Symantec pcAnywhere™ Administrator's Guide
Symantec pcAnywhere™ Administrator's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 12.1 Legal Notice Copyright © 2007 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.
Technical Support Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion.
Select your country or language under Global Support.
Consulting Services Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
Contents Technical Support Chapter 1 Planning a migration and upgrade strategy About migrations and upgrades ...................................................... Migrating from pcAnywhere 12.0.2 in Windows 2000/2003 Server/XP to Vista ............................................................ Migrating from pcAnywhere 11.x in Windows 2000/2003 Server/XP ....................................................................... Migrating from pcAnywhere 10.5.x in Windows 2000/2003 Server/XP ..............
Contents Chapter 3 Deploying Symantec pcAnywhere custom installations About deployment ........................................................................ About package installation file locations ........................................... Deploying installation packages using Web-based deployment .............. About Web-based deployment requirements ................................ Setting up the installation Web server ........................................ Customizing the deployment files .
Contents Monitoring performance using SNMP traps ................................. 72 About the pcAnywhere MIB file ................................................. 73 Chapter 5 Integrating pcAnywhere with directory services About directory services ................................................................ Using directory services with pcAnywhere ........................................ Configuring the directory servers ....................................................
Contents
Chapter 1 Planning a migration and upgrade strategy This chapter includes the following topics: ■ About migrations and upgrades ■ Using Symantec Packager to streamline migrations and upgrades About migrations and upgrades Symantec pcAnywhere supports migration from versions 10.5.x to version 12.1 on Windows 2000/2003 Server/XP/Vista. During a migration, pcAnywhere lets you install over the previous version of the product and preserve user-defined settings.
Planning a migration and upgrade strategy About migrations and upgrades Table 1-1 Migration and upgrade strategy matrix Symantec pcAnywhere version Operating system Restart required Data preserved automatically 12.0 Windows 2000/2003 Server/XP/Vista Yes (for Vista) Host items Caller items Remote items Option sets Registry settings AutoTransfer files (must be converted) Serial ID sets 11.
Planning a migration and upgrade strategy Using Symantec Packager to streamline migrations and upgrades During the installation, you are prompted to preserve existing configuration settings. This data includes settings for host, remote, and caller items, as well as option sets. Migration of remote-only packages and integrity-checked packages is not supported. Migrating from pcAnywhere 11.
Planning a migration and upgrade strategy Using Symantec Packager to streamline migrations and upgrades The product installation requires you to Create a custom installation package that manually uninstall a previous version of the includes a custom command to silently product. uninstall the previous version before installing the product. The product installation requires you to restart the computer to complete the installation process.
Chapter 2 Creating custom installation packages This chapter includes the following topics: ■ About Symantec Packager ■ What you can do with Symantec Packager ■ How Symantec Packager works ■ Importing a product module ■ Customizing product settings ■ Creating a custom command ■ Creating installation packages ■ Building product installations and packages ■ Testing packages About Symantec Packager Symantec Packager lets you create, modify, and build custom installation packages that you ca
Creating custom installation packages What you can do with Symantec Packager Note: Symantec Packager runs on Windows 2000/2003 Server/XP Professional/Vista platforms only.
Creating custom installation packages How Symantec Packager works Table 2-1 Package creation process Task Description Import product modules into Product modules contain the installation binary and product Symantec Packager. template files that are needed to create a custom installation of the product. See “Importing a product module” on page 18. Configure products.
Creating custom installation packages Importing a product module Importing a product module Product modules are the building blocks for creating packages. Symantec Packager extracts the product installation binary files and the product template from the product module. The product template details the feature requirements and conflicts, making it possible to create custom installations of the product.
Creating custom installation packages Customizing product settings Table 2-2 Symantec pcAnywhere product configuration options Tab Settings Features You can customize the following features in pcAnywhere such as: Configuration Files ■ User interface (pcAnywhere Manager) ■ Remote components ■ Host components ■ Communications protocols ■ Documentation (online manuals and Help) ■ Symantec installation utilities The pcAnywhere product template includes default remote and host configuration i
Creating custom installation packages Customizing product settings Selecting product features Symantec Packager lets you customize product installations by including the features that you want and removing the features that you do not need. The product size and installed size change, depending on the features that you choose. Some features in pcAnywhere have dependencies on other components.
