Re: FYI for eTrust AV 7.x Users
- From: "Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx>
- Date: Mon, 22 Dec 2008 12:48:14 -0700
Thanks for the info. I got it working on my regular XP clients. Also
installed the new remote install utility which works the same as v7 did -
just edited the .ICF file the way I wanted it and ran the client upgrades
from the server. Worked great - all clients picked up the licence file and
phone home properly for updates, etc.
I think my issues had to do with my first client upgrade - our Windows 2003
terminal server. For some reason it does not have the Windows Firewall
configured. When I go to look at it it prompts:
---------------------------
Windows Firewall
---------------------------
Windows Firewall cannot run because the Windows Firewall/Internet Connection
Sharing (ICS) service is not running. To use Windows Firewall, you must
start the Windows Firewall/ICS service. If you configure exceptions for
applications or services that were running before you started Windows
Firewall, you might have to restart your computer so that these applications
and services run properly. Do you want to start the Windows Firewall/ICS
service?
---------------------------
Yes No
---------------------------
I think this is why the updates did not go through (although you'd think
without a firewall they would?).
Not sure why its not installed on my TS but the ICS should not be, correct?
I'm not sure if this is a problem or not...
--
Allan Williams
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23pF8q9FZJHA.5520@xxxxxxxxxxxxxxxxxxxxxxx
When you upgraded the eTrust on the SBS, did you install the
redistribution component? I can't remember if it's a separate install, or
if you have to click a box when you do the Agent install, but
redistribution server is not installed by default. If it's not installed
now, it's a separate option available on the main installer screen. Also,
this is important and it's a horrible design, if you reinstall the Agent
for any reason, it will blow away redistribution, and you have to do that
separately _again_.
There are several places you have to configure distribution. First of
all, on the SBS with version 8 installed, open eTrust from the r-click
menu on the tray icon (this is the agent, not the console). On the
Updates tab, you have to configure Redistribution Components for 8, and
Legacy if you have any 7.x clients left. You have to select all the
components you want, and you have to click the Redistribution Server check
box at the top of each tab. If you forget to check the box, it won't
work. If the Redistribution option isn't active, that's your notice that
the component is not installed.
Now to the eTrust Console. On the Policy Mgmt. Tab, you configure 7.x by
setting the drop-downs to eTrust and Legacy Distribution. In addition to
the other settings, you have to click the box on the Outgoing tab to
indicate that this server provides updates.
Now for 8.x, you change the drop-downs to Common and Content Update.
Again make all the settings, and make sure that you check the
Redistribution Server box on the Redistribution Components tab. Make sure
the Legacy settings are right in this section too.
You don't need the firewall client to get updates. On the client PCs, the
server list should just show the SBS server name (not the FQDN or
anything, just the netbios name). In the Server section, it should just
show the name, HTTP, and port 42511. These should be the defaults. It
appears that when installing it on the client, it takes care of the
Windows Firewall - I didn't have to change any firewall settings on the
client PCs.
As for Phone Home, that's apparently how the clients pick up their
licenses from the server. You can set it in a policy. It needs the
Schedule set to Disabled (not a very obvious or friendly name for a
required setting). Then on the Additional tab, port 42508 (the default),
host name is the SBS and approved servers is the SBS IP. I'm not sure how
I got to this but it works. Since I'm updating clients from 7.1 to 8.1
and choosing to retain the settings, it's not clear how fast new policies
are getting applied (in other words, can't always tell if I'm looking at
something that was set in the upgrade, versus something that was later set
by the policy). Anyway, Phone Home will eventually get set by the policy
but it may take a while. What I'm doing is to set it manually and make
sure the license gets configured correctly on the client PC. That way, I
don't care how long the policy takes to apply, and I don't have to go back
and monitor that the license is OK. Unfortunately, and I learned this the
hard way, if you have an incorrect setting that keeps the license from
getting applied, the red shield from Security Center will be your first
warning.
On the subject of ISA, you should not have to do anything to enable eTrust
on the SBS to get updates from CA. The Localhost Access Rule covers this.
