Linux and UNIX Management with Altiris Server Management Suite

Linux and UNIX Management with Altiris Server Management Suite 7.1 from Symantec
The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Documentation version:
PN:
Legal Notice
Copyright © 2012 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo, Altiris, and Ghost are trademarks or registered trademarks
of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may
be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support’s primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our online
Knowledge Base. The Technical Support group works collaboratively with the
other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product Engineering
and Symantec Security Response to provide alerting services and virus definition
updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site
at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]
Contents
Technical Support
Chapter 1. Introducing UNIX/Linux Management in Altiris Server Management Suite 7.1 from Symantec
    About this Guide
    Altiris Server Management Suite 7.1: UNIX and Linux management capabilities
Section 1. Provisioning UNIX and Linux Servers
Chapter 2. About the provisioning process
    About automatically provisioning Linux servers
Chapter 3. Imaging and scripted installation
    Performing a Linux scripted OS installation
    Deploying a Linux preboot environment
    Copying Linux OS installation files to an FTP server
    Create a kickstart installation file
    Creating a scripted Linux OS installation job
    Deploying a Linux scripted OS installation job to a target computer
    Using tasks to capture a Linux image
    Installing Deployment Plug-in
    Creating and running a task to create an image
    Creating a task to boot the system into the Linux preboot environment
    Creating a task to reboot the Linux computer into the production environment
    Combining tasks into a job
    About hardware integration toolkits
    IBM Deployment Solution for Altiris
    Altiris Deployment Solution for Dell Servers from Symantec
    Dell Management Console
    HP Insight Rapid Deployment software (RDP)
    Fujitsu ServerView Integration Pack for Altiris Deployment Solution
Chapter 4. Server configuration
    About system configurations
    About initial deployment settings
    Creating system configuration settings
    Adding tokens
    Creating an Apply System Configuration task
    Setting advanced Deploy Image options
Section 2. Configuration Management
Chapter 5. Symantec Management Agent for UNIX, Linux, and Mac
    About the Symantec Management Agent for UNIX, Linux, and Mac
    About methods of installing the Symantec Management Agent for UNIX, Linux, and Mac
    Symantec Management Agent for UNIX, Linux, and Mac installation prerequisites
    About the Symantec Management Agent for UNIX, Linux, and Mac push installation
    Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual push
    Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual pull
    Manually installing the ULM agent using the aex-bootstrap file
    Manually installing the ULM agent using the aex-nsclt package
    Selecting UNIX, Linux, and Mac computers for a Symantec Management Agent manual installation
    Creating a .csv file for importing UNIX, Linux, and Mac computers
    Specifying the Symantec Management Agent for UNIX, Linux, and Mac installation settings
    About configuring the Symantec Management Agent
    Configuring the global agent settings
    Symantec Management Agent Settings – Global: General tab
    About the Tickle/Power Management settings
    About the Package Multicast settings
    Symantec Management Agent Settings – Global: Authentication tab
    Symantec Management Agent Settings – Global: Events tab
    Configuring the targeted agent settings
    Targeted Agent Settings: General tab
    Recommended Symantec Management Agent data update intervals
    Targeted Agent Settings: UNIX/Linux/Mac tab
    Targeted Agent Settings: Downloads tab
    About multicasting packages
    Targeted Agent Settings: Blockouts tab
    Adding a blockout period to the targeted agent settings
    Targeted Agent Settings: User Control tab
    Targeted Advanced Settings: Advanced tab
    About maintenance windows for managed computers
    Configuring maintenance window policies
Chapter 6. Discovery and Inventory
    About Network Discovery
    Discovering UNIX and Linux computers
    About Inventory Solution
    About Inventory Pack for Servers
    Gathering inventory on managed computers
    Enabling the inventory plug-ins for UNIX and Linux computers
    Enabling the server inventory policy
    About methods for gathering software inventory on UNIX or Linux platforms
    About gathering UNIX/Linux software inventory
    Gathering and viewing software inventory of the native UNIX/Linux package system
    About software inventory using the filescan.rule file
    Running software inventory using the filescan.rule file
    About gathering custom inventory
    About custom inventory data classes
    Gathering custom inventory
    Creating and customizing a data class
    Creating a custom inventory script task
    Customizing the custom inventory sample script for UNIX, Linux, and Mac
    Custom inventory sample script for UNIX, Linux, and Mac
    About gathering agentless inventory
    Gathering agentless inventory
    Creating agentless inventory tasks using the wizard
    Manually creating, scheduling, modifying, and stopping agentless inventory tasks
    Viewing agentless inventory results
    About gathering and viewing Apache HTTP Server inventory
    About gathering and viewing VMware ESX Virtualization inventory
    Gathering and viewing MySQL and Oracle Database inventory
Chapter 7. Patch Management for Linux
    About Patch Management Solution for Linux
    Implementing Patch Management Solution for Linux
    System requirements for Patch Management Solution
    Platforms supported by Patch Management Solution for Linux
    About installing Patch Management Solution
    About uninstalling Patch Management Solution
    About the software update plug-in
    Installing the software update plug-in
    Configuring software updates download location
    Creating and assigning custom severity levels
    Configuring Linux remediation settings
    Configuring software updates installation settings
    Configuring the system assessment scan interval
    Linux patch remediation settings pages
    Default Software Update Plug-in Settings page
    Run System Assessment Scan on Linux Computers task
    About Patch Management Solution server tasks
    Downloading the software updates catalog
    Import Patch Data for Novell and Import Patch Data for Red Hat pages
    About errata and patches
    About downloading and distributing software updates
    Downloading software updates
    Downloading and distributing software updates
    Viewing the software update delivery summary report
Chapter 8. Software Management
    About Software Management Solution
    Components of Software Management Solution
    What you can do with Software Management Solution
    Implementing Software Management Solution
    About the agents and plug-ins that Software Management Solution uses
    Installing or upgrading the Software Management Solution plug-in
    About Software Management Solution settings
    Schedule settings for Managed Software Delivery
    Download settings in Software Management Solution
    Run settings in Software Management Solution
    Results-based actions settings in Software Management Solution
    Advanced options in Managed Software Delivery policies
    Advanced options for tasks in Software Management Solution
    Methods for delivering software
    About Software Management Solution reports
    Running a Software Management Solution report
Chapter 9. Managed Software Delivery
    About creating and delivering a software package
    Creating a software delivery package
    Delivering a software package
    Supported packages
    About advanced software deliveries
    Advanced delivery actions that Managed Software Delivery can perform
    About the execution of Managed Software Delivery policies
    About policy compliance and remediation
    Creating a Managed Software Delivery policy with the Managed Software Delivery wizard in the enhanced console views
    Select software resource page
    Policy Rules/Actions section
    Policy Rules/Actions: Software tab
    Policy Rules/Actions: Policy settings tab
Chapter 10. Virtualization Management
    About Virtual Machine Management on UNIX and Linux systems
    About server virtualization
    About Virtual Machine Management home page
    About Virtual Machine Management tasks
    What you can do with Virtual Machine Management
    What's new in Virtual Machine Management 7.1 SP2
    Getting started with the Virtual Machine Management component
    Discovering and adding a single host
    Discovering the hosts
    About Virtual Machine Management Task Server Plug-in
    Installing the Virtual Machine Management Task Server Plug-in
    About virtual machines
    Creating a virtual machine
    Deleting a virtual machine
    Viewing Virtual Machine Management reports
    Permissions that Virtual Machine Management requires
    Preventing the Virtual Machine Management protocol from being replaced
    Deploying ESX/ESXi servers
    About troubleshooting Virtual Machine Management
    Tables populated during the Network Discovery and Run Inventory tasks
    Connection profile information
    About Log Viewer
Section 3. Server health
Chapter 11. Monitor Solution and Monitor Packs
    About Monitor Solution
    Introducing Monitor Solution in UNIX/Linux environments
    Components of Monitor Solution
    About Monitor Packs, policies, rules, metrics, and tasks
    About Monitor Pack for Servers
    What you can do with monitor pack for servers
    Configuring the monitor server
    Importing monitor packs
    Downloading custom Monitor packs from the Symantec Connect Community
    About agentless monitoring
    About agent-based versus agentless monitoring
    About monitor service
    Setting up a remote monitoring site server
    Installing the Pluggable Protocols Architecture (PPA) client computer component on a site server
    Adding monitor service to a site server
    Configuring remote monitoring server settings
    Monitor site server reports
    Setting up credentials for agentless monitoring
    Creating protocol-specific credentials
    Associating credentials with a connection profile
    Discovering resources to which to bind connection profiles
    About scalability best practices for Monitor Solution
Chapter 12. Event Console
    About alerts
    About alert management
    About Event Console alert filters
    Filtering alerts
Chapter 13. Historical and Real-Time Monitoring
    About the Monitoring and Alerting home page
    Viewing historical performance data
    Viewing real-time performance data
    Viewing Monitor Solution reports
    Viewing the Monitor Alerts dashboard
    Generate a report on Monitor Solution metrics, trends, alerts, and actions
    Generating ad-hoc reports with the IT Analytics Monitor Metrics cube
Section 4. Process Automation
Chapter 14. Built-in Workflow capabilities
    About Symantec Workflow integration with UNIX and Linux clients
    Pieces of Symantec Workflow
    What you can do with Symantec Workflow
    Executing scripts on UNIX and Linux systems through SSH
    About Process Manager reporting
Section 5. Centralized management
Chapter 15. Topology View
    About Portal page
    Accessing the Portal page
    About Topology View Web part
    Viewing network topology
Chapter 16. Remote Management
    Methods for remotely managing UNIX/Linux servers
    About Server Resource Manager Home page
    Accessing Server Resource Manager Home page
Chapter 17. Package server for Linux
    About package server for Linux
    About integrating Apache Web Server with package server for Linux
    About detecting the Apache Web Server
    Requirements to configure package server and the Apache Web Server
    Requirements to configure HTTPS and HTTP
    Package server configuration example that uses main web directory for package server links
    Package server configuration example using an alias for package server links
Index
Chapter 1. Introducing UNIX/Linux Management in Altiris Server Management Suite 7.1 from Symantec
This chapter includes the following topics:
■ About this Guide
■ Altiris Server Management Suite 7.1: UNIX and Linux management capabilities
About this Guide
The number one goal of server administrators is to ensure uptime of their servers
and to avoid any business interruptions. This guide offers an overview of the tools
that Altiris Server Management Suite from Symantec provides towards those
goals, specifically in a UNIX and Linux server environment.
Server Management Suite provides an integrated set of tools for managing servers,
on a common platform. Each tool or "solution" extends the capabilities of the
system. Here is a list of solutions and components that this guide covers, with
emphasis on their out-of-box capabilities.
■ Altiris Deployment Solution from Symantec
■ Symantec Management Agent
■ Altiris Inventory Solution from Symantec
■ Altiris Inventory Pack for Servers from Symantec
■ Altiris Patch Management Solution for Linux from Symantec
■ Altiris Software Management Solution from Symantec
■ Symantec Virtual Machine Management
■ Altiris Monitor Solution for Servers from Symantec
■ Altiris Monitor Pack for Servers from Symantec
■ Symantec Workflow
■ Altiris IT Analytics Solution from Symantec
Each solution builds on another, without putting additional demands on the
architecture. Each solution also leverages the information that is collected by the
previous solution. This capability is made possible through the use of the CMDB,
a single repository of data, logic, and automated processes, including access rights.
This guide takes you through all aspects of managing UNIX/Linux servers, from
the moment the hardware is received, through configuration management,
patching, software management, and server health monitoring, to process
automation (workflow) and integration by centralized management.
Altiris Server Management Suite 7.1: UNIX and Linux management capabilities
Altiris Server Management Suite 7.1 from Symantec was designed with
cross-platform management in mind. You discover and manage UNIX and Linux
computers in much the same way that you discover and manage Windows
computers.
In the table, a "Yes" in the UNIX, Linux, or Windows column indicates that the
capability exists for that platform. Unless all Linux or UNIX platforms support a
capability, the table also specifies which UNIX or Linux platforms do.
Table 1-1 Key cross-platform capabilities of Server Management Suite

| Server Management Suite capability | UNIX | Linux | Windows |
|---|---|---|---|
| Heterogenous OS support | IBM AIX¹; Oracle Solaris¹; HP-UX¹ | Novell SUSE Linux²; Redhat Enterprise Linux²; VMware ESX² | Microsoft Windows Server 2003; Microsoft Windows Server 2008 |
| Network discovery | Yes | Yes | Yes |
| Network discovery of virtual machines | Solaris Zones | VMware | Hyper-V |
| Hardware, software, and user inventory | Yes | Yes | Yes |
| Imaging | No | Yes | Yes |
| Scripted OS installation | No | Yes | Yes |
| Software delivery | Yes | Yes | Yes |
| Intelligent software management | Yes | Yes | Yes |
| Software detection rules | No | Basic software detection rules for Linux .rpm detection | Yes |
| Application metering | Future release | Future release | Yes |
| Remote control | Yes (VNC) | Yes (VNC; custom right-click actions to leverage tools for xwindows, telnet, ssh sessions; pcAnywhere) | Yes (pcAnywhere) |
| Automated software updates (Patch Management Solution) | No | Yes | Yes |
| Advanced software inventory | Yes | Yes | Yes |
| Custom inventory | Yes | Yes | Yes |
| Cross-platform reporting | Yes | Yes | Yes |
| Power control | Yes | Yes | Yes |
| | IBM AIX Lpars | VMware | |
| Server health monitoring | Monitor Packs for Solaris and AIX³ | Yes | Yes |
| Event monitoring | Yes | Yes | Yes |
| Supported package delivery formats | Solaris: .pkg; HP-UX: .depot; AIX: .bff; archive formats: tar (gz, bz2, z, zip) | .rpm; archive formats: tar (gz, bz2, z, zip) | Microsoft Windows .msi |
| Workflow | Yes | Yes | Yes |
| Agentless server monitoring | Yes | Yes | Yes |
1Altiris
Server Management Suite from Symantec supports the following UNIX
operating systems:
■
IBM AIX: 5.2, 5.3, 6.1
■
Oracle Solaris: 9 (SPARC), 10 (SPARC, x86/x64)
■
HP-UX: 11i. iv2, iv3
2Altiris
Server Management Suite from Symantec supports the following Linux
operating systems:
■
Red Hat Enterprise Linux: 4, 5, 6
■
Novell SUSE Linux Server: 10, 11
■
VMware ESX: 3.5 (agent), 4/i4 (agent-less), 5/i5 (agent-less)
3A
Monitor Pack for HP-UX is available on Symantec Connect:
https://www-secure.symantec.com/connect/downloads/monitor-pack-hp-ux-basic.
See “Altiris Server Management Suite 7.1: UNIX and Linux management
capabilities” on page 213.
Section 1. Provisioning UNIX and Linux Servers
■ Chapter 2. About the provisioning process
■ Chapter 3. Imaging and scripted installation
■ Chapter 4. Server configuration
Chapter 2. About the provisioning process
This chapter includes the following topics:
■ About automatically provisioning Linux servers
About automatically provisioning Linux servers
Server Management Suite lets you preconfigure newly purchased hardware before
the hardware arrives. When it arrives, the MAC address of the device is discovered
on the network, whether the device is a blade or a new server. The moment the
computer appears, you can configure the system. After the computer is discovered,
the operating system is deployed to it and the build is completed. This approach
ensures build speed as well as consistency and reliability.
See “Performing a Linux scripted OS installation” on page 23.
See “Using tasks to capture a Linux image” on page 28.
Note: Automated provisioning with Altiris Deployment Solution from Symantec
works for Windows and Linux platforms only.
Chapter 3. Imaging and scripted installation
This chapter includes the following topics:
■ Performing a Linux scripted OS installation
■ Using tasks to capture a Linux image
■ About hardware integration toolkits
Performing a Linux scripted OS installation
Linux deployment can be done by an image-based installation, or by a scripted
installation process. A scripted OS installation has the following advantages over
an image-based installation:
■ It has a smaller footprint.
■ It is easily customizable.
A scripted OS install allows customers to interject anything that is specific to a
computer into the deployment process.
Table 3-1 Process for performing a Linux scripted OS installation

| Step | Action | Description |
|---|---|---|
| Step 1 | Deploy a Linux preboot environment | See “Deploying a Linux preboot environment” on page 24. |
| Step 2 | Copy the installation files to an FTP or HTTP source. | See “Copying Linux OS installation files to an FTP server” on page 25. |
| Step 3 | Create a kickstart installation file. | See “Create a kickstart installation file” on page 26. |
| Step 4 | Create a Linux scripted OS installation job | See “Creating a scripted Linux OS installation job” on page 27. |
| Step 5 | Deploy Linux to a target computer | See “Deploying a Linux scripted OS installation job to a target computer” on page 27. |
Deploying a Linux preboot environment
You choose which PXE preboot environments you want to build and turn on the
PXE server rollout policy. The preboot configurations that you build during
first-time setup are available to use later for deployment tasks.
See “Performing a Linux scripted OS installation” on page 23.
To deploy a Linux preboot environment
1  In the Symantec Management Console, click Home > Notification Server Management > First Time Setup.
2  On the Welcome to the Symantec Management Console page, click Setup Deployment.
   In the Setup Deployment window, you must select which PXE Preboot Automation environment you want to build.
3  In Step 1 PXE Image, select Linux.
   The PXE Preboot Automation environments table lists the available operating systems with their architecture and OEM extensions.
4  After you choose the operating system or operating systems, click Next.
   (If you need to create other preboot environments at a later time, you can do so. Navigate to Settings > Deployment > Create Preboot Configurations.)
5  In Step 2 PXE Servers, choose whether to roll out PXE servers to your site servers.
   If you plan to perform deployment tasks, you should roll out PXE servers to site servers; click Setup Deployment.
6  On Notification Server, navigate to Start > All Programs > Administrative Tools > Services.
   Notice four services whose names start with _Symantec_netboot. These are the services that allow a computer to boot into Linux without having Linux on the hard drive.
7  Change the startup type of these four services to Automatic.
8  Start the four services in the following order: First, start the Server service, then start the NSI Signal service, then start the Mtftp service. The fourth service starts automatically.
   Allow Notification Server schedules to run. The default delta update schedule is set to 15 minutes. Then the agent on Notification Server receives the new task to build the Linux preboot environment.
9  To see that the new preboot environment has been set up on Notification Server, navigate to Settings > Deployment > Create Preboot Configurations.
10 Click the Status link to the far right of the menu bar.
   You should see an entry in the task server's Configuration column named LinuxPE-PXE. If you do not see this entry, the schedule on Notification Server has not run yet.
   This entry must appear or the preboot configuration does not exist on your server and will not work with PXE.
Copying Linux OS installation files to an FTP server
You can deploy Linux by using an image-based install or by using a scripted
installation process. This procedure sets up and configures a scripted Linux
operating system installation for use within IT Management Suite 7.1. This
example uses Red Hat Enterprise Linux (RHEL) as the Linux distribution.
See “Performing a Linux scripted OS installation” on page 23.
The first step in the process to do a scripted OS installation is to set up an FTP
site (or an HTTP source). This site can provide the RHEL installation files to your
deployment job. Creating an FTP site offloads traffic from Notification Server.
The following example shows the source files as located on Notification Server
itself. However, they can also be placed on a separate server.
To copy Linux OS installation files to an FTP server
1  Mount the .ISO image in Notification Server, or burn a DVD with the .ISO image and mount the DVD in Notification Server.
2  Open Windows Explorer and create a directory called C:\RHEL.
3  Copy the entire contents of the RHEL installation media to C:\RHEL.
4  In Notification Server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
5  Expand the folder next to your Notification Server and click the Sites folder.
6  Click Add FTP site.
7  Add the FTP site name; for example RHELSOI.
8  Browse to the directory C:\RHEL and click OK, then click Next.
9  In the Binding and SSL Settings page, under Binding, select the Notification Server computer's IP address and leave the port setting at 21.
10 Leave the checkbox next to Enable Virtual Host names unselected.
11 Leave the checkbox next to Start FTP site automatically unselected.
12 In the SSL section, select the radio button next to No SSL, then click Next.
13 In the Authentication section, select Anonymous.
14 In the Authorization section, select All users.
15 In the Permissions section, check the box next to Read, then click Finish.
Create a kickstart installation file
After you create a site where you can access the source files for your scripted OS
installation, you must configure the kickstart file to use this site. The kickstart
file is used primarily (but not exclusively) by the Red Hat Enterprise Linux
operating system. It automates the unattended installation and configuration of
the operating system.
See “Performing a Linux scripted OS installation” on page 23.
To create a kickstart installation file
1  On the Notification Server computer, browse to \\<server_name>\NSCap\bin\UNIX\Deployment\Linux\x86\SOI\AnswerFile.
2  Using Notepad, edit the file rhelx.cfg, where x is the Red Hat Enterprise Linux version number.
   Read the information at the top of the file to find out which lines need to be modified. Many of the default values work without modification.
3  Under Network Configuration, change the dhcp network line to read as follows:
   network --bootproto=dhcp --hostname=yourhostnameSOI --device=eth0
4  Check your configuration to ensure that it is reflected correctly in the kickstart file.
5  Save the kickstart file and close Notepad.
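The check in step 4 can be scripted. The following Python lint is an added example, not part of the Symantec guide or of the shipped rhelx.cfg; the sample file contents, the host name rhel-build-01, and the function names are assumptions. Its rootpw check goes beyond the network line that the procedure covers, because the answer file sits on the NSCap share.

```python
"""Lint a RHEL kickstart answer file before it is attached to an Install Linux OS task."""
import shlex

# Placeholder host name from the guide's sample network line; it must be replaced.
PLACEHOLDER_HOSTNAME = "yourhostnameSOI"
# rootpw options that take no value.
BOOLEAN_FLAGS = {"iscrypted", "plaintext", "lock"}

# Constructed sample input, not the shipped rhelx.cfg.
UNEDITED = """\
# Network Configuration
network --bootproto=dhcp --hostname=yourhostnameSOI --device=eth0
rootpw changeme
%packages
@base
"""

# Constructed sample input with both issues corrected (the hash is a dummy value).
EDITED = """\
network --bootproto dhcp --hostname=rhel-build-01 --device=eth0
rootpw --iscrypted $6$constructedsalt$constructedhash
%packages
@base
"""


def parse_commands(text):
    """Yield (line number, argv) for each line of the kickstart command section."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%") and not line.startswith("%include"):
            return  # %packages, %pre or %post: the command section has ended
        try:
            yield lineno, shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to whitespace splitting
            yield lineno, line.split()


def parse_options(argv):
    """Return (options, positional) for --opt=value, --opt value and --flag forms."""
    opts, positional, i = {}, [], 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            positional.append(tok)
        elif "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
        elif tok[2:] in BOOLEAN_FLAGS or i + 1 == len(argv) or argv[i + 1].startswith("--"):
            opts[tok[2:]] = True
        else:
            opts[tok[2:]] = argv[i + 1]
            i += 1
        i += 1
    return opts, positional


def lint_kickstart(text):
    """Return a list of (line number, code, message) findings; empty means clean."""
    findings, saw_network = [], False
    for lineno, argv in parse_commands(text):
        opts, positional = parse_options(argv)
        if argv[0] == "network":
            saw_network = True
            if opts.get("bootproto") != "dhcp":
                findings.append((lineno, "bootproto", "network line does not set --bootproto=dhcp"))
            hostname = opts.get("hostname")
            if hostname in (None, True, ""):
                findings.append((lineno, "hostname-missing", "network line has no --hostname value"))
            elif hostname == PLACEHOLDER_HOSTNAME:
                findings.append((lineno, "hostname-placeholder", "placeholder host name was not replaced"))
            if opts.get("device") in (None, True, ""):
                findings.append((lineno, "device-missing", "network line has no --device value"))
        elif argv[0] == "rootpw" and positional and not opts.get("iscrypted"):
            findings.append((lineno, "rootpw-plaintext", "root password is stored in clear text"))
    if not saw_network:
        findings.append((0, "network-missing", "no network command in the command section"))
    return findings


if __name__ == "__main__":
    for finding in lint_kickstart(UNEDITED):
        print(finding)
```
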
Creating a scripted Linux OS installation job
See “Performing a Linux scripted OS installation” on page 23.
To create a Linux scripted OS installation job
1  In the Symantec Management Console, browse to Manage > Jobs and Tasks.
2  In the left pane, right-click the folder where you want to create the job and select New > Client Job.
3  Rename the job; for example to RHEL Scripted OS Install Job, and then click Enter.
4  In the right pane, in the Jobs/Tasks section, click New and then select Task.
5  Browse to Deployment and Migration and select the task Install Linux OS.
6  In the right pane, change the name of the task to Install RHEL using the SOI task.
7  In the OS Flavor dialog, select the appropriate Linux distribution and version from the drop-down box.
8  In the OS File Location dialog, select ftp and in the ftp properties, modify the window to the IP address of the ftp site.
9  In the Configuration File dialog box, click Browse.
10 Browse to C:\Program Files\Altiris\Notification Server\NSCap\bin\UNIX\Deployment\Linux\x86\SOI\AnswerFile and select the answer file.
11 Click OK to save this task.
12 Click Save changes to save this job.
Deploying a Linux scripted OS installation job to a target computer
You need to schedule the deployment of a Linux scripted OS installation (SOI) job
to a target computer. Then you need to boot the Linux server into the LinuxPE-PXE
boot environment.
See “Creating a scripted Linux OS installation job” on page 27.
To deploy a Linux SOI job
1  In the Symantec Management Console, navigate to Manage > Computers.
2  Select the RHEL computer.
3  In the Jobs/Tasks pane, click New schedule.
4  Click the Select a job or Task link at the top and browse to the scripted installation job you created. Click OK to accept the job.
   You can modify other options on the New Schedule dialog. They include changing the actual time, overriding maintenance windows, and determining which devices are targeted.
5  Click Schedule to run this job now.
   You can also kick off the job and click Quick Run.
6  You can view scheduled jobs in the Jobs/Tasks pane.
   Now that you have kicked off the process on the Symantec Management Platform, you need to boot the Linux server.
To boot the Linux server into PXE
1  Turn on the Linux server.
2  Once the system boots, you have 5 seconds to force a network boot to this system. (Depending on the hardware vendor, forcing a network boot is often done by pressing F12.)
   Within a short time, the following process unfolds:
   ■ The system DHCP boots and connects to the PXE server.
   ■ PXE loads your designated preboot environment (LinuxPE-PXE).
   ■ The Symantec Management Agent loads, connects to Notification Server, and receives the predefined deployment task.
   ■ The system loads the necessary operating system components locally, restarts, and performs the Linux scripted OS installation. This installation takes about 40-60 minutes.
3  In the Symantec Management Console, under Jobs/Tasks, verify that the status indicates success.
Using tasks to capture a Linux image
You can create tasks to capture an image of your Linux client system. As server
environments are becoming more proficient at standardizing on common
configurations, imaging is the fastest way to deploy. After the image is rolled out,
you can run Symantec Management Platform tasks for additional configuration.
Note that imaging via Deployment Solution does not work for AIX, HP-UX, or
Solaris platforms. However, tasks within Symantec Management Platform can
start the imaging tools for those technologies, kickstart and jumpstart.
Table 3-2 Process for capturing a Linux image

| Step | Action | Description |
|---|---|---|
| Step 1 | Push the Symantec Management Agent to the Linux client | See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual push” on page 50. |
| Step 2 | Install the Deployment Solution plug-in for Linux | See “Installing Deployment Plug-in” on page 29. |
| Step 3 | Create a task to create a Linux image | See “Creating and running a task to create an image” on page 30. |
| Step 4 | Create a task to boot the system into the Linux pre-boot environment | See “Creating a task to boot the system into the Linux preboot environment” on page 31. |
| Step 5 | Create a task to reboot the system into the production environment | See “Creating a task to reboot the Linux computer into the production environment” on page 31. |
| Step 6 | Create and run a client job that combines the tasks created in steps 3-5 | See “Combining tasks into a job” on page 32. |
Installing Deployment Plug-in
Deployment Solution is installed on Symantec Management Platform and
Deployment Plug-in is a component of Deployment Solution. Deployment Plug-in
is installed on client computers to manage deployment tasks. This plug-in enables
you to create and deploy disk images, perform remote OS installation, change
your system settings, and migrate the personality settings.
Predefined policies to install, upgrade, and uninstall the Deployment plug-in are
provided with Deployment Solution. It provides installation policies for 32-bit
and 64-bit client computers. Hence, it supports Windows x64, Windows x86, and
Linux x86. You can install the policy on your target computer.
If you plan to install Deployment Plug-in on a Linux operating system that has a
static IP environment, ensure that you have manually entered the names and IP
addresses of the site server and the Symantec Management Platform server in the
/etc/hosts file.
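One way to verify the /etc/hosts requirement on a static-IP Linux client before the plug-in policy runs, as an added example that is not from the Symantec guide; the server names, the addresses (RFC 5737 documentation range), and the function names are assumptions.

```python
"""Check that a hosts file pins the site server and the Symantec Management Platform server."""
import ipaddress

# Constructed sample hosts file; the second site01 line corrects a stale first one,
# but a hosts lookup normally stops at the first matching line.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
192.0.2.10  smp01.example.test smp01   # Symantec Management Platform server
192.0.2.99  site01.example.test
192.0.2.20  SITE01.example.test site01
"""

# Assumed names and addresses of the two servers the client must reach.
REQUIRED = {
    "smp01.example.test": "192.0.2.10",
    "site01.example.test": "192.0.2.20",
}


def parse_hosts(text):
    """Return {lower-cased name: [addresses in file order]}, skipping comments and bad lines."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no name
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(address)
    return table


def check_hosts(text, required):
    """Return {name: status} where status is ok, missing, wrong address <ip>, or conflicting entry."""
    table = parse_hosts(text)
    result = {}
    for name, expected in required.items():
        expected = str(ipaddress.ip_address(expected))
        addresses = table.get(name.lower(), [])
        if not addresses:
            result[name] = "missing"
        elif addresses[0] != expected:
            result[name] = "wrong address " + addresses[0]
        elif any(a != expected for a in addresses[1:]):
            result[name] = "conflicting entry"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    # On a client, read the real file instead: open("/etc/hosts").read()
    for name, status in check_hosts(SAMPLE_HOSTS, REQUIRED).items():
        print(name, status)
```
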
You cannot install the Deployment Solution plug-in in a maintenance window by
using the Run once ASAP in maintenance window only option. You are required
to schedule the installation using the Add Schedule option.
To install Deployment Plug-in
1  In the Symantec Management Console, on the Settings menu, click Agent/Plug-ins > All Agents/Plug-ins.
2  In the left pane, expand the Agents/Plug-ins > Deployment and Migration folders.
3  Choose either a Linux or Windows installation and expand the corresponding folder.
4  Click the Deployment Plug-in - Install policy.
5  In the right pane, in the Program name box, ensure that the correct policy is selected.
6  Under Applied to, select the computers that you want to install the plug-in on.
7  (Optional) Under Schedule, select when you want to install the plug-in.
8  (Optional) Click Advanced to check if the computers you selected are available at the exact time that you scheduled.
   You can also select start and end dates on this page.
9  Under Extra schedule options, select the options that you want.
10 Ensure that the policy is enabled.
   A green On symbol shows in the top right corner.
11 Click Save changes.
Creating and running a task to create an image
See “Using tasks to capture a Linux image” on page 28.
To create an imaging task
1  In the Symantec Management Console, navigate to Manage > Jobs and Tasks.
2  Right-click the Jobs and Tasks folder and select New > Folder, then name the folder and click OK.
3  Right-click the folder and select New > Task.
4  Under Deployment and Migration, click Create Image.
5  Fill in the name of the image and select the imaging tool. Ghost is the default tool.
6  Click Create.
7  To run the task immediately, select the task you created. Then, under Task Status, click Quick Run.
Creating a task to boot the system into the Linux preboot environment
See “Using tasks to capture a Linux image” on page 28.
You can create a task to boot a system into the Linux preboot environment. You
must be in the same preboot environment as the operating system that you are
about to image and deploy.
To boot into the Linux preboot environment
1  Navigate to Manage > Jobs and Tasks.
2  Right-click System Jobs and Tasks and select New > Task.
3  Under Deployment and Migration, click Reboot To.
4  Name the task something similar to Reboot to Linux Pre-boot.
5  Click the option button next to PXE.
6  Select the Linux boot environment.
7  Click OK to save this task.
Creating a task to reboot the Linux computer into the production environment
See “Using tasks to capture a Linux image” on page 28.
When the imaging task has completed, you need to reboot the system back into
the production environment.
To reboot into the production environment
1  In the Symantec Management Platform, right-click the folder where you save your Linux deployment tasks and select New > Task.
2  In the Create New Task dialog, browse to Deployment and Migration and select the task Reboot To.
3  Rename the task to Reboot to Production.
   This task is generic and can be used any time you want to reboot a system into production, regardless of the operating system.
4  Check the option button next to Production.
5  Click OK to save this task.
6  When the task has been saved, in the Task Status area, click Quick Run.
7  In the Quick Run Now dialog, enter SOL and then select the Linux computer.
8  Click Run to execute this task on the server.
9  On the Deployment Server, see the Linux server reboot back into the production OS.
Combining tasks into a job
You can use jobs to group several tasks together, so that they all run consecutively.
You can combine deployment-specific tasks with other tasks in a single job.
Jobs also have the condition statements that you can specify. Your tasks are then
executed only if they meet the conditions that you specify.
Jobs can be renamed, deleted, cloned, moved, and scheduled by right-clicking the
job and selecting the corresponding option.
You can drag and drop jobs to other folders and manually create folders. Any
folders that you create do not display until you create a task or job in that folder.
For more information, search for topics on creating a job in the Symantec
Management Platform Help.
To combine tasks into a job
1  In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.
2  In the left pane, right-click the folder where you want the job to be stored in, and then click New Client Job or New Server Job.
3  In the right pane, create or add the tasks you want.
   You can click New to add new jobs or tasks to your job. You can also click Add Existing to add existing jobs or tasks to your job.
   You can use the arrows to order the tasks.
4  Select whether the job should fail if any task fails.
5  Click OK.
You can edit, order, and add or delete the tasks in a job. Right-clicking selects the
job that you want to change, and then you can use the options in the right pane.
About hardware integration toolkits
Symantec has strategic relationships with several hardware vendors that provide
extensions to Altiris Deployment Solution by Symantec.
These vendors include the following:
■ IBM
  See “IBM Deployment Solution for Altiris” on page 33.
■ Dell
  See “Altiris Deployment Solution for Dell Servers from Symantec” on page 34.
  See “Dell Management Console” on page 34.
■ HP
  See “HP Insight Rapid Deployment software (RDP)” on page 35.
■ Fujitsu
  See “Fujitsu ServerView Integration Pack for Altiris Deployment Solution” on page 36.
IBM Deployment Solution for Altiris
The IBM Deployment Solution for Altiris 7.1 is an extension to the Altiris
Deployment Solution from Symantec. Deployment Solution provides the jobs and
tasks that automate deployment and migration functions such as hardware
configurations, operating system imaging, and system data collection. IBM
Deployment Solution for Altiris adds predefined jobs and tasks that perform these
operations on IBM System x servers and blades.
See “About hardware integration toolkits” on page 33.
These operations include the following:
■ System settings configuration using ToolsCenter Advanced Settings Utility (ASU)
■ RAID configuration using ToolsCenter ServerGuide pRAID
■ Firmware update using ToolsCenter UXSPi (UpdateXpress System Pack Installer)
■ Diagnostics capture for service and support using ToolsCenter DSA (Dynamic System Analysis)
■ Operating system imaging using Symantec’s Rapideploy and Ghost

| OEM product | Download links |
|---|---|
| IBM Deployment Solution for Altiris 7.1 | Product: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5088633 Documentation: http://download.boulder.ibm.com/ibmdl/pub/systems/support/system_x_pdf/ibm_altiris_v7.1_users_guide.pdf |
| IBM Serverguide scripting toolkits (for DS 6.9) | Product: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=SERV-TOOLKIT Documentation: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5089004 |
Altiris Deployment Solution for Dell Servers from Symantec
This software addition to Deployment Solution lets you manage your Dell servers.
You can create tasks from the predefined task types that Deployment Solution
for Dell provides. These tasks can configure your BIOS interfaces, DRAC (Dell
remote access controller) cards, and RAID systems. You can also create a task to
define dynamic types of RAID configurations. You can install an operating system
using a scripted install or image and update hardware configurations.
See “About hardware integration toolkits” on page 33.
You can also use Deployment Solution for Dell to remotely provision servers using
zero-touch functionality. You can remotely install servers out of the box and
manage those servers across their life cycle.
| OEM product | Download links |
|---|---|
| Altiris Deployment Solution for Dell Servers from Symantec | Product: http://dell.symantec.com/dell-downloads Documentation: http://dell.symantec.com/DSforDellDoc |
Dell Management Console
Dell Management Console is a one-to-many systems management application
that provides enhanced discovery, inventory, monitoring, patch updates, and
reporting features. Dell Management Console is a Web-based graphical user
interface (GUI) with a scalable, modular console. Use it for basic hardware
management as well as for advanced functions, such as asset management,
enhanced security, and compliance. You can install Dell Management Console on
a management station in a networked environment.
See “About hardware integration toolkits” on page 33.
Dell Management Console is free software that you can download from the Dell
support Web site at support.dell.com; however, you must register at the Dell Web
site at dell.com/openmanage/register for a free permanent license. The registration
enables you to continue using Dell Management Console after the 30-day trial
period. Dell Management Console also supports a variety of Symantec plug-ins
like the Symantec Server Management Suite.
| OEM product | Download location |
|---|---|
| Dell Management Console | Product: http://dell.symantec.com/dell-management-console-powered-symantec Documentation: http://dell.symantec.com/dell-management-console-powered-symantec |
HP Insight Rapid Deployment software (RDP)
HP Insight Rapid Deployment software (RDP) is a server deployment solution that
facilitates the installation, configuration, and deployment of high volumes of
servers through either a GUI-based or a Web-based console, using either scripting
or imaging technology. Server configuration time is reduced, making it possible
to scale server deployments to high volumes in rapid fashion. RDP encompasses
the HP SmartStart Scripting Toolkit, drivers, agents and configuration utilities,
HP-supplied deployment jobs, an easy-to-use installation process, and important
support and documents. Tightly integrated with HP Systems Insight Manager, this
deployment solution makes deploying a server as easy as selecting one, a few, or
hundreds of target servers, selecting predefined images or scripts, and clicking
"Run".
See “About hardware integration toolkits” on page 33.
RDP provides support for the following operating systems:
■ Support for deploying Microsoft Windows Server 2008 R2
■ Support for deploying VMware ESX 4.0 on ProLiant servers and Windows guest VMs on VMware ESX 4.0
■ Support for deploying VMware ESX 3.5 U4 on ProLiant servers and Windows guest VMs on VMware ESX 3.5 U4
■ Support for deploying SLES 11 and RHEL 4.8
Note: RDP is currently available for Deployment Solution 6.9 only.

| OEM product | Download location |
|---|---|
| HP Insight Rapid Deployment software | Product: http://h18013.www1.hp.com/products/servers/management/rdp/index.html Documentation: http://h18004.www1.hp.com/products/servers/management/tryinsightcontrol/index.html |
Fujitsu ServerView Integration Pack for Altiris Deployment Solution
The ServerView Integration Pack is a collection of WinPE-based tools and sample
jobs for the Altiris Deployment Solution from Symantec. It is intended to enable
users to configure, install and manage PRIMERGY servers using Altiris Deployment
Solution.
See “About hardware integration toolkits” on page 33.
This ServerView Integration Pack currently supports Altiris Deployment Solution
from Symantec 6.9.
| OEM product | Download location |
|---|---|
| Fujitsu ServerView Integration Pack for Altiris Deployment Solution | Product: http://download.ts.fujitsu.com/prim_supportcd/SVSSoftware/ (Navigate to Serverview > Deployment Tools.) Documentation: http://manuals.ts.fujitsu.com/file/4304/altiris-int-en.pdf |
Chapter 4. Server configuration
This chapter includes the following topics:
■ About system configurations
■ About initial deployment settings
■ Creating system configuration settings
■ Adding tokens
■ Creating an Apply System Configuration task
■ Setting advanced Deploy Image options
About system configurations
You can create or update system configuration settings of the client computers.
These settings are applied to computers after you deploy a disk image or apply a
system configuration. The system configuration settings contain the network,
domain, and other settings that are applied to computers after the computers are
imaged. The credentials that are specified are either of a local administrator
account or of a domain account if you join the computer to a domain.
You create or update the system configuration settings through the Create System
Configuration dialog box that is invoked through the Add option of the Settings
> Deployment > System Configurations dialog box.
See “Creating system configuration settings” on page 38.
About initial deployment settings
Initial deployment lets you select a task or a job to run on the client computers
that are connected in a network but are unknown to the Symantec Management
Platform. The client computers that are unknown to the Symantec Management
Platform are known as unmanaged computers.
The unmanaged computer boots from a network card and asks for a PXE server.
The PXE server receives this request and compares the computer against the list
of known computers. After the PXE server determines that the computer is
unknown it sends a preboot image to the computer. This preboot image is the
image that you configured in the PXE Server Configuration page to respond to
the unknown computers.
After the unknown computer receives the preboot PXE image, the pre-OS runs
and requests a task server. Because the computer is unknown, it receives an initial
deployment menu that contains a preconfigured job or task. According to the
default job or the task set for the initial deployment, the task is scheduled on the
client computers. The menu also specifies how long the preconfigured tasks must
display on the client computers.
You can configure the initial deployment settings through the following options:
■ Settings > Deployment > Initial Deployment menu
■ Settings > All Settings > Deployment and Migration > Initial Deployment option
Creating system configuration settings
The system configuration settings contain the network, domain, and other settings
that are applied to computers after they are imaged. You can create or update
system configuration settings. These settings are applied to computers after you
deploy a disk image or apply a system configuration.
When you distribute a generic Sysprep-enabled image, the system configuration
settings are applied to the computer for the initial setup. The same configuration
settings can be applied to multiple computers using the name range feature.
You can create a backup image or distribute a Sysprep-enabled image to computers
that have the Deployment plug-in installed on them. In this case, you can choose
to retain and restore all existing configuration settings. You can also choose to
reconfigure these settings.
After the image is deployed, you are required to create the System Configurations
to join the client computers to the domain in the following scenarios:
■ Client computers are bare metal computers.
■ Client computers were not on the domain before the image was deployed.
The credentials are either a local administrator account or a domain account if
you join the computer to a domain.
To create system configuration settings
1  In the Symantec Management Console, on the Settings menu, click Deployment > System Configurations.
2  Click New system configuration.
3  In the System Configuration Editor dialog box, type a name and description for the new configuration settings.
4  In the Create System Configuration dialog box, specify the settings that are required.
   On the Computer Information tab and the Network Adapters tab, select and enter the required information.
5  Click OK.
Adding tokens
Deployment Solution provides you with the option to create tokenized scripts. It
also provides you with some predefined tokens that you can use.
To add tokens
1
In the Symantec Management Console, on the Settings menu, click
Deployment > Token.
2
Click New token.
3
Enter a name for the token in the Token name field.
4
Enter the SQL statement for the token.
5
Click Validate SQL to validate the SQL statement.
6
Click Save changes.
Creating an Apply System Configuration task
You can create or update system configuration settings with the configuration
editor. These settings are applied to computers after you deploy a disk image or
apply a system configuration using a task server.
For computer names, the host name can also use tokens. For
example: %CustomerToken, %SERIALNUMBER%.
The credentials are either a local administrator account or a domain account (if
you join the computer to a domain).
See “Creating system configuration settings” on page 38.
To create an Apply System Configuration task
1
In the Symantec Management Console, from the Manage menu select Jobs
and tasks.
2
On the right pane, right-click Jobs and tasks and select New > Task.
3
On the Create new task page, select Apply System Configuration.
4
Specify a name for the task in the first field.
5
Select one of the following options:
Use a predefined system configuration
Select the relevant configuration from the drop-down list or click
New to create a new configuration. You can also click edit to edit
the system configurations.
For more information on System Configuration settings:
Restore system configuration using inventory data
If you select this option you have to provide the following
credentials if the client computer is a member of a domain.
■ Domain Name
■ User name
■ Password
■ Confirm Password
6
Click OK.
7
Schedule the task.
If you execute this task on a Linux client computer, ensure that you run the
send basic inventory command on the client computer. This command updates
the inventory details on the Symantec Management Platform.
Setting advanced Deploy Image options
The Advanced option on the Deploy Image task lets you configure additional
options.
You can also set up other imaging options for this task.
Table 4-1
Advanced Deploy Image options
Option
Description
Partition
This setting determines what partitions are deployed.
You can change the destination partition size by clicking
the partition number.
Note: For Data Partition or System reserve partition
deployment do not use DeployAnywhere.
For Linux, only Data Partition deployment is supported.
To deploy Windows 7 with a system reserved partition,
create a job that deploys the system reserved partition and
the system partition in the same preboot environment.
Command-line
Lets you add command-line options for the imaging
tool.
For Ghost partition deployment, the MODE, Size, SRC,
and DST values should not be used on the command line.
Multicasting
You can configure the number of computers on which
you want to multicast the image. You can override the
default multicast settings that were set in Settings >
Deployment > Image Multicasting. If the threshold
count is 2, there must be at least two client computers
and one master computer before multicasting is used
in this session.
Deployment Solution does not support Multicast and
Unicast options simultaneously if you use the Ghost
imaging tool.
File Preservation
You can specify the files and folders that you want to
preserve when the image is restored. This option is not
supported if the client computer runs a Linux operating
system.
HTTP
Adds the credentials that are needed to deploy an image
that was obtained from an HTTP site.
Section 2
Configuration Management
■ Chapter 5. Symantec Management Agent for UNIX, Linux, and Mac
■ Chapter 6. Discovery and Inventory
■ Chapter 7. Patch Management for Linux
■ Chapter 8. Software Management
■ Chapter 9. Managed Software Delivery
■ Chapter 10. Virtualization Management
Chapter 5
Symantec Management Agent for UNIX, Linux, and Mac
This chapter includes the following topics:
■ About the Symantec Management Agent for UNIX, Linux, and Mac
■ About methods of installing the Symantec Management Agent for UNIX, Linux, and Mac
■ Symantec Management Agent for UNIX, Linux, and Mac installation prerequisites
■ About the Symantec Management Agent for UNIX, Linux, and Mac push installation
■ Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual push
■ Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual pull
■ Manually installing the ULM agent using the aex-bootstrap file
■ Manually installing the ULM agent using the aex-nsclt package
■ Selecting UNIX, Linux, and Mac computers for a Symantec Management Agent manual installation
■ Creating a .csv file for importing UNIX, Linux, and Mac computers
■ Specifying the Symantec Management Agent for UNIX, Linux, and Mac installation settings
■ About configuring the Symantec Management Agent
■ Configuring the global agent settings
■ Configuring the targeted agent settings
■ About maintenance windows for managed computers
■ Configuring maintenance window policies
About the Symantec Management Agent for UNIX, Linux, and Mac
The Symantec Management Agent is the software that establishes communication
between the Notification Server computer and the computers in your network.
Computers with the Symantec Management Agent installed on them are called
managed computers. The Notification Server computer interacts with the Symantec
Management Agent to monitor and manage each computer from the Symantec
Management Console.
The Notification Server computer and the Symantec Management Agent work
together to provide the following types of functionality for managed computers:
■
Monitoring hardware and software
■
Scheduling software installations and file updates
■
Collecting basic inventory information
■
Managing policies and packages
You can install the Symantec Management Agent on Windows, Linux, UNIX, and
Mac computers. The Symantec Management Agent also lets you install and manage
solution agent plug-ins that add additional functionality to the agent. For example,
installing the Inventory plug-in lets you gather detailed hardware and software
information from all of your managed computers.
See “About methods of installing the Symantec Management Agent for UNIX,
Linux, and Mac” on page 47.
About methods of installing the Symantec Management Agent for UNIX, Linux, and Mac
You can install the Symantec Management Agent for UNIX, Linux, and Mac in
four different ways:
■ Via a "push" installation from the Symantec Management Console.
See “About the Symantec Management Agent for UNIX, Linux, and Mac push
installation” on page 49.
A push installation can be accomplished from the Symantec Management
Console without touching individual client machines. You must enter root or
administrator user credentials at the console. A push installation uses SSH,
which may not be considered secure for passing credentials.
■ Via a "pull" installation from a browser on a client computer.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac
with a manual pull” on page 52.
If SSH is not available, or if you want to install the Symantec Management
Agent for UNIX, Linux, and Mac on remote computers that have limited
network access, or if the target computers are behind a firewall, you can pull
the Symantec Management Agent to each computer. You, or anybody else with
administrator rights, can log on to each computer, access Symantec
Management Platform through a URL, and download the install bootstrap
program that performs the Symantec Management Agent for UNIX, Linux,
and Mac installation.
■ Manually, using the aex-bootstrap file.
See “Manually installing the ULM agent using the aex-bootstrap file”
on page 54.
A manual installation is a more controlled process typically performed by
UNIX/Linux administrators, with a high degree of control over the client
computers or systems. On the other hand, manual installations require that
you manually create scripts or touch each server computer individually to
complete the installation.
■ Manually, using the aex-nsclt package.
See “Manually installing the ULM agent using the aex-nsclt package”
on page 55.
Symantec Management Agent for UNIX, Linux, and Mac installation prerequisites
Your computer must meet the hardware and software prerequisites before you
can install the Symantec Management Agent for UNIX, Linux, and Mac.
This topic is a step in the process for installing the Symantec Management Agent
manually.
Table 5-1
Symantec Management Agent for UNIX, Linux, and Mac installation prerequisites
Prerequisite
Description
Operating system
Any of the following operating systems:
■ Solaris 9
■ Solaris 10 (x86 and SPARC)
■ Red Hat Enterprise Linux 4, 4 (x86_64), 5, 5 (x86_64),
5.1, 5.1 (x86_64), 5.2, 5.2 (x86_64), 5.3, 5.3 (x86_64), 5.4,
5.4 (x86_64), 5.5, 5.5 (x86_64), 5.6, 5.6 (x86_64), 6.0, 6.0
(x86_64), 6.1, 6.1 (x86_64)
■ SUSE Linux Enterprise Server 10, 10 (x86_64), 11, 11
(x86_64)
■ SUSE Linux Enterprise Desktop 10, 10 (x86_64), 11, 11
(x86_64), 11 SP1, 11 SP1 (x86_64)
■ VMware ESX Server 3.0.1, 3.0.2, 3.0.3, 3.5
■ VMware vSphere / ESX / ESXi 4.0 (Agentless)
■ VMware vSphere / ESX / ESXi 5.0 (Agentless)
■ Mac OS X 10.4.x (Universal binary), 10.5.x (Universal
binary), 10.6.x (Universal binary), 10.7.x (Universal
binary)
■ Mac OS X Server 10.4.x (Universal binary), 10.5.x
(Universal binary), 10.6.x (Universal binary), 10.7.x
(Universal binary)
■ HP-UX 11.11 (PA-RISC), 11.23 (PA-RISC/IA64), 11.31
(PA-RISC/IA64)
■ AIX 5.2, 5.3, 6.1
Hard disk space
35 MB minimum
RAM
15 MB minimum
Access rights
Root user access rights are required on all UNIX/Linux
platforms. For Mac OS X administrative or root user access
rights are required.
Remote SSH connections enabled
Remote SSH connections must be enabled. There must be
an SSH server running on the client computer and the
firewall must be configured to allow an incoming SSH
connection.
Outgoing connection to Notification Server enabled
The firewall must be configured to allow an outgoing
connection to a WEB port on Notification Server.
About the Symantec Management Agent for UNIX, Linux, and Mac push installation
The push installation of the Symantec Management Agent for UNIX, Linux, and
Mac is performed by the Symantec Management Platform computer.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with
a manual push” on page 50.
Table 5-2
The Symantec Management Agent for UNIX, Linux, and Mac push installation process
Step
Description
Step 1
The Symantec Management Platform attempts to connect to the target
computer through SSH.
The SSH protocol supports logon with either privileged or unauthorized
user accounts and multiple passwords.
Step 2
When connection is established, the Symantec Management Platform
determines the client computer’s operating system and environment, and
then it launches the appropriate platform-specific push-install script.
Step 3
The push-install script creates a directory structure on the client computer,
and then it attempts to download the aex-bootstrap utility from the
Symantec Management Platform computer.
The push-install script tries each of the following methods, in order, until
one succeeds: SCP/SFTP, wget, curl.
If all of these methods fail, the script uses the dd command to transfer the
aex-bootstrap.Z.uu archive to the target computer. It then uses uudecode
to convert the archive to a native format.
Step 4
The .aex-agent-install-config.xml file that contains all of the
Symantec Management Agent installation settings is downloaded to the
client computer.
Step 5
The aex-bootstrap script is executed, and the connection to Symantec
Management Platform is closed.
Step 6
The aex-bootstrap script downloads the rest of the Symantec Management
Agent from the Symantec Management Platform computer and configures
the Symantec Management Agent with settings from the
.aex-agent-install-config.xml file.
Step 7
When the Symantec Management Agent for UNIX, Linux, and Mac runs
for the first time, it collects basic inventory and posts it to the Symantec
Management Platform.
Step 8
The Symantec Management Agent for UNIX, Linux, and Mac receives the
appropriate tasks and policies from the Symantec Management Platform.
Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual push
You can push the Symantec Management Agent for UNIX, Linux, and Mac to any
of the computers that are listed in the Symantec Management Agent Install page.
The push installation of the Symantec Management Agent for UNIX, Linux, and
Mac is performed by the Symantec Management Platform computer. The Symantec
Management Platform computer establishes a connection to the target UNIX,
Linux, or Mac computer, uploads the required files, and then executes them on
the target computer.
Note: Third-party firewalls must be configured to allow an SSH connection from
Symantec Management Platform to the ULM client for a manual push to work.
The firewall configuration should use the same credentials that you provide in
the Installation Settings dialog box in step 4.
See “About the Symantec Management Agent for UNIX, Linux, and Mac push
installation” on page 49.
This task is a step in the process for installing the Symantec Management Agent
manually.
To install the Symantec Management Agent for UNIX, Linux, and Mac with a manual
push
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Agent
for UNIX, Linux, and Mac tab.
3
On the Install Agent for UNIX, Linux, and Mac tab, under Rollout Agent for
UNIX, Linux, and Mac to Computers, select the UNIX, Linux, and Mac
computers on which to install the Symantec Management Agent.
See “Selecting UNIX, Linux, and Mac computers for a Symantec Management
Agent manual installation” on page 56.
4
Click Installation Settings, and then in the Installation Settings dialog box,
specify the appropriate installation settings.
If you added computers manually, you need to specify the appropriate
installation settings for each target computer before you install the Symantec
Management Agent for UNIX, Linux, and Mac. If you imported computers
from a .csv file, you may have specified the installation settings for each
computer in the .csv file. You can change these settings for individual
computers or groups of computers.
See “Specifying the Symantec Management Agent for UNIX, Linux, and Mac
installation settings ” on page 58.
5
(Optional) In the Simultaneous Tasks box, specify the number of installations
to run simultaneously.
This value defines the number of threads running in parallel and serving
Symantec Management Agent pushing. All of the threads share a common
queue from which they take the next computer to install to. The default value
is 5, but you may want to use a different value to suit the performance of the
Symantec Management Platform, the client computers, and the network
capacity. Increasing the number of simultaneous tasks may reduce the total
installation time.
6
Click Install.
7
In the Push install dialog box, check the checkbox to agree to 3rd-party
software installation, and then click OK.
Note: If the target platform is 64-bit RHEL 6.0 or higher and does not have
the 32-bit compatibility layer installed, the agent push fails if you do not
agree to 3rd-party software installation.
The Status column in the computer list shows the success or failure of the
installation on each computer. Note that the newly installed Symantec
Management Agent reports its status back to the originating Notification
Server, even if another Notification Server manages it.
8
If the computer list does not refresh automatically, in the toolbar, click
Refresh to view the current push installation status for each computer.
9
When the installation process is complete, which can take up to 10 minutes,
view the Status Report to confirm that the Symantec Management Agent
has been installed successfully on all of the computers.
Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual pull
If SSH is not available, or if you want to install the Symantec Management Agent
for UNIX, Linux, and Mac on remote computers that have limited network
access, or if the target computers are behind a firewall, you can pull the Symantec
Management Agent to each computer. You, or anybody else with administrator
rights, can log on to each computer, access Symantec Management Platform
through a URL, and download the install bootstrap program that performs the
Symantec Management Agent for UNIX, Linux, and Mac installation.
The URL of the Download Symantec Management Agent for UNIX, Linux and
Mac page is shown on the Symantec Management Agent Install page, under
Download Page URL for UNIX, Linux and Mac. You can view the page, but you
cannot change this setting.
This task is a step in the process for installing the Symantec Management Agent
manually.
To preview the Download Symantec Management Agent for UNIX, Linux and Mac
page
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Symantec
Management Agent for UNIX, Linux and Mac tab.
3
Under Download Page URL for UNIX, Linux and Mac, in the Select platform
drop-down list, select the appropriate platform.
4
Click View page.
To pull the Symantec Management Agent for UNIX, Linux and Mac to a remote
computer
1
Log on to the remote computer as an administrator.
2
Ensure that the remote computer meets the Symantec Management Agent
for UNIX, Linux, and Mac installation prerequisites.
See “Symantec Management Agent for UNIX, Linux, and Mac installation
prerequisites” on page 48.
3
On the remote computer, open a Web browser, and then go to the following
URL:
http://SMPName/Altiris/UnixAgent/AltirisUnixAgentDownload.aspx?ID=Platform
where SMPName is the name of your Symantec Management Platform
computer and Platform is the appropriate one of the following options:
■ Linux
■ Solaris (SPARC)
■ Solaris (x86)
■ Mac
■ AIX
■ HP-UX (PA-RISC)
■ HP-UX (IA64)
4
Follow the instructions that are displayed on the Download Symantec
Management Agent for UNIX, Linux and Mac page for downloading and
running the install bootstrap program on the remote computer.
Manually installing the ULM agent using the aex-bootstrap file
Note: The use of the configuration file .aex-agent-install-config.xml is optional.
If the bootstrap file does not find this .xml file, it uses default installation settings.
If you do not wish to use the .aex-agent-install-config.xml file, start with step
below.
Note: This procedure uses the aex-bootstrap-linux file as the example.
To obtain file names for the bootstrap files of other UNIX or Linux platforms,
see the article Installation Files and Command Lines for the Unix, Linux and
Mac Agent and Solutions Using Native Packages at:
http://www.symantec.com/docs/HOWTO54203.
To manually install the ULM agent using the aex-bootstrap file
1
Make sure you are logged in to the UNIX or Linux server as root.
2
Set up name resolution via DNS or by adding the Notification Server's
hostname and IP address to the UNIX or Linux server's /etc/hosts file.
3
In the Symantec Management Console, on the Settings tab, go to
Agents/Plug-ins > Symantec Management Agent > Settings > Symantec
Management Agent install
4
Select the Install Agent for UNIX, Linux and Mac tab.
5
In the Download Page URL for UNIX, Linux, and Mac Users pane, select the
appropriate platform from the Select platform drop-down list.
Allow the screen to refresh.
6
Click View page
7
Click install bootstrap program to download the program to the Linux server.
8
On the Linux server, save the file as aex-bootstrap-linux in the same directory
as the .aex-agent-install-config.xml file.
9
Go to the directory where you saved aex-bootstrap-linux.
10 Enter the command chmod u+x aex-bootstrap-linux && ./aex-bootstrap-linux http://<NS Server hostname>.
When run, the install bootstrap program connects to the specified Notification
Server and downloads the full Symantec Management Agent package. It then
passes execution to the agent-upgrade script inside that package. The
agent-upgrade script installs, configures, and starts the agent. If the
aex-bootstrap program cannot contact the Notification Server, it schedules
itself to run again in a few minutes, using the at command.
The agent should now install to the /opt/Altiris/notification/nsagent directory
on the UNIX or Linux server. After the resource membership update runs on the
Notification Server, the agent should report basic inventory. It should also appear
in the All platforms filters and targets. At that point, you can enable inventory
policies or other solutions you may be working with.
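A preflight for steps 1, 2 and 8 to 10 of the procedure above, together with the 35 MB disk-space prerequisite from Table 5-1, as an added example that is not part of the Symantec documentation. The function names, the choice of /opt as the filesystem to measure, and the refusal of group- or world-writable files (added because the bootstrap runs as root) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Symantec code): checks to run before aex-bootstrap-linux.
# All function names here are hypothetical.

MIN_FREE_KB=$((35 * 1024))   # Table 5-1: hard disk space, 35 MB minimum

# Succeeds if name $1 is listed as a host name or alias in hosts file $2.
host_in_hosts_file() {
    awk -v h="$1" '
        { sub(/#.*/, "")                          # strip comments
          for (i = 2; i <= NF; i++)               # field 1 is the address
              if (tolower($i) == tolower(h)) found = 1 }
        END { exit !found }
    ' "$2"
}

# Step 2: the Notification Server name must resolve via hosts file or DNS.
ns_resolves() {
    host_in_hosts_file "$1" "${2:-/etc/hosts}" && return 0
    command -v getent >/dev/null 2>&1 && getent hosts "$1" >/dev/null 2>&1
}

# Assumption of this example: a file that root will execute or read must be a
# regular file (not a symlink) that group and others cannot write to.
not_group_world_writable() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)             # e.g. -rwx------
    case "$perms" in
        ?????w????|????????w?) return 1 ;;        # group or other write bit
    esac
    return 0
}

# Free kilobytes on the filesystem that holds path $1.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# preflight DIR NS_HOST [HOSTS_FILE] [UID]
# DIR holds aex-bootstrap-linux and, optionally, .aex-agent-install-config.xml.
# HOSTS_FILE and UID exist so the checks can be exercised without being root.
# Prints one line per finding and returns the number of failed checks.
preflight() {
    dir=$1; ns=$2; hosts=${3:-/etc/hosts}; uid=${4:-$(id -u)}
    cfg="$dir/.aex-agent-install-config.xml"
    fails=0
    [ "$uid" -eq 0 ] || {
        echo "FAIL: not running as root (step 1)"; fails=$((fails + 1)); }
    ns_resolves "$ns" "$hosts" || {
        echo "FAIL: $ns does not resolve (step 2)"; fails=$((fails + 1)); }
    not_group_world_writable "$dir/aex-bootstrap-linux" || {
        echo "FAIL: aex-bootstrap-linux missing, a symlink, or group/world-writable (step 8)"
        fails=$((fails + 1)); }
    if [ -e "$cfg" ] || [ -L "$cfg" ]; then
        not_group_world_writable "$cfg" || {
            echo "FAIL: .aex-agent-install-config.xml is a symlink or group/world-writable"
            fails=$((fails + 1)); }
    else
        # The page states the file is optional and defaults are used without it.
        echo "INFO: no .aex-agent-install-config.xml, bootstrap will use default settings"
    fi
    target=/opt; [ -d "$target" ] || target=/     # agent installs under /opt/Altiris
    [ "$(free_kb "$target")" -ge "$MIN_FREE_KB" ] || {
        echo "FAIL: less than 35 MB free on $target"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh preflight.sh --run DIR NS_HOST
# Runs the checks, then the command from step 10 of the procedure.
if [ "${1:-}" = "--run" ]; then
    preflight "$2" "$3" || exit 1
    cd "$2" && chmod u+x aex-bootstrap-linux && ./aex-bootstrap-linux "http://$3"
fi
```
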
Manually installing the ULM agent using the aex-nsclt package
This is the most direct command-line-based installation of the Symantec
Management Agent. However, it does require configuration either before or after
installation. All other installation methods have a default configuration, but this
one does not.
To install the aex-nsclt package
1
Copy the platform-specific aex-nsclt file from the Notification Server.
2
Set up appropriate environment variables, if desired.
3
Log in to the UNIX or Linux server as root.
4
On the Linux or UNIX server, run the installer for the desired platform by
entering the following at the command line:
rpm -i aex-nsclt<version number>.rpm
If you did not use environment variables in step 2, configure the agent in one of
two ways.
To configure the agent after installation (method 1)
1
Copy an .aex-agent-install-config.xml to an appropriate location.
2
Run aex-configure -configure
To configure the agent after installation (method 2)
1
Run aex-configure -iconfigure and answer all prompts.
2
Enter the name of the Notification Server. You can accept the defaults on all
other values by pressing Enter.
Selecting UNIX, Linux, and Mac computers for a Symantec Management Agent manual installation
You can select UNIX, Linux, and Mac computers for a manual Symantec
Management Agent installation.
If you install the Symantec Management Agent, verify that each computer meets
the Symantec Management Agent installation prerequisites.
See “Symantec Management Agent for UNIX, Linux, and Mac installation
prerequisites” on page 48.
This task is a step in the process for installing the Symantec Management Agent
manually.
To select UNIX, Linux, and Mac computers for a Symantec Management Agent
manual installation
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
(Optional) On the Symantec Management Agent Install page, select the
Install Agent for UNIX, Linux, and Mac tab.
3
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, select the computers on which to install the Symantec
Management Agent.
To manually add a computer
In the text box, type the computer name (which must
be a DNS-resolvable name) or IP address and then click
Add.
To select from the available computers
Click Select Computers, in the Select Computers dialog
box, add the appropriate computers from the Available
computers list to the Selected computers list, and
then click OK.
To import computers from a .csv file
1 In the toolbar, click Import computers from a
selected file.
2 In the Select File to Import dialog, select the
appropriate .csv file, and then click Open.
See “Creating a .csv file for importing UNIX, Linux,
and Mac computers” on page 57.
4
If you want to remove a computer from the list, select it in the list, and then
click Remove Computer.
Creating a .csv file for importing UNIX, Linux, and Mac computers
If you want to install the Symantec Management Agent for UNIX, Linux, and Mac
on a large number of computers that require different connection and
configuration settings, we recommend that you use a .csv file to import the
computers and configure the installation settings. The .csv file is a
comma-delimited text file that includes the DNS names or the IP addresses of the
client computers on which you want to install the Symantec Management Agent.
Each line in the .csv file represents a computer entry that is imported into the
Symantec Management Agent Install page. The .csv file can also contain the
installation settings for each computer.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with
a manual push” on page 50.
A .csv template file for importing UNIX, Linux, and Mac computers
(CSVTemplate.csv) is provided with the Symantec Management Platform. The
column header of the .csv template indicates the data that is required and the
valid values that you can use.
Warning: The .csv file format (list separator) must meet the regional settings of
the server. For example, the sample CSVTemplate.csv file uses the "English (United
States)" regional settings with a comma "," as a list separator. You can view the
Symantec Management Platform’s regional settings in the Windows Control
Panel.
This task is a step in the process for installing the Symantec Management Agent
manually.
To create a .csv file for importing UNIX, Linux, and Mac computers
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Agent
for UNIX, Linux and Mac tab.
3
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, right-click CSV file template, and then click Save Target As.
4
In the Save As dialog box, type a suitable file name for the CSVTemplate.csv
file, browse to the appropriate location, and then click Save.
5
Open the saved .csv file in a text editor and enter the information for each
computer on which you want to install the Symantec Management Agent for
UNIX, Linux, and Mac.
You do not have to use all of the fields. You can use only the fields that you
need, such as computer name, root name, root password, and so on.
The settings that you can specify in the .csv file are identical to the settings
that you can set from the Install Settings window in the Symantec
Management Console.
6
When you have finished, save the .csv file.
Specifying the Symantec Management Agent for UNIX, Linux, and Mac installation settings
The Symantec Management Agent installation settings are the communication
and the authentication settings for the Symantec Management Agent for UNIX,
Linux, and Mac. You must specify the appropriate privileged account login name
and password for each target computer.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with
a manual push” on page 50.
When you import computers from a .csv file, you can specify the appropriate
installation settings for each computer in the .csv file. If you do not specify any
settings in the .csv file, or if you added computers manually, you need to specify
the appropriate settings for each target computer before you install the Symantec
Management Agent for UNIX, Linux, and Mac.
You can specify installation settings for a particular computer or for multiple
computers. If you select multiple computers, the same installation settings are
applied to each computer. You can also clone the current installation settings
from a computer and apply it to other computers.
See “Creating a .csv file for importing UNIX, Linux, and Mac computers”
on page 57.
This task is a step in the process for installing the Symantec Management Agent
manually.
To specify the Symantec Management Agent installation settings
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Agent
for UNIX, Linux and Mac tab.
3
Under Rollout Agent to Computers, in the computer list, click the computer
for which you want to change the Symantec Management Agent installation
settings.
If you want to specify identical installation settings for multiple computers,
or if you want to clone the current installation settings from another
computer, select the appropriate computers.
4
Click Installation settings.
5
(Optional) If you want to clone the current installation settings from a
particular computer, in the Installation Settings dialog box, in the Load
settings drop-down list, select the appropriate computer.
The option Load settings of appears at the upper right of the Installation
Settings dialog box if you have selected multiple computers.
6
Specify the appropriate installation settings for the selected computers.
7
In the Installation Settings dialog box, click OK.
About configuring the Symantec Management Agent
The default Symantec Management Agent configuration settings are suitable for
a small Symantec Management Platform environment. As your environment
grows, or if your organization has particular requirements, you need to make the
appropriate configuration changes.
The agent configuration settings are applied to the appropriate managed
computers using agent configuration policies. You can modify these policies to
change the settings at any time. The new configuration settings are applied to
the agents when the managed computers get their next policy updates (which is
typically once a day).
The Symantec Management Platform provides the following types of agent
configuration policies:
Global settings
The global configuration settings apply to all Symantec
Management Agents on all managed computers. These settings
are applied as a single policy that automatically targets every
managed computer.
See “Configuring the global agent settings” on page 60.
Targeted settings
The targeted agent settings are the general parameters that
control the Symantec Management Agent, including how the agent
communicates with Notification Server. You can modify the default
policies that are supplied with the Symantec Management
Platform. You can create your own targeted agent settings policies
and apply them to the appropriate managed computers.
See “Configuring the targeted agent settings” on page 66.
Maintenance windows
A maintenance window is a scheduled time and duration when
maintenance operations may be performed on a managed
computer. A maintenance window policy defines one or more
maintenance windows. You can modify the default policy that is
supplied with the Symantec Management Platform. You can create
your own maintenance window policies and apply them to the
appropriate managed computers.
See “About maintenance windows for managed computers”
on page 78.
The targeted settings policies and maintenance window policies are applied to
the managed computers that are included in the specified policy targets. These
targets may not be mutually exclusive. Two or more policies of the same type may
apply to the same managed computer.
If a managed computer has two or more targeted settings policies that are applied
to it, Notification Server selects the policy to use. The selection is based on the
policy GUID, and is not transparent to the user. You cannot determine beforehand
which policy is chosen. However, once the selection has been made, it is used
consistently to ensure that the same policy is applied at every policy update.
If two or more maintenance window policies apply to the same managed computer,
the policies are merged. All of the specified maintenance windows are used.
Configuring the global agent settings
The global configuration settings are those that you would not need to set
differently on different computers, so they apply to all Symantec Management
Agents on all managed computers. These settings are applied as a global agent
settings policy, so they are updated in the same way as any other policy. By default,
the global agent settings policy is refreshed hourly. You cannot delete or disable
the global agent settings policy, or create alternative versions of it.
If you want to specify agent settings for particular groups of managed computers,
you need to configure the appropriate targeted agent settings policies.
See “Configuring the targeted agent settings” on page 66.
To configure the global agent settings
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > Global Settings.
2
Make the appropriate configuration settings on the following tabs:
General
Specify the Tickle/Power Management and Package Multicast
settings.
See “Symantec Management Agent Settings – Global: General
tab” on page 61.
See “About the Tickle/Power Management settings”
on page 63.
See “About the Package Multicast settings” on page 64.
Authentication
Specify the user name and password that the Symantec
Management Agent uses when it connects to Notification
Server or a package server.
See “Symantec Management Agent Settings – Global:
Authentication tab ” on page 64.
Events
Specify Notification Server events that you want to capture.
See “Symantec Management Agent Settings – Global: Events
tab ” on page 65.
3
Click Save Changes.
Symantec Management Agent Settings – Global: General tab
The General tab contains the Tickle/Power Management settings and the Package
Multicast settings.
The Tickle/Power Management settings are the TCP/IP Port numbers and IP
addresses, which the Symantec Management Agents use to communicate with
the Power Management tool.
See “About the Tickle/Power Management settings” on page 63.
Table 5-3
Tickle/Power Management settings
Setting
Description
TCP/IP port
The TCP/IP Port number must be between 1024 and 65535.
The default is port 52028.
TCP/IP multicast address
The IP address that the Symantec Management Agents use
to listen to multicast Power Management commands on the
network.
The TCP/IP Multicast Addresses should be between 224.0.0.1
and 239.255.255.254. The last octet should not be 255.
The default IP address is 224.0.255.135.
TCP/IP multicast port
The port number that the Symantec Management Agents
use to listen to Power Management messages on the
network.
The TCP/IP Multicast Port number must be between 1024
and 65535.
The default is port 52029.
The Package Multicast settings are the IP addresses, which the Symantec
Management Agents use for multicasting.
See “About the Package Multicast settings” on page 64.
Table 5-4
Package Multicast settings
Setting
Description
TCP/IP multicast address
The IP address that the Symantec Management Agents use
to listen to multicast negotiation messages on the network.
The default IP address is 224.0.255.135.
TCP/IP multicast port
The port number that the Symantec Management Agents
use to listen to multicast messages on the network.
The TCP/IP multicast port number must be between 1024
and 65535.
The default port is 52030.
TCP/IP Listener range
The range of IP addresses from which a multicast session chooses an
address to use while the master multicasts the package.
You can add new ranges, and specify the appropriate IP
addresses for each range.
TCP/IP Exclusion range
The range of IP addresses that cannot be used for
multicasting.
You can add new ranges, and specify the appropriate IP
addresses for each range.
About the Tickle/Power Management settings
The Power Management tool lets Notification Server communicate directly with
a Symantec Management Agent. Under normal working conditions, the agent
requests its targeted agent settings policies from Notification Server and then
responds accordingly. With power management, Notification Server can contact
the agent directly through a tickle, and instruct it to act immediately.
See “Configuring the global agent settings” on page 60.
See “Symantec Management Agent Settings – Global: General tab” on page 61.
Power management allows Notification Server to perform the following tasks:
Wake on LAN
Notification Server immediately sends a signal to turn on
the managed computer if it is currently turned off.
The managed computer must have a Wake on LAN-enabled
network card, and Wake On LAN must be enabled in the
managed computer’s BIOS settings.
If you tickle an agent, Notification Server starts the
computer using Wake on LAN, and then waits five minutes
before sending the tickle. This delay allows time for the
managed computer to turn on.
Get Client configuration
Notification Server contacts the agent and instructs it to
request its targeted agent settings immediately.
Send basic inventory
Notification Server contacts the agent and instructs it to
send its basic inventory immediately.
If a multicast address and port are not supplied, only the Wake on LAN action
works when performing power management on multiple computers in a single
operation.
The subnet or the proxy computers (relay computers) are never pinged to
determine whether they are alive. To determine the most suitable relay computers,
data from the CMDB is evaluated to create a prioritized list of computers. For each
subnet, Notification Servers are given the highest priority, followed by package
servers. All other computers in that subnet have priority in the order that they
last communicated with Notification Server (the more recent the communication,
the higher the priority). The computers on the list are tried in order of priority
until communication with a relay computer is successful. The attempt stops after
the first 50 computers have been tried without success.
Some solutions use power management to perform solution-specific functions.
Consult the appropriate solution Help for information.
The Tickle/Power Management settings are relevant only when power
management has been enabled on a managed computer. This setting is specified
in the targeted agent settings policy.
See “Targeted Agent Settings: General tab” on page 68.
See “Targeted Advanced Settings: Advanced tab ” on page 78.
About the Package Multicast settings
The Package Multicast settings are applied to a managed computer only if multicast
is enabled in the appropriate targeted agent settings policy.
See “Symantec Management Agent Settings – Global: General tab” on page 61.
See “Targeted Agent Settings: Downloads tab ” on page 71.
See “Configuring the global agent settings” on page 60.
When you change these settings, be aware of the following:
■
There must be at least one listener IP address range specified that cannot be
deleted.
■
The Exclusion IP address ranges can be a subset of Listener IP address ranges
but not vice versa.
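The limits in Tables 5-3 and 5-4 and the two range rules above can be checked before a change is saved. The following Python check is an added example, not part of the Symantec product; the dictionary keys and the sample ranges are hypothetical, and reading "not vice versa" as "no listener range may lie entirely inside an exclusion range" is an assumption.

```python
import ipaddress

# Limits quoted from Tables 5-3 and 5-4 of this guide.
PORT_MIN, PORT_MAX = 1024, 65535
MCAST_LOW = ipaddress.IPv4Address("224.0.0.1")
MCAST_HIGH = ipaddress.IPv4Address("239.255.255.254")


def check_port(label, port):
    """Ports must be between 1024 and 65535."""
    if isinstance(port, int) and PORT_MIN <= port <= PORT_MAX:
        return []
    return [f"{label}: port {port!r} is not in {PORT_MIN}-{PORT_MAX}"]


def check_multicast_address(label, text):
    """Address must be 224.0.0.1-239.255.255.254 and must not end in .255.

    Table 5-3 states this rule for the Tickle/Power Management address;
    applying it to the Package Multicast address as well is an assumption.
    """
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return [f"{label}: {text!r} is not an IPv4 address"]
    problems = []
    if not MCAST_LOW <= addr <= MCAST_HIGH:
        problems.append(f"{label}: {addr} is outside {MCAST_LOW}-{MCAST_HIGH}")
    if addr.packed[-1] == 255:
        problems.append(f"{label}: last octet of {addr} is 255")
    return problems


def parse_range(pair):
    """Turn a (first, last) pair of strings into two IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(p) for p in pair)
    if first > last:
        raise ValueError(f"range {first}-{last} is reversed")
    return first, last


def check_ranges(listeners, exclusions):
    """Apply the two range rules from 'About the Package Multicast settings'."""
    problems = []
    if not listeners:
        problems.append("listener ranges: at least one range is required")
    parsed_exclusions = [parse_range(p) for p in exclusions]
    for l_first, l_last in (parse_range(p) for p in listeners):
        for e_first, e_last in parsed_exclusions:
            # Assumed reading: an exclusion may sit inside a listener range,
            # but a listener range fully covered by an exclusion is unusable.
            if e_first <= l_first and l_last <= e_last:
                problems.append(
                    f"listener range {l_first}-{l_last} lies inside "
                    f"exclusion range {e_first}-{e_last}")
    return problems


def validate_global_settings(s):
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    problems += check_port("Tickle TCP/IP port", s["tickle_port"])
    problems += check_multicast_address(
        "Tickle multicast address", s["tickle_multicast_address"])
    problems += check_port("Tickle multicast port", s["tickle_multicast_port"])
    problems += check_multicast_address(
        "Package multicast address", s["package_multicast_address"])
    problems += check_port("Package multicast port", s["package_multicast_port"])
    problems += check_ranges(s["listener_ranges"], s["exclusion_ranges"])
    return problems


# Addresses and ports are the defaults from Tables 5-3 and 5-4.
# The listener and exclusion ranges are constructed sample values.
SAMPLE_SETTINGS = {
    "tickle_port": 52028,
    "tickle_multicast_address": "224.0.255.135",
    "tickle_multicast_port": 52029,
    "package_multicast_address": "224.0.255.135",
    "package_multicast_port": 52030,
    "listener_ranges": [("239.10.0.0", "239.10.0.255")],
    "exclusion_ranges": [("239.10.0.200", "239.10.0.255")],
}

if __name__ == "__main__":
    for line in validate_global_settings(SAMPLE_SETTINGS) or ["settings pass"]:
        print(line)
```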
Symantec Management Agent Settings – Global: Authentication tab
The Authentication tab contains the Agent Connectivity Credential (ACC)
settings, which are the user name and password that the Symantec Management
Agent uses to connect to a secured resource. The package server also uses the
Agent Connectivity Credential to add file-based security to download package
files, if so configured. The credentials that you specify must be a known account
on Notification Server and every package server.
See “Configuring the global agent settings” on page 60.
Table 5-5
Settings on the Authentication tab
Setting
Description
Use application credentials
Use the application identity credentials that you specified
on the Processing tab of the Server Settings page.
Use these credentials
Specify the appropriate ACC user name and password.
This account usually has a lower level of rights than the
Application Identity account, and is a dedicated account
created for use on package servers.
Warning: You cannot use special characters (any of the
following: ~!#$%^&(){}) in the user name or password. You
may use only alphanumeric characters.
Symantec Management Agent Settings – Global: Events tab
The Events tab lets you enable or disable individual Notification Server event
captures. We recommend that you leave the Notification Server Event options
enabled. However, if you have a large number of managed computers and receive
unneeded events, you can disable them. You specify Notification Server events
that you want to capture by checking the appropriate checkboxes.
See “Configuring the global agent settings” on page 60.
Table 5-6
Settings on the Events tab
Setting
Description
AeX Package Server
Package Event
Sent when a package server has started or finished
downloading a package.
AeX Package Server IIS
Status
Contains IIS data that describes what has been downloaded
and any errors encountered by Symantec Management
Agents performing downloads.
AeX Client LogOn
Sent when users log on and off a computer.
Agent Install Status
Sent during push and pull installs to keep track of how the
install progresses.
AeX SWD Execution
Sent when a software management task is run.
AeX SWD Package
Sent when a package is modified or downloaded.
AeX SWD Status
Sends status information about the software management
tasks that the Symantec Management Agent receives. For
example, when a new task is received or existing tasks have
been updated or disabled.
NS Client Pkg Info Request
Generated internally by Notification Server when Symantec
Management Agents request information on packages.
Configuring the targeted agent settings
The targeted agent settings policy lets you configure the general parameters that
control the Symantec Management Agent, including how the agent communicates
with Notification Server. You can apply these settings to particular groups of
computers. For example, some groups of computers may have different purposes,
or you may want to treat servers differently from other managed computers. You
can modify the default policies that are supplied with Notification Server or create
your own targeted agent settings policies.
See “About configuring the Symantec Management Agent” on page 59.
The targeted agent settings policies supplied with Notification Server are as
follows:
■
All Desktop computers (excluding ‘Site Servers’)
■
All Site Servers
■
All Windows Mobile
■
All Windows Servers (excluding ‘Site Servers’)
If you want to specify some configuration settings that apply to all Symantec
Management Agents on all managed computers, you need to configure the global
agent settings policy.
See “Configuring the global agent settings” on page 60.
To configure the targeted agent settings
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > Targeted Agent Settings.
2
In the left pane, do one of the following:
■
To create a new targeted agent settings policy, click Create New.
■
To modify an existing targeted agent settings policy, click the appropriate
policy.
3
To set or change the policy name, click Rename.
In the Rename Item dialog box, type the new name, and then click OK.
4
In the right pane, make the appropriate configuration settings on the following
tabs:
General
General settings include the policy download and inventory
collection frequencies, and the computers, users, or resource
targets to which the policy applies.
See “Targeted Agent Settings: General tab” on page 68.
UNIX/Linux/Mac
If the Symantec Management Agent for UNIX, Linux, and Mac
is installed, this tab is available and provides general settings for
UNIX, Linux, and Mac managed computers.
See “Targeted Agent Settings: UNIX/Linux/Mac tab” on page 69.
Downloads
Download settings control how each agent downloads packages
during software deliveries. You can enable multicast downloads
and configure multicast for both master and client sessions.
See “Targeted Agent Settings: Downloads tab ” on page 71.
See “About multicasting packages” on page 74.
You can override these settings for individual software delivery
policies and tasks.
For more information, see the topics about Software Management
settings in the Software Management Solution User Guide.
Blockouts
Blockout periods are times when all communication between the
agent and Notification Server is disabled. You can set up any
number of blockout periods.
See “Targeted Agent Settings: Blockouts tab ” on page 75.
User Control
The user control settings are the options that affect what the
user of the managed computer can see.
See “Targeted Agent Settings: User Control tab ” on page 77.
Advanced
Lets you specify an alternate URL that the Symantec Management
Agent can use to access Notification Server, and turn on the
power management feature.
See “Targeted Advanced Settings: Advanced tab ” on page 78.
5
(Optional) To restore the policy to its default settings, click Restore Defaults.
6
Click Save changes.
Targeted Agent Settings: General tab
The targeted agent general settings include the policy download and inventory
collection frequencies, and whether to compress large events when sending them
to Notification Server. You also need to specify the computers, users, or resource
targets to which the targeted agent settings policy applies.
See “Configuring the targeted agent settings” on page 66.
See “Recommended Symantec Management Agent data update intervals”
on page 69.
Table 5-7
Settings on the General tab
Setting
Description
Download new
configuration
The interval at which the Symantec Management Agent requests
new policy information from Notification Server.
The default and recommended interval is one hour.
When you first set up your Notification Server, set this time to 1,
5, or 15 minutes. This setting lets you find out how Notification
Server interacts with the Symantec Management Agents. This
time should then be increased to suit the number of managed
computers that you have.
Upload basic
inventory
The interval at which the Symantec Management Agent sends
basic inventory to Notification Server.
The default interval is one day. You should adjust this value
according to the number of managed computers in your
organization.
Compress events over
Select this option to compress events when they are sent to
Notification Server, and set the minimum size.
The recommended minimum size is 200 KB, which is a compromise
between bandwidth and CPU usage.
The value you choose here is a trade-off between bandwidth usage
and CPU usage on the server. For example, you may want to set a
low value for the events that are sent from mobile computers. You
can set a higher value for events on well-connected LAN
computers.
Applies to
Displays the details of the resource targets, computers, or users
to which the agent settings policy currently applies. You can set
or change the policy target as appropriate.
Recommended Symantec Management Agent data update intervals
The Symantec Management Agent regularly sends basic inventory data to and
receives agent configuration data from Notification Server. You can configure
the intervals for these updates. The more computers you manage, the less
frequently you should update the data to reduce the load on Notification Server.
See “Configuring the targeted agent settings” on page 66.
Table 5-8
Recommended Symantec Management Agent data update intervals
Number of managed computers    Basic inventory    Configuration request
0 - 499                        30 minutes         15 minutes
500 - 1999                     8 hours            4 hours
> 2000                         24 hours           8 hours
Notification Server includes an automation policy that automatically sends you
an email when the update intervals are lower than the recommended values. This
policy, the Scalability Check, saves you from regularly checking the update
intervals as computers are added to or removed from your network. You can turn
the Scalability Check policy on or off as necessary, and set the appropriate
schedule.
Targeted Agent Settings: UNIX/Linux/Mac tab
The UNIX/Linux/Mac tab lets you define the settings that apply to UNIX, Linux,
and Mac computers in the targeted group of computers.
See “Configuring the targeted agent settings” on page 66.
Table 5-9
Settings on the UNIX/Linux/Mac tab
Setting
Description
Symantec log directory
The directory where the Agent log is written.
Default: %INSTDIR%/var
Symantec log name
The name of the log file.
Default: aex-client.log
Symantec log size
The maximum amount of disk space that the Agent log uses.
Default: 1024 KB
Symantec logging level
The Agent log detail level: Error, Warning, Info.
Default: Error
Syslog logging level
The system logging level: None, Error, Warning, Info.
This option lets you specify whether the Symantec Management Agent should post
messages to the system log and set the appropriate log level.
Default: None
Enable NIC error
When this option is enabled, the Symantec Management Agent for UNIX, Linux, and
Mac will report an error when the client computer’s host name and IP address are
not the same as reported by DNS.
You can view the NameServ Error in the Symantec Management Console, in the
Resource Manager, at View > Inventory > Data Classes > Inventory > Basic Inventory
> AeX AC TCPIP > DNS Server 3.
Enforce host certificate is in CA
When this option is enabled, the local certificate authority is used to validate the
host for all HTTPS connections.
Name of the CA certificates file
Specifies the full path to the file containing one or more CA certificates in PEM (Base64
encoded) format.
Enforce hostname
verification for HTTPS
connection
When this option is enabled, the Symantec Management Agent communicates with
a host using HTTPS only if that host’s name matches the name in the host’s certificate.
Return the following
information as computer
name
Specifies which name the client computer will report as its computer name: DNS
Name or Computer Name (the local computer name).
Return the following
information as computer
domain
Specifies what the client computer will report as its domain: Empty (an empty string)
or DNS Domain (its DNS domain name).
Read computer DNS domain name from /etc/resolv.conf
When this option is enabled, the Symantec Management Platform reads the client
computer’s domain name from the resolv.conf file, instead of performing a host
name lookup.
Software Delivery
The settings in this section specify the preferred values for each process priority
level that is used by software delivery tasks.
Use proxy server for
agent/server
communication
When this option is enabled, the ULM Agent communicates with Notification Server
via the specified proxy server.
You can specify the following proxy server settings:
■
Proxy server URL
■
Port number
■
Username
■
Password
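The three HTTPS options in Table 5-9 (Enforce host certificate is in CA, Name of the CA certificates file, and Enforce hostname verification for HTTPS connection) only protect the agent when they are set together and the CA file is intact. The following Python audit is an added example, not Symantec code; the dictionary keys are hypothetical, the sample PEM is constructed placeholder data, and the file check covers the PEM container and permissions only, not X.509 contents.

```python
import base64
import os
import re
import stat

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

# Constructed sample: PEM armour around placeholder bytes, NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a certificate").decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def count_pem_certificates(path):
    """Count PEM CERTIFICATE blocks whose body is valid Base64.

    This checks the container format only; it does not parse X.509.
    """
    with open(path, "r", encoding="ascii", errors="replace") as handle:
        text = handle.read()
    count = 0
    for body in PEM_CERT.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # damaged or non-Base64 body: not counted
        count += 1
    return count


def audit_https_settings(settings):
    """Return findings for one policy's HTTPS options (empty list = no findings).

    Hypothetical keys: enforce_ca, ca_file, enforce_hostname.
    """
    findings = []
    enforce_ca = settings.get("enforce_ca", False)
    enforce_hostname = settings.get("enforce_hostname", False)
    ca_file = settings.get("ca_file", "")

    if not enforce_ca:
        findings.append("'Enforce host certificate is in CA' is disabled")
    if not enforce_hostname:
        findings.append(
            "'Enforce hostname verification for HTTPS connection' is disabled")
    if enforce_hostname and not enforce_ca:
        # A name match on a certificate whose issuer is never validated
        # does not authenticate the server.
        findings.append("hostname is verified but the issuing CA is not")

    if enforce_ca:
        if not ca_file or not os.path.isfile(ca_file):
            findings.append(f"CA certificates file {ca_file!r} does not exist")
        else:
            if count_pem_certificates(ca_file) == 0:
                findings.append(f"{ca_file}: no PEM certificate block found")
            mode = os.stat(ca_file).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Anyone who can write this file can add a trust anchor.
                findings.append(f"{ca_file}: writable by group or others")
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ca.pem")
        with open(path, "w", encoding="ascii") as handle:
            handle.write(SAMPLE_PEM)
        os.chmod(path, 0o644)
        policy = {"enforce_ca": True, "ca_file": path, "enforce_hostname": True}
        print(audit_https_settings(policy) or "no findings")
```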
Targeted Agent Settings: Downloads tab
The Downloads tab lets you define the throttling settings and configure multicast
settings.
See “Configuring the targeted agent settings” on page 66.
The tab contains the following groups of settings:
Throttling
Lets you define the throttling settings, which
enable throttling of downloads to the agent
and set the slow-connection threshold.
See Table 5-10
Throttling periods
Lets you create and modify the throttling
periods that you want to use.
See Table 5-11
Multicast Configuration Settings
Lets you enable multicast downloads and
configure multicast for both master session
and client session.
See Table 5-12
Table 5-10
Throttling settings
Setting
Description
Use bandwidth throttling
Enables bandwidth throttling.
Only throttle when
bandwidth is below ... KB/s
Specifies a slow-connection threshold.
If the connection speed falls below the value that you specify, the bandwidth throttling
settings that you specify are applied.
Table 5-11
Throttling Periods settings
Setting
Description
Add throttling period
You can specify any number of throttling periods. If two or more periods overlap, the
lowest throttling value is used.
For each throttling period, you can set the following:
■ Start time
■ Duration
The start time and duration of the throttling period.
■ Value
■ Unit
The amount of throttling, where the numerical value is either a percentage of the
maximum download rate, or a specific download rate in KB/sec.
Delete
Deletes the selected throttling period from the list.
Time zone
The time zone to use for defining the throttling periods.
The available time zones are as follows:
■ Use agent time
The times are specified without time zone information, and are applied at the
local time at each managed computer. Throttling periods start and end at different
times depending on the time zones of the managed computers.
■ Use server time
The times are specified with time zone information, where the time zone offset
is that of the server’s time zone where the policy is defined. The throttling periods
start simultaneously irrespective of time zones, and are compensated for daylight
saving.
This option ensures that throttling periods are always coordinated with the
specified local time on the server where the policy is created.
■ Coordinate using UTC
The times are specified with time zone information, where the time zone offset
is 0. The throttling periods start simultaneously irrespective of time zones and
are not affected by daylight saving.
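The same throttling periods give different limits on an agent depending on the Time zone option, and overlapping periods resolve to the lowest value. The following Python model is an added example, not Symantec code; the class and function names, the sample periods, and the fixed UTC offsets are constructed. It assumes that "lowest throttling value" means the lowest resulting rate in KB/sec, that a period lasts at most 24 hours, and it does not model daylight saving.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class ThrottlingPeriod:
    start: time          # Start time, as entered in the policy
    duration: timedelta  # Duration (assumed to be at most 24 hours)
    value: float         # Value
    unit: str            # Unit: "percent" of the maximum rate, or "kbps"

    def rate_kbps(self, max_rate_kbps):
        """Convert the period's value to a download rate in KB/sec."""
        if self.unit == "percent":
            return max_rate_kbps * self.value / 100.0
        if self.unit == "kbps":
            return float(self.value)
        raise ValueError(f"unknown unit {self.unit!r}")


def policy_clock(mode, now_utc, agent_tz, server_tz):
    """Return 'now' on the clock that the Time zone option selects."""
    zones = {"agent": agent_tz, "server": server_tz, "utc": timezone.utc}
    if mode not in zones:
        raise ValueError(f"unknown time zone mode {mode!r}")
    return now_utc.astimezone(zones[mode])


def is_active(period, local_now):
    """True if the period covers local_now, including periods that began
    yesterday and run past midnight."""
    for days_back in (0, 1):
        day = local_now.date() - timedelta(days=days_back)
        begins = datetime.combine(day, period.start, tzinfo=local_now.tzinfo)
        if begins <= local_now < begins + period.duration:
            return True
    return False


def effective_limit_kbps(periods, mode, now_utc, agent_tz, server_tz,
                         max_rate_kbps):
    """Lowest rate among the active periods, or None when none is active."""
    local_now = policy_clock(mode, now_utc, agent_tz, server_tz)
    active = [p.rate_kbps(max_rate_kbps) for p in periods
              if is_active(p, local_now)]
    return min(active) if active else None


# Constructed sample: a working-day period and a tighter midday period.
SAMPLE_PERIODS = [
    ThrottlingPeriod(time(8, 0), timedelta(hours=10), 50, "percent"),
    ThrottlingPeriod(time(12, 0), timedelta(hours=2), 100, "kbps"),
]
SERVER_TZ = timezone(timedelta(hours=-5))  # constructed: server at UTC-5
AGENT_TZ = timezone(timedelta(hours=1))    # constructed: agent at UTC+1
NOW_UTC = datetime(2024, 1, 15, 17, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for mode in ("agent", "server", "utc"):
        limit = effective_limit_kbps(SAMPLE_PERIODS, mode, NOW_UTC,
                                     AGENT_TZ, SERVER_TZ, max_rate_kbps=1000)
        print(mode, limit)
```

At the sample instant the agent clock reads 18:30, the server clock 12:30 and UTC 17:30, so the three options give three different results for one policy.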
Table 5-12
Multicast Configuration settings
Setting
Description
Allow Symantec Management Agents to use multicast for downloading packages
Enables multicasting for downloading packages.
See “About multicasting packages” on page 74.
By default the Symantec Management Agent should use multicast when
downloading packages
If multicast is set as the default for downloading packages in the Global Agent Settings
policy, this option lets you turn it off. However, individual packages may override
this setting.
If the Global Agent Settings policy has multicast turned off, you cannot turn it on
with this option.
Maximum master sessions
per computer
The maximum number of concurrent sessions for which a Symantec Management
Agent can be the master.
The default value is 2 for new policies and for most of the default targeted agent
settings policies that are supplied with Notification Server. The exception is the All
Package Servers policy, which has a default value of 10. This is the suggested default
for package servers.
Minimum receiving
computers per session
The minimum number of Symantec Management Agents (excluding the master) that
must join the session before package multicasting can proceed.
Wait time to begin session
The maximum time to wait for the minimum number of Symantec Management
Agents (excluding the master) to join the session, before the session times out.
This value can be defined as a percentage of the Download new configuration interval
on the General tab, or in minutes.
The default value is 50% of the Download new configuration interval.
The larger the value, the more agents will join the session and reduce bandwidth
utilization on the local segment, but the longer it will take for the package to arrive.
Configure this value higher than the minimum time to start multicast (around 10
minutes).
If a session times out, the Symantec Management Agents that were members of the
session will attempt to download the package again through multicast, until the
Maximum transmission attempts per package value is reached.
Number of receiving computers required to begin session before wait time has
expired
The number of Symantec Management Agents (excluding the master) that must join
a session to enable multicasting to begin.
The default value is 100.
This setting cannot be less than the value that you specified for Minimum receiving
computers per session.
This setting can be used to override the wait time when enough agents have joined
the session to represent significant bandwidth savings. The wait time is specified in
the Wait time to begin session field.
Maximum bandwidth to use for multicasting
The maximum bandwidth that multicasting can use per package.
The default value is 125 Kbytes/sec.
Maximum transmission
attempts per package
The maximum number of times that the Symantec Management Agent may attempt
to receive the same package through multicast. If all attempts fail, the agent reverts
to the normal package download procedure.
The default number is 3.
Maximum sessions per
physical subnet
Specifies the maximum number of multicast sessions that can occur concurrently
per physical subnet.
The default number is 10.
Disable multicast for
packages smaller than
Specifies the minimum package size that may be downloaded using multicast.
The default size is 512 KB.
About multicasting packages
Multicasting lets you transmit packages to a select group of recipients. It improves
package server performance on large networks and protects package servers from
being overloaded, especially when distributing large packages. It also reduces the
load on package servers by reducing the number of Symantec Management Agents
that connect to each package server. It decreases network utilization by enabling
agents to multicast package data to other managed computers.
See “Configuring the targeted agent settings” on page 66.
Multicasting can reduce WAN utilization in the remote sites that do not have a
dedicated package server. In such situations, only one agent needs to cross the
WAN to download the package. The other Symantec Management Agents on the
same site can then download the package from that agent using multicast.
Symantec Management Agents revert to unicast for downloading packages in the
following conditions:
■
The Maximum sessions per physical subnet value has been reached more times
than the Maximum transmission attempts per package value specified.
■
The Symantec Management Agent connection to the multicast session falls
below 64 Kbytes/sec.
■
The maximum bandwidth that is used for multicasting has been reached.
■
The Maximum sessions per physical subnet value has been reached.
■
The package is smaller than the Disable multicast for packages smaller than
value.
Targeted Agent Settings: Blockouts tab
The targeted agent blockout periods are times when all communication between
the Symantec Management Agent and Notification Server is disabled. The
Blockouts tab lets you set up any number of blockout periods in a targeted agent
settings policy.
See “Configuring the targeted agent settings” on page 66.
Table 5-13
Settings on the Blockouts tab
Setting
Description
Disable
communication at
startup and after
blockouts for up to
Disables the communication between Notification Server and the Symantec Management
Agents for a specified period after the computer is turned on and after a blockout period
has expired.
This setting prevents all Symantec Management Agents from communicating with Notification
Server at the same time. For example, at the start of the working day when all the computers
are turned on, or after blockouts have finished. The actual time that communication is
disabled is a random interval from 0 to the time specified.
Time zone
The available time zones are as follows:
■ Use agent time
The times are specified without time zone information, and are applied at the local time
at each managed computer. Blockouts start and end at different times depending on
the time zones of the managed computers.
■ Use server time
The times are specified with time zone information, where the time zone offset is that
of the server's time zone where the policy is defined. The blockout periods start
simultaneously irrespective of time zones, and are compensated for daylight saving.
■ Coordinate using UTC
The times are specified with time zone information, where the time zone offset is 0. The
blockout periods start simultaneously irrespective of time zones and are not affected
by daylight saving.
Blockout periods
The blockout periods that you want to have available.
See “Adding a blockout period to the targeted agent settings” on page 76.
Adding a blockout period to the targeted agent settings
You need to specify the blockout periods that you want to use. You can specify
any number of blockout periods.
See “Configuring the targeted agent settings” on page 66.
See “Targeted Agent Settings: Blockouts tab ” on page 75.
If a blockout prevents a software delivery package download, the package download
starts immediately when the blockout expires, according to the download options
you selected.
To add a blockout period
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > Targeted Agent Settings.
2
In the left pane, click the policy for which you want to add a blockout period
to the targeted agent settings.
3
In the right pane, click Blockouts.
4
On the Blockouts tab, click Add blockout period.
5
Specify the Start Time and Duration in the corresponding boxes.
6
In the Unit drop-down list, select the blockout period type:
Download
The package server and Symantec Management Agent do not
download any software delivery packages. However, the Symantec
Management Agent still sends events and gets Symantec
Management Agent Settings policy requests from Notification
Server. Events and Symantec Management Agent Settings policy
requests are typically small amounts of information and have
minimal effect on the network traffic. However, packages can be
large and can affect the network load. This setting can help
minimize the effect of package servers and Symantec
Management Agents on the network during business hours.
Total
There is no communication between the package server/Symantec
Management Agent and Notification Server during the specified
time period. All events from the Symantec Management Agent
are queued (on the Agent) and are sent after the blockout.
7
Click Save changes.
Targeted Agent Settings: User Control tab
The targeted agent user control settings are the options that affect what the user
of the managed computer can see.
See “Configuring the targeted agent settings” on page 66.
Table 5-14
Settings on the User Control tab
Setting
Description
Show client tray icon
Displays the Symantec Management Agent icon in the
system tray on the managed computer.
Display locale
The language that the Symantec Management Agent
displays as the chosen language regardless of the operating
system locale.
The default is Local Regional Settings.
Warning Countdown duration
The Software Delivery task notification countdown prior
to running the task or restarting the target computer.
The options are 1, 2, 3, 5, 10, 15, 30, 60, and 120 minutes.
The default is 5 minutes.
Targeted Advanced Settings: Advanced tab
The Advanced tab lets you specify an alternate URL that the Symantec
Management Agent can use to access Notification Server, and turn on the power
management feature.
See “Configuring the targeted agent settings” on page 66.
Table 5-15
Settings on the Advanced tab
Setting
Description
Alternate URL for accessing NS
Specifies an alternate URL that the Symantec Management Agent can use to access
Notification Server. You may need to change these settings when you configure
Notification Server to use SSL.
Server Name
We recommend that you use the fully qualified domain
name.
Server Web
The Server Web address should be in the following format:
http://<NS_FQDN>:<port>/Altiris/
https://<NS_FQDN>:<port>/Altiris/
Enable tickle on Symantec Management Agents
Turns on the power management feature. The relevant
settings are specified in the global agent settings policy.
See “About the Tickle/Power Management settings”
on page 63.
About maintenance windows for managed computers
A maintenance window is a scheduled time and duration when maintenance
operations may be performed on a managed computer. A maintenance operation
is one that changes the state of a computer, causes it to restart, or interferes with
a user’s ability to operate the computer. For example, installing software and
operating system patches, or running a virus scan.
A maintenance window policy defines one or more maintenance windows and is
applied to a resource target in the same way as any other policy. These policies
provide the maximum flexibility for assigning maintenance windows to computers,
without complicating the management of agent settings. If multiple maintenance
window policies apply to a single computer, changes to the computer are permitted
during any of the maintenance windows.
See “About configuring the Symantec Management Agent” on page 59.
Using maintenance windows lets you schedule maintenance work on managed
computers with minimal impact on work flow and productivity. Also, you can
schedule maintenance work on critical servers at different times so no two servers
are ever restarted at the same time. A maintenance window may be scheduled for
certain times, such as daily, weekly or monthly. The maintenance window may
be available indefinitely or restricted to a particular date range.
When you apply a maintenance window to a managed computer, maintenance
tasks, such as patches and software deliveries, can only be carried out on them
in the scheduled time period. Symantec Management Agents can download
software delivery packages any time, but associated programs can be run only
during the maintenance windows.
The Symantec Management Agent processes the policy and provides the
functionality that solutions use to determine whether a maintenance window is
currently open. Functionality is also provided to allow solutions to inform
Notification Server that a maintenance task has been performed.
If the Symantec Management Agent is performing a task as part of a job when the
maintenance window expires, the maintenance window is automatically extended
until all tasks that are contained in the job are completed.
See “Configuring maintenance window policies” on page 79.
Configuring maintenance window policies
You can create and modify the maintenance window policies that you need and
apply them to the appropriate targets. The default maintenance window policy
is applied to all managed computers.
See “About maintenance windows for managed computers” on page 78.
To configure maintenance window policies
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > Maintenance Windows.
2
In the left pane, in the Maintenance Windows folder, do one of the following:
■ To create a new maintenance window policy, right-click and then click
New > Maintenance Window. In the right pane, edit the default new policy
name and description as appropriate.
■ To modify an existing maintenance window policy, select the appropriate
policy.
3
In the right pane, in the Time Zone box, select the appropriate option:
Use agent time
The times are specified without time zone information and
are applied at the local time at each managed computer.
Maintenance windows open and close at different times
depending on the time zones of the managed computers.
Use server time
The times are specified with time zone information, where
the time zone offset is that of the server’s time zone where
the policy is defined. The maintenance windows open
simultaneously irrespective of time zones and are
compensated for daylight saving.
This option ensures that maintenance windows are always
coordinated with the specified local time on the server where
the policy is created.
Coordinate using UTC
The times are specified with time zone information, where
the time zone offset is 0. The maintenance windows open
simultaneously irrespective of time zones and are not
affected by daylight saving.
The time zone applies to all of the maintenance windows that are specified
in this policy.
4
If you want the policy to take effect on a particular date, rather than as soon
as it is enabled, in the upper right corner, click Advanced, then in the
Advanced Options dialog box, set the start date and end date, and click OK.
Start
The date that the policy takes effect. The policy must be enabled
in the same way as any other policy. You can enable the policy
at any time before or after the start date.
End
If you want the policy to be available for a limited period of time,
set the appropriate end date. The policy is unavailable after this
date, whether or not it is enabled.
This setting is optional. If no end date is specified, the policy is
available indefinitely.
5
Create the maintenance windows that you want to include in the policy.
To add a new maintenance window
Click Add Maintenance Window.
To delete a maintenance window
Click anywhere in the maintenance window that you
want to delete, and then click Delete.
6
In each maintenance window, under Daily Times, specify the start time of
the maintenance window and either the end time or the duration in the
corresponding boxes.
Alternatively, you can drag the green (start time) and red (end time) arrows
to the appropriate places on the time line.
7
Under Repeat Schedule, in the Repeat every box, select a schedule and then
specify the appropriate schedule filters:
No repeat
The maintenance window is open only once, on the day
that it is applied to the managed computer.
Day
The maintenance window is open every day.
Week
Specify the weekdays on which the maintenance
window is open.
Month (week view)
Specify the days of the week and the weeks of the
month on which the maintenance window is open.
Month (date view)
Specify the dates of the month on which the
maintenance window is open.
Yearly (week view)
Specify the days of the week, the weeks of the month,
and the months on which the maintenance window is
open.
Year (date view)
Specify the dates of the month and the months on
which the maintenance window is open.
8
In the Applied to panel, specify the maintenance window policy target.
You can select an existing organizational group, filter, or resource target.
You can also select individual resources.
Details of the selected items are displayed in the grid. You can view the list
by targets, resources, computers, or users, and make any necessary additions
and deletions.
9
Click Save Changes.
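The three Time Zone options described for blockouts and for maintenance windows, worked through in an added Python example (not Symantec code). The agent names and fixed UTC offsets are constructed sample data, and a daily repeat schedule is assumed.

```python
from datetime import date, datetime, time, timedelta, timezone

MODES = ("agent", "server", "utc")


def reference_tz(mode, agent_tz, server_tz):
    """Pick the zone in which the policy's wall-clock start time is interpreted."""
    if mode == "agent":    # "Use agent time": local time on each managed computer
        return agent_tz
    if mode == "server":   # "Use server time": zone of the server defining the policy
        return server_tz
    if mode == "utc":      # "Coordinate using UTC": offset 0
        return timezone.utc
    raise ValueError(f"unknown time zone mode: {mode!r}")


def window_open_utc(mode, start, day, agent_tz, server_tz):
    """UTC instant at which a window starting at `start` on `day` opens."""
    ref = reference_tz(mode, agent_tz, server_tz)
    return datetime.combine(day, start, tzinfo=ref).astimezone(timezone.utc)


def fleet_schedule(mode, start, day, agents, server_tz):
    """Map agent name -> UTC opening instant for every agent in the fleet."""
    return {name: window_open_utc(mode, start, day, tz, server_tz)
            for name, tz in agents.items()}


def spread(schedule):
    """Gap between the earliest and latest opening; zero means simultaneous."""
    return max(schedule.values()) - min(schedule.values())


def is_open(now_utc, mode, start, duration, agent_tz, server_tz):
    """True if a daily-repeating window is open at `now_utc` for this agent."""
    ref = reference_tz(mode, agent_tz, server_tz)
    today = now_utc.astimezone(ref).date()
    # A window that opened yesterday may still be open after midnight.
    for day in (today - timedelta(days=1), today):
        opened = window_open_utc(mode, start, day, agent_tz, server_tz)
        if opened <= now_utc < opened + duration:
            return True
    return False


def fixed(hours):
    """Fixed-offset zone; any tzinfo (for example zoneinfo.ZoneInfo) also works."""
    return timezone(timedelta(hours=hours))


# Constructed sample fleet, offsets as they would be in January.
AGENTS = {"nyc-web01": fixed(-5), "ber-db01": fixed(1), "tyo-app01": fixed(9)}
SERVER_WINTER = fixed(-5)   # server zone on standard time (constructed)
SERVER_SUMMER = fixed(-4)   # same server zone during daylight saving (constructed)

if __name__ == "__main__":
    start, day = time(2, 0), date(2012, 1, 15)
    for mode in MODES:
        sched = fleet_schedule(mode, start, day, AGENTS, SERVER_WINTER)
        print(mode, "spread:", spread(sched))
        for name, opened in sorted(sched.items()):
            print("   ", name, opened.isoformat())
```

With agent time the 02:00 window opens over a 14-hour span across this fleet, so servers that must not restart together need either server time or UTC.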
Chapter 6
Discovery and Inventory
This chapter includes the following topics:
■ About Network Discovery
■ Discovering UNIX and Linux computers
■ About Inventory Solution
■ About Inventory Pack for Servers
■ Gathering inventory on managed computers
■ Enabling the inventory plug-ins for UNIX and Linux computers
■ Enabling the server inventory policy
■ About methods for gathering software inventory on UNIX or Linux platforms
■ About gathering UNIX/Linux software inventory
■ Gathering and viewing software inventory of the native UNIX/Linux package system
■ About software inventory using the filescan.rule file
■ Running software inventory using the filescan.rule file
■ About gathering custom inventory
■ About custom inventory data classes
■ Gathering custom inventory
■ Creating and customizing a data class
■ Creating a custom inventory script task
■ Customizing the custom inventory sample script for UNIX, Linux, and Mac
■ About gathering agentless inventory
■ Gathering agentless inventory
■ Creating agentless inventory tasks using the wizard
■ Manually creating, scheduling, modifying, and stopping agentless inventory tasks
■ Viewing agentless inventory results
■ About gathering and viewing Apache HTTP Server inventory
■ About gathering and viewing VMware ESX Virtualization inventory
■ Gathering and viewing MySQL and Oracle Database inventory
About Network Discovery
Network Discovery lets you discover all IP devices that are connected to your
network. Network Discovery lets you find new network devices and find the
network devices whose discovery properties have changed.
Network Discovery is bundled with many Symantec suites and may be included
depending on the products you have installed.
Network Discovery can discover routers, switches, hubs, network printers, Novell
NetWare servers, and the computers that are running Windows, UNIX, Linux, and
Macintosh. You can use a variety of protocols to discover devices, such as AMT,
SNMP, WMI, and others.
The information that is collected can help you do the following:
■ Plan for imaging
■ Update drivers on specific types of hardware
■ Configure changes to routers or switches
■ Identify the computers that are running the operating systems not currently
supported by the Symantec Management Agent
You can also update categories so that the new devices that are added to the
network can be identified during discovery.
Because Network Discovery integrates with Symantec Management Platform,
when devices are discovered, they are automatically created as resources in the
platform’s central database (CMDB). Using the platform’s task management
component, you can schedule discovery tasks to run when it best meets your
needs.
You can also discover Windows-based computers through domains or importing
through Microsoft Active Directory.
Discovering UNIX and Linux computers
Network Discovery can be done during initial setup by going to Home >
Notification Server Management > First Time Setup. After first time setup, you
can access it (for periodically running discovery tasks) on the Network Discovery
portal page. Navigate to Home > Discovery and Inventory > Network Discovery.
On the portal page, you can create discovery tasks, run them on demand, or set
them up to run on a schedule. Multiple discovery tasks can be created to discover
different physical or functional portions of your network, or to target specific
types of devices.
You can discover UNIX and Linux computers using several different methods:
■ Using a network scan, also known as a ping sweep, for an IP range that you
select. A ping sweep is a method that can establish a range of IP addresses
which map to live hosts.
■ Using the discovery module to find network devices by interrogating (using
SNMP) the switches and routers that it finds on the network.
■ Using the SSH protocol, you can find IBM AIX computers and Solaris/Sparc
servers.
Using the SSH protocol for these servers also discovers LPARs defined on AIX
servers and Zones defined on Solaris servers. In addition, it creates Notification
Server resources for them, and resource associations between virtual devices
and their host.
See “About Network Discovery” on page 84.
To discover computers using a ping sweep during first time setup
1
Enable SNMP on your Linux or UNIX server computer. Refer to the operating
system's documentation on how to enable SNMP.
2
In Symantec Management Console, navigate to Home > Notification Server
Management > First Time Setup.
3
On the Welcome to the Symantec Management Console page, click Discover
Computers.
4
Click Step 2: Network.
5
Check the box next to Discover networked computers and devices (ping
sweep).
6
Enter a ping sweep range.
Consider whether you need to scan all IP addresses. For a first-time setup,
you may need to include all subnets to ensure that you identify every device.
However, you can limit the scope as needed. For example, you can run multiple
scans on specific subnets if that simplifies the discovery task.
7
If you want to communicate with network devices and classify them more
accurately, click Turn on additional protocols.
If you cannot connect remotely, your network or computers may have firewalls
turned on. You may need to turn these off to perform discovery.
8
After you have made all your selections in the Discover Computers dialog
box, click Discover.
To discover IBM AIX and Solaris/Sparc computers using SSH during first time setup
1
Follow the steps in the procedure above until you get to Step 7.
2
Click Turn on additional protocols.
Enable the protocol by clicking on the red button to the right of the red Off
button and selecting On.
3
Enter access credentials by clicking on the “+” sign.
4
Select SSH credentials from the drop-down list.
5
Provide a name, user name, and password for the credential.
The credentials for SSH discovery can be the “root” credentials, but that is
not a requirement. However, the supplied credentials do need to provide
sufficient privileges. They need to be able to collect name, interface, system,
and virtual device information. Otherwise, important information cannot be
obtained.
6
Specify whether this credential can be used only by you or by other users as
well.
7
Modify other characteristics as needed. For example, the default timeout
value of 3 seconds for SSH is probably too short for many devices. A better
value might be 13 seconds.
8
Click OK.
To discover computers using SNMP
1
In Symantec Management Console, navigate to Home > Discovery and
Inventory > Network Discovery.
2
In the Network Discovery Quick Start Actions pane, click SNMP Device
Classification.
3
The SNMP Device Classification dialog displays a list of devices. Look for
"UNIX" or "Linux" in the Device Type column to find any discovered
UNIX/Linux computers.
About Inventory Solution
Obtaining and analyzing accurate inventory data is an important part of managing
and securing your network. Inventory Solution lets you gather inventory data
about computers, users, operating systems, and installed software applications
in your environment. The application metering feature also lets you monitor and
deny the usage of software applications on your network.
Inventory Solution works on a wide range of supported platforms enabling you
to easily gather data in a heterogeneous environment. You can gather inventory
on Windows, UNIX, Linux, and Mac computers.
For a complete list of supported platforms and versions, see the Inventory Solution
Release Notes at the following URL:
http://www.symantec.com/business/support/overview.jsp?pid=55266
You use policies and tasks to perform inventory and application metering
functions. The policies and tasks are easily configured and managed using a central
Web console.
Predefined inventory policies let you gather inventory with little effort.
The inventory data is stored in the Configuration Management Database (CMDB).
The CMDB provides a central store of data that is used across the Symantec
Management Platform.
For more information, see the topics about the CMDB in the Symantec Management
Platform User Guide.
You can use different methods for gathering the following types of inventory data:
Basic inventory data:
Computer name, domain, installed operating system, etc.
Standard inventory data:
Hardware and software components, file properties, etc.
Custom inventory data:
Additional data beyond the predefined data classes in
Inventory Solution.
Application metering inventory data:
Start, stop, deny events and summary data of monitored
software applications.
Baseline inventory data:
Information about files and registry settings on computers.
To help maximize your investment, Inventory Solution does more than gather
data. Inventory Solution provides a Web-based management console, policies to
alert you about critical information, and professional quality predefined or custom
Web reports that let you analyze gathered inventory data. Thus Inventory Solution
includes the tools that you need to transform your inventory data into useful
information.
Inventory Solution also has the following features:
■ Supports zero-footprint configuration.
■ Operates in always connected, sometimes connected, and stand-alone
computing environments.
■ Can be installed to run on a recurring basis with the Symantec Management
Agent.
■ Posts data through SMB and/or HTTP.
■ Lets you meter, track, or deny the usage of one or more software applications
and harvest unused software licenses.
You can use Inventory Pack for Servers, which is a separate product that lets you
gather server-based inventory data from servers.
See “About Inventory Pack for Servers” on page 88.
You can also use additional Symantec products to gather inventory data from
handheld computers, network devices, and Windows, UNIX, Linux, and Mac
servers.
About Inventory Pack for Servers
Inventory Pack for Servers is a separate product with a separate license. It runs
on top of Inventory Solution and uses the Inventory Pack for Servers Plug-in.
Inventory Pack for Servers lets you use different methods of Inventory Solution
for gathering inventory data about server-class software that is installed on
servers.
You can gather the following types of server-based inventory data:
■ Microsoft Windows server operating systems
■ Red Hat Enterprise Linux
■ SUSE Linux Enterprise Server
■ VMware ESX
■ ORACLE
■ Microsoft SQL Server
■ Microsoft SQL Server clusters
■ MySQL
■ Microsoft Exchange Server
■ Microsoft DHCP server
■ Microsoft DNS server
■ Microsoft RAS server
■ Microsoft IIS
■ Apache
■ Network load balancing
■ System DSN
For a complete list of supported platforms and versions, see the Inventory Pack
for Servers Release Notes at the following URL:
http://www.symantec.com/business/support/overview.jsp?pid=55266
See “About Inventory Solution” on page 87.
Gathering inventory on managed computers
You can gather inventory data by running automated policies and tasks on
managed computers. This method requires that you install the Symantec
Management Agent and the Inventory Plug-in on target computers. The inventory
policies and tasks use the Inventory Plug-in to perform the inventory scan on the
target computer. The inventory data is sent to the CMDB.
Table 6-1 Process for gathering inventory on managed computers
Step
Action
Description
Step 1
Prepare managed computers for inventory.
Target computers must be managed and have the Inventory Plug-in installed.
Step 2
Enable an inventory policy or create an inventory policy.
You need to enable and configure a policy to collect inventory.
You can use an existing policy or create and configure your own
policies or tasks.
Step 3
(Optional) Configure custom inventory policy schedules.
An inventory policy with the custom schedule does not run
automatically as soon as possible after the custom schedule is
created and on any new computer that joins the target collection.
You can configure the two custom schedules to run the policy
immediately once and on a recurring schedule later.
Step 4
View inventory results.
You can view the gathered inventory data by viewing reports and
data in the Resource Manager.
Enabling the inventory plug-ins for UNIX and Linux computers
To gather detailed inventory about UNIX and Linux server computers, you must
enable the Inventory plug-in and the Inventory Pack for Servers plug-in. Since
Linux and UNIX are classified as server operating systems, the Inventory Pack
for Servers is required to gather a full inventory. Without the Inventory Pack for
Servers, you can see only basic inventory details such as any installed RPM
packages, or basic system properties provided by the Symantec Management
Agent inventory.
See “About Inventory Pack for Servers” on page 88.
Before you install the Inventory plug-ins, you must install the Symantec
Management Agent for UNIX, Linux, and Mac computers.
See “About methods of installing the Symantec Management Agent for UNIX,
Linux, and Mac” on page 47.
To enable the Inventory plug-in on UNIX and Linux computers
1
In the Symantec Management Console, on the Settings menu, go to
Agents/Plug-ins > All Agents/Plug-Ins > Discovery and Inventory >
Windows/UNIX/Linux/Mac.
2
Click the Inventory plug-in Install policy.
3
Select the target computers on which you want to enable the policy.
4
In the right pane, turn the policy On.
5
Click Save changes.
The policy is now enabled on the target computers. It will be installed the
next time the Symantec Management Agent checks in for policy changes. In
a production setting, the agent will check in at least once a day for new policy
updates.
To enable the Inventory Pack for Servers plug-in on UNIX and Linux computers
1
In the Symantec Management Console, on the Settings menu, go to
Agents/Plug-ins > All Agents/Plug-Ins > Discovery and Inventory >
Windows/UNIX/Linux/Mac.
2
Click Inventory Pack for Servers plug-in Install.
3
Select the target computers on which you want to enable the policy.
4
In the right pane, turn the policy On.
5
Click Save changes.
Enabling the server inventory policy
To run inventory scans and gather data, you must enable inventory policies for
UNIX and Linux computers. The Collect Full Server Inventory policy lets you
gather data about server computers. Make sure you have enabled the inventory
plug-ins before you enable the inventory policies.
To enable the Collect Full Server Inventory Policy for UNIX, Linux, and Mac computers
1
In the Symantec Management Console, on the Actions menu, go to Inventory
> Agent-based.
2
In the left pane, go to Policies > Discovery and Inventory > Inventory.
3
Click the Collect Full Server Inventory policy.
4
To change the schedule, click the time period and click Save Changes.
The schedule applies to the time zone where the managed computer resides.
5
To change the type of software and hardware inventory that is gathered,
modify the Types of inventory.
6
To target the computers you want to run the policy on, select them in the
Applies To/Compliance section.
7
Click Save changes.
8
In the right pane, turn the policy On.
About methods for gathering software inventory on UNIX or Linux platforms
The method by which you gather software inventory on UNIX or Linux platforms
differs if the software is listed in the package system native to the operating
system.
To gather inventory of the native package system, use the predefined Collect Full
Server Inventory policy that is enabled by default or create and configure a new
software inventory policy.
See “Gathering and viewing software inventory of the native UNIX/Linux package
system” on page 93.
Identifying the software that is not listed in the native package system requires
detection rules to be run on the client for each individual software title. If all the
conditions of the rule are met, the agent reports to the Notification Server
computer that the software is installed. On UNIX and Linux, detection rules are
called "filescan" rules. These rules for UNIX/Linux systems are activated when
the File properties option of the inventory policy is enabled. Enabling the File
Properties on UNIX option does not automatically cause all files on UNIX/Linux
systems to be reported to the Notification Server computer. The user-defined
software that is contained within the filescan.rule will be reported and the results
can be viewed in the Installed Software report.
See “About software inventory using the filescan.rule file” on page 94.
See “Running software inventory using the filescan.rule file” on page 95.
For more information, see the Altiris Inventory Solution for Symantec User Guide
at the following URL:
http://www.symantec.com/docs/DOC4729.
About gathering UNIX/Linux software inventory
Software inventory collects information about the applications that are installed
on your managed computers and helps you analyze different aspects of your
resources.
See “About software inventory using the filescan.rule file” on page 94.
See “Running software inventory using the filescan.rule file” on page 95.
For example, you can identify the computers that do not meet minimum security
requirements. You can collect information about the computers that do not have
antivirus software or application updates installed. You can also prepare for a
software license audit by finding out the number of installed instances of an
application. Or you can quickly check whether a specific software is installed on
your managed computers.
Software inventory tasks or policies scan the target computers for the available
software applications and report the collected information to Notification Server.
You can collect information about both standard applications and custom software
applications that are installed on your UNIX or Linux server computers.
The installed software that you can identify and inventory on your managed
computers is defined as a software component. You can have software components
automatically associated with the predefined software products that Inventory
Solution provides. Thus Inventory Solution lets you manage and track software
usage at the product level instead of the file level. For example, you can manage
software such as LAMP (Linux + Apache + MySQL + PHP), Firefox, OpenOffice,
and Oracle DB.
For more information, see the topics about managing software in the Altiris IT
Management Suite 7.1 from Symantec Enhanced Console Views Getting Started
Guide at the following URL:
http://www.symantec.com/docs/DOC3563
Gathering and viewing software inventory of the native UNIX/Linux package system
The majority of software data on UNIX or Linux platforms can be collected by
querying the native package system for the OS. This action is comparable to
gathering Add/Remove programs on Microsoft Windows platforms. You can either
create a new policy or modify or clone the default inventory policy.
See “About methods for gathering software inventory on UNIX or Linux platforms”
on page 92.
To gather software inventory of the native package system
1
In the Symantec Management Console, navigate to Manage > Policies >
Discovery and Inventory > Inventory.
2
Right-click the Collect Full Server Inventory policy and select Clone.
3
Modify the schedule to include a daily, weekly, monthly, or custom inventory
schedule.
4
Select Software - Windows Add/Remove Programs and UNIX/Linux/Mac
software packages.
5
Apply this policy to the UNIX or Linux servers of your choice.
After a software inventory of the targeted systems has been gathered, you can
view the results.
To view software inventory results
1
In the Symantec Management Console, navigate to Reports > Discovery and
Inventory > Inventory > Cross-platform > Software/Applications > Software.
2
Double-click the Installed Software report.
Note that you can also create a modified report that includes software version
information.
About software inventory using the filescan.rule file
(UNIX, Linux, and Mac only)
Software inventory using the filescan.rule file lets you collect information
about the installed applications on your UNIX, Linux, and Mac computers.
A file scan agent that is included in software inventory uses the filescan.rule
file to detect the applications that are installed on your client computers. The
filescan.rule file contains the data sets that represent information regarding
different applications. The file scan agent compares each data set to the actual
file system data to find out whether an application is installed.
See “Running software inventory using the filescan.rule file” on page 95.
Each data set in the filescan.rule file consists of two lines of data. The first line
is the application description data, and the second line is the matching criteria
data. The application description data consists of the product name, the
manufacturer, the version, and the description of the application. The matching
criteria data includes a file name or the absolute path to the file that is part of the
application, file size, and cyclic redundancy check (CRC). When the file scan agent
finds this file in the specified directories, the associated product is reported as
part of the inventory on that system.
A data set that represents information about an application in the filescan.rule
file looks as follows:
product name = "Watcher" manufacturer = "Company" version = "3.24" description = ""
file = "/opt/secret/eys/watcher" size = "45698" CRC = ""
A default filescan.rule file is included in the Inventory Plug-in installation
package for each platform. It contains an example list of some common
applications.
Symantec recommends that you customize the default filescan.rule file to
include the additional applications that the software inventory should report.
You can also add entries for the applications that are developed in-house.
After you customize the filescan.rule file, you can create a Quick Delivery task
to redistribute it to all UNIX, Linux, and Mac client computers.
For more information, see the topics about creating a Quick Delivery task in the
Software Management Solution User Guide.
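A customized filescan.rule file can be checked on a reference computer before it is redistributed. The following script is an added example, not part of the Symantec product: it parses the two-line data sets described above, reports malformed entries, and tests each absolute path and size against the local file system. The function names, the status words, and the handling of blank lines and empty size values are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a customized filescan.rule file before distribution.
# Assumptions (not stated on the page): blank lines are ignored, "size" is a
# byte count, and an empty size means "do not compare". CRC is not evaluated
# because the page does not name the algorithm. Only absolute paths are tested;
# bare file names are reported as SKIPPED because the agent would search the
# directories configured in the Inventory task or policy.

# field LINE KEY: print the quoted value that follows KEY in LINE.
field() {
    printf '%s\n' "$1" | sed -n "s/.*$2 *= *\"\([^\"]*\)\".*/\1/p"
}

# check_rules FILE: print one status line per data set, return 1 on any error.
check_rules() {
    errors=0; n=0; desc=
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        # First line of a data set: application description data.
        if printf '%s\n' "$line" | grep -q 'product name *= *"'; then
            if [ -n "$desc" ]; then
                echo "ERROR line $n: previous data set has no matching criteria"
                errors=$((errors + 1))
            fi
            desc=$line
            continue
        fi
        # Second line: matching criteria data.
        if [ -z "$desc" ]; then
            echo "ERROR line $n: matching criteria without a description line"
            errors=$((errors + 1))
            continue
        fi
        product=$(field "$desc" "product name")
        version=$(field "$desc" version)
        path=$(field "$line" file)
        size=$(field "$line" size)
        desc=
        if [ -z "$path" ]; then
            echo "ERROR line $n: no file value for $product"
            errors=$((errors + 1))
            continue
        fi
        case $size in
            *[!0-9]*)
                echo "ERROR line $n: size \"$size\" is not numeric"
                errors=$((errors + 1))
                continue ;;
        esac
        case $path in
            /*) ;;
            *) echo "SKIPPED $product $version $path"; continue ;;
        esac
        if [ ! -f "$path" ]; then
            status=ABSENT
        elif [ -n "$size" ] && [ "$(wc -c < "$path" | tr -d ' ')" != "$size" ]; then
            status=SIZE_MISMATCH
        else
            status=FOUND
        fi
        echo "$status $product $version $path"
    done < "$1"
    if [ -n "$desc" ]; then
        echo "ERROR: last data set has no matching criteria"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Stand-alone use: sh check_filescan.sh /path/to/filescan.rule
if [ -n "${1:-}" ]; then
    check_rules "$1"
fi
```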
Running software inventory using the filescan.rule file
(UNIX, Linux, and Mac only)
To run the software inventory using the filescan.rule file, you must have the
Symantec Management Agent and the Inventory Plug-in installed on your UNIX,
Linux, and Mac client computers. The Inventory Plug-in installation package
includes a default filescan.rule file that contains an example list of some
common applications.
You can customize the default filescan.rule file and add the applications that
you want to be reported. You can also use the aex-filesurveyor utility to scan your
UNIX, Linux, and Mac systems for executables. The output of the scan is formatted
for use as a filescan.rule file. After you create or customize a filescan.rule
file, you can distribute it to the client computers.
The file scan agent uses the settings of the Inventory task or policy to scan the
directories. If you want to change the set of the directories that are scanned, you
must edit the advanced settings of the Inventory task or policy. When no
directories are specified, then all local drives are scanned.
See “About software inventory using the filescan.rule file” on page 94.
To run software inventory using the filescan.rule file
1
(Optional) Copy the default filescan.rule file from the client computer to
the Notification Server computer and customize it.
2
(Optional) To distribute the customized filescan.rule file to the client
computers, create a Quick Delivery task in the Symantec Management
Console.
The filescan.rule file should be copied to the following folder:
/opt/altiris/notification/inventory/etc/
You can use the following universal path with custom installation directories:
`aex-helper info path -s INVENTORY`/etc/
For more information, see the topics about creating a Quick Delivery task
in the Software Management Solution User Guide.
3
For the Inventory policy that gathers software inventory, ensure that the
option File properties - manufacturer, version, size, internal name, etc. is
checked.
About gathering custom inventory
Custom inventory helps you extend the type of inventory you gather by adding
the new data classes that are not included by default.
Custom inventory also lets you extend the use of a predefined data class by
customizing it. For example, the attributes of the Processor Extension data class
are Device ID, L2 Cache Size, and L2 Cache Speed. You can customize this data
class by adding or removing attributes.
See “Gathering custom inventory” on page 98.
See “Creating and customizing a data class” on page 99.
If a custom data class is saved in the Configuration Management Database (CMDB)
and is empty, you can modify it in the following ways:
■
You can add nullable, non-nullable, key, and non-key attributes to it.
■
You can delete its attributes.
■
You can change the properties of its attributes.
If the custom data class contains data, you cannot modify it.
After you customize a data class, you create a task with scripting logic and schedule
it to run on the target computers.
See “Creating a custom inventory script task” on page 100.
Warning: Use caution if you gather inventory using the custom data class and the
same data class is also part of the standard inventory. When a standard inventory
follows a custom inventory, the data that the standard inventory gathers
overwrites the data that the custom inventory gathers. To prevent the custom
inventory data from being overwritten, you must perform the custom inventory
after the standard inventory.
About custom inventory data classes
Custom inventory data classes store the custom inventory data. A data class is a
table in the Configuration Management Database (CMDB). For example, the
Processor_Ex data class is the Inv_Processor_Ex table in the CMDB. Each data
class has a set of attributes that define its properties.
Table 6-2 Example of attributes of the Processor Extension data class
Attribute | Description
Device ID | Specifies the unique index that is used to identify the device.
L2 Cache Size | Specifies the size of the Level 2 processor cache in kilobytes.
L2 Cache Speed | Specifies the clock speed of the Level 2 processor cache in megahertz.
You can create a data class, and then customize it by adding, editing, and deleting
its attributes. A data class that is customized is referred to as a custom data class.
See “Creating and customizing a data class” on page 99.
After you customize a data class, you can create a task, customize the task script,
and roll it out to the target computers.
See “Creating a custom inventory script task” on page 100.
The custom inventory script task that runs on the client computers generates a
Notification Server Event (NSE) that contains inventory for a data class. A unique
GUID identifies each data class. The inventory in the NSE is coupled with the
GUID of a data class. For Windows platforms, the NSE loads the inventory in the
data class that has the same GUID associated with it. For UNIX, Linux, and Mac
platforms, the data class name is used instead of the GUID to identify the data
class in which to store the collected inventory information.
Note: The script that gathers inventory on Windows computers contains a
reference to the GUID of a custom data class. Every time you create or edit an
existing custom data class, the data class is assigned a new GUID. You must
manually update the script with the new GUID, if it refers to the older GUID for
the same custom data class.
Gathering custom inventory
Custom inventory lets you customize the set of inventory data that is gathered
and reported to the Configuration Management Database (CMDB).
See “About gathering custom inventory” on page 96.
Table 6-3 Process for gathering custom inventory
Step | Action | Description
Step 1 | Prepare managed computers for inventory. | Target computers must be managed and have the Inventory Plug-in installed.
Step 2 | Create a custom data class. | Create a custom data class from the data class manager user interface. After you create a custom data class, you can add, edit, and delete its attributes. See “Creating and customizing a data class” on page 99.
Step 3 | Create a task with scripting logic and schedule it to run on the target computers. | You can create a new task or clone an existing sample task. To gather the inventory you want, you can use the script that is included in the sample task or you can create your own logic. Depending on the platform, you can write the logic in JavaScript, shell script, or other scripting languages. See “Creating a custom inventory script task” on page 100.
Step 4 | View custom inventory results. | Use the Resource Manager to view the gathered custom inventory data for a data class.
Creating and customizing a data class
This task is a part of the process for manually migrating your custom inventory
script files.
From the Symantec Management Console, you can create a custom data class.
You can add, edit, and delete attributes of the data class and you can change the
position of the attribute. You can also find the GUID and view the data in the data
class.
Be aware that every time you modify an attribute and you save the changes, the
data class is assigned a new GUID.
See “About custom inventory data classes” on page 97.
See “About gathering custom inventory” on page 96.
This task is a step in the process for gathering custom inventory.
See “Gathering custom inventory” on page 98.
For more information, see the topics about custom inventory data classes and
about gathering custom inventory in the Inventory Solution User Guide.
To create and customize a data class
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, under Settings, expand Discovery and Inventory > Inventory
Solution, and then click Manage Custom Data classes.
3
To create a data class, do the following:
■
On the Manage Custom Data Classes page, click New data class.
■
On the New Data Class page, enter a name and a description for the data
class and click OK.
The name of the new data class must be unique.
4
To customize a data class, on the Manage Custom Data Classes page, in the
data classes list, click the data class.
You customize the data class by adding, editing, and deleting its attributes.
5
(Optional) To add an attribute to the data class, do the following:
■
Click Add attribute.
■
In the Data Class Attributes dialog box, specify the details of the attribute.
To add an attribute that uniquely defines a row in the data class, in the
Key drop-down list, click Yes. You enforce that the attribute always has
a unique value that is other than NULL.
To add an attribute that should never be empty or blank, in the Data
required drop-down list, click Yes.
If in the Key drop-down list, you click Yes, the Data required option is
automatically set to Yes. You cannot change it unless in the Key drop-down
list, you click No.
■
Click OK.
6
(Optional) To edit or delete the attributes, select the attribute, and then click
the Edit or Delete symbols.
7
(Optional) To let the data class store inventory of multiple objects, on the
Manage Custom Data Classes page, check Allow multiple rows from a single
computer resource. The data class can store the inventory of services, user
accounts, files, network cards, and other objects.
8
(Optional) To specify the sequence of the attributes, on the Manage Custom
Data Classes page, click the attribute, whose position you want to change,
and then click the up arrow or down arrow.
When you report inventory values for the columns in a Notification Server
Event (NSE), the attributes are identified by the column ID and not by the
column name. As a result, the order of attributes in a data class must be
correct.
9
Click Save changes.
Warning: The final step of saving changes is very important. When you create
any data class or add any attributes, all the information is stored in memory.
Nothing is created in the database, and on the details page no GUID is assigned
yet. As a result, a 00000000-0000-0000-0000-000000000000 GUID is displayed
in the property of the data class. The data class is saved in the database and
the GUID is generated only after you click Save changes on the Manage Custom
Data Classes page. Note that the GUID changes every time you make
changes to the definition of the data class and save it.
10 (Optional) Copy and paste the GUID of the data class that you created for
further use.
Creating a custom inventory script task
This task is a part of the process for manually migrating your custom inventory
script files.
After you have created the custom inventory data class, you create a custom
inventory script task that gathers the custom inventory. The script task is
configured with the script to gather the custom inventory and the schedule of the
task.
See “Creating and customizing a data class” on page 99.
To create a custom inventory script task, you can clone a sample script task and
modify it with the custom data classes that you created. You can also create and
configure a custom inventory script task on the Jobs and Tasks portal page.
When you customize your custom inventory script, you can benefit from different
options that let you easily insert a token to the script and create or edit tokens
for use in the script.
For more information, see the topics about the Run script task page and the
Tokens page in the Symantec Management Platform User Guide.
Note: The process of creating a custom inventory script task is the same across
all platforms: Windows, UNIX, Linux, and Mac. However, the scripting language
and the logic that is used in the scripts are different.
For more information, see the topics about running a task and about task advanced
options in the Symantec Management Platform User Guide.
See “About gathering custom inventory” on page 96.
This task is a step in the process for gathering custom inventory.
See “Gathering custom inventory” on page 98.
For more information, see the topics about gathering custom inventory in the
Inventory Solution User Guide.
To clone a sample custom inventory script task
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, under Jobs and Tasks, expand Samples > Discovery and
Inventory > Inventory samples > Custom.
3
Right-click the sample custom inventory script task and click Clone.
4
In the Clone dialog box, give the cloned script a descriptive name and click
OK.
5
(Optional) Customize the sample script, and then click Save changes.
Depending on the selected script type, you have different options to customize
the sample script.
See “Customizing the custom inventory sample script for UNIX, Linux, and
Mac” on page 103.
6
Under Task Status, do one of the following:
■
To schedule the task to run on client computers, click New Schedule.
■
To perform a quick run of the task on client computers, click Quick Run.
7
Click Save changes.
To create a custom inventory script task
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, navigate to the folder where you want to create a custom
inventory script task, right-click the folder, and then click New > Task.
For example, to create the task in the Jobs and Tasks folder, right-click Jobs
and Tasks, and then click New > Task.
To create the task in the Inventory folder, expand Jobs and Tasks > System
Jobs and Tasks > Discovery and Inventory, right-click Inventory, and then
click New > Task.
3
In the Create New Task dialog box, in the left pane, click Run Script.
4
In the right pane, enter a descriptive name for the task.
5
In the Script type drop-down list, select the script type.
6
Enter your own script or copy a sample custom inventory script to the script
editor.
To easily insert a token to your custom inventory script, do the following:
■
In the Insert token drop-down list, select the token that you want to insert.
■
Click Insert.
To access a sample custom inventory script, do the following:
■
In the Symantec Management Console, on the Manage menu, click Jobs
and Tasks.
■
In the left pane, under Jobs and Tasks, expand Samples > Discovery and
Inventory > Inventory samples > Custom.
7
(Optional) In the Create New Task dialog box, in the script editor, customize
the copied sample script or your own script.
Depending on the selected script type, you have different options to customize
the script.
See “Customizing the custom inventory sample script for UNIX, Linux, and
Mac” on page 103.
8
(Optional) To configure the advanced options for running the custom
inventory script task, do the following:
■
Click Advanced, and on the Script tab, specify the user account that the
task runs in and other script options.
■
In the Task options tab, specify the settings for running the script task
simultaneously with other tasks and the maximum possible length of the
script task.
■
Click OK.
9
In the Create New Task dialog box, click OK.
10 On the Run Script page, under Task Status, do one of the following:
■
To schedule the task to run on client computers, click New Schedule.
■
To perform a quick run of the task on client computers, click Quick Run.
11 Click Save changes.
Customizing the custom inventory sample script for UNIX, Linux, and Mac
(UNIX, Linux, and Mac only)
This task is a part of the process for manually migrating your custom inventory
script files.
The custom inventory script for UNIX, Linux, and Mac generates a text output
that contains the collected inventory data in a specified format. This data is used
to create the NSE and is posted into the Configuration Management Database
(CMDB). The logic of creating the NSE and posting the data is hidden from the
user.
When you customize the sample script, you can modify the output that the script
generates.
See “Creating a custom inventory script task” on page 100.
See “Gathering custom inventory” on page 98.
For more information, see the topics about gathering custom inventory in the
Inventory Solution User Guide.
To customize the custom inventory sample script for UNIX, Linux, and Mac
1
Clone or open an existing sample of the custom inventory script task.
Note that the first lines of the script should not be changed. Changes should
be made after the # SCRIPT_BEGINS_HERE label.
2
Specify the data class.
Example:
echo UNIX_PS_List
3
Specify the delimiters.
Example:
echo "Delimiters=\" \" "
4
Specify the data type and the length of each column.
Example:
echo string20 string20 string20 string256
5
Specify the column names.
Example:
echo PID Terminal Time Command
Note that the column names are not used in 7.x custom inventory. The column
names are left for backward compatibility with 6.x Inventory Solution. You
can leave this line empty in 7.x but keep the echo command intact.
Example:
echo
6
Specify the commands that retrieve data from the system.
Example:
ps -e
7
Click Save changes.
Custom inventory sample script for UNIX, Linux, and Mac
(UNIX, Linux, and Mac only)
The sample inventory script for UNIX, Linux, and Mac does the following:
■
Includes a helper script that implements the logic of creating NSE and posting
it to Configuration Management Database (CMDB).
■
Specifies the data class.
■
Specifies delimiters for use in parsing the data that is returned from the
command that runs.
■
Specifies the data type and length of each column.
■
Specifies the column names. The column names are only required when the
command that runs does not already include column headings.
■
Runs the desired command. In this case, appropriate platform-specific
commands run.
See “Customizing the custom inventory sample script for UNIX, Linux, and Mac”
on page 103.
The following is a sample script:
. `aex-helper info path -s INVENTORY`/lib/helpers/custominv_inc.sh
#
# Sample script for custom inventory
# The first line of code should be always included at the beginning of the script
# Actual script for collecting inventory data begins after the following label:
# SCRIPT_BEGINS_HERE
#!/bin/sh
echo UNIX_PS_List
echo "Delimiters=\" \" "
echo string20 string20 string20 string256
echo PID Terminal Time Command
if [ "`uname -s`" = "Darwin" ] ; then
ps -ax | sed -e "1d" | awk '{print $1 " " $2 " " $4 " " $5 " " }'
else
ps -e | sed -e "1d" | awk '{print $1 " " $2 " " $3 " " $4 " " }'
fi
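The same output format can carry other data. The following body is an added example, not one of the Symantec samples: it reports local accounts from a passwd-format file and keeps every row at exactly four space-delimited values, because attributes are matched to columns by position. UNIX_Local_Accounts is a hypothetical data class name, and the function names and the "_" and "-" substitutions are assumptions of this example.

```shell
#!/bin/sh
# Added example: custom inventory body that reports local accounts.
# In a Run Script task this body goes after the "# SCRIPT_BEGINS_HERE" label of
# the cloned sample; the helper include on the sample's first line stays as is.
# Assumption: UNIX_Local_Accounts is a hypothetical custom data class, created
# in the console beforehand with four attributes in exactly this order.

DATA_CLASS="UNIX_Local_Accounts"

# emit_rows FILE: print "name uid gid shell" for each well-formed passwd entry.
# Rows are space-delimited, so every row must carry exactly four non-empty
# values: embedded blanks become "_" and an empty shell becomes "-".
emit_rows() {
    awk -F: '
        /^[ \t]*#/ || NF != 7 { next }                 # comment or malformed
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { next }  # UID and GID are numeric
        {
            name = $1
            shell = $7
            gsub(/[ \t]+/, "_", name)
            gsub(/[ \t]+/, "_", shell)
            if (name == "") next
            if (shell == "") shell = "-"
            print name " " $3 " " $4 " " shell
        }' "$1"
}

# emit_inventory FILE: header lines in the order the sample script uses them,
# followed by the data rows.
emit_inventory() {
    echo "$DATA_CLASS"
    echo "Delimiters=\" \" "
    echo string256 string20 string20 string256
    echo Name UID GID Shell
    emit_rows "$1"
}

# Stand-alone run against the local account database.
if [ -r /etc/passwd ]; then
    emit_inventory /etc/passwd
fi
```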
About gathering agentless inventory
You can gather agentless inventory data of discovered SNMP network devices
such as computers, network printers, network-attached storage devices, and
network backup devices. The inventory is performed by running agentless tasks
on discovered devices and reporting the data to Notification Server. The discovery
data is stored in the CMDB. You configure the automated tasks that are scheduled
to run at regular intervals to keep your inventory data current.
When you configure agentless inventory tasks, you specify the following:
■
Which devices to inventory
■
Which network protocols to use to communicate with devices (connection
profile)
■
When to run the task
You can configure multiple tasks to meet your needs.
For example, you can create the tasks that are based on the following questions:
■
Which devices you want to inventory
■
How often you want to run the inventory tasks
You can create and configure agentless inventory tasks in the following ways:
Using the Agentless Inventory wizard. | The wizard guides you through the creation and configuration of agentless inventory tasks. You can later edit the advanced settings and schedules of a task on the task page. See “Creating agentless inventory tasks using the wizard” on page 108.
Manually creating a task. | You can manually create tasks from the Agentless Inventory Tasks Web Part. This option lets you configure more advanced settings and schedules. See “Manually creating, scheduling, modifying, and stopping agentless inventory tasks” on page 109.
You can only gather inventory of the SNMP-enabled devices on your network that
are already discovered. Use the Network Discovery task to discover your network
devices and create resources for them in the CMDB. Make sure that the connection
profile of the Network Discovery task has the SNMP turned on.
See “About Network Discovery” on page 84.
For more information, see topics about Network Discovery in the Symantec
Management Platform User Guide.
Agentless inventory tasks use connection profiles to manage the protocols that
are used to communicate with network devices. Connection profiles are
components of the Symantec Management Platform. When a device is discovered,
a resource for that device is created in the CMDB. The resource keeps a record of
the protocols that were used to communicate with the device. When you use
agentless inventory tasks, you do not specify a connection profile or protocols.
Agentless inventory tasks use the same protocols that were enabled when the
device was discovered.
For more information, see the topics about resource discovery and using
connection profiles in the Symantec Management Platform User Guide.
Gathering agentless inventory
You can gather agentless inventory data of discovered SNMP-enabled network
devices and enter that data in the CMDB.
See “About gathering agentless inventory” on page 106.
Table 6-4 Process for gathering inventory of network devices
Step | Action | Description
Step 1 | Discover network devices. | You can gather inventory only of the devices that are already discovered. For more information, see the topics about Network Discovery in the Symantec Management Platform User Guide. See “Discovering UNIX and Linux computers” on page 85.
Step 2 | Create agentless inventory tasks. | You create and schedule tasks to collect inventory. You can use two methods for creating tasks: using the Inventory wizard and creating tasks manually. See “Creating agentless inventory tasks using the wizard” on page 108. See “Manually creating, scheduling, modifying, and stopping agentless inventory tasks” on page 109.
Step 3 | View agentless inventory data. | You can view the status of agentless inventory tasks and discovery results. See “Viewing agentless inventory results” on page 111.
Creating agentless inventory tasks using the wizard
The wizard guides you through the process of creating agentless inventory tasks
and configuring basic settings. You can later edit the advanced settings and
schedules of the tasks on the task page.
This task is a step in the process for gathering agentless inventory.
To create agentless inventory tasks using the agentless inventory wizard
1
In the Symantec Management Console, on the Home menu, click Discovery
and Inventory > Agentless Inventory.
2
In the Agentless Inventory Quick Start, click Run inventory wizard.
3
To inventory a group of devices, in the wizard, perform the following steps
in order:
■
Click Choose devices, and then in the drop-down list, click the group of
target devices that you want to inventory.
You use the Organizational views feature of Notification Server to filter
the target devices you want to inventory. You can use pre-existing filters
or create your own. For example, you can use filters to target devices in
a certain location or department. You can also filter by a certain asset or
network resource type. For a default filter, you can select Default > All
Resources > Asset > Network Resource.
For more information, see topics about using filters and organizational
views in the Symantec Management Platform User Guide.
■
Under Include Device Types, check the check box that corresponds to
the type of devices you want to inventory.
To inventory an individual device, in the wizard, click Individual device, and
then in the drop-down list, click the device that you want to inventory.
This list includes all SNMP-enabled devices that have been previously
discovered and have resources in the CMDB.
4
Click Next.
5
Name the task, and then click Next.
6
Schedule the task.
7
Click Finish.
8
To view the created task, do one of the following:
■
View the lists of tasks on the Agentless Inventory Home page, under
Agentless Inventory Tasks.
To view the newly created task, you may need to click the Refresh symbol.
■
Click Manage > Jobs and Tasks > System Jobs and Tasks > Discovery and
Inventory.
Manually creating, scheduling, modifying, and stopping agentless inventory tasks
You can manually create, modify, and stop agentless inventory tasks on the
Agentless Inventory Home page.
See “About gathering agentless inventory” on page 106.
This task is a step in the process for gathering agentless inventory.
To manually create agentless inventory tasks
1
In the Symantec Management Console, on the Home menu, click Discovery
and Inventory > Agentless Inventory.
2
In the Agentless Inventory Tasks Web part, on the Available Tasks tab, click
New.
3
In the New Agentless Inventory Task dialog box, give the task a descriptive
name.
4
To inventory a group of devices, perform the following steps in order:
■
Click Group of Devices, and then in the drop-down list next to Group of
Devices, click the group of target devices you want to inventory.
You use the Organizational views feature of Notification Server to filter
the target devices you want to inventory. You can use pre-existing filters
or create your own. For example, you can use filters to target devices in
a certain location or department. You can also filter by a certain asset or
network resource type. For a default filter, you can click Default > All
Resources > Asset > Network Resource.
For more information, see the topics about using filters and organizational
views in the Symantec Management Platform User Guide.
■
Under Group of Devices, check the check box that corresponds to the
type of devices you want to inventory.
To inventory an individual device, click Individual device, and then in the
drop-down list, click the device that you want to inventory.
This list includes all SNMP-enabled devices that have been previously
discovered and have resources in the CMDB.
5
(Optional) Check the checkbox to turn on and configure the option to only
inventory the devices that were not inventoried in the specified period of
time.
6
(Optional) Click Advanced, configure the maximum number of threads per
inventory task, and then click OK.
During the inventory process, a separate thread is used for each device. You
can increase or decrease this number. This number is based on the amount
of traffic you want this task to generate or on the capacity of your Notification
Server. For example, if you run the task during the night and are not concerned
about network traffic, you can increase this number. This method lets you
gather inventory from many devices. If you are concerned about the
processing load on your server, you may want to decrease this number.
7
Click OK.
To schedule agentless inventory tasks
1
In the Agentless Inventory Tasks Web part, on the Available Tasks tab, click
the task that you want to schedule, and then click Schedule.
2
In the New Schedule dialog box, click the option Now or Schedule, and then
click Schedule.
To modify agentless inventory tasks
1
In the Agentless Inventory Tasks Web part, on the Available Tasks tab,
right-click the task that you want to modify.
2
In the dialog box, modify the task and click OK.
To stop agentless inventory tasks
1
In the Agentless Inventory Tasks Web part, click Tasks Run.
To view newly created tasks, you may need to click the Refresh symbol.
2
Click the task that you want to stop, and then click Stop.
Viewing agentless inventory results
After an agentless inventory has been performed, the data about the devices is
stored in the CMDB.
You can view discovered devices in the Resource Manager to see the results of
your agentless inventory and the additional details about the devices.
For more information, see the topics about Resource Manager in the Symantec
Management Platform User Guide.
The Agentless Inventory Home page presents a data summary of inventoried
network devices. On this page you can also see the status of agentless inventory
tasks.
This task is a step in the process for gathering agentless inventory.
To view agentless inventory data in the Resource Manager
1
In the Symantec Management Console, on the Manage menu, click Resource.
2
Click the resource that you want to view, and then click OK.
To view agentless inventory data on the Agentless Inventory Home page
1
In the Symantec Management Console, on the Home menu, click Discovery
and Inventory > Agentless Inventory.
2
On the Agentless Inventory Home page, view the Devices Inventoried By
Type (Last 30 Days) and Agentless Inventory Tasks web parts.
About gathering and viewing Apache HTTP Server inventory
Inventory Pack for Servers provides the predefined server inventory policies that
let you gather data about Apache HTTP Server 2 or higher.
See “About gathering UNIX/Linux software inventory” on page 92.
You can gather data only about the following types of Apache HTTP Servers:
■
Apache HTTP Servers that are part of an initial operating system distribution
and that are installed from a native package.
■
The first discovered Apache HTTP Server among multiple Apache HTTP Server
installations that reside in different locations on the target computer.
You can view the inventory that is gathered from Apache HTTP server in two
ways:
■
View the target computer in Notification Server's Resource Manager.
See “About Server Resource Manager Home page” on page 262.
■
Use the default server inventory policies to collect data.
See “Enabling the server inventory policy” on page 91.
Note: No information about the modules and servlets that Apache runs (such as
PHP or Tomcat) is available.
About gathering and viewing VMware ESX Virtualization inventory
Inventory Pack for Servers provides predefined server inventory policies that let
you gather data about VMware ESX 3.0.1, 3.0.2, 3.0.3, and 3.5.
You can gather a wide range of VMware ESX Virtualization inventory data. The
most convenient way to see this data is to view the following inventory reports:
■
The Guest-Host Mapping report at Reports > Discovery and Inventory >
Inventory > Server > Server Virtualization > ESX > Guest-Host Mapping.
■
The Host-Virtual Machine Configuration report at Reports > Discovery and
Inventory > Inventory > Server > Server Virtualization > ESX > Host-Virtual
Machine Configuration.
You can also see VMware ESX Virtualization inventory data when you view the
target platforms in the Resource Manager.
See “About Server Resource Manager Home page” on page 262.
Gathering and viewing MySQL and Oracle Database
inventory
See “About gathering UNIX/Linux software inventory” on page 92.
To obtain all possible MySQL or Oracle Database information, your environment
must meet the following requirements:
■
Database services and instances are up and running.
■
You specify valid credentials for the inventory process to be able to log in and
retrieve “internal” info.
When you specify multiple credential sets, multiple Oracle Database instances
can be detected and their configuration reported. Multiple credential sets are also
the best way to ensure proper database logon when a user is not sure which
credentials are the right ones.
To view database-related information in the Symantec Management Console
1
Navigate to Reports > All Reports > Discovery and Inventory > Inventory
> Server > Database Servers.
2
View the following reports:
■
In the MySQL folder, the Servers running MySQL Database Server report.
■
In the Oracle folder, the reports Oracle Databases mounted to Oracle
Instance and Servers running Oracle Database Server.
3
Alternatively, you can view reports in Resource Manager.
Chapter 7
Patch Management for Linux
This chapter includes the following topics:
■
About Patch Management Solution for Linux
■
Implementing Patch Management Solution for Linux
■
System requirements for Patch Management Solution
■
Platforms supported by Patch Management Solution for Linux
■
About installing Patch Management Solution
■
About uninstalling Patch Management Solution
■
About the software update plug-in
■
Installing the software update plug-in
■
Configuring software updates download location
■
Creating and assigning custom severity levels
■
Configuring Linux remediation settings
■
Configuring software updates installation settings
■
Configuring the system assessment scan interval
■
Linux patch remediation settings pages
■
Default Software Update Plug-in Settings page
■
Run System Assessment Scan on Linux Computers task
■
About Patch Management Solution server tasks
■
Downloading the software updates catalog
■
Import Patch Data for Novell and Import Patch Data for Red Hat pages
■
About errata and patches
■
About downloading and distributing software updates
■
Downloading software updates
■
Downloading and distributing software updates
■
Viewing the software update delivery summary report
About Patch Management Solution for Linux
Patch Management Solution for Linux ensures that your Red Hat Linux and SUSE
Linux computers have the most up-to-date patches applied and are protected against
security threats. The solution lets you inventory the managed Linux computers
for security vulnerabilities and then reports on the findings. It provides you with
the tools that let you download and distribute the needed software updates. Patch
Management Solution for Linux lets you set up an automatic update schedule to
ensure that managed computers are up-to-date and protected on an on-going
basis.
See “Platforms supported by Patch Management Solution for Linux” on page 118.
See “Implementing Patch Management Solution for Linux” on page 116.
Implementing Patch Management Solution for Linux
Patch Management Solution for Linux requires some components to be configured
or enabled before others to function correctly. The recommended workflow is as
follows:
See “About Patch Management Solution for Linux” on page 116.
Table 7-1 Process for implementing Patch Management Solution for Linux
Step | Action | Description
Step 1 | Install or upgrade the solution. | Use Symantec Installation Manager to install the solution. See “About installing Patch Management Solution” on page 119.
Step 2 | Install or upgrade the Symantec Management Agent. | Install or upgrade the Symantec Management Agent for UNIX, Linux, and Mac on every computer to which you want to send patches. For more information, see topics about installing or upgrading the Symantec Management Agent in the Symantec Management Platform User Guide.
Step 3 | Install or upgrade the software update plug-in. | Install the plug-in that manages all of the Patch Management Solution for Linux functionality on a client computer. See “Installing the software update plug-in” on page 120.
Step 4 | Configure the Patch Management Solution core settings. | (Optional) Configure the software update files storage location settings. See “Configuring software updates download location” on page 121.
Step 5 | Type the credentials. | Type the Novell Mirror Credentials and Red Hat Network account credentials. See “Configuring Linux remediation settings” on page 122.
Step 6 | Configure the software updates installation settings. | Configure when you want to perform software update installation. See “Configuring software updates installation settings” on page 123.
Step 7 | Configure the system assessment scan interval. | Configure when to run the system assessment scan, which inventories managed computers for the software updates that they require. See “Configuring the system assessment scan interval ” on page 123.
Step 8 | Download the Linux software updates metadata. | Download the Novell announcements and Red Hat errata metadata. Configure the metadata update schedule. See “Downloading the software updates catalog” on page 128.
Table 7-2 Process for installing software updates
Step | Action | Description
Step 1 | Review and distribute available software updates. | View which software errata or announcements you need to install, then download updates and create software update policies. See “Downloading software updates” on page 133. See “Downloading and distributing software updates” on page 135.
Step 2 | Evaluate the results. | Evaluate the results by running the Software Update Delivery Summary report and revisiting compliance reports. See “Viewing the software update delivery summary report” on page 136.
System requirements for Patch Management Solution
Patch Management Solution requires the following:
■
Symantec Management Platform 7.1 SP2
For details on Symantec Management Platform implementation, see the IT
Management Suite 7.1 SP2 Planning and Implementation Guide at the following
URL:
http://www.symantec.com/docs/DOC4827
When you install or upgrade Patch Management Solution through the Symantec
Installation Manager, Symantec Management Platform is installed automatically.
See “About installing Patch Management Solution” on page 119.
Platforms supported by Patch Management Solution
for Linux
The Patch Management Solution for Linux component of Patch Management
Solution supports the following operating systems:
■
SUSE Linux Enterprise Server 10, 10 SP1-SP4, x86, x86_64
■
SUSE Linux Enterprise Server 11, 11 SP1, x86, x86_64
■
SUSE Linux Enterprise Desktop 10, 10 SP1-SP4, x86, x86_64
■
SUSE Linux Enterprise Desktop 11, 11 SP1, x86, x86_64
■
Red Hat Enterprise Linux AS/WS/ES 4 x86, x86_64
■
Red Hat Enterprise Linux Server/Desktop 5 x86, x86_64
■
Red Hat Enterprise Linux Server/Workstation/Client 6.0, 6.1, x86, x86_64
See “About Patch Management Solution for Linux” on page 116.
About installing Patch Management Solution
Starting from version 7.1, the Patch Management Solution installation includes
the following components:
■
Patch Management Solution for Windows
■
Patch Management Solution for Linux
■
Patch Management Solution for Mac
You install this product by using the Symantec Installation Manager. You can
download the installation files directly to your server or you can create offline
installation packages.
For details on Symantec Management Platform implementation, see the IT
Management Suite 7.1 SP2 Planning and Implementation Guide at the following
URL:
http://www.symantec.com/docs/DOC4827
See “About Patch Management Solution for Linux” on page 116.
About uninstalling Patch Management Solution
Use the Symantec Installation Manager to uninstall this product.
See “About Patch Management Solution for Linux” on page 116.
About the software update plug-in
The software update plug-in manages all of the Patch Management Solution for
Windows functionality on a client computer. When the system assessment scan
tool reports to Notification Server that a certain software update is required for
a managed computer, the update is then sent to the software update plug-in. The
software update plug-in ensures that the update is applicable and not already
installed, and then installs it.
After you install the software update plug-in on a managed computer, the Software
Updates tab appears in the Symantec Management Agent user interface. This tab
displays the status of software updates for that computer. To open the Symantec
Management Agent user interface, click the Symantec Management Agent icon
in the system tray of the managed computer.
The software update plug-in manages patch management functionality on a client
computer. When a client computer requires a certain software update, the update
is sent from the Notification Server computer to the software update plug-in. The
software update plug-in ensures that the update is applicable and not already
installed, and then installs it.
See “Installing the software update plug-in” on page 120.
Installing the software update plug-in
The software update plug-in manages all of the Patch Management Solution
functionality on a client computer.
See “About the software update plug-in” on page 119.
Note: If you have a large number of computers on which to install the software
update plug-in, consider deploying it during off-peak hours to minimize network
traffic. Deploying the software update plug-in can take some time, depending on
the number of managed computers and the Symantec Management Agent settings.
See “Implementing Patch Management Solution for Linux” on page 116.
To install the software update plug-in
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Rollout Agents/Plug-ins.
2
In the left pane, click Software > Patch Management > Software Update
Plug-in Install.
3
(Optional) In the right pane, make any wanted changes.
For help, press F1 or click Help > Context.
4
Turn on the policy.
5
Click Save changes.
Configuring software updates download location
On the Core Services page you can configure to which location the software
updates should be downloaded. You can also create custom severity levels that
you can later apply to software updates.
The settings that you configure on the Core Services page apply to Windows and
Linux components of Patch Management Solution.
See “About Patch Management Solution for Linux” on page 116.
To configure patch management Core Services settings
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Software > Patch Management > Core Services.
3
In the right pane, make any wanted changes.
4
Click Save Changes.
Creating and assigning custom severity levels
A software update deemed critical may not necessarily be critical in your
environment. You can create your own custom severity levels and assign them to
software bulletins.
Errata or announcements deemed critical may not necessarily be critical in your
environment. You can create your own custom severity levels and assign them to
errata and patches.
You first create custom severity levels, and then assign them to bulletins. You
can alter custom severity levels. You cannot alter the vendor-specified severity
levels.
See “About errata and patches” on page 132.
To create a custom severity level
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Software > Patch Management > Core Services.
3
In the right pane, click the Custom Severity tab.
4
In the Severity Level box, type the name that you want to give the custom
severity level. For example, "Install right away!"
5
Click Add.
6
Click Move Up or Move Down to position custom severity levels in the list.
7
Click Save Changes.
To assign a custom severity level to a software bulletin
1
In the Symantec Management Console, on the Actions menu, click Software
> Patch Remediation Center.
2
On the Patch Remediation Center page, in the software bulletin list,
right-click a software bulletin, and then click Custom Severity.
3
Click a severity level.
4
Click Refresh to view the new data in the Custom Severity column.
Configuring Linux remediation settings
You can set up how you want Linux software updates distributed. You can configure
package distribution and program settings.
See “About errata and patches” on page 132.
See “Implementing Patch Management Solution for Linux” on page 116.
To configure remediation settings
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Software > Patch Management.
3
Do one of the following:
■
Click Novell Settings > Novell Patch Remediation Settings.
■
Click Red Hat Settings > Red Hat Patch Remediation Settings.
4
In the right pane, make any wanted changes.
See “Linux patch remediation settings pages” on page 124.
5
Click Save changes.
Configuring software updates installation settings
You can configure when the software update plug-in installs the software updates
and when to restart the target computer.
See “About the software update plug-in” on page 119.
See “Implementing Patch Management Solution for Linux” on page 116.
To configure the software updates installation settings
1
In the Symantec Management Console, on the Settings menu, click
Agents/Plug-ins > All Agents/Plug-ins.
2
In the left pane, click Software > Patch Management > Linux > Default
Software Update Plug-in Settings.
3
In the right pane, configure when and how you want to install updates.
See “Default Software Update Plug-in Settings page” on page 126.
4
Click Save changes.
Configuring the system assessment scan interval
The system assessment scan lets you periodically inventory operating systems,
applications, and installed patches on managed computers with the software
update plug-in installed. System assessment information is then used to determine
which software updates the managed computer requires. Based on this information,
filters are automatically created to assist with the targeting of software update
policies.
You can configure how often you want to run the system assessment scan.
See “Implementing Patch Management Solution for Linux” on page 116.
To configure the system assessment scan interval
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Software > Patch Management > Linux System
Assessment Scan.
3
In the right pane, under Schedule, configure how often to perform the system
assessment scan on the managed computers and report it back to Notification
Server.
4
Do not change the targeted filter from Linux Computers with Software Update
Plug-in Installed Target unless you have a specific reason to do so.
5
Click Save changes.
Linux patch remediation settings pages
The Novell Patch Remediation Settings and Red Hat Patch Remediation Settings
pages let you set up how you want Linux software updates distributed.
See “Configuring Linux remediation settings” on page 122.
Some of these settings are used as default values in the Distribute Software
Updates wizard.
All new Linux software updates that are downloaded have these package settings
and program settings by default. After you click Save changes, in a dialog box
that appears, you can choose to update existing software update policies and
packages. Note that updating existing packages can be time-consuming. If you do
not want to update existing packages at this time, you can click Save only.
See “Downloading and distributing software updates” on page 135.
Table 7-3 Options on the Software Update Options tab of the vendor settings page
Option | Description
Verify authenticity of downloaded Software Updates | Ensures that all software updates are certified. This option is checked by default.
Patch Filter Update Interval | Specifies when to update the target filters for all software updates. By default, the filter update is performed every 30 minutes.
The default Resource Target used by the Software Update Policy Wizard | Specifies the filter that is used by default when you create a new software update policy using the Distribute Software Updates wizard. The default target is Linux Computers with Software Update Plug-in Installed Target.
Table 7-4 Options on the Policy and Package Settings tab of the vendor settings page
Option | Description
Delete packages after | Lets you specify after what time to delete the software update packages that are no longer needed. Default: one week.
Assign package to | Lets you select the package distribution method. For more information on assigning packages to package servers, see the Symantec Management Platform User Guide.
Use alternate download location on Package Server | Lets you specify a different location on a package server to which to download packages. This setting accepts the following values: C:\myfolder\ or \\myserver\myshare\ or \\%computername%\myshare\ In this case, %computername% is a token that will be substituted with a package server computer name. The share must exist on the package server and be accessible with the Agent Connectivity Credentials (ACC). If these conditions are not met, the packages will be marked as invalid. If you are using Linux package servers in your environment, the Windows path that you specify is converted to UNIX paths automatically. You must use the trailing slash for the conversion to work correctly. For example, c:\path\ is converted to /path/ on Linux package servers.
Use alternate download location on client | This option is disabled for Linux computers.
Table 7-5 Options on the Programs tab of the vendor settings page
Option | Description
Terminate after | Lets you specify a time after which to terminate a running software update program. Default: two hours.
Table 7-6 Options on the Novell Customer Center tab of the vendor settings page
Option | Description
Novell mirror credentials | (Novell Patch Remediation Settings policy only) Type the Novell mirror credentials. Patch Management Solution for Linux uses these credentials to download the software updates catalog from the Novell Web site.
Table 7-7 Options on the Red Hat Network tab of the vendor settings page
Option | Description
Red Hat Network access credentials | (Red Hat Patch Remediation Settings policy only) Type the Red Hat Network credentials. Patch Management Solution for Linux uses these credentials to download the software updates catalog from the Red Hat Web site. All managed computers on the same Notification Server must use the same Red Hat Network account.
Default Software Update Plug-in Settings page
This page lets you specify settings for the software update plug-in to use when
you install software updates on managed computers.
By default, the settings that you specify on this page apply to all Linux computers
that have the software update plug-in installed.
See “About the software update plug-in” on page 119.
See “Configuring software updates installation settings” on page 123.
Table 7-8 Options on the Installation Schedules tab of the Default Software Update Plug-in Settings page
Option | Description
Schedule | Lets you configure a schedule when software updates get installed on the managed computer. If maintenance windows are specified in Notification Server configuration policies, this schedule is ignored unless you check Override maintenance windows settings.
Reinstallation attempts after task failure | Lets you set the number of times Patch Management Solution should attempt to reinstall a software update if the initial install attempt fails. Default: three times.
Allow user to run | Lets a user initiate software update installation on the target Linux computer by running the aex-patchinstall -i command.
Override maintenance windows settings | If maintenance windows are set up for Linux computers, you can install software updates only within maintenance windows. If an update is scheduled to install outside of a maintenance window, it is not installed. Check this option to override this behavior and use the install options that you specified in this policy. Uncheck to abide by the maintenance windows that are specified in Notification Server configuration policies.
Table 7-9 Options on the Notification tab of the Default Software Update Plug-in Settings page
Options | Description
Notify user | Lets you choose to send a message to the users of the computer on which a patch management task is about to run. Specify for how long the message should be displayed before a task is run. You can type a custom message: for example, “Software updates will install on your computer in 10 minutes. Please ensure that all work is saved”.
Run System Assessment Scan on Linux Computers
task
This task lets you run a system assessment scan on the target computers outside
of the normal system assessment schedule that is defined on the System
Assessment Scan Settings page.
See “Configuring the system assessment scan interval ” on page 123.
About Patch Management Solution server tasks
You must configure server tasks (previously known as background actions) to run
automatically at regular intervals.
Examples of server tasks include Import Patch Data for Novell and Import Patch
Data for Red Hat. Automated server tasks ensure that you have the latest, most
accurate data, and that your software update tasks are kept up-to-date. To
configure a task to run automatically, set a schedule for it.
The Import Patch Data for Novell and Import Patch Data for Red Hat tasks must
successfully run before you can download or distribute any software updates for
Linux computers.
These tasks download software updates catalog files and import all software
management resources from these files into the CMDB.
See “Downloading the software updates catalog” on page 128.
See “Implementing Patch Management Solution for Linux” on page 116.
Other server tasks ensure data integrity or assist in automating software update
distribution processes.
Downloading the software updates catalog
You must download the Novell and Red Hat software updates catalog (patch
management metadata, or patch management import files) before you can
distribute updates.
See “Implementing Patch Management Solution for Linux” on page 116.
The software updates catalog is downloaded from the following URLs:
■
Red Hat — http://xmlrpc.rhn.redhat.com
■
Novell — https://nu.novell.com
You need to make sure that your firewall configuration and proxy configuration
allow network communication to these URLs.
You may want to create a schedule for this task as well. This procedure ensures
that you have the latest, most accurate data, and your software update tasks are
kept up-to-date. Symantec recommends that you configure the task to run weekly.
Note: If the Altiris Log Viewer is open, close it before you perform this task. By
closing the viewer, you can improve the task’s performance by as much as 50
percent.
See “Implementing Patch Management Solution for Linux” on page 116.
To download the software updates catalog immediately
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, expand Jobs and Tasks > System Jobs and Tasks > Software
> Patch Management.
3
Click one of the following:
■
Import Patch Data for Novell
This task downloads the Novell patches metadata.
■
Import Patch Data for Red Hat
This task downloads the Red Hat errata metadata.
4
In the right pane, click Import channels.
5
When the software channels import is complete, check the channels for which
you want to download the patch management metadata.
For Red Hat, check only the base channels (operating system names) for which
you want to download the metadata. If you want, you can expand the tree
and check any additional components, such as development tools.
For Novell, checking the base channels (operating system names) selects all
of the child items in the tree for download. You can reduce the metadata
download time by unchecking unnecessary subchannels. However, Symantec
recommends that for each of the Update channels you also check the
respective Pool channel. Doing so improves dependency resolving.
6
(Optional) Make any wanted changes.
See “Import Patch Data for Novell and Import Patch Data for Red Hat pages”
on page 130.
7
Click Save changes.
8
Under Task Status, click New Schedule.
9
In the New Schedule dialog box, click Now, and then click Schedule.
To configure a schedule for downloading the software updates catalog
1
On the Import Patch Data for Novell or Import Patch Data for Red Hat page,
under Task Status, click New Schedule.
2
In the New Schedule dialog box, click Schedule, and then configure a schedule
on which to run this task.
Symantec recommends that you configure the task to run weekly.
3
Click Schedule.
Import Patch Data for Novell and Import Patch Data
for Red Hat pages
This task downloads the software update catalog files and imports all software
update resources from these files into the CMDB. These resources are necessary
for populating the Patch Remediation Center and performing the system
assessment scan on the managed computers.
This task downloads the information about the updates that are available for
download. It does not download the actual software update files.
See “Downloading the software updates catalog” on page 128.
Table 7-10 Options on the Import Patch Data page
Option | Description
Incremental Import | Check to import only the updates that have been added since the last successful import.
Automatically revise Software Update policies after importing patch data | Automatically updates software update policies with the latest data. Each download of the patch management metadata files may contain data and fixes for the software bulletins that were published earlier. By checking this option, you can use the new data to resolve any known issues with existing software bulletins.
Enable distribution of newly added Software Updates | Enables the distribution of the software updates that were added to existing software bulletins by the software vendor. If you check this option, the software updates that are added to existing software update policies will be enabled for distribution. If you do not check this option, the software updates will be added to the policy, but not enabled.
Select software channels for import | Lets you choose the operating systems and channels for which you want to import the updates catalog. When you run this task for the first time, you must click Import channels to download the list of available software channels. You should check only the operating systems that are installed on the computers that you want to manage. For Red Hat, check only the base channels (operating system names) for which you want to download the metadata. If you want, you can expand the tree and check any additional components, such as development tools. For Novell, checking the base channels (operating system names) selects all of the child items in the tree for download. You can reduce the metadata download time by unchecking unnecessary subchannels. Note that Novell has an overlap period of support for six months after a new service pack is released. After the six-month overlap period, Novell stops publishing new updates for the previous service pack. Novell recommends that you migrate to the latest service pack within this six-month period. However, the computers that have not been migrated can continue receiving updates from Patch Management Solution for Linux. To do this, select a software channel for the latest available service pack. Some updates from this channel can also be applied to the Novell systems with a lower service pack version. For more information, see the end of life announcements on the Novell Web site.
About errata and patches
Software bulletins that contain security updates for Red Hat Linux servers are
called errata. Periodically, Red Hat issues the Red Hat Security Advisories (RHSA),
Red Hat Bug Advisories (RHBA), and Red Hat Enhancement Advisories (RHEA),
which are the equivalent of Microsoft software bulletins. The advisories are either
security fixes, bug fixes, or enhancements. Each advisory contains one or more
patches (rpm packages). All the RHSAs, RHBAs, and RHEAs are available at the
following URL: https://rhn.redhat.com/errata.
Software bulletins that contain SUSE security updates for Novell Linux servers
are called patches. Novell patches for different products may be released several
times in a month.
See “About downloading and distributing software updates” on page 133.
About downloading and distributing software updates
You can download errata or patches on the Patch Remediation Center page, where
all available software updates are listed. You can also do this from any Patch
Management Solution report.
See “About errata and patches” on page 132.
When you choose to download an erratum or patch, all associated updates are
downloaded to the Notification Server computer.
You can choose to download the software update packages now but distribute
them at a later time. You also have an option to download and distribute the
software update to managed computers at once.
When the value in the Staged column of the All Software Bulletins report
changes to True, all updates for the erratum or patch have been downloaded.
See “Downloading software updates” on page 133.
To reduce workload on the Notification Server computer, Symantec recommends
that you create software update policies in monthly increments. Including a large
number of errata or patches into a software update policy can affect performance
and make managing updates difficult.
See “Downloading and distributing software updates” on page 135.
Warning: Patch Management Solution for Linux does not support the rollout of
kernel updates because the automatic restart functionality is not available. Do
not stage and distribute kernel updates.
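A pre-staging check that follows from the warning above, as an added example that is not part of the Symantec documentation or product: it classifies Red Hat advisories by their RHSA/RHBA/RHEA prefix and holds back any advisory that ships a kernel package. The advisory IDs and rpm file names are constructed sample data, and treating every package named kernel or kernel-* as a kernel update is an assumption.

```python
import re

# Advisory types named in the section above and what each one carries.
ADVISORY_TYPES = {"RHSA": "security fix", "RHBA": "bug fix", "RHEA": "enhancement"}

# Red Hat advisory IDs have the form <TYPE>-<YEAR>:<NUMBER>.
ADVISORY_ID = re.compile(r"^(RHSA|RHBA|RHEA)-\d{4}:\d{4,5}$")


def rpm_name(filename):
    """Return the package name from a name-version-release.arch.rpm file name."""
    if not filename.endswith(".rpm"):
        raise ValueError(f"not an rpm file name: {filename!r}")
    stem = filename[: -len(".rpm")]
    nvr, dot, arch = stem.rpartition(".")
    if not dot or not arch:
        raise ValueError(f"missing architecture in {filename!r}")
    # Version and release never contain '-', so split from the right.
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"cannot split name-version-release in {filename!r}")
    return parts[0]


def is_kernel_package(name):
    # Assumption: any package named "kernel" or "kernel-<something>" counts
    # as a kernel update for the purpose of the warning.
    return name == "kernel" or name.startswith("kernel-")


def plan_staging(advisories):
    """Sort advisories into stage / hold / review.

    advisories maps an advisory ID to the list of rpm file names it contains.
    Anything that cannot be parsed goes to review instead of being staged.
    """
    plan = {"stage": [], "hold": [], "review": []}
    for adv_id, files in sorted(advisories.items()):
        match = ADVISORY_ID.match(adv_id)
        if not match:
            plan["review"].append((adv_id, "unrecognized advisory ID"))
            continue
        if not files:
            plan["review"].append((adv_id, "no packages listed"))
            continue
        try:
            names = sorted({rpm_name(f) for f in files})
        except ValueError as exc:
            plan["review"].append((adv_id, str(exc)))
            continue
        kernel = [n for n in names if is_kernel_package(n)]
        if kernel:
            # One kernel package is enough to keep the whole advisory back.
            plan["hold"].append((adv_id, kernel))
        else:
            plan["stage"].append((adv_id, ADVISORY_TYPES[match.group(1)]))
    return plan


# Constructed sample data: IDs, versions and file names are illustrative only.
SAMPLE_ADVISORIES = {
    "RHSA-2012:9001": ["openssl-1.0.0-20.el6_2.1.x86_64.rpm",
                       "openssl-devel-1.0.0-20.el6_2.1.x86_64.rpm"],
    "RHSA-2012:9002": ["kernel-2.6.32-220.4.1.el6.x86_64.rpm",
                       "kernel-devel-2.6.32-220.4.1.el6.x86_64.rpm",
                       "perf-2.6.32-220.4.1.el6.x86_64.rpm"],
    "RHBA-2012:9003": ["tzdata-2011n-2.el6.noarch.rpm"],
    "RHEA-2012:9004": ["kernel-firmware-2.6.32-220.4.1.el6.noarch.rpm"],
    "RHXA-2012:9005": ["example-1.0-1.el6.noarch.rpm"],
    "RHBA-2012:9006": ["broken_file_name.rpm"],
}

if __name__ == "__main__":
    plan = plan_staging(SAMPLE_ADVISORIES)
    for adv_id, kind in plan["stage"]:
        print(f"stage   {adv_id}  ({kind})")
    for adv_id, kernel in plan["hold"]:
        print(f"hold    {adv_id}  kernel packages: {', '.join(kernel)}")
    for adv_id, reason in plan["review"]:
        print(f"review  {adv_id}  {reason}")
```

Held advisories still need to be applied through a process that can schedule the restart; the check only keeps them out of the software update policy.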
Downloading software updates
You can download an erratum or patch and its associated updates.
You can download all errata or patches. However, Symantec recommends that
you download only the errata or patches that the target computers require. On
the Patch Remediation Center page, in the compliance reports, you can view how
many computers require an update.
After the updates are downloaded, you must create a software update policy to
distribute the updates to managed computers.
See “Downloading and distributing software updates” on page 135.
When you choose to download an erratum or patch, a task is created that
downloads the software updates. You can view the status of this task to
troubleshoot the download of software updates.
See “About downloading and distributing software updates” on page 133.
See “Implementing Patch Management Solution for Linux” on page 116.
To download software updates
1. In the Symantec Management Console, on the Actions menu, click
   Software > Patch Remediation Center.
2. In the right pane, in the Show drop-down list, click Red Hat Compliance by
   Erratum or SUSE Compliance by Announcement, and then click the Refresh
   symbol.
   These reports let you see which updates the target computers require.
3. Click the errata or patches that you want to download.
   For example, click the errata or patches that have a lower number in the
   Compliance column. You can select multiple items while holding down the
   Shift or Control key.
4. Right-click the selected errata or patches, and then click Download
   packages.
   You can close the status dialog box and the download continues in the
   background.
To view the status of a software updates download
1. In the Symantec Management Console, on the Manage menu, click Jobs and
   Tasks.
2. In the left pane, expand Jobs and Tasks > System Jobs and Tasks >
   Software > Patch Management, and then click Download Software Update
   Package.
3. In the right pane, view the status of download tasks.
Downloading and distributing software updates
To deliver and install the software updates to the appropriate computers, you
must create software update policies.
The Distribute Software Updates wizard lets you create software update policies.
If the associated software updates are not yet downloaded, Patch Management
Solution creates a download task. When download is completed, the software
update policy is distributed to the target computers.
To reduce workload on the Notification Server computer, Symantec recommends
that you create software update policies in monthly increments. Including a large
number of errata or patches into a software update policy can affect performance
and make managing updates difficult.
The policies that you create are stored in the Manage > Policies > Software >
Patch Management > Software Update Policies folder. You can view the details
of the policy and change settings if necessary.
You can view the software update policies distribution results in reports.
See “Viewing the software update delivery summary report” on page 136.
Warning: Patch Management Solution for Linux does not support the rollout of
kernel updates. Do not distribute kernel updates.
See “About downloading and distributing software updates” on page 133.
See “Implementing Patch Management Solution for Linux” on page 116.
To distribute software updates
1. In the Symantec Management Console, on the Actions menu, click
   Software > Patch Remediation Center.
2. In the right pane, in the Show drop-down box, click SUSE Compliance by
   Announcement or Red Hat Compliance by Errata, and then click the Refresh
   symbol.
   These reports let you see which updates the target computers require.
3. Click the errata or patches that you want to distribute.
   For example, click the errata or patches that have a lower number in the
   Compliance column. You can select multiple items while holding down the
   Shift or Control key.
4. Right-click the selected bulletins, and then click Distribute Packages.
5. (Optional) Configure the settings as needed.
6. Click Next.
7. (Optional) On the second page of the wizard, check the updates that you
   want to distribute.
8. If you want to activate the new software update policy, turn on the policy.
   To turn on the policy, click the colored circle and then click On.
   You can also turn on the policy later.
9. Click Distribute software updates.
Viewing the software update delivery summary report
The Linux Software Update Tasks Delivery Summary report summarizes the
results of all scheduled software update policies. It tells you which computers the
software update tasks target, and if the updates have been successfully installed.
The report also tells you if any software update tasks failed, or if they have not
yet completed.
Patch Management Solution for Linux also provides other reports that you can
view.
See “Implementing Patch Management Solution for Linux” on page 116.
To view the software update delivery summary report
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, expand Software > Patch Management > Remediation Status,
   and then click Linux Software Update Tasks Delivery Summary.
3. In the right pane, leave the default settings, and then click Refresh.
Chapter 8
Software Management
This chapter includes the following topics:
■ About Software Management Solution
■ Components of Software Management Solution
■ What you can do with Software Management Solution
■ Implementing Software Management Solution
■ About the agents and plug-ins that Software Management Solution uses
■ Installing or upgrading the Software Management Solution plug-in
■ About Software Management Solution settings
■ Schedule settings for Managed Software Delivery
■ Download settings in Software Management Solution
■ Run settings in Software Management Solution
■ Results-based actions settings in Software Management Solution
■ Advanced options in Managed Software Delivery policies
■ Advanced options for tasks in Software Management Solution
■ Methods for delivering software
■ About Software Management Solution reports
■ Running a Software Management Solution report
About Software Management Solution
Software Management Solution is included in Altiris Server Management Suite
from Symantec and should already be installed and deployed on your network.
Software Management Solution provides intelligent and bandwidth-sensitive
distribution and management of software from a central Web console.
Software Management Solution also lets users directly download and install
approved software or request other software.
Software Management Solution integrates with the Software Catalog and the
Software Library that are part of the Symantec Management Platform. By
leveraging this information, Software Management Solution ensures that the
correct software gets installed and runs. This integration lets your administrators
focus on delivering the correct software instead of redefining the packages,
command lines, and so on for each delivery.
It is possible to define detection rules for UNIX, Linux, and Mac packages. However,
detection rules only work on Windows computers.
For more information, see the topics about the Software Catalog and the Software
Library in the Symantec Management Platform User Guide.
Software Management Solution combines the functionality of earlier versions of
Software Delivery Solution and Application Management Solution.
Software Management Solution supports packages for the Windows, UNIX, Linux,
and Mac operating systems. With few exceptions, all the functions in Software
Management Solution work the same for all platforms. For example, you use the
same method to create a delivery task for a Windows, UNIX, Linux, or Mac OS
package.
One exception is Software detection rules. Software detection rules work on Linux
platforms with .rpm detection. On Linux platforms, Software detection rules affect
Software Management Solution's ability to detect if software is already installed
when software is being deployed.
For a complete list of the platforms that Software Management Solution supports,
see the Software Management Solution Release Notes.
See “Components of Software Management Solution” on page 139.
See “What you can do with Software Management Solution” on page 139.
See “Implementing Software Management Solution” on page 140.
Components of Software Management Solution
The components of Software Management Solution let you deliver and manage
software on client computers.
Table 8-1 Components of Software Management Solution
Component: Software delivery tasks and policies
Description: You can use any of several methods to deliver software to client
computers. The method that you use to create the task or policy depends on
your delivery requirements.
See “Methods for delivering software” on page 152.
Component: Reports
Description: Predefined reports let you easily view and analyze your software
management data. You can also create your own custom reports.
See “About Software Management Solution reports” on page 156.
See “About Software Management Solution” on page 138.
See “What you can do with Software Management Solution” on page 139.
What you can do with Software Management Solution
Software Management Solution lets you distribute and manage the software that
is used in your organization.
Table 8-2 What you can do with Software Management Solution
Task: Configure the default settings for Managed Software Delivery policies.
Description: Configuration settings control the behavior of Managed Software
Delivery policies. Rather than configuring these settings individually for
each policy, you can configure the default settings that apply to all new
Managed Software Delivery policies. Then you can change the settings for a
specific policy only when needed.
See “About Software Management Solution settings” on page 145.
For more information about configuring the default settings, see the Altiris
Software Management Solution from Symantec User Guide.
Task: Perform an advanced software delivery.
Description: Managed Software Delivery simplifies your advanced software
deliveries by letting you deliver software as a unit, which can include
multiple software resources and their dependencies. For example, you can
create a single Managed Software Delivery policy that installs an application
and its associated patches and service packs. Managed Software Delivery can
also run any task at any stage of the delivery.
For more information about advanced software deliveries and performing an
advanced software delivery, see the Altiris Software Management Solution from
Symantec User Guide.
Task: Perform a quick delivery of a single software resource.
Description: You can perform a quick delivery of a single software resource
that runs with minimum configuration. You can use the task-based Quick
Delivery method to specify the software to deliver, the action to perform, and
the computers to which to deliver. Because the software resources and the
delivery settings are predefined, Quick Delivery makes it easy for
administrators and non-administrators to deliver software.
For more information about quick deliveries of a single software resource and
about performing a quick delivery of a single software resource, see the
Altiris Software Management Solution from Symantec User Guide.
Task: Deliver a package without defining a software resource.
Description: Package Delivery lets you quickly push out any package regardless
of whether it is associated with a software resource.
For more information about package deliveries and delivering a package without
defining a software resource, see the Altiris Software Management Solution
from Symantec User Guide.
See “About Software Management Solution” on page 138.
Implementing Software Management Solution
Before you use Software Management Solution, you must set it up and prepare it
for use.
The prerequisites for implementing Software Management Solution are as follows:
■ Symantec Management Platform and Software Management Solution must
  be installed on the Notification Server computer.
  For details, see the IT Management Suite 7.1 Planning and Implementation
  Guide at http://www.symantec.com/docs/DOC4827.
■ The Symantec Management Agent must be installed or upgraded on the
  computers that you plan to manage.
  Software Management Solution requires that target computers be managed.
  A managed computer is one on which the Symantec Management Agent is
  installed.
  The Symantec Management Agent for UNIX, Linux, and Mac must be installed
  or upgraded on the non-Windows computers that you plan to manage.
  For more information, see the topics about installing or upgrading the
  Symantec Management Agent for UNIX, Linux, and Mac in the Symantec
  Management Platform User Guide.
Table 8-3 Process for implementing Software Management Solution
Step 1
Action: Install or upgrade the Software Management Solution plug-in on managed
computers.
Description: The Software Management Solution plug-in is required for you to
deliver and manage software on client computers.
Perform this step every time that you need to install the Software Management
Solution plug-in on the client computers that do not have it.
The unified Software Management Solution Plug-in Install policy lets you
install the solution plug-in on all supported operating systems.
You may have performed this step when you installed the Symantec Management
Platform or when you added new computers to the network.
See “Installing or upgrading the Software Management Solution plug-in” on
page 143.
Step 2
Action: Configure security privileges for Software Management Solution.
Description: Administrators need the appropriate privileges to deliver and
manage the software in your organization.
You or another administrator may have already performed this step when you
configured security for the Symantec Management Platform.
For more information, see the topics about setting up security and Software
Management Solution settings in the Symantec Management Platform User Guide.
For more information about security privileges, recommended security
privileges, and system privileges, see the Altiris Software Management
Solution from Symantec User Guide.
Step 3
Action: Configure default settings for Managed Software Delivery.
Description: You can configure the settings that control the behavior of
Managed Software Delivery policies. Rather than configuring these settings
individually for each policy, you can configure the default settings that
apply to all new Managed Software Delivery policies.
For more information about configuring the default settings for managed
software delivery, see the Altiris Software Management Solution from Symantec
User Guide.
See “About Software Management Solution” on page 138.
About the agents and plug-ins that Software
Management Solution uses
Certain agents and plug-ins must be installed on the client computers to manage
and run the Software Management Solution functions.
Predefined tasks are provided to install these agents and plug-ins.
Table 8-4 Agents and plug-ins that Software Management Solution uses
Agent or plug-in: Software Management Framework agent
Description: Manages all the software delivery functions in Software
Management Solution.
Software deliveries are closely integrated with the software resources in the
Software Catalog. The Software Management Framework agent manages the package
downloads and other aspects of software delivery.
The Software Management Framework agent is installed on the client computers
when the Symantec Management Agent is installed.
For more information, see the topics about the Software Management Framework
agent in the Symantec Management Platform Help.
Agent or plug-in: Software Management Solution Plug-ins
Description: Although Software Management Solution plug-ins for Mac, UNIX, and
Linux-based platforms differ from plug-ins for Windows clients, the policies
that manage client-side installation, upgrade, and uninstallation are unified
on the console side for all platforms. A unified plug-in means that you enable
the same installation, upgrade, or uninstallation policy for managing the
Software Management plug-in on all clients. You use the same plug-in for Mac,
UNIX, and Linux clients that you use for Windows clients.
The software resources that comprise this plug-in are as follows, in
alphabetical order:
■ Software Management Plug-in for AIX
■ Software Management Plug-in for HP UX
■ Software Management Plug-in for Linux
■ Software Management Plug-in for Mac
■ Software Management Plug-in for Solaris
See “Installing or upgrading the Software Management Solution plug-in” on page 143.
Installing or upgrading the Software Management
Solution plug-in
Before you use Software Management Solution to deliver or manage software on
managed computers, you must install the Software Management Solution plug-in
on those computers.
If you upgraded from a 7.x version of Software Management Solution, you must
upgrade the Software Management Solution plug-in that is installed on the
managed computers.
Upgrade from a 6.x version of Software Management Solution plug-in is not
supported. You must upgrade the Symantec Management Agent first, and then
use the Software Management Solution Plug-in Install policy to install the plug-in.
See “About the agents and plug-ins that Software Management Solution uses”
on page 142.
For more information about upgrade and data migration, see the Symantec
Management Platform Installation Guide at the following URL:
http://www.symantec.com/docs/DOC4798
You install the Software Management Solution plug-in to Windows and
non-Windows computers using the same installation policy: Software Management
Solution Plug-in Install.
To install or upgrade the Software Management Solution plug-in
1. In the Symantec Management Console, on the Settings menu, click
   Agents/Plug-ins > All Agents/Plug-ins.
2. In the left pane, expand Software > Software Management.
3. Click one of the following policies:
   ■ Software Management Solution Plug-in Install
     Click if it is a new installation or if you upgraded from the 6.x version
     of the product.
   ■ Software Management Solution Plug-in Upgrade
     Click if you upgraded from the 7.x version of the product.
4. Check or uncheck Enable Verbose Reporting of Status Events as appropriate.
   This option records the detailed events that are related to the
   installation and posts them to the Notification Server computer.
5. Under Applied to, select where to install the agent or you can keep the
   default settings.
   For more information, see the topics about specifying the targets of a
   policy or task in the Symantec Management Platform User Guide.
6. Under Schedule, set the schedule for the policy or you can use the default
   Run once ASAP option to run the policy as soon as possible.
   Note that if you turn off and then turn on the policy, it cannot run on the
   same computer again. To run a policy on the same computer again, you must
   configure it to run on a schedule.
   For more information, see the topics about specifying a policy schedule in
   the Symantec Management Platform User Guide.
7. (Optional) Under Extra schedule options, configure other options.
8. Turn on the policy.
   At the upper right of the page, click the colored circle and then click On.
9. Click Save changes.
See “Implementing Software Management Solution” on page 140.
About Software Management Solution settings
Software Management Solution settings control the behavior of the
software-related policies and tasks. The default settings let administrators create
policies and tasks without having to enter the details that they are not familiar
with. Instead, a more experienced administrator can configure the default settings
that apply to all the new policies and tasks that are created. When necessary, the
administrator who runs the specific policies and tasks can change the settings.
Table 8-5 Sources of default settings for Software Management policies and
tasks
Policy or task: Managed Software Delivery
Source of default settings: All new managed software delivery policies inherit
the default settings that are defined on the Managed Delivery Settings page.
You can override the default settings for specific Managed Software Delivery
policies.
Changing the default settings for managed software delivery does not affect
the execution of the managed software delivery policies that were created
earlier.
For more information about configuring the default settings for managed
software delivery, see the Altiris Software Management Solution from Symantec
User Guide.
Policy or task: Package Delivery, Quick Delivery
Source of default settings: Some of the task settings are predefined. Other
settings for these tasks are obtained from the Task Management settings.
The Managed Delivery Settings pages are found in the Symantec Management
Console at the following location: Settings > All Settings > Software >
Managed Delivery Settings. Some of the settings that might benefit UNIX/Linux
users include Power on computers if necessary, settings in the User
Interaction section, and the Reporting section.
Schedule settings for Managed Software Delivery
The Schedule settings let you define the schedule on which a Managed Software
Delivery policy runs. You schedule the compliance check and the remediation
action separately.
Managed Software Delivery policies perform compliance checks and remediations.
A compliance check uses the software resource’s unique identifier to determine
the state of the software on a managed computer. If the software is not in the
correct state, the compliance check fails and remediation occurs. The nature of
the remediation depends on the action that the Managed Software Delivery policy
performs. For example, the remediation can consist of installing or uninstalling
the software.
See “About policy compliance and remediation” on page 168.
The Schedule settings appear in multiple places in the Symantec Management
Console as follows:
On the Managed Delivery Settings page
   Lets you define the default settings for all new Managed Software Delivery
   policies. You can override these settings for a specific policy.
   For more information about configuring the default settings for managed
   software delivery, see the Altiris Software Management Solution from
   Symantec User Guide.
On the Schedule delivery page that appears during the Managed Software
Delivery wizard
   Lets you change the settings for a specific policy.
   See “Creating a Managed Software Delivery policy with the Managed Software
   Delivery wizard in the enhanced console views” on page 170.
Under the Schedule section that appears when you create or edit a Managed
Software Delivery policy
   Lets you change the settings for a specific policy.
   For more information about editing a managed software delivery policy, see
   the Altiris Software Management Solution from Symantec User Guide.
For more information, see the topics on specifying a policy schedule in the
Symantec Management Platform Help.
Table 8-6 Schedule settings for Managed Software Delivery: Compliance
Option: Add Schedule
Description: Lets you add one or more schedules to the policy. You can specify
as many schedules as you need, and you can have any number of schedules active
at one time.
Option: Time zone
Description: Lets you specify the time zone to apply to the schedule.
Option: No repeat
Description: Lets you specify the interval at which to rerun the Managed
Software Delivery, if any. This option is available only when you schedule a
specific time or a specific window.
Use this option to perform recurring compliance checks and remediation
actions.
For more information about recurring software deliveries, see the Altiris
Software Management Solution from Symantec User Guide.
Option: Advanced
Description: Lets you set the options that determine the conditions under
which the check is performed and the effective dates for the policy.
Table 8-7 Schedule settings for Managed Software Delivery: Remediation
Option: Your point of entry into these settings determines what text appears,
as follows:
■ When computers are found to be out of compliance, run remediation actions
■ Choose when to remediate when compliance fails
Description: Specify when to perform any remediation action that is defined
for the Managed Software Delivery.
The options are as follows:
■ Don't run remediation
  Lets you run a Managed Software Delivery policy without performing the
  remediation. For example, you might want to perform an applicability check
  or a compliance check to determine if a certain configuration exists. A
  report of the results of the check might be all you need, or you might
  perform some action other than installing or uninstalling software.
■ Immediately
■ At next maintenance window
  Lets you delay the remediation until the next maintenance window. If a
  maintenance window is not set up for the target computer, remediation is run
  immediately.
  For more information about maintenance windows, see Symantec Management
  Platform Help.
■ Schedule
  You can run remediation at a specific time.
Download settings in Software Management Solution
The Download settings let you define how the packages and command lines are
downloaded for a policy or a task in Software Management Solution.
These settings appear in the following places:
On the Managed Delivery Settings page
   Lets you define the default settings for all new Managed Software Delivery
   policies. You can override these settings for a specific policy.
   For more information about configuring the default settings for managed
   software delivery, see the Altiris Software Management Solution from
   Symantec User Guide.
In the Advanced Options dialog box that you can access when you edit a Managed
Software Delivery policy.
   Lets you change the settings for any specific software resource that the
   policy contains. The changes that you make for a specific policy do not
   change the defaults for other policies.
   For more information about editing a managed software delivery policy, see
   the Altiris Software Management Solution from Symantec User Guide.
In a Software Management Solution task, these settings appear in the Advanced
Options dialog box, on the Download Options tab.
   Lets you change the default settings for a specific Software Management
   Solution task.
   You cannot change the default settings in a Software Virtualization task.
   For more information about advanced options for tasks, see the Altiris
   Software Management Solution from Symantec User Guide.
Table 8-8 Download settings
Option: Destination download location
Description: Lets you define the directory on the client computer in which to
place the package file. The package downloads to and runs from this location.
Options for the download location are as follows:
■ Symantec Management Agent cache
  Places the package files in the default directory for software packages. The
  default location is as follows:
  installation_path\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\package_GUID\cache
■ Location on destination computer
  Lets you override the default directory and download the package directly to
  a directory that you specify.
  This option applies to Windows computers only. On UNIX, Linux, and Mac
  computers the package files are always downloaded to the default location.
  For more information about the alternate download location for packages, see
  the Altiris Software Management Solution from Symantec User Guide.
Option: Use the default Symantec Management Agent download settings to download
Description: Lets you download and run the package with the default Download
and Execute settings that are defined in the global Symantec Management Agent
settings. These settings determine whether the package runs from the server or
on the client computer.
The Software Management Solution tasks do not support the multicasting option,
even if it is selected in the global Symantec Management Agent settings.
Option: Delete package from client computer
Description: Deletes the packages that are downloaded to the client computer
but are not used for the amount of time you select in the If unused for
drop-down list.
Run settings in Software Management Solution
The Run settings let you define how a Managed Software Delivery policy runs on
the client computer. They also let you define how much you let the user interact
with the policy.
The Run settings are arranged in sections. The appearance and location of the
sections depend on how you access the settings.
Table 8-9 Sections on the Run tab
Section: Results-based actions section
Description: The options in this section let you define the actions that occur
during or after the policy runs on the client computer.
In a Managed Software Delivery policy, the Results-based actions section
appears in the Advanced Options dialog box, on its own tab.
See “Results-based actions settings in Software Management Solution” on
page 149.
Section: Reporting section
Description: The option in this section defines the level of detail that is
logged when a policy runs on the client computer.
In a Managed Software Delivery policy, the Reporting section appears on the
Policy settings tab.
Results-based actions settings in Software Management Solution
These settings let you define the actions that occur during or after the Software
Management Solution policy runs on the client computer.
These settings appear in the following places:
On the Managed Delivery Settings page, on the Run tab.
Lets you define default settings for all new Software Management Solution
policies.
In a Managed Software Delivery policy, these settings appear in the Advanced
Options dialog box, on the Results-based actions tab.
Lets you change the settings for a specific software resource that the policy
contains. The changes that you make for a software resource in a specific policy
override the global settings.
For more information about configuring the default settings for managed software
delivery, see the Altiris Software Management Solution from Symantec User Guide.
Table 8-10
Options in the Results-based actions section or tab
Option
Description
Upon success run
Lets you define an action to occur after the policy runs successfully.
The options are as follows:
■
No action required
■
Restart computer
■
Log off user
Terminate after
Lets you define the amount of time to wait before the policy terminates if it stops
responding.
Upon failure
Defines whether the policy aborts, continues, or restarts when it fails.
When you create a Managed Software Delivery policy, this setting is the same for
each software resource and task that the policy contains. You can edit the policy to
override this setting for each software resource and task. For example, if the execution
of the first software resource fails, you can run subsequent items. Conversely, if one
execution in the sequence fails, you can abort the remaining items in the sequence.
This option applies to both the applicability check and the execution. Therefore, if
an applicability rule fails for a software resource that is set to abort upon failure,
then the policy does not continue. This failure occurs even if other applicability rules
succeeded. Also, any subsequent tasks and software resource deliveries that are in
that policy do not continue either. If you want to evaluate all rules, choose Continue.
If you choose Continue, the compliance status of the policy is not affected by
the software.
Max retries
Defines the number of times that the policy retries when it fails.
Advanced options in Managed Software Delivery policies
This dialog box lets you change the settings for the individual software resources
that are in a specific Managed Software Delivery policy. For example, you might
download this software’s package to a different location or allow the user to
interact with this software’s installation but not others.
These settings are inherited from the policy but you can change them for any and
all the software resources in the policy. The changes that you make for a specific
policy do not change the defaults for other policies.
The Advanced options dialog box appears when you edit a Managed Software
Delivery policy, select a specific software resource, and click Advanced options.
For more information about editing a managed software delivery policy, see the
Altiris Software Management Solution from Symantec User Guide.
Table 8-11
Tabs in the Advanced options dialog box
Tab
Description
Download tab
Defines how a specific software resource downloads to the client
computer.
Results-based actions tab
Defines the actions that occur during or after the policy runs on
the client computer.
See “Results-based actions settings in Software Management
Solution” on page 149.
Advanced options for tasks in Software Management Solution
This dialog box lets you change the settings that define how a specific task runs.
These settings are predefined to make task creation easier and to maintain
consistency across your organization. However, you can change the default settings
for a specific task. For example, you can run the task with different user
credentials. The changes that you make for a specific instance of a task do not
change the defaults for other instances of that task.
When you create or edit a task in Software Management Solution, the Advanced
option provides access to the task settings.
For more information about editing tasks, see the Altiris Software Management
Solution from Symantec User Guide.
Table 8-12
Tabs in the Advanced settings dialog box
Tab
Description
Download Options tab
Contains the settings that define how a specific task downloads and runs on the
client computer. The defaults for some of these settings are inherited from the
Symantec Management Agent settings.
Run Options tab
Defines how a specific software resource runs on the client computer.
The tasks that use these settings are as follows:
■
Package Delivery
For more information about package delivery, see the Altiris Software
Management Solution from Symantec User Guide.
■
Quick Delivery
For more information about quick delivery of a single software resource, see
the Altiris Software Management Solution from Symantec User Guide.
Methods for delivering software
You can deliver software to one or more managed computers by creating and
running a Software Management task or policy. The method that you use to create
the task or policy depends on your delivery requirements.
Table 8-13
Methods for delivering software
Your requirement
Delivery method
Description
Deliver software to a specific computer or to a group of computers.
Drag and drop
In Symantec Management Console under Manage > Software, you can click and drag
Deliverable software to a target. The target can be a single computer or a group
of computers that you have already defined under Manage > Computers.
In the Manage > Software window, the Installed Software subpane lists the
deliverable software packages that are on the server, including software releases
and software updates.
Deliverable software is the software that has a package or command line
associated with it. If you drag and drop the package onto a computer, the package
or command line installs the software. If software appears in this list, then it
is ready to deploy.
When you double-click a deliverable software package, the installation details
open and you can define or make changes to the installation details.
Perform a quick delivery of a single software resource.
Quick Delivery
You can use the task-based Quick Delivery method to specify the software to
deliver, the action to perform, and the computers to deliver to. Quick Delivery
uses the default task settings, which you can change when necessary.
Because of its simplicity, Quick Delivery is an ideal way for non-administrators,
such as help desk personnel, to deliver software safely and accurately.
The software that you deliver in this way must be defined as a deliverable
software resource in the Software Catalog.
For more information about quick delivery of a single software resource, see the
Altiris Software Management Solution from Symantec User Guide.
Perform one or more of the following advanced delivery actions:
■
Deliver on a recurring schedule.
■
Install software with the other software that it depends on.
■
Install a software resource that replaces other software.
■
Sequentially install multiple software and tasks.
■
Run any client task at any stage of the delivery.
A client task is one that is defined in Notification Server and is intended to
run on a client computer.
Managed Software Delivery
Managed Software Delivery is a policy-based delivery method that lets you fulfill
advanced delivery requirements. A single Managed Software Delivery policy can
perform multiple delivery actions.
The software that you deliver in this way must be defined as a deliverable
software resource in the Software Catalog.
Managed Software Delivery leverages the software resource information and the
logic that is in the Software Catalog. For example, Managed Software Delivery
uses the software resource’s dependencies, package, and detection rule.
For more information about advanced software deliveries, see the Altiris Software
Management Solution from Symantec User Guide.
Deliver software with a policy that you migrated from Software Delivery Solution
6.x.
Legacy Software Delivery
When you upgrade from Notification Server 6.x to Symantec Management Platform
7.x, you can migrate your 6.x software delivery tasks to Legacy Delivery policies.
You can continue to use those policies as they are. You can also assign their
packages to software resources to deliver a 6.x software package with Quick
Delivery or Managed Software Delivery.
For more information about legacy software deliveries, see the Altiris Software
Management Solution from Symantec User Guide.
About Software Management Solution reports
Predefined reports let you easily view and analyze your Software Management
Solution data. The reports are grouped in folders by type in the Symantec
Management Console.
See “Running a Software Management Solution report” on page 157.
You can also create your own custom reports.
For more information, see the topics about custom Notification Server reports in
the Symantec Management Platform User Guide.
By default, all the Software Management Solution reports support resource
scoping, which limits the data that users can access based on their security roles.
The Software Management Solution reports use the scoping feature as follows:
■
When a user runs a report, the report contains only the data that the user has
permissions for.
■
When a user saves a snapshot of a report, the snapshot is scoped according to
that user’s permissions. The users who have a lower security role than the
original user cannot view the snapshot. The users who have a higher security
role than the original user can see only the data that the original user was
allowed to access.
■
You can clone a report and edit the clone’s SQL query to customize how the
data is scoped when it is extracted for that report. You can also include scoping
information when you create an SQL query for a custom report.
■
You can clone a report and edit the clone to select the fields that are scoped
when data is extracted from that report’s snapshots.
For more information, see the topics about configuring the scoping fields in a
report and about defining an SQL query in the Symantec Management Platform
User Guide.
Table 8-14
Types of predefined reports in Software Management Solution
Report type and folder
Description
6.0 Legacy Reports
Contains the reports that appeared in Software Delivery
Solution 6.x. This folder does not contain any custom reports
that were defined in 6.0.
The Legacy Reports can contain data from Software
Management Solution 7.x as appropriate. They can also
contain any data that you might have migrated from
Software Delivery Solution 6.x.
Compliance
Contains the reports that display information about the
compliance actions and the remediation actions that
Managed Software Delivery performs.
Delivery
Contains the reports that display information about the
status of the software downloads and executions.
If you migrated software delivery data from Software
Delivery Solution 6.x, the new delivery reports contain data
from both 6.x and 7.x.
Portal
Contains the reports that display the status of software
requests that are made through the Software Portal.
Virtualized Software Resources
Contains the reports that display information about the
actions (events) that have been performed on the virtual
layers that are installed on client computers.
Running a Software Management Solution report
You can view reports to get information about the actions that you perform in
Software Management Solution.
For more information, see the topics about reports in the Symantec Management
Platform User Guide.
To run a Software Management Solution report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, expand Software, and then expand the folder that contains
the report that you want to run.
3
Under the folder that you expanded, click a report.
4
When the report appears in the right pane, you can print the report or save
it in a variety of formats. Other actions might be available depending on the
type of report.
See “About Software Management Solution reports” on page 156.
Chapter
9
Managed Software Delivery
This chapter includes the following topics:
■
About creating and delivering a software package
■
Creating a software delivery package
■
Delivering a software package
■
Supported packages
■
About advanced software deliveries
■
Advanced delivery actions that Managed Software Delivery can perform
■
About the execution of Managed Software Delivery policies
■
About policy compliance and remediation
■
Creating a Managed Software Delivery policy with the Managed Software
Delivery wizard in the enhanced console views
■
Select software resource page
■
Policy Rules/Actions section
■
Policy Rules/Actions: Software tab
■
Policy Rules/Actions: Policy settings tab
About creating and delivering a software package
A package can be distributed to one or more computers. Packages may contain
file updates, shell scripts, or program files. This software delivery example shows
how to create and deliver an rpm package to a Linux client.
Table 9-1
Creating and delivering a software package to a Linux client
Step
Description
Step 1
Create a software delivery package.
See “Creating a software delivery package”
on page 160.
Step 2
Deliver a software delivery package.
See “Delivering a software package”
on page 161.
See “Supported packages” on page 162.
Creating a software delivery package
This section shows how to create an Adobe Reader 9.4 Linux software package.
This is a simple package because it is stand-alone, with no required dependencies.
To create a software delivery package
1
On the Notification Server computer, create a new folder in C:\Linux and name it
Adobe Reader 9.4.
2
Copy the Adobe Reader 9.4 .rpm file into the C:\Linux\Adobe Reader 9.4
folder.
3
In the console, click Manage > Software Catalog. This launches the software
page and the Manage Software Catalog dialog.
This dialog lets you manage managed and unmanaged software. Managed
software is software that you track. Unmanaged software is software that is
discovered but not tracked.
4
In the Newly discovered/undefined software section, click Import. In the
Import Software wizard, click Add.
5
Browse to C:\Linux\Adobe Reader 9.4. Change the package name to be more
readable, such as Adobe Reader 9.4 – Linux.
Note that the .rpm file is in bold. The system bolds the file that it believes is
the installation file in the package. You can also reset the installation file by
selecting an entry and clicking Set Installation File. You can only have one
installation file set at a time per package.
6
Set the Software type to Software Release and the Source to Software
Library. Click Next.
7
On the Software Details screen, change the version of the package to 9.4.
Make sure that the Open software resource box is checked and click OK to
create the software resource and open it in the software resource editor. This
may take a few minutes.
8
In the Package editor, leave the default values in each field except Software
Product. In the Software Product field change the value to Adobe Reader 9.
9
Click Save changes to complete the software delivery package.
Note: You must save your changes before you change tabs. If you do not save
your changes before you change tabs your changes are lost.
10 Now you must set up the delivery of the software package. Click the Package
tab. The system has supplied default values for the command lines for Install,
Uninstall, and Upgrade based on the package properties. The list below shows
what each command-line option represents:
■
-i : Install
■
-h : Presents 50 hash marks as the package archive is unpacked
■
-v : Verbose reporting
■
-e : Erase
■
-U : Upgrade
11 For the software delivery package to be a silent installation, you must edit
the Install and Upgrade command lines to remove the -h and -v options.
Highlight the Install Command lines option and click the edit icon.
12 In the Command Line field, remove the -h and -v options. Click OK to save
your changes.
13 Repeat steps 11-12 with the Upgrade Command lines option.
14 Click Save changes to finish creating the software package.
See “About creating and delivering a software package” on page 159.
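An added example (not from the guide) of the edit in steps 11 to 13: a shell function that removes the -h and -v options from an rpm command line, whether they are written separately, clustered as in -ivh, or spelled --hash and --verbose, plus a check that a command line is already silent. The sample command lines and the package file name used with it are constructed placeholders.

```sh
#!/bin/sh
# Added example, not taken from the guide.
# Call it with the words of the command line as arguments, for example:
#   rpm_silent_cmdline rpm -ivh example-placeholder.rpm   (constructed sample)

# rpm_silent_cmdline ARGS...: print the command line without -h and -v.
rpm_silent_cmdline() {
    out=""
    for arg in "$@"; do
        case "$arg" in
            --hash|--verbose)
                continue ;;             # long spellings of -h and -v
            --*)
                ;;                      # any other long option is kept as is
            -?*)
                # Short options may be clustered (-ivh): delete h and v and
                # keep the remaining letters, such as i, U or e.
                flags=$(printf '%s' "${arg#-}" | tr -d 'hv')
                if [ -z "$flags" ]; then continue; fi
                arg="-$flags" ;;
        esac
        # Words that do not start with "-" (rpm itself, the package file)
        # pass through unchanged, even if the name contains h or v.
        out="${out:+$out }$arg"
    done
    printf '%s\n' "$out"
}

# rpm_cmdline_is_silent ARGS...: succeed only if nothing would be removed.
rpm_cmdline_is_silent() {
    [ "$(rpm_silent_cmdline "$@")" = "$*" ]
}
```

The words are joined with single spaces on output, so a package path that contains spaces must be quoted again before the result is pasted into the Command Line field.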
Delivering a software package
Once you have a software package created, you can deliver it to your target system.
The quickest way to deliver a software package is to use the drag-and-drop method.
This example shows you how to deliver an Adobe Reader 9.4 software package to
a Linux client.
To deliver a software package
1
On the Notification Server computer, click Manage > Computers.
2
In All Computer Views, select All Computers.
3
In the middle pane, type rhel in the Search in All Computers box. This
searches for the systems that have rhel in the computer name field. In this
example, the target Linux system should appear.
4
Drag the computer down to the Software section and hover over that section
until the software information is revealed. You may then need to hover over
the Software Releases section.
5
Drop the computer on the Adobe Reader 9.4 - Linux software package.
6
In the Deliver software dialog box, select Deliver software once using a task.
The Deliver software and keep it installed using a policy option is available
if you want to set up a policy that keeps the software installed.
7
In the New Schedule window, set the software to be delivered now and select
Schedule. This is the same scheduling interface that is used throughout the
console.
8
After you schedule the task, switch to the Linux computer that the package
was delivered to.
9
If you want to check the status of the package, open a command terminal and
execute the aex-cta list command from
/opt/Altiris/notification/ctagent/bin. At the bottom of the list, there
is an entry similar to the following:
2012-02-15 12:22:09 Running New Adobe Reader 9.4 - Linux Delivery Task
10 When the task finishes, the Adobe Reader 9 icon appears on the desktop of
the client computer. The task also shows as successful on the Linux client in
the Computers view in computer Jobs/Tasks.
See “About creating and delivering a software package” on page 159.
Supported packages
Software Management Solution supports the following native package formats
locally:
■
Linux: .RPM
■
Solaris: Solaris Native Packages
■
AIX: .BFF and .RTE
■
HP-UX: .DEPOT
Software Management Solution also supports the following archive formats on
Linux, Solaris, HPUX, and AIX platforms:
■
.BZ2
■
.GZ
■
.TGZ
■
.TAR.BZ2
■
.TAR.GZ
■
.TAR.Z
■
.Z
■
.ZIP
Linux, Solaris, HPUX, and AIX platforms support the following rule:
■
RPM-based Detection
See “About creating and delivering a software package” on page 159.
About advanced software deliveries
In many organizations, administrators spend the majority of their software
delivery time on a minority of advanced delivery activities. Managed Software
Delivery simplifies advanced software deliveries by letting you deliver software
as a unit, which can include multiple software resources as well as dependencies.
For example, you can create a single Managed Software Delivery policy that installs
an application and its associated patches and service packs. Managed Software
Delivery can also run any task at any stage of the delivery. For example, it can
run a task that performs a restart or runs a script.
Managed Software Delivery is a policy-based delivery method that lets you respond
to an assortment of advanced delivery requirements.
For more information about advanced software deliveries and performing an
advanced software delivery, see the Altiris Software Management Solution from
Symantec User Guide.
The power of Managed Software Delivery lies in the following abilities:
■
To intelligently perform the compliance checks and the remediation actions
that let you not only deliver software but also manage it.
■
To leverage the software resource information and the logic that is in the
Software Catalog such as dependencies, packages, and detection rules.
■
To conserve bandwidth by downloading packages only when they are needed.
If a client computer does not have the appropriate configuration for the
software or if the software is already installed, the package is not downloaded.
■
To perform multiple delivery actions with a single policy.
See “Advanced delivery actions that Managed Software Delivery can perform”
on page 164.
Note that the Software Catalog and detection rules only work on Windows
platforms.
For more information, see the topics about the Software Catalog in the Symantec
Management Platform User Guide.
If you need to perform a quick delivery of a single software resource, use Quick
Delivery instead of Managed Software Delivery.
For more information about quick deliveries of a single software resource and
performing a quick delivery of a single software resource, see the Altiris Software
Management Solution from Symantec User Guide.
Advanced delivery actions that Managed Software Delivery can perform
Managed Software Delivery is a policy-based delivery method that lets you respond
to an assortment of advanced delivery requirements. A single Managed Software
Delivery policy can perform multiple delivery actions.
See “About advanced software deliveries” on page 163.
Table 9-2
Advanced delivery actions that Managed Software Delivery can
perform
Delivery action
Description
Deliver software
In its simplest form, Managed Software Delivery delivers a single software resource with
its associated package and command line. It downloads the software and installs it on the
managed computer according to a defined schedule. It does not perform a compliance
check and it always considers the computer to be compliant.
Remediate software on the client computer.
Managed Software Delivery installs the software to a specific known state on the
client computer. If the state of the software is out of compliance, Managed
Software Delivery performs a remediation to restore the correct state.
Deliver software dependencies to the client computer as needed
Managed Software Delivery checks the client computer for the dependencies of a
software resource that it delivers.
When a client computer does not contain the dependency software, Managed Software
Delivery can perform either of the following actions:
■
Trigger a compliance failure and stop the delivery.
■
Perform a remediation by installing the missing dependency.
Sequentially install multiple software resources and tasks
You can deliver multiple software resources and tasks with a single Managed
Software Delivery policy. When Managed Software Delivery evaluates compliance for
a group of software, only the software that is out of compliance is downloaded
and installed. You can add any client tasks to the execution queue to perform
custom operations before, during, or after the software remediation process. For
example, you can add a task that performs a restart or runs a script. A client
task is one that is defined in Notification Server and is intended to run on a
client computer.
For more information about delivering multiple software resources, see the Altiris
Software Management Solution from Symantec User Guide.
Execute software installations offline
In a Managed Software Delivery policy, you can set different schedules for the compliance
check and the remediation (in this case, installation). The separate schedules allow for the
offline execution of the Managed Software Delivery. When the compliance check determines
that a remediation is required, the policy downloads the appropriate package. Remediation
can occur even if the client computer is not connected to the server because the client
computer already has the package that it needs.
For more information about deferring the execution of software remediation, see the
Altiris Software Management Solution from Symantec User Guide.
For more information about advanced software deliveries and performing an
advanced software delivery, see the Altiris Software Management Solution from
Symantec User Guide.
About the execution of Managed Software Delivery policies
When a Managed Software Delivery policy runs, it performs a series of tasks that
are grouped into the following phases:
■
Compliance
See Table 9-3 on page 166.
■
Remediation
See Table 9-4 on page 167.
When you schedule a Managed Software Delivery policy, you can assign different
schedules for compliance and remediation. For example, you can schedule the
compliance status to be reported during the day and the remediation to occur
only during a maintenance window.
See “About policy compliance and remediation” on page 168.
The ability to separate compliance and remediation also allows for the offline
execution of Managed Software Delivery policies. When the compliance check
determines that a remediation is required, the policy downloads the appropriate
package. Remediation can occur even if the client computer is not connected to
the server because the client computer already has the package that it needs.
Table 9-3
How the compliance phase of Managed Software Delivery works
Step
Action
Description
Step 1
Policy execution
Starts the policy’s compliance process at the scheduled time on the client
computer.
Step 2
Compliance check
Evaluates the software resource’s unique identifier or detection rule to
determine whether the software resource is installed on the client computer.
The software resource’s unique identifier is used when the software resource
is not associated with a detection rule.
The compliance check runs for each software resource in the Managed
Software Delivery policy.
This compliance check determines whether the software is in the correct
state. The correct state of a software resource can mean that it is installed
or that it is not installed.
If all the software in the Managed Software Delivery policy is in the correct
state, it is compliant. Therefore, remediation is not needed and the policy
execution stops. If any or all of the software is not in the correct state, it
is out of compliance. Therefore, remediation is required and the policy
execution continues.
Step 3
Package download
Downloads the package for each software resource or task in the Managed
Software Delivery policy that requires a package.
The package download might not be required when the remediation action
is to uninstall the software. In that case, the package download is skipped.
The Managed Software Delivery policy downloads the package as follows:
■
Download the package to the client computer.
■
Create a snapshot of the package that is on the client computer and
compare it to the snapshot on the package server.
If the package is already on the client computer because of a recurring
delivery or a delivery re-attempt, its existing snapshot is used for
comparison.
■
If the snapshots do not match, re-download the package.
A mismatch can occur when some kind of interception has corrupted
the package.
■
When the package download is successful, the compliance process is
finished and the policy is ready for the remediation process.
Table 9-4
How the remediation phase of Managed Software Delivery works
Step
Action
Description
Step 1
Compliance check
Determines whether the software is installed on the client computer.
This compliance check ensures that the software is still in the same state
as it was during the compliance process. For example, if the remediation
was scheduled to run later than the compliance process, the software might
have been installed or uninstalled in the interim.
If the remediation is still required, the process continues.
Step 2
Remediation action
Installs, uninstalls, or performs any other remediation action that the
software requires.
If the Managed Software Delivery policy contains multiple software
resources and tasks, they are executed in the order in which they appear
in the policy.
You can override the policy’s remediation settings and schedule for
individual software resources and tasks within the policy.
Step 3
Compliance check
Determines whether the software resource is installed on the client
computer.
This compliance check provides the information for reporting the results
to Notification Server.
Step 4
Report to Notification Server
The Symantec Management Agent on the client computer reports the
results of the Managed Software Delivery process to Notification Server.
You can obtain information about the results from the compliance reports
and the delivery reports in Software Management Solution.
See “Running a Software Management Solution report” on page 157.
See “About advanced software deliveries” on page 163.
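The two phases in Tables 9-3 and 9-4, as an added shell sketch that is not Symantec Management Agent code: the compliance phase downloads the package only when the software is in the wrong state and accepts the client copy only when its snapshot matches the server's, and the remediation phase re-checks the state and then works from the client copy alone. Assumptions: a snapshot is modelled as a sorted SHA-256 manifest (the guide does not describe the real snapshot format), the package server is a local directory, installed software is a marker file, and all function names, the MAX_RETRIES bound and the sample package are constructed.

```sh
#!/bin/sh
# Added illustration of Tables 9-3 and 9-4; not Symantec Management Agent code.
# Assumptions: a "snapshot" is modelled as a sorted SHA-256 manifest, the package
# server is a local directory, and installed software is a marker file under
# $CLIENT_ROOT/installed (on a real Linux client, detection could be `rpm -q`).
CLIENT_ROOT=${CLIENT_ROOT:-${TMPDIR:-/tmp}/msd-demo-client}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# snapshot_dir DIR: one "<sha256>  ./path" line per file, in a stable order.
# A missing directory yields an empty snapshot.
snapshot_dir() {
    ( cd "$1" 2>/dev/null || exit 0
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done )
}

# detect_state NAME: "installed" or "absent" (the True/False of the check).
detect_state() {
    if [ -e "$CLIENT_ROOT/installed/$1" ]; then echo installed; else echo absent; fi
}

# download_package SERVER_DIR CLIENT_DIR: replace the client copy with the server's.
download_package() {
    rm -rf "$2" && mkdir -p "$2" && cp -R "$1"/. "$2"/
}

# compliance_phase DESIRED NAME SERVER_DIR CLIENT_DIR
# DESIRED is "installed" or "absent". Prints compliant, ready or download-failed.
compliance_phase() {
    desired=$1; name=$2; server=$3; client=$4
    if [ "$(detect_state "$name")" = "$desired" ]; then
        echo compliant; return 0          # correct state: policy execution stops
    fi
    if [ "$desired" = absent ]; then
        echo ready; return 0              # uninstall: package download is skipped
    fi
    want=$(snapshot_dir "$server")
    tries=0
    while :; do
        # A copy already on the client is reused only if its snapshot matches.
        if [ -n "$want" ] && [ "$(snapshot_dir "$client")" = "$want" ]; then
            echo ready; return 0          # remediation can now run offline
        fi
        # Assumed bound: one download plus MAX_RETRIES re-downloads.
        if [ "$tries" -gt "${MAX_RETRIES:-1}" ]; then break; fi
        download_package "$server" "$client"
        tries=$((tries + 1))
    done
    echo download-failed; return 1
}

# remediation_phase DESIRED NAME CLIENT_DIR: prints no-action, remediated or failed.
# It uses only the client copy of the package and never contacts the server.
remediation_phase() {
    desired=$1; name=$2; client=$3
    # Step 1: the state may have changed since the compliance phase ran.
    if [ "$(detect_state "$name")" = "$desired" ]; then
        echo no-action; return 0
    fi
    # Step 2: the type of command line decides the action.
    mkdir -p "$CLIENT_ROOT/installed"
    if [ "$desired" = installed ]; then
        # Stand-in for the Install command line (rpm -i <package file>).
        if [ -n "$(snapshot_dir "$client")" ]; then : > "$CLIENT_ROOT/installed/$name"; fi
    else
        rm -f "$CLIENT_ROOT/installed/$name"    # stand-in for rpm -e NAME
    fi
    # Step 3: the final check supplies the result that is reported in step 4.
    if [ "$(detect_state "$name")" = "$desired" ]; then echo remediated
    else echo failed; return 1; fi
}

# demo: constructed package, corrupted client copy, then offline remediation.
demo() {
    work=$(mktemp -d) && CLIENT_ROOT=$work/client
    mkdir -p "$work/server/pkg"
    echo "constructed payload, not a real RPM" > "$work/server/pkg/example.rpm"
    compliance_phase installed example "$work/server/pkg" "$work/cache/pkg"
    echo tampered >> "$work/cache/pkg/example.rpm"
    compliance_phase installed example "$work/server/pkg" "$work/cache/pkg"
    remediation_phase installed example "$work/cache/pkg"
    rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument demo to see the sequence ready, ready, remediated: the second ready comes from a re-download that replaces the corrupted client copy.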
About policy compliance and remediation
Managed Software Delivery can intelligently perform the compliance and
remediation actions that let you not only deliver software but also manage it.
These actions ensure that you deliver the correct software to the correct computers
and that the software remains in the correct state on the computers.
See “About the execution of Managed Software Delivery policies” on page 165.
When you schedule a Managed Software Delivery policy, you can assign different
schedules for compliance and remediation. For example, you can schedule the
compliance process to occur during the day and the remediation to occur only
during a maintenance window.
The compliance process and remediation process in Managed Software Delivery
are especially effective when you schedule the policy to run on a recurring basis.
The recurring policy ensures that the software remains in the correct state on
the client computers.
Table 9-5
Compliance and remediation actions
Action
Description
Applicability
(Windows only) The applicability check determines whether the client computer has the correct
environment for an installation of the software. If the computer does not have the correct
environment, the policy execution stops.
Compliance
A compliance check uses the software resource’s unique identifier to determine whether the
software is installed on the client computer. For Windows-based software, you can define a
detection rule that contains additional information about the software and makes the detection
process even more accurate.
For more information, see the topics about detection and applicability rules in the Symantec
Management Platform User Guide.
The compliance check always checks for the presence of the software on the client computer.
The check returns True if the software is installed and False if the software is not installed.
The correct state of a software resource can mean that it is installed or that it is not installed.
A Managed Software Delivery policy is considered compliant if all the software resources that
it contains are in the correct state on the client computer. If the software is not in the correct
state, it is considered to be out of compliance.
For more information about detection and applicability rules, see the Altiris Software
Management Solution from Symantec User Guide.
Remediation
Remediation is the act of fixing any software that is out of compliance on the client computer.
The nature of the remediation depends on the command-line action that the Managed Software
Delivery policy performs. For example, an installation command runs when the compliance
check returns False, and an uninstall command runs when the compliance check returns True.
Examples of how the type of command line determines the remediation action are as follows:
■ Installation command line
You want to install Symantec AntiVirus 2008 on all managed computers that do not have
it installed. You create the Managed Software Delivery policy and select an installation
command line. When the policy runs, the compliance check determines whether Symantec
AntiVirus 2008 is installed.
If the software is installed, the check returns True. Because the correct state of the software
is to be installed, the software is considered to be compliant and the policy execution stops.
If the software is not installed, the check returns False. The software is out of compliance
and must be installed.
■ Uninstall command line
You want to ensure that Solitaire is not installed on any managed computers. You create
the Managed Software Delivery policy and select an uninstall command line. When the
policy runs, the compliance check determines whether Solitaire is installed.
If the software is installed, the check returns True. Because the correct state of the software
is to be uninstalled, the software is out of compliance and must be uninstalled. If the software
is not installed, the check returns False. The software is considered to be compliant and the
policy execution stops.
For more information about deferring the execution of software remediation, see
the Altiris Software Management Solution from Symantec User Guide.
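The compliance and remediation logic described above, modelled as an added Python example (not Symantec's code). The set-based detection check, the report layout, and the in_maintenance_window flag that stands in for the separate remediation schedule are assumptions made for illustration.

```python
"""Illustrative model of Managed Software Delivery compliance and remediation.

Not product code: the names, the set-based detection and the report shape
are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum


class CommandLine(Enum):
    INSTALL = "install"      # correct state: the software is installed
    UNINSTALL = "uninstall"  # correct state: the software is not installed


@dataclass(frozen=True)
class SoftwareResource:
    name: str                # stands in for the resource's unique identifier
    command_line: CommandLine


def compliance_check(resource, installed):
    """The check only reports presence: True if installed, False if not."""
    return resource.name in installed


def is_compliant(resource, installed):
    """A resource is compliant when presence matches the correct state."""
    detected = compliance_check(resource, installed)
    wants_installed = resource.command_line is CommandLine.INSTALL
    return detected == wants_installed


def run_policy(resources, installed, in_maintenance_window):
    """Evaluate one policy run and return (new_installed_set, report).

    Compliance is always evaluated. Remediation runs only when the
    remediation schedule allows it (modelled as in_maintenance_window).
    """
    state = set(installed)
    rows = []
    for res in resources:
        if is_compliant(res, state):
            rows.append((res.name, "compliant", "none"))
            continue
        if not in_maintenance_window:
            rows.append((res.name, "out of compliance", "deferred"))
            continue
        # Remediation: the command-line type decides the action.
        # In this model the command always succeeds.
        if res.command_line is CommandLine.INSTALL:
            state.add(res.name)
        else:
            state.discard(res.name)
        # The post-remediation compliance check feeds the report to the server.
        status = "compliant" if is_compliant(res, state) else "out of compliance"
        rows.append((res.name, status, res.command_line.value))
    policy_compliant = all(status == "compliant" for _, status, _ in rows)
    return state, {"policy_compliant": policy_compliant, "resources": rows}


def demo():
    """Three runs of one recurring policy against a constructed client state."""
    policy = [
        SoftwareResource("Symantec AntiVirus 2008", CommandLine.INSTALL),
        SoftwareResource("Solitaire", CommandLine.UNINSTALL),
    ]
    client = {"Solitaire"}  # constructed starting state of one client
    client, daytime = run_policy(policy, client, in_maintenance_window=False)
    client, window = run_policy(policy, client, in_maintenance_window=True)
    client.add("Solitaire")  # drift: the software is reinstalled later
    client, recurring = run_policy(policy, client, in_maintenance_window=False)
    return daytime, window, recurring, client


if __name__ == "__main__":
    for report in demo()[:3]:
        print(report)
```

The third run shows why a recurring schedule matters: the drift is reported as out of compliance during the day and stays unremediated until the next maintenance window.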
Creating a Managed Software Delivery policy with the Managed Software Delivery wizard in the enhanced console views
You can perform one or more advanced software delivery actions with a single
Managed Software Delivery policy. Creating a Managed Software Delivery policy
is the first step in performing an advanced software delivery.
For more information about advanced software deliveries and performing an
advanced software delivery, see the Altiris Software Management Solution from
Symantec User Guide.
The Managed Software Delivery wizard provides a quick way to create and
schedule a policy for a single software resource and its dependency software. We
recommend that you use the wizard because it can include any dependency
software and warn you of software associations.
When you create a Managed Software Delivery policy with the Managed Software
Delivery wizard, the policy is enabled automatically. If you do not want the policy
to be available to managed computers immediately, edit the policy, and disable
it. You also might edit the policy to add information about what to deliver.
For more information about editing a managed software delivery policy, see the
Altiris Software Management Solution from Symantec User Guide.
The software that you deliver in this way must be defined as a software resource
in the Software Catalog. If the software resource is not defined, contact an
administrator who can edit the Software Catalog.
You can run the Managed Software Delivery wizard from the Manage > Software
view or from other areas of the Symantec Management Console. Your point of
entry into the Managed Software Delivery wizard determines the amount of
default information that is populated.
Create the policy without the wizard if you need to perform any of the following
tasks:
■ Add multiple software resources and tasks.
■ Override the default settings.
For more information about creating a managed software delivery policy, see the
Altiris Software Management Solution from Symantec User Guide.
If you have installed IT Management Suite, Server Management Suite, Client
Management Suite, or Deployment Solution, you perform this task in the enhanced
Symantec Management Console views.
To create a Managed Software Delivery policy with the Managed Software Delivery
wizard in the enhanced console views
1 In the Symantec Management Console, on the Manage menu, click Software.
2 In the left pane, under Deliverable Software, click Software Releases.
3 Right-click a software resource and then click Actions > Managed Software
Delivery.
If the Managed Software Delivery option is not available, the software
resource does not have a package associated with it and cannot be delivered.
Click Actions > Edit Software Resource and configure the software resource.
4 In the Managed Software Delivery wizard, on the Select software page,
specify the software to deliver and other delivery options and then click Next.
5 On the Select destinations page, specify the destinations to deliver the
software to and then click Next.
For more information about the destinations for a managed software delivery
policy, see the Altiris Software Management Solution from Symantec User
Guide.
6 On the Schedule delivery page, define the schedule for running the Managed
Software Delivery and then click Next.
See “Schedule settings for Managed Software Delivery” on page 145.
7 (Optional) On the Specify dependencies and updates page, select any
dependencies, updates, or service packs that are defined for this software
resource and then click Next.
Dependencies: Check Verify dependencies and select the check box for each
dependency to include.
Updates or service packs: Select the check box for each update or each service
pack to include.
8 To complete the wizard, click Deliver Software.
Select software resource page
This page lets you specify the software to deliver and the options for its delivery.
This page appears in the Managed Software Delivery wizard.
See “Creating a Managed Software Delivery policy with the Managed Software
Delivery wizard in the enhanced console views” on page 170.
Table 9-6 Options on the Select software resource page
Option | Description
Software
Lets you select the software resource to deliver. If you started Managed Software
Delivery from the Software Catalog, the software resource that you selected in the
catalog appears.
You can use the Select software option to select a software resource if one does not
appear by default or to select a different software resource.
Command line
Lets you select the command line to run. This list contains all the command lines
that are defined for this software resource. You can select a command line other than
the default command line that appears.
A policy that contains a custom type command line does not perform an applicability
check or compliance check. Those checks are valid only when the type of action that
the command line performs is known. Currently, the applicability check and
compliance check are run with installation and uninstall command lines only.
The additional options for selecting a command line are as follows:
■ Omit the command line if the package does not require one.
For example, if the package is a Word template that is placed in a directory on the
client computer but does not require installation.
■ Edit an existing command line before you select it.
■ Create a new command line.
For more information, see the topics about adding and editing command lines in
the Symantec Management Platform User Guide.
Warning: Any additions or changes that you make to the command lines here are
applied to the software resource in the Software Catalog. Those changes affect any
other policies that use the changed command line.
Package
Lets you select a package to download if the command line requires a package. The
list contains all the packages that are associated with this software resource. The
package that is defined in the command line is the default.
You can omit the package if the command line does not require one. For example, if
the command line uninstalls a package that is already on the client computer, it can
use the package ID.
Automatically upgrade software that has been superseded by this software
Uninstalls and replaces the software that this software supersedes. Select this option
when a software upgrade requires the earlier version of the software to be uninstalled
instead of updated.
This option is available only if you meet the following conditions:
■ You select a software resource that supersedes other software
■ You select an installation command line
For this option to work, the superseded software resource must have a default uninstall
command line.
Warning: When you uninstall software from a client computer, you can break other
applications that depend on the uninstalled software.
For more information about installing software that replaces other software, see the
Altiris Software Management Solution from Symantec User Guide.
Do not install if a newer version of this software is already installed
Does not install the software if a newer version of this software is already installed
on the client computer. For example, use this option if you do not want to install
Norton AntiVirus 2008 on a computer that has Norton AntiVirus 2009.
This option is available only if you meet the following conditions:
■ You select a software resource that other software supersedes.
■ You select an installation command line.
Warning: If you try to install when a newer version is installed, and both versions
cannot coexist on the same computer, the installation fails.
For more information about installing software that replaces other software, see the
Altiris Software Management Solution from Symantec User Guide.
Install this policy’s software into a virtual layer
(Windows only) Installs Windows-based software into a virtual software layer on a
managed computer. The Symantec Workspace Virtualization Agent must be installed
on the managed computer; otherwise, the software is installed normally.
For more information about methods for virtualizing software, see the Altiris Software
Management Solution from Symantec User Guide.
Layer Name
Lets you type the name of the virtual software layer into which this software is
installed. The layer’s GUID is assigned automatically.
If you do not provide a layer name, the layer name defaults to the installation file
name plus the command-line name.
Policy Rules/Actions section
This section appears when you create or edit a Managed Software Delivery policy.
It lets you add software resources and tasks to the policy and change the settings
for the policy.
For more information about creating and editing a managed software delivery
policy, see the Altiris Software Management Solution from Symantec User Guide.
Table 9-7 Tabs in the Policy Rules/Actions section
Tab | Description
Software
Lets you define the software and tasks to deliver and set the
options for each software resource and task.
See “Policy Rules/Actions: Software tab” on page 174.
Policy settings
Lets you change the default settings for the Managed Software
Delivery policy.
See “Policy Rules/Actions: Policy settings tab” on page 176.
Policy Rules/Actions: Software tab
This tab lets you define the software to deliver. You can select a single software
resource or you can select multiple software resources and tasks to create a
sequential delivery policy. This tab also lets you set options for the individual
software resources and tasks.
This tab appears when you create or edit a Managed Software Delivery policy.
For more information about creating and editing a managed software delivery
policy, see the Altiris Software Management Solution from Symantec User Guide.
This tab contains the following sections:
Left pane
Displays the sequence of software resources and tasks that this policy
delivers. You can add software resources and tasks.
When you click a specific software resource or task, its settings appear
in the right pane.
Right pane
Lets you override the policy settings for the specific policy or task.
The settings that appear differ depending on whether you click a
software resource or a task.
Table 9-8 Options for adding software resources and tasks
Option | Description
Add
Lets you add a software resource or a task to the delivery sequence.
For more information about delivering multiple software resources, see the Altiris
Software Management Solution from Symantec User Guide.
Up and down arrow symbols
Let you arrange the sequence in which the software resources and tasks are run. Plan
the sequence before you enable the policy.
If you change the sequence after the policy runs, you trigger the following actions:
■ The policy is updated on the client computers the next time it is requested.
■ The policy’s schedule is reset so that it runs again, even if you originally scheduled
the policy to run one time only.
Table 9-9 Settings for software resources
Option | Description
Perform software compliance check using
Displays a link that indicates the software resource whose detection rule is used for
the compliance check. You can click the link to view and edit the rule.
For more information, see the topics about editing inventory rules and about detection
and applicability rules in the Symantec Management Platform User Guide.
Command line
Lets you select the command line to run. This list contains all the command lines
that are defined for the software resource that you selected. You can select a command
line other than the default command line that appears.
You can omit the command line if the package does not require one.
Package
Lets you select the package to download if the command line requires a package. The
list contains all the packages that are associated with this software resource. The
package that is defined in the command line is the default.
You can omit the package if the command line does not require one. For example, if
the command line uninstalls a package that is already on the client computer.
Advanced options
Change the settings for this software resource only. For example, you might download
this software’s package to a different location or allow the user to interact with this
software’s installation but not others.
For more information about advanced options for tasks, see the Altiris Software
Management Solution from Symantec User Guide.
Table 9-10 Settings for tasks
Option | Description
Override the policy settings for this task
Enables the remaining options in this section and lets you configure settings for
delivering this specific task.
Upon failure the Managed Delivery will
Defines whether the task aborts, continues, or restarts when it fails.
Terminate after
Lets you define the amount of time to wait before the task terminates if it stops
responding.
Max retries
Defines the number of times that the task retries when it fails.
Show Task
Opens the task editing dialog box so you can view or edit the task.
When you create a Managed Software Delivery policy, this setting is the same for
each task that the policy contains. You can edit the policy to override this setting for
each task. For example, if the execution of the first task fails, you can run subsequent
software resources and tasks. Conversely, if one execution in the sequence fails, you
can abort the remaining items in the sequence.
When you edit the task itself instead of its settings, any other instances of that task
are also changed. For example, you create a Package Delivery task to install an FTP
client and you add that task to several Managed Software Delivery policies. If you
change that task in one Managed Software Delivery policy, the change affects that
task as well as all the policies that contain it.
Policy Rules/Actions: Policy settings tab
This tab lets you change the settings for a Managed Software Delivery policy.
Table 9-11 Options on the Policy Settings tab
Option | Description
Display name
Lets you define the name that appears in the Symantec Management Agent for this
policy. The default name is New Managed Software Delivery.
Make the name descriptive enough for users to easily identify this software.
Display description
Lets you type a description to further identify this software and make it more
recognizable on the Symantec Management Agent.
Enable verbose reporting of status events
Records the details of policy status, package download, and execution events and
posts them to the Notification Server computer.
See “Policy Rules/Actions section” on page 174.
Chapter 10
Virtualization Management
This chapter includes the following topics:
■ About Virtual Machine Management on UNIX and Linux systems
■ About server virtualization
■ About Virtual Machine Management home page
■ About Virtual Machine Management tasks
■ What you can do with Virtual Machine Management
■ What's new in Virtual Machine Management 7.1 SP2
■ Getting started with the Virtual Machine Management component
■ Discovering and adding a single host
■ Discovering the hosts
■ About Virtual Machine Management Task Server Plug-in
■ Installing the Virtual Machine Management Task Server Plug-in
■ About virtual machines
■ Creating a virtual machine
■ Deleting a virtual machine
■ Viewing Virtual Machine Management reports
■ Permissions that Virtual Machine Management requires
■ Preventing the Virtual Machine Management protocol from being replaced
■ Deploying ESX/ESXi servers
■ About troubleshooting Virtual Machine Management
■ Tables populated during the Network Discovery and Run Inventory tasks
■ Connection profile information
■ About Log Viewer
About Virtual Machine Management on UNIX and Linux systems
Virtual Machine Management is included in Altiris Server Management Suite
from Symantec and should already be installed and deployed on your network.
Virtual Machine Management lets you perform the virtualization process on your
network. Virtualization is a technology that lets you make optimum use of the
hardware resources of your organization. You can create various virtual server
environments on a single physical server. Each virtual environment is isolated
and functions independently from the physical server and from the other virtual
environments.
Virtualization enhances the efficiency and productivity of the hardware resources
and helps to reduce administrative costs.
The features of the Virtual Machine Management component let you get
information from your virtualization infrastructure and bring it to your Server
Management Suite environment. From there, this information can be consumed
in the context of the broader systems management landscape. The pervasiveness
of virtualization has made this a necessity as it becomes increasingly impractical
to properly manage a server environment without intimate knowledge of the
virtualization stack that is present and the ability to access key virtualization
operations. The following three scenarios illustrate this critical need:
Scenario
Description
Host/VM ratio
Performing a traditional management
operation, such as patch and virus scans on
highly dense VM environments, produces
unacceptable performance degradation.
Using the knowledge of host/guest
relationship in systems management policies
enables intelligent, no-impact maintenance
to be performed on those environments.
VM cloning
The bare-metal portion of server builds has
been replaced by VM provisioning.
Administrators need access to VM creation
and cloning capabilities from within their
systems management console to preserve
their fine-tuned and highly customized
automated build processes. A complete set
of VM management options enables them to
find the right balance between VM template
proliferation and server build customization
needs.
Host/VM resource consumption
Overall system performance is exponentially
more sensitive to resource utilization in
virtual environments. To aggravate matters,
the hosting of increasing numbers of VMs
on a single physical server means that
glitches to a single operating environment
can disrupt thousands of users. Having
access in the systems management console
for information on key virtualization
performance indicators enables systems
administrators to take a holistic approach
to preventing and remediating critical
system conditions.
Virtual Machine Management supports several guest operating systems. The
Hyper-V Integration Services and VMware Tools are available for many of these
guest operating systems. The Shut Down and Restart tasks are supported in the
guest operating systems that support Hyper-V Integration Services and VMware
Tools.
Virtual Machine Management does not have any UNIX/Linux-specific functionality.
However, you can leverage the same tasks that you complete on Windows guest
operating systems on UNIX and Linux systems. The functionality for creating and
managing virtual machines (including inventory, discovery, and patching) with Virtual
Machine Management is the same, no matter what the operating system of the
virtual machine is.
See “What you can do with Virtual Machine Management” on page 182.
About server virtualization
Server virtualization lets you divide a single physical server into multiple virtual
environments. The virtual servers share the hardware resources of the physical
server. The physical server is called the host and the virtual server is called the
guest.
The virtual machines behave like physical computers. Each virtual machine shares the
hardware resources of the host server. Each virtual machine also is independent
and unaware of the other virtual machines that run on the same physical server.
Server virtualization can be attained with three different methods: the virtual
machine method, paravirtualization, and operating system level virtualization.
The Virtual Machine Management component uses the virtual machine method.
The virtual machine method requires that you install the virtual machine monitor
software on your host server. The virtual machine monitor software is also called
a hypervisor. The hypervisor serves as a platform for the operating system of the virtual
server. You can install the hypervisor on the operating system or directly on the
hardware of your server.
The Virtual Machine Management component currently supports the following
hypervisors:
■ Hyper-V
■ VMware
These platforms support the virtualization features, which are provided in the
Virtual Machine Management component.
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
See “What you can do with Virtual Machine Management” on page 182.
About Virtual Machine Management home page
The Virtual Machine Management home page lets you view information and
perform numerous functions on your virtual resources. To view the virtual resource
information and execute different tasks, ensure that all the prerequisites are met.
On the Virtual Machine Management home page, in the left pane, you can view
the physical servers that have the supported virtualization software installed.
The Virtual Machine Management component currently supports Hyper-V and
VMware. The installed virtualization software is the base for how the hosts are
grouped. You can further expand the host and view the list of the virtual machines
that are created on it.
On the Virtual Machine Management home page, in the right pane, you can view
the detailed information and run management tasks on your physical servers and
virtual machines. In the left pane, click a resource that you want to manage.
On the host page, you can see the detailed information about the physical server
and the virtual resources that are created on it: virtual machines, virtual disks,
and virtual networks. You also can create and manage virtual resources.
On the virtual machine page, you can see the detailed information about the virtual
machine, such as snapshot details, virtual network, and associated disks, run power
management tasks, and manage its snapshots.
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
See “What you can do with Virtual Machine Management” on page 182.
About Virtual Machine Management tasks
To create or manage your virtual resources, you must create and run respective
tasks on the host.
For general information about creating and running the tasks, see the Symantec
Management Platform User Guide.
After you specify the details for the Virtual Machine Management task, the task
page opens. On the task page, you can schedule the task and select the resources
to run the task on.
For more information, see the topics about specifying the schedule and the target
of a task in the Symantec Management Platform User Guide.
The tasks use the Symantec Management Platform connection profiles to manage
the network protocols that are used to communicate with the hosts. When you
run the tasks, you can use the default connection profile or create your own profile.
When you run discovery tasks, use the WMI Credentials for Hyper-V computers
and the VMWare Credentials for VMware computers. The same credentials are
then used automatically for all other tasks.
Note: The default firewall settings block WMI connections. You must enable
Hyper-V server to work with WMI calls.
For more information, see the topics about creating connection profiles in the
Symantec Management Platform User Guide.
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
See “What you can do with Virtual Machine Management” on page 182.
What you can do with Virtual Machine Management
The Virtual Machine Management component lets you manage the virtual
resources of your network.
Table 10-1 What you can do with the Virtual Machine Management component
Option | Description
Create virtual machine
You can create new virtual machines.
See “Creating a virtual machine” on page 190.
Create virtual disk
You can create virtual disks for the virtual machines that
you create.
For more information about creating virtual disks, see the
Virtual Machine Management User Guide.
Create virtual network
You can create a virtual network for the virtual machine. Each
virtual machine requires a virtual network to connect to
the host.
For more information about creating a virtual network for
the virtual machine, see the Virtual Machine Management
User Guide.
Run power management tasks on virtual machines
You can change the power state of your virtual machines.
For more information about changing the power state of
your virtual machines, see the Virtual Machine Management
User Guide.
Create snapshot of a virtual machine
You can create snapshots to preserve certain states of your
virtual machines.
For more information about creating snapshots, see the
Virtual Machine Management User Guide.
Revert snapshot of a virtual machine
You can use the revert snapshot option to restore a
previously saved state of a virtual machine.
For more information about reverting snapshots, see the
Virtual Machine Management User Guide.
Delete snapshot of a virtual machine
You can use the delete snapshot option to delete a snapshot.
For more information about deleting snapshots, see the
Virtual Machine Management User Guide.
Collect inventory of the virtual environment
You can collect the inventory data of the hosts and their
virtual environment.
For more information about collecting inventory data, see
the Virtual Machine Management User Guide.
View Virtual Machine Management reports
You can view the details of the host and its virtual
environment.
See “Viewing Virtual Machine Management reports”
on page 193.
What's new in Virtual Machine Management 7.1 SP2
In the 7.1 SP2 release of Virtual Machine Management, the following new features
are introduced:
Table 10-2 List of new features
Feature | Description
Enhanced Virtual Machine Management Run Inventory Task.
Run Inventory Task now creates a new task instance instead of creating a
new task every time. This feature is consistent with other solutions.
New Virtual Machine Management reports
Two new reports have been added to Virtual Machine Management. These
reports display a comprehensive list of hosts and their virtual guests. The
new reports are as follows:
■ Host Summary Report
■ Guest Summary Report
New Virtual Machine Management tasks are provided through the Manage > Jobs and Tasks menu.
New Virtual Machine Management tasks are provided through the Manage
> Jobs and Tasks > System Jobs and Tasks > Virtual Machine Management
list. The Virtual Machine Management list includes the following tasks:
■ Create Virtual Network
■ Delete Virtual Network
■ Create Virtual Disk
■ Delete Virtual Disk
■ Create Snapshot
■ Delete Snapshot
■ Revert Snapshot
■ Power Management
The power control options are start, stop, suspend, resume, shut down,
and restart.
Execute consolidated Virtual Machine Management tasks through the vCenter with different passwords for the hypervisor and the vCenter.
Consolidated Virtual Machine Management tasks can be performed on
the hypervisor, which is managed and discovered by the vCenter. Now these
tasks can be executed even if the passwords for the hypervisor and the
vCenter are different.
Enhanced default settings in the Create Virtual Machine wizard.
In the Create Virtual Machine wizard, the following default settings are
enhanced:
■ In Virtual Machine Details > Memory, the default memory size is
changed from MB to GB.
■ In Virtual Machine Details > CPU, the number of CPUs is now available
for selection in the drop-down list. The values in the drop-down list are
displayed based on the number of logical processors on the host server.
■ In Select Disk > Capacity, the default capacity is changed from MB to
GB.
Support for new hypervisors.
Virtual Machine Management now supports the following new hypervisors:
■ Hyper-V (Win 2K8 R2 SP1).
■ vCenter 4.1 and vCenter 5.0 to manage ESX 4.0, ESX 4.1, ESXi 4.0, ESXi
4.1 and ESXi 5.0.
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
Getting started with the Virtual Machine Management component
The Virtual Machine Management component lets you manage your virtual
environment. To use the features of the Virtual Machine Management component,
you must perform some required tasks.
Table 10-3 Process for getting started with the Virtual Machine Management
component
Step 1: Discover and add hosts
You can specify the IP address of a single host and quickly add it to the network.
See “Discovering and adding a single host” on page 186.
You can discover all the hosts and their virtual machines that are available in
the network. The discovery data is added into the Configuration
Management Database (CMDB).
See “Discovering the hosts” on page 186.
Step 2: Install the Virtual Machine Management Task Server Plug-in on the task server
The Virtual Machine Management Task Server Plug-in lets you run the
management tasks on your virtual machines.
The Virtual Machine Management Task Server Plug-in install policy is enabled
by default. It installs the Virtual Machine Management Task Server
Plug-in on the task server.
See “Installing the Virtual Machine Management Task Server Plug-in”
on page 188.
Step 3: Collect the inventory on the hosts
After you discover the Hyper-V and VMware servers on your network, you
can gather inventory of these servers and their virtual environments.
For more information about collecting inventory data on the hosts, see the
Virtual Machine Management User Guide.
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
Discovering and adding a single host
The Add Host feature lets you find and add a specific host to your network. To
find and add a host, specify the IP address and run the network discovery task.
This discovery task uses the default connection profile to discover the host. When
the host is found, its data is added to the Configuration Management Database
(CMDB).
After a host is added, you can view its data on the Virtual Machine Management
home page. You also can run the Virtual Machine Management tasks on the host.
Before you discover and add a host, make sure that the WMI connection profile for
Hyper-V servers and the VMware connection profile for ESX servers are enabled.
To discover and add a single host
1 In the Symantec Management Console, on the Home menu, click Virtual
Machine Management.
2 In the left pane, click Actions > Add Host.
3 In the dialog box, type the IP address of the host and click OK.
See “Getting started with the Virtual Machine Management component”
on page 185.
Discovering the hosts
Before you can perform the Virtual Machine Management operations, you must
discover the hosts and their virtual machines, and gather inventory on the hosts.
You can discover the hosts and their virtual machines with the Network Discovery
wizard.
For more information, see the topics about discovering network devices in the
Symantec Management Platform User Guide.
After the hosts and their virtual machines are discovered, the corresponding
resources are created in the Configuration Management Database (CMDB). The
Virtual Machine Management home page displays the hosts and their virtual
machines that are available on your network.
Each time you add a host or a virtual machine, you must launch the network
discovery wizard to update the discovery data. You can also set up a recurring
Network Discovery task by using a custom connection profile. You can choose
Discover Virtual managers VMware and HyperV to target the new hosts and
virtual machines in your environment.
For more information, see the topics about network discovery, connection profiles,
and scheduling tasks in the Symantec Management Platform User Guide.
To discover the hosts
1 In the Symantec Management Console, on the Home menu, click Virtual
Machine Management.
2 In the left pane, click Actions > Getting Started.
3 In the Getting Started dialog box, click Launch Network Discovery Wizard.
4 In the network discovery wizard, on the Choose method of device discovery
page, specify a discovery method and then click Next.
For more information, see the topic about methods for discovering network
devices in the Symantec Management Platform User Guide.
5 On the Enter network IP Ranges page, specify the portions of the network
to discover and then click Next.
For more information, see the topic about selecting network ranges to discover
in the Symantec Management Platform User Guide.
6 On the Select device communication profile page, select a connection profile.
For more information, see the topics about network discovery and connection
profiles in the Symantec Management Platform User Guide.
7 To specify the VMware or WMI credentials, click the Edit symbol.
The credentials that you specify are automatically used for all other tasks
that require credentials.
Make sure that the VMware protocol is always turned on for ESX servers and
that the WMI protocol is turned on for Hyper-V servers.
8 In the Define Group Settings dialog box, click OK.
9 Click Next.
10 On the Enter task name page, name the task and then click Next.
11 On the Choose when to run the discovery page, schedule the task and then
click Finish.
For more information, see the topic about scheduling network discovery tasks
in the Symantec Management Platform User Guide.
See “Getting started with the Virtual Machine Management component”
on page 185.
About Virtual Machine Management Task Server Plug-in
For the Virtual Machine Management actions that you want to perform, you must
create tasks on the host. The Virtual Machine Management Task Server Plug-in
lets you manage your hosts and their virtual machines. It runs the Virtual Machine
Management tasks that you create.
The Virtual Machine Management Task Server Plug-in is installed on the task
server. You can configure the task server on the Notification Server computer or
on a separate site server computer. The Virtual Machine Management Task Server
Plug-in install policy installs the Virtual Machine Management Task Server Plug-in
on the task server.
For more information, see the topics about deploying a task server in the Symantec
Management Platform User Guide.
The Virtual Machine Management Task Server Plug-in uses different components
to communicate with the hosts. The VMware platform uses the web service and
Hyper-V uses the Windows Management Instrumentation (WMI). The Virtual
Machine Management Task Server Plug-in remotely connects to the host and runs
the tasks that are applied to it.
The Virtual Machine Management Task Server Plug-in acts as a communication
channel between the Notification Server computer, task server, and the host. The
tasks are created in the Virtual Machine Management and sent to the task server
for the Virtual Machine Management Task Server Plug-in. The Virtual Machine
Management Task Server Plug-in selects the host where the task is specified to
run. After the task runs, the host sends the result to the Virtual Machine
Management Task Server Plug-in. The Virtual Machine Management Task Server
Plug-in then creates a Notification Server Event (NSE) and sends it to the
Notification Server computer. The Notification Server computer stores the event
in the Configuration Management Database (CMDB).
See “Installing the Virtual Machine Management Task Server Plug-in” on page 188.
Installing the Virtual Machine Management Task Server Plug-in
To perform any Virtual Machine Management tasks, you must install the Virtual
Machine Management Task Server Plug-in on your task server.
The Virtual Machine Management Task Server Plug-in install policy is enabled
by default. The policy installs the Virtual Machine Management Task Server
Plug-in on your task server.
See “About Virtual Machine Management Task Server Plug-in” on page 188.
To install the Virtual Machine Management Task Server Plug-in
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane, under Settings, click Agents/Plug-ins > Virtual Machine
Management > Virtual Machine Management Task Server Plug-in - Install.
3 On the Virtual Machine Management Task Server Plug-in - Install page,
under Applied to, specify the target for the policy.
For more information, see the topics about applying a policy to targets,
computers, resources, and users in the Symantec Management Platform User
Guide.
4 Under Schedule, specify a schedule for the policy.
For more information, see the topics about specifying a policy schedule in
the Symantec Management Platform User Guide.
5 Turn on the policy.
At the upper right of the page, click the colored circle, and then click On.
6 Click Save changes.
See “Getting started with the Virtual Machine Management component”
on page 185.
About virtual machines
The virtualization process helps you optimally use the resources and applications
of your organization.
Running a single operating system and a single application on a physical computer
can leave the computer's resources underutilized. Virtualization lets you create and run
multiple virtual machines on a single physical computer.
Each virtual machine has its own software-based processor, memory, hard disk,
and network interface card. Each virtual machine can run a different operating
system and different software applications. The virtual machines, though on the same
physical computer, stay isolated from each other. A virtual machine cannot be
differentiated from a physical computer.
A virtual machine is a software package that includes information about hardware
resources, applications, and operating system. You can easily move or copy the
virtual machine from one location to another.
The functionality for creating and managing virtual machines (including inventory,
discovery, and patching) is the same, regardless of the operating system of the
virtual machine.
See “Creating a virtual machine” on page 190.
See “Deleting a virtual machine” on page 192.
Creating a virtual machine
Virtual machines are created on a host. You can create the virtual machine with
the Create Virtual Machine wizard. You can also manually create a task that
creates a virtual machine. When you create a virtual machine using a task that is
created manually, the network associated with the virtual machine can only be
of type internal.
If you want to deploy an operating system on the virtual machine, you need to
configure the Deployment Solution job before you provision the virtual machine.
This step is optional and is required only for operating system deployment.
For more information about configuring a Deployment Solution job, see the
Deployment Solution User Guide.
Things you should consider before you create a virtual machine and use the OS
deployment functionality with the Create Virtual Machine wizard:
■ Select only the Deployment Solution job that contains the Partition task and
Scripted OS installation task.
■ The Initial Deployment task of the Deployment Solution should not be enabled.
■ When you select a network, make sure that it is external only.
To create a virtual machine and use the OS deployment functionality with the Create
Virtual Machine wizard
1 In the Symantec Management Console, on the Home menu, click Virtual
Machine Management.
2 In the left pane, do one of the following:
■ Click the host and on the host page, under Actions, click Create Virtual
Machine.
■ Right-click the host and click Create VM.
3 In the Create Virtual Machine wizard, on the Select Host page, select the
host from the list and then click Next. The Select Host page is displayed only
if you access the Create Virtual Machine wizard from the Action menu.
4 On the Virtual Machine Details page, specify the virtual machine details and
then click Next.
5 On the Select Disk page, create or select a virtual disk and then click Next.
6 On the Select Network page, create or select an external virtual network, and
then click Next.
7 On the Select Datastore and Deployment Job page, select a datastore and a
deployment solution job.
8 Click Finish.
After you finish the wizard, a job is created. This job contains a task that creates
a virtual machine and one task that schedules an operating system deployment
job on it. You must enable and configure the PXE service to send an automation
image to all unknown computers.
For more information about setting up the PXE service and creating images, see
the Deployment Solution User Guide.
To create a virtual machine with the Create Virtual Machine wizard
1 In the Symantec Management Console, on the Home menu, click Virtual
Machine Management.
2 In the left pane, do one of the following:
■ Click the host and on the host page, under Actions, click Create Virtual
Machine.
■ Right-click the host and click Create VM.
3 In the Create Virtual Machine wizard, on the Select Host page, select the
host from the list and then click Next. The Select Host page is displayed only
if you access the Create Virtual Machine wizard from the Action menu.
4 On the Virtual Machine Details page, specify the virtual machine details and
then click Next.
5 On the Select Disk page, create or select a virtual disk and then click Next.
6 On the Select Network page, create or select a virtual network, and then click
Next.
7 On the Select Datastore and Deployment Job page, select a datastore.
8 Click Finish.
After you finish the wizard, a task is created. This task creates a virtual machine
with the specified configuration.
To manually create a task that creates a virtual machine
1 In the Symantec Management Console page, on the Manage menu, click Jobs
and Tasks.
2 In the left pane, under Jobs and Tasks, expand System Jobs and Tasks, and
click Virtual Machine Management.
3 Right-click the Create Virtual Machine folder and click New > Task.
4 In the tasks list, click Create Virtual Machine.
5 Give the task a name.
6 On the VM Details tab, specify the virtual machine details.
7 On the Disk Details tab, specify the disk details.
8 On the Network Details tab, specify the network details.
9 Click OK.
10 On the create virtual machine task page, under Task Status, specify a schedule
for the task.
For more information, see the topics about adding a schedule in the Symantec
Management Platform User Guide.
11 If you make changes in the task after you have created it, click Save changes.
See “About virtual machines” on page 189.
Deleting a virtual machine
You can delete a virtual machine from the host.
To delete a virtual machine
1 In the Symantec Management Console, on the Home menu, click Virtual
Machine Management.
2 In the left pane, click the host.
3 On the host page, under Virtual Machines, do one of the following:
■ Click the virtual machine and click Actions > Delete VM.
■ Right-click the virtual machine and click Delete VM.
4 In the Delete VM dialog box, click OK.
5 On the delete virtual machine task page, under Task Status, specify a schedule
for the task.
For more information, see the topics about adding a schedule in the Symantec
Management Platform User Guide.
See “About virtual machines” on page 189.
Viewing Virtual Machine Management reports
The information about the hosts and their virtual machines, virtual disks, and
virtual networks is stored in the Configuration Management Database (CMDB).
You can view the details of the host and its virtual environment from the Reports
or from the Resource Manager.
The supported Virtual Machine Management reports are as follows:
■ Guest Summary Report
■ Host Summary Report
■ Virtual Disks Details
■ Virtual Machine Details
■ Virtual Network Details
You can configure the report view to suit your requirements. You also can save
the reports in different formats.
For more information, see the topics about using reports in the Symantec
Management Platform User Guide.
To view Virtual Machine Management reports
1 In the Symantec Management Console, on the Reports menu, click All
Reports.
2 In the left pane, click Virtual Machine Management.
3 Select a report that you want to view.
For more information, see the topics about using reports in the Symantec
Management Platform User Guide.
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
Permissions that Virtual Machine Management requires
The following tables include information on the permissions that Virtual Machine
Management requires.
Table 10-4 vCenter permissions required
Columns: VMM task, Read-only, Administrator, Power user, VM user
Discovery: x x x x
Run Inventory: x x x x
Create/Delete VM: x
Create/Delete Disk*
Create/Delete Network: x
Deploy VM (from template)**: x
Create/Revert/Delete Snapshot: x x
Power Mgmt. (Start, Stop, Suspend, Resume, Shutdown, Restart): x x x
* Delete and Create virtual disk currently require direct communication to
ESX/ESXi
** Planned for an upcoming release
Table 10-5 ESX/ESXi permissions required
Columns: VMM task, Read-only, Administrator
Discovery: x x
Run Inventory: x x
Create/Delete VM: x
Create/Delete Disk: x
Create/Delete Network: x
Deploy VM (from template)*
Create/Revert/Delete Snapshot: x
Power Mgmt. (Start, Stop, Suspend, Resume, Shutdown, Restart): x
* Planned for an upcoming release, requires vCenter
Table 10-6 Hyper-V permissions required
Columns: VMM task, Administrator
Discovery: x
Run Inventory: x
Create/Delete VM: x
Create/Delete Disk: x
Create/Delete Network: x
Deploy VM (from template)*
Create/Revert/Delete Snapshot: x
Power Mgmt. (Start, Stop, Suspend, Resume, Shutdown, Restart): x
* Not currently supported on Hyper-V
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
Preventing the Virtual Machine Management protocol from being replaced
The Virtual Machine Management protocol can be replaced by different protocols.
Agentless communication uses the first protocol and credential combination that
connects successfully to a server. Network Discovery can swap node-protocol and
credential associations. VMM requires the VMware protocol for it to perform at
its full capacity.
To prevent the Virtual Machine Management protocol from being replaced, you
can complete the following high-level steps. Completing these steps causes all
VMM operations to that server to use the VMware protocol.
■ Exclude vCenter Servers from non-VMM discovery tasks
■ Create new task(s) to only discover vCenters using the VMware protocol
■ Run new VMM discovery tasks
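The first two steps can be checked against a written-down list of discovery tasks. The following Python code is an added example, not Symantec code: the dictionary layout, task names, and addresses are constructed assumptions (not an Altiris export format). It flags every task that can reach a vCenter with a protocol other than VMware enabled, and every vCenter that no VMware-only task covers.

```python
import ipaddress

# Constructed sample data. The layout, task names and addresses are
# assumptions made for this example; they are not an Altiris export format.
VCENTERS = ["10.0.5.10", "10.0.5.11"]
DISCOVERY_TASKS = [
    {"name": "Datacenter sweep", "include": ["10.0.0.0/16"],
     "exclude": [], "protocols": ["SNMP", "WMI", "VMware"]},
    {"name": "Server VLAN sweep", "include": ["10.0.5.1-10.0.5.254"],
     "exclude": ["10.0.5.10-10.0.5.11"], "protocols": ["SNMP", "WMI"]},
    {"name": "VMM vCenter discovery", "include": ["10.0.5.10", "10.0.5.11"],
     "exclude": [], "protocols": ["VMware"]},
]


def parse_range(spec):
    """Return (first, last) for 'a.b.c.d', 'a.b.c.d/nn' or 'start-end'."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip())
                      for p in spec.split("-", 1))
        if start > end:
            raise ValueError(f"range start is after range end: {spec}")
        return start, end
    net = ipaddress.ip_network(spec.strip(), strict=False)
    return net[0], net[-1]


def covers(task, ip):
    """True if the task's include ranges contain ip and no exclude does."""
    addr = ipaddress.ip_address(ip)

    def hit(specs):
        return any(lo <= addr <= hi for lo, hi in map(parse_range, specs))

    return hit(task["include"]) and not hit(task.get("exclude", []))


def audit(tasks, vcenters):
    """Return (findings, missing).

    findings: (task name, vCenter IP, non-VMware protocols) for each task
              that reaches a vCenter with any other protocol enabled, so a
              non-VMware protocol could be the first one that connects.
    missing:  vCenters that no VMware-only discovery task covers.
    """
    findings = []
    protected = set()
    for task in tasks:
        others = sorted(p for p in task["protocols"] if p != "VMware")
        for ip in vcenters:
            if not covers(task, ip):
                continue
            if others:
                findings.append((task["name"], ip, others))
            elif "VMware" in task["protocols"]:
                protected.add(ip)
    missing = [ip for ip in vcenters if ip not in protected]
    return findings, missing


if __name__ == "__main__":
    found, uncovered = audit(DISCOVERY_TASKS, VCENTERS)
    for name, ip, others in found:
        print(f"{name}: reaches vCenter {ip} with {', '.join(others)} enabled")
    for ip in uncovered:
        print(f"{ip}: no VMware-only discovery task covers this vCenter")
```

With the sample data, only "Datacenter sweep" is reported; adding the two vCenter addresses to its exclude list clears both findings.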
The following diagrams demonstrate VMM relationships.
Figure 10-1 VMM agentless interaction
Figure 10-2 VMM communication and connection profiles
Deploying ESX/ESXi servers
Several sources of information about ESX/ESXi servers are available, including
information about deployment.
Videos, demos, and documentation from Dell and Symantec around ESX are
available at the following URL:
dell.symantec.com/videos-demos
A guide on deploying and updating VMware vSphere 5.0 (which runs ESXi) on HP
ProLiant Servers is available at the following URL:
www.sallustio.ch/blade/Deploying%20and%20updating%20VMware%20vSphere%205.0%20on%20HP%20ProLiant%20Servers.pdf
An article from Symantec about how to execute tasks on VMware Hypervisor
(ESX/ESXi host) and what permissions are required to execute tasks is available
at the following URL:
www.symantec.com/docs/TECH188201
See “About Virtual Machine Management on UNIX and Linux systems” on page 178.
About troubleshooting Virtual Machine Management
Use the following information to troubleshoot Virtual Machine Management:
Tables populated during the Network Discovery and Run Inventory tasks:
Identifies the tables that are populated during execution of the Network
Discovery and Run Inventory tasks. It also describes the data entries in each of
these tables.
These tables can help you to resolve issues such as failure of the Run Inventory
task because tasks are queued up or timed out.
Connection profile information:
Describes the connection profile information, such as discovery using SNMP or
WS-MAN, and VMware protocols.
This information is useful in resolving issues such as failure of the Run
Inventory task due to protocol issues.
Use of Log Viewer:
Lets you determine what happens during execution of any Virtual Machine
Management specific task, including what fails.
Tables populated during the Network Discovery and Run Inventory tasks
The following tables are populated during execution of the Network
Discovery and Run Inventory tasks:
Table 10-7 Tables populated during the Network Discovery and Run Inventory
tasks
Table name: Inv_VM_Host
Significance: Contains data related to the ESX or HyperV host servers.
Table name: Inv_VM_Guests
Significance: Contains data related to the guest servers of all the discovered
ESX and HyperV host servers.
Table name: Inv_Symantec_VMM_VirtualMachine
Significance: Contains data related to all the virtual machines for the
discovered host servers. This includes the following information:
■ Virtual machine name
■ Associated virtual disk
■ Associated virtual network
■ Host server guid
■ Memory
■ State such as Running, Stopped, Suspended, etc.
Table name: Inv_Symantec_VMM_Disk
Significance: Contains data related to all the virtual disks for the discovered
host servers. This includes the following information:
■ Disk name
■ Device type
■ Capacity
■ Host server resource guid
Table name: Inv_Symantec_VMM_Network
Significance: Contains data related to all the virtual networks for the
discovered host servers. This includes the following information:
■ Network ID
■ Network name
■ Network description
■ Host server resource guid
See “About troubleshooting Virtual Machine Management” on page 197.
Connection profile information
The following connection profile information applies when you perform Network
Discovery using different protocols:
Table 10-8 Connection profile information
Host server: ESX Server
Protocol required: The following two protocols are required for discovering the
ESX servers:
■ VMware
■ SNMP
Note: Only ESX 3.5 server is discovered with the SNMP protocol. For the execution
of any Virtual Machine Management specific tasks, the ESX server must be
discovered with the help of the VMware protocol.
Remarks: The VMware protocol must be configured with proper credentials and it
must be in ON state.
Host server: HyperV Servers
Protocol required: The following protocol is required for discovering the HyperV
servers:
■ WMI protocol
Remarks: The WMI protocol must be configured with proper credentials and it must
be in ON state.
See “About troubleshooting Virtual Machine Management” on page 197.
About Log Viewer
The Log Viewer is a complete record of what happens when you perform a
particular action in Virtual Machine Management. Administrators can use this
information to debug issues that occur during the execution of Virtual Machine
Management specific tasks. Quality assurance personnel can also use the Log
Viewer to check the accuracy of task execution.
As you execute any Virtual Machine Management task, every action is logged in
the Log Viewer. This information includes failures of actions to execute, areas to
debug, and the changes that are made in your computer. You can use the Log
Viewer to determine the problems and their cause. In case of any problem, the
Log Viewer helps you to understand the problem and raise the issue to the technical
support team.
For example, you can use the Log Viewer to check whether the Virtual Machine
Management solution has been successful in establishing a connection with
vCenter. The Log Viewer provides details such as the IP address of the vCenter.
You can launch the Log Viewer from the Start > All Programs > Symantec >
Diagnostics > Altiris Log Viewer executable file.
See “About troubleshooting Virtual Machine Management” on page 197.
Section 3. Server health
■ Chapter 11. Monitor Solution and Monitor Packs
■ Chapter 12. Event Console
■ Chapter 13. Historical and Real-Time Monitoring
Chapter 11. Monitor Solution and Monitor Packs
This chapter includes the following topics:
■ About Monitor Solution
■ Introducing Monitor Solution in UNIX/Linux environments
■ Components of Monitor Solution
■ About Monitor Packs, policies, rules, metrics, and tasks
■ About Monitor Pack for Servers
■ What you can do with monitor pack for servers
■ Configuring the monitor server
■ Importing monitor packs
■ Downloading custom Monitor packs from the Symantec Connect Community
■ About agentless monitoring
■ About agent-based versus agentless monitoring
■ About monitor service
■ Setting up a remote monitoring site server
■ Setting up credentials for agentless monitoring
■ About scalability best practices for Monitor Solution
About Monitor Solution
Monitor Solution lets you monitor various aspects of computer operating systems,
applications, and devices. These aspects can include events, processes, and
performance. This ability helps you ensure that your servers and your devices
work and reduces the costs of server and network monitoring.
Monitor Solution lets you do the following tasks:
■ Identify the health of your environment by collecting detailed data from
servers, applications, and network devices.
■ Analyze trends and isolate recurring issues by collecting comprehensive
real-time and historical performance data.
■ Pinpoint problems, define their cause, and take automated actions to resolve
them.
Monitor Solution supports both agent-based and agentless monitoring methods.
It runs on the Symantec Management Platform and is a key component of Server
Management Suite.
See “Components of Monitor Solution” on page 207.
Introducing Monitor Solution in UNIX/Linux environments
Monitor Solution lets you monitor various aspects of UNIX/Linux operating
systems, applications, and devices. These aspects can include events, processes,
and performance. This ability helps you ensure that your servers and your devices
work and reduces the costs of server and network monitoring.
See “About Monitor Packs, policies, rules, metrics, and tasks” on page 209.
Monitor Solution lets you complete the following tasks:
■ Identify the health of your environment by collecting detailed data from
servers, applications, and network devices.
■ Analyze trends and isolate recurring issues by collecting comprehensive
real-time and historical performance data.
■ Pinpoint problems, define their cause, and take automated actions to resolve
them.
Monitor Solution supports both agent-based and agentless monitoring methods.
It runs on the Symantec Management Platform and is a key component of Server
Management Suite.
For more information, see the Monitor Solution for Servers User Guide at
www.symantec.com/docs/DOC4683.
Although most Monitor Solution functions work across all platforms, the following
differences exist between Windows support and support for UNIX/Linux:
■ Not all of the Application Detection Rules are cross-platform. Some work with
Windows only.
■ Several metric types are only applicable to Windows (for example, Windows
Processes, Windows Services, and Performance Counters). The most commonly
used metric type on UNIX/Linux is the Command Line metric type.
■ Monitor packs differ between Windows and UNIX/Linux; they collect most of
the same information but they use different methods.
■ The Agentless Monitor Pack applies only to Windows. However, you can
manually create policies for UNIX and Linux servers and include cross-platform
rules.
■ Symantec offers a Server Health Pack for Windows and Linux, but not for
UNIX.
Components of Monitor Solution
Monitor Solution lets you monitor different aspects of servers and applications.
This monitoring is done through multiple monitoring solutions that work together
using a common set of Monitor Solution components that are called the core
components. Each monitoring solution uses the core components and includes a
set of monitoring components specific to the purpose of the monitoring solution.
Each solution also includes numerous reports to help analyze data. This separation
of core functionality provides flexibility to comprehensively monitor aspects of
computer resources and network devices.
The core components of Monitor Solution are as follows:
■
Monitor Plug-in
The Monitor Plug-in performs the monitoring work on computers. The Monitor
Plug-in is a plug-in to the Symantec Management Agent, which is installed on
monitored computers. The Monitor Plug-in receives configuration data from
the Notification Server computer specifying what aspects of the computer are
to be monitored.
■
Agentless monitoring
A monitor service on a site server acts in place of a Monitor Plug-in. It lets you
monitor certain aspects of your computers that cannot have plug-ins installed
on them.
207
208
Monitor Solution and Monitor Packs
Components of Monitor Solution
See “About agentless monitoring” on page 214.
See “About monitor service” on page 215.
■
Real-time and historical performance viewers
Performance monitoring lets you view the performance of a computer in real
time or historically. This data makes it easy to analyze performance and
identify problems.
See “Viewing real-time performance data” on page 235.
See “Viewing historical performance data” on page 234.
■
Reports
Numerous predefined reports help you analyze your data; you can also create
custom reports if the predefined reports do not meet your needs.
See “Viewing Monitor Solution reports” on page 236.
■
Monitor packs
Monitor packs include the necessary monitor policies, metrics, rules, and tasks
for monitoring an operating system or application. Monitor packs also contain
preconfigured monitor policies with preset thresholds and severities.
■
Monitor policy
A monitor policy is group of monitoring rules. You apply monitor policies to
the groups of computers and devices that you want to monitor. Monitor policies
inform the Monitor Plug-in or the Remote Monitoring Server of what data you
want monitored and how that data should be analyzed. The data is evaluated
against the conditions of rules. Based on these rules the Monitor Plug-in can
run automated actions in response to data that reaches an undesired state or
range. The Monitor Plug-in returns the monitored data to the Notification
Server computer. The Notification Server computer uses monitored data to
run Task Server tasks for real-time performance monitoring and historical
performance reporting.
■
Rules
Rules specify how to analyze the metric data or the event data that the Monitor
Plug-in and the Remote Monitoring Server collect. Rules also define under
what conditions they are triggered and the actions taken.
■ Actions and Tasks
You can add actions and tasks to a rule or a policy. Rules are triggered when
monitored metric data reaches a determined value or goes beyond an acceptable
value range. A triggered rule sends an alert, and any actions or tasks that are
specified for that rule or policy are executed. Monitor actions and tasks can
also be scheduled or run on demand. You can run tasks from a task server or
you can choose from several Monitor Plug-in-specific task types.
■ Metrics
Metrics define how a Monitor Plug-in or the Remote Monitoring Server collects
data from supported data sources, called metric sources. Each plug-in can use
numerous metrics to define all of the data that you want to collect.
See “About Monitor Solution” on page 206.
About Monitor Packs, policies, rules, metrics, and tasks
Each monitor pack contains policies, which contain rules and metrics used for
collecting data, and which can trigger tasks. The data collected can be used either
for trending (historical) or for alerting purposes.
See “About Monitor Pack for Servers” on page 210.
■ A policy is a category that describes the area you are monitoring. For example,
one of your policies might be a system health and tuning policy.
■ A policy is made up of a number of rules. A rule is a threshold definition that
determines what conditions must occur in order for the rule to trigger. For
example, a policy might contain a rule that measures excessive disk activity.
■ Metrics within the rule constantly make values available to the rule evaluator
mechanism. They answer the question: Does this value exceed the threshold
defined in the rule?
■ If yes, an alert is generated and subsequent tasks are triggered. Tasks let you
define what should be done if a particular condition is met. There are two types
of tasks: task server-based tasks (server side tasks), and Monitor agent tasks.
Figure 11-1: Monitor Solution structure
About Monitor Pack for Servers
Monitor Pack for Servers works with the Monitor Solution core components of
the Symantec Management Platform. It lets you monitor operating system
performance, services, and events of your Windows, Linux, or UNIX server
environment.
This pack includes several reports to help you evaluate and tune the performance
of your server components.
What you can do with monitor pack for servers
You can use monitor pack for servers to monitor several Windows-specific, and
Linux and UNIX-specific elements.
You can monitor the following Windows elements:
■ Active Directory
■ DNS
■ MTS
■ IIS
■ MSDTC
■ MSMQ
■ DHCP
■ .NET Framework
■ RAS/RRAS
■ WINS
■ Windows Terminal Services
You can monitor the following Linux and UNIX elements:
■ Disk
■ Memory
■ Ports
■ Printers
■ Processor
■ Security
■ DNS
■ DHCP
■ MSMQ
Configuring the monitor server
The following describes the process for preparing the monitor server.
Table 11-1: Process for configuring the monitor server

Step 1
  Action: Import a monitor pack.
  Description: Monitor packs include the necessary monitor policies, metrics,
  rules, and tasks for monitoring an operating system or application. Monitor
  packs also contain preconfigured monitor policies with preset thresholds and
  severities. You must import a monitor pack to monitor computers and devices.
  See “Importing monitor packs” on page 212.

Step 2
  Action: Set up database maintenance.
  Description: Monitor Solution collects data from monitor computers and stores
  it in the database. You can configure the database maintenance settings to
  define when data is summarized and purged.

Step 3
  Action: Configure heartbeat monitoring settings.
  Description: Monitor Solution collects heartbeat signals from Monitor
  Plug-ins. You can configure the server-side heartbeat settings to define how
  often Monitor Solution checks for heartbeats. Specify the number of failures
  that are allowed to occur before Monitor Solution sends an alert to the
  Event Console.
Importing monitor packs
Monitor packs are available for monitoring many aspects of your computer
resources and network to ensure their availability. Monitor packs include the
necessary monitor policies, metrics, rules, and tasks for monitoring an operating
system or application. Monitor packs also contain preconfigured monitor policies
with preset thresholds and severities.
You must import monitor packs following the installation of Monitor Solution.
Importing monitor packs lets you choose what functionality you want installed
on your monitoring server, and when you want it to be installed. Importing a
monitor pack is accomplished by scheduling a monitor pack import in the Import
Monitor Pack page.
For more information about the options, click the page and then press F1.
See “Configuring the monitor server” on page 211.
You can also import monitor packs from the Monitoring and Alerting section of
the First Time Setup portal. The First Time Setup portal is available on the Home
menu, under Notification Server Management.
For more information, see the topic about performing the First Time Setup
configuration in the Symantec Management Platform User Guide.
To create an import policy to import a monitor pack
1. In the Symantec Management Console, on the Home menu, click Monitoring
   and Alerting.
2. In the left pane, click Monitoring and Alerting > Monitor > Policies > Import
   Monitor Pack.
3. On the Import Monitor Pack page, select the monitor pack to import.
4. Click Schedule.
5. In the Schedule Monitor Pack dialog box, choose from the following options:
   Run now: Starts the import immediately after the dialog is completed.
   Run on a schedule: Lets you specify a time and date for when you want the
   import to run.
   Yield to system resources: Instructs the policy to aggressively consume
   system resources during import.
   Override existing items: Replaces any items that are already stored in the
   database.
6. Click OK to apply the configuration settings to the policy and enable it to run.
Downloading custom Monitor packs from the Symantec Connect Community
Symantec Connect is a source for both Symantec monitor packs and custom
monitor packs provided by users and third parties. Customers can submit any
type of Monitor pack that other customers may find useful. Monitor packs can
vary from a single custom rule and metric to complex rules and metrics. You can
also submit requests for Monitor packs on Symantec Connect. The product
manager usually responds with information on whether this particular pack is in
development or planned.
See “About Monitor Pack for Servers” on page 210.
To download custom monitor packs
1. Find the IT Management Suite forum on Symantec Connect at
   http://www.symantec.com/connect/endpoint-management/forums/it-management-suite.
2. Do a search on "Monitor pack."
3. For community guidelines and disclaimers on creating custom Monitor packs,
   go to
   http://www.symantec.com/connect/articles/monitor-packscommunity-guidelines-creating-custom-monitor-packs
About agentless monitoring
You use agentless monitoring to monitor the computers that do not have the
Monitor Plug-in. You monitor these computers with agentless monitoring policies.
Because the Monitor Plug-in is not available on the computer, fewer aspects of
the computer are available to be monitored. You use monitor service on a site
server to perform agentless monitoring.
See “About monitor service” on page 215.
All agentless monitoring policies have a list of resource targets. These resource
targets are the resources that are monitored. Each monitor service monitors the
resources that its site server is assigned if an agentless monitoring policy targets
those resources. Consequently, multiple site servers can monitor the same resource
that is targeted in an agentless monitor policy. Also, different site servers can
monitor the different resources that are targeted in the same agentless monitor
policy.
You use agentless monitoring for the following reasons:
■ You cannot install the Symantec Management Agent on the device that you
  want to monitor.
  For example, VMware recommends that you not run third-party software in
  the VMware ESX Server service console. Another example would be a device
  that has an embedded system.
■ You want to monitor the availability of a server.
  In most cases you need to use agentless monitoring to perform an availability
  (ping) monitor.
About agent-based versus agentless monitoring
Monitor Solution supports the following methods for monitoring servers:
■ Agent-based monitoring, using a plug-in that extends the Symantec
  Management Agent
■ Agentless monitoring, using standard protocols such as WMI, SNMP, and
  WSMan. Monitor Solution Agentless is integrated into site servers and is
  referred to as the Remote Monitoring Server (RMS). Agentless monitoring is
  dependent on the credentials that are used during the Network Discovery
  phase.
See “Setting up a remote monitoring site server” on page 216.
The general best practice is to use the plug-in where possible as it provides more
monitoring capabilities and auto remediation and is less intrusive on the network
bandwidth. The following table highlights some of the advantages and
disadvantages of each approach.
Table 11-2: Comparison of agent-based and agentless monitoring

Agent-based monitoring: Gathers much more information
Agentless monitoring: Provides more limited monitoring capabilities (those
available through the standard protocols).

Agent-based monitoring: Provides auto remediation
Agentless monitoring: Is limited to the remediation capabilities through those
protocols.

Agent-based monitoring: Is less intrusive on the network bandwidth. For
example, the agent will send events to the central event console only when the
threshold has been triggered. The auto remediation occurs even before the event
has reached the central event console and is not dependent on the network.
Agentless monitoring: Is dependent on the network; the metric values must be
sent to the site server to be evaluated to determine if a threshold has been
triggered.
About monitor service
Monitor service on a site server lets you perform agentless monitoring. Monitor
service is installed on the Notification Server computer by default.
See “About agentless monitoring” on page 214.
Because monitoring can be resource-intensive, you can distribute the monitoring
load to other site servers to reduce the load on Notification Server. You can also
remove monitor service from the Notification Server computer to further reduce
the load on this server.
See “Setting up a remote monitoring site server” on page 216.
Monitor service is integrated with the site server infrastructure. This integration
lets the user specify the resources that each site server monitors.
Setting up a remote monitoring site server
You use monitor service on a site server to perform agentless monitoring. By
default, monitor service is installed on the Notification Server computer. Because
monitoring can be resource-intensive, you can distribute the monitoring load to
other site servers to reduce the load on Notification Server. You can set up as
many monitoring site servers as needed.
See “About agentless monitoring” on page 214.
See “About monitor service” on page 215.
To install the monitor service on a remote site server, the server must be running
one of the following operating systems:
■ Microsoft Windows Server 2003 SP2 x86
■ Microsoft Windows Server 2008 R2 x64
The Potential Monitor Servers filter automatically determines possible site
servers. The Potential Monitor Servers filter is available on the Management
menu, under Filters. Your agentless monitor policies do not require any special
configuration to work with a monitor service on one or more site servers.
Warning: You should only install monitor service on a computer that is secure
and trusted. The security that is set up for the Notification Server computer must
also apply to the site server computer.
Monitor service requires that the following be installed on the site server:
■ The Symantec Management Agent
■ The Pluggable Protocols Architecture (PPA) client computer component
■ The credential manager client computer component
Table 11-3: Process for setting up a remote monitoring site server

Step 1
  Action: Install the Symantec Management Agent on the site server.
  Description: A remote monitoring server and its dependencies require the
  Symantec Management Agent. If the Symantec Management Agent is not installed
  on the site server, install it.
  For more information, see topics about the Symantec Management Agent in
  the Symantec Management Platform User Guide.

Step 2
  Action: Configure connection profiles on Notification Server.
  Description: Connection profiles must be configured on Notification Server
  for remote monitoring to work. Configure your connection profiles before you
  install the Pluggable Protocols Architecture (PPA) client computer component
  on the site server.
  For more information, see topics about connection profiles in the Symantec
  Management Platform User Guide.

Step 3
  Action: Install the Pluggable Protocols Architecture (PPA) client computer
  component on the site server.
  Description: A remote monitoring server depends on the Pluggable Protocols
  Architecture (PPA) client computer component to communicate with network
  devices and computers. When the Pluggable Protocols Architecture (PPA) client
  computer component is installed, the credential manager client computer
  component is also installed.
  See “Installing the Pluggable Protocols Architecture (PPA) client computer
  component on a site server” on page 218.

Step 4
  Action: Add monitor service to one or more site servers.
  Description: You use the Site Management page to add monitor service to a
  site server.
  See “Adding monitor service to a site server” on page 219.

Step 5
  Action: (Optional) Remove monitor service from Notification Server.
  Description: You can remove monitor service from Notification Server to
  reduce the load on this server.

Step 6
  Action: Configure the remote monitoring server settings.
  Description: You can configure the remote monitoring server settings. These
  are the global settings that apply to all monitor site servers.
  See “Configuring remote monitoring server settings” on page 221.

Step 7
  Action: (Optional) View the monitor site server reports.
  Description: The monitor site server reports let you determine which site
  servers monitor the resources that your agentless monitor policies target.
  See “Monitor site server reports” on page 221.
Installing the Pluggable Protocols Architecture (PPA) client computer component on a site server
Pluggable Protocols Architecture (PPA) includes a policy that can remotely install
the Pluggable Protocols Architecture (PPA) client computer component on a site
server. You must install this component on a site server before you can add monitor
service to the site server. When the Pluggable Protocols Architecture (PPA) client
computer component is installed, the credential manager client computer
component is also installed. The policy that installs the credential manager client
computer component configures the agent to automatically import credentials
from Notification Server.
See “Setting up a remote monitoring site server” on page 216.
Warning: You should only install monitor service on a computer that is secure
and trusted. The security that is set up for the Notification Server computer must
also apply to the site server computer.
To install the Pluggable Protocols Architecture (PPA) client computer component
on a site server
1. In the Symantec Management Console, on the Settings menu, click All
   Settings.
2. In the left pane, under Settings, click Monitoring and Alerting > Protocol
   Management.
3. Expand the Protocol Management folder and click Install x86 Pluggable
   Protocols Agent Package or Install x64 Pluggable Protocols Agent Package.
4. On the Install Pluggable Protocols Agent Package page, complete the
   following:
   ■ In the Applied to section, apply the policy to the site server.
     For more information, see topics about specifying the targets of a policy
     in the Symantec Management Platform User Guide.
   ■ In the Schedule section, schedule when and how you want the policy to
     run.
     For more information, see topics about specifying a policy schedule in the
     Symantec Management Platform User Guide.
   ■ Turn on the policy.
     At the upper right of the page, click the colored circle and then click On.
5. Click Save changes.
After Pluggable Protocols Architecture (PPA) and credential manager are
installed, wait until the Symantec Management Agent sends inventory
information before adding a monitor service. You can confirm that the
inventory information was sent on the Symantec Management Agent Settings
tab of the Symantec Management Agent user interface on the site server.
Adding monitor service to a site server
You use monitor service on a site server to perform agentless monitoring. Monitor
service is installed on the Notification Server computer by default. You can also
add monitor service to one or more site servers.
See “About agentless monitoring” on page 214.
See “About monitor service” on page 215.
Before you can add monitor service to a site server, the following components
must be installed on that server:
■ Symantec Management Agent
■ Pluggable Protocols Architecture (PPA) client computer component
■ Credential manager client computer component
Credential manager client computer component is installed when you install
Pluggable Protocols Architecture (PPA) client computer component. After
Pluggable Protocols Architecture (PPA) and credential manager are installed,
wait until the Symantec Management Agent sends inventory information
before adding a monitor service.
See “Setting up a remote monitoring site server” on page 216.
Warning: You should only install monitor service on a computer that is secure
and trusted. The security that is set up for the Notification Server computer must
also apply to the site server computer.
When you add monitor service to a site server, it is installed on the selected site
server according to the schedule in the installation policy. Monitor service has
an installation policy for 64-bit and 32-bit computers. The installation policies
are in the Advanced folder for monitor service. To access these installation
policies, on the Settings menu, click Notification Server > Site Server Settings
> Monitor Service > Advanced.
To add monitor service to a site server
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. In the right pane, in the Detailed Information section, in the View menu,
   click Site Servers.
3. Select the site server and click the Edit symbol.
4. In the Add/Remove Services dialog box, check Monitor Service and click
   Next.
   If Pluggable Protocols Architecture (PPA) and credential manager are not
   installed on the site server, you cannot check Monitor Service.
5. In the dialog box that appears, confirm your addition of the monitor service
   to the correct site server and click OK.
6. To check the status of the installation, on the Site Management page, expand
   the Site Services section and then expand the Monitor Service section.
   A pie chart displays the site servers that are installed, pending installation,
   or not installed.
Configuring remote monitoring server settings
You can configure the settings for the remote monitoring servers. You use a remote
monitoring server and a monitor service to perform agentless monitoring.
See “About agentless monitoring” on page 214.
See “About monitor service” on page 215.
The remote monitoring server settings are the global settings that apply to all
monitor site servers.
See “Setting up a remote monitoring site server” on page 216.
See “Adding monitor service to a site server” on page 219.
To configure remote monitoring server settings
1. In the Symantec Management Console, on the Home menu, click Monitoring
   and Alerting.
2. In the left pane, click Monitoring and Alerting > Monitor > Settings > Remote
   Monitoring Server Settings.
3. On the Remote Monitoring Server Settings page, click the tabs to configure
   the following settings:
   ■ General
   ■ Performance Tuning
   ■ Data Collection
4. Click Save changes.
Monitor site server reports
Monitor service on a site server lets you run agentless monitoring policies to
monitor the resources that do not have the Symantec Management Agent installed.
The monitor site server reports let you determine which site servers monitor the
resources that your agentless monitor policies target.
See “About agentless monitoring” on page 214.
See “About monitor service” on page 215.
To access these reports, on the Reports menu, click All Reports, and then under
Reports, click Monitoring and Alerting > Monitor > Configuration > Monitor
site server.
The monitor site server reports are as follows:
■ Monitored resources by RMS
  This report lists the resources that the selected site server monitors.
■ Resources not monitored by RMS
  This report lists the resources that no site server monitors.
■ RMS by Monitored resources
  This report lists the site servers that monitor the selected resource.
Setting up credentials for agentless monitoring
You must set up credentials so that the Remote Monitoring Server (RMS) agent
can connect to the computers to be monitored. To set up credentials, use Credential
Manager, which is a component of the Symantec Management Platform.
See “Setting up a remote monitoring site server” on page 216.
Credential Manager provides a secure storage location for user names and
passwords. The types of credentials that are stored are defined by the installed
management solutions. Access to credentials is controlled using the built-in
role-based security of the Symantec Management Platform. When a credential is
created, only the creator is granted access. If other users need to perform
management operations requiring a credential, they must be assigned rights.
The credential manager agent package installs on a Notification Server as part
of the Symantec Management Platform. This enables the Notification Server
computer to access the credential store.
Connection Profiles and the Pluggable Protocols Architecture store the information
that is required to communicate with computers and other network devices using
standard network monitoring protocols. The Pluggable Protocols Architecture
unifies the configuration of protocols across the Symantec Management Platform.
Connection Profiles is a feature of the Symantec Management Platform that other
solutions and components in the Symantec Management Platform leverage. It
provides the ability to update and add protocols without requiring a wholesale
upgrade of all dependent solutions. These protocols include SNMP, WMI, WSMAN,
as well as several others.
Table 11-4: Process for setting up credentials for agentless monitoring

Step 1
  Action: Create protocol-specific credentials.
  Description: You use Credential Manager to add credentials specific to the
  protocol that is used for monitoring.
  See “Creating protocol-specific credentials” on page 223.

Step 2
  Action: Associate the credential with a connection profile.
  Description: You store the credential with the associated protocol in a
  connection profile.
  See “Associating credentials with a connection profile” on page 223.

Step 3
  Action: Discover resources to bind the connection profiles to them.
  Description: Connection profiles are associated with devices during network
  discovery.
  See “Discovering resources to which to bind connection profiles” on page 224.
Creating protocol-specific credentials
You use Credential Manager to add credentials specific to the protocol that is used
for monitoring.
See “Setting up credentials for agentless monitoring” on page 222.
To create credentials
1. In the Symantec Management Console, navigate to Settings > Monitoring
   and Alerting > Credentials Settings > Credential Management.
2. Click Add Credentials.
3. Select the type of credential from the list.
   The credential type must correspond to the protocol that is monitored in the
   agentless policy rules. For example, a policy containing rules that use HTTP
   would need HTTP credentials for monitoring.
4. Add a user name, password, and domain (if applicable).
5. Click Save.
Associating credentials with a connection profile
See “Setting up credentials for agentless monitoring” on page 222.
Connection profiles store the information that is required to communicate with
computers and other network devices using standard network monitoring
protocols. These protocols include SNMP, WMI, WSMan, and several others.
The credentials that are provided are stored securely by the credential manager.
If additional administrators need access to use a connection profile, they must be
granted rights to the credentials and to the connection profile. You can grant the
rights by editing the credential and the connection profile.
Typically, you should create a new connection profile for each segment of your
network that uses different network monitoring credentials. You can copy and
make changes to already existing connection profiles. This process is called
cloning.
To associate credentials with a connection profile
1. In the Symantec Management Console, navigate to Settings > Monitoring
   and Alerting > Protocol Management > Connection Profiles > Manage
   connection profiles.
2. Click Add settings, and provide a name for the new profile.
3. Click the arrow next to any protocols that you want enabled and provide the
   required protocol details.
4. At the upper right, next to the protocols you want enabled, click the colored
   circle, and then click On.
5. Click OK to save your changes.
Discovering resources to which to bind connection profiles
See “Setting up credentials for agentless monitoring” on page 222.
In order for the RMS Agent to connect to a resource using a specific protocol, the
connection profile must be bound to that resource. Running a network
discovery task achieves that goal. It binds the computers that are specified in the
IP range to the connection profile that is used in that network discovery task. It
establishes the association between a resource and the connection profile to be
used. This “resource-to-connection-profile association” is needed for a resource
to be monitored in an agentless manner, using any of the following agentless
metric sources:
■ HTTP
■ SNMP
■ WMI
■ WS-MAN
Connection profiles are associated with devices during network discovery. During
discovery, a connection profile is selected to define the protocols and credentials
to use. When discovery completes, this connection profile is then associated with
each discovered resource. When information is required, the associated connection
profile is used to connect.
To discover resources to which to bind connection profiles
1. In the Symantec Management Console, navigate to Home > Discovery and
   Inventory > Network Discovery.
2. Click Launch Discovery Wizard.
3. Specify an IP address range of resources you want to monitor in an agentless
   manner and click OK.
4. Select a connection profile and click Finish.
The resources are now discovered, based on the connection profiles. The associated
protocols and credentials are bound to the resources.
The PPA Agent (as leveraged by the RMS) uses a stored procedure
(dbo.sp_PPA_GetResourceIPAddressList) to obtain a list of IP addresses by resource
GUID. Depending on the protocol, either the “primary” (best IP available) is used,
or all IP addresses are used. IP addresses in the Network Discovery tables take
precedence, but basic inventory tables are also called to obtain IP address
information.
If Network Discovery has not been run against the resource, the “default
connection profile” is used. In that case, basic inventory that is gathered by the
Symantec Management Agent is referenced for available IP address information.
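
The credential rights and connection-profile binding described in the preceding sections can be modeled in a few lines. This is an added example, not Symantec code: the class and function names, the CIDR form of the IP range, the creator-only default on connection profiles, and the choice of the first address as "primary" are assumptions, and all sample names, GUIDs, and addresses are constructed.

```python
"""Toy model of credential rights and connection-profile binding (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Credential:
    name: str
    protocol: str                      # "HTTP", "SNMP", "WMI" or "WS-MAN"
    creator: str
    granted: set = field(default_factory=set)

    def __post_init__(self):
        self.granted.add(self.creator)  # only the creator has access at creation


@dataclass
class ConnectionProfile:
    name: str
    creator: str
    credentials: dict = field(default_factory=dict)   # protocol -> Credential
    granted: set = field(default_factory=set)

    def __post_init__(self):
        self.granted.add(self.creator)  # assumption: same creator-only default

    def associate(self, credential):
        self.credentials[credential.protocol] = credential

    def usable_by(self, user, protocol):
        """A user needs rights to the profile AND to the credential it stores."""
        cred = self.credentials.get(protocol)
        return cred is not None and user in self.granted and user in cred.granted


class Platform:
    def __init__(self, default_profile):
        self.default_profile = default_profile
        self.bindings = {}         # resource GUID -> ConnectionProfile
        self.discovery_ips = {}    # resource GUID -> IPs seen by Network Discovery
        self.inventory_ips = {}    # resource GUID -> IPs from basic inventory

    def run_discovery(self, ip_range, profile, responding_hosts):
        """Bind each responding host inside ip_range to the task's profile."""
        network = ipaddress.ip_network(ip_range)
        bound = []
        for guid, ip in responding_hosts.items():
            if ipaddress.ip_address(ip) in network:
                self.bindings[guid] = profile
                self.discovery_ips.setdefault(guid, []).append(ip)
                bound.append(guid)
        return sorted(bound)

    def profile_for(self, guid):
        # Without a discovery binding the default connection profile applies.
        return self.bindings.get(guid, self.default_profile)

    def ip_list(self, guid, all_addresses=False):
        """Discovery addresses take precedence over basic-inventory addresses."""
        ordered = []
        for ip in self.discovery_ips.get(guid, []) + self.inventory_ips.get(guid, []):
            if ip not in ordered:
                ordered.append(ip)
        # Assumption: the "primary" address is the first one in precedence order.
        return ordered if all_addresses else ordered[:1]

    def connection_plan(self, guid, protocol, user):
        """Return (profile, credential, IPs) or None if monitoring cannot connect."""
        profile = self.profile_for(guid)
        if not profile.usable_by(user, protocol):
            return None
        return (profile.name, profile.credentials[protocol].name, self.ip_list(guid))


def build_demo():
    """Constructed sample data: names, GUIDs and addresses are placeholders."""
    snmp = Credential("snmp-readonly", "SNMP", creator="alice")
    default = ConnectionProfile("Default Connection Profile", creator="alice")
    dmz = ConnectionProfile("dmz-profile", creator="alice")
    dmz.associate(snmp)
    platform = Platform(default)
    platform.inventory_ips = {"guid-esx1": ["198.51.100.7"], "guid-app2": ["198.51.100.9"]}
    bound = platform.run_discovery("192.0.2.0/24", dmz, {"guid-esx1": "192.0.2.10"})
    return platform, dmz, snmp, bound


if __name__ == "__main__":
    platform, dmz, snmp, bound = build_demo()
    print("bound by discovery:", bound)
    print("alice:", platform.connection_plan("guid-esx1", "SNMP", "alice"))
    print("bob:", platform.connection_plan("guid-esx1", "SNMP", "bob"))
    print("undiscovered host:", platform.connection_plan("guid-app2", "SNMP", "alice"))
```

In this model a second administrator gets a usable plan only after being granted rights to both the profile and the credential, and a resource that was never discovered falls back to the default profile, which here carries no SNMP credential.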
About scalability best practices for Monitor Solution
When implementing Monitoring and Alerting as part of Server Management
Solution, the following items should be reviewed:
■ Number of managed/monitored nodes or resources.
■ All Agent versions are up-to-date.
■ Number of enabled monitor packs/policies.
■ Metric polling interval
■ Configuration settings and data performance
■ Purging settings
■ CMDB database growth and Monitor table size
For more information about recommended settings for these items, see the article
at the following URL:
https://www-secure.symantec.com/connect/downloads/monitor-solution-best-practice-guide
Suggested scalability configuration and values for Monitoring and Alerting:
■ Number of Monitored Resources: 1500 per Symantec Management Platform
■ Agent Based: 1500 resources
■ Agent Less: 500 resources per Remote Monitoring Server RMS
■ Number of metrics: 40 total per server
■ Polling Interval: default
■ Data Collection: Record Process Value: default
■ Turn Off most machines: suggest separating them into classes/different
  configuration policies
■ Server Settings: Purging Detailed Data Numeric: default
Chapter 12: Event Console
This chapter includes the following topics:
■ About alerts
■ About alert management
■ About Event Console alert filters
■ Filtering alerts
About alerts
Alerts are the status messages that contain information about device or network
health. Computers and many other devices can generate status messages using
standard monitoring protocols, such as SNMP. The Symantec Management
Platform collects and tracks these status messages.
Each status message that is received is converted from its native format into a
common format that is called an alert. During conversion, alerts are associated
with the affected resource in the CMDB and are assigned a severity and a status.
Severity ranges from normal to critical, and alert status can be new, acknowledged,
or resolved.
Alerts from multiple protocols are displayed using common severity and status.
All received alerts are displayed in the Event Console.
See “About Event Console alert filters” on page 228.
About alert management
Alert management shows a consolidated view of device health across your network.
You can view health by network layout, organizational group, or by directly
monitoring the list of received alerts in the Event Console.
The Event Console reduces the need to maintain separate tools to monitor
computers, software, printers, and other devices. The Event Console collects SNMP
traps and other status messages and displays them in a single location. All status
messages are converted to a common format that links each received message to
the affected resource in the CMDB. These formatted messages are called alerts.
See “About alerts” on page 227.
Advanced search features let you find specific alerts or groups of alerts quickly,
using search operators similar to those found in common applications.
The Event Console also provides a rule-based triggering system that lets you
process alerts in the following ways by creating alert matching rules:
■ Discard specific alerts from the database.
■ Forward alerts to another management system.
■ Execute task server tasks in response to specific alerts.
■ Initiate a workflow in response to specific alerts.
About Event Console alert filters
The Event Console in Symantec Management Platform displays alerts in a grid
layout. This grid may contain thousands of alerts. Alert filters let you sort the
alerts so that you can analyze and manage them. You access this grid from
Symantec Management Console when you click Manage > Events and Alerts.
The Event Console in Symantec Management Platform contains several rule types
that represent automated, event-based actions. The rule types include discarding,
forwarding, task, and workflow rules. Discarding rules filter and discard matching
alerts. Forwarding rules forward a Simple Network Management Protocol (SNMP)
trap to a downstream listener. Task rules initiate Symantec Management Platform
task server tasks. Before version 7.1 of the platform, a direct way to initiate a
deployed workflow process was unavailable. With the addition of a workflow rule
in version 7.1 of the Event Console, an event can automatically start a workflow
process. This workflow process can pass along valuable event data.
Previous versions of the platform let you filter alerts into manageable subsets.
However, before version 7.1 you did not have the option to save and re-use those
filters. Beginning with version 7.1, you can create, save, and re-use filters.
See “About alerts” on page 227.
A new function with version 7.1 now lets you use advanced filters to manage
alerts. The advanced filter function is available from the Event Console grid.
The following alert filtering tools are available on the main Event Console page:
■ A drop-down list of predefined filters. You can click Actions to see a list of
available filtering actions. You can also search by one of the following alert
criteria:
   ■ Alerts in last 24 hours
   ■ Alerts in last 7 days
   ■ Critical Alerts in last 24 hours
   ■ Critical Alerts Only
   ■ Exclude Informational Alerts
   ■ Exclude Monitor Alerts
   ■ Informational Alerts Only
   ■ Major Alerts Only
   ■ Monitor Alerts Only
   ■ Normal Alerts Only
   ■ Undetermined Alerts Only
   ■ Warning Alerts Only
■ A color-coded, left-click Status Progress Bar control. This control lets you see
the number of alerts by severity level, as follows:
   Violet – Undetermined
   Yellow – Warning
   Orange – Major
   Green – Normal
   Blue – Informational
   Red – Critical
You can access the color-coded status progress bar control using a left-mouse
click. This bar appears in the Alerts pane. When you click a color section on
the status bar, the grid view changes. The view shows only those alerts that
match the severity level of the color that you clicked. For example, if you click
yellow on the status bar, then the grid shows alerts with severity Warning.
After you filter by severity level, you may have to select Exclude Informational
Alerts or Monitor Alerts Only to see the complete list of alerts again.
See “Filtering alerts” on page 230.
■ A status bar that presents the following icons:
   ■ Details. Opens the Alert Details dialog box for the selected alert.
   ■ Acknowledge. Lets you acknowledge a selected alert. In the State column,
   a blue flag indicates an acknowledged alert.
   ■ Resolve. Flags the selected alert with a check mark in the State column.
   When you right-click a resolved alert, you can view alert details. You can
   also view the available rules for discarding the alert or open the Resource
   Manager in a new window.
   If you click Discarding Rules with a resolved alert selected, you can create
   a global discard filter rule or create a resource discard filter rule.
   ■ Actions. When you select an alert and click the down-arrow next to this
   icon, you see the options that were listed previously in this list. You also
   see one addition.
   When you click any alert, you can manage it by changing its severity to
   any of the following:
      ■ Major
      ■ Warning
      ■ Informational
      ■ Undetermined
      ■ Normal
      ■ Critical
■ An Alert Filter Settings page for managing the filters that you save and reuse.
A tool icon next to the predefined filters drop-down list opens the Alert Filter
Settings page. This page is where you can create filters and save them for
re-use.
■ A search field that lets you enter custom search criteria.
The magnifying glass icon next to the search field opens the Advanced Search
pane.
Filtering alerts
The Event Console grid can contain thousands of alerts, which you can filter. If
the alerts that you expect to see are not displayed, they may be hidden, or a filtering
rule has blocked them. For example, some administrators prefer to hide warning
alerts.
See “About Event Console alert filters” on page 228.
In the Event Console, the default filter is Exclude Informational Alerts. When you
open the alert grid, this default filter is applied. Any time you click the Refresh
icon in the browser window, the selected filter is reset. You can also clear filters
and select new ones.
To filter alerts
1. In the Symantec Management Console, on the Manage menu, click Events
and Alerts.
If the filter you see in the filter drop-down box is not the one you want to use,
perform the next step.
2. (Optional) In Event Console click the X icon to the right of the filter drop-down
box, or delete the filter text from the box.
The alerts are cleared from the grid, and Select a filter appears in the
drop-down box.
3. Click the down-arrow next to the drop-down box to select a different filter.
As soon as you select a different filter from the drop-down list, the grid view
changes. It shows only the alerts that pertain to the selected filter. You can
click any other control on the page, except Refresh, and the filter that you
chose remains active. If you need to view alerts for more than one filter, you
can open multiple instances of Event Console. You then select a different
filter in each window.
Chapter 13. Historical and Real-Time Monitoring
This chapter includes the following topics:
■ About the Monitoring and Alerting home page
■ Viewing historical performance data
■ Viewing real-time performance data
■ Viewing Monitor Solution reports
■ Viewing the Monitor Alerts dashboard
■ Generate a report on Monitor Solution metrics, trends, alerts, and actions
■ Generating ad-hoc reports with the IT Analytics Monitor Metrics cube
About the Monitoring and Alerting home page
Monitor Solution lets you monitor the state of your entire enterprise in a single
view through the Monitoring and Alerting home page. The home page makes it
easy to check and ensure that all monitored computers and applications function
properly.
The Monitoring and Alerting home page includes the following Web parts:
■ Launch Performance Viewer – Used to enter the name of a computer and run
the performance viewer.
See “Viewing real-time performance data” on page 235.
■ Monitored Resources by Status – Shows a chart of monitored resources. The
chart is organized according to severity status. The state of a computer is the
most severe state of any triggered rule on the computer.
For example, if one rule state is warning and another is critical, the overall
state of the computer is critical. If all rule states are normal, and then one rule
state changes to warning, the computer state is set to warning. This Web part
also shows computers with the Monitor Plug-in installed. You can select a
computer and launch the Performance Viewer, the Resource Manager, or the
Event Console.
■ Monitor Site Servers Status – Shows a list of Monitor Site Servers and their
Status.
■ Group View - Aggregate health by resource – Shows the aggregate health of
the devices and computers in your organizational groups.
■ Event Console – Shows a consolidated view of all alerts that are raised.
Viewing historical performance data
The historical performance viewer is a console included with Monitor Solution
that lets you view historical performance data. Historical data is available from
both the Monitor Plug-in and the Remote Monitor Server.
To view historical performance data
1. In the Symantec Management Console, on the Actions menu, click Monitor
> Historical.
2. Click the icon next to the Device field, and select a device that has historical
data.
3. In From and To, specify the time period for which you want to view data.
The time period that you specified in From and To may contain no data in
the beginning or at the end of the period. In this case Summarized View
shows only the actual time when the data is available. The empty time line
with no data in the beginning or at the end of the chart is not displayed.
4. To specify the metric data that you want to view, click Metrics, and use the
Available Metrics dialog box, and then click OK.
5. In the Summarized View, drag the mouse across the graph to specify a range
that you want to view.
6. In the Detailed View, select a point on the graph.
If available, the data that was last gathered for the selected point is displayed
in the following sections: Processes, Events, Ports, and Text Data. The
Metrics section continues to display the average, minimum, and maximum
values for the whole range of data that is displayed in the Detailed View.
However, the Last Value and Last Time columns in the Metrics section display
the value at the selected point. If the selected point has no value, these
columns display the value that precedes this point. If no value is available
for the metric in the Detailed View, the Last Value and Last Time columns
are left blank in the Metrics section.
See “Viewing real-time performance data” on page 235.
Viewing real-time performance data
The Performance Viewer is a console included with Monitor Solution that lets
you view real-time performance data. Performance data is available from both
the Monitor Plug-in and the Remote Monitor Server.
To view real-time performance data
1. In the Symantec Management Console, on the Home menu, click Monitoring
and Alerting.
2. In the Launch Performance Viewer Web part, either enter a name of the
computer or use the computer browser to choose a computer.
3. In the Registered Metrics dialog box, select the metric data that you want
to monitor, and then click OK (the limit is 50).
The performance viewer begins monitoring the computer and displays the
following information:
   ■ Graph – Displays graphical performance data. The data is scaled to fit
   within the limits of the graph. If you place the mouse pointer over a point
   on a graph line, the monitored metric data displays next to the mouse
   pointer. If you monitor multiple instance metrics, each instance has a
   separate graph line. You can use the select metrics option to monitor
   different metrics.
   ■ Metrics – The metrics section displays all numeric metric data that is
   monitored.
   ■ Processes – Displays the processes currently running on a monitored
   computer.
   ■ Events – Displays all Windows NT event data.
   ■ Ports – Displays the status of the monitored ports on the computer.
   ■ Text Data – Displays the retrieved text data for command, custom DLL,
   custom COM object, WS-MAN, SNMP, SQL, and string-type Windows
   Management Instrumentation (WMI) metrics. The predefined WMI metrics
   are the only metrics that collect this type of data. If you create or use a
   custom DLL, COM object, SNMP, or command metric that retrieves this
   data, it is also displayed in this section.
See “Viewing historical performance data” on page 234.
Viewing Monitor Solution reports
Monitor Solution includes several reports that let you view data about your
monitored computers.
See “About the Monitoring and Alerting home page” on page 233.
To view Monitor Solution reports
1. In the Symantec Management Console, on the Home menu, click Monitoring
and Alerting.
2. In the left pane, click Monitoring and Alerting > Monitor > Reports.
3. Browse through the folders and click the report that you want to view.
Viewing the Monitor Alerts dashboard
After IT Analytics Solution is installed and configured, you can view any
dashboards in Symantec Management Platform. For more information, see the
IT Analytics Solution 7.1 SP2 from Symantec User Guide at the following URL:
http://www.symantec.com/docs/DOC4837
See “Generate a report on Monitor Solution metrics, trends, alerts, and actions”
on page 238.
See “Generating ad-hoc reports with the IT Analytics Monitor Metrics cube”
on page 240.
The dashboard displays the following information:
■ Alerts by category (such as memory, heartbeat, network, processor)
■ Alerts by severity level (critical, major, normal, warning)
■ The most active rules that generate alerts (lists the rules that cause the most
problems)
To view the Monitor Alerts dashboard
1. In the Symantec Management Console, navigate to Home > Monitoring and
Alerting > Monitor.
2. Click IT Analytics Monitor Alerts Dashboard.
3. View the output, similar to the following screenshot:
Generate a report on Monitor Solution metrics, trends, alerts, and actions
After IT Analytics Solution is installed and configured, you can create IT Analytics
reports in Symantec Management Platform. For more information, see the IT
Analytics Solution 7.1 SP2 from Symantec User Guide at the following URL:
http://www.symantec.com/docs/DOC4837
See “Generating ad-hoc reports with the IT Analytics Monitor Metrics cube”
on page 240.
See “Viewing the Monitor Alerts dashboard” on page 236.
IT Analytics reports combine metrics, trends, alerts, and actions. They let you see
what occurs with a particular metric over a period of time.
The report shows the following information:
■ How the metric trends over time
■ Any alerts that were triggered
■ Any remediation tasks that resolved the alert
■ Notifications that were generated
■ Details on individual timestamps
To generate the Monitor Metrics Trend report
1. In the Symantec Management Console, navigate to Home > Monitoring and
Alerting > Monitor.
2. Select IT Analytics reports, then select the Monitor Metrics Trend report.
3. Select a date.
4. Select a computer resource.
5. Select a metric value, such as Available memory in MB.
6. Run the report.
7. View the output, similar to the following screenshot:
Generating ad-hoc reports with the IT Analytics Monitor Metrics cube
After IT Analytics Solution is installed and configured, you can create IT Analytics
reports in Symantec Management Platform. For more information, see the IT
Analytics Solution 7.1 SP2 from Symantec User Guide at the following URL:
http://www.symantec.com/docs/DOC4837
See “Generate a report on Monitor Solution metrics, trends, alerts, and actions”
on page 238.
See “Viewing the Monitor Alerts dashboard” on page 236.
IT Analytics Monitor cubes allow for quick ad-hoc reporting and data mining from
the data that is collected by Monitor Solution. IT Analytics currently ships with
one Monitor Solution-related cube that supports UNIX/Linux environments, the
Monitor Metrics cube.
The cube lets you do the following:
■ Build a report by selecting tables and attributes, such as computer count, alert
count, action count, computer name, OS, event category, severity level, and
event message.
■ Drill down into the computer and the OS, and see all the categories of alerts.
■ Drill down on the alert categories, such as memory alerts and their severity.
■ Turn this report into a chart for a graphical presentation.
■ Drag and drop different report elements and refine the report ad hoc.
The following screenshot is an example of what this report might look like.
Section 4. Process Automation
■ Chapter 14. Built-in Workflow capabilities
Chapter 14. Built-in Workflow capabilities
This chapter includes the following topics:
■ About Symantec Workflow integration with UNIX and Linux clients
■ Pieces of Symantec Workflow
■ What you can do with Symantec Workflow
■ Executing scripts on UNIX and Linux systems through SSH
■ About Process Manager reporting
About Symantec Workflow integration with UNIX and Linux clients
Symantec Workflow is a security process development framework that you can
use to create both automated business processes and security processes. These
processes provide for increased repeatability, control, and accountability. At the
same time, Workflow lets you reduce your overall workload.
The Symantec Workflow framework also lets you create Workflow processes that
integrate Symantec tools into your organization's unique business processes.
After Workflow is deployed, Workflow processes can respond automatically to
environmental variables. Workflow processes can also allow for human interface
points when a process calls for someone to make a decision with accountability.
The applications that you design can create human interaction through a variety
of user interfaces. You can create human interaction through email, Web forms,
handheld devices, or a task list.
See “What you can do with Symantec Workflow” on page 250.
Workflow is included as part of Altiris Server Management Suite from Symantec.
The Workflow Installer is available as a download from Symantec Management
Console on the Manage > Workflows menu.
Symantec Workflow runs natively on Windows Server. The best practice is to
install Workflow onto a separate server computer that runs Windows Server
software rather than installing it on the platform server. Refer to the Symantec
Workflow Installation and Configuration Guide for information about where and
how to install Workflow.
Although Workflow does not run natively on UNIX or Linux platforms, it can
integrate with UNIX/Linux client computers on your network through the following
methods:
■ Symantec recommends that you use an intermediary platform such as
Symantec Management Platform to run the tasks that are part of a Workflow
project. This method is the best practice.
Through the platform Administrator Software Developer Kit (ASDK), you can
design Workflow projects to coordinate platform activities and tasks. This
coordination lets you perform actions on UNIX and Linux client computers as
part of the Workflow project. Such actions can include but are not limited to
running scripts, collecting data, or deploying patches and software. In this
way, Workflow orchestrates activities on UNIX and Linux clients as well as
Windows clients.
For information about using the ASDK to integrate with Symantec Management
Platform, see the ASDK documentation. This documentation was installed on
your computer when you installed the ASDK. The documentation is a
stand-alone CHM file. Double-click the file to open and browse it.
■ Workflow can communicate through the applications that are hosted on UNIX
and Linux systems if those applications include the necessary integration
points. Integration points include an API, a Web services layer, or an ODBC
layer. The applications must follow the protocols with which Workflow can
communicate, including XML and flat files. Refer to the Symantec Workflow
User Guide for communication layer options.
■ If a Workflow project requires that actions be performed on a computer on
which the Symantec Management Agent cannot be installed, you have one
option. You can use a non-secure integration method.
Warning: This method is not secure and is not a best practice. However, you
may find it necessary to execute scripts if no agent is available to do so.
Ideally, you use the Symantec Management Agent to run scripts and commands
because the agent method is secure. However, Workflow can execute commands
without the agent. Workflow can execute scripts on a UNIX or Linux client
through Secure Shell (SSH) if that client does not have Symantec Management
Agent installed.
If a Workflow project requires that actions be performed on a computer where
an agent cannot be installed, the script method provides a workaround. One
scenario in which you might need this workaround is if actions need to be
performed on a server. To use this method, you must pass the credentials to
run the command at the same time that you run the command.
See “Executing scripts on UNIX and Linux systems through SSH” on page 252.
See “Pieces of Symantec Workflow” on page 247.
Pieces of Symantec Workflow
When you install Symantec Management Platform in your environment, the
Symantec Workflow Installer is installed on the platform server. You find the
installer in the console under Manage > Workflows.
Workflow comprises the following pieces of software that you install as you run
the Workflow Installer:
■ Workflow Manager and Workflow Designer
■ Workflow Server
■ Process Manager
■ Client tools
Table 14-1 Pieces of Workflow
Piece: Symantec Workflow
Description:
The Symantec Workflow installer is installed with the Symantec
Management Platform server.
The best practice is to download the installer and run it on a separate
server computer that has Windows Server installed on it. The installer
is an executable file that you run on the computer on which you want
to install Workflow.
In Symantec Management Console, you can view Workflow reports.
Workflow integrates Workflow Designer and Workflow Server with
the platform. This integration lets Workflow interact with Notification
Server, the central piece of the platform. Integration also lets Workflow
interact with the suites that run on the platform. In this example, a
Workflow process can cause Notification Server to create the tasks
that the installed suites can use.
The Workflow Enterprise Management page in Symantec Management
Console lets you manage Workflow Environments, Workflow Servers,
and published Workflow projects.
Piece: Workflow Manager
Description:
Workflow Manager is the repository of Workflow projects and the
starting point for creating and modifying projects.
Piece: Workflow Designer
Description:
Workflow Manager lets you create, edit, open, and manage projects.
Workflow Manager also lets you configure certain project settings;
for example, you can manage tool preferences and computer
information. These settings are available in the Tools menu.
Any time you open or create a project, that project opens automatically
in the Workflow Designer piece of Symantec Workflow. Workflow
Designer is the tool that you use to design Workflow projects, which
are typically a series of connected processes. The Designer contains
pieces of the code that are called components. You use these
components to build processes and connect them into a single project
that you publish to Workflow Server.
You should install Workflow Designer on a computer other than the
Symantec Management Platform host.
Piece: Workflow Server
Description:
Workflow Server is not a standalone server computer; rather, it is a
process that runs in the background of each Workflow piece that you
install. Workflow Server manages published workflow projects. It is
the execution engine (or runtime engine) for all published processes.
Workflow Server is automatically installed on any computer with
Workflow Designer.
A common installation scenario is to install Process Manager,
Workflow Manager, and Workflow Designer on a designated server
computer. You should install Workflow on any server to which you
want to publish workflow projects. You can install on a designated
server, on your local server, or both.
Piece: Process Manager
Description:
The Process Manager piece of Workflow is a Web portal for managing
the various parts of a workflow process. These parts include tasks,
documents, data, and so on. You use Process Manager to interact with
and manage the published processes that include human interaction.
Process Manager can be integrated with Active Directory for user
authentication, proper access control, and user management.
The following list describes some of the functions of Process Manager:
■ Lets you view and manage tasks.
■ Lets you view reports on the processes that are running.
■ Lets you store documents, articles, and schedules to share.
■ Lets you change pages, symbols, Web parts, and so on to create an
interface that works for you.
■ Lets you add new pages to Process Manager that embed Process
Manager content or content from the Web or other servers.
Process Manager should be installed on a central Process Manager
server.
Piece: Client tools
Description:
Workflow client tools are support applications for Workflow.
The following client tools are available:
■ Business TimeSpan Editor
Manages the information about the work hours and holidays for
your organization.
■ Credentials Manager
■ Critical Errors Viewer
■ License Status Manager
■ Local Machine Info Editor
■ Log Viewer
■ Messaging Console
■ Screen Capture Utility
■ Server Extensions Configurator
■ Task Tray Tool
■ Tool Preferences Editor
■ Web Forms Theme Editor
Lets you create new themes for the Web forms that you can use in
form components (for example, Form Builder).
■ Workflow Explorer
You do not need to install all of the pieces of Workflow on the same computer.
For information about installation configuration in your organization, see the
Symantec Workflow Installation and Configuration Guide.
See “About Symantec Workflow integration with UNIX and Linux clients”
on page 245.
What you can do with Symantec Workflow
You can use Workflow to create and implement an endless number of workflows
to automate business processes. You can create applications for a variety of
purposes. You can monitor hardware or software systems, manage communication,
and manage data analysis and delivery from databases or other sources. You can
also execute complex logic and use the functions of other tools (including any
Web service).
In many cases, business processes may be specific to UNIX or Linux systems. In
other cases, processes are OS-agnostic. You can use the same Workflow project
to run UNIX and Linux devices that you use to run Windows devices. You use the
same workflow by making decisions in a Workflow process to call the agents to
run a Workflow task.
The ability to manage human interactions in a business process is one of the most
useful functions of Workflow. You can insert human interaction points in key
places while you leverage the data and existing solutions that are available through
the Symantec Management Platform. A component in the Workflow process
controls each point of interaction with a person or a technology. This interaction
can include communicating with a database or creating a task in Process Manager
or SharePoint. It can also include almost any supporting or third-party technology
necessary to accomplish the goal.
You can create the applications that work with Process Manager. Your applications
can work with many of the parts of Process Manager. For example, you can use
task management, knowledge base, document management, scheduling, reporting,
workflow tracking, and user management with Process Manager. You can create
a Workflow project and publish it to Process Manager so you can invoke it and
manage it in Process Manager. You can set up Workflow projects to create tasks
in Process Manager that users see in their task lists. You can also manage servers.
Table 14-2 What you can do with Symantec Workflow
Use case: Make data actionable.
Example: Almost every enterprise-level application creates thousands
of records of data. Use Workflow to manage that data by
exception within a defined process.
Use case: Automate manual tasks.
Example: Use Workflow as a run book to automatically execute scripts,
procedures, Web services, or tasks to reduce manual effort.
Use case: Extend an existing application
Example: Use Workflow to create and manage specific access to an
existing application beyond the application's intended uses.
Use case: Integrate disparate user groups and applications.
Example: User groups include administrators and end users.
Use Workflow to integrate several disparate user groups
and applications to transform a series of discrete products
into a single, comprehensive business solution.
Use case: Control processes.
Example: Use the Workflow auditing and reporting framework to
integrate control and accountability into your IT security
and business processes.
See “About Symantec Workflow integration with UNIX and Linux clients”
on page 245.
Executing scripts on UNIX and Linux systems through SSH
You can execute scripts on a UNIX or Linux system by using Secure Shell (SSH)
rather than Symantec Management Platform. Running scripts through SSH is
not as secure as executing tasks through an agent. For this reason it is not a best
practice; however, in some cases you may need to use this method.
See “About Symantec Workflow integration with UNIX and Linux clients”
on page 245.
Warning: Use this method with caution. Use it only if you must execute scripts
and no agent is available to do so.
The following options let you run scripts:
■ Execute Symantec Management Platform tasks from within Workflow.
In a Workflow project, you call a task. That task can run on client computers
on any platform, including UNIX and Linux.
See "Working with tasks" in the Symantec Workflow User Guide.
■ Run scripts directly through SSH.
You can run dynamic commands against a UNIX or Linux server from a
Workflow process. The commands are run using the SSH protocol by the
command-line plink.exe from Quest. This method secures all communications
between the Workflow and UNIX servers.
The following procedure describes how to run a UNIX command on the target
server, illustrating the flexibility of Workflow to interact with non-Windows
environments.
To run scripts through SSH
1. On the Workflow Server computer, download the Putty 0.60_q1.129 MSI file
from the following location:
http://rc.quest.com/downloads.php?release=Quest-PuTTY-0.60_q1
This installer lays down plink.exe and starts the installation wizard
automatically. The plink executable file is a command-line SSH tool through
which you can run SSH commands from Workflow.
2. Complete the installation wizard.
3. Browse to C:\Program Files\Quest Software\PuTTY and check that the
version of the plink.exe file is correct. To check the file, right-click it and then
click Properties. On the Details tab, next to Product version you see the
product version listed.
4. Copy the location of the plink file, open a command prompt, and change the
directory to the location of the plink file. To register the computer as a
trusted connection, enter plink <user name on the UNIX computer with which
you want a trusted connection>@<IP address> at the command line.
5. After the command prompt, enter y. Entering the y command stores the key
in the cache and adds the computer as a permanent trusted connection. If
you initiate a non-interactive session, enter this command for any server
with which you want to create a trusted connection.
6. In Workflow Manager, click File > New to create an empty Web forms project
and build your workflow.
7. After you build the workflow, add a Merge Text component. This component
lets you merge all of the information that your workflow collects into a plink
command line.
8. Name the component, and next to Merge Data click the ellipsis (…). In the
String Formatter, enter the following text and click OK:
-ssh <Server IP variable> -l <User Name variable> -pw <Server Password variable> -no_in <Command variable>
You enter -no_in so that the workflow does not pass in any standard input.
If you use this command and have the wrong version of plink, you receive an
error message when you attempt to run this workflow.
9. Continue building the workflow. Then debug it and publish it.
When you use this method, ensure that each app pool user is given rights to
run plink.exe from its location on the Workflow Server.
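The template in step 8 merges four workflow variables into one plink command line, so each variable should be checked before it is merged. The following Python sketch is an added example, not part of the Symantec guide or of Workflow itself; the function names, the user-name pattern, and the command allow-list are assumptions chosen for illustration.

```python
import ipaddress
import re

# Hypothetical allow-list: the only remote commands this workflow may run.
ALLOWED_COMMANDS = {"uptime": "uptime", "disk_usage": "df -k"}
# Assumed account-name policy for the UNIX and Linux targets.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_plink_args(server_ip, user_name, password, command_key):
    """Build the argument list for the template from step 8:
    -ssh <Server IP> -l <User Name> -pw <Server Password> -no_in <Command>
    Every field is validated so that none of them can be read as another
    plink option or as a second command."""
    ip = str(ipaddress.ip_address(server_ip))  # ValueError unless a bare IP address
    if not USER_RE.fullmatch(user_name):
        raise ValueError("unexpected characters in user name")
    if not password or any(ord(c) < 32 for c in password):
        raise ValueError("empty password or control characters in password")
    if command_key not in ALLOWED_COMMANDS:
        raise ValueError("command is not on the allow-list")
    return ["-ssh", ip, "-l", user_name, "-pw", password,
            "-no_in", ALLOWED_COMMANDS[command_key]]


def redact(args):
    """Return a copy of the argument list that is safe to log: the value
    that follows -pw is masked."""
    out = list(args)
    if "-pw" in out[:-1]:
        out[out.index("-pw") + 1] = "********"
    return out
```

Hand the list to the process launcher as separate arguments, for example subprocess.run([plink_path, *args]), rather than as one merged string, and log only the output of redact().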
About Process Manager reporting
Symantec Workflow includes a built-in auditing and reporting framework. The
reporting feature in Process Manager lets users access Process Manager data in
the form of predefined reports. Users can also create custom reports.
Note: If you want to report about something in the Symantec Management Platform
infrastructure, use the platform reporting capability that is found in Symantec
Management Console. The Workflow reporting framework that is built in to
Process Manager reports about the state and status of Workflow projects.
The main Process Manager reporting features are as follows:
■ The predefined reports that are installed with Process Manager meet the ITIL
needs of many users.
■ Predefined reports can be easily customized by copying a report and changing
a few items so that the new report meets your exact needs.
■ A wizard interface is used to create new reports. The wizard eliminates the
need to use SQL for report creation.
■ All reports can be included on portal pages and dashboards, and the size and
placement of the report is customizable by the administrator.
■ During report creation, you can add run-time filters to the report definition.
Run-time filters allow users to scope the reports based on the data that they
want to see.
■ All reports can be configured to represent Process Manager data in a graphical
format.
Reports are easily customizable and can contain any Process Manager data.
For information about using the reporting feature, see the chapter titled "Reporting
in Process Manager" in the Symantec Workflow User Guide.
Section 5
Centralized management
■ Chapter 15. Topology View
■ Chapter 16. Remote Management
■ Chapter 17. Package server for Linux
Chapter 15
Topology View
This chapter includes the following topics:
■ About Portal page
■ Accessing the Portal page
■ About Topology View Web part
■ Viewing network topology
About Portal page
Portal page consolidates the key information about your network resources into
a single view. The Web parts on the Portal page let you monitor the state of your
computers and view the inventory data. You can check the status of the recent
software deliveries and find out the number of the Microsoft patches that need
to be addressed. The network topology diagram provides you with an overview of
the physical structure of your network.
See “Accessing the Portal page” on page 257.
You can customize the Portal page according to your preferences. You can edit
and remove the predefined Web parts, or you can create new Web parts.
For more information, see the topics about editing portal pages in the Symantec
Management Platform User Guide.
Accessing the Portal page
Portal page provides you the key information about your network resources in a
single view. You can adjust the Portal page to display the Web parts that you find
the most useful.
See “About Portal page” on page 257.
To access the Portal page
1. In the Symantec Management Console, on the Home menu, click Portal.
2. (Optional) To customize the Portal page, click Edit.
About Topology View Web part
The Topology View Web part provides a view of the SNMP-enabled network
devices and the physical organization of your network. You see the status of all
the network devices that are connected to your network and you can access the
reports of each device.
Icons on the topology diagram let you identify the different SNMP-enabled network
devices that are found. Labels on the icon indicate the status of each device. You
can double-click the icon of the device to open the Event Console. When you
right-click the icon, you can access other reports of the device and run different
tasks.
In the Topology View Web part you can create groups and maps to document the
network, troubleshoot the subnets, or plan infrastructure expansions.
To view the topology diagram in the Topology View Web part, select the root
device for the network topology. Before you can select a device, you must collect
the data about the SNMP-enabled devices on your network. Use the Network
Discovery task to discover your network resources. Make sure that the connection
profile of the Network Discovery task has the SNMP turned on.
Network Discovery lets you find routers, switches, hubs, network printers, Novell
NetWare servers, and the computers that are running Windows, UNIX, Linux, and
Mac. The collected data is saved in the Configuration Management Database
(CMDB).
For more information, see the topics about discovering network devices in the
Symantec Management Platform User Guide.
Note: The Topology View Web part does not display the SNMP-enabled devices
that are discovered with the single device discovery task. When you create a
Network Discovery task to collect the data for the Topology View Web part, you
must set the range of the IP addresses that you want to discover.
The Topology View Web part is installed as a part of the .
See “Viewing network topology” on page 259.
Viewing network topology
You can view the network topology diagram on the Topology View Web part that
is displayed on the Portal page.
See “About Portal page” on page 257.
See “About Topology View Web part” on page 258.
Options on the toolbar let you edit the view and the layout of the topology diagram.
After you make the changes, you can save the network topology view for further
use.
To view the network topology
1. In the Symantec Management Console, on the Home menu, click Portal.
2. On the Topology View Web part, click Select device.
3. (Optional) Edit the settings of the network topology view.
Chapter 16
Remote Management
This chapter includes the following topics:
■ Methods for remotely managing UNIX/Linux servers
■ About Server Resource Manager Home page
■ Accessing Server Resource Manager Home page
Methods for remotely managing UNIX/Linux servers
You can remotely manage UNIX and Linux servers using a variety of tools and
methods.
Table 16-1 Remote management methods

| Remote management method | Description | Integrated with Symantec Management Platform? |
|---|---|---|
| VNC (Virtual Network Computing) | You can install VNC on your remote computer and then use it to connect to a host computer. In the console, go to Actions > Remote Management > Remote Control. From the Connect using drop-down list, select VNC server. | Yes |
| DRAC (DELL remote access controller) card | http://www.symantec.com/docs/HOWTO63438 | Yes |
| HP iLo | iLO stands for 'integrated Lights-Out' and is a hardware interface available in HP systems to remote control servers. http://www.symantec.com/docs/HOWTO63437 | Yes |
| xwindows, telnet, ssh | You can add these and other remote control options to the console through user-defined right-click actions. For more information, see the knowledge base article Adding user-defined actions to the context menu at the following URL: http://www.symantec.com/docs/HOWTO62815 | Possible |
| Altiris Out of Band Management Component from Symantec | For more information, see the Altiris Out of Band Management Component 7.1 SP2 from Symantec Implementation Guide at the following URL: http://www.symantec.com/DOC4687 | Yes |
| vPro | Covered by Altiris Out of Band Management Component from Symantec. | Yes |
| Symantec pcAnywhere Solution | Requires the installation of an agent on the UNIX/Linux server. For more information, see the Symantec pcAnywhere Solution User Guide at the following URL: http://www.symantec.com/docs/DOC4856 | Yes |
About Server Resource Manager Home page
The Server Resource Manager Home page consolidates the most relevant
inventory and monitoring data of a server resource into a single view.
On the Server Resource Manager Home page you see the attributes of the server,
and current disk utilization for all attached disks. You can view the different
health and performance reports of your server. For example you can view the
reports of processor, physical memory, disk I/O, network bandwidth, and disk
space utilization.
The Web parts display the data in real time or for the last 24 hours. The real-time
data is received directly from the managed computer. The historical data is taken
from the Configuration Management Database (CMDB). To see the report for a
period longer than 24 hours, click the historical diagram.
The Server Resource Manager Home page also lets you access all the functions
that are available in the Resource Manager.
For more information, see the topics about the Resource Manager functions in
the Symantec Management Platform User Guide.
You can access the Server Resource Manager Home page from the Resource
Manager.
See “Accessing Server Resource Manager Home page” on page 263.
The Server Resource Manager Home page is installed as a part of the .
To gather the data for the Web parts that are displayed on the Server Resource
Manager Home page, you must install the following agent and plug-ins on the
target computers:
■ Symantec Management Agent
■ Inventory Plug-in
■ Monitor Plug-in
You need to enable an Inventory policy and the Windows Server Performance
Health Monitor Policy and assign them to a resource before the Server Resource
Manager Home page is populated.
For more information, see the topics about preparing managed computers for
inventory in the Inventory Solution User Guide, and about preparing managed
computers for monitoring in the Monitor Solution User Guide.
Accessing Server Resource Manager Home page
The Server Resource Manager Home page includes the Web parts that provide
a quick overview of your server performance. Different reports let you easily check
and ensure that any of your Windows, UNIX, or Linux servers functions properly.
When you have selected the Server Resource Manager View for a resource, this
view is the default view for all resources.
See “About Server Resource Manager Home page” on page 262.
To access the Server Resource Manager Home page
1. In the Symantec Management Console, on the Manage menu, click Resource.
2. In the Select Resource dialog box, select the resource you want to manage,
and then click OK.
3. In Resource Manager, in the Custom View drop-down list, click Server
Resource Manager View.
Chapter 17
Package server for Linux
This chapter includes the following topics:
■ About package server for Linux
■ About integrating Apache Web Server with package server for Linux
■ About detecting the Apache Web Server
■ Requirements to configure package server and the Apache Web Server
■ Requirements to configure HTTPS and HTTP
■ Package server configuration example that uses main web directory for package
server links
■ Package server configuration example using an alias for package server links
About package server for Linux
To designate a Linux computer as a package server, ensure that the computer is
running the following software:
■ Symantec Management Agent 7.1 for UNIX, Linux, and Mac
This agent was previously known as the Altiris Agent for UNIX and Linux.
Symantec Management Agent for UNIX, Linux, and Mac runs on a managed
computer. That agent must match the version of the agent that is installed on
the Notification Server computer in Symantec Management Platform. If the
agent on the managed computer is older than the agent on Notification Server,
upgrade it. After the agent is upgraded, the managed computer can become a
package server.
■ Apache Web Server version 2.0 or 2.2
See “About integrating Apache Web Server with package server for Linux”
on page 266.
The following server platforms are supported:
■ Red Hat Enterprise Linux AS 4
■ Red Hat Enterprise Linux ES 4
■ Red Hat Enterprise Linux Server 5
■ SUSE Linux Enterprise Server 10
■ SUSE Linux Enterprise Server 11
Package server for Linux supports alternate download locations. Paths for alternate
locations are converted automatically from Windows style to UNIX style if you
include the trailing slash. For example, if you have Patch Management Solution
installed, you can change policy and package settings when rolling out patches.
In Symantec Management Console, under Settings > All Settings > Software >
Patch Management, you click a vendor settings page; for example, you would
click Red Hat Settings > Red Hat Patch Remediation Settings. When you click
the Policy and Package Settings tab, you see the Remediation Settings page for
the selected product. This is where you can check Use alternate download location
on Package Server. When you enter the alternate download location, you must
use the full Windows path. In this and similar instances, include a trailing slash
in the Windows-style path to ensure that it is converted correctly to a UNIX-style
path.
Correct: C:\path\
Trailing slash means that the Windows path is converted correctly to /path/.
Incorrect: C:\path
If you omit the trailing slash, the Windows path is converted incorrectly.
About integrating Apache Web Server with package server for Linux
You integrate package server for Linux with the Apache Web Server to expose
packages and Package Snapshots to Symantec Management Agent. Snapshots are
downloaded from Notification Server to Symantec Management Agent on all
supported platforms through HTTP URLs.
See “About package server for Linux” on page 265.
The packages and package snapshots are always downloaded to package server
directories. The only files that are created in the Apache Web Server are directories,
symbolic links, and .htaccess files. Symbolic links are created to the package files
and snapshot files. The .htaccess files lock down package files with passwords.
When a Linux computer becomes a package server, the agent on that computer
attempts to create two main HTTP shares.
These shares are created in the Apache Web Server virtual web space, as follows:
■ /Altiris/PS/Snapshots
■ /Altiris/PS/Packages Note /Altiris/PS
This second directory is created if required.
The Package Manifest file is not used when a package server for Linux downloads
a package for distribution. The exception is if the package is located in the same
directory for the package server for Linux and Software Delivery. All package file
permissions are set to allow Apache Web Server clients access. This access is
typically through 0x744.
Depending on the specific configuration of the Apache Web Server, directories
are created in the root of the web directory. An example is /var/www/html on a
typical Linux Red Hat system. The package server agent reads the Apache Web
Server configuration file to determine this location.
See “About detecting the Apache Web Server” on page 267.
If you choose, you can specify that package server create the directories in an
alternate location. Use an Apache Web Server alias directive to specify a separate
directory.
See “Requirements to configure package server and the Apache Web Server”
on page 269.
See “Requirements to configure HTTPS and HTTP” on page 270.
About detecting the Apache Web Server
You can detect the Apache Web Server automatically or manually.
See “About integrating Apache Web Server with package server for Linux”
on page 266.
See “Requirements to configure package server and the Apache Web Server”
on page 269.
If you choose Automatic Detection, Symantec Management Agent looks for the
Apache HTTPD or HTTPD2 executable in the following directory locations:
■ /bin:/usr/bin:/sbin:/usr/sbin:/usr/lbin:/usr/etc:/etc:/usr/bsd:/usr/local/bin:/usr/contrib/bin/
■ System PATH variable
■ /opt/apache/bin:/usr/apache/bin:/usr/apache2/bin:/usr/local/apache/bin:/usr/local/apache2/bin:/usr/local/bin:/opt/freeware/apache/bin:/opt/freeware/apache2/bin:/opt/freeware/apache/sbin:/opt/hpws/apache/bin:/opt/apache2:/usr/local/apache+php
If both HTTPD and HTTPD2 executables are found, then both Apache 2.0 and
Apache 2.2 are installed.
In addition, if both executable files are found, then the file that matches a running
process is used. The default file is HTTPD2.
If the Apache Web Server cannot be detected automatically, you may need to
detect it manually. The Apache Web Server might not be detected automatically
if the executable file is renamed. If multiple installations have occurred, then the
wrong Apache Web Server could be detected. In any of these situations, you should
specify the Apache Web Server location manually.
To specify the Apache Web Server manually you should edit the [httpd
Integration] section of the client.conf file in the agent. In this section, you should
specify the "apache_exe_location" setting.
When the Apache Web Server executable is located, it is used to determine the
default location of the Apache Web Server configuration file. The configuration
file is required to determine if the Apache Web Server setup is suitable for package
server use. The configuration file also lets the installation program determine
the settings that are applicable to the package server. Applicable settings include
the ports that are used or whether the server is SSL-enabled.
If Symantec Management Agent for UNIX, Linux, and Mac cannot find the Apache
Web Server configuration file, it searches in the following locations:
■
/etc/httpd/conf
■
/etc/httpd/2.0/conf
As an alternative to Automatic Detection you can edit the [Httpd Integration]
section of the Symantec Management Agent for UNIX, Linux, and Mac client.conf
file. When you edit the file, specify the apache_config_location. Any setting that
you change becomes the default.
You can use the Apache Web Server "-f" option during the installation to relocate
the configuration file from its default location. If you relocate the file, you must
specify its new location in the apache_config_location setting. Package server for
Linux does not support mod_perl generated httpd.conf files.
Requirements to configure package server and the Apache Web Server
For the package server for Linux to work with the Apache Web Server, certain
requirements must be met. When these requirements are met, the Symantec
Management Agent for UNIX, Linux, and Mac sends the Apache HTTP Server role.
This role allows the computer to be used as a package server for Linux.
See “About detecting the Apache Web Server” on page 267.
The configuration requirements are as follows:
■ Apache Web Server version 2.0 or 2.2 is installed.
■ The package server for Linux uses only the main Apache Web Server or the
default Apache Web Server.
All other virtual host sections in the Apache Web Server configuration are
ignored, with the following exceptions:
  ■ The global settings and the _default_ virtual host are read for the main
  server settings.
  ■ The first virtual host that defines an SSL server is considered to be the
  main SSL server. Its settings are used for integrating and all other SSL
  virtual hosts are ignored.
■ The Apache Web Server web space location where the package server files and
directories are to be created must have the following options enabled:
  ■ FollowSymLinks
  ■ AllowOverride
The Apache Web Server web space location must also be accessible through
anonymous HTTP. The location is virtual directory /Altiris/PS/.
See “Requirements to configure HTTPS and HTTP” on page 270.
■ If both HTTP and HTTPS are defined for the Apache Web Server, the HTTPS
server is used.
■ Non-standard ports are detected and used, but the main Apache Web Server
must be accessible through the hostname of the computer. The Listen directive
for the main server must come before all other Port statements and Listen
directives in the configuration file.
■ The Apache Web Server must be running.
■ No compressing modules are used with the Apache Web Server. This
requirement exists because Package Delivery does not support those modules.
■ You may need to restart Symantec Management Agent for UNIX, Linux, and
Mac after you make changes to the httpd.conf file. The changes may not take
effect until after you restart the agent.
Requirements to configure HTTPS and HTTP
Symantec Management Agent for UNIX, Linux, and Mac uses whichever type of
Apache Web Server is available. It can use either HTTP or HTTPS.
See “Requirements to configure package server and the Apache Web Server”
on page 269.
If the Apache Web Server supports both types of Web server, the package server
for Linux uses HTTPS. Integrating with SSL through HTTPS is the default option
because it is the most secure. If you want to use the HTTP server, you can change
the [httpd Integration] "integrate_with" setting.
We recommend one of the following approaches for installing the Apache Web
Server to support package servers for UNIX and Linux:
■ Install a packaged version of Apache Web Server. On Linux, the distributed
Apache Web Server is most suitable.
This installation contains the executable files and the technical support exe
files in /usr/sbin or /usr/bin.
■ Install the Apache Web Server package in the recommended location.
An example of a suitable default location is /usr/local or /opt.
■ Leave the Configuration directory in its default location. This requirement
ensures that Symantec Management Agent for UNIX, Linux, and Mac can easily
detect the Apache Web Server and the configuration file. If you do not move the
configuration directory, you do not have to specify extra manual settings.
The default configuration directory is the location that was compiled into your
.exe, or /etc/httpd/conf.
If you change the Apache Web Server configuration files while Symantec
Management Agent is running, data is sent to Notification Server after a short
time. After the Apache Web Server role data is sent to Notification Server, the
computer becomes a candidate package server. If you want to speed up this process,
you should run the aex-sendbasicinventory executable file manually. Run the
executable file from the shell on the client computer that is targeted for the
package server installation. Update Notification Server with the changes.
Two configuration examples are available.
See “Package server configuration example that uses main web directory for
package server links” on page 271.
See “Package server configuration example using an alias for package server
links” on page 273.
Package server configuration example that uses main web directory for package server links
This configuration generally requires the minimal modification to an
out-of-the-box or default Apache Web Server setup. In this configuration a virtual
directory that is called /Altiris/PS is created automatically under the main Apache
HTML directory.
See “Requirements to configure HTTPS and HTTP” on page 270.
The example configuration contains the following directories:
■ Snapshots
■ Packages
Symbolic links are created in these directories to each shared package. The
packages themselves are stored under the package server agent VAR directory.
This configuration includes both an HTTP and an HTTPS Apache server. The
package server uses the HTTPS server if it is available. The HTTPS server ensures
a more secure operating environment and allows the use of Package Access
credentials.
Several configuration file checks are performed. The configuration files that are
listed in this section are examples. These examples are from the default installation
of the Apache Web Server as part of a legacy Red Hat Linux Distribution.
Check number 1; Listen statement is as follows:
...
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine HAVE_SSL>
Listen 80
Listen 443
Listen 10.10.10.10:8080
</IfDefine>
...
Ensure that the Listen statement for each of the main servers is the first Listen
statement of its type in the configuration file. The main HTTP and HTTPS servers
should be the first two Listen statements.
You should remove the IP or ensure that it is the same IP to which the hostname
resolves, as reported to Notification Server.
Check number 2; Main directory options is as follows:
...
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/var/www/html"
...
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# does not give it to you.
Options Indexes FollowSymLinks
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
AllowOverride AuthConfig
# Controls who can get stuff from this server.
Order allow,deny
Allow from all
</Directory>
...
Find the <Directory> node for the DocumentRoot directory, and ensure that the
following options are set:
■ FollowSymLinks
■ AllowOverride AuthConfig or AllowOverride All
Check number 3; Check SSL host is as follows:
## SSL Virtual Host Context
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/var/www/html"
ErrorLog logs/error_log
TransferLog logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
...
Ensure that the _default_ SSL Virtual host has the correct port. The port should
match the first SSL Listen. Ensure that the DocumentRoot of the virtual host is
the same as the DocumentRoot of the main server.
The DocumentRoot of the host can be different from the DocumentRoot of the
main server. The DocumentRoot of the host must have a <Directory> node that
is configured with the same options that are specified in Check number 2.
Package server configuration example using an alias for package server links
You may want to keep the package server for Linux virtual directory completely
separate from the Apache Web Server directory. To keep them separate, follow
this configuration example. This configuration example keeps all the symbolic
links out of the main Apache Web Server directory. It ensures that the
FollowSymLinks options are not required in the main directory.
See “Requirements to configure HTTPS and HTTP” on page 270.
An alias is used in the Apache Web Server configuration file to separate the
/Altiris/PS virtual directory. The package server for Linux automatically detects
this alias and creates the required subdirectories in the correct location.
The subdirectories are as follows:
■ Packages
■ Snapshots
The actual packages are downloaded to the VAR directory on the agent.
The configuration files that are used in this section are an example. The example
is from the default installation of the Apache Web Server as part of a legacy Red
Hat Linux Distribution.
Check number 1; Listen statement is as follows:
...
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine HAVE_SSL>
Listen 80
Listen 443
Listen 10.10.10.10:8080
</IfDefine>
...
Ensure that the Listen statement for each of the main servers is the first Listen
statement of its type in the configuration file. The main HTTP and HTTPS servers
should be the first two Listen statements.
You should remove the IP or ensure that it is the same IP to which the hostname
resolves, as reported to Notification Server. You can use port numbers other than
80 and 443. The package server for Linux detects the ports. However, it always
uses the port of the first Listen in the Apache Web Server configuration file.
Check number 2; Create Alias and aliases directory options is as follows:
...
# Aliases: Add here as many aliases as you need (no limit). The format is
# Alias fakename realname
#
<IfModule mod_alias.c>
...
Alias /Altiris/PS /var/altiris/www/ps
<Directory /var/altiris/www/ps>
Options FollowSymLinks
AllowOverride All
</Directory>
</IfModule>
# End of aliases.
You should perform these steps in the following order:
■ Create both the Alias statement and the <Directory> node for the destination
directory of the alias.
■ Ensure that the following options are set on that directory:
  ■ FollowSymLinks
  ■ AllowOverride AuthConfig or AllowOverride All
■ Create the destination directory.
■ Set the correct permissions on the destination directory to ensure that Apache
Web Server clients can download files from there.
■ To ensure that the directory works, place a text file in it. Then browse to a URL
such as http://your.server.name/Altiris/PS/testfile.txt. In this example,
your.server.name and testfile.txt are your own server name and the name of
the text file that you created.
Check number 3; Check SSL host is as follows:
...
## SSL Virtual Host Context
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/var/www/html"
ErrorLog logs/error_log
TransferLog logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
...
Ensure that the _default_ SSL Virtual host has the correct port. It should match
the first SSL Listen. Ensure that its DocumentRoot is the same as the
DocumentRoot of the main server.