Creating custom installation packages Customizing product settings To select product features 1 2 3 4 In the Symantec Packager window, on the Configure Products tab, do one of the following: ■ Create a new product configuration. ■ Double-click an existing product to edit it. In the Product Editor window, on the Features tab, do any of the following: ■ Select the product features that you want to include in the custom product. ■ Clear the features that you do not want to include.
Creating custom installation packages Customizing product settings Remote connection item files (.chf) Provides default settings to support connections to a host computer over a modem, network, or direct connection. Also provides default settings to start a connection in file transfer or remote management mode. Host connection item files (.bhf) Provides default settings to allow remote users to connect to the computer over a modem, network, or direct connection.
Creating custom installation packages Customizing product settings Windows 2000/2003 Server/XP \Documents and Settings\All Users\Application Data\Symantec\pcAnywhere Vista \Users\LoggedinUser\Documents\Packager These folders are hidden by default in the operating system. To browse for the pcAnywhere configuration files, you must edit the folder options on your operating system to show hidden files. You can also add registry key files to control certain pcAnywhere settings.
Creating custom installation packages Customizing product settings Integrity stamping a product configuration You can prevent unauthorized changes to the installed product by using integrity management. If pcAnywhere detects that a pcAnywhere executable, registry, or configuration file has been changed in an installed, integrity-stamped package, pcAnywhere will not run. If you use integrity management, you must exclude the pcAnywhere Manager and LiveUpdate features.
Creating custom installation packages Customizing product settings 7 If prompted, type a file name, and then click Save. 8 Do one of the following: ■ Build the product. Building a product configuration file creates an .msi file that contains the single product. ■ Create a package that includes the product, and then build the package. Building a package creates a self-extracting .exe file. See “Building product installations and packages” on page 38.
Creating custom installation packages Customizing product settings 4 Click Add. 5 Click OK. The Serial ID file is added to the right pane under Serial ID Sets. Creating a serialized installation file To create a serialized version of pcAnywhere, you must add the serial ID file that you generate in pcAnywhere to a product definition file in Symantec Packager. The serial ID is embedded in the product when you build the product or build a package that contains the product definition.
Creating custom installation packages Customizing product settings 6 Select one of the following: OK Saves your changes and closes the Product Editor window Apply Saves your changes and lets you continue the product configuration 7 If prompted, type a file name, and then click Save. 8 Do one of the following: ■ Build the product. Building a product configuration file creates an .msi file that contains the single product. ■ Create a package that includes the product, and then build the package.
Creating custom installation packages Customizing product settings Table 2-4 Symantec pcAnywhere option set properties (continued) Tab Description Host Communications Contains customization options for modem and network connections on the host computer Remote Communications Contains customization options for modem and network connections on the remote computer Session Manager Controls basic session options, such as the background color for the unusable part of the remote desktop, and lets you
Creating custom installation packages Customizing product settings 4 Configure the settings that you want to use. 5 When you are finished, click OK. For more information about a feature, see the Symantec pcAnywhere User's Guide . Adding an option set to a custom installation file You can add the option sets that you create in pcAnywhere to a custom installation file. After the package or custom product is installed on the target computer, the option set can be applied on the local computer.
Creating custom installation packages Customizing product settings To apply an option set on the local computer 1 In the pcAnywhere Manager window, on the left navigation bar, click Option Sets. 2 In the right pane, right-click the option set file that you want to use, and then click Apply to Local System.
Creating custom installation packages Customizing product settings Remote object to use as template Lets you select the remote configuration file that you want to use as a template for new remote connection items that the user creates after installation See “Selecting the default template for remote connections” on page 33.
Creating custom installation packages Customizing product settings ■ 7 Click Apply to save your changes and continue the product configuration. If prompted, type a file name, and then click Save. Prompting users to register upon startup Symantec Packager lets you configure the product to prompt users to complete the online registration process the first time they start the product. To use this installation option, you must include the pcAnywhere Manager feature in the product configuration.