However, I have the client PCs configured to first get updates from the
SBS, then if that fails, to get them from CA. So I did create a rule in
ISA to allow the client PCs access to the CA site. You can just pattern
that rule after the MS Update rule. I have one called "Software Updates
Access Rule" that allows client PCs to access certain sites like that, the
one that Acrobat uses to check for downloads, etc.
Once you get this all installed and configured to your satisfaction, you
need to remember that anything you do in the way of another install is
likely to mess you up. The one example that comes to mind is when I
reinstalled the Agent and it bombed out the Redistribution Server. The
installer asks if you want to preserve the existing settings or revert to
defaults, and in my mind, preserving the settings should prevent this from
killing off a previously functioning feature. Unfortunately whoever coded
the eTrust installer doesn't agree.
There are a bunch of potential pitfalls with redistribution. For example,
if you forget to check any one of the redistribution server boxes, the SBS
will update but the clients will not. Even with that box checked, if you
have not selected the necessary components, redistribution will run but
not update anything. I'm confident that if you spend enough time looking
at the settings, you'll figure it out. If it's any comfort, I've looked
at competing products quite a bit without finding any of them compelling
enough to switch. Good luck!
"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message
news:ebtcYG6YJHA.3844@xxxxxxxxxxxxxxxxxxxxxxx
OK, got it on the server & exchange no problem.
Installed it manually on the first client and it runs, but I can't get it
to update via the SBS server.
Licensing is OK (I imported the licence.xml file) but it's having issues
getting through ISA for updates. First, it looks like I need the
firewall client to get updates (I don't install it by default as most
just need web access and IE handles that on its own). Even after
installing the firewall client I tried opening port 42511 but the ISA
logs show it going through but for some reason a RST occurs during the
packet. Not sure if I need to configure the proxy in CA - even if I do
the authentication options don't appear to work right.
For now, I opened up ISA to allow direct updates from the CA site for all
clients but I'd like to get it working use the "redistribution server"
from the SBS.
How did you set up updates for the clients?
Still not clear on the phone home thing for the clients, did you need to
add each client to the organization in the CA console discovery tab or
what?
Thx
--
Allan Williams
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:eU%237L8VXJHA.868@xxxxxxxxxxxxxxxxxxxxxxx
1. I had a bad experience trying to install this from a download when
we got the first Vista box a year or so ago, and had to reinstall it
from the CD. Since then, I've done all the rest from the CD. Either
way, the updating thing does seem to make it less relevant as long as
you get some version of 8.1. It'll be current after the first download
either way.
2. I want to touch each PC anyway, to make sure the licensing is
configured properly. So, I have not tried the remote install. I'm just
doing them individually as time allows, since all the XP boxes are doing
fine with version 7. When I renewed the license last, I had one Vista
desktop that failed to pick up the renewal and stopped updating, so I
want to see that none of the desktops are showing the trial license.
3. You do need a contract to get signatures now - as far as I know,
it's the regular CA thing that includes support, software updates, etc.
If I remember right, it costs in the neighborhood of $12 per seat per
year, including the server and Exchange. If you don't have a CA open
license vendor, try SoftwareONE. I get my MS open licenses from them
too - they're great.
4. I've done all in-place upgrades. I did the console first (the 8
console works with 7, but the 7 console does not work with 8). Once the
console was done, I did the Vista boxes as I deployed them (7 doesn't
work on Vista). Now I've been doing the XP boxes one or two at a time
until I get them all upgraded. In-place upgrade retains your existing
settings (if you choose the option). However, for settings that don't
exist in 7, they'll be at the defaults. That means in particular, the
"phone home" feature will not be configured. That's what gets you the
licensing from the SBS, so you need to make sure that's done. You can
control that setting from the console, but if you do that without
verifying that the setting applied correctly, you'll need to monitor
that the desktops don't fail to update after the expiration of the trial
license.
5. Have not tried it on a TS, but I can't see any reason it wouldn't
work as expected.
"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message
news:OZ7HV0KXJHA.5272@xxxxxxxxxxxxxxxxxxxxxxx
A few Q's:
1) Did you use the v8.1 CD or did you get updates from the web? With
7.1 my CD was so old it needed upteen patches but I don't see any
updates for v8.1 up on CA's site (unless I'm looking int he wrong
place). Maybe with this new update system you mention updates are
obsolete...
