BP (v6) to EPS SOA (v7) Upgrade - Residual Problems

[nannunannu]

Should start with - I'm new to the avast business products.  I've used product for years on personal computers, but the managed console stuff is a little bit of a learning process...  So, I'm asking for a sanity check on a couple things:

After a reboot, the web service is not initialiazing on the secure port 8732.  What was strange is that it worked for a day after the upgrade (before rebooting the server)...  HTTP console access on 8731 works, thankfully.  Restarting the Admin Console Website Host service does not corect the issue, and both ports have rules to allow access in the windows firewall rules.  Any idea what is happening here?

Some clients have failed to start the network shield after the managed client updated itself.  It's happened as more of a fluke on a workstation running Vista (32 bit), and consistantly on several servers running 2003 R2 (32bit) and 2008 R2 (64 bit)...  The servers also fail to run the mail shield after the upgrade.  Removing and reinstalling the managed client (with out, and then again with the clean removal tool) enabled the mail shield on the servers, but left the network shield not installed / not running.  Upon further review it looks like it was not installed for servers with the v6 client - but the status is a green check (secured) in the console, where as the status has the amber (attention) indicator with the v7 client in the same condition.  It makes sense that the network shield may _not_ want to be installed on a file server (especially one that has iSCSI volumes mounted), but I'm just not familiar enough with the product to say that with 100% certainty.  It's odd to me that the "out of the box" configuration is giving a "system is not secured" warning though, which is the crux of my question about the network shield on server 2003/2008 boxes.

It is likely that I'm going to disable monitoring the network shield for my servers group, but before I do that - can anyone bring me some clarity on what "should" be running on a server with the managed EPS client? 

Thanks.

[marekb]

Hi nannunannu,
Log files would be very useful there, could you please open a console, then go to Admin -> Settings -> Troubleshooting -> Generate troubleshooting package and send it to my email?

Thanks,
Marek

[nannunannu]

Email should be on the way, let me know if you don't recieve it in the next 10 minutes.

Regarding the attention status of the avast managed client on servers - I think the warning was due to the SharePoint shield...  We don't use it, but I didn't customize the installer to not include it, so it apparently installed on all servers and was in a waiting status.  I disabled the SharePoint shield and exchange shield in the group settings (we don't use either one) and that seemed to make things happy from a "attention" status standpoint.

Mentioned this in the email, but I'm still curious about a definitive answer about the "correctness" of the behavior we are seeing with the network shield not installing on servers by default...  I guess it's correct, but want someone to confirm.  And the mail shield not installing on the servers during an upgrade from the v6 to v7 managed client, but is installing on the servers during a clean install of the v7 managed client.  Is that a situation I'm causing, or something to resolve with the install package?

Thanks for the help!


Edit:  I guess as another datapoint I should mention that I didn't cusomize the v6 installer either before that version of the managed client was deployed to these servers, FWIW.

[marekb]

Hi,
There is a bug in current installation of avast! Small Office Administration that causes secure (HTTPS) site to be unavailable when upgrading from previous versions of avast! Administration Console. This will be fixed in next console update.

To workaround this issue, please perform following steps:

1. Regenerate default certificate
Start a command line and invoke following command:

Code: [Select]

C:\Program Files\AVAST Software\Administration Console\Avast.Sbc.ServiceUtil.exe -c certificate -vThis should create default certificate. Write down the value of field [Thumbprint], you will need it in next steps.

2. Delete the existing SSL certificate binding:
In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool with the delete and ssl keywords. Use the -i switch to specify the IP:port number.

Code: [Select]

httpcfg delete ssl -i 0.0.0.0:8732In Windows Vista/7/2008, use the Netsh.exe tool using following command:

Code: [Select]

netsh http delete sslcert ipport=0.0.0.0:8732
3. Bind newly created certificate to port 8732:
In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool in "set" mode on the Secure Sockets Layer (SSL) store to bind the certificate to a port number. The tool uses the thumbprint to identify the certificate, as shown in the following example.

