Set up SSL in Deployment Solution 7.5
Table of Contents
Installing certificates ... 2
Manually installing certificates ... 2
Notification Server/Site Servers ... 4
Import Certificate into IIS ... 4
Set https bindings ... 5
Configure SSL Settings ... 6
Console Settings ... 7
Targeted Agent Settings ... 7
Package codebase Publishing ... 8
Extract SSL Certificates Policies ... 8
SSL Certificate Installation ... 10
Notification Server ... 10
Task Server ... 10
Package Server ... 10
Manual Installation ... 11
Server type-specific install paths ... 12
Preboot Configurations ... 13
WinPE ... 13
LinuxPE ... 14
Recreate Preboot Configurations ... 14
PXE ... 15
Automation Folder ... 15
Notification Server Alias ... 16
SSL-Related Registry Keys ... 16
Troubleshooting Resources ... 17
General Deployment Solution Logging ... 17
SSL Certificate Extraction ... 17
Installing certificates
Certificates will need to be installed on all computers that will be communicating over SSL in production. (It is very possible that the customer has done this already with their own purchased certificate.) The preferred method of installing the certificate throughout the environment is to use a Group Policy. The following is a step-by-step procedure to install the certificate on a single machine.
Manually installing certificates
Obtain/locate the customer’s SSL Certificate Personal Information Exchange (.pfx) file. This certificate will either have been purchased or generated by the customer for their servers and/or environment.
Right-click on the pfx file and choose “Install PFX”
This will bring up the Certificate Import Wizard. Input the path and password as necessary.
When prompted for Certificate Store, choose “Place all certificates in the following store” and Browse. Check “Show physical stores,” expand “Trusted Root Certificate Authorities” and select “Local Computer,” then click OK. Then click “Next.”
Then “Finish.” It will notify you if the installation was successful.
Notification Server/Site Servers
Several things will need to be configured on the Notification Server and Site Servers, mostly in IIS, in order to set up the Servers to use SSL communication.
Import Certificate into IIS
Open IIS Manager and select the root Server Name on the left side tree menu. In the center content window, open “Server Certificates.”
If a .pfx certificate is not readily available, a self-signed certificate can be created on that server. On the right sidebar, click “Create Self-Signed Certificate.” Input a friendly name for the certificate on this server.
The newly created self-signed certificate will be listed under Server Certificates.
*Note: On the Site Servers, the name on the certificate must match the name of the server in order to allow correct communication between clients and that server.*
Set https bindings
In the “Site Bindings” dialog box, choose “Add.” Select “https” from the drop-down menu. Verify the port is set to 443. Under “SSL certificate,” select the appropriate certificate. Click “OK,” then click “Close.”
*Complete the Targeted Agent Settings section before making the following changes to the SSL Settings on the NS to prevent blocking agent communication.*
Configure SSL Settings
Back on the “Default Web Site” page in IIS Manager, open “SSL Settings.”
Console Settings
In the Management Console, the following settings need to be changed to get clients to correctly use SSL in their communications. These changes will only occur on the clients after they get an updated configuration.
Targeted Agent Settings
Open “Targeted Agent Settings” in the Management Console
With a group selected on the left, open the “Advanced” tab. Check the “Specify an alternate URL…” box, and change the “Server Web:” field to “https”. Click “Save changes.”
Package codebase Publishing
Open “Site Server Settings” in the Management Console
On the left tree menu, open “Site Management” >> “Settings” >> “Package Settings” >> “Package Services Settings.” Under “Published Codebase Types,” check the “Publish IIS hosted codebases” box and select the “Publish HTTPS codebases” radio button. Click “Save changes.”
Extract SSL Certificates Policies
On the left tree menu, open “Settings” >> “Agents/Plug-ins” >> “Deployment and Migration” >> “Windows (x64)” >> “Extract SSL Certificate (x64) – Install” and enable it (set to “On”). Click “Save changes.”
SSL Certificate Installation
The Extract SSL Certificate policy configured in the console will run on the Notification Server, Task Servers, and Package Servers in the environment. File names and locations differ depending on the type of server to which they are installed. This installation should execute without any intervention. Below are instructions to verify it has run successfully, and to run manually if it has not.
Notification Server
On the Notification Server, the .pfx and xml files should be located in the “<Program Files>\Altiris\Notification Server\NSCap\bin\Deployment\Certificates” directory as shown.
Task Server
On a Task Server, the .pfx and xml files should be located in the “<Program Files>\Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates” directory as shown.
Package Server
On a Package Server, the .pfx and xml files should be located in the “<Program Files>\Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates” directory as shown.
Manual Installation
Should the correct files not be present/installed on the server, a manual installation can be done using the following steps.
On the server in question, check the Management Agent’s “Software Delivery” tab for the “Extract SSL Certificate” policy. If it is present, double-click it and open the “Download History” tab. Click to open one of the listed source locations. If the “Extract SSL Certificate” policy is not present, or the policy has no source locations, follow the next step, otherwise, skip it.
If the “Extract SSL Certificate” policy was not present, or the policy has no source locations, open “\\<servername>\nscap\bin\Deployment\Installs\Certificate\<x64 or x86>” in Windows Explorer.
In an Administrator: Command Prompt, run the executable file with the switch “exportcert” to install the appropriate certificate. Additional command windows may appear during the execution of this application.
Verify that the certificate files were installed to the correct directory for the roles of that server. The paths are listed again below.
Server type-specific install paths
Notification Server:
“<Program Files>\Altiris\Notification Server\NSCap\bin\Deployment\Certificates”
Task Server:
“<Program Files>\Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates”
Package Server:
“<Program Files>\Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates”
Preboot Configurations
Configuration files within the preboot environments also need to be set to direct Agent communication to use SSL protocols and ports when connecting to the Server(s). These should be changed automatically when SSL is enabled on the server and the appropriate SSL policies are enabled in the console. These configuration files should be changed without user intervention, but below are the locations this can be verified, as well as instructions to change them if needed.
*Note: All the file locations listed below are located on the Notification Server. These are the Package Sources, and will be replicated to Site Servers as part of the normal Package Replication process. This can be expedited by forcing a Package update on all Site Servers.*
WinPE
Open the PECTAgent.ini configuration file at “<Program Files>\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\<x86 or x64>\Base\Program Files\Symantec\Deployment” to check settings.
Confirm the “SMPPort” value is set to 443 and the “SMPProtocol” value is set to https. If these are not set, change the values as needed.
LinuxPE
Using notepad or a simple text editor, open the .aex-agent-install-config configuration file at “<Program Files>\Altiris\Deployment\BDC\bootwiz\oem\DS\Linux\x86\Base\tmp” to check settings.
Confirm the “NSPort” value is set to 443 and the “NSProtocol” value is set to https. If these are not set, change the values as needed.
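The checks in the WinPE and LinuxPE sections above, as an added example script that is not part of Deployment Solution: it reports whether SMPPort/SMPProtocol and NSPort/NSProtocol carry the SSL values and can rewrite a file that still has the http defaults. It assumes both files are plain key=value text (any [section] headers in PECTAgent.ini are passed through unchanged); the sample file contents are constructed.

```python
import re

# Expected values for each preboot environment, as stated in the guide.
EXPECTED = {
    "winpe": {"SMPPort": "443", "SMPProtocol": "https"},
    "linuxpe": {"NSPort": "443", "NSProtocol": "https"},
}

# Constructed sample of a PECTAgent.ini that still points at plain http.
# (Section and server names are placeholders, not the product's layout.)
SAMPLE_WINPE = "[Agent]\r\nSMPServer=ns01\r\nSMPPort=80\r\nSMPProtocol=http\r\n"

# key = value, keeping indentation and the spacing around '=' for rewrites.
_KV = re.compile(r"^(\s*)([A-Za-z0-9_.\-]+)(\s*=\s*)(.*?)\s*$")


def check_settings(text, expected):
    """Return {key: (value_or_None, ok)}; a missing key counts as not ok."""
    found = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            found[m.group(2).lower()] = m.group(4)
    return {k: (found.get(k.lower()), found.get(k.lower()) == v)
            for k, v in expected.items()}


def fix_settings(text, expected):
    """Return text with every expected key set to the SSL value.

    Missing keys are appended so the agent cannot silently keep the
    http/port 80 defaults; the file's line-ending style is preserved.
    """
    nl = "\r\n" if "\r\n" in text else "\n"
    wanted = {k.lower(): v for k, v in expected.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = _KV.match(line)
        key = m.group(2).lower() if m else None
        if key in wanted:
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{wanted[key]}"
            seen.add(key)
        out.append(line)
    out += [f"{k}={v}" for k, v in expected.items() if k.lower() not in seen]
    return nl.join(out) + nl


if __name__ == "__main__":
    for key, (value, ok) in check_settings(SAMPLE_WINPE, EXPECTED["winpe"]).items():
        print(f"{key}={value!r} {'OK' if ok else 'NEEDS CHANGE'}")
    print(fix_settings(SAMPLE_WINPE, EXPECTED["winpe"]), end="")
```

To check a real file, pass its contents to check_settings with EXPECTED["winpe"] or EXPECTED["linuxpe"] and review the result before writing back the output of fix_settings.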
Recreate Preboot Configurations
These newly changed files will be built into all preboot configurations which are built going forward. If there are existing preboot configurations, they will need to be recreated in order to have those changed files be included.
Select the preboot configuration to recreate, then click “Recreate Preboot Configuration.” A pop-up will confirm that a recreation has been initiated.
PXE
Once each Site Server has rebuilt the configuration on its server, it will be available for clients to PXE boot into.
Automation Folder
Once the automation folder has been recreated on the Notification Server, the newly built folder will need to be installed on the affected client machine(s). This can be done via policy by uninstalling and then reinstalling on client machines, or via task by pushing the installer
Notification Server Alias
In some cases, the Notification Server will use an aliased name. This alias will be the name on the certificate and the DNS should be set up to resolve the aliased name correctly.
As of the release of Deployment Solution 7.5 HF2, there is a known issue regarding this type of setup. For the most current information, please reference Knowledge Base Article TECH214199.
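The note in the Site Server certificate section and the alias section above both come down to one check: the name clients use for a server must be a name its certificate is issued for. As an added example (not product code), this verifies that against a certificate in the form Python's ssl module returns; the certificate and host names in it are constructed placeholders, and fetch_cert shows how to obtain the live certificate from a server once the root certificate is trusted.

```python
import socket
import ssl

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns:
# a cert issued for the NS alias plus the server's real name. Names are
# placeholders, not values from the guide.
SAMPLE_CERT = {
    "subject": ((("commonName", "altiris.example.local"),),),
    "subjectAltName": (("DNS", "altiris.example.local"),
                       ("DNS", "ns01.example.local")),
}


def cert_names(cert):
    """Names the certificate is valid for: every DNS subjectAltName, or the
    commonName only when the certificate carries no SAN at all."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for t, v in rdn if t == "commonName"]


def name_matches(cert, hostname):
    """True if hostname is covered by the certificate. Matching is
    case-insensitive, ignores a trailing dot, and allows a single-label
    wildcard such as *.example.local."""
    host = hostname.rstrip(".").lower()
    for name in cert_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def fetch_cert(hostname, port=443, timeout=5):
    """Return the certificate a live server presents for hostname. The
    default context also checks the chain and the hostname itself, so an
    untrusted or misnamed certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("ns01.example.local", "ns02.example.local"):
        print(name, "covered" if name_matches(SAMPLE_CERT, name) else "NOT covered")
```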
SSL-Related Registry Keys
Though these are related to Notification Server functionality in general and are probably changed already, the values should be confirmed for correct functionality.
Verify that the following keys are set to the correct values:
Troubleshooting Resources
In the event that files/installations/changes are not occurring correctly, the following are log files and file locations which may be useful in troubleshooting for resolution.
General Deployment Solution Logging
This log file tracks general Deployment Solution tasks and activity on a server with Deployment components installed. The log file is DSTasks.txt and is created in “<Program Files>\Altiris\Altiris Agent\Agents\Deployment\Logs” by default.
SSL Certificate Extraction
These log files, DSPluginInstall.log and IISCertDeployVBS.txt, are created when the “Extract SSL Certificate” policy attempts to execute on the Notification Server, Task Server, and Package Server. They are created in “C:\” by default.
Preboot Configurations
When creating/recreating preboot configurations, Boot Disk Creator generates a log file. This log file is created in “<Program Files>\Altiris\Deployment\Logs” by default.