2) Were you able to remotely upgrade the client PC's as well? I used
their remote install in 7.1 and it worked OK (other than not going
through the Windows XP firewall) and was wondering if v8.1 worked
similarly.
3) So they changed it so you need a contract to get signatures? Oh
well, it was cheap while it lasted.
4) Did you uninstall the 7.1 exchange part before upgrading or does it
maintain your exclusions etc. if you install over top? I see CA doc
TEC432016 documents a bug if you install over-top but wasn't sure if it
applies.
5) Do you know of any issues running it on a terminal server?
Thanks.
--
Allan Williams
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23ug$yeKXJHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
I can't really say that Apache has caused me any problems. It runs two
services, and eTrust runs five. Probably using about 100 MB of RAM or
so on the server. The interface, changing settings, etc. definitely
performs noticeably slower than 7.x, although it doesn't seem to have
much more impact on the workstations.
Version 8 enforces licensing, so you need to be sure that all the
workstations are properly licensed. Otherwise, the default is a 30
day trial license, and they'll stop getting signature updates at that
point. There's a thing called "phone home" that you can configure to
point to the SBS (assuming that's where the server part of eTrust is
installed). Then you set the phone home schedule to "disabled," and
somehow that makes it pick up the license from the server install.
(This licensing thing is because you now need to be under a paid
support contract in order to get signature updates).
The best thing about it is that all the parts are upgraded through the
regular distribution, not just signature files. So if there's a
driver update or other part that gets a new version, it'll be
installed automatically when the signatures update.
Also, Exchange is a separate install. If you just run the eTrust
installer once to update the server install, it'll leave Exchange at
7.x. You have to run the installer a second time to upgrade Exchange.
Let me know if you have questions - I've probably messed with this
enough by now that I might be able to help at least a little.
"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message
news:et2F9JJXJHA.5272@xxxxxxxxxxxxxxxxxxxxxxx
Still using CA 7.1 on our SBS 2003 Sp2 Premium - always liked CA
because it works well (once configured which can be a pain) and is
cheap to maintain (no service contract needed for updates).
Was planning on moving to v8.1 in the near future. What sort of
issues do you know of and any tips appreciated. I wasn't aware of
the Apache thing does that cause issues?
--
Allan Williams
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23M%23mxk%23WJHA.868@xxxxxxxxxxxxxxxxxxxxxxx
I doubt there are many SBS'ers using eTrust antivirus, but I'll
mention this just in case. Apparently the 7.x versions are going off
support on December 31, including that the signature files will no
longer be updated. If you're using one of these, you'll have to
upgrade to the newer version or a different product by then. I can
comment on version 8 if anyone is interested - it installs Apache on
the server, which may be a deal breaker for some all by itself.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=172833&productID=156
.
- Follow-Ups:
- Re: FYI for eTrust AV 7.x Users
- From: Dave Nickason [SBS MVP]
- Re: FYI for eTrust AV 7.x Users
- References:
- OT: FYI for eTrust AV 7.x Users
- From: Dave Nickason [SBS MVP]
- Re: FYI for eTrust AV 7.x Users
- From: Al Williams
- Re: FYI for eTrust AV 7.x Users
- From: Dave Nickason [SBS MVP]
- Re: FYI for eTrust AV 7.x Users
- From: Al Williams
- Re: FYI for eTrust AV 7.x Users
- From: Dave Nickason [SBS MVP]
- Re: FYI for eTrust AV 7.x Users
- From: Al Williams
- Re: FYI for eTrust AV 7.x Users
- From: Dave Nickason [SBS MVP]
- OT: FYI for eTrust AV 7.x Users
- Prev by Date: Re: Detach PC client from domain
- Next by Date: Re: no ISA in sbs2008
- Previous by thread: Re: FYI for eTrust AV 7.x Users
- Next by thread: Re: FYI for eTrust AV 7.x Users
- Index(es):
Relevant Pages
|