Creating custom installation packages Customizing product settings ■ Create a new product configuration. ■ Double-click an existing product to edit it. 2 In the Product Editor window, on the Installation Options tab, double-click Host object to use as template. 3 In the Host object to use as template dialog box, under Value, select the host connection item file (.bhf) that you want to use as a template. 4 Click OK.
Creating custom installation packages Customizing product settings 4 Click OK. 5 In the Product Editor window, do one of the following: 6 ■ Click OK to save your changes and close the Product Editor window. ■ Click Apply to save your changes and continue the product configuration. If prompted, type a file name, and then click Save.
Creating custom installation packages Creating a custom command Preserving existing configuration settings If you are installing a package over an existing version of pcAnywhere (from version 10.0 and later), Symantec Packager lets you preserve existing registry, host, remote, and caller configuration settings. This option is available for silent and passive mode installations only. You must configure installation mode settings at the package level. See “Creating installation packages” on page 36.
Creating custom installation packages Creating installation packages prior to inclusion in a package. Symantec pcAnywhere packages do not require custom commands. For more information about custom commands, see the Symantec Packager online Help. To create a custom command 1 In the Symantec Packager window, on the Configure Products tab, on the File menu, click New Custom Command. 2 In the Command Editor window, on the Parameters tab, double-click Description.
Creating custom installation packages Creating installation packages the configuration information and installation instructions that Symantec Packager requires to build the package. Package creation is optional for pcAnywhere custom installations. Symantec Packager lets you build the Symantec pcAnywhere product configuration file, which creates an .msi file that can be installed locally. You can deploy the Symantec pcAnywhere .msi file using a third-party deployment tool.
Creating custom installation packages Building product installations and packages 4 Click Open. The Estimated package size changes to reflect the product or command that you include. 5 Repeat 2 through 4 to add more products or custom commands. 6 In the Package Editor window, do one of the following: 7 ■ Click OK to save your changes and close the Package Editor window. ■ Click Apply to save your changes and continue the package definition. If prompted, type a file name, and then click Save.
Creating custom installation packages Building product installations and packages To build a product configuration file 1 In the Symantec Packager window, on the Configure Products tab, select the product configuration file that you want to build. 2 On the File menu, click Build. The Product Build Status window appears, which provides information about the progress of the build and logs any problems that have occurred.
Creating custom installation packages Testing packages Testing packages It is important to test packages before you deploy them to end users to ensure proper functionality. You should test package installation and deployment in an isolated, controlled environment. One to two test computers should be sufficient to conduct testing. Although some error checking occurs during the build process, some errors cannot be detected until installation.
Chapter 3 Deploying Symantec pcAnywhere custom installations This chapter includes the following topics: ■ About deployment ■ About package installation file locations ■ Deploying installation packages using Web-based deployment ■ Deploying pcAnywhere using SMS 2.
Deploying Symantec pcAnywhere custom installations About package installation file locations For more information about installing pcAnywhere, see the Symantec pcAnywhere User's Guide. ■ Symantec Packager deployment tool This tool lets you deploy packages to one or more computers on your network. The Symantec Packager deployment tool supports deployment to Microsoft 32-bit computers only (for example, Windows 2000/2003 Server/XP/Vista).
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Deploying installation packages using Web-based deployment Packages that are created with Symantec Packager can be deployed over your corporate intranet using a Web-based deployment tool that is provided by Symantec. All of the source files that are necessary to implement Web-based deployment are included on the Symantec pcAnywhere CD in the Tools/Web Deploy folder.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Table 3-1 Web server and target computer requirements (continued) Deployment Requirements Target computer ■ ■ ■ ■ ■ Internet Explorer 4.0 or later. Symantec pcAnywhere requires Internet Explorer 6.x or later for installation. Windows Installer 3.1 or later (required only for MSI installations). Browser security must allow ActiveX controls to be downloaded to the target computer.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Deploy/Webinst Deploy\Webinst\Webinst ■ brnotsup.htm ■ default.htm ■ intro.htm ■ logo.jpg ■ oscheck.htm ■ plnotsup.htm ■ readme.htm ■ start.htm ■ webinst.cab ■ files.ini ■ Launch.bat (required only for MSI installations) ■ Installation packages For example: Symantec pcAnywhere - Full Product.exe Symantec pcAnywhere - Host Only (Network).
