Re: Firewall Client Deployment

I think I may have found the answer.

In my VMware test environment, I have a control machine that is not a member
of the AD 2003 domain, and I have two domain machines for testing, one Win2k
and one WinXPSP2.

I set up a GPO with the following settings:
- User Configuration -> Software Settings -> Software Installation:
--- create a package and point it to the MS_FWC.msi installer in the mspclnt
share
--- in the Deployment tab:
----- Deployment Type: Assigned
----- Deployment Options: only "Auto-install this application..." is
checkmarked
----- Installation User Interface Options: Basic
- User Configuration -> Windows Settings -> Scripts -> Logon:
--- created a script called "copy_ini.bat" with the following instructions:
----- @echo off
----- mkdir "c:\documents and settings\%username%\local settings\application
data\microsoft\firewall client 2004"
----- copy \\testserver\mspclnt\*.ini "c:\documents and
settings\%username%\local settings\application data\microsoft\firewall client
2004\" (I should also mention that I copied a "management.ini" file with the
"TrayIconVisualState" flag set to 1 into the mspclnt share as well as an
"application.ini" file with the settings I want to use)

In Group Policy Management Security Filtering, I applied the GPO to
"Authenticated Users". I also linked the GPO to the domain.

When a regular user logs into the XPSP2 machine, the FWC software loads
without prompting the user for anything, and the FWCMgmt screen never shows
up. But the software definitely gets loaded. When the user tries to open
the FWCMgmt item in the Start Menu, an install script runs but errors out,
telling me that the user does not have access to view/make any changes.
However, subsequent logins still display the configuration script loading,
albeit for only a few short seconds.

When an "administrator" logs into the XPSP2 machine, the FWC software loads
in the background, doesn't prompt the user, but the FWCMgmt screen does open
one time, and does have the "Hide icon..." setting checkmarked. When the
user clicks OK the first time, they never see the screen again, unless
opening it from the Start Menu.

Problem solved, for me anyway. Hope that helps *someone* else ;)


"Brian Edwards" wrote:

Gentlemen:

Let me take this a step further...

I am currently testing deployment scenarios for the firewall client software
on a test network. I have a special GPO set up to deploy the software. I
have tried both the Computer Configuration and User Configuration templates
for Software Installation, and the exact same results apply to both. When a
user with simple user-level permissions on the local computer logs in and the
software gets installed, this procedure repeats itself each time the user
logs in. As in, it appears that the software gets reinstalled every login,
until a user with admin permissions logs in. After the admin logs in, the
install never again occurs for a regular user, but each time the user logs
in, they are presented with the FWCMgmt screen. It's not a huge deal but it
is annoying. However, this brings up some questions:

- when used concurrently with the "Install with elevated priviliges" setting
enabled, why does the firewall client software try to reinstall with every
user login until an "Administrator" logs in?
- does deploying the firewall client software require the use of a script
that will set a registry entry when the software is installed, such that each
subsequent login checks the registry setting (flag) in order to determine if
the software needs to be installed?

I know there is a flag in the INI file that can be set so that the FWCMgmt
screen does not show up for the user. I think the easiest way to set this
flag is to probably have a login script that will copy the "management.ini"
file, with the "TrayIconVisualState" flag set to 1, from a central share to
the user's "c:\documents and settings\%username%\local settings\application
data\microsoft\firewall client 200x\" directory. I could be very wrong about
that, but it has worked for me.

In any case, what is the method to use to deploy the FWC software using a
GPO such that user-permission users can install the software once, and never
again? I'd really hate to have to remote into 1,000+ computers and login
just to install the client.

TIA


"lushtanet" wrote:

Hi Edvord,

I have the same problem with ISA 2004 firewall clinet, when ever I deploy
the ISA clinet from a destribution share thru GPO this happens, but not when
you simply run the setup file. I can not tell why is this happening, maybe it
requres some switches to make it work, for now I'm in a midle of research on
this issue as soon as I know more I let you know.

It seems to be a general problem.

Bujar Lushta
CCNA. MCP

"Ori Yosefi [MSFT]" wrote:

Hi Edward,

This indeed sounds strange. Can you please explain how your machines got
into this situation? Is this reproducible?
Did you happen to create a shortcut to FWCMgmt in the startup folder by any
chance?
I am not familiar with such a scenario, please provide any information that
may help us understand how you got to to this scenario.

Thanks,
Ori.

--
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.This posting is provided "AS IS" with no warranties, and
confers no rights.
"Edward" <Edward@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1DC1B186-03CB-4784-AE45-C96CA65892AA@xxxxxxxxxxxxxxxx
Hi All

I am deploying ISA Server's Firewall Client 2006 to client machines
running
Windows XP Professional SP2. The client software has successfully been
deployed on these computers, but whenever a user logs in the Firewall
Client
opens up a window with all its settings.

How can I prevent this windows from opening and instead just minimizing to
the tasktray such as previous versions done?

Regards
Edward



.

Relevant Pages

  • Re: Firewall Client Deployment
    ... I am currently testing deployment scenarios for the firewall client software ... user with simple user-level permissions on the local computer logs in and the ... install never again occurs for a regular user, but each time the user logs ...
    (microsoft.public.isa.clients)
  • Re: ADVANCED CLIENT INSTALLED BUT...
    ... longer appearing in that log and the other logs on the management point ... indicate they are installed as far as the database goes though the client ... as verified via the install logs on the client and the settings present ... the Management Point (a different server than the site server itself). ...
    (microsoft.public.sms.setup)
  • Re: Win2k Pro Not installing
    ... I am manually installing the client. ... >> If you are pushing the client installation the logs are under ... >>> For SMS2003 where exactly would I find the install log? ... >>>> Can you check the logs and post the errors that you get, the log files ...
    (microsoft.public.sms.setup)
  • PerfNet Errors
    ... Once all the updates are installed I install the latest Netware ... client and uninstall 'Client for Microsoft Networks" and 'File and Printer ... In the past if I were to now go to the Event Viewer and check the logs there ...
    (microsoft.public.win2000.general)
  • Problem installing advanced client - ccmsetup service stays active.
    ... I am having a problem with 1 PCinstalling the advanced client. ... -Pushed client install from console but install ... SMS Advanced Client is not installed. ...
    (microsoft.public.sms.setup)