wondering why the Cloud Enabled Management mode is disabled. This is because the Cloud Enabled policy settings do not apply to WIN7, which has not been added to the Cloud Enabled Computers > CeM Endpoints group. In order for this standard Symantec Management Agent installation to be Cloud Enabled, it must receive its policy.
1. Switch to the NS75 VM
2. Open the Symantec Management Console
3. On the Main Menu, choose Manage | Organizational Views and Groups
4. In the left pane, expand Cloud Enabled Computers > CeM Endpoints
5. In the right pane, select the +Add button and select Computers
6. Search for Win7 on the Available Resources side and select it
7. Press the single right arrow (>) to bring it to the selected resources side
8. Press OK.
9. We will now run a Policy Update to speed up the process… In the Main Menu, select Settings > Notification Server > Resource Membership Update
10. Under Policy Update Schedule, Press the Run button on the right side. You should see “Policy Update Schedule has Completed” at the top of the window when it completes.
In order for the WIN7 VM to receive the CeM Policy, it must connect to the Notification Server and get it.
11. Switch to the Win7 VM
12. Right click on the Symantec Management Agent in the tray
13. Select Symantec Management Agent
14. Click on Settings
15. Press the Update button. If the Requested and Changed Time/Date are not the same, wait a few seconds and press the Update button again.
16. You will eventually notice that the Network Status will change to “Cloud Enabled Management mode is enabled but Inactive”. This shows that this Symantec Management Agent is now capable of Cloud Enabled features.
17. Leave the Symantec Management Agent Settings window open so you can view the agent status when we make some changes to show the CeM features.
18. TO EMULATE A NETWORK DISCONNECTION, let's disable the network card:
a. Select the Network Icon on the Tray and Select “Open Network and Sharing Center”
b. Select “Change adapter settings” on the left side of the window
c. Right Click on the Local Area Connection and select Disable. Keep this window open.
d. Switch to the Symantec Management Agent settings window
e. Notice that the Network Status has changed to “Disconnected from SMP Server” and that the tray icon shows the agent as disconnected
19. TO EMULATE A NETWORK RE-CONNECTION, let's enable the network card:
a. Return to the Network Adapter window
b. Right Click on the Local Area Connection and select Enable
c. Switch to the Symantec Management Agent settings window
d. Notice that the Network Status has changed to “Connected to SMP Server via HTTPS” and that the tray icon shows the agent as connected, with a green lock icon
20. TO SIMULATE A WAN CONNECTION
Normally you would have the endpoint on an internet connection, but since we have a VMWare Virtual environment, we will simply run a command file that will modify the target IP address of NS75 in the ‘hosts’ file on the WIN7 VM. This will ensure that we cannot ping NS75 through this subnet and will emulate WIN7 being on the internet.
a. Double click the WAN.CMD file located on the Desktop and review the output in the command window.
We have essentially redirected NS75.symplified.org to IP address 10.10.10.10 to show that WIN7 is no longer directly connected to NS75.
b. Press any key to continue
c. Switch to the Symantec Management Agent settings window
d. Press the Update Button.
e. The Symantec Management Agent Settings dialog box should eventually show that the Network Status has changed to “Connected to SMP Server via internet gateway” and that “Cloud-enabled Management mode is active”.
The tray icon also changes to a green cloud. This process should take under 5 minutes to switch to Cloud Enabled mode.
NOTE: If the Agent does not switch to Cloud Enabled Management mode in 5 minutes, simply disable and enable the Network Card as you did in Steps 18 and 19 and it should switch right away.
21. Keep the Agent in Cloud Enabled Mode for the rest of this Lab – Do not switch it back to a LAN Configuration
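WAN.CMD itself is not reproduced on this page. The following Python script is an added example, not the lab's file, that does the same thing as pure text operations on the hosts file, so the change and its reversal can be checked offline before touching a real endpoint. It reuses the lab's values (NS75.symplified.org black-holed to 10.10.10.10) and assumes it is run from an elevated prompt on the endpoint when it writes the system hosts file. The same WAN.CMD step is repeated on WINXP in Exercise 7, where this script applies unchanged.

```python
"""Emulate the lab's WAN.CMD: black-hole NS75 in the hosts file so the agent
cannot reach the Notification Server directly and falls back to the Internet
Gateway, and undo it afterwards.

Added example, not the lab's WAN.CMD. Lab values: NS75.symplified.org and
10.10.10.10. The edits are pure text functions so they can be checked offline;
writing the real hosts file needs an elevated prompt on Windows.
"""
import os
import shutil
import sys

NS_FQDN = "NS75.symplified.org"
BLACKHOLE_IP = "10.10.10.10"
MARK_ADD = "# CeM-lab WAN emulation"        # tags the line this script adds
MARK_OFF = "# CeM-lab disabled: "           # prefix on lines it comments out


def _is_entry_for(line: str, hostname: str) -> bool:
    """True when a (non-comment) hosts line maps hostname, case-insensitively."""
    fields = line.split("#", 1)[0].split()
    return len(fields) >= 2 and hostname.lower() in (f.lower() for f in fields[1:])


def _join(lines):
    return "\n".join(lines) + ("\n" if lines else "")


def emulate_wan(hosts_text: str, hostname: str = NS_FQDN, ip: str = BLACKHOLE_IP) -> str:
    """Comment out every existing mapping for hostname and add one marked
    entry pointing it at an unreachable address. Running it twice is a no-op."""
    out = []
    for line in hosts_text.splitlines():
        if _is_entry_for(line, hostname) and not line.rstrip().endswith(MARK_ADD):
            line = MARK_OFF + line
        out.append(line)
    if not any(l.rstrip().endswith(MARK_ADD) for l in out):
        out.append("%s\t%s\t%s" % (ip, hostname, MARK_ADD))
    return _join(out)


def restore_lan(hosts_text: str) -> str:
    """Reverse emulate_wan: drop the added line, uncomment what it disabled."""
    out = []
    for line in hosts_text.splitlines():
        if line.rstrip().endswith(MARK_ADD):
            continue
        if line.startswith(MARK_OFF):
            line = line[len(MARK_OFF):]
        out.append(line)
    return _join(out)


def resolve_in_hosts(hosts_text: str, hostname: str):
    """First address the hosts file gives for hostname, or None if DNS would be used."""
    for line in hosts_text.splitlines():
        if _is_entry_for(line, hostname):
            return line.split("#", 1)[0].split()[0]
    return None


def apply_to_hosts_file(mode: str, path: str = None):
    """Rewrite the system hosts file in place (after taking a backup) and
    return the address NS75 now resolves to from hosts, or None."""
    path = path or os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "System32", "drivers", "etc", "hosts")
    with open(path) as fh:
        text = fh.read()
    shutil.copyfile(path, path + ".cem-backup")      # keep a copy before editing
    text = emulate_wan(text) if mode == "wan" else restore_lan(text)
    with open(path, "w") as fh:                      # needs an elevated prompt
        fh.write(text)
    return resolve_in_hosts(text, NS_FQDN)


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "wan"   # "wan" or "lan"
    print("%s now resolves from hosts to: %s" % (NS_FQDN, apply_to_hosts_file(mode)))
```

Commenting out the existing mapping rather than deleting it is what makes `restore_lan` a true inverse; the backup copy covers the case where the file was edited by hand in between. Note that only the hosts lookup is changed: the agent's own DNS cache and any open HTTPS session to NS75 still have to expire, which is why the lab allows up to 5 minutes (or a network card disable/enable) before the agent reports Cloud Enabled mode as active.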
Exercise 6: Creating an Internet Site Server (with Package Services)
In order to optimize package distribution within an Internet site it is necessary to have Package Services in that site. The Symantec Management Platform does not restrict a CeM agent from downloading packages from package servers in the internal NS network through the Internet Gateway. In cases where customers would like an Internet distribution infrastructure for these endpoints, Internet Site Servers can be created.
Now that the CeM Agent is installed and operational in WIN7, we can assign this endpoint as an Internet Site Server and add Package Services to its role for purposes of internet facing package distribution. This model can be used in any customer for roaming user scenarios where internet delivery of packages is a requirement. There is no difference in the installation procedure of Package Services plug-in installation on the target Site Servers with CEM-enabled agents or Site Servers with Standard Agents residing in the internal (NS) network.
NOTE: IIS should be installed on any Internet Facing Site Server that will host Package Services so that the packages will be secure and available as HTTPS codebases. To be sensitive to the time required for this lab and limitations of the VM Environment, the IIS installation has been completed on this Windows 7 endpoint.
1. Switch to the NS75 VM
2. In the Symantec Management Console, Select Settings > Notification Server > Site Server Settings from the main menu
3. In the left pane, expand the view to Site Management > Internet Sites > Default Internet Site
4. Select the Site Servers folder (Under Default Internet Site)
5. In the right pane, press the New button under Detailed Information
6. Find the WIN7 computer
7. Press the right arrow button (>) to add it to the selected computers list
8. Press OK. The Add/Remove Services window appears
9. Select the Package Service box and press Next.
10. Press OK. The add/remove services window closes. This process will install the Package Service on WIN7 and assign it to the site “Default Internet Site”
11. To speed things along, Select Settings > Notification Server > Resource Membership Update from the main menu
12. Press the Run button under the Policy Update Schedule section
13. Wait until it finishes. You should see an updated status at the top of this screen
14. Switch to the WIN7 VM
15. Right click on the Symantec Management Agent in the tray
16. Select Symantec Management Agent
17. Click on Settings
18. Press the Update button. Notice that the Requested and Changed Time/Date are now the same.
19. Wait a few seconds – You should notice the Symantec Management agent closing by itself. It will eventually re-appear in the tray
20. Once the Symantec Management Agent re-appears, Double click on it to open it.
21. Click on the Settings button, then press the Update button.
22. Select the Package Server Tab on the other Symantec Management Agent window – leave it here.
23. Switch to the NS75 VM
24. Select Settings > Notification Server > Resource Membership Update from the main menu
25. Press the Run button under the Delta Update Schedule section. Wait until a message stating “Delta Update Schedule has Completed” appears at the top left of this window.
26. Open the Windows Task Scheduler using the shortcut on the taskbar (The Clock Icon). Once it loads, click on the “Task Scheduler Library” folder in the left-hand pane.
27. In the right-hand pane, find the “NS.Package.Refresh…” task, right-click on it, and choose Run. Continue to refresh it until it finishes.
28. Switch to the WIN7 VM
29. In the Symantec Management Agent Window, Click on Settings
30. Press the Update button
31. In the Package Server Tab on the other Symantec Management Agent window, you should notice the packages starting to download.
32. Press the Refresh Packages button to speed up the process.
NOTE: If the Symantec Management Agent windows close during this process, simply wait for it to reappear in the task tray and go to the Package Server Tab and press Refresh Packages to review the status. If it does not re-appear, you can run services.msc and start the “Symantec Management Agent” Service.
33. Normally you would wait until all software packages are replicated to the Site Server, but you can proceed with the next steps if you see 7-zip 9.15 English (United States) and Updates that are named “install_flash_player_10_...” showing “Package is Ready” in the Package Status column. If you wait until it is completed, you should see at least 320 packages indicated under “Available packages.”
34. Press the Resend Package Status button to send the status to NS75.
35. In the Symantec Management Agent Window, Click on Settings
36. Press the Update button
37. Switch to the NS75 VM
38. Select Settings > Notification Server > Site Server Settings from the main menu
39. In the left pane, expand the Site Management > Internet Sites
40. Select Default Internet Site
41. Expand the Package Service section on the right pane and notice the status: you should see a graph that shows the updated status and number of packages.
42. You have now created an Internet Site Server with Package Services for use by the CeM Endpoints.
Exercise 7: Creating and Deploying the CeM Installation Package
Creating the CeM Agent Installation Package
In this scenario we would like to create a CeM Agent Installation Package that will be installed on any endpoint that connects to the network via WAN/Internet. This process is used to create a package that can be used to install the CeM Agent on any device you wish to manage that is on the Internet.
1. Switch to the NS75 VM
2. Open the Symantec Management Console
3. On the main menu click on Settings | Notification Server | Cloud-enabled Management
4. In the left pane, expand the Cloud-enabled Management > Setup folder, and then click Cloud-enabled Management Setup
5. Click on the Symantec Management Agent Configuration tab
6. Click on the Generate and download Symantec Management Agent installation package link towards the bottom of the page. The CeM Installation Package setup screen will appear
7. Setup the CeM Agent Package with the following settings:
a. On the Policy section select Cloud-enabled Management Settings.
b. Then select CeM Endpoints from the Organizational Group drop down list.
c. Type in the installation name of CeMInstall for the Installation Name
d. Enter an Expiry Date that is 2 days from today’s date
e. Enter Password1$ for the Password Encryption Password and Confirmation Password.
f. Press the Generate Agent Installation Package button and wait until it completes.
g. Click on the Download Package link (middle of the page) and choose “Save As” and save it as:
\\winxp\c$\Documents and Settings\Administrator.SYMPLIFIED\Desktop\CeMInstall.exe
This will save it to the WINXP Desktop for you.
h. Close the Download Package dialog box.
i. Click Close on the Package Installer screen
NOTE: The Cloud-enabled Agent installation package is valid for a limited period of time. By default, it is valid for seven days from the time that it was generated (this lab shortens it to two days). If you use this package to install the agent after it has expired, the installed agent is not able to use the SMP Internet Gateway for communication; you then have to reinstall the agent using a newly generated installation package. Other options in this installation package, such as limiting the number of registrations and signing using a thumbprint or file, can be used to prevent malicious installation of this agent.
Deploying the CeM Agent Installation Package to an Internet Connected Endpoint
The process for deploying a CeM Agent is the same installation process that you would use to get the agent installed on ANY device that is not connected to your LAN. This installation package would be sent to the target customer in this case and would simply be installed on the customer’s endpoint. Once installed the agent will report through the Internet Gateway to its destination Notification Server where it would be managed from.
1. Switch to the WINXP VM
2. Make sure the CeMInstall.exe file is placed on the desktop. If it is not, you may have saved it on the Desktop of NS75 by accident; simply browse to \\NS75\c$\Users\Administrator.SYMPLIFIED\Desktop and copy it to the WINXP desktop.
3. The WINXP VM is currently able to connect to NS75. To emulate WINXP on a WAN/Internet environment, simply double click the WAN.CMD file located on the Desktop and review the output in the command window.
We have essentially redirected NS75.symplified.org to IP Address 10.10.10.10 to show that it is not directly connected to WINXP.
4. On the Desktop, run the CeMInstall.exe installation file by double clicking it, and enter the password (Password1$) when prompted
5. Wait until the end of the installation; a box will appear telling you that the installation succeeded, then press OK.
6. The Symantec Management Agent will eventually appear in the task tray. It should eventually appear as a green cloud.
7. Double Click on the Symantec Management Agent in the tray once it appears
8. Press the Settings Icon in the top right
9. Press the Update, then Send Button.
10. Switch to the NS75 VM
11. In the Console main menu, select Settings > Notification Server > Resource Membership Update
12. Press the Run button under the Delta Update Schedule section. Wait until a message stating “Delta Update Schedule has Completed” appears at the top left of this window.
13. Under Policy Update Schedule, Press the Run button on the right side. You should see “Policy Update Schedule has Completed” at the top of the window when it completes.
14. Switch to the WINXP VM
15. Double Click on the Symantec Management Agent in the tray once it appears
16. Press the Settings Icon in the top right
17. Press the Update button. The agent should eventually disappear and then return a few seconds later.
18. Allow time for the Agent plugins to load. You can proceed with the lab once you see the following:
a. Select the Software Delivery Tab
b. Check the first 3 check boxes in the Options section on the Right
c. Make sure that the Inventory, Software Management, and Software Update Plugins are present
19. Switch to the NS75 VM
20. Select Settings > Notification Server > Resource Membership Update from the main menu
21. Press the Run button under the Delta Update Schedule section. Wait until a message stating “Delta Update Schedule has Completed” appears at the top left of this window.
22. In the main console menu, Select Manage > Organizational Views and Groups
23. Open the Cloud Enabled Computers > CeM Endpoints group
24. Notice that WINXP was automatically added to this group (As it was specified in the installation package)
25. Switch to the WINXP VM
26. Double Click on the Symantec Management Agent in the tray
27. Press the Settings Icon in the top right
28. Press the Update button. The agent downloads additional plugins, and the Software Delivery tab will eventually settle down once they are installed.
Exercise 8: Solution Execution with Cloud Enabled Management
Capturing Inventory in the Cloud
This task will demonstrate the ability to gather inventory from endpoints that are not connected to the local network. The method to gather inventory is no different than the standard methods used for LAN connected endpoints.
1. Go to the NS75 VM
2. Open the Symantec Management Console
3. Go to Manage|Policies
4. In the Policies pane on the left, browse to Discovery and Inventory > Inventory and select the Collect Full Inventory policy
5. In the settings on the right pane, select the Custom Schedule link
6. Set the start time for 2 minutes after the current time
7. In the Applies To/Compliance section, select the first entry in the list, then press the red ‘X’ to delete it.
8. Press the Applied to button and choose Computers
9. Press the Add rule button
10. Enter the following settings: THEN: exclude computers not in | Filter | Windows XP Computers
11. Press the Update Results button.
12. Press OK
13. Turn on the Policy by changing the OFF button on the top right of the window to ON (It will turn Green)
14. Press the Save Changes button on the bottom left side
15. Go to the WINXP VM
16. Double click on the Symantec Management Agent in the task bar
17. Press the Settings icon on the top left corner
18. Press the Update Button
19. Go to the Task Status Tab on the other Symantec Management Agent window.
20. Press the Check for Tasks button to speed things up.
21. Wait for the Collect Full Inventory task to start
22. This has just shown that Inventory Policies and many tasks can be run through CeM.
Delivering Software in the Cloud
This task will demonstrate the ability to distribute software to endpoints that are not connected to the local network. The method to distribute software is no different than the standard methods used for LAN connected endpoints. You will also see that this process will utilize the Internet Site Servers that we provisioned in previous steps.
1. Go to the NS75 VM
2. Open the Symantec Management Console
3. Click on Manage|Software
4. In the left pane, under Deliverable Software, Select Software Releases
5. In the middle pane, Right Click on the 7-Zip 9.15 software package and Select Actions > Managed Software Delivery
6. Press Next
7. Press the Apply to button and select Quick Apply
8. Enter Windows XP Computers in the search field
9. Select the Windows XP Computers entry when it appears, then click Apply
10. Press Next
11. Press the Add Schedule button and select Schedule Window
12. Enter 10 minutes in the “During Window, check every” field
13. Press Next
14. Press Deliver Software
15. Select Settings | Notification Server | Resource Membership Update from the main menu
16. Press the Run button under the Policy Update Schedule section and wait until it completes with a status message in the top of the page.
17. Switch to the WINXP VM
18. Double click on the Symantec Management Agent in the task bar
19. Press the Settings icon on the top left corner
20. Press the Update Button
21. Select the Software Delivery Tab on the other Symantec Management Agent window
22. You should eventually see the 7-Zip 9.15 managed delivery task execute. You can execute it immediately by Selecting the 7-Zip 9.15 Policy in the right pane, then pressing the 7-Zip 9.15 task under the Application Tasks section in the left side of the window.
23. You should see the 7-Zip 9.15 software policy change from “Running”, to “Compliant” when it is completed
24. Check the install to see that 7-zip is installed in the Start > All Programs > 7-Zip Folder
25. Return to the Symantec Management Agent window, double click the “Downloading Package for 7-Zip…” reference in the Task list and select the Download History tab
26. Notice the codebases that were presented (Source Location: section) and the Source under the Download History section. It should show them as coming from the WIN7 Internet Site Server and not the Notification Server.
The process for obtaining codebases for package locations uses the same web service for both standard and CeM Agents: GetPackageInfo.aspx is called, and it returns NS codebases or Internet codebases depending on the Agent state.
Patching Systems in the Cloud
This task will demonstrate the ability to distribute software updates to endpoints that are not connected to the local network. The method to distribute software updates is no different than the standard methods used for LAN connected endpoints.
1. Go to the NS75 VM
2. Open the Symantec Management Console
3. Go to Home|Patch Management in the main menu
4. In the Left Pane, select the Compliance by Computer link
5. Right Click on the WINXP entry in the report and select View Not Installed Updates
6. Select bulletin number APSB13-09 software update and right click on it, then Distribute Packages
7. Expand the Package Options section with the down arrow on the right and Select Run (Other than agent default) – As soon as possible
8. Under the Apply to Computer section, Select “Windows Computers with Software Update Plug-In Installed Target”, then press the Red X above it.
9. Select the Apply To button and select Quick Apply
10. Enter Windows XP Computers in the search field
11. Select the Windows XP Computers entry when it appears, then click Apply
12. Press Next
13. Turn on the Software Update Policy by changing it from Off to On on the top right side of the window (it should turn green)
14. Press Distribute Software Updates button. It may take a few seconds to create the policy.
15. Press Close when it completes the creation of the policy
16. Open the Task Scheduler using the shortcut on the taskbar (the clock icon). Once it loads, click on the “Task Scheduler Library” folder in the left-hand pane.
17. In the right-hand pane, find the “NS.Windows Patch Remediation Settings” task, right-click on it, and choose Run.
18. Continue to refresh the window until it finishes running. This step is not necessary in a production environment, as the task automatically runs every 30 minutes. We are simply executing it manually to speed things up for the convenience of the lab.
19. Go to the WINXP VM
20. Double click on the Symantec Management Agent in the task bar
21. Press the Settings icon on the top left corner
22. Press the Update Button, notice how the Requested and Changed times match
23. Press the Software Delivery Tab on the other Symantec Management Agent window. You should see an install_flash_player_10_... policy appear in the list.
24. Press the Software Updates Tab on the Symantec Management Agent window. You should eventually see a Pending update APSB13-09 Bulletin appear in a few minutes
25. Go to the Software Delivery Tab. Keep this window open and check back every few minutes for your Microsoft patch update to download.
26. The process will eventually run in less than 5 minutes. You will see a Software Update Installation Notification pop-up when it is ready to install. (You may move on to the next item if you wish, and check back later)
27. Once the patch process has completed, you can double click on the install_flash_player_10_... update and see the download source listed as the WIN7 site server under the Download History tab.
Lab Exercise 9 (OPTIONAL): CeM Reporting
The purpose of this section is to familiarize you with the various reports that are available for Cloud Enabled Management.
1. Go to the NS75 VM
2. Open the Symantec Management Console
3. Go to Reports | All Reports
4. On the left pane, browse to Reports > Notification Server Management > Agent > Cloud Enabled Management
5. The following table lists the reports available and a detailed description of what they show
6. Run some of the sample reports to see how they can be used in various situations. Note that some of the reports will not present data as you have just recently created the Cloud Enabled Infrastructure.
CEM Report Name | Description
Agents Distribution by Connection Type | Compares the number of clients connecting from the internal network with the number of clients connecting from the Internet. Data is updated on a daily basis and does not represent the real-time situation.
Agents not connecting from internal network | Shows clients that have not recently connected from the internal network.
Agents not connecting over Internet | Shows clients that have not recently connected from the Internet.
Agents with Cloud-enabled Management configuration and connection problems | Shows a list of inactive clients and clients which failed in their last attempt to communicate over the Internet in a specified period.
Average Agents Connection Time by Type | Compares the amount of time clients spend on the internal network with the time spent on the Internet. Data is updated on a daily basis and does not represent the real-time situation.
Computers by Gateway | Shows computers communicating via a specific gateway.
Count of Computers by Gateway | Shows the number of computers communicating via each gateway.
Internet Gateway communication problems | Shows the number of communication failures reported by Agents for each gateway. Each computer is counted only once.
Internet Gateway communication problems (details) | Shows the Agents that have reported failures for the chosen Internet Gateway. Each computer is counted only once.
Servers with Internet Gateway connection problems | Shows servers that Internet Gateways fail to make contact with.
Servers with Internet Gateway connection problems (details) | Lists the Agents that failed to connect to a specific server via a specific Internet Gateway.
APPENDIX A: Cloud Enabled Management FAQ
1. Is there an incremental licensing cost for the CEM functionality and SMP Internet Gateway(s)?
No, this functionality is part of the Symantec Management Platform and is free of charge.
2. Will Symantec sell the Internet Gateway (IG) component as a hardware appliance? No, currently there are no plans to offer the IG as an appliance. Customers would need to deploy a hardware box or a VM.
3. What OS is required for the SMP Internet Gateway? Currently, the SMP Internet Gateway supports Windows Server 2008 R2 SP1 64-bit. (.NET 3.5 SP1 is also required, but only to install the IG.)
4. Is it possible to install the Internet Gateway component on a Linux system? In the expected release of CeM there are no plans to support Linux as a base for the IG.
5. Do I need to have a Symantec Management Agent (SMA) installed on the Internet Gateway? No, the SMA is not required on the IG. However, having the SMA installed on the IG allows for advanced reporting as well as automated IG upgrade/patching, although extra security precautions should be observed.
6. What SMA managed Operating Systems are expected to be supported by CEM? Windows agents are expected to be able to leverage CEM functionality. Mac OS support may be included in future releases.
7. Which solutions are expected to be supported by the CEM functionality in its first release? Most core CMS/ITMS solutions and functionality are expected to be supported over CEM; Inventory/Metering, Software Management Solution and Patch. ServiceDesk, Asset/Barcode, ITA are not affected by the CEM functionality.
8. Which solutions may not be supported by the CEM functionality in its first release? Monitor Solution, Deployment Solution (DS), Network Discovery, Virtual Machine Management, SEPIC and OOB/RTSM may not be supported in this CeM release. Software Portal functionality may not be available because it consists of a web page hosted on the Notification Server. Basic Monitor Solution and DS support may be included in a future release.
9. What are the limitations of running tasks over CEM? Server-initiated tasks can run over CEM with some delay. It should be noted, though, that clients accessing tasks use pull functionality, not push. This means that an agent will only look for a task during its next task check-in cycle (every 30 minutes, by default). These cycles as well as task timeout settings can be managed from the Symantec Management Platform. Look under Settings->Notification Server->Task Settings->Task Agent Settings.
Also note that Task Server cannot communicate to the NS through the gateway, which means that TS must be located on the local network with the NS.
10. For security and optimal load balancing reasons we want to place all of our IGs behind a hardware load balancer. Is it supported? No, it is currently not officially supported (although it should work just fine out of the box). QA is expected to not certify this environment in the first release. This certification is expected for the next release.
11. Is there built-in load balancing in the SMA in environments with multiple IGs? Yes, based on the policy defined by the administrator, the SMA may know about multiple IGs in the environment. The agent uses a round-robin mechanism to select IGs, where each subsequent connection uses the next gateway in the list. If the connection to a gateway fails for any reason, that gateway is skipped and the SMA connects to the next gateway in the list.
Additionally, the SMA retries "bad gateways" after a 15 minute timeout (registry controllable). Finally, there is back-off logic that increases the timeout between retries until a maximum timeout (24 hours) is reached.
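The gateway-selection behaviour described in FAQ 11 (round-robin, skip on failure, 15 minute retry, back-off capped at 24 hours), modelled as an added example for this lab guide. This is not Symantec Management Agent code: the class and function names are invented, the doubling back-off schedule is an assumption (the FAQ only states the 15 minute start and 24 hour ceiling), and the outage scenario in `simulate()` is constructed.

```python
"""Illustrative model of the Internet Gateway selection that FAQ 11 describes:
round-robin over the IG list, skipping a gateway whose connection fails,
retrying a "bad gateway" after 15 minutes and backing off up to 24 hours.
Added example for this lab guide, not Symantec Management Agent code; every
name below is invented for illustration."""
from dataclasses import dataclass

RETRY_TIMEOUT_S = 15 * 60       # first retry wait for a failed gateway (FAQ 11)
MAX_BACKOFF_S = 24 * 60 * 60    # longest wait between retries (FAQ 11)


def backoff(failures):
    # 15 min, 30 min, 1 h, ... doubling until the 24 h ceiling is reached
    return min(RETRY_TIMEOUT_S * 2 ** (failures - 1), MAX_BACKOFF_S)


@dataclass
class GatewayState:
    host: str
    failures: int = 0           # consecutive failed connection attempts
    retry_after: float = 0.0    # gateway is skipped while now < retry_after


class GatewaySelector:
    """Round-robin picker that remembers which gateways are currently bad."""

    def __init__(self, hosts):
        self.states = [GatewayState(h) for h in hosts]
        self.cursor = 0         # index of the gateway to try next

    def pick(self, now):
        """Next usable gateway in list order after the last one used, or None."""
        for i in range(len(self.states)):
            idx = (self.cursor + i) % len(self.states)
            gw = self.states[idx]
            if now >= gw.retry_after:
                self.cursor = (idx + 1) % len(self.states)
                return gw
        return None

    def report(self, gw, ok, now):
        """Reset a gateway on success, otherwise mark it bad with a back-off."""
        gw.failures = 0 if ok else gw.failures + 1
        gw.retry_after = 0.0 if ok else now + backoff(gw.failures)


def connect(selector, attempt, now):
    """Walk the gateway list until one connection succeeds; attempt(host)
    stands in for the real HTTPS connect and returns True on success."""
    for _ in range(len(selector.states)):
        gw = selector.pick(now)
        if gw is None:
            break
        if attempt(gw.host):
            selector.report(gw, True, now)
            return gw.host
        selector.report(gw, False, now)
    return None                 # every gateway is currently backed off


def simulate():
    """Constructed scenario: gw-b is unreachable for the first hour and then
    recovers; the agent reconnects every 5 minutes for two hours."""
    selector = GatewaySelector(["gw-a", "gw-b", "gw-c"])
    chosen = []
    for minute in range(0, 120, 5):
        now = minute * 60
        reachable = lambda host, t=now: not (host == "gw-b" and t < 3600)
        chosen.append(connect(selector, reachable, now))
    return chosen
```

In the simulated outage the agent alternates between gw-a and gw-c while gw-b is backed off, and gw-b only re-enters rotation once its growing retry window has expired, which is the behaviour to expect in the "Internet Gateway communication problems" reports after a gateway outage.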
12. Will the SMA know when a device is on or off the network and whether to use the IG? Yes, this functionality is called Automatic Agent Switching. The agent uses the most optimal method of communication available: LAN when on the LAN, VPN when connected over VPN, and CEM only when those are not available and the agent is enabled for CEM. Any time connectivity changes, the agent senses it and adjusts appropriately.
13. Can one NS have multiple IGs? Yes. It is actually a best practice to have at least two IGs for fault-tolerance purposes.
14. Can one IG serve multiple NS’s? Yes. One IG can tunnel traffic to multiple NS’s.
15. Is there a maximum number of IGs per NS? No, there is no limit.
16. Is there a maximum number of NS’s per IG? No, there is no limit.
17. What is the scalability of SMP Internet Gateway? Theoretically, one IG can support up to 3,000 concurrent connections, which, under normal circumstances, translates into 60,000 CeM-enabled nodes.
18. I have 20k nodes on one NS and 30% of my users are mobile (enabled for CEM). How many IGs do I need? For this scenario the best practice would be to have two IGs (to ensure high availability); however, even one IG would be able to easily handle this configuration.
19. We have 180k nodes split across two hierarchies with 70% of users CEM enabled. How many IGs do we need? The best practice would be to have at least four IGs: three to handle the node load and one for fault-tolerance.
20. What are the hardware recommendations for the IG? For optimal scalability we recommend a hardware-based IG with at least 8GB of RAM, 40GB HDD and dual-core CPU.
21. What are the scalability differences between hardware based IG and a VM based IG? Using VM-based IG lowers its scalability by up to 40%. At the same time, even a VM-based IG is expected to be able to support a fully loaded 20,000 node NS server.
22. Is HTTPS a requirement for client to server communication over CEM? Yes. The SMA and NS must be configured to communicate over HTTPS in order to enable CEM.
23. Can I have my internal/static machines communicate via HTTP and only the external/traveling machines over HTTPS, i.e. run in the mixed mode/environment? Yes, you can configure your infrastructure to work in the mixed mode where local systems communicate with NS via HTTP and only CEM-enabled systems work over HTTPS.
24. Would the packages (Package Server) reside on the Gateway, or would machines connect to the internal site servers once authenticated to the Internet Gateway? I.e. would the IG also behave like a site server (PS/TS)? No, the IG does not include PS/TS functionality and in most cases machines will connect to the internal site servers.
25. Can you define a PS specifically for machines communicating over CEM? I.e. can I have site Servers/PS specific to CEM clients? Yes, site servers are manually assigned via a policy to Internet sites. Each CEM client must belong to some Internet site.
26. If I want to manage a remote site over CEM, will that be supported? Yes, you can manage a remote site over CEM. For more optimal bandwidth management we will support remote Package Servers (PS), so that systems located on that site can download packages from a local PS rather than going back to the NS or a PS on the intranet. However, please note that remote Task Servers (TS) as well as remote Network Discovery (ND) may not be supported in the first release.
27. Can I use CEM in an environment with a hierarchy? Yes, CEM supports hierarchy. The same set of gateways can be used for all SMP Servers and configurations can be pushed down (defining sites for computers on the internet, configuring list of gateways, enabling CEM for targeted endpoints). The only operation that is not available from top-level SMP Server is the offline client package generation.
28. My WAN traffic is pretty expensive (e.g. 3G/4G roaming), so can I allow Patch updates, but block SWM’s software deliveries over CEM? There is currently no UI that allows you to specifically tell the system not to use the IG for Patch or Software Management. It is possible however to limit your targeting based on filter, thus ensuring only specific delivery jobs use the IG. Bandwidth throttling is still fully supported via the IG.
The ability to specifically exclude certain solutions from CEM will not be provided in the first release, but is a high priority going forward.
29. Is it possible to force the SMA to communicate over CEM only? Yes, it is possible to force the SMA to always use the IG and disregard the Automatic Agent Switching functionality, but it is currently done via the registry on the client. "Prefer Secure Gateway Connect"=dword:00000001 under HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Communications.
30. Can I determine whether my Agent is enabled to communicate over CEM from the client side? Yes, just open the SMA’s Settings on the client and look under the Network Status section. You will see “Cloud-enabled Management mode is active” or “Cloud-enabled Management is disabled” or similar.
31. I have multiple Internet Gateways. Can I limit the usage of a particular Gateway(s) to a specific group of clients? Yes, if you don’t want all CEM-enabled clients to know about all available Internet Gateways you can clone the Cloud-enabled Management Settings policy and specify your Internet Gateways per specific group of clients.
32. How easy is it to enable HTTPS and manage certificates for HTTPS? The Symantec Management Platform during installation allows you to create a self-signed certificate to allow SSL communications between the agents and the notification server. The management of these certificates is covered in the help documentation provided online and with the Symantec Management Platform installation.
The IG uses self-signed certificates; these are manually generated through the use of the Gateway Configuration Manager tool. They will need to be manually added to the Internet policy by an administrator. Revocation is also a manual process.
33. How easy is it to perform certificate generation/distribution? It is expected to be a simple step to generate and distribute certificates. As the CEM agent is created the certificate is embedded and can be deployed directly into the environment.
34. Can I use a public CA (e.g. VeriSign) rather than a self-signed certificate for Internet Gateways? Can I use my own certificates for Internet Gateways? No, you must use a system-generated self-signed certificate rather than a commercial one.
35. What is the process to issue, manage and revoke certificates? Gateway self-signed certificates will be manually generated on the gateway machines with the help of the Gateway Configuration Manager tool and will need to be manually added to the Internet policy by an administrator. Revocation is also a manual process. Site server certificates will need to be manually generated and installed on all site servers.
Revocation is expected to be either manual or automated from the console.
Temporary client certificates are generated on the NS automatically for the client installation packages. They are replaced with permanent client certificates on the first use. The temporary and permanent client certificate revocation should be available from the SMP console.
36. Is the Active Directory access needed for CEM to work properly? No.
37. Can our MSP partners use CEM functionality to offer ITMS as a service to their customers? Yes, CEM (incl. remote PS) allows for secure and fully supported management of customers over the WAN. MSPs can use ExSP month-to-month pricing for ITMS, CMS or standalone solutions from within ITMS. It is important to note, however, that MSPs should deploy a separate NS per customer, as full multi-tenancy support may not be provided. Also, customers should not have any direct console access, and any customer-facing dashboards will need to be created by the MSP.
Finally, there is currently no remote Network Discovery (ND) support that would allow for device discovery on a remote site. If Agent push is not possible, an offline client package can be used. I.e. administrators can create an SMA installation package that is enabled for CEM and then deliver it to the customer’s site via offline means.
38. Would there be an appropriate level of reporting provided to get details on the CEM functionality, IG load etc? Yes, many CEM reports are expected to be included with the release. IG load/performance can be determined via PerfMon counters.
39. Is the Symantec Management Agent a requirement for the Internet Gateway? Would the lack of the SMA on the IG limit the amount of data/reporting that I get from the IG? No, the SMA is not a requirement for the Internet Gateway. Lack of the SMA on the IG will not limit CEM reporting. However, in environments with many Internet Gateways it may be beneficial to have the SMA installed to simplify patching and other management tasks. Additionally, if the SMA is installed on an IG it will populate the Internet Gateway filter on the NS.