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment The Web-based deployment tool supports Microsoft Internet Information Server (IIS) or Apache HTTP Web Server. The procedures for creating a virtual directory on these servers vary. To create a virtual directory on a Microsoft Internet Information Server 1 Do one of the following to launch the Internet Services Manager: ■ In IIS version 4.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment This file is installed by default in C:\Program Files\ Apache Group\Apache\conf. 2 Type the following lines at the end of the file: DirectoryIndex default.htm #ServerName machinename DocumentRoot "C:\Client\Webinst" For the VirtualHost Replace 111.111.111.111 with the IP address of the computer on which Apache HTTP Server is installed.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Customizing Start.htm The parameters in the Start.htm file contain information about the Web server and the location of the files that need to be installed. The configuration parameters are located near the bottom of the Start.htm file, inside the
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment You can also include additional files to support the deployment of third-party applications. To customize Files.ini for package deployment 1 In a text editor, open Files.ini. 2 In the [General] section, edit the line LaunchApplication= so that it references the package executable file that you want to start after the download completes.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment To customize Files.ini for MSI deployment 1 In a text editor, open Files.ini. 2 In the [General] section, edit the line LaunchApplication= so that it references Launch.bat. For example: LaunchApplication=Launch.bat This launches the MSI installation after the download is complete. You must also edit the Launch.bat file to include the name of the .msi file that you want to deploy.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment You must also modify the Files.ini file to run Launch.bat. See “Customizing Files.ini for MSI deployment” on page 49. Note: Installation of .msi files requires Windows Installer 3.1 or later. You should ensure that the target computer meets the system requirements before you deploy the product installation. To customize Launch.bat 1 In a text editor, open Launch.bat.
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 downloaded to the client. When the installation is complete, the security level can be restored to its original setting. Make sure that users understand the system requirements and have the administrative rights that are required for the products that they are installing.
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 SMS Package A collection of installation sources and packages that is used to inventory and install software on SMS client computers SMS packages can be any type of software program that supports installation using SMS. Package Definition File An SMS-specific information file used by SMS to create and deploy SMS packages The default package definition file (PDF) that is supplied with pcAnywhere is named pcAnywhere.
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 Preparing the Package Definition File A default Package Definition File (pcAnywhere.pdf) is provided with pcAnywhere. This file can be modified to accommodate any package created with Symantec Packager. To use the supplied Package Definition File without modification, do one of the following: ■ For .exe-based packages, rename the pcAnywhere package that you want to use to Package.exe. ■ For .
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 6 Click Always obtain files from a source directory. Do not select This package does not contain any files. 7 Click Browse to locate the folder that contains the pcAnywhere package that you created with Symantec Packager (or a supplied, preconfigured package). The Create Package from Definition Wizard uses this folder to point to the pcAnywhere package.
Deploying Symantec pcAnywhere custom installations Using Windows 2000/2003 Server/XP/Vista logon scripts 5 Click Browse, and then and pick the collection to which you want to advertise the installation. 6 Set the schedule, requirements, and appropriate security rights of the package. After the advertisement is created, pcAnywhere should deploy to all of the selected clients.
Deploying Symantec pcAnywhere custom installations Using Windows 2000/2003 Server/XP/Vista logon scripts @echo off setlocal REM ***** Package Variable -- Change to name of pcA Package ***** Set Package=Package.MSI REM ***** EXE or MSI Variable -- Change to package type (MSI or EXE) ***** Set PkgType=MSI Rem ***** File Server Name Variable ***** Rem ***** Change to server containing the pcA Package ***** Set FSName=\\2KServer REM ***** Maps a drive to the network share ***** net use z: %FSName%\PCAHOME REM
Deploying Symantec pcAnywhere custom installations Using NetWare logon scripts rd pcapkg Net Use Z: /DELETE :End endlocal Testing the Windows logon script Test the completed script on one or two workstations before setting up the script for all users. Windows 2000/2003 Server/XP/Vista users must have local administrative rights on their computers to install the pcAnywhere package.
Deploying Symantec pcAnywhere custom installations Using NetWare logon scripts Writing the NetWare logon script Use the following sample logon script and deployment batch file to roll out pcAnywhere. The script creates the appropriate drive mappings to the local workstation and launches the deployment batch file. The batch file installs the pcAnywhere package and removes the installation files when complete. The following examples assume default installation folders.
Deploying Symantec pcAnywhere custom installations Using NetWare logon scripts REM ***** Creates a folder in the Temp dir, and copies the package ***** C: CD %TEMP% MD pcapkg CD pcapkg Z: COPY %Package% c: REM ***** Launches package installation ***** C: IF %PkgType% == MSI msiexec -i %Package% IF %PkgType% == EXE %Package% REM ***** Cleanup ***** del %Package% CD ..
Chapter 4 Performing centralized management This chapter includes the following topics: ■ About centralized management ■ Managing pcAnywhere hosts remotely ■ Integrating with Microsoft Systems Management Server ■ About the Microsoft Distributed Component Object Model (DCOM) ■ About centralized logging About centralized management Symantec pcAnywhere includes the pcAnywhere Host Administrator tool, which lets you remotely manage multiple pcAnywhere hosts on a network.
Performing centralized management Managing pcAnywhere hosts remotely ■ Remotely start, stop, and connect to pcAnywhere hosts on the network ■ Create configuration groups to remotely manage and configure multiple workstations on the network ■ Simultaneously distribute pcAnywhere configuration files, including host, remote, and caller files, to multiple workstations on the network Installing the pcAnywhere Host Administrator tool The pcAnywhere Host Administrator tool is available as a custom setup
Performing centralized management Managing pcAnywhere hosts remotely 11 Click Install. 12 Follow the on-screen instructions to continue the installation process. When the installation is complete, click Finish. If your computer requires updates to system files, you will be prompted to restart your computer. The restart is necessary to ensure proper functionality.
Performing centralized management Managing pcAnywhere hosts remotely If you are using MMC, the pcAnywhere Host Administrator console is listed under Console Root. For more information, see the documentation for MMC. To create a configuration group 1 In the console window, in the left pane, under pcAnywhere Host Administrator, right-click Configuration Groups, and then click New > Configuration Group. 2 Type a name for this group. 3 Click OK.
Performing centralized management Managing pcAnywhere hosts remotely Admin.bhf Host template for the host computers that you want to remotely manage To use this template to start a host session, you must configure the caller information. Symantec pcAnywhere requires a user name and password for all host sessions. For more information, see the Symantec pcAnywhere User's Guide. Admin11.
Performing centralized management Managing pcAnywhere hosts remotely 6 In the pcAnywhere Manager window, in the right pane, under Remotes, right-click the remote connection item that you just created, and then click Rename. 7 Type a name. For example: Admin11 Creating a new administrator host item The administrator host connection contains the connection and security information needed to allow a remote administrator to connect from the pcAnywhere Host Administrator console.
Performing centralized management Managing pcAnywhere hosts remotely 8 In the pcAnywhere Manager window, in the right pane, under Hosts, right-click the host connection item that you just created, and then click Rename. 9 Type a name. For example: Admin Configuring a host item in pcAnywhere Host Administrator The pcAnywhere Host Administrator tool lets you create a host item that you can distribute to the host computers in your configuration group.
Performing centralized management Managing pcAnywhere hosts remotely 3 In the Distribute pcAnywhere Files dialog box, select the computers to which you want to distribute the file. 4 Select the file that you want to distribute. 5 Click OK. Managing hosts in a configuration group Once you have configured the computers in your configuration group, use the pcAnywhere Host Administrator console to start, stop, or connect to any managed host in the group.
Performing centralized management Integrating with Microsoft Systems Management Server Integrating with Microsoft Systems Management Server Symantec pcAnywhere supports integration with the Microsoft Systems Management Server (SMS). SMS is a scalable change and configuration management system for Microsoft Windows-based computers and servers. Symantec pcAnywhere provides the support files needed to integrate with SMS. These files are offered only on the Symantec pcAnywhere CD.
Performing centralized management About the Microsoft Distributed Component Object Model (DCOM) DCOM runs on a variety of network protocols and, by default, attempts to make connections on all installed protocols. After connecting to the network, DCOM uses Windows NT authentication to verify the necessary access rights. For example, an administrator with the appropriate access rights can perform management tasks on a locked pcAnywhere host from any location.
