Thursday, November 17, 2011

Dell KACE: Applying an SSL Certificate to the K1000

KACE's documentation was a little lacking here, so I thought I'd do a quick write-up to describe the procedure I followed to successfully generate and apply an SSL certificate.

Generate a CSR
Prior to completing this task, go to Settings>Network Settings and make sure your Web Server name is in FQDN format (for example, K1000.dell.com). The CSR's Common Name is built from this value, and the certificate must name the exact host the agents and browsers will connect to.
Now on to generating the CSR.
Generate a CSR (Certificate Signing Request) by clicking Settings>Security Settings>"Open SSL Certificate Wizard" on the K1000.

You will be presented with a web page that has all the typical fields to create a CSR.  When you've filled all these in, click the "Set CSR Options" button.  This will generate the CSR on the bottom half of the page.  Copy the CSR as directed on the page and apply for an SSL certificate with a vendor.  The private key is generated and kept on the K1000; only the CSR leaves the appliance.  My company uses Thawte, so we did it through their Enterprise portal.  I pasted in the CSR with the option ApacheSSL and generated the new certificate.  I'm assuming each vendor will be slightly different, but look for an option called ApacheSSL or something along those lines.

Once your certificate is signed, copy and paste it from your vendor's website into a text file.  You want it as Base64-encoded X.509 text (the PEM block between the BEGIN CERTIFICATE and END CERTIFICATE lines) so that the K1000 can apply it properly.  You can also save it with the file extension .x509 or .cer so you know what it is later.

Take a backup of your K1000 prior to applying the SSL certificate.
Go to Settings>Server Maintenance Tab>Edit Mode.
Click on "Run Backup".
This will take about 5 minutes.  When it has completed and you can reconnect to the K1000, go back to Settings>Server Maintenance Tab>Edit Mode and download the backup files somewhere safe.
Also make sure SSH is enabled so that KACE support can get into the K1000 if you mess up :).

Applying the Certificate
On the K1000 go to Settings>Security Settings>Edit Mode.
At the bottom of the page go to "Set SSL Certificate File:" and click the "Choose File" button.  Select the file you saved the certificate text into and click OK.

You will also need the intermediate certificate for Thawte (this may not be true for all vendors; refer to their installation instructions to obtain the correct intermediate certificate for your server).  Without the intermediate, the K1000 will serve a certificate whose issuer the agents and browsers cannot chain to a trusted root, and they will reject it even though the appliance accepted the upload.

Under Optional SSL Settings, put checks in only these 2 boxes:
Enable port 80 access
SSL Enabled on port 443

Click the "Set Security Options" button to finalize all the changes.  Your clients will now begin communicating with the server via SSL.  You can now deploy the agents using the SSL option.  Leaving "Enable port 80 access" checked keeps the plaintext path open for agents that have not yet been switched over; once you are sure all your agents are connecting via SSL, go back to Security Settings and uncheck it if desired, so that the K1000 only accepts HTTPS.
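The checks I would run on the vendor's files before uploading them, as an added example (this is not from the original post or from KACE; it needs only the openssl CLI and runs offline because it builds a throwaway root, intermediate and "K1000" CSR as constructed test data; the file names and the FQDN k1000.example.com are assumptions): the signed certificate must carry the public key from the CSR the appliance generated, it must chain through the intermediate to the vendor's root, and it must name the FQDN set under Network Settings.

```shell
#!/bin/sh
# Added example, not part of the original post or of KACE.
# Sanity-check a vendor-signed K1000 certificate before uploading it.
# Requires the openssl CLI. File names and the FQDN are assumptions.
set -eu

# Constructed test data: a throwaway root CA, intermediate CA, "K1000" CSR
# and signed leaf, so the checks can run offline. In a real deployment the
# CSR is the one copied from the K1000 wizard and the other files come
# from the vendor.
make_test_pki() {   # dir fqdn
  dir=$1; fqdn=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/leaf.ext"
  # self-signed root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # intermediate signed by the root (the file the vendor tells you to install)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 3650 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  # the "K1000" CSR (CN = the FQDN from Settings>Network Settings) and its leaf
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/k1000.key" -out "$dir/k1000.csr" 2>/dev/null
  openssl x509 -req -in "$dir/k1000.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/k1000.pem" 2>/dev/null
}

# Check 1: the certificate must contain the public key from the CSR. If the CSR
# was regenerated on the appliance after signing, the private key no longer
# matches and the web server cannot use the certificate.
cert_matches_csr() {   # cert.pem csr.pem
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl req  -in "$2" -noout -pubkey | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Check 2: leaf + intermediate must chain to the vendor root. This is what the
# agents and browsers do; a missing intermediate fails here.
chain_verifies() {     # cert.pem intermediate.pem root.pem
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check 3: the certificate must name the exact FQDN the agents connect to.
# openssl prints "does match certificate" or "does NOT match certificate".
cert_names_host() {    # cert.pem fqdn
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# All three checks, reporting which one failed.
check_k1000_cert() {   # cert.pem csr.pem intermediate.pem root.pem fqdn
  cert_matches_csr "$1" "$2" || { echo "public key differs from the CSR" >&2; return 1; }
  chain_verifies "$1" "$3" "$4" || { echo "chain does not verify to the root" >&2; return 1; }
  cert_names_host "$1" "$5" || { echo "certificate does not name $5" >&2; return 1; }
  # After the upload, confirm what the appliance really serves (needs network,
  # so not run here):
  #   openssl s_client -connect "$5:443" -servername "$5" -showcerts </dev/null
  return 0
}

# Offline demonstration with the constructed PKI.
run_demo() {
  d=$(mktemp -d); host=k1000.example.com
  make_test_pki "$d" "$host"
  check_k1000_cert "$d/k1000.pem" "$d/k1000.csr" "$d/int.pem" "$d/root.pem" "$host" \
    && echo "OK: certificate for $host is ready to upload"
  # A CSR regenerated after signing has a different key and fails check 1.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null
  cert_matches_csr "$d/k1000.pem" "$d/other.csr" || echo "expected failure: regenerated CSR does not match"
  rm -rf "$d"
}
run_demo
```

Run the three functions against the real files before touching Security Settings; the s_client line in the comment is the post-upload check that the appliance is serving the leaf plus the intermediate.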

Friday, October 28, 2011

Domino Extended Directory Catalog - Rebuilding and Configuring

I ran into a problem recently where our corporate Domino Extended Directory Catalog needed some updating and had not been refreshing data properly.  The data was completely stale and hadn't been properly setup to update.

As a starting point I read this document on the IBM site about the EDC: https://www-304.ibm.com/support/docview.wss?uid=swg21093442

This was great for getting a handle on how the EDC is supposed to work, but some of the descriptions are out of date on the configuration documents.

Updating Settings
To update an existing EDC, open up the administration client.  Click on the Configuration tab, and in the left-hand navigation pane expand "Directory Cataloger."  Check that you have entries for the appropriate filename and for the times to run the task.  You should also see another entry, named after the EDC's title, under the "Directory Cataloger" section.  This is where we'll make changes if we need to add new directories to aggregate, etc.

Rebuilding
If you need to completely rebuild the EDC, go to the Advanced tab when viewing the Directory Cataloger><EDC TITLE> options.  Click the "Clear History" button.  This will force the EDC to rebuild everything completely the next time the task runs.  You can click on the Server tab in the Admin Client and go to the Server Tasks view to see whether Directory Cataloger is currently running.  If it's running and you'd like to stop it, type "tell dircat quit" on the server console.  Then, to force an immediate rebuild after clearing the history, type "load dircat <EDC Filename>.nsf".

That should be it.  You should see the directory rebuilding in the Server Tasks view and, if you have the file open, by pressing F9 periodically to refresh it.  You will then want to manually force replication to the other Domino servers holding a replica to get all the changes out into the environment.

Also you may want to setup directory assistance if you haven't already.  See this document to do so:
http://ksgnotes1.harvard.edu/help/help7_admin.nsf/f4b82fbb75e942a6852566ac0037f284/a4f6cf3dcc1e06ac852570610054b277?OpenDocument

Monday, August 29, 2011

Integrating UltraVNC and VNC Repeater with Dell KACE

UltraVNC is a great remote support option for taking control of PCs which are physically far from you.  This ability can be rewarding for your Help Desk community, as the speed and reliability of VNC remote control is unparalleled.  Not only does UltraVNC offer a great internal WAN remote control solution, but UltraVNC Repeater makes it possible to reach users who work from home and are not connected to the company's VPN (behind NAT'ed cable routers, etc.).  The nice thing is that Dell KACE makes UltraVNC provisioning simple with a wizard-based configuration in the Scripting menu.

To create a new KACE UltraVNC distribution policy, click on the Scripting Tab>UltraVNC Wizard.  You will see these options:
Choose the UltraVNC settings you want your users to have and click Save.  You will now have a new script available under the Scripting Tab, usually named UltraVNC policy.  I don't like the users to know anything about UltraVNC, so I edited the policy by clicking the "edit the policy using this editor, click here." link.  I added this task to the policy: Launch SYS\cmd.exe with params /C rmdir /s /q "C:\Documents and Settings\All Users\Start Menu\Programs\UltraVNC" (the path contains spaces, so it must be quoted).  This removes the Start Menu shortcuts from their systems, so the install is pretty invisible to the average user.

Next you will want to create some "Smart Labels" to deploy the software to your users.  I created one called Needs UltraVNC Deployed with the criterion Software Titles does not contain UltraVNC.  I then edited my UltraVNC policy's Deployment section to Limit deployment to selected labels: "Needs UltraVNC Deployed".  I selected Don't Run on a Schedule with "Also Run Once at next Client Checkin" and saved.  This deploys the software to anyone that does not have it installed.  When they check in again, KACE sees they have the software and they drop out of this Smart Label.

Next, you will want to ensure that you have VNC Viewer installed on any of the Help Desk Staff members' PCs.  Easy enough, you can download the latest copy from www.ultravnc.com.

Now, to remote control one of the PCs you've deployed VNC to, you will want to create a custom machine action.  This lets you simply click an icon next to the PC in your inventory to take control (it only works in IE).  To create a custom machine action, click the Settings Tab>General Settings and scroll down to the "Machine Actions" section.  Click on edit mode, click the drop-down list for Action #2 and choose VNC Remote Control Using HOST NAME.  Click "Set Actions".  That's it.  You'll see a new icon next to your PCs in your inventory.  Click on one that you know you have VNC deployed to and test.

I'm assuming you have opened up the appropriate ports for your KBOX agents to connect to your K1000 from anywhere in the world.  This is a big part of how we're going to get around remote controlling NAT'ed home users.  Once VNC is deployed to their systems the rest is pretty simple.

You will want to set up a dedicated Windows server to be your VNC proxy.  It must have an internet-routable IP address, so you'll need to implement a NAT rule on your firewall to accomplish this.  Two ports are involved, in opposite directions: TCP 5500 is where the home users' winvnc connects out to the Repeater, so it must be reachable from the internet; TCP 5901 is where your Help Desk's VNC Viewer connects to pick up the waiting session, so it only needs to be reachable from your company network and VPN.  The admin web page (TCP 80 by default) is plain HTTP protected by a password only, so keep it reachable from the VPN side and do not expose it to the internet.

Now you need to set up the UltraVNC Repeater software.  You can obtain it from www.ultravnc.com.  Once you've downloaded the .zip, extract it to C:\Program Files\UltraVNC_Repeater\.  Run C:\Program Files\UltraVNC_Repeater\distributer.exe -install to install it as a service.  The web server runs on the default TCP port 80, so you should be able to open a web browser to the admin page.  The default username and password are both admin; change that first and foremost.  Click the Settings button and uncheck Mode I.  We only want Mode II (2) running.  You can also specify a different Web GUI port at this point if desired.  That's all the configuration we need to do for the Repeater server to be up and running.

Now, to actually establish connections to the home users through this Proxy/Repeater server, we will create a new script in KACE.  What I did was give each Help Desk Administrator their own script with a built-in ID.  This script will be run on a target home user's PC when remote control access is required.  A repeater connection requires a 4-digit ID to begin.  Note that the ID is only a routing label, not authentication: it is easy to guess, so keep the viewer side (port 5901) on the VPN and rely on the UltraVNC authentication settings you chose in the wizard to protect the session.  So click on the Scripting Tab.  Click the "Choose Action" drop-down menu and select Add New Item.  We want an Online KScript.
Give it a name like "UltraVNC Connection - ID 1234 - <your help desk admin's name>".
Status Production.
Check Enabled.
Leave the Deployment section empty.  You will choose individual machines on an as needed basis to establish connections to the Repeater server.
Supported OS: MS Windows.
Run As Local System
Leave Alerts blank unless desired.
Don't Run on a Schedule
Add the tasks:
  1. Launch SYS\cmd.exe with params /C "C:\Program Files\UltraVNC\winvnc.exe" -autoreconnect ID:<give it a 4 digit Unique ID> -connect <your external IP to the Repeater Server>::5500 (the path contains spaces, so quote it as shown).
  2. Log DOS Command Issued Successfully. to status.

Make it Attempt 1 time.  On Failure: Break.
Save the Script.

Now when your Help Desk needs to remote control a home user, they can add the user to the deployment list (making sure they remove any old users from the list first, or the connect command will be pushed to them again) and click on Run Now.  They will be notified when the script has run, and they can verify that they have a waiting session on the Web GUI of the Repeater server if desired.

Once they have a waiting connection on the Repeater server they will want to view it.  To do so I created a batch script for each Help Desk Administrator that they can simply double-click to connect to their assigned Repeater ID.  This is all that needs to be inside the script:
"C:\Program Files\UltraVNC\vncviewer.exe" -proxy <IP/Hostname of your repeater server>::5901 ID:<4 digit Unique ID you want to Connect To>

That's it.  When you run the batch file, it launches VNC Viewer, which asks the Repeater for the session waiting under that ID and connects you directly into it.

If you wanted to do this manually by opening up the VNC Viewer application you would do this: