Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Best Practice - Altiris Solutions Agent Configuration

Created: 18 Mar 2009 | 6 comments
Language Translations
Antonp's picture
+6 8 Votes
Login to vote

Many people often ask what is the best configuration for their Altiris agent and various Solution agents. Well it always depends on your environment and infrastructure design.

Below is a quick guide into what settings to use in a typical environment where you have 3000 - 4500 clients connecting to one Altiris Notification server. If you have fewer clients than mentioned in your environment you may downscale on some of the settings below, or even upscale on some of the settings if you have more clients connection. But please keep in mind the limit of clients connection to one Altiris Notification server.

 
Typical Configuration:

1. Altiris Agent Configuartion

  • All Desktop Computers (excluding package servers)
  •   General
  •   Interaction
  •   Advance Settings
  • All windows Servers (excluding package servers)
  •   General
  •   Interaction
  •   Advance Settings
  • Altiris agent Upgrade

2. Inventory Solution Policies

  • Hardeware inventory
  • Recreate Full Inventory
  • Recreate User Inventory
  • Software Inventory
  • User Inventory

3. Software Delivery Agent Policies

  • Software Delivery Agent Install
  • Software Delivery Agent Upgrade

4. Application Metering Solution Policies

  • Application Metering Agent Install/Upgrade

5. Carbon Copy Solution Policies

  • All windows 98/ME computers
  • All windows NT/2000/XP/2003 Computers

6. Carbon Copy Solution Rolllout Policies

  • No Reboot - Carbon Copy Agent Install
  • No Reboot - Carbon Copy Agent Upgrade

7. Patch Management Solution Configuration Policy

  • Default Software Update Configuration Policy

8. Patch Management Solution Rollout Policies

  • Default Software Update Install Policy
  • Default Software Update Upgrade Policy

 

Altiris Agent Configuration

All Desktop Computers (excluding package servers)

imagebrowser image

General TAB

 

Agent Basic Settings

  • Request new configuration info every  -  4 hours
  • Send Basic Inventory every                   -  1 Day
  • Agents should compress events over  -  200 Kbytes

Download and Execute Options

  • Leave as Default

Bandwidth/Throttle Settings

  • Enable throttling when connection speed is below 50 Kbyte/sec
  • Throttle regardsless of connection speed to be enabled when clients connect from various sites on low speed lines.

Disable Period and Blockout Periods

  • No blockout settings defined, unless business requires it
  • Recommended to use blockout if the bandwidth utilization is high during business hours, no altiris communication will pass through until the blockout period expires.

imagebrowser image

Interaction TAB

  • Recommended to remove altiris icon from the systems tray
  • Recommended to notify users when manual software delivery task arrive
  • Other settings should stay default

imagebrowser image

Advance Settings TAB

  • Recommended to enable power management on the altiris agent.

All windows servers (excluding package servers)

imagebrowser image

General TAB

Agent Basic Settings

  • Request new configuration info every  -  2 hours
  • Send Basic Inventory every                   -  1 Day
  • Agents should compress events over  -  200 Kbytes

Download and Execute Options

  • Leave as Default

Bandwidth/Throttle Settings

  • Enable throttling when connection speed is below 50 Kbyte/sec
  • Throttle regardsless of connection speed to be enabled when clients connect from various sites on low speed lines.

Disable Period and Blockout Periods

  • No blockout settings defined, unless business requires it
  • Recommended to use blockout if the bandwidth utilization is high during business hours, no altiris communication will pass through until the blockout period expires.

imagebrowser image

Interaction TAB

  • Recommended to remove altiris icon from the systems tray
  • Recommended to not notify users when manual software delivery task arrive
  • Other settings should stay default

imagebrowser image

Advance Settings TAB

  • Recommended to enable power management on the altiris agent.

Altiris Agent Upgrade

imagebrowser image

  • Recommended to have this always enabled to avoid outdated agents
  • Applies to all windows computers requiring altiris agent upgrade
  • Should be set to "Run once ASAP", as new versions are available and on a daily schedule with run as soon as possible after the scheduled time enabled

Inventory Solution
Hardware Inventory

imagebrowser image

  • Should always be enabled to gather inventory information
  • Run schedule as per above

Recreate Full Inventory

imagebrowser image

  • Should always be enabled to gather inventory information
  • Run schedule as per above

Recreate User inventory

imagebrowser image

  • Should always be enabled to gather inventory information
  • Run schedule as per above

Software Inventory

imagebrowser image

  • Should always be enabled to gather inventory information
  • Run schedule as per above

User Inventory

imagebrowser image

  • Should always be enabled to gather inventory information
  • Run schedule as per above

Software Delivery Solution Agent Install

imagebrowser image

  • Should be enabled if used
  • should be applied to a target collection
  • Should be set to run "Run once ASAP" and on a daily schedule with run as soon as possible scheduled time enabled

Software Delivery Solution Agent

imagebrowser image

Upgrade

  • should always be enabled
  • should be applied to a target collection
  • Should be set to run "Run once ASAP" and on a daily schedule with run as soon as possible scheduled time enabled

Application Metering Agent

Install/Upgrade

imagebrowser image

  • Should be enabled if used
  • should be applied to a target collection
  • Should be set to run "Run once ASAP" and on a daily schedule with run as soon as possible scheduled time enabled

Application Metering Configuration Policy

imagebrowser image

  • Ensure that this policy gets disabled first. It is enabled by default, but unless otherwise specified by the client, not needed.

