IT Management Suite 7.5 SP1 HF5 is available through SIM. It has fixes for the following components:
Also added is official support for the following operating systems:
You can access the ITMS 7.5 SP5 HF5 release notes from the following location:
http://www.symantec.com/docs/DOC7954
We found bypass for Getpackageinfo.aspx. Use manually created computer resources like we use it in WinPE (https://www-secure.symantec.com/connect/forums/smp-75-and-getpackageinfo-unmanaged-computers) and put this Guid into xml request. Result is list of Package servers based on IP address. There is one limitation - PS manually asssigned are not in result.
Hello Arthur,
1. I am 100 % sure that clients were 7.5. We were using LAC ON. I think Symantec added encryption for 7.5 clients even if there is LAC ON.
2. According Ludovic it should work very similar ways but in our Envi we get only one record.
3. Can be but we need to solve the issue why we get only one record.
Thank you for your input.
HI Kada!
1)
> So I assume encryption was not working for 7.5 SP1 and now it was solved in HF5. What do you think? Can this be checked?
The conclusion is not correct. Encryption has been working since NS 7.5 (before SP1) .
Why it has worked on 7.5 SP1 HF3? The only explanation could be is that the agents on whose behalf the request was issued were still 7.1 SP2 or lower.(i.e not upgraded yet)
2) GetNearestPackageServer.aspx does NOT do exactly the same thing as GetPackageInfo.aspx. I don;t now what is required to accomplish but these ASPX pages are DIFFERENT.
3) The HOWTO mentioned abpove somehow is related to DS functionality.GetPackageInfo.aspx is not. Probably GetNearestPackageServer.aspx would be a better choice for you
Meanwhile I will try to forward your concerns about the VBS to the right people
Thank you !
Arthur
Hi Kada,
There is no need to use DS 7.x. The idea for using getpackageinfo originates from the time where DS was not integrated in NS / SMP and to be able to use Package Servers for delivering Software, Operating Systems.... using DS 6.9 within WINPE or within the client operating system...
We also still using DS 6.9 for the most of our Customers.
The point is: you should be able to use the getnearestpackageserver method even if you are not using DS7.x - but you are right - DS 7.x has to be installed (using SIM) to be able to use it the same way as getpackageinfo.vbs.
Have you tried to use the URL above on your SMP? (https://YOUR_SMP_SERVER_NAME/Altiris/Deployment/Agent/GetNearestPackageServerInfo.aspx)
If you want you can send me a private message and we can discuss this in more details...
Network23
PS: Please also take a look at Ludovics Post: https://www-secure.symantec.com/connect/downloads/cwoc-testpackageinfo-tool-view-package-server-and-package-codebases
Hi Network23,
since 7.5 maybe it is not working but on 7.5 SP1 with HF1 and HF3 it was working. It seems to me that there was a bug and they fixed it in HF5.
Regarding your idea - we are not using DS 7.x. We use 6.9 and are happy with it.
Hi Kada
Hi Arthur
@Arthur: We are also using getpackageinfo.vbs since Altiris 6.0 and for Altiris 7.1. You are right - since 7.5 this isn´t working anymore because of security / encryption...
But it would be great to have an script like "getpackageinfo.vbs" mention by Kada - that would work with 7.5 and beyond...
@Kada
I´ve done some reseach and have found that you can make use of "getnearestpackageserverinfo.aspx"
Try this on your SMP Server: https://YOUR_SMP_SERVER_NAME/Altiris/Deployment/Agent/GetNearestPackageServerInfo.aspx you should get a description of the elements and attributes needed.
I also tryed to write an Powershell Script to acomplish the same as with "getpackageinfo.vbs" but didn´t make it because I´m running out of time. It would be great if you are able to create a powershell or vbs script and share that script within Symantec Connect.
I´m sure there are some customers / users that would benefit from having a working script...
Maybe Symantec could update the GETPACKAGEINFO.vbs with a working Version for 7.5 / 7.6.
I also tryed to write an Powershell Script to acomplish the same as with "getpackageinfo.vbs" but didn´t make it because I´m running out of time. It would be great if you are able to create a powershell or vbs Script and share that Script within Symantec Connect.
many thanks for your response, really appreciate it.
