Re: FYI for eTrust AV 7.x Users

When you upgraded the eTrust on the SBS, did you install the redistribution component? I can't remember if it's a separate install, or if you have to click a box when you do the Agent install, but redistribution server is not installed by default. If it's not installed now, it's a separate option available on the main installer screen. Also, this is important and it's a horrible design, if you reinstall the Agent for any reason, it will blow away redistribution, and you have to do that separately _again_.

There are several places you have to configure distribution. First of all, on the SBS with version 8 installed, open eTrust from the r-click menu on the tray icon (this is the agent, not the console). On the Updates tab, you have to configure Redistribution Components for 8, and Legacy if you have any 7.x clients left. You have to select all the components you want, and you have to click the Redistribution Server check box at the top of each tab. If you forget to check the box, it won't work. If the Redistribution option isn't active, that's your notice that the component is not installed.

Now to the eTrust Console. On the Policy Mgmt. Tab, you configure 7.x by setting the drop-downs to eTrust and Legacy Distribution. In addition to the other settings, you have to click the box on the Outgoing tab to indicate that this server provides updates.

Now for 8.x, you change the drop-downs to Common and Content Update. Again make all the settings, and make sure that you check the Redistribution Server box on the Redistribution Components tab. Make sure the Legacy settings are right in this section too.

You don't need the firewall client to get updates. On the client PCs, the server list should just show the SBS server name (not the FQDN or anything, just the netbios name). In the Server section, it should just show the name, HTTP, and port 42511. These should be the defaults. It appears that when installing it on the client, it takes care of the Windows Firewall - I didn't have to change any firewall settings on the client PCs.

As for Phone Home, that's apparently how the clients pick up their licenses from the server. You can set it in a policy. It needs the Schedule set to Disabled (not a very obvious or friendly name for a required setting). Then on the Additional tab, port 42508 (the default), host name is the SBS and approved servers is the SBS IP. I'm not sure how I got to this but it works. Since I'm updating clients from 7.1 to 8.1 and choosing to retain the settings, it's not clear how fast new policies are getting applied (in other words, can't always tell if I'm looking at something that was set in the upgrade, versus something that was later set by the policy). Anyway, Phone Home will eventually get set by the policy but it may take a while. What I'm doing is to set it manually and make sure the license gets configured correctly on the client PC. That way, I don't care how long the policy takes to apply, and I don't have to go back and monitor that the license is OK. Unfortunately, and I learned this the hard way, if you have an incorrect setting that keeps the license from getting applied, the red shield from Security Center will be your first warning.

On the subject of ISA, you should not have to do anything to enable eTrust on the SBS to get updates from CA. The Localhost Access Rule covers this. However, I have the client PCs configured to first get updates from the SBS, then if that fails, to get them from CA. So I did create a rule in ISA to allow the client PCs access to the CA site. You can just pattern that rule after the MS Update rule. I have one called "Software Updates Access Rule" that allows client PCs to access certain sites like that, the one that Acrobat uses to check for downloads, etc.

Once you get this all installed and configured to your satisfaction, you need to remember that anything you do in the way of another install is likely to mess you up. The one example that comes to mind is when I reinstalled the Agent and it bombed out the Redistribution Server. The installer asks if you want to preserve the existing settings or revert to defaults, and in my mind, preserving the settings should prevent this from killing off a previously functioning feature. Unfortunately whoever coded the eTrust installer doesn't agree.

There are a bunch of potential pitfalls with redistribution. For example, if you forget to check any one of the redistribution server boxes, the SBS will update but the clients will not. Even with that box checked, if you have not selected the necessary components, redistribution will run but not update anything. I'm confident that if you spend enough time looking at the settings, you'll figure it out. If it's any comfort, I've looked at competing products quite a bit without finding any of them compelling enough to switch. Good luck!


"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message news:ebtcYG6YJHA.3844@xxxxxxxxxxxxxxxxxxxxxxx
OK, got it on the server & exchange no problem.

Installed it manually on the first client and it runs, but I can't get it to update via the SBS server.

Licensing is OK (I imported the licence.xml file) but it's having issues getting through ISA for updates. First, it looks like I need the firewall client to get updates (I don't install it by default as most just need web access and IE handles that on its own). Even after installing the firewall client I tried opening port 42511 but the ISA logs show it going through but for some reason a RST occurs during the packet. Not sure if I need to configure the proxy in CA - even if I do the authentication options don't appear to work right.

For now, I opened up ISA to allow direct updates from the CA site for all clients but I'd like to get it working use the "redistribution server" from the SBS.

How did you set up updates for the clients?

Still not clear on the phone home thing for the clients, did you need to add each client to the organization in the CA console discovery tab or what?

Thx

--
Allan Williams



"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:eU%237L8VXJHA.868@xxxxxxxxxxxxxxxxxxxxxxx
1. I had a bad experience trying to install this from a download when we got the first Vista box a year or so ago, and had to reinstall it from the CD. Since then, I've done all the rest from the CD. Either way, the updating thing does seem to make it less relevant as long as you get some version of 8.1. It'll be current after the first download either way.

2. I want to touch each PC anyway, to make sure the licensing is configured properly. So, I have not tried the remote install. I'm just doing them individually as time allows, since all the XP boxes are doing fine with version 7. When I renewed the license last, I had one Vista desktop that failed to pick up the renewal and stopped updating, so I want to see that none of the desktops are showing the trial license.

