Altiris™ IT Management Suite 7.1 SP2 from Symantec™ Planning
Altiris™ IT Management Suite 7.1 SP2 from Symantec™ Planning and Implementation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright © 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo, Altiris, and any Altiris or Symantec trademarks are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]

Contents

Technical Support

Section 1 Planning for IT Management Suite

Chapter 1 Introducing IT Management Suite
About IT Management Suite
What you can do with IT Management Suite
How IT Management Suite works
What's new in Symantec Management Platform 7.1 SP2
What's new for ITMS solutions
Where to get more information

Chapter 2 Understanding the components of IT Management Suite
About the Symantec Management Platform
Core architectural components of Symantec Management Platform
Components of the Symantec Management Platform
About Notification Server
About the Symantec Management Console
About the Configuration Management Database
About site services
About the Symantec Management Agent
Solutions of IT Management Suite
About Asset Management Suite
About Barcode Solution
About CMDB Solution
About Deployment Solution
About Inventory Solution
About IT Analytics Solution
About Symantec Mobile Management
About Monitor Solution
About Monitor Pack for Servers
About Out of Band Management Component
About Patch Management Solution for Windows
About Patch Management Solution for Linux
About Patch Management Solution for Mac
About pcAnywhere Solution
About Real-Time System Manager
About Endpoint Protection Integration Component
About Software Management Solution
About Symantec Workflow

Chapter 3 Planning for IT Management Suite
IT Management planning considerations
About planning your SQL Server configuration
About hard drive configuration for off-box SQL Server
About hard drive configuration for on-box SQL Server
Throughput metrics of SQL Server
About database sizing for SQL Server
About memory management for SQL Server considerations
About planning your site servers
About site maintenance
About the task service
How task server uses the tickle mechanism
About the package service
About the deployment site service
Symantec Management Agent deployment planning
How agent-based inventory communications work
How agent check-in intervals and basic inventory settings interact
How Patch Management Solution data communications work
Components of Deployment Solution
How capturing master disk images works
How deploying disk images works
Methods of delivering preboot environments to computers
How Deployment Solution imaging jobs work
How asset management data communications work

Chapter 4 Reference of topics about multi-Notification Server environments
About MultiCMDB reporting with IT Analytics
What's new in IT Analytics 7.1 SP2
Adding and configuring external Symantec CMDB connections
Editing external Symantec CMDB connections
Editing the Report Integration URLs for an external Symantec CMDB
Deleting external Symantec CMDB connections
Including or excluding the local Symantec CMDB
Updating the Solution Dependencies
About global policy distribution
What you can do with global policy distribution
About hierarchy
How global policy distribution works with hierarchy
Hierarchy requirements
About hierarchy topology
About creating and managing hierarchical relationships
Setting up a hierarchical relationship between two Notification Server computers
How deployment site servers work in a hierarchy
About hierarchy editable properties
Global policy distribution implementation considerations for Software Management Solution
Global policy distribution implementation considerations for Patch Management Solution
Limitations of global policy distribution in a hierarchy
Limitations of hierarchy
Replication types in the Symantec Management Platform
About hierarchy replication
About hierarchy replication rules
About configuring replication
Replicating custom items in a hierarchy
Configuring replication rules
Replication rule settings
Specifying destination Notification Servers in a replication rule
Overriding the hierarchy differential replication schedule
Replicating selected data manually
Running a hierarchy report

Section 2 Implementing IT Management Suite

Chapter 5 Performance and scalability recommendations for IT Management Suite
Symantec Management Platform performance factors
About tuning the SQL Server computer for performance
About tuning Notification Server Event processing for performance
About predefined inventory policies
Scheduling resource membership updates
About tuning the Symantec Management Agent for performance
Targeted Agent Settings: General tab
Recommended configuration settings based on managed endpoints
Recommended ranges of component totals for IT Management Suite 7.1
Recommended IT Management Suite 7.1 hardware
Recommended configuration for Notification Server with locally installed SQL database
Supported operating systems for Notification Server and site servers
SQL Server recommendations and third-party software requirements

Chapter 6 Preparing for the installation of IT Management Suite
About developing an installation plan
About the migration guides
About supported SQL Server collations
Considerations before you install Notification Server
Agent configuration considerations

Chapter 7 Installing IT Management Suite
About installing the Symantec Management Platform products
Overview of the installation process
Managing the installation of the Symantec Management Platform products
Installing Symantec Installation Manager
Starting Symantec Installation Manager
Delaying the update of Symantec Installation Manager
About creating an installation package
Creating an installation package
Creating an update installation package
Installing the Symantec Management Platform products
Install New Products page, Product Updates page, or Products page
Install Readiness Check page
Notification Server Configuration page
Database Configuration page
About installation tasks you can perform after the initial installation
Reconfiguring an installed product
Installing a hotfix or an additional product
About installing optional components
Installing optional components
Uninstalling or repairing optional components
Applying licenses to a solution
Repairing the installation of an installed product
Creating a support package
Uninstalling the Symantec Management Platform products
About Symantec Installation Manager logs
Disabling the creation of verbose Symantec Installation Manager logs
Viewing Symantec Installation Manager logs
About modifying the installation of a product
Adding a product listing file
Updating the product listing
About upgrading from IT Management Suite 7.1 to 7.1 SP2
Upgrading from IT Management Suite 7.1 to 7.1 SP2
Preparing to upgrade from IT Management Suite 7.1 to 7.1 SP2
Performing an upgrade to IT Management Suite 7.1 SP2

Chapter 8 Installing the Deployment Solution
About installing Deployment Solution
Preinstallation requirements for Deployment Solution
Installing Deployment Solution components
Installing Deployment Plug-in
Installing an automation folder
Installing Deployment site server components
Setting up ACC
Installation path of Deployment Solution tools
Upgrading Deployment Solution components
Uninstalling Deployment Solution components
Enabling the uninstallation policy
Uninstalling Deployment Solution through Symantec Installation Manager
Repairing Deployment Solution

Chapter 9 Configuring Notification Server
About configuring Notification Server
Configuring the Configuration Management Database
Purging the Configuration Management Database
Saving resource data history in the CMDB
Configuring Notification Server settings
Notification Server processing settings
Notification Server processing settings
Configuring Notification Server settings
Email server and address settings
Status message logging settings
Opening the Log Viewer
Proxy server settings
Distribution point credential settings
Configuring Notification Server settings with NS Configurator
Performing a first-time setup configuration

Chapter 10 Setting up managed computers
Discovering computers
Installing the Symantec Management Agent
Agent and task setting options
Collecting inventory information
Deploying preboot environments

Chapter 11 Configuring security
About Symantec Management Platform security
Setting up Symantec Management Platform security
About security roles
Predefined security roles
About security privileges
Connection Profile privileges
Management privileges
System privileges
Credential privileges
Workflow Directory privileges
Symantec Management Console privileges
Software Management Framework privileges
Right-click Menu privileges
Right-click Menu - Connector Samples privileges
Right-click Menu - Hierarchy privileges
Right-click Menu - Actions privileges
Right-click Menu - Set Asset Status privileges
About Symantec Management Platform user accounts
Creating and configuring Symantec Management Platform user accounts
Specifying general Symantec Management Platform user account details
Configuring credentials for a Symantec Management Platform user account
Assigning a Symantec Management Platform user account to a security role
Configuring password complexity and lockout settings
Unlocking locked out credentials
About security role permissions
Resource Management permissions
System permissions
Task Server permissions
Report permissions
Policy permissions
Folder permissions
Filter permissions
Connection Profile permissions
Credential Manager permissions
About the Security Role Manager
Accessing the Security Role Manager
Assigning security permissions to folders and items
Customizing permission inheritance
Role Selection window
Taking ownership of a folder or item
About credential manager
Creating a credential
Editing a credential

Chapter 12 Configuring Schedules
About Symantec Management Platform schedules
About schedule active periods and time zones
About schedule triggers
About schedule modifiers
How Symantec Management Platform uses schedules
Managing shared schedules
Configuring a schedule
Viewing the Notification Server internal schedule calendar

Chapter 13 Configuring site servers
Managing sites
Creating a new site
Modifying a site
Managing manually assigned agents
Managing site servers
Creating and modifying site servers
Assigning a site server to a site manually
About configuring the site service settings
About package service settings
About removing automatic site assignments
Configuring package service settings
About task service settings
Configuring task service settings
About package server for Linux
About integrating Apache Web Server with package server for Linux
About detecting the Apache Web Server
Requirements to configure package server and the Apache Web Server
Requirements to configure HTTPS and HTTP
Package server configuration example that uses main web directory for package server links
Package server configuration example using an alias for package server links

Chapter 14 Getting started with IT Management Suite
About the enhanced console views
About the Computers view
Searching for a computer and saving the search
Creating and populating an organizational view or group in the enhanced console views
Managing subnets
Creating a new subnet
About the Jobs / Tasks view
Running a job or task using drag and drop
About the Policies view
Searching for a software and saving the search
Tracking the software licenses in the enhanced console views
About the Software Catalog window
About resource scoping
Considerations for resource scoping
Design considerations for resource scoping

Appendix A Symantec IT Management Suite Platform Support Matrix
Introduction
Current Shipping Information
Symantec Management Platform
Notification Server and Workflow Server .................................. Microsoft SQL Server ............................................................ Microsoft SQL Server Collations .............................................. Microsoft IIS ....................................................................... Microsoft .NET ..................................................................... Console/Browser .................................................................. Console/Silverlight ............................................................... Workflow Designer ............................................................... Site Server .......................................................................... Client Management Suite ............................................................. Client OS Support Matrix ....................................................... Server Management Suite ............................................................ Server OS Support Matrix ...................................................... Language Support ...................................................................... Core Localization .................................................................. Windows Agent Localization .................................................. 319 320 320 321 322 323 323 324 324 325 325 326 331 331 335 335 341 342 342 Index ................................................................................................................... 345 15 16 Contents Section 1 Planning for IT Management Suite ■ Chapter 1. Introducing IT Management Suite ■ Chapter 2. Understanding the components of IT Management Suite ■ Chapter 3. Planning for IT Management Suite ■ Chapter 4. 
Reference of topics about multi-Notification Server environments 18 Chapter 1 Introducing IT Management Suite This chapter includes the following topics: ■ About IT Management Suite ■ What you can do with IT Management Suite ■ How IT Management Suite works ■ What's new in Symantec Management Platform 7.1 SP2 ■ What's new for ITMS solutions ■ Where to get more information About IT Management Suite IT Management Suite (ITMS) combines client and server configuration management with IT asset and service management. It promotes effective service delivery and helps reduce the cost and complexity of managing corporate IT assets. These assets may include desktops, laptops, thin clients, and servers in heterogeneous environments running Windows, Linux, UNIX, and Mac. You can manage all of the features of the suite through a central console on a common platform: the Symantec Management Platform. This common platform integrates management functions to accelerate automation for better service, value, and IT efficiency. See “What you can do with IT Management Suite” on page 20. IT Management Suite is comprised of the following management capabilities: ■ Server management 20 Introducing IT Management Suite What you can do with IT Management Suite The server management capabilities support not only the Windows operating system, but also the UNIX and the Linux operating systems. In addition, the same management disciplines are applied to both physical systems and virtual systems, including both Microsoft Hyper-V and VMware. ■ Client management The client management capabilities support Windows and a growing number of other platforms, including Mac OS and Linux operating systems. ■ IT asset management IT asset management builds upon solid inventory foundations for configuration management. It helps you accurately value both your discoverable and non-discoverable assets, and track your assets and your asset-related information. 
  You can manage contracts, software license compliance, and procurement processes as well as the configuration items that are associated with your assets.

See “What you can do with IT Management Suite” on page 20.
See “How IT Management Suite works” on page 21.
See “What's new in Symantec Management Platform 7.1 SP2” on page 25.

What you can do with IT Management Suite

IT Management Suite (ITMS) helps you improve service delivery, increase efficiency, and reduce costs. You can do the following with IT Management Suite:

■ Manage from a central console. You can centrally manage heterogeneous client and server endpoints.
■ Manage remotely. One-to-one remote-management capabilities let you avoid desk-side or server-side visits.
■ Automate tasks. The task engine lets you perform multiple remote-management tasks simultaneously.
■ Automate policy enforcement. The policy engine lets you detect and remediate automatically, without human involvement.
■ Automate processes. The workflow engine lets you automate human and system interactions to eliminate latency errors and omissions.
■ Create self-service. The service catalog lets you avoid calls or requests entirely with best-practice self-service.
■ Centrally manage software. Software management includes software inventory, patching, delivery, and license management.

See “What's new in Symantec Management Platform 7.1 SP2” on page 25.
See “About IT Management Suite” on page 19.

How IT Management Suite works

IT Management Suite (ITMS) is a bundling of Symantec products and software. IT Management Suite helps you deploy, manage, support, and retire the various computers, devices, servers, and IT assets in your organization. IT Management Suite includes IT asset management and client and server configuration management.

See “About IT Management Suite” on page 19.
IT Management Suite has the following key features and functions:

■ Centralized management platform
  All of the parts of IT Management Suite are built on a common foundation that is called the Symantec Management Platform. The Symantec Management Platform is a set of core services that all of the parts of IT Management Suite share. These services can include aspects such as security, reporting, communications, and data storage.
  IT Management Suite 7.1 introduces an improved management interface that gets you where you want to be faster. Common concepts such as managing computers, delivering software, and managing licenses and deployment are consolidated into an integrated experience. When you click on a computer, resource management details are immediately visible. Powerful search features help you drill down and build filters in a short period of time. You can quickly save the searches for future use. Drag-and-drop functionality lets you select tasks and drag them to one or more selected computers.
■ Common database and management console
  The different parts of the platform can read and write from a common database. The database is called the Configuration Management Database (CMDB). Even though IT Management Suite covers a wide variety of IT-related capabilities, you interact with all of its technologies through a common Web-based user interface. This interface is called the Symantec Management Console.
■ Management agent and management server
  IT Management Suite can discover the computers that are present in your environment. You can install the Symantec Management Agent on these computers. The agent lets you gather very detailed information about them. It regularly sends information about the computer to a management server computer called Notification Server. Notification Server processes the information about your computers and stores it in a common database.
  The Symantec Management Agent gives you robust control and visibility into the hardware and software on your managed computers and servers. It helps you to maintain your corporate standards and policies remotely from the Web-based Symantec Management Console.
■ Asset Management
  You can use the data in the CMDB to manage your assets more efficiently. For example, you can use this information with reports and filters to gain visibility into and track metrics on the assets in your environment.
■ License management
  License management and asset management and usage are tightly integrated. Within the software display is an at-a-glance view of the current deployments and cost details. These details are based on the current installations and the purchasing details. A graphic can help you to determine if a software product is over-deployed or under-deployed, and evaluate its current usage. It gives visibility into the financial implications of a product. You can see the potential savings from harvesting licenses, and you can see the cost effect when a product is over-deployed.
■ Software Management
  You can see what software is installed, how often it is used, and how many licenses for it you have purchased. This type of information can help you determine the IT assets you need to purchase. You can also use this information to determine how to maximize your software investment and when to replace or decommission software.
  In addition, you can use IT Management Suite to take action on the information that it gathers. For example, IT Management Suite may discover that certain software is installed and licensed but is not used. You can configure the suite to remove the unused software.
  In ITMS 7.1, the Software Catalog interface is streamlined and redesigned. Any software that is found is stored in the newly discovered list. From this list you can quickly determine whether you want to make the identified software a managed product.
  If not, you can assign it to unmanaged software. After you identify software as a managed software product, you can manage all elements of it in a single interface. Inventory, metering, delivery, and license tracking are all presented in a single interface.
  The Managed Delivery feature separates the schedule for delivery and the schedule for execution. You can first stage packages in advance, and then later schedule the execution.
■ Task and policy engines
  Notification Server has two components that are called the task engine and the policy engine. These components let you do work on your managed computers. You can use policies to maintain consistent standards, and you can use tasks to execute sequential steps. Policy-based management can allow the managed computer autonomy whether it is in a connected or disconnected state. Task-based management follows the traditional server to client communications paradigm.
■ Managed computers
  Managed computers have the management agent installed. They regularly communicate with the Notification Server computer. When a managed computer contacts Notification Server, it checks to see if you have configured any work for it to do. The agent can check to see if the computer on which it is installed is compliant with a policy. For example, you can set up a policy to ensure that all of your managed computers have the latest version of software. If it is not compliant, then the agent can download and install the software according to your settings. When software is remotely executed on target computers with Notification Server, this software is called a software package.
■ Patch Management
  You can use IT Management Suite to keep your computers secure, patched, and compliant. IT Management Suite lets you manage all aspects of applying Microsoft Windows security updates and patches.
■ Provisioning
  You can remotely provision and deploy standardized operating system images to your computers. This functionality includes bare-metal deployment and re-imaging computers to return them to known-good states.
■ Migration and deployment
  Deployment Solution is natively integrated with the Symantec Management Platform. Consequently, you work with Deployment Solution and Symantec Management Platform through a single console, database, and agent. IT Management Suite 7.1 provides many enhancements to the Deployment Solution console.
  The DeployAnywhere capability supports all plug-and-play driver types for hardware-independent imaging. This addition complements the support for hardware abstraction layers (HAL), network interface cards, and mass-storage-controller drivers to provide a complete hardware-independent imaging solution. Management for the driver database is now available through the console. You can consolidate driver management because both imaging and scripted operating system installations consume the drivers in the DeployAnywhere database.
  Ghost imaging supports the familiar style of RapiDeploy multicasting. PC transplant supports Microsoft Office 2010 (32-bit and 64-bit).
  Enhanced Virtual Machine Management capabilities streamline configuration and extend the virtual machine creation wizard. The wizard can execute any Deployment Solution job as part of the virtual machine creation process. This ability lets you leverage existing server provisioning jobs and apply them to virtual server provisioning.
■ Server health monitoring
  IT Management Suite also lets you monitor and maintain the health of your servers. You can monitor key metrics and indicators of your server health performance. These metrics can be viewed in real time. With the task engine, you can proactively manage your servers.
  For example, you can automate complex sequences of fail-safe measures such as provisioning a backup server in the event that a server crashes. You can configure the system to alert you if a specific metric starts to indicate a potential problem. You can then resolve that problem so that it does not manifest in the future.
■ Workflow engine
  IT Management Suite includes a workflow engine that lets you automate human and system interactions. You can set up robust workflows to automatically complete many of the sequential tasks that are required for efficient service management. In addition to form builders and drag-and-drop process designer capabilities, you can use the full component generator capability for access to third-party technologies. These technologies include HR or finance systems, and the Workflow portal. The Workflow portal lets you track the overall process as a workflow moves through the various stages.
■ Advanced reporting and IT Analytics
  The executive dashboard and trend analysis give you a representative view of your IT assets. Key performance indicators let you measure critical success factors for your organization and quickly assess trends of how these measures change over time. You can use ad-hoc data mining to construct pivot table reports. The reports are based on predefined measures and dimensions. The functionality allows for easy manipulation of the data so you do not have to be a SQL expert to access the information you need. Multidimensional analysis and robust graphical reporting are incorporated to help you arrive at your answers with very little customization and without waiting.
  The MultiCMDB feature provides global IT Analytics reporting across multiple CMDBs without the need to replicate large amounts of data.
■ Symantec Workspace Virtualization
  A key challenge to moving to Windows 7 is that many legacy Web applications depend on Internet Explorer 6.
  Symantec Workspace Virtualization includes a new update that solves this challenge. You can virtualize Internet Explorer 6 directly in Windows 7. This ability lets you concurrently run Internet Explorer 6, 7, and 8. You can also run multiple Java versions on the native operating system to achieve normal visibility. This approach enables side-by-side usage, and offers a secure implementation that is invisible to the user. You can determine which applications should have access to that specific browser. Users are never prompted to choose a browser. The correct version automatically opens for them based on policy. This option helps you move faster and more efficiently to Microsoft Windows 7.
  Browser plug-ins such as Acrobat and Flash can be installed into the base or into a virtual layer. Multiple Java versions can be installed in the base, or in a layer, and used by a virtual Internet Explorer. Workspace Virtualization automatically supports any group policy objects that your enterprise may have in place for Internet Explorer.

See “What you can do with IT Management Suite” on page 20.
See “What's new in Symantec Management Platform 7.1 SP2” on page 25.

What's new in Symantec Management Platform 7.1 SP2

In the 7.1 SP2 release of Symantec Management Platform, the following new features are introduced:

Table 1-1 List of new features

Component: General
■ Symantec Help Center
  The Symantec Management Platform 7.1 SP2 release provides Symantec Help Center. This search-based Help system implements many Web 2.0 features, such as autosuggest and filtering. It also deploys the customized search logic that helps you get more relevant answers to your questions.
■ Symantec ServiceDesk no longer installed as a part of IT Management Suite in Symantec Installation Manager
  To install Symantec ServiceDesk, you must select the product separately in the product listing in Symantec Installation Manager.

Component: Core
■ Support for Microsoft MED-V virtualization
  This enhancement adds the ability for Symantec Management Agents on Microsoft MED-V virtual devices to communicate through devices in NAT mode. It is now supported in 6.x or later.
■ NSE processing improvements enable faster inventory updates and consume less processing power on Notification Server and Microsoft SQL systems.
■ Registry keys can be used to change the path to Logs and the Event queue.
■ Scalability - One Notification Server now supports up to 300 task servers.
■ Support for SQL 2008 R2 SP1
■ Support for SQL 2005 SP4
■ Support for Windows Internet Explorer 9 in compatibility mode
■ A 5,000-seat environment was tested and documented to provide hardware recommendations and to minimize hardware expenses for SMB environments.
  For more information, see the IT Management Suite Planning and Implementation Guide at http://www.symantec.com/docs/DOC4827

Component: Symantec Installation Manager
■ Ability to perform offline upgrades
  You can export a server's installation history and import it to an Internet-connected computer to create an installation package.
■ Log files for support packages
  Symantec Installation Manager lets you create and view verbose and non-verbose log files for inclusion in a support package.
■ Ability to create installation packages on Windows XP/7 computers
  You can now run Symantec Installation Manager on the platforms that Notification Server does not support. Examples of these platforms are Windows XP/7, but only for the purpose of creating offline installation packages.
■ Improvements to SSL configuration
  New options for supplying a certificate during installation. The options include Create self-signed, Import, and using a certificate available on the computer.
  For more information, see the Symantec Management Platform 7.1 SP2 Installation Guide. http://www.symantec.com/docs/DOC4798

Component: Enhanced Console Views
■ New Software Management privileges
  Software Management privileges grant specific abilities to the user role. They also allow the user to perform specific tasks in the Software view and Software Catalog window from the enhanced console views.
■ Improved Licenses tab
  Improvements in the Licenses tab, on the Software Product dialog box, let you choose whether to license a software product. These improvements also let you create additional licenses for the same software product.
■ Improved Delivery tab
  Improvements in the Delivery tab, on the Software Product dialog box, let you import software packages, add software packages, and add command lines.
■ Additional search options
  Improvements in the Enhanced Views Setting dialog box let you configure search settings for the Software view and Computer view center panes (list panes).
  See Altiris IT Management Suite 7.1 SP2 from Symantec Enhanced Console Views Getting Started Guide at the following URL: http://www.symantec.com/docs/doc4858

Component: Symantec Workflow
■ Symantec Workflow is delivered through Symantec Management Platform.
■ The Configuration and Logging Tool in Workflow Designer was renamed to Workflow Explorer.
■ Users can now enter platform credentials during installation, but AD credentials were removed from the installation.
■ Improvements in Active Directory synchronization let you selectively synchronize users with Symantec Workflow.
■ New import profiles and export profiles are available.
■ Symantec Workflow includes a refreshed SharePoint component library.
■ All integration projects are now multi-generator container projects by default.
■ A new application installer is included for partners.

Component: Software Management Framework
■ Support of virtualization package format XPF
  This enhancement ensures that the software catalog adds support of the default package format of Symantec Workspace Virtualization.
■ Changes in Software Management Framework Agent inventory report
  To prevent accidental loss of Software Management Framework inventory data, a periodical send of full inventory data is added. For more information, see the following knowledge base article at the following URL: http://www.symantec.com/docs/HOWTO60920.
■ Automatically generate command lines when a package is created checkbox in Add or Edit Package dialog box
  This checkbox lets you generate appropriate command lines when a new package is added to either a new software resource or an existing software resource.

Component: UNIX, Linux, Mac Agent
■ NSE events
  You can now select specific resource keys to be ignored when you generate NSE events. For more information, see the knowledge base article at the following URL: http://www.symantec.com/docs/HOWTO60919.
■ Support for 64-bit RHEL 6
  A 64-bit bootstrap module is added to the solution package to support installation on the RHEL 6 64-bit platforms without a 32-bit compatibility layer.
■ Various enhancements for Client Task Agent
■ Changes in agent packaging for Mac platform
  ULM Agent distribution for MacOS now contains signed files (libraries, binary executables, and application bundles). Files are signed with the official Symantec certificate.
■ Support for Mac OS X 10.7.x and Mac OS X Server 10.7.x

See “About the Symantec Management Platform” on page 34.
What's new for ITMS solutions

The following links take you to the release notes for individual ITMS solutions. Each release note contains a "What's New" topic.

Table 1-2 What's new for ITMS solutions (Document: Location)

■ Altiris™ Client Management Suite 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4723
■ Altiris™ Server Management Suite 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4725
■ Altiris™ Asset Management Suite 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4670
■ Altiris™ Barcode Solution 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4673
■ Altiris™ Deployment Solution 7.1 SP1a MR1 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4467
■ Symantec™ Endpoint Protection Integration Component 7.1 SP2 Release Notes: http://www.symantec.com/docs/DOC4809
■ Altiris™ Inventory Solution™ from Symantec™ 7.1 SP2 Release Notes: http://www.symantec.com/docs/DOC4782
■ Altiris™ Inventory Pack for Servers from Symantec™ 7.1 SP2 Release Notes: http://www.symantec.com/docs/DOC4799
■ Altiris™ Inventory for Network Devices 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4781
■ Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4843
■ Altiris™ Monitor Solution for Servers 7.1 SP2 and Event Console 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4691
■ Altiris™ Monitor Pack for Servers 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4692
■ Altiris™ Out of Band Management Component 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4688
■ Altiris™ Patch Management Solution for Windows 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4815
■ Altiris™ Patch Management Solution for Linux 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4817
■ Altiris™ Patch Management Solution for Mac 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4819
■ Symantec™ pcAnywhere Solution™ 12.6 SP2 Release Notes: http://www.symantec.com/docs/DOC4810
■ Altiris™ Real-Time Console Infrastructure 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4689
■ Altiris™ Real-Time System Manager Solution 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4690
■ Altiris™ Software Management Solution 7.1 SP2 from Symantec™ Release Notes: http://www.symantec.com/docs/DOC4663
■ Symantec™ Virtual Machine Management 7.1 SP2 Release Notes: http://www.symantec.com/docs/DOC4797
■ Wise™ Connector 7.1 SP2 Release Notes: http://www.symantec.com/docs/DOC4811
■ Symantec™ Workflow 7.1 SP2 Release Notes: http://www.symantec.com/docs/DOC4796

Where to get more information

Use the following documentation resources to learn about and use this product.

See “About IT Management Suite” on page 19.

Table 1-3 Documentation resources

Document: Release Notes
Description: Information about new features and important issues.
Location: The Supported Products A-Z page, which is available at the following URL:
  http://www.symantec.com/business/support/index?page=products

Document: User guides
Description: Information about how to use this product. This information is available in PDF format.
Location:
■ The Documentation Library, which is available in the Symantec Management Console on the Help menu. The Documentation Library provides a link to the PDF User Guide on the Symantec support Web site.
■ The Supported Products A-Z page, which is available at the following URL:
  http://www.symantec.com/business/support/index?page=products
  Open your product's support page, and then under Common Topics, click Documentation.
Document: Help
Description: Information about how to use this product. Help is available at the solution level and at the suite level. This information is available in HTML help format.
Location: The Documentation Library, which is available in the Symantec Management Console on the Help menu.
  Context-sensitive help is available for most screens in the Symantec Management Console. To open context-sensitive help, click inside the window, pane, dialog box, or other screen element about which you want more information. Then do one of the following:
■ Press the F1 key.
■ In the Symantec Management Console, click Help > Context.
  In the Symantec Help Center window, type your search string to search within the installed documentation. To expand your search to the Symantec Knowledge Base, check Include online search. For more information on how to use the Symantec Help Center, click the Home symbol.

In addition to the product documentation, you can use the following resources to learn about Symantec products.

Table 1-4 Symantec product information resources

Resource: Best practices Support Knowledgebase
Description: Compilation of "how to" and best practice articles for IT Management Suite.
Location: http://www.symantec.com/docs/HOWTO32608

Resource: SymWISE Support Knowledgebase
Description: Articles, incidents, and issues about Symantec products.
Location: http://www.symantec.com/business/theme.jsp?themeid=support-knowledgebase

Resource: Symantec Connect
Description: An online resource that contains forums, articles, blogs, downloads, events, videos, groups, and ideas for users of Symantec products.
Location: http://www.symantec.com/connect/endpoint-management

Chapter 2 Understanding the components of IT Management Suite

This chapter includes the following topics:

■ About the Symantec Management Platform
■ Core architectural components of Symantec Management Platform
■ Components of the Symantec Management Platform
■ About Notification Server
■ About the Symantec Management Console
■ About the Configuration Management Database
■ About site services
■ About the Symantec Management Agent
■ Solutions of IT Management Suite
■ About Asset Management Suite
■ About Barcode Solution
■ About CMDB Solution
■ About Deployment Solution
■ About Inventory Solution
■ About IT Analytics Solution
■ About Symantec Mobile Management
■ About Monitor Solution
■ About Monitor Pack for Servers
■ About Out of Band Management Component
■ About Patch Management Solution for Windows
■ About Patch Management Solution for Linux
■ About Patch Management Solution for Mac
■ About pcAnywhere Solution
■ About Real-Time System Manager
■ About Endpoint Protection Integration Component
■ About Software Management Solution
■ About Symantec Workflow

About the Symantec Management Platform

The Symantec Management Platform provides a set of services that IT-related solutions can leverage. Solutions plug into the platform and take advantage of the platform services, such as security, reporting, communications, package deployment, and Configuration Management Database (CMDB) data. Because solutions share the same platform, they can share platform services as well as data. Shared data is more useful than data that is only available to a single solution. For example, one solution collects data about the software that is installed on company computers and another solution uses the data to manage software licenses. A third solution can also use this data to help you update software.
This close integration of solutions and the platform makes it easier for you to use the different solutions because they work in a common environment and are administered through a common interface.

The platform provides the following services:

■ Role-based security
■ Client communications and management
■ Execution of scheduled or event-triggered tasks and policies
■ Package deployment and installation
■ Reporting
■ Centralized management through a single, common interface
■ Configuration Management Database (CMDB)
■ Software Management Framework

When you install a solution or suite, the platform is also installed if it is not already installed.

See “Components of the Symantec Management Platform” on page 36.
See “What's new in Symantec Management Platform 7.1 SP2” on page 25.

Core architectural components of Symantec Management Platform

Symantec Management Platform has four main architectural components.

See “IT Management planning considerations” on page 53.

They are as follows:

■ Notification Server and its Web-based Symantec Management Console
  See “About Notification Server” on page 37.
■ SQL Server
  See “About the Configuration Management Database” on page 39.
■ Site servers
  Site servers can include task servers, package servers, and deployment site servers.
  See “About site services” on page 39.
■ Managed computers
  See “About the Symantec Management Agent” on page 40.
Figure 2-1 Core architectural components of Symantec Management Platform

Components of the Symantec Management Platform

The Symantec Management Platform includes the following core components:

■ Notification Server and Symantec Management Console
  The Symantec Management Platform service that processes events, facilitates communications with managed computers, and coordinates the work of the other Symantec Management Platform services. The console is the Notification Server computer's Web-based user interface that lets you manage the platform and its solutions.
  See “About Notification Server” on page 37.
  See “About configuring Notification Server” on page 201.
  See “About the Symantec Management Console” on page 38.
■ Configuration Management Database (CMDB)
  The database that stores all of the information about managed computers.
  See “About the Configuration Management Database” on page 39.
  See “Configuring the Configuration Management Database” on page 202.
■ Site servers
  The Symantec Management Platform can host several types of middleware components, such as package services, task services, and deployment site services. The official name for a middleware component is "site service." Any component that hosts a site service is known as a site server. Site servers can host one or more of these services.
  See “About site services” on page 39.
■ Symantec Management Agent
  The software that is installed on a computer to enable Notification Server to monitor and manage it. After the Symantec Management Agent is installed, that computer becomes a managed computer.
  See “About the Symantec Management Agent” on page 40.
■ Software Management Framework
  An interface that lets you create and manage the software resources that are in the Software Catalog.
It also lets you manage the packages that are in the Software Library. The Software view provides a central location for initiating the software-related tasks that are performed in your organization.
■ Reports
A way to gather automated information. You can view reports for any managed computer from the Symantec Management Console.
See “About the Symantec Management Platform” on page 34.

About Notification Server

Notification Server is the primary server component within the Symantec Management Platform. Notification Server coordinates the various solutions and provides the primary user interface, policy-based administration, reporting, and notification. Notification Server hosts the Web-based management console that lets you manage the components of your Symantec Management Platform.
See “Components of the Symantec Management Platform” on page 36.
See “About configuring Notification Server” on page 201.

Notification Server is responsible for managing the predefined policies and tasks that are available in each installed solution. These policies and tasks activate components of Notification Server that process several functions. Notification Server functions include the following:
■ Discovering resources on the network
■ Installing and configuring the management agent on the endpoints
■ Collecting client-reported information and storing it in the CMDB
■ Generating detailed Web Reports
■ Sending policy information to the endpoints
■ Distributing software packages

About the Symantec Management Console

The Symantec Management Console (usually referred to as "the console") is a Web-based user interface that is the primary tool for interacting with Notification Server and its components, and for managing resources.
The Symantec Management Console is divided into the following areas:

Header
The top portion of the console that includes the following:
■ Menus, which let you access console pages and dialogs that provide the management functionality for Notification Server. Symantec solutions that are installed on the system may add new items to the menu.
■ Search box, which lets you search the resource data for the resources that you want. When you perform a search, a search panel appears under where you input the search.
■ A breadcrumb bar that shows the menu path to the currently displayed page.

Content area
The portion of the console that is below the header can show one of the following:
■ View
A view is composed of a tree view and content pane. The tree view, in the left pane, shows a hierarchical arrangement of items that you can select and work with. The content pane, on the right, displays pages based on tree view selections.
■ Portal page
A portal page displays a collection of different pieces of information that are contained in Web parts. Notification Server includes predefined portal pages, and other portal pages might be included with solutions. You can also create your own portal pages.
■ Full page
A full page has a single content pane without the treeview.

Some console pages support personalization, which is the ability for a console page to preserve the state of its controls on a per-user basis. For example, one day user A may open a filter page and, to suit their personal preference, re-order the columns in the grid. Meanwhile, user B opens the same page but leaves the grid in its default configuration. The following day, when the users open that filter page, user A sees the page as they configured it on the previous day. User B still sees the default view as they left it on the previous day.
Personalization is currently applied to the reporting pages and filter pages, and to the state of the navigation tree in the view pages. In addition, the My Portal page is personalized for each user.

About the Configuration Management Database

Database processing is one of the largest consumers of resources on the Symantec Management Platform. The number of solutions that are installed in your environment and how they are used influences the database requirements. The number of managed computers that report to each Notification Server computer also influences the database requirements.

Each Notification Server computer can be configured to use a local Configuration Management Database (CMDB) or to use a remote CMDB. A Notification Server computer with a local database requires more resources than a Notification Server computer with a remote database configuration.
See “Configuring the Configuration Management Database” on page 202.
See “About planning your SQL Server configuration” on page 55.

You can use the following configurations for the CMDB:
■ Local CMDB configuration
In a local CMDB server configuration, you install the CMDB on the same computer as Notification Server. This configuration is acceptable for the environments that have 1,000 to 5,000 endpoints. In these environments there is minimal contention of resources between Notification Server services and the CMDB services.
■ Remote CMDB configuration
In a remote CMDB configuration, you install the CMDB on a different computer from the Notification Server computer. This configuration is recommended for most environments. In this configuration the workload of the CMDB is offloaded from the Notification Server computer. The CMDB server and Notification Server computer must have a high-speed network connection between them. Symantec recommends 1GB Ethernet.
About site services

The Symantec Management Platform can host several types of middleware components, such as package servers, task servers, and boot servers. Middleware components can be installed on computers other than the Notification Server computer. These services act as the first point of contact for the Symantec Management Agents, thus reducing the load on Notification Server.

The official name for a middleware component is “site service.” Any computer that hosts a site service is known as a site server. A site server can have one or more site services installed on it. For example, if you install the package server site service (the "package service") onto a computer, that computer becomes a site server.

Site servers can assist Notification Server. Site servers can extend the architecture, improve distribution efficiency, and reduce network bandwidth requirements. Notification Server handles the deployment, configuration, and ongoing maintenance of site services. Package service, task service, and the boot service provide the Symantec Management Agents with packages, tasks, and PXE broadcasts.

Notification Server performs the following functions for site management:
■ Handles the deployment and removal of site services to and from site servers
■ Ensures that the site service is installed only on the computers that satisfy the minimum system requirements

You use site maintenance to create logical groups of endpoints to balance the load on site servers. For example, you can distribute packages efficiently to your Symantec Management Agents with multiple package servers. The package servers handle most of the package distribution functions, which frees up Notification Server to perform other activities.
See “About site maintenance” on page 63.
About the Symantec Management Agent

The Symantec Management Agent is the software that establishes communication between the Notification Server computer and the computers in your network. Computers with the Symantec Management Agent installed on them are called managed computers. The Notification Server computer interacts with the Symantec Management Agent to monitor and manage each computer from the Symantec Management Console.

The Notification Server computer and the Symantec Management Agent work together to provide the following types of functionality for managed computers:
■ Monitoring hardware and software
■ Scheduling software installations and file updates
■ Collecting basic inventory information
■ Managing policies and packages

You can install the Symantec Management Agent on Windows, Linux, UNIX, and Mac computers. The Symantec Management Agent also lets you install and manage solution agent plug-ins that add additional functionality to the agent. For example, installing the Inventory plug-in lets you gather detailed hardware and software information from all of your managed computers.

Solutions of IT Management Suite

IT Management Suite includes many solutions and components.
Table 2-1 IT Management Suite 7.1 solutions and components

Suite/Platform: Symantec Management Platform 7.1
Solution/Component: Includes the components such as Network Discovery, Notification Server, Symantec Management Console, and Symantec Management Agent
■ Symantec Workflow 7.1
■ IT Analytics 7.1

Suite/Platform: Asset Management Suite 7.1
Solution/Component:
■ Asset Management Solution 7.1
■ Barcode Solution 7.1
■ CMDB Solution 7.1

Suite/Platform: Client Management Suite 7.1
Solution/Component:
■ Deployment Solution 7.1 SP1 with a license for 6.9 SP5
■ Inventory Solution 7.1
■ IT Analytics Client and Server Pack 7.1
■ IT Analytics SEP Pack 7.1
■ Out-of-Band Management Component 7.1
■ Patch Management Solution 7.1
■ pcAnywhere Solution 12.6
■ Real-Time System Manager 7.1
■ Software Management Solution 7.1
■ Symantec Endpoint Protection Integration Component 7.1
■ Wise Connector 7.1
■ Workspace Virtualization 7.1

Suite/Platform: Server Management Suite 7.1
Solution/Component:
■ Deployment Solution 7.1 SP1 with a license for 6.9 SP5
■ Inventory Solution 7.1
■ Inventory Pack for Servers
■ IT Analytics Client and Server Pack 7.1
■ IT Analytics SEP Pack 7.1
■ Monitor Pack for Servers 7.1
■ Monitor Solution 7.1
■ Patch Management Solution 7.1
■ Real-Time System Manager 7.1
■ Software Management Solution 7.1
■ Symantec Endpoint Protection Integration Component 7.1
■ Virtual Machine Management 7.1
■ Wise Connector 7.1

Suite/Platform: Other
Solution/Component:
■ IT Analytics ServiceDesk Pack 7.1

See “About IT Management Suite” on page 19.

About Asset Management Suite

Asset Management Suite provides a management console, a database environment, and a suite of solutions that let you track assets and asset-related information. The suite includes Asset Management Solution, Barcode Solution, and CMDB Solution. Asset Management Suite specializes in tracking IT-related assets, such as computers and software.
You can also use it to track other types of assets, such as furniture and company cars.

In association with assets, you can record and track many types of documents and documented details. For example, you can track lease schedules, NDAs (non-disclosure agreements), SLAs (Service Level Agreements), and warranty information. Contracts and contract details can be associated with assets so that you can easily view the contractual information that is related to specific assets. You can also configure the software so that it notifies you of the upcoming actions that are specified in a contract.

You can use the Symantec Management Console to view the value of an asset or a group of assets. You can use it to view the department, cost center, and user that is assigned to an asset. You can use it to improve your ability to allocate software and hardware costs to specific users and departments. You can also use it to keep track of software license details so that you avoid paying for the licenses that you do not need.

Additionally, Asset Management Suite aligns with IT Infrastructure Library (ITIL) standards. It also helps you comply with international IT standards such as COBIT and U.S. federal laws such as the Sarbanes-Oxley Act and HIPAA.

About Barcode Solution

Barcode Solution provides your organization with a simpler, more accurate way of gathering and verifying asset information in the field. This solution integrates information directly into Altiris Asset Management Solution and Altiris CMDB Solution so that data input errors, accounting irregularities, and redundancies are eliminated.

Barcode Solution supports the following barcode formats:
■ Code 39
■ Code 128
■ Interleaved 2 of 5
■ UPC barcode symbologies formats

Barcode Solution also works with the Radio Frequency Identification (RFID) dot point tracking.
Barcode Solution supports numerous handheld devices and dedicated barcode and RFID devices. You can find the most up-to-date list of the supported devices in the Barcode Solution Release Notes.

About CMDB Solution

CMDB (Configuration Management Database) Solution is a component of Asset Management Suite. This solution lets you model configuration items for any component in your environment and the relationships between them in a centralized database.

CMDB Solution lets you identify all components and relationships and instigate any required changes. The solution actively manages configuration items according to user-specified instructions in jobs, tasks, configuration policies, and custom CMDB rules.

About Deployment Solution

Deployment Solution lets you integrate standard deployment features with Symantec Management Platform. It helps reduce the cost of deploying and managing servers, desktops, and notebooks from a centralized location in your environment. The solution offers OS deployment, configuration, PC personality migration, and software deployment across hardware platforms and OS types.

The following are the key features of Deployment Solution:
■ Lets you mass-deploy hardware-independent images to new systems and existing systems using Symantec Ghost and RapiDeploy imaging tools.
■ Lets you migrate to the latest Windows version; migrates user data, personality settings, and OS and application settings to the new operating system.
■ Lets you configure each system based on standardized criteria, such as job function, user type, or location.
■ Lets you change the system and the network settings.
■ Supports the deployment of heterogeneous client and server operating systems, including Windows and Linux.
■ Supports the deployment of heterogeneous client and server operating systems such as Windows and Linux on client and server computers.
■ Lets you easily create the jobs and tasks that automate deployment and migration functions such as imaging, scripted OS installations, configurations, and software deployments.
■ Supports industry-standard hardware-management capabilities such as Intel vPro, Pre-boot eXecution Environment (PXE), and Wake on LAN technologies.
■ Lets you use role- and scope-based security to secure management features from unauthorized personnel.
■ Supports the WinPE and the Linux preboot environments.
■ Integrates with many Symantec products built on Symantec Management Platform: for example, Altiris solutions and security, backup and recovery, virtualization, data loss prevention, vulnerability assessment, and other products.

The following are the key benefits of Deployment Solution:
■ Reduces the costs that are associated with deploying, migrating, and provisioning desktops, laptops, and servers throughout the organization.
■ Saves time and reduces human error over traditional PC deployments.
■ Reduces end-user downtime by automating the deployment process.
■ Increases IT efficiency through automated, repeatable deployment tasks.
■ Provides tools for zero-touch migrations to reduce the costs that are associated with moving to a new operating system.

About Inventory Solution

Obtaining and analyzing accurate inventory data is an important part of managing and securing your network. Inventory Solution lets you gather inventory data about computers, users, operating systems, and installed software applications in your environment. The application metering feature also lets you monitor and deny the usage of software applications on your network.

You can collect inventory data from the computers that are running the following platforms: Windows, UNIX, Linux, and Mac.

You use policies and tasks to perform inventory and application metering functions.
The policies and tasks are easily configured and managed using a central Web console. Predefined inventory policies let you gather inventory with little effort.
See “About predefined inventory policies” on page 121.

The inventory data is stored in the Configuration Management Database (CMDB). The CMDB provides a central store of data that is used across the Symantec Management Platform.
See “About the Configuration Management Database” on page 39.

You can use different methods for gathering the following types of inventory data:
■ Basic inventory data: Computer name, domain, installed operating system, etc.
■ Standard inventory data: Hardware and software components, file properties, etc.
■ Custom inventory data: Additional data beyond the predefined data classes in Inventory Solution.
■ Application metering inventory data: Start, stop, deny events and summary data of monitored software applications.
■ Baseline inventory data: Information about files and registry settings on computers.

To help maximize your investment, Inventory Solution does more than gather data. Inventory Solution provides a Web-based management console, policies to alert you about critical information, and professional quality predefined or custom Web reports that let you analyze gathered inventory data. Thus Inventory Solution includes the tools that you need to transform your inventory data into useful information.

Inventory Solution also has the following features:
■ Supports zero-footprint configuration.
■ Operates in always connected, sometimes connected, and stand-alone computing environments.
■ Can be installed to run on a recurring basis with the Symantec Management Agent.
■ Posts data through SMB and/or HTTP.
■ Lets you meter, track, or deny the usage of one or more software applications and harvest unused software licenses.
You can use Inventory Pack for Servers, which is a separate product that lets you gather server-based inventory data from servers. You can also use additional Symantec products to gather inventory data from handheld computers, network devices, and Windows, UNIX, Linux, and Mac servers.

About IT Analytics Solution

IT Analytics Solution software complements and expands upon the reporting that is offered in many Symantec solutions. It brings multi-dimensional analysis and robust graphical reporting features to Symantec Management Platform. This functionality lets you explore data on your own, without advanced knowledge of databases or third-party reporting tools. It also lets you ask and answer your own questions quickly and easily.
See “What's new in IT Analytics 7.1 SP2” on page 90.

About Symantec Mobile Management

Symantec Mobile Management lets you manage, secure, and troubleshoot the mobile devices in your organization. Using Mobile Management, you can automate repetitive tasks to reduce the resources that you spend to control your IT environment. You can also see what mobile devices you have, where each device is located, and what state each device is in. The flexible reporting tools in Mobile Management let you identify any problems in your IT framework. You can then take immediate action to fix those problems from within the reports.

About Monitor Solution

Monitor Solution lets you monitor various aspects of computer operating systems, applications, and devices. These aspects can include events, processes, and performance. This ability helps you ensure that your servers and your devices work and reduces the costs of server and network monitoring.

Monitor Solution lets you do the following tasks:
■ Identify the health of your environment by collecting detailed data from servers, applications, and network devices.
■ Analyze trends and isolate recurring issues by collecting comprehensive real-time and historical performance data.
■ Pinpoint problems, define their cause, and take automated actions to resolve them.

Monitor Solution supports both agent-based and agentless monitoring methods. It runs on the Symantec Management Platform and is a key component of Server Management Suite.

About Monitor Pack for Servers

Monitor Pack for Servers works with the Monitor Solution core components of the Symantec Management Platform. It lets you monitor operating system performance, services, and events of your Windows, Linux, or UNIX server environment. This pack includes several reports to help you evaluate and tune the performance of your server components.

About Out of Band Management Component

Altiris Out of Band Management Component software (formerly known as Altiris Out of Band Management Solution) lets you discover computers with ASF, DASH, and Intel AMT in your environment and configure the computers for out-of-band management.

Out-of-band management is the ability to manage client computers regardless of the state of their power, operating system, or management agents. You can remotely change the power state of the computer, collect hardware inventory, and perform other management tasks that would normally require a visit to a client computer.

Figure 2-2 Out of Band Management Component features

About Patch Management Solution for Windows

Patch Management Solution for Windows lets you inventory managed computers to determine the software updates (patches) that they require. The solution then lets you download the required software updates from the software vendor and provides you with the tools to install the software updates. Software updates include but are not limited to security updates, hot fixes, and service packs.
Software from vendors such as Microsoft, Adobe, Mozilla, Google, Sun Microsystems, and many others can be patched.

Key features include a software repository that provides comprehensive data on software bulletins, software updates, and inventory rules, such as technical details, severity ratings, and number of executables. The process of populating the information repository from the patch management metadata files can be started after you complete the installation of the solution.

Integration with Notification Server 7.x includes features such as hierarchy and maintenance windows. Hierarchy lets you configure features and settings for a parent Notification Server computer, then pass the settings down to child Notification Server computers.

About Patch Management Solution for Linux

Patch Management Solution for Linux ensures that your Red Hat Linux and SUSE Linux computers have the most up-to-date patches applied and are protected against security threats. The solution lets you inventory the managed Linux computers for security vulnerabilities and then reports on the findings. It provides you with the tools that let you download and distribute the needed software updates. Patch Management Solution for Linux lets you set up an automatic update schedule to ensure that managed computers are up-to-date and protected on an on-going basis.

About Patch Management Solution for Mac

Patch Management Solution for Mac lets you scan Mac computers for the updates that they require. The solution then reports on the findings and lets you automate the downloading and distribution of needed software updates. You can distribute all or some of the updates.

Patch Management Solution for Mac can update only the software that the Mac OS X software update utility supports.
The solution integrates with the software update utility, and lets you collect needed update information from the target Mac computers and initiate a software update. Mac computers download software updates from the Apple Web site or from a Software Update Server (SUS) and report installation status information to Notification Server.

Patch Management Solution for Mac provides the preconfigured rollout jobs that let you automate installing a large number of updates. For example, the preconfigured rollout jobs can install all updates, all recommended updates, and so on.

About pcAnywhere Solution

Symantec pcAnywhere Solution provides secure, remote access to computers and servers. This remote access lets you quickly resolve help desk and server support issues or stay productive while you work away from your office. You can use your desktop computer or laptop to work across multiple platforms, including the Windows OS, Linux OS, and Macintosh OS.

Connectivity features help facilitate connections through firewalls, routers, and other types of network address translation (NAT) devices. Robust security features help protect your computers and servers from unauthorized access.

You can use pcAnywhere Solution in the following ways:

Table 2-2 What you can do with pcAnywhere

Features: Manage computers remotely
Description: pcAnywhere Solution lets help desk providers and administrators troubleshoot and quickly resolve computer problems. You can remotely perform diagnostics, check and modify settings, and deploy and install software.

Features: Support and maintain servers
Description: pcAnywhere Solution lets administrators connect to servers across their organizations to perform routine maintenance. It also helps administrators deploy and install software patches and upgrades, assess performance, and troubleshoot network problems.
Features: Transfer files between computers
Description: pcAnywhere Solution lets you connect to your home computer or office computer to quickly get the files that you need. You can perform automatic file transfers from one computer to another or exchange multimedia and other files that are too large to send by email.

Features: Work from a remote location
Description: pcAnywhere Solution lets you remotely connect to another computer. You can then work as though you are sitting in front of that computer. You can view and edit files, run software, print files to a printer at your location or at the host’s location, or give demonstrations.

About Real-Time System Manager

The Altiris Real-Time System Manager software lets you manage a single computer from the Symantec Management Console in real time.

Real-Time System Manager can connect to the target computer using the following protocols:
■ WMI - Microsoft Windows Management Instrumentation
■ ASF - Alert Standards Format 2.0
■ Intel® AMT - Intel® Active Management Technology
■ DASH - Desktop and mobile Architecture for System Hardware
■ SNMP - Simple Network Management Protocol
■ IPMI - Intelligent Platform Management Interface

With Real-Time System Manager, you can view detailed real-time information about the managed computer and remotely perform various administrative tasks. For example, you can restart the computer, reset a password, run a port scan, terminate a process, and more. Real-Time System Manager also lets you run some of the management tasks on a collection of computers, immediately or on a schedule.

About Endpoint Protection Integration Component

The Symantec Endpoint Protection Integration Component combines Symantec Endpoint Protection with your other Symantec Management Platform solutions. You can inventory computers, update patches, deliver software, and deploy new computers.
You can also back up and restore your systems and data, manage DLP agents, and manage Symantec Endpoint Protection clients. You can do this work from a single, Web-based Symantec Management Console.

You can perform common Symantec Endpoint Protection client management operations from the Symantec Management Console.

About Software Management Solution

Software Management Solution provides intelligent and bandwidth-sensitive distribution and management of software from a central Web console. It significantly reduces desktop visits and lets you easily support your mobile work force. Software Management Solution also lets users directly download and install approved software or request other software.

Software Management Solution integrates with the Software Catalog and the Software Library that are part of the Symantec Management Platform. By leveraging this information, Software Management Solution ensures that the correct software gets installed, remains installed, and runs without interference from other software. This integration lets your administrators focus on delivering the correct software instead of redefining the packages, command lines, and so on for each delivery.

Software Management Solution combines the functionality of earlier versions of Software Delivery Solution and Application Management Solution. It also supports the software virtualization technology that was available in Altiris Software Virtualization Solution.

Software Management Solution supports packages for the Windows, UNIX, Linux, and Mac operating systems. With few exceptions, all the functions in Software Management Solution work the same for all platforms. For example, you use the same method to create a delivery task for a Windows, UNIX, Linux, or Mac OS package.

For a complete list of the platforms that Software Management Solution supports, see the Software Management Solution Release Notes.
About Symantec Workflow

Symantec Workflow is a graphical .NET application process development framework. This tool provides advanced logic and workflow to Symantec Enterprise products. You can use it to edit and implement pre-built workflows. You can also build your own workflows.

Symantec Workflow is a security process development framework that you can utilize to create both automated business processes and security processes. These processes provide for increased repeatability, control, and accountability while reducing overall workload.

The Symantec Workflow framework also lets you create Workflow processes that integrate Symantec tools into your organization's unique business processes. After Workflow is deployed, Workflow processes can respond automatically to environmental variables. Workflow processes can also allow for human interface points when a process calls for someone to make a decision with accountability.

The applications that you design can create human interaction through a variety of user interfaces. You can create human interaction through email, Web forms, handheld devices, or a task list.

In addition to basic workflow capability, Symantec Workflow includes Process Manager. Process Manager is a Web portal for managing the various parts of a workflow process, such as tasks, documents, data, and so on. Process Manager can be integrated with Active Directory for user authentication, proper access control, and user management.

You can also customize Process Manager. For example, you can change pages, symbols, Web parts, and so on to create an interface that works for you. You can also add new pages to Process Manager that embed Process Manager content or content from the Web or other servers.

You can also run the Symantec ServiceDesk Solution product on Symantec Workflow.
Chapter 3
Planning for IT Management Suite

This chapter includes the following topics:
■ IT Management planning considerations
■ About planning your SQL Server configuration
■ About planning your site servers
■ Symantec Management Agent deployment planning
■ How agent-based inventory communications work
■ How agent check-in intervals and basic inventory settings interact
■ How Patch Management Solution data communications work
■ Components of Deployment Solution
■ How asset management data communications work

IT Management planning considerations

Many factors and considerations may influence an implementation plan. To design your Symantec Management Platform infrastructure, you must assess your specific organizational features and requirements.
See “Core architectural components of Symantec Management Platform” on page 35.

Your requirements can include several variables. Some of these variables may include the following:
■ The geographic implications of the environment.
A centralized management design uses multiple Notification Server computers to support a variety of IT distribution models. For example, you can have a central corporate office with thousands of managed computers as well as both large branches and small branches. The centralized design can be effective for managing global policies and tasks. If your IT organization is primarily centralized, then the Symantec Management Platform can be designed to support it. In such an environment, the platform may use a parent Notification Server computer that is connected to additional child Notification Server computers in a hierarchy.
A decentralized management design consists of multiple dispersed sites and network segments that support subordinate sites and network segments. The decentralized design does not use hierarchy but instead it uses multiple Notification Server computers that operate independently.
■ The future growth of the organization. The infrastructure design may require room for growth. If possible the architecture should reflect both the current organization and the vision for the organization in the coming years. ■ The IT management team's distribution and its policies. The operations that IT manages centrally and locally influence design. Some IT tasks may need to be done from a central location or some tasks may need to be done from local sites. The security policies of the organization influence the design. Your organizational structure may determine the component placement and design of the infrastructure. How the organization’s staff works on a daily basis and how the business process is established influences the plan. Different branches of the organization, security requirements, or geographical requirements may all require separate Notification Server management domains. Different groups and roles managing endpoints may require Notification Server role and scope-based security. Role and scope-based security adds load on the Notification Server computer. ■ The connectivity ranges of the environment. The connectivity ranges of the environment may determine the placement of components. For example, there may be a first-tier site that is well connected, but the second tier sites are poorly connected. Traveling users may dial in or use a VPN from a remote location. ■ The installed solutions and how actively they are used. The number of installed and actively used solutions influences the number of managed computers that a Notification Server can support. For example, a server with only Inventory Solution installed can serve more managed endpoints than a server with all of IT Management Suite. Planning for IT Management Suite About planning your SQL Server configuration ■ The concurrent console usage and reporting needs. Concurrent use of the console can add additional processor utilization for heavy use of the Symantec Management Console. 
You can use the console to create custom reports to view information about the environment. Many custom reports are written with advanced Structured Query Language (SQL) statements that require significant database processing power. Having many users run these reports concurrently on the Notification Server computer can degrade its performance.
If the organization requires heavy custom reporting, consider implementing a separate Reporting Notification Server. While it does mean that the organization needs to invest in an additional server, it provides for the separation of duties in the infrastructure. The Notification Server computer responsible for managing endpoints is able to dedicate its processing to that function. The Notification Server computer responsible for providing reports dedicates its processing to that other function. With this configuration, you can use stand-alone replication to forward resource inventory information from the agent-facing Notification Server computer to the reporting Notification Server computer.
Another consideration is the memory cost of each of the concurrent console sessions from IIS on the Notification Server computer. You can calculate this memory requirement at approximately 20 MB per console connection.

About planning your SQL Server configuration

The following information provides guidelines for SQL server configuration for a Symantec CMDB computer. You can follow these guidelines to tune the performance of the SQL Server computer that hosts the Configuration Management Database (CMDB). These guidelines are not exclusive, and additional configuration options may be appropriate depending on the specifics of your environment. For detailed information about SQL Server configuration, refer to Microsoft’s documentation.
Many additional articles about SQL server setup, configuration, and maintenance are available on the SymWISE Support Knowledgebase.
The SymWISE Support Knowledgebase is available at www.symantec.com/business/theme.jsp?themeid=support-knowledgebase. For additional resources, see the article Links to Notification Server/SQL Server Maintenance and Tuning Articles on the SymWISE Support Knowledgebase.

Table 3-1 Considerations for planning your SQL Server configuration
Consideration | Description
Hardware | You can use recommended hardware guidelines to help tune the performance of your SQL Server computer. See Table 5-6 on page 129.
Hard drive configuration | The way that you configure the hard drives of your SQL Server computer influences your overall performance. You can use disk configuration recommendations to maximize throughput and tune the performance of your SQL Server computer. See “About hard drive configuration for off-box SQL Server” on page 56. See “About hard drive configuration for on-box SQL Server” on page 57.
Database sizing | You can use database sizing guidelines to help tune the performance of your SQL Server computer. See “About database sizing for SQL Server” on page 60.
Memory management | You can use memory management guidelines to help tune the performance of your SQL Server computer. See “About memory management for SQL Server considerations” on page 61.

About hard drive configuration for off-box SQL Server

The throughput of the SQL Server is a primary consideration for Symantec Management Platform performance. The way that you configure your hard drives on SQL Server influences throughput. The hard drive speed also has an influence on throughput. It is recommended to use high performance hard disks: for example, 10k rpm to 15k rpm SAS drives in a striped array.
See “About planning your SQL Server configuration” on page 55.
See “About the Configuration Management Database” on page 39.
For the best performance, make sure that the operating system, SQL data file, TempDB database, and the log file each has a dedicated volume. To improve performance further, you can split the data file and the TempDB database across multiple volumes. The number of volumes that you use should match the number of processor cores in your SQL Server. A recommendation for high performance is to use parallelism with the same number of disk volumes as the number of processor cores. You can split the SQL data file and the transaction log file to match the number of processor cores.
The data file requires both high read-write performance and redundancy. RAID 10 and RAID 0+1 are good configurations for the data file. RAID 0+1 has similar throughput to RAID 10, but its configuration helps simplify additional storage growth. RAID level 5 is not ideal for the CMDB performance because it requires additional Read/Write activities for parity.
The TempDB database needs high read-write performance, but redundancy is not necessary. The TempDB database acts as a temporary working area for many processes. The TempDB database requires very high speed; however, it is not used for storage and it is cleared regularly.
The transaction log also requires high disk throughput for optimal system performance. It should be hosted on RAID 10.

Table 3-2 Example of an off-box SQL server disk configuration
Component | Configuration
Operating system | RAID 1 Mirror
Data file | RAID 10 or RAID 0+1
TempDB database | RAID 0 (Striping)
Transaction log | RAID 10 or RAID 0+1

About hard drive configuration for on-box SQL Server

Caution: We recommend supporting no more than 5,000 managed computers with an on-box SQL configuration. Even with fewer than 5,000 managed computers, performance is unlikely to be as robust as with an off-box SQL configuration.
See “Recommended configuration for Notification Server with locally installed SQL database” on page 132.
A combined Notification Server and SQL database installation can be installed on spindle drives, solid-state drives, or a combination of the two. We recommend that you use mirrored spindle drives for the operating system and Notification Server, and SSD for the SQL database. This approach provides the best combination of performance, cost effectiveness, and ease of implementation.
If you use SAN storage for SQL, verify that your SAN IOPS meet the needs of the SQL database.
See “Throughput metrics of SQL Server” on page 59.
If you choose to install the SQL database on SSD disks, the following recommendations apply:
■ Place the operating system and Notification Server on a mirrored spindle drive.
■ All SQL files (the SQL data file, TempDB, and the log file) should be placed on a medium-grade SSD.
■ To improve performance, you can split the data file and TempDB across multiple hard drives. In addition, verify that the bus supports the maximum disk speed.

Table 3-3 Example of an on-box SQL server disk configuration using SSD
Component | Configuration
Operating system and Notification Server | RAID 1 mirror on spindle disk
Data file, TempDB database, and transaction log | SSD

If you choose to install the SQL database on spindle disks, the following recommendations apply:
■ The OS and Notification server should be combined on one volume.
■ The data file(s) should be on its own volume.
■ TempDB should be on its own volume.
■ The logs should be on their own volume.
Note: For more information on Microsoft SQL best practices, consult the Microsoft Web site.
Table 3-4 Example of an on-box SQL server disk configuration using spindle disks
Component | Configuration
Operating system and Notification Server | RAID 1 (mirrored)
Data file/s | RAID 10
TempDB database | RAID 0 (striped)
Transaction log | RAID 10

Note: Often, using dedicated external storage that is connected to the server is the best way to incorporate enough disks to facilitate requested IOPS.

Throughput metrics of SQL Server

The Symantec Configuration Management Database (CMDB) has high throughput requirements. Input/Outputs per second (IOPS) are used to measure the throughput.
You can use the following IOPS metrics to select the right disk performance for your SQL Server. They represent SQL performance statistics for a one-hour period during peak-hour processing. The database that is represented here serves 20,000 endpoints and 20 concurrent console sessions and 45 maximum persistent connections over 2311 concurrent transactions.
See “About planning your SQL Server configuration” on page 55.

Table 3-5 SQL data file I/O per second
Metric | Value
Number of I/O per second. | 238.7
Percent of write I/O per second. | 98%
Percent of read I/O per second. | 2%

Table 3-6 TempDB database I/O per second
Metric | Value
Number of I/O per second. | 1.3
Percent of write I/O per second. | 49%
Percent of read I/O per second. | 51%

Table 3-7 Log files I/O per second
Metric | Value
Number of I/O per second. | 593.8
Percent of write I/O per second. | 100%
Percent of read I/O per second. | 0%

About database sizing for SQL Server

You can use database sizing guidelines to help tune the performance of your SQL Server computer.
A Symantec Management Platform installation with no solutions and no managed computers creates a database size of about 300 MB. This size is about 7 percent of the maximum database size of SQL Express.
An additional 500 managed computers can increase the size to approximately 500 MB. Databases also grow as solutions are introduced and used.
See “About the Configuration Management Database” on page 39.
See “About planning your SQL Server configuration” on page 55.
Allow between 750 KB and 1 MB of space in the database for every managed computer. This sizing does not account for database fragmentation beyond initial creation. Actual sizes vary based on the solutions that are installed and the specific configuration of policies, tasks, and schedules. The database maintenance strategy that you use also influences your database size. When suites are installed in a large environment, you can expect the database to grow up to 6 GB to 12 GB.
When choosing a database growth strategy, be sure to account for data growth. Autogrow is a SQL Server setting you can use to help with unexpected data growth. However, do not rely on autogrow to manage your database file sizes. You should monitor the files and re-size them according to your projected needs during maintenance.
To choose your autogrow setting, estimate the expected maximum sizes of the data file and the transaction log file. To estimate this size you can monitor the growth of these files in a pre-production environment. Set the autogrow increment for your data file and transaction log files to 10 to 20 percent higher than your initial estimate.
Do not use the autoshrink feature with the Symantec Management Platform. Autoshrink runs periodically in the background. It consumes CPU and I/O cycles which can cause unexpected performance degradation. Autoshrink can continually shrink and re-grow the data files. This process causes fragmentation of the database file. This fragmentation may degrade both sequential transfers and random accesses.
After you have estimated the approximate size of the database, you should create a database file of this size before you install Notification Server.
This step ensures that adequate space is available. It also reduces negative performance from a database that continually grows. To further improve performance, you should defragment and re-index the database after its initial installation.
The CMDB SQL Server should not host additional third-party database applications because Symantec Management Platform has very high performance demands. However, additional CMDB databases can be hosted on the same SQL Server because each database has similar traffic requirements and hardware configuration needs.
You can have a single SQL instance that shares a single TempDB database, or multiple database instances can each have a dedicated TempDB database. Multiple database instances minimize risk for potential contention but require more disk arrays. You may require the individual databases of each Notification Server computer to exist on a separate instance. They may need to be separate instances to avoid TempDB database contention.

About memory management for SQL Server considerations

Memory management is an important part of tuning SQL Server performance. Memory management is especially important when SQL is run locally on the Notification Server computer.
See “About the Configuration Management Database” on page 39.
See “About planning your SQL Server configuration” on page 55.
Consider the following memory configuration options for SQL Server:
■ 3GB
This 32-bit Windows boot option limits the operating system to 1GB of RAM, reserving 3GB for applications.
■ Maximum server memory
This SQL setting limits the memory that SQL can consume.
■ PAE
This 32-bit Windows boot option allows SQL Server to use more than 4GB of RAM.
■ AWE
This SQL option allows SQL Server to use more than 2GB of RAM. If the server has more than 2GB of physical memory, enable AWE memory in SQL Server. This memory mode is recommended.
When AWE is enabled, SQL Server always attempts to use AWE-mapped memory. It uses wrapped memory for all memory configurations, including computers that provide applications with less than 3 GB of user mode address space. If AWE memory is enabled in SQL, make sure that the SQL Server account has the correct Lock Pages in Memory setting. Both AWE and the Lock Pages in Memory setting can benefit 64-bit SQL Servers as well as 32-bit SQL Servers.
■ Windows memory usage
Set Windows memory usage to favor Programs over System Cache. SQL Server does its own data caching to improve performance.
■ 32-bit OS
If you use a 32-bit OS, make sure that PAE is enabled at the hardware level. Enabling PAE lets SQL Server use AWE to map physical memory addresses higher than 4 GB.
■ 64-bit SQL
This option eliminates the memory limitations that are associated with 32-bit systems. By using a 64-bit operating system (Windows 2003 or 2008) and 64-bit SQL, you do not need to use PAE or AWE. SQL Server 2008 x64 is recommended for dedicated SQL Servers with more than 4 GB of physical memory.

About planning your site servers

A site is a management construct that allows mappings of subnets to site services. Site services are an extension of the Symantec Management Agent. When a site service is installed on a managed node, it promotes the Symantec Management Agent to a site server.
Task, package, and deployment site services are all site server roles. These site services can be deployed in multiple combinations to meet endpoint demands. A remote site may only need a package server. A task server may be needed only at the datacenter. However, a deployment site server requires that the task service and package services be installed on the same computer. Your topology and your use of solutions determines if you should combine site services onto a single computer or use dedicated computers.
Site servers may use either a Windows workstation operating system or a Windows server operating system. Distributed and large environments may require numerous site servers to meet configuration management demands. Notification Server makes sure that the site service is installed only on the computers that satisfy the minimum requirements.
Your primary consideration is the number of concurrent sessions that you need when you choose between a server operating system and a workstation operating system. A Windows workstation is limited to 10 concurrent TCP connections and a server OS does not have the same limitations. A site with fewer than 100 endpoints may only require 10 sessions; however, a Windows server may be required for larger remote sites.
If you install a site service on a Windows 7/2008 computer, you must install the IIS 6 compatibility mode services on it.
See “About the package service” on page 67.
See “About the task service” on page 64.
See “About the deployment site service” on page 68.

About site maintenance

Site maintenance is the management of sites, subnets, and site services in your organization. You can manage your computers according to site and subnet, which lets you control groups of computers while you minimize bandwidth consumption. A site is typically a physical location in your organization (such as a particular building, or a level of a building). A subnet is a range of logical addresses on your network.
Under normal operating conditions, each package server or task server services only the Symantec Management Agents that exist within the assigned sites. If no sites have been defined, all site servers are available to service all Symantec Management Agents (although this method is not recommended).
If no sites are defined for a package server or a task server, Notification Server uses the following rules:
■ Notification Server first tries to find any site servers on the same subnet as the requesting computer. If any are found, these site servers are returned to the Symantec Management Agent.
■ If no site servers are in the same subnet as the requesting computer, all site servers are returned to the Symantec Management Agent.
■ If no site servers are available, the agent is directed to the Notification Server computer.
You can assign site servers to sites by using the following methods:
■ Assign the subnet that contains the site server to a site.
See “Managing subnets” on page 307.
■ Assign the site server to a site.
See “Assigning a site server to a site manually” on page 286.
■ Use Connector for Active Directory to perform the task.
Connector for Active Directory overrides any subnets and sites that conflict with it. For example, if you manually assign subnets to a site that conflicts with what is in Connector for Active Directory, the Active Directory information is used.
After the list of available site servers is returned to the Symantec Management Agent, the agent chooses the most suitable site server.
Site servers and managed computers may have multiple NICs and IP addresses; therefore, they may belong to more than one site through subnet assignment.
See “About site services” on page 39.
See “Managing sites” on page 279.
See “Managing site servers” on page 283.
See “Managing subnets” on page 307.

About the task service

Task communications are distinct from policy communications. Managed computers start policy communications, and the server starts task communications.
You can do the following with the task service:
■ Execute multiple tasks in a defined sequence that is called a Job.
■ Provide logic to handle task errors or other return codes.
■ Deliver command-line and VBscript capabilities to managed computers.
■ Provide out-of-the-box power management.
■ Execute client-side and server-side tasks.
■ Reuse tasks in multiple Jobs. Tasks can be cloned and modified as required.
Symantec recommends at least one task server per Notification Server. Tasks place a high performance demand on the Notification Server computer’s processor and memory because it must regularly send tickle packets and receive execution status. This demand can negatively influence SQL data loading and user interface responsiveness.
You can offload the handling of tasks to a task server. A dedicated task server handles agent tickle communications, task sequencing, and automation capabilities. Distributing the handling of tasks to a task server reduces the load on Notification Server. It reduces the load by minimizing the interruption to Notification Server.
See “About planning your site servers” on page 62.
Task servers use a high number of operating system sessions. If a task server supports more than 100 managed computers, a Windows Server operating system is recommended. Use the Windows Server operating system because it supports many more concurrent operating system sessions. If a task server supports fewer than 100 managed computers, a workstation operating system might be adequate.
Task servers do not require high-performance hardware. A moderate speed processor is adequate. Disk IO is not a significant factor in task server performance. However, task communications can consume multiple concurrent connections to task server. A Windows workstation is limited to only 10 concurrent TCP connections and a Windows Server OS does not have the same limitations. Therefore, you may require a Windows Server operating system on your task server. Symantec recommends a Windows Server operating system for the task servers that support more than 100 managed computers.
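How Notification Server arrives at the list of task servers or package servers that it returns to an agent, following the site and subnet rules under "About site maintenance", shown here as an added Python example (not Symantec code). The server names, addresses, site names, and function names are constructed for illustration, and the fallback to Notification Server when sites are defined but none of the agent's sites has a site server is an assumption, because this guide does not cover that case.

```python
import ipaddress
from dataclasses import dataclass, field

NOTIFICATION_SERVER = "NS01"  # constructed name for the Notification Server computer


@dataclass
class SiteServer:
    name: str
    addresses: list                                  # one IP address per NIC
    manual_sites: set = field(default_factory=set)   # sites assigned by hand


def nets(*cidrs):
    """Build a list of subnet objects from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


def subnets_of(addresses, subnets):
    """Known subnets that contain at least one of the given IP addresses."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    return {net for net in subnets if any(ip in net for ip in ips)}


def sites_of(addresses, site_map, manual_sites=()):
    """Sites a computer belongs to, through subnet or manual assignment.

    A computer with several NICs can land in more than one site.
    """
    found = set(manual_sites)
    for site, site_subnets in site_map.items():
        if subnets_of(addresses, site_subnets):
            found.add(site)
    return found


def candidate_servers(agent_addresses, servers, subnets, site_map):
    """Names of the site servers returned to the requesting agent.

    The agent itself then chooses the most suitable server from this list.
    """
    if not servers:
        # No site servers available: the agent is directed to Notification Server.
        return [NOTIFICATION_SERVER]

    if site_map:
        # Normal operation: a site server services only agents in its assigned sites.
        agent_sites = sites_of(agent_addresses, site_map)
        in_site = [s.name for s in servers
                   if sites_of(s.addresses, site_map, s.manual_sites) & agent_sites]
        # ASSUMPTION: the guide does not say what is returned when no site server
        # shares a site with the agent; this example directs the agent to
        # Notification Server in that case.
        return in_site or [NOTIFICATION_SERVER]

    # No sites defined: prefer site servers on the agent's own subnet,
    # otherwise return every site server.
    agent_nets = subnets_of(agent_addresses, subnets)
    same_subnet = [s.name for s in servers
                   if subnets_of(s.addresses, subnets) & agent_nets]
    return same_subnet or [s.name for s in servers]


# Constructed sample environment.
SUBNETS = nets("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")
SERVERS = [
    SiteServer("TS-HQ", ["10.1.0.10"]),
    SiteServer("PS-BRANCH", ["10.2.0.10", "10.3.0.10"]),  # two NICs
]
SITE_MAP = {
    "HQ": nets("10.1.0.0/24"),
    "Branch": nets("10.2.0.0/24", "10.3.0.0/24"),
}

if __name__ == "__main__":
    for label, agent, site_map in [
        ("no sites, agent on branch subnet", ["10.2.0.55"], {}),
        ("no sites, agent on unknown subnet", ["10.9.0.5"], {}),
        ("sites defined, agent in Branch", ["10.3.0.77"], SITE_MAP),
        ("sites defined, dual-homed agent", ["10.1.0.5", "10.2.0.5"], SITE_MAP),
    ]:
        print(label, "->", candidate_servers(agent, SERVERS, SUBNETS, site_map))
```

Running the same agent address with and without `SITE_MAP` shows why leaving sites undefined is discouraged: an agent on a subnet that has no local site server is handed every site server in the environment.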
Task servers are good at offloading performance demands from Notification Server. They are not designed to address network bandwidth limitations. You can put a task server in the same subnet as Notification Server because it has little influence on minimizing network traffic.
Use the following guidelines to configure task services within your infrastructure:
■ Symantec recommends at least one task server per Notification Server. After the initial dedicated task server, add additional task servers for every 5,000 to 7,500 endpoints.
■ You can load-balance multiple task servers within large sites to make sure that agents have the latest task execution.
■ You can reduce the load on task servers if you increase the Task Update Interval and the Maximum Time Between Tickle Events settings. By default these are set to every 5 minutes. Consider changing these settings to a value greater than 10 minutes.
■ You must use site management to force computers to use the task server if Notification Server and the task server are in the same site.

How task server uses the tickle mechanism

The tickle server is a component of Task Management. The tickle server component runs only on the Notification Server computer and is responsible for notifying task servers of pending tasks for their client computers. Task servers also have the native ability to tickle their registered client computers. This tickle ability is separate from the tickle server component on the Notification Server computer.
The tickle server sends IP tickle packets to task servers when any of their registered client computers have a job or task to run. After the tickle packet is received, the task server immediately requests the task or the job information from Notification Server for its registered client computers. It also tickles its client computers. When the Client Task Agent receives the tickle packet, it requests the job or the task information from its registered task server.
Only after the Client Task Agent receives the task information is the task executed. Status events for completed tasks are sent back to the registered task server upon completion.
If the tickle packets are blocked or otherwise cannot reach the destination, the Client Task Agent automatically checks back to its registered task server for any new job information. It performs this check every 5 minutes. This Task Request Interval is configurable in the Symantec Management Console.
Task Server task and job information is not received through the Symantec Management Agent configuration policy. It is received directly by the Client Task Agent from its registered task server. If you force the Symantec Management Agent to update its configuration policy, it does not force the Client Task Agent to receive pending task information.
By default, the Tickle Server uses port 50123 for task servers and task servers use port 50124 to tickle Client Task Agents.
The following example assumes the Client Task Agent for ComputerA is registered with RemoteTaskServer1.

Table 3-8 Sequence for how the task server tickle works
Sequence | Description
One | A Notification Server administrator assigns a task to run immediately on ComputerA.
Two | The Tickle Server on the Notification Server computer sends a tickle packet to notify RemoteTaskServer1 of the pending task.
Three | RemoteTaskServer1 receives the tickle packet and immediately requests the job information from Notification Server.
Four | RemoteTaskServer1 tickles ComputerA to notify it of the pending task.
Five | ComputerA receives the tickle packet and immediately requests the job information from its registered task server – RemoteTaskServer1.
Six | ComputerA receives the job information and executes the task.
Seven | Upon completion of the task, ComputerA sends a status event back to RemoteTaskServer1.
Eight | RemoteTaskServer1 caches the status event and immediately attempts to forward it back to Notification Server.
Nine | Notification Server receives the status event from RemoteTaskServer1 and records the information in the database.

Figure 3-1 Sequence for how task server tickle works

About the package service

Package servers are deployment mechanisms to efficiently move data into a site. They work with Notification Server as local file servers for managed computers at a site. Package servers do not require server-class hardware and software. Package servers help you reduce network traffic by allowing a package to copy across the network only once per site.
You can place a package server locally at a site to store and deliver packages. This architecture can help you manage sites with low-bandwidth connections to Notification Server.
See “About planning your site servers” on page 62.
When you enable a package on Notification Server, it is copied to all of the package servers that Notification Server knows about. Once the copy is successful, managed computers download the packages from the local package server instead of the remote Notification Server.
The number of package servers that you require is dependent on your network topology and bandwidth. It also depends on the size of your packages and frequency of the packages to be delivered. You can stagger the deployment of packages to the package servers to reduce load. You can deploy a limited number of packages at a time to all package servers. You can also deploy to only a select group of package servers at a time.
A constrained package server can operate only within the sites to which it is assigned. An unconstrained package server can get packages and other resources from anywhere in the system.
The unconstrained package server collects any required resources from outside the site and makes them available to all of the constrained package servers. A site server can function as a package server only when there is at least one unconstrained package server that is assigned to it. There must be at least one unconstrained package server in a site with one or more constrained package servers.

About the deployment site service

A deployment site server's purpose is to provide PXE Boot services and boot packages for network segments. The most common purpose is for restoring a standard image for support or for rolling out new computers during initial provisioning. Typically, PXE protocol is controlled on a network. It may be limited to work within a subnet or other defined range based on IP helpers. If many systems must be reimaged simultaneously, you can place deployment site servers within each network subnet and add more in a large subnet. In addition to providing PXE services, a deployment site server is similar to a package server in that it hosts packages called boot images.
See “About planning your site servers” on page 62.
You must enable deployment, package, and task site services on the deployment site server.
Each subnet must have access to a deployment site server. However, routers normally block PXE broadcast packets. You can use the following three methods to provide each subnet with access:
■ Use “DHCP forced mode,” which is a DHCP setting that forwards client PXE requests to the closest deployment site server. This method works even when the client computer is on a different subnet than the deployment site server. DHCP determines the correct server by using subnet mask and ping tests.
■ Use “IP Helpers,” which is a setting you can configure at each router that lets you forward PXE requests across subnets.
■ Install a deployment site server on each subnet. This method is not recommended because it creates unnecessary overhead.
A deployment site server contains the following objects:
■ PXE service
■ Boot images
■ The deployment share with the imaging executables
■ The driver database
When new settings are applied to an existing boot image, an updated boot image is compiled locally at each deployment site server. These changes are delivered with a policy and are dependent on the Symantec Management Agent update schedule.
A deployment site server requires that you also install task services and package services locally.

Table 3-9 Sequence for deployment site server configuration
Sequence | Description
One | Deployment Solution is installed on the Notification Server computer. The administrator configures and manages deployment jobs and tasks from the Symantec Management Console.
Two | The administrator enables and configures the deployment site server on a site server computer.
Three | The DHCP server can route PXE requests from the client computers to the deployment site servers that are on multiple subnets.

Figure 3-2 Sequence for deployment site server configuration

Symantec Management Agent deployment planning

In some environments, computers are set up with a corporate software image or a standard base list of software. If you add the agent image to the computer image, you can save time and effort. The Symantec Management Agent can be preinstalled and placed in a directory with a “Run Once” operating system directive.
See “About tuning the Symantec Management Agent for performance” on page 124.
You can also use scripting mechanisms to install the agent.
You can push the Symantec Management Agent from the Symantec Management Console if you do not want to add the agent to an image build. Push requires less outside intervention than other methods of deploying the agent to computers already in service.
With this method Notification Server contacts the client computer, and then the client computer requests the agent from Notification Server. The push method requires you to disable the file-sharing setting.

You can still deploy the agent with file-sharing enabled. The client computer still has the ability to initiate this request itself. For example, with email, either a script can be emailed or a Web link can be sent to pull the agent.

How agent-based inventory communications work

Inventory Solution lets you see detailed reports about the hardware and software in your environment. You can target computers for policies and tasks based on this information. It includes predefined inventory policies. Some predefined inventory policies are enabled by default. However, you can modify them to meet your specific needs.

See “About Inventory Solution” on page 45.

These policies include the following settings:

■ What to inventory.
■ When to run.
■ Which computers to run on (targets); by default, this setting targets all computers with the Inventory Solution plug-in installed.
■ Optional advanced settings.

Notification Server delivers the initial inventory task-based policy to the managed computer. The Inventory Solution plug-in runs its first inventory immediately. After the Inventory Solution plug-in has its policy settings, it continues to run the inventory task. It runs the task according to the settings and the schedule that are defined in the policy. If a policy setting is ever changed, then the task server pushes the new settings to the plug-in immediately. The Inventory Solution plug-in then immediately runs an inventory collection.

Inventory Solution runs independent of the Symantec Management Agent's configuration request. It uses tasks and task servers to perform its operations. The time that the inventory runs applies to the time zone of the managed computers.
It does not use the time zone of the Notification Server computer. You can create your own custom schedules in the policy or you can use one of the following predefined schedules:

■ Daily. This time is at 6:00 P.M. every day.
■ Weekly. This time is at 6:00 P.M. every Monday.
■ Monthly. This time is at 6:00 P.M. on the first Monday of each month.

When the Inventory Solution plug-in runs, it gathers hardware inventory, file scans, Microsoft add or remove programs and UNIX, Linux, and Mac software listings. The Inventory Solution plug-in immediately sends the data to Notification Server. The data is compiled as Notification Server Events (NSEs). Notification Server stores the NSEs in the Configuration Management Database. The data is then available for reporting from the Symantec Management Console.

Table 3-10 Sequence for Inventory communications

Sequence | Description
One | Predefined inventory policies are available for managed computers on Notification Server.
Two | After the initial Inventory plug-in deployment, inventory tasks are pushed to the managed computer from task services.
Three | By default the Inventory plug-in runs ASAP. The Inventory plug-in then gathers the inventory according to its defined schedule.
Four | After inventory is gathered, by default it is immediately sent to the Notification Server computer.
Five | The Notification Server computer stores the inventory in the CMDB.

Figure 3-3 Sequence for Inventory communications

How agent check-in intervals and basic inventory settings interact

A number of client-side and server-side settings interact to influence when, for example, an application is deployed to a number of endpoints. This might explain why, after you added a set of computers to a policy, nothing seems to be happening.
Table 3-11 Sequence for agent-server communications

Sequence | Location | Description
One | Client | The basic inventory provides basic client information. For example, it provides agent version, sub-agent information, unique ID, etc.
Two | Server | The resource membership update adds the computer to one or more targets. This is based on the basic inventory and other inventory variables that may apply, such as conditional parameters, policies, and such.
Three | Server | The policy refresh schedule uses the membership tables to update policy tables. When a user saves a policy, it is immediately updated.
Four | Client | The agent configuration request runs and finds which policies apply.

How Patch Management Solution data communications work

Patch Management Solution takes inventory of managed computers to determine the operating system and software updates (patches) they require. The solution then downloads the required patches and provides wizards to help you deploy patches. The solution enables you to set up a patch update schedule to ensure that managed computers are kept up-to-date with the latest vendor security updates. Managed computers are then protected on an on-going basis.

See “About Patch Management Solution for Windows” on page 48.

You can schedule Patch Management Solution to automatically download critical security bulletins into the CMDB. Symantec recommends setting this schedule to daily for Windows computers and weekly for Linux computers. This schedule does not download the patch installation files, only the information about them in the security bulletins. This download is called the software updates catalog. The first software updates catalog import on a new platform can take several hours. However, subsequent imports typically take less than an hour because each import only performs delta downloads of often only a few MBs.
If you choose to enable multiple languages, then the number of security bulletins to download, the size of downloads, and the time to download increases. You can customize software updates catalog updates by creating exclusions for the software that you do not want to patch. You can create custom schedules for the download.

By default, every four hours the Software Update Plug-in contacts Notification Server to check for patches. If new security bulletins are added to the CMDB by the software updates catalog, the Software Update Plug-in checks to see if they are applicable. It also checks if the updates have already been installed. It sends the results of the check to the Notification Server computer. The data is available for compliance reporting.

After the software updates catalog import has completed, you can select which security bulletins you want to stage on Notification Server. This staging process triggers a download of the patch installation files to a folder on the Notification Server computer. After the download of the patches has finished, you can create and enable your patch distribution policy. If you use multiple package servers, your site management settings for package distribution determine how the patch installation files get distributed to the package servers.

The policy is not applied until the Symantec Management Agent has checked in. By default, every hour the Symantec Management Agent contacts the Notification Server computer and requests its configuration updates. However, your schedule may be different. The Notification Server computer sends the patch distribution policy to the Symantec Management Agent. The Notification Server computer advertises the location of the package server to the Symantec Management Agent. The Symantec Management Agent connects to the package server and downloads the patches. After the patches are downloaded, the installation waits for the next scheduled maintenance window to run.
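The delay between enabling a patch distribution policy and the start of installation follows from the agent check-in cadence and the maintenance window. The Python model below is an added example, not Symantec code: only the hourly agent configuration request comes from this guide, while the download time, the 22:00 four-hour maintenance window, the sample dates and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class PatchSchedule:
    # Default stated in the guide: the agent requests its configuration hourly.
    agent_config_interval: timedelta = timedelta(hours=1)
    # Assumed values; the guide does not give figures for these.
    download_time: timedelta = timedelta(minutes=20)
    window_start: time = time(22, 0)
    window_length: timedelta = timedelta(hours=4)
    # Models the option to ignore maintenance windows (zero-day patches).
    ignore_maintenance_window: bool = False


def next_checkin(last_checkin, interval, not_before):
    """First check-in on the agent's cadence at or after not_before."""
    if not_before <= last_checkin:
        return last_checkin
    elapsed = not_before - last_checkin
    ticks = -(-elapsed // interval)  # ceiling division on timedeltas
    return last_checkin + ticks * interval


def install_time(ready, sched):
    """When installation starts once the patch files are on the endpoint."""
    if sched.ignore_maintenance_window:
        return ready
    # Try yesterday's window (it may span midnight), then today's, then tomorrow's.
    for day_offset in (-1, 0, 1):
        day = ready.date() + timedelta(days=day_offset)
        opens = datetime.combine(day, sched.window_start)
        if ready < opens + sched.window_length:
            return max(ready, opens)
    raise ValueError("window_length must be positive")


def patch_timeline(policy_enabled, last_checkin, sched):
    """Stage times for one endpoint, in the endpoint's local (naive) time."""
    received = next_checkin(last_checkin, sched.agent_config_interval, policy_enabled)
    downloaded = received + sched.download_time
    install_starts = install_time(downloaded, sched)
    return {
        "policy_received": received,
        "downloaded": downloaded,
        "install_starts": install_starts,
        "delay": install_starts - policy_enabled,
    }


def worst_case_delay(sched, last_checkin, step=timedelta(minutes=5)):
    """Sweep policy-enable times over 24 hours; return (time, longest delay)."""
    worst, worst_at = timedelta(0), last_checkin
    t = last_checkin
    while t < last_checkin + timedelta(days=1):
        delay = patch_timeline(t, last_checkin, sched)["delay"]
        if delay > worst:
            worst, worst_at = delay, t
        t += step
    return worst_at, worst


if __name__ == "__main__":
    last = datetime(2012, 3, 5, 9, 10)  # constructed sample check-in time
    for name, sched in (("default", PatchSchedule()),
                        ("zero-day", PatchSchedule(ignore_maintenance_window=True))):
        at, delay = worst_case_delay(sched, last)
        print(f"{name}: worst delay {delay} when the policy is enabled at {at}")
```

With these assumed values, a policy enabled just after the last check-in that still fits the window waits for the next evening's window, which is why the maintenance-window override matters for urgent patches.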
The installation waits unless you set it to ignore the maintenance windows for zero-day exploits. It then does the following:

■ Verifies that patches have been downloaded.
■ Installs the patches and restarts the computer. You can configure restart settings so that servers do not restart immediately after patching updates. A no restart window may be given to client computers so that users can defer the restarts.
■ Runs a vulnerability analysis. If a restart has not occurred, the computer may still appear in reports as vulnerable.

After the patching process completes, the Software Update Plug-in sends the updated vulnerability analysis to Notification Server and stores it in the CMDB. You can use the compliance reports to view vulnerability information from the Symantec Management Console.

The patching process has multiple dependencies, so order of operations is important. The Software Update Plug-in is used to determine vulnerability. The Symantec Management Agent performs the software update. They each may have a different update schedule. The larger schedule defines the window for patches to be delivered to managed computers. The maintenance window defines when the patches are installed. Compliance reports do not show success until after these steps are completed.

Table 3-12 Sequence for patch communications

Sequence | Description
One (a) | Import runs automatically on Notification Server and pulls security bulletins into the CMDB.
Two (a) | You select the patches from the security bulletin and they are staged to a local folder on the Notification Server computer.
Three (a) | You create a patch delivery policy and include the patches that were downloaded.
Four (a) | After the agents have completed, you run a compliance report to check the patch status.
One (b) | Patch plug-in checks in every four hours by default. It uses the latest patch management import data and runs a vulnerability scan. The scan is dependent on patch management import being complete.
Two (b) | The Symantec Management Agent checks in and receives the latest Patch policies and the location of the patches.
Three (b) | The Symantec Management Agent downloads the patch packages from the Notification Server computer or its assigned package server.
Four (b) | During the next maintenance window, the Symantec Management Agent installs the patches. After installation, the computer restart settings are run.
Five (b) | After the package is installed, a vulnerability analysis is run again and the information is sent to the Notification Server computer.

Figure 3-4 Sequence for patch communications

Components of Deployment Solution

When you install Deployment Solution on Symantec Management Platform, the Deployment Solution components get integrated with Symantec Management Platform. The Deployment Solution leverages the platform capabilities to execute and schedule tasks, jobs, and policies, and set up site servers, use filters, and generate reports. The components of Deployment Solution help you manage the client computers in your environment.

Table 3-13 Deployment Solution components

Component: Deployment Plug-in
Description: The Deployment Plug-in is installed on client computers to manage deployment tasks. This plug-in enables you to create and deploy disk images, perform remote OS installation, change your system settings, and migrate the personality settings.
The Deployment Plug-in replaces the former Deployment Solution 6.X agents, such as AClient, DAgent, or ADLAgent. If you need them, AClient and DAgent can coexist with the Deployment Plug-in.
You can enable the Symantec firewall on the client computer and enable the Windows firewall on Notification Server.
However, to install the Deployment Plug-in by pushing it to computers, you need to disable one of these firewalls.
See “Installing Deployment Plug-in” on page 190.

Component: Deployment site server component
Description: Deployment site server components let you offload some of the traffic and workload from your primary Symantec Management Platform. You can set up multiple task servers and Deployment site server components to handle your jobs and tasks. Symantec Management Agent then uses the assigned Deployment site server components for all deployment processes. These processes include imaging, scripted OS installation, Copy file, and the tasks that are associated with packages.
See “Installing Deployment site server components” on page 192.
Deployment site server components can be installed on the site servers that are configured with both Package Services and Task Services. For more information, search for task server topics in the Symantec Management Platform Help.
The components also include all of the tools that Deployment Solution needs. These tools include RapiDeploy, Ghost, and Boot Disk Creator.
A Deployment share is created when the Deployment site server component is installed on a site server. The Deployment share is the location where all the tools, such as Ghost and RapiDeploy, other utilities, and images that are created are stored. The site server components also include the PXE service.

Component: Automation folder
Description: Automation folder stores the preboot environment. With the help of the preboot environment (WinPE and Linux PE) the client computers are rebooted to the automation environment.
The PXE server and automation folder can be used to reboot the client computer to the automation environment to perform deployment tasks.
See “Installing an automation folder” on page 191.
The preboot environment (WinPE) contains the Boot.wim file. This file is used to execute Deployment tasks. To reboot the client computer to an automation environment, the DNS should be configured on the network. Also, all computers in the network should be able to perform a Name Server Lookup.
WinPE 2.1 and Linux are the only automation operating systems that Deployment Solution supports. Both preboot operating systems are installed with Deployment Solution.

Component: PXE server
Description: The PXE server can be configured on Symantec Management Platform and the site server. This configuration helps to reboot the client computers to WinPE and Linux PE environments using the network interface.

Component: Imaging tools
Description: Ghost and RapiDeploy are two disk imaging tools that run on the Windows (x86, x64) and Linux (x86) operating systems. These tools can also be used for creating backup disk images and images of disk partitions.
These tools support the NTFS, FAT (16, 32), EXT2/3, and RAW file systems, and the HTTP and multicast imaging options.
For Windows only, these tools support hardware-independent disk imaging, in which an image can be deployed to diverse client computers by using drivers from a centrally managed driver database. Backup images, however, are not hardware-independent and are intended to be deployed on the same client.

Component: Boot Disk Creator
Description: Boot Disk Creator creates a boot disk using Windows and Linux preboot environment. Boot Disk Creator is run on the client computer to boot it in WinPE or LinuxPE. It can also create a bootable CD or USB.

Component: Resource Import Tool
Description: The Resource Import tool is used for importing existing Windows and Linux images.
It is also used for adding Windows-scripted OS installation files.

Component: Driver Manager
Description: Driver Manager provides the interface to perform driver operations such as adding and deleting data from the DeployAnywhere driver database and the Boot Disk Creator driver database.

Component: DeployAnywhere
Description: DeployAnywhere enables you to deploy the Windows operating system image to dissimilar hardware. It also enables you to perform a Windows-scripted installation on bare metal hardware.

How capturing master disk images works

You capture a master disk image of a managed computer with Deployment Solution in the Symantec Management Console. You do this task by creating a disk imaging task. When you create the disk imaging task, you should use a meaningful name to identify the disk image. When you later select the disk image to deploy, you must rely entirely on the image name to locate it.

See “About Deployment Solution” on page 44.

The master image of the computer can already contain the Symantec Management Agent. Adding the agent to the image eliminates the need to roll out new agents every time a computer is deployed or reimaged. When you restore the image, the Symantec Management Agent in the image attempts to connect to the same Notification Server computer as the source computer. To force the agent to connect to a new Notification Server computer, you must include a run-script task in the deployment job. The run-script task runs in the preboot environment and reconfigures the agent with the location of the correct Notification Server computer. If you have multiple Notification Server computers in your environment, it may be easier to create a separate deployment job for each Notification Server computer.

The disk image is captured and stored on its assigned package server. The disk imaging task creates a disk image package, and then creates a resource object for the package in the CMDB.
You leverage the relationship between the image file and its resource in the database. The relationship lets you create, manage, and deploy all of your disk images from the console.

Use a dedicated package server to store and host your master disk images. A dedicated server addresses growth issues because each image is uniquely identified, and images do not overwrite each other. Every time you capture an image, a new package is created that is not related to any earlier versions. You should not manually delete any master disk images from the package server because it creates orphaned resources in the CMDB.

Table 3-14 Sequence for capturing a master disk image

Sequence | Description
One | The administrator uses the Symantec Management Console to create a master disk image of a managed computer.
Two | The administrator stores the disk image package on a dedicated deployment site server.
Three | Notification Server creates a resource object for the disk image package in the CMDB.

Figure 3-5 Sequence for capturing a master disk image

How deploying disk images works

A deployment site server is a package server; it must include the package services. Site management, package settings, and package servers all determine how your disk images are distributed to the package servers. By default, package servers check for updates every 15 minutes.

See “About Deployment Solution” on page 44.

You must use site management to select one of the following global package distribution settings:

■ Wait for a managed computer to request a specific package (default)
  This method is called manual pre-staging. When a managed computer gets a policy or task that requires a package, it then requests its package information. Site management distributes the package to the applicable package server(s) only. Tasks can track the availability of the package and know when the package is available on the package server execution.
■ Copy to all package servers
  This method copies your packages to all of the package servers in your production environment.
■ Copy to specific package servers
  This method copies your packages only to the servers that you define.

You can create a custom distribution setting for specific packages.

Methods of delivering preboot environments to computers

You must deliver and load a preboot environment to run Deployment Solution imaging tasks. The way that you choose to deliver the preboot environment depends on your deployment site server settings. It also depends on the current state of the computer that you want to image.

See “About Deployment Solution” on page 44.

You can deliver preboot environments to computers in the following ways:

■ Deploy to a managed computer.
  The computer must have the Symantec Management Agent installed. Because the computer is managed, you can target it directly from the console and start your deploy image job. You can configure this option to either deliver the preboot environment over the network in real time, or to use an automation folder. That automation folder must be preinstalled on the managed computer. Using a preinstalled automation folder simplifies and accelerates the reimaging process. Once the preboot environment is loaded, the job is completed.
■ Deploy to a predefined computer.
  One job per computer is required. You must enter the MAC, serial number, and UUID of the hardware into the Symantec Management Console in advance. When the computer connects to the network, PXE loads the preboot environment and the job is started.
■ Deploy to an unknown computer when any unknown computer connects to the network.
  PXE loads the preboot environment, and the job is started. This feature is intended to be used in isolated provisioning environments. Do not enable this option in your production network as it can result in unintentionally re-imaging computers.
■ Boot from a local media device such as a boot disk, CD/DVD, or USB drive.
  With local access to the computer, you can use boot media to load the preboot environment. Once the computer is connected to the network and the preboot environment is loaded, the job is started.

How Deployment Solution imaging jobs work

The two main use cases for Deployment Solution imaging are to deploy standard images to new computers, and to restore backup images on production computers.

See “About Deployment Solution” on page 44.

For information see the topic “Deploying new computers” in the Altiris Deployment Solution from Symantec User Guide.

For information see the topic “Restoring a backup image” in the Altiris Deployment Solution from Symantec User Guide.

Your Deployment Solution imaging jobs may contain several custom elements, but each imaging job must accomplish the following tasks:

■ Load a preboot environment.
■ Boot to an automation environment.
■ Deploy an image.
■ Restart to a production environment.

Table 3-15 Sequence for re-imaging a managed computer

Sequence | Description
One | You configure a disk image package to only be distributed to package servers when it is needed.
Two | A deployment job is created and delivered as a task to a managed computer.
Three | The managed computer requests the package from Notification Server which makes the package available for the managed computer’s package server.
Four | The package server checks for packages every 15 minutes and copies the disk image package only to the applicable package server.
Five | The deployment site server delivers the WinPE automation environment. The automation environment contains the PECT agent.
Figure 3-6 Sequence for re-imaging a managed computer

Table 3-16 Sequence for deploying a new computer

Sequence | Description
One | You configure a disk image package to be distributed to all package servers.
Two | A predefined computer job is created and enabled for imaging a bare-metal computer.
Three | The predefined computer connects to the network and sends a PXE request.
Four | The deployment site server delivers the WinPE automation environment. The automation environment contains the PECT agent.
Five | The PECT agent requests the package from Notification Server which is already available on all package servers.

Figure 3-7 Sequence for deploying a new computer

Table 3-17 Sequence for image restoration completion

Sequence | Description
One | The preboot environment is loaded onto the targeted computer. The PECT agent is run. The PECT is a Symantec Management Agent that runs in a preboot environment.
Two | The PECT agent requests information about which task server it should communicate with from Notification Server.
Three | The PECT agent requests jobs from the task server.
Four | The task server distributes the deployment job to the PECT agent. The deployment job contains the path to the imaging .EXE and to the disk image package. They must both be stored on the same server because it uses the same name for the task server and the package server.
Five | The image is pulled from the package server and is restored on the computer and the computer restarts to the production OS.
Six | The Symantec Management Agent collects and sends basic inventory and is able to load any additional policies and tasks that apply to it. Any custom tasks that are included in the job are run at this time.
Figure 3-8 Sequence for image restoration completion

How asset management data communications work

Asset Management Suite provides a management console, a database environment, and a suite of solutions that let you track assets and asset-related information.

See “About Asset Management Suite” on page 42.

The suite includes Asset Management Solution, Barcode Solution, and CMDB Solution. It specializes in tracking IT-related assets, such as computers and software. You can also use it to track other types of assets, such as office equipment or vehicles.

Table 3-18 Sequence for asset management communications

Sequence | Description
One | Asset Management Solution relies on Inventory Solution to gather and deliver data about managed computers.
Two | Administrator adds non-managed assets using the Symantec Management Console.
Three | Data that is stored in the CMDB is available for reporting and administrator can use reports to create management policies.

Figure 3-9 Sequence for asset management communications

Chapter 4
Reference of topics about multi-Notification Server environments

This chapter includes the following topics:

■ About MultiCMDB reporting with IT Analytics
■ About global policy distribution
■ Replication types in the Symantec Management Platform

About MultiCMDB reporting with IT Analytics

IT Analytics includes a new feature called MultiCMDB. MultiCMDB lets you run global IT Analytics reporting across multiple CMDBs. You do not need to replicate large amounts of data. You can populate existing cubes from many Notification Server computers. It does not matter if Notification Servers are configured in a hierarchy or are standalone. MultiCMDB supports connections to both external 7.0 CMDBs and 7.1 CMDBs.
You can enable the cubes that you have data for and not enable others. This ability lets you use CMDBs with different solutions installed. They do not have to be consistent.

You currently cannot create filters (for policy targets, for example) from the ITA reports. MultiCMDB provides reporting but it does not provide top-down management.

You should also note that the MultiCMDB feature does not support reporting on the ServiceDesk data. The MultiCMDB feature only covers data that is in a Symantec CMDB. ServiceDesk uses a separate database.

See “Adding and configuring external Symantec CMDB connections” on page 91.

IT Analytics MultiCMDB can provide the following:

■ Efficient global ITA reporting across multiple CMDBs in environments without hierarchy.
  MultiCMDB does not replace hierarchy. It allows for global IT Analytics reporting without the need to replicate large amounts of data. Hierarchy is still needed for management for the top use cases. MultiCMDB capability is not hierarchy-aware. You must manually point IT Analytics to all the CMDBs that you want ITA reporting on. This operation can be done in the IT Analytics configuration page.
■ Efficient global ITA reporting across multiple CMDBs in environments with hierarchy.
  You must pay specific attention to whether to include the top-level node in the hierarchy into the global reporting. You should exclude the top-level node from the MultiCMDB if your top-level server is used to receive data from a child level. Excluding the top node helps address an asset duplication issue. Currently this feature is not a good fit for the hierarchical environments that use Asset Management Solution.
■ Efficient global ITA reporting during the 7.0 to 7.1 migration (where at least one server is already on 7.1 and the rest are on 7.0), with or without hierarchy.
  You can use the MultiCMDB feature during IT Management Suite 7.0 to 7.1 migration. The MultiCMDB feature lets you report on a mix of 7.0 data and 7.1 data. This reporting can be helpful if the environment leverages hierarchy because hierarchy must be recreated during a 7.0 to 7.1 migration.

What's new in IT Analytics 7.1 SP2

In the 7.1 SP2 release of IT Analytics, the following new features are introduced.

Table 4-1 New features

Feature: Display resource list
Description: This feature lets users right-click a cell that contains a valid measure cell and open the Resource List window. This window displays all of the resources that can be derived from this cell. In this window, users can select one or more resources and launch any Item Action that is valid to those resources.

Feature: Cube exclusion
Description: This feature lets users select cubes to exclude from external CMDBs cube processing to avoid duplication of data or for other purposes. For example, the user may have multiple client-facing Symantec Management Platform servers. In addition, the user may have a top tier Symantec Management Platform that serves as an Asset Management Server. The user can prevent data duplication by excluding the Asset Management Server from processing the Inventory cube, Patch Management cube, etc.

Feature: Localization support
Description: IT Analytics supports the following languages, which Symantec Management Platform console also supports:
■ English
■ French
■ German
■ Italian
■ Japanese
■ Korean
■ Portuguese (Brazil)
■ Russian
■ Simplified Chinese
■ Spanish
■ Traditional Chinese

Feature: Improved prerequisite checking
Description: This enhancement adds Installation Readiness checks to the installation process. The checks ensure that all of the components that are necessary to properly configure IT Analytics are installed on the Symantec Management Platform server.
Feature: Improved the automatic configuration and installation process
Description: This enhancement automatically configures the Analysis and Reporting Services settings when SQL Analysis and Reporting Services are detected on the server during installation. In addition, any cubes and reports that can be installed are automatically installed.

Adding and configuring external Symantec CMDB connections

IT Analytics Solution lets you add Symantec CMDB connections so their relevant data can be leveraged for reporting purposes.

You need to complete these steps only if the IT Analytics Client and Server Management Pack is installed. The IT Analytics Client and Server Management Pack lets you view data from one or more Symantec CMDBs. By default, the local Symantec CMDB on which IT Analytics is installed is used. If the local Symantec CMDB is the desired configuration, then you do not need to carry out this procedure. If the local Symantec CMDB is part of a hierarchy for inventory replication, you must configure the local CMDB as an external connection.

External Symantec CMDB connections provide global IT Analytics reporting across multiple CMDBs without the need to replicate large amounts of data. It allows multiple Notification Servers to populate all existing cubes. Notification Server computers can be configured in a hierarchy or standalone.

See “Editing external Symantec CMDB connections” on page 92.
See “Deleting external Symantec CMDB connections” on page 94.
See “Including or excluding the local Symantec CMDB” on page 94.
See “Updating the Solution Dependencies” on page 95.

To add and configure external Symantec CMDB connections

1. In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2. In the left pane, expand the Connections folder.
3. Click Symantec CMDB.
4. Click Add External Connection.
If you have already added a connection and want to add another under External Symantec CMDB Connections, click Add.
5 In the Add/Edit CMDB Connection dialog box, enter the information for each of the connection fields.
6 Click Create.
7 After the connection is configured, click Close.

Editing external Symantec CMDB connections

IT Analytics Solution lets you edit Symantec CMDB connections so that data can be leveraged for reporting purposes.

See “Adding and configuring external Symantec CMDB connections” on page 91.
See “Deleting external Symantec CMDB connections” on page 94.
See “Editing the Report Integration URLs for an external Symantec CMDB” on page 93.

To edit Symantec CMDB connections

1 In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2 In the left pane, expand the Connections folder.
3 Click Symantec CMDB.
4 In the right pane, under the External Symantec CMDB Connections section, select the server that you want to edit from the drop-down list. The information appears for the server that you selected.
5 Click Change Credentials.
6 In the Add/Edit CMDB Connection dialog box, change the credentials to connect to this Symantec CMDB for any of the following fields:
■ Symantec CMDB Database Username
■ Symantec CMDB Database Password
■ Symantec CMDB Database Password Confirmation
7 Click Save.
8 After the connection is edited, click Close.

Editing the Report Integration URLs for an external Symantec CMDB

The Report Integration URLs are used to specify the appropriate URL to the Resource Manager and Resource Edit screens. A number of reports provide the capability to open a resource in the Resource Manager or Resource Edit pages. If the URLs for an external Symantec CMDB connection need to be changed, it can be done here.

See “Editing external Symantec CMDB connections” on page 92.
To edit the Report Integration URLs for an external Symantec CMDB

1 In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2 In the left pane, expand the Connections folder.
3 Click Symantec CMDB.
4 In the right pane, under the External Symantec CMDB Connections section, select the external Symantec CMDB connection that you want to change the URLs for.
5 Click Change Report Integration URLs.
6 In the Edit Report Integration URLs dialog box, make the edits to URLs, and click Save.

Deleting external Symantec CMDB connections

IT Analytics Solution lets you delete Symantec CMDB connections to remove data from reports.

See “Adding and configuring external Symantec CMDB connections” on page 91.
See “Editing external Symantec CMDB connections” on page 92.

To delete Symantec CMDB connections

1 In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2 In the left pane, expand the Connections folder.
3 Click Symantec CMDB.
4 In the right pane, under External Symantec CMDB Connections, select the server that you want to delete from the drop-down list.
5 Click Delete.
6 After the Updating Dependencies dialog box is complete, click Close.

Including or excluding the local Symantec CMDB

If you add an external Symantec CMDB connection, you can select whether you want to include the data in the local Symantec CMDB. Depending on your environment, you may want to include this local CMDB.

See “Adding and configuring external Symantec CMDB connections” on page 91.
See “Editing the Report Integration URLs for an external Symantec CMDB” on page 93.

You can include the local CMDB if you have configured external Symantec CMDBs that are not part of the same hierarchy.
However, if the local CMDB is part of a hierarchy for inventory replication, you may encounter some duplicate information if you include this local CMDB. To avoid duplication of data and still process the local CMDB, you must configure the local CMDB as an external connection.

To include or exclude the local CMDB

1 In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2 In the left pane, expand the Connections folder.
3 Click Symantec CMDB.
4 In the right pane, under Local Symantec CMDB Connection, select to include or exclude the local Symantec CMDB.
5 Click Save Changes.
6 After the Updating Dependencies dialog box is complete, click Close.

Updating the Solution Dependencies

Each time an external connection to a Symantec CMDB is added or removed, IT Analytics reviews all configured connections. IT Analytics evaluates what solutions are installed that should be queried when cubes are processed. If the set of solutions using a configured connection is changed, updating the dependencies ensures that all relevant solutions are queried from each external CMDB. You ensure that this change is incorporated by updating the solution dependencies.

See “Adding and configuring external Symantec CMDB connections” on page 91.

To update the solution dependencies

1 In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2 In the left pane, expand the Connections folder.
3 Click Symantec CMDB.
4 In the right pane, under the Dependencies section, click Update Dependencies.
5 After the Updating Dependencies dialog box is complete, click Close.

About global policy distribution

Global policy distribution uses a hierarchy to let you create and control global policies from a parent Notification Server computer.
Hierarchy gives you some global management capabilities but still preserves regional Notification Server autonomy. Policies, jobs, and tasks are managed at each child Notification Server computer, while global policies are managed centrally from the parent Notification Server computer.

See “What you can do with global policy distribution” on page 96.

The majority of your day-to-day management work should be performed from each Notification Server computer using the Web-based console. However, you can control some policies that apply to all endpoints from the single global Notification Server computer. These global policies can be forced to run on every child Notification Server computer in the hierarchy.

At the global Notification Server computer, you can create global reports. However, to make these reports contain the data you need, you may need to specify the data for replication that is required to populate them.

A global administrator can distribute policies to regional Notification Server computers where the local administrator may make changes and apply the policy. These distributed policies can be made either editable or non-editable. A non-editable policy is used to force consistent policy behavior across all Notification Server computers. Regional administrators cannot override these rights without you specifying the properties of the policy that they may edit. An editable policy lets regional administrators modify a common policy to apply to specific targets and schedules.

A non-editable policy can be cloned. All properties of the cloned policies can then be edited. Whether a policy may be cloned is controlled through role-based security rights.

See “About hierarchy editable properties” on page 102.

What you can do with global policy distribution

Global policy distribution provides limited centralized management opportunities.
See “About global policy distribution” on page 95.

Global policy distribution lets you do the following:
■ Create and distribute central policies.
■ Replicate packages.
■ Forward inventory for limited centralized reporting.
■ Manage security roles centrally.

About hierarchy

Hierarchy is a topology that lets you perform global policy distribution. Global policy distribution is a method to centrally manage policies when multiple Notification Server computers are required.

See “About global policy distribution” on page 95.

A hierarchy uses parent-to-child relationships to define how information flows across multiple Notification Server computers. These relationships are called your hierarchy topology.

See “How global policy distribution works with hierarchy” on page 97.

How global policy distribution works with hierarchy

The purpose of hierarchy is to combine multiple Notification Server computers into a single Symantec Management Platform. It lets you manage some policies from a single Symantec Management Console. However, hierarchy does not increase the number of endpoints that each Notification Server computer can independently support.

For example, you can replicate a software delivery policy. Replicating a policy also replicates the associated data. This data includes a software package so that the software can be delivered to the applicable client computers of the child Notification Server computers.

See “About global policy distribution” on page 95.

In a hierarchy you can manage from both the parent Notification Server computer and the child Notification Server computers. Management from the parent server applies to all child servers. Management at a child server only applies to its endpoints. This functionality lets you combine both global management practices and regional management practices into a single platform.
For example, a global policy can be distributed from the parent Notification Server computer to all managed endpoints. Regional administrators can also create policies for their specific region.

See “About hierarchy” on page 96.

Hierarchy requirements

To share or receive common configuration settings and data with multiple Notification Server computers, you must first add the Notification Server computer to a hierarchy. Because Notification Server computers can be managed locally, each Notification Server computer must be added or removed from a hierarchy individually with the appropriate access credentials. Typically, the Symantec Administrator managing the topology design accesses the Notification Server computers in other sites remotely to add them to a hierarchy.

The requirements for configuring hierarchy are as follows:
■ Network traffic must be routable between adjoining Notification Server computers within the hierarchy.
■ HTTP/HTTPS traffic must be permitted between adjoining Notification Server computers within the hierarchy.
■ Trust relationships must exist between adjoining Notification Server computers within the hierarchy, or credentials for the privileged accounts that facilitate trust must be known.
■ Each Notification Server computer must be able to resolve the name and the network address of any adjoining Notification Server computers within the hierarchy.
■ There must be sufficient bandwidth between Notification Server sites to support package and data replication. Bandwidth and the hardware that is required depend on the size of your hierarchy topology and the data replicated.
■ A site must exist for each Notification Server computer, and must include the subnet that contains Notification Server. The site must also contain a package server (a site server that is running the package service) that serves the Notification Server computer.
See “About site services” on page 39.

About hierarchy topology

The hierarchy topology is a set of one-to-one parent-to-child relationships between two or more Notification Server computers. Each Notification Server computer in the hierarchy can have multiple child servers, but each child server may only connect to a single parent server. Each Notification Server computer is only aware of its immediate parent and its immediate children. The servers are unaware of peer members in the hierarchy.

See “About global policy distribution” on page 95.

You can manage from both the parent and the child Notification Server computers. If management is done from a parent server, it can apply to all of the child servers and their managed computers. If management is done from a child server, the task only applies to the child server’s managed computers.

When you set up the relationships of your hierarchy topology, you must add them two at a time. You must have administrative rights on both Notification Server computers. The relationships can be established from either the child server or the parent server.

Symantec Management Platform has security privileges for manipulating hierarchy topology settings such as establishing relationships, editing schedules, and configuring replication rules. Your administrators can force hierarchy to replicate individual items without being assigned this security role.

About creating and managing hierarchical relationships

You can add your Notification Server (the one that you are logged on to, which may be a remote logon) to a hierarchy as a child of an existing remote Notification Server computer, or as its parent. To create a hierarchical relationship, you require a Symantec Administrator account (or an account with equivalent privileges) on both computers.
To add or remove Notification Server computers from a hierarchy, you need the Manage Hierarchy Topology privilege on the Notification Server computer where the action is carried out.

See “Hierarchy requirements” on page 97.

You can view and configure the Notification Server computer hierarchy using the Symantec Management Console. If you are the Hierarchy administrator, you can see only the parent and children (down to all levels) of your Notification Server.

Note that all actions that you take are based on your Notification Server. Right-clicking a Notification Server computer does not perform a remote logon to any remote Notification Server computers. It opens a context menu containing the actions that you can perform on that server, which is different for local and remote computers. A full set of actions is available for the local server, but only a limited set is available for remote servers. Actions such as extracting reports are performed on the appropriate database.

The actions that you can perform on the hierarchy are relative to your Notification Server computer, which is the computer that you are logged on to. If you have the Manage Hierarchy privilege on a remote Notification Server computer, you can perform a remote logon to that computer. You can then open the Symantec Management Console, and perform hierarchy configuration relative to that computer.

You can enable or disable hierarchy replication on specific Notification Server computers at any time. For example, you can use this facility to temporarily disable hierarchy replication during maintenance tasks such as solution installation, upgrades, or uninstallation. Disabling replication on one Notification Server computer does not affect the replication schedule on the other Notification Server computers in the hierarchy. However, no data is passed through the disabled computer, so replication down stops at the parent, and replication up stops at the children.
A colored symbol on the Hierarchy Management page indicates any hierarchy alerts. The colors that you might see and the corresponding alert status are as follows:

Yellow: Low alert status
Orange: Medium alert status
Red: Critical alert status. For example, if you attempt to replicate the same data both up and down the hierarchy from the same Notification Server computer, a critical alert is raised. Data should be replicated one way only. If the parent and the child Notification Server computers have the same hierarchy replication rules implemented, you could set up a data clash.

Setting up a hierarchical relationship between two Notification Server computers

You can set up a hierarchical relationship (either Parent of or Child of) between your Notification Server computer and a remote Notification Server computer. You need to specify the name, URL (which should include any non-default port configurations or HTTPS), and access details of the remote Notification Server computer. You also need to provide the access details of your local Notification Server computer.

By default, the hierarchy replication schedule staggers the replication between each pair of Notification Server computers. You can change the replication schedule to suit your requirements, but you should ensure that replication staggering is maintained.

See “Hierarchy requirements” on page 97.
See “About creating and managing hierarchical relationships” on page 99.

Both Notification Server computers must have a package server available within their respective sites. The package server is required for performance reasons. You cannot create a hierarchical relationship between two Notification Server computers if either one does not have a package server available.

Notification Server application credentials should be stable and not be changed regularly like some user account passwords.
If the Notification Server computer application account password becomes invalid, a message is displayed in the console. The message prompts you to use the ASConfig command-line tool to make the necessary updates.

To set up a hierarchical relationship between two Notification Server computers

1 In the Symantec Management Console, on the Settings menu, click Notification Server Management > Hierarchy.
2 On the Hierarchy Management page, on the Topology tab, right-click your Notification Server, and then click the appropriate option:
■ Add > Parent
■ Add > Child
■ Edit > Parent
■ Edit > Child
3 In the Add Hierarchy Node Wizard, on the first page, enter the name and URL of the remote Notification Server computer.
4 Supply the appropriate access credentials. The access credentials must be a Symantec Administrator account or equivalent account on the remote Notification Server computer.
5 Click Advanced.
6 In the Return Credential Settings dialog box, specify the Symantec Administrator (or equivalent) account that the remote Notification Server computer uses to communicate with the local Notification Server computer.
7 Click OK to close the Advanced dialog box.
8 Click Next.
9 On the Replication Schedules page, set up the differential and the complete replication schedules, and enable those that you want to use on the Notification Server computer. By default, only the differential replication schedule is enabled. Complete replication is rarely used because it puts a heavy load on the Notification Server computer, but you can enable it when necessary. You should schedule the replication at the times that do not clash with replication schedules on other Notification Server computers in the hierarchy.
See “Managing shared schedules” on page 274.
See “Configuring a schedule” on page 275.
10 Click Next.
11 On the Confirm Settings page, verify that the settings are correct, and then click Finish.

The local Notification Server computer uses the specified information to locate and verify the remote Notification Server computer and set up the appropriate hierarchical relationship with it. If the remote Notification Server computer does not have a package server available within its site, the verification fails and the hierarchical relationship cannot be established.

How deployment site servers work in a hierarchy

Hierarchy replication uses site services to operate. There must be a package server in each Notification Server computer site and this server must be off-box. You must offload package services on adjoining Notification Server computers to a managed device candidate capable of running package services. Ensure that the site server running those services is “assigned” to a site or subnet to which Notification Server belongs before setting up hierarchy.

See “About global policy distribution” on page 95.

In addition to the deployment site server, there must either be a task server and a package server for each site. If you do not use Deployment Solution, then it may be cost-effective to use the task services on the Notification Server computer. If you use Deployment Solution then you must dedicate a computer to host both the task services and the package services. This computer is called a deployment site server. You must have a dedicated deployment site server on each Notification Server computer site. When you use a dedicated task server you must manually configure site management to restrict all client computers to use the dedicated task server.

About hierarchy editable properties

Hierarchy editable properties allow the parent administrator to control what aspects of replicated policies a child administrator is permitted to edit.
Subsequent replications of the policy do not override a child administrator's changes.

See “About global policy distribution” on page 95.

You can define whether a regional administrator has rights to do the following:
■ Turn on and off a global policy.
■ Change the schedule of a global policy.
■ Modify the targets of a global policy.

Global policy distribution implementation considerations for Software Management Solution

Before you implement a global policy distribution plan, be aware of certain considerations about Software Management Solution.

The following are implementation considerations with Software Management Solution:
■ Hierarchy replication replicates software delivery policies and packages to child Notification Server computers for distribution.
■ Policies, filters, and packages are replicated automatically down the hierarchy.
■ Software delivery typically takes more than 48 hours.
■ Replication rules must be customized to include the software inventory details. The details are needed for reporting.

Global policy distribution implementation considerations for Patch Management Solution

This section includes specific considerations about Patch Management Solution to be aware of before you implement a global policy distribution plan.

The following are implementation considerations with Patch Management Solution:
■ Use patch management in a hierarchy to replicate software updates down the hierarchy for distribution and receive vulnerability reports at the top of the hierarchy.
■ In a hierarchy, patches must be imported at the parent Notification Server.
■ To minimize distribution times, replication schedules must account for the following order of operations: Patch import schedule; Patch import replication rule; site server download; agent update interval.
■ Without aligning schedules, patch distribution typically takes more than 48 hours.
■ A compliance summary is all that’s available at the parent Notification Server computer. Full vulnerability analysis reports drill down to each child Notification Server.

Limitations of global policy distribution in a hierarchy

Global policy distribution in a hierarchy topology does not replace regional management needs. Understand some limitations and considerations before you create a global policy distribution plan.

See “What you can do with global policy distribution” on page 96.

Global policy distribution has the following limitations:
■ Hierarchy does not provide a central view of all report data in an environment. In a hierarchy, administrators must manage and report at the child and the parent Notification Servers to view all data.
■ Setting up a hierarchy does not increase the ability to scale.
■ Hierarchy is not a replacement for organizational views and groups. Hierarchy does not provide scope-based management in an environment.
■ Hierarchy is not a data replication strategy for Notification Server failover.

Limitations of hierarchy

Hierarchy can simplify the management of multiple Notification Server computers. However, having multiple Notification Server computers does not necessarily indicate that you should implement a hierarchy. Even if a hierarchy simplifies your administration, it increases your Notification Server computer infrastructure overhead.

See “What you can do with global policy distribution” on page 96.

Consider the following limitations before you implement a hierarchy:
■ Three-tier hierarchies are not supported at this time.
■ Notification Server hierarchy supports between one and six child Notification Server computers. This number depends on the hardware capabilities of each server and your IT management requirements.
For example, the frequency and amount of inventory that you gather affects the number of clients each Notification Server computer can support. In a highly complex hierarchy scenario, you should contact Symantec Consulting Services to analyze your requirements and fine-tune the platform architecture to meet your needs.
■ Hierarchy adds the cost of a very robust Notification Server computer to act as the parent server.
■ Replication has some effect on the performance of all the Notification Server computers. This additional load on the child Notification Server computer may influence its maximum supported client count.
■ Replicated information is subject to a time delay.
■ Replicating more than once a day can have negative consequences.
■ Not all solutions in the Symantec Management Platform support hierarchy replication.
■ All Notification Server computers must have the same version of the Symantec Management Platform and Solutions installed. To determine the versions, you can open the Symantec Installation Manager locally on each Notification Server computer and record them. To perform Symantec Management Platform updates, hierarchy replication must be disabled first to avoid conflicts between dissimilar versions. You can easily enable or disable hierarchy replication on specific Notification Server computers with a single step. To perform Solution updates, use Symantec Installation Manager locally on each Notification Server computer. For more information, see the IT Management Suite migration guides.
■ You cannot get real-time data with hierarchy replication. When data is moved through the hierarchy, there is a time delay. If you use the default schedule for software distribution, then you require up to 24 hours for each tier in the hierarchy.
You can force individual items to replicate by using the Replicate Now option instead of waiting for the schedule.
■ If clients are configured with SSL (HTTP or HTTPS), then their Notification Server computer must also be configured for it. Mixed SSL and non-SSL environments should not be supported. If one Notification Server computer has SSL, then all of them must have it configured.
■ Asset Management 7.1 and CMDB 7.1 are designed to work with hierarchy and with Standalone Replication Rules. The Asset Management/CMDB server must be the uppermost server (the parent) in a hierarchy. Asset Management/CMDB cannot be on a child server. Standalone Replication Rules can forward inventory to the Asset Management/CMDB server, but not from this server.
■ Asset Management 7.0 and CMDB 7.0 are not designed to work with hierarchy and Standalone Replication Rules. Asset Management/CMDB 7.0 in a hierarchy with the Asset Management/CMDB server off the ITMS/CMS parent (as a reporting server) is not a supported architecture. Attempting to do so will result in unexpected resource issues. The only solutions are to either flatten the hierarchy to one Symantec Management Platform server or to upgrade to 7.1.

Replication types in the Symantec Management Platform

Symantec Management Platform uses two types of replication. These include the following types:
■ Hierarchy replication. Copies the information between multiple Notification Server computers. It defines which items are replicated, the direction that each item type flows, and when the replication occurs on each server in the platform. You can use replication to copy policies and tasks and reporting information to other Notification Server computers.
■ Peer-based replication. Requires you to specifically define the items to replicate and the direction that they replicate. You must configure the rules very selectively because there is no automatic conflict prevention in peer-based replication.
You can use both hierarchy replication and peer-based replication concurrently within a single Symantec Management Platform environment. This method of replication was called "inventory forwarding" in previous releases.

About hierarchy replication

Hierarchy replication specifies what is replicated in the hierarchy. It has no effect on the stand-alone replication that you can set up between any two Notification Servers. Any data that is replicated down from a parent Notification Server has priority, and overwrites the corresponding data on its child servers.

See “About creating and managing hierarchical relationships” on page 99.
See “Setting up a hierarchical relationship between two Notification Server computers” on page 100.

Note: Hierarchy replication is not supported from a 7.1 server to a 7.0 server or from a 7.0 server to 7.1 server.

The replicated configuration and management items received from a parent server are usually read-only so they cannot be modified. The read-only setting ensures that it is replicated unchanged down the hierarchy. If you want to allow additions to replicated items on child servers, you need to unlock the relevant items on the Notification Server computer on which they were created. For example, you may want to allow policies to be enabled and disabled on the child Notification Servers.

Hierarchy replication does not let you replicate the same data up and down the hierarchy. If you set up two rules that have the same resource type being replicated in both directions, a critical alert is raised and the replication rules are not executed.

Hierarchy has two modes of replication:

Differential: Replicates the objects and the data that have changed since the last replication. This mode is enabled by default and reduces the load and the bandwidth that hierarchy uses.
Complete: Replicates all objects and data.
This mode is disabled by default.

To minimize the load on the network and to prevent data collisions, you should schedule hierarchy replication at a different time for each Notification Server in your hierarchy.

See “About Symantec Management Platform schedules” on page 269.

Hierarchy replication synchronizes different types of objects in the following ways:

Security objects: Security objects, such as roles and privileges, always use complete replication. Differential replication is not an option for read-only objects such as these.
Items: Items use differential replication, which is handled by hashing each item to check for changes and replicating those that have changed.
Resources: Resources use differential replication. Differential replication is based on the "last changed" timestamp on the source data. Any data that has changed since the last replication is replicated to the destination server. The data on the destination is then verified, if data verification has been enabled in the appropriate replication rule. Data verification imposes significant processing load on Notification Server. To reduce this load, you can verify a specified percentage of data on the destination server with each replication. For example, if you verify 10% of the data for each replication, that ensures that all data has been verified after 10 replications.

About hierarchy replication rules

Hierarchy replication relies on replication rules. These rules define the data that replicates to other Notification Server computers. Many items are configured to replicate by default. However, there are practical constraints, particularly on the number of items that can replicate up the hierarchy. For example, many inventory data classes are not enabled to replicate up the hierarchy by default.
Without those data classes, some reports do not function at the parent Notification Server computer. You should be selective in choosing which data classes to replicate up. You can disable a replication rule at any time and enable it again later; it is not deleted.

Events are another item that can overwhelm a parent Notification Server computer when replicated. By default, no events are enabled to replicate. These should be replicated only with great caution and for limited time periods. Note that because replication does not occur in real time, raw event data cannot be used for alerting at the parent Notification Server computer.

About configuring replication

Before you start replicating data from one Notification Server to another, you need to plan your replication. This is to ensure that similar data is not passed in both directions. If any of your servers are part of a hierarchy, you need to ensure that the replication does not conflict with the hierarchy replication process. Notification Server does not check to ensure that your replication configuration is consistent with the hierarchy. A poorly planned implementation may create data clashes or overwrites in the affected CMDBs.

See “Configuring replication rules” on page 110.

Note: Replication is not supported from a 7.1 server to a 7.0 server or from a 7.0 server to a 7.1 server.

To configure replication, you need to set up the appropriate replication rules on each Notification Server computer. Each rule specifies the data to replicate from that server (the source server) to one or more specified destination servers and the schedule to use.

You should use different replication schedules for each Notification Server computer. For example, stagger the times to ensure that each runs at a different time.
Replicating to and from multiple Notification Server computers at the same time can cause problems in the CMDB.

The rule must be enabled for the specified replication to take place. You can enable and disable replication rules at any time, according to the needs of your organization. For each rule that is enabled, the specified data is replicated according to the defined schedule.

You can replicate data at any time by running the appropriate replication rules. In the console, right-click on the rule and click Run. Running a replication rule overrides its schedule and replicates the specified data to the destination servers immediately. Running a replication rule is a once-only operation and does not change the replication schedule. All replication rules continue to be run as scheduled.

Table 4-2 Replication rule types

| Type | Description |
| --- | --- |
| Events | Replicates Notification Server events. |
| Items | Replicates Notification Server configuration and management items such as policies, filters, and reports. |
| Resources | Replicates Notification Server resource types, resource targets, and specific data classes. If you include resource targets in a resource replication rule, remember that resource scoping applies to the contents (resources) of the replicated target. Therefore, the resources that are replicated depend on the owner of the resource target. The Notification Server administrator can choose to replicate resource targets in their current state (owned by somebody else, with the corresponding scope). Alternatively, they can take ownership of the targets, save them with the administrator’s scope (which usually contains more resources) and replicate them in that state. All the current members of a resource target are replicated. The actual resource target item is replicated in the background as a dependent item. The target that is applied to a stand-alone rule is replicated when the stand-alone rule itself is replicated. When the rule is run, the target is not sent. |
| Security | Replicates Notification Server security roles and privileges. Two types of security replication rules are available: Privilege and Role. The configuration procedure is identical for each. When you include a security role in a replication rule, you must also configure a replication rule to replicate all of the privileges in the role. The replicated security role does not recognize any privileges that already exist on the destination Notification Server computer. |

Replicating custom items in a hierarchy

You can replicate custom items for configuration items and management items. In the Hierarchy Management page there is an option available called Custom. When you enable the option and apply the page, console users can then replicate the custom items.

See “Replication types in the Symantec Management Platform” on page 105.

To replicate custom items in a hierarchy

1 In the console tree view, right-click a configuration management item or folder.
2 In the context menu, click Hierarchy – Enable/disable Replication.
3 If you selected a folder, a dialog window appears. It lets you also choose to enable all subfolders and enable all sub-items, or to only enable the selected folder. Choose your required option and click OK.
4 This operation only replicates the selected items when the replication schedule is triggered. When you run the Replicate Now operation on a custom item, it is automatically enabled for future replication. When a differential or a complete replication schedule next runs, any modifications to the item are sent.
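The planning constraints stated under “About configuring replication” and in the Security row of Table 4-2 can be checked over a draft rule plan before any rule is created in the console. The following Python sketch is an added example, not Symantec code: the Rule fields, server names, role and privilege names, and run lengths are constructed assumptions, and it does not read from or write to a Notification Server.

```python
"""Consistency checks for a draft set of stand-alone replication rules.

Planning model only: the Rule fields and the sample plan are constructed
for illustration; nothing here talks to a Notification Server.
"""
from dataclasses import dataclass
from datetime import time
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # server the rule is configured on
    destination: str   # server that receives the data
    rule_type: str     # "Events", "Items", "Resources", "Role" or "Privilege"
    data: frozenset    # resource types, items, roles or privileges covered
    start: time        # planned daily start time
    minutes: int       # assumed worst-case run length
    enabled: bool = True


def windows_overlap(a, b):
    """True if the two run windows intersect on a 24-hour clock."""
    a0 = a.start.hour * 60 + a.start.minute
    b0 = b.start.hour * 60 + b.start.minute
    return (b0 - a0) % 1440 < a.minutes or (a0 - b0) % 1440 < b.minutes


def both_directions(rules):
    """Pairs of rules that send the same data of one type A->B and B->A."""
    found = []
    for a, b in combinations(rules, 2):
        common = a.data & b.data
        if ((a.source, a.destination) == (b.destination, b.source)
                and a.rule_type == b.rule_type and common):
            found.append((a.name, b.name, sorted(common)))
    return found


def schedule_collisions(rules):
    """Rules owned by different servers that touch a common server and are
    planned to run at the same time."""
    found = []
    for a, b in combinations(rules, 2):
        shared = {a.source, a.destination} & {b.source, b.destination}
        if a.source != b.source and shared and windows_overlap(a, b):
            found.append((a.name, b.name, sorted(shared)))
    return found


def roles_missing_privileges(rules, role_privileges):
    """Role rules whose privileges are not all sent by Privilege rules with
    the same source and destination."""
    found = []
    for r in (x for x in rules if x.rule_type == "Role"):
        covered = set()
        for p in rules:
            if (p.rule_type == "Privilege"
                    and (p.source, p.destination) == (r.source, r.destination)):
                covered |= p.data
        for role in sorted(r.data):
            missing = sorted(set(role_privileges.get(role, ())) - covered)
            if missing:
                found.append((r.name, role, missing))
    return found


def check_plan(rules, role_privileges):
    """Run every check over the enabled rules only; disabled rules do not run."""
    active = [r for r in rules if r.enabled]
    return {
        "both_directions": both_directions(active),
        "schedule_collisions": schedule_collisions(active),
        "roles_missing_privileges": roles_missing_privileges(active, role_privileges),
    }


# Constructed sample plan: one parent and two child servers.
P, A, B = "NS-PARENT", "NS-CHILD-A", "NS-CHILD-B"
SAMPLE_RULES = [
    Rule("inv-up-A", A, P, "Resources", frozenset({"Computer"}), time(1, 0), 45),
    Rule("inv-down-A", P, A, "Resources", frozenset({"Computer", "User"}), time(3, 0), 30),
    Rule("inv-up-B", B, P, "Resources", frozenset({"Computer"}), time(1, 30), 45),
    Rule("roles-down", P, A, "Role", frozenset({"Helpdesk"}), time(5, 0), 10),
    Rule("privs-down", P, A, "Privilege", frozenset({"View Reports"}), time(5, 30), 10),
    Rule("events-up-A", A, P, "Events", frozenset({"Agent Events"}), time(1, 0), 60,
         enabled=False),
]
# Constructed mapping of each role to the privileges it contains.
SAMPLE_ROLE_PRIVILEGES = {"Helpdesk": {"View Reports", "Run Tasks"}}

if __name__ == "__main__":
    for check, findings in check_plan(SAMPLE_RULES, SAMPLE_ROLE_PRIVILEGES).items():
        for finding in findings:
            print(check, *finding)
```

Enabling the disabled events rule in the sample plan adds a second schedule collision at the parent, which is why the plan should be re-checked whenever a rule is switched on.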
Configuring replication rules

The replication rules that you configure on a Notification Server are items on that server. Therefore it is possible to replicate them to other Notification Servers. You may want to set up your item replication rules to ensure that replication rules are not included.

Note: Replication is not supported from a 7.1 server to a 7.0 server or from a 7.0 server to a 7.1 server.

When a replication rule is replicated, its settings remain unchanged. A rule that is enabled on the source server is immediately enabled on the destination servers. However, the destination that is specified in the replication rule cannot be resolved. Each Notification Server uses its own unique GUIDs to identify resources, so the destination is valid only on the source Notification Server. You need to update the replication rule to point to the correct destination Notification Server.

See “About configuring replication” on page 107.

To configure a replication rule

1 In the Symantec Management Console, on the Settings menu, click All Settings.
2 In the left pane, expand the Settings > Notification Server > Replication folder.
3 In the Replication folder, do any of the following:

| Action | Steps |
| --- | --- |
| Create a new replication rule | Right-click the appropriate folder and click New > Replication Rule. The new rule appears in the folder and is selected automatically. |
| Modify an existing replication rule | Expand the appropriate folder, and then select the replication rule that you want to modify. |
| Enable or disable a replication rule | Expand the appropriate folder, and then right-click the replication rule and click Enable or Disable, whichever is appropriate. You can also enable or disable a rule in the Replication Rule page, by clicking the rule status (On/Off) icon to toggle the setting. |
| Run a replication rule | Expand the appropriate folder, and then right-click the replication rule that you want to run and click Run. |

4 On the Replication Rule page, specify the appropriate settings.
  See “Replication rule settings” on page 111.
5 Click Save changes.

Replication rule settings

Some replication rule settings apply only to a particular rule type.

See “About configuring replication” on page 107.

See “Configuring replication rules” on page 110.

Table 4-3 Replication rule settings

| Setting | Description |
| --- | --- |
| Rule name and description | The first line of the page heading is the name of the replication rule. The second line of the page heading is its description. To change these, you can click the text to make it editable, and then type the rule name or description. |
| Rule status symbol | The current status of the replication rule: ■ On (Green light) – The rule is active. ■ Off (Red light) – The rule is idle. You can click the symbol to toggle the status to its alternative setting. |
| Resource Types / Resource Targets | Applies to resource replication rules and event replication rules. Specifies the resources that you want to replicate. These two options are alternatives. You can click the appropriate option to activate the one that you want: ■ Resource Types: Replicates the selected resource types. If you choose this option, you need to click Resource Types. In the Select Resource Type window, select the resource types that you want to include. ■ Resource Targets: Replicates the selected resource targets. If you choose this option, you need to click Resource Targets. In the Select a Group window, select the resource targets that you want to include. |
| Data Classes | Applies to resource replication rules only. If you want to specify particular data classes to include, you need to click Data Classes. In the Inventory Data Classes window, select the classes that you want. |
| Event Classes | Applies to event replication rules only. The event classes to include. To select these, click Event Classes and, in the Event Classes window, select the classes that you want. |
| Items | Applies to item replication rules only. The items to include in the replication rule. To select these, click Items and, in the Select Items window, select the items that you want. |
| Roles / Privileges | Applies to security replication rules only. The roles or privileges to replicate, according to the rule type. These settings are alternatives and only the appropriate option is displayed on the page. To select these, click Roles/Privileges and, in the Select Roles/Privileges window, select the roles or privileges that you want. |
| Destination | The Notification Server computers to which the data is replicated. See “Specifying destination Notification Servers in a replication rule” on page 113. |
| Credentials | The credentials that are required to connect to the destination Notification Servers. |
| Maximum Rows | Applies to event replication rules only. Specifies the maximum number of table rows to replicate. |
| Resend events that have been sent previously | Applies to event replication rules only. You should use this option if a destination server has recently purged its event classes or if you have experienced network problems between servers. |
| Use this schedule | In the drop-down list, select the schedule that you want to use. If you select Custom Schedule, you need to click Define Custom Schedule and, in the Schedule Editor, specify the schedule parameters. |
| Verify maximum of nn% of data during each replication | Applies to resource replication rules only. To reduce the load that is imposed on the server, you can verify small amounts of resource data on every replication. You can specify a verification percentage in the replication rule. For example, if you verify 10% of the data for each replication, that ensures that all data has been verified after 10 replications. |

Specifying destination Notification Servers in a replication rule

You need to specify the Notification Server computers to which a replication rule replicates data. This procedure is the same for all replication rule types.

See “About configuring replication” on page 107.

See “Configuring replication rules” on page 110.

To specify the destination Notification Servers in a replication rule

1 In the Symantec Management Console, on the Settings menu, click All Settings.
2 In the left pane, expand the Settings > Notification Server > Replication folder.
3 In the Replication folder, click the replication rule you want to edit.
4 On the Replication Rule page, click Specified Notification Servers.
5 In the Notification Servers window, in the Available Notification Servers list, select the appropriate destination Notification Servers.
6 If necessary, you can add new Notification Servers to the list, or modify existing Notification Servers.
7 Click Save changes.
  The selected Notification Servers are listed in the Destination field.

Overriding the hierarchy differential replication schedule

The Notification Server computers in a hierarchy are normally synchronized according to the replication schedule that is set up in the replication rules. If necessary, you can manually override the differential replication schedule for your Notification Server and trigger the hierarchy replication rules immediately. It triggers the hierarchy differential schedule to the selected child node.
Any hierarchy replication rules that are set to run on the differential schedule are run immediately. Any rules that are set to run on custom schedules are not triggered to run at that time.

You can manually replicate data to your Notification Server from a remote parent or child Notification Server only. You cannot manually override replication to a remote Notification Server. You can only perform an operation that affects your Notification Server. You can log on to a remote Notification Server to make it your Notification Server, and manually override the differential replication schedules on its parent or its child Notification Servers.

See “About hierarchy replication” on page 106.

To override the hierarchy differential replication schedule

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Hierarchy.
2 On the Hierarchy Management page, on the Topology tab, right-click the Notification Server computer from which you want to replicate data.
3 Click Hierarchy > Replicate To....
  This option triggers the hierarchy replication rules that point to the local (currently logged on) Notification Server. You cannot replicate data from the remote Notification Server to any other remote servers.
4 In the confirmation dialog box, click OK.

Replicating selected data manually

You can override the replication rules for your Notification Server by performing a manual hierarchy replication of a particular folder or item. Manual replication replicates the selected data to the child Notification Servers immediately. The data is replicated regardless of the replication schedules or whether the data is included in the replication rules.

See “About hierarchy replication” on page 106.
To manually replicate selected data from your Notification Server

1 In the Symantec Management Console, in the left pane, right-click the folder or item that you want to replicate.
  If you select a folder, the replication includes all of its content (all levels of subfolders and items that it contains). Any parent folders (but not their contents) are also replicated to preserve the folder paths within the structure.
2 Click Hierarchy > Replicate Now....
3 In the confirmation dialog box, click OK.

Running a hierarchy report

Some hierarchy reports are supplied with Notification Server, and solutions may provide additional reports. You can run a report on any Notification Server in the hierarchy to extract data from its CMDB. You may want to update the summary data prior to running a hierarchy report. You can update the summary data on demand or schedule updates.

Some installed solutions may supply hierarchy federated reports. These reports summarize the relevant data across the hierarchy, and the results contain a single line for each Notification Server. You can run the full report on a particular Notification Server by double-clicking on the appropriate line.

To run a hierarchy report

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Hierarchy.
2 On the Hierarchy Management page, on the Topology tab, right-click the Notification Server computer on which you want to run a report.
3 Click Reports and click the appropriate report.
4 In the report page, specify any parameters that you want to use, and refresh the report.

Section 2 Implementing IT Management Suite

■ Chapter 5. Performance and scalability recommendations for IT Management Suite
■ Chapter 6. Preparing for the installation of IT Management Suite
■ Chapter 7. Installing IT Management Suite
■ Chapter 8. Installing the Deployment Solution
■ Chapter 9. Configuring Notification Server
■ Chapter 10. Setting up managed computers
■ Chapter 11. Configuring security
■ Chapter 12. Configuring Schedules
■ Chapter 13. Configuring site servers
■ Chapter 14. Getting started with IT Management Suite

Chapter 5 Performance and scalability recommendations for IT Management Suite

This chapter includes the following topics:

■ Symantec Management Platform performance factors
■ Recommended ranges of component totals for IT Management Suite 7.1
■ Recommended IT Management Suite 7.1 hardware
■ Recommended configuration for Notification Server with locally installed SQL database
■ Supported operating systems for Notification Server and site servers
■ SQL Server recommendations and third-party software requirements

Symantec Management Platform performance factors

Many factors influence the performance of your infrastructure. The following are some of the common items that influence performance:

See “About tuning the SQL Server computer for performance” on page 120.

See “About tuning the Symantec Management Agent for performance” on page 124.

See “About tuning Notification Server Event processing for performance” on page 120.

About tuning the SQL Server computer for performance

The throughput of the SQL Server is a primary consideration for Symantec Management Platform performance. The configuration of SQL Server and its hardware will influence overall performance. Most of the decisions you make that influence performance are related to architectural choices. For example, SQL Server will perform better if it is installed on a separate server from the Notification Server. This is referred to as installing SQL "off box."
It offloads the work of data processing and frees resources for Notification Server processing. Another decision that influences SQL performance is to use high performance disks and to configure their RAID arrays appropriately.

For more information about SQL Server setup see the following:

See “About the Configuration Management Database” on page 39.

See “About planning your SQL Server configuration” on page 55.

See “Symantec Management Platform performance factors” on page 119.

About tuning Notification Server Event processing for performance

A Notification Server event (NSE) is the standard mechanism by which Notification Server receives data. NSE processing directly influences performance on the Notification Server computer. The most direct method to influence the processing of NSEs is to adjust the volume and the frequency of your inventory gathering settings. You can also influence the processing of NSEs by adjusting the schedules for resource membership updates.

See “Symantec Management Platform performance factors” on page 119.

The following schedules influence the processing of NSEs:

■ Collect full inventory
Full inventory lets you gather data about managed computers. It includes data about hardware, operating system, installed software, and file properties. This data is sent to Notification Server in the NSE format. Full inventory can be resource-intensive. The default schedule runs full inventory once per month. Best practice is to collect full inventory once a month during non-production hours. We do not recommend that you run full inventory more often than once a week, even in small environments. Custom inventory can be run more frequently and more efficiently than full inventory. Custom inventory lets you collect very specific data points.
See “About predefined inventory policies” on page 121.

■ Collect delta inventory
Delta inventory and Full inventory have similar resource consumption on managed computers. A delta inventory contains all the information that was added, removed, or changed since the previous inventory. The delta inventory file is smaller than the complete inventory file. Collect delta inventory can be run daily or weekly. You can improve the Symantec Management Console's UI performance if collect delta inventory is run during non-production hours. We recommend that you run delta inventory weekly rather than every day for environments with more than 10,000 clients per Notification Server. Environments with fewer than 10,000 clients can consider a daily delta inventory schedule. Delta inventory cannot track removed software. Only full inventory tracks removed software.
See “About predefined inventory policies” on page 121.

■ Resource membership updates
The resource membership update schedules determine how accurate and current your resource filters, organizational groups, and resource targets are. Notification Server has three resource membership update schedules: the complete update schedule, the delta update schedule, and the policy update schedule. The more frequently resource membership updates run, the less latency there is on updates or remediation. However, when resource membership updates run, Notification Server must read and analyze the data in the CMDB. When Notification Server runs resource membership updates, computing resources are consumed. An example of how the resource membership update schedule can influence your day-to-day use is with assigning software from the Software Portal. Users that request software from the Software Portal must wait until after the delta resource membership update completes.
See “Scheduling resource membership updates” on page 123.

About predefined inventory policies

You can use predefined inventory policies to quickly start gathering inventory data.
You can use the predefined policies as they are or modify them. If you want to modify a predefined policy, Symantec recommends that you clone the original policy and then modify the copy.

To use inventory policies or tasks, you must install the Inventory Plug-in on target computers.

Table 5-1 Predefined inventory policies and tasks

| Policy | Enabled by default? | Default schedule | Default target | Notes |
| --- | --- | --- | --- | --- |
| Collect Full Inventory | Yes | Weekly, every Monday at 18:00 (6:00 P.M.) | All computers with the Inventory Plug-in installed | This policy collects a full inventory. By default it collects hardware and operating system, software, and file properties inventory data. You can use this default to gather an initial inventory, and then again weekly. Even though this policy is enabled by default, you must install the Inventory Plug-in on target computers before inventory data is gathered. |
| Collect Delta Hardware Inventory | No | Monthly, every first Monday at 18:00 (6:00 P.M.) | All computers with the Inventory Plug-in installed | By default, this policy collects only the hardware inventory data and the operating system inventory data that has changed since the last full hardware inventory. |
| Collect Delta Software Inventory | No | Weekly, every Monday at 18:00 (6:00 P.M.) | All computers with the Inventory Plug-in installed | By default, this policy collects only the software inventory data that has changed since the last full software inventory. |
| Collect Full Server Inventory (Inventory Pack for Servers required) | Yes | Weekly, every Monday at 18:00 (6:00 P.M.) | All computers with the Inventory Pack for Servers Plug-in installed | This task only exists if the Inventory Pack for Servers product is installed. Even though this policy is enabled by default, you must install the Inventory Plug-in on target computers before inventory data is gathered. |
| Collect Delta Server Inventory (Inventory Pack for Servers required) | No | Weekly, every Monday at 18:00 (6:00 P.M.) | All computers with the Inventory Pack for Servers Plug-in installed | By default, this policy collects only the server applications inventory data that has changed since the last full server inventory. |

Scheduling resource membership updates

You can keep all of your resource filters, organizational groups, and resource targets up to date by configuring the appropriate filter update schedules. These schedules let you update the filters, organizational groups, and targets that you need at suitable intervals. These schedules help you manage the processing load that is imposed on Notification Server.

Predefined resource membership update schedules are supplied with the Symantec Management Platform. These schedules are suitable for most purposes and you should not need to change them. However, as the requirements of your organization change, you can make the necessary changes.

Table 5-2 Resource membership update schedules

| Schedule | Description |
| --- | --- |
| Delta Update schedule | Updates the membership of the following: ■ Filters that have had membership changes since the last update. ■ All dynamic organizational groups. ■ All invalid targets. A target may be invalidated by the following events: its definition is saved; a filter that it uses has membership changes; an organizational group that it uses has membership changes; the security that is applied to an organizational group that it uses changes. By default, this schedule runs every five minutes. |
| Complete Update schedule | Completely re-creates the membership of all filters, organizational groups, and targets, regardless of inventory status or any changes to policies. The complete update may impose a significant load on Notification Server and should be scheduled accordingly. By default, this schedule runs once a day. |
| Policy Update schedule | Updates the membership of filters that a policy uses, if the policy has changed since the last update. This schedule ensures that when you update or create a policy, all the filters that are included in the new policy targets or modified policy targets are updated automatically. By default, this schedule runs every five minutes. |

See “About Symantec Management Platform schedules” on page 269.

See “Viewing the Notification Server internal schedule calendar” on page 276.

To configure the resource membership update schedules

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Resource Membership Update.
2 On the Resource Membership Update page, configure the update schedules that you want to use.
3 If you want to run an update schedule immediately, in the appropriate panel, click Run.
  For example, you can ensure that all the changes to your filters take effect immediately, rather than waiting until the scheduled update.
4 Click OK.

About tuning the Symantec Management Agent for performance

The Symantec Management Agent has three general settings that can affect your Notification Server computer’s performance and network bandwidth usage. You can access these settings in the Symantec Management Console, in the Settings > Agents/Plug-in Settings > Targeted Agents Settings page.

See “Targeted Agent Settings: General tab” on page 126.

See “Symantec Management Platform performance factors” on page 119.

The agent has the following general settings:

■ Download new configuration.
This setting is the interval at which the Symantec Management Agent requests new policy information from Notification Server.
Modifications to the setting influence your Notification Server computer's performance. The Symantec Management Agent communicates regularly with Notification Server to determine if it has work to do. This interval is the primary setting for agent communication time frames and determines how quickly work is delivered to managed computers. The more frequently your managed computers request a new configuration, the more total load is placed on the Notification Server computer’s resources and the network. The configuration request itself does not increase the load on the Notification Server computer. Rather, the work that the Notification Server computer must do to respond to each request increases the load. You can change the request interval to adjust the total number of requests and the total volume of network traffic that is generated.

The default request interval to download new configuration settings is one hour. A typical request generates approximately 3 kbits of network traffic. For example, 5,000 managed computers make 120,000 total requests to Notification Server each day, totaling approximately 360,000 kbits of network traffic. However, by adjusting the setting to every two hours, you reduce the number of requests to 60,000. You also reduce the volume of network traffic to 180,000 kbits. This schedule halves the network traffic on the Notification Server computer; however, it also doubles the time between updates to the managed computers.

Use the following guidelines to determine the appropriate value for the Symantec Management Agent configuration update interval:

| Number of managed computers | Agent configuration update interval |
| --- | --- |
| < 1,000 endpoints | Every hour |
| 1,000 to 5,000 endpoints | Every hour |
| 5,000 to 10,000 endpoints | Every two hours |
| 10,000 to 15,000 endpoints | Every three hours |
| 15,000 to 20,000 endpoints | Every four hours |

■ Upload basic inventory.
This setting is the interval at which the Symantec Management Agent sends basic inventory to Notification Server. Notification Server uses the information to uniquely identify each managed computer. Basic inventory contains information such as a list of installed agent/plug-ins and the TCP/IP address. The default interval uploads basic inventory once a day. A typical basic inventory update is between 20 kbit and 25 kbit in size.

■ Compress events.
This setting determines at what size Notification Server events are compressed before the agent sends them to Notification Server. If you increase this value, you reduce bandwidth load; however, you increase the use of CPU resources on managed computers and Notification Server. This increase occurs because the computers must compress and decompress the data before it can be processed. The recommended minimum size for compressing a Notification Server event is 200 KB. This setting balances bandwidth usage with CPU usage. For example, you may want to set a low value for the events that are sent from mobile computers. You can set a higher value for events on well-connected LAN computers.

Targeted Agent Settings: General tab

The targeted agent general settings include the policy download and inventory collection frequencies, and whether to compress large events when sending them to Notification Server. You also need to specify the computers, users, or resource targets to which the targeted agent settings policy applies.

Table 5-3 Settings on the General tab

| Setting | Description |
| --- | --- |
| Download new configuration | The interval at which the Symantec Management Agent requests new policy information from Notification Server. The default and recommended interval is one hour. When you first set up your Notification Server, set this time to 1, 5, or 15 minutes. This setting lets you find out how Notification Server interacts with the Symantec Management Agents. This time should then be increased to suit the number of managed computers that you have. |
| Upload basic inventory | The interval at which the Symantec Management Agent sends basic inventory to Notification Server. The default interval is one day. You should adjust this value according to the number of managed computers in your organization. |
| Compress events over | Select this option to compress events when they are sent to Notification Server, and set the minimum size. The recommended minimum size is 200 KB, which is a compromise between bandwidth and CPU usage. The value you choose here is a trade-off between bandwidth usage and CPU usage on the server. For example, you may want to set a low value for the events that are sent from mobile computers. You can set a higher value for events on well-connected LAN computers. |
| Applies to | Displays the details of the resource targets, computers, or users to which the agent settings policy currently applies. You can set or change the policy target as appropriate. |

Recommended configuration settings based on managed endpoints

This section displays recommendations for common configuration settings for the agent, inventory, resource membership updates, and the task service update schedule that can influence the performance of IT Management Suite.

See “Symantec Management Platform performance factors” on page 119.

Table 5-4 Configuration settings based on number of managed endpoints

| Setting | < 1,000 endpoints | 1,000 - 5,000 endpoints | 5,000 - 10,000 endpoints | 10,000 - 15,000 endpoints | > 15,000 endpoints |
| --- | --- | --- | --- | --- | --- |
| Agent configuration schedule | Every one hour. | Every one hour. | Every two hours. | Every three hours. | Every four hours. |
| Full Inventory collection schedule | Monthly. | Monthly. | Monthly. | Monthly. | Monthly. |
| Delta Inventory collection schedule | Weekly. | Weekly. | Weekly. | Weekly. | Weekly. |
| Full resource membership update schedule | Daily. | Daily. | Daily. | Daily. | Daily. |
| Delta resource membership update schedule | Every 15 minutes. | Every 20 minutes. | Every 30 minutes. | Every 45 minutes. | Every one hour. |
| Policy resource membership update schedule | Every 15 minutes. | Every 20 minutes. | Every 30 minutes. | Every 45 minutes. | Every one hour. |
| Task Service update schedule | Every 5 minutes. | Every 5 minutes. | Every 15 minutes. | Every 15 minutes. | Every 15 minutes. |

Recommended ranges of component totals for IT Management Suite 7.1

The following information is based on IT Management Suite 7.1 scalability testing in a 1x6x20k hierarchy configuration.

See “Recommended IT Management Suite 7.1 hardware” on page 129.
See “About planning your site servers” on page 62.

Table 5-5 Ranges of recommended component totals for IT Management Suite 7.1

| Components | Range |
| --- | --- |
| Managed computers per Notification Server. | 1 - 20,000 |
| Managed computers per package server.¹ | 1 - 7,500 |
| Managed computers per task server.² | 1 - 7,500 |
| Managed computers per deployment site server.³ | 1 - 7,500 |
| Concurrent PXE sessions per deployment site server.³ | 200 |
| Concurrent console sessions per Notification Server. | 100 (75 managers + 25 Asset managers) |
| Package servers per Notification Server. | 1 - 500 |
| Task servers per Notification Server. | 1 - 300 |
| Deployment site servers per Notification Server (requires local task service and local package service). | 1 - 300 |

¹ This number depends on package use and frequency. The appropriate number for a specific architecture should be determined using Microsoft Windows file transfer speeds, because package servers are basically file servers.

² If you plan to use tasks excessively, this number needs to be lower due to the number of tasks to process.
In this case, the client computer node count is secondary.

³ Deployment Solution has a dependency on task services. As a result, this client computer number should match the task server number. However, care should be taken to not initiate deployment jobs on more than 200 clients per task server at a time. This scenario can have multiple constraints:
■ The disk speed of the task server hosting WinPE and the images.
■ The number of available IP addresses in a given DHCP scope for newly discovered computers.
■ The size of the image/s.

Recommended IT Management Suite 7.1 hardware

To determine your hardware requirements, use the recommendations in this topic. The following are general hardware recommendations for most environments with IT Management Suite 7.1. Depending on your specific circumstances, the appropriate hardware may vary.

Note: These recommendations are NOT minimum specifications. Implementing them should ensure reasonable Notification Server performance for inventory collection and UI response times.

Table 5-6 IT Management Suite 7.1 hardware recommendations for Microsoft SQL Server

| Component | Proof of concept | 100 - 1,000 endpoints | 1,000 - 5,000 | 5,000 - 10,000 | 10,000 - 20,000 endpoints |
| --- | --- | --- | --- | --- | --- |
| Processors | One core | Four cores | Eight cores | Eight cores | Eight cores |
| Disk Speed | SAS 10k | SAS 10k in RAID 10 configuration | SSD or SAS in high-performance disk array. | SAS 15k in high-performance disk array. | SSD or SAS 15k equivalent in a high-performance disk array. |
| Disk Capacity | 80 GB | 80 GB | 120 GB | 400 GB | 400 GB |
| RAM | 16 GB | 16 GB | 24 GB | 32 GB | 48 GB |

Note: Running Microsoft SQL Server on virtual hardware is not recommended.
Table 5-7 IT Management Suite 7.1 physical and virtual hardware recommendations for Notification Server

| Component | Proof of concept | 100 - 1,000 endpoints | 1,000 - 5,000 | 5,000 - 10,000 | 10,000 - 20,000 |
| --- | --- | --- | --- | --- | --- |
| Processors | One core | Eight cores | Eight cores | Eight cores | Eight cores |
| Disk Speed | SAS 10k | SAS 10k | SAS 10k | SAS 15k | SAS 15k |
| Disk Capacity | 80 GB | 80 GB | 80 GB | 80 GB | 80 GB |
| RAM | 12 GB | 16 GB | 16 GB | 16 GB | 16 GB |

Note: The services in the following three tables can be combined on one site server or deployed separately, depending on your environment. However, deployment site services always have to include task and package services on the same site server.

Table 5-8 IT Management Suite 7.1 physical and virtual hardware recommendations for Task Server

| Component | 10 - 100 endpoints | 100 - 1,000 endpoints | 1,000 - 5,000 | 5,000 - 7,500 |
| --- | --- | --- | --- | --- |
| Operating system | Desktop operating system | Server operating system | Server operating system | Server operating system |
| Processors | One core | Two cores | Four cores | Four cores |
| Disk Capacity | 5 GB | 5 GB | 5 GB | 5 GB |
| RAM | 4 GB | 4 GB | 4 GB | 8 GB |

Table 5-9 IT Management Suite 7.1 physical and virtual hardware recommendations for package server

| Component | 10 - 100 endpoints | 100 - 1,000 endpoints | 1,000 - 5,000 | 5,000 - 7,500 |
| --- | --- | --- | --- | --- |
| Operating system | Desktop operating system | Server operating system | Server operating system | Server operating system |
| Processors | One core | Two cores | Four cores | Four cores |
| Disk Capacity | 100 GB - 250 GB | 100 GB - 250 GB | 100 GB - 250 GB | 100 GB - 250 GB |
| RAM | 4 GB | 4 GB | 4 GB | 4 GB |

Table 5-10 IT Management Suite 7.1 physical and virtual hardware recommendations for deployment site server

| Component | 10 - 100 endpoints | 100 - 1,000 endpoints | 1,000 - 5,000 | 5,000 - 7,500 |
| --- | --- | --- | --- | --- |
| Operating system | Desktop operating system | Server operating system | Server operating system | Server operating system |
| Processors | One core | Two cores | Four cores | Four cores |
| Disk Capacity | 100 - 250 GB | 100 - 250 GB | 100 - 250 GB | 100 - 250 GB |
| RAM | 4 GB | 4 GB | 4 GB | 8 GB |

Please take note of the following details:
■ All of the recommendations in this topic assume that you install SQL Server on a dedicated computer.
■ The primary influence on SQL performance is disk throughput.
See “About hard drive configuration for off-box SQL Server” on page 56.
See “About hard drive configuration for on-box SQL Server” on page 57.
■ Symantec does not recommend that you install SQL Server on a virtual computer.
■ Your Notification Server disk capacity requirements may increase depending on your specific strategy for storing Deployment Disk Images, Patch Management Bulletins, and your Software Library.
■ When Notification Server is installed on a virtual computer, the data loader shows performance degradation (approximately 25%).
■ If you choose to install the task service and the package service on the same computer, increase your hardware to account for the additional load.
■ Site servers may use either a Windows workstation operating system or a Windows server operating system. Distributed and large environments may require numerous site servers to meet configuration management demands. Your primary consideration is the number of concurrent sessions that you need when you choose between a server operating system and a workstation operating system. Windows workstations are limited to 10 concurrent TCP connections, but Windows Server OS does not have the same limitation. A site with fewer than 100 endpoints may only require 10 sessions; however, a Windows server may be required for larger remote sites.
■ When a site server supports more than 7,500 managed computers, additional site servers should be used.
■ You might need to add more disk capacity, depending on your use case scenario.

Recommended configuration for Notification Server with locally installed SQL database

For environments with up to 5,000 managed computers, a Notification Server with a locally installed SQL database might perform adequately. However, this depends on the demands that are placed on it. Symantec Management Platform environments with SQL installed locally are also referred to as "on-box" SQL environments.

See “About planning your SQL Server configuration” on page 55.
See “About hard drive configuration for on-box SQL Server” on page 57.

Installing the SQL database locally will not result in maximum performance, but it can deliver acceptable performance. To ensure maximum performance, you should still install SQL on a separate server class computer. Optimal configuration is especially important for on-box SQL environments. Performance is most noticeable with user interface responsiveness and the time it takes to collect computer inventory.

Table 5-11 IT Management Suite 7.1 physical hardware recommendations for Notification Server with on-box SQL

| Component | Proof of concept | 1 - 5,000 endpoints |
| --- | --- | --- |
| Processors | One core | Eight cores |
| Disk Speed | SAS 10k | RAID 10 or SSD |
| Disk Capacity | 80 GB | 80 GB |
| RAM | 12 GB | 32 GB |

Supported operating systems for Notification Server and site servers

Symantec Management Platform 7.1 requires Windows Server 2008 R2 or Windows Server 2008 R2 SP1. However, the Symantec Management Platform can host middleware components on computers other than the Notification Server. These middleware components support several operating systems.
For more information on Symantec IT Management Suite platform support, see http://www.symantec.com/docs/HOWTO9965.

The official name for a middleware component is a "site service." Any computer that hosts a site service is known as a site server. Examples of site services are package service and task service. A site server can have one or more site services installed on it. For example, if you install the package server site service (the "package service") onto a computer, that computer becomes a site server.

Table 5-12 Supported operating systems for Notification Server

| Type of operating system | Supported operating system |
| --- | --- |
| Microsoft Windows server | Windows Server 2008 R2 and Windows Server 2008 R2 SP1. Windows Server 2008 R2 requires a 64-bit computer. If you migrate to Symantec Management Platform 7.1, Symantec recommends that you migrate on a new computer. |
| Virtual Host | VMware ESX 3.5, 4.0, and 5.0; Microsoft Hyper-V Server 2008 R2 |

Site servers can use either a Windows workstation operating system or a Windows server operating system. A site server with a package service installed can also use a Linux server operating system. Distributed and large environments may require numerous site servers to meet configuration management demands. Notification Server makes sure that the site service is installed only on the computers that satisfy the minimum requirements.

Your primary consideration is the number of concurrent sessions that you need when you choose between a server operating system and a workstation operating system. A Windows workstation is limited to 10 concurrent TCP connections and a server operating system does not have the same limitations. A site with fewer than 100 endpoints may only require 10 sessions. However, a Windows server may be required for larger remote sites.

See “About planning your site servers” on page 62.
Table 5-13 Supported operating systems for package service

| Type of operating system | Supported operating system |
| --- | --- |
| Microsoft Windows desktop | Windows XP SP2; Windows XP SP3; Windows Vista SP1; Windows Vista SP2; Windows 7; Windows 7 SP1 |
| Microsoft Windows server | Windows Server 2003 SP2; Windows Server 2003 R2 SP2; Windows Server 2008; Windows Server 2008 SP2; Windows Server 2008 R2 and R2 SP1 |
| Linux Desktops | Red Hat Enterprise Linux WS 4; Novell SUSE Linux Desktop 10, 11, 11 SP1 |
| Linux servers | Red Hat Enterprise Linux AS 4; Red Hat Enterprise Linux ES 4; Red Hat Enterprise Linux Server 5.1, 5.2, 5.3, 5.4, 5.5, 5.6; Red Hat Enterprise Linux 6.0; Red Hat Enterprise Linux 6.0 Server; Red Hat Enterprise Linux 6.1 Server; Novell SUSE Linux Enterprise Server 10; Novell SUSE Linux Enterprise Server 11, 11 SP1 |

Table 5-14 Supported operating systems for task service

| Type of operating system | Supported operating system |
| --- | --- |
| Microsoft Windows desktop | Windows XP SP2; Windows XP SP3; Windows Vista SP2; Windows 7; Windows 7 SP1 |
| Microsoft Windows server | Windows Server 2003 SP2; Windows Server 2003 R2 SP2; Windows Server 2008; Windows Server 2008 SP2; Windows Server 2008 R2, R2 SP1 |

See “Recommended IT Management Suite 7.1 hardware” on page 129.
See “SQL Server recommendations and third-party software requirements” on page 135.

SQL Server recommendations and third-party software requirements

Symantec Management Platform 7.1 requires SQL Server either installed on-box or off-box. The version of SQL Server that you need depends on the number of endpoints that you manage.

See “About planning your SQL Server configuration” on page 55.
Table 5-15 Proof of Concept 100-1,000 endpoints Symantec Management Platform 7.1 SQL Server recommendations 1,000 to 5,000 endpoints Microsoft SQL Server Microsoft SQL Server Microsoft SQL Server 2005 or 2008 Express 2005 or 2008 2005 or 2008 Standard Standard or or Enterprise Enterprise On-box SQL is On-box SQL is supported; off-box SQL supported; off-box is recommended. SQL is recommended. 5,000-10,000 endpoints 10,000-80,000 endpoints Microsoft SQL Server Microsoft SQL Server 2005 or 2008 2005 or 2008 Standard or Enterprise Enterprise Symantec Symantec recommends that you recommends that you host SQL server off host SQL server off box. box.

See “About supported SQL Server collations” on page 141.

The Symantec Management Platform products also require additional third-party software.

See Table 5-16 on page 136.

Table 5-16 Symantec Management Platform 7.1 required third-party software

| Software | Purpose |
| --- | --- |
| Adobe Flash Player 10 | The Adobe Flash Player plug-in for Internet Explorer is required for the Resource Association Diagram in the Asset Management Suite. |
| Adobe Reader | Adobe Reader is required to open the PDFs of the user guides. |
| AJAX 1.0 | Ajax is used to enable asynchronous calls to allow for a dynamic user interface. For example, loading menus on demand and rendering on the fly. Ajax is fundamental to many of the user interface control behaviors — menus, grids, trees, lists, component art controls, etc. |
| Microsoft Access 2010 OLEDB driver | Data Connector requires this driver to be able to communicate with Access (.mdb) and Excel (.xls) files. Install the 64-bit version of the driver. |
| Microsoft .NET 3.5 SP1 | Symantec Management Platform depends on the Microsoft .NET framework. |
| Microsoft IE 7, IE 8, or IE 9 (compatibility mode only) | Microsoft Internet Explorer is the browser that supports the Symantec Management Console. |
| Microsoft Silverlight 4.0 | Silverlight is required for the First Time Setup page in the Symantec Management Console. |
| Server Manager roles and role services | Application Server role and IIS 6 Management Compatibility, ASP, and Web Server role services. Note: If the required IIS Role Services are not installed, you are prompted to install them on the Install Readiness Check page. |
| Sun Java Runtime 6 | Java JRE is required for LiveState and Altiris Package Conversion. Java JRE is also required on any computer that remotely accesses the Symantec Management Console when the Software Library is used as the package source. |

See “Recommended IT Management Suite 7.1 hardware” on page 129.
See “Supported operating systems for Notification Server and site servers” on page 132.

Chapter 6 Preparing for the installation of IT Management Suite

This chapter includes the following topics:
■ About developing an installation plan
■ About the migration guides
■ About supported SQL Server collations
■ Considerations before you install Notification Server
■ Agent configuration considerations

About developing an installation plan

You use Symantec Installation Manager to install the Symantec Management Platform products. Before you install and run Symantec Installation Manager, you should develop an installation plan.

For information about upgrading an existing Notification Server environment, see the documents at https://www-secure.symantec.com/connect/articles/altiris-endpoint-management-migrations-and-upgrades-71.
As you develop an installation plan, you should answer the following questions:

■ What type of installation should you perform?
You must determine if the installation is a first-time installation or a migration from a previous version of the product. For both a first-time installation and a migration, you must also determine whether the computer can have an Internet connection. Although the overall process for each of these types of installations is very similar, the type of installation affects how you install the product.
See “About installing the Symantec Management Platform products” on page 146.
See “Overview of the installation process” on page 147.

■ How many computers do you plan to manage with the Symantec Management Platform products?
You configure the installation differently depending on the size of your environment. For example, in a large environment you would not install SQL Server on the same computer where you install the Symantec Management Platform products.

■ Does the computer meet the system requirements?
During the installation process, Symantec Installation Manager performs a readiness check to determine if the computer is ready for the installation. However, this check only verifies that the computer meets the minimum requirements. Before you begin the installation, you should make sure that the computer meets the system requirements that are appropriate for your environment.

■ Is the installation for a production environment or for evaluation purposes?
If you are an evaluator, you can quickly install and begin testing the products. In a production environment, Symantec recommends that you install the products in a test environment before you install them in a production environment. Use the test environment to evaluate and validate the Symantec Management Platform 7.1 functionality.
Throughout the process, keep the test server available to test, troubleshoot, and validate hot fixes and updates.

About the migration guides

Testing offline solution

The migration guides are intended to help you upgrade and migrate your infrastructure to version 7.1 SP2.

Migration guide from version 6.x to 7.1 SP2: IT Management Suite Migration Guide 6x to 7.1 SP2
Migration guide from version 7.0 to 7.1 SP2: IT Management Suite Migration Guide 7.0 to 7.1 SP2

The guides include information about the following categories of information:

■ Migration wizard instructions
This release includes a tool that is called the migration wizard. Migration wizard is designed to automate the gathering of data from your previous system so you can bring it into your new system. When you run the wizard, it gathers this data and stores it in a file. After you install version 7.1 SP2 you can use the wizard to import the data in this file into your new system.

■ Manual data migration instructions
Some data is not stored in your current installed database. The data migration wizard is unable to locate and migrate this data. You must manually copy this data from its previous location to its new equivalent location. After the data has been moved there may be additional steps you must take to make that data function in your new environment.

Note: Notification Server was renamed Symantec Management Platform (SMP) on December 03, 2010. All previously categorized articles and references that are listed as Notification Server are now found under Symantec Management Platform. This document lists all Notification Server references for 7.1 as Symantec Management Platform. It lists version 6.0 of the comparable architectural objects by their previous names (Notification Server 6.0, etc.).
About supported SQL Server collations

Symantec Management Platform supports the following SQL Server collations:
■ Latin1_General_BIN - Legacy binary format
■ Latin1_General_BIN2 - Binary format
■ Latin1_General_CI_AI - Latin (“normal”) alphabet, case insensitive, accent insensitive
■ Latin1_General_CI_AS - Latin alphabet, case insensitive, accent sensitive
■ Latin1_General_CS_AI - Latin alphabet, case sensitive, accent insensitive
■ Latin1_General_CS_AS - Latin alphabet, case sensitive, accent sensitive

Considerations before you install Notification Server

Before you install and run Symantec Installation Manager, you should develop an installation plan. As you develop a Notification Server installation plan, answer the following questions:

■ What type of installation should you perform?
You must determine if the installation is a first-time installation or an upgrade. For both a first-time installation and an upgrade, you must also determine whether the computer can have an Internet connection. Although the overall process for each of these types of installations is very similar, the type of installation affects how you install the product.

■ How many computers do you plan to manage with the Symantec Management Platform products?
You configure the installation differently depending on the size of your environment. For example, in a large environment you would not install SQL Server on the same computer where you install the Symantec Management Platform products.

■ Does the computer meet the system requirements?
During the installation process, Symantec Installation Manager performs a readiness check to determine if the computer is ready for the installation. However, this check only verifies that the computer meets the minimum requirements.
Before you begin the installation, you should make sure the computer meets the system requirements that are appropriate for your environment.

■ Is the installation for a production environment or for an evaluation environment?
If you are an evaluator, you can quickly install and begin testing the products. In a production environment, Symantec recommends that you install the products in a test environment before you install them in a production environment.

Agent configuration considerations

The default agent configuration settings are suitable for a small Notification Server environment. As your environment grows, or if your organization has particular requirements, you need to make the appropriate configuration changes.

Some configuration options to consider are as follows:
■ Enable Power Management settings if you need to turn managed computers on for any solution tasks.
■ Clone the default policies and divide the targeted systems between these policies in larger environments.
■ Make sure that each managed node has a single Symantec Management Agent policy applied.
■ Increase the agent communication parameters as node count increases. A general rule of thumb may be one hour for every 2,500 nodes.
■ Use bandwidth throttling where WAN or LAN links are slow.
■ To prevent server contention when a large number of managed computers turn on every day, set the communication startup delay to one hour.
■ The All site servers policy influences the site servers throughout the environment. This policy should be set to communicate regularly with Notification Server and receive updates with a reduced bandwidth throttle.
■ The All Windows Mobile policy influences all workstations which primarily connect to the network by a WAN/VPN connection. Set the policy to communicate with Notification Server every hour to help these systems to receive and download packages.
Set the agent to not download packages if the available bandwidth is less than 100Kb/sec.
■ Do not use non-ASCII characters in the files and the directory names when you configure installation settings.
■ The default installation of Notification Server has no maintenance window policies enabled.
■ When multiple maintenance window policies are applied to a computer, task execution is permitted during any available window. The agent checks to see if any windows are “activated” at the time of the scheduled execution.

Do not run a large distribution of the Symantec Management Agent during implementation. A best practice is to create specific filters to call a small subset of the systems that need an agent. You can build in dynamic elements to remove the computers from the filter after the agent is installed.

Chapter 7 Installing IT Management Suite

This chapter includes the following topics:
■ About installing the Symantec Management Platform products
■ Overview of the installation process
■ Managing the installation of the Symantec Management Platform products
■ Installing the Symantec Management Platform products
■ About installation tasks you can perform after the initial installation
■ About modifying the installation of a product
■ Adding a product listing file
■ Updating the product listing
■ About upgrading from IT Management Suite 7.1 to 7.1 SP2
■ Upgrading from IT Management Suite 7.1 to 7.1 SP2
■ Preparing to upgrade from IT Management Suite 7.1 to 7.1 SP2
■ Performing an upgrade to IT Management Suite 7.1 SP2

About installing the Symantec Management Platform products

You use Symantec Installation Manager to install the Symantec Management Platform products.
Symantec Installation Manager manages the entire installation process including licensing, data migration, and updates.

See “Overview of the installation process” on page 147.

The following types of installations can be performed with Symantec Installation Manager:

■ First-time installation
A first-time installation is for anyone who currently does not have Notification Server 6.x or Symantec Management Platform 7.x installed.
See “Installing the Symantec Management Platform products” on page 158.

■ On-box upgrade
You can do an on-box upgrade if you are moving from ITMS 7.1 or 7.1 SP1 to ITMS 7.1 SP2. You need to use the same hardware, server operating system, and CMDB that you are currently using.
See “About upgrading from IT Management Suite 7.1 to 7.1 SP2” on page 179.

■ Off-box migration
An off-box migration installs the Symantec Management Platform 7.1 products on a new computer. After you install Symantec Management Platform 7.1, you can migrate Notification Server 6.x or 7.0 data to the 7.1 Notification Server. How you migrate data and the data that is migrated depends on whether you are currently on Notification Server 6.x or Symantec Management Platform 7.0.
For more information, see the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP1 or the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP1.

Note: If your current Notification Server is installed on a 64-bit server, you can install the Symantec Management Platform 7.1 products on that computer. However, before you install the Windows 2008 R2 operating system, you must complete all of the required migration steps. Because the risk is high that some of these migration steps might not complete successfully, Symantec discourages the reuse of the current server. For more information about installing the Symantec Management Platform 7.1 products on your current Notification Server, see HOWTO32427.
■ Offline installation Installing IT Management Suite Overview of the installation process An offline installation installs the Symantec Management Platform 7.x products on a computer that does not have an Internet connection. An offline installation can be a first-time installation or a migration. To perform an offline installation, you have to create an installation package. To create the installation package, you use Symantec Installation Manager on a computer that has an Internet connection. You then run the installation package on the computer that does not have an Internet connection. See “Creating an installation package” on page 156. After you install Symantec Management Platform and the products that run on the platform, you use Symantec Installation Manager to perform additional installation tasks. These tasks include updating installed products, adding products, applying licenses to products, installing optional components, creating support packages, reconfiguring installed products, and repairing installations. See “About installation tasks you can perform after the initial installation” on page 166. Overview of the installation process Symantec Installation Manager manages the installation of the Symantec Management Platform products. As Symantec Installation Manager works through the installation process, it manages different types of tasks. See “Managing the installation of the Symantec Management Platform products” on page 148. See “About installing the Symantec Management Platform products” on page 146. Note: Symantec recommends that you install and test Symantec Management Platform in a test environment before you install it in a production environment. Table 7-1 Overview of the installation process Type of task Description Preinstallation When you run Symantec Installation Manager, a wizard walks you through a set of preinstallation tasks. These tasks configure the installation, Notification Server, and the SQL Server. 
See “Starting Symantec Installation Manager” on page 153.
See “Installing the Symantec Management Platform products” on page 158.

Type of task: Installation
Description: After you complete the preinstallation tasks, Symantec Installation Manager performs the following installation tasks:
■ Installs the platform, the selected products, and the selected optional components.
■ Configures the installed products.
■ Lets you apply licenses to the products.
See “About installing optional components” on page 169.
See “Applying licenses to a solution” on page 172.

Type of task: (Migration only) Data migration
Description: If you migrate to Symantec Management Platform 7.1, you can also migrate the Notification Server 6.x or 7.0 data. How you migrate data and the data that is migrated depends on whether you are currently on Notification Server 6.x or Symantec Management Platform 7.0.
When migrating from Symantec Management Platform 7.0, you can connect to the 7.0 database to migrate all of its data. You can also use the migration wizard to migrate data that is not in the database.
When migrating from Notification Server 6.x, you have to create a new database. However, you can use the migration wizard to migrate a lot of the data that is in your Notification Server 6.x database. Most of the data that the migration wizard migrates is actionable although some of it is read-only. You can also migrate data that is not in the database.
For more information, see the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP1 or the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP1.

Managing the installation of the Symantec Management Platform products

You use Symantec Installation Manager to manage the installation of the Symantec Management Platform products.
Symantec Installation Manager manages the entire installation process including licensing, data migration, and updates.

See “About installing the Symantec Management Platform products” on page 146.
See “Overview of the installation process” on page 147.

Note: Symantec recommends that you install and test Symantec Management Platform 7.1 in a test environment before you install it in a production environment.

Table 7-2 Process for managing the installation of the Symantec Management Platform products

Step 1
Action: Configure your system to meet the recommended system requirements.
Description: When you install Symantec Management Platform products, Symantec Installation Manager checks for the minimum system requirements. If the minimum system requirements are not met, it does not proceed with the installation. However, the minimum system requirements may not be sufficient for your environment.
Before you install Symantec Management Platform products, you should determine what the recommended system requirements are for your environment and configure your system accordingly. The recommended system requirements primarily depend on the number of your managed endpoints.
For more information, see the Altiris IT Management Suite from Symantec Planning and Implementation Guide at the following URL: http://www.symantec.com/docs/DOC4827

Step 2
Action: Install Symantec Installation Manager.
Description: You install Symantec Installation Manager in one of the following ways:
■ Download and install it from http://www.symantec.com.
■ If the Symantec Management Platform product is distributed on a CD, install it from the CD.
See “Installing Symantec Installation Manager” on page 151.
Except for an offline installation, you install Symantec Installation Manager on the computer where you plan to install the Symantec Management Platform products.
With an offline installation, you install Symantec Installation Manager and then use it to create an installation package. You then use the installation package to install Symantec Installation Manager and the Symantec Management Platform products on an offline computer.
See “Creating an installation package” on page 156.

Step 3
Action: Install the Symantec Management Platform products.
Description: You use Symantec Installation Manager to install the Symantec Management Platform products. If the installation is a migration, Symantec Installation Manager manages this process as well.
See “Installing the Symantec Management Platform products” on page 158.
For more information, see the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP2 or the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP2.
By default, when the installation is complete the Symantec Management Console opens. It opens to the Getting Started Web part if the products you installed do not specify that a different page in the console should open. You can also access the Getting Started Web part if you click My Portal on the Home menu. The Getting Started Web part contains videos and links to the help topics that explain the key concepts and tasks of the platform.

Step 4
Action: (Migration only) Migrate Notification Server 6.x or 7.0 data to the 7.1 computer.
Description: When you migrate from Symantec Management Platform 7.0 to Symantec Management Platform 7.1, you can keep your 7.0 Notification Server database. You can also migrate data that is not in the database.
When you migrate from Notification Server 6.x to Symantec Management Platform 7.1, you have to create a new database.
However, you can migrate a lot of the data that is in your Notification Server 6.x database although some of the migrated data is read-only. You can also migrate data that is not in the database.
For more information, see the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP2 at the following URL: http://www.symantec.com/docs/doc4742 or the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP2 at the following URL: http://www.symantec.com/docs/doc4743.

Step 5
Action: Perform installation tasks after the initial installation of the Symantec Management Platform products.
Description: After you install the Symantec Management Platform products, you can use Symantec Installation Manager to perform the following installation tasks:
■ Reconfigure installed products.
■ Update installed products.
■ Install new products.
■ Install optional components.
■ Apply licenses.
■ Repair broken installations.
■ Create a support package.
■ View installation logs.
See “About installation tasks you can perform after the initial installation” on page 166.

Installing Symantec Installation Manager

Symantec Installation Manager manages the installation of the Symantec Management Platform products. Symantec Installation Manager manages the entire installation process, including licensing, data migration, and updates.

See “About installing the Symantec Management Platform products” on page 146.

Except for offline installations, you install Symantec Installation Manager on the computer where you plan to install the Symantec Management Platform products. With an offline installation, you install Symantec Installation Manager on a computer that has an Internet connection.
You then use Symantec Installation Manager to create an installation package that you run on the computer that does not have an Internet connection.

See “Creating an installation package” on page 156.

If you migrate from Symantec Management Platform 7.0, use the same installation path for Symantec Installation Manager that you used on the 7.0 computer. For example, if the installation path is C:\Program Files on the 7.0 computer, then use C:\Program Files on the 7.1 computer. If the installation path is D:\Program Files on the 7.0 computer, then use D:\Program Files on the 7.1 computer.

Warning: If you change the installation path for Symantec Installation Manager from 7.0 to 7.1, you cannot upgrade the Symantec Management Agent and the agent plug-ins. We strongly recommend that you keep the installation path the same.

To install Symantec Installation Manager

1 Run the Symantec Installation Manager EXE file.
  If a Symantec Management Platform product has a Software Download page at www.symantec.com/business/products/downloads, you download the Symantec Installation Manager EXE file from that page. Go to Infrastructure Operations and click the product’s Trialware link. When you click the option to Download Now on the Software Download page, the Symantec Installation Manager EXE file is downloaded. The name of the file is symantecinstallationmanagersetup.exe.
  If a Symantec Management Platform product is distributed on a CD, the EXE file runs from the CD.

2 If Microsoft Windows Installer 4.5 is not installed, click Yes in the dialog box that asks you to install it.
  After you click Yes, a Software Update Installation Wizard appears and walks you through the installation of Windows Installer 4.5. After you install Windows Installer, you may have to restart your computer.
  Microsoft Windows Installer 4.5 is a prerequisite for the installation of Symantec Installation Manager.

3 If Microsoft .NET Framework 3.5 SP1 is not installed, click Yes in the dialog box that asks you to install it.
  After you click Yes, a Welcome to Setup dialog box appears where you initiate the installation of .NET Framework. After you install .NET Framework, you may have to restart your computer.
  .NET Framework 3.5 SP1 is a prerequisite for the installation of Symantec Installation Manager.

4 If Microsoft SQL Server is not installed on the computer, in the dialog box that appears, click one of the following options:

  Yes: Opens Web Platform Installer that installs Microsoft SQL Server 2008 Express. Before SQL Server Express is installed, a dialog box appears where you must select the authentication mode. Microsoft recommends the use of Windows Integrated Authentication mode. Symantec recommends that you always use a strong password with the authentication mode that you select.

  No: Proceeds with the installation of Symantec Installation Manager without installing Microsoft SQL Server. Use this option when Microsoft SQL Server is installed off-box.

  Cancel: Cancels the installation of Symantec Installation Manager. Use this option when you want to install Microsoft SQL Server Standard or Enterprise before installing Symantec Installation Manager.

5 In the Welcome dialog box, click Next.

6 In the License Agreement dialog box, check I accept the terms in the license agreement, and click Next.

7 In the Destination Folder dialog box, click Begin install to install the files in the default location.
  To install the files in a different location, click Browse, and specify a different location.

8 In the final dialog box, click Finish.
  By default, the Automatically launch Symantec Installation Manager option is selected on this page.
  This option opens Symantec Installation Manager to the Install New Products page.
  See “Overview of the installation process” on page 147.

Starting Symantec Installation Manager

After you use Symantec Installation Manager to install the Symantec Management Platform products, you then use Symantec Installation Manager to perform additional installation tasks. To perform these tasks, you must first start Symantec Installation Manager.

See “Installing Symantec Installation Manager” on page 151.
See “About installation tasks you can perform after the initial installation” on page 166.

When you start Symantec Installation Manager, if a new version is available, you are prompted to update to the new version. You can choose to update immediately or you can choose to delay the update.

See “Delaying the update of Symantec Installation Manager” on page 154.

To start Symantec Installation Manager

◆ On the Start menu, click All Programs > Symantec > Symantec Installation Manager > Symantec Installation Manager.

Delaying the update of Symantec Installation Manager

When you start Symantec Installation Manager, if a new version is available, you are prompted to update to the new version. You can choose to update immediately or you can choose to delay the update. For example, if the latest version must pass change control before you can use it, you might choose to delay the update. You can delay the update until the new version of Symantec Installation Manager is approved.

See “Starting Symantec Installation Manager” on page 153.

If you delay the update of Symantec Installation Manager, you do not lose any of its current functionality. However, Symantec Installation Manager is not able to update the product listing. An updated product listing contains the latest products and updates.
If you do not update Symantec Installation Manager, you also cannot take advantage of any changes in the functionality of the updated version.

Note: Symantec recommends that you update Symantec Installation Manager when an updated version is available.

When you delay updating Symantec Installation Manager, you can specify when Symantec Installation Manager should remind you to perform the update. If you then start Symantec Installation Manager after the specified time has elapsed, you are again prompted to perform the update. Each time the prompt appears, you can update Symantec Installation Manager or delay the update.

If the specified time to delay the update has not elapsed, you can update the product listing to begin the update process.

See “Updating the product listing” on page 178.

To delay the update of Symantec Installation Manager

1 When the Update Symantec Installation Manager dialog box appears, select when you want to be reminded to perform the update.
  This dialog box appears only when an updated version of Symantec Installation Manager is available. If you previously selected to delay the update, the dialog box does not appear until the delayed time expires. You can select to be reminded in one day, three days, one week, or one month.

2 Click OK.

About creating an installation package

To install the Symantec Management Platform products on a computer that does not have an Internet connection, you must create an installation package. The installation package that Symantec Installation Manager creates is a ZIP file. It contains the MSI files that are needed to install the products that you selected when you created the package. It also contains any licenses you purchased for the products.

See “Creating an installation package” on page 156.
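Because the installation package is built on one computer and carried to another, it is useful to confirm on the offline computer that the ZIP file and every file inside it arrived unchanged. The following Python code is an added example, not part of the Symantec documentation or of Symantec Installation Manager; it assumes Python 3 is available on both computers, its function names and manifest layout are hypothetical, and it relies only on what this section states about the package (a ZIP file that holds MSI files and a .pl.xml product listing file).

```python
"""Integrity manifest for an offline installation package (added example).

Assumption: the package is the ZIP file that Symantec Installation Manager
builds; the page states only that it holds MSI files, licenses, and a
product listing file (.pl.xml). Function names here are hypothetical.
"""
import hashlib
import zipfile
import zlib

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large MSI files stay out of memory


def _sha256_stream(stream):
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def build_manifest(package_path):
    """Hash the ZIP file and every file inside it.

    Run this on the Internet-connected computer right after the package is
    built, and carry the result to the offline computer by a separate path.
    """
    with open(package_path, "rb") as fh:
        package_hash = _sha256_stream(fh)
    members = {}
    with zipfile.ZipFile(package_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                members[info.filename] = _sha256_stream(member)
    return {"package_sha256": package_hash, "members": members}


def _content_problems(names):
    """Check the member list against what the page says a package contains."""
    problems = []
    lowered = [name.lower() for name in names]
    if not any(name.endswith(".msi") for name in lowered):
        problems.append("no MSI files in package")
    if not any(name.endswith(".pl.xml") for name in lowered):
        problems.append("no product listing (.pl.xml) in package")
    for name in names:
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ".." in parts or name[1:2] == ":":
            # Entries like these could be written outside the extraction folder.
            problems.append("unsafe member path: " + name)
    return problems


def verify_package(package_path, manifest):
    """Return a list of problems; an empty list means the package matches."""
    try:
        current = build_manifest(package_path)
    except (zipfile.BadZipFile, zlib.error, OSError) as exc:
        return ["package unreadable: %s" % exc]

    problems = []
    if current["package_sha256"] != manifest["package_sha256"]:
        problems.append("package hash mismatch")

    expected, found = manifest["members"], current["members"]
    for name in sorted(set(expected) - set(found)):
        problems.append("missing member: " + name)
    for name in sorted(set(found) - set(expected)):
        problems.append("unexpected member: " + name)
    for name in sorted(set(expected) & set(found)):
        if expected[name] != found[name]:
            problems.append("altered member: " + name)

    return problems + _content_problems(sorted(found))
```

Call build_manifest where the package is created, store the returned dictionary (for example with json.dumps), and call verify_package on the offline computer before you run the package.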
You can use Symantec Installation Manager to create an installation package for 32-bit and for 64-bit operating systems. Symantec Management Platform 7.0 is a 32-bit platform, whereas Symantec Management Platform 7.1 is 64-bit. You create the same installation package for both versions. The product listing file (.pl.xml) in the ZIP file is a platform-neutral XML file.

You can create an installation package even on a computer running an operating system that does not support the installation of Notification Server (the central component of the Symantec Management Platform). Only Microsoft Windows Server 2003 and Microsoft Windows Server 2008 platforms support the installation of Notification Server. Microsoft Windows XP and Windows 7 do not, but they do support Symantec Installation Manager. Note, however, that not all Symantec Installation Manager functionality is available on Windows XP (x86 and x64) and Windows 7 (x86 and x64). For an overview of the available functionality, please see the following table.

Table 7-3 Available Symantec Installation Manager functionality

OS where Symantec Installation Manager can be installed: Available Symantec Installation Manager functionality
MS Windows Server 2003: All SIM functionality
MS Windows Server 2008: All SIM functionality
MS Windows XP: Only the Create Installation Package link
MS Windows 7: Only the Create Installation Package link

Creating an installation package

See “About creating an installation package” on page 155.

To create an installation package

1 Install Symantec Installation Manager on any computer with Internet access.
  You use this installation of Symantec Installation Manager to create the installation package.
  See “Installing Symantec Installation Manager” on page 151.

2 Start Symantec Installation Manager.
  When you install Symantec Installation Manager, it starts by default. You can also start it manually.
  See “Starting Symantec Installation Manager” on page 153.

3 If the Install New Products page appears, click Cancel, and click Yes to confirm the cancellation.

4 On the Installed Products page, click Create installation package.

5 On the Products page, select the products to include in the package, specify the location for the ZIP file, and click Next.
  See “Install New Products page, Product Updates page, or Products page” on page 161.

6 On the Optional Installations page, check the optional components that you want to install and click Next.
  See “About installing optional components” on page 169.

7 On the End User License Agreement page, verify that the correct products were selected, check I accept the terms in the license agreements, and click Next.
  If you need to change the product selection, click Back twice.

8 On the Contact Information page, type the answers for the requested information, and click Next.

9 (Optional) On the Product Licensing page, apply licenses, and click Next.
  If you do not apply licenses, trial licenses are applied when the products are installed. You can use Symantec Installation Manager to apply licenses at any time.
  See “Applying licenses to a solution” on page 172.

10 On the Review Package Details page, review the information about the installation package, and click Begin build.
  The package is created and is saved in the location that is specified on this page.

11 On the Installation Package Complete page, click Finish.

Creating an update installation package

If you previously installed Symantec Management Platform products on a computer without an Internet connection, you created an installation package to install the products.
See “Creating an installation package” on page 156.

On Internet-connected servers, updates to Symantec Management Platform products automatically get flagged by Symantec Installation Manager. This functionality is not available if the computer is not connected to the Internet. Symantec Installation Manager does, however, let you export your product history as an .xml file. You then import this file to an Internet-connected computer. This import lets you create an installation package with only those products that need to get updated.

To export your server's product history

1 Go to the Notification Server computer that is not connected to the Internet and whose installation package you want to update.

2 Go to Start > All Programs > Symantec > Symantec Installation Manager to start Symantec Installation Manager.

3 If the Install New Products page appears, click Cancel, and click Yes to confirm the cancellation.

4 On the Settings page, click Export Product History.

5 Save this history file (for example, history.xml) to a portable device or shared drive.

To import your server's product history

1 Go to the Symantec Management Platform computer that is connected to the Internet and used to create installation packages.

2 Launch Symantec Installation Manager.

3 If the Install New Products page appears, click Cancel, and click Yes to confirm the cancellation.

4 On the Installed New Products page, click Create installation package.

5 On the Products page, click Import Installed History to import the other server's history.

6 Browse to the location of the history file.

7 Click Open.

8 Mark all products you want to update and click Next.

9 Select optional components and click Next.

10 Accept the license agreements.

11 Fill in your contact information.

12 Click Begin build.
  Symantec Installation Manager now builds the installation package.

13 Click Finish.
14 Copy the installation package to the Notification Server computer without Internet connectivity.

15 Install Symantec Installation Manager and the Symantec Management Platform products.

Installing the Symantec Management Platform products

Symantec Installation Manager manages the entire installation process for the Symantec Management Platform products.

See “About installing the Symantec Management Platform products” on page 146.
See “Overview of the installation process” on page 147.

Note: Symantec recommends that you install and test Symantec Management Platform in a test environment before you install it in a production environment.

For an offline installation, you must create and run an installation package before you can install the Symantec Management Platform products.

See “Creating an installation package” on page 156.

The following procedure is for an initial installation that installs the Symantec Management Platform and any other products that are selected. After the initial installation, you also use Symantec Installation Manager to install updates or additional products.

See “Installing a hotfix or an additional product” on page 167.

To install the Symantec Management Platform products

1 Start Symantec Installation Manager.
  When you complete the installation of Symantec Installation Manager, it starts by default. You can also start it on the Start menu at All Programs > Symantec > Symantec Installation Manager > Symantec Installation Manager.
  See “Installing Symantec Installation Manager” on page 151.

2 On the Install New Products page, select the products to install, and click Next.
  See “Install New Products page, Product Updates page, or Products page” on page 161.

  Warning: When migrating from Symantec Management Platform 7.0, be sure to have exact product parity.
  This means you need to install at least the same equivalent products that you installed on the previous version of the platform. Failure to have exact product parity can result in the corruption of the database and the operating system when you connect to the 7.0 database. Before you begin migration, create a list of the products that you have currently installed.

3 On the Optional Installations page, select the optional components that you want to install and click Next.
  When migrating to Symantec Management Platform 7.1, be sure to select the option to install the migration wizard components.
  See “About installing optional components” on page 169.

4 On the Install Location Configuration page, select the drive on which you want to install Symantec Management Platform products.
  These products can be installed on a drive different from where Symantec Installation Manager is installed.

5 On the End User License Agreement page, verify that the correct products were selected, check I accept the terms in the license agreements, and click Next.
  If you need to change the product selection, click Back twice.

6 On the Contact Information page, type the answers for the requested information, and click Next.

7 On the Install Readiness Check page, verify that the computer meets the minimum requirements, and click Next.
  See “Install Readiness Check page” on page 162.

8 On the Notification Server Configuration page, configure Notification Server, and click Next.
  See “Notification Server Configuration page” on page 163.

9 On the Database Configuration page, configure the database, and click Next.
  When migrating from Symantec Management Platform 7.0, connect to the restored 7.0 database.
  See “Database Configuration page” on page 165.

10 On the Review Installation Details page, verify the installation details, and click Begin install.
  The selected products are installed.
11 (Optional) On the Product Licensing page, apply licenses, and click Next.
  This page appears only when you initially install a product that requires a license. If you do not apply licenses, trial licenses are applied. You can use Symantec Installation Manager to apply licenses at any time.
  See “Applying licenses to a solution” on page 172.
  When migrating to Symantec Management Platform 7.1, you must first copy your product licenses to a location that is accessible from the 7.1 computer. For more information, see topics on migrating licenses in the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP1 or the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP1.

12 On the Installation Complete page, click Finish.
  If you installed the migration wizard, Run Notification Server Migration Wizard is checked on the Installation Complete page. If Run Notification Server Migration Wizard is checked when you click Finish, a dialog box displays the instructions for migrating Notification Server 6.x or 7.0 data.
  For more information, see the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP2 or Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP2.

Install New Products page, Product Updates page, or Products page

These pages let you select the products to install, update, or include in an installation package. On each of these pages, the options for selecting the products are the same. You access these pages from the Installed Products page as follows:

■ The Install new products option lets you access the Install New Products page.
  See “Installing the Symantec Management Platform products” on page 158.

■ The View and install updates option lets you access the Product Updates page.
  See “Installing a hotfix or an additional product” on page 167.
■ The Create installation package option lets you access the Products page.
  See “Creating an installation package” on page 156.

The Installed Products page also has the filtering and search options that appear on these product pages.

Table 7-4 Options on the product pages

Option: Filter by
Description: Defines what options appear in the Filter drop-down list.

Option: Filter
Description: Filters the products to display. The Filter by drop-down list defines the options that appear.

Option: Search
Description: Filters the displayed products. After you type a value, only the products with that value in their name or description appear.

Option: Product summary
Description: A summary of a product displays when you click a product name.

Option: Product check box
Description: A product is included in the installation when you check its check box. If you select a product that has one or more dependencies that are not checked, a dialog box appears that lists the dependencies. Click OK in the dialog box to install the dependencies. If you click Cancel, the check box for the product is also unchecked.

Option: Show all available versions
Description: Displays the previous versions of the products that are still available.

Option: Output location
Description: (Products page only) Displays the location of the ZIP file for the installation package. By default, the file is put on your desktop.

Install Readiness Check page

This page verifies whether the computer meets the minimum requirements for the installation. It also provides the recommended requirements for the installation.

See “Installing the Symantec Management Platform products” on page 158.

When a requirement is not met or includes a recommendation, a link in the requirement provides additional information or lets you install the required product. If a link does not let you install a required product, you must install the requirement yourself.
After you install a requirement yourself, you can click Check install readiness again to recheck the readiness of your computer.

A symbol precedes each installation requirement as follows:

■ The requirement and any recommendations are met.
■ The requirement is met and you can continue with the installation, but there are some recommendations to consider.
■ The requirement is not met. Do not continue with the installation until you meet the requirement.

Notification Server Configuration page

This page lets you configure Notification Server credentials and its Web site and email settings. On this page, you must either import, select, or have Symantec Installation Manager create a security certificate. You also have the option to use HTTPS to access the Symantec Management Console.

See “Installing the Symantec Management Platform products” on page 158.

Table 7-5 Options on the Notification Server Configuration page

Option: User name
Description: The user name to access Notification Server. Include the domain name or use ./username or computername/username. The user name must be a Windows user with local administrator rights to the Notification Server computer.

Option: Password
Description: The password for the account.

Option: Web site
Description: The Web site for Notification Server. After you configure a Web site, the Refresh option lets you see the Web site in the drop-down list.
After you configure a Web site, a Service Unavailable message may occur when you click Next, if one or more of the following conditions is true:
■ The Network Service account does not have Local Activation permissions to the Internet Information Services Admin service.
■ The ASP.NET worker process account on Notification Server does not have the correct file permissions.
■ Microsoft Windows SharePoint Services 3.0 is installed on the same Web site as Notification Server.
For more information, see the Microsoft knowledge base article 930461 that describes how to resolve these same issues for a different product.

Option: Fully Qualified Domain Name
Description: The Fully Qualified Domain Name must resolve to the same computer where Notification Server is installed.

Option: Certificate
Description: Provides the following options for supplying a certificate:
■ Create self-signed
  When you click Next on this page, a dialog box appears that informs you that Symantec Installation Manager automatically creates a self-signed certificate.
■ Import
  This option lets you browse to a security certificate file and import it.
■ <Available certificate>
  When you select this option, a Select Certificate drop-down appears that displays the certificates that already exist on the computer. Select the certificate you want to use from the list.
You can click the Certificate Requirements link to see the minimum requirements for certificates that are supported by Symantec Management Platform.

Option: Require HTTPS to access the Management Platform
Description: (Optional) Requires the use of HTTPS to access the Symantec Management Console. If you check this option, SSL port 443 is enabled and port 80 access is disabled.
HTTP is unsecured and is subject to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to Web site accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against such attacks.

Option: Configure my email information now
Description: (Optional) Lets you configure how Notification Server events are emailed. You must enter the DNS name or IP address of your SMTP server. If the server requires authentication, you must enter a valid user name and password.
The Send Test Email option lets you verify that Notification Server sends the email to the correct address. You can also configure the email in the Symantec Management Console after you install the product.

Database Configuration page

This page lets you configure the Notification Server database.

See “Installing the Symantec Management Platform products” on page 158.

Table 7-6 Options on the Database Configuration page

Option: Description

SQL Server name: The name of the server that runs Microsoft SQL Server. You can install the Configuration Management Database to a specific SQL Server instance by entering the server name and SQL instance. Example: SQL server name\SQL instance. For the logon, you can use Windows authentication or SQL server authentication. The Browse for SQL on the Network button starts a search for a database. If you do not select this button, SIM does not search for databases (either local or on the network). If you installed a SQL Express database through Symantec Installation Manager, this database automatically populates the SQL Server name field.

Database name: The Create new option lets you create a new SQL database whose default name is Symantec_CMDB. You can change this name to one that better fits your environment. The Use existing option lets you reinstall the Symantec Management Platform products on a different computer and access the existing database. When you migrate from Symantec Management Platform 7.0, it also lets you access a restored 7.0 database. If you used SQL credentials, the Refresh option lets you view an existing database. For more information, see topics on restoring the Configuration Management Database in the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP1.
Database timeout: The number of seconds before the database times out. You can increase this value if you generate reports with large amounts of data.

About installation tasks you can perform after the initial installation

After you use Symantec Installation Manager to install the Symantec Management Platform products, you can then use Symantec Installation Manager to perform the following tasks:

■ Reconfigure an installed product.
   See “Reconfiguring an installed product” on page 167.
■ Install updates or additional products.
   See “Installing a hotfix or an additional product” on page 167.
■ Install optional components.
   See “Installing optional components” on page 170.
■ Apply licenses to products.
   See “Applying licenses to a solution” on page 172.
■ Repair installations.
   See “Repairing the installation of an installed product” on page 173.
■ Uninstall products.
   See “Uninstalling the Symantec Management Platform products” on page 174.
■ Create a support package.
   See “Creating a support package” on page 174.
■ View installation logs.
   See “About Symantec Installation Manager logs” on page 175.

You initiate these tasks from the Installed Products page.

Reconfiguring an installed product

After Symantec Installation Manager installs the products that you selected, it configures those products. Normally, Symantec Installation Manager configures the installed products without any problems. However, sometimes Symantec Installation Manager can successfully install a product, but then be unable to configure the product successfully. This failure to configure a product successfully can have many causes. For example, a Web communication problem can cause the configuration to fail. If Symantec Installation Manager is unable to configure any products, a list of these unconfigured products appears at the end of the installation.
You can then access these unconfigured products on the Installed Products page and attempt to reconfigure them.

See “About installation tasks you can perform after the initial installation” on page 166.

If you reconfigure a product and it is still not properly configured, uninstall and reinstall the product. If reinstalling a product does not resolve the problem, create a support package that you can send to support.

See “Creating a support package” on page 174.

To reconfigure an installed product

1 On the Installed Products page, in the list of Installed products, click the product that you want to reconfigure.
2 Click Reconfigure and click Yes on the dialog box that appears.
   If the option to reconfigure a product does not appear, the product is properly configured. The option to reconfigure a product appears only if a product is installed but not configured.
3 When the configuration is complete, click Finish on the Configuration complete page.

Installing a hotfix or an additional product

After you use Symantec Installation Manager to install the Symantec Management Platform products, you then use Symantec Installation Manager to install hot fixes or additional products. The installation process is similar to an initial installation, but with fewer steps. When hot fixes for installed products are available, the text following View and install updates on the Installed Products page is green and displays the number of available updates. An update can be a hotfix or a service pack.

To install a hotfix or add a product

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
   See “Installing Symantec Installation Manager” on page 151.
2 On the Installed Products page, click one of the following options:
   ■ View and install updates
   ■ Install new products
3 If you clicked View and install updates, on the Product Updates page, select the updates to install, and click Next.
   See “Install New Products page, Product Updates page, or Products page” on page 161.
4 If you clicked Install new products, on the Install New Products page, select the products to install, and click Next.
   See “Install New Products page, Product Updates page, or Products page” on page 161.
5 On the Optional Installations page, check the optional components that you want to install and click Next.
   If an optional component is already installed, the option to install it is disabled. If no optional components are available, this page does not appear.
   See “About installing optional components” on page 169.
6 On the End User License Agreement page, verify that the correct products were selected, check I accept the terms in the license agreements, and click Next.
   If you need to change the product selection, click Back twice.
7 On the Contact Information page, click Next.
8 On the Review Installation Details page, verify the installation details, and click Begin install.
   The selected products are installed.
9 (Optional) On the Product Licensing page, apply licenses, and click Next.
   This page appears only when you add a new solution. If you do not apply licenses, trial licenses are applied. You can use Symantec Installation Manager to apply licenses at any time.
   See “Applying licenses to a solution” on page 172.
10 On the Installation Complete page, click Finish.

About installing optional components

Symantec Installation Manager has an Optional Installations page that lets you choose whether to install several components. These components are optional because you may not need them.
If you do not need them, you can choose not to install them. Not installing them reduces the installation time and the amount of space the installation uses on the computer.

The Optional Installations page appears after you select a product on the Install New Products page and click Next. This page does not appear if no optional installations are available. You can also access the Optional Installations page at any time to install the optional components.

See “Installing optional components” on page 170.

The optional components that can appear on the Optional Installations page are as follows:

■ Install Documentation
   This option installs the documentation for any products that you selected and for any installed products that do not have installed documentation.
■ Install Language Support
   This option installs language packs for any products that you selected and for any installed products that do not have installed language packs.
■ Install Migration Wizard Components for migrating Notification Server data
   This option installs the migration wizard components that you use to migrate Notification Server 6.x or 7.0 data to Symantec Management Platform 7.1. You can install this option without installing any of the Symantec Management Platform products.

Note: If you install the Symantec Management Platform 7.1 products on your current Notification Server, you must migrate any Notification Server data before you upgrade the operating system. You can install Symantec Installation Manager on another computer and install only the migration wizard components on that computer. You can then copy the migration wizard installation package to your current Notification Server and migrate the Notification Server data. For more information about installing the Symantec Management Platform 7.1 products on your current Notification Server, see HOWTO32427.
If a component is already installed, it is not enabled on the Optional Installations page except when you create an installation package. After you install an optional component, you can access it on the Installed Products page to uninstall or repair it.

See “Uninstalling or repairing optional components” on page 171.

Installing optional components

Symantec Installation Manager has an Optional Installations page that lets you choose whether to install several components.

See “About installing optional components” on page 169.

When you install Symantec Management Platform products, the Optional Installations page appears if any of the optional components are not installed. You can also use Symantec Installation Manager to access the Optional Installations page at a later time to install any optional components that are not installed. The following procedure describes how to access this page at a later time to install optional components.

See “Installing the Symantec Management Platform products” on page 158.

To install optional components

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
2 On the Installed Products page, click Install optional components.
3 On the Optional Installations page, check the components that you want to install and click Next.
4 On the End User License Agreement page, check I accept the terms in the license agreements and click Next.
5 On the Contact Information page, click Next.
6 On the Review Installation Details page, verify the installation details, and click Begin install.
7 On the Installation Complete page, click Finish.
   If you installed the migration wizard, Run Notification Server Migration Wizard is checked on the Installation Complete page.
   If Run Notification Server Migration Wizard is checked when you click Finish, a dialog box displays the instructions for migrating the Notification Server 6.x or 7.0 data. For more information, see the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP1 or the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP1.

Uninstalling or repairing optional components

Symantec Installation Manager has an Optional Installations page that lets you choose whether to install several components. If you install any of these optional components, you can also use Symantec Installation Manager to uninstall or repair them.

See “About installing optional components” on page 169.
See “Uninstalling the Symantec Management Platform products” on page 174.

To uninstall or repair optional components

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
2 To display the optional components that are installed, on the Installed Products page, press Ctrl+Shift+O.
   If you press Ctrl+Shift+O again, the optional components are removed from the Installed Products page.
3 In the list of installed products, select the optional component that you want to uninstall or repair.
   An optional component has (Optional component) below its name. When you select an optional component, the Repair and Uninstall options appear.
4 To uninstall an optional component, complete the following steps:
   ■ Click Uninstall, and click Yes to confirm the removal of the product.
   ■ On the Uninstallation Complete page, click Finish.
5 To repair an optional component, complete the following steps:
   ■ Click Repair.
     Windows Installer performs a repair of the installation.
   ■ On the Repair Complete page, click Finish.
Applying licenses to a solution

When you purchase a Symantec Management Platform product, you receive license files for each solution. You use Symantec Installation Manager to apply the licenses. You can apply the licenses when you install a product or at a later time. When you apply licenses, you can add new licenses or update existing licenses.

If you do not apply licenses, Symantec Installation Manager applies trial licenses. If you are connected to the Internet, it applies trial licenses that are good for at least 30 days. If you are not connected to the Internet, it applies seven-day trial licenses.

When migrating to Symantec Management Platform 7.1, you must first copy your product licenses to a location that is accessible from the 7.1 computer. You then use Symantec Installation Manager to reapply the licenses. For more information, see the Altiris IT Management Suite from Symantec Migration Guide version 6x to 7.1 SP2 or the Altiris IT Management Suite from Symantec Migration Guide version 7.0 to 7.1 SP2.

After a license is applied, it appears on the Product Licensing page of Symantec Installation Manager. If a license is expired, it still appears on the Product Licensing page. If a Symantec Management Platform 7.x solution has an expired license, it uses a trial license.

Note: Because some Notification Server 6.x solutions bundle with other solutions on Symantec Management Platform 7.x, their licenses cannot be reused.

To apply licenses to a solution

1 To apply licenses to a solution when you install it with Symantec Installation Manager, on the Product Licensing page, click Install licenses.
   The Product Licensing page appears after the product is installed.
   See “Installing the Symantec Management Platform products” on page 158.
2 To apply licenses to a solution at any time after you install it, complete the following steps:
   ■ Start Symantec Installation Manager.
     See “Starting Symantec Installation Manager” on page 153.
   ■ On the Installed Products page, click Add/Update licenses.
   ■ On the Product Licensing page, click Install licenses.
3 In the Select License Files dialog box, select the license files to apply, and click Open.
   To select multiple licenses, press Ctrl when you select the license files.
4 Read the message that explains how the licenses affect the applicable products, and click Yes to proceed.
5 After you apply the licenses, on the Product Licensing page, click Next or Close.
6 On the dialog box that appears, click Restart services to restart the Notification Server services or Apply without restart to continue without restarting the services.
   If you restart the services, the licenses are applied immediately. If you do not restart the services, the licenses might not be applied for 30 or more minutes.
   This dialog box also has an Always perform this action when installing licenses option. If you check this option, the dialog box does not appear when you apply additional licenses and the action you select is always performed.
7 If you apply the licenses to a solution when you install it, the Installation Complete page appears.
8 If you apply the licenses to a solution at any time after you install it, the Installed Products page appears.

Repairing the installation of an installed product

You use Symantec Installation Manager to install the Symantec Management Platform products. You also use Symantec Installation Manager to repair the installation of any Symantec Management Platform product. Because all of the installation files are MSIs, Symantec Installation Manager invokes Windows Installer to repair an installation.

If you have optional components installed, you can also repair them.

See “Uninstalling or repairing optional components” on page 171.

To repair the installation of an installed product

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
2 On the Installed Products page, select a product to repair.
   When you select a product, the Repair option appears.
3 Click Repair.
   Windows Installer performs a repair of the installation.
4 On the Repair Complete page, click Finish.

Creating a support package

If you encounter problems with the installation of Symantec Management Platform products, you can create a support package that you can send to Symantec Support. The support package is a ZIP file that includes Notification Server logs, Symantec Installation Manager logs, installation history information, and registry information.

Note: The option Enable Windows Installer logging in the Symantec Installation Manager's Settings dialog enables the creation of verbose logs. ("Verbose" is another word for "very detailed.") Verbose logs are valuable for troubleshooting and are enabled by default.

See “Installing the Symantec Management Platform products” on page 158.
See “About Symantec Installation Manager logs” on page 175.

The name of the support package is support with the date and time appended. By default, the support package is created in the C:\Program Files\Altiris\Symantec Installation Manager\Support directory.

To create a support package

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
2 On the Installed Products page, click Settings.
3 In the Settings dialog box, click Create Support Package.
4 To access the support package, in the dialog box that appears, check Open containing folder and click OK.

Uninstalling the Symantec Management Platform products

You can uninstall the Symantec Management Platform products with Symantec Installation Manager. Symantec Installation Manager lets you uninstall a specific product.
If you uninstall the Symantec Management Platform, the platform and the other installed products are uninstalled. When you uninstall the platform with Symantec Installation Manager, Symantec Installation Manager is not uninstalled.

You can also use Windows Add/Remove Programs to uninstall the Symantec Management Platform products. Add/Remove Programs uninstalls the platform, all installed products, and Symantec Installation Manager. If you used Symantec Installation Manager to uninstall the platform, you can use Add/Remove Programs to uninstall Symantec Installation Manager.

If you have optional components installed, you can also uninstall them.

See “Uninstalling or repairing optional components” on page 171.

To uninstall products with Symantec Installation Manager

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
2 On the Installed Products page, select the product to uninstall.
   When you select a product, the Uninstall option appears.
3 Click Uninstall, and click Yes to confirm the removal of the product.
   The product is uninstalled from the Symantec Management Platform. The solution no longer appears in the console and all entries in the database are deleted.
4 On the Uninstallation Complete page, click Finish.

To uninstall products with Add/Remove Programs

1 Access Windows Add/Remove Programs.
2 Click Symantec Platform and Solutions, and click Remove.
   If you uninstalled the Symantec Management Platform products with Symantec Installation Manager, this action uninstalls Symantec Installation Manager.

About Symantec Installation Manager logs

Symantec Installation Manager creates logs during its installation, repair, and uninstallation. It can create two types of logs: verbose and non-verbose. Verbose logs contain more detailed information about events and are thus more useful for troubleshooting.
They can also affect performance by creating large log files. Non-verbose logs contain much less information, such as the event's timing and a minimal description. By default, verbose logging is enabled.

When you create a Support package, logs are included in the package to facilitate troubleshooting.

See “Viewing Symantec Installation Manager logs” on page 176.
See “Creating a support package” on page 174.

Types of logs include install logs, uninstall logs, and repair logs.

■ Install logs detail what happens during the installation of all installed .msi files.
■ Uninstall logs list the uninstall behavior of all .msi files that were uninstalled.
■ Repair logs list what happened when a .msi file was repaired.

The logs are stored in one of two locations:

■ Before Symantec Management Platform is installed, SIM logs are generated in the directory C:/Users/<username>/AppData/Local/temp/SIM Logs. (The user name refers to the user who installed Symantec Installation Manager.) Note that these logs stay in this location even after Symantec Management Platform is installed.
■ After the installation of the Symantec Management Platform, logs are generated, by default, in C:\ProgramData\Symantec\SMP\Logs\.

Disabling the creation of verbose Symantec Installation Manager logs

Verbose logging is turned on by default in Symantec Installation Manager. Verbose logging is useful for troubleshooting purposes. However, it can create large log files and can slow down performance. If you decide that you want to disable it, follow these instructions.

See “About Symantec Installation Manager logs” on page 175.
See “Viewing Symantec Installation Manager logs” on page 176.

To disable the creation of verbose logs

1 In Symantec Installation Manager, on the Installed Products screen, click Settings.
2 Uncheck the checkbox next to Enable Windows Installer logging.
Viewing Symantec Installation Manager logs

Symantec Installation Manager logs can give you and Symantec Support valuable information. You can view logs about any errors that happened during the installation, repair, or uninstallation of Symantec Installation Manager or the products it installs. Logs are placed in different locations based on whether Symantec Management Platform has been installed or not.

See “About Symantec Installation Manager logs” on page 175.

To view logs before the installation of Symantec Management Platform

1 Go to C:/Users/<username>/AppData/Local/temp/SIM Logs.
2 View the Symantec Installation Manager logs that were generated.

Note: The user name in step 1 is the name of the user who installed Symantec Installation Manager.

To view logs after the installation of the Symantec Management Platform and its products

1 Go to the default location of these logs, C:/ProgramData/Symantec/SMP/Logs.
2 View the log or logs pertaining to the Symantec product you installed.

About modifying the installation of a product

In Symantec Installation Manager, when you select a product on the Installed Products page, a Modify option appears. At this time, the Modify option is disabled for all products.

See “Repairing the installation of an installed product” on page 173.

Adding a product listing file

Symantec Installation Manager uses a product listing file to display a list of products that you can install. If you purchase a product that has its own product listing file, you must add that file to install the product. The default product listing file is symantec.pl.xml.zip. A product listing file can also be an uncompressed file.

To add a product listing

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
   See “Installing Symantec Installation Manager” on page 151.
2 If the Install New Products page appears, click Cancel, and click Yes to confirm the cancellation.
3 On the Installed Products page, click Settings.
4 In the Settings dialog box, click Change product listing.
5 In the Manage Product Listings dialog box, click Add.
6 In the Add New Product Listing dialog box, specify the path to the new product listing file, and click OK.
   By default, the product listing file is refreshed daily. You can change this value to any value in the Refresh interval drop-down list. If the path requires a user name and password, specify them as well.
   See “Updating the product listing” on page 178.
7 In the Manage Product Listings dialog box, click OK.
   By default, the product listing file you added is selected in this dialog box.
8 In the Settings dialog box, click OK.
   The products from the new products listing file appear on the Install New Products page.

Updating the product listing

Symantec Installation Manager accesses a product listing file that lists the products you can install and update. By default, it updates the product listing file once a day. You can also manually update the product listing file at any time. You can also edit how frequently Symantec Installation Manager gets the latest product listing file.

See “Adding a product listing file” on page 177.

To update the product listing manually

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
   See “Installing Symantec Installation Manager” on page 151.
2 If the Install New Products page appears, click Cancel, and click Yes to confirm the cancellation.
3 On the Installed Products page, click Settings.
4 In the Settings dialog box, click Update now.

To change when a product listing is updated

1 Start Symantec Installation Manager.
   See “Starting Symantec Installation Manager” on page 153.
   See “Installing Symantec Installation Manager” on page 151.
2 If the Install New Products page appears, click Cancel, and click Yes to confirm the cancellation.
3 On the Installed Products page, click Settings.
4 In the Settings dialog box, click Change product listing.
5 In the Manage Product Listings dialog box, select the product listing, and click Edit.
6 In the Edit Product Listing dialog box, in the Refresh interval, select the time interval.

About upgrading from IT Management Suite 7.1 to 7.1 SP2

To upgrade from IT Management Suite 7.1 or 7.1 SP1 to IT Management Suite SP2, you must perform an upgrade process. An upgrade is warranted under these circumstances:

■ Same server hardware (on box)
■ Same server operating system
■ Same IT Management Suite CMDB

See “Upgrading from IT Management Suite 7.1 to 7.1 SP2” on page 180.

To migrate from IT Management Suite 7.0 or 6.x to IT Management Suite SP2, you must perform a migration process. A migration is warranted under these circumstances:

■ New or consolidated hardware (off box)
■ Updated operating system
■ New CMDB
■ Moving from IT Management Suite 7.0
■ Moving from IT Management Suite 6.x

For migration instructions from 7.0 platforms to ITMS 7.1 SP2, see the Altiris™ IT Management Suite from Symantec™ Migration Guide version 7.0 to 7.1 SP2. For migration instructions from 6.x platforms, see the Altiris™ IT Management Suite from Symantec™ Migration Guide version 6x to 7.1 SP2.

Upgrading from IT Management Suite 7.1 to 7.1 SP2

You can upgrade from IT Management Suite 7.1 or 7.1 SP1 to IT Management Suite 7.1 SP2. An upgrade happens on box or on the same server hardware, as opposed to a migration, which involves migrating to new hardware.
For more information on migration, see:

■ Altiris™ IT Management Suite from Symantec™ Migration Guide version 7.0 to 7.1 SP2
■ Altiris™ IT Management Suite from Symantec™ Migration Guide version 6x to 7.1 SP2

Table 7-7 Process for upgrading to IT Management Suite 7.1 SP2

Step 1
Action: Prepare to upgrade.
Description: Before you upgrade to IT Management Suite 7.1 SP2, you must prepare your environment. See “Preparing to upgrade from IT Management Suite 7.1 to 7.1 SP2” on page 180.

Step 2
Action: Perform the upgrade.
Description: After you prepare your environment, you can perform the upgrade. See “Performing an upgrade to IT Management Suite 7.1 SP2” on page 182.

Preparing to upgrade from IT Management Suite 7.1 to 7.1 SP2

Before you can perform an upgrade to IT Management Suite 7.1 SP2, you must prepare for the upgrade. Preparing for the upgrade is a step in the process for upgrading to IT Management Suite 7.1 SP2.

See “About upgrading from IT Management Suite 7.1 to 7.1 SP2” on page 179.

To prepare for the upgrade

1 Back up the IT Management Suite server.
2 Back up the CMDB database.
3 In Symantec Management Console, click the Settings tab, and record the following configuration settings:
   ■ Task server settings under Task Settings
   ■ Agent communication settings under Agents/Plug-ins
   ■ Policy refresh settings under Notification Server > Resource and Data class Settings > Resource Membership Update
   ■ Membership update settings under Notification Server > Resource and Data class Settings > Resource Membership Update
4 If hierarchy and replication are enabled, disable them. For more information, see www.symantec.com/docs/HOWTO44016.
5 In Symantec Management Console, click Reports > Notification Server Management > Server > Replication, and click Current Replication Activity.
6 Verify that the Current Replication Activity report is blank.
   If the report returns any results, you must wait until all replication activity has been completed before you perform the upgrade.
7 In Symantec Management Console, click Settings > Notification Server > Hierarchy > Hierarchy Management, and on the parent node, right-click and then select Edit.
8 Select the schedule tab, uncheck the schedules, and click Save.
   This action disables the complete and differential standard replication schedules to prevent replication rules from running while the upgrade is in progress.
9 In C:\ProgramData\Symantec\SMP\EventQueue\, remove any existing NSE files from the "\bad" folders:
   ■ EvtInbox\bad
   ■ EvtQFast\bad
   ■ EvtQLarge\bad
   ■ EvtQSlow\bad
   ■ EvtQueue\bad
10 Open the Log Viewer in Start > All Programs > Symantec > Diagnostics > Altiris Log Viewer.
11 Check Symantec logs for existing errors or warnings. If any errors or warnings are found, take note and try to resolve them before the upgrade.
12 Go to Start > All Programs > Accessories > System Tools > Task Scheduler > Microsoft.
13 Select the task NS package refresh and click Run.

Now you can perform the upgrade according to the instructions in Performing an upgrade to IT Management Suite 7.1 SP2.

Performing an upgrade to IT Management Suite 7.1 SP2

You must perform an upgrade if you move from IT Management Suite 7.1 or 7.1 SP1 on the same server hardware and configuration database.

See “About upgrading from IT Management Suite 7.1 to 7.1 SP2” on page 179.

To ensure that your upgrade runs without problems, you must first prepare your system for the upgrade.

See “Preparing to upgrade from IT Management Suite 7.1 to 7.1 SP2” on page 180.

To perform an upgrade to IT Management Suite 7.1 SP2

1 Launch Symantec Installation Manager in Start > All Programs > Symantec > Symantec Installation Manager. Right-click the Symantec Installation Manager icon and select Run as administrator.
2 To upgrade all installed products to IT Management Suite 7.1 SP2, select Install new products. Then select the checkboxes next to all IT Management Suite product suites that are currently installed.
  Warning: Do NOT use the option View and install updates to upgrade your system. This action may result in an unverified scenario.
3 In Symantec Management Console, click the Settings tab, and compare the configuration settings to the ones you recorded when you prepared to upgrade. See “Preparing to upgrade from IT Management Suite 7.1 to 7.1 SP2” on page 180. Revert to the settings you recorded to keep your system running as it did before the upgrade.
4 If you have hierarchy implemented in your environment, upgrade all the servers in the hierarchy. The supported method is to upgrade the Notification Servers in the hierarchy from the bottom up. This means that you should upgrade the lowest child node first and then work your way up. Ensure that each child Notification Server is upgraded to a higher version before its parent. You do not need to break any hierarchy relationships in the process. For more information, see www.symantec.com/docs/HOWTO21657. Then turn hierarchy and replication back on.
5 Open the Log Viewer at Start > All Programs > Symantec > Diagnostics > Altiris Log Viewer.
6 Check Symantec logs for errors or warnings and resolve them.
7 Perform a database defragmentation of the Symantec CMDB database. For more information, go to the Microsoft TechNet site.
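Step 9 of the preparation procedure (clearing the "\bad" queue folders) lends itself to a script. The PowerShell below is an added example, not code from the Symantec guide; it moves the files into an archive folder rather than deleting them, and the archive path and the .nse file extension are assumptions.

```powershell
<#
Added example, not Symantec code: empties the five "bad" event-queue folders
named in step 9 by moving their NSE files into a dated archive folder, so the
files stay available for troubleshooting after the upgrade.
Assumptions: NSE files use the .nse extension; $ArchiveRoot is a hypothetical
path; the script runs elevated on the Notification Server.
Written for Windows PowerShell 2.0 and later. Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$EventQueueRoot = 'C:\ProgramData\Symantec\SMP\EventQueue',
    [string]$ArchiveRoot    = 'C:\PreUpgradeBackup\BadNSE'   # hypothetical location
)

$queues = 'EvtInbox', 'EvtQFast', 'EvtQLarge', 'EvtQSlow', 'EvtQueue'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

function Get-BadNse([string]$Dir) {
    # Files only; recurse in case the bad folder contains sub-folders.
    Get-ChildItem -Path $Dir -Filter '*.nse' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
}

$summary = foreach ($queue in $queues) {
    $badDir = Join-Path (Join-Path $EventQueueRoot $queue) 'bad'
    $row = New-Object PSObject -Property @{
        Queue = $queue; Found = 0; Moved = 0; Remaining = 0; Note = ''
    }
    if (-not (Test-Path -Path $badDir -PathType Container)) {
        $row.Note = 'bad folder not present'
        $row
        continue
    }
    # Normalise the path so the relative-path arithmetic below is reliable.
    $badDir = (Get-Item -LiteralPath $badDir).FullName

    $files = @(Get-BadNse $badDir)
    $row.Found = $files.Count
    foreach ($file in $files) {
        # Keep the sub-folder layout so equal file names cannot collide.
        $relative = $file.DirectoryName.Substring($badDir.Length).TrimStart('\')
        $destDir  = Join-Path (Join-Path $ArchiveRoot $stamp) $queue
        if ($relative) { $destDir = Join-Path $destDir $relative }

        if ($PSCmdlet.ShouldProcess($file.FullName, "Move to $destDir")) {
            try {
                if (-not (Test-Path -Path $destDir)) {
                    New-Item -Path $destDir -ItemType Directory -Force | Out-Null
                }
                Move-Item -LiteralPath $file.FullName -Destination $destDir -ErrorAction Stop
                $row.Moved++
            }
            catch {
                Write-Warning "Could not move $($file.FullName): $($_.Exception.Message)"
            }
        }
    }
    # Recount so the report shows what is still left in the folder.
    $row.Remaining = @(Get-BadNse $badDir).Count
    $row
}

$summary | Select-Object Queue, Found, Moved, Remaining, Note | Format-Table -AutoSize

# A non-zero Remaining means step 9 is not finished for that queue.
if ($summary | Where-Object { $_.Remaining -gt 0 }) {
    Write-Warning 'NSE files remain in one or more bad folders; resolve before upgrading.'
}
```

Run it once with -WhatIf to see which files would be moved, then again without it from an elevated prompt.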
Chapter 8 Installing the Deployment Solution

This chapter includes the following topics:
■ About installing Deployment Solution
■ Preinstallation requirements for Deployment Solution
■ Installing Deployment Solution components
■ Installing Deployment Plug-in
■ Installing an automation folder
■ Installing Deployment site server components
■ Installation path of Deployment Solution tools
■ Upgrading Deployment Solution components
■ Uninstalling Deployment Solution components
■ Enabling the uninstallation policy
■ Uninstalling Deployment Solution through Symantec Installation Manager
■ Repairing Deployment Solution

About installing Deployment Solution

Deployment Solution can only be installed on Symantec Management Platform. Symantec Management Platform has its own set of functionalities that are extended to all of the solutions and suites that are integrated with it. Hence, Deployment Solution also leverages the capabilities of Symantec Management Platform and provides you with a wider range of functionalities.

After Deployment Solution is installed on Symantec Management Platform, you have to enable different predefined policies to complete Deployment Solution installation. These predefined policies install Deployment Plug-in, automation folder, and Deployment site server components.

Deployment Solution provides several predefined policies for the Windows and Linux platforms. These predefined policies are related to installing, upgrading, and uninstalling different Deployment Solution installer components in your environment. Each predefined policy uses a filter that specifies the client computers that it affects. Also, policies update their targeted computers after those computers request any policy updates. The policies run on the specified client computers only when they are enabled.
You can access each predefined policy by clicking the Settings menu and then expanding the Agents/Plug-ins and the Deployment and Migration folders.

Table 8-1 Deployment Solution predefined installation policies
Policy name | Description
Deployment Automation Folder - Install | Installs the automation folder in the boot directory on the client computers. The automation folder lets you reboot the client computer to the preboot environment using WinPE or Linux PE. See “Installing an automation folder” on page 191.
Deployment Automation Folder - Uninstall | Uninstalls the automation folder that was previously installed. See “Enabling the uninstallation policy” on page 197.
Deployment Automation Folder - Upgrade | Upgrades the automation folder on the client computer, which requires the latest version of the automation folder. To upgrade the automation folder from x86 to x64 on Windows client computers, you must first uninstall the automation folder for Windows x86. Then, reinstall the automation folder for Windows x64. See “Upgrading Deployment Solution components” on page 195.
Deployment Plug-in - Install | Installs the plug-in that performs the Deployment Solution tasks. See “Installing Deployment Plug-in” on page 190.
Deployment Plug-in - Uninstall | Uninstalls the Deployment Plug-in that was previously installed. See “Enabling the uninstallation policy” on page 197.
Deployment Plug-in - Upgrade | Upgrades the plug-in on the client computer, which requires the latest version of the plug-in. Deployment Plug-in upgrade is not supported for the Linux operating system. See “Upgrading Deployment Solution components” on page 195.
Deployment Site Server Components - Install | Installs the Deployment site server components on the computers that have Symantec Management Platform or site server installed on them. Deployment site server components contain different tools, processes, and Deployment Solution Task Handlers that are required to perform deployment tasks and store packages. See “Installing Deployment site server components” on page 192.
Deployment Site Server Components - Uninstall | Uninstalls the site server components that were previously installed. See “Enabling the uninstallation policy” on page 197.
Deployment Site Server Components - Upgrade | Upgrades the site server component on the client computer, which requires the latest version of the site server component. See “Upgrading Deployment Solution components” on page 195.

See “Preinstallation requirements for Deployment Solution” on page 188.
See “Installing Deployment Solution components” on page 189.

Preinstallation requirements for Deployment Solution

Before you start the Deployment Solution installation, you must verify the following:
■ Symantec Installation Manager (SIM) is installed.
■ Symantec Management Platform is installed.
■ Symantec Management Agent for UNIX and Windows is preinstalled on the client computers.
■ Symantec Management Agent for Unix, Linux, and Mac is installed if you plan to use UNIX and Mac client computers.
■ JRE 1.5 or later enabled browser is required.
■ Symantec Administrator Software Development Kit (SASDK) is installed if you plan to use the Web Services API.
■ Client computers have Pre-boot eXecution Environment (PXE) enabled on them.
■ DHCP is up and running with PXE support.
■ Silverlight 4 is installed.
■ The storage and the network drivers in your environment are collected.
■ The remote site server is configured on the supported platform if you plan to manage clients in a different subnet. For a remote site server to be configured, a package server and a task server should be installed on the supported platform.
■ The package server is installed on Symantec Management Platform and on all remote site servers.
■ DNS is properly configured. Client computers inside different subnets should be able to ping Symantec Management Platform and the remote site server using FQDN.
See “Components of Deployment Solution” on page 76.

Installing Deployment Solution components

You can install Deployment Solution on Symantec Management Platform through Symantec Installation Manager (SIM). Symantec Installation Manager installs Symantec Management Platform and also provides options to install its suites and solutions. You can select the Deployment Solution option from the listed solutions. Symantec Installation Manager downloads the selected product from the product site and installs it on your server through an installation wizard. This installation wizard verifies the installation and guides you through the product installation.

After Deployment Solution is installed on Symantec Management Platform, you have to enable different policies to complete the Deployment Solution installation. These policies install the Deployment Plug-in, the automation folder, and the Deployment site server components. For Linux, only x86 policies are supported for Deployment Plug-in and automation folder.

Table 8-2 Process for installing Deployment Solution components
Step | Action | Description
Step 1 | Install the Deployment plug-in. | Enable the Deployment Plug-in - Install policy. The Deployment Plug-in is required to run and manage the deployment-specific tasks on the client computers. See “Installing Deployment Plug-in” on page 190. Ensure that you set proper filters while installing the Deployment Plug-in, so that the 64-bit policy gets installed on 64-bit OS clients and the 32-bit policy gets installed on 32-bit OS clients. Otherwise, the Install Windows OS task fails.
Step 2 | Install the automation folder. | Enable the Automation Folder - Install policy. The Automation folder is required to store the preboot configuration. See “Installing an automation folder” on page 191. Ensure that you set proper filters while installing the Automation Folder, so that the 64-bit policy gets installed on 64-bit OS clients and the 32-bit policy gets installed on 32-bit OS clients. Otherwise, the Install Windows OS task fails.
Step 3 | Install the Deployment site server components, if required. | Enable the Deployment site server components Install policy. Enable this policy only if you have the remote site server installed on the Symantec Management Platform. Deployment site server components are required to offload some of the traffic to Symantec Management Platform. It is used for all deployment processes. See “Installing Deployment site server components” on page 192.

See “About installing Deployment Solution” on page 185.
See “Upgrading Deployment Solution components” on page 195.

Installing Deployment Plug-in

Deployment Solution is installed on Symantec Management Platform and Deployment Plug-in is a component of Deployment Solution. Deployment Plug-in is installed on client computers to manage deployment tasks. This plug-in enables you to create and deploy disk images, perform remote OS installation, change your system settings, and migrate the personality settings.

Predefined policies to install, upgrade, and uninstall the Deployment plug-in are provided with Deployment Solution. It provides installation policies for 32-bit and 64-bit client computers. Hence, it supports Windows x64, Windows x86, and Linux x86. You can install the policy on your target computer.
If you plan to install Deployment Plug-in on a Linux operating system that has a static IP environment, ensure that you have manually entered the names of the site server and the Symantec Management Platform server, and their IP addresses, in the /etc/hosts file.

You cannot install the Deployment Solution plug-in in a maintenance window by using the Run once ASAP in maintenance window only option. You are required to schedule the installation using the Add Schedule option.
See “About installing Deployment Solution” on page 185.

To install Deployment Plug-in
1 In the Symantec Management Console, on the Settings menu, click Agent/Plug-ins > All Agents/Plug-ins.
2 In the left pane, expand the Agents/Plug-ins > Deployment and Migration folders.
3 Choose either a Linux or Windows installation and expand the corresponding folder.
4 Click the Deployment Plug-in - Install policy.
5 In the right pane, in the Program name box, ensure that the correct policy is selected.
6 Under Applied to, select the computers that you want to install the plug-in on.
7 (Optional) Under Schedule, select when you want to install the plug-in.
8 (Optional) Click Advanced to check if the computers you selected are available at the exact time that you scheduled. You can also select start and end dates on this page.
9 Under Extra schedule options, select the options that you want.
10 Ensure that the policy is enabled. A green On symbol shows in the top right corner.
11 Click Save changes.
See “Installing Deployment Solution components” on page 189.

Installing an automation folder

An automation folder stores the preboot operating system. With the help of the preboot operating system (WinPE and Linux PE) the client computers are rebooted to the automation environment. Both the PXE server and the automation folder can be used to reboot the client computer to the automation environment to perform deployment tasks.
Predefined policies to install, upgrade, and uninstall the automation folder are provided with Deployment Solution. The automation folder is supported on Windows x64, Windows x86, and Linux x86. You can create your own 64-bit automation packages and policies using the preboot configuration options.

Ensure that proper filters are set while installing the Deployment Plug-in and Automation Folder. Ensure that a 64-bit policy gets installed on 64-bit clients and a 32-bit policy gets installed on 32-bit clients.

To install an automation folder
1 In the Symantec Management Console, on the Settings menu, click Agent/Plug-ins > All Agents/Plug-ins.
2 In the left pane, expand the Agents/Plug-ins > Deployment and Migration folders.
3 Choose either a Linux or Windows installation and expand the corresponding folder.
4 Click the Automation Folder - Install policy.
5 In the right pane, in the Program name box, ensure that the correct policy is selected.
6 Under Applied to, select the computers that you want to install the plug-in on.
7 Under Schedule, select when you want to install the plug-in.
8 (Optional) Click Advanced to check if the computers you selected are available at the exact time that you scheduled. You can also select start and end dates on this page.
9 Under Extra schedule options, select the options that you want.
10 Ensure that the policy is enabled. A green On symbol shows in the top right corner.
11 Click Save changes.
See “Installing Deployment Plug-in” on page 190.

Installing Deployment site server components

Deployment site server component lets you offload some of the traffic and workload from your primary Symantec Management Platform. You can set up multiple task servers and Deployment site server components to handle your jobs and tasks. Symantec Management Agent then uses the assigned Deployment site server components for all deployment tasks. These tasks include imaging, scripted OS installation, copy file, and the tasks that are associated with packages. The tasks can be scheduled to run immediately or at a later specified time. This process improves scalability.
See “About installing Deployment Solution” on page 185.

Before installing the Deployment components on a site server, you should install the Package Service and Task Service on that site server.

The following are the supported operating systems for Deployment site server components:
■ Windows Server 2003 SP2
■ Windows Server 2003 R2 SP2
■ Windows Server 2008
■ Windows Server 2008 R2
■ Windows Server 2008 R2 SP1

For the Linux operating system, if there is no domain controller present in the environment, then ensure that the Agent Connectivity Credential (ACC) configuration is set up as expected. Also, ensure that ACC is enabled on every site server that is configured in the environment. Ensure that user credentials for site server and the Symantec Management Platform server are the same.
See “Setting up ACC” on page 194.

All Deployment computer images and Personality Packages are created on the task server that each managed computer works with. To deploy an image that was created on a different task server, you must replicate that image to your task server. You can replicate the image using the package replication that is contained in Symantec Management Platform. You can also configure specific replication rules for disk image packages.

You must install the site server components before you can replicate packages, including driver packages. After the components are installed, your packages become valid and can then be replicated. You can uninstall and upgrade the components by choosing the appropriate policy.

For more information, search for site server and task server topics in the Symantec Management Platform Help.
To install Deployment site server components
1 In the Symantec Management Console, on the Settings menu, click Agent/Plug-ins > All Agents/Plug-ins.
2 In the left pane, expand the Agents/Plug-ins > Deployment and Migration > Windows folders.
3 Click the Deployment Site Server Components - Install policy.
4 In the right pane, in the Program name box, ensure that the correct policy is enabled.
5 (Optional) Under Schedule, select when you want to install the components.
6 (Optional) Click Advanced to check if the computers you selected are available at the exact time that you scheduled.
7 Under Extra schedule options, select the options that you want.
8 Ensure that the policy is enabled. A green On symbol shows in the top right corner.
9 Click Save changes.
See “Setting up ACC” on page 194.

Setting up ACC

For the Linux operating system, if there is no domain controller present in the environment, then ensure that the Agent Connectivity Credential (ACC) configuration is set up as expected. Also, ensure that ACC is enabled on every site server that is configured in the environment.

To set up ACC
1 In the Symantec Management Console, select Settings > Agent/Plug-in > Global settings.
2 Click the Authentication tab.
3 Select Use these credentials and enter the Symantec Management Platform user name and password.
4 Click Save changes.
5 In the Symantec Management Console, select Settings > Notification Server > Site Server Settings.
6 On the right pane, expand Site Management > Settings > Package Service > Package Service Settings.
7 On the left pane, under Security Settings, select the Create the Agent Connectivity Credential on Package Servers (provided the ACC is not a domain account) check box.
8 Click Save changes.
After the site server retrieves the updated policies from Notification Server, an ACC account is created on the site server for package download and task server connectivity.
See “Installing Deployment site server components” on page 192.

Installation path of Deployment Solution tools

Deployment Solution includes many of the tools that you might have used in the traditional Deployment Solution product. The main Deployment Solution tools are installed in the following default installation locations on the Windows platform:
■ PC Transplant Editor
  C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Task Handler\PCT\PCTEdit.exe
■ PC Transplant Wizard
  C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Task Handler\PCT\PCTWiz.exe
■ Boot Disk Creator
  C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Task Handler\bootwiz.exe
■ RapiDeploy ImageExplorer
  C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Task Handler\rdeploy\imgexpl.exe
■ Ghost Image Explorer
  C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Task Handler\ghost\Ghostexp.exe
■ Image Importer
  C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Task Handler\Tools\ResourceImporterTool.exe
See “Components of Deployment Solution” on page 76.

Upgrading Deployment Solution components

You can upgrade the Deployment Plug-in, Automation Folder, and Deployment site server components to the latest version by using the upgrade policy. By default, this policy is turned off. The Deployment Plug-in upgrade is not supported in the Linux operating system. The upgrade policy uses filters to determine if an upgrade is necessary. You can access the filters that are used from the Manage > Filters > Software Filters > Agent and Plug-in Filters menu.
See “About installing Deployment Solution” on page 185.

To upgrade Deployment Solution components
1 In the Symantec Management Console, on the Settings menu, click Agent/Plug-ins > All Agents/Plug-ins.
2 In the left pane, expand the Agents/Plug-ins > Deployment and Migration folders.
3 Click the relevant upgrade policy.
4 In the right pane, in the Program name box, ensure that the correct policy is selected.
5 Under Applied to, select the computers that you want to upgrade the plug-in on.
6 (Optional) Under Schedule, select when you want to upgrade the plug-in.
7 (Optional) Click Advanced to check if the computers you selected are available at the exact time that you scheduled.
8 Under Extra schedule options, select the options that you want.
9 Ensure that the policy is enabled. A green On symbol shows in the top right corner.
10 Click Save changes.
See “Repairing Deployment Solution” on page 199.

Uninstalling Deployment Solution components

You can uninstall the Deployment Plug-in, an automation folder, or the Deployment site server components from the client computers, if required. To perform the uninstallation you have to enable the relevant uninstall policy.

Table 8-3 Process for uninstalling Deployment Solution components
Action | Description
Uninstall the Deployment Plug-in | You can uninstall the Deployment plug-in by using the Deployment Plug-in - Uninstall policy under the relevant operating system. This policy is turned off by default. To use this policy, turn off the install policy. Otherwise, the plug-in can be reinstalled as soon as it is uninstalled. See “Installing Deployment Plug-in” on page 190. After the uninstall policy is turned on, the plug-in is uninstalled from all computers that meet the criteria of the filter. If you change the Applied to option to Computers, you can select individual computers.
Uninstall the automation folder | You can uninstall the automation folder by using the Automation Folder - Uninstall policy under the relevant operating system. After the uninstall policy is turned on, the automation folder is uninstalled from all computers that meet the criteria of the filter. If you change the Applied to option to Computers, you can select individual computers.
Uninstall the Deployment site server components | You can uninstall Deployment site server components by using the Deployment site server components - Uninstall policy under the relevant Windows operating system. After the uninstall policy is turned on, the Deployment site server components are uninstalled from all computers that meet the criteria of the filter. If you change the Applied to option to Computers, you can select individual computers.

See “Enabling the uninstallation policy” on page 197.

Enabling the uninstallation policy

You can enable the uninstallation policy for Deployment Plug-in, automation folder, and Deployment site server components. Enabling the uninstall policy uninstalls the component from the selected client computers.

To enable uninstall policy
1 In the Symantec Management Console, on the Settings menu, click Agent/Plug-ins > All Agents/Plug-ins.
2 In the left pane, expand the Agents/Plug-ins > Deployment and Migration folders.
3 Choose either Linux or Windows and expand the relevant folder.
4 Click the relevant uninstall policy.
5 In the right pane, in the Program name box, ensure that the correct policy is selected.
6 Under Applied to, select the computers that you want to uninstall the plug-in from.
7 (Optional) Under Schedule, select when you want to uninstall the plug-in.
8 (Optional) Click Advanced to check if the computers you selected are available at the exact time that you scheduled.
9 Under Extra schedule options, select the options that you want.
10 Ensure that the policy is enabled. A green On symbol shows in the top right corner.
11 Click Save changes.
See “About installing Deployment Solution” on page 185.

Uninstalling Deployment Solution through Symantec Installation Manager

You can uninstall Deployment Solution through Symantec Installation Manager without uninstalling the Deployment Solution components.

To uninstall Deployment Solution through Symantec Installation Manager
1 From the Start menu, select Programs > Symantec > Symantec Installation Manager.
2 On the Symantec Installation Manager console, select Deployment Solution Suites from the Programs list.
3 Click Uninstall.
4 Click Finish when prompted that the repair is complete.
See “About installing Deployment Solution” on page 185.
See “Uninstalling Deployment Solution components” on page 196.

Repairing Deployment Solution

You can repair Deployment Solution to bring it back to its default state. You can use this option if you encounter an error while installing or setting up Deployment Solution, or performing imaging tasks.

To repair Deployment Solution
1 On the Windows Start menu, click Programs > Symantec > Symantec Installation Manager.
2 In the Symantec Installation Manager console, click Programs > Deployment Solution Suites.
3 Click Repair.
4 Click Finish when the repair is complete.
See “About installing Deployment Solution” on page 185.
See “Uninstalling Deployment Solution components” on page 196.
Chapter 9 Configuring Notification Server

This chapter includes the following topics:
■ About configuring Notification Server
■ Configuring the Configuration Management Database
■ Purging the Configuration Management Database
■ Saving resource data history in the CMDB
■ Configuring Notification Server settings
■ Configuring Notification Server settings
■ Configuring Notification Server settings with NS Configurator
■ Performing a first-time setup configuration

About configuring Notification Server

The default Notification Server configuration settings are suitable for most purposes and you do not normally need to change them. These default settings are specified when you install the Symantec Management Platform. However, as the needs of your organization change, you can make the appropriate configuration changes.
See “About Notification Server” on page 37.
For more information, see the Symantec Management Platform Installation Guide.

You can perform the following types of configurations:
Configure the Configuration Management Database (CMDB) settings. | See “Configuring the Configuration Management Database” on page 202.
Set up database purging. | See “Purging the Configuration Management Database” on page 204.
Configure resource data history retention. | See “Saving resource data history in the CMDB” on page 205.
Configure Notification Server settings. These settings include event processing, status message logging, the email message server and default addresses, and a proxy server. | See “Configuring Notification Server settings” on page 210.
Configure the Notification Server settings that do not appear in the Symantec Management Console. | See “Configuring Notification Server settings with NS Configurator” on page 214.
Specify the software delivery package distribution point credentials. | See “Distribution point credential settings” on page 213.

Configuring the Configuration Management Database

Notification Server has a database, called the Configuration Management Database (CMDB). Both Notification Server and solutions use the CMDB to store configuration items and resource data.
See “About the Configuration Management Database” on page 39.
See “About configuring Notification Server” on page 201.

You can make any necessary changes to the CMDB configuration settings. When Notification Server is installed, the CMDB is configured as part of the installation process. You do not normally need to make any further changes. However, there may be occasions when you need to change the CMDB configuration settings. For example, if you upgrade the hardware on which your Microsoft SQL Server runs, or if you are instructed to do so by Symantec Support.

Table 9-1 Configuration Management Database settings
Setting | Description
Database Server name | The name of the SQL server that contains the CMDB. Use the format servername\instancename. For example, SydNS\sql_cp1_cs_as.
Database Credentials | The user name and password that are required to access the CMDB. You can use Notification Server application credentials for Windows authentication. You may want to use this method to avoid being affected by any password change policy that is enforced in your organization. The application credentials are specified in the Processing tab of the Server Settings page. See “Notification Server processing settings” on page 209. You also have the option to use SQL authentication. To use SQL authentication you can specify the appropriate SQL login user name and password. Note: If you want to switch database authentication to SQL, you must make this change on both tabs (General and Reports). The General tab is the default tab that appears when you open the Database Settings page. If you make the change only on the General tab, Notification Server is not fully functional, and you may experience errors with some operations.
Database Name | You can select an existing database from the list of those available or create a new database. If you select an existing database, ensure that it is the same version as Notification Server.
Repair Database | Lets you repair the CMDB. You may need to do this procedure when you restore Notification Server from a backup to a new computer.
Command Timeout | The length of time that Notification Server attempts to process a query, such as running a report or updating a filter. You may want to change this value for performance reasons, such as a high load on the SQL server causing queries to time out. We recommend that you set the ASP Script timeout value in Microsoft IIS to a value equal to or greater than the command timeout value. Consult your database administrator before making any changes.
Public report credentials | The security context to be used for running report queries on the CMDB. These credentials provide less security than the database credentials (which are for the database administrator). These credentials are used to access the database and run the appropriate SQL query when a user runs a report.

To configure the Configuration Management Database
1 In the Symantec Management Console, in the Settings menu, click Notification Server > Database Settings.
2 On the Database Settings page, on the General and Reports tabs, make the appropriate configuration changes.
3 Click Apply.
Purging the Configuration Management Database

To manage the size of the Configuration Management Database (CMDB), you can specify how long certain types of data are stored. You can specify storage length for data such as reports, managed computers, and event data. For example, if you experience poor performance when running reports, try purging your events or configure the event purging options to save less data.

See “About configuring Notification Server” on page 201.
See “Configuring the Configuration Management Database” on page 202.

The data that can be purged from the CMDB includes the following:

■ Report snapshots
  Snapshots older than a specified amount of time can be deleted.
■ Managed computers that have not communicated with Notification Server for longer than a specified amount of time
  These can be deleted or set as retired. The CMDB is updated when the CMDB purging schedule is run.
■ Resource event data
  Event data older than a specified amount of time can be deleted. You can optionally specify a maximum number of rows to retain. If the event data table reaches this size, new rows continue to be added until the next scheduled update. When the CMDB purging schedule runs, the table is trimmed back to its maximum size. The table is trimmed by removing the oldest rows, even if the oldest data has not been retained for the specified time.

You can have the same settings for all data classes, or you can set custom settings for some or all data classes. A custom setting for a data class overrides the global setting. If no custom setting is made for a data class, the global setting is used for that data class. The same CMDB purging schedule is used in all cases.

The CMDB purging schedule is a Windows schedule that you set when you install Notification Server. You cannot change it through the Symantec Management Console.
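The purge rules above interact: a row cap can remove event data that is younger than the configured retention time, which matters when event data is relied on for later investigation. The following Python model is an added example, not Symantec code; the function names, the data class name, the setting values and the event rate are constructed for illustration.

```python
"""Model of the CMDB resource event data purge rules described in this section.
Added illustration only; every name and value here is hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PurgeSetting:
    max_age: timedelta               # event rows older than this are deleted
    max_rows: Optional[int] = None   # optional row cap, enforced at each purge run


def effective_setting(data_class: str, global_setting: PurgeSetting,
                      custom: Dict[str, PurgeSetting]) -> PurgeSetting:
    """A custom setting for a data class overrides the global setting."""
    return custom.get(data_class, global_setting)


def purge(rows: List[datetime], now: datetime, setting: PurgeSetting
          ) -> Tuple[List[datetime], List[datetime], List[datetime]]:
    """Apply one purge run to the event timestamps of one data class.

    Returns (kept, expired, evicted_early):
      expired        rows older than max_age
      evicted_early  rows still inside max_age that were removed because they
                     were the oldest rows above max_rows
    """
    ordered = sorted(rows)
    cutoff = now - setting.max_age
    expired = [t for t in ordered if t < cutoff]
    kept = [t for t in ordered if t >= cutoff]
    evicted_early: List[datetime] = []
    if setting.max_rows is not None and len(kept) > setting.max_rows:
        surplus = len(kept) - setting.max_rows
        # The table is trimmed by removing the oldest rows first.
        evicted_early, kept = kept[:surplus], kept[surplus:]
    return kept, expired, evicted_early


def guaranteed_history(setting: PurgeSetting, rows_per_day: float) -> timedelta:
    """History still present right after a purge run, at a steady event rate."""
    if setting.max_rows is None or rows_per_day <= 0:
        return setting.max_age
    return min(setting.max_age, timedelta(days=setting.max_rows / rows_per_day))


def sample_rows(now: datetime, days: int = 40, per_day: int = 200) -> List[datetime]:
    """Constructed sample data: per_day events on each of the last `days` days."""
    return [now - timedelta(days=d, minutes=m)
            for d in range(days) for m in range(1, per_day + 1)]


if __name__ == "__main__":
    now = datetime(2012, 1, 31)
    global_setting = PurgeSetting(max_age=timedelta(days=30))
    custom = {"Example event class": PurgeSetting(timedelta(days=30), max_rows=1000)}
    for data_class in ("Example event class", "Another event class"):
        setting = effective_setting(data_class, global_setting, custom)
        kept, expired, early = purge(sample_rows(now), now, setting)
        print(data_class, "kept", len(kept), "expired", len(expired),
              "evicted before retention time", len(early),
              "history left", guaranteed_history(setting, 200))
```

At 200 events per day, the 1,000-row cap leaves about five days of history after each purge run even though the age setting is 30 days.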
If you want to make any changes to the schedule, you can do so through the Windows Control Panel.

To purge the Configuration Management Database

1 In the Symantec Management Console, in the Settings menu, click Notification Server > Purging Maintenance.
2 In the left pane, in the Purging Maintenance folder, click Purging Maintenance.
3 On the Purging Maintenance page, on the Purging Maintenance tab, specify the report purge settings and computer data purge settings that you want.
4 On the Resource Event Data Purge Settings tab, specify the resource event data purging settings that you want.
5 To override the purging schedule and purge the CMDB immediately, on the Purging Maintenance tab, click Purge Now.
6 Click Save Changes.

Saving resource data history in the CMDB

Notification Server captures resource data in real time as it collects inventory data. You can choose to create a resource data history for each type of resource and resource association. For each history, you can specify how long to retain the history data in the CMDB.

See “About configuring Notification Server” on page 201.
See “Configuring the Configuration Management Database” on page 202.

A resource data history can include data from any of the data classes. A resource association history can include data from any of the resource association types.

To save resource data history in the CMDB

1 In the Symantec Management Console, in the Settings menu, click Notification Server > Purging Maintenance.
2 In the left pane, in the Purging Maintenance folder, click Resource History.
3 On the Resource History page, for each resource data class type and resource association type that you want to configure, take the following actions on the appropriate tabs:
  ■ Expand the data class or association type.
  ■ Select the data classes or associations for which you want to create resource data history.
  ■ For each data class or association, specify the period for which you want to keep the resource data history. In the corresponding drop-down list, select the time period (Days, Weeks, or Months). Then enter the appropriate number of days, weeks, or months. Any resource data older than the time that is specified for its type is deleted from the CMDB on the purging schedule.
4 Click Save Changes.

Configuring Notification Server settings

Notification Server settings that you can configure include event processing, status message logging, and the email message server and default addresses.

See “About configuring Notification Server” on page 201.

You can also configure other Notification Server settings with NS Configurator.

See “Configuring Notification Server settings with NS Configurator” on page 214.

To configure Notification Server settings

1 In the Symantec Management Console, in the Settings menu, click All Settings.
2 In the left pane, in the Settings folder, click Notification Server > Notification Server Settings.
3 On the Server Settings page, make the appropriate changes in the following tabs:

Processing: You can enable or disable Notification Server Event (NSE) processing, specify the application identity of Notification Server, and restart Notification Server services manually. See “Notification Server processing settings” on page 209.

Email: You can specify the mail server that Notification Server uses and set the default To and From email addresses. See “Email server and address settings” on page 211.

Logging: You can specify the types of status messages, such as Notification Server errors, warnings and information messages, that you want logged by Notification Server. See “Status message logging settings” on page 212.
Proxy: If you don’t want to allow Notification Server users direct access to the network, you can configure a proxy server. See “Proxy server settings” on page 213.

Distribution Point Credential: You can specify the credentials that Notification Server uses to access your package distribution points. See “Distribution point credential settings” on page 213.

4 To confirm your changes, click OK.

Notification Server processing settings

You can enable or disable Notification Server Event (NSE) processing, and specify the application identity of Notification Server. An NSE is an XML file that is passed between Notification Server and the Symantec Management Agent (including solution plug-ins).

See “Configuring Notification Server settings” on page 210.

Notification Server Events contain information such as the following:

■ Communication with the Symantec Management Agent
■ Events processing
■ Basic inventory or full inventory
■ Success or failure of package download

NSE processing is enabled by default when you install Notification Server, but there may be occasions when you need to disable or reenable it. For example, when you install a solution, all event processing is automatically paused. After installation completes, event processing should restart automatically. If that does not happen, a warning message appears in the Symantec Management Console, and you are prompted to reenable NSE processing manually. Any NSEs that are received while NSE processing is disabled are stored on the Notification Server computer, so they are not lost.

To reenable NSE processing, click on the warning message and then, in the dialog box that appears, click Resume.

The application identity of Notification Server is the account under which Notification Server runs. You specify the appropriate user name and password when you install Notification Server, and you only need to update it when necessary.
For example, if your organization has a password change policy, the CMDB access credentials may be forced to change. The application identity no longer has permission to log on to the SQL server.

Warning: You cannot use special characters in the application identity user name or password. You may use only alphanumeric characters.

The user ID that you define requires the following permissions:

■ Local administrator permissions on Notification Server and any remote Windows 2000/XP/2003/Vista computers to which you want to install the Symantec Management Agent.
■ Permission to act as part of the operating system and log on as a batch job and a service.
■ Permission to log on to the SQL server. If the user ID does not have this permission, you can specify a different user name and password to log on to the CMDB.
■ Permission to connect to any SQL server to which Notification Server may attach. For example, an SMS database for Web Administrator for SMS or Lease database for Contract Management Solution.

Notification Server services are restarted automatically when the application identity is changed. However, the Restart Services option lets you manually restart the services when necessary. For example, if you make a change to the database, you need to restart the services to make the changes take effect.

If the application identity password fails, Notification Server is unable to access the CMDB. You cannot reset the application identity through the Symantec Management Console, as the console uses the same password to access Notification Server. You need to use the ASConfig utility to access the Web services directly and reset the application identity password using the appropriate command line.

Email server and address settings

You can define a mail server and the To and From email addresses for Notification Server email messages. Notification Server uses SMTP to send email messages. The email address can be any valid SMTP address that your SMTP server recognizes.

See “Configuring Notification Server settings” on page 210.

You can enable Symantec solutions to send you the email messages that are based on the data that Notification Server receives. The email address that you specify can receive notices of reports successfully run, automation actions executed, and system scalability checks. These emails help you monitor and manage your Notification Server activities.

The email settings are configured when you install Notification Server, and you do not normally need to change them.
However, if the SMTP server changes, or if you want someone else to receive the email messages, you need to make the appropriate changes.

The Send Test Email option lets you test the email server and address settings by sending a message using the current settings. You need to confirm the changes by clicking OK before you send the test email.

Status message logging settings

You can specify the types of status messages, such as Notification Server errors, warnings, and information messages, that you want logged by Notification Server. Log messages that Notification Server generates are written to log files in the installation path\Altiris\Notification Server\Logs directory (by default).

Note: When you upgrade Notification Server from 6.x to 7.x, the migration wizard writes any messages to the 6.x log file location rather than the 7.0 log file location. The 6.x log file location is C:\WINDOWS\system32\Altiris Logs. You need to look in this log file to see any migration errors. The Log Viewer displays only the logs that are filed at the default 7.0 location. The migration log entries are not included.

See “Configuring Notification Server settings” on page 210.

You can log any of the following message types:

■ Errors
■ Warnings
■ Information
■ Trace

You can also choose to archive log files that are older than a particular time. If you set this option, the relevant log files are archived daily at 05:00 a.m.

See “Opening the Log Viewer” on page 212.

Opening the Log Viewer

You can view all status messages in the Log Viewer. Being able to view messages can be helpful in troubleshooting and monitoring your Notification Server.

See “Status message logging settings” on page 212.

To open the Log Viewer

◆ In the Start menu, click All Programs > Symantec > Diagnostics > Altiris Log Viewer.
Proxy server settings

If you don’t want Notification Server users to have direct access to the network, you can configure a proxy server. For example, if you have Notification Server and your managed computers inside your organization's firewall, a proxy server provides security. You can set up a proxy server to provide a safe way through the firewall without exposing Notification Server. This setup helps Notification Server safely obtain patches or download solutions from external Web sites.

See “Configuring Notification Server settings” on page 210.

Using a proxy server may improve Notification Server performance by using less bandwidth and filtering requests when requesting files from the Internet. One example is PMImport data.

The Test Settings option validates the proxy server settings by attempting to connect to an external Web site. If error messages appear when you test the settings, ensure that your authentication credentials are correct. Ensure that your proxy server is running and that no general network errors exist.

Distribution point credential settings

You can specify the distribution point credentials (DPC) that Notification Server uses to access software delivery packages. These packages are located on a network share that is accessed through a UNC path. Notification Server publishes these packages to a virtual HTTP directory that uses the DPC to connect to the UNC share.

See “Configuring Notification Server settings” on page 210.

You must specify the distribution point credentials before you create a software package that is accessed from an existing UNC path. The credentials must have permission to validate user accounts and have read permission on all the files on the remote distribution points.
Notification Server can use either of the following credentials:

Agent Connectivity Credential: All Symantec Management Agents use the Agent Connectivity Credential (ACC) to connect to a secured resource. The ACC is set in the Global Agent Settings policy.

User-specified credentials: If the packages are stored in a location that is not accessible with the Agent Connectivity Credential, you can make them accessible. To make packages accessible, specify the user name and password of an account that does have the appropriate access. You cannot use special characters in the user name or password. You may use only alphanumeric characters.

Configuring Notification Server settings with NS Configurator

The NS Configurator is a configuration tool that lets you change most core Notification Server configuration settings. These settings include many that are not accessible from the Symantec Management Console. You should only use NS Configurator to change these settings if you know the effect that each setting has on the system.

See “About configuring Notification Server” on page 201.

When a user starts NS Configurator, a security check is performed to determine if the user has permission to view or modify Notification Server settings. If a user does not have permission, a warning message appears and the tool closes.

To configure Notification Server settings with NS Configurator

1 To start NS Configurator, run the NSConfigurator.exe file. This file is at Program Files\Altiris\Notification Server\Bin\Tools. When you run this tool, it opens the CoreSettings.config file that is at Program Files\Altiris\Notification Server\Config.
2 Do one of the following to find the setting you want to change:
  ■ In the navigation tree in the left pane, locate the setting.
  ■ In the search field in the upper right-hand corner, enter your search text and click Search. In the list of search results, click the Show link for that setting.
3 In the right pane, change the setting and click Save. If you enter an invalid value for a setting, an error message appears. You can only save your changes if you enter a valid value.
4 To restore the default value, click Restore Default. The Restore Default option appears only if the setting had a default value.

Performing a first-time setup configuration

When you install Symantec Management Platform, you configure Notification Server as part of the installation process. No further configuration is needed before you can start using Notification Server. In the unlikely event that you install Symantec Management Platform without accompanying versions of certain products, you see a number of links to configuration pages. In this scenario, you must configure the platform manually.

See “About configuring Notification Server” on page 201.

However, when you install Symantec Management Platform 7.1 and accompanying versions of certain products, you see enhanced console views. In this scenario, your first-time setup configuration provides a Welcome to the Symantec Management Console portal page to simplify the initial configuration process. Some of the solutions that are included in your suite may require configuration before you can use them.

The Welcome to the Symantec Management Console portal page is a single point of entry for performing key configuration actions for solutions in the suites that you have installed. These actions represent the essential settings that you need to configure to start using the solutions.
You see the Welcome to the Symantec Management Console page if you install any of the following products:

■ Deployment Solution
■ IT Management Suite
■ Server Management Suite
■ Client Management Suite

In the left pane of the Welcome to the Symantec Management Console page, the key configuration actions are listed. In the right pane, a color key lists each task next to an associated color. As you perform each action, a vertical bar on the right changes color to show progress through the setup process, from discovery to deployment.

See Table 9-2 on page 216.

After you perform the first-time setup configuration, you may need to perform additional configuration tasks. The need to perform additional steps depends on the solutions and suites that you have installed initially or that you install after the first-time setup. Additional, advanced settings are available from the Settings menu and may be available from other areas of individual solutions. For more information about the configuration options for the individual solutions and products, see the documentation for those products.

Table 9-2 Process for performing a first-time setup configuration

Step 1
Task: Discover computers.
Description: Ping all connected computers. See “Discovering computers” on page 217.

Step 2
Task: Installing the Symantec Management Agent.
Description: After you roll out the agent to computers, those computers become managed computers. Notification Server can send information and data to managed computers. It also receives information from managed computers. If you have installed the products that make enhanced console views visible in Symantec Management Console, rolling out the agent includes an auto-tuning step. This step lets you automatically optimize the Symantec Management Agent settings based on the number of computers that are in your environment. See “Installing the Symantec Management Agent” on page 219.
Step 3
Task: Collect inventory.
Description: In this step, Notification Server collects the information that the newly deployed agents gather from managed computers. See “Collecting inventory information” on page 224.

Step 4
Task: Deploy preboot environments.
Description: Finally, you can deploy preboot environments. See “Deploying preboot environments” on page 226.

Chapter 10 Setting up managed computers

This chapter includes the following topics:

■ Discovering computers
■ Installing the Symantec Management Agent
■ Agent and task setting options
■ Collecting inventory information
■ Deploying preboot environments

Discovering computers

Discovering computers means identifying the computers that are in your environment. Before you can manage computers, you must first identify the available computers and select those that you want to manage using the Symantec Management Agent.

To discover computers, you first select the type of computers on which you want to install the Symantec Management Agent. You discover Windows computers with Active Directory Import. You discover UNIX, Linux, and Mac computers with a ping sweep for an IP range that you select.

Discovering computers is a step in the process for performing a first-time setup configuration.

See “Performing a first-time setup configuration” on page 215.

To discover computers

1 If you do not already see the Welcome to the Symantec Management Console page, in Symantec Management Console click Home > Notification Server Management > First Time Setup.
2 On the Welcome to the Symantec Management Console page, click Discover Computers.
3 In the Discover Computers dialog box, complete the discovery steps.

Step 1 Windows
Lets you import Windows computers by either domain or workgroup.
Note: If you prefer to discover computers using a network scan, select nothing on this page, but click Next.
To import Windows computers by domain:
  1 Check the box to import Windows computers.
  2 Click a radio button to choose whether to import from Microsoft Active Directory or through domain membership/WINS.
  3 Click the down-arrow next to Domain or Workgroup to select a domain or a workgroup. Or, you can enter a domain name or a workgroup name manually.
  4 Enter the domain credentials.
  5 Click the option next to Schedule recurring import to On or Off. If you expect to add new computers to your network, leave this setting on. Leaving this setting on means that as you add computers to your network, they are discovered automatically.
  6 Click Schedule. Select a preset shared schedule for the recurring import. This list is populated from the Shared Schedules page. You modify, create, and use shared schedules at Settings > Notification Server > Shared Schedules.
  7 Click Next.

Step 2 Network
Lets you discover computers using a network scan (ping sweep).
Note: If you prefer to import Windows computers by domain or workgroup, select nothing on this page, but click Back.
To discover computers using a network scan:
  1 Check the box to discover networked computers and devices.
  2 Enter a ping sweep range. Consider whether you need to scan all IP addresses. For a first-time setup, you may need to include all subnets to ensure that you identify every device. However, you can limit the scope as needed. For example, you can run multiple scans on specific subnets if that simplifies the discovery task.
  3 If you want to communicate with network devices and classify them more accurately, click turn on additional ranges.
  Note: If you cannot connect remotely, your network or computers may have firewalls turned on. You may need to turn these off to perform discovery.
  4 If you want to proceed immediately to the second first-time setup configuration step, check Run the Roll Out Symantec Agent wizard.

4 After you have made all your selections in the Discover Computers dialog box, click Discover.
See “Installing the Symantec Management Agent” on page 219.

Installing the Symantec Management Agent

The process of installing the agent includes the following procedures, which must be completed in order:

■ Rolling out the agent to the network computers that you want to manage.
  You select the computers on which you want to install the agent. You can select all computers automatically or select from a list of discovered computers.
  See “To roll out the agent” on page 220.
■ Rolling out the agent plug-ins.
  Certain plug-ins are turned on by default. You can select additional plug-ins to install. Plug-ins are installed to the list of computers to which you installed the agent. Note that if you choose to deselect all plug-ins and select plug-ins manually, the default plug-ins are also deselected.
  See “To roll out the agent plug-ins” on page 221.
■ Optimizing the agent for the number of computers in your environment.
  Optimizing the agent is an auto-tuning feature. If you have installed a suite, you have a setup option for auto-tuning your network. You can auto-tune the settings for the agents that you installed. In the agent rollout wizard, you see a slider that lets you select from 0 to 15,000+ computers. Based on the number of computers you select, the wizard auto-tunes your system to optimize performance.
  See “To optimize the agent” on page 222.

Rolling out the Symantec Management Agent is a step in the process for performing a first-time setup configuration.

See “Performing a first-time setup configuration” on page 215.

To roll out the agent

1 If you do not already see the Welcome to the Symantec Management Console page, in Symantec Management Console click Home > Notification Server Management > First Time Setup.
2 On the Welcome to the Symantec Management Console page, click Rollout Agent.
3 In the rollout wizard, click Step 1 Computers.
4 In the Roll Out Symantec Agent dialog box, select an installation option.

Automatically install to all discovered computers: Lets you install the agent to all discovered computers.

Only on selected discovered computers: Lets you type the name of or search for specific computers on which to install the agent. This installation option also lets you select a recurring installation schedule from a drop-down list. This list is populated from the Shared Schedules page. You modify, create, and use shared schedules at Settings > Notification Server > Shared Schedules.
This option presents a typical pick list. The left-hand column is where you search and your discovered computers are listed. This column is referred to in this topic as the discovery column. The right-hand column is where you build your list of computers on which to install the agent. This column is referred to as the selected column.
In the discovery column, type all or part of a computer name. You can also use search criteria such as XP, Win, or other letters that a group of your preferred computer names contains. The discovery column lists the discovered computers that match your search criteria. Use the arrow keys to move computers from the discovery column to the selected column. As you move computers into the selected column, you see the number of selected computers change in the bottom right of the column.
This installation option also lets you add search criteria for selected discovered computers. You can refine the results in the selected column by searching for computers by name or IP address.

5 Click Next. The agent plug-in rollout opens.

To roll out the agent plug-ins

1 If you do not already see the Welcome to the Symantec Management Console page, in the Symantec Management Console click Home > Notification Server Management > First Time Setup.
2 On the Welcome to the Symantec Management Console page, click Rollout Agent.
3 In the rollout wizard, click Step 2 Plug-ins.
4 In the Rollout Agent dialog box, select the plug-ins that you want to install. Click a plug-in to see its description. Review the plug-ins that you want to install. Select plug-ins for all of the solutions that you have installed. You should also select plug-ins based on the management functions that you want to perform. For example, if you want to collect inventory, you must ensure that the Inventory plug-ins that are relevant for your environment are turned on.

  Turn on all: Lets you turn on all plug-ins that are listed. When you turn on all plug-ins, you see green shading along the left side of the list. When you turn off all plug-ins, you see red shading.

  On/Off bar: Lets you turn selected plug-ins on or off. Red or green shading indicates which plug-ins are off (red) and which plug-ins are on (green).

5 Click Next.

To optimize the agent

1 If you do not already see the Welcome to the Symantec Management Console page, in the Symantec Management Console click Home > Notification Server Management > First Time Setup.
2 On the Welcome to the Symantec Management Console page, click Rollout Agent.
3 In the rollout wizard, click Step 3 Optimize.
4 In the Rollout Agent dialog box, select the rollout environment:

  Production Environment: Lets you install the agent to your production environment. Select the number of computers in your production environment. The number of computers in your production environment determines the optimal intervals for downloading agent settings and checking for new tasks. When you select the number of computers that operate in your environment, the intervals adjust automatically. This automatic adjustment tunes your network for optimal performance. Using the slider, select the number of computers that are in your production environment.
  See “Agent and task setting options” on page 223.
  To see details of the agent settings and the task settings, click Show Details, and then click OK.

  Testing Environment (1-50 computers): Lets you test the rollout on a subset of installed computers.

5 When you are satisfied with the settings, click Rollout Agent.

Agent and task setting options

In the agent rollout wizard, you see a slider that lets you select from 0 to 15,000+ computers. Based on the number of computers you select, the wizard auto-tunes your system to optimize performance. Click Show details to view the optimized settings. The Optimized Settings dialog box shows how often a new configuration is downloaded for agent settings. It also lists the maximum time between tickle attempts for task settings. The details in the wizard apply to the discovered computers on which you chose to install the agent.

If you need to set or modify agent setting options or task setting options for other computers, you can do so. To modify agent settings, in Symantec Management Console navigate to Settings > Agents/Plug-ins > Targeted Agent Settings - Download new configuration every ___. To optimize task settings, click Settings > Notification Server > Site Server Settings, and then in the left pane click Site Management > Settings > Task Service > Task Service Settings. In the right pane, set Minimum time between tickle attempts.

See “Installing the Symantec Management Agent” on page 219.

Table 10-1 Options for optimal agent and task settings

Number of computers in      Optimized agent    Optimized task
production environment      settings           settings
0 - 100                     5 minutes          1 minute
100 - 5000                  one hour           5 minutes
5000 - 10000                two hours          5 minutes
10000 - 15000               three hours        5 minutes
15000 +                     four hours         5 minutes

Collecting inventory information

Collecting initial inventory information is key to managing your network.
All solutions use inventory, and the information that inventory collects populates the computer views, software views, and other pages and fields in the console. Knowing what is installed on your network is critical to gathering the right data so that you can make essential management decisions.

Your network is unique. Therefore, you must determine which information you want to collect, which resources you want to collect information about, and how often to collect the information. In the Collect Inventory policy window you can turn off the policy or turn on the policy. You also select a default schedule or a custom schedule on which to ensure that the policy is current.

Before collecting inventory information, consider which information you need to keep track of and how often you want to update that information. You should also consider whether any circumstance exists under which you would want to turn off the inventory policy. The default is to leave the policy on.

You can collect the following types of inventory information:

  Hardware and operating system: Lets you collect inventory of CPUs, hard drives, memory, firmware, users, and groups.
  Software: Lets you collect inventory about Windows programs and UNIX/Linux/Mac software packages.
  File properties: Lets you collect information about manufacturers, versions, size, and internal name.
  Server applications: If you have Inventory Pack for Servers installed, lets you collect information about server applications.

Collecting inventory information is a step in the process for performing a first-time setup configuration.
See “Performing a first-time setup configuration” on page 215.

To collect inventory information

1 In the Symantec Management Console, click Home > Notification Server Management > First Time Setup.
2 On the Welcome to the Symantec Management Console page, click Collect Inventory.
  The Collect Full Inventory policy shows the default settings and also shows policy compliance.
3 In the Collect Full Inventory policy window next to Policy Rules/Actions, leave the policy turned on. If you have a particular need to stop running the policy for a time, click Off to turn off the policy.
4 Select a schedule for keeping the policy current. You can select a default schedule or create a custom schedule. This list of schedules is populated from the Shared Schedules page. You modify, create, and use shared schedules at Settings > Notification Server > Shared Schedules.
5 In the Collect Full Inventory policy window, review the inventory details and select the types of inventory to gather. Make changes as necessary. To see details about the types of inventory you selected, in the Policy Rules/Actions area of the window click Advanced. You can select additional items about which you want to collect inventory data. If you make changes, click OK.
6 In the Collect Full Inventory policy window in the Applies To/Compliance area, review the details. This area shows details about the inventory that is collected on targeted computers. You can verify compliance to the inventory policy, modify which computers collect inventory, and make other changes as needed.
7 Click Save changes.
8 After the window refreshes, click x in the upper right to close the policy window.

Deploying preboot environments

You choose which PXE preboot environments you want to build and turn on the PXE server rollout policy. The preboot configurations that you build during first-time setup are available to use later for deployment tasks.

Deploying preboot environments is a step in the process for performing a first-time setup configuration.
See “Performing a first-time setup configuration” on page 215.
To deploy preboot environments

1 In the Symantec Management Console, click Home > Notification Server Management > First Time Setup.
2 On the Welcome to the Symantec Management Console page, click Setup Deployment.
3 In the Setup Deployment window, select which PXE Preboot Automation environments you want to build.

  Step 1 PXE Image: Lets you choose one or more of the following operating systems:
  ■ WinPE x86
  ■ WinPE x64
  ■ Linux
  The PXE Preboot Automation environments table lists the available operating systems with their architecture and OEM extensions. After you choose the operating system or operating systems, click Next.
  If you need to create other preboot environments at a later time, you can do so. In Symantec Management Console, navigate to Settings > Deployment > Create Preboot Configurations.

  Step 2 PXE Servers: Lets you choose whether to roll out PXE servers to your site servers. If you plan to perform deployment tasks, you want to roll out PXE servers to site servers.

4 Click Setup Deployment.

Chapter 11 Configuring security

This chapter includes the following topics:

■ About Symantec Management Platform security
■ Setting up Symantec Management Platform security
■ About security roles
■ Predefined security roles
■ About security privileges
■ About Symantec Management Platform user accounts
■ Creating and configuring Symantec Management Platform user accounts
■ Configuring password complexity and lockout settings
■ Unlocking locked out credentials
■ About security role permissions
■ About the Security Role Manager
■ About credential manager
■ Creating a credential
■ Editing a credential

About Symantec Management Platform security

The Symantec Management Platform uses role-based security, which means that user access is based on the user's security role. A security role is a set of privileges and permissions that is granted to all members of that role. Using role-based security lets you create and maintain a small number of security roles.
You can then assign each Symantec Management Platform user account to the appropriate role, rather than assign specific privileges and permissions to each individual user. However, you can also assign specific permissions to individual user accounts.

See “About security roles” on page 231.
See “Setting up Symantec Management Platform security” on page 229.

User accounts, which are sometimes referred to as users, are not the same as user resources in Symantec Management Platform. A user resource is an entity that is used to associate managed devices with the owner of the device. The existing user resources and the user accounts that can log on to the Symantec Management Console or run a workflow are separate entities.

A security role controls user access to the Symantec Management Platform using the following:

■ Privileges
  A privilege applies system-wide. Privileges are assigned only to roles and cannot be assigned directly to individual user accounts. A privilege assigned to a role lets a user account that is a member of that role perform a particular action on the Symantec Management Platform or in the Symantec Management Console. In some cases, the user's role requires the corresponding permissions.
  See “About security privileges” on page 233.
■ Permissions on folders and items
  Permissions specify the access that a security role or user account has to a Symantec Management Console folder or item. A permission on a security role applies to all members of that role. A permission on a folder applies to all of the items that are contained directly in that folder.
  See “About security role permissions” on page 255.
■ Permissions on organizational views and groups
  An organizational view is a hierarchical grouping of resources (as organizational groups) that reflects a real-world structure or view of your organization.
  You can set up resource security by assigning the appropriate permissions for each security role on each organizational view. You also assign the appropriate permissions on the organizational groups within each view. A permission that is assigned to an organizational group applies to all resources in that group. By default, the permission applies to all of its child groups. You cannot assign permissions directly to a particular resource.

Privileges, permissions on folders and items, and permissions on organizational views and groups work together. You need to assign the appropriate combination to each security role to grant user accounts the access that they need to perform their activities.

Setting up Symantec Management Platform security

To give user accounts access to the Symantec Management Platform, installed solutions, and the data that is contained in the CMDB, you need to set up your security roles. You assign the appropriate privileges and permissions to each role. You need to create your Symantec Management Platform user accounts and then add each user account to the appropriate role (or roles).

You configure and maintain Symantec Management Platform security through the Symantec Management Console.

See “About Symantec Management Platform security” on page 227.

Table 11-1 Process for setting up Symantec Management Platform security

Step 1
  Action: Create and configure the security roles that you require.
  Description: Security roles control access to the Symantec Management Platform, installed solution functionality, and all the data that is contained in the CMDB.
  You can create new security roles in the following ways:
  ■ Create completely new security roles.
  ■ Clone existing security roles.
  ■ Import domain groups and users from Active Directory.

Step 2
  Action: Assign the appropriate privileges to your security roles.
  Description: A privilege allows a role member to perform a particular action
  on the Symantec Management Platform, or on items in the Symantec Management Console. To perform an action on an item, the role must have the necessary permission on the item.

Step 3
  Action: Create and configure the user accounts that you require.
  Description: Each Symantec Management Platform user account contains the credentials that the user needs to access the Symantec Management Console or to run a workflow. The credentials may be internal Symantec Management Platform user names and passwords or Windows accounts. Internal credentials are currently used for workflow integration only. Windows credentials are required to access the Symantec Management Console.
  You can create new user accounts in the following ways:
  ■ Create completely new user accounts.
  ■ Clone existing user accounts.
  ■ Import domain groups and users from Active Directory.
  See “Creating and configuring Symantec Management Platform user accounts” on page 247.

Step 4
  Action: Add user accounts to the appropriate security roles.
  Description: A user gains access to the Symantec Management Platform, installed solutions, and the data that is contained in the CMDB through their security role membership. You can assign a user to any number of security roles. A user who is a member of multiple security roles has the union of all the privileges and permissions that those roles grant.

Step 5
  Action: For each security role, assign permissions on the folders and items that are contained in the Symantec Management Console.
  Description: Permissions specify the access that each security role has to a Symantec Management Console folder or to a particular item. A permission on an item applies only to the item. A permission on a folder applies to all of the items that are contained directly in that folder. By default, the contents of a folder inherit all the permissions on the folder.
  See “Assigning security permissions to folders and items” on page 262.

Step 6
  Action: (Optional) For each security role, modify the permission inheritance on the Symantec Management Console folder structure.
  Description: Modifying permission inheritance lets you customize permissions on the Symantec Management Console folder structure. This means that you can grant a particular permission on a parent folder but remove that permission from some or all of the folder contents.
  Remember that you configure permissions on folders and the items within those folders. If you configure a folder and grant Write permissions for a particular role, that role has the Write permission to the folder and all its contents. If the folder contains 100 items, and you do not want those items to inherit the Write permission from the parent folder, you can break permission inheritance. In that case, users who are members of the role to which you granted the Write permission have the Write permission on the folder only. However, they do not have the Write permission on the items that the folder contains.
  The permission inheritance on a folder or item applies to all security roles. You cannot customize permission inheritance per role.
  See “Customizing permission inheritance” on page 263.

Step 7
  Action: (Optional) Configure resource security.
  Description: By default, all the predefined security roles have the Read permission on resources.
  Security-related resources are specially controlled in Symantec Management Platform: Only users who are members of the Symantec Administrators role have full access to security resources by default. Users who are members of the Symantec Supervisors role have Read permissions on security resources by default. No other predefined security role has permissions on any security resources.
  See “Predefined security roles” on page 232.
  If you want to restrict or otherwise control access to resources, you can configure resource security. You configure resource security by creating one or more organizational views that model your resource structure. You control access to the resources by assigning permissions to each security role on the appropriate organizational views and groups.

About security roles

A security role is a set of privileges and permissions that is granted to all members of the role. Using role-based security lets you create and maintain a small number of security roles and assign each user account to the appropriate role. You do not need to assign privileges and permissions to each individual user account (although you can if you want). You can assign a user account to multiple security roles: a member of multiple security roles has the union of all the privileges and permissions that those roles grant.

See “About Symantec Management Platform security” on page 227.
See “Setting up Symantec Management Platform security” on page 229.

Security roles may be nested: a role may be a member of one or more other roles, and its membership may include both roles and user accounts. The only restriction is that you cannot create a circular role membership where a role is a member of itself.

Privileges, permissions on folders and items, and permissions on organizational views and groups work together. You need to assign the appropriate combination to each security role to grant user accounts the access that they need to perform their activities. Privileges can only be assigned to security roles, but permissions may be assigned to security roles and user accounts.

You should decide what security roles to set up based on logical IT worker or user groups in your organization. For example, you might want an IT level 1 worker role, an upper-level management role, and a human resources role.
All user accounts in a security role receive the same privileges and permissions; therefore, they have the same level of access to the Symantec Management Platform.

The Symantec Management Platform and some solutions include predefined security roles. If the predefined security roles do not meet the needs of your organization, you can create new ones. You can also edit the predefined security roles by specifying different privileges and permissions.

See “Predefined security roles” on page 232.

During Symantec Management Platform installation, the administrator installing the Symantec Management Platform is automatically assigned to the Symantec Administrators role. The administrator can then create any new security roles that are required and assign each role the appropriate privileges and permissions. The administrator can then assign each user to one or more roles. You should set up security roles before Notification Server is deployed to your production network.

Predefined security roles

The Symantec Management Platform includes a set of predefined security roles that you can use. If the predefined security roles do not meet the needs of your organization, you can create new ones. You can also edit the predefined security roles by specifying different privileges and permissions.

See “About Symantec Management Platform security” on page 227.
See “Setting up Symantec Management Platform security” on page 229.
See “About security roles” on page 231.

Table 11-2 Predefined Symantec Management Platform security roles

Security role: Description

Everyone: A top-level role that contains all roles and user accounts. This role replaces the Windows built-in groups Everyone and Authenticated Users. The membership of this role is calculated automatically and cannot be modified manually. By default, this role has no privileges assigned.
Symantec Administrators: Has all security privileges and permissions assigned, so it has complete access to all aspects of the Symantec Management Platform and any installed solutions. You can modify the membership of this security role, but you cannot change its privileges and permissions.

Symantec Supervisors: Has the complete Management and most of the Right-click Menu privileges. Has limited System privileges assigned. Has the Read permission on resources, including security resources.

Symantec Level 2 Workers: Has the complete Management privileges and most of the Right-click Menu privileges assigned. Has the Read permission on resources, excluding security resources.

Symantec Level 1 Workers: Has no privileges assigned. Has the Read permission on resources, excluding security resources.

Symantec Software Librarian: Has the Software Management Framework privileges and the Right-click Menu Actions privileges assigned. The privileges are limited to those needed to create and manage software packages.

Symantec Guests: Has no privileges assigned.

About security privileges

A privilege allows a user to perform a particular action on the Symantec Management Platform, or on items in the Symantec Management Console. To perform an action on an item, the user's role must have the necessary permission on the item.

The privileges that you can assign to a security role are grouped into categories. However, when you assign privileges to a security role, you need to select the appropriate privileges individually.

Table 11-3 Security privilege categories

Privilege category: Description

Connection Profile Privileges: Lets you create and modify connection profiles.
See “Connection Profile privileges” on page 235.

Management Privileges: Lets you create management items, such as filters, targets, reports, and tasks, on the Symantec Management Platform.
See “Management privileges” on page 235.

System Privileges: Lets you perform management activities, such as setting up security, managing hierarchy, and importing XML files, on the Symantec Management Platform.
See “System privileges” on page 237.

Credential Privileges: Lets you use the Credential Manager to create and modify credentials. These credentials are not the same as the Internal credentials and Windows credentials that are associated with user accounts.
Note: The Credential Manager is a component of the extended Symantec Management Platform, so may not be installed in your environment.
See “Credential privileges” on page 239.

Workflow Directory Privileges: Lets you publish workflows from the workflow designer into Notification Server as a task or item action (an option on the right-click menu).
See “Workflow Directory privileges” on page 239.

Console Privileges: Lets you customize the Symantec Management Console. These privileges include the ability to edit the menu, and to create portal pages, Web parts, and views.
See “Symantec Management Console privileges” on page 240.

Software Management Privileges: Lets you grant specific abilities to the user role and allow the user to perform specific tasks in the Software view and Software Catalog window.

Software Management Framework Privileges: Lets you manage the Software Management Framework. These privileges are the ability to create the Software Library and to create and import software resources.
See “Software Management Framework privileges” on page 240.

Right-click Menu Privileges: Lets you perform general actions on items in the Symantec Management Console. When you right-click on an item, the options that are relevant to that item type are available on the right-click menu.
These privileges include the ability to delete an item, edit views, Web links, and item links, and start, stop, and schedule tasks.
See “Right-click Menu privileges” on page 241.

Right-click Menu - Connector Samples Privileges: Examples of user-creatable right-click actions.
See “Right-click Menu - Connector Samples privileges” on page 242.

Right-click Menu - Hierarchy Privileges: Lets you manage hierarchy replication. These privileges let you include or exclude specific items from hierarchy replication, and let you replicate items immediately.
See “Right-click Menu - Hierarchy privileges” on page 243.

Right-click Menu - Actions Privileges: Lets you perform the actions that are relevant to the Software Management Framework. Additional solutions that are installed on the Symantec Management Platform may add further privileges to this category.
See “Right-click Menu - Hierarchy privileges” on page 243.

Right-click Menu - Set Asset Status Privileges: Lets you change the status of an asset. These privileges let you set the status of a resource to Active or Retired. Solutions that are installed on Symantec Management Platform may add more privileges.
See “Right-click Menu - Set Asset Status privileges” on page 245.

Connection Profile privileges

Connection Profile privileges let you create and modify connection profiles. Connection profiles store the information that is required to communicate with computers and other network devices using standard network monitoring protocols. These protocols include SNMP, WMI, WSMan, and several others.

See “About security privileges” on page 233.

Table 11-4 Connection Profile privileges

Privilege: Description

Create Connection Profile: Lets you create and modify connection profiles.
Management privileges

Management privileges let you create management items, such as filters, targets, reports, and tasks, on the Symantec Management Platform.

See “About security privileges” on page 233.

Table 11-5 Management privileges

Privilege: Description

Create Agent Settings: Lets you create a new targeted agent settings policy, or clone an existing policy. The targeted agent settings are the general parameters that control the Symantec Management Agent, including how the agent communicates with Notification Server.

Create Automation Policies: Lets you create new automation policies. An automation policy is dynamic and specifies automated actions to perform on the Notification Server computer. It targets the appropriate computers when the policy is activated and performs whatever action is required based on the current state of each target computer.

Create Filters: Lets you create new resource filters. A resource filter, usually known as a filter, is a dynamic definition of a set of resources. Filters are used with organizational groups to identify the resources (a resource target) that a task or policy applies to.

Create Jobs or Tasks: Lets you create a new job or task, or clone an existing job or task. Jobs can contain multiple tasks and multiple conditions, which gives you great flexibility in setting up the job sequence that you need.

Create Maintenance Windows: Lets you create a new maintenance window policy, or clone an existing policy. A maintenance window is a scheduled time and duration when maintenance operations may be performed on a managed computer. A maintenance window policy defines one or more maintenance windows.

Create New Client Job: Lets you create a new client job. Client jobs are deployed to managed computers by a task server. The managed computer then runs the job and reports back to Notification Server.

Create New Server Job: Lets you create a new server job.
Server jobs run on Notification Server.

Create Organizational Groups: Lets you create new organizational views and groups. An organizational view is a hierarchical grouping of resources (as organizational groups) that reflects a real-world structure or view of your organization.

Create Reports: Lets you create a new report, or clone an existing report.

Create Resource Targets: Lets you create new resource targets. A resource target, usually known as a target, is a framework that lets you apply tasks and policies to a dynamic collection of resources. A target consists of at least one organizational view or group, and a number of filters. The filters refine the available resources to identify those that you want.

Discovery Task Management: Lets you perform Network Discovery tasks.

System privileges

System privileges let you perform management activities, such as setting up security, managing hierarchy, and importing XML files, on the Symantec Management Platform.

See “About security privileges” on page 233.

Table 11-6 System Privileges

Privilege: Description

Change Security: Lets you change the security configuration on the Symantec Management Platform. You can create security roles, assign privileges and user accounts to security roles, and assign permissions to management items for each role.
See “Setting up Symantec Management Platform security” on page 229.

Create CMDB Rules: Lets you create CMDB rules in Data Connector. You use Data Connector to transfer data between the CMDB and a data source, and manipulate data within the CMDB. Data Connector is part of the extended Symantec Management Platform.

Edit SQL Directly: Lets you create or modify SQL queries in reports and filters. If a user is proficient in SQL and familiar with the CMDB, this privilege lets them write very specific, efficient reports. However, it can also be used to avoid security checks.
For example, a user can write a query that accesses resources that are outside their scope. That is, the resources are not contained in the organizational groups that the user has permission to view.
Warning: Poorly written SQL queries can return incorrect results or be inefficient, consuming excessive memory and CPU time on the CMDB computer. Also, a malicious SQL query can delete, modify, or add data anywhere in the CMDB. Therefore, this privilege is very security sensitive and is only granted to the Symantec Administrators role by default.
If you let security role members edit SQL directly, you should use the report-specific application credentials to force reports to use an account with restricted CMDB access.

Import/Export XML: Lets you import items and resources from specially structured XML files, and export items and resources to XML files.
Take care when you create an item or resource in the Symantec Management Platform by importing information that is stored in an XML file. Creating an item this way bypasses all security checks. For example, a user can create a report by importing its XML even when the user does not have the necessary privileges and permissions. In this example the user needs the Create Reports privilege and the Create Children permission to the folder in which the report is stored.
This privilege is very security sensitive. By default, it is granted only to the Symantec Administrators role and should not be granted to non-administrators.

Manage Data Connector: Lets you manage Data Connector. Data Connector is part of the extended Symantec Management Platform. You use Data Connector to transfer data between the CMDB and a data source, and manipulate data within the CMDB.

Manage Hierarchy Replication: Lets you create and run hierarchy replication rules.
The hierarchy replication rules specify what is replicated to the parent Notification Server and to any child Notification Servers.

Manage Hierarchy: Lets you add your Notification Server to a hierarchy, or remove it from a hierarchy. You can add your Notification Server to a hierarchy as a child of an existing remote Notification Server, or as its parent. Remember that your Notification Server is the one that you are logged into, which may be a remote logon. You require this privilege on both Notification Servers to create or change a hierarchical relationship between them. See “About creating and managing hierarchical relationships” on page 99.

Take Ownership: Lets you take ownership of a security entity. This privilege grants the new owner full permissions on the entity. For example, you would need to take ownership if all permissions on the entity were accidentally removed. See “Taking ownership of a folder or item” on page 265.

View Security: Lets you view the security configuration on the Symantec Management Platform. This information includes details of the security roles, and the user accounts, privileges, and permissions that are assigned to each role. See “About security roles” on page 231.

Credential privileges

Credential privileges let you create new credentials in Credential Manager. Credential Manager provides a secure storage location for user names and passwords. The types of credentials that the Credential Manager stores are defined by the solutions that are installed on Symantec Management Platform.

See “About security privileges” on page 233.

When a credential is created, only the creator is granted access. If other users need to perform a management operation that requires a credential, you need to assign this privilege to the appropriate user account or role that contains the user account.
Table 11-7 Credential privileges

Privilege: Description

Create Credential: Lets you create and modify credentials in Credential Manager. See “About credential manager” on page 266.

Workflow Directory privileges

Workflow Directory privileges let you publish workflows from the workflow designer into Notification Server as a task or item action (an option on the right-click menu). Workflow Designer is part of Workflow solution. When you install Workflow solution, it adds a page to the Symantec Management Console that lets you download and install the Workflow Designer. It is not included in the Symantec Management Platform by default.

See “About security privileges” on page 233.

Table 11-8 Workflow Directory privileges

Privilege: Description

Register/Unregister Workflows: Lets you publish workflows from the workflow designer into Notification Server as a task or item action (an option on the right-click menu). For more information, refer to the Workflow solution documentation.

Symantec Management Console privileges

Symantec Management Console privileges let you customize the Symantec Management Console. These privileges include the ability to edit the menu, and to create portal pages, Web parts, and views.

See “About security privileges” on page 233.

Table 11-9 Symantec Management Console privileges

Privilege: Description

Create Portal Pages: Lets you create new portal pages. A portal page is a Symantec Management Console page that you can customize to suit your requirements. You can use a portal page to consolidate key information into a single, easy-to-view page. A portal page can display the status of the Symantec Management Platform and managed computers, or any other information that you want to make available. For example, you can include external Web pages, intranet pages, RSS feeds, or your own applications.
You need to have the Create Children permission on the folder in which you want to create the new portal page.

Create Web Parts: Lets you create new Web parts. Web parts are the mini Web pages that you can use as the building blocks for portal pages. A Web part can display a report or the contents of a Web page. You need to have the Create Children permission on the folder in which you want to create the new Web part.

Create Views: Lets you create new views. A view is a two-pane layout with a navigation tree in the left pane and content in the right pane. The navigation tree contains links to Symantec Management Console items and lets you group items from different parts of the console into a suitable structure. An item may appear multiple times in a view, and in any number of different views. A view can include folders, item links, and Web links.

Edit Console Menu: Lets you customize the Symantec Management Console menus. The menu options that are supplied with the Symantec Management Platform are read-only and cannot be modified. You can add new submenus, and can modify them as necessary. You can move or delete any menu item, except those that have been designated as read-only.

Software Management Framework privileges

Software Management Framework privileges let you manage the Software Management Framework. These privileges are the ability to create the Software Library and to create and import software resources.

See “About security privileges” on page 233.

Table 11-10 Software Management Framework privileges

Privilege: Description

Manage Software Resources: Lets you create, import, edit, and delete software resources. A software resource is the metadata that describes a specific instance of a software product. A software resource provides a common way to describe the software so that all software-related actions can identify it accurately.
Typically, you should give software resource privileges to the user accounts who deliver and manage software. The Symantec Software Librarian and Asset Manager security roles have this privilege by default.

Manage Software Library Settings: Lets you create and edit the Software Library Settings. The Software Library is the physical directory location of the package files that are associated with the software in the Software Catalog. Because the Software Library is a repository of the definitive, authorized versions of the packages, you should restrict library access to maintain its integrity. The Symantec Software Librarian and Asset Manager security roles have this privilege by default.

Create software deliveries: Lets you create software deliveries (Quick Delivery or Package Delivery tasks and Manage Software Delivery policy) for a selected software resource from the available software list. Lets you use the drag-and-drop feature to initiate software delivery from any software list. This privilege also allows the user to use the Delivery tab to create software deliveries.

Right-click Menu privileges

The Right-click Menu privileges (sometimes referred to as item action privileges) let you perform general actions on items in the Symantec Management Console. When you right-click on an item, the options that are relevant to that item type are available on the right-click menu. These privileges include the ability to delete an item, edit views, Web links, and item links, and start, stop, and schedule tasks.

See “About security privileges” on page 233.

Table 11-11 Right-click Menu privileges

Add to organizational group
Description: Lets you add a resource to an organizational group.
Applies to Item Types: All resources
Additional Requirements: Write permission on the organizational group.

Clone
Description: Lets you clone an item.
Applies to Item Types: All item types
Additional Requirements: Clone permission on the item.

Delete
Description: Lets you delete an item.
Applies to Item Types: All item types
Additional Requirements: Delete permission on the item.

Edit Item Link
Description: Lets you modify an item link.
Applies to Item Types: Item links only.
Additional Requirements: Write permission on the item link.

Edit Rule
Description: Lets you edit an inventory rule.
Applies to Item Types: Inventory rules only.
Additional Requirements: Write permission on the inventory rule.

Edit View
Description: Lets you edit a view.
Applies to Item Types: Views only.
Additional Requirements: Write permission on the view.

Edit Web Link
Description: Lets you modify a Web link.
Applies to Item Types: Web links only.
Additional Requirements: Write permission on the Web link.

Schedule
Description: Lets you schedule a policy.
Applies to Item Types: Policies only.
Additional Requirements: Write permission on the policy.

Schedule Task
Description: Lets you schedule a task. You can set the task to run once at a particular time, or to repeat at regular intervals.
Applies to Item Types: Tasks only.
Additional Requirements: Run Task permission on the task.

Security Role Manager
Description: Lets you open the Security Role Manager. See “About the Security Role Manager” on page 260.
Applies to Item Types: All item types
Additional Requirements: Write permission on the item.

Start Task
Description: Lets you start a task immediately.
Applies to Item Types: Tasks only.
Additional Requirements: Run Task permission on the task.

Stop Task
Description: Lets you stop a task immediately.
Applies to Item Types: Tasks only.
Additional Requirements: Run Task permission on the task.

Right-click Menu - Connector Samples privileges

The Connector Samples privileges are examples of user-creatable right-click actions.

See “About security privileges” on page 233.

Table 11-12 Right-click Menu - Connector Samples privileges

Ping Computer
Description: Lets you perform a TCP/IP ping on a computer.
Applies to Item Types: Computer resources only
Additional Requirements: Read permission on the organizational group that contains the computer.

Right-click Menu - Hierarchy privileges

The Hierarchy privileges let you manage hierarchy replication. These privileges let you include or exclude specific items from hierarchy replication, and let you replicate items immediately.

See “About security privileges” on page 233.
Table 11-13 Right-click Menu - Hierarchy privileges

Disable Replication
Description: Lets you prevent an item from participating in hierarchy replication. All configuration items and management items, and security roles and privileges are replicated by default. This option is available only when custom hierarchy replication rules are used.
Applies to Item Types: All item types
Additional Requirements: Manage Hierarchy Replication privilege, Write permission on the item.

Replicate Now
Description: Lets you replicate selected data directly from a Notification Server to all its child Notification Servers without including it in a replication rule. This operation is a once-off replication that takes place immediately. See “Replicating selected data manually” on page 114.
Applies to Item Types: All item types
Additional Requirements: Manage Hierarchy Replication privilege, Write permission on the item.

Enable Replication
Description: Lets you allow an item to participate in hierarchy replication. All configuration items and management items, and security roles and privileges are replicated by default. This option is available only when custom hierarchy replication rules are used.
Applies to Item Types: All item types
Additional Requirements: Manage Hierarchy Replication privilege, Write permission on the item.

Right-click Menu - Actions privileges

The Actions privileges let you perform the actions that are relevant to the Software Management Framework. Additional solutions that are installed on the Symantec Management Platform may add further privileges to this category.

See “About security privileges” on page 233.

Table 11-14 Right-click Menu - Actions privileges

Assign Type
Description: Assigns a type to an unassigned software resource in the Software Catalog. An unassigned software resource is one that is not categorized as a software release, an update, or a service pack.
Applies to Item Types: Software resources only
Create Installed Software Filter
Description: Creates filters to find managed computers by the software that is installed on them.
Applies to Item Types: Software resources only

Detailed Export
Description: Exports a software resource and any of its associated resource information to a detailed XML file.
Applies to Item Types: Software resources only

Edit Command Line
Description: Opens the selected command line for editing within the software resource editing page.
Applies to Item Types: Software resources only

Edit Package
Description: Opens the selected package for editing within the software resource editing page.
Applies to Item Types: Software resources only

Edit Software Resource
Description: Opens the selected software resource for editing.
Applies to Item Types: Software resources only

Import Package
Description: Changes a package’s source to the Software Library from a different source such as a directory on the server or a UNC path.
Applies to Item Types: Software resources only

Merge Company Resource
Description: Merges the selected company resource with another company resource. This privilege is useful if you have two entries for the same company that might be spelled slightly differently, such as “Symantec” and “Symantec Corporation”. You can select the items to merge and specify the appropriate name to use.

Resolve Duplicate Software Resources
Description: When two software resources represent the same software but have different identifiers, this dialog box lets the user associate both identifiers with one software resource.
Applies to Item Types: Software resources only

Right-click Menu - Set Asset Status privileges

The Set Asset Status privileges let you set the status of a resource to Active or Retired. Solutions that are installed on Symantec Management Platform may add more privileges to this category. For example, Asset Management solution adds three or four privileges here.

See “About security privileges” on page 233.
Table 11-15 Right-click Menu - Set Asset Status privileges

Active
Description: Sets the status of the selected resource as active.
Applies to Item Types: Resources only
Additional Requirements: Write permission on the organizational group that contains the resource.

Retired
Description: Sets the status of the selected resource as retired.
Applies to Item Types: Resources only
Additional Requirements: Write permission on the organizational group that contains the resource.

About Symantec Management Platform user accounts

Symantec Management Platform 7.1 has its own user accounts. Previous versions of Symantec Management Platform used Windows users and groups for user security. Windows users are still used, but they are no longer the only security mechanism.

User accounts, which are sometimes referred to as users, are not the same as user resources in Symantec Management Platform. A user resource is an entity that is used to associate managed devices with the owner of the device. The existing user resources and the user accounts that can log on to the Symantec Management Console or run a workflow are separate entities.

A Symantec Management Platform user account is linked to the Windows credentials that the user requires to access the Symantec Management Console. The user account may also be linked to internal credentials that it can use to access other Symantec Management Platform services, such as workflows. The user account can be added to the appropriate security roles: an account has the union of all the privileges and permissions that are granted by the roles to which it belongs.

See “Creating and configuring Symantec Management Platform user accounts” on page 247.

A credential is something that a user account provides to prove its identity. In Symantec Management Platform, a credential may be a user name and password or a Windows account.
The user account associates one or more credentials with a particular user and lets the user access the Symantec Management Console or Symantec Management Platform services.

Symantec Management Platform uses two types of credentials:

Internal credential: Lets a user access the appropriate Symantec Management Platform services using a user name and password that is stored in the CMDB. For security reasons, only the hash value of the password is stored. A user account cannot use internal credentials to access the Symantec Management Console. The internal credentials are currently used only for workflow integration.

Windows credential: Lets a user access the Symantec Management Console and Symantec Management Platform services using a Windows user name and password. To use Windows credentials, Notification Server must be in the user's domain, or the user's domain must be trusted by the Notification Server domain. You should configure Windows credentials if your organization uses Windows accounts internally. Using Windows credentials lets you enforce password complexity requirements, periodically change passwords, keep password history, and perform other password management tasks in Windows.

Creating and configuring Symantec Management Platform user accounts

You can configure your Symantec Management Platform user accounts to meet the requirements of your organization. You need to create all of the accounts that you want and assign them to the appropriate security roles. Each account has the union of all the privileges and permissions that the roles to which it belongs grant.

See “About Symantec Management Platform user accounts” on page 245.

See “About Symantec Management Platform security” on page 227.

Creating and configuring Symantec Management Platform user accounts is a step in the process of setting up Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 229.

Create and configure a user account in one of the following ways:

■ Create a completely new user account or clone an existing user account. See “To create a completely new user account or clone an existing user account” on page 247.
■ Import domain groups and users from Active Directory. See “To import domain groups and users from Active Directory” on page 248.

To create a completely new user account or clone an existing user account

1 In the Symantec Management Console, on the Settings menu, click Security > Account Management.

2 In the left pane, click Account Management > Accounts.

3 On the Accounts page, in the left pane, take one of the following actions:

To create a new account: Click Add. In the New Account dialog box, type the new Symantec Management Platform account name, and then click OK. The new account appears in the list of accounts. By default, the new account status is Inactive.

To clone an existing account: Right-click the Symantec Management Platform account that you want to clone and configure. Enter the name of the new copy of this account, and click OK.

4 In the right pane, configure the appropriate settings in the following tabs:

General: The general account details. These include the full name and email address of the user for whom the account is created, the account status, and the account credentials. See “Specifying general Symantec Management Platform user account details” on page 249. See “Configuring credentials for a Symantec Management Platform user account” on page 249.

Member Of: The security roles to which the account belongs. The account has the union of all the privileges and permissions that the roles to which it belongs grant. See “Assigning a Symantec Management Platform user account to a security role” on page 252.

5 Click Save changes.
To import domain groups and users from Active Directory

1 In Symantec Management Console, on the Actions menu, click Discover > Import Microsoft Active Directory.

2 On the Microsoft Active Directory Import page, in the description that is labeled Import Role and Account resources from <data source>, from (none). Perform this import on the specified schedule, click the user group (none).

3 (Optional) Create your own Role and Account import rules.

4 In the Select Security Groups dialog box, search for the domain groups from which you want to import user accounts; for example, Administrators and Users.

5 Click Add and then OK to add the selected groups.

6 Run the rule as a full import to import the selected domain groups.

7 (Optional) You can also schedule a full import to run at appropriate intervals. You can use this schedule to synchronize your security role membership with the domain group membership. This means that if you remove a domain user from the domain group, the corresponding Security Account is removed from the corresponding security role. Likewise if you add a domain user to the domain group, the corresponding Security Account is created and added to the corresponding security role.

Note that if a domain user is removed from a domain group, the corresponding security account is not deleted. Only the membership to the security role is removed.

Specifying general Symantec Management Platform user account details

You need to specify the full name and email address of the user for whom the account is created. You can also change the account status from Inactive to Active when appropriate.

See “About Symantec Management Platform user accounts” on page 245.

See “Creating and configuring Symantec Management Platform user accounts” on page 247.

See “Setting up Symantec Management Platform security” on page 229.
To specify general Symantec Management Platform user account details

1 In the Symantec Management Console, on the Settings menu, click Security > Account Management.

2 In the left pane, click Account Management > Accounts.

3 On the Accounts page, in the left pane, click the account that you want to configure.

4 In the right pane, on the General tab, specify the account details by editing the appropriate boxes:

Full Name: The full name of the user to whom the account belongs.

Email: The email address of the account user.

5 (Optional) If you want to activate or deactivate the account, click the status icon in the title bar and then select Active or Inactive.

6 Click Save changes.

Configuring credentials for a Symantec Management Platform user account

You need to configure the appropriate credentials for each Symantec Management Platform user account. You can add one Symantec Management Platform internal credential and one Windows credential to a user account. The Windows credential emulates the behavior of previous versions of Symantec Management Platform.

See “About Symantec Management Platform user accounts” on page 245.

See “Creating and configuring Symantec Management Platform user accounts” on page 247.

See “Setting up Symantec Management Platform security” on page 229.

An internal credential lets a user access the appropriate Symantec Management Platform services using a user name and password that is stored in the CMDB. Currently, internal credentials are used only for workflow integration.

A Windows credential lets a user account access the Symantec Management Console and Symantec Management Platform services using a Windows user name and password. To use Windows credentials, Notification Server must be in the user's domain, or the user's domain must be trusted by the Notification Server domain.
You should configure Windows credentials if your organization uses Windows accounts internally. Using Windows credentials lets you enforce password complexity requirements, periodically change passwords, keep password history, and perform other password management tasks in Windows.

To configure credentials for a Symantec Management Platform user account

1 In the Symantec Management Console, on the Settings menu, click Security > Account Management.

2 In the left pane, click Account Management > Accounts.

3 On the Accounts page, in the left pane, click the account that you want to configure.

4 In the right pane, on the General tab, under Credentials, click Add Credential and then do one of the following:

To add a Windows credential to the account: Click Windows and then, in the Windows Credential dialog box, specify the appropriate Windows user name in Domain/Username format. If the Windows account is in the same domain as Notification Server, you can omit the Domain and specify the Username only. If you specify a Windows account that is already assigned to a user account, the Windows credential is removed from the existing account. The Windows credential is then added to the new user account.

To add an internal credential to the account: Click Internal and then, in the Create Internal Credential dialog box, specify the appropriate password. The password must meet the password complexity settings. See “Configuring password complexity and lockout settings” on page 252. The credential user name is the name of the Symantec Management Platform account and you cannot change it.

5 Click OK. The new credential is added to the Credentials list.

6 (Optional) If you want to modify a credential, select it in the Credentials list and then click Edit. In the Edit Windows Credential dialog box or the Edit Internal Credential dialog box, make the appropriate changes and then click OK.
For security reasons, the Edit Internal Credential dialog box does not display the current password. If you specify a new password, the credential is updated accordingly. If you leave the Password box empty, the original password is preserved.

7 (Optional) If you want to delete a credential, select it in the Credentials list and then click Delete.

8 Click Save changes.

Assigning a Symantec Management Platform user account to a security role

You need to assign each Symantec Management Platform user account to the appropriate security roles. You need to be a member of the Symantec Administrators role, or a member of a role that has the Change Security privilege, to assign role membership. The account has the union of all the privileges and permissions that the roles to which it belongs grant.

See “About Symantec Management Platform user accounts” on page 245.

See “Creating and configuring Symantec Management Platform user accounts” on page 247.

See “Setting up Symantec Management Platform security” on page 229.

To assign a Symantec Management Platform account to a security role

1 In the Symantec Management Console, on the Settings menu, click Security > Account Management.

2 In the left pane, click Account Management > Accounts.

3 On the Accounts page, in the left pane, click the account that you want to configure.

4 In the right pane, on the Member Of tab, make the appropriate settings.

5 Click Add Role.

6 In the Select Role(s) dialog box, select the security roles to which you want to add the account, and then click OK.

7 On the Member Of tab, verify that the list of security roles is correct. You can remove any that you do not want.

8 Click Save changes.

Configuring password complexity and lockout settings

The Password Settings page lets you configure the password complexity and lockout settings for internal credentials.
These settings apply to internal credentials only: they do not apply to passwords that are managed externally, such as a Windows account. These complexity and lockout settings are often required to comply with an organization’s access control policy.

See “About Symantec Management Platform security” on page 227.

See “Setting up Symantec Management Platform security” on page 229.

See “Unlocking locked out credentials” on page 255.

You need to specify appropriate password complexity requirements to prevent Symantec Management Platform user accounts from creating weak passwords. Any changes that you make to the password complexity settings do not affect existing passwords. The password complexity rules are applied only when passwords are created or changed.

You cannot specify temporal restrictions such as allowing user accounts to log on only during certain time periods or on particular days of the week. To configure this type of restriction, you can use a scheduled task, a workflow, or an automation policy that disables and enables accounts at the appropriate times.

You cannot configure the maximum password age for internal credentials. The maximum password age for Windows credentials should be managed using a Windows policy.

Table 11-16 Settings on the Password Complexity tab

Setting: Description

Allow blank password: Specifies whether to allow a credential to have an empty password. If you enable this setting, the minimum password length is disabled. By default, this setting is disabled.

Minimum password length: Specifies the minimum number of characters that the password must contain. If you want to set the length to zero (0), you must also enable the allow blank password setting. The default is six (6).

Minimum number of non-alphabetic characters: Specifies the minimum number of non-alphabetic characters that the password must contain.
Non-alphabetic characters are numbers (such as 1, 2, 3, etc.) and special characters (such as !, ?, &, etc.). The default is one (1).

Contain account name: Specifies whether to allow the password to contain the user account name. Note that this is not case sensitive. By default, this setting is disabled.

You need to specify appropriate password lockout conditions to prevent unauthorized access to Symantec Management Platform. Any changes that you make to the password lockout settings are applied to all subsequent failed logon attempts. The maximum allowable unsuccessful attempts setting is not applied to the number of previous failed logon attempts.

Table 11-17 Settings on the Password Lockout tab

Setting: Description

Enable Credential Lockout: Specifies whether to lock the credentials when the specified maximum number of unsuccessful logon attempts is reached. By default, this setting is enabled.

Internal Credential Lockout Threshold: Specifies the maximum number of logon attempts that a user may make with any particular credential. If a user attempts to authenticate with an incorrect password more than this number, the credential is locked for the specified lockout period.

Unsuccessful logon attempts are counted from when the credential is created. The failed attempts do not need to happen within a minimum time period. There is no maximum time after which a failed attempt is no longer counted.

If you change this setting to reduce the maximum number of unsuccessful attempts allowed, the new value is not applied to any account until the next logon attempt. If the next attempt is successful, the count is reset to zero (all previous failures are erased). However, if the next attempt fails, the count of failed attempts is evaluated. If the maximum number is reached (or possibly already exceeded), the account is locked.
Lockout Duration: Specifies the duration that a locked out credential cannot be used. The default period is 1800 minutes (30 hours). All logon attempts that the user makes during this time period fail, even if the correct credentials are supplied. When the lockout period expires, the same credentials are valid again. No automatic password reset is required.

You can specify an infinite lockout period by entering a value of -1. In this scenario, a locked credential remains locked until an administrator manually unlocks the credential. See “Unlocking locked out credentials” on page 255.

To configure password complexity and lockout settings

1 In the Symantec Management Console, on the Settings menu, click Security > Account Management.

2 In the left pane, click Account Management > Password Settings.

3 On the Password Settings page, make the necessary configuration changes in the appropriate tabs.

Password Complexity: Lets you specify the password complexity rules that you want to apply to Internal credentials. See Table 11-16 on page 253.

Password Lockout: Lets you specify the conditions that cause Symantec Management Platform to lock Internal credentials. See Table 11-17 on page 254.

4 Click Save changes.

Unlocking locked out credentials

The Unlock Credentials page lets you unlock internal credentials that have become locked out after the maximum number of unsuccessful logon attempts has been exceeded.

See “About Symantec Management Platform security” on page 227.

See “Setting up Symantec Management Platform security” on page 229.

See “Configuring password complexity and lockout settings” on page 252.

To unlock locked out credentials

1 In the Symantec Management Console, on the Settings menu, click Security > Account Management.

2 In the left pane, click Account Management > Unlock Credentials.

3 On the Unlock Credentials page, in the list of locked credentials, select the credential that you want to unlock.
4 Click Unlock Credentials.

About security role permissions

The permissions on an item in the Symantec Management Console determine the access that a security role has to that item. Permissions on items are applied to security roles, not to individual user accounts. For example, the Read permission on an item lets a user view it, and the Write permission on the item lets the user modify it.
See “Setting up Symantec Management Platform security” on page 229.
See “Assigning security permissions to folders and items” on page 262.

Permissions are used with privileges to determine what actions a security role may perform on an item. For example, to delete an item a security role must have both the Delete privilege and the Delete permission on that particular item. Having only the Delete privilege, or the Delete permission on the item, is not sufficient.

You can specify the permissions that apply to each folder or item for each security role. Permissions that are applied directly to a folder or item (non-inherited permissions) are combined with the permissions that are inherited from the parent folder. The combined permissions determine the access that the security role has to that particular folder or item. By default, child items and folders inherit all permissions on a folder. You can modify permission inheritance to suit your requirements.

Table 11-18 lists and describes the categories of security permissions that you can set for each role.

Table 11-18 Security permission categories
Permission category | Description
Resource Management | These permissions apply to resources. See “Resource Management permissions” on page 257.
System | These permissions apply to the system, such as reading, writing, and deleting items. See “System permissions” on page 257.
Task Server | These permissions apply to Task Server. See “Task Server permissions” on page 258.
Report | These permissions apply to reports.
See “Report permissions” on page 258.
Policy | These permissions apply to policies. See “Policy permissions” on page 259.
Folder | These permissions apply to folders. See “Folder permissions” on page 259.
Filter | These permissions apply to filters. See “Filter permissions” on page 259.
Connection Profile | These permissions let you use connection profiles. See “Connection Profile permissions” on page 259.
Credential Manager | These permissions let you use the Credential Manager. See “Credential Manager permissions” on page 260.

Resource Management permissions

These permissions apply to resources.
See “About security role permissions” on page 255.

Table 11-19 Resource Management permissions
Permission | Description
Read Resource Data | Lets you read resource data.
Read Resource Association | Lets you read resource association data.
Write Resource Data | Lets you write resource data.
Write Resource Association | Lets you write resource association data.

System permissions

These permissions apply to the system, such as reading, writing, and deleting items.
See “About security role permissions” on page 255.

Table 11-20 System permissions
Permission | Description
Full Control | Lets you take full control of an item that another user owns. See “Taking ownership of a folder or item” on page 265.
Delete | Lets you delete items.
Write | Lets you create or modify items.
Clone | Lets you clone an existing item.
Read | Lets you open an item and view the item contents.
Change Permissions | Lets you change permissions on items.
Read Permissions | Lets you read the permissions for an item.

Task Server permissions

These permissions apply to Task Server.
See “About security role permissions” on page 255.
Table 11-21 Task Server permissions
Permission | Description
Create New Task | Lets you create new tasks.
Run Script | Lets you run a script.
Run Power Control | Lets you run power control tasks.
Run Task | Lets you run tasks.
Run Control Service State | Lets you run a control service state.

Report permissions

These permissions apply to reports.
See “About security role permissions” on page 255.

Table 11-22 Report Permissions
Permission | Description
Run Reports | Lets you run a report.
Save Reports | Lets you save a report.

Policy permissions

These permissions apply to policies.
See “About security role permissions” on page 255.

Table 11-23 Policy permissions
Permission | Description
Apply to Resource Targets | Lets you apply resource targets to policies.
Enable Policy | Lets you enable or disable a policy.

Folder permissions

These permissions apply to folders.
See “About security role permissions” on page 255.

Table 11-24 Folder permissions
Permission | Description
Create Children | Lets you add items and subfolders to a folder.

Filter permissions

These permissions apply to filters.
See “About security role permissions” on page 255.

Table 11-25 Filter permissions
Permission | Description
Apply Agent Settings | Lets you change a targeted agent settings policy and apply it to a resource target.
Apply Software Delivery Tasks | Lets you apply software delivery tasks.

Connection Profile permissions

These permissions let you use connection profiles. Connection profiles store the information that is required to communicate with computers and other network devices using standard network monitoring protocols. These protocols include SNMP, WMI, WSMan, and several others.
See “About security role permissions” on page 255.

Connection profiles are associated with devices during network discovery. During discovery, a connection profile is selected to define the protocols and credentials to use.
When discovery completes, this connection profile is then associated with each discovered resource. When information is required, the associated connection profile is used to connect.

Table 11-26 Connection Profile permissions
Permission | Description
Use | Lets you use connection profiles.

Credential Manager permissions

Credential Manager provides a secure storage location for user names and passwords. The types of credentials that the Credential Manager stores are defined by the solutions that are installed on Symantec Management Platform. These permissions let you use the Credential Manager.
See “About security role permissions” on page 255.

Table 11-27 Credential Manager permissions
Permission | Description
Use | Lets you use the Credential Manager. See “About credential manager” on page 266.

About the Security Role Manager

The Security Role Manager is a special console that lets you view and set permissions for security roles. The console lets you select a particular security role and view the permissions that are associated with each item for that security role. You can view the items by type, or view all the available items, and select the folder or item on which to set permissions.

By default, child items and folders inherit all permissions on a folder. You can modify permission inheritance to suit your requirements.

You can also use the Security Role Manager to take ownership of an item. You may need to take ownership if permissions on an item are removed accidentally so that the owner no longer has access to it. By taking ownership of an item, you can reset the appropriate permissions and restore access for the original owner.
See “About security role permissions” on page 255.
See “Accessing the Security Role Manager” on page 261.
See “Assigning security permissions to folders and items” on page 262.
See “Customizing permission inheritance” on page 263.
See “Taking ownership of a folder or item” on page 265.
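The credential lockout rules in Table 11-17 (a failure count with no time window, reset only by a successful logon, and a lockout period where -1 means locked until an administrator unlocks) can be modeled as follows. This is an added example, not Symantec code; the threshold values, the outcome strings, and the choices to lock as soon as the count reaches the threshold and to clear the count when a lockout expires or is manually unlocked are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INFINITE = -1  # page: a Lockout Duration of -1 locks until an administrator unlocks


@dataclass
class LockoutPolicy:
    enabled: bool = True          # Enable Credential Lockout (page default: enabled)
    threshold: int = 3            # constructed value, not a product default
    duration_minutes: int = 1800  # page default: 1800 minutes (30 hours)


@dataclass
class Credential:
    failed: int = 0                          # failures since creation or last success
    locked_until: Optional[datetime] = None  # None means not locked


def is_locked(cred: Credential, now: datetime) -> bool:
    if cred.locked_until is None:
        return False
    if now < cred.locked_until:
        return True
    # Lockout period over: the same password is valid again, no reset required.
    cred.locked_until = None
    cred.failed = 0  # assumption: the page does not say what happens to the count
    return False


def attempt(policy: LockoutPolicy, cred: Credential, password_ok: bool, now: datetime) -> str:
    if is_locked(cred, now):
        return "rejected-locked"  # fails even when the correct password is supplied
    if password_ok:
        cred.failed = 0           # a success erases all previous failures
        return "ok"
    cred.failed += 1              # no time window: old failures never age out
    # The threshold in force now is compared with the whole stored count, so a
    # lowered threshold takes effect on the next failed attempt.
    if policy.enabled and cred.failed >= policy.threshold:  # assumption: lock when reached
        if policy.duration_minutes == INFINITE:
            cred.locked_until = datetime.max
        else:
            cred.locked_until = now + timedelta(minutes=policy.duration_minutes)
        return "failed-now-locked"
    return "failed"


def admin_unlock(cred: Credential) -> None:
    cred.locked_until = None
    cred.failed = 0  # assumption, as above


def slow_guessing():
    """Constructed timeline: three failures over five months, threshold 3."""
    policy, cred = LockoutPolicy(threshold=3), Credential()
    days = [datetime(2012, 1, 1), datetime(2012, 3, 1), datetime(2012, 6, 1)]
    return [attempt(policy, cred, False, d) for d in days]


def lowered_threshold(next_attempt_ok: bool):
    """Three failures under threshold 5, then the administrator lowers it to 2."""
    policy, cred = LockoutPolicy(threshold=5), Credential()
    t = datetime(2012, 1, 1, 9, 0)
    for i in range(3):
        attempt(policy, cred, False, t + timedelta(minutes=i))
    policy.threshold = 2
    locked_by_change = is_locked(cred, t + timedelta(minutes=5))
    outcome = attempt(policy, cred, next_attempt_ok, t + timedelta(minutes=10))
    return locked_by_change, outcome, cred.failed


def lockout_window(duration_minutes: int):
    """Correct password tried 29 h and 31 h after lockout, then after a manual unlock."""
    policy = LockoutPolicy(threshold=1, duration_minutes=duration_minutes)
    cred, t0 = Credential(), datetime(2012, 1, 1, 9, 0)
    attempt(policy, cred, False, t0)
    during = attempt(policy, cred, True, t0 + timedelta(hours=29))
    after = attempt(policy, cred, True, t0 + timedelta(hours=31))
    admin_unlock(cred)
    return during, after, attempt(policy, cred, True, t0 + timedelta(hours=32))


if __name__ == "__main__":
    print(slow_guessing())
    print(lowered_threshold(True), lowered_threshold(False))
    print(lockout_window(1800), lockout_window(INFINITE))
```

Because failures never age out, an account that already carries old failures can lock on a single new failure after the threshold is lowered, which is worth checking before tightening the setting on a production server.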
Accessing the Security Role Manager

You can access the Security Role Manager in the following ways:
■ Directly from the Symantec Management Console Settings menu. The Security Role Manager opens with your security role selected, and the All Data Classes view shown.
■ From the right pane of the Roles page. The Security Role Manager opens with the appropriate security role selected, and the All Data Classes view shown.
■ From the Actions menu for a security role. The Security Role Manager opens with the appropriate security role selected, and the All Data Classes view shown.
■ From the right-click menu for an item or folder in the left pane. You would normally use this method to set permissions on a particular item or folder. The Security Role Manager opens with your security role selected, and the appropriate folder selected.
See “About the Security Role Manager” on page 260.
See “Assigning security permissions to folders and items” on page 262.
See “Customizing permission inheritance” on page 263.
See “Taking ownership of a folder or item” on page 265.

To access the Security Role Manager from the Symantec Management Console menu
◆ In the Symantec Management Console, on the Settings menu, click Security > Permissions.

To access the Security Role Manager for a specific security role
1 In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2 In the left pane, click Account Management > Roles.
3 On the Roles page, in the left pane, click the security role that you want to configure.
4 Do one of the following:
   ■ In the right pane (the Security Role Name page), click Show Security Role Manager Console.
   ■ Click Actions > Security Role Manager.
   ■ Right-click the security role that you want to configure and then click Security Role Manager.
To access the Security Role Manager for a specific folder
1 In the Symantec Management Console, open a view that contains the folder on which you want to set security permissions.
2 In the left pane, right-click the folder and then click Security.

Assigning security permissions to folders and items

You can specify the non-inherited permissions that apply to each folder or item for each security role. These are combined with the permissions that are inherited from the parent folder. The combined permissions determine the access that the security role has to that particular folder or item. By default, any child folders or items inherit the combined set of permissions.
See “About security role permissions” on page 255.
See “About the Security Role Manager” on page 260.
See “Accessing the Security Role Manager” on page 261.

Assigning security permissions to folders and items is a step in the process of setting up Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 229.

To assign security permissions to folders and items
1 In the Security Role Manager, in the Role drop-down list, select the security role for which you want to set permissions.
2 (Optional) In the View drop-down list, select an item category to view the folder structure that contains the relevant items. If you want to view the full folder structure, select All Items.
3 In the left pane, select the folder or item for which you want to set permissions.
4 On the right pane, in the Noninherited panel, make the appropriate changes to the permission settings.
5 (Optional) If you want to configure permission inheritance for this folder or item, click Advanced. See “Customizing permission inheritance” on page 263.
6 Click Save changes.

Customizing permission inheritance

By default, permission inheritance is enabled for all folders and items.
Child folders and items inherit the security permissions for each role that is assigned to a folder. The inherited permissions cannot be modified on the child folders and items, but additional non-inherited permissions can be specified. The non-inherited permissions are applied directly to the folder or item and can be modified at any time. The permission settings on each folder or item are the combination of both the inherited and non-inherited settings. The combined set of permissions is then applied to any child folders or items. Any changes to permission settings for a folder are immediately applied to all of its child folders or items.
See “About security role permissions” on page 255.
See “About the Security Role Manager” on page 260.
See “Accessing the Security Role Manager” on page 261.
See “Assigning security permissions to folders and items” on page 262.

You can disable permission inheritance for any folder or item. This lets you remove some of the inherited permissions from the folder or item, but preserve them on its parent folder. The permission inheritance settings that you apply to a folder or item apply to every security role. You cannot customize inheritance settings for particular roles.

Warning: Disabling permissions inheritance on a folder or item can cause unexpected denials of access for user accounts. If you disable permissions inheritance, ensure that there are explicitly specified permissions on the folder or item for user accounts to have the appropriate access.

You can also remove all non-inherited permissions from folders or items, leaving only the inherited permissions. You may want to remove all non-inherited permissions to remove custom permissions that have been added to child folders or items. You may also use this feature to restore a standard set of permissions on all child folders and items.
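The inheritance rules in this section, together with the rule from “About security role permissions” that deleting needs both the Delete privilege and the Delete permission, are modeled below with a dry-run check for the access that disabling inheritance would take away. This is an added example, not Symantec code: the Item class, the role names, and the folder tree are hypothetical, and the "copy" and "remove" modes stand for the Copy and Remove choices in the procedure that follows.

```python
class Item:
    """A folder or item in the console tree (hypothetical model, not a product API)."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        self.inherit = True  # one switch per item; it applies to every security role
        self.own = {}        # role -> set of non-inherited permissions
        if parent is not None:
            parent.children.append(self)

    def grant(self, role, *perms):
        self.own.setdefault(role, set()).update(perms)

    def inherited(self, role):
        if self.parent is None or not self.inherit:
            return set()
        return self.parent.effective(role)  # the parent's combined set flows down

    def effective(self, role):
        return self.inherited(role) | self.own.get(role, set())

    def subtree(self):
        yield self
        for child in self.children:
            yield from child.subtree()

    def roles_in_scope(self):
        """Roles that hold any permission here or on an ancestor still inherited from."""
        roles, node = set(), self
        while node is not None:
            roles |= set(node.own)
            node = node.parent if node.inherit else None
        return roles

    def disable_inheritance(self, mode):
        if mode not in ("copy", "remove"):
            raise ValueError("mode must be 'copy' or 'remove'")
        if mode == "copy":  # merge the current inherited set into the non-inherited set
            for role in self.roles_in_scope():
                self.grant(role, *self.inherited(role))
        self.inherit = False  # later changes on the parent no longer reach this item

    def replace_on_children(self):
        for node in self.subtree():
            if node is not self:
                node.own.clear()  # descendants keep only what they inherit


def can_delete(privileges, role, item):
    """Page rule: the Delete privilege and the Delete permission are both required."""
    return "Delete" in privileges.get(role, set()) and "Delete" in item.effective(role)


def access_lost(item, mode):
    """Dry run: permissions each role would lose on item and its descendants."""
    nodes = list(item.subtree())
    roles = set().union(*(n.roles_in_scope() for n in nodes))
    before = {(n.name, r): n.effective(r) for n in nodes for r in roles}
    saved_own = {r: set(p) for r, p in item.own.items()}
    saved_inherit = item.inherit
    item.disable_inheritance(mode)
    lost = {}
    for n in nodes:
        for r in roles:
            gone = before[(n.name, r)] - n.effective(r)
            if gone:
                lost[(n.name, r)] = sorted(gone)
    item.own, item.inherit = saved_own, saved_inherit  # undo the dry run
    return lost


def build_sample():
    """Constructed tree and role names, for illustration only."""
    root = Item("Policies")
    patch = Item("Patch", root)
    job = Item("Deploy-Critical", patch)
    root.grant("Helpdesk", "Read")
    root.grant("Patch Admins", "Read", "Write", "Delete")
    patch.grant("Patch Admins", "Enable Policy")
    return root, patch, job


if __name__ == "__main__":
    root, patch, job = build_sample()
    print(sorted(job.effective("Patch Admins")))
    print(access_lost(patch, "remove"))
    print(access_lost(patch, "copy"))
```

In the sample tree, removing inherited permissions on the Patch folder also strips them from every item below it, which is the unexpected denial of access that the warning above describes.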
Customizing permission inheritance is an optional step in the process of setting up Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 229.

To customize permission inheritance for a folder or item
1 In the Security Role Manager, in the left pane, select the folder or item for which you want to configure permission inheritance.
2 In the right pane, click Advanced.
3 In the Permissions for: Item Name window, in the Account/Group/Role list, select the security role or user account for which you want to configure permissions. If you want to add another security role or user account to the list, click Add. In the Role Selection window, choose the appropriate security role or user account. See “Role Selection window” on page 265.
4 (Optional) In the Permissions for panel, change the permissions that are assigned to the selected security role for this folder or item. You can use this feature only for the non-inherited permissions. You cannot edit the inherited permissions.
5 Take any of the following actions:
   To inherit permissions from the parent folder | Check Inherit the permission entries from parent object that apply to child objects. The inherited permission settings on the folder or item are updated to reflect the current permission settings on the parent folder.
   To disable permissions inheritance | Uncheck Inherit the permission entries from parent object that apply to child objects. You have the choice of copying the current inherited permissions from the parent folder, or removing all inherited permissions. Any subsequent changes to the permission settings on the parent folder do not affect the permission settings on the folder or item.
   To remove all non-inherited permissions from child folders and items | Check Replace permissions on all child objects. The non-inherited permissions settings are cleared on all child folders and items, leaving only the inherited permissions.
6 Click Save changes.
7 (Optional) If you have disabled permission inheritance, in the Inherited Permissions Behavior dialog box, click the appropriate option:
   Copy | The current inherited permissions are merged with the non-inherited permission settings on this folder or item.
   Remove | The current inherited permissions are cleared, leaving only the non-inherited permissions. Ensure that you have the appropriate non-inherited permissions on the folder or item before you select this option.
8 Click Cancel to close the Permissions for: Item Name window.

Role Selection window

The Role Selection window lets you choose a security role to add to the list of those available in the Permissions for: Item Name window.
See “Customizing permission inheritance” on page 263.

Table 11-28 Options on the Role Selection window
Option | Description
Role list | The list of security roles that are available for selection.
Select | Adds the selected security role to the list of those available in the Permissions for: Item Name window.
Advanced | Opens the Select Accounts or Groups window, letting you select the appropriate user accounts.

Taking ownership of a folder or item

You can also use the Security Role Manager to take ownership of an item. This may be required if permissions on an item are removed accidentally so that the owner no longer has access to it. By taking ownership, you can reset the appropriate permissions and restore access for the original owner.

To take ownership of a folder or item, you require the Take Ownership privilege and the Full Control permission on the folder or item. The Symantec Administrator role has this privilege, and has this permission on all items and folders.
See “About the Security Role Manager” on page 260.
See “About security role permissions” on page 255.
See “Accessing the Security Role Manager” on page 261.
See “Assigning security permissions to folders and items” on page 262.
See “Customizing permission inheritance” on page 263.

To take ownership of a folder or item
1 In the Security Role Manager, in the left pane, select the folder or item for which you want to take ownership.
2 In the right pane, click Advanced.
3 In the Permissions for: Item Name window, click Take Ownership.
4 Click Save changes.
5 Click Cancel to close the Permissions for: Item Name window.

About credential manager

Credential manager provides a secure storage location for user names and passwords. Your installed management solutions define the types of credentials that the credential manager stores.
See “About security role permissions” on page 255.
See “Credential Manager permissions” on page 260.

Access to credentials is controlled with the built-in role-based security of the Symantec Management Platform. When a credential is created, only the creator is granted access. If other users need to perform a management operation that requires a credential, then they must be assigned the rights.
See “Creating a credential” on page 266.

Before you delete a credential, make sure that the credential is not required as part of an active management task.
See “Editing a credential” on page 267.

Creating a credential

Management solutions typically create credentials when they are needed to perform a task. To define a credential manually, you need to know the credential type that is used and the information that is required for that credential type.
See “About credential manager” on page 266.

When a credential is created, only the creator is granted access. Additional users and groups are assigned access by editing the credential after it is created.
To create a credential
1 In the Symantec Management Console, on the Settings menu, click All Settings.
2 In the left pane, click Monitoring and Alerting > Credential Settings > Credentials Management.
3 In the right pane, click Add Credentials.
4 In the Add Credential dialog box, select a credential type and then provide the required values.
5 Click OK.

Editing a credential

Editing a credential lets you update the password and lets you grant access to additional users and groups.
See “About credential manager” on page 266.

To edit a credential
1 In the Symantec Management Console, on the Settings menu, click All Settings.
2 In the left pane, click Monitoring and Alerting > Credential Settings > Credentials Management.
3 In the right pane, select a credential and then click Edit.
4 In the Edit Credential dialog box, update the credential, and then click OK to save your changes.

Chapter 12 Configuring Schedules

This chapter includes the following topics:
■ About Symantec Management Platform schedules
■ Managing shared schedules
■ Configuring a schedule
■ Viewing the Notification Server internal schedule calendar

About Symantec Management Platform schedules

Symantec Management Platform schedules let you perform both once-off and repeating operations on the Notification Server computer and the managed computers at appropriate times, without requiring manual intervention. For example, resource filters need to be updated frequently, the CMDB needs to be purged regularly, and packages must be refreshed at appropriate intervals. All of these tasks should be scheduled to run at whatever times and frequencies best suit the needs of your organization.
See “Viewing the Notification Server internal schedule calendar” on page 276.
See “How Symantec Management Platform uses schedules” on page 273.
Symantec Management Platform uses two types of schedules:
   Shared | These are defined on Notification Server as shared items that are available for any scheduled operation to use. See “Managing shared schedules” on page 274.
   Custom | These are configured independently within each task, policy, or rule that is scheduled. They cannot be shared with any other tasks, policies, or rules.

Table 12-1 Components of a schedule
Component | Description
Active period and time zone | The active period and time zone define the time period within which a schedule may occur. See “About schedule active periods and time zones” on page 270.
Triggers | A trigger is an event that causes the schedule to become active. A trigger may be a specific time and date, or an event such as a user logging on to a computer. Triggers control when the schedule occurs and repeats. If a schedule contains multiple triggers, it runs each time that any one of its triggers occurs. See “About schedule triggers” on page 270.
Modifiers | Modifiers are the additional conditions that are required for the schedule to be triggered. See “About schedule modifiers” on page 272.

About schedule active periods and time zones

A schedule may occur only within its active period.
See “About Symantec Management Platform schedules” on page 269.

All schedules, triggers, and modifiers have the following properties:
   Time Zone | The time zone in which the task is scheduled to run. The time zone may be Local, Server, or UTC.
   Start Date | The date and time when the schedule's active period begins. A schedule cannot be triggered before its start date.
   End Date | The date and time when the schedule's active period ends. If the end date is not specified, the schedule remains active indefinitely. A schedule cannot be triggered after its end date.

A schedule cannot run outside its active period.
This applies even if the schedule was triggered within its active period, but was prevented from running at that time by a modifier.

About schedule triggers

A trigger is an event that causes the schedule to become active.
See “About Symantec Management Platform schedules” on page 269.

Table 12-2 Schedule triggers
Trigger | Description
Once | The task occurs at a specified date and time.
Daily | The task recurs on a daily basis. The frequency can be specified to be a particular number of days. For example, a task can be scheduled every second day.
Weekly | The task recurs on a weekly basis. The day of the week can be specified, as can the frequency of the weeks.
Monthly by date | The task recurs on specified dates of the month.
Monthly by day of week | The task recurs on specified days of the week, in specified weeks.
Yearly by date of month | The task recurs on specified dates of the month, in specified months.
Yearly by day of week | The task recurs on specified days of the week, in specified weeks, in specified months.
At system startup | The task recurs at system startup.
At user logon | The task recurs whenever a user logs on.

Schedule triggers may have the following properties:

Table 12-3 Schedule trigger properties
Property | Description
Exact | Determines the behavior when a scheduled task cannot be performed at the exact time at which it is scheduled:
■ True - Perform the scheduled task at the exact time, or not at all. If the conditions are such that the task cannot be performed at the exact scheduled time, the scheduled task is not performed.
■ False - Perform the scheduled task at the exact time, or as soon as possible afterwards. If the task cannot be performed at the exact time for any reason, it is performed as soon as possible after the scheduled time.
For example, a task is scheduled to run every night at 2:00 A.M., but the computer is always off at that time. The Exact setting lets you run the task whenever the computer is turned on after that time.
This property applies to logon, startup, and other events, as well as specified times.
Duration | The length of time that the schedule is active. The duration may be up to 24 hours.
Repetition | The interval at which the task should be repeated during the schedule's active period. The repetition interval may be up to 24 hours.

About schedule modifiers

A schedule may contain one or more modifiers. Modifiers are the conditions that must be true to enable any of the triggers to start the schedule. All of the modifiers apply to all of the triggers.
See “About Symantec Management Platform schedules” on page 269.

Table 12-4 Schedule modifiers
Modifier | Description
Only when a user is logged on | When the trigger occurs on a target computer, the Symantec Management Agent on that computer checks to ensure that a user is logged on before it runs the schedule. If no user is logged on, the schedule is not run on that computer.
Only when no user is logged on | When the trigger occurs, the target computer is checked to ensure that no user is logged on. If a user is logged on, the schedule is not run on that computer.

How Symantec Management Platform uses schedules

Symantec Management Platform uses schedules for tasks and policies.
See “About Symantec Management Platform schedules” on page 269.

Table 12-5 describes how Symantec Management Platform uses schedules.

Table 12-5 Schedule uses
Use | Description
Scheduling server tasks and server policies | Many Symantec Management Platform operations are scheduled to occur at regular intervals. Some of these operations need to be performed frequently.
For example, updating the membership of resource groups and filters, or they may be less frequent, such as purging old records from the CMDB. These schedules are usually configured to repeat at regular intervals, and they remain active for an indefinite period.
Scheduling agent tasks | Schedules may be used when you want to perform operations on managed computers. For example, rolling out a patch to fix a vulnerability in an application or gathering inventory for compliance purposes. You would usually want to perform the operation as soon as possible, and you would want to perform it one time only.
You can schedule agent tasks to run:
■ Immediately
■ Immediately, if a maintenance window is open
■ The next time a user logs on to the computer
■ The next time the computer is started.
On some occasions you may want to schedule the operation to take place at a specific date and time. For example, 9:00 P.M. next Sunday evening, to ensure that it does not interfere with the user's ability to work. On rare occasions you may need to schedule a task to repeat. However, a repeating operation would usually be considered a task-based policy.
Scheduling agent policies | An agent policy is a statement about how a computer should be managed. For example, an agent policy may do the following:
■ Disallow software from being run
■ Require software to be installed
■ Require that inventory information about a computer be no older than N days
To function correctly, some agent policies need to be scheduled to run at appropriate intervals. For example, a software compliance policy needs to periodically check that the computer is in compliance, and perform the appropriate remediation if it is not. Likewise, an inventory policy needs to ensure that the inventory data is current. These schedules are usually recurring schedules with a possible repetition during the working day.
Agent policies are often scheduled to run when the computer starts up, or when a user logs on. When you set up these schedules, you also need to consider how they interact with the maintenance windows that are configured on the managed computers.
Scheduling agent maintenance windows | A maintenance window schedule is essentially a recurring schedule that has a duration. You do not need to schedule maintenance windows using computer startup, user logon, or other events. Maintenance windows have no need for any repetition during the working day.

Managing shared schedules

Any number of scheduled items (such as policies, tasks, or replication rules) may use a shared schedule. The alternative to using a shared schedule is to define a custom schedule within the policy or task.
See “About Symantec Management Platform schedules” on page 269.

Shared schedules cannot override maintenance windows. If you want a scheduled item to run outside a maintenance window, you need to configure the appropriate custom schedule.

A set of default shared schedules is supplied with Symantec Management Platform. You can modify these to suit your requirements, but you cannot delete them. For example, you can configure the business hours schedule to run at regular intervals during your normal working hours. You may configure the package refresh schedule to run at a suitable time outside working hours. You can also create any new shared schedules that you require and delete them when they are no longer required.

You can enable or disable each shared schedule as appropriate. All enabled shared schedules are available to any scheduled item. If you disable a shared schedule, any scheduled item that uses the schedule is disabled.
See “Viewing the Notification Server internal schedule calendar” on page 276.

To manage shared schedules
1 In the Symantec Management Console, on the Settings menu, click Notification Server > Shared Schedules.
2 In the Shared Schedules page, do any of the following:
   To add a new schedule | Click Add Schedule and then, in the Schedule Editor, specify the appropriate details. See “Configuring a schedule” on page 275.
   To edit a schedule | Click the schedule name and then, in the Schedule Editor, specify the appropriate details. See “Configuring a schedule” on page 275.
   To enable a schedule | Check the appropriate check box. If you want to disable the schedule, clear the check box.
   To delete a schedule | At the right end of the appropriate row, click Delete.
   To see which items currently use a schedule | In the Items Currently Using drop-down list, select the appropriate schedule. The names of all the items (such as tasks, policies, and replication rules) that use the selected schedule are shown in the lower panel.

Configuring a schedule

The Schedule Editor lets you configure a schedule to suit your requirements.
See “About Symantec Management Platform schedules” on page 269.
See “Managing shared schedules” on page 274.

To configure a schedule
1 In the Schedule Editor window, in the Name box, type the schedule name.
2 Under Schedule Task, select the schedule frequency or trigger.
3 In the Details tab, specify the schedule start time, and the days, weeks, or months on which to run.
4 If you want the schedule to be active for a particular range of dates, in the Advanced tab, specify the appropriate start and end dates. By default a new schedule is active as soon as it is created (from the current date). The schedule remains active indefinitely (no end date is specified).
5 If you want the schedule to repeat a task at regular intervals each time the schedule runs, in the Advanced tab, check Repeat Task. Specify the appropriate frequency and duration.
6 If you want this schedule to contain multiple schedules, check Use Multiple Schedules.
7 For each additional schedule that you want to add to this schedule, click New, and then complete steps 2 to 5.
8 If you want to remove a schedule, in the Will Occur drop-down list, select the appropriate schedule and then click Delete.
9 Click OK.

Viewing the Notification Server internal schedule calendar

You can view Notification Server schedule information in the Notification Server internal schedule calendar. The scheduled items that you can view in the Calendar include tasks running on Notification Server, policies, and automation policies. They also include shared schedules, blockout periods, maintenance windows, and Notification Server internal schedules. Symantec solutions may add additional scheduled items to the calendar. See “About Symantec Management Platform schedules” on page 269.

The following types of scheduled items are displayed:

Period items: These define only a start time, and run for an indefinite period. Examples include maintenance windows, blockout periods, and shared schedules.
Event items: These have a defined end time. Examples include tasks, jobs, custom schedules, and policies. Note that policies are not always run at the times that are shown in the calendar. Policies are not as deterministic as tasks, so may be subject to delay. Tasks and jobs are always run at the times that are shown in the calendar.

The Calendar view lets you see what schedules are configured for particular time periods, such as specific days, weeks, or months. In both the Week view and the Month view, you can click a particular day to open the Day view for that day.

Some scheduled items use shared schedules, rather than define their own schedules. Shared schedule relationships are represented in the left pane of the Day view. The scheduled items are grouped under the shared schedule to which they refer.
Each schedule has an associated symbol that links it to the appropriate configuration page, if one is available. You can click the symbol to drill down to the configuration page, which opens in a new window. If no configuration page is available for a schedule, the default calendar symbol is used and no drill-down functionality exists.

See “Managing shared schedules” on page 274. See “Configuring a schedule” on page 275.

To view the Notification Server schedule calendar

1 In the Symantec Management Console, in the Settings menu, click All Settings.
2 In the left pane, expand Settings > Notification Server and then click Internal Schedules Calendar.
3 On the Calendar View for Internal NS Schedules page, in the View drop-down list, select the view that you want to use:

Automation Policies: Shows the details of automation policies only.
Tasks/jobs: Shows the details of scheduled tasks and jobs only.
Shared schedules: Shows the details of shared schedules only.
Internal NS schedules: Shows the details of internal Notification Server schedules only.
All server schedules: Shows the details of all schedules.

4 Select the time period that you want to view by clicking the appropriate symbol:

Day: Shows the details of each schedule that runs one or more times per day. The schedules are listed in order of their start times. The left pane lists the schedules, and the right pane shows their occurrences in the calendar. Day view is the default view. Each occurrence of a period item is displayed as a diamond. Each occurrence of an event item is normally displayed as a bar, but those that occur with very short intervals are displayed as small diamonds. For clarity on screen, events with an interval less than 15 minutes (by default) are omitted. The background color identifies the business hours that are defined for the organization.
Week: Shows the details of each schedule that runs less than one time per day but at least one time per week.
Month: Shows the details of each schedule that runs less than one time per week. Period items are omitted and event items are summarized to their start times, end times, and titles.

5 To view earlier or later time periods, click Previous or Next, whichever is appropriate.

Chapter 13 Configuring site servers

This chapter includes the following topics:
■ Managing sites
■ Managing site servers
■ About configuring the site service settings
■ About package server for Linux

Managing sites

You need to set up all the sites that you require in your organization. You can run a site import rule to automatically collect the site information for your organization from Active Directory. You can also create sites manually and assign the appropriate subnets and site servers to them.

To manage sites

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 Configure the sites to suit your requirements. You can do any of the following:

Create a new site: In the left pane, click New > Site. See “Creating a new site” on page 281.
Modify a site: In the left pane, select the site that you want to modify, and then click Configure. See “Modifying a site” on page 281.
Delete a site: In the left pane, select the site that you want to delete, and then click Del. Any subnets that are assigned to the site are not deleted. They become unassigned and may be assigned to a different site. Any site servers inside the affected subnets are not used until they are assigned to a different site.
Remove a manually assigned site server from a site: In the left pane, under the site server, select the site that you want to remove, and then click Del. The site server is not affected, and it continues to serve any other sites to which it is assigned.
This option applies only to the site servers that are manually assigned to sites. A site server that belongs to a site through its subnet membership cannot be removed from that site.
Remove a subnet from a site: In the left pane, under the site, select the subnet that you want to delete, and then click Del. Deleting a subnet makes the subnet unassigned to any site. Any encompassed subnets that are not manually assigned to a site also become unassigned. Any site servers on the subnet, or the encompassed subnets, no longer serve the site. However, they continue to serve any sites to which they are manually assigned.
Manage manually assigned agents: You can assign agents to a site and remove any that you no longer require. See “Managing manually assigned agents” on page 282.

Creating a new site

You can create sites manually. When you create a site, you can assign the appropriate subnets to the site immediately. If you create a new site from the context of a subnet, then the subnet is assigned to the new site by default. If you create a site from the context of a site server, then that site server is manually assigned to the new site by default.

To create a new site

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 In the left pane, click New > Site.
3 In the New Site window, in the Name box, type the new site name.
4 If you want to assign subnets to the site immediately, specify the appropriate subnets by doing one or more of the following:

Click Add. Add a new subnet and assign it to the site. See “Creating a new subnet” on page 308.
Click Edit. Assign existing subnets to the site. In the Select Subnets window, select the appropriate subnets, and then click OK.
Click Delete. Remove the selected subnets from the list of those to be assigned to the site.

5 Click OK.

Modifying a site

You can modify existing sites as required.
You can change the site name, the subnets that are assigned to it, and the site services that are installed on its site servers.

To modify a site

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 In the left pane, select the site that you want to modify.
3 Click Configure.
4 If you want to modify the site servers that are manually assigned to the site, in the Add/Remove Services window, make the appropriate selections. Adding or removing services manually does not affect site servers that are assigned to the site by subnet IP address encompassment.
5 If you want to change the site name, in the Edit Site window, in the Name box, type the new name.
6 If you want to change the subnets that are assigned to the site, specify the appropriate subnets by doing one or more of the following:

Click Add. Add a new subnet and assign it to the site. See “Creating a new subnet” on page 308.
Click Edit. Assign existing subnets to the site. In the Select Subnets window, select the appropriate subnets, and then click OK.
Click Delete. Remove the selected subnets from the list of those to be assigned to the site.

7 When the subnet list is complete, click OK.
8 Click OK.

Managing manually assigned agents

A manually assigned agent is a computer that has been manually assigned to a site rather than assigned through its subnet. You may want to manually assign particular computers to a site to break away from the subnet assignment. You can manually assign new agents to a site by assigning the relevant resource targets to the site. You can remove any agents that you don’t want in the site by assigning the appropriate resource targets to a different site.

Note: When the manually assigned agent is a Task Server, the change does not formalize unless you reset the Symantec Management Agent on the computer.
One way to reset the Symantec Management Agent is to click Reset Agent in the Task Status tab in the Symantec Management Agent. Another way is to run the Reset Task Agent task on the computer.

To manage manually assigned agents

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 In the left pane, expand the site or site server that you want to modify, and then click Manually Assigned Agents.
3 On the Manually Assigned Agents page, do any of the following:

Add manually assigned agents to a site: Click New and then, in the Select a group window, select or create the appropriate resource targets.
Reassign manually assigned agents to another site: This option is available only under the Site node, not the Site Services node. Select the appropriate resource targets, and then click Assign to Site. In the Select a site window, select the appropriate site, and then click OK.
Remove manually assigned agents from a site: Select the appropriate resource targets, and then click Delete.

Managing site servers

You need to create all the site servers that you require in your organization and assign them to the appropriate sites. You can also modify existing site servers by adding or removing site services. See “About site services” on page 39.

When a site server is selected, the Site Services page shows statistics for each site service that is installed on it. The collapsed view shows summary details, while the expanded view opens a pane for each site service that shows full details and graphical information. Each site service pane also includes a link to the corresponding global settings configuration page. See “About package service settings” on page 287.

The title bar for each site service contains a symbol that shows its current status:

Green: The service is installed and running on the site server.
Yellow: The service is not currently installed on the site server.
Orange: The service is in a warning state.
Red: The service is unusable. A package is invalid.

To manage site servers

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 Configure the site servers to suit your requirements. You can do any of the following:

Create a site server: In the left pane, click New > Site Server. See “Creating and modifying site servers” on page 284.
Modify a site server: In the left pane, select the site server that you want to modify, and then click Configure. See “Creating and modifying site servers” on page 284.
Manually assign a site server to a site: Select the appropriate site server, and then click Assign to Site. See “Assigning a site server to a site manually” on page 286.
Remove a manually assigned site server from a site: In the left pane, under the site server, select the site that you want to remove, and then click Del. The site server is not affected, and it continues to serve any other sites to which it is assigned. This option applies only to the site servers that are manually assigned to sites. A site server that belongs to a site through its subnet membership cannot be removed from that site.

Creating and modifying site servers

You can create the site servers that you require by selecting the computers that you want to use and specifying the site services that you want to install on each. You can modify existing site servers by adding or removing site services.

Notification Server deploys the appropriate installation packages to the selected computers, and removes any that are no longer required. The changes are made when the Symantec Management Agents on the target computers make their next configuration request, so it may not happen immediately.

See “About site services” on page 39. See “Managing site servers” on page 283.
To create and modify site servers

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 Do one of the following:

Create a new site server:
  1 In the left pane, click New > Site Server.
  2 In the Select Computers window, select the computers to which you want to add site services. The list in the left panel contains all the computers that are available to be used as site servers. When you install the Symantec Management Platform, you need to allow a few minutes for the system to populate this list.
  3 Click OK to confirm your selection.
Modify a site server:
  1 In the Detailed Information table, ensure that the Site Servers view is selected, and then select the appropriate site server.
  2 Click the Edit symbol.

3 In the Add/Remove Services window, check the appropriate check boxes to select the site services that you want to install on each computer. All of the available site services are listed under each computer, allowing you to select any combination of services for each computer. The check boxes for any service types that are not allowed to be installed on a particular computer are grayed out. You can group the list by site servers or by services. Selecting a parent node on the list selects all of its children. If any check box is already checked, that indicates the corresponding site service is already installed. If you want to remove it, uncheck the check box.
4 Click Next. The installation and uninstallation actions that you have specified are displayed. If necessary, click Back to return to the previous page and change your selection.
5 Click OK.

Assigning a site server to a site manually

Site servers automatically serve the site to which their parent subnet is assigned. Site servers may have multiple NICs/IPs and be in more than one subnet, so may therefore belong to more than one site.
You can also manually assign each site server to one or more other sites. The Manually Assigned column in the Detailed Information table indicates whether the site server is manually assigned to the site. See “Managing site servers” on page 283.

When you manually assign a site server to a site, only the site server is assigned to the selected site. The subnet to which the site server belongs is not affected.

To assign a site server to a site manually

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 In the Detailed Information table, ensure that the Site Server view is selected, and then select the appropriate site servers.
3 Click Assign to Site.
4 In the Select a Site window, select the site to which you want to assign the site server.
5 Click OK.

About configuring the site service settings

The site service settings are usually global default settings. Any changes that you make to the settings for a particular site service type are applied to all site services of that type. However, some site service types may have settings that can be configured on individual services, overriding the global defaults. For example, each package server can be configured as Constrained or Unconstrained, overriding the default setting.

You can view and modify the global settings for each site service. Each site service, such as package servers, has a page that lets you edit its global settings. In the left pane, each installed service is shown underneath each site server. The corresponding page shows the service summary for the site server. The panel is expanded by default, rather than collapsed for statistics as on the Site Server page. The Change Settings link lets you edit the global settings for that service type.

For many services, the summary information that is shown here may be the same as the summary information expandable on the Site Server page.
However, the Symantec Management Platform allows a service to provide a different control in this context, if appropriate. For example, if there is a full page of data available, it is displayed on the site service page. A condensed data set is displayed on the Site Server page.

See “About package service settings” on page 287. See “Configuring package service settings” on page 290. See “About task service settings” on page 290. See “Configuring task service settings” on page 291.

About package service settings

The Package Service Settings page contains the global package service settings. These settings are applied to all package services that are installed on site servers in your Symantec Management Platform environment.

See “Configuring package service settings” on page 290. See “About configuring the site service settings” on page 286.

Table 13-1 Global package service settings

Setting: Package File Settings
Description: You can delete package files if they have been unused for a specified time. You can choose to remove automatic site assignments for a package that has been unused for a specified time. This feature is activated for a package when you enable the Assign packages to package servers automatically with manual prestaging option on the Package Servers tab. The Remove automatic site assignments if they are unused for setting relates to the package delivery system as a whole, not specifically to package servers. A software package that is configured for automatic assignment is automatically assigned to a site when one of the following occurs:
■ An enabled task or policy that delivers the package targets one or more computers in the site.
■ A Symantec Management Agent in the site requests the package.
An automatic assignment is flagged as unused if an agent in the site does not request the package within the specified time period.
Unused automatic site assignments are removed automatically on a schedule. The site assignment is removed even if an enabled policy or task is still associated with the package. The automatic site assignment is then restored the next time an agent requests the package. See “About removing automatic site assignments” on page 289.

Setting: Published Codebase Types
Description: You can specify the codebase types to publish to the Symantec Management Platform. You can publish the following types:
■ UNC codebase
■ IIS hosted codebase. This codebase can be either HTTP or HTTPS.

Setting: Security Settings
Description: You can allow anonymous access to package codebases. This option enables all packages that are downloaded to package servers to have anonymous access applied to the directories containing the package files. Anonymous access is also enabled for the directory security inside IIS for the hosted package server packages.

If this feature is disabled, the Agent Connectivity Credentials are used when you apply security to the package server files. The Agent Connectivity Credentials are specified on the Authentication tab on the Global Symantec Management Agent Settings page; it is a global setting for all package servers and agents. This account usually has a lower level of rights than the Application Identity account, and is a dedicated account created for use on package servers. Any HTTP virtual directories that are mapped to packages on the package server then have Windows authentication enabled.

Only authenticated users are allowed to download through UNC when anonymous access is enabled.
For example, if a package server in a non-trusted domain has anonymous access enabled on its files and the Agent Connectivity Credential (ACC) account the Symantec Management Agent uses to connect anonymously to the UNC source cannot be authenticated, access is denied and no download occurs. However, you can download through HTTP from a package server, in a non-trusted domain, using anonymous access because the ACC account does not need to be authenticated.

You can create the ACC on package servers, provided the ACC is not a domain account. During this procedure, you have the option to reenable the created local account if it has been locked out. You also can create the ACC even if the package server is also a domain controller.

Specifying a local account as the ACC facilitates the download of packages between a non-trusted domain. A local account ensures there is always a common account for all agents and package servers to use, rather than using a domain account that all parties may not trust. The local ACC account is usually specified as .\<account name> or <account name>.

For a site to function, there must be at least one unconstrained package server that is assigned to it. Unconstrained package servers can download packages from the Notification Server computer or package servers outside of its site. Constrained package servers can only operate by downloading packages from other package servers within their site that have the packages available. You need an unconstrained package server to collect any required packages from outside the site. The unconstrained package server then makes the package available to all the constrained package servers within the site. Each package server can be configured as constrained or unconstrained, overriding the default setting.
About removing automatic site assignments

The Package Service Settings page has a Remove automatic site assignments if they are unused for setting. This feature is activated for a package when you enable the Assign packages to package servers automatically with manual prestaging option on the Package Servers tab. An automatic site assignment is removed if an agent has not requested the package for a time period that exceeds the Remove automatic site assignments if they are unused for setting. See “About package service settings” on page 287.

If you check the option to remove automatic site assignments, site assignments are removed even if enabled tasks or policies are associated with the package. When a package is unassigned from a site, it is not reassigned at the next package refresh interval, even if an enabled task or policy is associated with the package. A package is reassigned to a site only if a Symantec Management Agent in the site requests the package.

When a package is unassigned from a site, the package servers that hosted the package are no longer assigned as hosts. When a package server updates its configuration, the package is not in the list of packages that the package server should host. The package server then marks the package for deletion. When the package is marked for deletion, the countdown for its deletion begins. The package is deleted when the time that is specified in Delete package files if they are unused for on the Package Service Settings is reached.

You cannot manually remove a package’s site assignment on the package’s Package Servers tab. If you manually remove a package’s site assignment on the package’s Package Server tab, the site assignment is restored when you save the changes. You also cannot remove a package’s automatic site assignment by modifying the policies that caused the assignment. To remove a package’s automatic site assignment, you must use the Remove automatic site assignments if they are unused for setting.
When you check Remove automatic site assignments if they are unused for, it is possible for a package to not get unassigned from a site when the duration that is specified is exceeded. This situation can occur if you used the Package Servers by Site option to assign a package to a site and later changed this option to Package Servers automatically with manual prestaging. Because the initial site assignment was not automatically assigned, the option that removes automatic site assignments does not remove it.

Note: You can check whether Notification Server considers a package to be automatically assigned in the SWDPackageSite table of the CMDB. If the AutoAssigned column for the package has a value of 1, the package is automatically assigned.

Configuring package service settings

You need to configure the global package service settings. These settings are applied to all package services that are installed on site servers in your Symantec Management Platform.

See “About package service settings” on page 287. See “About configuring the site service settings” on page 286.

To configure package service settings

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 In the left pane, under the Settings node, expand the Package Service folder and then click Package Service Settings.
3 On the Package Service Settings page, configure the appropriate settings:

To set the global package service settings: In the Global Package Service Settings pane, make the necessary changes.
To set up unconstrained package servers: In the Constrained Package Server Selection panel, set up each package server by checking or unchecking the Constrained check box, as appropriate. You can use the Site drop-down list to view the summary information about all the package servers in a specific site, or all sites.

4 Click Save changes.
About task service settings

The Task Service Settings page contains the task service settings. These settings are applied to all task services that are installed on site servers in your Symantec Management Platform.

See “Configuring task service settings” on page 291.

Table 13-2 Task service settings

Setting: Task update interval
Description: The intervals when the task services download new and updated tasks from Notification Server.

Setting: Minimum time between tickle attempts
Description: The minimum amount of time between tickle attempts. The tickle server sends a packet to a task server when any of its client computers have a task or job to run. It also collects status information and sends it to the client computer’s Notification Server database (CMDB).

Setting: Maximum computers to manage per Task Server
Description: The maximum number of computers that each task server should manage.

Setting: Allow maximum computers to be exceeded. . .
Description: Whether a task server can manage more computers if no other servers are available.

Setting: Send detailed task events
Description: Whether to send detailed information for each task server event, which requires more bandwidth and might slow down your network’s performance.

Setting: Automatically restart services
Description: Whether to restart the following services when configuration changes are made:
■ Symantec Object Host Service
■ Client Task Data Loader
■ WWW Publishing
The data loader runs on each task server. It receives status information from the task service and caches it in memory until it can be sent to the CMDB.

Setting: Network ports
Description: The ports to use for the Client to Task Server tickle option and the Server to NS tickle options. The ports to use for remote connections to the task server, data loader, and tickle server.

Configuring task service settings

You can apply task service settings to the task servers that computers, users, or resources use.
Notification Server applies these settings to the chosen task services that are installed on the site servers in your environment.

To configure task service settings

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 In the left pane, under the Settings node, expand the Task Service > Settings folder and then click Task Service Settings.
3 On the Task Service Settings page, configure the appropriate settings. See “About task service settings” on page 290.
4 In the Applied To panel, click Apply to to select the computers, users, or resources to which these task service settings apply. These settings apply to the task services that these computers, users, or resources use.
5 Click Save changes.

About package server for Linux

To designate a Linux computer as a package server, ensure that the computer is running the following software:

■ Symantec Management Agent 7.1 for UNIX, Linux, and Mac
This agent was previously known as the Altiris Agent for UNIX and Linux. Symantec Management Agent for UNIX, Linux, and Mac runs on a managed computer. That agent must match the version of the agent that is installed on the Notification Server computer in Symantec Management Platform. If the agent on the managed computer is older than the agent on Notification Server, upgrade it. After the agent is upgraded, the managed computer can become a package server.
■ Apache Web Server version 2.0 or 2.2
See “About integrating Apache Web Server with package server for Linux” on page 293.

The following server platforms are supported:

■ Red Hat Enterprise Linux AS 4
■ Red Hat Enterprise Linux ES 4
■ Red Hat Enterprise Linux Server 5
■ SUSE Linux Enterprise Server 10
■ SUSE Linux Enterprise Server 11

Package server for Linux supports alternate download locations.
Paths for alternate locations are converted automatically from Windows style to UNIX style if you include the trailing slash.

For example, if you have Patch Management Solution installed, you can change policy and package settings when rolling out patches. In Symantec Management Console, under Settings > All Settings > Software > Patch Management, you click a vendor settings page; for example, you would click Red Hat Settings > Red Hat Patch Remediation Settings. When you click the Policy and Package Settings tab, you see the Remediation Settings page for the selected product. This is where you can check Use alternate download location on Package Server. When you enter the alternate download location, you must use the full Windows path.

In this and similar instances, include a trailing slash in the Windows-style path to ensure that it is converted correctly to a UNIX-style path.

Correct: C:\path\
Incorrect: C:\path

Trailing slash means that the Windows path is converted correctly to /path/. If you omit the trailing slash, the Windows path is converted incorrectly.

About integrating Apache Web Server with package server for Linux

You integrate package server for Linux with the Apache Web Server to expose packages and Package Snapshots to Symantec Management Agent. Snapshots are downloaded from Notification Server to Symantec Management Agent on all supported platforms through HTTP URLs. See “About package server for Linux” on page 292.

The packages and package snapshots are always downloaded to package server directories. The only files that are created in the Apache Web Server are directories, symbolic links, and .htaccess files. Symbolic links are created to the package files and snapshot files. The .htaccess files lock down package files with passwords.

When a Linux computer becomes a package server, the agent on that computer attempts to create two main HTTP shares.
These shares are created in the Apache Web Server virtual web space, as follows:
■ /Altiris/PS/Snapshots
■ /Altiris/PS/Packages
Note /Altiris/PS This second directory is created if required.
The Package Manifest file is not used when a package server for Linux downloads a package for distribution. The exception is if the package is located in the same directory for the package server for Linux and Software Delivery. All package file permissions are set to allow Apache Web Server clients access. This access is typically through 0x744.
Depending on the specific configuration of the Apache Web Server, directories are created in the root of the web directory. An example is /var/www/html on a typical Linux Red Hat system. The package server agent reads the Apache Web Server configuration file to determine this location.
See “About detecting the Apache Web Server” on page 294.
If you choose, you can specify that package server create the directories in an alternate location. Use an Apache Web Server alias directive to specify a separate directory.
See “Requirements to configure package server and the Apache Web Server” on page 295.
See “Requirements to configure HTTPS and HTTP” on page 296.

About detecting the Apache Web Server
You can detect the Apache Web Server automatically or manually.
See “About integrating Apache Web Server with package server for Linux” on page 293.
See “Requirements to configure package server and the Apache Web Server” on page 295.
If you choose Automatic Detection, Symantec Management Agent looks for the Apache HTTPD or HTTPD2 executable in the following directory locations:
■ /bin:/usr/bin:/sbin:/usr/sbin:/usr/lbin:/usr/etc:/etc:/usr/bsd:/usr/local/bin:/usr/contrib/bin/
■ System PATH variable
■ /opt/apache/bin:/usr/apache/bin:/usr/apache2/bin:/usr/local/apache/bin:/usr/local/apache2/bin:/usr/local/bin:/opt/freeware/apache/bin:/opt/freeware/apache2/bin:/opt/freeware/apache/sbin:/opt/hpws/apache/bin:/opt/apache2:/usr/local/apache+php
If both HTTPD and HTTPD2 executables are found, then both Apache 2.0 and Apache 2.2 are installed. In addition, if both executable files are found, then the file that matches a running process is used. The default file is HTTPD2.
If the Apache Web Server cannot be detected automatically, you may need to detect it manually. The Apache Web Server might not be detected automatically if the executable file is renamed. If multiple installations have occurred, then the wrong Apache Web Server could be detected. In any of these situations, you should specify the Apache Web Server location manually.
To specify the Apache Web Server manually you should edit the [httpd Integration] section of the client.conf file in the agent. In this section, you should specify the "apache_exe_location" setting.
When the Apache Web Server executable is located, it is used to determine the default location of the Apache Web Server configuration file. The configuration file is required to determine if the Apache Web Server setup is suitable for package server use. The configuration file also lets the installation program determine the settings that are applicable to the package server. Applicable settings include the ports that are used or whether the server is SSL-enabled.
If Symantec Management Agent for UNIX, Linux, and Mac cannot find the Apache Web Server configuration file, it searches in the following locations:
■ /etc/httpd/conf
■ /etc/httpd/2.0/conf
As an alternative to Automatic Detection you can edit the [Httpd Integration] section of the Symantec Management Agent for UNIX, Linux, and Mac client.conf file. When you edit the file, specify the apache_config_location. Any setting that you change becomes the default.
You can use the Apache Web Server "-f" option during the installation to relocate the configuration file from its default location. If you relocate the file, you must specify the location of the apache_config_location.
Package server for Linux does not support mod_perl generated httpd.conf files.

Requirements to configure package server and the Apache Web Server
For the package server for Linux to work with the Apache Web Server, certain requirements must be met. When these requirements are met, the Symantec Management Agent for UNIX, Linux, and Mac sends the Apache HTTP Server role. This role allows the computer to be used as a package server for Linux.
See “About detecting the Apache Web Server” on page 294.
The configuration requirements are as follows:
■ Apache Web Server version 2.0 or 2.2 is installed.
■ The package server for Linux uses only the main Apache Web Server or the default Apache Web Server. All other virtual host sections in the Apache Web Server configuration are ignored, with the following exceptions:
  ■ The global settings and the _default_ virtual host are read for the main server settings.
  ■ The first virtual host that defines an SSL server is considered to be the main SSL server. Its settings are used for integrating and all other SSL virtual hosts are ignored.
■ The Apache Web Server web space location where the package server files and directories are to be created must have the following options enabled:
  ■ FollowSymLinks
  ■ AllowOverride
  The Apache Web Server web space location must also be accessible through anonymous HTTP. The location is virtual directory /Altiris/PS/.
  See “Requirements to configure HTTPS and HTTP” on page 296.
■ If both HTTP and HTTPS are defined for the Apache Web Server, the HTTPS server is used.
■ Non-standard ports are detected and used, but the main Apache Web Server must be accessible through the hostname of the computer. The Listen directive for the main server must come before all other Port statements and Listen directives in the configuration file.
■ The Apache Web Server must be running.
■ No compressing modules are used with the Apache Web Server. This requirement exists because Package Delivery does not support those modules.
■ You may need to restart Symantec Management Agent for UNIX, Linux, and Mac after you make changes to the httpd.conf file. The files may not take effect until after you restart the agent.

Requirements to configure HTTPS and HTTP
Symantec Management Agent for UNIX, Linux, and Mac uses whichever type of Apache Web Server is available. It can use either HTTP or HTTPS.
See “Requirements to configure package server and the Apache Web Server” on page 295.
If the Apache Web Server supports both types of Web server, the package server for Linux uses HTTPS. Integrating with SSL through HTTPS is the default option because it is the most secure. If you want to use the HTTP server, you can change the [httpd Integration] "integrate_with" setting.
We recommend one of the following approaches for installing the Apache Web Server to support package servers for UNIX and Linux:
■ Install a packaged version of Apache Web Server.
  On Linux, the distributed Apache Web Server is most suitable. This installation contains the executable files and the technical support exe files in /usr/sbin or /usr/bin.
■ Install the Apache Web Server package in the recommended location.
  An example of a suitable default location is /usr/local or /opt.
■ Leave the Configuration directory in its default location. This requirement ensures that Symantec Management Agent for UNIX, Linux, and Mac can easily detect the Apache Web Server and the configuration file.
  The default configuration directory is the location that was compiled into your .exe, or /etc/httpd/conf. If you do not move the configuration directory, you do not have to specify extra manual settings.
■ If you change the Apache Web Server configuration files while Symantec Management Agent is running, data is sent to Notification Server after a short time. After the Apache Web Server role data is sent to Notification Server, the computer becomes a candidate package server. If you want to speed up this process you should run the aex-sendbasicinventory executable file manually. Run the executable file from the shell on the client computer that is targeted for the package server installation.
  Update Notification Server with the changes.
Two configuration examples are available.
See “Package server configuration example that uses main web directory for package server links” on page 297.
See “Package server configuration example using an alias for package server links” on page 299.

Package server configuration example that uses main web directory for package server links
This configuration generally requires the minimal modification to an out-of-the-box or default Apache Web Server setup. In this configuration a virtual directory that is called /Altiris/PS is created automatically under the main Apache HTML directory.
See “Requirements to configure HTTPS and HTTP” on page 296.
The example configuration contains the following directories:
■ Snapshots
■ Packages
Symbolic links are created in these directories to each shared package. The packages themselves are stored under the package server agent VAR directory.
This configuration includes both an HTTP and an HTTPS Apache server. The package server uses the HTTPS server if it is available. The HTTPS server ensures a more secure operating environment and allows the use of Package Access credentials.
Several configuration file checks are performed. The configuration files that are listed in this section are examples. These examples are from the default installation of the Apache Web Server as part of a legacy Red Hat Linux Distribution.

Check number 1; Listen statement is as follows:
    ...
    ## When we also provide SSL we have to listen to the
    ## standard HTTP port (see above) and to the HTTPS port
    ##
    <IfDefine HAVE_SSL>
    Listen 80
    Listen 443
    Listen 10.10.10.10:8080
    </IfDefine>
    ...
Ensure that the Listen statement for each of the main servers is the first Listen statement of its type in the configuration file. The main HTTP and HTTPS servers should be the first two Listen statements. You should remove the IP or ensure that it is the same IP to which the hostname resolves, as reported to Notification Server.

Check number 2; Main directory options is as follows:
    ...
    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot "/var/www/html"
    ...
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/var/www/html">
    # This may also be "None", "All", or any combination of "Indexes",
    # "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # does not give it to you.
    Options Indexes FollowSymLinks
    # This controls which options the .htaccess files in directories can
    # override. Can also be "All", or any combination of "Options", "FileInfo",
    # "AuthConfig", and "Limit"
    AllowOverride AuthConfig
    # Controls who can get stuff from this server.
    Order allow,deny
    Allow from all
    </Directory>
    ...
Find the <Directory> node for the DocumentRoot directory, and ensure that the following options are set:
■ FollowSymLinks
■ AllowOverride AuthConfig or AllowOverride All

Check number 3; Check SSL host is as follows:
    ## SSL Virtual Host Context
    <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/var/www/html"
    ErrorLog logs/error_log
    TransferLog logs/access_log
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    ...
Ensure that the _default_ SSL virtual host has the correct port. The port should match the first SSL Listen.
Ensure that the DocumentRoot of the virtual host is the same as the DocumentRoot of the main server. The DocumentRoot of the host can be different from the DocumentRoot of the main server. The DocumentRoot of the host must have a <Directory> node that is configured with the same options that are specified in Check number 2.

Package server configuration example using an alias for package server links
You may want to keep the package server for Linux virtual directory completely separate from the Apache Web Server directory. To keep them separate, follow this configuration example. This configuration example keeps all the symbolic links out of the main Apache Web Server directory. It ensures that the FollowSymLinks options are not required in the main directory.
See “Requirements to configure HTTPS and HTTP” on page 296.
An alias is used in the Apache Web Server configuration file to separate the /Altiris/PS virtual directory. The package server for Linux automatically detects this alias and creates the required subdirectories in the correct location. The subdirectories are as follows:
■ Packages
■ Snapshots
The actual packages are downloaded to the VAR directory on the agent.
The configuration files that are used in this section are an example. The example is from the default installation of the Apache Web Server as part of a legacy Red Hat Linux Distribution.

Check number 1; Listen statement is as follows:
    ...
    ## When we also provide SSL we have to listen to the
    ## standard HTTP port (see above) and to the HTTPS port
    ##
    <IfDefine HAVE_SSL>
    Listen 80
    Listen 443
    Listen 10.10.10.10:8080
    </IfDefine>
    ...
Ensure that the Listen statement for each of the main servers is the first Listen statement of its type in the configuration file. The main HTTP and HTTPS servers should be the first two Listen statements. You should remove the IP or ensure that it is the same IP to which the hostname resolves, as reported to Notification Server.
You can use port numbers other than 80 and 443. The package server for Linux detects the ports. However, it always uses the port of the first Listen in the Apache Web Server configuration file.

Check number 2; Create Alias and aliases directory options is as follows:
    ...
    # Aliases: Add here as many aliases as you need (no limit). The format is
    # Alias fakename realname
    #
    <IfModule mod_alias.c>
    ...
    Alias /Altiris/PS /var/altiris/www/ps
    <Directory /var/altiris/www/ps >
    Options FollowSymLinks
    AllowOverride All
    </Directory>
    </IfModule>
    # End of aliases.
You should perform these steps in the following order:
■ Create both the Alias statement and the <Directory> node for the destination directory of the alias.
■ Ensure that the following options are set on that directory:
  ■ FollowSymLinks
  ■ AllowOverride AuthConfig or AllowOverride All
■ Create the destination directory.
■ Set the correct permissions on the destination directory to ensure that Apache Web Server clients can download files from there.
■ To ensure that the directory works, place a text file in it. Then browse to a URL such as http://your.server.name/Altiris/PS/testfile.txt. In this example, your.server.name and testfile.txt are your own server name and the name of the text file that you created.

Check number 3; Check SSL host is as follows:
    ...
    ## SSL Virtual Host Context
    <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/var/www/html"
    ErrorLog logs/error_log
    TransferLog logs/access_log
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    ...
Ensure that the _default_ SSL virtual host has the correct port. It should match the first SSL Listen. Ensure that its DocumentRoot is the same as the DocumentRoot of the main server.
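The checks from both configuration examples, together with the no-compression requirement listed earlier, can be run against an httpd.conf before a computer is designated as a package server. The following Python script is an added example, not Symantec's detection code: the function names and the sample configuration are constructed for illustration, and treating the first two Listen statements as the main HTTP and HTTPS servers is an assumption taken from the checks above.

```python
import re

# Constructed sample (not from a real host): the alias layout described above,
# with two deliberate problems: AllowOverride None on the alias directory and
# a compression module loaded.
SAMPLE_CONF = """\
<IfDefine HAVE_SSL>
Listen 80
Listen 443
Listen 10.10.10.10:8080
</IfDefine>
LoadModule deflate_module modules/mod_deflate.so
DocumentRoot "/var/www/html"
<IfModule mod_alias.c>
Alias /Altiris/PS /var/altiris/www/ps
<Directory /var/altiris/www/ps >
    Options FollowSymLinks
    AllowOverride None
</Directory>
</IfModule>
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    SSLEngine on
</VirtualHost>
"""

WRAPPERS = ("ifdefine", "ifmodule")  # conditional sections, treated as transparent


def parse(conf_text):
    """Return (context, directive, args) tuples; context lists the enclosing sections."""
    stack, out = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
            continue
        m = re.match(r"<(\w+)\s*(.*?)\s*>$", line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip('"').rstrip("/")))
            continue
        parts = [p.strip('"') for p in line.split()]
        ctx = tuple(s for s in stack if s[0] not in WRAPPERS)
        out.append((ctx, parts[0].lower(), parts[1:]))
    return out


def audit(conf_text, host_ip=None):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse(conf_text)
    findings = []

    # Check 1: the first two Listen statements are the main servers and carry
    # no IP, or only the IP that the hostname resolves to (host_ip).
    main = [a[0] for ctx, n, a in directives if n == "listen" and a][:2]
    for value in main:
        ip = value.rpartition(":")[0]
        if ip and ip != host_ip:
            findings.append(f"Listen {value}: bound to an IP that is not the host IP")
    main_ports = [v.rpartition(":")[2] for v in main]

    # Check 2: the /Altiris/PS web space (alias target, else DocumentRoot)
    # allows symbolic links and .htaccess authentication.
    alias = next((a[1] for ctx, n, a in directives if n == "alias"
                  and len(a) == 2 and a[0].rstrip("/") == "/Altiris/PS"), None)
    docroot = next((a[0] for ctx, n, a in directives
                    if n == "documentroot" and not ctx and a), None)
    webspace = (alias or docroot or "").rstrip("/")
    where = (("directory", webspace),)
    opts = [a for ctx, n, a in directives if n == "options" and ctx == where]
    over = [a for ctx, n, a in directives if n == "allowoverride" and ctx == where]
    if not any({"followsymlinks", "all"} & {o.lower().lstrip("+") for o in a} for a in opts):
        findings.append(f"{webspace}: Options FollowSymLinks is not set")
    if not any({"authconfig", "all"} & {o.lower() for o in a} for a in over):
        findings.append(f"{webspace}: AllowOverride must be AuthConfig or All")

    # Check 3: the first SSL virtual host uses one of the main Listen ports.
    ssl = next((ctx[0][1] for ctx, n, a in directives if n == "sslengine" and a
                and a[0].lower() == "on" and ctx and ctx[0][0] == "virtualhost"), None)
    if ssl is not None and ssl.rpartition(":")[2] not in main_ports:
        findings.append(f"SSL virtual host {ssl}: port is not a main Listen port")

    # Requirement: no compressing modules are loaded.
    for ctx, n, a in directives:
        if n == "loadmodule" and a and re.search(r"deflate|gzip", a[0], re.I):
            findings.append(f"{a[0]}: compression module is loaded")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The parser ignores Include directives and per-virtual-host <Directory> nodes, so run it against the fully assembled configuration and review the SSL virtual host's DocumentRoot separately.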
Chapter 14
Getting started with IT Management Suite

This chapter includes the following topics:
■ About the enhanced console views
■ About the Computers view
■ Searching for a computer and saving the search
■ Creating and populating an organizational view or group in the enhanced console views
■ Managing subnets
■ About the Jobs / Tasks view
■ Running a job or task using drag and drop
■ About the Policies view
■ Searching for a software and saving the search
■ Tracking the software licenses in the enhanced console views
■ About the Software Catalog window
■ About resource scoping
■ Considerations for resource scoping
■ Design considerations for resource scoping

About the enhanced console views
The enhanced console views (also known as Symantec Management Console enhanced views and enhanced Symantec Management Console views) add functionality to the management views for version 7.1 and later for computers, jobs and tasks, policies, and software. The enhanced views add a Silverlight interface. This interface increases speed, enables drag-and-drop, allows easy access to status, and enhances searching and filtering that can be used for targeting. If you install Symantec Management Platform 7.1 and accompanying versions of certain products, you can see the enhanced view.
You can access the following enhanced views through the Manage menu in the Symantec Management Console:
■ Computers
  See “About the Computers view” on page 304.
■ Software
■ Software Catalog
  See “About the Software Catalog window” on page 313.
■ Jobs / Tasks
  See “About the Jobs / Tasks view” on page 309.
■ Policies
  See “About the Policies view” on page 310.

About the Computers view
The Computers view is one of the enhanced console views in the Symantec Management Console. To access the enhanced Computers view, in the Symantec Management Console, click Manage > Computers.
See “About the enhanced console views” on page 304.
The Computers view offers three panes: a navigation pane on the left, a list of computers and a search field pane in the center, and a content pane on the right. The navigation pane contains saved searches and organizational views and groups. The computer list pane displays the computers from the selected saved search or organizational view or group. The content pane displays the details about the computer or computers that you select.
The Computers view lets you perform the following tasks:
■ Search for computers, and save the search results to re-use as a custom filter to target computers with jobs, tasks, policies, or software delivery.
  See “Searching for a computer and saving the search” on page 305.
■ Create and manage organizational views and groups.
  See “Creating and populating an organizational view or group in the enhanced console views” on page 306.
■ Drag and drop computers to organizational views and groups.

Searching for a computer and saving the search
In the Computers view, you can search for a specific computer or group of computers by applying or modifying a predefined search. You can also create a completely new search. The All Computers list is the starting point that displays all computers and all saved searches. To refine your search, you can type only the name of a computer, or you can use multiple criteria.
See “About the Computers view” on page 304.

To search for a computer and save the search
1 In the Symantec Management Console, on the Manage menu, click Computers.
2 In the list pane, in the search field, type the full name or part of the name of a computer.
  Full name: Enter the full name of a specific computer or group of computers that you want to find.
  Partial name: Enter a partial name if you want your search to return all computers that contain a specific text string anywhere in the name. To view all computers with a location prefix such as India, you can enter Ind. The search results display all the computers that contain the string.
3 (Optional) To use advanced search features, click the down-arrow next to the search field, and then select the search criterion that you want to apply.
4 (Optional) To select multiple search criteria, click the down-arrow next to the search criteria drop-down list, select a criterion, and then repeat the step to add other criteria.
  To remove a search criterion, leave its field empty.
5 (Optional) If the criterion that you want to use is not listed in the advanced search drop-down list, create a custom search criterion.
  To create a custom search criterion, do the following:
  ■ In the list pane, click the down-arrow next to the search field.
  ■ In the Add Search Criteria drop-down list, click Add Custom Criteria.
  ■ In the Add Search Criteria dialog box, check the data classes and columns that you want to use for search criteria.
    Note that selecting columns populates the search criteria in the drop-down list and makes the additional criteria available as part of your search.
  ■ Click OK.
6 To save the search, click the save icon in the advanced search area.
  Note that any field that does not contain a value is ignored in the query and is not saved when you save the search.
7 In the Save Search dialog box, in the Name field, enter a name, and then click OK.
  The saved search appears under Saved Searches in the navigation pane and becomes available for you to re-use.
8 (Optional) If you use a saved search only as a filter that you use to target jobs, tasks, or policies, and you do not want it to appear in the navigation pane, you can hide it.
  To hide the saved search, do the following:
  ■ Right-click Saved Searches, and then click Manage Saved Searches.
  ■ In the Manage Saved Searches dialog box, uncheck the box next to the search that you do not want to be displayed.
  ■ Click Close.

Creating and populating an organizational view or group in the enhanced console views
In the enhanced Computers view, you can easily create and populate organizational views and groups.
See “About the Computers view” on page 304.

To create and populate an organizational view or group
1 In the Symantec Management Console, on the Manage menu, click Computers.
2 Right-click All Computer Views, and click New > Organizational View.
3 In the Organizational View dialog box, type the name for the organizational view, and then click OK.
4 Right-click the new organizational view, and click New > Organizational Group.
  Note that you cannot add organizational groups to the default All computers organizational view.
5 In the Organizational Group dialog box, type the name for the new group, and then click OK.
6 To populate the new organizational group, do the following:
  ■ Under All Computer Views, click All Computers.
  ■ In the list pane, select the computers that you want to add to this organizational group.
    You can use the Shift or Ctrl keys to select multiple computers.
  ■ Drag the selected computers onto the new organizational group, or right-click one of the selected computers, and then click Add to organizational group. In the Add to organizational group dialog box, click the group to which you want to add the computers, and then click OK.

Managing subnets
You need to create all the subnets in your organization and assign them to the appropriate sites. You can resynchronize subnets when necessary and delete any subnets that no longer exist. Subnets can be determined from basic inventory data, imported from Active Directory, or added manually. You can run a subnet import rule to automatically collect the subnet information from Active Directory.
Subnets are always suffixed with the number of bits that are set in the network mask, for example, 192.168.0.0/24. The subnets are always displayed in a hierarchical tree. Resource scoping applies, so you can see only the subnets that contain resources to which you have access.
You need to assign each subnet to the appropriate site. By default, any encompassed subnets (a subnet whose IP range is wholly contained within another subnet) are automatically assigned to the same site. However, you can manually override subnet encompassment by explicitly assigning an encompassed subnet to a different site. By default, encompassed subnets are displayed under their parent subnets in the left pane. However, when an encompassed subnet is manually assigned to a different site from its parent, it is displayed under the site to which it is assigned.
Any site servers on a subnet are automatically assigned to the same site as the subnet. This assignment is not broken if you manually assign a site server to a different site. A site server can be manually assigned to any number of sites, in addition to the site that it serves through its subnet assignment.

To manage subnets
1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 Configure the subnets to suit your requirements.
  You can do any of the following:
  ■ Create a new subnet
    In the left pane, click New > Subnet.
    See “Creating a new subnet” on page 308.
  ■ Delete a subnet
    In the left pane, select the subnet that you want to delete, and then click Del.
    If you delete a subnet that you created manually, it is deleted permanently. However, any subnets that were imported from basic inventory or from Active Directory are restored when the data is refreshed.
  ■ Assign a subnet to a site
    On the Subnets page, select the appropriate subnet, and then click Assign to Site.
    In the Site Selection window, select the site to which you want to assign the subnet.
  ■ Resynchronize subnets
    On the Subnets page, click Re-synchronize Subnets.
    Notification Server refers to the CMDB for the current subnet information. It reads the subnet assignment that is included in the results of the latest Agent Inventory scan. Notification Server then updates the list of subnets accordingly.

Creating a new subnet
You can create new subnets manually and assign them to the appropriate sites.
See “Managing subnets” on page 307.

To create a new subnet
1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2 In the left pane, click New > Subnet.
3 In the New Subnet dialog, specify the appropriate details:
  Subnet: The subnet network address.
  Subnet mask: When you press Tab or click in this box after typing the subnet network address, a mask is automatically selected according to the following rules:
    ■ The system examines the first octet of an IPv4 address to determine if it is a class A, B, or C subnet. It then selects the appropriate default mask.
    ■ If the network address is more specific (that is, has more non-zero octets) than allowed for that class, then additional bytes are set in the default mask.
    ■ If the address is not in a recognized format, or the last octet is non-zero, then no default mask is suggested.
    You can edit the default mask manually if necessary. However, once you have manually edited the subnet mask, updating the network address in the Subnet box no longer updates the mask.
  Assign to site: The site to which you want to assign the new subnet. If you don’t want to assign the subnet to a site, select Unassigned.
4 Click OK.

About the Jobs / Tasks view
The Jobs / Tasks view is one of the enhanced console views in the Symantec Management Console.
To access the enhanced Jobs / Tasks view, in the Symantec Management Console, click Manage > Jobs and Tasks.
See “About the enhanced console views” on page 304.
The Jobs / Tasks view lets you view and work with all available jobs and tasks. For example, you can run jobs and tasks by dragging and dropping them onto one or more computers. You can also use the Quick Run option to target a job or task without drilling down manually.
See “Running a job or task using drag and drop” on page 310.

Running a job or task using drag and drop
In the enhanced Jobs / Tasks view, you can easily view, run, and schedule the jobs and tasks.
See “About the Jobs / Tasks view” on page 309.
You can run jobs and tasks by dragging and dropping them onto one or more computers. You can also use the Quick Run option to target a job or task without drilling down manually.

To run a job or task using drag and drop
1 In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.
2 In the navigation pane, click the job or task that you want to run, and drag it to the right to initiate the drag-and-drop operation.
  The results of your most recent computer search appear in the list pane. If you filtered your last computer search, the list displays the results of the filtered search.
  See “Searching for a computer and saving the search” on page 305.
3 To select the computers on which you want to run the job or task, do one of the following:
  ■ To run the job or task on all listed computers, drop it onto the title icon in the list pane.
  ■ To run the job or task on a specific computer, drop it onto the computer in the list.
  ■ To run the job or task on a saved search, organizational view, or organizational group, drag it to the Computers blade, and then drop it onto a saved search, organizational view, or organizational group.
4 In the New Schedule dialog box, specify the schedule of the job or task, and then click Schedule.

About the Policies view
The Policies view is one of the enhanced console views in the Symantec Management Console. To access the enhanced Policies view, in the Symantec Management Console, click Manage > Policies.
See “About the enhanced console views” on page 304.
The enhanced Policies view lets you view and work with all available policies. You can perform all the common functions of applying rules and remediation to computers. You can set the compliance check schedules and turn on policies. You can launch policies by dragging and dropping them onto one or more computers. You can also use the Quick apply option to target a policy without drilling down manually.

Searching for a software and saving the search
In the enhanced Software view, the search results that appear in the list pane are not automatically filtered. You can use the search and the advanced search features to narrow and refine your list, until the list pane contains the specific software.
You can save the custom software searches and reuse them later. Saved searches appear in the navigation pane, in the Installed Software subpane. You can then use the saved searches as filters to target software for tasks, jobs, and policies. You can also use saved searches to deliver software to specific computers or groups of computers.

To search for a specific software and save the search
1 In the Symantec Management Console, on the Manage menu, click Software.
2 In the navigation pane, click a saved search that you want to use as a starting point of your search.
3 In the list pane, in the search field, type the search criteria.
  You can search by full or partial software name, full or partial manufacturer name, or version.
4 (Optional) To use advanced search features, click the down-arrow next to the search field, and then select the search criterion that you want to apply.
5 (Optional) To select multiple search criteria, click the down-arrow next to the search criteria drop-down list, select a criterion, and then repeat the step to add other criteria.
6 (Optional) If the criterion that you want to use is not listed in the advanced search drop-down list, create a custom search criterion.
  To create a custom search criterion, do the following:
  ■ In the Add Search Criteria drop-down list, click Add Custom Criteria.
  ■ In the Add Search Criteria dialog box, check the data classes and columns that you want to use for search criteria.
    Note that selecting columns populates the search criteria in the drop-down list and makes the additional criteria available as part of your search.
  ■ Click OK.
7 To save the search, click the save icon in the advanced search area.
  Note that any field that does not contain a value is ignored in the query and is not saved when you save the search.
8 In the Save Search dialog box, in the Name field, enter a name, and then click OK.
  The saved search appears under Installed Software in the navigation pane and becomes available for you to re-use.
9 (Optional) If you use a saved search only as a filter that you use to target jobs, tasks, or policies, and you do not want it to appear in the navigation pane, you can hide it.
  To hide the saved search, do the following:
  ■ Right-click Installed Software, and then click Manage Saved Searches.
  ■ In the Manage Saved Searches dialog box, uncheck the box next to the search that you do not want to be displayed.
  ■ Click Close.

Tracking the software licenses in the enhanced console views
The enhanced Software view in the Symantec Management Console lets you easily perform various software management tasks.
For example, you can track software licenses.

To manage software, you must identify the software components that make up a specific software product. This action lets you track the usage and licenses for the software product. After you specify components for a software product, it appears in the Installed Products saved search.

To meter and track the software usage information, you must associate the software product with the program that runs it. In the Software Product dialog box, on the Meter / track usage tab, click Add Program to associate the software product with a program. After you perform this task, check Turn on metering / usage tracking for this software product to turn on the metering. An internal metering policy tracks all of the managed software that is metered and then generates the usage information.

Note: Application metering is a Windows-only feature. If you plan to meter software, be careful when you fill out the information in the Software Product dialog box, on the Identify inventory tab. Make sure that only the Windows version of selected software appears in the result set.

To track software licenses, you must associate a license with a software product. After you associate a license with a software product, it is listed in the Licensed saved search.

Note: To manage software licenses, you must have Asset Management Suite installed in your environment.

See “About installing the Symantec Management Platform products” on page 146.

To track software usage and software licenses

◆ In the Symantec Management Console, on the Manage menu, click Software.

About the Software Catalog window

The Software Catalog window appears within the enhanced Software view. To access the Software Catalog window, in Symantec Management Console, click Manage > Software Catalog. You can also navigate to Manage > Software, right-click Installed Software, and then click Manage Software Catalog.
In the Software Catalog window, you can perform the following software management tasks:

■ Import or add new software components and software products. You can import software even if it is not found in inventory.
■ Add the newly discovered or undefined software that you intend to manage to your list of managed software.
■ Move the newly discovered or undefined software that you do not intend to manage to your list of unmanaged software.
■ Move software products from one list to another as your needs change.
■ Delete a software product. This action cancels the association between software components and the packages through which they were delivered. When you delete a software product, its components are listed again in the Newly discovered / undefined software pane.

About resource scoping

Resource scoping provides a secure means of segregating resources into manageable, well-structured units. These units are generic in nature so they can be arranged to suit a wide variety of organizational requirements. In most cases, assessing the resource scoping requirements within your design will come down to the following questions:

■ Who should have full access to the Altiris 7 infrastructure?
■ What roles exist within the management functions of day-to-day operations?
■ What areas of functionality require specific roles and rights?
■ Does Active Directory accurately reflect our management and/or business model?
■ Do Active Directory groups exist that reflect the roles within the Altiris 7 architecture?
■ What are the types of resources that need to be managed?

Considerations for resource scoping

■ Filters are conceptually similar to Notification Server 6 collections. They are implemented differently as they are applied to targets, not policies. They are resources joined together by a defined set of criteria.
■ Targets are the intersection of organizational groups and filters.
  For example, all computers in the Finance (Group) that have less than 1 GB RAM (Filter).
■ Targets are applied to policies and tasks and can be pre-created or created at the time of application.
■ Targets can only contain the resources that the target creator has access to. They are not visible as objects anywhere in the console, but are accessible using the Quick Apply option within a task or policy.
■ Consider an organizational view to represent an administrative security structure or boundary which aligns with your IT environment.
■ Organizational views provide a simplified and secure means to group and manage resources.
■ An organizational view is a self-contained secure hierarchy of organizational groups, which contain resources.
■ All resources in an organizational view (managed and unmanaged) are scoped by default.
■ There are two types of organizational structures:
  ■ Default organizational view
  ■ Custom organizational view
■ Organizational views use a top-down security inheritance model.
■ Organizational groups contain other organizational groups and resources.
■ Security grants are assigned to organizational groups and are inherited from the organizational group above it.
■ Resource security is the combination of Scope, Security Role, and Permissions.
■ Resources obtain all their permission grants from the scope collections that they are a member of. The grants are cumulative in nature. By having permission to perform an action on a resource in one scope collection, you ensure that the user/role can continue to perform this action regardless of whether the permission is applied to other scope collections containing the resource.
■ Security roles are the user groups that let you assign privileges for administrative and worker responsibilities and assign permissions for the folders or items that those administrators and workers can view in the Symantec Management Console.
■ Out-of-the-box roles are provided with a variety of privilege grants, and roles can be assigned anywhere within the organizational view or organizational group structure, depending on the administrative scope you choose to grant.

Design considerations for resource scoping

■ Filters should be created from a single attribute. Filters can be combined to create complex targets, and by using fewer criteria you get a higher chance of re-use and lower complexity, which results in a more efficient Notification Server.
■ Resource membership within the system default view is dynamically updated, and set at a 5-minute update interval. Depending on how you plan the creation and the resource membership of your organizational structure, keep this issue in mind when identifying the overall effect of resource membership updates.
■ You should set up security roles before performing any other console security tasks and before Notification Server is deployed to your production environment.
■ Organizational views only contain resources through the organizational groups. An organizational view cannot contain any resources directly. All newly discovered resources are automatically imported into the default organizational view.
■ One resource item can belong to only one organizational group in each organizational view. When you add a resource to an organizational group, it is automatically removed from any other group to which it may be assigned.
■ Use organizational groups to apply a policy or task to selected computers, users, and resources. To do this, use an organizational group in a target. In this instance, an organizational group functions as a filter, but provides security to ensure that only the resource to which the target owner has permission is included.
■ Notification Server 7 allows multiple organizational views because administrators may have multiple ways of organizing resources.
  Therefore, you can have both a view by function and by region.
■ With the default organizational view, all resources are scoped and secure in this view; resources (managed and unmanaged) are grouped by type; and the resource membership is dynamic.
■ Only the Symantec administrator role has “full access”.
■ Mirror your Active Directory organizational model by using Active Directory Import to avoid manual creation and population.
■ Group your resources by Type.
■ There are various update processes in place, and they should be considered when you evaluate server performance:
  ■ Three Update Types (Filters, Targets, OGs)
  ■ Shared Schedules (Delta, Complete, Policy).

When designing your resource framework, use the following implementation checklist to ensure that it is completed in the correct order:

■ Identify users, security roles, and rights.
■ Create security roles.
  ■ Assign rights.
  ■ Assign user membership.
■ Create organizational views and groups structure.
  ■ Follow AD Import best practices.
  ■ Group by resource type (User, Computer).
■ Assign roles and permissions to specific organizational views and groups.
■ Generate reports for baseline system view of resources.
■ Back up the organizational view and group structure using Export .XML.

Appendix A

Symantec IT Management Suite Platform Support Matrix

This appendix includes the following topics:

■ Introduction
■ Current Shipping Information
■ Symantec Management Platform
■ Client Management Suite
■ Server Management Suite
■ Language Support

Introduction

The Symantec IT Management Suite Platform Support Matrix (PSM) has been created to provide current and future planned platform support information to interested parties.
It is organized to display supportability information based on the Symantec IT Management Suite (ITMS) components as well as by ITMS release.

Many OS and database platforms include multiple versions that are based on the same platform kernel. An example is Windows Vista, which is available as Home Basic, Home Premium, Business, and Ultimate. QA testing resources are limited; therefore, we have only included a platform in the PSM if that platform has actually been tested. This does not necessarily prevent a derivative platform from being used by a customer; however, it should be understood that if an untested derivative platform were used, support would not be provided. [1]

Any forward-looking indication of plans for products is preliminary. All future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality or feature is subject to ongoing evaluation by Symantec, and should not be relied upon in making purchasing decisions. As changes occur, an updated version of this document will be made available.

Note: The PSM includes supportability matrices for the Symantec solutions currently included in Client Management Suite (CMS), Server Management Suite (SMS) or IT Management Suite (ITMS). For additional Symantec solution support information, please refer to the solution Release Notes published with each solution.

[1] Requests to formally support currently untested platforms will be treated as an enhancement request and will be considered in the context of the numbers of customers who could benefit from support weighted against the amount of QA and Engineering effort required to provide that support.

Current Shipping Information

The current shipping version of the Symantec IT Management Suite (ITMS) is 7.1 SP2.
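The scoping rules from “Considerations for resource scoping” and “Design considerations for resource scoping” earlier in this guide (a target is an organizational group intersected with a filter and limited to what its creator can access, grants are inherited top-down and are cumulative across views, and a resource sits in one group per view) can be exercised in a small model. This is an added example, not Symantec code: the classes, functions, permission names, sample inventory, and all role names other than the Symantec administrator role are hypothetical or constructed.

```python
"""Simplified model of the resource scoping rules described in this guide.
All names are hypothetical; this is not the Symantec Management Platform API."""


class OrgGroup:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.resources = set()   # resource ids held directly by this group
        self.grants = {}         # role name -> permissions granted on this group
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def effective(self, role):
        """Top-down inheritance: own grants plus those of every group above."""
        perms = set(self.grants.get(role, ()))
        if self.parent is not None:
            perms |= self.parent.effective(role)
        return perms

    def subtree(self):
        yield self
        for child in self.children:
            yield from child.subtree()


class OrgView:
    """Self-contained hierarchy; resources live in its groups, not in the view."""

    def __init__(self, name):
        self.root = OrgGroup(name)

    def assign(self, resource, group):
        groups = list(self.root.subtree())
        if group is self.root or group not in groups:
            raise ValueError("resource must go into a group of this view")
        for g in groups:   # one group per resource per view: drop old membership
            g.resources.discard(resource)
        group.resources.add(resource)

    def group_of(self, resource):
        return next((g for g in self.root.subtree() if resource in g.resources), None)


def permissions(views, role, resource):
    """Cumulative grants: union over every view whose groups hold the resource."""
    perms = set()
    for view in views:
        group = view.group_of(resource)
        if group is not None:
            perms |= group.effective(role)
    return perms


def resolve_target(views, creator_role, group, resource_filter, inventory):
    """Target = organizational group intersected with a filter, limited to what
    the creator can read. Assumption: a group also covers its subgroups."""
    members = set().union(*(g.resources for g in group.subtree()))
    return {r for r in members
            if resource_filter(inventory[r])
            and "read" in permissions(views, creator_role, r)}


# Constructed sample inventory: resource id -> attributes.
INVENTORY = {"fin-pc-01": {"ram_mb": 512}, "fin-pc-02": {"ram_mb": 4096},
             "fin-pc-03": {"ram_mb": 768}, "eng-pc-01": {"ram_mb": 512}}


def low_ram(attrs):
    return attrs["ram_mb"] < 1024   # single-attribute filter: less than 1 GB RAM


def build_sample():
    """Two views over the same computers: by function and by region."""
    by_function, by_region = OrgView("By function"), OrgView("By region")
    finance = OrgGroup("Finance", by_function.root)
    payroll = OrgGroup("Payroll", finance)
    engineering = OrgGroup("Engineering", by_function.root)
    emea, amer = OrgGroup("EMEA", by_region.root), OrgGroup("AMER", by_region.root)
    for rid, grp in [("fin-pc-01", finance), ("fin-pc-02", finance),
                     ("fin-pc-03", payroll), ("eng-pc-01", engineering)]:
        by_function.assign(rid, grp)
    for rid, grp in [("fin-pc-01", emea), ("eng-pc-01", emea),
                     ("fin-pc-02", amer), ("fin-pc-03", amer)]:
        by_region.assign(rid, grp)
    for view in (by_function, by_region):   # full access granted at the top
        view.root.grants["Symantec Administrators"] = {"read", "apply"}
    finance.grants["Finance Helpdesk"] = {"read"}   # flows down to Payroll
    emea.grants["EMEA Operators"] = {"read", "apply"}
    return [by_function, by_region], finance, engineering


if __name__ == "__main__":
    views, finance, engineering = build_sample()
    for role in ("Symantec Administrators", "EMEA Operators", "Finance Helpdesk"):
        print(role, sorted(resolve_target(views, role, finance, low_ram, INVENTORY)))
    views[0].assign("fin-pc-03", engineering)   # moving a resource changes its scope
    print("Finance Helpdesk on fin-pc-03:", permissions(views, "Finance Helpdesk", "fin-pc-03"))
```

The same Finance and low-RAM target resolves to different computers depending on which role creates it, so a target built by a narrowly scoped role is best reviewed under that role's scope.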
Symantec Management Platform

The following section contains the Microsoft platform support matrices for the Symantec Management Platform. This section outlines which platforms are supported for the installation of Symantec Management Platform components. For information about supported agent platforms, please refer to the Symantec Client Management Suite and Server Management Suite sections provided later in this document.

Notification Server and Workflow Server

Table A-1 Notification Server and Workflow Server

Microsoft Server Operating Systems | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Microsoft Server 2003
Windows Server 2003 SP2 x86 | Supported | Supported | Not supported | Not supported
Windows Server 2003 R2 x86 | Supported | Supported | Not supported | Not supported
Windows Server 2003 R2 SP2 x86 | Not supported | Supported | Not supported | Not supported
Microsoft Server 2008
Windows Server 2008 R2 [1] | Not supported | Not supported | Supported | Supported
Windows Server 2008 R2 SP1 [1] | Not supported | Not supported | Supported | Supported

[1] The Symantec Management Platform version 7.1 will support Windows Server 2008 R2 (64-bit only) Enterprise, Standard, and Datacenter editions. Core Edition is not a supported platform.

Note: Workflow server includes the Workflow server and Process Manager Components. The support matrix for the Workflow Designer is included in the Designer and Tools section below.
Table A-2 Notification Server on a Virtual Host

Virtual Host version | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
VMware ESX 3.5 | Supported | Supported | Supported | Supported
VMware ESX 4.0 | Supported | Supported | Supported | Supported
VMware ESX 5.0 | Not supported | Not supported | Not supported | Supported
Windows Hyper-V Server 2008 R2 [1] | Not supported | Not supported | Supported | Supported

[1] It should be noted that core Hyper-V Server 2008 requires that UAC be set to a lower level (1 down from the max security level) to allow the Symantec Management Agent to work.

Note: For more details about hosting the Notification Server on a virtual host, please reference the knowledgebase article titled “Installing the Symantec Management Platform on VMware”: http://www.symantec.com/docs/HOWTO9692

Microsoft SQL Server

Table A-3 Microsoft SQL Server

Microsoft SQL Server Version | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Microsoft SQL Server 2005
Microsoft SQL Server 2005 SP2 | R5 | Supported | Supported | Supported
Microsoft SQL Server 2005 SP3 | R10 | Supported | Supported | Supported
Microsoft SQL Server 2005 SP4 | R13 | Not supported | Not supported | Supported
Microsoft SQL Server 2008
Microsoft SQL Server 2008 | R13 | Supported | Supported | Supported
Microsoft SQL Server 2008 SP1 | Not supported | Supported | Supported | Supported
Microsoft SQL Server 2008 SP2 | Not supported | Not supported | Supported | Supported
Microsoft SQL Server 2008 R2 | Not supported | Not supported | Supported | Supported
Microsoft SQL Server 2008 R2 SP1 | Not supported | Not supported | Not supported | Supported

Note: The Notification Server installation is tested with Microsoft SQL Express, Standard, and Enterprise versions x86 and 64-bit.
Using a 64-bit OS in combination with an x64 version of SQL Server is highly recommended for dedicated SQL servers that have more than 4GB of physical memory to take advantage of the memory addressing capabilities of 64-bit hardware. For additional information, please refer to the following article: http://www.symantec.com/docs/HOWTO10723

Microsoft SQL Server Collations

Table A-4 Microsoft SQL Server Collations

Microsoft SQL Server Collations | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Latin1_General_BIN | Supported | Supported | Supported | Supported
Latin1_General_BIN2 | Supported | Supported | Supported | Supported
Latin1_General_CI_AI | Supported | Supported | Supported | Supported
Latin1_General_CI_AS | Supported | Supported | Supported | Supported
Latin1_General_CS_AI | Supported | Supported | Supported | Supported
Latin1_General_CS_AS | Supported | Supported | Supported | Supported
Latin1_General_CP1_CI_AS | Supported | Supported | Supported | Supported

Microsoft IIS

Table A-5 Microsoft IIS

IIS Version | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Microsoft IIS 6 | Supported | Supported | Not supported | Not supported
Microsoft IIS 7.5 (IIS 6 compatibility) | Not supported | Not supported | Supported | Supported

Microsoft .NET

Table A-6 Microsoft .NET

.NET Version | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Microsoft .NET Framework 1.1 | Supported | Not supported | Not supported | Not supported
Microsoft .NET Framework 3.5 | Not supported | Supported | Not supported | Not supported
Microsoft .NET Framework 3.5 SP1 | Not supported | Supported | Supported | Supported

Console/Browser

Table A-7 Console/Browser

.NET Version | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Microsoft Internet Explorer 6 SP1 | Supported | Not supported | Not supported | Not supported
Microsoft Internet Explorer 7 | Supported | Supported | Supported | Supported
Microsoft Internet Explorer 8 (compatibility mode only) | Not supported | Supported | Supported | Supported
Microsoft Internet Explorer 8 | Not supported | Supported | Supported | Supported
Microsoft Internet Explorer 9 (compatibility mode only) | Not supported | Not supported | Not supported | Supported

Note: Current referenced browser support is for the 32-bit version of Internet Explorer.

Console/Silverlight

Table A-8 Silverlight versions supported

Silverlight version | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP2
Silverlight 3.x | Not supported | Not supported | Supported
Silverlight 4.x | Not supported | Not supported | Supported
Silverlight 5 | Not supported | Not supported | Supported

Workflow Designer

The Workflow Designer and Tools are the client tools used to design, publish, and debug processes. The following matrix defines the Microsoft platforms that the Designer and Tools are supported on.

Table A-9 Designer and Tools

Microsoft Windows Operating Systems | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Windows XP
Windows XP SP2 x86/x64 | Supported | Supported | Supported | Supported
Windows XP SP3 x86/x64 | Supported | Supported | Supported | Supported
Windows Vista
Windows Vista x86/x64 | Supported | Supported | Not supported | Not supported
Windows Vista SP1 x86/x64 | Supported | Supported | Supported | Supported
Windows Vista SP2 x86/x64 | Supported | Supported | Supported | Supported
Windows 7
Windows 7 x86/x64 | Supported | Supported | Supported | Supported
Windows 7 SP1 x86/x64 | Supported | Supported | Supported | Supported
Windows Server 2003
Windows Server 2003 R2 x86/x64 | Supported | Supported | Not supported | Not supported
Windows Server 2003 R2 SP2 x86/x64 | Not supported | Supported | Supported | Supported
Windows Server 2008
Windows Server 2008 SP2 x86/x64 | Supported | Supported | Supported | Supported
Windows Server 2008 x86/x64 | Supported | Supported | Supported | Supported
Windows Server 2008 R2 SP1 | Not supported | Not supported | Supported | Supported

Site Server

Any server that has either the Package Service or the Task Service installed on it is called a “Site Server”. The Site Server support matrix below indicates full support for Package and Task Services on the specified platform unless otherwise indicated. These services will also run on any supported Notification Server OS platform.

Table A-10 Site Server OS Support Matrix

Site Server Operating Systems | SMP 6.x | SMP 7.0 SP5 | SMP 7.1 SP1 | SMP 7.1 SP2
Windows 2000
Windows Server 2000 SP4 | Supported | Not supported | Not supported | Not supported
Windows 2000 Professional SP4 | Supported | Not supported | Not supported | Not supported
Windows XP
Windows XP SP2 x86/x64 [1] | Supported | Supported | Supported | Supported
Windows XP SP3 x86/x64 [1] | Supported | Supported | Supported | Supported
Windows Vista
Windows Vista x86/x64 [1] | Not supported | Support for Package Server only | Not supported | Not supported
Windows Vista SP1 x86/x64 [1] | Not supported | Support for Package Server only | Support for Package Server only | Support for Package Server only
Windows Vista SP2 x86/x64 [1] | R13 | Supported | Supported | Supported
Windows 7
Windows 7 x86/x64 [1] | R13 | Supported | Supported | Supported
Windows 7 SP1 x86/x64 [1] | R13 | Not supported | Supported | Supported
Windows Server 2003
Windows Server 2003 SP2 x86 | R5 | Supported | Supported | Supported
Windows Server 2003 SP2 x64 [1] | R9 | Supported | Supported | Supported
Windows Server 2003 R2 x86/x64 [1] | Supported | Supported | Not supported | Not supported
Windows Server 2003 R2 SP2 x86/x64 [1] | Not supported | Supported | Supported | Supported
Windows Server 2008
Windows Server 2008 x86/x64 [1] | R8 | Supported | Supported | Supported
Windows Server 2008 SP2 x86/x64 [1] | R13 | Supported | Supported | Supported
Windows Server 2008 R2 | R13 | Supported | Supported | Supported
Windows Server 2008 R2 Core | Not supported | Not supported | Not supported | Not supported
Windows Server 2008 R2 SP1 | R13 | Not supported | Supported | Supported
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 4 WS x86/x64 | Support for Package Server only [2] | Not supported | Support for Package Server only [2] | Support for Package Server only [2]
Red Hat Enterprise Linux 4 ES x86/x64 | Support for Package Server only [2] | Not supported | Support for Package Server only [2] | Support for Package Server only [2]
Red Hat Enterprise Linux 4 AS x86/x64 | Support for Package Server only [2] | Not supported | Support for Package Server only [2] | Support for Package Server only [2]
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 5.1 Server x86/x64 | Not supported | Not supported | Support for Package Server only | Support for Package Server only
Red Hat Enterprise Linux 5.2 Server x86/x64 | Not supported | Not supported | Support for Package Server only | Support for Package Server only
Red Hat Enterprise Linux 5.3 Server x86/x64 | Not supported | Not supported | Support for Package Server only | Support for Package Server only
Red Hat Enterprise Linux 5.4 Server x86/x64 | Not supported | Not supported | Support for Package Server only | Support for Package Server only
Red Hat Enterprise Linux 5.5 Server x86/x64 | Not supported | Not supported | Support for Package Server only | Support for Package Server only
Red Hat Enterprise Linux 5.6 Server x86/x64 | Not supported | Not supported | Support for Package Server only | Support for Package Server only
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 6.0 x86/x64 | Not supported | Not supported | Not supported | Support for Package Server only
Red Hat Enterprise Linux Server 6.0 x86/x64 | Not supported | Not supported | Not supported | Support for Package Server only
Red Hat Enterprise Linux 6.1 Server x86/x64 | Not supported | Not supported | Not supported | Support for Package Server only
Novell SUSE Enterprise Server
Novell SUSE Linux Enterprise Server 9 x86/x64 | Support for Package Server only | Not supported | Not supported | Not supported
Novell SUSE Linux Enterprise Server 10 x86/x64 | Support for Package Server only | Not supported | Support for Package Server only | Support for Package Server only
Novell SUSE Linux Enterprise Server 11 x86/x64 | Not supported | Not supported | Support for Package Server only | Support for Package Server only
Novell SUSE Linux Enterprise Server 11 SP1 x86/x64 | Not supported | Not supported | Not supported | Support for Package Server only
Novell SUSE Enterprise Desktop
Novell SUSE Linux Enterprise Desktop 10 x86/x64 | Support for Package Server only [2] | Not supported | Support for Package Server only [2] | Support for Package Server only [2]
Novell SUSE Linux Enterprise Desktop 11 x86/x64 | Not supported | Not supported | Support for Package Server only [2] | Support for Package Server only [2]
Novell SUSE Linux Enterprise Desktop 11 SP1 x86/x64 | Not supported | Not supported | Not supported | Support for Package Server only [2]
Sun Solaris
Sun Solaris 7 Sparc | Support for Package Server only | Not supported | Not supported | Not supported
Sun Solaris 8 Sparc | Support for Package Server only | Not supported | Not supported | Not supported
Sun Solaris 9 Sparc | Support for Package Server only | Not supported | Not supported | Not supported
Sun Solaris 10 x86/x64/Sparc | Support for Package Server only | Not supported | Not supported | Not supported
IBM AIX
IBM AIX 4.3 | Support for Package Server only | Not supported | Not supported | Not supported
IBM AIX 5.1 PPC | Support for Package Server only | Not supported | Not supported | Not supported
IBM AIX 5.2 PPC | Support for Package Server only | Not supported | Not supported | Not supported
IBM AIX 5.3 PPC | Support for Package Server only | Not supported | Not supported | Not supported
Hewlett-Packard HP-UX
Hewlett-Packard HP-UX 11 PA-RISC/IA-64 | Support for Package Server only | Not supported | Not supported | Not supported
Hewlett-Packard HP-UX 11i PA-RISC/IA-64 | Support for Package Server only | Not supported | Not supported | Not supported

[1] It should be noted that core 6.x agents running on x64 platforms currently only support running in WOW64 (32-bit emulation mode). This limits the core agent to seeing only those files and registry entries in the 32-bit environment. Starting with Notification Server 7.1, the Symantec Management Agent adds native 64-bit support.

[2] The Package Service supports Red Hat Enterprise Linux 4 WS x86/x64, and Novell SUSE Linux Enterprise Desktop version 10 and 11 when Apache Web Server has been installed. Apache Web server is not installed by default on these operating systems.

Client Management Suite

The following section includes OS support for the solutions used in Client Management Suite (CMS). This suite includes full support for the following solutions unless otherwise indicated:

■ Deployment Solution
■ Inventory for Network Devices
■ Network Discovery
■ Out of Band Management
■ Patch Management Solution
■ pcAnywhere Solution
■ Real-Time System Manager
■ Software Management Solution

Note: Although CMS 7.1 and later versions connect over SSL, Deployment Solution 7.1 SP1 and later versions do not support communication over SSL.
Client OS Support Matrix Table A-11 Agent on Client Operating 6.x Systems Client OS Support Matrix 7.0 SP5 7.1 SP1 7.1 SP2 Not Supported3 Not supported Not supported Windows 2000 Windows 2000 Professional SP4 Windows XP Supported 331 332 Symantec IT Management Suite Platform Support Matrix Client Management Suite Table A-11 Client OS Support Matrix (continued) Agent on Client Operating 6.x Systems 7.0 SP5 7.1 SP1 7.1 SP2 Windows XP Professional SP2 x86 Supported Supported Supported Supported Windows XP Professional SP2 x641 R9 Supported Supported Supported Windows XP Professional SP3 x861 R8 Supported Supported Supported Windows XP Tablet PC Edition 2005 R8 Limited support 2 Limited support 2 Limited support 2 Windows XP Embedded SP3 Not supported Limited support 2 Limited support 2 Limited support 2 Windows Embedded Standard Not supported Limited support 2 Limited support 2 Limited support 2 Windows Embedded Point of Not supported Service 1.0 Limited support 2 Limited support 2 Limited support 2 Windows Embedded Point of Not supported Service 1.1 SP3 Limited support 2 Limited support 2 Limited support 2 Windows Embedded POSReady 2009 Not supported Limited support 2 Limited support 2 Limited support 2 Supported Supported Not supported Not supported Windows Vista SP1 x86/x641 R8 Supported Supported Supported Windows Vista SP2 x86/x641 R10 Supported Supported Supported Windows Embedded Windows Vista Windows Vista x86/x641 Windows 7 Windows 7 x86/x641 R13 Supported Supported Supported Windows 7 x86/x64 SP1 R13 Not supported Supported Supported Windows 7 XP Mode Not supported Not supported Not supported Supported Red Hat Enterprise Linux 3 Symantec IT Management Suite Platform Support Matrix Client Management Suite Table A-11 Client OS Support Matrix (continued) Agent on Client Operating 6.x Systems 7.0 SP5 7.1 SP1 7.1 SP2 Limited support 4 Not supported Not supported Not supported Limited support 4 Limited support 4 Limited support 4 Limited support 4 Not supported 
Limited support 4 Limited support 4 Limited support 4 Red Hat Enterprise Linux 5.1 Not supported x86/x64 Limited support 4 Limited support 4 Limited support 4 Red Hat Enterprise Linux 5.2 Not supported x86/x64 Limited support 4 Limited support 4 Limited support 4 Red Hat Enterprise Linux 5.3 Not supported x86/x64 Limited support 4 Limited support 4 Limited support 4 Red Hat Enterprise Linux 5.4 Not supported x86/x64 Not supported Limited support 4 Limited support 4 Red Hat Enterprise Linux 5.5 Not supported x86/x64 Not supported Limited support 4 Limited support 4 Red Hat Enterprise Linux 5.6 Not supported x86/x64 Not supported Limited support 4 Limited support 4 Red Hat Enterprise Linux 6.0 Not supported x86/x64 Not supported Not supported Limited support 4 Red Hat Enterprise Linux 6.1 Not supported x86/x64 Not supported Not supported Limited support 4 Red Hat Enterprise Linux 3 WS x86/x64 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 4 WS x86/x64 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 5 x86/x64 Red Hat Enterprise Linux 6 Novell SUSE Linux Enterprise Desktop Novell SUSE Linux Enterprise Desktop 10 x86/x64 Limited support 4 Limited support 4 Limited support 4 Limited support 4 333 334 Symantec IT Management Suite Platform Support Matrix Client Management Suite Table A-11 Client OS Support Matrix (continued) Agent on Client Operating 6.x Systems 7.0 SP5 7.1 SP1 7.1 SP2 Novell SUSE Linux Enterprise Desktop 11 x86/x64 Not supported Not supported Limited support 4 Limited support 4 Novell SUSE Linux Enterprise Desktop 11 SP1 x86/x64 Not supported Not supported Not supported Limited support 4 Apple Mac OS X (10.2) PPC Limited support 5 Not supported Not supported Not supported Apple Mac OS X (10.3) PPC Limited support 5 Not supported Not supported Not supported Apple Mac OS X (10.4) Universal Limited support 5 Limited support 5 Limited support 5 Limited support 5 Apple Mac OS X (10.5) Universal Limited support 5 Limited support 5 Limited support 5 
Limited support 5 Apple Mac OS X (10.6) Limited support7 Limited support 5 Limited support 5 Limited support 5 Apple Mac OS X (10.7) Not supported Not supported Limited support 5, Limited support 5 Apple Mac OS X 6 1 Note that core 6.x agents running on Windows x64 platforms currently only support running in WOW64 (32-bit emulation mode). This limits the core agent to seeing only those files and registry entries in the 32-bit environment. Starting with Notification Server 7.1, the Symantec Management Agent adds native 64-bit support. 2 Windows Embedded support is limited. Please see the following article for conditions and limitations: http://www.symantec.com/docs/HOWTO10921 3 Microsoft ended support for Windows 2000 on July 13, 2010, hence support for Windows 2000 agents has been removed in the 7.0 SP5 release. Base agent functionality using a 7.0 SP4 agent in a 7.0 environment will provide limited functionality for the agent machines as they are upgraded. 4 The Linux agent does not support PC Transplant, Application Management, Software Virtualization Client Functionality, the WiseScript scripting tool, Symantec IT Management Suite Platform Support Matrix Server Management Suite Software Portal, Application Metering, or the ability to evaluate software detection rules that are not .rpm packages. 5 The Mac OSX agent does not support PC Transplant, Application Management, Software Virtualization Client Functionality, the WiseScript scripting tool, Application Metering, or the ability to evaluate software detection rules. 6 In 7.1 SP1, Mac OS X 10.7 is only available through a special point fix. posted on September 19, 2011. Please refer to the following article: http://www.symantec.com/docs/HOWTO58968 7 In NS 6.x, Mac OS X 10.6 support is limited to the Symantec Management Agent and basic inventory; none of the solutions support it. Basic inventory and Symantec Management Agent support is available through a special point-fix. 
Please refer to the following article: http://www.symantec.com/docs/HOWTO21457.

Server Management Suite

The following section includes OS support for the solutions used with Server Management Suite (SMS). This suite includes full support for the following solutions unless otherwise indicated: Deployment Solution [10], Inventory for Network Devices, Inventory Solution, Network Discovery, Out of Band Management, Patch Management Solution, Real-Time System Manager, Software Management Solution, and Monitor Solution for Servers.

Server OS Support Matrix

Table A-12 Server OS Support Matrix

| Agent on Server Operating Systems | 6.x | 7.0 SP5 | 7.1 SP1 | 7.1 SP2 |
|---|---|---|---|---|
| Windows Server 2000 | | | | |
| Windows Server 2000 SP4 | Supported | Not supported [2] | Not supported | Not supported |
| Windows Server 2003 | | | | |
| Windows Server 2003 SP2 x86 | R5 | Supported | Supported | Supported |
| Windows Server 2003 SP2 x64 [1] | R9 | Supported | Supported | Supported |
| Windows Server 2003 R2 x86/x64 [1] | Supported | Supported | Not supported | Not supported |
| Windows Server 2003 R2 SP2 x86/x64 [1] | Not supported | Supported | Supported | Supported |
| Windows Small Business Server (SBS) 2003 R2 x86/x64 [1] | Not supported | Not supported | Supported | Supported |
| Windows Server 2008 | | | | |
| Windows Server 2008 x86/x64 [1] | R8 | Supported | Supported | Supported |
| Windows Server 2008 SP2 x86/x64 [1] | R13 | Supported | Supported | Supported |
| Windows Server 2008 Core x86/x64 [1] | R13 | Supported | Supported | Supported |
| Windows Server 2008 R2 | R13 | Supported | Supported | Supported |
| Windows Server 2008 R2 SP1 | Not supported | Not supported | Supported | Supported |
| Windows Server 2008 R2 Core [3] | R13 | Supported | Supported | Supported |
| Windows Hyper-V Server 2008 | Not supported | Not supported | Supported | Supported |
| Windows Small Business Server (SBS) 2008 | Not supported | Not supported | Supported | Supported |
| Apple Mac OS X Server | | | | |
| Apple Mac OS X Server (10.2) PPC | Limited support [4] | Not supported | Not supported | Not supported |
| Apple Mac OS X Server (10.3) PPC | Limited support [4] | Not supported | Not supported | Not supported |
| Apple Mac OS X Server (10.4) Universal | Limited support [4] | Limited support [4] | Limited support [4] | Limited support [4] |
| Apple Mac OS X Server (10.5) Universal | Limited support [4] | Limited support [4] | Limited support [4] | Limited support [4] |
| Apple Mac OS X Server (10.6) | Not supported | Limited support [4] | Limited support [4] | Limited support [4] |
| Apple Mac OS X Server (10.7) | Not supported | Not supported | Limited support [11] | Limited support [4] |
| Red Hat Enterprise Linux 3 | | | | |
| Red Hat Enterprise Linux 3 ES x86/x64 | Limited support [5] | Not supported | Not supported | Not supported |
| Red Hat Enterprise Linux 3 AS x86/x64 | Limited support [5] | Not supported | Not supported | Not supported |
| Red Hat Enterprise Linux 4 | | | | |
| Red Hat Enterprise Linux 4 ES x86/x64 | Limited support [5] | Limited support [5] | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 4 AS x86/x64 | Limited support [5] | Limited support [5] | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 5 | | | | |
| Red Hat Enterprise Linux 5 Server x86/x64 | Not supported | Limited support [5] | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 5.1 Server x86/x64 | Not supported | Limited support [5] | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 5.2 Server x86/x64 | Not supported | Limited support [5] | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 5.3 Server x86/x64 | Not supported | Limited support [5] | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 5.4 Server x86/x64 | Not supported | Not supported | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 5.5 Server x86/x64 | Not supported | Not supported | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 5.6 Server x86/x64 | Not supported | Not supported | Limited support [5] | Limited support [5] |
| Red Hat Enterprise Linux 6 | | | | |
| Red Hat Enterprise Linux 6 Server x86/x64 | Not supported | Not supported | Not supported | Limited support [5] |
| Red Hat Enterprise Linux 6.1 Server x86/x64 | Not supported | Not supported | Not supported | Limited support [5] |
| Novell SUSE Linux Enterprise Server | | | | |
| Novell SUSE Linux Enterprise Server 8 x86 | Limited support [5] | Not supported | Not supported | Not supported |
| Novell SUSE Linux Enterprise Server 9 x86/x64 | Limited support [5] | Not supported | Not supported | Not supported |
| Novell SUSE Linux Enterprise Server 10 x86/x64 | Limited support [5] | Limited support [5] | Limited support [5] | Limited support [5] |
| Novell SUSE Linux Enterprise Server 11 x86/x64 | Not supported | Not supported | Limited support [5] | Limited support [5] |
| Novell SUSE Linux Enterprise Server 12 x86/x64 | Not supported | Not supported | Not supported | Not supported |
| VMware vSphere / ESX / ESXi | | | | |
| VMware ESX / ESXi 3.0.1 | Limited support [6] | Limited support [6] | Not supported | Not supported |
| VMware ESX / ESXi 3.0.2 | Limited support [6] | Limited support [6] | Not supported | Not supported |
| VMware ESX / ESXi 3.0.3 | Limited support [6] | Limited support [6] | Not supported | Not supported |
| VMware ESX / ESXi 3.5 | Limited support [6] | Limited support [6] | Limited support [6] | Limited support [6] |
| VMware vSphere / ESX / ESXi 4.0 (Agentless) | Not supported | Not supported | Limited support [8] | Limited support [8] |
| VMware vSphere / ESX / ESXi 5.0 (Agentless) | Not supported | Not supported | Not supported | Limited support [8] |
| Sun Solaris | | | | |
| Sun Solaris 7 Sparc | Limited support [7] | Not supported | Not supported | Not supported |
| Sun Solaris 8 Sparc | Limited support [7] | Not supported | Not supported | Not supported |
| Sun Solaris 9 Sparc | Limited support [7] | Limited support [7] | Limited support [7] | Limited support [7] |
| Sun Solaris 10 x86/x64 | Limited support [7] | Limited support [7] | Limited support [7] | Limited support [7] |
| Sun Solaris 10 Sparc | Limited support [7] | Limited support [7] | Limited support [7] | Limited support [7] |
| Sun Solaris 11 x86/x64 | Not supported | Not supported | Not supported | Not supported |
| Sun Solaris 11 Sparc | Not supported | Not supported | Not supported | Not supported |
| Sun Solaris Zones | Not supported | Not supported | Not supported | Limited support [7] |
| Hewlett-Packard HP-UX | | | | |
| Hewlett-Packard HP-UX 11.11 (11i) PA-RISC [9] | Limited support [7] | Limited support [7] | Limited support [7] | Limited support [7] |
| Hewlett-Packard HP-UX 11.23 (11i v2) PA-RISC/IA-64 [9] | Limited support [7] | Limited support [7] | Limited support [7] | Limited support [7] |
| Hewlett-Packard HP-UX 11.31 (11i v3) PA-RISC/IA-64 [9] | Not supported | Limited support [7] | Limited support [7] | Limited support [7] |
| Hewlett-Packard HP-UX 11.xx (11i v4) PA-RISC [9] | Not supported | Not supported | Not supported | Not supported |
| IBM AIX | | | | |
| IBM AIX 4.3.3 | Limited support [7] | Not supported | Not supported | Not supported |
| IBM AIX 5.1 PPC | Limited support [7] | Not supported | Not supported | Not supported |
| IBM AIX 5.2 PPC | Limited support [7] | Limited support [7] | Limited support [7] | Limited support [7] |
| IBM AIX 5.3 PPC | Limited support [7] | Limited support [7] | Limited support [7] | Limited support [7] |
| IBM AIX 6.1 PPC | Not supported | Limited support [7] | Limited support [7] | Limited support [7] |
| IBM AIX 7.1 Standard | Not supported | Not supported | Not supported | Not supported |
| IBM LPAR-s | Not supported | Not supported | Not supported | Limited support [7] |

[1] It should be noted that core 6.x agents running on Windows x64 platforms currently only support running in WOW64 (32-bit emulation mode). This limits the core agent to seeing only those files and registry entries in the 32-bit environment.
Starting with Notification Server 7.1, the Symantec Management Agent adds native 64-bit support.

[2] Microsoft ended support for Windows 2000 on July 13, 2010, hence support for Windows 2000 agents has been removed in the 7.0 SP5 release. Base agent functionality using a 7.0 SP4 agent in a 7.0 environment will provide limited functionality for the agent machines as they are upgraded.

[3] Monitor Packs for Servers support only agentless monitoring of Windows Server 2008 R2 Core Edition servers.

[4] The Mac OS X agent does not support PC Transplant, Monitor Solution, Application Management, Software Virtualization Client Functionality, the WiseScript scripting tool, Application Metering, or the ability to evaluate software detection rules.

[5] The Linux agent does not support PC Transplant, Application Management, Software Virtualization Client Functionality, Software Portal, the WiseScript scripting tool, Application Metering, or the ability to evaluate software detection rules that are not .rpm packages.

[6] VMware ESX and ESXi 3.x support Inventory for Network Devices, Inventory Solution, Network Discovery at a hardware level, and Monitor Solution only.

[7] The UNIX agent does not support PC Transplant, Application Management, Software Virtualization Client Functionality, Software Portal, the WiseScript scripting tool, Application Metering, Patch Management, or the ability to evaluate software detection rules.

[8] VMware ESX and ESXi 4 support Inventory for Network Devices and Network Discovery only. Starting with the Symantec Management Platform 7.1, ESX and ESXi 4.x servers will be managed as agentless.

[9] IA-64 support on NS 6.x is provided by running PA-RISC binaries under the HP-UX Aries translation engine, which is included as a core component of HP-UX. IA-64 support with the 7.x version is provided natively.
[10] For additional support information for Deployment 6.9, please refer to the following article: http://www.symantec.com/docs/DOC2079

[11] In 7.1 SP1, Mac OS X 10.7 is only available through a special point fix posted on September 19, 2011. Please refer to the following article: http://www.symantec.com/docs/HOWTO58968

Language Support

The following section contains the Symantec IT Management Suite language support matrices for the core platform and the management agent.

Core Localization indicates the Console and Help files have been localized in the referenced languages. It also indicates the supported language for the operating system where the Notification Server installs.

Agent Localization indicates the Agent and Agent Help have been localized in the referenced languages.

Core Localization

Table A-13 Core Localization

| Core Localization | 6.x | 7.0 SP5 | 7.1 SP1 | 7.1 SP2 |
|---|---|---|---|---|
| English | Supported | Supported | Supported | Supported |
| German | Supported | Supported | Supported | Supported |
| French | Supported | Supported | Supported | Supported |
| Japanese | Supported | Supported | Supported | Supported |
| Spanish | Supported | Supported | Supported | Supported |
| Chinese (Simplified) | Supported | Supported | Supported | Supported |
| Italian | Supported | Supported | Supported | Supported |
| Russian | Supported | Supported | Supported | Supported |
| Portuguese (Brazil) | Supported | Supported | Supported | Supported |
| Korean | Not supported | Supported | Supported | Supported |
| Chinese (Traditional) | Not supported | Supported | Supported | Supported |

Windows Agent Localization

Table A-14 Windows Agent Localization

| Core Localization | 6.x | 7.0 SP5 | 7.1 SP1 | 7.1 SP2 |
|---|---|---|---|---|
| English | Supported | Supported | Supported | Supported |
| German | Supported | Supported | Supported | Supported |
| French | Supported | Supported | Supported | Supported |
| Japanese | Supported | Supported | Supported | Supported |
| Spanish | Supported | Supported | Supported | Supported |
| Chinese (Simplified) | Supported | Supported | Supported | Supported |
| Italian | Supported | Supported | Supported | Supported |
| Russian | Supported | Supported | Supported | Supported |
| Portuguese (Brazil) | Supported | Supported | Supported | Supported |
| Swedish | Supported | Supported | Supported | Supported |
| Danish | Supported | Supported | Supported | Supported |
| Finnish | Supported | Supported | Supported | Supported |
| Polish | Supported | Supported | Supported | Supported |
| Norwegian | Supported | Supported | Supported | Supported |
| Dutch | Supported | Supported | Supported | Supported |
| Korean | Supported | Supported | Supported | Supported |
| Chinese (Traditional) | Supported | Supported | Supported | Supported |
| Turkish | Supported | Supported | Supported | Supported |
| Czech | Supported | Supported | Supported | Supported |