Carbon Copy Agent Settings

All Windows 98/ME Computers

imagebrowser image

General TAB

  • Should be enabled
  • Carbon Copy agent shouldn't be displayed in the system tray, except when a connection is made
  • User should be notified during a connection attempt
  • User is always required to approve a connection
  • Data encryption should be disabled, slows down connection

imagebrowser image

Authentication TAB

  • Connections should always be authenticated
  • Use AD integrated accounts

Carbon Copy Agent Settings

All windows NT/2000/XP/2003 computers

imagebrowser image

  • Should be enabled
  • Carbon Copy agent shouldn't be displayed in the system tray, except when a connection is made
  • User should be notified during a connection attempt
  • User is always required to approve a connection
  • Data encryption should be disabled, slows down connection

imagebrowser image

Authentication TAB

  • Connections should always be authenticated
  • Use AD integrated accounts

No Reboot - Carbon Copy Agent Install

imagebrowser image

  • Must be enabled to rollout Carbon Copy agent
  • Use the "No reboot- Carbon Copy Agent Install"
  • Should be applied to a target collection
  • Should be set to run "Run once ASAP" and on a daily schedule with run as soon as possible scheduled time enabled

No Reboot - Carbon Copy Agent Upgrade

imagebrowser image

  • Must be enabled to upgrade Carbon Copy agent
  • Use the "No reboot- Carbon Copy Agent Install"
  • Should be applied to a target collection
  • Should be set to run "Run once ASAP" and on a daily schedule with run as soon as possible scheduled time enabled

Patch Management Solution Configuration Policies

Default Software Update Agent Configuration Policy

imagebrowser image

General TAB

  • Must be enabled
  • Schedule: For aggressive install of Microsoft Patches it is recommended that you specify multiple times for the installation. i.e. 3am, 10am, 1pm, 3pm and 9pm. This ensures that it runs at all times of the day and deploys to all machines of all shifts.

imagebrowser image

Notification TAB

  • Normally this is left default with no notifications going out to the user. Specify on request from clinet only.

imagebrowser image

  • Under "Download Software Update Packages" specify the location of where you would like to store all your downloaded patches, normally on a data drive.
  • Ensure that failed downloads are set to retry 3 times and click apply

imagebrowser image

  • Ensure that QChain settings are set to:
  •             Only download if modified
  •             On a schedule, default is fine
  •             Retry failed downloads 3 times

imagebrowser image

These settings will be for both Microsoft Patch Management Import and the Microsoft Import - Supplementary:

  • Locations left as default
  • Only download if odified
  • Run on a daily schedule, night or early mornings
  • Retry 3 times
  • Select "Automatically revise software update tasks after patch management import.

imagebrowser image

 

Software Update Agent Install Policy

imagebrowser image

  • Always enabled
  • should be applied to a target collection
  • Should be set to run "Run once ASAP" and on a daily schedule with run as soon as possible scheduled time enabled

imagebrowser image

Software Update Agent Upgrade

  • Always enabled
  • should be applied to a target collection
  • Should be set to run "Run once ASAP" and on a daily schedule with run as soon as possible scheduled time enabled

Comments 6 CommentsJump to latest comment

ag97690's picture

Don't forget about the Remote Altiris Agent Diagnostics tool. This tool is great for information on a machine not working correctly or if you need to get a machine to run a job manually. The tool does so much that everyone administrating Altiris should have it. Look for the download in  Altiris Knowledge base article #45023

+3
Login to vote
jjesse's picture

When working on setting the Altiris Agent settings and the othe other solutions confiugrations make sure you are setting them for your enviornment and not totally based on best practices.
These best practices can give you a starting a place for how your Altiris system and Agents run, but they could adversly affect your environment.  This is part of designing your infrastructure correctly.  What business needs and service level agreeements do you need to take into consideration when setting agent policies?  If there are some, then adjust to those needs.  How often and how active are your software delivery jobs runing? 
There are a lot of questions that need to be addressed when setting agent policies.  Make sure to think those through before makng changes.

Remember document the settings you made and the reason behind the settings you have selected.

An Altiris infrastructure should always improve your current enviornment, never harm the environment.

Jonathan Jesse Practice Principal ITS Partners

+2
Login to vote
RHN's picture

Would disabling encryption of data mean the data get ssent in the clear ??

0
Login to vote
G Ross's picture

This is a very useful article.  I agree that it is only a starting point and in situations where network bandwidth is touchy having the blockouts enabled may be necessary as an additional precaution.  The othere thing we do is enable bandwidth throttling on the package servers for sites with a small circuit between the site and the main office.  Just downloading the packages from the NS can cause issues on the WAN.

thank you.

0
Login to vote
KSchroeder's picture

One other "trick" you can implement, assuming you have QoS-capable (Quality of Service) equipment at your remote sites, is to implement QoS banding.  We do this and put all of our Altiris-related traffic on a low priority.  In the event that the pipe between HQ and remote sites becomes saturated, all other traffic (SAP, Outlook, VOIP, etc.) takes precedent over Altiris.  Since the Package replication is restartable (particularly when you using HTTP transfer only), the packages will get through in the end.

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

0
Login to vote
G Ross's picture

Thanks Kyle.  I will mention that to the network group and see what we can do.

 

+1
Login to vote