Performing centralized management About the Microsoft Distributed Component Object Model (DCOM) For more information, consult the dcomcnfg.exe online documentation. To modify DCOM settings ◆ In Windows 2000/2003 Server/XP/Vista, open the \WinNT\System32 folder, and then run dcomcnfg.exe. About AwShim AwShim is the management component that bridges pcAnywhere and the centralized management integration. The pcAnywhere Host Administrator tool uses AwShim to start and stop host and remote sessions.
Performing centralized management About centralized logging About centralized logging Security, accountability, and logging are important concerns in a distributed computing environment. Symantec pcAnywhere provides an extended logging utility that supports centralized event logging. An administrator can collect logging information from every pcAnywhere host on the network and store this information on a secure, centralized server.
Performing centralized management About centralized logging 6 Select the events that you want to log. For more information, see the Symantec pcAnywhere User's Guide. 7 Click OK. About the pcAnywhere MIB file The pcAnywhere MIB file outlines the SNMP traps that pcAnywhere can generate. Use the pcAnywhere MIB file as a tool to help build automated responses to pcAnywhere events that occur on the network. The pcAnywhere MIB file is located in the following directory: \Program Files\Symantec\pcAnywhere\CMS
Performing centralized management About centralized logging
Chapter 5 Integrating pcAnywhere with directory services This chapter includes the following topics: ■ About directory services ■ Using directory services with pcAnywhere ■ Configuring the directory servers ■ Configuring pcAnywhere to use directory services About directory services The directory services capability in pcAnywhere is an example of a Lightweight Directory Access Protocol (LDAP) client application, which stores and retrieves information about users.
Integrating pcAnywhere with directory services Configuring the directory servers When the remote starts, a new application, the directory services browser, launches and connects to an LDAP server. The directory services browser queries all entries that satisfy its filter criteria and displays the entries in a list view. You can then select the host to which you want to connect from this list.
Integrating pcAnywhere with directory services Configuring the directory servers 8 Type the password for the Directory Manager, and then click Submit. 9 On the left selection bar, click Create Objectclass. 10 In the ObjectClass Name field, type pcaHost 11 In the Available Attributes list, locate the objectclass attribute, and then click Add to include it in the Required Attributes list.
Integrating pcAnywhere with directory services Configuring the directory servers 17 Click OK to add the object class. 18 On the Tasks tab, click Restart the Directory Server. 19 At the prompt, click Yes. Configuring Novell v5.0 server The following procedures only apply if LDAP is installed, configured, and functioning on the Novell server with Novell Directory Services (NDS) 8.0.
Integrating pcAnywhere with directory services Configuring the directory servers Creating the pcaHost object in ConsoleOne Follow this procedure to create the pcaHost object. To create the pcaHost object in ConsoleOne 1 Open ConsoleOne from the following location: sys:public\mgmt\ConsoleOne\1.2\bin\ConsoleOne.exe 2 On the Tools menu, click Schema Manager. 3 On the Class tab, click Create. 4 Click Next. 5 In the Name field, type pcaHost, leaving the ASNI ID blank. This entry is case-sensitive.
Integrating pcAnywhere with directory services Configuring the directory servers 7 In the LDAP attribute field, type pcaHostEntry This entry is case-sensitive and must be entered exactly as it appears above. 8 In the NDS Attribute box, click pcaHostEntry. 9 Click OK. 10 Do one of the following: ■ Click Apply to map other attributes. ■ Click OK to finish. 11 To modify the attributes for this map, highlight the attribute, and then click Modify.
Integrating pcAnywhere with directory services Configuring the directory servers To create an LDIF file 1 In Notepad, type the following lines for each user: DN:cn=user,ou=organization_unit,o=organization Changetype:modify Add:objectclass Objectclass:pcaHost 2 Save this file locally, and then copy it to the following location: sys:system\schema\ 3 At the server prompt, type the following: Load Bulkload.nlm 4 Click Apply LDIF file. 5 At the prompt, type the following log path: sys:system\schema\
Integrating pcAnywhere with directory services Configuring the directory servers To assign rights to multiple users 1 Click the container in which to place the group. 2 Right-click the container, and then click New > Group. 3 Type a name for the group. 4 Right-click the group name, and then click Properties. 5 On the Members tab, click Add to include other users. 6 On the File menu, click Properties Of Multiple Objects to establish access rights.
