Deployment Solution

Dear All,

I have been setting up our DS 7.5 SP1 HF4 system to work with SSL according to the following article:

http://www.symantec.com/business/support/index?page=content&id=HOWTO95059

All was working OK with BIOS machines (no EUFI), but once I switched the NS to only accept SSL, i found that I got these errors in the SbsLog_TFTP.txt:

Mon Feb 16 16:36:53 2015  1060     tftp.cpp                       Sbs::TftpServer::ProcessConnection                 1082       Debug    Req# 1, Failure code 995, client [192.168.117.129, 2070], file 'D:\Altiris\Altiris Agent\Agents\Deployment\SBS\Images\BStrap\x86pc\BStrap.0', options [flag=4 blk=512 tm=5 sz=24511]
Mon Feb 16 16:36:53 2015  3092     tftp.cpp                       Sbs::TftpServer::ProcessConnection                 1082       Debug    Req# 2, Success, client [192.168.117.129, 2071], file 'D:\Altiris\Altiris Agent\Agents\Deployment\SBS\Images\BStrap\x86pc\BStrap.0', time 0 secs, options [flag=1 blk=1456 tm=5 sz=0]
 

From here, then I looked high and low for the answer to this, but then found this article:

http://www.symantec.com/docs/TECH227344

In this article, it suggests that this issue is a coding problem with the SbsServer.exe file version 12.0.0.6274 and below and that it will be fixed in SMP 7.5 SP1 HF5 (the next hotfix) with version 12.0.0.6278 of the exe.

I checked my SbsServer.exe and it is version 12.0.0.6274.

The article says that as a part of the hotfix configuration, you need to change the following section of the SbsConfiguration.xml to look like this with the protocol="http" and port="80" settings changed to protocol="https" and port="443":

<clienthandler type="network" protocol="https" servername="NSServer.fqdn" port="443" validatecertificate="no"/>

Interestingly, when I changed the settings in the SbsConfiguration.xml to the correct ones and restarted the TFTP service, everything started to work again.

So, my question is, do I need SMP 7.5 SP1 HF5 or not? Just changing the config seems to work in this case - do I still need to upgrade and am i breaking something else?

Kindest regards,

QuietLeni

Sorry to answer my own question, but I think that the upgrade IS needed, as the SbsConfiguration.xml file is updated once a Configuration Request is run.

I came back to the same PXE Server and found that the SbsConfiguration.xml file had reverted. It seems that this happens if any changes are made to the PXE settings.

Oh well... ...hope that this helps others.

QuietLeni

There is a workaround for this.

Just set the configuration file as read only after you have done the change.

This will one downside of course, if later you want to make any changes in NBS general settings then you have manually apply them into configuration file.

Indrek,

Yes, I thought of that one as well. There would be lots of errors in the logs for the agent and we would have to make sure that the change was be documented. Also, I guess that this would also be unsupported by Symantec, as well? Lastly, if this needs to be done on lots of servers, then the process might take a bit of time (unless a script could be prepared)?

Kindest regards,

QuietLeni

QuietLeni,

As far as I remember then that was a supported scenario at some point, before the fix arrived in next HF.

To document things is definetly a must be, cause later on if we forget it, the finding mind be painful.

Regarding error, then yeah it will throw once per hour error could not update conf file.

Automated way should be easy with

attrib +r to force it read-only.

The main question would be if this is an acceptable workaround or not.