Code: [Select]

httpcfg set ssl -i 0.0.0.0:8732 -h <THUMBPRINT>In Windows Vista/7/2008, use the Netsh.exe tool:

Code: [Select]

netsh http add sslcert ipport=0.0.0.0:8732 certhash=<THUMBPRINT> appid={00112233-4455-6677-8899-AABBCCDDEEFF} Note: Replace the <THUMBPRINT> with an actual certificate thumbprint e.g. 0000000000003ed9cd0c315bbb6dc1c08da5e6

Now you should be able to access secured site on https://localhost:8732/

Hope this helps,
Marek

[petr.chytil]

Hello nannunannu,

regarding the v6 -> v7 server antivirus update. You mention mail shield not being installed during the upgrade process.

As far as I know, it a bug in the upgrade process itself. It "recovers" the default component configuration of the new version during the upgrade.

In version 7, we do not install mail shield and network shield by default. Mail shield on the server is useful only when an e-mail client is installed on the machine. We just don't see that as a common configuration. However, you can install it if you want. The network shield is deselected for possible issues with network sharing etc. So it is not installed by default.

[nannunannu]

In Windows Vista/7/2008, use the Netsh.exe tool:

Code: [Select]

netsh http add sslcert ipport=0.0.0.0:8000 certhash=<THUMBPRINT> appid={00112233-4455-6677-8899-AABBCCDDEEFF} Note: Replace the <THUMBPRINT> with an actual certificate thumbprint e.g. 0000000000003ed9cd0c315bbb6dc1c08da5e6

should that be 0.0.0.0:8000 or 0.0.0.0:8732
??

[nannunannu]

In version 7, we do not install mail shield and network shield by default. Mail shield on the server is useful only when an e-mail client is installed on the machine. We just don't see that as a common configuration. However, you can install it if you want. The network shield is deselected for possible issues with network sharing etc. So it is not installed by default.

Makes sense.  Thanks for the confirmation. 

[nannunannu]

In Windows Vista/7/2008, use the Netsh.exe tool:

Code: [Select]

netsh http add sslcert ipport=0.0.0.0:8000 certhash=<THUMBPRINT> appid={00112233-4455-6677-8899-AABBCCDDEEFF} Note: Replace the <THUMBPRINT> with an actual certificate thumbprint e.g. 0000000000003ed9cd0c315bbb6dc1c08da5e6

should that be 0.0.0.0:8000 or 0.0.0.0:8732
??

FWIW I did it with 8732 (only makes sense), and it worked.

Code: [Select]

netsh http add sslcert ipport=0.0.0.0:8732 certhash=<THUMBPRINT> appid={00112233-4455-6677-8899-AABBCCDDEEFF} Note: Replace the <THUMBPRINT> with an actual certificate thumbprint e.g. 0000000000003ed9cd0c315bbb6dc1c08da5e6

Thanks for your help.

Edit:  If anyone else tries these instructions and has the Avast.Sbc.ServiceUtil.exe program crash, you need to run the CMD prompt as an administrator.  Sounds self explanatory but I managed to need two attempts to get it right. 

[marekb]

Sorry for the typo, it should be 8732 ;-)

Thanks,
Marek

[ChadT]

1. Regenerate default certificate
Start a command line and invoke following command:
Code: [Select]
C:\Program Files\AVAST Software\Administration Console\Avast.Sbc.ServiceUtil.exe -c certificate -v
This should create default certificate. Write down the value of field [Thumbprint], you will need it in next steps.