3. You do need a contract to get signatures now - as far as I know, it's the regular CA thing that includes support, software updates, etc. If I remember right, it costs in the neighborhood of $12 per seat per year, including the server and Exchange. If you don't have a CA open license vendor, try SoftwareONE. I get my MS open licenses from them too - they're great.

4. I've done all in-place upgrades. I did the console first (the 8 console works with 7, but the 7 console does not work with 8). Once the console was done, I did the Vista boxes as I deployed them (7 doesn't work on Vista). Now I've been doing the XP boxes one or two at a time until I get them all upgraded. In-place upgrade retains your existing settings (if you choose the option). However, for settings that don't exist in 7, they'll be at the defaults. That means in particular, the "phone home" feature will not be configured. That's what gets you the licensing from the SBS, so you need to make sure that's done. You can control that setting from the console, but if you do that without verifying that the setting applied correctly, you'll need to monitor that the desktops don't fail to update after the expiration of the trial license.

5. Have not tried it on a TS, but I can't see any reason it wouldn't work as expected.



"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message news:OZ7HV0KXJHA.5272@xxxxxxxxxxxxxxxxxxxxxxx
A few Q's:

1) Did you use the v8.1 CD or did you get updates from the web? With 7.1 my CD was so old it needed upteen patches but I don't see any updates for v8.1 up on CA's site (unless I'm looking int he wrong place). Maybe with this new update system you mention updates are obsolete...

2) Were you able to remotely upgrade the client PC's as well? I used their remote install in 7.1 and it worked OK (other than not going through the Windows XP firewall) and was wondering if v8.1 worked similarly.

3) So they changed it so you need a contract to get signatures? Oh well, it was cheap while it lasted.

4) Did you uninstall the 7.1 exchange part before upgrading or does it maintain your exclusions etc. if you install over top? I see CA doc TEC432016 documents a bug if you install over-top but wasn't sure if it applies.

5) Do you know of any issues running it on a terminal server?


Thanks.

--
Allan Williams



"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:%23ug$yeKXJHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
I can't really say that Apache has caused me any problems. It runs two services, and eTrust runs five. Probably using about 100 MB of RAM or so on the server. The interface, changing settings, etc. definitely performs noticeably slower than 7.x, although it doesn't seem to have much more impact on the workstations.

Version 8 enforces licensing, so you need to be sure that all the workstations are properly licensed. Otherwise, the default is a 30 day trial license, and they'll stop getting signature updates at that point. There's a thing called "phone home" that you can configure to point to the SBS (assuming that's where the server part of eTrust is installed). Then you set the phone home schedule to "disabled," and somehow that makes it pick up the license from the server install. (This licensing thing is because you now need to be under a paid support contract in order to get signature updates).

The best thing about it is that all the parts are upgraded through the regular distribution, not just signature files. So if there's a driver update or other part that gets a new version, it'll be installed automatically when the signatures update.

Also, Exchange is a separate install. If you just run the eTrust installer once to update the server install, it'll leave Exchange at 7.x. You have to run the installer a second time to upgrade Exchange.

Let me know if you have questions - I've probably messed with this enough by now that I might be able to help at least a little.


"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message news:et2F9JJXJHA.5272@xxxxxxxxxxxxxxxxxxxxxxx
Still using CA 7.1 on our SBS 2003 Sp2 Premium - always liked CA because it works well (once configured which can be a pain) and is cheap to maintain (no service contract needed for updates).

Was planning on moving to v8.1 in the near future. What sort of issues do you know of and any tips appreciated. I wasn't aware of the Apache thing does that cause issues?

--
Allan Williams



"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:%23M%23mxk%23WJHA.868@xxxxxxxxxxxxxxxxxxxxxxx
I doubt there are many SBS'ers using eTrust antivirus, but I'll mention this just in case. Apparently the 7.x versions are going off support on December 31, including that the signature files will no longer be updated. If you're using one of these, you'll have to upgrade to the newer version or a different product by then. I can comment on version 8 if anyone is interested - it installs Apache on the server, which may be a deal breaker for some all by itself.

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=172833&productID=156









.

Relevant Pages

  • Re: FYI for eTrust AV 7.x Users
    ... installed the new remote install utility which works the same as v7 did - ... from the server. ... I think my issues had to do with my first client upgrade - our Windows 2003 ... I think this is why the updates did not go through (although you'd think ...
    (microsoft.public.windows.server.sbs)
  • RE: Where does SBS store its client updates?
    ... Thanks for updates. ... I am sorry to hear that SP2 have bring you some inconvenience, ... from the client application. ... You have to remove it manually after install ...
    (microsoft.public.windows.server.sbs)
  • Re: FYI for eTrust AV 7.x Users
    ... got it on the server & exchange no problem. ... Installed it manually on the first client and it runs, but I can't get it to ... getting through ISA for updates. ... I have not tried the remote install. ...
    (microsoft.public.windows.server.sbs)
  • Re: 800703E7 error message
    ... I get this message when trying to install service pack 2. ... > Check for hardware driver updates? ... > Patches and Updates! ... > drivers for your hardware/operating system. ...
    (microsoft.public.windowsupdate)
  • Re: i cant update windows!
    ... > download, but at the very end of the process it says that the ... I havent been able to get any updates ... First - cleanup your machine and ready it for Service Pack 2. ... Then install Service Pack 2 from the downloaded install file (not the ...
    (microsoft.public.windowsxp.general)
Loading