Integrating pcAnywhere with directory services Configuring the directory servers To add the snap-in 1 On the Windows taskbar, click Start > Run. 2 Type mmc 3 Click OK. 4 On the Console1 toolbar, click Console > Add/Remove Snap-in. 5 In the Add/Remove Snap-in dialog box, click Add. 6 Click Active Directory Schema, and then click Add. 7 Close the Add standalone snap-in dialog box. 8 In the Add/Remove Snap-in dialog box, click OK.
Integrating pcAnywhere with directory services Configuring the directory servers Creating the pcaHost object Follow this procedure to create the pcaHost object. To create the pcaHost object 1 In the Common Name entry field, type pcaHost This is case-sensitive. 2 In the LDAP Display Name field, type pcaHost 3 In the Unique X500 Object ID field, type the following: 1.3.6.1.4.1.393.100.9.8.2 4 In the Parent class field, type Top 5 In the Class list, click Auxiliary. 6 Click Next.
Integrating pcAnywhere with directory services Configuring the directory servers Setting the rights for the pcAnywhere user To set up the rights for the pcAnywhere user, you must first set up view rights, and then set up edit rights. To set up view rights for the user 1 On the Windows taskbar, click Start > Programs > Administrative Tools >Active Directory Users and Computers. 2 On the View menu, make sure that Advanced Features is selected. This enables the Security tab in the property pages.
Integrating pcAnywhere with directory services Configuring pcAnywhere to use directory services 8 On the Object tab, in the Apply onto list, click Child objects only. 9 Click OK until you close the Security property page. Configuring pcAnywhere to use directory services Configuring pcAnywhere to use directory services involves the following process: ■ Set up directory services in pcAnywhere preferences so that all connection items use the same settings.
Integrating pcAnywhere with directory services Configuring pcAnywhere to use directory services 7 Click Advanced to configure the port number and the search base of the directory tree. You should always configure this information. The Port number controls the port that the directory server uses to accept queries from the client. The default port is 389. Search Base is the root of the directory structure that begins the query search. 8 Click OK.
Integrating pcAnywhere with directory services Configuring pcAnywhere to use directory services Setting up the remote computer to use directory services When you set up a remote connection to use directory services, the remote looks on the directory server for waiting host connections. Configure the directory server entries before beginning this procedure. To set up the remote computer to use directory services 1 In the pcAnywhere Manager window, click Remotes.
Chapter 6 Managing security in Symantec pcAnywhere This chapter includes the following topics: ■ Controlling access to pcAnywhere hosts ■ Protecting session security ■ Maintaining audit trails ■ Implementing policy-based administration Controlling access to pcAnywhere hosts The first step in securing a computer environment is controlling remote access to the network. Administrators should limit the number of external entry points into their networking infrastructure.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts ■ Implement an authentication method. Symantec pcAnywhere supports a number of centralized authentication types, including Active Directory, Novell Directory Services, Novell Bindery, NT, and RSA SecurID, giving you the flexibility of using the authentication measures already in place on your network. See “Leveraging centralized authentication in pcAnywhere” on page 91.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts To limit connections to specific computer names or IP addresses 1 In the pcAnywhere Manager window, on the Edit menu, click Preferences. 2 In the pcAnywhere Options window, on the Host Communications tab, under Limit connections to the following names or IP addresses, type the computer name or IP address of the remote users from which you want to allow connections. 3 Click Add Restriction.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts ■ On the host computer, open pcAnywhere and configure a host connection item to use SecurID authentication. For more information, see the Symantec pcAnywhere User's Guide. When a remote user attempts to connect to a host computer that uses SecurID authentication, the user is prompted for authentication credentials which include a PIN number, logon name, and passcode.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts Table 6-1 Microsoft Windows-based authentication types (continued) Microsoft Windows-based authentication types Explanation Windows Validates a user or group by checking a Microsoft Networking Shared Directory.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts Using Novell-based authentication types Table 6-2 includes information about the authentication types for Novell-based platforms. Note: Novell-based authentication requires Novell NetWare Client 32. The Novell Client 32 is currently not supported on Windows Vista.