I keep getting the error "ERROR! Missing some required input parameters" when I run this command.  I'm using your exact string with the addition of double quotes around the folder names with spaces.  The help file that displays when it gives me the error shows the following information:

Code: [Select]

C:\>C:\"Program Files"\"AVAST Software"\"Administration Console"\Avast.Sbc.ServiceUtil.exe -c certificate -v
Avast! Business Protection - Service Utility 1.0
Example usage:
Avast.Sbc.ServiceUtil -c restore
Avast.Sbc.ServiceUtil -c restart -v --log-file c:\log.txt
Avast.Sbc.ServiceUtil.exe -c configure --config-item="Server port"
--config-value="8731
Supported options:

  c, command      Required. Command to be executed. Supported commands:
                  'restart' - Restarts the avast! Administration Console service process.
                  'restore' - Restores default configuration and avast! related properties in node group settings.
                  'configure' - Changes selected configuration value.
  v, verbose      Enable verbose output.
  log-file        Optional logfile. The utility will log to console by default.
  max-retrials    Maximum number of command retrials (valid for 'restart' command only)
  force           Skip questions (the whole process will proceed without user interaction).
  config-class    Configuration class to be modified (valid for 'configure' command only)
  config-item     Configuration item to be modified (valid for 'configure' command only)
  config-value    Configuration value to be set (valid for 'configure' command only)
  timeout         Timeout of the server STARTING/STOPPING operations (in seconds).
  help            Display this help screen.
ERROR! Missing some required input parameters
I don't see a "certificate" command listed in the help file.  I'm running this as a domain admin on a 2008 R2 server.  Any help would be appreciated.

[nannunannu]

I don't see a "certificate" command listed in the help file.  I'm running this as a domain admin on a 2008 R2 server.  Any help would be appreciated.

Personally, I changed directory to the folder then just ran "Avast.Sbc.ServiceUtil.exe -c certificate -v" from the appropraite working directory.  I also got an error the first time and had to close the CMD prompt and relaunch it with a right click and "Run as Administrator" on a 2008 R2 server, even though I was logged into the desktop with an account that was a local admin on the server. 

[ChadT]

Personally, I changed directory to the folder then just ran "Avast.Sbc.ServiceUtil.exe -c certificate -v" from the appropraite working directory.  I also got an error the first time and had to close the CMD prompt and relaunch it with a right click and "Run as Administrator" on a 2008 R2 server, even though I was logged into the desktop with an account that was a local admin on the server.

I am running CMD as an administrator (via right clicking).  Changed directory to the folder and ran just the exe with the commands but got the same error.

[nannunannu]

Are you running an older version (Busienss Protection?) or did you install the new EPS SOA (v7) console?

Just checked and that utility certainly thinks it has more options in this environment...

Code: [Select]

Avast! Business Protection - Service Utility 1.0
Example usage:
Avast.Sbc.ServiceUtil -c restore
Avast.Sbc.ServiceUtil -c restart -v --log-file c:\log.txt
Avast.Sbc.ServiceUtil.exe -c configure --config-item="Server port"
--config-value="8731
Supported options:

  c, command       Required. Command to be executed. Supported commands:
                   'restart' - Restarts the avast! Administration Console
                   service process.
                   'restore' - Restores default configuration and avast!
                   related properties in node group settings.
                   'configure' - Changes selected configuration value.
                   'troubleshoot' - Creates a troubleshooting package from the
                   current installation.
                   'ports' - Allows you to alter listen ports for the service.
                   'certificate' - Creates a new certificate for the server to
                   use on the secure connection.
  v, verbose       Enable verbose output.
...[/code

[ChadT]

Are you running an older version (Busienss Protection?) or did you install the new EPS SOA (v7) console?

I apologize for the slow response.  Had a couple of major projects that took priority over this.  Apparently I was running the older version.  I had not downloaded the correct update for the console.  I downloaded and ran the "setup_console_ep_full.exe" and everything worked as soon as the update was finished.

Root Cause of issue: User error - Did not download and install the correct console file.

[Bicgatepc02]

I think I'd be able to be a little more understanding if I had received at least an acknowledgement from them with a "We're aware of your issue and will get back to you soon"... But spending close to 700.00, just to get the silent treatment is really making me wonder if I need to re-evaluate my recommending Avast to friends and customers.