1. we are using getpackageinfo method from this document http://www.symantec.com/business/support/index?page=content&id=HOWTO3579
It was perfectly working till HF5. We upgraded from 7.1 SP1 to 7.5 SP1 HF1, then to HF3 and now to HF5. In HF3 everything was ok. So I assume encryption was not working for 7.5 SP1 and now it was solved in HF5. What do you think? Can this be checked?
Format of calling getpackageinfo is :
http://servername/altiris/ns/agent/GetPackageInfo.aspx?xml=%20%3Crequest%20version=%221%22%20resource=%228C90643A-2A62-441A-ABD2-D8A62B7DCF5F%22%20totalTime=%2232%22%20type=%22codebases%22%20compress=%22false%22%3E%20%3Cpackages%3E%20%3Cpackage%20guid=%22EEFEE0EC-28D9-4C7A-AD2F-AF32694134AF%22%20%2F%3E%20%3C%2Fpackages%3E%20%3Caddresses%3E%20%3Caddress%20ip=%22SOMEIPADDRESS%22%20%2F%3E%20%3C%2Faddresses%3E%20%3C%2Frequest%3E
I tried to call this aspx from 7.1 computers and there it works. But customer has 3500 PC with HF5 agents.
2. We are using this tool during computer's installation to have user's SW installed according some definitions. We are using it from version 6.x and are / were very happy with it.
Any idea how we can still use it in HF5 ?
Hello Kada!
There are few things worth mentioning about GetPackageInfo
1) The encryption of the GetPackageInfo.aspx response has been occurring since NS 7.5 for 7.5 agents and higher. It is very strange why you have not experienced the same problems before. The response is NOT encrypted for 7.1 agents however. Probably you were using the Guid of some 7.1 managed agent before and now you are using the Guid of agent 7.5?
OR that very 7.1 agent whose Guid was used is now upgraded to >=7.5, thus the reposnse for it comes encrypted...
Without knowing the request format which is used by the tool and Guids usage it is impossible to provide exact explanation
2) GetPackageInfo.aspx is by no means public API. I am wondering how the tool's author got that page's request format - it is something tha Symantec/Altiris has published officially???
What is the purpose of using that tool? Where it is launched - on the agent side or at the NS side? Depending on the answer I might propose other workarounds.
Currently if you still need the "open" response format you need to use request from 7.1 MANAGED agent. However for the future please be prepared that we will strengthen the security even more and agent X will be given responses ONLY for packages it is supposed (potentially) to receive. One might not be able to request ANY package in the system on behalf of agent X.in the future
I am trying to say that SMP DEV is unaware of existence of "custom package downloads" . Thus the custom tools must work through the officially declared supported API.
Example: Agent DEV SDK - there we should have COM-based API for package downloads
Regards
Hello again,
today we discovered issue wiht Getpackageinfo.aspx. We are using this in our tool to get PS for download. In HF5 this page is not returning any codebases anymore because of encryption. According Symantec support this was change in HF5 because of security. It is really pity why this is not mentioned in release notes becuase we are now in PRO and 3500 PC has problem with download via cusomter tool.
Is there any advice how this can be handled? Ideas are about - disable this "feature" in HF6, downgrade to HF3 - how?, SMP on HF3 and PC on HF5 - will this work?, any other idea?
Thank you
This warning about counters was there every 2 minutes.
I was able to open Performance monitor and select counters. To be sure I run lodctr /r and restart the server. After restart I can see it one time, not repeating every 2 minutes. Hopefuly it is gone.
Thanks for help, Alex
It might be that an old version of TS assembly was in cache and causes these warnings.
Regarding "Database counters failed to validate, recreating" - such warning logged once on CTDataloader service start-up; this is not critical one. If you see this warning re-occur in log often then it might be that your server has problems with performance counters database, please take a look at this discussion:
https://www-secure.symantec.com/connect/forums/failed-setup-performance-counters-and-database-counters-failed-validate-errors
Thank you,
Alex.
SMA and TS on SMP server are upgraded to 3300. Services are running under local system account.
I remember during upgrade to HF3 we had problem with installation of the task management. But it was solved by reinstall SMA and repair task management via SIM.
After lunch this warnings are gone, no idea what happened.
Another waring message is this: Database counters failed to validate, recreating. Any idea?
As I see version mentioned in warning is 7.5.3153. Version of SMP and Task Server in HF5 is 3300 - please verify you have the latest version of Task Server installed and take a look at CTDataLoader and ATRSHOST services - they should run under the local system account.
I upgraded from HF3 to HF5 and when I check logs I can see MMF warnings - in attachment.