Managing security in Symantec pcAnywhere Protecting session security Table 6-3 Web-based authentication types (continued) Web-based authentication Explanation methods Implementation in pcAnywhere HTTP Caller Authentication Lets a host that is running on Users must specify a server an HTTP Web server validate name and a valid user name. a user by checking a user list associated with the HTTP service. The user name and password are sent over the network in clear text.
Managing security in Symantec pcAnywhere Protecting session security Table 6-4 Session security options Option Description Strong encryption Protect the data stream, including the authorization process, from eavesdropping and hacker attacks by using strong encryption. Symantec pcAnywhere supports public-key and symmetric types of strong encryption. When connecting with a host or remote that is running pcAnywhere 11.0.
Managing security in Symantec pcAnywhere Maintaining audit trails Table 6-4 Session security options (continued) Option Description Time limits for individual users or Protect the host from a malicious user's intent on user groups disrupting service, as well as from innocent users who inadvertently forget to end a session, by setting time limits for sessions and configuring the host to automatically end the session after a specified length of inactivity.
Managing security in Symantec pcAnywhere Implementing policy-based administration Implementing policy-based administration Administrators can securely customize the look and behavior of pcAnywhere through centralized policy-based administration. Symantec pcAnywhere supports Group Policy in Windows 2000/2003 Server/XP/Vista. Administrator rights are required to modify policy settings in Windows 2000/2003 Server/XP/Vista.
Managing security in Symantec pcAnywhere Implementing policy-based administration To import the pcAnywhere.adm file for Windows 2000/2003 Server/XP/Vista 1 On the Windows taskbar, click Start > Run, and then type the following: gpedit.msc 2 In the console window, in the left pane, select the Group Policy object for which you want to set policies. 3 Under the Group Policy object, right-click Administrative Templates, and then click Add/Remove Templates.
Managing security in Symantec pcAnywhere Implementing policy-based administration Table 6-5 Location of pcAnywhere policy settings (continued) Folder Description Actions\pcAnywhere Tools Contains policy settings to prohibit users from using the following tools in pcAnywhere: ■ Package Deployment Tool ■ Host Administrator ■ Activity Log Processing Actions\Remote Management Contains policy settings to prohibit users from using all Remote Management features or from using individual features.
Managing security in Symantec pcAnywhere Implementing policy-based administration Table 6-5 Location of pcAnywhere policy settings (continued) Folder Description UI Changes\Help Lets you use a custom URL for the Service and Support option on the Help menu. Managing user policies in Windows 2000/2003 Server/XP/Vista To manage user policies in Windows 2000/2003 Server/XP/Vista, you must run MMC with the Group Policy snap-in.
Managing security in Symantec pcAnywhere Implementing policy-based administration
Index Numerics .bhf files 22, 66 .chf files 22, 65 .cif files 22, 66 .cqf files 22 .sid files 25 A ACE/Agent. See SecurID ACE/Server. See SecurID Active Directory Services 82 Admin.bhf 65 Admin11.chf 65 administrative template 98 alias 52 authentication centralized types 91 global users 93 Microsoft Windows-based methods 93 Novell-based methods 94 two-factor 91 Web-based methods 95 awshim.exe 71 C caller files 22 centralized server logging events on 72 command configuration files.
Index event logging (continued) SNMP traps 72 login scripts (continued) testing 58, 60 F M Files.ini file 48–49 management shims 71 MIB 73 Microsoft Management Console. See MMC migration about 11 from pcAnywhere 10.x 13 from pcAnywhere 11.
Index packages (continued) configuring products 18 defining 37 deployment over Web 43 testing 51 using SMS 53 integrity stamping 24 product dependencies 20 product settings host templates 32 installation directory 31 online registration 32 preserving 35 product updates 34 remote templates 33 serializing 25 setting global options 27 testing 40 pcAnywhere Tools Host Administrator 61 pcAnywhere.