Any idea what does it mean?
Igor,
"StubbedPolicyCache" is set to 0 in my environment. I'm still having sporadic problems with the agent check-in interval. I've attached a screenshot of my personal computer and it seems to be working just fine but then the "server is busy" and then it says the next policy request will be in 60 minutes.
Ray,
1. According to http://www.symantec.com/docs/TECH222804 "SingletonPolicyRequest" should be = "1"
2. According to http://www.symantec.com/docs/TECH225352 "StubbedPolicyCache" should be = "0"
Thanks,
IP.
SMPDiag has no other recommendations out of the normal results I usually get. I know it's normal to output "server busy or paused" when there is an actual increase in server load, but there has been no such increase or nothing I am easily detecting. I guess I'll just did deeper into the logs.
Your primary symptom to focus on is why the client is getting a "server busy or paused" error. Its normal for the config request interval to back off when the server is busy so don't worry about that mismatch for the moment. How do the server logs look? Is utilization of the server itslef ok? If so, you may just need some tuning. Try running SMPDiag and see what recommendations it has.
Joe,
I'm attaching 2 screenshots of 2 separate endpoints that still do not abide by the agent config request interval specified in the Targeted Agent Settings policy. The server is still busy supposedly and my default interval is 60 minutes instead of what you see specified on the agent settings window. In an effort to test, I'm going to try cutting in half the 'MaxConcurrentConfgRequests' setting to 5.
I'm also investigating as to if I have a running task somewhere that is somehow making the server busy.
It is important to note that this issue, even with 'MaxConcurrentConfigRequest' set to '20' was not apparent before HF5. I'll check several client logs tomorrow morning to see where my environment stands.
Thanks.
Hmmm.... Good to know Ray. My MaxConcurrentConfgRequests is currently set to 100 on my prod box. SMPDiag warns me about this and recommends <= 10 but unfortunatly the article it links to (TECH45258) apears to be a mistake since it does not mention this setting at all. I found some old articles (v6) warning about setting it too high but nothing for the current platform. I've searched my notes and couldn't find any comments about when / why I changed that setting. I belive it was after the 7.5 SP1 install when I tried everything to resolve client config issues and I forgot to set it back. I guess I'll back it down to 10 and see if I start seeing warnings about exceeding the limit.
Thanks for taking the early plunge on HF5. I may reach out to you in a few days and see if things have smoothed out. If so, I may jump into HF5 as well.
Anyone else have success stories or warnings about HF5?
After HF5 installation, all your 8000 managed endpoints were targeted to receive upgrade rollout policies/settings, etc. I'm not 100% sure (probably there were other aspects), but it seems like in that case, when 'MaxConcurrentConfigRequest' was '20' (instead of '10') , "ClientPolicyCacheMaxSize" with '20000' was probably reached and part of clients weren't able to receive policies due:
'http://smp.dteco.com/Altiris/NS/Agent/GetClientPolicies.aspx': The server is currently busy or paused (0x8004200C)]]>
After talking with support, I discovered that my 'MaxConcurrentConfigRequest' value was set to 20 instead of the default 10. I don't now how it got set to 20 but it did. It's not like it's an incredibly high value, but regardless, setting it back to 10 seems to have corrected my agent communication issue that apparently didn't stem from HF5.
This error is my client logs is concerning.
<event date='01/13/2015 07:16:03.0280000 -05:00' severity='2' hostName='GO807-U21738-D' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='3440' thread='3460' tickCount='295545828' > <![CDATA[Policy request failed: Unexpected response from URL 'http://smp.dteco.com/Altiris/NS/Agent/GetClientPolicies.aspx': The server is currently busy or paused (0x8004200C)]]> </event>
When SP1 was release and installed in several environments, this same error was encountered by other customers as mentioned in this thread: https://www-secure.symantec.com/connect/forums/cpu-usage-high-post-sp1-upgrade
The client policy contains 10 minutes or 600 seconds as shown in the screenshot. This client last requested an update on 1/12/2015 at 10:00:14 AM and it has not changed as shown in the screenshot. It is 10:46:00 AM as I type this.
Ray
client policy xml also contains 60 minutes or 10 minutes?
<ClientPoliciesRequest Interval="3600"/>
Please see the latest screenshot from a different endpoint. This endpoint shown in this screenshot has it's interval set to every 10 minutes but if you notice at the bottom, the log says "Next policy request from server smtp.dteco.com will be at 2015-01-12 11:00:15, in 60 minutes".
I'm going to open a support incident.
1. About SMA service stopped:
2. About C:\Program Files\Altiris\Altiris Agent\Client Policies\:
3. About SMA UI timestamp update for "Policy Request":
Next policy request from server will be at 2015-01-12 15:40:46, in 5 minutes "Next basic inventory update will be sent to server at 2015-01-12 15:46:05, in 10 minutes
Next policy request from server will be at 2015-01-12 15:40:46, in 5 minutes
"Next basic inventory update will be sent to server at 2015-01-12 15:46:05, in 10 minutes
4. I see that your client SMA has some network restriction settings. Could you please send me via private message, what Network Restriction settings you have in SMA "Targeted Settings" policy?
I've attached another screenshot of the problematic SMA. If this screenshot, you'll notice that the 'Requested' timestamp is 8:10:38 AM and that the system time in the lower right is 8:26:33 AM. It should have updated the 'Requested' timestamp to 8:25:38 AM based on the 15 minute interval.
This is a test computer so do not focus too much on the 15 minute interval for the configuration and basic inventory. I actually updated the interval to 30 minutes for the configuration and 8 hours for the basic inventory for testing and that is why I know that the 'Requested' timestamp should have changed and so should the 'Change' timestamp should have updated as well.
If I were to manually press the 'Update' button it will update and change. This should be happening automatically and was before the application of HF5.
I've attached another screenshot of me manually pressing the 'Update' button and the result.
Thank you for responding. The client policy is present on the computer. Please see the attached picture. Also, the "ClientPolicyCacheMaxSize" value is set to 20000 after applying HF5.
Over the weekend, I had to use the RAAD tool to start the SMA service on the majority of my endpoints because if they downloaded and installed the updated SMA, the service was stopped. Every 3-4 hours I had to stop and then start the SMA to get it to check in with the NS so that it could download and install the remaining plugins/sub-agents.
Hi Ray,
According to your client log output, there are following cases:
"1/10/2015 8:37:26 PM","Error reading policy from file C:\Program Files\Altiris\Altiris Agent\Client Policies\dca-pro346.dtenet.com.dtenet.u21738.xml: Error loading policy file: The system cannot find the file specified. (0x80070002). This is normal the first time the agent runs after being installed.","PolicyStore","AeXNSAgent.exe","2360","Informational"
"1/10/2015 8:37:26 PM","Policy request failed: Unexpected response from URL 'http://dca-pro346.dtenet.com/Altiris/NS/Agent/GetClientPolicies.aspx': The server is currently busy or paused (0x8004200C)","ConfigServer","AeXNSAgent.exe","2360","Warnings"
1. Does policy isn't really there on client computer?
C:\Program Files\Altiris\Altiris Agent\Client Policies\dca-pro346.dtenet.com.dtenet.u21738.xml
2. What is a "ClientPolicyCacheMaxSize" value in CoreSettings.config on your NS?
<customSetting key="ClientPolicyCacheMaxSize" type="local" value="20000" />
So here is a screenshot of a computer that last updated it's configuration late on 1/9. Despite MULTIPLE attempts to update the configuration without actually pressing the 'Update Configuration' button on the agent it will not update even though there is definitely an SMA Upgrade policy waiting to apply to it. I believe HF5 has something wrong with it. The 'Update Configuration' and 'Send Basic Inventory' tasks indicate that it ran successfully on many clients, but the 'Change' timestamp on the actual computer never updates and a new config never downloads. I'm starting to get concerned as to how many endpoints I have 'stuck' or 'frozen' that will not download a new config.
So far, after having applied HF5 I'm having troubles with running tasks such as "Update Client Configuration" and actually having it update the client configuration. It changes the "Requested" timestamp, but it never updates the "Changed" timestamp and no new configs get downloaded. It has been over 18 hours since I've applied HF5 and out of 8000 computers active on the network only about 4700 computers have received the updated SMA. I taking steps to manipulate the agent to start and check in.
Anybody apply HF5 yet? I'm scheduled to later this evening. I'll report my findings/results once I'm done!
Derik,
Just had someone from symantec find this gem for me as I missed it, http://www.symantec.com/business/support/index?page=content&id=DOC8025
thanks
In HF5 were there any new platforms support added (RHEL 7 or OSX 10.10)?